Topic: Telecom, Internet & Information Policy

Pushing Back on an Anti-Social Network

Power Ventures, Inc. offers a service to amalgamate various social-media platforms into one system; each user gives the company his usernames and passwords, including for Facebook. Facebook objected to Power Ventures’ use of Facebook in this manner and sent a cease-and-desist letter. When Power Ventures refused to comply, Facebook sued under the Computer Fraud and Abuse Act (“CFAA”).

The CFAA was designed to prevent hackers from accessing a computer system “without authorization” and has criminal penalties of up to five years in prison. The district court found that Power Ventures had indeed accessed Facebook without authorization and the U.S. Court of Appeals for the Ninth Circuit affirmed that decision. Power Ventures has petitioned the Supreme Court to review the case; Cato has filed an amicus brief supporting that petition.

We explain that there’s a split among the circuit courts as to the legal basis for an entry to be “authorized” under the CFAA. The Fifth and Seventh Circuits use agency law (scope of employer permission), the First and Eleventh Circuits use contract law (established policies), and the Second, Fourth, and Ninth Circuits use property law (the common law of trespass). The ideal resolution would involve an analogy to physical trespass, which various members of Congress involved in drafting the CFAA used to discuss the computer crimes that the law was designed to prevent.

In applying trespass law here, the facts begin to look like a landlord-tenant dispute over a third-party guest. A landlord typically can’t prevent a tenant from inviting guests to access the tenants’ property by using the common areas of the building, without a limitation in the lease. Here, Facebook’s users own the data (information, pictures, etc.) they put on the social network, as Facebook acknowledges, and there’s no guest-access restriction in the terms of service.

Many people share social-network, email, or other passwords without considering such actions to be criminal and the common law is presumed to conform to the customs of the people unless there’s explicit statutory text to the contrary. Otherwise millions of people could unwittingly be made criminals.

This is also the reason why the “rule of lenity” applies in Power Ventures’ favor, because an (at best) ambiguous statute cannot be used to punish someone.

The final reason that the Supreme Court should take the case is its importance to the online economy. Power Ventures is trying to compete with Facebook and Facebook’s ban prevents the market from being able to determine who has the better product. Many other companies, including Google, use a method of automated access similar to that which Power Ventures uses and could be imperiled by the lower court’s ruling. Internet companies need clear legal rules so they know what they can do nationwide without the threat of civil liability or criminal prosecution.

The Supreme Court may decide whether to take Power Ventures v. Facebook before it breaks for its summer recess at the end of June, or it could hold the decision over till the start of the next term in the fall.

More Data, More Problems

In recent years, criminologists, law enforcement organizations, government agencies, and other criminal justice experts have been experimenting with various methods of data collection to improve American criminal justice. For example, some researchers look at recidivism—that is, how likely a person who has been incarcerated will end up back in jail or prison—to stem the tide of mass incarceration. Others have turned to “hot-spot policing” to better focus limited police resources on preventing new crimes in highly specific, high-crime areas.  Each method typically has its strengths and weaknesses, and much can be learned from new techniques.

But more data isn’t always a good thing. After a long battle with the Sun-Times, the Chicago Police Department released its “Strategic Subject List.” From the report:

“We have 1,400 individuals that drive this gun violence in this city,” police Supt. Eddie Johnson said in August, assuring the public his department was keeping tabs on the people on its closely guarded “Strategic Subject List.” “We’ve gotten very good at predicting who will be the perpetrators or victims of gun violence.”

Yet the list is far broader and more extensive than Johnson and other police officials have suggested. It includes more than 398,000 entries — encompassing everyone who has been arrested and fingerprinted in Chicago since 2013.

Nearly half of the people at the top of the list have never been arrested for illegal gun possession. About 13 percent have never been charged with any violent crime. And 20 of the 153 people deemed most at risk to be involved in violent crime, as victim or shooter, have never been arrested either for guns or violence.

Why ‘Net Neutrality’ Is a Problem

Yesterday, Federal Communications Commission Chairman Ajit Pai announced his intention to reverse Obama administration “net neutrality” rules governing the internet that were put in place in 2015. Some commentators are criticizing the announcement as a give-away to large telecom companies and an attack on consumers. But the Obama rules create some serious problems for consumers—problems that Pai says he wants to correct.

Under the Obama rules, internet service providers (ISPs) are subject to “rate-of-return” regulations, which the federal government previously applied to AT&T’s long-distance telephone service back when it was a monopoly more than 50 years ago. Ostensibly, rate-of-return regulation gives government officials the power to review and approve or reject ISP rates. In reality it basically guarantees ISPs government-enforced market protection and profitability, in exchange for regulators ensuring that ISPs won’t be too profitable.

As explained in this 2014 post, rate-of-return regulation involves more than just telecom. It is an attempt to settle fights between “producers” and “shippers”—whether those are farms, mines, and factories on one side and railroads and shipping lines on the other, or Netflix and Hulu on one side and ISPs on the other. In all those cases, the producers and shippers need each other to satisfy consumers, but they fight each other to capture the larger share of consumers’ payments. If shippers charge more, then farmers, factories, and Netflix must charge less in order to maintain the same level of sales.

The political resolution of the producer–shipper fights was the Interstate Commerce Act of 1887 and its rate-of-return regulations, which were initially written with railroads in mind. Similar efforts were later extended to trucking, air transportation, energy, and telecom. It took about 100 years for policymakers to accept that those efforts hurt consumers much more than it helped them, forcing on consumers too many bad providers with high prices and poor quality.

Trump’s Wiretap Dance

I’ve already explained, in a post over at Just Security, some of the law and background surrounding what we know about Donald Trump’s incendiary claim that his predecessor wiretapped his phones at Trump Tower during the presidential campaign, and I’d suggest reading that if you want to delve into some of the wonky details, but I thought it might be worth a separate point to pull out some of the critical points and remark on how the story has evolved since Saturday.

  • There’s no basis on the public record to support the allegation that phones at Trump Tower were wiretapped, or that the Trump campaign was targeted for electronic surveillance, let alone on the orders of Barack Obama. Former Director of National Intelligence James Clapper has publicly denied it, and FBI Director James Comey has reportedly been pressing for a disavowal from the Justice Department. This appears to be something Trump concocted on the basis of (deep breath now) his own misreading of a misleading Breitbart News article based on a talk radio host’s summary of months-old reports in the British press. Those news stories—which conspicuously haven’t been reported out by the deeply-sourced intelligence journalists at U.S. outlets, and so should be taken with a grain of salt—concern some sort of order, purportedly sought by the FBI from the Foreign Intelligence Surveillance Court, targeting Russian banks in order to follow up intelligence leads concerning possible transfers of funds from Russia to Trump aides. If the reports are true, that’s vastly different from what Trump alleged, and not obviously improper on its face, though when intelligence surveillance intersects domestic politics, even indirectly, there’s always an elevated risk of abuse.
  • The White House has been dodging and weaving a bit in its public statements following Trump’s allegations on Twitter. Initially, aides told multiple reporters that they thought the president had been reacting to the Breitbart piece, which was circulated internally on Friday. But, as I explain in more detail in my Just Security post, the sources drawn on for the Breitbart piece don’t actually support Trump’s claims. More recently, spokeswoman Kellyanne Conway insinuated that Trump may have some other classified basis for his accusations. She’s called on the FBI to release more information, while other White House officials have suggested it should fall to Congress to investigate. This is all, to put it mildly, grossly irresponsible. If the president has classified information about improper surveillance of his campaign, he is empowered to declassify it. If he’s not sure whether to believe what he reads on the Internet, the head of the executive branch is not limited to relying on Breitbart News to learn about the activities of his own intelligence community. But it should be wholly unacceptable for Trump to level serious accusations of criminal abuse of intelligence authorities by his predecessor,  then punt to Congress when pressed to produce evidence.  

War of the Worst Case Scenarios

A few nightmare scenarios haunt the dreams of civil libertarians—scenes drawn from our long and ignominious history of intelligence abuses.   One—call it the Nixon scenario—is that the machinery of the security state will fall into the hands of an autocratic executive, disdainful of the rule of law, who equates “national security” with the security of his own grip on political authority, who is all too willing to turn powers meant to protect us from foreign adversaries against his domestic political opponents, and who lacks any qualms about quashing inquiries into his own illegal conduct or that of his allies.  Another—call it the Hoover scenario—is that the intelligence agencies anxious to protect their own powers and prerogatives will themselves slip the leash, using their command of embarrassing secrets to intimidate (and in extreme cases perhaps even select) their own nominal masters.  As the American surveillance state has ballooned over the past 15 years, we’ve often invoked those scenarios to argue out that the slippery slope from a reasonable-sounding security measure a tool of anti-democratic repression is disquietingly short and well-oiled. You may trust that some new authority will only be used to monitor terrorists today, but under a more authoritarian administration, might it be used to suppress dissent—as when civil rights and anti-war activists became the targets of the FBI’s notorious COINTELPRO?  You may be reassured by all the rigid rules and layers of oversight designed to keep the Intelligence Community accountable, but will those mechanisms function if the intelligence agencies decide to use their broad powers to cow their own overseers?

We are now, it seems, watching both scenarios play out simultaneously.  Perhaps surprisingly, however, they’re playing out in opposition to each other—for the moment. Whatever the outcome of that conflict, it seems unlikely to bode well for American liberal democracy.

On the one hand we have Donald Trump, whose thin-skinned vindictiveness and contempt for judicial checks on his whims are on daily display, and who during his presidential campaign revealed a disturbing instinct for lashing out at political opponents with threats to disclose embarrassing personal information. (Recall his tweets promising to “spill the beans” on Heidi Cruz, wife of primary opponent Ted, or his warning that the Ricketts family, which funded ads opposing him, had “better be careful” because they “have a lot to hide”.) As a private citizen, Trump treated the legal system as a tool to harass people who wrote unflattering things about him; as a candidate, he thought nothing of offhandedly suggesting he could use the power of the Justice Department to jail his opponent. Even before taking the Oval Office, then, Trump had provided civil libertarians and intelligence community insiders with a rare point of consensus: Both feared that with control of both the intelligence agencies and the institutional checks on those agencies within the executive branch, Trump would fuse a disposition to abuse power with an institutionally unique ability to get away with it.  On the flip side, Trump’s dismissive attitude toward the intelligence consensus that Russia had intervened to aid him in the election; his frankly bizarre, fawning posture toward Russia’s strongman leader; and his insistence on defying decades of political norms to shield his finances from public scrutiny signaled that inquiries into illicit conduct by himself or his allies and associates would be likely to wither on the vine once Trump loyalists had been installed at the heads of law enforcement agencies. As Nixon scenarios go, to steal a turn of phrase from my colleague Gene Healy, Trump is a civil libertarian’s grimmest thought experiment come to life.

Trump’s Android: Time for a Damage Assessment?

A New York Times report that Donald Trump continues to carry his ancient and insecure Android phone—despite having received a new Secret Service-approved secure device on Inauguration Day—has prompted a flurry of reports on the cybersecurity “risks” this entails.  But “risk”—the connotations of which are both future-oriented and hypothetical—seems like the wrong word here.  We should be asking how many foreign intelligence services have had access to the phone, for how long, and what sensitive information they’ve already gleaned from it.

Because let’s be clear: An American president’s personal smartphone may be a holy grail for foreign spies, but a phone belonging to a president-elect, or even a credible candidate, would be an extremely juicy target too.  It’s almost inconceivable it would not have been attacked already.  And given the laughable level of security provided by a phone that last saw an update in 2015, any serious effort to compromise it by a state-level adversary would likely have succeeded. The safe assumption that NSA’s overseas counterparts have a similar array of “implant” tools would mean that Trump’s movements could have been tracked, any credentials stored on the phone exfiltrated, and any conversation held in the same room as the phone, recorded.  

If the White House has been following the most basic protocols, we can at least expect Trump’s Android hasn’t been allowed into the Secure Compartmentalized Information Facilities where classified briefings are held, but even so, that’s a rich trove of intelligence on Trump’s strategic intentions and mindset, and may well include sensitive personal information that could be used for leverage.  So, by all means, he ought to ditch the phone immediately—but instead of tossing it in the trash, he ought to hand it off to NSA’s technical division for a thorough look, assuming they haven’t already had one.  It will be too late to undo the damage, but perhaps not too late to mitigate the consequences if the Intelligence Community can start piecing together what the adversaries would have obtained and how they’re likely to use it. 

The Chilling Effect of the Government’s Subpar Subpoenas

Here we go again. History repeats itself with classified-ad website Backpage.com’s announcement yesterday that it’s shuttering its “adult” section after years of unrelenting pressure from public officials at all levels of government. 

Most recently, the Senate’s Permanent Subcommittee on Investigations (PSI) hauled several Backpage.com officials before it for a public shaming without bothering to wait for a ruling on the legality of its “investigation.” In California, just before Christmas then-attorney general (now U.S. Senator) Kamala Harris refiled criminal charges against Backpage’s CEO and its former owners in the face of a December 9 ruling throwing her initial charges out.

These tactics represent a marked escalation since September 2010, when Craigslist caved in to pressure from a group of 17 state attorneys general and shut down its “adult advertisements” section. As a federal court had already ruled at that time—and numerous courts have held since—the government cannot assume that ads that mention sex are advertising illegal transactions, much less coercive sex-trafficking. Laws censoring such websites have been roundly and repeatedly held to violate the First Amendment.

But the law is one thing, and less-direct pressure tactics are quite another. It’s harder to hold government accountable when it tries to hide what it’s up to with public letters, demands, and investigations, even if meritless.

Pages