TechDirt 🕸

We've talked about so many problems with the EARN IT Act, but there are more! I touched on this a bit in my post about how EARN IT is worse than FOSTA, but it came up a bit in the markup last week, and it showed that the Senators pushing for this do not understand the issues around the knowledge standard required here, and how various state laws complicate things. Is it somewhat pathetic that the very senators pushing for a law that would make major changes impacting a wide variety of things don't seem to understand the underlying mechanisms at play? Sure is! But rest assured that you can be smarter than a senator.

First, let's start here: the senators supporting EARN IT seem to think that if you remove Section 230 for a type of law-violating content (in this case, child sexual abuse material, or CSAM), that magically means that website will be liable for that content -- and because of that they'll magically make it disappear. The problem is that this is not how any of this actually works. Section 230 expert and law professor Jeff Kosseff broke the details down in a great thread, but I want to make it even more clear.

Today's EARN IT Act markup had a lot of discussion about what mens rea would be necessary for platforms to face civil liability for distributing CSAM. The discussion wasn't terribly clear, so I'm going to try to break down what we do know about the legal standards.

— Jeff Kosseff (@jkosseff) February 10, 2022

As a reminder, Section 230 has never been a "get out of jail free" card, as some of its critics suggest. It's a procedural benefit that gets cases that would otherwise lose on 1st Amendment grounds tossed out at an earlier stage (when it's much less costly, and thus, much less likely to destroy a smaller company).

So, here, the senators supporting EARN IT seem to think, falsely, that if they remove Section 230 for CSAM that (1) it will make websites automatically liable for CSAM, and (2) that will somehow spur them into action to take down all CSAM because of the legal risk and that this will somehow make CSAM go away. Both of these assumptions are wrong, and wrong in such stupid ways that, again, EARN IT would likely make problems worse, not better. The real problem underlying both of these is the question of "knowledge." The legal folks like Jeff Kosseff dress this up as "mens rea" but the key thing is about whether or not a website knows about the illegal content.

This impacts everything in multiple ways. As Kosseff points out in his thread, Supreme Court precedent (which you would know if you read just the first chapter of his Section 230 book) says that for a distributor to be held liable for content that is not protected by the 1st Amendment, it needs to have knowledge of the illegal content. Supporters of EARN IT counteract with the correct, but meaningless, line that "CSAM is not protected by the 1st Amendment." And, it's not. But that's not the question when it comes to distributor liability. In Smith v. California, the Supreme Court overturned a conviction of Eleazar Smith (his bookstore sold a book the police believed was obscene), noting that even if the book's content was not protected by the 1st Amendment, the 1st Amendment cannot impose liability on a distributor, if that distributor does not have knowledge of the unprotected nature of the content. Any other result, Justice Brennan correctly noted, would lead distributors to be much more censorial, including of protected speech:

While there are some other cases, this remains precedent and it's difficult to see how the courts would (or could) say that a website is strictly liable for content that it does not know about.

This creates a bunch of problems. First and foremost, removing 230 in this context then gives websites not an incentive to do more to find CSAM, but actually to do less to find CSAM, because the lack of knowledge would most likely protect them from liability. That is the opposite of what everyone should want.

Second, it creates various problems in how EARN IT interacts with various state laws. As we've pointed out in the past, EARN IT isn't just about the federal standards for CSAM, but it opens up websites to legal claims regarding state laws as well. And the knowledge standards regarding CSAM in state laws is, literally, all over the map. Many do require actual knowledge (which again, reverses the incentives here). Others, however, have much more troubling standards around "should have known" or "good reason to know" or in some cases, they set a standard of "recklessness" for not knowing.

Some of those, if challenged, might not stand up to 1st Amendment scrutiny, such as what's found in Smith v. California, which should require actual knowledge, but either way the law would create a huge mess -- with it mostly incentivizing companies not to look for this. And considering that the sponsors of the bill keep saying that the whole reason of the bill is to get companies to do more looking for CSAM, they've literally got the entire law backwards.

What's most troubling, is that when Senator Blumenthal was pushed on this point during the markup, and it was mentioned that different states have different standards, rather than realizing one of the many (many) problems with the bill, he literally suggested that he hoped more states would change their standards to a potentially unconstitutional level, in which actual knowledge is not required for liability. And that's just setting up a really dangerous confrontation with the 1st Amendment.

If Senator Blumenthal and his legislative staffers actually cared about stopping CSAM, they would be willing to engage and talk about this. Instead, they refuse to engage, and mock anyone who brings up these points. Perhaps it's fun for them to generate false headlines while fundamentally causing massive problems for the internet and speech and making the CSAM problem worse while pretending the reverse is happening. But some of us find it immensely problematic.

ID.me -- the facial recognition company that has managed to snag several lucrative contracts -- has gotten the brushback from perhaps its most lucrative government partner, the IRS. ID.me promised government agencies better control over distributions of unemployment benefits and other payments to the public, citing its own (unexamined) prowess at recognizing faces as well as an astounding claim that governments have been duped out of $400 billion in unemployment benefits by fraudsters -- a claim it has yet to back up with actual evidence.

That the pitch worked so well isn't a surprise. After all, governments hate to give money to taxpayers and most governments have deficits they'd like to trim down. Anyone promising millions in savings is bound to be given a second, third, or fourth chance even after it's become obvious claims about fraud are, at best, dubious, and that the company can't really do the job it promised to do: eliminate fraud.

Misspending tax dollars is a national pastime. The bizarre embrace of ID.me is no exception. The IRS may have walked back its reliance on ID.me for identity verification, but problems persist. States are still relying on ID.me, even if the feds aren't. And ID.me doesn't seem to have the personnel on hand to backstop questionable calls by its facial recognition tech, as Corin Faife reports for The Verge.

Internal documents and former ID.me employees say the company was beset by disorganization and staffing shortages throughout 2021, as shortcomings in the automated systems created tensions among the company’s workforce, particularly the human verification workers who have to step in when the algorithms fail. Even now, the company plays a central role in how claimants access benefits across the United States — working on behalf of 27 state-level uninsurance employment programs to verify applicants — and the underlying issues are far from settled.

Current and former employees who spoke to The Verge paint a picture of a company described as being in “permanent crisis mode,” changing policies rapidly to keep up with fluctuating demand for its services and fight a slew of negative press. In particular, they say a lack of human review capacity has been a chokepoint for the company, leading to stress, pressure, and a failure to meet quality standards.

This verifies accusations raised earlier by other critics of ID.me -- critics who were forced to become users of faulty systems due to several states making ID.me the barrier between claimants and their benefits. Those locked out of their benefits complained the company offered few options for review of their supplied info. ID.me claimed it was performing reviews on the regular, but social media comments suggested this simply wasn't true. Actual humans were nearly impossible to reach. This report confirms what was suspected: the company simply did not have enough humans employed to deal with the problems generated by its verification processes.

Claimants were given no option but to put all their biometric eggs into one malicious hacker-tempting basket owned and operated by ID.me. When glitches separated people from their payments, the company's CEO blamed users for not being better at using an entirely new verification system. When these problems persisted, the CEO claimed most false negatives were actually the company thwarting fraudsters.

But ID.me can be duped. And it can be duped fairly easily it seems. A Washington Post report shows one person illicitly secured nearly $1 million in unemployment benefits using little more than an extremely obvious wig.

[D]espite the scale of the data gathering by the company, ID.me, revealed in newly released records, the system has been exploited by scammers. Federal prosecutors last month said a New Jersey man was able to verify fake driver’s licenses through an ID.me system in California as part of a $2.5 million unemployment-fraud scheme.

ID.me has pointed to the scam as an example of how well its systems work, noting that it referred the case to federal law enforcement after an internal investigation. But the criminal complaint in the case shows that ID.me’s identification systems did not detect bogus accounts created around the same day that included fake driver’s licenses with photos of the suspect’s face in a cartoonish curly wig.

I mean… [images via DOJ criminal complaint]:

Humans might have been able to shut this fraud down immediately. But it's clear ID.me doesn't have enough humans and is relying on mostly unproven tech to decide who is or isn't entitled to government benefits.

The IRS's walk-back on ID.me use may end up causing at least as many problems as it solves, unfortunately. The IRS also suffers from a shortage of humans and now they will be expected to do more with less outside assistance as tax return season shifts into high gear. By the time the IRS was forced by public and Congressional pressure to make a change, it was already up to its eyeballs in returns. Taxpayers can now expect delays ranging from several weeks to several months at least partially as a result of the agency's regrettable decision to do business with ID.me and its questionable track record.

YouTube's Content ID automated copyright system sucks. There, I said it. Any review of the different posts we've done specifically on the topic of Content ID can only leave you with one impression: the system doesn't work. Not that it never works, of course, but when you build a system that is designed specifically to allow 3rd parties to take down speech content, that system had damned well better not be wide the hell open for abuse or laughable errors. Well, guess what? You've got your music labels getting works taken down that were specifically designed not to not be infringing, news organizations managed to claim their own live streams as copyright infringing, and music labels being able to demonetize videos of a guy singing public domain Christmas carols. It's all very stupid, very much the tip of the iceberg, and very much an indication that Content ID, in its current state, is broken.

What's that, you say? You need more? Fine, a guy uploaded videos of his cat purring and those got claimed by two different labels as infringing on their copyrights.

YouTube's automated takedown tool is known for its flaws, but this week it crossed a line by attacking a purring cat. According to YouTube's Content-ID system both EMI Publishing and PRS own the rights to a 12 second purring loop. Last March, YouTube user Digihaven uploaded one hour of video loops featuring his cat Phantom, purring, as cats do. The video didn’t go viral but appealed to a niche public, and more recently also two major music publishers.

Nearly a year after the video was posted Digihaven was informed by YouTube that Phantom is “pirate” purring. Apparently, part of the 12 second loop belongs to EMI Music Publishing and PRS.

Yes, this is sort of funny, but only after you've encountered so many Content ID problems just like this that you become dead inside, like me. I've made statements like this before, but I'll repeat it again: your automated copyright system doesn't have to be perfect, but if your system is so flawed that a 12 second video of a cat purring can be flagged by multiple music labels then your system sucks so badly that you need to completely start from scratch on a new one.

Now, I've done some haphazard searching for songs entitled "Focus" by artists on the EMI label and, frankly, I gave up. There are a ton of search results for songs that include that word in their titles. That being said, I'm fairly certain that EMI doesn't have a band with a song that is 12 seconds of a cat purring or, if that in fact is a thing, that such a video would be copyrightable. In other words, either way, EMI and PRS should not be monetizing Phantom the Cat's musical stylings.

“I’m sure EMI/PRS made Phantom a sad kitty. It seems like companies such as EMI are pirating ads on people’s legit videos, so I’m wondering if they apologize to, or reimburse people for those false claims,” he tells TF.

Hoping to clear his cat’s name Digihaven decided to file a dispute. This was partially successful, as EMI lifted its claim shortly before publication of this article.

Which, absurdly, means now Phantom just has to figure out what PRS' problem is.

Or, hey, maybe we could all just admit together that Content ID in its current form doesn't work and should be done away with in some organized and planned fashioned. Replace it with a better automated system. Replace it with more humans doing moderation. Admit that content moderation at scale is completely impossible and stop trying.

Anything would be better than living under a automated system we all know sucks.

In 2018, the sheriff of Butts County, Georgia (no, really), Buford T. Justice Gary Long instructed deputies to ruin the Halloween holiday spirt by planting damning signs in the yards of released sex offenders. The sheriff cited no reason for doing this -- not even extremely anecdotal "evidence." Instead, the signs -- which warned trick or treaters away from the homes of certain county residents -- appeared to be purely punitive: a way to continue to punish criminals who'd already served their time.

The sheriff's deputies wandered onto private property and planted signs printed by the department -- ones that said nothing more than "NO TRICK-OR-TREAT AT THIS ADDRESS." The signs were signed (so to speak) by the sheriff, passing themselves off as a "community safety message."

In a now-deleted, self-congratulatory post, Sheriff Gary Long claimed this invasion of privacy and property was lawful good:

As Sheriff, there is nothing more important to me than the safety of your children. This Halloween, my office has placed signs in front of every registered sex offender's house to notify the public that it's a house to avoid. Georgia law forbids registered sex offenders from participating in Halloween, to include decorations on their property. With the Halloween on the square not taking place this year, I fully expect the neighborhoods to be very active with children trick-or-treating. Make sure to avoid houses which are marked with the attached posted signs in front of their residents. I hope you and your children have a safe and enjoyable Halloween. It is an honor and privilege to serve as your sheriff.

(These signs are placed In accordance with Georgia Law O.C.G.A. 42-1-12-i(5) which states the Sheriff shall inform the public of the presence of sexual offenders in each community)

Nothing in the law requires this, despite the sheriff's half-assed appeal to authority. The public is already made aware of these facts by sex offender registries, which are accessible with or without Sheriff Long's assistance. If the law truly required the posting of signs like this, they would already have been posted by these residents in order to comply with the conditions of their release. There are plenty of laws in place that deter sex offenders from using a once-a-year celebration to further their sex offending. The lack of evidence or data pointing to a spike in sex offenses against children during Halloween suggests the laws on the books are working. This was nothing more than Sheriff Long being an asshole for no other reason than he could.

Four years later, the uppance has finally come for Sheriff Long and his deputies. The Eleventh Circuit Court of Appeals has ruled [PDF] these signs were nothing more than cheaply printed rights violations. (h/t Volokh Conspiracy)

The plaintiffs in this case posed a minimal, if not entirely nonexistent, threat to the communities they reside in. Here's how the court describes the three men suing Sheriff Long and his deputies:

Plaintiffs Reginald Holden, Corey McClendon, and Christopher Reed are residents of Butts County and are required to register as sex offenders under O.C.G.A. § 42-1-12, et seq. The Georgia statute not only requires individuals with certain convictions to register as sex offenders, but also requires Georgia to classify registrants based on whether they pose an increased risk of recidivism. Id. § 42-1-14. None of the three plaintiffs have been classified as posing an increased risk of recidivism.

In 2004, Holden was convicted of lewd and lascivious battery in Pinellas County, Florida. He has been a homeowner in Butts County since May 2017. He lives by himself and works as a warehouse coordinator.

In 2001, McClendon was convicted of statutory rape of a minor in Butts County. He lives with his daughter and his parents who own the home where they all reside. He holds a commercial driver’s license.

In 2007, Reed was convicted of sexual assault of a minor in Cook County, Illinois. He works as a truck driver and has lived with his father, who owns their home, since 2011. In the 2020 order now on appeal, the district court found that all three plaintiffs “have, by all accounts, been rehabilitated and are leading productive lives.”

Sheriff Gary Long was aware of this when he made and posted the signs.

The Sheriff does not dispute this, nor does the record support a contrary finding.

Sheriff Gary Long was also aware that sex offenders don't offend more often on Halloween.

Since 2013, Long had been Sheriff in Butts County and in that time did not know of any incidents in Butts County involving registered sex offenders on Halloween. In fact, during his six-year tenure as Sheriff, there were no issues with any registered sex offenders in Butts County having unauthorized contact or reoffending with minors at any time.

So, the signs were clearly made and distributed under the color of law for the sole purpose of heaping more stigma on stigmatized residents -- all under the guise of public safety. The sheriff had no lawful authority to do this. But he did it anyway.

The court is not happy with Sheriff Long's actions. Despite being constrained by the limits of the lawsuit, which does not seek damages or dispute any finding of qualified immunity, the Eleventh Circuit makes it clear this is some bullshit, Constitutionally speaking. This is compelled speech, forced on certain members of Butts County by Sheriff Gary Long. And there's nearly 50-year-old Supreme Court precedent on hand that made it clear the sheriff should never have engaged in this activity.

In Wooley, the Supreme Court held that it was unconstitutional for the State of New Hampshire to prosecute a citizen for covering the State motto, “Live Free or Die,” on his license plate. Specifically, the Court held that a state could not “constitutionally require an individual to participate in the dissemination of an ideological message by displaying it on his private property in a manner and for the express purpose that it be observed and read by the public.” The Court stated that the New Hampshire statute “in effect requires that appellees use their private property as a ‘mobile billboard’ for the State’s ideological message or suffer a penalty.”

This case is materially similar to Wooley. The Sheriff’s warning signs, like the State motto on the New Hampshire license plate, are government speech. Indeed, the signs expressly bore the imprimatur of government, stating that they were “a community safety message from Butts County Sheriff Gary Long.” The deputies placed the signs despite the homeowners’ and/or residents’ objections. The deputies explained, both verbally and through the accompanying leaflet, that only the Sheriff’s Office could remove the signs.

To sum up:

The Sheriff’s warning signs are a classic example of compelled government speech.

Sheriff Gary Long had no justification for this imposition on county residents, even given the state's obvious (and justifiable) desire to prevent the sexual abuse of children. The sheriff's office had other ways of informing Butts County residents of where sex offenders were located. The signs were completely unnecessary. Nothing the sheriff's office submitted to the court shows this punitive measure was the only (or least intrusive) way to ensure the safety of trick-or-treating children.

Assuming that yard signs alerting people to the residences of registered sex offenders on Halloween would prevent the sexual abuse of children (which, we repeat, is not supported by any record evidence), the signs are not tailored narrowly enough. Sheriff Long testified that the sex-offender registry, which contains each registrant’s name, address, and photograph, is available on the State of Georgia’s website, on the Butts County website, at Butts County administrative buildings, and at the Butts County Superior Court Clerk’s Office. The Sheriff has made the sex offender registry widely available through government sources, diminishing the need to require residents to disseminate the same information in yard signs on their private property. And, while “narrowly tailored” does not mean “perfectly tailored,” the Sheriff has not met his burden to show the yard signs were narrowly tailored because he has not offered evidence that any of the yard signs would accomplish the compelling purpose of protecting children from sexual abuse.

Sheriff Long tried arguing the government had the right to post whatever it wanted in "public rights of way," his way of describing the areas (towards the end of driveways or near sidewalks) where deputies posted signs. This footnote makes it clear this is the sheriff's Hail Mary play -- one the court easily bats down in the 11th Circuit end zone.

Before placing the signs in 2018, the deputies did not conduct research to assure themselves the signs would be placed in rights-of-way. In 2019, for the preliminary injunction hearing, the Sheriff introduced some poorly scanned copies of subdivision plats that do not include any keys, legends, or labels; the plat maps are not self-explanatory. He also introduced aerial Google Maps photos of roads with lines drawn across them. But those maps do not indicate who owns the underlying fee where the lines are drawn, or that the lines represent right-of-way easements—much less who possesses any easements or for what purpose.

The end result is a reversal of the lower court's decision in favor of Sheriff Long and his Halloween-adjacent dickishness. The case travels back down the federal pipe to the district court with instructions to find in favor of the plaintiffs and their request for a permanent injunction prohibiting the sheriff from pulling this stunt in the future. The ruling is clear: the government can't force people to say things they don't want to by planting signs in their yards. Sheriff Long will just have to find some other, more constitutional way to harass residents he doesn't like next Halloween.

Make sure you read the update at the end

This is a story that appears like it was created just to get Techdirt coverage, given how many issues we cover it touches on. Here's how it starts: Tulane law professor Ann Lipton, an expert on corporate governance and corporate law, wrote an academic paper about "Capital Discrimination." It's really interesting, and you should read it -- and a lot more people have been reading it over the last few days because of the situation I'm about to describe. The gist of the paper is that sex and gender discrimination happens in disputes regarding corporate structures/ownership, but that we don't generally have language in typical discussions of corporate ownership that recognize this very real dynamic. The article highlights multiple examples where courts try to apply the more traditional language of corporate ownership disputes in cases where there is clearly an element of sex discrimination.

One of the examples cited is In re: Shawe & Elting LLC, et al., which involves a somewhat incredible dispute between two people, Philip Shawe and Elizabeth Elting, who founded a company together, Transperfect Global. Without getting into all of the sordid details, Shawe and Elting had been in a relationship very early on, around the time of the formation of the business. At some point they were engaged to be married, though, according to the documents, Elting called off the engagement in 1997. From all of the details discussed in the opinion in the legal dispute between them, one could surmise that Shawe and Elting -- despite working together as co-CEOs, being the only two members of the board, and building up the company into a massive success, employing thousands of employees, and making hundreds of millions of dollars in revenue a year -- spent an awful lot of time fighting with each other in incredibly immature ways. It seems like they had been able to work together semi-amicably for over a decade after their personal relationship broke off, but things went off the rails sometime around 2012. The opinion linked above has detail after detail of incredibly petty and ridiculous behavior, sometimes on both of their parts, but quite frequently driven by Shawe. Here's just one example from the ruling:

There are multiple stories along these lines -- many of which appeared to be petty disputes between two co-CEOs posturing over who had power (there's a side issue in which technically Elting owned 50% of the business and Shawe 49%, but the other 1% was ostensibly held by Shawe's mother, in order to take advantage of being a "majority woman-owned business," but in practice, Shawe controlled his mother's share, so it was a 50/50 company). Many of the business disputes seem incredibly counter-productive, and seem to involve trying to make life difficult for the other one by delaying/hindering business decision making. As they argued, some of the behavior went into really, really questionable territory:

But some of the issues go way beyond arguments over how the business should be run or how its finances should work -- including some pointers that suggest odd behavior in response to the failure of the personal relationship. From a footnote:

You can see how this dispute was of interest to Lipton's paper. It's one of multiple examples that fits right in and she quotes from the opinion directly. A draft of her paper was uploaded (like many pre-publication papers) to the Elsevier-owned SSRN website, and it was scheduled to be published in the Houston Law Review. However, if you go to the SSRN link now it shows the following:

It was not removed at the request of the author or of "the rights holder." It was removed by SSRN because Shawe had a lawyer send a ridiculous SLAPPy cease-and-desist letter, claiming that the law review article was defamatory. The cease and desist, from lawyer Martin Russo demands that the article be removed.

The crux of Shawe's complaint is that their legal dispute had nothing to do with their previous relationship, and was entirely a more traditional business dispute. But... that's an opinion. As is Lipton's opinion regarding how it relates the thesis of her paper. And, opinions are not defamatory. Other elements in the paper, including the references to Shawe's terrible behavior, seem obviously protected under fair reporting privilege. Honestly, the crux of Shawe/Russo's complaint is that they don't like how Lipton characterizes the nature of the dispute, but that's easily protected opinion and not defamatory.

Also, if Shawe wants to contend that the behavior at issue in the lawsuit was solely because of differences in how the business should be run, and not having anything to do with his failed personal relationship with Elting, he maybe should not have done the following, as detailed in the court's opinion:

So, maybe it wasn't Lipton who was connecting the failed relationship with the business dispute -- perhaps it was Shawe himself who sought to make use of the failed relationship claim to give him leverage in the business dispute, including seeking to have Elting criminally prosecuted by filing a "domestic incident report."

Given all of this, it's hard to see the cease and desist letter as anything more than blustery nonsense. But, ridiculously, SSRN pulled the paper, as has the Houston Law Review. To their credit, Lipton's employer, Tulane University is standing behind her:

The letter also points out to SSRN that no terms of service have been violated, and they believe SSRN should repost the article.

So combine this all together and we have a situation in which Shawe is angry about how he is portrayed in the paper, but that doesn't make it defamatory. The cease and desist letter has all the hallmarks of a frivolous SLAPPy legal threat. It highlights no false statements of fact, but merely calls out the statements of opinion made by Lipton in her paper, which are based on the facts that -- again -- Shawe's letter does not dispute. So this seems like a pretty blatant SLAPP threat.

Then, let's get to SSRN, which should not be pulling down the article. First, even a semi-competent review of the cease and desist would find that the defamation claims appear baseless. One would hope that SSRN would do such an analysis and not fall prey to a heckler's veto. Second, even if there were defamatory content (and again, that seems like a huge stretch), SSRN would be easily protected under Section 230. SSRN is an interactive computer service under the law, and cannot be held liable for the speech of third party content providers, such as Lipton.

In fact, this situation highlights the importance of Section 230, in that without Section 230, bumptious threats like this one would enable anyone to get just about anything pulled off of an online host. The nature of Section 230's immunity, is that it allows all sorts of different kinds of websites to host content, without having to freak out at the first sign of a legal threat over the content uploaded by a user. SSRN is within its own rights to pull down any content, of course, but the decision to do so here strongly suggests that (1) it did not carefully review the letter and the paper, or (2) that it doesn't understand how Section 230 protects it here.

Finally, there's the Streisand Effect. I'd never heard about this paper, or the dispute between Shawe and Elting. And now I and many, many, many more people have read the article (and I went and read the opinion in the Delaware Chancery Court with many, many, many more details on Shawe's behavior). So, once again, in filing a highly questionable legal threat intended to suppress this information, Shawe and Russo have only served to make people much, much, much more aware of the court record regarding Shawe's behavior.

Update... and just as I was putting the finishing touches on this post, SSRN put the paper back up. On Twitter, it explained itself as follows:

And one can argue that taking it down while you investigate is a reasonable policy -- though a key part of the way Section 230 works is that you don't need to. And, frankly, that's the appropriate setup, because it recognizes that the potential harm from suppressing legal speech is a huge problem. In the end, though, it's good that SSRN appears to be revising its policy.

The regional monopolization of U.S. broadband comes with all manner of nasty side effects. The lack of competition at the heart of the country's monopoly and duopoly problem contributed to high prices, comically bad customer service, slow speeds, spotty coverage, annoying fees, and even privacy and net neutrality violations (since there's often no market penalty for bad behavior). But it also results in "redlining," or when a regional monopoly simply refuses to upgrade minority neighborhoods because they deem it not profitable enough to serve.

The National Digital Inclusion Alliance has done some interesting work on this front, showing how companies like AT&T, despite billions in subsidies and tax breaks, routinely just avoids upgrading minority and low income neighborhoods to fiber. Not only that, the group has long showed how users in those neighborhoods also struggle to have their existing (older and slower) services repaired.

Again, defenders of the status quo will insist that these neighborhoods don't get upgraded because the return on investment (ROI) doesn't make it worth it, and that's a company's, like AT&T, right. But that (usually intentionally) ignores the billions upon billions of dollars we've thrown at regional monopolies for fiber networks that, time and time again, are only half delivered. Companies like AT&T routinely get to have their cake (billions in subsidies, regulatory favors, and tax breaks) and eat it too (only half deliver the upgrades they've promised for literally 20 years).

It's 2022 and the FCC has only just announced that it's going to take a look at the problem. Prompted by language in the recently passed infrastructure bill, the FCC has announced it's creating a task force to tackle "digital discrimination":

The problem, as usual, is that the real underlying disease here is regional monopolization. A company like AT&T not only faces little competitive pressure to expand service beyond the most profitable areas, it all but owns most state legislatures (and during Trump, federal regulators as well). As usual with broadband, if you don't tackle the regional monopolization and the corruption that protects it, you don't fix the real problem. And not only does the FCC (under both parties) not tackle this problem, you'd be hard pressed to find an FCC official capable of admitting the problem exists.

That's not to say this initiative won't do some good in terms of building awareness and creating some basic guidelines. But a program like this is only as good as its enforcement, and the idea some company like AT&T will face any serious penalties for 20 years of bad behavior on this front seems unlikely. The U.S. broadband monopoly problem has been obviously apparent for the last 20 years. 83 million currently live under a broadband monopoly, usually Comcast. You literally cannot find a single instance in the last five years where this problem was candidly acknowledged by regulators and lawmakers of either party, which kind of makes it hard to fix.

It's somehow gotten even worse during the (often justified) policy freak out surrounding "big tech." "Big telecom" has just almost completely fallen off the policy table, and even the idea of having some base levels of accountability for regional monopiles with 20 years of documented, anticompetitive behavior under their belts feels like a distant afterthought. You'll know things have changed when you see an FCC official clearly capable of acknowledging telecom monopolization and corruption are bad things. Until then we seem stuck in the age of half measures and incomplete solutions.

Last autumn, you may recall, the St. Louis Post-Dispatch published an article revealing that the Missouri Department of Elementary and Secondary Education (DESE) was leaking the Social Security numbers of teachers and administrators, past and present, by putting that information directly in the HTML. The reporters at the paper ethically disclosed this to the state, and waited until this very, very bad security mistake had been patched before publishing the story. In response, rather than admitting that an agency under his watch had messed up, Missouri Governor Mike Parson made himself into a complete laughingstock, by insisting that the act of viewing the source code on the web page was nefarious hacking. Every chance he had to admit he fucked up, he doubled down instead.

The following month, the agency, DESE, flat out admitted it screwed up and apologized to teachers and administrators, and offered them credit monitoring... but still did not apologize to the journalists. FOIA requests eventually revealed that before Governor Parson had called the reporters hackers, the FBI had already told the state that no network intrusion had taken place and it was also revealed that the state had initially planned to thank the journalists. Instead, Parson blundered in and insisted that it was hacking and that people should be prosecuted.

Hell, three weeks after it was revealed that the FBI had told the state that no hacking had happened, Parson was still saying that he expected the journalists to be prosecuted.

Finally, late on Friday, the prosecutors said that they were not pressing charges and considered the matter closed. The main journalist at the center of this, Jon Renaud, broke his silence with a lengthy statement that is worth reading. Here's a snippet:

Later in the letter, he notes that a week earlier, Parson himself had decried the treatment of his rejected nominee to lead the state's Department of Health and Senior Services, noting that Parson complained that "more care was given to political gain than the harm caused to a man and his family." Renaud noted that the same could be said of Parson's treatment of himself:

He concludes by hoping that "Parson's eyes will be opened, that he will see the harm he did to me and my family, that he will apologize, and that he will show Missourians a better way."

And Parson showed himself to be a bigger man and did exactly that... ha ha, just kidding. Parson just kept digging, and put out a truly obnoxious statement, with no apology and continuing to insist that Renaud hacked the government's computers even though -- again, this is important, lest you just think the governor is simply technically ignorant -- the FBI has already told him that there was no hacking:

This whole statement is utter hogwash and embarrassing nonsense. Again, there was no hacking whatsoever. The state messed up by putting information that should never, ever be in HTML code into HTML code, making it accessible for anyone who viewed the source on their own computer. The state messed up. The state failed to secure the data. The state sent that data to the browsers of everyone who visited certain pages on their public websites. Renaud did exactly the right thing. He discovered this terrible security flaw that the state put on the database, ethically reported it, waited until the state fixed its own error, and then reported on it.

Parson knew from the beginning that no hacking occurred. The FBI told the state that no hacking occurred. The state had prepared to thank Renaud and his colleagues at the St. Louis Post-Dispatch. It was only after Parson decided to deny, deny, deny and blame, blame, blame reporters for pointing out Parson's own government's failings, that this whole thing got out of hand.

The prosecutors have their own reasons for declining to prosecute, but the most likely reason is they knew they'd get laughed out of court and it would make them and Parson look even more ridiculous. Renaud chose give a heartfelt write up of what Parson's nonsense put him through, and asked in the politest way possible for Parson to look deep inside at the harm he had caused and to apologize. Instead, Parson quadrupled down, continued to insist that his own government's failings could be blamed on a "hack," and insisting that he's trying to "protect" the state when all he's done is show why no serious tech company should do business in such a state.

Missouri: elect better politicians. Parson is an embarrassment.

The 2022 Ultimate Adobe CC Training Bundle has 9 courses to help you become an Adobe power user. You'll learn about Lightroom, XD, Animate, and After Effects. You'll get more advanced training on Premier Pro, Photoshop, and Illustrator. The bundle is on sale for $30.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

In admitting that his EARN IT Act is really about attacking encryption, Senator Richard Blumenthal said he wouldn't agree to keep encryption out of the bill because he worried that it would give companies a "get-out-of-jail-free card." That's nonsense for multiple reasons, which we explained in that post, but the fact is Blumenthal's bill actually does contain a "get-out-of-jail-free card" that is incredibly damaging. It's one that child sexual abusers may be able to use to suppress any evidence collected against them and which would not just undermine the very point of EARN IT Act, but would make it that much harder to do the thing that needs to be done: stopping such abusers.

We touched on this a little bit in our earlier post about the mistakes senators made during the markup, but it's a little wonky, so it deserves a deeper exploration. Here's a good short description from Kir Nuthi in Slate:

In short: under the current setup, companies can search for child sexual abuse material (CSAM) and if they find it they must report it to NCMEC (and remove it). This is good and useful and helps prevent the further spread. But under the 4th Amendment, if the government is mandating a search, then it would require a warrant before the search can happen. So, if the government mandates the search -- and as various senators made clear in both their "myths and facts" document, and in the markup hearing, that's exactly what they intend this bill to do -- then anyone who is charged with evidence found via such a search would have an unfortunately strong response that the evidence was collected under state action, and, as such in order to survive a 4th Amendment review, would require a warrant.

In other words, it hands terrible criminals -- those involved in the abuse of children -- a way to suppress the evidence used against them on 4th Amendment grounds. Under such a regime that would make it more difficult to prosecute actual criminals. But, even worse, it would then create a perverse and dangerous precedent in which companies would be greatly encouraged not to use basic scanning tools to find, remove, and report CSAM content, because in doing so, it would no longer be usable in prosecutions.

So the failure by senators to understand how the 4th Amendment works, means that EARN IT (beyond all its other problems) creates a constitutional mess that is, effectively (and almost literally) a "get-out-of-jail-free card" for criminals.

Once someone legally obtains documents from a government entity through a public records request, the government simply cannot demand to have them returned just because it screwed up when it fulfilled the request.

That unalterable fact hasn't stopped government agencies from trying (or even [temporarily] succeeding). The NYPD botched its handling of a public records request twice, handing out information it didn't want to disclose to facial recognition researchers on two separate occasions. Both times, it tried to get a court to help it demand the mistakenly released information be returned. One request was granted (then rescinded). The second time the NYPD screwed up it didn't even bother to see if a court would oblige it twice.

US Citizenship and Immigration Services (USCIS) is being sued for trying to do exactly this same thing. It fulfilled FOIA requests pertaining to Hoppock Law Firm clients, sending the firm the "alien files" compiled by the agency. (h/t National Security Counselors)

At the time, the USCIS told Hoppock Law Firm it was aware it was over-fulfilling the request. From Hoppock Law's lawsuit [PDF] against USCIS:

In the Determination Letter, defendant USCIS wrote that it was intentionally releasing portions of the records that would otherwise be considered “exempt” under the FOIA statute after discussion between agency personnel and a member of its staff. It purported to release this exempt material “as a matter of administrative discretion.” And it said that the released records may also include other “discretionary releases of exempt information.”

These statements confirmed that even if portions of the records released were subject to any exemption under the FOIA, such release was intentional, not inadvertent.

Seven months later, USCIS had a new Director of FOIA Operations. And Hoppock Law had a new letter from USCIS demanding the "return" of information the agency had already voluntarily released.

The Demand Letter stated that, as for request number NRC2021092780, the USCIS had now decided that it had “inadvertently released personally identifiable information of third parties and/or law enforcement sensitive information.” It did not identify what pages or portions of the release the defendants were now claiming to be exempt or address its previous statements that it was releasing exempt information on purpose, as a matter of administrative discretion.

The Demand Letter did not identify any specific statutory exemption under the FOIA statute that the Defendants believed should apply to these records.

Although the request was for Plaintiffs’ client’s own A-file and the records released included only those found in the client’s A-file, the Demand Letter said that “improper use” of the records Plaintiffs received could “harm” the individuals “whose information was mistakenly sent.”

The demand letter [PDF] also hinted the law firm could be subject to criminal charges if it did not immediately comply. The letter claimed that any "any use or disclosure" of information (information not specified in the letter) might "impede or interfere with law enforcement activities." That's called obstruction when the feds are bringing charges. And like any federal charge, it's serious and can result in lengthy sentences.

The letter went on to demand compliance by January 18, 2022, which would be the same day the law firm received the letter. On January 19, the law firm responded, asking USCIS to identify which FOIA request this demand letter covered and noted that it needed other information from the agency if it was even going to begin complying with its demands, including identification of every person and entity the documents might have been shared with.

Despite the implicit threat of criminal charges and the demand for immediate action, the law firm's questions have yet to be answered. To prevent it from being accused of federal crimes or improper dissemination of sensitive information, the law firm is suing USCIS, seeking an order that would strictly define what the law firm is obligated to do in response to this letter, especially given its implication of criminal charges.

And it points out USCIS has no legal right to demand the things it's demanding.

The FOIA statute includes no authority for the responding agency to demand that a requester return records it has disclosed under the FOIA or to furnish information to the agency about who has been provided access to those records.

Even if there were some implied claw-back power in the FOIA statute, it would not apply to records the agency has intentionally disclosed, as it said explicitly here in the June 2021 disposition letter.

Because of that, the law firm is also seeking declaratory judgment stating that the demand letter violates FOIA law and that the law firm is under no obligation to comply with an extremely belated letter that, in effect, orders the firm to disclose the names of others who've viewed the documents and any attorney-client privileged communications compliance with the letter might reveal.

The law firm should prevail. FOIA law simply does not work this way. And USCIS's earlier statements that it knew it was providing information normally considered exempt from disclosure shows the agency was fully aware of what it was handing over to the law firm. A change at the top of the FOIA org chart doesn't suddenly make all of the agency's past public records actions null and void. And it sure as shit doesn't change how this law works.

This week, our first place winner on the insightful side is That Anonymous Coward on our post about the ruling that a college can't order a student to stop talking about an instructor, responding to another commenter who decided to go on a bizarre rant questioning the student's disability:

They are called sunglasses, perhaps one you get your head out of your ass you might learn about them.

Oooh and you get to decide if her disability is or is not real.
Are you one of those assholes who demand people parked in handicapped spots prove their disability to you?
You know they faked it to get the permit hanging from the rearview & now they have to answer to you...

On the upside your entire rant really highlights why many people with disabilities often just suck it up because they really don't feel like explaining to petty able bodied tyrants the exact nature of their disability and having to perform like a circus animal to meet your mental requirements for being disabled enough.

Did you read a different letter?
No where was there a request or demand to give bad reviews, merely honest reviews.

I offer you a big hearty fuck off from someone who sometimes is light sensitive, sometimes doesn't need his cane, sometimes needs to park closer to the entrance who is fed up with assholes like you who think unless your missing limbs you aren't disabled & are required to prove it on demand by every fucking Karen who is just pissed that there are a couple spaces they can't use.

In second place, it's That One Guy with a comment about the Minneapolis cops who demanded a no-knock warrant then killed an innocent gun owner nine seconds after entering a residence:

Criminals lying? Perish the thought

No no, gunning someone down on the spot after you broke into their house in the middle of the night and they're disoriented from being woken up is totally reasonable so long as you say 'police' and 'warrant', I mean can you imagine criminals ever doing something like that or police ever shooting an innocent person?

Clearly not, which means that if someone armed breaks into your house yelling about how they're cops they have a right to be there, and so long as you're innocent you have absolutely no reason to be worried or feel the need to defend yourself or even protest in the slightest.

For editor's choice on the insightful side, we start out with another comment from That One Guy, this time in response to the opposition from companies to good new regulators:

'You can't nominate them, they might do the job!'

As with Sohn, now with Bedoya: The greatest sign that a person is qualified for the job is when the corrupt come pouring out of the woodworks to try to keep them from it.

Next, it's a comment from someone who we haven't seen in these lists before, under the name... That Other Guy. The comment comes in response to a German court fining a site owner for "sharing user data with Google" by using web fonts:

One of the many terrible things about this decision is that the website owner didn't send the user's IP address to Google; the user's browser did.

Over on the funny side, our first place winner is Bobvious, with a comment about the Boston police department's bullshit gang database:

Are you saying

that the Boston Police Department has been frequenting areas notorious for MS13 gang activity?

In second place, it's Toom1275 on our post about Penguin Random House and Maus in the wake of its controversial removal from Tennessee schools. One commenter complained about calling this a "ban", Mike pointed out that the post discussed the fact that it's a bit more complicated and wondered if the complainer had read it, and Toom had a reply:

It seems unlikely anyone supporting the book ban would be a fan of reading.

For editor's choice on the funny side, we start out with David and one more similar crack about the gang database:

Are you rooting for the criminals?

After all, Ortiz has a record of associating with people who have a record of associating with people.

Finally, it's one more comment from That One Guy, this time in response to Apple opposing the trademark on an indie film, Apple Man:

Apple: Our customers are INCREDIBLY stupid

No, that makes perfect sense, why just last week I went to the grocery store because I heard they were selling apples and to my great surprise I was pointed towards a pile of fruit. How dare the store and it's staff deceive people by telling their customers that they are selling apples when they clearly are not, don't they understand that when someone hears 'apple' the only thing that comes to mind is electronics of various types?

That's all for this week, folks!

Five Years Ago

This week in 2017, in the wake of Trump's racist executive order banning people from seven countries from entering the US, pretty much the entire tech industry stood up in opposition. Meanwhile, Ajit Pai was getting quickly to work saying one thing and doing another (not unlike the broadband providers themselves. The FBI was revealed to have even more surveillance powers than we thought, and was also changing its FOIA policies to be even more hostile.

Ten Years Ago

This week in 2012, more dominoes were falling on ACTA: the Romanian Prime Minister admitted he had no idea why Romania signed it, the Czech government suspended ratification, then Latvia did the same, and even Germany got cold feet — and soon the mainstream financial press was writing off ACTA as dead. Meanwhile, we took a look at who was still supporting SOPA and why, while Lamar Smith was defending another terrible internet bill, and the RIAA was just lashing out at everyone.

Fifteen Years Ago

This week in 2007, we looked at the collateral damage from Viacom's wave of YouTube takedowns and a top NBC executive's hatred of the site, while one guy was claiming to own the Electric Slide and issuing DMCA notices on wedding videos. We also got a closer look at how little it takes for the RIAA to fire off a flimsy DMCA notice, while the RIAA was spending its time trying to tell people they should be paying more for CDs. Meanwhile, we took a look at just how completely bogus the MPAA's claims of a Canadian camcording epidemic were.

If you haven't been a long time Techdirt reader, you'll probably hear me say that there is a copyright infringement court case in Denmark and immediately wonder, "Yeesh, what did Disney do now?" But this is not a story about Disney. This is a story about the heirs of Edvard Eriksen, creator of a bronze statue of The Little Mermaid, inspired by the classic Hans Christian Andersen fairy tale, and their inability to let anyone in any way depict the statue or anything similar without being accosted in copyright actions. Most of the bullying actions by Eriksen's heirs have been, unbelievably, against other towns throughout the world for creating their own Little Mermaid statues: Greenville, Michigan and the Danish city of Asaa for example.

But less known are all the times Eriksen's heirs have gone after publications for showing pictures or other depictions of the statue. I won't pretend to be an expert in Danish copyright law, but if that country's laws are such that a newspaper or magazine cannot show a picture of one of the country's most famous landmarks, then that law is silly and should be changed or amended. Lest you think I must have this wrong, you can see a recent story of, not one, but two courts ruling that a newspaper must compensate Eriksen's heirs for a cartoon that depicted the statue on its pages.

An appeals court in Denmark has increased the compensation a newspaper was ordered to pay for violating the copyright of Copenhagen's The Little Mermaid statue with a cartoon depicting the bronze landmark as a zombie and a photo of it with a facemask.

The Berlingske newspaper published the cartoon in 2019 to illustrate an article about the debate culture in Denmark and used the photo in 2020 to represent a link between the far right and people fearing COVID-19.

For those of us reading this news in America, as well as many other nations, this all looks completely laughable. This is purely free speech stuff, protected in America by the First Amendment. Even getting past that, a cartoon of a statue is not a recreation of that statue, therefore copyright wouldn't even really apply. Plus it's parody and being used for commentary. Nothing about this makes sense.

And, yet, it must in Denmark because this 2nd court not only affirmed the ruling of the lower court but actually increased the compensation the newspaper was ordered to pay Eriksen's heirs.

Both were found to be infringements of the Danish Copyright Act. Copenhagen’s district court ordered the newspaper in 2020 to pay the heirs of Danish sculptor Edvard Eriksen 285,000 kroner ($44,000) in compensation. The appeals court on Wednesday raised the amount to 300,000 kroner ($46,000).

In a statement, the Eastern High Court in the Danish capital agreed with the lower court that “there was a violation of copyright" in the newspaper's actions. It did not give a reason for increasing the compensation amount but noted that Berlingske is a commercial venture since it wants to sell newspapers.

Again, this is all absurd. If the above rulings truly do comport with Danish copyright law, then all that suggests is that there needs to be an active movement in Denmark to amend the law. And, just to make this all the more frustrating, the copyright protections in Denmark are familiar: 70 years after the death of the author. In this case, that means Eriksen's heirs will only have this ability to bilk others for cash payments for the statue for another seven years.

Many of the worst ideas in recent copyright laws have been driven by some influential companies’ fear of the transition from analog to digital. Whereas analog formats – vinyl, books, cinematic releases of films – are relatively easy to control, digital ones are not. Once a creation is in a digital form, anyone can make copies and distribute them on the Internet. Traditional copyright industries seem to think that digital versions of everything will be freely available everywhere, and that no one will ever buy analog versions. That’s not the case with vinyl records, and a recent post on Publisher’s Weekly suggests that analog books too, far from dying, are going from strength to strength:

Led by the fiction categories, unit sales of print books rose 8.9% in 2021 over 2020 at outlets that report to NPD BookScan. Units sold were 825.7 million last year, up from 757.9 million in 2020. BookScan captures approximately 85% of all print sales. In 2020, unit sales were up 8.2% over 2019, which saw 693.7 million print units sold.

The young adult fiction segment had the largest increase, with unit sales jumping 30.7%, while adult fiction sales rose 25.5%. Sales in the juvenile fiction category increased 9.6%.

The two years of increased sales is part of a longer-term trend, as this article from the New York Times in 2015 indicates:

the digital apocalypse never arrived, or at least not on schedule. While analysts once predicted that e-books would overtake print by 2015, digital sales have instead slowed sharply.

Now, there are signs that some e-book adopters are returning to print, or becoming hybrid readers, who juggle devices and paper. E-book sales fell by 10 percent in the first five months of this year, according to the Association of American Publishers, which collects data from nearly 1,200 publishers. Digital books accounted last year for around 20 percent of the market, roughly the same as they did a few years ago.

Digital formats possess certain advantages over analog ones, notably convenience. Today, you can access tens of millions of tracks online with music streaming services, and carry around thousands of ebooks on your phone. But many people evidently continue to appreciate the physicality of analog books, just as they like and buy vinyl records. The Publisher’s Weekly article also shows how the digital world is driving analog sales:

Gains in the young adult category were helped by several titles that benefitted from attention drummed up by BookTok, users of the social media platform TikTok who post about their favorite books. They Both Die at the End by Adam Silvera, released in December 2018, was the #1 title in the category, selling nearly 685,000 copies.

As a recent post on Walled Culture noted, if publishing companies were less paranoid about people sharing snippets of the books they love, on BookTok and elsewhere, the already significant analog sales they produce could be even higher. If the copyright industries want to derive the maximum benefit from the online world, they need to be brave, not bullying, as they so often are today.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Originally posted to Walled Culture.

When most people think of the CIA (Central Intelligence Agency), they think of a foreign-facing spy agency with a long history of state sponsored coup attempts (some successful!), attempted assassinations of foreign leaders, and putting the US in the torture business. What most people don't assume about the CIA is that it's also spying on Americans. After all, we prefer our embarrassments to be foreign-facing -- something that targets (and affects) people we don't really care about and governments we have been told are irredeemable.

An entity with the power to provoke military action halfway around the world has periodically shown an unhealthy interest in domestic affairs, which are supposed to be off-limits for the nation's most morally suspect spies. The CIA (along with the FBI) routinely abuses its powers to perform backdoor searches of foreign surveillance stashes to locate US-based communications. It also has asked the FBI to do its dirty secondhand surveillance work for it in order to bypass restrictions baked into Executive Order 12333 -- an executive order issued by Ronald Reagan that significantly expanded surveillance permissions for US agencies.

Perhaps most significantly -- at least in terms of this report -- the order instructed other government agencies to be more compliant with CIA requests for information. Since its debut in December 1981, the order has been modified twice (by George W. Bush) to give the government more power.

That's the authority the CIA has been using to spy on Americans, as a recent PCLOB (Privacy and Civil Liberties Oversight Board) report shows. The PCLOB performed a "deep dive" in CIA domestic spying at the request of Senators Ron Wyden and Martin Heinrich. After its completion, the senators asked for an unclassified version of the PCLOB's report. That report has arrived. And, according to Ron Wyden's statements, it shows the CIA is utilizing EO 12333 to spy on Americans and bypass the protections (however minimal) the FISA court provides to Americans.

“FISA gets all the attention because of the periodic congressional reauthorizations and the release of DOJ, ODNI and FISA Court documents,” said Senators Wyden and Heinrich in response to the newly declassified documents. “But what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law. In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context.”

Wyden and Heinrich called for more transparency from the CIA, including what kind of records were collected and the legal framework for the collection. The PCLOB report noted problems with CIA’s handling and searching of Americans’ information under the program.

Even if the spying isn't direct, the outcome is pretty much identical to direct targeting. With EO 12333, the CIA obtains the compliance from other federal agencies envisioned by Ronald Reagan back in 1981 as his administration ran headlong into the CIA-implicating Iran-Contra scandal.

Domestic data is supposed to be "masked" if incidentally acquired by foreign-facing surveillance collections. Sometimes this simply doesn't happen. Sometimes unmasking occurs without proper permission or oversight. The FBI uses this to its advantage. So does the CIA. But the FBI handles domestic terrorism. The CIA does not. That makes the CIA's abuse possibly more egregious than the FBI's numerous violations of the same restrictions placed on domestic surveillance via foreign interception of communications by the NSA.

The PCLOB report [PDF] shows the CIA has obtained bulk financial data from other sources, possibly without proper masking of incidentally-collected US persons data. According to the CIA's response to the report, the only thing separating CIA analysts from US persons' data and communications is a pop-up box warning them that access may be illegal. This is only a warning. It does not (nor could it) prevent analysts from obtaining data they shouldn't have access to without explicit permission.

How extensive this "incidental" collection is remains to be seen. And there's a good chance no one will ever know how often this pop-up was ignored to collect data generated by US citizens and residents. Much of the report is redacted and what was shared with the PCLOB was limited to whatever the CIA felt like sharing. The oversight of programs like these is deliberately limited by the Executive Order -- one that made the assumption some things (like national security) are too important to be done properly or overseen directly.

The report does note that the CIA has internal processes to limit abuse of backdoor searches. But it also points out the CIA has read EO 12333 and its modifications to mean it can do what it wants when it wants without worrying too much about straying outside of the generous lines drawn by this Executive Order.

The limits include a requirement to use the “least intrusive collection techniques feasible within the United States or directed against United States persons abroad.” Annex A implements E.O. 12333’s “least intrusive collection technique” requirement regarding activities outside of the United States involving U.S. persons. Given that the Executive Order’s restriction only applies to activities in the United States or activities directed against U.S. persons abroad, the CIA interprets the language of Annex A to only apply to collections directed against USPs abroad. Annex A does not require [redacted] to apply the least intrusive collection technique to collections covered by this report, which are generally not directed against USPs.

There's the exploitable loop: the EO only applies to collections "directed" at US persons. Since all information is pulled from foreign-facing surveillance collections that "incidentally" collect US persons data, the resulting collection the CIA has access to is completely legal. Analysts access these collections specifically to find US persons' data, but because no agency deliberately targeted US persons, it's all above board.

This is the exploitation of foreign bulk collections to obtain information about Americans. While some may argue the damage is minimal because it only accesses information (financial records) unlikely to have an established expectation of privacy, people obviously know their financial institutions track their purchases, but that's not the same thing as people assuming the government should be able to access records -- which may contain sensitive information -- using nothing more than an Executive Order that was ostensibly written to strengthen foreign surveillance efforts.

And that's only what can be observed from this redacted release. This isn't the CIA's only attempt to hoover up info on US persons via side channels. Wyden's letter hints at FISA reforms, which likely refers to domestic phone records the NSA used to collect in bulk -- a program that was specifically targeted by Congress following the Snowden revelations. What's contained in this report is a narrow examination of one part of the CIA's exploitation of bulk collections to obtain US persons data. And if it feels this confident about its nearly unrestricted ability to perform these backdoor searches, examinations of other aspects of this program are likely to find other domestic data is ending up in the hands of CIA analysts who are supposed to be focused on foreign activities.

Recently, I re-read through various discussions about the “dot-com bubble.” Surprisingly, it sounded all too familiar. I realized there are many similarities to today's techno-optimism and techno-pessimism around Web3 and Blockchain. We have people hyping up the future promises, while others express concerns about the bubble.

The Dot-Com Outspoken Optimism

In the mid-1990s, the dot-com boom was starting to gather steam. The key players in the tech ecosystem had blind faith in the inherent good of computers. Their vision of the future represented the broader Silicon Valley culture and the claim that the digital revolution “would bring an era of transformative abundance and prosperity.” Leading tech commentators celebrated the potential for advancing democracy and empowering people.

Most tech reporting pitted the creative force of technological innovation against established powers trying to tame its disruptive inevitability. Tech companies, in this storyline, represented the young and irreverent, gleefully smashing old traditions and hierarchies. The narrative was around “the mystique of the founders,” recalled Rowan Benecke. It was about “the brashness, the arrogance, but also the brilliance of these executives who were daring to take on established industries to find a better way.”

David Karpf examined “25 years of WIRED predictions” and looked back at how both Web 1.0 and Web 2.0 imagined a future that upended traditional economics: “We were all going to be millionaires, all going to be creators, all going to be collaborators.” However, “The bright future of abundance has, time and again, been waylaid by the present realities of earnings reports, venture investments, and shareholder capitalism. On its way to the many, the new wealth has consistently been diverted up to the few.”

The Dot-Com Outspoken Pessimism

During the dot-com boom, the theme around its predicted burst was actually prominent. “At the time, there were still people who said, ‘Silicon Valley is a bubble; this is all about to burst. None of these apps have a workable business model,’” said Casey Newton. “There was a lot of really negative coverage focused on ‘These businesses are going to collapse.’”

Kara Swisher shared that in the 1990s, a lot of the coverage was, “Look at this new cool thing.” But also, “the initial coverage was ‘this is a Ponzi scheme,’ or ‘this is not going to happen.’ When the Internet came, there was a huge amount of doubt about its efficacy. Way before it was doubt about the economics, it was doubt about whether anyone was going to use it,” Then, “it became clear that there was a lot of money to be made; the ‘gold rush’ mentality was on.”

At the end of 1999, this gold rush was mocked by San Francisco Magazine. “The Greed Issue” featured the headline “Made your Million Yet?” and stated that “Three local renegades have made it easy for all of us to hit it big trading online. Yeah…right.” Soon after, came the dot-com implosion.

“In 2000, the coverage became more critical,” explained Nick Wingfield. There was a sense that, “You do have to pay attention to profitability and to create sustainable businesses.” “There was this new economy, where you didn’t need to make profits, you just needed to get a product to market and to grow a market share and to grow eyeballs,” added Rowan Benecke. “It was ultimately its downfall at the dot-com crash.”

The Blockchain is Partying Like It’s 1999

While VCs are aggressively promoting Web3 - Crypto, NFTs, decentralized finance (DeFi) platforms, and a bunch of other Blockchain stuff - they are also getting more pushback. See, for example, the latest Mark Andreesen Twitter fight with Jack Dorsey, or listen to Box CEO Aaron Levie's conversation with Alex Kantrowitz. The reason the debate is heated is, in part, due to the amount of money being poured into it.

Web3 Outspoken Optimism

Andreessen Horowitz, for example, has just launched a new $2.2 billion cryptocurrency-focused fund. “The size of this fund speaks to the size of the opportunity before us: crypto is not only the future of finance but, as with the internet in the early days, is poised to transform all aspects of our lives,” a16z’s cryptocurrency group announced in a blog post. “We’re going all-in on the talented, visionary founders who are determined to be part of crypto’s next chapter.”

The vision of Web3’s believers is incredibly optimistic: “Developers, investors and early adopters imagine a future in which the technologies that enable Bitcoin and Ethereum will break up the concentrated power today's tech giants wield and usher in a golden age of individual empowerment and entrepreneurial freedom.” It will disrupt concentrations of power in banks, companies and billionaires, and deliver better ways for creators to profit from their work.

Web3 Outspoken Pessimism

Critics of the Web3 movement argue that its technology is hard to use and prone to failure. “Neither venture capital investment nor easy access to risky, highly inflated assets predicts lasting success and impact for a particular company or technology” (Tim O’Reilly).

Other critics attack “the amount of utopian bullshit” and call it a “dangerous get-rich-quick scam” (Matt Stolle) or even “worse than a Ponzi scheme” (Robert McCauley). “At its core, Web3 is a vapid marketing campaign that attempts to reframe the public’s negative associations of crypto assets into a false narrative about disruption of legacy tech company hegemony” (Stephen Diehl). “But you can’t stop a gold rush,” wrote Moxie Marlinspike. Sounds familiar?

A “Big Bang of Decentralization” is NOT Coming

In his seminal “Protocols, Not Platforms,” Mike Masnick asserted that “if the token/cryptocurrency approach is shown to work as a method for supporting a successful protocol, it may even be more valuable to build these services as protocols, rather than as centralized, controlled platforms.” At the same time, he made it clear that even decentralized systems based on protocols will still likely end up with huge winners that control most of the market (like email and Google, for example. I recommend reading the whole piece if you haven’t already).

Currently, Web3 enthusiasts are hyping that a “Big Bang of decentralization” is coming. However, as the crypto market evolves, it is “becoming more centralized, with insiders retaining a greater share of the token” (Scott Galloway). As more people enter Web3, the more likely centralized services will become dominant. The power shift is already underway. See How OpenSea took over the NFT trade.

However, Mike Masnick also emphasized that decentralization keeps the large players in check. The distributed nature incentivizes the winners to act in the best interest of their users.

Are the new winners of Web3 going to act in their users’ best interests? If you watch Dan Olson’s “Line Goes Up – The Problem With NFTs” you will probably answer, “NO.”

From “Peak of Inflated Expectations” to “Trough of Disillusionment”

In Gartner’s Hype Cycle, it is expected that hyped technologies experience “correction” in the form of a crash: A “peak of inflated expectations” is followed by a “trough of disillusionment.” In this stage, the technology can still be promoted and developed, but at a slower pace. With regards to Web3, we might be reaching the apex of the "inflated expectations". Unfortunately, there will be a few big winners and a “long tail” of losers in the upcoming “disillusionment.”

Previous evolutions of the web had this "power law distribution". Blogs, for example, were marketed as a megaphone for anyone with a keyboard. It was amazing to have access to distribution and an audience. But when you have more blogs than stars in the sky, only a fraction of them can rise to power. Accordingly, only a few of Web3’s new empowering initiatives will ultimately succeed. Then, “on its way to the many,” the question remains “would the new wealth be diverted up to the few?” As per the history of the web, in a "winner-take-all" world, the next iteration wouldn't be different. 

From a “Bubble” to a “Balloon”

Going through the dot-com description, and then, the current Web3 debate - feels like déjà vu. Nonetheless, as I argue that the tech coverage should not be in either Techlash (“tech is a threat”) or Techlust (“tech is our savior”) but rather Tech Realism – I also argue the Web3 debate should be neither “bubble burst” nor “golden age,” but rather in the middle.

A useful description of this middle was recently offered by M.G. Siegler, who said the tech bubble is not a bubble but a balloon. Following his line of thought, instead of a bubble, Web3 can be viewed as a “deflating balloons ecosystem”: The overhyped parts of Web3 might burst, and affect the whole ecosystem, but most evaluations and promises will just return closer to earth.

That’s where they should be in the first place.

Dr. Nirit Weiss-Blatt is the author of The Techlash and Tech Crisis Communication

Cops are out there giving each other bad advice. An instructor for Street Cop Training -- a New Jersey based provider of officer training programs -- is telling officers it's ok to run facial recognition searches during routine traffic stops, when not encouraging them to go further with their potential rights violations.

In a podcast recently uncovered by Caroline Haskins for Insider, Maryland detective Nick Jerman tells listeners there's nothing wrong with running a facial image against publicly available databases during a traffic stop.

In a July 2021 episode of the Street Cop Podcast with Dennis Benigno, the company's founder, Jerman encouraged using facial recognition software to determine the identity of the person pulled over. The Street Cop Podcast is advertised as "The training that cops deserve" and, along with Street Cop Training's other programs, is marketed to active-duty police.

"Let's say you're on a traffic stop and we have someone in the car that we suspect may be wanted," Benigno asked during the episode. "What do we do in that situation?"

"Well there's a couple of paid programs you can use where you can take their picture, and it'll put it in," Jerman said, referring to facial recognition tools, before recommending "another one called PimEyes you can use." PimEyes is a free, public-facing facial-recognition search engine.

The legality of running searches like this is still up in the air. If there's nothing beyond suspicion a vehicle occupant might be a wanted suspect, officers would likely have to develop something a little more reasonable before engaging in searches -- like utilizing a facial recognition program -- unrelated to the traffic stop. And in some states and cities, it is very definitely illegal, thanks to recent facial recognition tech bans. Just because the cops may not own the tech utilized during these searches doesn't necessarily make actions like these legal.

But that's not the only potential illegality Detective Jerman (who, as Haskins points out, is currently being investigated by his department over some very questionable social media posts) encourages. He notes that in many states officers cannot demand people they stop ID themselves, especially when they're just passengers in a vehicle. He recommends this bit of subterfuge to obtain this information without consent.

"How about, you're in a situation where you can't compel ID and before you even ask you're like there's something not right with this guy and he's gonna lie," Benigno said.

Jerman suggested getting the person's phone number, either by asking the person, or by accusing the person of stealing a phone in the car and asking if they can call the phone in order to exonerate them.

"[Say] 'I see that phone in the car, we've had a lot of thefts of phones,' say 'Is that really your phone?' and then you can call it to see if that's the real phone number," Jerman said. "If you can get the phone number from your target, the world is your oyster."

Once a cop has a phone number, they can use third-party services to discover the phone owner's name and may be able to find any social media accounts associated with that phone number. The request may sound innocuous -- seeking to see if a phone is stolen -- but the end result may be someone unwittingly sharing a great deal about themselves with an officer.

Detective Jerman also provides classes on how to create fake social media accounts using freely accessible tools. He does this despite knowing it's a terms of service violation and appears to believe that since there's no law against it, officers should avail themselves of this subterfuge option. He has also made social media posts mocking Facebook and others for telling cops they're breaking the platform's rules when they do this.

But far more worrisome is something he admitted on another Street Cop Training podcast:

He recounted that at a wedding a few years ago, his friend wanted to approach a woman in a red dress because he "thought she was pretty hot." Jerman said that on the spot, he did a geofence Instagram search for recent posts near the wedding venue. He found a picture with the woman in the red dress, named Marilisa, posted by her friend, Amanda.

"Then you can start gaining intel on Amanda, then you can go back to Marilisa and start talking to her as if you know her friend Amanda," Jerman said.

Even his host, Street Cop Training founder Dennis Bengino, seemed to consider Jerman's actions to be a little creepy. But that appears to be Detective Jerman's MO: the exploitation of any service or platform to obtain information on anyone he runs into, whether it's at a wedding or during a pretextual traffic stop.

Despite Jerman's insistence that none of this breaks any laws, the actual legality of these actions is still up in the air. The lack of courtroom precedent saying otherwise is not synonymous with "lawful." Cases involving tactics like these are bound to result in challenges of arrests or evidence, and it's not immediately clear running unjustified searches clears the (very low) bar for reasonableness during investigative stops.

However, Jerman's big mouth and enthusiasm for exploitation should make it clear what's at stake when cops start asking questions, no matter how innocuous the questions may initially appear. And documents like the one obtained by Insider -- one that lists dozens of publicly accessible search tools and facial recognition AI -- should serve as a warning to anyone stopped by police officers. Imagine the creepiest things a stalker might do to obtain information about you. Now, imagine all of that in the hands of someone with an incredible amount of power, easy access to weapons, and an insular shield on non-accountability surrounding them.

The Complete 2022 Microsoft Office Master Class Bundle has 14 courses to help you learn all you need to know about MS Office products to help boost your productivity. Courses cover SharePoint, Word, Excel, Access, Outlook, Teams, and more. The bundle is on sale for $75.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

We've said it over and over again, if libraries did not exist today, there is no way publishers would allow them to come into existence. We know this, in part, because of their attempts to stop libraries from lending ebooks, and to price ebooks at ridiculous markups to discourage libraries, and their outright claims that libraries are unfair competition. And we won't even touch on their lawsuit over digital libraries.

Anyway, in other book news, you may have heard recently about how a Tennessee school board banned Art Spiegelman's classic graphic novel about the Holocaust, Maus, from being taught in an eighth-grade English class. Some people called this a ban, while others said the book is still available, so it's not a "ban." To me, I think school boards are not the teachers, and the teachers should be able to come up with their own curriculum, as they know best what will educate their students. Also, Maus is a fantastic book, and the claim that it was banned because of "rough, objectionable language" and nudity is utter nonsense.

Either way, Maus is now back atop various best seller lists, as the controversy has driven sales. Spiegelman is giving fun interviews again where he says things like "well, who's the snowflake now?" And we see op-eds about how the best way get kids not to read books... is to assign it in English class.

But, also, we have publishers getting into the banning business themselves... by trying to capitalize on the sudden new interest in Maus.

Penguin Random House doesn't want this new interest in Maus to lead to... people taking it out of the library rather than buying a copy. They're now abusing copyright law to demand the book be removed from the Internet Archive's lending library, and they flat out admit that they're doing so for their own bottom line:

This is just blatant greed laid bare. As the article notes, whatever problems US copyright law has, it has enshrined the concept of libraries, and the right to lend out books as a key element of the public interest. And the publishers -- such as giants like Penguin Random House -- would do anything possible to stamp that right out.

NSO Group -- the embattled, extremely controversial Israeli phone malware developer -- finally has some good news to report. It may have a white knight riding to its rescue -- a somewhat unknown American venture capital firm that could help it pay its bills and possibly even rehabilitate its image.

Integrity Partners, which according to its website deals with investments in the fields of mobility and digital infrastructure, is managed by partners Chris Gaertner, Elad Yoran, Pat Wilkinson and Thomas Morgan.

According to the document of intentions, they will establish a company called Integrity Labs that would acquire control of NSO. It would also stream $300 million to the firm, in order to rebuild the company.

It's not all good news, at least not at the outset. The VC firm had pledged to lobby the US government on NSO's behalf to get the recent blacklist lifted, which means NSO would once again be able to purchase US tech solely for the purpose of developing exploits to use against that tech. If Integrity Partners has any interest in remaining true to its name, it should probably backburner this effort until it has engaged in some reputation rehabilitation.

Fortunately, it appears the VC firm is also interested in getting NSO back on the right track. Following neverending reports of NSO exploits being used to target journalists, political opponents, ex-wives, dissidents, and religious leaders, the government of Israel drastically reduced the number of countries NSO could sell to.

Integrity Labs aims to limit that list even further.

Instead of the current 37 clients, the company will reduce its sales to only five clients: the Five Eyes Anglosphere intelligence alliance of New Zealand, the United States, Australia, Great Britain and Canada. The company would initially focus on defensive cyber products as part of its rebranding effort.

With these restrictions in place -- and the United States on the preferred customer list -- it should be pretty easy to get the blacklist lifted. It's not that none of these countries would ever abuse malware to engage in domestic surveillance, but it's a far better list of potential clients than the one NSO had compiled over the last several years, which included a number of known habitual human rights abusers.

But there are still reasons to be concerned. Much of what happens to NSO after this acquisition occurs will still be shrouded in secrecy. There may be a claimed focus on defensive tech, but offensive exploits have always been NSO's main money makers and it will be much more difficult to remain profitable without this revenue stream.

Then there's the chance NSO will enter into a partnership with a different company that may not have the same altruistic goals, which means the malware developer will be able to continue limping along as the poster child for irresponsible sales and marketing. And the market for powerful malware will continue to exist. It will just end up being handled by companies that have remained mostly off the world press radar.

Also, there's the fact that there's very little information about who "Integrity Partners" actually is. While the firm's website lists its partners -- all of whom mention their military experience -- there is no evidence of a portfolio, or any evidence of previous investments. While the firm is listed in Crunchbase (the main database tracking VCs and startups), it shows no investments, and only mentions a single fund the firm has raised... for $350,000. It seems unlikely that that's enough to buy NSO Group.

For now, NSO's financial well-being and reputation are in tatters. The company cannot meet its debt obligations without outside help and its ruinous months-long streak of negative press present challenges even a timely influx of cash may not be able to reverse. But if it can rebrand and retool to provide defensive tech to a very short list of customers it may be able to survive its precipitous plunge into the "Tech's Most Hated" pool.