3
Dec

2016 claims another victim: Your privacy


In a blow to privacy on par with the Patriot Act, changes to the rules around warrants grant the US government unprecedented hacking powers in any jurisdiction, and on as many devices as they want.

The changes to a measure known as Rule 41 were made earlier this year but went into effect Thursday after lots of opposition. Basically they let any judge issue a warrant to remotely access an unlimited number of computers and devices located in any jurisdiction. There was plenty of objection from senators and congresspeople, groups like the Center for Democracy and Technology, and companies such as Google, who said it’s unconstitutional and invades citizens’ rights to privacy.

All that came to a head this week when months of opposition and requests for inquiry and review came to nothing. In Congress, a bipartisan bill called the Review The Rule Act was introduced, but it failed in Washington on Wednesday afternoon.

In a last-ditch effort, civil society organizations, trade associations, and companies sent a letter to lawmakers dated November 21 pleading to delay the implementation of Rule 41’s changes and subject them to further review. “The consequences of this rule change are far from clear, and could be deleterious to security as well as to Fourth Amendment privacy rights,” they wrote.

The letter explained the changes “could be abused to obtain a single warrant to search millions of targets” and “would allow a judge to issue a warrant that would permit law enforcement to search the computers of hundreds of entirely innocent crime victims without their consent.” It’s kind of like searching all the houses on your block, without clearing with the owners first, just to find one bad guy.

Also concerned were 22 senators and congresspeople, who wrote the Attorney General at the Department of Justice in October with a lot of specific questions about implementation.

The DoJ responded to the lawmakers in kind, with a letter. It didn’t answer their questions. Instead, the DoJ reminded them that the use of remote searches isn’t new, and that warrants for these searches are already issued under Rule 41, including ones for multiple computers. Warrant applicants will still have to get the proper probable cause ducks in a row for the judge, they assured.

But of course it remains to be seen whether or not the judges will actually understand what it is they’re rubber-stamping approval for. The letter was also pretty light on explaining the part where if someone gets hacked, the FBI gets to poke around in their computers or devices without the user’s consent — or knowledge until after the fact.

By examining the DoJ’s response, it’s easy to tell that this whole messy mix of desires and half-cocked protectionism is slightly personal for the authorities. The main thrust of Rule 41’s changes is dealing with their ongoing irritation with the online anonymity tool Tor. The main changes to search warrants and jurisdiction, they said, specifically apply to when a suspect is using anonymizing software. They named Tor specifically.

In that letter the DoJ included a long digression about Tor and the FBI’s investigation into a vile darknet child sexual exploitation website called Playpen. The FBI had taken control of the site and exploited vulnerabilities in Tor to unmask visitors, some of whom are currently being prosecuted. They said that despite successes with the Playpen investigation, “Federal courts have ordered the suppression of evidence in some of the prosecutions because of the lack of clear venue in the current version of Rule 41.”

Pedos can die in a million fires; unquestionably this is the kind of fighting we want to see the FBI doing, as long as it’s being done properly. Consider the FBI’s willingness to take over darknet sites and own site visitors, and it shines a fresh light on how things are about to change in the world of underground sites.

With the legal framework to make anything they find stick, it’s safe to say that the golden age of buying illegal stuff on the darknet is over. It also feels increasingly like the use of anonymity tools automatically makes you a suspect, which is already true in repressive regimes around the world who target Tor users.

Your computer is now a “crime scene”

Where Rule 41’s changes get weirder is when it comes to botnet victims. The DoJ made a case in its letter that the warrant changes are needed for investigation when the victims of computer crime (botnet and ransomware) reside in different jurisdictions. In a blog post, U.S. Assistant Attorney General Leslie Caldwell likened the computers of botnet victims to a crime scene — that they need access to.

Unlike a regular warrant for search, where the homeowner is notified by authorities before they enter and search the premises, targets under Rule 41 are only notified after they’ve been hacked and searched.

Imagine the FBI breaks into and enters your house in order to find out who you are, to tell you that your house was burgled. And after, they’re like oh, here’s our paperwork that gave us permission to burgle you in the first place.

On one hand, I get what they’re trying to do here, sort of. They’re attempting to deal with things like the Mirai botnet, which shut down half the internet (and is still a growing threat). To do that, current thinking is to intervene and stop the attacks on the victims’ devices. Which means accessing the computers and DVRs of people who don’t know they’re infected with a botnet.

Except trying to fight botnets by expanding FBI hack and search powers is a quick-and-dirty but highly problematic way to solve this problem. Not to mention how horribly it could be abused. If there’s anything we learned from the Silk Road bust, it’s that if there’s a chance for abuse, there exists someone within the authorities who considers it a chance worth taking.

Combine the anonymity tool unmasking intentions, and the interest in accessing botnet victims’ devices, and now there’s a whole lot of people who are gonna get legally hacked by their own government. Thinking about what this means under a Trump presidency gives it all a much darker cast.

Our president-elect is unapologetically vindictive, openly advocates hacking his opponents, and has called for expanding the NSA’s domestic spying programs — abuse seems all but unavoidable. International cyberwar incidents also appear highly likely, because no one’s said jack about what happens when one of the computers the FBI hacks, surveils, and gathers evidence from is across a border.

I suppose we’ll find out.

Image: stevanovicigor/Getty (Hooded figure)

3
Dec

FCC accuses AT&T and Verizon of violating net neutrality


The FCC has a few things to say about AT&T and Verizon’s takes on net neutrality. Jon Wilkins, the commission’s chief of wireless telecommunication, wrote separate letters to both telcos highlighting concerns about recent zero-rating moves — when consumed data doesn’t count against your monthly allotment.

In a letter to AT&T’s Robert W. Quinn, Jr., Wilkins said he was concerned that AT&T’s Sponsored Data program “denies unaffiliated third parties the same ability to compete over AT&T’s network on reasonable terms.” The issue here is that AT&T is not offering discounted data rates to outside service providers. Instead, it’s giving its newly acquired DirecTV preferential treatment when it comes to how streaming video will affect your monthly data cap.

Using the company’s own example against it, the FCC said that a video provider would have to pay $16 a month for zero-rated service (when data use doesn’t count against your monthly allotment). Should a customer bump up to 30 minutes of use in a day, the provider would have to pay $47.

“These costs alone would represent 46 percent to 134 percent of DirecTV Now’s $35 retail price,” Wilkins elaborated. The worry here is that as more people start using more data-hungry mobile services, it’s going to get harder and harder for third-party providers to compete against the likes of DirecTV, in AT&T’s case. “By contrast, AT&T incurs no comparable cost to offer its own DirecTV Now service on a zero-rated basis,” Wilkins wrote.

Further, Wilkins called out AT&T’s misleading evidence that what it’s doing is similar to what the FCC has approved prior. “In each of those cases, however, the validity of the comparisons between rates charged to affiliates and rates charged to third-party competitors were reinforced and accompanied by additional restrictions… No such safeguards are present here.”

Wilkins said that the FCC remains “very concerned” about the unfair playing field AT&T is trying to construct here and is worried that this would extend beyond just video providers in the future. AT&T has until December 15th to respond.

Verizon, on the other hand, is under the microscope for its “FreeBee Data 360” offering that gives preferential treatment to providers on the Go90 video platform. The concern there is that this could extend to its FiOS home internet service, and, again, provide an unfair advantage to its home-grown offerings.

“While there is no cash cost on a consolidated basis for Verizon to zero-rate its own affiliated edge service, an unaffiliated edge provider’s FreeBee Data 360 payment to Verizon is a true cash cost that could be significant,” Wilkins wrote. “Unaffiliated edge providers not purchasing FreeBee Data 360 would likewise face a significant competitive disadvantage in trying to serve Verizon’s customer base without zero-rating.”

People will naturally flock toward a service that doesn’t go against their data cap because of how Verizon has set up its content deals. Verizon stands to benefit, as customers are likely to choose the cheapest option they can — which will be its own. “Verizon customers subscribing to Verizon’s own zero-rated Go90 services would not encounter these cost or impacts,” Wilkins wrote. Like AT&T, Verizon has until December 15th to address the FCC’s concerns.

It’s worth noting that T-Mobile has similar deals in place with its “Binge On” offering, but since it doesn’t own the services, it’s less of a conflict of interest.

We’ve reached out to AT&T and Verizon for more information and will update this post should it arrive.

Update: AT&T has responded with the following statement:

“These are incredibly popular free services available to millions of customers. Once again, we will provide the FCC with additional information on why the government should not take away a service that saves consumers money.”

Source: The Verge (PDF) (1), (2)

3
Dec

Apple Store App for iOS Updated With Rich Notifications, One-Tap Apple Watch Purchases


Apple today updated its Apple Store app for iOS to version 4.1, adding support for rich notifications and expanding the functionality of the Apple Store app on the Apple Watch.

Rich notifications, available in iOS 10, deliver more information than a standard notification and in many cases, are interactive, so you can do more without having to unlock your phone.

In addition to supporting iOS 10’s new notification system, the Apple Store app for Apple Watch has been updated with a new feature that allows customers to make one-tap purchases from their “Favorites” list.

Items added to the Favorites list on iOS or the web will be visible on the Apple Watch and can be purchased by tapping on them on the Apple Watch. Apple Pay is used to make the purchase, so a device with Apple Pay and an available credit or debit card is required.

According to Apple’s release notes, today’s update also includes unspecified improvements and performance enhancements.

The Apple Store app can be downloaded from the iOS App Store for free.

3
Dec

AT&T and Verizon Facing FCC Scrutiny After Exempting Their Own Apps From Data Caps


Both AT&T and Verizon offer apps and streaming services that don’t count against the data cap they impose on customers, a practice that the United States Federal Communications Commission does not approve of.

The FCC this week sent letters (via The Verge) to both Verizon and AT&T, claiming that the data cap exemptions, called “zero rating,” raise net neutrality concerns and could impact consumers and competition.

AT&T and Verizon each offer programs that allow content providers to pay a fee to be exempted from customer data caps, programs that they themselves take advantage of with their own apps and services.

DirecTV Now, AT&T’s recently introduced streaming television service, does not use data when streamed on the AT&T network, for example. DirecTV Now pays for the data, but as an AT&T subsidiary, AT&T is just paying itself. Verizon, meanwhile, exempts its own Go90 streaming service from using data on the Verizon network and does not pay fees to do so.

The FCC first sent a warning to AT&T in early November, but was not pleased with the response it received from the company. In this week’s letter, the FCC says that it has come to the “preliminary” conclusion that the Sponsored Data program inhibits competition, harms consumers, and violates Open Internet rules. It asks AT&T to answer a series of questions about its Sponsored Data practices.

“We find that those responses fail to alleviate the serious concerns expressed in our November 9 letter regarding the potential anti-competitive impacts of a wholesale Sponsored Data program for zero-rated mobile video services. Indeed, your submission tends to confirm our initial view that the Sponsored Data program strongly favors AT&T’s own video offerings while unreasonably discriminating against unaffiliated edge providers and limiting their ability to offer competing video services to AT&T’s broadband subscribers on a level playing field.”

A similar letter sent to Verizon expresses concern over the “FreeBee Data 360” program and says it has the potential to “hinder competition and harm consumers” because Verizon does not need to pay to participate in the Sponsored Data program when it exempts its own app, but competing content providers do.

“The position that the participation of Go90 in FreeBee Data 360 is the same as that of third parties, however, fails to take account of the notably different financial impact on unaffiliated edge providers. For example, while there is no cash cost on a consolidated basis for Verizon to zero-rate its own affiliated edge service, an unaffiliated edge provider’s FreeBee Data 360 payment to Verizon is a true cash cost that could be significant.”

AT&T and Verizon have responded to the letters sent by the FCC in statements given to the media. AT&T says the government should not take away a service that’s saving customers money, while Verizon says its practices are good for consumers, non-discriminatory, and consistent with the rules.

The two carriers have been given a December 15 deadline to respond to the FCC’s concerns.

Tags: FCC, AT&T, Verizon