Transportation

Delta Airlines Tests Facial Recognition To Speed Up Baggage Check-In (cnn.com) 57

Would you let Delta airlines scan your face if it meant you could skip the line to check-in your baggage? An anonymous reader quotes CNN: Delta is testing a face-scanning kiosk for baggage check... It uses facial recognition technology to match your identity to your passport photo. You tag your own bags, pay the fee and drop your luggage on a conveyor belt... Delta will test four of the machines at Minneapolis-St. Paul International Airport this summer. The airline spent $600,000 on the four kiosks.
A senior staff attorney at the EFF warns this could be a slippery slope -- at what point this morphs into airline surveillance? But a Delta spokerspeson insists the images won't be stored, that they're complying with privacy laws, and that the kiosks could double the number of passengers whisking through their check-in procedures.
Communications

FCC Suspends Net Neutrality Comments, As Chairman Pai Mocks 'Mean Tweets' (gizmodo.com) 184

An anonymous reader writes:Thursday the FCC stopped accepting comments as part of long-standing rules "to provide FCC decision-makers with a period of repose during which they can reflect on the upcoming items" before their May 18th meeting. Techdirt wondered if this time to reflect would mean less lobbying from FCC Chairman Ajit Pai, but on Friday Pai recorded a Jimmy Kimmel-style video mocking mean tweets, with responses Gizmodo called "appalling" and implying "that anyone who opposes his cash grab for corporations is a moron."

Meanwhile, Wednesday The Consumerist reported the FCC's sole Democrat "is deploying some scorched-earth Microsoft Word table-making to use FCC Chair Ajit Pai's own words against him." (In 2014 Pai wrote "A dispute this fundamental is not for us five, unelected individuals to decide... We should also engage computer scientists, technologists, and other technical experts to tell us how they see the Internet's infrastructure and consumers' online experience evolving.") But Pai seemed to be mostly sticking to friendlier audiences, appearing with conservative podcasters from the Taxpayer Protection Alliance, the AEI think tank and The Daily Beast.

The Verge reports the flood of fake comments opposing Net Neutrality may have used names and addresses from a breach of 1.4 billion personal information records from marketing company River City Media. Reached on Facebook Messenger, one woman whose named was used "said she hadn't submitted any comments, didn't live at that address anymore and didn't even know what net neutrality is, let alone oppose it."

Techdirt adds "If you do still feel the need to comment, the EFF is doing what the FCC itself should do and has set up its own page at DearFCC.org to hold any comments."
Electronic Frontier Foundation

EFF Warns Most Of Intel's Chipsets Contain 'A Security Hazard' (eff.org) 158

The EFF is issuing a warning about the "tiny homunculus computer" in most of Intel's chipsets -- the largely-undocumented "Management Engine" which houses more than just the AMT module. An anonymous reader quotes their report: While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one....vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes... It should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user's interests, and should never be installed in a Management Engine by default...

While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
The Internet

A New Use For Browser Fingerprints: Defeating Spoofing (browserprint.info) 64

AnonymousCube writes: Researchers at the University of Adelaide have found a new use for browser fingerprints: uncovering and defeating spoofing by web browsers. By using machine learning on browser fingerprints they were able to correctly guess the OS or browser family of a browser 90% of the time, and defeat operating system and browser family spoofing 76% of the time. This was done with small training sets of less than 1000 fingerprints, so accuracy with a much larger training set, like the size of the EFF's Panopticlick database should give even better results; you can help prove this, and see what their site thinks your browser family and OS is, by submitting your fingerprint to their site.
DRM

DRM Will Be Gone By 2025, Predicts Cory Doctorow (theregister.co.uk) 191

An anonymous reader writes: It's been two years since Cory Doctorow joined the EFF's campaign to eliminate DRM within 8 years -- and he still believes it'll happen. "Farmers and the Digital Right To Repair Coalition have done brilliantly and have a message which is extremely resonant with the political right as well as the political left." And now even the entertainment industry seems to oppose extending the DMCA to tractors. "The entertainment industry feels very proprietary towards laws that protect DRM. They really feel that they lobbied for and bought these laws in order to protect the business model they envisioned. For these latecomer upstarts to turn up and stretch and distort these laws out of proportion has really exposed one of the natural cracks in copyright altogether."
Doctorow also says that "If there's anything good that might come of Brexit, it's that the UK will renegotiate and reevaluate its relationship to the Organisation for Economic Co-operation and Development and other directives. The UK enjoys a really interesting market position if it wants to be the only nation in the region that makes, exports, and supports DRM-breaking tools."
Crime

Debian Developer Imprisoned In Russia Over Alleged Role In Riots (itwire.com) 93

An anonymous reader writes: "Dmitry Bogatov, Debian developer and Tor node admin, is still being held in a Moscow jail," tweeted the EFF Saturday. IT Wire reports that the 25-year-old math teacher was arrested earlier this month "on suspicion of organizing riots," and is expected to be held in custody until June 8. "The panel investigating the protests claims Bogatov posted several incitory messages on the sysadmin.ru forum; for example, one claim said he was asking people to bring 'bottles, fabric, gasoline, turpentine, foam plastic' to Red Square, according to a post at Hacker News. The messages were sent in the name of one Airat Bashirov and happened to be transmitted through the Tor node that Bogatov was running. The Hacker News post said Bogatov's lawyer had produced surveillance video footage to show that he was elsewhere at the time when the messages were posted.
"After Dmitry's arrest," reports the Free Bogatov site, "Airat Bashirov continue to post messages. News outlets 'Open Russia' and 'Mediazona' even got a chance to speak with him."

Earlier this month the Debian GNU/Linux project also posted a message of support, noting Dmitry maintains several packages for command line and system tools, and saying their group "honours his good work and strong dedication to Debian and Free Software... we hope he is back as soon as possible to his endeavours... In the meantime, the Debian Project has taken measures to secure its systems by removing Dmitry's keys in the case that they are compromised."
Databases

Five Years Later, Legal Megaupload Data Is Still Trapped On Dead Servers (arstechnica.com) 82

An anonymous reader quotes a report from Ars Technica: It's been more than five years since the government accused Megaupload and its founder Kim Dotcom of criminal copyright infringement. While Dotcom himself was arrested in New Zealand, U.S. government agents executed search warrants and grabbed a group of more than 1,000 servers owned by Carpathia Hosting. That meant that a lot of users with gigabytes of perfectly legal content lost access to it. Two months after the Dotcom raid and arrest, the Electronic Frontier Foundation filed a motion in court asking to get back data belonging to one of those users, Kyle Goodwin, whom the EFF took on as a client. Years have passed. The U.S. criminal prosecution of Dotcom and other Megaupload executives is on hold while New Zealand continues with years of extradition hearings. Meanwhile, Carpathia's servers were powered down and are kept in storage by QTS Realty Trust, which acquired Carpathia in 2015. Now the EFF has taken the extraordinary step of asking an appeals court to step in and effectively force the hand of the district court judge. Yesterday, Goodwin's lawyers filed a petition for a writ of mandamus (PDF) with the U.S. Court of Appeals for the 4th Circuit, which oversees Virginia federal courts. "We've been asking the court for help since 2012," said EFF attorney Mitch Stolz in a statement about the petition. "It's deeply unfair for him to still be in limbo after all this time."
Education

EFF Says Google Chromebooks Are Still Spying On Students (softpedia.com) 84

schwit1 quotes a report from Softpedia: In the past two years since a formal complaint was made against Google, not much has changed in the way they handle this. Google still hasn't shed its "bad guy" clothes when it comes to the data it collects on underage students. In fact, the Electronic Frontier Foundation says the company continues to massively collect and store information on children without their consent or their parents'. Not even school administrators fully understand the extent of this operation, the EFF says. According to the latest status report from the EFF, Google is still up to no good, trying to eliminate students privacy without their parents notice or consent and "without a real choice to opt out." This, they say, is done via the Chromebooks Google is selling to schools across the United States.
Electronic Frontier Foundation

Troll With 'Stupid Patent' Sues EFF. EFF Sues Them Back (arstechnica.com) 68

"The Electronic Frontier Foundation has sued an Australian company that it previously dubbed as a 'classic patent troll' in a June 2016 blog post entitled: Stupid Patent of the Month: Storage Cabinets on a Computer." An anonymous reader quotes Ars Technica: Last year, that company, Global Equity Management (SA) Pty. Ltd. (GEMSA), managed to get an Australian court to order EFF to remove its post -- but EFF did not comply. In January 2017, Pasha Mehr, an attorney representing GEMSA, further demanded that the article be removed and that EFF pay $750,000. EFF still did not comply. The new lawsuit, filed in federal court in San Francisco on Wednesday, asks that the American court declare the Australian ruling unenforceable in the U.S.
GEMSA's attorneys reportedly threatened to have the EFF's post de-indexed from search engine listings -- on the basis of the Australian court order -- so now the EFF "seeks a court order declaring the Australian injunction 'repugnant' to the U.S. Constitution and unenforceable in the United States."

The Register reports that GEMSA has already sued 37 companies, "including big-name tech companies Airbnb, Uber, Netflix, Spotify, and eBay. In each case, GEMSA accused the company's website design of somehow trampling on the GUI patent without permission." But things were different after the EFF's article, according to Courthouse News. "GEMSA said the article made it harder to enforce its patents in the United States, citing its legal opponents' 'reduced interest in pursuing pre-trial settlement negotiations.'"
Government

Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com) 227

Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."

The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."

Click through for the rest of the story.
Electronic Frontier Foundation

London Police Ink Shadowy Deal With Industry On Website Takedowns (eff.org) 23

AmiMoJo writes: The EFF is warning about unregulated activity against websites by the Police Intellectual Property Crime Unit (PIPCU) of the City of London Police. A program called RogueBlock accepts notifications from IP holders, which the PIPCU then acts on, giving private companies legal jurisdiction over the entire internet, with appeals in the case of malicious reports and mistakes being extremely difficult to make. For example, Spanish sports streaming site Rojadirecta had its domain name seized by the U.S. government for over a year, despite the site being lawful in its native Spain. The EFF terms this kind of activity "Shadow Regulation."
Privacy

How To Protect Your Privacy Online (theverge.com) 130

Though the U.S. Congress voted to roll back privacy rules, broadband customers can still opt-out of targeted advertising from Comcast, Charter, AT&T, and T-Mobile. But an anonymous reader explains why that's not enough: "It's not clear that opting out will prevent ISPs from putting your data to use," reports The Verge, adding "you're opting out of seeing ads, but not out of providing data." Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, tells NPR that consumers can also "call their providers and opt out of having their information shared." But he also suggests a grass roots effort, calling this "an opportunity to pressure companies to implement good practices and for consumers to say 'I think that you should require opt-in consent and if you're not, why not?'"

To try to stop the creation of that data, Brian Krebs has also posted a guide for choosing a VPN provider, and shared a useful link to a chart comparing VPN providers that was recommended by the EFF. This may help avoid some of the problems reported with VPN services, and Krebs also recommends Tor as a free (albeit possibly slower) option, while sharing an informational link describing Tor's own limitations.

I'm curious what steps Slashdot's readers are taking (if any) to protect their own privacy online?
Electronic Frontier Foundation

EFF Issues April Fool's Day Newsletter (eff.org) 21

An anonymous reader writes: There were some surprises in today's edition of the EFF's "EFFector" newsletter. Noting that it's their sqrt(-1)th issue, they report that the EU will protect the privacy of its data by building a 30-foot wall around the United States. "Only U.S. tech companies that comply with EU privacy restrictions and prohibit U.S. government access to their data will be given fiber optic grappling hooks to transport Europeans' data across the Atlantic, over the wall, and back to their U.S.-based servers."

The newsletter also reports that the bipartisan leaders of the U.S. House and Senate Intelligence Committees "apologized during a press conference this morning for failing to provide rigorous supervision of the intelligence community." And the newsletter also reports that Deadpool won an Oscar after PricewaterhouseCoopers mistakenly handed the presenters an envelope with a list of the most-frequently torrent-ed movie of 2016. But perhaps its most unexpected headline is "Comcast to Assimilate with the Borg."

The Borg said the deal would increase its market share, nationwide reach, and overall reputation for evil -- while Comcast claimed that the deal would boost competition.
Communications

Senate Votes To Kill FCC's Broadband Privacy Rules (pcworld.com) 404

The Senate voted 50-48 along party lines Thursday to repeal an Obama-era law that requires internet service providers to obtain permission before tracking what customers look at online and selling that information to other companies. PCWorld adds: The Senate's 50-48 vote Thursday on a resolution of disapproval would roll back Federal Communications Commission rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details with third parties. The FCC approved the regulations just five months ago. Thursday's vote was largely along party lines, with Republicans voting to kill the FCC's privacy rules and Democrats voting to keep them. The Senate's resolution, which now heads to the House of Representatives for consideration, would allow broadband providers to collect and sell a "gold mine of data" about customers, said Senator Bill Nelson, a Florida Democrat. Kate Tummarello, writing for EFF: [This] would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn't be able to profit off of the information about what you search for, read about, purchase, and more without your consent. We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.
Businesses

Patents Are A Big Part Of Why We Can't Own Nice Things (eff.org) 243

An anonymous reader shares an EFF article: Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, who last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long established legal rules that safeguard consumers and enable innovation. When you buy something physical -- a toaster, a book, or a printer, for example -- you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you're done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can't do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don't really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract. But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that any one using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement.
Patents

Maryland Legislator Wants To Keep State University Patents Away From Trolls (eff.org) 52

The EFF's "Reclaim Invention" campaign provided the template for a patent troll-fighting bill recently introduced in the Maryland legislature to guide public universities. An anonymous reader writes: The bill would "void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll)," according to the EFF, requiring universities to manage their patent portfolios in the public interest. James Love, the director of the nonprofit Knowledge Ecology International, argues this would prevent assigning patents to "organizations who are just suing people for infringement," which is especially important for publicly-funded colleges. "You don't want public sector patents to be used in a way that's a weapon against the public." Yarden Katz, a fellow at Harvard's Berkman Klein Center for Internet amd Society, says the Maryland legislation would "set an example for other states by adopting a framework for academic research that puts public interests front and center."
The EFF has created a web page where you can encourage your own legislators to pass similar bills, and to urge universities to pledge "not to knowingly license or sell the rights of inventions, research, or innovation...to patent assertion entities, or patent trolls."
The Courts

Hacking Victim Can't Sue Foreign Government For Hacking Him On US Soil, Says Court (vice.com) 102

According to Motherboard, a court of appeals in Washington D.C. ruled that an American citizen can't sue the Ethiopian government for hacking into his computer and monitoring him with spyware. "The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking." From the report: In late 2012, the Ethiopian government allegedly hacked the victim, an Ethiopian-born man who goes by the pseudonym Kidane for fear for government reprisals. Ethiopian government spies from the Information Network Security Agency (INSA) allegedly used software known as FinSpy to break into Kidane's computer, and secretly record his Skype conversations and steal his emails. FinSpy was made by the infamous FinFisher, a company that has sold malware to several governments around the world, according to researchers at Citizen Lab, a digital watchdog group at the University of Toronto's Munk School of Global Affairs, who studied the malware that infected Kidane's computer. The U.S. Court of Appeals for the District of Columbia Circuit ruled that Kidane didn't have jurisdiction to sue the Ethiopian government in the United States. Kidane and his lawyers invoked an exception to the Foreign Sovereign Immunities Act (FSIA), which says foreign governments can be sued in the U.S. as long as the entire tort on which the lawsuit is based occurred on American soil. According to the court, however, the hacking in this case didn't occur entirely in the U.S. "Ethiopia's placement of the FinSpy virus on Kidane's computer, although completed in the United States when Kidane opened the infected email attachment, began outside the United States," the decision read. "[It] gives foreign governments carte blanche to do whatever they want to Americans in America so long as they do it by remote control," Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a digital rights group who represented Kidane in this first-of-its-kind lawsuit, told Motherboard.
Privacy

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org) 246

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Crime

Local Police Departments Are Building Their Own DNA Databases (ap.org) 50

Slashdot reader schwit1 quotes the Associated Press: Dozens of police departments around the U.S. are amassing their own DNA databases to track criminals, a move critics say is a way around regulations governing state and national databases that restrict who can provide genetic samples and how long that information is held. The local agencies create the rules for their databases, in some cases allowing samples to be taken from children or from people never arrested for a crime. Police chiefs say having their own collections helps them solve cases faster because they can avoid the backlogs that plague state and federal repositories...

Frederick Harran, the public safety director in Bensalem Township, Pennsylvania...said he knows of about 60 departments using local databases... "The local databases have very, very little regulations and very few limits, and the law just hasn't caught up to them," said Jason Kreig, a law professor at the University of Arizona who has studied the issue.

One ACLU attorney cites a case where local police officers in California took DNA samples from children without even obtaining a court order first.
IBM

IBM Gets a Patent On 'Out-of-Office' Email Messages -- In 2017 (arstechnica.com) 65

The U.S. Patent and Trademark Office has issued IBM a -- what the Electronic Frontier Foundation calls -- "stupefyingly mundane" patent on e-mail technology. U.S. Patent No. 9,547,842, "Out-of-office electronic mail messaging system" was filed in 2010 and granted about six weeks ago. Ars Technica reports: The "invention" represented in the '842 patent is starkly at odds with the real history of technology, accessible in this case via a basic Google search. EFF lawyer Daniel Nazer, who wrote about the '842 patent in this month's "Stupid Patent of the Month" blog post, points to an article on a Microsoft publicity page that talks about quirky out-of-office e-mail culture dating back to the 1980s, when Microsoft marketed its Xenix e-mail system (the predecessor to today's Exchange.) IBM offers one feature that's even arguably not decades old: the ability to notify those writing to the out-of-office user some days before the set vacation dates begin. This feature, similar to "sending a postcard, not from a vacation, but to let someone know you will go on a vacation," is a "trivial change to existing systems," Nazer points out. Nazer goes on to identify some major mistakes made during the examination process. The examiner never considered whether the software claims were eligible after the Supreme Court's Alice v. CLS Bank decision, which came in 2014, and in Nazer's view, the office "did an abysmal job" of looking at the prior art. "[T]he examiner considered only patents and patent applications," notes Nazer. The office "never considered any of the many, many, existing real-world systems that pre-dated IBM's application."

Slashdot Top Deals