An anti-hacking law can be used to curtail the use of scraping tools across the Web.

LinkedIn: It’s illegal to scrape our website without permission
A legal scholar calls LinkedIn’s position “hugely problematic.”
Timothy B. Lee – 7/31/2017, 8:00 AM
A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It’s a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web.
HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA.
James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company.
“Lots of businesses are built on connecting data from a lot of sources,” Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into “having the scale to do something interesting with that data.” If scraping without consent becomes illegal, startups like hiQ will have a harder time getting off the ground.
But the law may be on the side of LinkedIn—especially in Northern California, where the case is being heard. In a 2016 ruling, the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook’s servers despite a cease-and-desist letter from Facebook.
Some details of that case were different—Power Ventures was sending out private messages with the permission and cooperation of Facebook users, while hiQ is scraping data on public webpages. But experts told Ars that the Power Ventures precedent is likely to be bad news for hiQ because it suggests that continuing to access a site after being asked to stop is enough to trigger the anti-hacking law.
“Hugely problematic”
LinkedIn’s position disturbs Orin Kerr, a legal scholar at George Washington University. “You can’t publish to the world and then say ‘no, you can’t look at it,'” Kerr told Ars.
The CFAA makes it a crime to “access a computer without authorization or exceed authorized access.” Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago.
One plausible reading of the law—the one LinkedIn is advocating—is that once a website operator asks you to stop accessing its site, you commit a crime if you don’t comply.
That’s the interpretation suggested by the 2016 Power Ventures decision, which is a binding precedent in California. Power was a social network that functioned as a social network aggregator: through its website, users could log into other social networks like Facebook, allowing them to access information from multiple social networks simultaneously.
To expand its user base, Power asked users to provide their Facebook credentials and then—with their permission—sent invitations to their Facebook friends. Facebook, naturally, didn’t appreciate this marketing tactic. They sent Power a cease-and-desist letter and also blocked the IP addresses Power was using to communicate with Facebook’s servers.
Facebook sued, claiming that its cease-and-desist letter made Power’s access unauthorized under the terms of the CFAA. Power disagreed and argued that having permission from Facebook users was good enough—it didn’t need separate approval from Facebook itself.
But the 9th Circuit Court of Appeals sided with Facebook last year.
“Power users arguably gave Power permission to use Facebook’s computers to disseminate messages,” the court wrote. “But Facebook expressly rescinded that permission when Facebook issued its written cease-and-desist letter.” After this point, the court held, “Power knew it no longer had authorization to access Facebook’s computers, but continued to do so anyway.”
That result bothers Kerr.
For example, he said, imagine if CNN sent out letters to reporters at rival news organizations demanding that their reporters not access CNN’s website. Under an expansive reading of the law, Kerr told Ars, it would then “become a federal crime to visit a public website.”
Kerr argues sites wanting to limit access to their site should be required to use a technical mechanism like a password to signal that the website is not, in fact, available to the public.
“It’s hugely problematic to let the subjective wishes of the website owner and not their objective action” determine what’s legal, Kerr told Ars.
The Power Ventures case isn’t over. Power Ventures asked the Supreme Court to consider the case in May, and the high court hasn’t decided whether to do so yet. And for now, the Power Ventures precedent only applies within the 9th Circuit, which covers California and other Western states. Unfortunately for hiQ, the LinkedIn dispute is being heard by California federal courts.
Ultimately, Grimmelmann believes, the text of the CFAA doesn’t clearly settle this question. Both Kerr’s view that running a public website implicitly gives the public authorization to access it and LinkedIn’s view that companies can rescind authorization on a case-by-case basis are plausible interpretations of the law.
But both scholars argue there are good reasons to favor the more permissive reading of the law. The LinkedIn interpretation of the law gives big website operators like LinkedIn plenty of power over how their sites are used. They argue the courts should preserve the rights of small companies, watchdog groups, and others to gather information from the Web using scraping tools.
Timothy B. Lee Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.

FINALLY: Court says health insurance company can be sued for data breach

Court says health insurance company can be sued for data breach
By Lydia Wheeler – 08/01/17 11:55 AM EDT
The nation’s second most powerful court ruled Tuesday that a health insurance company’s customers can sue the provider for a 2014 cyberattack in which their personal information was stolen.
A three-judge panel on the D.C. Circuit Court of Appeals reversed a district court’s decision dismissing the class action suit that seven customers brought against CareFirst, which serves 1 million customers in the District of Columbia, Maryland and Virginia.
The customers attributed the breach to the company’s carelessness and argued that they suffered an increased risk of identity theft as a result. But the lower court said the customers lacked standing because they failed to show a present injury or a likelihood of being injured in the future.
Delivering the opinion of the appeals court on Tuesday, Judge Thomas Griffith said the district court gave the complaint an unduly narrow reading.
“The District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers,’” Griffith said.
“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” he added. “In fact, the complaint did.”

IF: The FBI Has Your Biometrics, It Doesn't Have to Tell You

If the FBI Has Your Biometrics, It Doesn’t Have to Tell You
By Mohana Ravindranath August 2, 2017
The FBI’s Next Generation Identification system stores the biometric records of people who have undergone background checks for jobs, volunteer positions and military service, as well as of those who have criminal records. Effective Aug. 31, that database will be exempt from certain parts of the Privacy Act, a law that allows people whose records are held by the federal government to request more information about which records those are.
The exemption means the FBI doesn’t have to acknowledge if it is storing the biometric records of an individual in that database; the bureau has argued that notifying people that they were in the database could compromise investigations.
The FBI published the final rule this week.
Under the rule, individuals won’t be able to find out what types of records the FBI may have of them because it could “specifically reveal investigative interest by the FBI or agencies that are recipients of the disclosures.”
Most of the criminal records in that database are obtained from state and local agencies at the time of arrest, so the FBI cannot always collect information directly from the individual or notify them that their records are being included. “It is not feasible,” the final rule said.
The FBI posted a draft of that rule last year. In that draft, the bureau argued that some records it keeps might seem irrelevant to ongoing investigations, but could eventually end up being necessary for “authorized law enforcement purposes.”
The Electronic Privacy Information Center, an advocacy group in Washington, has tried to persuade the FBI to reduce its data collection and the exemptions from the Privacy Act. After suing the FBI for information about the information stored in the Next Generation Identification System, EPIC concluded that the database has an up to 20 percent error rate for facial recognition searches.
Though it’s not clear exactly how many records are in the system, the Electronic Frontier Foundation, another advocacy group, estimated in 2014 that it could contain up to 52 million facial images by 2015.
One of the most troubling consequences of the final rule is that people in the database might become the subject of investigation without being notified, Jeramie Scott, EPIC’s Domestic Surveillance Project director, told Nextgov. A person whose image is erroneously called up in a search for a different individual might also find themselves being investigated, he explained.
The FBI is “now in a position as the determiner of when the exemption applies,” he said.

CIA 'torture' psychologists to stand trial

CIA ‘torture’ psychologists to stand trial
AFP•August 8, 2017
Washington (AFP) – Two psychologists who helped design the CIA’s post-9/11 detainee interrogation program will stand trial in September for promoting the use of torture methods like water-boarding, starvation and chaining prisoners in extreme stress positions.
Federal judges in Washington state late Monday ordered a lawsuit on behalf of three former detainees — one of whom died in a CIA prison following harsh interrogation — to go to a jury trial, rejecting efforts to force a settlement and prevent a full hearing of the case.
The lawsuit, filed by the American Civil Liberties Union on behalf of the ex-detainees, will be the first involving the torture program to go to trial.
The government has headed off previous efforts, citing what it said is a need to protect sensitive intelligence.
The case targets psychologists James Mitchell and Bruce Jessen, who were recruited by the CIA in 2002 to design and help conduct interrogations of war-on-terror suspects captured in Afghanistan and elsewhere.
The two were paid $80 million for their work, which included helping interrogate Khalid Sheikh Mohammed, the mastermind of the September 11, 2001 attacks by Al-Qaeda, and Abu Zubaydah, another top Qaeda official.
The ACLU suit alleges that Jessen and Mitchell were responsible for, and profited financially from, the illegal torture of Tanzanian Suleiman Abdullah Salim, Libyan Mohamed Ahmed Ben Soud, and Afghani Gul Rahman.
The first two were later freed after years of imprisonment, while Rahman died of hypothermia in a CIA prison cell in November 2002, after what the ACLU says was two weeks of “brutal torture”.
“This is a historic day for our clients and all who seek accountability for torture,” said ACLU attorney Dror Ladin in a statement.
“The court’s ruling means that for the first time, individuals responsible for the brutal and unlawful CIA torture program will face meaningful legal accountability for what they did. Our clients have waited a long time for justice.”
The court rejected the psychologists’ arguments that they were not responsible for all of the CIA’s interrogation activities and had nothing to do with the interrogations of two of the men.
They also claimed they were not responsible for specific decisions to use so-called “enhanced interrogation techniques” in the specific cases of the three, but only broadly supplied the CIA with a list of methods to choose from.
Defending that act as legal, they cited a post-World War II war trial which cleared a technician involved in supplying poison Zyklon B gas to Nazi concentration camps of culpability in mass murder.
They also claimed that the decision to use such techniques was made by the CIA and approved by the Department of Justice, and that they cannot therefore be held responsible.

Science section of 2018 National Climate Assessment leaked to NYTimes

A national hero has leaked the final draft of the science section of the
2018 National Climate Assessment to the New York Times.  Article:
Scientists Fear Trump Will Dismiss Blunt Climate Report
The report concludes that even if humans immediately stopped
emitting greenhouse gases into the atmosphere, the world would
still feel at least an additional 0.50 degrees Fahrenheit
(0.30 degrees Celsius) of warming over this century compared
with today. The projected actual rise, scientists say, will be
as much as 2 degrees Celsius.
A small difference in global temperatures can make a big
difference in the climate: The difference between a rise in
global temperatures of 1.5 degrees Celsius and one of 2 degrees
Celsius, for example, could mean longer heat waves, more intense
rainstorms and the faster disintegration of coral reefs.
Among the more significant of the study’s findings is that it is
possible to attribute some extreme weather to climate change. The
field known as “attribution science” has advanced rapidly
in response to increasing risks from climate change.
The report:
The report as a downloadable PDF:
It’s 673 pages. The executive summary is readable by a general audience
but some science background would be helpful for some of the chapters.

Ad-infested malware distribution site is top of the list.

Google reveals sites with ‘failing’ ads, including Forbes, LA Times
August 8, 2017 by Lucia Moses
Publishers that have fretted about Google’s plans to unleash an ad-blocking version of Chrome in 2018 can now see if their own sites’ ads will be blocked by the tech giant.
On June 1, Google rolled out its Ad Experience Report, a tool it’s using to evaluate and score websites based on their ad creative and design. It provides screenshots and videos of ads that have been identified as annoying to users, such as pop-ups and autoplaying video ads with sound, and “prestitial” ads with countdown timers.
So far, Google has identified about 700 sites as warranting corrective action out of around 100,000 sites it’s reviewed so far. Half of the roughly 700 got a “failing” status and the other half a “warning.” Pop-ups were the most common problem Google found, accounting for 96 percent of violations on desktop and 54 percent on mobile.
Most of these sites are out of the mainstream, such as entertainment sites. But a couple dozen are a who’s who of traditional media. Those listed as failing include Forbes; Tronc-owned Orlando Sentinel, Sun-Sentinel and Los Angeles Times; Bauer Xcel Media’s Life & Style and In Touch Weekly; The Wrap; Chicago Sun-Times; Tribune Broadcasting’s Fox 13 Now; and Sporting News.
A similar number of mainstream sites got warnings. They included Kiplinger, Gizmodo Media Group’s Lifehacker, The Jerusalem Post, The San Diego Union-Tribune, Cox Media Group’s WSB-TV in Atlanta, Tronc’s Baltimore Sun and Chicago Tribune, The Christian Science Monitor, the U.K. Independent, The Daily Caller, Reader’s Digest, All You, Smithsonian, New York Daily News, Salt Lake Tribune and CBS News.
Google underscored that it hasn’t hashed out all the enforcement details yet. One aspect of the plan that may raise alarms with publishers is that Google hasn’t ruled out filtering all of a failing site’s ads — not just the offending ads. Google also didn’t specify what exactly would lead a site to be labeled “failing.” It said “warning” would apply to publishers with “two or more violations” but that these sites wouldn’t be blocked.
Once the new version of Chrome with the ad filter launches next year, Google said it would pull ads from failing publishers’ sites if they don’t fix the violations within 30 days. Google is using the Better Ads Standards set by the Coalition for Better Ads, an alliance of heavy-hitters in advertising and media such as Unilever, GroupM and The Washington Post that was formed to clean up digital advertising. Google is a founding member of the coalition.
The tool is meant to give publishers a way to fix their sites well before Google launches its Chrome ad blocker and to give advertisers and their representatives a way to avoid having their ads run on sites that have a poor user experience. Google also said publishers can use the tool to request a new review after they fix their sites and report if they think they were unfairly identified as having violations.
Along with Google’s ad blocker news, Apple recently said it would update its Safari browser to block video ads that autoplay and stop ad tracking. The platform giants’ moves are seen as a response to users and a way to ward off ad blocking, but publishers see them as a way to solidify control over the platforms’ own digital ad market share, which has grown at the expense of publishers.
Critics also say Google shouldn’t be the arbiter of how publishers monetize their sites (while protecting its own revenue by leaving alone its ads on YouTube and by paying the popular ad blocker AdBlock Plus to make sure its own ads aren’t blocked). No one would argue that users enjoy autoplay video, but the concern is that clamping down on it has a disproportionate impact on independent publishers. It’s worth noting that many of the flagged sites belong to single-title companies or are legacy publishers that are struggling to modernize. Tronc’s digital ad revenue has been dwindling. The Daily News is said to be losing millions a year.
So far, publishers would seem to have little choice but to do what Google wants, though. Ben Gerst, Tronc’s svp of product development, said the company was focused on a better experience for users and advertisers and that it was working with Google and implementing changes to meet the Coalition’s standards. Grant Whitmore, evp of digital at the Daily News, said the paper’s warning status was related to an ad tech partner and in-image ad that was supposed to meet industry ad standards but was somehow getting flagged, and that the publisher was working with Google to resolve it.
A spokesman for Lifehacker, meanwhile, raised the specter of misidentification, saying: “Our Kinja publishing platform has always taken a very audience-centric approach to how we integrate advertising and we believe that practice will ultimately benefit our sites ahead of any upcoming changes in the market, including the new version of Chrome. We don’t believe is currently out of step with existing U.S. better ad standards.”
All publishers are embracing the user experience mantra, but getting there is another matter. Paul Likins, vp of revenue operations at American Media Inc., whose Men’s Fitness and National Enquirer sites were cited for violations, said it’s not always clear from Google’s tool what the violation is, making it confusing for publishers trying to fix them. And fixing them means replacing the revenue generated by offending ads, which isn’t easily done. Google’s approach feels “heavy-handed,” but publishers have to comply, lest they risk not just repercussions from Google but advertisers, who used to clamor for “disruptive” ads, he said.
“We’re all trying to fix this, but we’re moving from a vendor-based business model,” he said. “It takes time, money and resources.”
Paul Vincent is founder of Neuranet, a tech company that helps publishers comply with Interactive Advertising Bureau specs for fast-loading, non-invasive ads. He said an unintended consequence of a company like Google being the arbiter of the web is that small publishers may just throw up their hands and hand over more of their tech needs to Google, thinking that’ll at least ensure their sites won’t be blocked.
“It’s gotten too much power over what’s acceptable,” he said of Google. “When it makes these releases, it can have a massive effect across the industry and sometimes contributes to its dominance because of the confusion.”

Trump gets a folder full of positive news about himself twice a day It’s known as the “propaganda document”

Trump gets a folder full of positive news about himself twice a day
It’s known as the “propaganda document”
By Alex Thompson Aug 8, 2017
Twice a day since the beginning of the Trump administration, a special folder is prepared for the president. The first document is prepared around 9:30 a.m. and the follow-up, around 4:30 p.m. Former Chief of Staff Reince Priebus and former Press Secretary Sean Spicer both wanted the privilege of delivering the 20-to-25-page packet to President Trump personally, White House sources say.
These sensitive papers, described to VICE News by three current and former White House officials, don’t contain top-secret intelligence or updates on legislative initiatives. Instead, the folders are filled with screenshots of positive cable news chyrons (those lower-third headlines and crawls), admiring tweets, transcripts of fawning TV interviews, praise-filled news stories, and sometimes just pictures of Trump on TV looking powerful.
One White House official said the only feedback the White House communications shop, which prepares the folder, has ever gotten in all these months is: “It needs to be more fucking positive.” That’s why some in the White House ruefully refer to the packet as “the propaganda document.”
The process of assembling the folder begins at the Republican National Committee’s “war room,” which has expanded from 4 to 10 people since the GOP won the White House. A war room — both parties have one regardless of who’s in the White House — is often tasked with monitoring local and national news, cable television, social media, digital media, and print media to see how the party, its candidates or their opponents are being perceived.
Beginning at 6 a.m. every weekday — the early start is a longtime war room tradition — three staffers arrive at the RNC to begin monitoring the morning shows on CNN, MSNBC, and Fox News as they scour the internet and newspapers. Every 30 minutes or so, the staffers send the White House Communications Office an email with chyron screenshots, tweets, news stories, and interview transcripts.
White House staffers then cull the information, send out clips to other officials, and push favorable headlines to a list of journalists. But they also pick out the most positive bits to give to the president. On days when there aren’t enough positive chyrons, communications staffers will ask the RNC staffers for flattering photos of the president.
“Maybe it’s good for the country that the president is in a good mood in the morning,” one former RNC official said.
Contacted by VICE News, Spicer disputed the nature of the folder. “While I won’t comment on materials we share with the president, this is not accurate on several levels,” he said in an email. Asked what about the story was inaccurate, Spicer did not respond.
Of course, every White House monitors media coverage to see how they’re being covered, and the RNC may have decided more staff was needed after the party won the White House. As the political media environment has become faster-moving and more frenzied, the efforts to follow it have also become more robust. The Obama White House usually had at least one very caffeinated point person and two others dedicated to watching Twitter, online publications, print media, and cable news, and then compile relevant clips and send them around to White House aides.
But the production of a folder with just positive news — and the use of the RNC to help produce it — seemed abnormal to former White House officials. “If we had prepared such a digest for Obama, he would have roared with laughter,” said David Axelrod, the senior adviser to Barack Obama during his first two years in the White House. “His was a reality-based presidency.”
“The RNC is always going to work to defend the White House, the administration, and its members of Congress, and our war room’s efforts help capture and drive how our team can echo that defense,” said RNC spokeswoman Lindsay Jancek.
Another current White House official said that the idea for the twice-daily ego boost came from Priebus and Spicer, who competed to deliver the folder and be the bearer of the good news. “Priebus and Spicer weren’t in a good position, and they wanted to show they could provide positive coverage,” the official said. “It was self-preservation.”
In the two-plus weeks following the departure of both Spicer and Priebus, White House officials say, the document has been produced less frequently and more typically after public events, such as Trump’s recent speech at the National Boy Scouts Jamboree in West Virginia. It’s unclear what will change, if anything, once a new White House communications director is appointed to replace the briefly tenured Anthony Scaramucci.
“It needs to be more fucking positive.”
It’s not the first recorded instance of Trump welcoming excessive flattery.
He frequently cites or thanks cable television hosts like Sean Hannity, Lou Dobbs, and the hosts of “Fox & Friends” who cover his presidency more favorably.
Thank you to @LOUDOBBS for giving the first six months of the Trump Administration an A+. S.C.,reg cutting,Stock M, jobs,border etc. = TRUE!
— Donald J. Trump (@realDonaldTrump) July 24, 2017
And at a broadcasted Cabinet meeting in June, Trump listened contentedly as the vice president, his chief of staff, and nearly all of the 15 Cabinet secretaries heaped praise on him. Priebus took that opportunity to tell Trump: “On behalf of the entire senior staff around you, Mr. President, we thank you for the opportunity and the blessing that you’ve given us to serve your agenda and the American people.”

!!!THIS – The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
Adam Clark Estes
We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they’re basically useless. He is also very sorry.
The man in question is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.
The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual.

He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Bill is not wrong. Simple math shows that a shorter password with wacky characters is much easier to crack than a long string of easy-to-remember words. This classic XKCD comic shows how four simple words create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days:
Image: XKCD (published under a Creative Commons 2.5 license)
This is why the latest set of NIST guidelines recommends that people create long passphrases rather than gobbledygook words like the ones Bill thought were secure. (Pro tip: Use this guide to create a super secure passcode using a pair of dice.)
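The “simple math” behind the comic and the diceware tip above, as an added example that is not part of the article or of NIST’s guidance: it computes the guessing-entropy of a password from its alphabet size and length, converts that into worst-case cracking time at a given guess rate (the comic’s 1,000 guesses per second), shows that a composition-rule checker happily accepts the weaker password, and implements the five-dice-rolls-to-word-index mapping that a dice-based passphrase generator uses. The word list is a constructed stand-in for a real 7,776-word list; the 28-bit and 44-bit figures are the comic’s own estimates for a substituted dictionary word and a four-word phrase from a 2,048-word list.

```python
"""Added example (not from the article): why length beats composition rules.

Model: a password chosen uniformly from an alphabet of size A with length L
has L * log2(A) bits of guessing entropy; an attacker who can test G guesses
per second needs at most 2**bits / G seconds to exhaust the space.
"""
import math
import re
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1000.0  # the rate assumed in the XKCD comic

# Constructed stand-in for a 7,776-word Diceware list (a real list has 6**5 entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lunar", "quartz", "velvet"]

# The 2003-era composition rules: 8+ chars, upper, lower, digit, symbol.
LEGACY_RULES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every value in a keyspace of 2**bits."""
    return 2 ** bits / guesses_per_second


def meets_legacy_policy(password: str) -> bool:
    """True if the password satisfies the old composition rules (length 8+, four classes)."""
    return len(password) >= 8 and all(rule.search(password) for rule in LEGACY_RULES)


def dice_to_index(rolls) -> int:
    """Map five rolls of a six-sided die (each 1..6) to a word-list index 0..7775.

    Reads the rolls as a base-6 number, most significant roll first.
    """
    rolls = list(rolls)
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls with values 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words uniformly at random (with replacement) using a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_strategies() -> dict:
    """Return entropy and worst-case cracking time for each password strategy."""
    cases = {
        # Comic's estimate: one dictionary word plus predictable substitutions.
        "Tr0ub4dor&3 (comic estimate)": 28.0,
        # Four words from a 2,048-word list, chosen at random.
        "four words, 2048-word list": entropy_bits(2048, 4),
        # Six words from a full 7,776-word Diceware list.
        "six words, 7776-word list": entropy_bits(7776, 6),
        # Eight truly random printable-ASCII characters (95 symbols).
        "8 random printable chars": entropy_bits(95, 8),
    }
    return {
        name: {"bits": bits,
               "years_to_exhaust": seconds_to_exhaust(bits) / SECONDS_PER_YEAR}
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare_strategies().items():
        print(f"{name:32s} {row['bits']:6.1f} bits  {row['years_to_exhaust']:14.3f} years")
    print("legacy policy accepts 'Tr0ub4dor&3':", meets_legacy_policy("Tr0ub4dor&3"))
    print("legacy policy accepts 'correct horse battery staple':",
          meets_legacy_policy("correct horse battery staple"))
    print("dice 1-1-1-1-1 ->", dice_to_index([1, 1, 1, 1, 1]),
          " dice 6-6-6-6-6 ->", dice_to_index([6, 6, 6, 6, 6]))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Running it reproduces the comic’s arithmetic: 44 bits at 1,000 guesses per second is roughly 550 years, 28 bits is about three days, and the composition checker accepts the 28-bit password while rejecting the 44-bit phrase. The generator is only as strong as the list size it draws from, so entropy must always be computed from the real list length, not from the word count alone.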
Inevitably, you have to wonder if Bill not only feels regretful but also a little embarrassed. It’s not entirely his fault either. Fifteen years ago, there was very little research into passwords and information security, while researchers can now draw on millions upon millions of examples. Bill also wasn’t the only one to come up with some regrettable ideas in the early days of the web. Remember pop-up ads, the scourge of the mid-aughts internet? The inventor of those is super sorry as well. Oh, and the confusing, unnecessary double slash in web addresses? The inventor of that idea (and the web itself), Tim Berners-Lee, is also sorry.
Technology is often an exercise of trial and error. If you get something right, like Jeff Bezos or Mark Zuckerberg have done, the rewards are sweet. If you screw up and waste years of unsuspecting internet users’ time in the process, like Bill did, you get to apologize years later. We forgive you, Bill. At least some of us do.
[Wall Street Journal]