Crime

Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
Government

As It Searches For Suspects, The FBI May Be Looking At You (technologyreview.com)

schwit1 quotes the MIT Technology Review: The FBI has access to nearly 412 million photos in its facial recognition system—perhaps including the one on your driver's license. But according to a new government watchdog report, the bureau doesn't know how error-prone the system is, or whether it enhances or hinders investigations.

Since 2011, the bureau has quietly been using this system to compare new images, such as those taken from surveillance cameras, against a large set of photos to look for a match. That set of existing images is not limited to the FBI's own database, which includes some 30 million photos. The bureau also has access to face recognition systems used by law enforcement agencies in 16 different states, and it can tap into databases from the Department of State and the Department of Defense. And it is in negotiations with 18 other states to be able to search their databases, too...

Adding to the privacy concerns is another finding in the GAO report: that the FBI has not properly determined how often its system makes errors and has not "taken steps to determine whether face recognition systems used by external partners, such as states and federal agencies, are sufficiently accurate" to support investigations.

The Courts

Federal Court: The Fourth Amendment Does Not Protect Your Home Computer (eff.org)

An anonymous reader writes: The EFF reports that a federal court in Virginia today ruled that a criminal defendant has no "reasonable expectation of privacy" in his personal computer (PDF), located inside his home. The court says the federal government does not need a warrant to hack into an individual's computer. EFF reports: "The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge's decision, which also diminishes the likelihood that it will become reliable precedent.) But the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone's rights."
Security

Comodo Attempting to Register 'Let's Encrypt' Trademarks, And That's Not Right (letsencrypt.org)

Let's Encrypt is a nonprofit aimed at encrypting the entire web. It provides free certificates, and its service is backed by EFF, Mozilla, Cisco, Akamai and others. Despite Let's Encrypt having been around for years, security firm Comodo, which, as of 2015, was the largest issuer of SSL certificates with a 33.6% market share on 6.6% of all web domains, filed for the trademark "Let's Encrypt" last October. The team at Let's Encrypt wrote in a blog post today that they have asked Comodo directly to abandon its "Let's Encrypt" applications, but it has refused to do so. The blog post adds: We've forged relationships with millions of websites and users under the name Let's Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone. We've also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion. By attempting to register trademarks for our name, Comodo is actively attempting to do just that. Update: 06/23 22:25 GMT by M: Comodo's CEO has addressed the issue on the company's forum (screenshot).
The Courts

Court Slams Record Companies in New Vimeo/DMCA Ruling (arstechnica.com)

Remember when Capitol Records sued Vimeo over copyright-violating videos? They just lost in court again, when an Appeals court overruled three lower court decisions. Slashdot reader NewYorkCountryLawyer shares the specifics of the Appeals court's findings: [T]he Copyright Office was dead wrong in concluding that pre-1972 sound recordings aren't covered by the DMCA... the judge was wrong to think that Vimeo employees' merely viewing infringing videos was sufficient evidence of "red flag knowledge"... a few sporadic instances of employees being cavalier about copyright law did not amount to a "policy of willful blindness" on the part of the company. "The decision once again affirms that the DMCA extends immunity to a service provider for the infringement of their customers if the service provider removes material at the request of the right holder," writes Ars Technica.
Databases

FBI Can Access Hundreds of Millions of Face Recognition Photos (eff.org)

An anonymous reader writes from a report via EFF: The federal Government Accountability Office published a report on the FBI's face recognition capabilities that says the FBI has access to hundreds of millions of photos. According to the GAO report, the FBI's Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to the FBI's Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, but it also has access to the State Department's Visa and Passport databases, the Defense Department's biometric database, and the driver's license databases of at least 16 states. This totals 411.9 million images, most of which are Americans and foreigners who have committed no crimes. In May, it was reported that the FBI is keeping information contained in the NGI database private and unavailable. It argues in a proposal that the database should be exempt from the Privacy Act.
Privacy

Thousands of Email Addresses Accidentally Disclosed By Let's Encrypt (letsencrypt.org)

An anonymous reader writes "Let's Encrypt, the certificate authority best known for offering free SSL/TLS certificates, has reported that it accidentally disclosed thousands of user email addresses due to a bug with an automated emailing system." Executive Director Josh Aas posted this announcement: On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email... The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

We take our relationship with our users very seriously and apologize for the error... If you received one of these emails we ask that you not post lists of email addresses publicly.

Google

Google Announces Support of the Controversial TPP (recode.net)

An anonymous reader writes: Google has announced in a blog post Friday their support for the controversial Trans-Pacific Trade Partnership (TPP). Recode reports: "The trade agreement includes key provisions about the global passage of digital data, intellectual property and copyright -- measures that have drawn criticism from both the political right and left, including several outspoken tech groups. Google's endorsement isn't exactly full-throated, but its stake clearly demonstrates another key area of support with the Obama administration, to which Google is close." Google's SVP and general counsel Kent Walker wrote: "The TPP is not perfect, and the trade negotiation process would certainly benefit from greater transparency. We will continue to advocate for process reforms, including the opportunity for all stakeholders to have a meaningful opportunity for input into trade negotiations." The company has already shown support of the TPP behind the Internet Association, which endorsed the trade agreement in March. Google joins a list of other tech titans, like Apple and Microsoft, who have shown their support as well. The Electronic Frontier Foundation calls the TPP a "secretive, multinational trade agreement" that will restrict IP laws and enforce digital policies that "benefit big corporations at the expense of the public." The TPP is still awaiting congressional approval after being signed in February.
Government

NSA Releases New Snowden Documents (vice.com)

An anonymous reader writes: Hundreds of internal NSA documents have been declassified and released to VICE in response to their FOIA lawsuit. They're now sharing them all online, calling it "an extraordinary behind-the-scenes look at the efforts by the NSA, the White House, and US Senator Dianne Feinstein to discredit Snowden [that] call into question aspects of the U.S. government's long-running narrative about Snowden's time at the NSA." The documents officially confirm that Snowden had also worked with the CIA, and show a vigorous internal discussion about how to respond to Snowden's leaks that apparently led the NSA to erroneously assert that Snowden hadn't voiced his objections about the surveillance of U.S. citizens within the NSA before going public.

Living in Russia now, Snowden himself refused to comment on the new releases, with his attorney saying Snowden "believes the NSA is still playing games with selective releases, and [he] therefore chooses not to participate in this effort. He doesn't trust that the intelligence community will operate in good faith."

The EFF is also marking the three-year anniversary of Snowden's leaks, saying they led directly to the first legislation curtailing the NSA's power in over 30 years and changed the way the world perceives government surveillance. Snowden was inspired in part by a desire to keep the internet free, saying in 2014 that "I remember what the Internet was like before it was being watched, and there's never been anything in the history of man that's like it."
Microsoft

EFF Petitioned To Investigate Windows 10 Upgrades (change.org)

An anonymous reader writes: One of the most frustrating things about the ongoing stream of stories about Windows 10 upgrades is that there seems to be no way to hold Microsoft to account. Or perhaps there is: a petition asking the Electronic Frontier Foundation to investigate has now been posted on Change.org.
The petition argues "people are being tricked or forced into upgrading to Windows 10 from their current, preferred version of Windows," and describes Microsoft's actions as "ignorantly unethical at best and malicious at worst."
Electronic Frontier Foundation

FBI Developing Software To Track, Sort People By Their Tattoos (gizmodo.com)

An anonymous reader writes: According to an Electronic Frontier Foundation (EFF) investigation, the FBI is working to create software with government researchers that will allow law enforcement to sort and identify people based on their tattoos. The advanced tattoo recognition technology aims to determine "affiliation to gangs, sub-cultures, religious or ritualistic beliefs, or political ideology" and decipher tattoos that "contain intelligence, messages, meaning and motivation." Such research first originated at the National Institute for Standards and Technology (NIST) in 2014, and used a database of prisoners' tattoos. The technology developed by NIST would "map connections between people with similarly themed tattoos or make inferences about people from their tattoos," the EFF reports. What some may view as even more unnerving is that the EFF investigation claims the researchers disregarded basic ethical government research standards, especially those relating specifically to prisoners. The obtained documents reveal NIST researchers sought permission from supervisors only after they had conducted their initial research. The EFF argues that a database that sorts citizens based on their tattoos may or may not reflect their religious or political beliefs, social affiliations, or interests.
Electronic Frontier Foundation

EFF Warns of Harsher CFAA (eff.org)

An anonymous reader writes: The Computer Fraud and Abuse Act is "vague, draconian, and notoriously out of touch with how we use computers today," warns the EFF. But instead of reforming it, two U.S. Senators "are on a mission to make things worse..." The senators' proposed Botnet Prevention Act of 2016 "could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities," according to the EFF. And the bill would also make it a felony to damage "critical infrastructure," which may include software companies and ISPs (since they're apparently using the Department of Homeland Security's definition).

The harsher penalties would ultimately give prosecutors much more leverage for plea deals. But worst of all, the proposed bill even "empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What's worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims... These changes would only increase -- not alleviate -- the CFAA's harshness, overbreadth, and confusion."

The CFAA was originally written in 1986, and was partly inspired by the 1983 movie "WarGames".
Government

Secret Text In Senate Bill Would Give FBI Warrantless Access To Email Records (theintercept.com)

mi quotes a report from The Intercept: A provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy. [The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill's provisions "would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers." If passed, the change would expand the reach of the FBI's already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs -- most commonly, information about the name, address, and call data associated with a phone number or details about a bank account. The FBI's power to issue NSLs is actually derived from the Electronic Communications Privacy Act -- a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications -- not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. "NSLs have a sordid history. They've been abused in a number of ways, including targeting of journalists and use to collect an essentially unbounded amount of information," Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters' existence to anyone, much less the public.]
Government

New Surveillance System May Let Cops Use All Of The Cameras (engadget.com)

An anonymous reader quotes a report from Wired: [Computer scientists have created a way of letting law enforcement tap any camera that isn't password protected so they can determine where to send help or how to respond to a crime.] The system, which is just a proof of concept, alarms privacy advocates who worry that prudent surveillance could easily lead to government overreach, or worse, unauthorized use. It relies upon two tools developed independently at Purdue. The Visual Analytics Law Enforcement Toolkit superimposes the rate and location of crimes and the location of police surveillance cameras. CAM2 reveals the location and orientation of public network cameras, like the one outside your apartment. You could do the same thing with a search engine like Shodan, but CAM2 makes the job far easier, which is the scary part. Aggregating all these individual feeds makes it potentially much more invasive. [Purdue limits access to registered users, and the terms of service for CAM2 state "you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream." A reasonable step to ensure privacy, but difficult to enforce (though the team promises the system will have strict security if it ever goes online). Beyond the specter of universal government surveillance lies the risk of someone hacking the system.] EFF discovered that anyone could access more than 100 "secure" automated license plate readers last year.
Electronic Frontier Foundation

EFF Confronts World Copyright Committee (eff.org)

The EFF debated delegates on WIPO's Standing Committee on Copyright this week, joking the whole week could be summarized as "proposals for a broadcasting treaty continue to edge forward, while rich countries remain at loggerheads with users and poorer countries about copyright exceptions for education and libraries."

An anonymous reader writes: The EFF continued to push for more rights for libraries, for example to preserve "orphaned" works and to lend works across national borders. But they also report that at an EFF-sponsored side-meeting, one independent recording artist made an interesting suggestion about Mycelia, an open and distributed "verified" database of music metadata that's blockchain-enabled. "Although it remains mostly a vision for now, the widespread adoption of Mycelia-enabled services could, in theory, provide better transparency to artists about how and where their works are being used, as well as enabling many new innovative uses of music, both free and paid." (One audience member even asked whether it could resurrect Napster's model of peer-to-peer music-sharing with a mechanism for artist micropayments.)
Meanwhile, the EFF characterized the music industry's stance as "Blaming online content platforms for the low returns that artists receive, and moves to target them with additional responsibilities or obligations." But they added, "As frustrating as the long-winded discussions at WIPO often are, our ability to participate in them is a key advantage that this multilateral forum has over the secretive, closed-door negotiations over copyright that take place in trade negotiations such as the Trans-Pacific Partnership."
Electronic Frontier Foundation

EFF Announces Certbot Client For Let's Encrypt (eff.org)

Peter Eckersley, the staff technologist for the Electronic Frontier Foundation, writes: EFF has just launched Certbot, which is the next iteration of the Let's Encrypt client. It's a powerful tool for obtaining TLS/SSL certificates from Let's Encrypt, and (if you wish) automatically installing them to enable and tune HTTPS on your website. It's extensible, and supports a rapidly-growing range of server software.
As of last week more than three million certificates had been issued, according to EFF.org, and despite a new name and host, Certbot "will still get certificates from Let's Encrypt and automatically configure HTTPS on your webserver.... We expect OS packages to begin using the Certbot name in the next few weeks as well."
Crime

Prisons Moving To All-Video Visitation (mic.com)

"A new system called 'video visitation' is replacing in-person jail visits with glitchy, expensive Skype-like video calls," reports Tech.Mic. "It's inhumane, dystopian and actually increases in-prison violence -- but god, it makes money."

Slashdot reader gurps_npc writes: In-person costs a lot to administer, while you can charge people to 'visit' via video conferencing. (Charge as in overcharge -- just like they charge up to $14 a minute for normal, audio only telephone calls). This is new, and the few studies that have been done show that doing this increases violence in the prison -- and it's believed to also increase recidivism. But the companies making a ton on it like that -- repeat customers and all. Of course, the service is horrible, often being full of static and dropped calls -- and the company doesn't help you fix the problem.
Meanwhile, the EFF reports that last year Facebook disabled 53 U.S. prisoner and 74 U.K. prisoner accounts at the request of the government, and is urging people to report takedown requests for inmate social media to OnlineCensorship.org.
Advertising

Ask Slashdot: Should I Expect Tracking When Subscribing To News Sites?

Long-time Slashdot reader robot5x writes: I'm a fan of online privacy and, where possible, don't automatically permit cookies and tend to set Ghostery to block all trackers in my browser. This rarely causes a problem -- I have lots of subscriptions to various sites which require me to login and have only rarely encountered minor issues. Recently I had a present of a Slate Plus membership. I really like their content and was keen on supporting it financially. Activating it from the email they sent required me to first register as a user. I clicked on the icon, and nothing happened. Ghostery picked up 7 trackers which I had blocked.

Assuming that one of these was the cause, I activated each in turn and reloaded. None of them made any difference, except a single tracker from JanRain. Accepting this tracker let everything work perfectly. Reading more about JanRain though -- and particularly its interaction with Adobe analytics (which it also tries to load) -- I discovered that they wanted to "create a holistic view of your business by collecting, analyzing and reporting all customer interactions. To derive the most actionable insights, you must link your customers' actions with who they are and what their interests are. Janrain bridges the gap by connecting demographic and psychographic data, collected through traditional and social login, with Adobe's behavioral data, so you understand the whole customer journey".

I do not want them to do any of this, and don't think I should have to. Interactions with Slate's 'support' were excruciating and -- while they at least didn't ask me to restart my computer -- they actually ended up saying that allowing these trackers is tied to their login process and I have to either accept or get a refund.

robot5x asks: Is it unacceptable to have to accept being tracked as a paying customer for news sites? "Or am I just being a big baby?"
Electronic Frontier Foundation

Humble Bundle Announces 'Hacker' Pay-What-You-Want Sale (humblebundle.com)

An anonymous reader writes: Humble Bundle announced a special "pay what you want" sale for four ebooks from No Starch Press, with proceeds going to the Electronic Frontier Foundation (or to the charity of your choice). This "hacker edition" sale includes two relatively new titles from 2015 -- "Automate the Boring Stuff with Python" and Violet Blue's "Smart Girl's Guide to Privacy," as well as "Hacking the Xbox: An Introduction to Reverse Engineering" by Andrew "bunnie" Huang, and "The Linux Command Line".

Hackers who are willing to pay "more than the average" -- currently $14.87 -- can also unlock a set of five more books, which includes "The Maker's Guide to the Zombie Apocalypse: Defend Your Base with Simple Circuits, Arduino, and Raspberry Pi". (This level also includes "Bitcoin for the Befuddled" and "Designing BSD Rootkits: An Introduction to Kernel Hacking".) And at the $15 level -- just 13 cents more -- four additional books are unlocked. "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" is available at this level, as well as "Hacking: The Art of Exploitation" and "Black Hat Python."

Nice to see they've already sold 28,506 bundles, which are DRM-free and available in PDF, EPUB, and MOBI format. (I still remember Slashdot's 2012 interview with Make magazine's Andrew "bunnie" Huang, who Samzenpus described as "one of the most famous hardware and software hackers in the world.")
Security

FBI Director Suggests iPhone Hacking Method May Remain Secret (reuters.com)

An anonymous reader quotes a report from Reuters: FBI Director James Comey said on Tuesday that his agency was still assessing whether a vulnerability used to unlock an iPhone linked to one of the San Bernardino killers would go through a government review to determine if it should be disclosed to Apple or the public. "We are in the midst of trying to sort that out," Comey said. "The threshold (for disclosure) is, are we aware of the vulnerability, or did we just buy a tool and don't have sufficient knowledge of the vulnerability to implicate the process?" The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. Although officials say the process leans toward disclosure, it is not set up to handle or reveal flaws that are discovered and owned by private companies, sources have told Reuters, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.