108 posts categorized "Legislation" Feed

FDA Releases Guidelines For Apps And Wearables For Fitness And Health

The U.S. Food and Drug Administration (FDA) released guidelines about mobile apps and wearable devices for health and fitness (Adobe PDF). The guidelines document stated that it is for clarity for industry and FDA staff, and include "nonbinding recommendations." The federal agency will not regulate mobile apps and wearables that promote general wellness or a healthy lifestyle, and are classified as "low risk." The guidelines do not apply to products (e.g., drugs, biologics, dietary supplements, foods, or cosmetics) regulated by other FDA Centers or to combination products.

The FDA's Center For Devices and Radiological Health (CDRH) defines general wellness products as:

"... products that meet the following two factors: (1) are intended for only general wellness use, as defined in this guidance, and (2) present a low risk to the safety of users and other persons. General wellness products may include exercise equipment, audio recordings, video games, software programs4 and other products that are commonly, though not exclusively, available from retail establishments (including online retailers and distributors that offer software to be directly downloaded), when consistent with the two factors above."

The guidelines provide further definitions:

"A general wellness product, for the purposes of this guidance, has (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition. If the product’s intended uses are not limited to the above general wellness intended uses, this guidance does not apply."

The guidelines provide a list of general wellness health outcomes: weight management, physical fitness (including recreational uses), relaxation or stress management, mental acuity, self-esteem, sleep management, and sexual function.

Typically, regulation is used to ensure that products actually do what their manufacturers and developers claim to do. The guidelines specified which claims are general wellness (e.g., the FDA will not regulate) and which claims are not (e.g., the FDA will continue to regulate). General wellness claims include claims to:

  1. Promote or maintain a healthy weight, encourage healthy eating, or assist
    with weight loss goals;
  2. Promote relaxation or manage stress;
  3. Increase, improve, or enhance the flow of qi “energy;”
  4. Improve mental acuity, instruction following, concentration, problem solving, multitasking, resource management, decision-making, pattern recognition or eye-hand coordination;
  5. Enhance learning capacity;
  6. Promote physical fitness (e.g., log, track, or trend exercise activity, measure aerobic fitness, develop or improve endurance, strength or coordination;
  7. Promote sleep management (e.g., track sleep trends);
  8. Promote self-esteem
  9. Address a specific body structure or function (e.g., increase or improve muscle size or body tone, enhance or improve sexual performance);
  10. Improve general mobility; and
  11. Enhance participation in recreational activities by monitoring the consequences (e.g., heart rate).

Some claims are categorized as "disease related." The new FDA guidelines list disease-related general wellness claims and how companies should reference those claims in product packaging and advertisements:

"A claim that a product will treat or diagnose obesity; a claim that a product will treat an eating disorder, such as anorexia; a claim that a product helps treat an anxiety disorder; a claim that a computer game will diagnose or treat autism; a claim that a product will treat muscle atrophy or erectile dysfunction; a claim to restore a structure or function impaired due to a disease or condition, e.g., a claim that a prosthetic device enables amputees to walk... disease-related general wellness claims should only be based on references where it is well understood that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition..."

Since the new FDA guidelines apply only to products categorized as "low risk," it is important to understand that definition:

"If the answer to any of the following questions is YES, the product is not low risk and is not covered by this guidance: 1) Is the product invasive? 2) Is the product implanted? 3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure? In assessing whether a product is low risk for purposes of this guidance, FDA recommends that you also consider whether CDRH actively regulates products of the same type as the product in question. For example, CDRH actively regulates external penile rigidity devices, which are devices intended to create or maintain sufficient penile rigidity for sexual intercourse, under 21 CFR 876.5020 as class II devices exempt from premarket notification with special controls..."

The guidelines listed examples of products that are low risk and those which are not. Products that are not low risk:

"Sunlamp products promoted for tanning purposes, due to risks to a user’s safety from the ultraviolet radiation, including, without limitation, an increased risk of skin cancer.

Implants promoted for improved self-image or enhanced sexual function. Implants pose risks to users such as rupture or adverse reaction to implant materials and risks associated with the implantation procedure.

A laser product that claims to improve confidence in user’s appearance by rejuvenating the skin. Although the claims of rejuvenating the skin and improving confidence in user’s appearance are general wellness claims, laser technology presents risks of skin and eye burns.

A neuro-stimulation product that claims to improve memory, due to the risks to a user’s safety from electrical stimulation.

A product that claims to enhance a user’s athletic performance by providing suggestions based on the results of relative lactic acid testing, when the product uses venipuncture to obtain the blood samples needed for testing. Such a product is not low risk because it is invasive (e.g., obtains blood samples by piercing the skin) and also because the product involves an intervention that may pose a risk to the safety of the user and other persons if specific regulatory controls are not applied (e.g., venipuncture may pose a risk of infection transmission)."

Companies and individuals can submit feedback to the FDA about these guidelines. See the guidelines document for instructions for submitting feedback. Fierce Healthcare reported:

"Epstein Becker Green health attorney Brad Thompson, who had previously commented to FierceHealthIT on the draft guidance, said in an email the final version "strikes the right balance between regulation and innovation... Over the intervening year and a half, I have talked to a lot of developers of wearable technologies and associated mobile apps and have used the draft guidance as a roadmap for how to assess FDA jurisdiction. I have found it to be extremely practical..."

A copy of the guidance document is also available here (Adobe PDF). What guidance or clarity does it provide for consumers? I guess not much regarding low risk apps and wearables. Consumers are on their own, so shop wisely and carefully. Whenever I read a document that describes itself as "nonbinding recommendations," that is worrisome.


Senate Narrowly Rejected Bill To Expand Government Surveillance

While consumers may have been distracted with votes in the U.S. Senate about gun reform or the sit-in within the U.S. House, a key vote also happened last week regarding government surveillance. The U.S. Senate narrowly voted down a bill to grant expanded surveillance powers to the Federal Bureau of Investigation.

According to Reuters, the legislation sought to:

"... broaden the type of telephone and internet records the FBI could request from companies such as the Google unit of Alphabet Inc and Verizon Communications Inc without a warrant... filed as an amendment to a criminal justice funding bill, would widen the FBI’s authority to use so-called National Security Letters, which do not require a warrant and whose very existence is usually a secret. Such letters can compel a company to hand over a user's phone billing records. Under the Senate's change, the FBI would be able to demand electronic communications transaction records such as time stamps of emails and the emails' senders and recipients, in addition to some information about websites a person visits and social media log-in data. It would not enable the FBI to use national security letters to obtain the actual content of electronic communications."

Perhaps, more importantly the bill would have made:

"... permanent a provision of the USA Patriot Act that lets the intelligence community conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, expires in December 2019."

Senate Amendment 4787 was introduced by Senators John McCain and Richard Burr. It failed by two votes: 58-38. Before the vote on Wednesday, Senator Ron Wyden (Dem.-Oregon) had warned:

"If this proposal passes, FBI agents will be able to demand the records of what websites you look at online, who you email and chat with, and your text message logs, with no judicial oversight whatsoever. The reality is the FBI already has the power to demand these electronic records with a court order under the Patriot Act. In emergencies the FBI can even obtain the records right away and go to a judge after the fact. This isn’t about giving law-enforcement new tools, it’s about the FBI not wanting to do paperwork.”

Yep. That rejected bill sounds like an erosion of privacy rights. Senate Majority Leader Mitch McConnell (Rep.-Kentucky) has already filed a motion to reconsider the amendment.


U.S. Chamber of Commerce Opposes Proposed FCC Broadband Privacy Rules

U.S. Chamber of Commerce logo Some companies don't want consumers to have privacy when using high-speed Internet services. Just before the long Memorial Day holiday weekend, the U.S. Chamber of Commerce (USCOC) submitted comments about the broadband privacy rules proposed by the U.S. Federal Communications Commission (FCC) in April. Portions of the USCOC's comments to the FCC:

"... the Chamber opposes the proposed broadband privacy rule because it is unnecessary, exceeds statutory authority, furthers a regulatory digital divide between edge and telecommunications providers, and threatens innovation by stifling the already thriving Internet ecosystem... I. Current broadband provider privacy practices and the market do not justify the proposed rule... II. The Commission is engaging in a regulatory overreach with its proposed rule... III. The NPRM furthers a regulatory digital divide The proposed rule creates regulatory imbalance in which broadband service providers will be subject to highly restrictive and prescriptive “opt-in” privacy regulations while other content and edge providers — like Netflix — remain under the light-touch regulatory framework of the FTC... The Chamber strongly supports voluntary self-regulation as the appropriate mechanism for online data protection... IV. The proposed FCC privacy rule threatens innovation and the current digital ecosystem..."

What is the USCOC? It is a political lobbying organization representing businesses. According to the organization's website:

"The U.S. Chamber of Commerce is the world’s largest business organization representing the interests of more than 3 million businesses of all sizes, sectors, and regions. Our members range from mom-and-pop shops and local chambers to leading industry associations and large corporations. They all share one thing—they count on the Chamber to be their voice in Washington, D.C."

Let's unpack this a bit. In its comments to the FCC, the USCOC is arguing for the interests of Internet Service Providers (ISPs), and not small mom-and-pop shops, and definitely not the interests of consumers. The USCOC's view is that opt-in privacy approaches is "highly restrictive" and a burden. Instead, they want to collect whatever consumer information ISPs desire and place the entire burden on consumers to opt-out of programs. Think about that for a moment. They believe it is burdensome to explain a program's privacy policy and display an "opt-in" (or "register" or "I accept these terms") button so that consumers stay in control of their personal information.

The USCOC's submission claims that the FCC's proposed rules unfairly places restrictions on ISPs compared to "edge providers' or companies that produce content and advertising networks:

"The proposed rule creates regulatory imbalance in which broadband service providers will be subject to highly-restrictive and prescriptive “opt-in” privacy regulations while other content and edge providers — like Netflix — remain under the light-touch regulatory framework of the FTC. The same customer data about Internet usage will be regulated by two very different agencies. Content and edge providers will continue to operate under FTC’s jurisdiction to regulate “unfair and deceptive” trade practices under Section 5 of the Federal Trade Commission Act. 21 Under Section 5, in the case of unfair and deceptive trade practice violations, the FTC generally issues a cease and desist order that does not immediately impose penalties on alleged violators. This practice gives companies notice and a chance to clean up their act. Conversely, broadband providers under section 222 would not be entitled to a notice to correct mistakes and would be subject to the highly-prescriptive regulations imposed by the NPRM. The decision to regulate broadband providers under two different regulatory regimes is entirely arbitrary..."

Huh? Really? Internet access is not content. Content is content. Of course, the two should be treated differently. Internet access includes the connections for devices a consumer uses online: phones, tablets, laptops, desktops, smart televisions, smart thermometers, smart home-security systems, fitness bands, smart watches, connected refrigerators, and more. Consuming content from Netflix, or another provider, may involve a few, one, or none of these devices -- the choice of the consumer.

In its comments to the FCC, the USCOC also said:

The Commission has also failed to offer any evidence that edge and content providers are respecting consumers’ privacy more than broadband providers or that Internet service providers have any meaningful advantage over content and edge providers with respect to personal data."

MediaPost reported:

"Consumer advocacy groups disagree, pointing out that ISPs have access to all unencrypted traffic in their networks. While more sites now encrypt data than in the past, much remains unencrypted. Consider, a recent study by Upturn found that more than 85% of the top 50 sites in health, news and shopping don't fully support encryption. Upturn also noted in its report that ISPs can glean information about consumers even when they visit encrypted sites... Consumer advocacy groups also argue that broadband providers should be subject to tougher privacy rules because consumers have only limited options about which ISP to use, but many choices about which Web sites to visit."

Well said. I would add to this that the industry historically has repeatedly abused consumers' privacy. This blog has covered many of those abuses:

Historically, ISPs have sought increased revenues and viewed targeted (behavioral) advertising as the means. To do this, they partnered with several technology companies (some went out of business after class-action lawsuits) to spy on consumers without notice, without consent, and without providing opt-out  mechanisms. Consumers should control their privacy, not ISPs.

Now you know who if fighting for consumers' interests, and who is not.


Pending Rule 41 Changes Facilitate Government Spying, So Senators Introduce Legislation To Protect Citizens

Late last week, MacDailyNews reported (links added):

"U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims."

This news story caught my attention because you don't often see Senators Wyden and Paul working together. It raises several questions: what is so important? What is going on?

Last summer, this blog briefly discussed Rule 41 changes the U.S. Justice Department (DOJ) sought. The rule governs how search, seizure, and arrest warrants are obtained by prosecutors for criminal cases. Given sophisticated computer viruses (e.g., malware) that can take over multiple computers in multiple areas and coordinate attacks by those infected computers (a/k/a botnets), the DOJ sought changes where judges could approve warrants where the botnet location is unknown or located in another area, state, or jurisdiction. The Tech Dirt blog covered this well on April 29:

"The DOJ is one step closer to being allowed to remotely access computers anywhere in the world using a normal search warrant issued by a magistrate judge. The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to "search" computers across the nation using Network Investigative Techniques (NITs)."

The Tech Dirt blog post also published the relevant section of the pending Rule 41changes approved by the U.S. Supreme Court (SCOTUS):

"Rule 41. Search and Seizure

(b) Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
"

The document also says the following about electronic searches:

"(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
* * * * *
(C) Receipt. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person."

So, the remote, electronic searching of computers doesn't target only the computers of the defendant suspected of committing a crime, but it also targets innocent people whose computers may or may not have been infected by the computer virus or botnet. How? Government prosecutors can easily craft broad warrants, and/or computer-illiterate judges can approve them.

And, innocent people won't necessarily receive any notice (e.g., the "reasonable efforts") about remote electronic searches of their devices (e.g., desktops, laptops, phones or tablets) located inside or outside their homes. And, that notice might be after the remote electronic searches were completed. Huh? When the government performs broad searches like this, that is called surveillance... spying.

Were you aware of Rule 41? Of the pending changes? Probably not. And, you'd probably agree that innocent persons' computers shouldn't be searched; and if so, advance notice should be provided. This troubles me and I hope that it troubles you, too.

I also find it troubling that the proposed Rule 41 changes weren't discussed nor debated publicly in Congress. Using the proposed Rule 41 changes, the government has found slick, stealth way to gain broader powers to spy on U.S. citizens while conveniently ignoring the Fourth Amendment of the U.S. Constitution.

Senator Paul said in a statement:

"The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion..."

Senator Wyden said in a statement:

"This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process... Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."

Proponents of the Rule 41 changes will often argue that the changes are needed to fight child predators and terrorists. A wise person once told me, "you can't just run away from the Fourth Amendment." The ends don't justify the means.

The Computer & Communications Industry Association (CCIA) said:

"The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The CCIA has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation... We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently... The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress..."

Peter Goldberger, the Co-Chair of Committee on Rules of Procedure at the National Association of Criminal Defense Lawyers (NACDL) said:

"This is a significant and substantive change to the law masquerading as a procedural rule change.. While it is surely possible to craft a constitutional procedure for digital searches, the rule making process is not sufficient for addressing such fundamental constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue."

You can read the Stopping Mass hacking Act (Adobe PDF) text. It's short. I wish that it went further and, a) cited prior legal cases to prevent the remote electronic searches of innocent persons' devices, b) included stronger language to prevent innocent persons from the burden of responding to court orders, subpoenas, and searches, and c) prevent the government from hiring a third-party to perform the remote electronic searches.

So, now you know. Thankfully, Senators Wyden and Paul are paying attention and have decided to work together. The seriousness demands such. Senators Tammy Baldwin (D-Wisconsin), Steve Daines (R-Montana), and Jon Tester (D-Montana) are co-sponsors of the Senate bill. Contact your Senator and ask why he/she does not support the Stopping Mass Hacking (SMH) Act. Then, contact your Representative and demand that he/she support a similar bill in the House of Representatives. Tell them that rules changes should not masquerade as changes in laws.

Opinions? Comments?


Open Letter By Tech Industry Associations Calls The Burr-Feinstein Anti-Encryption Proposal 'Unworkable'

Several technology industry associations have sent a joint, open letter to U.S. Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.) about proposed legislation the Senators drafted. The Compliance with Court Orders Act of 2016 (CCOA) would force companies to de-encrypt communications on demand for law enforcement agencies.

The industry associations described the proposed legislation as "unworkable" in that it would "create government mandated security vulnerabilities" in digital products and services. The letter stated in part:

"We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems... Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers... The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access.  This access could, in turn, be exploited by bad actors... such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the United States..."

Four groups signed the open letter: Reform Government Surveillance (RGS), the Computer & Communications Industry Association (CCIA), the Internet Infrastructure Coalition (I2C), and the Entertainment Software Association (ESA). RGS members include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and others. CCIA members include Amazon, Ebay, Google, Microsoft, Netflix, Pandora, PayPal, Samsung, Sprint, and others. I2C members include Amazon, Google, GoDaddy, HostGator, Verisign, and many more companies worldwide. ESA members include Activision, Disney Interactive Studios, EA, Konami, Nintendo, and others.

Privacy and security advocates itemized several problems with the CCOA. Some experts warn that the proposed legislation makes encryption illegal:

"... if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information... the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal..."

Earlier this month, Congressman Darrell Issa (R-CA), Chairman of the House Judiciary subcommittee responsible for the nation’s Internet policy, described the CCOA as:

“... about as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to American’s right to privacy and frankly would also be downright dangerous...”

The The full text of the CCOA discussion draft is available at Senator Burr's website and here (Adobe PDF, 35k).


5 Things Wrong With the Burr-Feinstein Anti-Encryption Bill

If you haven't heard, two U.S. Senators proposed a bill that forces technology companies to assist law enforcement and break the encryption built into their products and services. The Just Security blog analyzed the proposed bill, called the Compliance with Court Orders Act of 2016 (CCOA).

The CCOA draft was written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.), leaders of the Senate Intelligence Committee. It's chief provisions:

"Upon receipt of a court order or warrant for “information or data” sought by a federal, state, local, or tribal government in specific types of investigations or prosecutions, the CCOA requires covered entities to give the government the information or data in an “intelligible” (i.e., unencrypted) format, or to provide any “necessary” technical assistance to render it intelligible. The CCOA only kicks in if the data is “unintelligible” (i.e., encrypted) due to “a feature, product, or service” that is “owned, controlled, created, or provided” by the entity (or by a third party on its behalf). The bill says that no government officer can dictate or prohibit specific design requirements to comply with the law."

Covered entities include tech companies: software developers, device manufacturers, communications providers (wired and wireless), and "remote computing services (RCS)." There are several major things wrong with this proposed legislation:

"In short, the bill prohibits covered entities from designing encryption and other security features so encrypted data is accessible only to the user, not law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption."

Effective encryption makes sense. It is precisely what is needed by both consumers and businesses to protect and keep private sensitive information, proprietary information, and banking transactions. The Burr-Feinstein proposed bill forces tech companies to build products and services with weaker security:

"...The CCOA would prohibit covered entities in the US from implementing state-of-the-art data security in their products and services... effectively outlaw such cornerstone security concepts as end-to-end encryption, forward secrecy, and HTTPS, which encrypts web traffic against hackers, state-sponsored attackers, and other snoops... It makes covered “license distributors” responsible for the compliance of the software being distributed, meaning Apple’s and Google’s app stores would be on the hook for ensuring every app on offer has weak enough security to meet government standards. It would chill innovation by rendering it largely pointless to work on making software and hardware more secure, because only CCOA-compliant security architectures would be legal."

Think of CCOA-compliant security architectures as GovtOS. The government is forcing tech companies to build a GovtOS. That's wrong. Some of the things wrong with the CCOA:

"2. It can’t stop terrorists and criminals from hiding their activities. The joke in the infosec community used to be that “when crypto is outlawed, only outlaws will use crypto.” The joke’s on Burr and Feinstein... Not only are effective encryption offerings readily available from entities based outside the US, there are already millions upon millions of devices, apps, and software programs presently in use that employ the encryption to be banned going forward. The crypto cat is out of the bag, as New America’s Open Technology Institute put it, and law enforcement’s alarmist and unsupported “going dark” rhetoric can’t hide that fact."

"3. There is no “middle ground” on encryption. This one-sided bill tries to hold itself out as the “middle ground” on encryption... But as cryptography experts have repeatedly explained over the last two decades, there is no middle ground on this issue. Mandating a means of access for law enforcement simply isn’t “appropriate” data security. It is a vulnerability, whose use can’t be limited to “good guys” bearing a court order. This was true 20 years ago and it’s still true today."

That's why many security experts call the CCOA an "anti-encryption" proposal. There's plenty more that's wrong with the CCOA. Read the entire Just Security article.

The CCOA is myopic and wrong. It forces tech companies to build inferior products and services with weaker security; and places U.S.-based tech companies at a disadvantage in the world market. It forces tech companies to do, for free, the investigative work law enforcement should do themselves. The CCOA forces tech companies to build GovtOS, regardless of the negative economic consequences to industry and jobs.

If the CCOA bothers you (and I sincerely hope that it does), tell your elected representatives.


FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

Federal Bureau of Investigation logo A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn if this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Apple Inc. logo Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have the decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone was not always such a fierce competitor. While it’s seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli-firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?


Updated Laws And Protections Needed Regarding Drone Privacy

Image of a drone or unmanned aircraft Consumer Reports explored the issues with drone privacy: what privacy protections consumers have, if any, and who enforces them. A 70-year-old lawsuit involving a farmer in North Carolina has now taken on new importance:

"The case made it all the way to the Supreme Court in 1946. And one result of United States v. Causby was that the Court set the limits of private airspace: If you own a house, your property rights extend 83 feet up into the air... the 70-year-old ruling has new importance in the age of drones. It remains the only clear federal statement of law on how far above the ground your property ends..."

Basically, the Federal Aviation Administration (FAA) is responsible for setting rules and enforcement. Drones (also referred to as unmanned aircraft) have many valid uses, including faster, easier safety inspections of infrastructure, such as bridges, residential roofs, towers, and stacks; plus commercial package delivery. Thankfully, drone pilots have been required to register with the FAA since December.

To improve things, the Electronic Privacy Information Center (EPIC) filed a federal lawsuit, to try to force the FAA to set rules protecting citizens from privacy intrusions by drones:

"... EPIC wants the FAA to make it easy for citizens to find out whether drones flying overhead have surveillance capabilities. The group also wants to protect the privacy rights of drone pilots..."

While some states have "paparazzi" laws that apply when photos or video are taken, improvements are needed to help consumers distinguish between drones flying overhead versus drones performing unauthorized recording:

"... existing nuisance and invasion-of-privacy statutes would apply to drone owners. If you could prove you were being harassed by a drone flying over your house, or even that one was spying on you from afar, you might have a case against the drone operator. But proof is difficult to obtain... and not everyone agrees on how to define harassment."

Other legislative efforts:

"A law proposed by Massachusetts Senator Ed Markey, the Drone Aircraft Privacy and Transparency Act, would require the agency to ensure baseline privacy and transparency safeguards, which would apply to both private drone operators and law enforcement. The ACLU, which supports the Markey bill, argued as far back as 2011 that a lack of oversight could lead to excessive surveillance by law enforcement using drones."

Related blog posts:


FCC Proposes New Rule To Unlock Set-Top Cable Boxes To Encourage Innovation, Competition, Choice And Lower Prices

Federal communications Commission logo During an open Commission meeting on Thursday February 18, 2016, the U.S. Federal Communications Commission (FCC) discussed and approved several agenda items including a proposal to encourage competition with the cable television set-top boxes that many consumers lease from their cable-TV providers:

"The Notice of Proposed Rulemaking (NPRM) will create a framework for providing innovators, device manufacturers, and app developers the information they need to develop new technologies, reflecting the many ways consumers access their subscription video programming today. Ninety-nine percent of pay-TV subscribers have limited choices today and lease set-top boxes from their cable and satellite operators. Lack of competition has meant few choices and high prices for consumers – on average, $231 in rental fees annually for the average American household. Altogether, U.S. consumers spend $20 billion a year to lease these devices. Since 1994, according to a recent analysis, the cost of cable set-top boxes has risen 185 percent while the cost of computers, televisions, and mobile phones has dropped by 90 percent. Congress recognized the importance of a competitive marketplace and directed the Commission to adopt rules that will ensure consumers will be able to use the device they prefer for accessing programming they’ve paid for."

The NPRM recommends that Multi-channel Video Programming Distributors (MVPD), including legacy cable-TV providers, TV networks, and others that provide programming via cable and/or the Internet, be required to deliver three core information streams:

"1. Service discovery: Information about what programming is available to the consumer, such as the channel listing and video-on-demand lineup, and what is on those channels.
2. Entitlements: Information about what a device is allowed to do with content, such as recording,
3. Content delivery: The video programming itself."

Consumers can keep their current cable set-top boxes, or switch to newer solutions when available. The FCC did not dictate standards for the solutions. Instead the FCC recommended that:

"... these three streams be available to the creators of competitive solutions using any published, transparent format that conforms to specifications set by an independent, open standards body... The Notice of Proposed Rulemaking also recommends content protection rules... The proposed rules do not mandate a single security system but simply require MVPDs to offer at least one content protection system that is openly licensed on reasonable and non-discriminatory terms. This gives MVPDs the ability to create their own content protection system to prevent theft and misuse, while ensuring that manufacturers will be able to build devices that can access protected content from a variety of MVPDs."

The proposed rules also include the following requirements for MVPDs:

"Ensure that children’s programming advertising limits and emergency alerts apply regardless of whether the consumer leases the MVPD’s set-top box or uses a competitive solution to access video programming;

Include a billing transparency rule to ensure that consumers understand their monthly charges for both programming services and equipment lease fees in accordance with section 629; and

Retain the Commission’s rules adopted in a 2010 Report and Order to improve support for consumer-owned CableCARD devices."

Much needs to happen before competitive set-top box solutions are available in the marketplace. The next step includes a comment period where interested parties (e.g., companies, consumers) -- supporters and opponents -- submit feedback about the proposed rules. Then, the FCC reviews the feedback and may adjust its rules based upon that feedback. After finalized rules, companies will then develop set-top box solutions. The proposed rules document lists several topics the FCC seeks feedback about. Some of those topics:

"... ways to address any licensing and consumer protection issues... how best to align our rules on device billing and subsidies... whether the rules the Commission adopted in a 2010 Report and Order to improve support for consumer-owned CableCARD devices have continued relevance and should remain valid and enforceable... statistics show, however, that almost all consumers have one source for access to the multichannel video programming to which they subscribe: the leased set-top box, or the MVPD-provided application. Therefore, we tentatively conclude that the market for navigation devices is not competitive, and that we should adopt new regulations to further Section 629. We invite comment on this tentative conclusion... the process that an MVPD uses to decide whether to allow such a device to access its services... it appears that consumers have downloaded proprietary MVPD applications many times; we seek comment on whether consumers actually use those applications to access multichannel video programming..."

Regardless, the proposed set-top box rules will disrupt the revenue streams cable-TV operators have enjoyed for decades. So, you can expect them, and their allies, to put up a fight. Wired magazine reported:

"Each consumer has invested thousands of dollars into the box without having any ownership,” says Chip Pickering, CEO of Incompas, a trade association for “competitive networks” backed by Google, Amazon, Netflix, and others. “That’s a monopoly business model.” The distribution of set-top boxes, then, is essentially a monopoly within an already monopolistic industry..."

One argument opponents have used is to blame Google:

"Google has become a popular bogeyman for entrenched cable interests for good reason. The company has actively supported set-top box disruption, both through its involvement with Incompas and through direct contact with the FCC. AT&T went so far as to call it “Google’s Set-Top Box Proposal” in a corporate blog post opposing the rules..."

Despite the hype and spin that has been presented (and will be presented), it's important for consumers to remember that:

“Nothing in the [FCC] proposal changes linear TV or traditional TV’s advertising. Their programming, their advertising, nothing that they do today will be changed,” says Pickering. What could change is that the traditional programming would be served up alongside Internet programming..."

View the FCC "Unlock the Box" press release (Adobe PDF) or here. View the FCC "Unlock the Box" NPRM (Adobe PDF) or here.

The FCC set-top proposal is is good news for consumers. It starts to break the monopolistic strangle-hold. Cable-TV providers have had decades to recoup their infrastructure investments. It's time to move forward with solutions more friendly for consumers. Kudos to the FCC for encouraging competition to lower cable prices for consumers.


CFPB Considers Proposal to Ban Some Arbitration Clauses

Logo for Consumer Financial Protection Bureau On Wednesday, the Consumer Financial Protection Bureau (CFPN) announced a proposal to ban arbitration clauses which many companies use to prevent consumers from joining class-action lawsuits. In its announcement, the CFPB explained the problem:

"Many contracts for consumer financial products and services include arbitration clauses. These clauses typically state that either the company or the consumer can require disputes about that product to be resolved by privately appointed individuals (arbitrators), rather than through the court system. Where such a clause exists, either side can generally block lawsuits from proceeding in court. These clauses also typically bar consumers from bringing group claims through the arbitration process. There are arbitration clauses in all kinds of consumer financial products, from bank accounts to private student loans. They affect tens of millions of consumers. As a result, no matter how many consumers are injured by the same conduct, consumers must resolve their claims individually against the company, which few consumers do."

The Dodd-Frank Wall Street Reform and Consumer Protection Act, passed by Congress, required the CFPB to study the use of arbitration clauses in consumer financial markets and provide remedies. The CFPB released the results of its study in March 2015:

"... arbitration clauses restrict consumers’ relief for disputes with financial service providers by allowing companies to block group lawsuits... very few consumers individually seek relief through arbitration or the federal courts, while millions of consumers are eligible for relief each year through group settlements. According to the study, more than 75 percent of consumers surveyed in the credit card market did not know whether they were subject to an arbitration clause in their contract. Fewer than 7 percent of those consumers covered by arbitration clauses realized that the clauses restricted their ability to sue in court."

The proposal would not ban arbitration clauses, but limit and monitor their use instead:

"... the clauses would have to say explicitly that they do not apply to cases filed as class actions unless and until the class certification is denied by the court or the class claims are dismissed in court. The proposals under consideration would also require that companies that choose to use arbitration clauses for individual disputes submit to the CFPB the arbitration claims filed and awards issued. This will allow the Bureau to monitor consumer finance arbitrations to ensure that the process is fair for consumers. The Bureau is also considering publishing the claims and awards on its website so the public can monitor them."

This is really good because the playing field is heavily tilted against consumers. A friend (who asked to remain anonymous) experienced a very lengthy arbitration process with a big bank that stretched out for more than 12 years. The process should have been resolved a lot faster, and the bank still refused to pay after the arbiter's decision. That's one way companies abuse consumers, knowing that most consumers have limited financial resources and legal options.

Readers of this blog are familiar with the problem. I discussed it during a 2014 review of the Vanilla Visa Prepaid Card, which includes arbitration in its terms. Bankrate published in 2004:

"Binding arbitration, a little noticed clause in many agreements and contracts, strips consumers of their fundamental rights, including the right to sue individually or join a class-action suit if they have a problem with a company. Under binding arbitration, a consumer can be forced to pay thousands of dollars upfront to pursue a complaint, travel thousands of miles to a location of the company's choosing for the hearing, argue their case before an arbitrator who depends on the company for future business and surrender such basic legal weapons as the right to discovery and the right to appeal a decision... Labeled by the National Consumer Law Center as "astonishingly unfair and undemocratic," these clauses affect millions of consumers across the country. Corporations insert them into employment and home building contracts, in agreements for credit cards, computer software and hardware purchases, and many types of loans."

And, arbitration can cost more than a traditional court trial:

"Consumers' costs for arbitration vary widely and depend on the arbitration company, the type of dispute and the cost of the proposed remedy. The American Arbitration Association offers a streamlined process for consumer disputes that limits costs, but limits your rights too. While the American Arbitration Association is an umbrella group for arbitration companies, not all arbitration companies follow its suggested rules. Under these consumer rules, there is a filing fee of $125 if your dispute is under $10,000 and $350 if it is over that amount... However, in exchange for the low filing fees and streamlined process, you must give up some of your rights... There is no contingency in arbitration. Also, these costs don't include costs for an attorney if you want one..."

According to the National Association of Consumer Advocates (NACA):

"One of the alleged benefits of arbitration is that it costs less than litigation, but frequently this is not true for consumers and employees. Forced arbitration frequently costs more than taking a case to court and can cost thousands of dollars. Individuals often have to pay a large fee simply to initiate the arbitration process. If they are able to get an in-person hearing, individuals sometimes have to travel thousands of miles on their own dime to attend the arbitration. In the end, the loser (usually the individual) often pays the company’s legal fees."

The benefits of the CFPB arbitration proposal:

  1. Consumers get their day in court. With current arbitration clauses, consumers don't.
  2. A deterrent against wrongdoing and bad actors. The CFPB proposal encourages companies to comply with the law to avoid lawsuits.
  3. Increased transparency. Arbitration processes and results shouldn't be secret. CFPB monitoring would help consumers determine whether or not they're getting a good deal in arbitration.

So, the CFPB proposal to ban arbitration clauses is very good and welcomed news for consumers. You probably already use a service that includes arbitration clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers.

If this bothers you (and I hope that it does), you can take action at the NACA website. And, tell your elected officials you support the CFPB's arbitration proposal. What are your opinions of the CFPB arbitration proposal?


Charts: Gun vs. Terrorism Deaths, Comparisons By State

In a news conference yesterday after the latest shooting at a school, President Obama challenged the news media to report facts comparing gun versus terrorism deaths in the USA. Vox published an interactive chart comparing deaths:

Chart comparing gun versus terrorism deaths in the USA. Click to view larger image

And, there's plenty more. Vox provided several charts and statistics about gun violence and gun ownership in the United States:

"America's unique problem with gun violence: American has six times as many firearm homicides as Canada, and 15 times as many as Germany... America has 4.4 percent of the world's population, but almost half of the civilian-owned guns around the world... There is a mass shooting almost every day in America... States with more guns have more gun deaths... States with tighter gun control laws have fewer gun-related deaths... In states with more guns, more police officers are also killed on duty..."

The chart comparing gun ownership and gun-related deaths by state:

Chart comparing gun ownership versus gun deaths by state. Click to view larger image

To learn more, browse the charts Vox has assembled.


U.S. Senator Calls For Geo-Fencing To Keep Drones Away From High Value Targets

Image of a drone or unmanned aircraft Most people like to travel. That includes airplane trips for business or for pleasure. And, everyone wants to travel safely. Newsday reported:

"The FAA reported 52 instances of pilots spotting drones in June and July 2014, but the rate of such sightings has risen to 275 in June and July 2015, the senator said. Schumer said he fears a drone may eventually be sucked into the engine of a plane or otherwise collide with aircraft."

This blog reported in August about two near misses in New York. For safety, U.S. Senator Chuck Schumer (Democrat-New York) proposed an amendment to Federal Aviation Administration Re-authorization bill to require all remote-controlled aircraft sold in the United States to have tracking mechanisms installed. The mechanisms would use geo-fencing technology to keep drones away from high-value targets, such as airports, major parades, the Pentagon, major sporting events, and sports stadiums.

The Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies in the United States. The incident highlights the need for continued and stronger enforcement of aviation safety laws by drone operators:

"Unmanned aircraft systems are neither supposed to fly within five miles of an airport without notifying the airport operator and control tower nor are they supposed to go above 400 feet."

There will likely be a fight in Washington about the FAA Re-authorization bill. General Aviation News reported in July 2015:

"The House Transportation and Infrastructure Committee has delayed plans to release its proposed FAA reauthorization legislation. That occurred after the House majority leader informed the committee that consideration of the FAA reauthorization bill has been moved to September. The current FAA authorization expires Sept. 30. It was put into place after an agonizing 23 short-term extensions that stretched from September 2007 to February 2012. While some lawmakers had promised that wouldn’t happen with this reauthorization, a short-term extension of the authorization may be needed while lawmakers pound out the final bill."

About his bill amendment, the Senator said in a statement:

"There needs to be a clear strategy to address the public safety dilemma of reckless drone use because a future drone crash could spell real trouble. That’s why I am unveiling brand new federal language in Congress that would virtually eliminate any chance of drones crashing into planes and causing serious danger... If geo-fencing technology were mandated in every drone sold in America, it would go a long way toward preventing the kinds of near-misses that have occurred over the past few months, and still allow hobbyists to fly drones in safe places.”

I agree. What are your opinions?


Location Privacy. Does Your State Allow Warrantless Searches Of Cellphones?

Does your state's laws allow law enforcement to perform warrantless searches for cellphone location data? The American Civil Liberties Union (ACLU) released a report where it researched each state's current laws to determine whether residents' location privacy is protected or not:

"... 18 states now require law enforcement to get a probable cause warrant before obtaining people’s cell phone location information. Six of those states protect both historical and real-time location information from warrantless search... This year alone, legislation was introduced in 17 states. Instead of waiting for Congress or the courts to act, state legislatures are leading the way..."

Metadata about your phone calls reveals who you called, who called you, when the call happened, and how long you talked. Geo-location data reveals your travel patterns: where you went, when you left, when you returned, how long you stayed, places you passed by and didn't enter, and travel patterns (e.g., places you visit frequently and/or at certain times or on certain days).

The report included what's known (so far) about stingrays, the technology using fake cellular phone towers to spy and collect your phone usage and geo-location data:

"... New Hampshire has joined the ranks of states offering full probable-cause warrant protection to both historical and real-time cell phone location information. The Washington legislature unanimously passed a law requiring a warrant for use of “StingRay” cell phone tracking equipment, and Virginia enacted a similar law."

You can browse the report to read detail about the laws (or lack thereof) in the state where you live. For example, the state where I live:

ACLU report on warrantless search laws by state. Massachusetts. Click to view larger version

Besides stingrays, the use of other technologies threaten consumers' location privacy. The ACLU of Southern California and the Electronic Frontier Foundation (EFF) asked the California Supreme Court to review their lawsuit seeking access to automated license plate-reader (ALPR) data collected by the Los Angeles Police and Sheriff’s Departments. The EFF said in July:

"This case has significant precedential impact, setting a troubling standard allowing police to keep these records and details of its surveillance of ordinary, law-abiding citizens from ever being scrutinized. The appeals court ruling may apply not only to records collected with license plate cameras, but to data collected using other forms of automatic and indiscriminate surveillance systems, from body cameras and dash cameras to public surveillance cameras and drones. Without access to these records, we can’t ensure police accountability."

The case started in 2012 when local law enforcement refused to disclose ALPR data after the EFF filed a public records request:

"... cameras mounted on patrol cars and at fixed locations around the city and county of Los Angeles. ALPRs automatically take a picture of all license plates that come into view and record the time, date, and location where the vehicle was photographed. Because the agencies store the data for two to five years, they have been able to collect a massive amount of sensitive location-based information on mostly innocent Los Angeles residents..."

Reportedly, the reasons given by local law enforcement agencies:

"The agencies refused to turn over the records, claiming they could withhold the millions of license plate data points as “records of law enforcement investigations,” which are exempt from public review under the California Public Records Act. Incredibly, they argued that all drivers in Los Angeles are under criminal investigation at all times—whether or not the police suspect them of being involved in any criminal activity. The ACLU has estimated that as many as 99.8% of the vehicles photographed by ALPR cameras are never linked to any ongoing criminal investigation..."

Sadly, both the trial and appeal courts sided with the law enforcement agencies. So, the threat to consumers is two-fold: a) collection of law-abiding citizens without notice nor consent, and b) lack of accountability of government surveillance programs that could extend into more technologies such as body cameras.

Last, all of this does not minimize nor condone surveillance by corporations, which is arguably more extensive than government surveillance. Terms such as behavioral advertising, geo-fencing, and targeted advertising are often used to describe private-sector surveillance, with vague promises of relevant advertising benefits. At the end of the day, surveillance is surveillance; tracking is tracking. Many law enforcement and spy executives have probably looked at the extensive private-sector surveillance with weak consumer protections and concluded, "if they can do it, so should we."

View the ACLU report and status of warrantless search laws in your state.


Can You Legally Shoot Down a Drone Hovering Over Your Property?

Image of a drone or unmanned aircraft During the coming months and years, this is a question more and more people will ask: can citizens shoot down a drone hovering over your property? Many drones are outfitted with surveillance cameras. One person outfitted a drone with a handgun (video). Some hobbyists outfitted their drones with paintball handguns. Newsweek explored the problem:

"A New Jersey resident who shot down a neighbor’s drone was arrested and charged with possession of a weapon for an unlawful purpose and criminal mischief. After a Californian shot down a neighbor’s drone thinking “it was a CIA surveillance device, ”the drone’s owner won a suit in a small claims court that found the man “acted unreasonably... regardless of whether it was over his property or not." "

Last month, a Kentucky homeowner was arrested after shooting down a camera-equipped drone that hovered directly over his property while his teenage daughter sunbathed in the back yard. You might think that the case should have favored the homeowner, but it didn't. Why? Keep reading.

The legality of shooting down a drone depends upon whether or not it is threatening. The Newsweek article explored the legal issues:

"... unlike pedestrian trespass, your options for removing drones from your property are limited. More troubling is this: How do you know when a drone is truly threatening? As Michael Froomkin, a professor at the University of Miami School of Law, writes, neither the law nor technology has developed far enough to clarify what constitutes a threat and what measure of self-help is appropriate."

So, there is ambiguity about what constitutes a threat and what a reasonable response is. Our laws both lag behind the rapidly advancing technology and inconsistency treat crime versus privacy:

"Ryan Calo, a professor at the University of Washington School of Law, writes, “[T]he lack of a coherent mental model of privacy harm helps account for the lag between the advancement of technology and privacy law.” But not so in criminal law, where tough-on-crime mania routinely drives quick application of broadly phrased statutes to new contexts."

Reportedly, the Federal Aviation Administration (FAA) has responsibility for all civil airspace (e.g., non military) above cities and towns. Based upon the 2012 FAA Modernization and Reform Act, there are different rules for government, non-government, and recreational operators of Unmanned Aircraft Systems (UAS), commonly referred to as drones. The FAA rules for recreational or hobby drone usage:

"Fly below 400 feet and remain clear of surrounding obstacles; Keep the aircraft within visual line of sight at all times; Remain well clear of and do not interfere with manned aircraft operations; Don't fly within 5 miles of an airport unless you contact the airport and control tower before flying; Don't fly near people or stadiums; Don't fly an aircraft that weighs more than 55 lbs; Don't be careless or reckless with your unmanned aircraft – you could be fined for endangering people or other aircraft"

How close is "near" -- 3 feet, 30 feet, 30 yards? That seems vague. Nor do the rules mention privacy, so i guess it is legal to film anyone without consent. And, I guess you can modify your recreational drone with any attachment, as long as you stay under the 55-pound limit.

Some people have used drones to record natural sights, such as a volcano and lava river, that would be too dangerous to record otherwise. Some local governments have used drones to inspect building rooftops after snowstorms for damage or collapse risks. Other local governments want to use camera-equipped drones to inspect structures, such as bridges, that otherwise would be costly or inaccessible. Both make sense.

There already are film festivals for drone operators. The New York City Drone Film Festival debuted in March, and the Flying Robot International Film Festival is scheduled for November 19. Some consumers have already used drones to record landmarks such as the Golden Gate Bridge near San Francisco. Predictably, one recreational drone crashed into the bridge's roadway. While it didn't cause a traffic accident, the risk is there. I'd hate to think that legislators waited until a catastrophe before taking action.

Does this bother you? I hope so. Contact your elected officials and demand updated, effective drone laws that protect both your safety and privacy.

What are your opinions?


China's New National Security Law Raises Intellectual Property, Privacy, And Supply Chain Concerns

The New York Times reported about China's new national security law and how it will affect U.S.-based corporations doing business there. The new law also raises intellectual property, privacy, and supply-chain concerns. What is different about the new law:

"New language in the rules calls for a “national security review” of the technology industry — including networking and other products and services — and foreign investment. The law also calls for technology that supports crucial sectors to be “secure and controllable,” a catchphrase that multinationals and industry groups say could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code."

MSS Indisde The term "controllable" seems to imply a lot more than access via back doors to software and computing systems. Closely related to this new law are disagreements between the United States and China:

"The United States has accused China of state-sponsored hacking attacks against American companies to gain a commercial advantage... In turn, China maintains that the disclosures by Edward J. Snowden, the former United States National Security Agency contractor, about American online espionage give it plenty of reason to wean itself from foreign technology that may have been tampered with by United States intelligence agencies."

The Ministry of State Security is China's intelligence agency. In April, China withdrew a law that:

"... restricted which technology products could be sold by foreign companies to Chinese banks. Groups that represent companies like Apple, Google and Microsoft had pushed against that law."

Australia's Sydney Morning Herald reported:

"... the Chinese government has enacted a new national security law that amounts to a sweeping command from President Xi Jinping to maintain the primacy of Communist Party rule across all aspects of society. The law is expected to bolster the power of China's domestic security apparatus and military. The law says "security" must be maintained in all fields, from culture to education to cyberspace... security must be defended on international seabeds, in the polar regions and even in outer space."

The Herald added:

"The law is one of three being scrutinised by foreign leaders and corporate executives... The other two laws are expected to be passed soon; one would regulate foreign non-governmental organisations and place them under the oversight of the Ministry of Public Security, and the other is a counterterrorism law... Legal scholars and analysts in China say it will probably lead to the security apparatus amassing more power..."

The U.S. Chamber of Commerce and several companies sent a letter in January 2015 to China calling for more discussions about the new law. The new laws seem to be clear rejection of that request.

NSA Android logo So, there are more security laws to come from China. China's new law raises several questions:

  1. How will high-tech companies respond? Will they comply, fight the new laws, or relocate their businesses to more hospitable countries?
  2. Will Apple permit the Chinese to have back doors or keys to its products after denying that to the U.S. intelligence community?
  3. reportedly, Google has included NSA code in its software. Will it also allow the MSS to include code?
  4. How will IBM, Cisco, Microsoft, and other high-tech companies respond?
  5. Is it possible to technically alter software products and Internet service for only the Chinese market, which aren't sold in other countries?
  6. If #5 is possible, would other countries' governments accept differentiated products, or demand the same backdoor access as China?
  7. How will the new law affect the Internet of Things (ioT); especially including Internet-capable appliances made in China?

NSA Inside logo What are your opinions of China's new security law? Are there any more issues or questions than the seven listed above? How do you think U.S.-based corporations should respond to China's new law?


FISA Court Rules NSA Bulk Phone Metadata Collection Program Can Resume

National Security Agency logo On Monday the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) can temporarily resume for six months its bulk collection of metadata about Americans' phone calls. The program had ended on June 1 when the law it was based upon, Secton 215 of the USA Patriot Act, expired. The New York Times reported:

"Congress revived that provision on June 2 with a bill called the USA Freedom Act, which said the provision could not be used for bulk collection after six months. The six-month period was intended to give intelligence agencies time to move to a new system in which the phone records — which include information like phone numbers and the duration of calls but not the contents of conversations — would stay in the hands of phone companies."

The Second Circuit Court of Appeals ruled in May that the bulk phone records program violated the USA Patriot Act. Also:

"... After President Obama signed the Freedom Act on June 2, his administration applied to restart the program for six months. But a conservative and libertarian advocacy group, FreedomWorks, filed a motion in the surveillance court saying it had no legal authority to permit the program to resume,"

The FISA Court ruled against the motion by FreedomWorks. For those interested, read the full text of the June 29, 2015 FISA Court opinion.

Senator Ron Wyden said in a statement:

"I see no reason for the Executive Branch to restart bulk collection, even for a few months. This illegal dragnet surveillance violated Americans' rights for fourteen years without making our country any safer... It is disappointing that the {Obama] administration is seeking to resurrect this unnecessary and invasive program after it has already been shut down. However I am relieved this will be the final five months of Patriot Act mass surveillance... It will take a concerted effort by everyone who cares about Americans' privacy and civil liberties to continue making inroads against government overreach."

So, while the official bulk phone records collection program is ending on November 29, 2015, one could argue that not much has really changed since experts say the telephone companies will perform the phone records collection and archiving instead.

What are your opinions?


State AGs Work To Keep Cities And Towns From Forming Municipal Broadband Networks

Readers of this blog are familiar with the fact that 20 states have laws preventing cities and towns from forming high-speed Internet services. That means, the residents in these locations have fewer rights and freedoms. ProPublica reported how some states are fighting to keep these restrictions in place:

"... the attorneys general in North Carolina and Tennessee have recently filed lawsuits in an attempt to overrule the FCC and block towns in these states from expanding publicly funded Internet service. North Carolina’s attorney general argued in a suit filed last month that the “FCC unlawfully inserted itself between the State and the State’s political subdivisions.” Tennessee’s attorney general filed a similar suit in March. Tennessee has hired one of the country’s largest telecom lobbying and law firms, Wiley Rein, to represent the state in its suit. The firm, founded by a former FCC chairman, has represented AT&T, Verizon and Qwest, among others."

Why some states' attorney generals are doing this:

"... the Tennessee attorney general’s office told ProPublica, “This is a question of the state’s sovereign ability to define the role of its local governmental units.” North Carolina Attorney General’s office said in a statement that the “legal defense of state laws by the Attorney General’s office is a statutory requirement.” As the New York Times detailed last year, state attorneys general have become a major target of corporate lobbyists and contributors including AT&T, Comcast and T-Mobile."

And, money appears to be corrupting the decision process. The North Carolina:

"... Attorney General Roy Cooper received roughly $35,000 from the telecommunications industry in his 2012 run for office. Only the state’s retail industry gave more. The donations are just a small part of contributions the industry has made in the states. In North Carolina’s 2014 elections, the telecommunications industry gave a combined $870,000 to candidates in both parties, which made it one of the top industries to contribute that year. Candidates in Tennessee received nearly $921,000 from AT&T and other industry players in 2014."

Studies have documented that consumers in the USA pay more and get slower speeds than consumers in other countries. Several U.S. Senators introduced the Community Broadband Act to encourage more competition, faster speeds, and lower Internet prices.

If you live in one of these states, tell your elected officials you want more freedoms, not fewer, and better Internet services: faster speeds and lower prices. Tell them you want more competition to make sure you get better services. Tell them you will remember what they do, or fail to do, at the next election.


The EPA Science Advisory Board Reform Act, "Zombie" Bills, And Privacy

In November 2014, the GOP-led House passed HR 1422. At that time, Inhabit summarized the bill and the issues associated with it:

“Bill H.R. 1422, also known as the Science Advisory Board Reform Act, passed 229-191. It was sponsored by Representative Chris Stewart (R-UT), pictured. The bill changes the rules for appointing members to the Science Advisory Board (SAB), which provides scientific advice to the EPA Administrator. Among many other things, it states: “Board members may not participate in advisory activities that directly or indirectly involve review or evaluation of their own work.” This means that a scientist who had published a peer-reviewed paper on a particular topic would not be able to advise the EPA on the findings contained within that paper. That is, the very scientists who know the subject matter best would not be able to discuss it.”

Thankfully, the White House threatened to veto this if passed. I don’t know about you, but I want the stewards at the EPA to have ALL of the facts when making decisions about how best to protect our air, water, and lands. And, peer-reviewed science articles are part of the facts... important facts, too, the EPA should be allowed to consider in its decisions.

There’s more. Proponents claim the bill solves conflict-of-interest concerns, but really doesn’t:

“Director of the Union of Concerned Scientists Andrew A. Rosenberg wrote a letter to House Representatives stating: “This [bill] effectively turns the idea of conflict of interest on its head, with the bizarre presumption that corporate experts with direct financial interests are not conflicted while academics who work on these issues are. Of course, a scientist with expertise on topics the Science Advisory Board addresses likely will have done peer-reviewed studies on that topic...”

Incredible.

For a bill to become law, it must be passed by both the House and Senate with the exact same language. Usually, the Senate proposes its bill version, and negotiations ensue. S 543 is the current Senate version. Some people have claimed that the Inhabit article is misleading. It wasn't. To understand why, one must understand both bill version. Below is the same clause from both bills:

HR 1422S 543
"E) Board members may not participate in advisory activities that directly or indirectly involve review or evaluation of their own work" "E) Board members may not participate in advisory activities that directly or indirectly involve review or evaluation of their own work, unless fully disclosed to the public and the work has been externally peer-reviewed..."

So, S 543 contains better language. The Inhabit article was correct to highlight the faulty language in HR 1422. Senate Bill 543 also contains this:

"To facilitate public participation in the advisory activities of the Board, the Administrator and the Board shall make public all reports and relevant scientific information and shall provide materials to the public at the same time as received by members of the Board."

So, the limitations mentioned in "E" are unnecessary since all studies will be made public. Problem solved, right? Not so fast.

The UCS explained problems in bills repeatedly submitted by House representatives. The UCS calls this proposed legislation, "zombie" bills:

"... anti-science “zombie” bills that House members insist on reintroducing over and over. These bills are written in such a way to appear to be something a science advocacy organization like the Union of Concerned Scientists would support, but upon close examination, it becomes clear that their intent is to prevent the Environmental Protection Agency and other federal agencies from carrying out their duties."

An example of an anti-science "zombie" bill:

"... In a recent hearing on the so-called Secret Science bill, legislators accused the Environmental Protection Agency of “[relying] on studies with data that was not publicly available... The House passed... the Secret Science Reform Act, in mid-March... the bill, sponsored by Rep. Lamar Smith (R-Texas), would prohibit the EPA from implementing a regulation unless it makes public all related data, scientific analyses, materials and models. That’s a big problem, despite the fact that it sounds like a good idea."

The UCS explained why this is a problem:

"Agencies such as the EPA don’t make all this information publicly available for a number of very good reasons. Protecting individuals’ privacy is prime among them. For example, we’re all aware of the laws that protect the privacy of our medical records. The Secret Science bill appears to require the EPA to release such confidential personal health information about the participants in scientific studies if it wants to use health studies to make regulatory decisions—a direct violation of health privacy law. The bill also fails to protect intellectual property rights..."

So, Senate Bill 543 isn't the improvement it pretends to be. Why would legislators write bills that conflict with existing laws? Why would legislators write bills that erodes individuals' medical privacy? The UCS concluded:

"... if [the Secret Science] bill became law, the EPA would not be able to use public health data protected by confidentiality agreements to enact science-based regulations. The result? The EPA would not be able to carry out its mission of protecting public health and the environment. To be clear, there is nothing secret about the science that EPA uses to make decisions. The agency relies on peer-reviewed publications that have been vetted by relevant experts in and outside of the agency... The Secret Science Reform Act is clearly not in the public interest. It’s intended to enable industry to challenge proposed rules with competing analyses, slow the process, and cast doubt."

Senate Bill 543 doesn't seem to be in the public's interest, either. The whole affair still smells like another GOP attempt to neuter and de-claw the EPA, and then claim it is incompetent and unworthy of funding, after stealth efforts to make it that way. What are your opinions of the EPA Science Advisory Board Reform Act?


The California Drought, Money, And Pitchforks

If you haven't read it, there's an interesting article in the Washington Post about how some wealthy residents in California are responding to the state's attempts to protect its residents (and businesses) given an epic -- some might say biblical - drought.

First, some background. Numerous lakes, ponds, and rivers have all dried up or are at historic low levels. You may have seen the before-and-after photographs. As dramatic as the photos are, it must be even more-so in-person. The New Republic published these California drought statistics:

"The scary statistics of California’s drought read like a latter-day version of the 1930s Dust Bowl crisis. Last year was the state’s driest since the start of record-keeping in 1895, and this year is likely to be even drier. The state’s snowpack, the source of roughly one-third of the water used by California cities and farms, is hovering at only about 20 percent of its normal water content. The amount of water in certain crucial reservoirs is lower now than it was in 1977, which was one of the two prior driest years on record. About a month ago, the state announced that 17 rural communities were within 100 days of running out of drinking water, given current patterns of water supply and demand."

Those statistics were more than a year ago -- March, 2014. The drought continued since then. The U.S. Drought Monitor relays the percentages of the state under various drought conditions from "none" to "abnormally dry" to "exceptional drought."The State government has enacted numerous restrictions in response to the drought crisis.

Earlier this month, the Weather Channel reported that researchers determined no slowdown or hiatus with climate change. Global temperature trends are still slowly going upwards. The Pew Research Center published in June 2015 survey results that 68 percent of the public say there is solid evidence the average temperature of the earth is getting warmer, and 46 percent said also say it is a serious problem. 46 percent also say that the warming is caused by human activity. Public opinion is slowly catching up to the fact that 97 percent of scientists say global warming is caused by human activity.

How have residents in one wealthy California town responded to the crisis and the state's plan to start rationing water on July 1? The Washington Post reported:

"Drought or no drought, Steve Yuhas resents the idea that it is somehow shameful to be a water hog. If you can pay for it, he argues, you should get your water. People “should not be forced to live on property with brown lawns, golf on brown courses...” Yuhas fumed recently on social media. “We pay significant property taxes based on where we live,” he added in an interview. “And, no, we’re not all equal when it comes to water.”

Yes, everyone is entitled to their opinions, and many exercise that right on social networking sties. Yuhas is not the only person who feels this way:

"Yuhas lives in the ultra-wealthy enclave of Rancho Santa Fe, a bucolic Southern California hamlet of ranches, gated communities and country clubs that guzzles five times more water per capita than the statewide average. In April, after Gov. Jerry Brown (D) called for a 25 percent reduction in water use, consumption in Rancho Santa Fe went up by 9 percent."

Wow! Water use went up.

For me, this reaction to the drought and crisis highlights the two chief challenges facing humans:

  1. Climate change, and
  2. Ethics

Some people may argue about the order. You may remember the dust-up in Florida earlier this year about climate change, or more precisely: climate change denial. Senior state officials had banned employees in the state's environmental protection agency from using the words "climate change." How one responds to the crisis says a lot about their values and compassion.

Experts predict that the drought will affect all other states, including higher prices for produce and lost jobs. It will affect all taxpayers, too. In its June 16 Drought Update report (Adobe PDF), the California State government reported:

"On June 12, President Barack Obama announced a federal aid package to support farmers and workers suffering from drought, provide food assistance, support water efficiency and conservation, and combat wildfire in California and other drought - stricken Western states. California is expected to receive $18 million from the Department of Labor to provide jobs for works dislocated by the drought and another $7 million from the USDA to support conservation and water system improvements for water utilities and households coping with drought."

Like it or not, we are all connected.

You'd think that given all of this, wealthy folks (who could more easily afford it than others) would invest NOW in water-saving and water-conserving technologies to improve and ensure the (resale) value of
their properties into the future. But, I guess that myopic, denial-based thinking dominates.

Some people insist upon learning the hard way. That myopic thinking will quickly change when a mob of thirsty, angry villagers visit in the middle of the night armed with torches and pitchforks. Then, it'll be too late.

Frankenstein villagers visit


Hydraulic Fracturing, Safety, And America's Future

You've probably seen the television commercial. If not, it features an attractive blonde with a calm, reassuring voice emphasizing America's bright future from hydraulic fracturing (a/k/a "fracking") for oil and gas:

The energy is often contained in shale rock, which must be fractured or broken apart in order to release and access the energy supplies. Many people are concerned about safety and contaminated ground water. If you listen closely to the commercial, it briefly mentions safety:

"... new technologies are safely unlocking vast domestic supplies of oil and natural gas ..."

So, how safe is fracking? Does it threaten ground water? ProPublic investigated and reported:

"A peer-reviewed study published in 2014 found that drinking water wells near fracking sites in Pennsylvania and Texas were contaminated with methane that had the chemical signature of gas normally found only deep underground. Rob Jackson, a Stanford University professor of earth system science who coauthored the 2014 study, told us that drilling that uses hydraulic fracturing has “contaminated ground waters through chemical and wastewater spills, poor well integrity, and other pathways.”

The report emphasized that how one defines the term "fracking" matters when discussing safety:

"Fracking involves injection of a large volume of water, sand and a cocktail of chemicals (known as fracking fluid) deep underground to fracture the rock and allow gas to seep out. It is also used for oil extraction... the term “fracking” is sometimes used to describe the entire process of drilling for natural gas, but that isn’t accurate. After a well is drilled, cemented and prepared in other ways, only then is the well “fracked” — the actual stimulation of rock far beneath the earth’s surface to allow extraction of the gas."

So, it is critical to define fracking as the whole process, not a subset such as only the fracturing of rock:

"... the scientists we interviewed say that it doesn’t make sense to separate fracking from the entire gas and oil production process, and there is ample evidence that the overall process can cause contamination of water supplies. As we noted above, the new DOI rules cover the entire process including fracking, well casings and other activities."

Some of that evidence:

"Among the first studies specifically linking natural gas development and fracking to water quality was a paper published in the Proceedings of the National Academy of Sciences in 2014 that analyzed drinking well water near fracking operations in Texas and Pennsylvania. In that study, which was coauthored by Jackson at Stanford, researchers identified the presence of methane — the primary component of natural gas — in drinking well water near unconventional drilling sites in the Marcellus Shale region in Pennsylvania and the Barnett Shale region in Texas. Using chemical signatures of certain gases, the researchers were able to determine in several cases that the methane was from deep underground — evidence that the drilling operations had caused the contamination. The study found that faulty and leaky wells were likely to blame...”

When you view a commercial or hear a fracking proponent claim that there's no proof that fracking contaminates ground water (e.g., it's safe), you now know otherwise. During an open, honest, and complete conversation about safety everyone defines the terms they use, and hopefully address the entire process. If it's unclear, demand clarification.

In my opinion, to claim something is safe while only addressing part of the process is simply dishonest. Words matter. Definitions matter.

ProPublic also reported:

"Partially in response to [safety] concerns, the Department of the Interior finalized a regulation on March 20 regarding hydraulic fracturing and related activities on public and tribal land. The regulation includes a number of provisions related to fracking and other aspects of natural gas drilling activity. For example, the rule includes “[p]rovisions for ensuring the protection of groundwater supplies by requiring a validation of well integrity and strong cement barriers between the wellbore and water zones through which the wellbore passes.” It has specific requirements for constructing cement casings for wells, and monitoring pressure on certain well parts during fracking operations. And it also requires disclosure of the chemical contents of fracking fluids."

That sounds sensible to me, since the regulation looks at the whole process. Of course, fracking proponents oppose the federal regulations, and want to shift regulations locally to the states:

"Inhofe, a Republican from Oklahoma who chairs the Senate Environment and Public Works Committee, opposes the regulation. He, along with 26 cosponsors, introduced a bill that would specifically put the responsibility for regulating relevant oil and gas operations in the hands of the states rather than the federal government."

That sounds like: if you can't fool all of the people all of the time, then maybe you can fool some of the people. Ground water supplies don't magically stop at state lines or boundaries. Ground water contamination doesn't magically stop at state lines, either.

When I think of fracking and safety, it is important to remember the history of how we got here:

"The federal Energy Policy Act of 2005 contained a provision that has come to be known as the "Halliburton Loophole," an exemption for gas drilling and extraction from requirements in the underground injection control (UIC) program of the Safe Drinking Water Act (SDWA). Other exemptions are also present in the Clean Air Act and Clean Water Act."

So, this law was enacted during the Bush-Cheney administration's tenure. That energy producers pursued these exemptions before starting the current fracking boom speaks volumes. They probably knew that water contamination was likely, and/or that they couldn't safely drill and extract oil and gas. So, too, did compliant politicians.

You can't have a bright future with polluted drinking water and groundwater. Inhofe's proposed legislation should be opposed. Contact your elected officials, and tell them what you think.

What are your opinions of fracking? Should regulations be shifted to only the states?