Source Code: Your daily look at what matters in tech.
To give you the best possible experience, this site uses cookies. If you continue browsing. you accept our use of cookies. You can review our privacy policy to find out more about the cookies we use.
yesIssie LapowskyNone
November 30, 2020
The country's foundational anti-hacking law — the Computer Fraud and Abuse Act — faces a major test Monday, as the Supreme Court prepares to hear arguments in a case that could radically broaden the scope of what's considered a computer crime and expand the power that companies have over their users.
The case, Van Buren v. United States, has divided frequent allies in the security and privacy space. On one side are groups like the Electronic Frontier Foundation and the American Civil Liberties Union, who argue that expanding the interpretation of the CFAA could make research conducted by cybersecurity experts and journalists alike illegal, paving the way for increased legal action by tech companies. On the other are groups like the Electronic Privacy Information Center and a raft of prominent privacy scholars who emphasize that the case before the court involves a law enforcement official using a government database to commit a serious privacy breach — behavior they say the law does and should prohibit.
Whatever the court decides, both sides believe the decision will have sweeping consequences for the future of internet safety and the power that companies have over their users.
At the center of the case is a former Georgia police officer named Nathan Van Buren, who was convicted in 2017 of violating the CFAA after he accepted money to look up a woman's license plate in a law enforcement database and was caught in an FBI sting. The CFAA, which was enacted in 1986, made it a crime to knowingly access a computer "without authorization or exceeding authorized access," a frustratingly vague standard that has been interpreted differently by the courts. Van Buren successfully petitioned the Supreme Court to take up his case, arguing that he didn't violate the CFAA because he did have authorized access to use the system; he merely used it for unauthorized purposes, just as millions of Americans, say, use their work computers to check sports scores.
Van Buren's argument has gained traction with cybersecurity professionals and civil liberties groups, who say that the CFAA is meant to prevent actual hacking. Interpreting it broadly to also include unauthorized actions by authorized users, they argue, would also make it a crime for anyone to violate a web company's terms of service. That, they fear, would make research and reporting that requires something as simple as creating a fake account on Facebook or scraping publicly available data illegal.
"Something that's concerned us for a long time is the ability of journalists and researchers to conduct research that we think is really in the public interest, especially on huge tech platforms like the social media companies," said Stephanie Krent, staff attorney at the Knight First Amendment Institute, which signed on to an amicus brief siding with Van Buren. "Journalists and researchers who want to study those questions shouldn't face criminal civil liability just for breaching terms of service."
In recent years, tech companies, including Facebook, have repeatedly sought legal remedies to enforce their terms of service. Just last month, Facebook tried to shut down a research project at New York University focused on Facebook ads, arguing that the researchers' strategy violated Facebook's terms and put Facebook at risk of violating its own consent decree with the Federal Trade Commission.
"You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that's a really bad idea," said Andrew Crocker, staff attorney at EFF. "They're kind of just using it as an excuse to bully outside groups they don't like." If the court sides against Van Buren, Crocker and others worry that bullying will only get worse.
That groups like the EFF and ACLU are lining up behind a police officer who misused a government database to spy on a private citizen is unusual. Those same groups have been among the loudest opponents of police surveillance and have been particularly suspicious of automated license plate readers in particular. But they argue that the privacy concerns raised by Van Buren's case can and should be addressed through other means. "It's not a privacy statute, and it wasn't passed as a privacy statute," said Crocker. "To the extent folks are concerned about misuse of data online and unintended consequences, the way to solve that is with a federal privacy law."
Groups like EPIC have, meanwhile, made precisely the opposite point. In its amicus brief, EPIC argues that protecting privacy is core to the CFAA and that the law was written to defend against both outside hackers and unauthorized access from insiders. EPIC points to a Senate report that was published when the CFAA was amended in 1996, which stated that the changes were designed to "increase protection for the privacy and confidentiality of consumer information." EPIC's lawyers argue it's especially important for the CFAA to hold government officials like Van Buren accountable for misusing the "vast troves" of highly sensitive personal information they have access to.
"This case concerns a police officer who abused his login credential and the public trust by accessing a record in a database filled with sensitive personal information for no other purpose than to sell it to an outsider," said Megan Iorio, counsel for EPIC. "This is the kind of behavior we think is clearly covered by the statute."
Taking the state's side in this case has made EPIC, another organization wary of police surveillance, strange bedfellows with groups like the Federal Law Enforcement Officers Association. That's not to say EPIC doesn't agree that researchers and journalists are doing important work that ought to be considered carefully under the CFAA. But it argues that the "slippery slope" argument invoked by the EFF and ACLU is weak, because Van Buren wasn't tapping into a public consumer-facing website with its terms of service hidden away in fine print. He was improperly accessing a government database. Iorio says the court could find Van Buren to be in violation of the CFAA without making broader proclamations about violations of internet terms of service. "The Van Buren case doesn't require figuring out all the nuanced ways the CFAA applies in the internet context because it's not internet-based," she said.
Instead, she believes concerns about research and journalism are better handled through another case called LinkedIn v. hiQ. In that case, hiQ was scraping public LinkedIn data to make its own HR tool. When LinkedIn found out, it slapped hiQ with a cease and desist letter. HiQ filed suit to prevent LinkedIn from taking legal action under the CFAA. A court in that case said that hiQ's scraping of public data from LinkedIn didn't violate the law, but LinkedIn has since petitioned the Supreme Court to take up the case. That case has also divided the privacy community, with EPIC taking LinkedIn's side in the name of protecting internet users' data and the EFF taking hiQ's in the name of protecting researchers and journalists who scrape public data in the course of their work.
Whether the court decides to hear that case will likely depend a lot on the decision in Van Buren, which could have downstream consequences for that case — and so many others in the future.
Issie Lapowsky
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Big Tech benefits from Biden’s sweeping immigration actions
Tim Cook and Sundar Pichai praised President Biden's immigration actions, which read like a tech industry wishlist.
Newly-inaugurated President Joe Biden signed two immigration-related executive orders on Wednesday.
Photo: Chip Somodevilla/Getty Images
January 20, 2021
Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.
January 20, 2021
Immediately after being sworn in as president Wednesday, Joe Biden signed two pro-immigration executive orders and delivered an immigration bill to Congress that reads like a tech industry wishlist. The move drew enthusiastic praise from tech leaders, including Apple CEO Tim Cook and Alphabet CEO Sundar Pichai.
President Biden nullified several of former-President Trump's most hawkish immigration policies. His executive orders reversed the so-called "Muslim ban" and instructed the attorney general and the secretary of Homeland Security to preserve the Deferred Action for Childhood Arrivals, or DACA, program, which the Trump administration had sought to end. He also sent an expansive immigration reform bill to Congress that would provide a pathway to citizenship for undocumented individuals and make it easier for foreign U.S. graduates with STEM degrees to stay in the United States, among other provisions.
<p>Biden's Day One moves suggest that immigration reform will be one of the key areas for allyship between Silicon Valley and the Biden administration over the next several years. The industry is sorely in need of common ground as Democrats pledge to use their power over Congress and the White House to crack down on Big Tech. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>"We welcome President Biden's commitment to pursuing comprehensive immigration reform that reflects the American values of justice, fairness and dignity," said Cook in a statement to Protocol. "This effort will strengthen American communities and the pathways to opportunity this country has long fostered." </p><p>Cook, who is the chair of Business Roundtable's immigration committee, said he looked forward to working with Democrats and Republicans on a "permanent solution for Dreamers that includes a path to citizenship."</p><p>"We applaud @POTUS's quick action on COVID relief, the Paris Climate Accord, and immigration reform," Pichai <a href="https://twitter.com/sundarpichai/status/1352021111479832576?s=21" rel="noopener noreferrer" target="_blank">tweeted</a> Wednesday. "Google has supported action on these important issues & we look forward to working with the new administration to help the US recover from the pandemic + grow our economy."</p><p>An Uber spokesperson also affirmed the company's support for President Biden's actions. "At Uber, we have long supported positive immigration reform and an effective system that upholds core American values," the spokesperson said. "Uber will continue to support Dreamers, and we welcome the new Administration's effort to reform our nation's immigration system."</p><p>The tech industry, which relies heavily on foreign workers, has spent the last four years <a href="https://www.usatoday.com/story/tech/2017/08/31/tech-industry-prepares-new-trump-fight-over-daca-dreamer-protection-program/622897001/" rel="noopener noreferrer" target="_blank">battling with the Trump administration</a> over efforts to shut down vital talent pipelines from countries including India, China and Iran. Over the last four years, tech giants have filed <a href="https://abcnews.go.com/Business/dreamers-embody-apples-innovation-strategy-apple-ceo-tim/story?id=66030999" rel="noopener noreferrer" target="_blank">amicus briefs</a> in high-profile <a href="https://www.vox.com/2020/1/16/21069827/twitter-microsoft-linkedin-public-charge-trump-immigration-tech-companies" rel="noopener noreferrer" target="_blank">court cases</a> and lobbied in favor of opening up U.S. borders to high-skilled workers. Despite protestations from Silicon Valley leaders, the Trump administration continually added uncertainty to the H-1B visa application process, resulting in significant backlogs. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Biden's immigration bill would put money towards clearing visa backlogs, eliminate visa caps on certain countries and make it easier for people on temporary work visas to get green cards. Perhaps most significantly, it would immediately give the 11 million undocumented immigrants in the U.S. a pathway to become citizens. </p><p>The executive orders on DACA and the Muslim ban will immediately appease immigration advocates, including those inside the tech industry, but the toughest battle still lies ahead: rallying support in Congress for immigration reform, which has failed for years. Still, there may be some in the Republican party who are willing to work with the Biden administration on key pillars of the proposal. On Wednesday, Sen. Lindsey Graham, who was a leading player in immigration talks during the Obama years and a top Trump ally, told CBS he is open to creating a path to citizenship for undocumented immigrants.</p><p>"What we are really looking for is making sure there is congressional action and there is a legislative solution," said Karolina Filipiak, senior director of government affairs at the Information Technology Industry Council, a tech trade group. "We don't want to be in the same position four years from now or eight years from now [with] a new administration that could rescind the program." </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Companies including Facebook and Google are hoping to work with lawmakers in Congress to create bipartisan support for reform, particularly as they face regulatory headwinds of their own. </p>
Keep Reading
Show less
Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.
People
Amazon’s head of Alexa Trust on how Big Tech should talk about data
Anne Toth, Amazon's director of Alexa Trust, explains what it takes to get people to feel comfortable using your product — and why that is work worth doing.
Anne Toth, Amazon's director of Alexa Trust, has been working on tech privacy for decades.
Photo: Amazon
January 18, 2021
David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.
January 18, 2021
Anne Toth has had a long career in the tech industry, thinking about privacy and security at companies like Yahoo, Google and Slack, working with the World Economic Forum and advising companies around Silicon Valley.
Last August she took on a new job as the director of Alexa Trust, leading a big team tackling a big question: How do you make people feel good using a product like Alexa, which is designed to be deeply ingrained in their lives? "Alexa in your home is probably the closest sort of consumer experience or manifestation of AI in your life," she said. That comes with data questions, privacy questions, ethical questions and lots more.
<p>During CES week, when Toth was also on a popular panel about the future of privacy, she hopped on a Chime call to talk about her team, her career and what it takes to get users to trust Big Tech. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p><em>This interview has been edited and condensed for clarity.</em></p><p><strong>How does the Trust team work? That's what it's called, right?</strong></p><p>Yeah. I work on the Alexa Trust org, it's part of the Alexa organization overall. The team that I work on is responsible for building all the privacy features, all the privacy controls and settings, and thinking about privacy across Alexa, as well as accessibility. So the aging teams, the accessibility teams, Alexa for Everyone, all reside within this organization. And we're thinking about content issues and the whole gamut. So really all of the all of the policy dimensions and how they manifest in consumer-accessible controls and features is what this team thinks about.</p><p><strong>Why is that one team? You just named a bunch of different, equally important things. What is the tie that binds all of those things?</strong></p><p>Well … I think it's trust, right? It's, how do we develop trustworthy experiences? We are very much a horizontal organization that works throughout the Alexa org. </p><p>And the Alexa org actually is much larger than I even anticipated. When I first was interviewing with the organization, I was really surprised at how big and how quickly it's grown. So it's truly a horizontal effort to think about the customer experience, and all of these areas where there are potential trust issues, and try to deal with them very proactively. </p><p><strong>That's a much bigger definition of trust than I would have guessed. I feel like we talk about trust a lot as sort of synonymous with privacy, and so "what do you do with my data" is the core question. But then when you put things like accessibility and ethics in there, it broadens the definition of what you're looking at in this really interesting way.</strong></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Yeah, it's a very expansive view. I have worked on privacy for most of my career. It often presents as a defensive issue for companies, right? And even the word "privacy" brings up a sort of connotation that makes you think about all the things you don't want people to know. </p><p>But I think of it really as an opportunity to innovate and to try to create more positive experiences, rather than to think of it as a defensive posture. How are we enabling the usage of data to help create better experiences for customers? Because that's really, ultimately what customers want: for you to use data to make this better for me. And I'm totally good with that. The concern is when I'm not sure what I'm getting out of you using my data, and you have it, and why do you have it? That's the area that's problematic. And what I see, and what we're trying to do, is to be very transparent, and to demonstrate time and again how your data is actually benefiting you in this product experience.</p><p><strong>That's actually one of the things I wanted to talk about. You said in another interview that so much of privacy and security is basically just, like, don't screw up. There's no positive experience, it's just there until you ruin it. It's interesting to think about it the other way: to say, "What does it look like to be more proactive about privacy and data security?" What does that look like for you, in terms of how to actually put it in front of people in a way that feels useful, instead of just having pop-ups that say, "Don't worry, we're not using your data for bad things?"</strong><br></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Designing for privacy, or designing for trust more specifically, is about baby steps. It's like developing a relationship with a person, right? You have to earn the trust. And you have to do things in the beginning that over time become less important. So the wake word: We rely very heavily on the wake word. You have to invoke Alexa. But the use of the wake word, and the training around that, is in order to make people comfortable with the fact that we are only streaming your requests to the cloud once the wake word has been invoked. </p><p>That is about interjecting some conscious friction, to create a trusted experience so that later when we have more advanced features, more advanced conversational-type elements, you'll be in a place where you're comfortable with that experience. It moved you along that learning curve, and got to that place where you trust us to do that for you effectively. </p><p>I think it was on Twitter or on LinkedIn, I saw that there was an article that had gone viral. There was a security organization that did a breakdown of an Echo device because there was a theory the mic-off button was in fact just cosmetic. So they did a whole breakdown and sort of mapped out the electronics to prove, in fact, if the red light is on, the wiring to the mic is disabled. The red light and the mic cannot both be on at the same time and vice versa. That was a design choice. There are a lot of choices that are about getting people comfortable with the device, and feeling that degree of trust so that later down the road, we can introduce more features that people will be more likely to use. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p><strong>But it's telling even that those sort of conspiracy theories exist, right? People think the same thing about Facebook turning on their microphone. Does it feel like there is this perception hole that every big tech company is in right now? That you, as Alexa, have to go out of your way to convince people that you're doing the right thing, as opposed to even starting in a neutral place? It just feels like we're in this place where people are learning to be suspicious about things that they don't understand.</strong></p><p>I'm kind of a hardened cynic. That's just my natural disposition on things. So yes, I think we are in a period of time right now where skepticism is at an all-time high. And I think deservedly so, in the world we're living in at the present moment.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>But what I'm often heartened by is that people have put this device into their homes, into their most sacred private spaces with their families with their loved ones. To do that is a big leap of faith and trust in Amazon and Alexa. So the mere fact that we're there is already a sign that people have extended to us the benefit of the doubt and have said "we trust you." </p><p>So it's not even so much about having to earn that trust in the first place as it is having to be worthy of that trust, right? Or be worthy of that privilege of being in that space. That's the goal for me: to make sure that we continue to be worthy of the trust they've already placed in us, which is not a hurdle everyone gets over. </p><p><strong>What about as you think about things like default settings versus giving people choice? You can give people all the options in the world, but we know for a fact that most people are never going to change anything. So I'm suspicious of the idea that that's a solution to these problems, but it's definitely part of the solution. How do you think about making good decisions for people versus letting people make decisions?</strong> </p><p>First of all, no two people have the exact same notions of privacy. It's different generations, different cultures, different backgrounds, different experiences, all driving different expectations. No matter where you set a default, it's not going to be right for everybody. So there has to be the ability to change it. And you have to make that easy to find. <br></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p>So in the Alexa context, voice-forward commands to try to make it as easy as possible to be able to say, "why did you do that," or "delete what I just said," or "delete everything I have ever said" — those kinds of interactions help reduce the friction in privacy, they make it easier for people to exercise those those options. </p><p>Your default settings generally represent your organizational bias, in one way or the other. And in this case, the default settings that we have reflect our ability to use data in a way that's going to improve the product and make it better for the customer. So that's where they are. And that's how they've been determined. But they're not immovable. And that's the most important part. </p><p><strong>Well, that education piece seems hard, though. We've seen Facebook, for instance, try to explain why it collects a lot of data. And it doesn't necessarily track for a lot of people. There was this big dustup with WhatsApp, people lost their minds. Is it harder than you're making it sound to help people understand what you're doing with their data?</strong></p><p>In some ways, I think that this product gives you a more immediate example of that data benefit than other products. I mean, I spent a lot of my career talking about the benefits of targeted advertising, and how if you're going to get an ad, better to get a targeted ad than one that's irrelevant. But the relative benefit to you as a customer, as an individual, for that use of your data doesn't really feel as meaningful as the types of experiences or improvements we're able to make. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p>And there's lots of data, particularly looking at introducing Alexa into new countries and languages and dialects, where the ability to use that voice data to dramatically improve our responses and our accuracy is something that is noticeable by people over time. I think people would recognize that, that trajectory.</p><p><strong>That's fair. And it does seem like most people, when you explain it to them, will understand pieces of it like that.</strong> </p><p>This is why I love "Alexa, why did you do that?" Because Alexa doesn't always get it right the first time, and to be able to actually ask and get a response about what that reasoning was, and you can see it in real time — you can't do that with a lot of other experiences. That's a cool one that I hope more people use. </p><p>But we are faced with some real challenges under regulation about explainable AI. These technologies are getting more and more sophisticated, and when they work really well, sometimes we're delighted, and sometimes we're creeped out. It's that balancing act of like, "Wait a minute, that was really useful … should I be worried?" Which is why trust is so important to develop, so that when you get to that moment, you can offer a customer benefit without it being intrusive, or invasive or feeling somehow uncomfortable. Devices should learn!</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="8">
</div>
</div></p><p><strong>You're a privacy person, so I have a current events question for you: We're in the middle right now of this privacy versus transparency debate, where it's either better to let people use encrypted services because they can't be watched or becomes a problem because bad people can do bad stuff in those encrypted services and nobody can find them. And obviously, this shows up in lots of scary ways recently. Where do you fall on the debate?</strong></p><p>I will have to speak to this on a personal level, but all the messaging apps I use are end-to-end encrypted for primary messaging. I think it's important, and I think that there's a role that they play that is important. There are lots of people who think that people aren't really concerned about privacy in the world, and we've passed that moment where privacy is an issue. Just based on the number of people that I've seen crop up on Signal and Telegram in the last week, I can tell you that people really are paying attention. So I think that if that's the indicator that we should be looking at, then I would say privacy is not dead. People really do care. And it's something everybody should be paying attention to.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="9">
</div>
</div></p>
Keep Reading
Show less
David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.
Doxxing insurrectionists: Capitol riot divides online extremism researchers
The uprising has sparked a tense debate about the right way to stitch together the digital scraps of someone's life to publicly accuse them of committing a crime.
Rioters scale the U.S. Capitol walls during the insurrection.
Photo: Blink O'faneye/Flickr
January 16, 2021
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
January 16, 2021
Joan Donovan has a panic button in her office, just in case one of the online extremists she spends her days fighting tries to fight back.
"This is not baby shit," Donovan, who is research director of Harvard's Shorenstein Center on Media, Politics and Public Policy, said. "You do not fuck around with these people in public."
<p>Which is why Donovan has been so worried about what she's seen happening online in the days since a violent mob overtook the U.S. Capitol. Scores of amateur sleuths are combing through terabytes of footage and openly trading tips on Twitter in hopes of piecing together the rioters' identities and bringing them to justice. To Donovan, these Twitter detectives aren't just running the risk of misidentifying innocent people; they may also unknowingly be putting themselves at risk by publicly pursuing potentially dangerous people.</p><p>Even more worrisome to Donovan: the role some prominent researchers are playing in organizing the hunt. So this week, she went on Twitter and shared some blunt words of warning. "This is one of the most dangerous uses of social media by a researcher," Donovan <a href="https://twitter.com/BostonJoan/status/1349358629846183936?s=20" rel="noopener noreferrer" target="_blank">wrote</a>. "Research ethics now. We must hold each other to account."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>Her remarks were directed at another academic, John Scott-Railton of the University of Toronto's Citizen Lab, who has gained a following for his crowdsourced investigations of the riot, which most notably led to the successful identification of an Air Force veteran who was photographed in full tactical gear on the floor of the Senate. Two days after The New Yorker's Ronan Farrow used Scott-Railton's tip to <a href="https://www.newyorker.com/news/news-desk/an-air-force-combat-veteran-breached-the-senate" rel="noopener noreferrer" target="_blank">confirm</a> the veteran's identity and published a story with his findings, the suspect was arrested in Texas. </p><p>Scott-Railton shares Donovan's concerns — and admires her work — but says those concerns have led him to a different conclusion. He argues that in the wake of any public event caught on camera, be it a confrontation on a bike trail or the Boston Marathon bombing, there are bound to be crowds of extremely online people using digital techniques to assign blame. His goal is to harness that energy in productive ways and model appropriate behavior. </p><p>"I think the conversation has to be one that involves being very intentional in thinking about harm reduction and in trying to do one's best to always model the behavior you want to see from others," he said, noting that he has repeatedly urged his followers not to name potential suspects on Twitter and, instead, to funnel any specific names to the Federal Bureau of Investigation. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Besides, with the inauguration around the corner and the vast majority of the Capitol rioters still on the loose, Scott-Railton argues it's critically important to use the power of crowdsourcing to stop those people from committing any more violence. "There may be people who intend to do violent things around the inauguration," he said. "We urgently need to understand who they are."</p><p>The Capitol riot was a boundary-busting event in almost every way, and its impact on the digital privacy debate was no different. The insurrectionists' acts were so galling, so frightening, that suddenly, even those who might oppose digital surveillance and forensics techniques in other contexts, like, say, identifying peaceful protesters at a Black Lives Matter rally, feel justified in deploying those tools against the rioters. The shifting goalposts have sparked a tense debate among researchers of online extremism about the right way to stitch together the digital scraps of someone's life to publicly accuse them of committing a crime — or whether there is a right way at all.</p><p>Shortly after the riot, Vivian Schiller, executive director of the Aspen Institute's digital department, <a href="https://twitter.com/vivian/status/1347556058487787521?s=20" rel="noopener noreferrer" target="_blank">asked</a> her followers a question on Twitter and stressed that it was not rhetorical: "Is there such a thing as 'ethical doxxing'?" </p><p>"Not really," replied Kate Klonick, an assistant professor of law at St. John's University, who studies online content moderation. </p><p>Others disagreed vehemently. "Yes, absolutely," wrote Sasha Costanza-Chock, an associate professor of civic media at MIT. "I would argue that in fact we have an ethical responsibility to expose people who are literal nazis and ensure there are consequences for their actions. Of course, this requires extreme care to verify so that innocents are not wrongfully accused."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Scott-Railton tends to see things that way, as does Aric Toler, a researcher with the group Bellingcat, which has been archiving vast troves of footage of the riot to help with identification. "The crowdsourcing element is obviously powerful and can go both ways, but I think it's overall more positive than not," Toler said. </p><p>The Capitol riot was virtually unprecedented in terms of the amount of digital exhaust it gave off. That's partly to do with the fact that the uprising was largely organized on social media, partly to do with the fact that some of the rioters were there <a href="https://www.protocol.com/trump-coup-social-networks" target="_self">explicitly to broadcast their actions</a> on social media and partly to do with the fact that Parler, the go-to social platform of the far-right, <a href="https://www.wired.com/story/parler-hack-data-public-posts-images-video/" rel="noopener noreferrer" target="_blank">had a bug</a> that enabled a hacker to <a href="https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466" rel="noopener noreferrer" target="_blank">scrape and archive</a> every public post and GPS coordinate before deletion.</p><p>Now, before anyone can get named and blamed, there's a virtual ton of information to sift through first. Toler sees much of the crowdsourcing work going on as a responsible way to divvy up the labor. "A lot of the work is just around sifting through ungodly amounts of photos and videos," Toler said.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>Of course, a lot of it isn't. Already, a retired Chicago firefighter was <a href="https://patch.com/illinois/chicago/trolls-wrongly-accused-retired-firefighter-capitol-riot-murder" rel="noopener noreferrer" target="_blank">wrongly accused </a>of being involved in the riot, after Twitter detectives digitally enhanced a blurry photo of a man throwing a fire extinguisher at a cop and accused him of being "Extinguisher Man." In fact, he was back in Chicago, he said, celebrating his wife's birthday. "This story has fucked my life up," the man told a local news outlet.</p><p>Both Scott-Railton and Bellingcat had been seeking footage of that suspect on Twitter before he was misidentified. Though neither of them encouraged their followers to name names, and in some cases even actively discouraged it, the effort went sideways anyway. </p><p>That's to be expected, Donovan argues. Once you animate a crowd around a particular purpose, it's impossible to control what they'll do next, which she says is all the more reason for researchers to avoid such public investigations in the first place. "I have this overarching thesis that the internet turns us all into cops," Donovan said. "These are technologies of surveillance, and so use of them by the public to turn crowds into cops seems to me to be a very dangerous impulse."</p><p>That's to say nothing of the danger amateur investigators put themselves in, Donovan said. For all of the digital records the rioters have left behind, she stresses that the people looking into them often have their own digital trail that leaves them vulnerable to retaliation. "Say you identify some neo-Nazi militia member and think you're doing a good job, but you have your kid's birthday photos up on a Flickr account, which has the geotag of the apartment complex that you live in," Donovan said. "People don't understand how much is being revealed about them as they participate in these public campaigns."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>It's not that only trained researchers or law enforcement should be able to do this work. Donovan argues there's a way to carry out crowdsourced investigations in private channels, where participants are educated about the risks they're taking and how to protect themselves. Anything less, she argues, is malpractice. "If you don't educate people before you call them into action," Donovan said, "you put them at risk."</p><p>Scott-Railton has tailored his approach somewhat in response to feedback from Donovan and others. For one thing, he's begun <a href="https://twitter.com/jsrailton/status/1349914986278252553?s=20" rel="noopener noreferrer" target="_blank">deleting</a> old threads investigating people who have already been arrested to avoid leaving any misleading leads out in the open. He's also since deleted the tweet that Donovan first called him out on, in which he was seeking footage of people wearing earpieces at the riot. Donovan pointed out that such a directive could risk outing members of the media, who also regularly wear earpieces.</p><p>Perhaps, most importantly, on Thursday night, he <a href="https://twitter.com/jsrailton/status/1349919058922250240?s=20" rel="noopener noreferrer" target="_blank">tweeted</a> an official notice to his now more than 100,000 followers. He told them that he was now moving to a "form-based intake model" for tips, in collaboration with Bellingcat, writing, "I feel this approach better balances the *many* reasonable concerns about a participatory & crowdsourced model done on Twitter."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p>
From Your Site Articles
Keep Reading
Show less
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Protocol | Enterprise
Don’t worry about the cybersecurity fallout of the Capitol breach
Members of Congress can't access classified information on their work computers, and the chances that Wednesday's mob contained a few moonlighting cyberspies are slim.
Any lasting cybersecurity damage from the breach is likely to be limited.
Photo: Louis Velazquez/Unsplash
January 11, 2021
Tom Krazit ( @tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire. He served as executive editor of Gigaom and Structure, and most recently produced a leading cloud computing newsletter called Mostly Cloudy.
January 7, 2021
Among the disasters that visited Capitol Hill on Wednesday, the fact that the people who infiltrated Congressional offices had unfettered access to IT assets for several hours ranks rather low.
One of the most iconic images of Wednesday's events was a picture of the home screen of Speaker Nancy Pelosi's office computer, abandoned in haste after a mob broke into the Capitol building, forcing Congress and staffers to retreat to safer locations. By design, nothing on Pelosi's computer was classified: Members of Congress have to enter a protected area room in the building to view secret documents, as you'll recall from last year's impeachment proceedings when several House Republicans stormed into such a room in protest because they were denied access to documents their leaders could access.
<p>There could have been plenty of unclassified information that would still be considered sensitive, such as Pelosi's contacts and email correspondence. And it's fair to say that congressional IT practices are somewhat haphazard; some computers might have been encrypted, while some might not have even had password protection, according to security experts.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>As Katie Moussouris, CEO and founder of Luta Security, <a href="https://www.washingtonpost.com/politics/2021/01/07/cybersecurity-202-riot-capitol-is-nightmare-scenario-cybersecurity-professionals/" rel="noopener noreferrer" target="_blank">told The Washington Post</a>: "There's an old saying, if an attacker has physical access to your computer, it's not your computer anymore."</p><p>Still, any lasting cybersecurity damage from the breach is likely to be quite limited.</p><p>A <a href="https://www.reuters.com/article/us-usa-election-cyber/u-s-senator-says-capitol-building-rioters-made-off-with-laptop-idUSKBN29C2GA" rel="noopener noreferrer" target="_blank">laptop from Sen. Jeff Merkley's office was taken</a>, but there were no other reports of missing computers. Representatives from Merkley's office did not respond to an inquiry as to whether or not that laptop was encrypted; computers purchased for Senate offices after October 2018 were <a href="https://www.zdnet.com/article/us-senate-computers-will-use-disk-encryption/" rel="noopener noreferrer" target="_blank">required to have encryption technology turned on</a> at the urging of Merkley's fellow Oregon senator, Ron Wyden, but it's not clear when the laptop in question was purchased.</p><p>There's a far greater threat to information security in the Capitol Building, and it doesn't require access to the building itself. As we've seen with the SolarWinds hack that infiltrated several executive branch agencies last year, the biggest threats to government information security aren't wearing red hats and breaking windows; they're coming from overseas through the internet to steal sensitive data.</p><p>And in any event, the Capitol Building is not exactly the most secure facility controlled by the government, as Wednesday's events show. Any foreign intelligence agent bent on figuring out what the House Committee on Ways and Means is up to would probably have better luck accessing computers by infiltrating the cleaning staff or mingling with visitors on a post-pandemic tour of the building.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>The incident does shine a light on congressional cybersecurity practices, which are far less robust than the requirements of the executive branch.</p><p>In the House, members of Congress are responsible for procuring their own IT assets just like any of us, whereas in the Senate, technology purchases are made through the office of the <a href="https://www.senate.gov/reference/office/sergeant_at_arms.htm" rel="noopener noreferrer" target="_blank">Sergeant at Arms</a>. Email and file servers in the House are managed by the chief administrative officer, a non-partisan position. In the Senate, that duty falls to the Sergeant at Arms, who serves at the pleasure of the party in power.</p><p>"Images on social media and in the press of vigilantes accessing congressional computers are worrying," said Rep. Anna Eshoo, a Democrat from California, in a statement. "I asked the Chief Administrative Officer of the House to conduct a full assessment of threats based on what transpired yesterday, and the CAO has already taken important steps to that end. I have confidence that House and Senate IT and cybersecurity professionals are taking the matter seriously."</p><p>On Thursday afternoon, the <a href="https://twitter.com/ericgeller/status/1347303258180751364/photo/1" rel="noopener noreferrer" target="_blank">CAO updated members of the House</a> saying that administrators took "efforts including issuing commands to lock computers and laptops and shutting down wired network access to prevent inappropriate access to House data." It's not clear what, if any, action was taken on the Senate side.</p><p>Executive branch staff are almost universally required to use two-factor authentication to log into their work computers, but such a requirement does not exist in the legislative branch. Congresspeople are essentially small-business owners who can require their staff to follow whatever cybersecurity practices they deem necessarily, including, well, nothing.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>There's certainly a chance that a few individuals among the mob that breached the Capitol Building could have read less-than-flattering emails sent by or to members of Congress, and could use those emails to damage a few reputations.</p><p>But the most likely outcome of Wednesday's breach is that a lot of passwords have already been changed, or will be changed in the next few days.</p><p><em><strong>Update: </strong>This article was updated at 4:07 p.m. PT to include a statement from Rep. Anna Eshoo, and corrected at 5:17 p.m. PT to fix the spelling of her first name.</em><br></p>
Keep Reading
Show less
Tom Krazit ( @tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire. He served as executive editor of Gigaom and Structure, and most recently produced a leading cloud computing newsletter called Mostly Cloudy.
Politics
In 2020, COVID-19 derailed the privacy debate
From biometric monitoring to unregulated contact tracing, the crisis opened up new privacy vulnerabilities that regulators did little to address.
Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, says the COVID-19 pandemic has become a "cash grab" for surveillance tech companies.
Photo: Lianhao Qu/Unsplash
December 30, 2020
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
December 29, 2020
As the coronavirus began its inexorable spread across the United States last spring, Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, worried the virus would bring with it another scourge: mass surveillance.
"A lot of really bad ideas were being advanced here in the U.S. and a lot of really bad ideas were being actually implemented in foreign countries," Schwartz said.
<p>In China, where the virus first took hold, the country had already begun using draconian smartphone-based tools to <a href="https://www.bbc.com/news/technology-51439401" rel="noopener noreferrer" target="_blank">track sick people's whereabouts</a> and effectively force them to stay home. In Israel, lawmakers rushed through a proposal to give government officials <a href="https://www.bbc.co.uk/news/technology-51930681" rel="noopener noreferrer" target="_blank">access to Israelis' location data</a>. As the White House met with tech giants including Facebook and Google to discuss ways they could help, Schwartz and others feared the U.S. might be next in allowing fear of the virus to subvert basic civil liberties.</p><p>Nine months into the crisis, Schwartz said, the "worst ideas" being deployed internationally have yet to take hold in the U.S. But that doesn't mean COVID-19 hasn't created a slew of smaller, but still insidious privacy setbacks for Americans who, in recent years, have become increasingly wary of all the intrusive ways that governments and private companies use their personal data. Since March, corporate offices and college campuses have been flooded with biometric scanners, employers have deployed software that lets them remotely monitor workers' keystrokes and giant corporations like Ticketmaster have <a href="https://help.ticketmaster.com/s/article/What-are-your-COVID-screening-requirements?language=en_US" rel="noopener noreferrer" target="_blank">contemplated</a> linking people's negative COVID-19 tests to their tickets to gain entry to future events. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>While many of these precautions are well-meaning attempts to preserve public safety and to use technology to get the economy up and running again, they can come at a cost to personal privacy. And yet, the crisis has once again relegated privacy legislation to the back burner in Congress as lawmakers battle over how to handle dueling health and economic disasters.</p><p>Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, says the COVID-19 pandemic has become a "cash grab" for surveillance tech companies. "I think this has been the most dangerous moment for civil rights since 9/11," he said. "When you're faced with impossible choices like whether or not to keep schools open and deprive kids of an education or put them at risk, it's so easy to be taken in by the allure of magical thinking and startups that say if you just install this tracking device you'll somehow be able to avoid doing the impossible."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Contact tracing has been a source of concern, as governments across the country work with a slew of private firms to manage manual contact tracing with no real guardrails in place. "People by the thousands are telling contact tracers where they've been, who they're with, and we don't think there are sufficient ways to secure that data, especially when private contractors or for-profit corporations are helping," Schwartz said.</p><p>In New York, Cahn's organization supported legislation that would have protected New Yorkers from having their contact tracing data used against them in court or administrative proceedings. That bill passed over the summer, but Governor Andrew Cuomo has yet to sign it into law, leaving that information vulnerable. "In most states, police or ICE can get contact tracing data with a subpoena," Cahn said. "This not only creates a privacy threat, but it's a public health nightmare. There are millions of Americans who would second guess whether to fully disclose their potential contacts."</p><p>Apple and Google partnered on a contact-tracing tool that went to extremes to ensure people's data wouldn't be centrally stored or shared with either company or with the government. But health officials, at least early on, <a href="https://www.washingtonpost.com/technology/2020/05/15/app-apple-google-virus/" rel="noopener noreferrer" target="_blank">scoffed</a> at the limitations. "Digital apps and technology have struggled in the in-between space of wanting to track the path of this disease, this virus, while at the same time really struggling with very real privacy concerns," said Malkia Devich-Cyril, founding director and senior fellow at the advocacy group MediaJustice.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>The imminent rollout of a vaccine presents even trickier questions, like what happens if businesses or governments begin requiring people to prove they've been vaccinated in order to access certain spaces. California's legislature already defeated a bill that would have created a blockchain-based system to create what Schwartz calls "immunity passports." EFF argued that requiring people to hand over their smartphones to prove their immunity would open them up to other privacy invasions and would require people to have a smartphone in the first place. "We view this as a horrible, horrible idea," Schwartz said, noting that EFF will be "in the trenches" if any similar proposals arise.</p><p>Over the course of 2020, there have been other, subtler attitudinal shifts too. In the spring, news outlets that, in the past, criticized apps for surreptitiously tracking and selling people's location data, suddenly began tapping that same data to track where people were actually <a href="https://www.nytimes.com/interactive/2020/04/02/us/coronavirus-social-distancing.html" rel="noopener noreferrer" target="_blank">staying at home</a> or whether anti-shutdown protesters might be <a href="https://www.theguardian.com/us-news/2020/may/18/lockdown-protests-spread-coronavirus-cellphone-data" rel="noopener noreferrer" target="_blank">spreading the virus</a>. "We think there's a lot of COVID-washing going on," Schwartz said.</p><p>That COVID-washing hasn't been uniform though, Devich-Cyril said, noting that Black and brown communities with a long history of being surveilled remain wary of that kind of intrusion. "The simple fact of a medical disaster is not enough to turn people away from their desire for basic freedoms and rights," Devich-Cyril said.</p><p>Still, despite these setbacks, privacy advocates did score some wins in the midst of the chaos. On Election Day, Portland, Maine succeeded in banning facial recognition technology. Michigan voted to require police to seek search warrants before accessing electronic data. And California passed Proposition 24, a measure that rewrites the California Consumer Privacy Act and gives Californians new rights over protecting their data. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>"That is the story of privacy in 2020," said Jim Steyer, CEO of Common Sense Media, which backed Prop. 24. "That was a significant step forward." It's worth noting that not all privacy groups celebrated the passage of Prop. 24. Some, like the American Civil Liberties Union, opposed it over concerns that it created new privacy loopholes for businesses.</p><p>Schwartz is at least relieved that so many of the "bad ideas" that emerged at the beginning of 2020 have not been adopted in the U.S. But as the pandemic rages on through 2021, the fight for privacy in the face of a global health crisis will undoubtedly continue.</p>
From Your Site Articles
Keep Reading
Show less
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Latest Stories
See more
Most Popular
Bulletins
Get Source Code in your inbox
David Pierce's daily analysis of the tech news that matters.