[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem

Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization’s security plans and strategies compare to what others are doing? Here’s an in-depth look.
Source: Vulnerabilitys & Threats

GhostHook Attacks Windows 10 and OpenVPN has Flaws! – Threat Wire

Microsoft just had a pretty bad week, WannaCry is still alive and kickin!, the CIA’s Brutal Kangaroo hits the web, and OpenVPN has flaws, so make sure to update. All that coming up now on Threat Wire.

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Links:
https://thehackernews.com/2017/06/ghosthook-windows-10-hacking.html
https://threatpost.com/ghosthook-attack-bypasses-windows-10-patchguard/126462/
https://www.cyberark.com/threat-research-blog/ghosthook-bypassing-patchguard-processor-trace-based-hooking/

http://www.zdnet.com/article/microsoft-no-known-ransomware-windows-we-tried-to-hack-it/
https://arstechnica.com/information-technology/2017/06/microsoft-should-shore-up-windows-10-ss-security-then-offer-it-to-everyone/

https://thehackernews.com/2017/06/windows10-builds-source-code.html
https://www.theregister.co.uk/2017/06/23/windows_10_leak/
https://arstechnica.com/information-technology/2017/06/32tb-of-windows-10-beta-builds-driver-source-code-leaked/

https://thehackernews.com/2017/06/honda-wannacry-attack.html
https://www.cnet.com/roadshow/news/wannacry-ransomware-causes-honda-plant-shutdown-in-japan/
https://www.cnet.com/news/wannacry-hits-traffic-cameras-in-australia/

https://wikileaks.org/vault7/#Brutal%20Kangaroo
https://thehackernews.com/2017/06/wikileaks-Brutal-Kangaroo-airgap-malware.html
https://motherboard.vice.com/en_us/article/wjq3zq/wikileaks-docs-show-how-the-cia-allegedly-infected-offline-computers

https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/
https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-2-fixes-critical-issues-discovered-openvpn-audit-reports/
https://thehackernews.com/2017/06/openvpn-security-flaw_21.html

Source: Security news


Source: Zologic

No-Name Security Incidents Caused as Many Tears as WannaCry, Pros Say

Half of security pros say they’ve worked just as frantically this year to fix other incidents that the public never heard about.
Source: Vulnerabilitys & Threats

Ukraine hit hard as Petya Ransomware Variant Spreads around the world

We will be updating this page with additional information. Please check back for the latest.

While initial reports have only centred on the Ukraine being hit by a new stream of ransomware known as Petya, this is a global attack. Just like WannaCry, this might be leveraging EternalBlue, which attacks SMB file-sharing services, locking organisations out of their networks and demanding a fee to decrypt files. Bitcoin payments are currently already at $2,000+ already. But it’s essential that victims understand that payment may not actually allow them to access their data, and may just fund hackers to commit further crimes.

The exact measures organisations can implement to mitigate risk depends on the kind of system being protected but there are fundamental actions such as backing up data in the Cloud and on an external hard drive, updating system and patch vulnerabilities, and ensuring everyone is watching where their click. While collaboration across organisations and individuals is also a highly effective method of prevention and mitigation. Sharing experience or research on various types of ransomware helps to dilute their effectiveness.


Source: Honeypot Tech

Anomali Weekly Threat Intelligence Briefing – June 27, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

SamSam Ransomware Now Demands $33,000 from Victims (June 26, 2017)
AlienVault researchers have observed an increase in distribution of the “SamSam” ransomware. Additionally, the actors behind the campaign are demanding and increasing amount of funds for the decryption key. The malware is typically installed by exploiting an unpatched server vulnerability, according to researchers. Recently, threat actors have been demanding 1.7 Bitcoin (approximately $4,600 USD) for the decryption key for one machine. If multiple machines are infected, threat actors are demanding 6 Bitcoin (approximately $16,400 USD) to decrypt half of the machines, and 12 Bitcoin (approximately $32,800 USD) to decrypt all of the machines.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: SamSam, Ransomware

Birthday Reminder Looks Benign but the Devil’s In the Details: Hook DNS, Serves Dodgy Ads (June 23, 2017)
ESET researchers have discovered a “Birthday Reminder” application for Windows operating systems that has some hidden malicious features. The malware contained in the application, dubbed “DNSBirthday,” can hook into DNS requests to inject advertisements into web pages. The malware loads multiple modules onto the infected machine, one of which is capable of gathering information about machine that is sent to a C2 before delivering advertisement payloads.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
Tags: DNSBirthday, Malicious application

New Android Marcher Variant Posing as Adobe Flash Player Update (June 22, 2017)
The banking malware called, “Marcher,” has been observed being distributed via fake Adobe Flash Player updates, according to Zscaler researchers. If a device installs the fake update, the malware hides icon and will proceed to perform web injection overlays attacks. The overlays impersonate legitimate banking applications and will gather the data that is inputted by the user and send it to a C2.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Marcher, Mobile malware, Android

Following the Trail of BlackTech’s Cyber Espionage Campaigns (June 22, 2017)
According to Trend Micro researchers, a cyber espionage threat group called, “BlackTech,” has been discovered to be attacking targets located in East Asia. The group appears to have been active since at least 2010 and has primarily targeted Taiwan, however, Hong Kong and Japan have also been targeted. Additionally, researchers have discovered connections between BlackTech operations and other information theft campaigns codenamed PLEAD, Shrouded Crossbow, and Waterbear; this appears to indicate that the same group is behind the campaigns.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, how to identify such attempts.
Tags: APT, BlackTech, Cyber espionage

Player 1 Limps Back Into the Ring – Hello Again, Locky! (June 21, 2017)
The malspam botnet, “Necurs,” has been observed switching back to distributing “Locky” ransomware and away from previous “Jaff” ransomware distribution, according to Talos researchers. The spam emails claim that an attached .zip file contains information for a previously placed order. The Locky ransomware is contained in a .exe file that is encapsulated within two compressed .zip archives.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these type of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided. Furthermore, it is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files.
Tags: Locky, Necurs, Malspam

Honda Halts Japan Car Plant After WannaCry Hits Computer (June 21, 2017)
The Honda Motor Company has stated that its Sayama manufacturing plant was affected by the “WannaCry” ransomware on June 19, 2017. The company reported that it shut down all manufacturing in the Sayama plant for the entire day while they underwent mitigation procedures to contain and remove the malware.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files.
Tags: WannaCry, Breach

Ztorg: From Rooting to SMS (June 20, 2017)
Two malicious applications were discovered in the Google Play Store that were downloaded in total more than 60,000 times, according to Kaspersky researchers. One of the applications, called “Magic Browser,” was downloaded approximately 50,000 times and the other, called “Noise Detector,” was downloaded approximately 10,000 times. Both applications contain malicious code that is similar to the “Ztorg” malware family. Ztorg is capable of receiving remote commands that can allow it to steal money from an infected device’s account, among other features.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Ztorg, Mobile malware

AdGholas Malvertising Campaign Employs Astrum Exploit Kit (June 20, 2017)
TrendMicro researchers have discovered a new “AdGholas” malvertising campaign that is using the “Astrum” exploit kit to deliver malware. Researchers identified 262,163 separate events that involved AdGholas C2’s with the traffic coming largely from the U.S. and Japan. While no specific malware payloads were identified, the traffic did appear to coincide with ransomware attacks in the U.K.
Recommendation: Malvertising and exploit kits, in general, are being developed and improved constantly by cybercriminals, therefore keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: AdGholas, Malvertising

Minimalist Alina POS Variant Starts Using SSL (June 19, 2017)
A new variant of the Point-of-Sale (POS) malware called “Alina” has been discovered, according to SpiderLabs researchers. The malware was first identified in the wild in late 2012, and in this variant the threat actors have removed some features in favor of a Secure Socket Layer (SLL) tunnel. In this manner, Alina is able to add another layer of encryption in addition to obfuscating the stolen credit card data using a legacy XOR scheme.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these type of threats, and important network infrastructure should be segregated. In the case of infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputation.
Tags: Alina, POS malware

The RNC Files: Inside the Largest US Voter Data Leak (June 19, 2017)
UpGuard’s Cyber Risk Team discovered an Amazon S3 Bucket that was misconfigured in a way that allowed public access. The cloud server was owned by U.S. Republican National Committee employed data firm, “Deep Root Analytics,” and contained Personally Identifiable Information (PII) belonging to approximately 198 million American voters. UpGuard discovered the database on June 12, 2017, and subsequently informed federal authorities; the cloud server was secured from public access on June 19, 2017. The data consisted of date of birth, full name, home address, phone numbers, voter registration details, and other unspecified “modeled” data regarding ethnicity and religion.
Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, misconfigured databases has the potential to cause significant harm to individuals and a company’s reputation.
Tags: Misconfigured database, Data leak


Source: Honeypot Tech

Scratch 2.0: all-new features for your Raspberry Pi

We’re very excited to announce that Scratch 2.0 is now available as an offline app for the Raspberry Pi! This new version of Scratch allows you to control the Pi’s GPIO (General Purpose Input and Output) pins, and offers a host of other exciting new features.

Offline accessibility

The most recent update to Raspbian includes the app, which makes Scratch 2.0 available offline on the Raspberry Pi. This is great news for clubs and classrooms, where children can now use Raspberry Pis instead of connected laptops or desktops to explore block-based programming and physical computing.

Controlling GPIO with Scratch 2.0

As with Scratch 1.4, Scratch 2.0 on the Raspberry Pi allows you to create code to control and respond to components connected to the Pi’s GPIO pins. This means that your Scratch projects can light LEDs, sound buzzers and use input from buttons and a range of sensors to control the behaviour of sprites. Interacting with GPIO pins in Scratch 2.0 is easier than ever before, as text-based broadcast instructions have been replaced with custom blocks for setting pin output and getting current pin state.

Scratch 2.0 GPIO blocks

To add GPIO functionality, first click ‘More Blocks’ and then ‘Add an Extension’. You should then select the ‘Pi GPIO’ extension option and click OK.

Scratch 2.0 GPIO extension

In the ‘More Blocks’ section you should now see the additional blocks for controlling and responding to your Pi GPIO pins. To give an example, the entire code for repeatedly flashing an LED connected to GPIO pin 2.0 is now:

Flashing an LED with Scratch 2.0

To react to a button connected to GPIO pin 2.0, simply set the pin as input, and use the ‘gpio (x) is high?’ block to check the button’s state. In the example below, the Scratch cat will say “Pressed” only when the button is being held down.

Responding to a button press on Scractch 2.0

Cloning sprites

Scratch 2.0 also offers some additional features and improvements over Scratch 1.4. One of the main new features of Scratch 2.0 is the ability to create clones of sprites. Clones are instances of a particular sprite that inherit all of the scripts of the main sprite.

The scripts below show how cloned sprites are used — in this case to allow the Scratch cat to throw a clone of an apple sprite whenever the space key is pressed. Each apple sprite clone then follows its ‘when i start as clone’ script.

Cloning sprites with Scratch 2.0

The cloning functionality avoids the need to create multiple copies of a sprite, for example multiple enemies in a game or multiple snowflakes in an animation.

Custom blocks

Scratch 2.0 also allows the creation of custom blocks, allowing code to be encapsulated and used (possibly multiple times) in a project. The code below shows a simple custom block called ‘jump’, which is used to make a sprite jump whenever it is clicked.

Custom 'jump' block on Scratch 2.0

These custom blocks can also optionally include parameters, allowing further generalisation and reuse of code blocks. Here’s another example of a custom block that draws a shape. This time, however, the custom block includes parameters for specifying the number of sides of the shape, as well as the length of each side.

Custom shape-drawing block with Scratch 2.0

The custom block can now be used with different numbers provided, allowing lots of different shapes to be drawn.

Drawing shapes with Scratch 2.0

Peripheral interaction

Another feature of Scratch 2.0 is the addition of code blocks to allow easy interaction with a webcam or a microphone. This opens up a whole new world of possibilities, and for some examples of projects that make use of this new functionality see Clap-O-Meter which uses the microphone to control a noise level meter, and a Keepie Uppies game that uses video motion to control a football. You can use the Raspberry Pi or USB cameras to detect motion in your Scratch 2.0 projects.

Other new features include a vector image editor and a sound editor, as well as lots of new sprites, costumes and backdrops.

Update your Raspberry Pi for Scratch 2.0

Scratch 2.0 is available in the latest Raspbian release, under the ‘Programming’ menu. We’ve put together a guide for getting started with Scratch 2.0 on the Raspberry Pi online (note that GPIO functionality is only available via the desktop version). You can also try out Scratch 2.0 on the Pi by having a go at a project from the Code Club projects site.

As always, we love to see the projects you create using the Raspberry Pi. Once you’ve upgraded to Scratch 2.0, tell us about your projects via Twitter, Instagram and Facebook, or by leaving us a comment below.

The post Scratch 2.0: all-new features for your Raspberry Pi appeared first on Raspberry Pi.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online


Source: Zologic

‘NotPetya’ ransomware attack shows corporate social responsibility should include cybersecurity

Location

United States
As the “NotPetya” ransomware attack spreads around the world, it’s making clear how important it is for everyone – and particularly corporations – to take cybersecurity seriously. The companies affected by this malware include power utilities, banks and technology firms. Their customers are now left without power and other crucial services, in part because the companies did not take action and make the investments necessary to better protect themselves from these cyberattacks.
 
Cybersecurity is becoming another facet of the growing movement demanding corporate social responsibility. This broad effort has already made progress toward getting workers paid a living wage, encouraging companies to operate zero-waste production plants and practice cradle-to-cradle manufacturing – and even getting them to donate products to people in need.
 
The overall idea is that companies should make corporate decisions that reflect obligations not just to owners and shareholders, customers and employees, but to society at large and the natural environment. As a scholar of cybersecurity law and policy and chair of Indiana University’s new integrated program on cybersecurity risk management, I say it’s time to add cyberspace to that list.
 
Online security affects everyone
 
The recent WannaCry ransomware attack affected more than 200,000 computers in 150 nations. The results of the attack made clear that computers whose software is not kept up to date can hurt not only the computers’ owners, but ultimately all internet users. The companies hit by the NotPetya attack didn’t heed that warning, and got caught by an attack using the same vulnerability as WannaCry, because they still haven’t updated their systems.
 
Some policymakers and managers are taking notice around the world. In the U.S., the Department of Homeland Security, the chief federal agency dealing with cybersecurity, has highlighted businesses’ “shared responsibility” to protect themselves against cyberattacks. Consumers can’t protect their utility services, banking systems or even their personal data on their own, and must depend on companies to handle that security.
 
Cybersecurity is an effort that not only protects – and even benefits – a company’s bottom line but also contributes to overall corporate and societal sustainability. In addition, by protecting privacy, free expression and the exchange of information, cybersecurity helps support people’s human rights, both online and offline.
 
Read the full piece at The Conversation.
Focus Area: 
Related Topics: 
Author(s): 
Publication Type: 
Other Writing
Publication Date: 
June 27, 2017


Source: Cyber Law

Source: Privacy Online


Source: Zologic

Three Chemicals Every Geek Should Have In Their Toolbox – TekThing Short

Some of the best tools you can keep in your toolbox include things that come in a can, a bottle, or a tube! Let’s talk some inexpensive cleaning chemicals!

91% Isopropyl Alcohol: http://amzn.to/2sWEKlk
QD Electronic Cleaner: http://amzn.to/2sS7hrL
Loctite Ultra Gel Control Super Glue: http://amzn.to/2tPC8SU

——
Thank You Patrons! Without your support via patreon.com/tekthing, we wouldn’t be able to make the show for you every week!
https://www.patreon.com/tekthing
——
EMAIL US!
ask@tekthing.com
——
Amazon Associates: http://amzn.to/2gm9Egf
Subscribe: https://www.youtube.com/c/tekthing
——
Website: http://www.tekthing.com
RSS: http://feeds.feedburner.com/tekthing
THANKS!
HakShop: https://hakshop.myshopify.com/
——
SOCIAL IT UP!
Twitter: https://twitter.com/tekthing
Facebook: https://www.facebook.com/TekThing
Reddit: https://www.reddit.com/r/tekthingers
——

Source: Security news


Source: Zologic

Introducing the Raspberry Pi Integrator Programme

An ever-growing number of companies take advantage of Raspberry Pi technology and use our boards as part of their end products. Raspberry Pis are now essential components of everything from washing machines to underwater exploration vehicles. We love seeing these commercial applications, and are committed to helping bring Raspberry Pi-powered products to market. With this in mind, we are excited to announce our new Raspberry Pi Integrator Programme!

Raspberry Pi Integrator Programme

Product compliance testing

Whenever a company wants to sell a product on a market, it first has to prove that selling it is safe and legal. Compliance requirements vary between different products; rules that would apply to a complicated machine like a car will, naturally, not be the same as those that apply to a pair of trainers (although there is some overlap in the Venn diagram of rules).

Raspberry Pi Integrator Programme

Regions of the world within each of which products have to be separately tested

Different countries usually have slightly different sets of regulations, and testing has to be conducted at an accredited facility for the region the company intends to sell the product in. Companies have to put a vast amount of work into getting their product through compliance testing and certification to meet country-specific requirements. This is especially taxing for smaller enterprises.

Making testing easier

Raspberry Pi has assisted various companies that use Pi technology in their end products through this testing and certification process, and over time it has become clear that we can do even more to help. This realisation led us to work with our compliance testing and certification partner UL to create a system that simplifies and speeds up compliance processes. Thus we have started the Raspberry Pi Integrator Programme, designed to help anyone get their Raspberry Pi-based product tested and on the market quickly and efficiently.

The Raspberry Pi Integrator Programme

The programme provides access to the same test engineers who worked on our Raspberry Pis during their compliance testing. It connects the user to a dedicated team at UL who assess and test the user’s product, facilitated by their in-depth knowledge of Raspberry Pi. The team at UL work closely with the Raspberry Pi engineering team, so any unexpected issues that may arise during testing can be resolved quickly. Through the programme, UL will streamline the testing and certification process, which will in turn decrease the amount of time necessary to launch the product. Our Integrator Programme is openly available, it comes with no added cost beyond the usual testing fees at UL, and there are companies already taking advantage of it.

Get your product on the market more quickly

We have put the Integrator Programme in place in the hope of eliminating the burden of navigating complicated compliance issues and making it easier for companies to bring new, exciting products to consumers. With simplified testing, companies and individuals can get products to market in less time and with lower overhead costs.

The programme is now up and running, and ready to accept new clients. UL and Raspberry Pi hope that it will be an incredibly useful tool for creators of Raspberry Pi-powered commercial products. For more information, please email compliance@raspberrypi.org.

Powered by Raspberry Pi

As a producer of a Pi-based device, you can also apply to use our ‘Powered by Raspberry Pi’ logo on your product and its packaging. Doing so indicates to customers that a portion of their payment supports the educational work of the Raspberry Pi Foundation.

Powered by Pi Logo

You’ll find more information about the ‘Powered by Raspberry Pi’ logo and our simple approval process for using it here.

The post Introducing the Raspberry Pi Integrator Programme appeared first on Raspberry Pi.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online


Source: Zologic

“Tool Without a Handle: Reflections on 20 years from Reno v. ACLU”

Location

United States

On 26 June 1997, in Reno v ACLU,[1] the US Supreme Court decided the fate of the Communications Decency Act (“CDA”), insofar as it criminalized the intentional transmission of “obscene or indecent” messages or information.  In doing so, the Court made not only a finding that this provision of the CDA violated the 1st Amendment, but applied an approach to Internet cases with clear implications for cases the Court faces today.

Reno established that it is essential the Court recognize differences between the measured pace of judge-made law and the blistering pace of technology’s evolution, a point that is still cited by the Court today.[2]  And, it identified that the capabilities and availability of the tools at issue have an important role to play in the constitutional analysis.  As the Court continues to address Internet and technology-related constitutional cases, the importance of considering the capabilities of Internet tools may well be the most impactful legacy of Reno.

As Adam Thierer colorfully put it, “The Court concluded that there was “no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium” and rejected the congressional effort to pigeonhole this exciting new medium into the archaic censorship regimes of the past.”[3]

It’s this last aspect of the decision – that the Court treated the Internet as its own medium – on which I focus here.  In Reno, the Court carefully fashioned principles tailored to the unique characteristics of the Internet.  It found the Internet was not comparable to newspapers, where ownership of papers of meaningful reach is economically concentrated.  It was not comparable to broadcast radio and television because material online is sought out by intentional acts, rather than passively received.[4]

Reno indicates that even where particular rules were reasonable for earlier technology, the constitutionality of a given Internet-related rule must be considered anew in the context of the unique properties of networked information tools, as they currently stand before the court at the time of its ruling.  And, as the District Court put it succinctly, “The Internet is… a unique and wholly new medium of worldwide human communication.”[5]

Which is to say, also, that implicit in Reno is the proposition that the constitutionality of a given law may well depend on the availability and capability of technology available at the moment – some rules that are constitutional may well become unconstitutional as technology advances, and vice-versa.  And, as such, the Court should be cautious in setting long-term rules to govern a rapidly evolving medium.

These two points are made clear in both the main opinion by Justice Stevens and in the concurrence by Justice O’Connor (which Chief Justice Rehnquist joined).  Justice Stevens cites two findings of the District Court: 1) that, at the time of trial, existing technology did not include any effective method for a sender to prevent minors from obtaining access to communications on the Internet without also denying access to adults;[6] 2) there are at least four “special attributes of Internet communication”[7] – all of which point towards far more open access to mass communications, and towards more democratic distribution of such tools.[8]

In Justice O’Connor’s concurrence, she observes that, as a matter of principle, cyberspace “undeniably” reflects a form of geography, on the assumption that websites exist at fixed “locations” on the Internet,[9] and that therefore zoning laws that restrict certain parts of the geography to adults could be constitutional.  She agrees with the outcome here, though, on the basis that there was no technology available at the time to create such a “zoning” approach in a manner that does not preclude access to adults – and therefore does not sweep so broadly as to violate the 1st Amendment’s protections.[10]

As readers of this blog will likely surmise, I disagree with Justice O’Connor’s assumption that the Internet “undeniably” reflects a type of geography (aka “cyberspace.”).[11] As an illustration, what Reno referred to as “zoning” off Internet pornography isn’t the same as “zoning” of construction and land use in the physical world.  Rather, such Internet “zoning” was effectively a proposal to require Internet tools to recognize signals, e.g., code embedded in websites, that the content therein contained “indecent” material.[12]

In other words, it was a tool, rather than a configuration of physical space.  It was useful to call it “zoning” because spatial metaphors are familiar, and because there was, for at least two Justices, a belief that “safe spaces for children” could comport with the 1st Amendment if technology could eventually make it possible.[13]

Indeed, today a variety of user-directed tools – which require no changes on the behavior of Internet publishers or access providers – are reasonably effective at blocking indecent (pornographic) content based on various heuristic and machine-learning approaches.  And the availability of such tools was key to the Court finding a later Internet indecency law – the Children’s Online Protection Act (“COPA”) – unconstitutionally overbroad as well.[14]

This approach, assuming that constitutional outcomes may depend on the characteristics of technology, and may vary over time depending on changes in technology, is important today in other contexts – particularly 4th Amendment cases.  5 years ago, in U.S. v. Jones, the Supreme Court ruled that it was a 4th Amendment “search” to physically install a tracking device on the car of a suspect and to so monitor the suspect for a length of time.[15]  While the Justices’s views varied on the reasons for that conclusion, Jones stands as a marked change from prior doctrine that one had no reasonable expectation of privacy in one’s public movements and activities.[16]  Layered in among the reasoning for that change is the fact that technology has evolved so that far more information can be captured than when earlier doctrine was developed.   

Jones differs from Reno, of course, in that one concerns surveillance rather than expression, but Jones is similar in that the question of whether a government action is constitutional depends on the way the technology operates, and to the extent to which it intrudes on constitutionally protected spheres.  Relatedly, the Ashcroft case concerning the COPA statute (which followed from Reno) indicates the availability of tools is also important.  And, as Kevin Bankston and Ashkan Soltani noted in analyzing Jones, a key factor is not only the availability of tools, but the relative cost of acquiring and using them.[17]

Now, in 2017, the court will revisit the “reasonable expectation of privacy” question in light of changes in technology when it considers, in Carpenter v. U.S., the use of a court order procedure to obtain business records revealing the location and movements of a cell phone user over the course of 127 days.  The question there is whether the 4th Amendment instead requires the higher showing needed to obtain a search warrant.  This case, too, will turn in part on the capabilities of the technology and, as in Reno, whether those capabilities allow the government to achieve legitimate interests through means that do not unduly intrude on constitutional freedoms.

In Carpenter, Petitioner ACLU argues that the “degree of invasiveness of the surveillance” involved distinguishes this case from prior precedent holding there is no reasonable expectation of privacy in records held by third-parties such as banks or phone companies.[18]  The government, respondent, argues inter alia that changes in technology are not relevant, because a reasonable expectation of privacy cannot attach to 3rd party business records created by that 3rd party for its own purposes.[19]

But the government goes on to point out the use of a court order procedure is also constitutional because the technology used to develop the cell site location records at issue in Carpenter differs in precision from that in Jones (“as much as 12,500 times less accurate than the GPS data in Jones”), nor does it involve access to cell phone data which is as personal as that at issue in Riley.[20]  In this way, the government, too, will contend that the capabilities and availability of the tools at issue are central to determining the lines of Constitutional protections.

Regardless of which view you find more persuasive,Carpenter is likely to also turn, in part, on discussion of the capabilities of the tools at issue, the extent to which those tools impact the constitutionally protected activity, and whether it is the appropriate time for the Court to set a long-term precedent in an area of quickly changing technology.  And, we can consider the Reno decision a milestone highlighting the value of this approach to constitutional inquiry.

[2]Packingham v. North Carolina 582 U.S. at ___ (June 19, 2017); online at https://www.supremecourt.gov/opinions/16pdf/15-1194_08l1.pdf  (“The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious that what they say today might be obsolete tomorrow…”).

[3]Adam Thierer, “Celebrating 20 Years of Internet Free Speech & Free Exchange,” https://readplaintext.com/celebrating-20-years-of-internet-free-speech-free-exchange-8a10f236d0bd

[4]See, e.g., 521 US at 869.

[5]American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996), at 844.  Considering 1st Amendment issues through a medium-specific lens is not novel or unique, as the District Court noted.   929 F. Supp., at 873.  What is important here, rather, is that both the District Court and the Supreme Court examined the specific characteristics of the Internet to fashion an approach tailored to that medium that was much more protective of free expression, given medium-specific capabilities such as the ability of users to select their own content, and the like.  See n.7, infra.

[6]521 U.S. at 876.

[7]521 U.S. at 863.  The characteristics noted by District Court Judge Dalzell were: 1) the Internet presents very low barriers to entry; 2) barriers to entry are identical for both speakers and listeners; 3) as a result of these low barriers, “astoundingly diverse content” is available on the Internet and 4) the Internet provides significant access to all who wish to speak in the medium, and even creates a relative parity among speakers.

[8]See 521 U.S. at 868 (noting “[t]he vast democratic forums of the Internet…”).

[9]521 U.S. at 890.  Even here, she uses “locations” in quotation marks; signaling some uncertainty as to whether websites really are analogous to geographic points.  As I’ve argued extensively in this blog, the geographic metaphor of “cyberspace” has manifest limitations; one is that a website does not in fact exist in a single “location”:  several URLs may redirect to a given website’s content; the servers hosting a given website are likely geographically distributed and which server(s) deliver pages at any given time is a very dynamic process.

[10]521 U.S. at 890-892.

[11]Apparently, so do 3 Justices on the current Supreme Court; in Packingham Justice Alito’s concurrence (joined by Chief Justice Roberts and Justice Thomas) argued that “[c]yberspace is different from the physical world, and if it is true, as the Court believes, that “we cannot appreciate yet” the “full dimensions and vast potential” of “the Cyber Age,” ibid., we should proceed circumspectly, taking one step at a time.”   See supra, n.2.

[12]See, e.g., Lessig & Resnick, “Zoning Speech on the Internet:  A Legal and Technical Model,” (discussing a “kid’s zone browser.” regime); online at http://bit.ly/2rOWqLZ.  The technologies available at the time included the Platform for Internet Content Selection, wherein “tags” would be added to websites indicating a rating for that site (akin to how the MPAA rates movies); see https://www.w3.org/PICS/iacwcv2.htm.  Challenges with this approach were many, however; among them were that many websites would need to adopt the labeling approach and that fashioning a legal or technical mandate to require such labels was challenging, especially given the bipartisan consensus for a “hands-off the Internet” regulatory approach.  Also, as website technologies and business models evolved, content hosted by sites became more dynamic – varying both by what a publisher chose to host and as to what an interacting viewer might add or comment.  Nonetheless, some parties did make a go of this access control approach.  Microsoft created a “Content Advisor” tool, which read labels promoted by the Internet Content Rating Association, initially using the PICS format , and carried the tool in the Internet Explorer browser until its last supported version (Internet Explorer 11), although the feature was eventually moved largely out of sight due to underuse.  See http://www.thewindowsclub.com/enable-content-advisor-internet-explorer-10-11

[13]Indeed, other attempts at “zoning” were tried, which would have relied not on access controls signaling the browsers of those seeking to access websites, but rather on a broad prohibition on using a particular Internet port to carry indecent content.  A “port” is an indicator in communications between Internet-connected computers to identify a specific type of service (e.g., port 25 is generally associated with email, and port 80 with HTTP web surfing traffic.  A proposal, backed by an entrepreneur and lawmakers in Utah, would have blocked obscene and indecent content from using port 80, with the goal of improving filtering capabilities.  See http://www.deseretnews.com/article/660213162/Lawmakers-seek-ways-to-block-Net-porn.html

[14]COPA, enacted in response to the Reno decision, required all commercial distributors of “material harmful to minors” to restrict their sites from access by minors.  It was found unconstitutional in large part because of the availability of “less restrictive means” in the form of filtering tools available to end users.  The procedural history of the constitutional review of COPA is complex; for present purposes it’s sufficient to note that lower court findings striking down COPA were allowed to stand by the Supreme Court as the statute likely violated the 1st Amendment.  See Ashcroft v. ACLU (03-218) 542 U.S. 656 (2004), 322 F.3d 240, affirmed and remanded; online at https://www.law.cornell.edu/supct/html/03-218.ZS.html   

[15] United States v. Jones, 132 S. Ct. 945 (2012); online at: https://www.law.cornell.edu/supremecourt/text/10-1259. The Justices were, similarly, alternatively silent or unaligned as to the extent to which tracking must go (e.g., its duration) before a search warrant is required.  This point too, is very likely to depend on the capabilities of the tools.     

[16]See, e.g. U.S. v. Knotts, 460 U.S. 276, 282 (1983).

[17]“Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones,”   The Yale Law Journal Online 123:335 (2014); http://www.yalelawjournal.org/pdf/1231_jjd1qz1e.pdf

[18]ACLU Petition for Certiorari (September 26, 2016) http://www.scotusblog.com/wp-content/uploads/2016/10/16-402-cert-petition.pdf  The ACLU also cites to Riley v. California, where the court relied in part on the capabilities and storage capacity of current cell phone technology to find that warrantless search of the contents of a cell phone incident to a lawful arrest violates the Fourth Amendment.  Riley, 134 S. Ct. 2473 (2014).

[20]Id.

 


Source: Cyber Law

Source: Privacy Online


Source: Zologic