Engineer says Google fired her for browser pop-up about worker rights

A 2018 walkout to protest Google's handling of sexual misconduct allegations was an early sign of increasing worker assertiveness at the company.

Enlarge / A 2018 walkout to protest Google’s handling of sexual misconduct allegations was an early sign of increasing worker assertiveness at the company.

Another former employee has accused Google of violating federal labor law by firing her for activities related to labor organizing. In a Tuesday blog post, Kathryn Spiers says Google terminated her after she created a browser tool to notify employees of their organizing rights.

It’s the latest sign of tension between Google and portions of its workforce. Last month, Google fired four workers who were involved in workplace organizing. Google said that the employees had violated company policies by accessing documents without authorization. The workers say that these charges were trumped up to justify purging employees who had been effectively organizing Google’s workforce. The National Labor Relations Board is investigating those firings.

Back in September, Google reached a settlement with the NLRB over earlier alleged violations of federal labor law. Under the settlement, Google was required to post a list of employee rights in its Mountain View headquarters.

Spiers says she worked on a Google security team that was focused on how Google employees used Chrome within the company. Part of her job was to “write browser notifications so that my coworkers can be automatically notified of employee guidelines and company policies while they surf the Web.”

So when Google hired a consulting company known for its anti-union work, Spiers wrote a notification that would appear whenever Google employees visited the firm’s website. The notification stated that “Googlers have the right to participate in protected concerted activities.” That’s a legal term of art for worker organizing efforts. It also included a link to the worker rights notification mandated by the NLRB settlement.

Google responded swiftly and harshly, according to Spiers. She was suspended from her job pending an investigation. Spiers writes that Google officials “dragged me into three separate interrogations with very little warning each time. I was interrogated about separate other organizing activities, and asked (eight times) if I had an intention to disrupt the workplace.” She says she wasn’t allowed to consult with a lawyer.

Two weeks later, on December 13, Spiers was fired. She was told that she had violated Google’s policies but couldn’t get more details about which policies she had violated.

The Communications Workers of America, a union active in the telecommunications industry, has filed an NLRB complaint on Spiers’ behalf. The complaint argues that her firing was an “attempt to quell Spiers and other employees from asserting their right to engage in concerted protected activities.”

Update: Google executive Royal Hansen explained Spiers’ firing in an email Google shared with several media outlets.

“She misused a security and privacy tool to create a pop-up that was neither about security nor privacy,” Hansen wrote. “She did that without authorization from her team or the Security and Privacy Policy Notifier team, and without a business justification. And she used an emergency rapid push to do it.”

Hansen argued that the firing had nothing to do with the content of the message. “The decision would have been the same had the pop-up message been on any other subject,” he argued.

Russian media group Rambler attempting to hold Nginx hostage

Stock photo of empty jail cell.

Enlarge / This listing image is slightly hyperbolic—Nginx co-founders Sosoev and Konovalov didn’t do time in jail, they were “just” detained and interrogated at gunpoint in their homes at 7am local time.

Maxim Konovalov and Igor Sysoev—founders and creators of the popular Web server software Nginx—were arrested, detained, and interrogated last Thursday. Sysoev’s former employer, Rambler—Russia’s third-largest Internet company, which occupies a roughly similar position in Russian-language Internet to Yahoo or AOL at their height in the English-speaking world—alleged that it owned the rights to Nginx’s source code, due to Sysoev having originally developed it while an employee at Rambler.

In an interview with Meduza.io—a news site focusing on Russian and former Soviet Union reporting—founder Konovalov decried Rambler’s move as “a typical racket, simple as that,” and he went on to state that no attempt had been made to negotiate with or even notify him or Sysoev before the raid happened. Their first indication of a problem came with the police raids which detained the two, seized IT equipment from them, and interrogated them early that morning. Konovalov described the raid as “professional and polite, if you exclude the fact that special forces agents were standing around with automatic weapons… then there were interrogations. Generally speaking, the questions weren’t particularly interesting or pleasant.”

Konovalov characterized the move as a money-grabbing shakedown from the current leadership at Rambler, inspired by Nginx’s $670 million acquisition by American tech giant F5 Networks approximately six months earlier.

He told Meduza:

Nginx was officially registered in 2011, and it’s now 2019, and in all this time Rambler never raised any issues… there was the deal with F5, the big money became palpable, and then we see the desire to grab a piece of it for themselves. It’s a typical racket. Simple as that.

Konovalov and Sysoev were not even certain what criminal charges were filed against them. But earlier today, Rambler requested the Russian courts to drop the criminal charges and instead turned to civil litigation. This follows Konovalov’s earlier prediction that the criminal charges were merely being used as an excuse to go on a fishing expedition for leverage to use in a civil case. Rambler further claimed it was cutting ties with the “Lynwood” law firm which had filed criminal charges; but this seems likely to be a move for show only, since Lynwood Investments is tied to Alexander Mamut—a Russian billionaire who is co-owner of Rambler itself.

A simple cash grab?

Although Nginx co-founder Konovalov characterizes the move by Rambler as a simple cash grab inspired by Nginx’s $670 million acquisition, the potential ramifications are far wider-reaching than ~42 billion rubles in cold hard cash. A successful, retroactive acquisition of the rights to Nginx would not just give Rambler access to that cash—it would also provide the ability to declare the entire open source license of the Nginx platform invalid.

This would, in turn, open up effectively the entire developed world’s tech industry to shakedowns for licensing fees—both for continued operation, and in theory, retroactively for more than a decade of “unlicensed” usage.

Since the Nginx license was a weak, permissive license—largely akin to the BSD license, requiring nothing but acknowledgement of the original copyright notice in source code and documentation—Nginx has not just proliferated directly as a Web server used on general purpose computers but also as a key embedded component of many other solutions. For instance, Symantec’s Blue Coat appliances, Sophos’ Email Appliances, and Netflix’s Open Connect Appliances all depend on Nginx.

Moving back to “simple” software deployments, UK Internet services company Netcraft lists Nginx as the single-most common Internet-facing Web server on the planet in its Q3 2019 Web server survey, with more than 31 percent of all sites surveyed detected as Nginx. Filtering to only “active” sites seemingly reduces Nginx to the second-most common server, with Apache at 30 percent and Nginx at 20 percent. But this conveniently ignores a whopping 37 percent of “other” results, representing Web servers locked down in production too tightly to be easily classified. Many of those “other” servers will also be Nginx or Nginx derivatives.

As of December 2019, Nginx is even more popular than Apache. Netcraft confirms it.

Enlarge / As of December 2019, Nginx is even more popular than Apache. Netcraft confirms it.

If Russian courts were to grant a civil victory to Rambler and award it ownership of the rights to Nginx, the sweeping impact on the entire global technical industry is difficult even to estimate. A simple self-hosted blog might be able to swap out Nginx for Apache in a few hours. A more complex and heavily optimized site, designed to field a lot of traffic, might get back on its feet nearly as quickly but operate at reduced capacity for a week.

Meanwhile, the industry giants which depend on Nginx include Facebook, Netflix, and WordPress. Add in Cloudflare‘s Content Distribution Network and DDoS protection service, and it becomes easier to discuss what portion of the Internet wouldn’t stop working without Nginx than which ones would.

It seems difficult to believe that this fact is lost on the Rambler executives who initiated this grab. But it also seems difficult to believe that the rest of the world would tolerate it and honor a Russian-court decision with such far-ranging effects. Adding to the already ham-handed obviousness of the grab—which comes more than a decade after Nginx established itself as both a service company and a significant part of the global Internet infrastructure—Igor Ashmanov, a Rambler chief executive from the time Sysoev worked at the company, declared on Facebook that “developing software wasn’t part of [Sysoev’s] job description at all,” and “Rambler [probably can’t] come up with a single piece of paper, never mind a non-existent task to develop a web server.”

This author believes that it would be difficult to find a court outside Russia’s direct control that would issue injunctions based on such a decision which would necessarily bind the entire visible Internet from operation. As dark as politics has become, I believe sanctioning corruption this immediately and obviously visible and damaging to both tech industry giants and everyday citizens—No cat memes today? No pictures of each others’ lunches? Sacrilege!—would represent immediate political suicide no elected official would likely believe they could ignore.

Amazon bans third-party merchants from shipping with FedEx

Amazon's going to need some bigger boxes to ship those Outpost racks next year.

Enlarge / Amazon’s going to need some bigger boxes to ship those Outpost racks next year.

If you’re cramming last-minute Christmas or Hanukkah shopping online ahead of next week’s holidays, and it absolutely, positively has to be there overnight, don’t count on FedEx being the service to get it there for you. Not only is Amazon no longer working with the carrier, but now third-party merchants are banned from using the service, too.

The Wall Street Journal obtained a copy of a message Amazon sent to its third-party vendors Sunday night explaining the prohibition. Starting this week, marketplace vendors offering Prime shipments will not be allowed to use FedEx Ground or Home services. This ban will persist “until the delivery performance of these ship methods improves.”

Third-party retailers accounted for about 58% of Amazon’s retail activity in 2018, company CEO Jeff Bezos said earlier this year, and sold a cumulative $160 billion worth of goods. The vendor marketplace is on track to be at least as large a share of Amazon’s retail business in 2019.

FedEx ended its last domestic contract with Amazon in August in part due to that in-house business. “High-volume shippers such as Amazon “are developing and implementing in-house delivery capabilities and utilizing independent contractors for deliveries, and may be considered competitors,” FedEx wrote in an investor document earlier this year. The company added that Amazon in particular is “investing significant capital to establish a network of hubs, aircraft, and vehicles.”

A FedEx representative told the WSJ that the impact to the shipping firm is “minuscule,” while admitting that Amazon’s directive “limits the options for those small businesses on some of the highest shipping days in history.”

Marketplace sellers selling items marked for Amazon Prime delivery can use UPS services, FedEx’s Express service (which is pricey), or Amazon’s own in-house logistics business (which the company heavily encourages vendors to use). That encouragement is so heavy, in fact, that at least one merchant has complained to Congress that the shipping business should be considered one of Amazon’s many potential antitrust violations.

Controversial sale of .org domain manager faces review at ICANN

A closeup of the letters

ICANN is reviewing the pending sale of the .org domain manager from a nonprofit to a private equity firm and says it could try to block the transfer.

The .org domain is managed by the Public Internet Registry (PIR), which is a subsidiary of the Internet Society, a nonprofit. The Internet Society is trying to sell PIR to private equity firm Ethos Capital.

ICANN (Internet Corporation for Assigned Names and Numbers) said last week that it sent requests for information to PIR in order to determine whether the transfer should be allowed. “ICANN will thoroughly evaluate the responses, and then ICANN has 30 additional days to provide or withhold its consent to the request,” the organization said.

ICANN, which is also a nonprofit, previously told the Financial Times that it “does not have authority over the proposed acquisition,” making it seem like the sale was practically a done deal. But even that earlier statement gave ICANN some wiggle room. ICANN “said its job was simply to ‘assure the continued operation of the .org domain’—implying that it could only stop the sale if the stability and security of the domain-name infrastructure were at risk,” the Financial Times wrote on November 28.

In its newer statement last week, ICANN noted that the .org registry agreement between PIR and ICANN requires PIR to “obtain ICANN’s prior approval before any transaction that would result in a change of control of the registry operator.”

ICANN can raise “reasonable” objection

The registry agreement lets ICANN request transaction details “including information about the party acquiring control, its ultimate parent entity, and whether they meet the ICANN-adopted registry operator criteria (as well as financial resources, and operational and technical capabilities),” ICANN noted. ICANN’s 30-day review period begins after PIR provides those details.

Per the registry agreement, ICANN said it will apply “a standard of reasonableness” when determining whether to allow the change in control over the .org domain. As Domain Name Wire noted in a news story, whether ICANN can block the transfer using that standard “might ultimately have to be determined by the courts.”

The agreement between PIR and ICANN designates PIR as the registry operator for the .org top-level domain. It says that “neither party may assign any of its rights and obligations under this Agreement without the prior written approval of the other party, which approval will not be unreasonably withheld.”

Concern about price hikes, transparency

The pending sale comes a few months after ICANN approved a contract change that eliminates price caps on .org domain names. The sale has raised concerns that Ethos Capital could impose large price hikes.

ICANN says it wants to make the transaction-review process more transparent. But ICANN apparently needs PIR’s permission to publish the request for information and PIR’s responses, and so far PIR has refused a request to make documents public. In last week’s letter to PIR and the Internet Society, ICANN General Counsel and Secretary John Jeffrey urged PIR to make the information public:

As you are well aware, transparency is a cornerstone of ICANN and how ICANN acts to protect the public interest while performing its role. In light of the level of interest in the recently announced acquisition of PIR, both within the ICANN community and more generally, we continue to believe that it is critical that your Request, and the questions and answers in follow up to the Request, and any other related materials, be made public.

While PIR has previously declined our request to publish the Request, we urge you to reconsider. We also think there would be great value for us to publish the questions that you are asked and your answers to those questions. We will of course provide you with the opportunity to redact portions of the documents that you believe contain personally identifiable information before posting and renew that offer here.

As you, [ISOC CEO] Andrew [Sullivan], stated publicly during a webcast meeting in which you participated on 5 December 2019, you are uncomfortable with the lack of transparency. Many of us watching the communications on this transaction are also uncomfortable.

In sum, we again reiterate our belief that it is imperative that you commit to completing this process in an open and transparent manner, starting with publishing the Request and related material, and allowing us to publish our questions to you, and your full responses.

We contacted PIR today and the organization said it isn’t able to comply with the request to make documents public because of confidentiality agreements. PIR told Ars:

PIR is committed to being transparent with ICANN and the Internet community, and PIR is working to answer ICANN’s questions and address why this acquisition will be good for the .org community. But like any company in the middle of an acquisition, and consistent with other changes of control that have been reviewed by ICANN, we are limited in what we can release publicly due to confidential[it]y agreements with other parties and proprietary information involving the transaction.

PIR defends sale

PIR CEO Jon Nevett defended the pending sale in a blog post last week, calling it “the best path for .org’s future.”

“[A] diversified portfolio is much better, and less risky, than relying on one company like Public Interest Registry—in one industry—for nearly all of its funding,” Nevett wrote.

Under the Internet Society’s ownership, PIR has “been in perpetual ‘harvest’ mode, where PIR sends the fruits of our labor to support the amazing work they do,” Nevett continued. “A relationship with Ethos will allow us to invest in .org, enabling us to deliver more to the .org community, and the Internet at-large.”

But critics of the sale want guarantees in writing that the new owner won’t impose big price increases. ICANN’s Noncommercial Stakeholders Group (NCSG) has called on the ICANN board to require public-interest protections in the sale. For example, the NCSG said that before any wholesale price increases, .org domain registrants should be given “six months to renew their domains for periods of up to 20 years at the pre-existing annual rate.”

Ethos Capital should also have to commit to content neutrality with a pledge that it “will not suspend or take away domains based on their publication of political, cultural, social, ethnic, religious, and personal content, even untrue, offensive, indecent, or unethical material, like that protected under the US First Amendment,” the NCSG said.

If Ethos Capital refuses to make those commitments, ICANN should “exercise its right” from the registry agreement to withhold its approval, the NCSG said.

When contacted by Ars, PIR said that its existing agreement with ICANN “requires that PIR provide notification six months in advance of any price increase” and that “PIR under new ownership will honor the terms of that contract.” However, PIR did not commit to accepting the NCSG proposals.

I created my own deepfake—it took two weeks and cost $552

Deepfake technology uses deep neural networks to convincingly replace one face with another in a video. The technology has obvious potential for abuse and is becoming ever more widely accessible. Many good articles have been written about the important social and political implications of this trend.

This isn’t one of those articles. Instead, in classic Ars Technica fashion, I’m going to take a close look at the technology itself: how does deepfake software work? How hard is it to use—and how good are the results?

I thought the best way to answer these questions would be to create a deepfake of my own. My Ars overlords gave me a few days to play around with deepfake software and a $1,000 cloud computing budget. A couple of weeks later, I have my result, which you can see above. I started with a video of Mark Zuckerberg testifying before Congress and replaced his face with that of Lieutenant Commander Data (Brent Spiner) from Star Trek: The Next Generation. Total spent: $552.

The video isn’t perfect. It doesn’t quite capture the full details of Data’s face, and if you look closely you can see some artifacts around the edges.

Still, what’s remarkable is that a neophyte like me can create fairly convincing video so quickly and for so little money. And there’s every reason to think deepfake technology will continue to get better, faster, and cheaper in the coming years.

In this article I’ll take you with me on my deepfake journey. I’ll explain each step required to create a deepfake video. Along the way, I’ll explain how the underlying technology works and explore some of its limitations.

Deepfakes need a lot of computing power and data

We call them deepfakes because they use deep neural networks. Over the last decade, computer scientists have discovered that neural networks become more and more powerful as you add additional layers of neurons (see the first installment of this series for a general introduction to neural networks). But to unlock the full power of these deeper networks, you need a lot of data and a whole lot of computing power.

That’s certainly true of deepfakes. For this project, I rented a virtual machine with four beefy graphics cards. Even with all that horsepower, it took almost a week to train my deepfake model.

I also needed a heap of images of both Mark Zuckerberg and Mr. Data. My final video above is only 38 seconds long, but I needed to gather a lot more footage—of both Zuckberg and Data—for training.

To do this, I downloaded a bunch of videos containing their faces: 14 videos with clips from Star Trek: The Next Generation and nine videos featuring Mark Zuckerberg. My Zuckerberg videos included formal speeches, a couple of television interviews, and even footage of Zuckerberg smoking meat in his backyard.

I loaded all of these clips into iMovie and deleted sections that didn’t contain Zuckerberg or Data’s face. I also cut down longer sequences. Deepfake software doesn’t just need a huge number of images, but it needs a huge number of different images. It needs to see a face from different angles, with different expressions, and in different lighting conditions. An hour-long video of Mark Zuckerberg giving a speech may not provide much more value than a five-minute segment of the same speech, because it just shows the same angles, lighting conditions, and expressions over and over again. So I trimmed several hours of footage down to 9 minutes of Data and 7 minutes of Zuckerberg.

This alleged Bitcoin scam looked a lot like a pyramid scheme

This alleged Bitcoin scam looked a lot like a pyramid scheme

The world of cryptocurrency has no shortage of imaginary investment products. Fake coins. Fake blockchain services. Fake cryptocurrency exchanges. Now five men behind a company called BitClub Network are accused of a $722 million scam that allegedly preyed on victims who thought they were investing in a pool of bitcoin mining equipment.

Federal prosecutors call the case a “high-tech” plot in the “complex world of cryptocurrency.” But it has all the hallmarks of a classic pyramid scheme, albeit with a crypto-centric conceit. Investors were invited to send BitClub Network cash, which would allow the company to buy mining equipment—machines that produce bitcoin through a process called hashing. When those machines were turned on, all would (in theory) enjoy the spoils. The company also allegedly gave rewards to existing investors in exchange for recruiting others to join. According to the complaint, the scheme began in April 2014 and continued until earlier this month.

Matthew Brent Goettsche, Jobadiah Sinclair Weeks, and Silviu Catalin Balaci are accused of conspiracy to commit wire fraud and conspiracy to offer and sell unregistered securities. A fourth defendant, Joseph Frank Abel, faces only the latter charge. Another unnamed defendant remains at large. Balaci’s name was redacted from one public version of the indictment, but appeared on another.

The scheme appears to have started as a relatively modest scam and spiraled dramatically in ambition. Internal messages between the conspirators give the impression of growing glee at the ease of taking advantage of investors, referring to “building this whole model on the backs of idiots.” The men allegedly described their victims as “dumb” investors and “sheep.”

“They were not wrong,” Emin Gun Sirer, the CEO of blockchain startup Ava Labs, quipped on Twitter.

In October 2014, a few months after BitClub Network was founded, Goettsche allegedly posted about the need to “fak[e] it for the first 30 days while we get going,” instructing a co-conspirator to do some “magic” on the company’s revenue numbers. They allegedly agreed on a method of cooking the numbers that would include inconsistencies to make sure they appeared real. The tricks swiftly became more daring. Later, Goettsche allegedly suggested the company “bump up the daily mining earnings starting today by 60%.”

Feds reap data from 1,500 phones in largest reported reverse-location warrant

You're not the only one looking at your phone's location history.

Enlarge / You’re not the only one looking at your phone’s location history.

Federal investigators trying to solve arson cases in Wisconsin have scooped up location history data for about 1,500 phones that happened to be in the area, enhancing concerns about privacy in the mobile Internet era.

Four Milwaukee-area arsons since 2018, as yet unsolved, have resulted in more than $50,000 of property damage as well as the deaths of two dogs, Forbes explains. In an attempt to find the person or persons responsible, officers from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) obtained search warrants to gather data about all the devices in the area at the time.

The two warrants Forbes obtained together covered about nine hours’ worth of activity within 29,400 square meters—an area a smidge larger than an average Milwaukee city block. Google found records for 1,494 devices matching the ATF’s parameters and sent the data along.

While this is far from the first search to demand a wide swath of data in a given geographic location, Forbes notes, this is the highest number of results such a geofenced search has so far produced. Not only is that a whole lot of potentially unrelated data for investigators to sort through, but it’s also possible that the search will prove entirely fruitless, as whoever committed the crimes may not have a phone, may not have brought it with them, or may have brought it with them in airplane mode or powered off.

The big net

The concept behind such a request is straightforward: you can’t track the phone of a suspect you don’t have, but you can start with the time and place the crimes were committed and look to see who was there. With that information in hand, they can drill down, as Forbes explains:

[T]he police give Google a timeframe and an area on Google Maps within which to find every Google user within. Google then looks through its SensorVault database of user locations, taken from devices running the tech giant’s services like Google Maps or anything that requires the “location history” feature be turned on. The police then look through the list, decide which devices are of interest to the investigation and ask for subscriber information that includes more detailed data such as name, email address, when they signed up to Google services and which ones they used.

While the ability to go through data that way might be handy for law enforcement, some privacy experts are not on board. Such a request “shows the unconstitutional nature of reverse location search warrants because they inherently invade the privacy of numerous people, who everyone agrees are unconnected to the crime being investigated, for the mere possibility that it may help identify a suspect,” Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society, told Forbes.

Google told Forbes it tries to protect individual users’ privacy when it receives such a request, saying, “We only produce information that identifies specific users when we are legally required to do so.” The company does have a history of trying to push back on overly broad reverse-location requests, Forbes notes. For example, when federal investigators wanted information on devices in a 400-meter radius around a bank robbery earlier this year, the company convinced them to drop that to a 50-meter radius.

Users who disable Google’s location history features should, in theory, not have data in Google’s SensorVault for the company to pass along to investigators. That said, Google is facing multiple lawsuits, including a potential class-action in the US and a suit by consumer protection regulators in Australia, alleging the company misled users and retained location data even if the setting was turned off.

FCC’s “illogical” claim that broadband isn’t telecommunications faces appeal

The Federal Communications Commission meeting room, with an empty chair in front of the FCC seal and two United States flags.

Enlarge / The Federal Communications Commission seal hangs inside a meeting room at the headquarters ahead of an open commission meeting in Washington, DC, on Thursday, December 14, 2017.
Getty Images | Bloomberg

Mozilla and other organizations today appealed the court ruling that upheld the Federal Communications Commission’s repeal of net neutrality rules, arguing that the FCC’s claim that broadband isn’t telecommunications should not have been accepted by judges.

The FCC repeal was upheld in October by a three-judge panel at the US Court of Appeals for the District of Columbia Circuit. The court had some good news for net neutrality supporters because it vacated the FCC’s attempt to preempt all current and future state net neutrality laws. But Mozilla and others aren’t giving up hope on reinstating the FCC rules nationwide.

The Mozilla petition filed today asks for an en banc rehearing of the case involving all of the DC Circuit judges. Mozilla is probably facing an uphill battle because the three-judge panel unanimously agreed that the FCC can repeal its own net neutrality rules.

Joining Mozilla in the appeal were online companies Etsy and Vimeo, industry lobby group Incompas, and the Ad Hoc Telecom Users Committee, which represents business users of communications services. The case is known as Mozilla v. FCC.

Another appeal was filed today by several advocacy groups, namely New America’s Open Technology Institute, Free Press, Public Knowledge, the Center for Democracy & Technology, the Benton Institute for Broadband & Society, the Computer & Communications Industry Association, and the National Association of State Utility Consumer Advocates. Another appeal was filed by the National Hispanic Media Coalition, and another by Santa Clara County, San Francisco, the California Public Utilities Commission, and the National Association of Regulatory Utilities Commissioners.

Mozilla wrote in a blog post today:

Mozilla’s petition focuses on the FCC’s reclassification of broadband as an information service and on the FCC’s failure to properly address competition and market harm. We explain why we believe the court can in fact overturn the FCC’s new treatment of broadband service despite some of the deciding judges’ belief that Supreme court precedent prevents rejection of what they consider a nonsensical outcome. In addition, we point out that the court should have done more than simply criticize the FCC’s assertion that existing antitrust and consumer protection laws are sufficient to address concerns about market harm without engaging in further analysis. We also note inconsistencies in how the FCC handled evidence of market harm, and the court’s upholding of the FCC’s approach nonetheless.

Judge blasted FCC but upheld repeal

Circuit Judge Patricia Millett, one of the three judges who decided the case, wrote that the FCC’s justification for classifying broadband as an information service instead of a telecommunications service “is unhinged from the realities of modern broadband service.” But the FCC has broad authority to classify offerings as either information services or telecommunications, as long as it provides a reasonable justification for its decision, and judges said they had to leave the net neutrality repeal in place based on US law and Supreme Court precedent.

Obviously, consumer advocacy groups are arguing that judges didn’t have to give the FCC so much deference.

“Although the court came to the right conclusion on some key issues, such as the FCC’s lack of authority to preempt state net neutrality rules, in other ways it gave the FCC the benefit of the doubt too many times,” Public Knowledge Legal Director John Bergmayer wrote today. “While agencies should be given deference where appropriate, they do not have the authority to rewrite the law or come to illogical, results-driven conclusions.”

The FCC argued that broadband isn’t telecommunications because Internet providers also offer DNS (Domain Name System) services and caching as part of the broadband package. Millett wrote that this interpretation “confuse[s] the leash for the dog,” but ruled in the FCC’s favor because of the Supreme Court’s 2005 decision in the Brand X case, which let the FCC classify cable broadband as an information service. Brand X “compels us to affirm as a reasonable option the agency’s reclassification of broadband as an information service based on its provision of Domain Name System (‘DNS’) and caching,” Millett wrote.

Circuit Judge Robert Wilkins agreed with Millett’s assessment. Senior Circuit Judge Stephen Williams didn’t join Millett and Wilkins in this line of criticism, but he joined them in upholding the repeal. Williams wanted to uphold the other big portion of the FCC order, too, as he dissented from a 2-1 decision to vacate the FCC’s preemption of state laws.

The advocacy groups’ petition argued that judges “misconstrued Brand X as precluding any judicial review of the reasonableness of classifying a service that overwhelmingly offers telecommunications as an information service simply because it includes DNS and caching.”

If the court decides not to grant the request for a re-hearing of the case, petitioners could appeal to the Supreme Court.

The FCC could also appeal, since judges ruled against the commission on its attempt to preempt state laws. Today is the deadline for filing appeals at the DC Circuit court, and we’ll update this story if the FCC submits one.

AT&T doesn’t want you to see its slow Internet speed-test results

A computer showing a slow-moving loading bar.

Getty Images | Steven Puetzer

AT&T doesn’t want its home Internet speeds to be measured by the Federal Communications Commission anymore, and it already convinced the FCC to exclude its worst speed-test results from an annual government report.

“AT&T this year told the commission it will no longer cooperate with the FCC’s SamKnows speed test,” The Wall Street Journal wrote in an investigative report titled “Your Internet provider likely juiced its official speed scores.”

AT&T already convinced the FCC to exclude certain DSL test results from last year’s Measuring Broadband America report. The reports are based on the SamKnows testing equipment installed in thousands of homes across the US.

“AT&T was dismayed at its report card from a government test measuring Internet speeds” and thus “pushed the Federal Communications Commission to omit unflattering data on its DSL Internet service from the report,” the Journal wrote.

“In the end, the DSL data was left out of the report released late last year, to the chagrin of some agency officials,” the Journal wrote. “AT&T’s remaining speed tiers notched high marks.”

Pai’s FCC gives less attention to speed tests

The Obama-era FCC began the Measuring Broadband America program in 2011 to compare the actual speeds customers receive to the advertised speeds customers are promised. The FCC released reports annually through 2016, but the testing program has gotten less attention since Ajit Pai became chairman in January 2017.

As we wrote in November 2018, the FCC hadn’t yet released any new Measuring Broadband America reports since Pai became chair. Pai’s FCC in December 2018 finally released both the 2017 and 2018 reports, tucking them into the final appendices of a larger “Communications Marketplace Report.” You can see all the Measuring Broadband America results from over the years at this page.

The 2017 report includes two categories for AT&T, one for its oldest DSL technology and another for its DSL-based IP broadband with speeds of up to 45Mbps. While AT&T’s oldest DSL service only provided 82 percent of advertised download speeds, AT&T IP broadband was over 100 percent. The 2018 report only includes AT&T’s IP broadband category, leaving out the company’s worst results.

Satellite Internet provider ViaSat also “left the FCC’s program” last year, the Journal wrote. ViaSat results were included in the 2018 report, which covers tests from September 2017.

We asked the FCC yesterday if it will include any AT&T and ViaSat test results in future reports, since SamKnows testing equipment could still be in AT&T and ViaSat customer homes, and we asked when the next Measuring Broadband America report will come out. We’ll update this article if we get any answers.

AT&T says its own speed test is better

AT&T defended its decision to drop out of FCC testing when contacted by Ars. “AT&T developed a best-in-class tool to measure its consumer broadband services,” the company said in a statement provided to Ars. “This tool measures performance on all AT&T IP broadband technologies and is more accurate, versatile, and transparent. For these and other reasons, our tool provides better and more useful information to our customers.”

But consumers have less reason to trust a speed-test tool created by AT&T than one created by the FCC. Even with the FCC’s speed tests, AT&T was able to exclude unflattering results. It would be even easier to dump slow speed-test results when AT&T is the one determining which numbers to show the public.

AT&T and the mobile industry’s top lobby group have also argued that carriers shouldn’t have to submit detailed 5G maps to the FCC. Separately, the FCC said this month that Verizon, T-Mobile, and US Cellular exaggerated their 4G coverage in official government filings.

Back in 2011, AT&T touted the FCC’s in-home speed tests as being far more accurate than previous testing methodologies. But the company’s opinion then seems to have been influenced by early test results that AT&T said showed “consumers are getting high-quality broadband services from their ISPs.”

Wave of Ring surveillance camera hacks tied to podcast, report finds

A hand-sized black and white device on a wooden table.

Enlarge / An Amazon Ring security camera on display during an unveiling event on Thursday, Sept. 20, 2018.

A series of creepy Ring camera intrusions, including one where a stranger sang to an 8-year-old child and said he was Santa Claus, may be linked through a forum and associated livestream podcast, a new report finds.

The cluster of hacks, first reported by local media outlets, have become national news in the past few days. In all the cases, some bad actor accessed indoor Ring cameras (not doorbells) and used them to harass, intimidate, or attempt to extort the residents.

One family in Florida suddenly heard racist commentary about their teenage son coming from their Ring camera on Sunday night. On Monday, someone yelled at a couple in Georgia to “wake up.” Another family, in Tennessee, heard a voice taunting their daughter through a camera in their kids’ room on Tuesday. And in Texas yesterday, someone tried to demand a ransom to exit the household camera system, telling the homeowners to pay 50 bitcoin (roughly $360,000).

In all the cases, the residents stopped the intrusions by unplugging or removing the batteries from their devices, successfully cutting off access to them.

In response to the incidents, Ring said it had not suffered any kind of breach or intrusion and urged subscribers not to use account credentials that could have been stolen in one of the thousands of other data breaches that happen in any given year. That’s excellent advice for all services, as far as it goes, as is enabling two-factor authentication on any service that supports it (which Ring does), particularly as cameras have been easy targets for years. In at least one instance, however, the camera owner said her Ring account used a specific passphrase she has not associated with any previous accounts.

Nulled

Cheap tools for accessing Ring illicitly are plentiful and easy to get, reporters for Vice Motherboard found yesterday. The reporters also found a reason so many incidents using those tools are popping up all at once: the NulledCast.

The NulledCast is livestreamed on Discord, Motherboard explains, and it’s connected to the forum (also called Nulled) where the tools for accessing Ring cameras are sold and traded. Motherboard continues:

“Sit back and relax to over 45 minutes of entertainment,” an advertisement for the podcast posted to a hacking forum called Nulled reads. “Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live.”

Motherboard was able to see a message from a now-deleted thread saying, in part, “Hello everyone. As you probably have heard, I was featured on the news for a stunt I pulled,” apparently linked to one of the media reports. The national spotlight is, however, more attention than the Ring hackers apparently wanted to draw. Motherboard found that, since yesterday, posts in the forum relating to Ring hacking have apparently been deleted, as has some content from the Discord server.

As of Wednesday, members of the server insisted that the livestream would be continuing with another installment on Friday. Earlier this afternoon, however, Motherboard reporter Joseph Cox (no relation) said on Twitter that Discord banned the server and all its users. That said, the Internet being what it is, they are likely to pop up somewhere else before long.

988 will be the new 911 for suicide prevention—by sometime in 2021

A lonely person sitting on a bench at night.

The Federal Communications Commission plans to designate 988 as the short dialing code for the United States’ suicide-prevention hotline. Much like 911 for general emergencies, 988 could be dialed by anyone undergoing a mental health crisis and/or considering suicide.

The National Suicide Prevention Lifeline can already be reached at 1-800-273-8255 (or 1-800-273-TALK), but the FCC today gave preliminary approval to a plan that would make 988 redirect to that hotline. The commission’s unanimous vote approved a Notice of Proposed Rulemaking (NPRM) that seeks public comment on the plan.

Once the NPRM is published in the Federal Register, there will be a 60-day period for taking public comments, and the FCC would finalize the plan after considering the public input. It could take another 18 months after that to implement 988 nationwide, depending on what requirements the FCC imposes on phone providers.

The 1-800-273-8255 hotline “provides free and confidential emotional support to people in suicidal crisis or emotional distress 24 hours a day, 7 days a week,” its website says. Callers are connected to one of “163 crisis centers funded by the Department of Health and Human Services’ Substance Abuse and Mental Health Services Administration,” the FCC said. “In 2018, trained Lifeline counselors answered over 2.2 million calls and over 100,000 online chats.”

The 988 proposal was spurred by Congress, which last year passed a law directing the FCC to examine the technical feasibility of designating “a simple, easy-to-remember, 3-digit dialing code” for the hotline.

Before today’s vote, FCC Chairman Ajit Pai said that “988 has an echo of the 911 number we all know as an emergency number, and we believe that this 3-digit number, dedicated for this purpose, will help ease access to crisis services. It’ll reduce the stigma surrounding suicide and mental health conditions. And it’ll ultimately save lives.”

18-month deadline up for debate

The proposal would require all telecommunications carriers and interconnected VoIP providers to support 988 on their networks within 18 months, the FCC said. But the FCC noted that it is “seek[ing] comment on all aspects of implementation, including whether a longer or shorter timeframe would be needed to make 988 a reality.” Based on the comment-period length and proposed implementation time frame, 988 would be implemented nationwide sometime in late 2021.

The FCC’s NPRM explained:

We believe this time frame would provide sufficient time for providers to make any necessary changes to equipment and software and to institute new dialing requirements, if necessary. To begin with, we understand that modern IP switches can already accommodate 988 today or do so with minor software updates. In this regard, we observe that most providers are already actively upgrading their equipment to IP technology given the technological advances in the marketplace and the advanced services that consumers are demanding. Moreover, we believe that 18 months is sufficient time to upgrade the approximately 12 percent of legacy switches that will need such upgrades and we anticipate that the majority of technical upgrades necessary to switches and systems can be done in parallel with other work to implement 988.

FCC Commissioner Jessica Rosenworcel said the public comment period will help the FCC fine-tune details of the plan. “How we implement this matters. So we ask for input on the details to get this done, including just how calls will be routed and how to implement the three-digit code in areas where it is already used at the start of a seven-digit telephone number,” she said.

Russia’s only carrier, damaged in shipyard accident, now on fire

MURMANSK, RUSSIA - DECEMBER 12, 2019: A fire has broken out aboard the Project 11435 aircraft carrier Admiral Kuznetsov of the Russian Northern Fleet. Admiral Kuznetsov is the only aircraft carrier of the Russian Navy. Lev Fedoseyev/TASS

Enlarge / MURMANSK, RUSSIA – DECEMBER 12, 2019: A fire has broken out aboard the Project 11435 aircraft carrier Admiral Kuznetsov of the Russian Northern Fleet. Admiral Kuznetsov is the only aircraft carrier of the Russian Navy. Lev Fedoseyev/TASS
TASS / Lev Fedosev

The Admiral Kuznetsov, Russia’s only aircraft carrier, caught fire today during repairs in Murmansk. While officials of the shipyard said that no shipyard workers were injured, Russia’s TASS news service reports that at least 12 people (likely Kuznetsov sailors) were injured, some critically. In addition, three people, possibly including the third-rank captain in charge of the ship’s repairs, are unaccounted for.

The Kuznetsov has had a long string of bad luck, experiencing fires at sea, oil spills, and landing deck accidents—including a snapped arresting wire that caused a landing Sukhoi Su-33 fighter to roll off the end of the deck and into the ocean. Its boilers belched black smoke during the ship’s transit to Syria in 2016, and it had to be towed back home after breaking down during its return in 2017. Then last year, as it was undergoing repairs in a floating drydock in Murmansk’s Shipyard 82, the drydock sank and a crane on the drydock slammed into the Kuznetsov, leaving a gash in the ship’s hull. It looked like completion of repairs might be put off indefinitely because repair of the drydock would take over a year, and the budget for repairs had been slashed.

The fire was caused when sparks from welding work near one of the ship’s electrical distribution compartments set a cable on fire. The fire spread through the wiring throughout compartments of the lower deck of the ship, eventually involving 120 square meters (1,300 square feet) of the ship’s spaces.

In total, 12 victims were delivered to hospitals, 10 of them were saved during the fire. One is assessed as serious, and one suffered a head injury. Most received poisoning from combustion products, according to a report from TASS.

Shipboard firefighting, even in port, is a grim and hellish undertaking. Lack of ventilation, darkness, and the toxic smoke released by burning electrical wiring, oil, paint, and equipment make fighting fires aboard a ship particularly difficult, requiring frequent relief of those fighting the fires due to the stress and limits on breathing apparatuses. Those who have served in any navy afloat can attest to how terrifying even the thought of a mass conflagration aboard a ship is, even when pier-side.

Senate Judiciary committee interrogates Apple, Facebook about crypto

A serious man in a suit speaks during a senate hearing.

Enlarge / Lindsay Graham doesn’t want people reading his texts. But he’ll make darned sure there are backdoors for law enforcement into encrypted texts and devices, and he will pass a law if he needs to.

In a hearing of the Senate Judiciary Committee yesterday, while their counterparts in the House were busy with articles of impeachment, senators questioned New York District Attorney Cyrus Vance, University of Texas Professor Matt Tait, and experts from Apple and Facebook over the issue of gaining legal access to data in encrypted devices and messages. And committee chairman Sen. Lindsay Graham (R-S.C.) warned the representatives of the tech companies, “You’re gonna find a way to do this or we’re going to do it for you.”

The hearing, entitled “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy,” was very heavy on the public safety with a few passing words about privacy. Graham said that he appreciated “the fact that people cannot hack into my phone, listen to my phone calls, follow the messages, the texts that I receive. I think all of us want devices that protect our privacy.” However, he said, “no American should want a device that is a safe haven for criminality,” citing “encrypted apps that child molesters use” as an example.

“When they get a warrant or court order, I want the government to be able to look and find all relevant information,” Graham declared. “In American law there is no place that’s immune from inquiry if criminality is involved… I’m not about to create a safe haven for criminals where they can plan their misdeeds and store information in a place that law enforcement can never access it.”

Graham and ranking member Sen. Diane Feinstein (D-Calif.)—who referenced throughout the hearing the 2015 San Bernardino mass shooting and the confrontation between Apple and the Federal Bureau of Investigation that resulted from mishandling of the shooter’s county-owned iCloud account by administrators directed by the FBI—closed ranks on the issue.

“Everyone agrees that having the ability to safeguard our personal data is important,” Feinstein said. “At the same time, we’ve seen criminals increasingly use technology, including encryption, in an effort to evade prosecution. We cannot let that happen. It is important that all criminals, whether foreign or domestic, be brought to justice.”

Vance, for his part, called Apple’s and Google’s introduction of device encryption “the single most important challenge to law enforcement over the last 10 years… Apple and Google upended centuries of American jurisprudence.” He cited a human trafficking case he could not get evidence for because of encryption, recounting how the suspect in jail told a cellmate that Apple’s encryption was “a gift from God” to him.

That isn’t how any of this works

Vance has been a frequent and long advocate for federal legislation to ensure legal, extraordinary access to data. “I’m not sure state and local law enforcement are going to be able to bridge the gap with technology without congressional intervention,” Vance told the committee in a response to a question from Sen. Feinstein. Explaining that his office’s lab gets about 1,600 devices a year as part of case evidence, Vance said, “About 82 percent are locked—it was 60 percent four years ago,” he said. “About half of those are Apple devices. Using technology, we’re able to unlock about half of the devices—so there are about 300 to 400 phones [a year] that we can’t access with the technology we have. There are many, many serious cases where we can’t access the device in the time period where it is most important.”

Feinstein then told the other witnesses, “You heard a very prominent district attorney from New York explain what the situation is… I’d like to have your response on what you’re going to do about it. That will determine the degree to which we do something about it.”

Apple Manager of User Privacy Erik Neuenschwander responded that Apple will continue to work with law enforcement, citing the 127,000 requests from law enforcement for assistance Apple’s team—which includes former law enforcement officials—has responded to over the past seven years, in addition to thousands of emergency requests that Apple has responded to usually within 20 minutes. “We’re going to continue to work with law enforcement as we have to find ways through this,” Neuenschwander said. “We have a team of dedicated professionals that is working on a daily basis with law enforcement.”

Feinstein interrupted Neuenschwander: “My understanding is that even a court order won’t convince you to open the device.”

Neuenschwander replied, “I don’t think it’s a matter of convincing or a court order. It’s the fact that we don’t have the capability today to give the data off the device to law enforcement.” There had been conversations about making changes to fix that, Neuenschwander said, “But ultimately we believe strong encryption makes us all safer, and we haven’t found a way to provide access to users’ devices that wouldn’t weaken security for everyone.”

Vance said in response that Apple should re-engineer its phones to allow access. “What they created, they can fix,” he said.

Lawsuit forces CenturyLink to stop charging “Internet Cost Recovery Fee”

A white truck with a CenturyLink logo is parked next to a building.

Enlarge / A CenturyLink repair truck in Estes Park, Colorado, in 2018.

CenturyLink has agreed to pay a $6.1 million penalty after Washington state regulators found that the company failed to disclose fees that raised actual prices well above the advertised rates. CenturyLink must also stop charging a so-called “Internet Cost Recovery Fee” in the state, although customers may end up paying the fee until their contracts expire unless they take action to switch plans.

“CenturyLink deceived consumers by telling them they would pay one price and then charging them more,” Washington Attorney General Bob Ferguson said in an announcement yesterday. “Companies must clearly disclose all added fees and charges to Washingtonians.”

Ferguson encouraged Washington residents “who believe they have received bills that include undisclosed fees to file a complaint” with the state.

Ferguson’s office said it began investigating CenturyLink in 2016 “after receiving complaints from consumers that their actual bills were more than the advertised price, or the price that they were promised by sales representatives.”

Here’s what Ferguson’s office found:

There were three main fees CenturyLink did not disclose: a broadcast fee of $2.49 per month, a sports fee of $2.49 per month, and CenturyLink’s “Internet Cost Recovery Fee,” ranging from $0.99 to $1.99 per month.

CenturyLink charged its Internet Cost Recovery Fee to 650,000 Washingtonians. Of those, another 60,000 were also charged the broadcast and sports fees. These fees alone added up to $7 per month to a television subscriber’s bill—$84 per year.

The investigation found that CenturyLink did not adequately disclose additional taxes and fees for its cable, Internet and telephone services.

CenturyLink admitted no wrongdoing but agreed to a financial settlement and changes in business practices as part of a consent decree filed in King County Superior Court on Monday. The attorney general’s office detailed its allegations in a lawsuit filed the same day.

Internet Cost Recovery Fee

The attorney general’s office said that “CenturyLink is required to… stop charging its Internet Cost Recovery Fee” in Washington state. CenturyLink says the fee “helps defray costs associated with building and maintaining CenturyLink’s High-Speed Internet broadband network, as well as the costs of expanding network capacity to support the continued increase in customers’ average broadband consumption.” In other words, the fee covers the company’s normal costs of doing business but is excluded from advertised rates in order to make CenturyLink’s service sound cheaper than it really is. CenturyLink has been charging $1.99 for the Internet Cost Recovery Fee in Washington and continues to charge an Internet Cost Recovery Fee of $3.99 per Internet connection in other states.

There are circumstances in which CenturyLink can continue charging the fee in the Evergreen State until the end of customers’ contracts, but the company must give everyone a chance to opt out of the fee. It would be easier for customers if CenturyLink simply had to eliminate the fee immediately for everyone, regardless of their contract status, but the settlement between Washington and CenturyLink isn’t that simple.

“Within 90 days of the effective date of this consent decree, CenturyLink shall not charge any new Washington consumers for any Internet Cost Recovery Fee or Broadband Cost Recovery Fee,” the consent decree said. Also within 90 days, CenturyLink must notify current Washington customers that they can cancel service without paying an early termination fee or switch to another plan that doesn’t include the Internet Cost Recovery Fee.

If customers who are under contract do not cancel service or switch plans within 30 days of receiving that notice, “these consumers will continue to be charged the Internet or Broadband Cost Recovery Fee through the expiration of their Internet service plans,” the consent decree said.

To settle the case, CenturyLink must also “disclose the actual price of its services, including charges and fees” in sales materials and advertising, provide order confirmations with complete bill summaries to customers “within three days after consumers order services from CenturyLink,” and “honor any and all incentives and discounts promised to consumers.” Like the promise to stop charging the Internet Cost Recovery Fee, these requirements only apply in Washington state.

To ensure that CenturyLink lives up to its commitment, the company must retain all sales call recordings and correspondence related to sales calls and submit compliance reports to the attorney general’s office after one year and again after three years.

New YouTube policy tries to ban “implied” threats, “malicious” insults

An illustration of YouTube's logo behind barbed wire.

Enlarge / Photoshopped image of YouTube logo behind a barbed-wire fence.

YouTube has for a long time been used as a platform for bad actors to launch massive campaigns of targeted harassment against individuals. After years of professing an inability to act and reduce such behavior, YouTube is finally updating its policies to reflect the ways bad actors actually tend to behave, and the site is promising to increase consequences against harassers.

Content that “maliciously insults” someone based on their membership in a legally protected class, such as race, gender, or sexual orientation, is now against the rules, YouTube said in a blog post today. “Veiled or implied” threats, of the sort that tend to rile up an online mob to go harass someone, are also now prohibited.

“Something we’ve heard from our creators is that harassment sometimes takes the shape of a pattern of repeated behavior across multiple videos or comments,” YouTube added, catching up to what targets of coordinated online abuse campaigns have been saying for the better part of a decade. As such, the pattern of behavior will now be something the platform takes into account.

Accounts that repeatedly “brush up against” YouTube’s new and improved harassment policy may face financial harm for doing so, the company now says:

We’re tightening our policies for the YouTube Partner Program (YPP) to get even tougher on those who engage in harassing behavior and to ensure we reward only trusted creators. Channels that repeatedly brush up against our harassment policy will be suspended from YPP, eliminating their ability to make money on YouTube. We may also remove content from channels if they repeatedly harass someone.

Why now?

The change was spurred in part by pushback to YouTube’s handling of a harassment campaign against journalist Carlos Maza earlier this year. Maza, who is Latino and openly gay, became a target of conservative personality Steven Crowder, who repeatedly hurled homophobic and racist invectives against Maza in the videos shared with his millions of subscribers.

YouTube investigated the reports against Crowder. On June 4, the company told Maza in a series of tweets that while Crowder’s behavior was “hurtful,” it did not violate YouTube’s policies. One day later, after widespread negative reactions to that statement, YouTube amended its stance and demonetized Crowder, prohibiting him from selling ads on his YouTube videos.

At the same time, YouTube updated its hate speech policy to ban neo-Nazi material and similar white supremacist content. That policy update also prohibited “truther”-style denialist content, such as videos claiming the Holocaust or the 2012 mass shooting at Sandy Hook Elementary School never happened.

That update, however, had an extremely rocky rollout. As soon as the policy launched, a journalist who makes documentary films chronicling hate movements had content removed from YouTube, and his channel was demonetized.

Equally applied?

YouTube said in its statement that the new rules apply to everyone, “from private individuals, to YouTube creators, to public officials.” Whether that actually translates into practice, however, is anyone’s guess.

Historically speaking, YouTube has not been great about applying its already existing policies evenly across the board. Content moderators working on behalf of YouTube have reported the company deliberately exempts certain high-profile creators from enforcement. But the problem goes well beyond high-profile YouTube “influencers.” If anything trips the company up, it’s likely to be that claim that “public officials” are also subject to its policies.

Other social media platforms, including Facebook and Twitter, are having a hard time enforcing rules against inflammatory, racist, threatening, or otherwise policy-breaking content on their sites when it comes from politicians, especially but not exclusively US President Donald Trump.

Trump’s political rallies, during which he often makes disparaging remarks about a person or group of people, are livestreamed on YouTube, as are other videos in which he does something that would theoretically break YouTube’s new terms of service—such as mocking a reporter with a disability. One wonders what, if anything, YouTube will do about videos of this type, which Facebook’s and Twitter’s policies would leave in place.

Maze ransomware was behind Pensacola “cyber event,” Florida officials say

Pensacola was hit by Maze ransomware, which has apparently stolen data before encrypting it in other cases.

Enlarge / Pensacola was hit by Maze ransomware, which has apparently stolen data before encrypting it in other cases.
Paul Harris / Getty Images

An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that struck the city of Pensacola on December 7 was the same malware used in an attack against the private security firm Allied Universal, according to a report by the Pensacola News Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been distributed via spam email campaigns in Italy.

Bleeping Computer’s Lawrence Abrams reported in November that the Maze operators had contacted him after the Allied Universal attack, claiming to have stolen files from the company before encrypting them on the victims’ computers. After Allied apparently missed the deadline for payment of the ransom on the files, the ransomware operators published 700 megabytes of files from Allied and demanded 300 Bitcoins (approximately $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims’ files to use as further leverage to get them to pay:

It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT, the data is not interesting for us.

Stealing data as proof of compromise—and to therefore encourage payment by ransomware victims—is rare but not new. The RobbinHood ransomware operator that attacked Baltimore City in May also stole files as part of the attack and posted screenshots of some files—faxed documents sent to Baltimore City Hall’s fax server—on a Twitter account to encourage city officials to pay. Baltimore did not pay the ransom.

Theft of data opens up another problem for targets of ransomware who in the past would pay quietly to decrypt their data, as it introduces the possibility that they will have to report the breach to customers and government regulators. So in some cases, it may ironically remove some of the motivation for victims to pay, since their data may be sold off by the attackers whether they pay or not.

The use of the data to blackmail the victim, and in Allied’s case, the threat to use Allied’s certificates and domain name to spam customers with additional ransomware attacks, is something new.”This is fhe first time this has ever happened, as far as we know,” said Brett Callow, a spokesperson for the antivirus software vendor Emisoft.” Ransomware groups usually encrypt, not steal. We expect data exfiltration to become more and more commonplace. Whether Pensacola’s data was exfiltrated, I obviously can’t say.”

“Broad targeted” attacks

Maze, Ryuk, and other ransomware attacks against government agencies and companies have moved increasingly toward what Raytheon Cyber Services Senior Manager Dylan Owen referred to as a “broad targeted” attack—while they rely on spam for the initial breach, the attackers “are poking around figuring out who they breached” before they launch the attack.

“They don’t necessarily target a specific agency,” Owen told Ars. “The attackers have often either gotten a list of emails from another source, or they “have programs that randomly try emails, or combinations of username, first name/last name, middle initial, all different kinds of combinations,” he explained. “They might do a little bit of research if they were going for a particular type of organization, but usually they’re very broad-based… then once they get a beacon back saying, ‘Hey, somebody clicked on my link’, they go and figure out who it was.” And if the click came from a larger organization rich in targets, Owen said, they go forward.

State and local agencies have been particularly vulnerable to these sorts of attacks because of the economics of their IT operations. “They’re dependent on the funding through taxes or whatever, and that money can only go so far,” Owen noted. “They also have a preponderance of older IT systems because of the lack of funding over the years. So it’s something that’s built upon itself. A lot of them also have proprietary software, so it’s not commercial, off the shelf—they hired somebody to create some special code, and that code may not run on newer operating systems. So now they have older operating systems that are harder to patch.”

On top of that, many state and local agencies haven’t done the work of segregating those vulnerable systems and putting additional defenses around them to reduce the risk posed by legacy systems, Owen explained. But he said that’s starting to change. “I know with Louisiana particularly, the governor had said that cyber security is going to be a really big focus for 2020,” he said. “They put a lot of money in it in 2019.” And while Louisiana had to take the drastic step of cutting off many services during the recent Ryuk attack, it was effective in stopping the spread of the attack.

Failed plot to steal domain name at gunpoint brings 14-year prison term

A man holding a gun, seen in a dark office.

An Iowa man who plotted to steal an Internet domain name at gunpoint was sentenced to 14 years in federal prison yesterday.

Rossi Lorathio Adams II, a former Iowa State University student who ran a social-media platform featuring “images and videos of young adults engaged in crude behavior, drunkenness, and nudity,” repeatedly tried to buy the “doitforstate.com” domain name from a resident of Cedar Rapids. But Adams refused to pay the domain-name owner’s $20,000 asking price—and then things got weird.

“In June 2017, Adams enlisted his cousin, Sherman Hopkins Jr., to break into the domain owner’s home and force him at gunpoint to transfer doitforstate.com to Adams,” a Department of Justice press release said. Hopkins was previously sentenced to 20 years in prison as part of a plea agreement. More details are in the government’s trial brief.

Adams’ social-media venture was called “State Snaps” and had more than 1 million followers on Snapchat, Instagram, and Twitter, the DOJ press release said. The phrase “Do It For State!” was commonly used on the State Snaps platform, which explains why Adams wanted the doitforstate.com domain name.

The DOJ described Adams as a “social media influencer.” Adams told law enforcement that “he used to own the doitforstate.com domain name” before the victim did, according to the trial brief. The victim registered the domain name on GoDaddy sometime after Adams lost control of it. Adams allegedly began pressuring the victim to sell the domain name to him in June 2015.

Robbery ends in gunshots

In June 2017, Adams drove Hopkins to the domain-name owner’s house “and provided Hopkins with a demand note, which contained instructions for transferring the domain to Adams’ GoDaddy account,” the DOJ said. The heist didn’t go as planned, and both the domain-name owner and Hopkins ended up suffering gunshot wounds.

Here’s how the DOJ described the incident:

When Hopkins entered the victim’s home in Cedar Rapids, he was carrying a cellular telephone, a stolen gun, [and] a taser, and he was wearing a hat, pantyhose on his head, and dark sunglasses on his face.

The victim was upstairs and heard Hopkins enter the home. From the top of a staircase, the victim saw Hopkins with the gun on the first floor. Hopkins shouted at the victim, who then ran into an upstairs bedroom and shut the door, leaning up against the door to stop Hopkins from entering.

Hopkins went upstairs, kicked the door open, grabbed the victim by the arm and demanded to know where he kept his computer. When the victim told Hopkins that he kept his computer in his home office, Hopkins forcibly moved the victim to the office. Hopkins ordered the victim to turn on his computer and connect to the Internet. Hopkins pulled out Adams’ demand note, which contained a series of directions on how to change an Internet domain name from the domain owner’s GoDaddy account to one of Adams’ GoDaddy accounts.

Hopkins put the firearm against the victim’s head and ordered him to follow the directions on the demand note. Hopkins then pistol whipped the victim several times in the head. Fearing for his life, the victim quickly turned to move the gun away from his head. The victim then managed to gain control of the gun, but during the struggle, he was shot in the leg. The victim shot Hopkins multiple times in the chest. He then contacted law enforcement.

Hopkins also tased the victim in the “left arm, back, and neck,” the trial brief said. Even as the victim was trying to finish the domain-name transfer on the GoDaddy website, Hopkins “cocked the firearm and stated, ‘If this isn’t right I’m going to blow your fucking head off!'” the trial brief said. That’s when the victim fought back and wrestled the gun away from Hopkins. The domain-name transfer apparently wasn’t completed.

Adams was convicted in April by a jury in US District Court for the Northern District of Iowa. In addition to his 14-year sentence, Adams was “ordered to make nearly $9,000 in restitution” and pay for court costs of nearly $26,000. “Adams had court-appointed counsel during trial, but the court later discovered Adams was earning significant amounts of money while the case was pending,” the press release said.

Pensacola confirms ransomware attack but provides few details

A decommissioned fighter jet is held up by a metal beam over a highway rest stop.

Enlarge / Pensacola, home of the Navy’s flight school and a cyberwarfare training center, was still reeling from a mass shooting at the Naval Air Station when ransomware hit the city’s network.

On December 7—less than a day after a mass shooting at Naval Air Station Pensacola—the city of Pensacola, Florida, was hit by what was originally described as a generic “cyber incident.” A city spokesperson has since confirmed that ransomware had struck a number of the city’s servers, taking down phones, email, electronic “311” service requests, and electronic payment systems.

With a population of 52,500 people, Pensacola is in Florida’s Gulf Coast “panhandle.”  In addition to being the home of the US Navy’s pilot training center, Pensacola is also, perhaps ironically, home of one of the training centers for the Navy’s Information Warfare Training Command.

Pensacola public information spokesperson Kacee Lagarde said in a statement that the Pearl Harbor Day ransomware attack began in the early morning. Lagarde said:

As a result of the incident, Technology Resources staff disconnected computers from the city’s network until the issue can be resolved… The City of Pensacola has remained operational throughout the incident, but some services have been impacted while the network is disconnected, including City emails, some city landlines, 311 customer service (311 can receive calls, but online services are not available) [and] online bill payments including Pensacola Energy and City of Pensacola Sanitation Services. Emergency dispatch services and 911 were not impacted and continue to operate normally.

The attack’s timing appears to be coincidental and not related to the killing of three sailors by a Saudi Air Force officer on December 6. And it follows the pattern of a number of recent Ryuk-based ransomware attacks on other state and local agencies.

Ars reached out to Pensacola officials for more details on the attack but received no response—possibly because the city has just begun to restore email service to city workers with mobile devices.

A Pensacola city-government Facebook update on the ransomware attack.

Enlarge / A Pensacola city-government Facebook update on the ransomware attack.

Backup on the bayou

Meanwhile, Louisiana officials claim to have largely shrugged off last month’s Ryuk ransomware attack. In a statement to Ars, Jacques Berry, director of policy and communication for Louisiana’s Division of Administration, characterized the ransomware as an “abject failure” because there was no “major data loss or compromised information or irrecoverable applications—none of these happened.” Berry insisted that sources who spoke to Ars “have incorrect, misleading, or conflicting information. I would strongly caution you against trusting information that doesn’t come from me or an interview arranged by me.”

The staff of Louisiana’s Office of Technology Services spent the week after the attack “laboring 24/7,” Berry said, “and scaling back only somewhat since then… They implemented a plan with a specific order of priority and continue their efforts as final service restorations are completed in the most urgent but accurate manner possible.”

Medicaid records affected were limited to “program files from the Medicaid office,” Berry said, and the state’s new LaMEDS (Louisiana Medicaid Enrollment System) was not affected. Additionally, he said, no Medicaid recipient’s personal information was in the affected data. Other reported data outages were due to network shutdowns and not data loss, Berry explained.

Uploaded Ring footage reportedly provides location to the square inch

A Ring camera doorbell.

Enlarge / A Ring camera doorbell.

Amazon’s aggressive push to grow its surveillance-camera company Ring is working, and adoption has skyrocketed in the past two years thanks to deals with hundreds of police departments. A new set of reports highlights the ways Amazon convinces police to join those partnerships—and the amount of data that users can inadvertently reveal.

Integral to the Ring system is an app called Neighbors, kind of like an over-eager NextDoor with everything except the crime stripped out. Neighbors generates a map of your local area, based on your address, and then populates it with crime reports. Those reports include comments from other Neighbors users, as well as reports of burglaries, vehicle break-ins or theft, shots fired or shootings, stabbings, hostages taken, and arson imported from real-time 911 dispatcher data.

Anyone can install the app and create an account, but owners of Ring devices can also upload video snippets to the service, either when they have something they want to share or when police request it using the companion portal for law enforcement. Gizmodo this week published a new report delving into video data available on Neighbors to identify precisely how many Ring cameras are deployed, and where.

Too many to count

Gizmodo conducted its analysis in November, using videos posted to Neighbors in the previous 500 days—since right around July 1, 2018, give or take. The report managed to grab the precise locations of about 20,000 Ring cameras in nine-square-mile zones of 15 different US cities. Gizmodo adds that the reporters don’t actually know how many camera locations they could have obtained, because they stopped collecting the data once they had enough information to generate their report.

In a location selected at random in Washington, DC, for example, Gizmodo was able to identify at least 1,863 unique Ring cameras that had uploaded video to Neighbors during the 500-day window. In their 9-square-mile sample of Los Angeles, they found at least 5,016 Ring cameras; in Denver, 1,788.

Gizmodo writes:

Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground.

Many of those coordinates were indeed right in front of someone’s house, a few feet away from the location of the camera. Some were near intersections; the farthest Gizmodo identified was about 260 feet. However, they note, backtracking to find the camera that captured footage is “trivial” in person, when armed with the video and the coordinates, and reporters basically drove or walked up to people’s houses to prove it.

Ring did not refute Gizmodo’s location findings, the site reports. Instead, the company said, “Only content that a Neighbors user chooses to share on the Neighbors App is publicly accessible through the Neighbors App or by your local law enforcement.”

Gizmodo also spoke with a researcher at the Massachusetts Institute of Technology who has used several years’ worth of video posted to Neighbors to make a similar map. He has so far pinpointed the locations of about 440,000 Ring cameras.

Ring did not refute that it was possible for anyone, armed with the data Gizmodo acquired, to pinpoint the exact locations of users’ homes. Instead, the company reiterated that “Only content that a Neighbors user chooses to share on the Neighbors App is publicly accessible through the Neighbors App or by your local law enforcement.”

What privacy?

When neighborhoods are blanketed with surveillance cameras, the privacy implications are profound. And because these cameras belong to individuals, there are few if any restrictions on what footage can be captured or used.

In Washington, DC, for example, Gizmodo notes that at least 13 active Ring cameras line the path between one public charter school for grades 6-12 and the soccer field its students use. Gizmodo also found several dozen instances of DC residents using Neighbors to share videos of children. Some of the kids in question were reportedly doing such activities as riding bicycles and taking selfies. Not exactly striking threats to public safety—but in a densely urban environment such as the District of Columbia, perhaps the homeowners simply did not have lawns to tell the kids to get off of.

Security and surveillance experts voiced concerns to Gizmodo that such a web of cameras could easily track individuals going into or out of “sensitive buildings.” So the reporters looked and did indeed find at least one health clinic that provides abortion services within “unnerving proximity” to some Ring cameras, as well as a legal office handling immigration and refugee cases. Having footage showing individuals going to those sorts of facilities uploaded to a platform like Neighbors and becoming widespread could actually put individuals’ lives in danger.

Amazon: Trump used “improper pressure” to block AWS from DOD cloud contract

The JEDI contract is central to DOD's efforts to rapidly adopt cloud technology. But the winner-take-all contract offer has been controversial from the start—and now Amazon claims President Trump put a whole lot more than a finger on the scales to ensure AWS lost.

Enlarge / The JEDI contract is central to DOD’s efforts to rapidly adopt cloud technology. But the winner-take-all contract offer has been controversial from the start—and now Amazon claims President Trump put a whole lot more than a finger on the scales to ensure AWS lost.
Department of Defense

In a redacted filing released today by the US Federal Court of Claims, attorneys for Amazon asserted that Amazon Web Service’s loss of the Department of Defense Joint Enterprise Defense Infrastructure (JEDI) cloud computing contract to Microsoft’s Azure was the result of “improper pressure from President Donald J. Trump, who launched repeated public and behind-the-scenes attacks to steer the JEDI Contract away from AWS to harm his perceived political enemy—Jeffrey P. Bezos, founder and CEO of AWS’ parent company, Amazon.com, Inc. (“Amazon”), and owner of the Washington Post.”

The suit cites Trump’s instructions to former Secretary of Defense James Mattis to “screw Amazon” out of the contract, as recounted by Mattis’ former chief speechwriter, and numerous other incidents of direct interference by Trump in the contract competition, including ordering an “independent” review of the contract by Defense Secretary Mark Esper in August of 2019.

JEDI was awarded to Microsoft in October. The $10 billion contract is for a DOD-wide enterprise Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service(PaaS) program providing compute and storage services—including delivering them to the “tactical edge,” giving troops in the field access to critical data. The initial expenditure, scheduled for the first year of the contract, would be just $1 million—but it would be followed by a base two-year ordering period and up to eight years of optional extensions out to 2029, with a capped value of $10 billion.

Because of the scale of the contract, AWS was long assumed to be the front-runner—AWS already provides the DOD with cloud services and other government agencies that meet most of the security requirements set out by the JEDI contract. But Microsoft’s Azure was also a strong contender, and the DOD’s internal cloud capabilities (provided by the Defense Information Systems Agency) have relied heavily on Microsoft technology. And Amazon’s attorneys claim that after Trump injected himself into the procurement discussion, the DOD “took numerous actions to systematically remove the advantages of AWS’ technological and experiential superiority and artificially level the playing field between AWS and its competitors, including Microsoft.”

The filing cites as an example the DOD’s decision in mid-2018 to not evaluate past performance as part of the competition in violation of Federal Acquisition Regulation (FAR) requirements—when “only AWS possessed [past performance] with regard to a contract remotely comparable to the size and complexity of JEDI.”

“These errors, however, were not merely the result of arbitrary and capricious decision making,” the filing states. “DoD’s substantial and pervasive errors are hard to understand and impossible to assess separate and apart from the President’s repeatedly expressed determination to, in the words of the President himself, ‘screw Amazon.'” As a result, Amazon’s attorneys asserted, “Basic justice requires reevaluation of proposals and a new award decision,” and the court should decide “whether the President of the United States should be allowed to use the budget of DoD to pursue his own personal and political ends.”

Verizon reportedly blocks archivists from Yahoo Groups days before deletion

Screenshot of the Yahoo Groups home page, showing a collection of people jumping in the air and a message that says,

Enlarge / The Yahoo Groups home page (for now).

An ad-hoc group scrambling to archive as much content as possible from Yahoo Groups ahead of the site’s final demise next week is running into trouble as more than a hundred volunteer archivists say Yahoo’s parent company, Verizon, has banned their accounts.

Yahoo Groups has been on the wane for years, but Verizon announced its official date of death two months ago. Users were blocked from uploading or posting new content to the site as of October 28, and all content currently on the site is slated to be deleted on December 14—less than one week from now.

Members of the Archive Team have been working rapidly to preserve content from as many groups as possible in that six-week time frame. The volunteers have been using “semi-automated” scripts to join groups rapidly and are using a third-party tool known as PGOffline to access messages, photos, and files not captured by Verizon/Yahoo’s data download or export tool. They estimate that as a result of this weekend’s blocks, they have now lost access to 80 percent of the material they were attempting to preserve.

One volunteer working on the effort shared a response she received from Verizon in a blog post yesterday. The Verizon representative said the 128 volunteers from Archiveteam.org, who joined groups with the intent of archiving them, were banned for violating the Verizon Media terms of service and would not be able to have their accounts reinstated.

“I understand your usage of groups is different from the majority of our users, and we understand your frustration,” the Verizon employee added. “However, the resources needed to maintain historical content from Yahoo Groups pages is cost-prohibitive, as they’re largely unused.”

This is not the first time Verizon and the Archive Team have butted heads. Almost exactly a year ago, members of the Archive Team working to preserve Tumblr content had their accounts banned. In that case, however, volunteers found their way around Verizon’s block and continued their work within a day.

The Organization for Transformative Works—the nonprofit best known for running the decade-old, Hugo-winning fanfiction site Archive of Our Own—has joined the chorus calling on Verizon to postpone the deletion date by six months, until May 14, 2020, in order to allow volunteers to archive more material.

Ars has asked Verizon for comment and will update this story if we hear back.