[syndicated profile] techdirt_feed

Posted by Tim Cushing

The Trump Administration is continuing its war on leakers. It's probably meant to keep whistleblowers at bay as well. This isn't necessarily a trait unique to Trump's White House. There really hasn't been a whistleblower-friendly administration in pretty much ever, but this particular administration has been awash in leaked documents, each one prompting more severe crackdowns.

But it's going to come to a head at the national security level. The "Intelligence Community" -- sixteen agencies participating and partaking in intelligence analysis and collection under the Office of the Director of National Intelligence -- is basically ousting its internal oversight. Jenna McLaughlin, writing for Foreign Policy, has the details.

[Dan] Meyer, whose job is to talk to intelligence community whistleblowers, can no longer talk to whistleblowers. He has been barred from communicating with whistleblowers, the main responsibility of his job as the executive director for intelligence community whistleblowing and source protection. He is currently working on an instructional pamphlet for whistleblowers, and he will have no duties to perform after he’s completed that work.

He can also no longer brief the agencies or the congressional committees on his work as he’s done in the past, send out his whistleblower newsletter, or conduct outreach. And he has no deputy or staff.

This is the end result of internal struggles and the continual sidelining of the so-called "proper channels." They weren't worth much when Snowden decided to leak. They were relatively worthless when others leaked documents years before Snowden began changing the intelligence community from the far outside. And if they were ever going to be worth anything, that effort has been derailed in favor of hunting down leakers.

This is incredibly stupid. If the administration wants to stop leaks, one of the better tools is proper channels that actually work -- ones that get results and shield whistleblowers from retaliation. Instead, intelligence officials have decided leaking and whistleblowing are pretty much the same thing and have headed off attempts to build an official whistleblowing outfit worth a damn.

What's being ousted, bit by bit, is the IC's Inspector General's office. Elimination of whistleblower outlets may only be part of the plan. Once rendered toothless, it may be prevented from performing other oversight duties. But the war on leakers starts where it always starts: with whistleblowers. If the Inspector General's office is completely neutralized, the only option will be leaking, not exactly the best news for this particularly sieve-like administration.


In other news

Oct. 20th, 2017 17:56
[personal profile] alasse_irena
 Microwave mac and cheese is a trap. Delicious trap, though.
[syndicated profile] lawfare_feed

Posted by Robert Chesney

 

Conferees from the House and Senate are in the midst of ironing out the details for the next National Defense Authorization Act. Meanwhile, the Secretary of Defense has now weighed in with a “heartburn letter” pointing out the items in the bill that particularly concern him (Politico provides a copy of the letter here). The second item on his list: Section 1621, titled “Policy of the United States on Cyberspace, Cybersecurity, and Cyber Warfare.” More specifically, Secretary Mattis asks the conferees to remove 1621(f):

I am troubled by the conventional approach applied to an unconventional problem.... The nature of cyber-attacks is ever evolving, and we need to maintain our ability to take decisive action against this increasingly dangerous threat.  Section 1621(f) is particularly concerning as it would require the U.S. to notify foreign governments before we take steps to defeat certain cyber threats.  We request removal of this section during conference.

Sounds serious, so let’s dig in.  What follows below is an annotation of 1621's many subparts, not just 1621(f).  My aim is to explore the Secretary’s objection, yes, but also to understand what other things the remaining portions of 1621 do.  

1621(a)

Current text:

(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond when necessary, to any and all cyber attacks or other malicious cyber activities that target United States interests with the intent to—

(1) cause casualties among United States persons or persons of our allies;

(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);

(3) threaten the command and control of the United States Armed Forces, the freedom of maneuver of the United States Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or

(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.

Comments:

It’s tempting to pass over this one, since a statutory statement of policy of this kind will not control decisions the President may make as to which instruments of national power should be deployed, and in what manner, in any particular instance.  Put another way, provisions like this are usually best understood as symbolic.  This one is a bit more complicated, however, in two respects.

First, note that 1621(a)(2) conspicuously—if rather awkwardly—squeezes in the word “democratic” in a manner that one can’t help but read as a veiled reference to the Russian covert action program that impacted the 2016 election. That in turn suggests a reading of 1621 that signals a desire on the part of Congress, at least, to warn Russia (and others) that such interference (particularly interference with voting machines?) might be construed by the U.S. government as a justification for a cyber countermeasure.

Could the scenarios listed in 1621(a) also be a justification for a cross-domain response, of the traditional military variety?  That’s also strongly implied, though not said expressly. And that’s where 1621 gets interesting.  Can it be read as the equivalent of a standing AUMF in the event of a high-salience cyberattack fitting into one of the four 1621(a) categories? I think it’s probably too indirect in its terminology to bear that weight, but I also think that it does not need to.  The section 1621(a) categories might all be understood as examples in which it would be possible for the executive branch to assert that the United States has suffered an attack implicating the authority of the president to use at least necessary and proportional means in national self-defense. From this point of view, 1621(a) will function to reinforce a presidential determination of that kind, which might otherwise stand alone as an Article II measure.

 

1621(b)

Current text:

(b) Response Options.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

Comments:

The idea here appears to be to improve America’s cyber-deterrence posture by pushing the executive branch not only to have a full suite of response options in case one of the 1621(a) scenarios arises, but also to display those capacities in some fashion. If that display is meant to encompass cyber means of response (note that 1621(b) does not actually say so, and of course it would be silly to assume that a US response must be a within-domain response), then it’s probably a bad idea. Such a display, to be effective for deterrence, might well have to involve considerable exposure of means, thus enabling adversaries to gain valuable intelligence. Conversely, if the display is limited to avoid that risk, it will not likely be an impressive—and thus deterring—display.

 

Section 1621(c)

Current text:

(c) Denial Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.

Comment:

None, aside from noting the reference to “political integrity” as an additional reminder that our electoral processes are now in the critical infrastructure category alongside the traditional CI categories.

 

Section 1621(d)

Current text:

(d) Cost-Imposition Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and demonstrate, or otherwise make known to adversaries of the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).

Comments:

This is much like 1621(b): trying to improve our deterrence posture by pushing the executive branch to take steps to ensure adversaries understand what we are capable of doing.  Alas, the problem probably is not that our adversaries underestimate our technical prowess; it’s that they do not believe we have the political will to use that prowess.   

 

Section 1621(e)

Current text:

(e) Multi-Prong Response.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall—

(1) devote immediate and sustained attention to boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;

(2) develop offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers;

(3) enhance attribution capabilities to reduce the time required to positively attribute an attack with high confidence; and

(4) develop intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.

Comments:

What’s not to like?  Each of these objectives would improve our deterrence posture. And there’s certainly not any harm in having Congress express its desire to see such efforts.  My only quibble is that I am confident the executive branch already feels the same way, and that efforts of these kinds already exist.  I certainly hope so, at any rate.

 

*Section 1621(f)* (aka, the one that the SecDef has challenged)

Current text:

(f) Policies Relating To Offensive Cyber Capabilities And Sovereignty.—It is the policy of the United States that, when a cyber attack or malicious cyber activity transits or otherwise relies upon the networks or infrastructure of a third country—

(1) the United States shall, to the greatest extent practicable, notify and encourage the government of that country to take action to eliminate the threat; and

(2) if the government is unable or unwilling to take action, the United States reserves the right to act unilaterally (with the consent of that government if possible, but without such consent if necessary).

Comments:

This is the one that drew a strong objection from Mattis. In his letter, he says that it would “require” the US government to give notice to foreign governments before we take certain steps in response to cyber attacks.  Does it really require that step in all cases, though?

It can be read that way, yes. And if it had to be read that way then I would agree it should be removed.  But it can be read otherwise, too.  Here's why I think that:

The “unable or unwilling” language in 1621(f)(2) is the giveaway on this point.  That language is very familiar to those who follow debates over whether the use of lethal force violates the UN Charter when carried out for counterterrorism purposes in the territory of a state that has not consented and has not itself attacked the state that now is responding.  The issue comes up in relation to using force in Syria against the Islamic State, for example, and previously has been associated with U.S. uses of force in Pakistan.  In the latter context, critically, it seems clear the U.S. government does not believe it always must actually ask the foreign sovereign whether it can and will act.  The bin Laden raid is the most famous example in which we instead made a determination ex ante based on past experience and current intelligence.  

The point being:  US practice with the unwilling/unable test already seems to encompass the possibility of not actually asking in advance and then waiting to see how it turns out.  The same logic could be applied under 1621(f), then.

Does that mean 1621(f) should be left as is?  No. Why leave any uncertainty on the point?  If the provision is to remain, the language should be amended to confirm that the unwilling/unable determination can be based on anticipated actions/inaction in light of experience and available intelligence, and does not always have to involve the question being put first to the foreign sovereign in question.

Before moving on, note two other issues that 1621(f) raises, apart from the one highlighted by the SecDef. 

First: The provision is a bit unclear insofar as it might be read to apply (i) only to US operations that have an effect on a server located in the third country in question or (ii) also to US operations that ultimately will have their effect elsewhere but that happen to transit through the third country in question.  It would be good to make clear that the latter scenario is not covered.

Second: This language needs to be adjusted so as to eliminate the possibility that it might be interpreted to apply not only to Title 10 actions but also to Title 50 actions.  That is to say: the drafters need to watch out lest this be read to bind in the context of a covert action, and not just in connection with what CYBERCOM does.

 

1621(g) and (h)

Current Text:

(g) Authority Of Secretary Of Defense.—

(1) IN GENERAL.—The Secretary of Defense has the authority to develop, prepare, coordinate, and, when appropriately authorized to do so, conduct military cyber operations in response to cyber attacks and malicious cyber activities described in subsection (a) that are carried out against the United States or United States persons by a foreign power.

(2) DELEGATION OF ADDITIONAL AUTHORITIES.—The Secretary may delegate to the Commander of the United States Cyber Command such authorities of the Secretaries of the military departments, including authorities relating to manning, training, and equipping, that the Secretary considers appropriate.

(3) USE OF DELEGATED AUTHORITIES.—The use by the Commander of the United States Cyber Command of any authority delegated to the Commander pursuant to this subsection shall be subject to the authority, direction, and control of the Secretary.

(4) RULE OF CONSTRUCTION.—Nothing in this subsection shall be construed to limit the authority of the President or Congress to authorize the use of military force.

(h) Foreign Power Defined.—In this section, the term “foreign power” has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

Comments:

None. 

Thanks for reading through to the end!  Your comments on this analysis are very welcome, so feel free to reach out (@bobbychesney or rchesney@law.utexas.edu)

 

[syndicated profile] techdirt_feed

Posted by Glyn Moody

Although the Transatlantic Trade and Investment Partnership (TTIP) has dropped off the radar completely since Donald Trump's election, for some years it was a key concern of both the US and European governments, and a major theme of Techdirt's posts. One of the key issues was transparency -- or the lack of it. Eventually, the European Commission realized that its refusal to release information about the negotiations was seriously undermining its ability to sell the deal to the EU public, and it began making some changes on this front, as we discussed back in 2015. Since then, transparency has remained a theme of the European Commission's initiatives. Last month, in his annual State of the Union address, President Jean-Claude Juncker unveiled his proposals for trade policy. One of them was all about transparency:

the Commission has decided to publish as of now all its recommendations for negotiating directives for trade agreements (known as negotiating mandates). When they are submitted to the European Parliament and the Council, those documents will in parallel be sent automatically to all national Parliaments and will be made available to the general public. This should allow for a wide and inclusive debate on the planned agreements from the start.

An interesting article on Borderlex explores why moves to open up trade policy by the European Commission did not and probably never will satisfy activists who have been pushing for more transparency, and why in this area there is an unbridgeable gulf between them and the EU politicians. In contrast to Juncker's limited plan to publish negotiating directives in order to allow "a wide and inclusive debate on the planned agreements", this is what activists want, according to the article:

timely release of textual proposals on all negotiating positions, complete lists and minutes of meetings of Commission officials with third parties, consolidated texts, negotiating mandates, and all correspondence between third parties and officials.

Activists are keen to see what is happening in detail throughout the negotiations, not just some top-level view at the start, or the initial textual proposals for each chapter, but nothing afterwards. The article suggests that this is not simply a case of civil society wanting more information for its own sake, but rather reflects completely different conceptions of what transparency means. Transparency is intimately bound up with accountability, which raises the key question of: accountability to whom?

These two different views reflect a seminal academic distinction between 'delegation' and 'participation' models of accountability in international politics. In a 'delegation' model, an organisation (such as the Commission) is accountable to those who have granted it a mandate (in the EU: the Council, the [European Parliament] and national parliaments). Transparency and participation should first and foremost be directed to them. Extending managed transparency to the wider public can be instrumentally used to increase trust.

In a 'participation model', in contrast, organisations are accountable to those who bear the burden of the decisions that are taken. If contemporary trade policy impacts people's daily lives, the people -- directly or through civil society organisations that claim to represent them -- should be able to see what is going on, and be able to influence the process. Therefore, there is a presupposition for openness, disclosure, and close participation.

The article's authors suggest that for activists, transparency is a means to an end -- gaining influence through participation -- and it is the European Commission's refusal to allow civil society any meaningful role in trade negotiations that guarantees that token releases of a few policy documents will never be enough.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

[syndicated profile] aclu_feed
The federal government is holding a young woman hostage to force her to carry her pregnancy to term against her will.

After Jane Doe, a 17-year-old immigrant from Central America, found out she was pregnant last month, she decided to have an abortion. But the Office of Refugee Resettlement, the federal government agency charged with caring for unaccompanied immigrant minors once they enter the country, is prohibiting her from getting one.

The federal government has a new policy that allows it to veto an unaccompanied minor’s abortion decision, and government officials are doing everything imaginable to prevent Ms. Doe from accessing abortion. They have instructed the shelter where Jane Doe is staying not to transport Ms. Doe or allow Ms. Doe’s court-appointed guardian to transport her to the health care center to have an abortion, essentially holding her hostage.

The new policy is the creation of E. Scott Lloyd, the man President Trump appointed in March 2017 to head ORR. Prior to becoming head of ORR, he was senior policy coordinator for the Knights of Columbus, an anti-abortion Catholic charity. In law school, he assisted the parents of Terri Schiavo, a woman in a vegetative state, in a legal battle to prevent her husband and guardian from removing her feeding tube. In 2010, he founded a law firm, Legal Works Apostolate, which specialized in providing counsel “informed by the particular concerns of families and institutions that must navigate the ‘thickets of the law’ while remaining faithful to Church teaching.”

Rather than allowing Ms. Doe to access a legal procedure that she wants, ORR forced her to go for counseling at a religious, anti-abortion crisis pregnancy center, where she was forced to have a sonogram.

Ms. Doe has never wavered in her decision to have an abortion. Texas law requires minors to have either parental consent or permission from a judge before having an abortion. Ms. Doe went to court and got judicial permission to have the abortion. The Texas court appointed a guardian and an attorney to look after her best interests. She informed both of them that she decided to have an abortion and made an appointment to get one.

Although the guardian and the attorney are willing to provide transport and have secured financing for the abortion, the government has refused to temporarily release her from custody or transport her themselves, insisting that either would be tantamount to “facilitating abortion.”

On October 18, we went to court seeking an order to have Jane Doe released so that she could get the abortion she needs. The government argued that they weren’t holding Ms. Doe hostage because she could just agree to be deported to her home country.

Judge Tanya S. Chutkan appeared incredulous at the government argument.

“I am astounded by that position. I have to tell you, I'm astounded that the government is going to make this 17-year-old girl who has received judicial authorization for a medical procedure to which she is constitutionally authorized choose between a pregnancy that she does not want to go forward with to term or returning to the country from which she left. Those are her options. And is it your position that that does not constitute a substantial obstacle? She can leave the country or she cannot get her abortion, those are her options?”

Judge Chutkan promptly ordered the government to release Ms. Doe to her state-appointed guardian so that she could get the abortion.

Ms. Doe had her first of two necessary appointments to get her abortion on October 19, and she was scheduled to get the abortion October 20. However, the government appealed the circuit court’s decision and requested an immediate administrative stay to prevent Jane Doe from getting an elective abortion that would be “irreversible.”

The appellate court granted the request, so we will be back in court on Friday at 10 a.m. to once again argue on behalf of Ms. Doe, so she can get the care to which she is constitutionally entitled, if only the government would step out of her way.

[syndicated profile] techdirt_feed

Posted by Timothy Geigner

Author Dan Brown is certainly not a stranger to copyright claims and lawsuits over his bestseller The Da Vinci Code. Not long after publishing the book in 2003 to wide acclaim, several legal actions took place against Brown and his publisher, as well as some action initiated by the publisher to stave off claims of copyright infringement and plagiarism. One such case that we did not cover here was brought by Jack Dunn of Massachusetts, who authored a book called The Vatican Boys, and sued Brown in Massachusetts for copyright infringement over the usual claims: there were claimed similarities in characters, plots, and factual assertions (including some that are erroneous in both). In 2007, Judge Michael Ponsor threw out the case, claiming that all the evidence Dunn's legal team provided amounted to thematic and structural similarities, which are not copyrightable.

For the following decade, Dunn simply went away. That is, until he found another law firm willing to file another copyright suit against Brown, but this time in the UK. The suit is reportedly being prepped for filing, with Dunn's side making much of the impending legal action.

Dunn has hired London-based media law firm Keystone Law. In a letter to Penguin Random House, Keystone stated they intended to issue proceedings for copyright infringement unless they received a credible explanation from Brown and his researcher wife, Blythe Brown, for what they perceive to be extraordinary similarities in both works.

Keystone Law’s letter stated: “There are hundreds of similarities between “The Vatican Boys” and “The Da Vinci Code” which comprise copying portions of TVB [“The Vatican Boys”] in the form of storylines, plots, characters, historical information, scenes, themes and even factual error which have been appropriated from TVB by Mr. and/or Mrs. Brown in writing The TDC [“The Da Vinci Code”].”

It seems that the requested explanation from Brown or Penguin Random House will not be coming. In response, the publisher flatly rejected all of Dunn's claims and then helpfully put in written display, something like warning heads on pikes, all of the prior litigation by both Dunn and others that Brown and the publisher have fended off successfully.  

There are several factors that should give Dunn and his legal team pause when it comes to actually filing this suit. Much of the reasoning by Dunn for filing this second lawsuit centers around his claim that the US ruling didn't properly evaluate the evidence he presented. That's unlikely to be the case. His reasoning for filing the suit in the UK, on the other hand, is flatly bizarre.

Dunn told MarketWatch he is now finalizing legal evidence in preparation for issuing copyright proceedings against Brown. Dunn, who is from Western Massachusetts, said “The Vatican Boys” was sold around New England upon publication, and he said he suspects Dan Brown read his book while he was living in Portsmouth, New Hampshire in the late 1990s.

Little of which factors at all as a basis for the UK being the proper venue for this lawsuit between two American authors. On top of that, it stretches the mind to believe that it has taken the better part of a decade for an author to come up with all of these dastardly similarities between his own work and one of the most widely read books in modern times. So too does it strain credulity to imagine that these newly discovered similarities are of the sort that are awarded copyright protection. After all, if the new evidence is more explosive than the old evidence, why wasn't it properly presented ten years ago?

We'll see if this suit ever gets filed. Given Brown's track record for defeating these sorts of attempts, I know on which party I'd be putting my money.


[ SECRET POST #3942 ]

Oct. 19th, 2017 18:47
[personal profile] case posting in [community profile] fandomsecrets

⌈ Secret Post #3942 ⌋

Warning: Some secrets are NOT worksafe and may contain SPOILERS.

01.




Notes:

Secrets Left to Post: 01 pages, 09 secrets from Secret Submission Post #564.
Secrets Not Posted: [ 0 - broken links ], [ 0 - not!secrets ], [ 0 - not!fandom ], [ 0 - too big ], [ 0 - repeat ].
Current Secret Submissions Post: here.
Suggestions, comments, and concerns should go here.
[syndicated profile] eff_feed

Posted by gennie

This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wi-Fi Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access.

The limited privacy goals of WPA

It’s worth taking a step back and remembering why a cryptographic protocol like WPA was developed to begin with. Before the advent of Wi-Fi, computers typically connected to their local Internet access point (e.g. a modem) using a physical wire. Traditional protocols like Ethernet for carrying data on this wire (called the physical layer) were not encrypted, meaning an attacker could physically attach an eavesdropping device to the wire (or just another computer using the same wire) to intercept communications. Most people weren’t too worried about this problem; physically attaching a device is somewhat difficult, and important traffic should be encrypted anyways at a higher layer (most commonly a protocol like TLS at the transport layer). So Ethernet was unencrypted, and remains so today.

With wireless protocols it became much easier to eavesdrop on the physical layer. Instead of attaching a device to a specific wire, you just need an antenna somewhere within range. So while an unencrypted wireless network is theoretically no less secure than an unencrypted wired network, in practice it’s much easier to set up an eavesdropping device. For some it became a hobby to drive or bike around with an antenna looking for wireless networks to eavesdrop on (called wardriving). In response, the IEEE (a computer and electronics engineers’ professional organization) standardized an encryption protocol called WEP (Wired Equivalent Privacy). The name is telling here: the goal was just to get back to the relative privacy of a wired connection, by using encryption so that an eavesdropping device couldn’t read any of the traffic. WEP was badly broken cryptographically and has been supplanted by WPA and WPA2, but they have the same basic privacy goal.

Note that WPA’s privacy goals were always very limited. It was never intended to provide complete confidentiality of your data all the way to its final destination. Instead, protocols like TLS (and HTTPS) exist which protect your data end-to-end. In fact, WPA provides no protection against a number of adversaries:

  • At any point between the access point and the server you’re communicating with, an eavesdropper can read your data whether the first hop was WPA, Ethernet, or anything else. This means your Internet provider or any Internet router on the network path between you and the destination server can intercept your traffic.
  • Your access point operator (e.g. the owner of your local coffee shop) can read your traffic.
  • Anybody who compromises your access point can read your traffic, and there is a long history of exploits against wireless routers.
  • Anybody who knows the access point’s password can perform a machine-in-the-middle attack and read your traffic. This includes anybody who cracks that password.

A secondary goal: access control

In addition to providing privacy against local eavesdroppers, WPA is commonly used to provide access control to the network by requiring the use of a “pre-shared key” to create sessions. This is the Wi-Fi access password or token which is familiar to most users when trying to connect to a new network. The goal here is simple: the owner of the wireless access point may want to prevent access by unauthorized devices, require new devices to jump through some hoops like watching an advertisement or agreeing to a terms of use agreement, or otherwise alter traffic for unauthorized guests. For years EFF has supported increased availability of open wireless access points, but certainly access point owners should have the ability to limit access if they want to.

How KRACK changes the picture

KRACK makes it possible for an adversary to completely undermine the privacy properties of WPA and WPA2 in many cases. The attack is somewhat complex in that it requires active broadcasting of packets and tricking a device into resetting its key, but it’s the kind of thing that will likely soon be automated in software. This means that, for now, data on many wireless access points may be vulnerable to interception or modification. Keep in mind two big caveats:

  • The attacker must be local and proactive. Carrying out this attack requires having an active antenna in range of the targeted wireless network and requires broadcasting many packets and intercepting or delaying others. This is all doable, but does not easily scale.
  • Important traffic should already be protected with HTTPS. As discussed above, there are already many potential attackers that WPA provides no security against. At worst, KRACK adds an additional one to the list, but with no more power than your ISP or any router on the Internet backbone already has (and those are much more scalable places to conduct surveillance or other mischief). We already have protocols to defend against these attackers, and thanks to the success of projects like EFF’s Encrypt The Web initiative more than half of all Internet traffic is already protected by HTTPS.

On the access control front, it’s unclear how much KRACK matters. It does not provide a new way to crack the pre-shared key or password of a wireless network. Some variants of KRACK enable recovering enough key material to hijack an existing connection and use it to gain unauthorized access, but this is probably not the easiest way to gain unauthorized access.

How did we get here?

Matt Green provides a great overview of the flawed process that led to KRACK being undiscovered for over a decade. The biggest single problem is that the protocol definitions were not easily available to security researchers, so none bothered to seriously look. This is another clear example of why important protocols like WPA and WPA2 should be open and free to the public: so that security researchers can investigate and catch these sorts of vulnerabilities early in the life of a protocol, before it’s embedded in billions of devices.

What you can do to protect your local network

Fortunately, while the KRACK vulnerability is baked into the WPA specification and deployed on billions of devices, it is relatively easy to patch in a backwards-compatible way. It requires patching both devices that connect to the Internet and access points. If you operate a wireless network, patching your router is a great step. Your Internet devices (your computer, phone or tablet) will also need to be patched. Many patches are already available and many devices will automatically be patched.

With that said, it’s a foregone conclusion that there will still be billions of unpatched devices for years (maybe even decades) to come. That’s because, as we’ve said before:

patching large, legacy systems is hard. For many kinds of systems, the existence of patches for a vulnerability is no guarantee that they will make their way to the affected devices in a timely manner. For example, many Internet of Things devices are unpatchable, a fact that was exploited by the Mirai Botnet. Additionally, the majority of Android devices are no longer supported by Google or the device manufacturers, leaving them open to exploitation by a "toxic hellstew" of known vulnerabilities.

So while we don’t think people should necessarily freak out about KRACK, it does demonstrate once again how important it is for industry to solve the patching problem.
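
A simplified model of the key reset described above and of the backwards-compatible client-side fix, added here as an illustration and not taken from the EFF post or from any vendor patch. The `Station` class, the HMAC-based keystream standing in for WPA2's real cipher, and the sample frames are all assumptions constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy per-frame keystream: HMAC-SHA256(key, nonce || block index).

    Stand-in for the real WPA2 cipher; only the property that matters here
    is kept: the same (key, nonce) pair always yields the same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Hypothetical Wi-Fi client that installs a session key after the handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0

    def install_key(self, key: bytes) -> bool:
        """Handle an accepted key-install message; return True if the nonce was reset."""
        if self.patched and self.key is not None and hmac.compare_digest(key, self.key):
            # Patched behaviour: the message is still accepted (so old access
            # points keep working), but a key already in use is not reinstalled.
            return False
        self.key = key
        self.tx_nonce = 0
        return True

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (nonce, ciphertext)."""
        self.tx_nonce += 1
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor_bytes(plaintext, ks)


# Constructed sample traffic, not captured data.
FRAME_A = b"GET /inbox HTTP/1.1"
FRAME_B = b"Cookie: id=constructed"
FRAME_C = b"POST /login HTTP/1.1"


def run_session(patched: bool):
    """Two frames, a replayed key-install message, then a third frame."""
    sta = Station(patched)
    key = hashlib.sha256(b"constructed session key").digest()
    sta.install_key(key)
    frames = [sta.send(FRAME_A), sta.send(FRAME_B)]
    sta.install_key(key)  # the same key arrives a second time
    frames.append(sta.send(FRAME_C))
    return frames


def reused_nonces(frames):
    """Detection check: nonces that appear more than once under one key."""
    seen, dup = set(), []
    for nonce, _ in frames:
        if nonce in seen and nonce not in dup:
            dup.append(nonce)
        seen.add(nonce)
    return dup


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        label = "patched" if patched else "unpatched"
        print(label, "nonces:", [n for n, _ in frames],
              "reused:", reused_nonces(frames))
    # With a reused nonce the keystream cancels out: the XOR of the two
    # ciphertexts equals the XOR of the two plaintexts, no key required.
    u = run_session(False)
    print(xor_bytes(u[0][1], u[2][1]) == xor_bytes(FRAME_A, FRAME_C))
```
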

[syndicated profile] lawfare_feed

Posted by Benjamin Wittes

I'm away this week, but the Atlantic's Julia Ioffe is our guest. President Trump says Iran is not living up to the “spirit” of the deal to curtail its nuclear program. Russian trolls and propagandists speak out. And an American woman and her family are freed after five years in captivity in Afghanistan. Plus, Julia recommends a new documentary on Russian doping. Tamara hearts Guam. And Shane recommends a new TV series on the FBI profilers.

Have you helped us promote Rational Security yet? If not, please leave us a rating and a review on whatever podcast distribution system you use. A lot of people are visiting Lawfare and reaching our podcasts for the first time these days, so if you're new to Lawfare and Rational Security, you can subscribe to the podcast using our RSS feed, or listen on iTunes, on Stitcher and now on Google Play.

[syndicated profile] techdirt_feed

Posted by Karl Bode

A few years ago, Russian whistleblowers like Lyudmila Savchuk began to reveal that Vladimir Putin had built a massive new internet propaganda machine. At the heart of this machine sat the "Internet Research Agency," a Russian government front company tasked with operating warehouses filled with employees paid 40,000 to 50,000 rubles ($800 to $1,000) a month to create proxied, viable fake personas -- specifically tasked with pumping the internet full of toxic disinformation 24 hours a day. Initial reports on these efforts were often playful, suggesting little more than shitposting and memes.

Subsequent reports by folks like Adrian Chen at the New York Times highlighted in great detail how deep this particular rabbit hole went. Chen detailed how these efforts often went well beyond routine online trolling, and frequently extended into the real world (like the time online trolls urged American citizens to visit a Russian-operated Chelsea art gallery solely to try and distort and downplay the country's annexation of Crimea). By the summer of 2016, reports began to emerge that these same employees were also posing as Trump supporters to help stoke already raw political divisions in the States.

Fast forward to this week, when Russian newspaper RBC issued a fairly massive and comprehensive report (in Russian, the Guardian has an alternative take here) showing that these efforts went even further than most initial reports indicated. From the creation of popular Texas secessionist Facebook groups to the hiring of more than 100 U.S. activists who had no idea they were working for Russia -- all tasked with stoking division inside the United States:

Perhaps the most alarming element of the article was the claim that employees of the troll factory had contacted about 100 real US-based activists to help with the organisation of protests and events. RBC claimed the activists were contacted by Facebook group administrators hiding their Russian origin and were offered financial help to pay for transport or printing costs. About $80,000 was spent during a two-year period, according to the report.

And while some on both sides of the political spectrum have tried to downplay Russia's propaganda and disinformation efforts as amateurish, unimportant and ineffective, the collective scope of the IRA's work revealed by whistleblowers continues to indicate otherwise:

Today, business site RBC revealed the numbers that allegedly made the company work. It reports that over two years the agency spent $2.3 million on its US operations. Most of that was spent on Russian staff—around 90 employees were working on the US at the height of the trolling campaign in 2016—but it also paid for 100 US activists to travel around America, organizing 40 rallies in US cities, and spent $120,000 spreading their message on Facebook. (The Silicon Valley giant has admitted that thousands of ads were bought under Russian IP addresses during the campaign.) The 100 activists didn’t suspect any Russian involvement in the funding, RBC reports.

In addition to the RBC report, Russian journalists at Dozhd interviewed a new whistleblower named "Maxim" who worked at the Internet Research Agency. According to Maxim, the organization included a "Russian desk," a "foreign desk," a "Facebook desk," and a "Department of Provocations." Whereas the Russian desk operated the country's now infamous Twitter bots and online trolls, the foreign desk was notably more sophisticated in its information assaults, trained in the more nuanced aspects of U.S. politics in order to "set Americans against their own government," and "provoke unrest and discontent."

Meanwhile, the Russian government's Facebook desk was tasked with battling Facebook administrators who would try to delete fake accounts and groups -- and who would often buckle to opposition from Russian trolls who raised First Amendment concerns when challenged:

The troll farm also had its own "Facebook desk," whose function was to relentlessly push back against the platform's administrators who deleted fake accounts as they began gaining traction. When Internet Research Agency employees argued against having their accounts deleted, Max said, Facebook staffers would write back, "You are trolls." The trolls would in turn invoke the First Amendment right to free speech — occasionally, they won the arguments.

By the latter half of 2016, up to a third of the Internet Research Agency was tasked with stoking existing tensions ahead of the U.S. election, according to yet another report by Russian media outlet Meduza. Another whistleblower claims that the IRA's goal wasn't always specifically to aid Trump, but to help encourage American infighting, contributing to partisan gridlock in the States (though the IRA's disinformation work is just one prong in Russia's efforts, and the Mueller investigation may obviously have more to say on this subject in time).

The RBC report notes that Chen's 2015 bombshell story in particular forced the Russian government to notably revamp its disinformation efforts, so what it looks like now is far from certain. What is certain is that Russia's online disinformation efforts -- a response to years of equally brazen efforts by the United States -- are just the latest in a multi-generational cold war that perpetually seeks to take horrible ideas to new and obnoxious levels. The biggest concern now isn't just how a country immeasurably susceptible to bullshit combats this kind of attack, but just how ham-fisted and harmful the United States' inevitable response will be.




Today's Headlines and Commentary

Oct. 19th, 2017 15:41
[syndicated profile] lawfare_feed

Posted by Vanessa Sauter

Attorney General Jeff Sessions testified before the Senate Judiciary Committee yesterday in a five-hour oversight hearing, the Washington Post reports. It was the first time Sessions appeared before the committee since his January confirmation hearing. The attorney general refused to disclose any details of his private conversations with President Trump concerning former FBI Director James Comey’s dismissal. Senators also questioned Sessions on his attitude towards prosecuting journalists, to which the attorney general responded that he couldn’t “make a blanket commitment to that effect.” Sessions, who recused himself from the Russian investigation, also stated that Special Counsel Robert Mueller “will produce the [investigation] in a way he thinks is correct, and history will judge.”

Members of President Donald Trump’s campaign promoted tweets from Kremlin-backed professional trolls, the Daily Beast reports. Michael Flynn, Donald Trump Jr., and Kellyanne Conway were among the Trump campaign members who followed or retweeted @Ten_GOP, the self-described “Unofficial Twitter account of Tennessee Republicans.” Russian media outlet RBC first reported that the Internet Research Agency, regarded as a Russian-funded troll farm, ran the account. Twitter terminated the account, which had accumulated more than 100,000 followers since its inception in late 2015, in August for undisclosed reasons.

Sgt. Bowe Bergdahl’s lawyers filed a motion on Tuesday asserting that Trump’s comments cast an “impermissible shadow” over Bergdahl’s sentencing trial, according to the Hill. On Monday, Bergdahl pleaded guilty to desertion and misbehavior before the enemy for abandoning his post in Afghanistan back in 2009. Trump had previously expressed unfavorable opinions of Bergdahl, commenting at a 2015 campaign rally that the sergeant is a “no-good traitor, who should have been executed” and that “thirty years ago, he would have been shot.” Bergdahl’s sentencing proceedings will begin this Monday. He faces the possibility of life in prison.

Deputy Secretary of State John Sullivan met with South Korean and Japanese senior officials in Seoul on Wednesday to discuss the threat from North Korea, ABC News reports. The officials maintained their commitment to diplomatic negotiations in de-escalating tension with Pyongyang. Sullivan, however, reiterated the Trump administration’s decision to keep all options open, citing the regime’s erraticism and the need to prepare for any possible action. The meeting came after a joint U.S.-South Korean naval drill to prepare for a potential North Korean attack.

Guantanamo prison guards seized the court-approved laptops and hard drives of the accused 9/11 attack plotters on Wednesday, according to the Miami Herald. The inmates were using the laptops in preparation for their death penalty trials. The 9/11 defense lawyers were also denied access to their normal weekly meeting site on Monday, though a judge later reversed the decision. Both events follow the collapse of al-Nashiri’s defense team, announced in a press release last Friday, after allegations of breached attorney-client privilege.

The United Nations is seeking access to Raqqa now that the Islamic State group has been driven out, the BBC reports. As Syrian Democratic Forces (SDF) claim they have full control of the city, U.N. officials are prioritizing access to the area in their effort to assist the nearly 300,000 displaced people living in nearby camps. A U.N. official stated that he does not believe there are Syrian civilians currently in Raqqa. The SDF’s control of the city is expected to be a significant turning point for humanitarian aid in the country.

 

ICYMI, Yesterday on Lawfare

Garrett Hinck posted the European Commission’s first annual report on the EU-U.S. Privacy Shield.

Thomas Kellogg examined the Chinese government’s efforts to undermine U.N. human rights mechanisms.

Anthony Bellia and Bradford Clark argued that Justice Gorsuch was right concerning the original meaning of the Alien Tort Statute.

Robert Chesney and Steve Vladeck posted the National Security Law Podcast.

Dana Stuster posted the Middle East ticker, addressing Kurdish national aspirations in Iraq, Trump’s decertification announcement, and the Islamic State group’s defeat in Raqqa.

Vanessa Sauter posted the live streaming of Attorney General Jeff Sessions’ testimony before the Senate Judiciary Committee.

Evelyn Douek discussed the U.K.’s new Green Paper and how it will impact private sector internet operations.

Michael J. Glennon reviewed Oona A. Hathaway and Scott J. Shapiro’s new book The Internationalists.

Emma Kohse summarized Judge K. Watson’s temporary restraining order against Trump’s travel ban.

 


[syndicated profile] aclu_feed
An immigration law criminalizes various types of speech on behalf of immigrants, in clear violation of the First Amendment.

As wildfires raged across Northern California last week, Sen. Kamala Harris (D-Calif.) took to Twitter to encourage those in need to seek shelter, even if they didn’t have lawful immigration status.

Senator Harris’s desire to protect all her constituents is admirable. It also may be a crime.

A section of the federal Immigration and Naturalization Act states that any person who “encourages or induces” a non-citizen to “come to, enter, or reside” in this country in violation of the law is guilty of a felony, and may be imprisoned for up to five years. For a person to be found guilty, the prosecution must show that the person knew or recklessly disregarded the fact that the non-citizen’s action was unlawful. Harris’s tweet arguably “encouraged” undocumented immigrants to “reside” in the country. That’s precisely the type of speech a zealous federal prosecutor could target for criminal sanction under this law.

Senator Harris is in good company. Other potential “criminals” include:

  • A woman who tells her undocumented housekeeper that she should not depart the U.S. or else she won’t be allowed back in. (A former U.S. Customs and Border Protection official stood trial in just such a case.)
  • A university president who publishes an op-ed arguing that DACA recipients should consider her campus to be a “sanctuary” after their deferred action expires.
  • A community organization that announces its shelters and soup kitchens are open to homeless undocumented youth in their area.

This law clearly oversteps the First Amendment, which does not allow the government to criminalize these kinds of speech. The Supreme Court has stated clearly: “The mere tendency of speech to encourage unlawful acts is not a sufficient reason for banning it.” That’s why the ACLU yesterday submitted an amicus brief to the U.S. Court of Appeals for the Ninth Circuit arguing that this law is unconstitutional.

The government can only prohibit “unprotected” speech, like incitement to violence or speech that itself constitutes a crime, like harassment. Speech “encouraging” immigration violations does not qualify. This makes the law we challenged “presumptively unconstitutional,” because it regulates the content of things we can say.

The ACLU filed its brief in a criminal case against Evelyn Sineneng-Smith, an immigration consultant from San Jose, California. Ms. Sineneng-Smith was convicted in 2013 for filing labor applications for clients she knew were not eligible for green cards at the time. Despite the fact that all the information Ms. Sineneng-Smith filed was accurate — including disclosure of the fact that her clients had been in the country illegally for years — she was convicted of “encouraging or inducing” her clients to remain in the U.S. She has appealed her conviction.

Our brief argues that the First Amendment protects the right of an individual — whether Evelyn Sineneng-Smith or Sen. Kamala Harris — to speak their mind on this hotly debated, sensitive subject without fear of prosecution. This includes speaking with and advocating for undocumented individuals who must navigate the complex web of U.S. immigration law. With this anti-encouragement law on the books, the only sure way to avoid prosecution for such speech is self-censorship.

Now, as ever, immigration is an issue of enormous public concern and controversy, especially given the hostile stance of the Trump administration and some state officials toward immigrant communities. For those in our communities who are undocumented immigrants, or whose loved ones are undocumented immigrants, there is nothing more important than speaking on these issues. The last several months have demonstrated precisely how movements for immigrant justice rely on robust political speech: organizing rallies against deportation, speaking to undocumented people about how to avoid being separated from their families, and more.

Freedom of speech is at the foundation of these efforts, and we must strive to keep it that way.

[syndicated profile] techdirt_feed

Posted by Tim Cushing

It's amazing what effect a little public scrutiny has on government overreach. In the wake of inauguration day protests, the DOJ started fishing for information from internet service providers. First, it wanted info on all 1.2 million visitors of a protest website hosted by DreamHost. After a few months of bad publicity and legal wrangling, the DOJ was finally forced to severely restrict its demands for site visitor data.

Things went no better with the warrants served to Facebook. These demanded a long list of personal information and communications from three targeted accounts, along with the names of 6,000 Facebook users who had interacted with the protest site's Facebook page. Shortly before oral arguments were to be heard in the Washington DC court, the DOJ dropped its gag order.

The last minute removal of the gag order appears to have been done to avoid the establishment of unfavorable precedent. It looks like the government perhaps has further concerns about precedential limitations on warrants served to service providers. As Kate Conger reports for Engadget, the DOJ has decided to walk away from this particular warrant challenge.

In a court hearing today, the Department of Justice dropped its request for the names of an estimated 6,000 people who “liked” a Facebook page about an Inauguration Day protest, the American Civil Liberties Union said. The ACLU challenged several warrants related to protests against President Trump’s inauguration on Friday, one of which included the search, claiming they were over-broad.

The ACLU notes the judge seemed sympathetic to allegations of overreach. In response, the government has apparently reduced its demands to info from two arrested protestors' accounts and further limited the date range from which data is sought.

This isn't a good look for the government. Dropping demands before an order has been issued indicates the DOJ had some idea its demands were too broad. It also shows the government will make concessions, rather than risk adverse rulings.

Then there's the whole issue of seeking personal information on protesters. This sort of thing creates a very real chilling effect by threatening to turn over personal information to the same entity the protesters were protesting. Fortunately, the government has walked back most of its demands in both cases.




[syndicated profile] eff_feed

Posted by amul

E-Verify is a massive federal data system used to verify the eligibility of job applicants to work in the United States. The U.S. Department of Homeland Security (DHS), U.S. Citizenship and Immigration Services (USCIS), and the U.S. Social Security Administration (SSA) administer E-Verify. Until now, the federal government has not required private employers to use E-Verify, and only a few states have required it. However, a proposed bill in Congress, the Legal Workforce Act (HR 3711), aims to make E-Verify use mandatory nationwide despite all the very real privacy and accuracy issues associated with the data system.

EFF recently joined human rights and workers rights organizations from across the United States and sent a letter to Congress pointing out the flaws of E-Verify. 

Instead of learning from the recent Equifax data breach that access to sensitive information creates an attractive target for data thieves, our elected representatives want to compel a massive increase in the use of yet another data system that can be breached. To use E-Verify, employers need to collect and transmit sensitive information, such as our social security and passport numbers.

And a data breach isn’t the only concern with such a data system: there’s also the likelihood of data errors that can prevent many Americans from obtaining jobs. Even worse, E-Verify is likely to have an unfair disparate impact against women, as they are more likely to change their names due to marriage or divorce. Additionally, a Government Accountability Office (GAO) report [.pdf page 19] found that E-Verify leads to more denials for people not born in America, despite their being eligible, and can “create the appearance of discrimination.” The GAO report also stated that these errors would increase dramatically if E-Verify is made mandatory.

Instead of recognizing the problematic nature of E-Verify, the White House is pushing to make it mandatory in its negotiations with Congress concerning legislative protection for Deferred Action for Childhood Arrivals (DACA) recipients. If successful, this would jeopardize Americans’ collective security and privacy. Not to mention that this expanded database may find uses beyond employment verification, and end up as another tool in an already impressive law enforcement surveillance arsenal.

As we have in the past, EFF will continue to do everything in our power to fight against the mandatory usage of E-Verify. It was a bad idea then and it’s a bad idea now.


[syndicated profile] lawfare_feed

Posted by Peter Swire, Richard Clarke

Lawfare editors Susan Hennessey and Benjamin Wittes recently criticized efforts to reform Section 702 of FISA before it expires at the end of 2017. Based on our own experience with Section 702, we respectfully disagree. There are compelling reasons to reform Section 702, notably the principles of the Fourth Amendment. This post highlights three areas where reforms are clearly indicated: the so-called “backdoor” or “incidental” searches, the “about” collection under Section 702, and common-sense reforms to the Privacy and Civil Liberties Oversight Board (PCLOB).

Our own view of Section 702 was formed when we were two of five members of the 2013 Review Group on Intelligence and Communications Technology, convened by President Obama in the wake of the Snowden revelations. Many of our recommendations have now become law, notably in the 2015 USA Freedom Act. For Section 702, based on review of classified materials, our recommendation 12 highlighted the problems with what public debate has since labeled “backdoor searches” under Section 702.

The problematic searches happen like this. Section 702 applies to foreign intelligence searches carried out in the United States of the content of communications, including emails, texts, and social network communications. The searches cannot be targeted at “U.S. persons,” who are U.S. citizens or permanent residents. Instead, they must be targeted at non-U.S. persons who are outside of the United States.

Here’s where the problem comes in. Suppose a foreign intelligence search is properly targeted at a non-U.S. person who is out of the country, such as in France or Pakistan. That target quite easily can send an email or otherwise communicate with someone inside of the U.S. At that moment, the full content of the U.S. person’s communications with that person gets included in the surveillance authorized by Section 702. Ordinarily, the government needs a search warrant to gain the full content of communications of a U.S. person (or someone temporarily in the U.S.). Now, due to the happenstance that the U.S. person communicated with someone outside of the country, the content of communications becomes available to the government.

After reviewing the evidence available to us, the Review Group found that Section 702 is often an important asset to our national security. We also found, though, that necessary safeguards had not been included for these incidental or “backdoor” collections of communications content. Our principal recommendation was stated in a recent Washington Post op-ed by Review Group members former top CIA official Michael Morell and legal scholar Geoffrey Stone: “The government should no longer be permitted to search the data collected under Section 702 without a warrant when seeking information about U.S. citizens and legal permanent residents.”

Our recommendation upholds the principles of the Fourth Amendment as applied to the content of communications. For law enforcement investigations, the police must get a search warrant, signed by a judge, that there is probable cause of a crime. For foreign intelligence investigations, the government must get a search warrant, signed by a judge in the Foreign Intelligence Surveillance Court (FISC), that there is probable cause that the individual is an agent of a foreign power.

Our understanding of the draft bill headed for markup in the Senate Intelligence Committee is that it currently fails even to address this crucial issue. The House Judiciary discussion draft on Section 702 partially but incompletely addresses the concerns about searches of incidentally collected communications of U.S. persons. Under current practice, law enforcement and foreign intelligence agents can “query” a large set of databases, including incidental 702 collection, when they are investigating a U.S. person. Under the House draft, these queries about U.S. persons can continue. If the query turns up a hit from incidental 702 collection, then law enforcement must get a warrant before accessing the content of the U.S. person communications. For foreign intelligence purposes, no warrant is needed to gain access to U.S. persons’ communications, although there would be senior Department of Justice sign-off.

The Review Group recommendation, and the position of civil liberties groups now, is that it should take either a law enforcement or FISA judicial order to query the database. If Congress decides to permit the queries to continue, however, then there should at least be a judge involved before there is access to the contents of U.S. person communications. For the House draft bill to satisfy this standard, it should be updated to include a requirement to obtain a FISA order for foreign intelligence investigations, to accompany the probable cause court order for criminal investigations. Otherwise, it appears that the government could access the U.S. person communications without a warrant, and later build on that information for use in a criminal prosecution.

These same Fourth Amendment principles apply to a second topic of reform, “about” collection under Section 702. Under current law, Section 702 is used as authority for intercepting communications that are “to” or “from” a target, such as that person in France or Pakistan. The statute also authorizes communications that are “about” a target, such as an email that mentions the email address or phone number of the target. Earlier this year, however, the FISC found that the minimization techniques used for “about” collection did not adequately protect the communications of U.S. persons.

As with incidental collection, “about” collection creates situations where the government can access the content of U.S. persons’ communications, without a warrant. FISA searches are carried out within the United States. They target non-U.S. persons abroad, but “about” collection in many cases has swept in contents of communications of U.S. persons, notably under the Upstream program. In such cases, the Fourth Amendment norm is to have a warrant approved by a judge. The House bill appropriately provides a statutory basis to keep the current non-use of “about” collection in place, but we understand that the current Senate bill does not.

A third topic, addressed in part in the House discussion draft, would improve the administration of the PCLOB. The discussion draft enables the Board to carry on ordinary business when there is no chairman, the situation today until nominee Adam Klein is confirmed. Notably, under current law, the Board cannot hire any employees until a new Chairman is confirmed—imagine a company that cannot hire any employees while a CEO search is underway! We urge the Congress to consult with the PCLOB on other needed reforms. For instance, under current law, the four Board members who are not Chairman face a strict limit on the number of hours they can work for the Board—they are prohibited from volunteering to work extra hours on important Board business.

In conclusion, Congress is considering sensible reforms to ensure that Fourth Amendment warrant requirements apply to incidental and “about” collection. We agree with Hennessey and Wittes that Section 702 authorities are important to our national security. But the unanimous opinion of the Review Group has stood since 2013: Judges should approve Fourth Amendment search warrants before searching the communications of Americans.

[syndicated profile] lawfare_feed

Posted by Michael Bahar, David Cook, Varun Shingari, Curtis Arnold

This fall may prove a landmark in the ongoing debate between security and privacy.  Poised to take action are both the U.S. Supreme Court, in Carpenter v. United States, and the U.S. Congress, with the impending sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Decisions made—or not made—this autumn will have ripple effects in the United States and around the globe.

This post explains the dynamics of the Supreme Court’s upcoming decision in Carpenter, and how it could impact this and other important surveillance authorities.  It then discusses the implications of Carpenter to the emerging global privacy regime, and the conflicts of law that may ensue.

 

The Supreme Court

In its upcoming term, the Supreme Court will reconsider the so-called third-party doctrine, which states that an individual has no reasonable expectation of privacy under the Fourth Amendment in information voluntarily disclosed to third parties. The doctrine is over forty years old and traces its roots to the earliest Fourth Amendment jurisprudence; but many—including Justice Sotomayor in her concurrence in United States v. Jones—question whether the doctrine is still appropriate given the digital world, a world in which we routinely share mountains of personal data with third parties via mobile devices, apps, web-based email, and increasingly even cars and clothing. With every movement we make while holding our cellphones, wearing our web-enabled fitness devices, and making online purchases, we freely hand over information that, either in isolation or in aggregation, can reveal tremendous things about us, suggesting a fundamental constitutional question: is the Government entitled to such personal information without a warrant?

In Carpenter v. United States, the Court this term will consider whether there is a protected privacy interest in the history of our locations, which, whether consciously or not, we routinely turn over to our wireless carriers. The Sixth Circuit, in United States v. Carpenter, applied the third-party doctrine to find that Carpenter had no reasonable expectation of privacy in cell site location information (CSLI) maintained by his telephone company and accessed by the Government under the Stored Communications Act (SCA), which permits the government to obtain records that are “relevant and material to an ongoing investigation.” Carpenter, along with a co-defendant, was convicted in the Eastern District of Michigan for several robberies that took place in and around Detroit. To build its case, the FBI requested Carpenter’s CSLI, which had been collected each time he made a call and his mobile phone pinged the nearest cell tower. The CSLI did not contain the content of his calls, but it did provide valuable metadata, including the date, time, and length of each call; the phone numbers engaged on the call; and the cell sites where the call began and ended. From this information, the FBI put together a map of where Carpenter had been over the course of 127 days, which proved critical to securing the conviction.

On appeal, the Sixth Circuit affirmed on third-party doctrine grounds, holding that the defendant had no reasonable expectation of privacy in business records kept by the phone company.  While content is protected under the Supreme Court decision Katz v. United States, the metadata is not. The court reasoned that, like the suspected robber in Smith v. Maryland whose dialed numbers were communicated to the telephone company and then collected by the government via a pen register, Carpenter must have known that phone companies receive (and record) the type of information collected by the police here.

Importantly, the Sixth Circuit also distinguished the 2012 case of United States v. Jones, in which the Supreme Court denied law enforcement’s attempts to track a defendant’s location by attaching a GPS to his car.  The Sixth Circuit explained that unlike in Jones in which a GPS was directly affixed to the defendant’s vehicle, this tracking resulted from information handed over to a third-party and kept in the ordinary course of business.  The Jones court also anchored its holding in a trespass theory in which the attaching of the GPS device was a trespass to Jones’s property under the Fourth Amendment, which for many observers was a convenient solution to an increasingly thorny third-party problem. 

In Jones, Justice Sotomayor, in her concurrence, recognized that classic third-party doctrine may no longer apply and urged the court to confront the issue squarely, which it finally may do this fall in Carpenter.

Similarly, observing Justice Sotomayor’s concurrence in Jones, Judge Stranch in her concurrence in Carpenter argued that it is for the courts, not legislators, to design an updated Fourth Amendment doctrine to accommodate 21st century realities. She expressed two concerns that may help define the parameters for a Supreme Court decision. First, she found troubling the volume of governmental tracking permissible under current tests, which the Sixth Circuit earlier seemed concerned with in United States v. Skinner, where it stated: “There may be situations where the police, using otherwise legal methods, so comprehensively track a person’s activities that the very comprehensiveness of the tracking is unreasonable for Fourth Amendment purposes.” Second, Judge Stranch seemed bothered by the temporal aspect, questioning how long it is permissible for the Government to go back in time to acquire business records, with 127 days seeming excessive.

In agreeing to grant certiorari, the Court may be indicating a desire to define the new floor and ceiling for permissible searches under the third-party doctrine. It may decide to factor in volume, temporality or some other distinction – for example, single-source data or aggregated data. Or, it could resolve the case on a very narrow holding and, disagreeing with Judge Stranch, defer to the political branches, including Congress, to draw the line between privacy and security.

 

Congress

If the Court does defer, Congress’s action in the upcoming reauthorization debate of Section 702 of the Foreign Intelligence Surveillance Act (FISA) may become that much more significant. 

FISA Section 702, set to expire at the end of 2017, permits the government to conduct surveillance, without a warrant, in order “to obtain foreign intelligence for national security purposes [that] is directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States.” It is a foundational surveillance authority of tremendous utility. But it is vulnerable because, while a tool of foreign surveillance, it does not prohibit what is essentially inevitable: “incidental” collection and retention of overseas communications that may include or concern U.S. persons (USPs). Section 702 also does not prohibit querying the 702 database, or information gathered under the authority of 702, using USP identifiers (e.g., a name or a phone number) to see if there are any matching results. Constitutional support for the program has traditionally resided in the often-upheld argument that querying the 702 database is not a search under the Fourth Amendment because the information has already been lawfully collected. It is not unlike the plain view doctrine, in which police who are lawfully in a home for one purpose can collect evidence of other crimes that are in plain view.

There is, therefore, also a third-party aspect to Section 702.  In the government’s efforts to collect information on foreign powers or agents of foreign powers, an unsuspecting individual becomes the third party who may have his or her information incidentally collected—a probability that increases with more means of digital communications—and then searched via FBI USP queries.

This precise Section 702 issue is not scheduled to be before the Supreme Court, but a larger third-party holding in Carpenter could impact it, even if Congress acts before the Court.

If, on the other hand, the Court issues a narrower holding, Congress will remain the institution to decide whether to reauthorize Section 702 and whether to make any privacy-centric reforms, particularly to incidental collection and querying the 702 database with USP identifiers.  For example, Congress could prohibit USP queries outright, permit them only for potential victims of crimes or terrorist events or permit them with some heightened judicial showing, either before—with exigency procedures—or after the fact. It could also preserve the core authority while making some reforms, such as limiting the retention or access period for USP information, heightening auditability requirements for unmasking USP information and increasing the use of amici curiae.  Some versions of these latter reforms have been circulated recently by the House Judiciary Committee.

But, even a more limited Supreme Court holding confined to metadata could have a ripple effect on FISA.  In 2015, Congress reauthorized FISA Section 215, the so-called telephone metadata program, which Snowden brought to the world’s attention and which is directly grounded in the third-party doctrine.  Like CSLI, telephone metadata does not involve content, rather it encompasses information about calls kept by telephone companies for billing and other business purposes.  After a very contentious debate, Congress reauthorized Section 215, but it made a series of privacy-enhancing reforms, specifically ending “bulk collection” of that metadata and requiring prior judicial authorization to access that information.  A decision in the Carpenter case could certainly impact the 215 program, something the Court should be made aware of before it decides how broad a ruling to issue.

 

Global Impact

U.S. decisions can have broad implications both at home and abroad, especially in those countries that are also working to define their lines between privacy and security in the digital age.

Take Europe for example.  The definition of personal data is set to expand under the European Union General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018, and will soon explicitly include “location data.”  The European Convention on Human Rights, an international treaty drafted in the immediate aftermath of the Second World War, contains a series of core principles that promote human rights.  Article 8 sets out that everyone has the “right to respect for his private and family life, his home and his correspondence.”  That core principle is further defined in the EU Charter of Fundamental Rights, which requires states to ensure, among other things, that every person “has the right to the protection of personal data concerning him or her,” and that such data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”

GDPR will further define it to explicitly include location data, setting up a potential conflict of laws, especially for U.S. companies that do business in Europe.

While any broad U.S. Supreme Court pronouncements on this issue are unlikely to be adopted as persuasive authority by European courts, in which the privacy analysis is done on a case-by-case basis (and, especially after GDPR goes into effect, with a presumption in favor of an expectation of privacy in location data), there is an extraterritorial dimension of the GDPR which could substantially affect the privacy analysis with respect to U.S. organizations that routinely process EU citizens’ personal data.

In other words, government requests for consumer information that would not violate the Fourth Amendment might run afoul of the GDPR, thus setting up a conflict between U.S. and EU law.

Where this conflict would be most felt is for those U.S. companies that come under GDPR requirements. The extra-territorial effect of GDPR is more extensive than many realize.  For example, the GDPR could directly apply if a U.S. organization is monitoring the activity of individuals in the EU, or if it is offering its goods or services to individuals located there.  Similarly, the GDPR will apply if the U.S. organization collects or hosts personal data as a service provider to an EU business which is itself subject to the GDPR.  This means that such an organization will be required to comply with the GDPR, and also face potentially substantial penalties—a maximum of the greater of 4 percent of the global turnover for the preceding financial year or €20 million—for failing to comply with these obligations.

Furthermore, the GDPR provides that any third country “judgment of a court” requiring a controller or processor “to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty [MLAT], in force between the requesting third country and the Union or a Member State….”

It could then follow that U.S. companies which are subject to the GDPR may be in an unenviable position when they are required to comply with a warrant, outside of an MLAT, with respect to location information held in Europe or that relates to European individuals. Those U.S. companies may find themselves on the horns of a dilemma in which they can either: face sanctions for not complying with the U.S. warrant for location information; or comply with the warrant but be in breach of the GDPR.

Previous third-party related surveillance issues have already caused conflicts between the United States and Europe.  The bulk collection program under FISA Section 215, for example, was a key factor in the Court of Justice of the European Union’s (CJEU) decision to deem the Safe Harbor agreement between the European Commission and the United States invalid.  The Court felt that the Safe Harbor agreement allowed for government interference with the privacy protections required by EU legislation, and therefore, the European Commission, by entering into the Safe Harbor agreement, violated Articles 7 and 8.  The outcome of the decision was to deem any transfers made under the Safe Harbor decision unlawful and required the implementation of the Privacy Shield, a redesign of the Safe Harbor agreement that also required additional US legislative safeguards.  While the Privacy Shield agreement has recently passed its annual review, there are indications that, privately, there are concerns on both sides with respect to its operation.

Similar concerns about government interference were a key factor in the recent referral by the Irish Courts to the CJEU in DPC v Facebook Ireland and Maximillian Schrems, which related to the use of Model Contract Clauses to transfer personal data to the United States, and which stresses the continuing sensitivity of the issue.

 

The Stakes are High

The upcoming months may prove to be a watershed for the third-party doctrine, and for the larger debate over the appropriate balance between privacy and security. What is decided in the United States will also have impacts beyond its borders, especially where personal data belonging to non-U.S. residents are being processed by U.S. businesses or within the United States, and could give rise to judicial and legislative conflicts between the United States and Europe.

Ultimately, the stakes are high, and the equities on both sides of the privacy and security debate equally important.  The truth that should guide both the Court and Congress is that there is no true privacy without security, and no true security without privacy.  Bright lines may be elusive, but reasonable doctrines and statutory lines can—and increasingly must—be drawn.  

[syndicated profile] techdirt_feed

Posted by Cathy Gellis

First, if you are someone who likes stepped-up ICE immigration enforcement and does not like "sanctuary cities," you might cheer the implications of this post, but it isn't otherwise directed at you. It is directed at the center of the political Venn diagram of people who both feel the opposite about these immigration policies, and yet who are also championing SESTA. Because this news from Oakland raises the specter of a horrific implication for online speech championing immigrant rights if SESTA passes: the criminal prosecution of the platforms which host that discussion.

Much of the discussion surrounding SESTA is based on some truly horrific tales of sex abuse, crimes that more obviously fall under what the human trafficking statutes are clearly intended to address. But with news that ICE is engaging in a very broad reading of the type of behavior the human trafficking laws might cover and prosecuting anyone that happens to help an immigrant, it's clear that the type of speech that SESTA will carve out from Section 230's protection will go far beyond the situations the bill originally contemplated.

Some immigration rights activists are worried that ICE has recently re-defined the crime of human trafficking to include assistance, like housing and employment, that adults provide to juveniles who come to the United States without their parents. In many cases, the adults being investigated and charged are close relatives of the minors who are supposedly being trafficked.

Is ICE simply misreading the trafficking statutes? Perhaps, but it isn't necessarily a far-fetched reading. People in the EU who've merely given rides to Syrian (and other) refugees tired from trekking on foot have been prosecuted for trafficking. Yes that's Europe, not the US, but it's an example of how well-intentioned trafficking laws can easily be over-applied to the point that they invite absurd results, including those that end up making immigrants even more vulnerable to traffickers than they would have been without the laws.

So what does that have to do with SESTA? SESTA is drafted with language that presumes that sex trafficking laws are clearly and unequivocally good in their results. And what that Oakland example suggests is that this belief is a myth. Anti-immigrant forces within the government, both federal and state, can easily twist them against the very same people they were ostensibly designed to protect.

And that means they are free to come after the platforms hosting any and all speech related to the assistance of immigrants, if any and all assistance can be considered trafficking. The scope of what they could target is enormous: tweets warning about plain-clothed ICE agents at courthouses, search engine results for articles indicating whether evacuation centers will be checking immigration status, online ads for DACA enrollment assistance, or even discussion about sanctuary cities and the protections they afford generally. If SESTA passes, platforms will either have to presumptively censor all such online speech, or risk prosecution by any government or state entity with different views on immigration policy. Far from being the minor carve-out of Section 230 that SESTA's supporters insist it is, it instead is an invitation to drive an awful lot of important speech from the Internet that these same supporters would want to ensure we can continue to have.




[syndicated profile] techdirt_feed

Posted by Karl Bode

In a healthy, competitive market, cable providers would respond to the growing threat of streaming video competition by lowering prices, improving their historically awful customer service, and giving consumers more flexible cable bundles.

But because these same cable operators enjoy a growing monopoly over the uncompetitive broadband market -- they don't have to do that. Instead, they've found that the easiest response to added competition on the TV front is to impose a relentless array of rate hikes on captive broadband customers. There's a myriad of ways they accomplish this, ranging from misleading hidden fees that jack up the advertised price (something they're being sued for), to usage caps and overage fees (which let them not only charge more money for the same service, but hamstring streaming competitors via tricks like zero rating).

But with the U.S. entering a period of rubber stamp regulators, and a lack of telco upgrades resulting in less competition than ever, Wall Street is pressuring cable operators to also jack up the standalone price of broadband services outright. New Street Research analyst Jonathan Chaplin recently predicted that a lack of broadband competition could allow cable providers like Comcast to double already expensive broadband prices over the next year. UBS analyst John Hodulik issued a research note the same week stating that cable operators should specifically jack up the price of standalone broadband service to $80 to $90 per month.

Not too surprisingly, cable operators are already heeding these demands. Analysis from Morgan Stanley this week indicated that cable operators had already hiked the cost of standalone broadband 12% from last year's rates:

"In a note to clients Tuesday, Morgan Stanley said that based on its own survey, cable TV companies hiked broadband prices by 12% to $66 monthly from a year earlier for customers that buy only high-speed internet and not a TV package.

"As video revenue growth is increasingly pressured, leaning on data pricing is tempting to sustain earnings," said Benjamin Swinburne, a Morgan Stanley analyst in a report."

Tempting, indeed. Especially when there's neither healthy market competition nor regulatory oversight there to stop companies like Comcast and Charter from doing so. Of course this is before you factor in all manner of additional costs that await consumers over the next few years, from the problems that will be caused by the mindless gutting of popular net neutrality protections, to the Trump administration's gutting of privacy rules that would have stopped ISPs from their stated goal of charging users more money if they want to protect their own privacy.

And instead of creating policies aimed at improving competition in what's clearly not a healthy market, the Trump administration's FCC is engaged in the mindless gutting of consumer protections, and the manipulation of data to try and pretend the broadband market's obvious problems don't actually exist.

[syndicated profile] lawfare_feed

Posted by Elsa Kania

The artificial intelligence (AI) revolution is creating new challenges for law, policy, and governance at domestic and international levels. Although advances in AI could cause productivity growth and spark a new industrial revolution, current trends in robotics and automation will likely cause unprecedented economic dislocation, particularly by replacing low-skilled jobs. Projected to increase GDP by 14% as of 2030, AI is on track to become a critical accelerant of global economic growth. Yet the greatest economic benefits from AI will likely go to China and the United States, with more modest gains in growth and productivity for developing countries. Such uneven distribution of AI’s benefits could exacerbate inequality, resulting in higher concentrations of wealth within and among nations. In addition, algorithmic bias tends to compound human and systemic biases, compounding societal inequities. Concurrently, international competition to leverage military applications of AI has provoked concerns of an “AI arms race.” Looking forward, these trends could disrupt domestic and international politics alike.

Despite dedicated attempts to ensure “AI for good,” the AI revolution could thus intensify existing disparities of power. Russian President Vladimir Putin recently declared, “Whoever becomes the leader in [AI] will become the ruler of the world.” As I’ve written before, advances in AI could transform, or even revolutionize, military capabilities. For this reason, China has articulated its ambitions to “lead the world” in AI by 2030, intending to leverage AI as a “new engine for economic growth” and guarantor of national defense. Such ambitions threaten the U.S. private sector’s dominance in AI, as China has started to outperform the U.S. across a number of metrics, including numbers of publications and patents. (Beyond mere quantitative superiority, Chinese research teams dominated the last ImageNet competition, an AI contest for image recognition, and, in the inaugural WebVision challenge, the successor to ImageNet, Chinese AI start-up Malong Technologies bested over 100 competitors.) The continued competition among superpowers—and, perhaps more importantly, among the world’s top technology companies—to advance in AI could spur innovation for positive purposes, like enhancing human well-being, or could cause unanticipated negative consequences.

Going forward, national policy choices and international engagement will inherently influence the trajectory of AI’s development. The potential for AI policy—as well as the underlying question of whether AI should be regulated—has started to provoke debate, despite sometimes being dismissed as premature. At a domestic level, national governments looking to enhance their respective nations’ competitiveness in the AI revolution might look to policies that target strategic investments in cutting-edge research and development (R&D), education and recruitment of leading talent in the field, and open-sourcing and availability of data and platforms for AI development. To mitigate adverse effects of AI, governments might focus on issues like workforce adjustment, even universal basic income, and measures to ensure the safety of and correct for potential bias in AI systems.

At the international level, nation-states, the private sector, and civil society will all have roles to play in establishing norms and devising legal and ethical frameworks involving the use of AI-enabled and autonomous systems. For instance, the UN Group of Government Experts, working under the Convention on Certain Conventional Weapons, has explored the risks of lethal autonomous weapons systems (LAWS). This summer, the AI for Good Global Summit also highlighted the potential for international cooperation to ensure that AI enhances “humanity’s grand challenges,” such as advancing the UN’s sustainable development goals. 

Despite a promising start, the U.S. government has achieved only limited progress in these dimensions of AI leadership. The Obama administration notably published three reports on the future of AI in late 2016, considering factors like economic issues, workforce challenges, and R&D. These reports highlighted critical policy issues, including the importance of greater funding for R&D, the imperative of expanding the AI workforce, and the overarching objective to take advantage of the economic opportunities that the AI revolution offers, while mitigating the adverse impacts on the U.S. workforce. However, it is unclear whether these policy issues will remain a priority under the present administration. To date, the Office of Science and Technology Policy (OSTP), which played a leading role in these efforts, has remained almost empty, thus perhaps depriving the administration of critical expertise to carry forward a national strategy in AI. In the meantime, these same recommendations may have inspired Chinese policymakers.

At present, U.S. engagement with these issues remains fairly nascent, and it is unclear whether the current administration will build upon those reports from late 2016. The latest proposed budget would cut AI research at the National Science Foundation by 10%, to a mere $175 million, as the continued decline in U.S. government funding for basic research has provoked concerns of an “innovation deficit.” Despite predictions that automation could cause levels of unemployment exceeding the Great Depression, U.S. Treasury Secretary Steve Mnuchin has stated that AI workforce issues are “not even on our radar screen.” However, already, technology has become (subscription required) a more powerful driver of job losses than trade and globalization. As today’s trends towards greater automation exacerbate these dynamics, the U.S. education system continues to underperform in STEM and is not adequately educating today’s students for future job opportunities.

Beyond questions of competitiveness, the U.S. also has yet to create a clearer framework of laws and policies to address AI safety and bias. These issues will become more acute as self-driving cars hit the roads and algorithms become ever more pervasive. It also remains unclear whether the U.S. government will remain diplomatically engaged with the international dimension of AI issues, as through the GGE on LAWS, or seek to lead the creation of norms or frameworks for the use of AI in warfare.

Concurrently, beyond its quest for technological leadership in AI, China’s government is actively seeking to create a comprehensive framework for national policy and strategy in AI. In July 2017, the Chinese government released the New Generation AI Development Plan, which formulates an ambitious and relatively comprehensive agenda for advances in AI. Although elements of the plan remain vague and aspirational, its release reflects the high-level focus on these issues and prioritization of continued progress. China’s National Development and Reform Commission has approved the establishment of China’s National Engineering Laboratory of Deep Learning Technology, led by Baidu. The Ministry of Science and Technology will create (link in Chinese) an AI Plan Promotion Office to oversee and advance the plan’s implementation, likely including a multibillion-dollar funding effort for next-generation research and development. The Ministry of Industry and Information Technology (MIIT) also seeks (link in Chinese) to take a leading role in China’s AI policy, such as through developing industry-specific AI action plans that are supplemented by policies at the provincial, and even municipal, levels. In addition, China’s Ministry of Education will take responsibility for the creation of new educational programming to create a pipeline of AI talent and retrain workers displaced by AI in order to mitigate issues of social instability that might arise.

Although these efforts are only in their early stages, the plan highlights a number of priorities for China’s future AI policy. Of note, the plan addresses issues of AI safety, calling for the establishment of an AI safety supervision and evaluation system focusing on both issues of employment and social ethics. This system will include a robust regulatory mechanism that allows for oversight, such as through standards and testing methods, to ensure the safety and performance of AI products and systems. The plan also calls for China to develop laws, regulations, and ethical norms that promote the development of AI, while calling for greater research on these legal, ethical, and social issues. Certainly, these dimensions of AI policy are, in the abstract, positive and important objectives for the Chinese government to pursue. However, the ethical concerns guiding the development of AI in China will be informed by the interests and imperatives of the Party-State, thus likely diverging from the focus on these issues in the U.S. The same plan also calls for the use of AI to enhance “social management,” such as automating censorship and surveillance. It is clear that big data has already become a tool for social control. The emergence of AI-enabled mechanisms of social control in China could reinforce the regime’s control and might even proliferate to other authoritarian systems, potentially undermining human rights worldwide in the process. 

Looking to the future, it is clear that becoming a world “leader” in AI will require not only technological innovation but also policy choices. Since the release of its new plan, it is clear that China is actively formulating a national strategy to leverage AI, while planning to actively participate in the future “global governance” of AI. The U.S. must work towards implementing its own national strategy to ensure economic competitiveness and national security with a focus on human capital, strategic investments, and greater public-private partnership. At a time when the perceived U.S. retreat from international engagement has created an opening for China to fill, Chinese leadership plans to deepen international cooperation on AI laws, regulations, and global norms. At the international level, the U.S. should also look to exercise leadership on AI governance issues, including the risks of AI to military and strategic stability. If the U.S. seeks to remain a global leader in AI, these challenges will merit serious and continued consideration—and rapid action.