Blackmoor Vituperative

Tuesday, 2007-05-08

Just how stupid are Federal legislators?

Filed under: Privacy — bblackmoor @ 17:17

Here we go again. Congress has decided it needs to protect us from spyware, but – surprise, surprise – the bill they are most seriously considering actually offers no help in that regard. What’s worse, the bill seems designed to make it harder for you to legally go after those who spy on you, particularly if they are doing so to determine if you’re authorized to use a software product.

Last week a subcommittee of the House Committee on Energy and Commerce approved H.R. 964, the Spy Act, which bans some of the more blatant forms of spyware such as those that hijack computers or log keystrokes. The bill now goes to the full committee for approval, and it’s expected to move quickly as it has strong bipartisan support.

But why? There are already plenty of federal and state laws regarding computer fraud, trespass, and deceptive trade practices that make spyware illegal. The existing laws have been sufficient to allow the FTC and/or state attorneys general to even successfully go after some of the nastier adware companies like Direct Revenue and Zango/180 Solutions. So what is the purpose of this law?

[…]

In other words, it’s perfectly OK for basically any vendor you do business with, or maybe thinks you do business with them for that matter, to use any of the deceptive practices the bill prohibits to load spyware on your computer. The company doesn’t have to give you notice and it can collect whatever information it thinks necessary to make sure there’s no funny business going on. And by the way, another exception provision specifically protects computer manufacturers from any liability for spyware they load on your computer before they send it to you. Of course, the exception for software companies checking to make sure you’re an authorized user is the strongest evidence of what this bill is all about. After all, in terms of function, there’s not much difference between spyware and DRM. Too bad for Sony this bill wasn’t already the law when its rootkit-infected CDs came to light.

[…]

Let’s sum up. If the Spy Act becomes law, hardware, software, and network vendors will be granted carte blanche to use spyware themselves to police their customers’ use of their products and services. Incredibly broad exceptions will probably allow even the worst of the adware outfits to operate with legal cover. State attempts to deal with the spyware problem will be pre-empted and enforcement left up almost entirely to the FTC. Gee, what’s not to like in that deal?

(from InfoWorld, Spy Act Only Protects Vendors and Their DRM)

So here’s my question: just how stupid are Federal legislators? As corrupt as they are, I simply can’t imagine that people in Congress are intentionally making it legal for criminal organizations like Zango and Sony to infect consumers — not just their customers — with malware, rootkits, and so on. But that is exactly what they are doing. So… what the hell is wrong with these people?!?

Want further proof that the Spy Act will do more to protect spyware and adware than it will to stop it? As the Electronic Frontier Foundation’s Fred von Lohmann pointed out in his Deep Links blog, Zango, which is regularly identified by security company Webroot Software as one of the biggest spreaders of adware, came out in recent testimony before Congress in full support of the Spy Act in its current form.

That’s pretty much all I need to know. If a company such as Zango thinks this bill is A-OK, then we might as well start referring to it as the Please Spy Act.

(eWeek, Another Bad Technology Bill)

Further information:

The Spy Act
The EFF’s Fred Lohmann on the Spy Act’s impact

Friday, 2007-05-04

Bush seeks protection for criminals

Filed under: Privacy — bblackmoor @ 11:07

With dozens of lawsuits against phone companies for cooperating with the Bush Administration’s domestic spying operations, such as the Electronic Frontier Foundation’s suit against AT&T, President Bush is now asking Congress to give immunity to the phone companies, The Washington Post reports.

Lots of luck getting that one through a pretty pissed off Democratic Congress.

The proposal states that “no action shall lie . . . in any court, and no penalty . . . shall be imposed . . . against any person” for giving the government information, including customer records, in connection with alleged intelligence activity the attorney general certifies “is, was, would be or would have been” intended to protect the United States from terrorist attack. The measure, which has not yet been filed, is contained in a proposed amendment to the fiscal 2008 intelligence authorization bill.

This little bit of stonewalling comes as the FBI was found to have contracted with phone companies to obtain phone records. Without probable cause to search someone’s records, however, that’s a violation of the Fourth Amendment. So the bureau claimed the requests qualified under the “exigent circumstances” exception to the Fourth. The Supreme Court has interpreted this to mean a danger the suspect will escape or destroy evidence. The Justice Dept. inspector general found that no such circumstances existed; the FBI just plain lied.

“To let them off the hook now sets a dangerous precedent by encouraging them to continue to engage in illegal collaborations with the government in the future,” said Kevin Bankston, staff attorney for the Electronic Frontier Foundation, which last year filed a class-action lawsuit against AT&T for allowing the government to unlawfully monitor U.S. residents.

“The end result is not only will the Bush administration continue to stonewall Congress in its request for information on warrantless wiretapping, but no one who participated will have any threat above their head. You could just face a congressional subpoena and say, ‘I’m sorry, I’m immunized,’ ” the ACLU’s Tim Sparapani said.

Ron Wyden (D-Ore.), a member of the Senate Select Committee on Intelligence, said he wouldn’t support immunity for companies that intentionally broke the law.

(from ZDNet, Bush wants immunity for telcos that assisted in illegal searches)

It’s hard to keep one’s faith in the good intentions of our President when faced with something like this.

Wednesday, 2007-05-02

E-Gold indicted for money laundering

Filed under: Privacy — bblackmoor @ 12:02

E-Gold, what F-Secure calls a “very prominent” digital currency for criminals, has been indicted for money laundering, conspiracy and operating an unlicensed money transmitting business.

According to an indictment, handed down by a Washington federal grand jury and unsealed on April 27, E-Gold is a preferred method of payment by investment scammers, credit card and identity fraudsters, and online sellers of child pornography. E-Gold allegedly conducted funds transfers on behalf of such customers knowing that the funds were the proceeds of unlawful activity, thus violating federal money-laundering statutes.

E-Gold’s digital currency, “E-Gold,” is supposedly backed by physical gold. The company only requires a valid e-mail address to open an account, with no additional verification of contact information. E-Gold accounts can be funded with a number of exchangers to convert national currency into E-Gold. With an open account, users can conduct anonymous transactions worldwide.

[…]

The indictment charges E Gold Ltd., Gold & Silver Reserve, and their owners Dr. Douglas L. Jackson, of Satellite Beach, Fla., Reid A. Jackson, of Melbourne, Fla., and Barry K. Downey, of Woodbine, Md., each with one count of conspiracy to launder monetary instruments, one count of conspiracy to operate an unlicensed money transmitting business, one count of operating an unlicensed money transmitting business under federal law and one count of money transmission without a license under D.C. law.

[…]

The conspiracy charge relating to money transmitting carries a maximum sentence of five years in prison. Operating an unlicensed money transmitting business also carries a maximum sentence of five years in prison. The D.C. Code violation for money transmission without a license carries a maximum sentence of five years. The conspiracy charge relating to money laundering carries a maximum sentence of 20 years in prison.

(from Security Watch, E-Gold E-ndicted for Fronting Child Pornsters, Fraudsters)

This is a shame, but I suppose it shouldn’t be a surprise in this age of universal surveillance. E-Gold didn’t do anything immoral, nor did they defraud anyone. They provided a service. But if you aren’t proactively helping the government spy on your customers, you’re a criminal.

If they knew they were going to get nailed for it, E-Gold should have moved their activities offshore, like the gambling sites did. But if they didn’t know… how could they not know? I mean, really, even as clueless as I am, I would think that they’d at least need to keep client records for IRS purposes, because gold would be considered a capital gain (or loss). And the feds had been investigating them for two years. This couldn’t have come as a surprise. Ah, well.

Tuesday, 2007-04-10

MA puts private information online

Filed under: Privacy — bblackmoor @ 12:25

In a truly incredible display of governmental disregard for personal privacy, Massachusetts Secretary of State William Galvin has refused to take down — or provide any access restrictions — on tens of thousands of personal data records that identify borrowers’ SSNs, bank account numbers, home addresses and phone numbers, The Associated Press reports.

His resistance comes just weeks after he criticized Gov. Deval Patrick for failing to protect voter information on his campaign site.

“It’s totally unacceptable that they are contemplating leaving it up,” said Betty Ostergren, a Virginia-based privacy advocate. “Once they realize it’s a veritable treasure trove, identity thieves will flock to it. They need to shut the links down.”

Galvin refused to shut down the links, saying: “This is standard practice in the business world,” he said. “It’s necessary for commerce. There are people who are reliant upon this system.”

At issue are Uniform Commercial Code filings that borrowers make when they put up collateral to secure a loan. While intended for lenders’ research, the information is freely available to all. The site has no access restrictions.

A quick check on Wednesday by The Associated Press showed names, addresses and other personal information for various Massachusetts residents. In one case, a copy of a woman’s personal check — complete with her name, phone number, address, bank account number and all the account information for a loan with General Motors’ financing arm — was posted.

And Galvin sees nothing hypocritical about criticizing Patrick while displaying all this data on the open net.

“That’s very different from what we’re talking about here,” Galvin said, who was aware of his office’s policy when he criticized Patrick. “The governor’s site is a political committee. Our site is a governmental function. This is an essential part of commerce.”

Complete nonsense, of course. Commerce is not at all restrained by having to enter a password or having the data encrypted so it can only be used by legitimate lenders.

(from ZDNet, MA exposes thousands of private data – and doesn’t plan to stop)

Tuesday, 2007-03-13

AT&T and the Federal government claim case is too secret to be heard by any court

Filed under: Privacy — bblackmoor @ 10:29

AT&T told an appeals court in a written brief Monday that the case against it for allegedly helping the government spy on its customers should be thrown out, because it cannot defend itself — even by showing a signed order from the government — without endangering national security.

A government brief filed simultaneously backed AT&T’s claims and said a lower court judge had exceeded his authority by not dismissing the suit outright.

(from WIRED Blogs, Spying Too Secret For Your Court: AT&T, Gov Tell Ninth)

Ah, there we go: my cynicism is now back in place. I was feeling disoriented for a moment there.

Monday, 2007-02-05

Open your mouth and close your eyes

Filed under: Privacy — bblackmoor @ 13:21

An anonymous reader dropped us a link to this New York Times article about a ‘vast expansion’ of DNA sampling here in the US. A little-noticed rider to the January 2006 renewal of the ‘Violence Against Women Act’ allows government agencies to collect DNA samples from any individual arrested by federal authorities, and from every illegal immigrant held for any length of time by US agents. The goal is to make DNA collection as routine a part of detainment as fingerprinting and photography. Privacy experts and immigrant rights groups are decrying this initiative already. Many are also skeptical of lab throughput, as FBI analysts indicate this may increase intake by as much as a million samples per year. There is already a backlog of 150,000 samples waiting to be entered into the agency’s database.

(from Slashdot, US Set on Expansion of Security DNA Collection)

Wednesday, 2007-01-31

Apple Ordered To Pay Legal Fees For Bloggers

Filed under: Privacy — bblackmoor @ 11:52

A California court made it clear to Apple that if the company wanted to find out who leaked details of an in-development product to bloggers, they’d actually have to do it legally. That lesson cost the company almost $700,000 in legal fee reimbursement.

(from WebProNews, Apple Ordered To Pay Legal Fees For Bloggers)

Tuesday, 2007-01-30

And you thought Carnivore was bad

Filed under: Privacy — bblackmoor @ 12:18

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI’s Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what’s legally permissible.

(from ZDNet, FBI turns to broad new wiretap method)

Thursday, 2007-01-04

Bush pushes envelope on US spying

Filed under: Privacy — bblackmoor @ 20:42

President Bush has quietly claimed sweeping new powers to open Americans’ mail without a judge’s warrant, the Daily News has learned.

The President asserted his new authority when he signed a postal reform bill into law on Dec. 20. Bush then issued a “signing statement” that declared his right to open people’s mail under emergency conditions.

That claim is contrary to existing law and contradicted the bill he had just signed, say experts who have reviewed it.

(from CommonDreams.org, W Pushes Envelope on US Spying)

Jesus Fucking Christ. Are you kidding me? Has this man even READ the U.S. Constitution?

Tuesday, 2006-09-26

Torpark makes anonymous web surfing easy

Filed under: Privacy — bblackmoor @ 14:31

As concerns about Internet privacy (or the lack thereof) continue to increase — and as users worry about the ability of governments, criminals and businesses to spy on their Internet usage — more attention is being given to tools that are designed to help users surf the Web anonymously.

The leading method for anonymous Web surfing is currently the Tor Network (which I discussed recently in my Tech Directions column).

Tor works through a technique called onion routing, which uses numerous routers through which communications will pass. As data passes through points on the Tor Network, each point knows only where the data is going and where it came from. As the network grows, it becomes increasingly difficult to trace a connection’s origin.

eWEEK Labs has been impressed with the functionality of Tor-based tools such as Vidalia, but these tools require full system installs and lack portability.

However, a recently released tool makes it very simple to get up and running quickly with a secure and anonymous Web connection. The free Torpark is a Firefox-based browser that automatically connects to the Tor Network and lets users surf anonymously with a minimum of fuss.

Even more impressive, Torpark, which runs straight from an executable and requires no installation routine, can be run directly from a USB drive. This means users can carry a privacy-enabled browser with them wherever they go. (No data is stored on the drive; only the app itself.)

(from eWeek, Torpark Makes Anonymous Web Surfing Easy)

I wonder how long it will be before this is made illegal and/or made the target of a domestic spying law?
