Category Archives: Policy

FCC has a redaction party with emails relating to mystery attack on comment system

You may remember the FCC explaining that in both 2014 and 2017, its comment system was briefly taken down by a denial of service attack. At least, so it says — but newly released emails show that the 2014 case was essentially fabricated, and the agency has so aggressively redacted documents relating to the 2017 incident that one suspects they’re hiding more than ordinary privileged information.

As a very quick recap: Shortly after the comment period opened for both net neutrality and the rollback of net neutrality there was a rush of activity that rendered the filing system unusable for a period of hours. This was corrected soon afterwards and the capacity of the system increased to cope with the increased traffic.

A report from Gizmodo based on more than 1,300 pages of emails obtained by watchdog group American Oversight shows that David Bray, the FCC’s chief information officer for a period encompassing both events, appears to have advanced the DDoS narrative with no real evidence or official support.

The 2014 event was not called an attack until much later, when Bray told reporters following the 2017 event that it was. “At the time the Chairman [i.e. Tom Wheeler] did not want to say there was a DDoS attack out of concern of copycats,” Bray wrote to a reporter at Federal News Radio. “So we accepted the punches that it somehow crashed because of volume even though actual comment volume wasn’t an issue.”

Gigi Sohn, who was Wheeler’s counsel at the time, put down this idea: “That’s just flat out false,” she told Gizmodo. “We didn’t want to say it because Bray had no hard proof that it was a DDoS attack. Just like the second time.”

And it is the second time that is most suspicious. Differing on the preferred nomenclature for a four-year-old suspicious cyber event would not be particularly damning, but Bray’s narrative of a DDoS is hard to justify with the facts we do know.

In a blog post written in response to the report, Bray explained regarding the 2017 outage:

Whether the correct phrase is denial of service or “bot swarm” or “something hammering the Application Programming Interface” (API) of the commenting system — the fact is something odd was happening in May 2017.

Bray’s analysis appears sincere, but the data he volunteers is highly circumstantial: large amounts of API requests that don’t match comment counts, for instance, or bunches of RSS requests that tie up the servers. Could it have been a malicious actor doing this? It’s possible. Could it have been bad code hammering the servers with repeated or malformed requests? Also totally possible. The FCC’s justification for calling it an attack seems to be nothing more than a hunch.

Later the FCC, via then-CIO Bray, would categorize the event as a “non-traditional DDoS attack” flooding the API interface. But beyond that it has produced so little information of any import that Congress has had to re-issue its questions in stronger words.

No official documentation of either supposed attack has appeared, nor has the FCC released any data on it, even a year later and long after the comment period has closed, improvements to the system have been made and the CIO who evaded senators’ questions departed.

But most suspicious is the extent to which the FCC redacted documents relating to the 2017 event. Having read through the trove of emails, Gizmodo concludes that “every internal conversation about the 2017 incident between FCC employees” has been redacted. Every one!

The FCC stated before that the “ongoing nature” of the threats to its systems meant it would “undermine our system’s security” to provide any details on the improvements it had made to mitigate future attacks. And Bray wrote in his post that there was no “full blown report” because the team was focused on getting the system up and running again. But there is also an FCC statement saying that “our analysis reveals” that a DDoS was the cause.

What analysis? If it’s not a “significant cyber incident,” as the FBI determined, why the secrecy? If there’s no report or significant analysis from the day — wrong or right in retrospect — what is sensitive about the emails that they have to be redacted en masse? Bray himself wrote more technical details into his post than the FCC has offered in the year since the event — was this information sent to reporters at the time? Was it redacted? Why? So little about this whole information play makes sense.

One reasonable explanation (and just speculation, I should add) would be that the data do not support the idea of an attack, and internal discussions are an unflattering portrait of an agency doing spin work. The commitment to transparency that FCC Chairman Pai so frequently invokes is conspicuously absent in this specific case, and one has to wonder why.

The ongoing refusal to officially document or discuss what all seem to agree was an important event, whether it’s a DDoS or something else, is making the FCC look bad to just about everyone. No amount of redaction can change that.

Washington sues Facebook and Google over failure to disclose political ad spending

Facebook and Google were paid millions for political advertising purposes in Washington but failed for years to publish related information — such as the advertiser’s address — as required by state law, alleges a lawsuit by the state’s attorney general.

Washington law requires that “political campaign and lobbying contributions and expenditures be fully disclosed to the public and that secrecy is to be avoided.”

Specifically, “documents and books of account” must be made available for public inspection during the campaign and for three years following; these must detail the candidate, name of advertiser, address, cost and method of payment, and description of services rendered.

Bob Ferguson, Washington’s attorney general, filed a lawsuit yesterday alleging that both Facebook and Google “failed to obtain and maintain” this information. Earlier this year, Eli Sanders of Seattle’s esteemed biweekly paper The Stranger requested to view the “books of account” from both companies, and another person followed up with an in-person visit; both received unsatisfactory results.

They alerted the AG’s office to these investigations in mid-April, and here we are a month and a half later with a pair of remarkably concise lawsuits. (This appears to be separate from the Seattle Election Commission’s allegations of similar failings by Facebook in February.)

All told Facebook took in about $3.4 million over the last decade, including “$2.5 million paid through political consultants and other agents or intermediaries, and $619,861 paid directly to Facebook.” Google received about $1.5 million over the same period, almost none of which was paid directly to the company. (I’ve asked the AG’s office for more information on how these amounts are defined.)

The total yearly amounts listed in the lawsuits may be interesting to anyone curious about the scale of political payments to online platforms at the state scale, so I’m reproducing them here.

Facebook

  • 2013: $129,099
  • 2014: $310,165
  • 2015: $147,689
  • 2016: $1,153,688
  • 2017: $857,893

Google

  • 2013: $47,431
  • 2014: $72,803
  • 2015: $56,639
  • 2016: $310,175
  • 2017: $295,473

(Note that these don’t add up to the totals mentioned above; these are the numbers filed with the state’s Public Disclosure Committee. 2018 amounts are listed but are necessarily incomplete, so I omitted them.)

At least some of the many payments making up these results are not properly documented, and from the looks of it, this could amount to willful negligence. If a company is operating in a state and taking millions for political ads, it really can’t be unaware of that state’s disclosure laws. Yet according to the lawsuits, even basic data like names and addresses of advertisers and the amounts paid were not collected systematically, let alone made available publicly.

It’s impossible to characterize flouting the law in such a way as an innocent mistake, and certainly not when the mistake is repeated year after year. This isn’t an academic question: if the companies are found to have intentionally violated the law, the lawsuit asks that damages be tripled (technically, “trebled.”)

Neither company addressed the claims of the lawsuit directly when contacted for comment.

Facebook said in a statement that “Attorney General Ferguson has raised important questions and we look forward to resolving this matter with his office quickly.” The company also noted that it has taken several steps to improve transparency in political spending, such as its planned political ad archive and an API for requesting this type of data.

Google said only that it is “currently reviewing the complaint and will be engaging with the Attorney General’s office” and asserted that it is “committed” to transparency and disclosure, although evidently not in the manner Washington requires.

The case likely will not result in significant monetary penalties for the companies in question; even if fines and damages totaled tens of millions it would be a drop in the bucket for the tech giants. But deliberately skirting laws governing political spending and public disclosure is rather a bad look for companies under especial scrutiny for systematic dishonesty — primarily Facebook.

If the AG’s suit goes forward and the companies are found to have intentionally avoided doing what the law required, they (and others like them) would be under serious pressure to do so in the future, not just in Washington, but in other states where similar negligence may have taken place. AG Ferguson seems clearly to want to set a precedent and perhaps inspire others to take action.

I’ve asked the AG’s office for some clarifications and additional info, and will update this post if I hear back.

Google reportedly backing out of military contract after public backlash

A controversial Google contract with the U.S. military will not be renewed next year after internal and public outcry against it, Gizmodo reports. The program itself was not particularly distasteful or lucrative, but served as a foot in the door for the company to pursue more government work that may very well have been both.

Project Maven, as the program was known, essentially had Google working with the military to perform image analysis on sensitive footage like that from drones flying over conflict areas.

A small but vocal group of employees has repeatedly called the company out for violating its familiar (but now deprecated) “Don’t be evil” motto by essentially taking a direct part in warfare. Thousands of employees signed a petition to end the work, and several even resigned in protest.

But more damaging than the loss of a few squeaky wheels has been the overall optics for Google. When it represented the contract as minor, saying that it was essentially aiding in the administration of open-source software, the obvious question from the public was “so why not stop?”

The obvious answer is that it isn’t minor, and that there’s more to it than just a bit of innocuous support work. In fact, as reportage over the last few months has revealed, Maven seems to have been something like a pilot project intended to act as a wedge by which to gain access to other government contracts.

Part of the goal was getting the company’s security clearance fast-tracked and thus gaining access to data by which it could improve its military-related offerings. And promises to Pentagon representatives detailed far more than facilitation of garden-variety AI work.

Gizmodo’s sources say that Diane Greene, CEO of Google Cloud, told employees today at a meeting that the backlash was too much and that the company’s priorities as regards military work have changed. They must have changed recently, since discussions have been ongoing right up until the end of 2017. I’ve asked Google for comment on the issue.

Whether the expiration of Project Maven will represent a larger change to Google’s military and government ambitions remains to be seen; some managers are surely saying to themselves right now that it would be a shame to have that security clearance go to waste.

Google To EFF On Student Privacy: “Our Tools Comply With Both The Law And Our Promises”

Yesterday, the EFF announced the launch of a campaign called ‘Spying on Students’ to raise awareness about privacy risks for technology used at schools. The campaign came with a complaint that it filed with the FTC against Google, claiming that the company collects and data mines school children’s personal info, including what they search for. EFF staff attorney Nate Cardozo…

Google’s November Self-Driving Car Report Details Learnings, A Pull-Over, And A Rear-End Collision

Google’s monthly self-driving car reports are fun to read through, and give transparent accounts of what the team is up to, how the cars are performing, and any lessons learned along the way. Last month focused on pedestrians, with Halloween being a helper. This month? The company says it’s currently averaging 10,000-15,000 autonomous miles per week on public streets with 23 Lexus…

The Last Bus Startup Standing: Chariot

In the beginning, there were three. There was Leap Transit, the Andreessen Horowitz-backed bus startup stocked with Blue Bottle Coffee and furnished with plush stool seating for morning and evening commuters. Then there was the Nightschool’s nostalgic take with off-duty schoolbuses for late-night transport between the East Bay and San Francisco after the region’s commuter…

The Meme Election

Social media has been playing an increasingly critical role in political elections. The 2008 presidential election, dubbed the “Facebook Election,” was the first time voters could view and share debates, interviews, commercials and statements on-demand. 2012 saw the evolution continue with Barack Obama utilizing social platforms to not just distribute his message, but actually…

The Encryption Debate Isn’t Taking A Thanksgiving Break

Lawmakers and Congressional staffers may be trickling out of their Hill offices and to the airports, but the encryption debate is not taking a holiday this week. Following media reports that the terrorists responsible for the Paris attacks communicated via encrypted messaging platforms, both opponents and proponents of backdoors for law enforcement are speaking up. Yesterday Senator Ron…

Our National Encryption Debate, In Quotes

The long-burning debate concerning encryption, its impact on both consumer privacy and the government’s ability to protect its citizens is back with a vengeance. The dialogue appeared to be dwindling after the White House said it would not require companies to breach the security of their products to provide the government with information. The Paris terror attack has thrust encryption…
