Jonathan Mayer

We had a similar challenge at FCC, where controversial notices often received many comments with varying coordination. Members differed on how to account for that. My view was that comment volume was a rough public opinion barometer, at most, and we should focus on substantive facts and arguments.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence ... By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:      Section 1.  Purpose.  Artificial intelligence (A...

The full text of the AI Executive Order is now available on the White House website. Complete with, as @brianfung.me notes, a fun Halloween bat GIF. www.whitehouse.gov/briefing-roo...

I used to work on the Hill. It was common for doors to have confusing signage and sometimes be closed. That’s a quite plausible explanation for this mistake. The incident should have a nonpartisan investigation by the Capitol Police and Sergeant at Arms, not political releases of manipulated media.

The Jamaal Bowman fire alarm thing is a great example of a cheapfake. Presumably the video shows him struggling to open the door to get to the House floor. But the Administration Committee posted a selective still photo, generating a news cycle about attempting to delay the vote to end the shutdown.

Could we not do the FTC Amazon complaint, FCC net neutrality NPRM, and DOJ Google trial testimony on the same day? Some of us are trying to get tech law research done over here.

In computer crime law, it’s normal to consider access and fraud to be separate elements from receiving information. CFAA expressly draws that distinction. These are legal concepts based on a logical construct of systems and data within systems. They don’t neatly match underlying technical details.

The legislative purpose, it seems to me, is straightforward. Reporters who come into possession of ill-gotten or contraband material, through no doing of their own, have some protection from law enforcement search for that material. Essentially the fact pattern in Bartnicki v. Vopper.

I read the text and purpose of that PPA exception-to-the-exception somewhat differently. The term “consists of” is exclusive (the usual meaning), and it precedes specific offense elements. If a computer offense exceeds those elements, which it would (e.g., access or fraud), then police can search.

The PPA’s text and history (Senate report, Conference report, and DOJ implementation) all contemplate searches of a suspect’s materials. None address the proper scope of a search like that. The “possession” qualifier helps, but could break down if the news org is a suspect or the newsroom is small.

There are further indicia that the newsroom was acting in good faith. After they realized the tip was problematic, they declined to run a story and they reported it to law enforcement. That makes the aggressive raids even more unconscionable.

The PPA exception for people suspected of committing criminal offenses is, presumably, grounded in an assumption that there’ll always be a risk of evidence tampering. One of the many unusual aspects of this episode is that the assumption may be wrong. The newsroom has been open about what happened.

One wrinkle I’ve been mulling over is “possession” under the PPA. It’s possible that the searches were lawful with respect to some materials (i.e., devices used by the reporter who accessed the website) and not others. Another wrinkle is the good faith defense, compounded by the search warrant.

Could you say more about why you think the Privacy Protection Act would apply? I’m with you on policy considerations, but under the (current) law, there is a statutory exception when law enforcement is investigating an alleged crime by a person who would otherwise be covered by the law.

As I said (several times!), I’m not condoning what the Marion Police Department did here. This was a terrible mistake. The media consequences will reverberate for years, and the personal toll is tragic.

Policy and law are different. A law enforcement action can be bad policy and permitted by law.

In closing, I want to reemphasize that I in no way support what happened. More facts will come out. Even if this was a properly predicated investigation, there may be other problems with the searches. I just want to offer some perspective on the legal dimensions of what happened and might happen.

If that's what the Marion Police Department is investigating, that would explain searching (at least some) electronic devices in the newsroom. That would also explain the department's position that the Privacy Protection Act didn't apply, because it was investigating alleged crimes by a reporter.

While the DPPA’s exceptions are notoriously broad, it doesn't look like any apply to these circumstances. Pretexting to circumvent the DPPA could plausibly violate Kansas criminal law, such as the identity fraud law (if posing as the driver) or the computer fraud law (access without authorization).

The first page on the Kansas website for obtaining driving records, which references the DPPA.

The second page on the Kansas website for obtaining driving records, which requires affirmatively selecting a DPPA exception that allows the state to disclose a person’s record.

Second, here’s the Kansas state government website for obtaining a driver’s history. Look closely at the user interface design. There’s a notice about the DPPA, and then the user has to affirmatively attest to the specific DPPA exception that makes them eligible to obtain a person’s driving records.

Here’s where two critical issues, which I haven’t seen discussed, come into play.

First, there is a federal privacy law that covers driving records held by a state government. The Driver’s Privacy Protection Act prohibits disclosing these records to third parties, subject to various exceptions.

These are the (seemingly) undisputed facts: A source provided information about a person’s driver’s license and past driving offenses to the newsroom. A reporter then looked up and confirmed the information on a state government website. Local police are investigating the lookup as a possible crime.

Before I get to the law: I do not condone this newsroom search. The Marion Police Department appears to have demonstrated terrible judgment, inconsistent with a commitment to a free press. More bad facts could emerge. I also think this area of law needs a revamp. Ok, back to the legal analysis.

What if the Kansas newspaper raid was legal? And what if that entirely depended on… the user interface design of a website?

As a criminal procedure and computer crime person, looking at the undisputed public facts so far, what the police did may have been lawful (but awful). Allow me to explain…

NPR/PBS NewsHour/Marist poll on raising the federal debt ceiling.

CNN/SSRS poll on raising the federal debt ceiling.

Here’s a great example of why survey design is so important. NPR/Marist asked about raising the debt ceiling so the government can “pay its bills” & “avoid a default.” 52-42 for a clean increase. CNN/SSRS gave a wordy & budget-ish prompt (“keep all government programs running”). 60-24 the other way!

Governance of superintelligence Now is a good time to start thinking about the governance of superintelligence—future AI systems dramatically more capable than even AGI.

OpenAI’s grand AI policy proposal is… a new international agency focused on long-term risks of AI that exceeds human cognition. It’s like they’re straight up trolling the AI fairness, governance, etc. communities, which consistently emphasize the need for near-term actionable solutions to AI harms.

The state-of-the-art research methods for spotting AI-generated writing aren’t nearly good enough for a high-stakes & adversarial setting like academic discipline. OpenAI’s in-house model has 26% recall & a 9% false positive rate in their own evaluation! I wouldn’t trust Turnitin’s black box at all.

The case for a federal robotics commission Ryan Calo explores whether advances in robotics also call for a standalone body within the federal government, tentatively concluding that the United States would benefit from an agency dedicated to the responsible integration of robotics technologies into American society.

I enjoy (and occasionally teach) the provocative paper by @rcalo.bsky.social proposing a Federal Robotics Commission. Which he wrote… over a year before OpenAI was founded.

Hah! I would suggest a “greatest hits” list of papers, though that can be dangerous in the information security community. There’s definitely some newer work, since we had to stop reading papers at some point. Especially the Google paper… which quietly took a position against private hash matching?!

I saw! Just hoping to help save you some time, since we learned the hard way how deep this intellectual rabbit hole goes. We kept surfacing additional research that was relevant, even though not expressly about E2EE messaging. The PETS version has final pagination etc., otherwise arXiv is identical.

Table 1: Literature search results for content moderation under E2EE sorted by goal. Some works appear in multiple categories.

Table 2: Details of non-middlebox methods for E2EE content moderation found in our survey. See Table 4 for middleboxes.

We just published a literature review of content moderation methods for end-to-end encrypted communications. There are nearly 400 relevant references! 😵‍💫

https://petsymposium.org/popets/2023/popets-2023-0060.pdf

Sarah Scheffler, who’s an *amazing* fellow at Princeton CITP, deserves all the credit.

Under compulsion, Twitter could trivially change a few lines of web app code and send back copies of a specific user’s decrypted messages. This type of risk is precisely why Signal launched on desktop as a web browser extension, rather than as a website, and then quickly migrated to a native app.