FCC backs off newsroom survey plan.

Published February 21, 2014

FoxNews.com

The Federal Communications Commission announced Friday that it was putting on hold a controversial study of American newsrooms, after complaints from Republican lawmakers and media groups that the project was too intrusive.

FCC spokeswoman Shannon Gilson said Chairman Tom Wheeler agreed with critics that some of the study’s proposed questions for reporters and news directors “overstepped the bounds of what is required.”

The agency announced that a proposed pilot study in South Carolina will now be shelved, at least until a “new study design” is finalized. But the agency made clear that this and any future studies will not involve interviews with “media owners, news directors or reporters.”

Commissioner Ajit Pai, who was one of the staunchest critics of the proposal, heralded the decision Friday as an acknowledgement that government-backed researchers would not be dispatched into newsrooms, as feared.

“This study would have thrust the federal government into newsrooms across the country, somewhere it just doesn’t belong,” he said in a statement. “The Commission has now recognized that no study by the federal government, now or in the future, should involve asking questions to media owners, news directors, or reporters about their practices. This is an important victory for the First Amendment.”

He added: “And it would not have been possible without the American people making their voices heard. I will remain vigilant that any future initiatives not infringe on our constitutional freedoms.”

The Radio and Television News Directors Association took a more cautious view of the announcement.

“RTDNA views this as an important admission by the FCC that questions regarding editorial policies and practices are off-limits to the government,” Director Mike Cavender said in a statement. “We are eager to see the revised study to insure there aren’t topics or questions that could be construed as a ‘back door’ attempt to gather the same type of information.”

Amid the controversy, Wheeler had already told lawmakers the commission had “no intention” of regulating reporters’ speech. He also directed that the controversial questions be removed from the survey entirely.

The initial proposal for the study called for looking into issues like “perceived station bias” and “perceived responsiveness to underserved populations.” The proposed questions for the interviews with members of the media raised alarm bells, including questions about “news philosophy” and how much community input goes into story selection and whether reporters ever had “a story with critical information” rejected by management.

Gilson said Friday that, “Any subsequent market studies conducted by the FCC, if determined necessary, will not seek participation from or include questions for media owners, news directors or reporters.”

However, she added: “Any suggestion that the FCC intends to regulate the speech of news media or plans to put monitors in America’s newsrooms is false. The FCC looks forward to fulfilling its obligation to Congress to report on barriers to entry into the communications marketplace, and is currently revising its proposed study to achieve that goal.”

The contract for the study had gone to Maryland-based firm Social Solutions International, whose background largely focuses on public health and not media. Republican lawmakers first complained about the potential course of the study in December. Pai raised additional concerns in a Wall Street Journal column earlier this month.

New Obama initiative tramples First Amendment protections.

BY BYRON YORK | FEBRUARY 20, 2014 AT 5:48 PM

The First Amendment says “Congress shall make no law…abridging the freedom of speech, or of the press…” But under the Obama administration, the Federal Communications Commission is planning to send government contractors into the nation’s newsrooms to determine whether journalists are producing articles, television reports, Internet content, and commentary that meets the public’s “critical information needs.” Those “needs” will be defined by the administration, and news outlets that do not comply with the government’s standards could face an uncertain future. It’s hard to imagine a project more at odds with the First Amendment.

The initiative, known around the agency as “the CIN Study” (pronounced “sin”), is a bit of a mystery even to insiders. “This has never been put to an FCC vote, it was just announced,” says Ajit Pai, one of the FCC’s five commissioners (and one of its two Republicans). “I’ve never had any input into the process,” adds Pai, who brought the story to the public’s attention in a Wall Street Journal column last week.

 

Advocates promote the project with Obama-esque rhetoric. “This study begins the charting of a course to a more effective delivery of necessary information to all citizens,” said FCC commissioner Mignon Clyburn in 2012. Clyburn, daughter of powerful House Democratic Rep. James Clyburn, was appointed to the FCC by President Obama and served as acting chair for part of last year. The FCC, Clyburn said, “must emphatically insist that we leave no American behind when it comes to meeting the needs of those in varied and vibrant communities of our nation — be they native born, immigrant, disabled, non-English speaking, low-income, or other.” (The FCC decided to test the program with a trial run in Ms. Clyburn’s home state, South Carolina.)

The FCC commissioned the University of Southern California Annenberg School for Communication & Journalism and the University of Wisconsin-Madison Center for Communication and Democracy to do a study defining what information is “critical” for citizens to have. The scholars decided that “critical information” is information that people need to “live safe and healthy lives” and to “have full access to educational, employment, and business opportunities,” among other things.

The study identified eight “critical needs”: information about emergencies and risks; health and welfare; education; transportation; economic opportunities; the environment; civic information; and political information.

It’s not difficult to see those topics quickly becoming vehicles for political intimidation. In fact, it’s difficult to imagine that they wouldn’t. For example, might the FCC standards that journalists must meet on the environment look something like the Obama administration’s environmental agenda? Might standards on economic opportunity resemble the president’s inequality agenda? The same could hold true for the categories of health and welfare and “civic information” — and pretty much everything else.

“An enterprising regulator could run wild with a lot of these topics,” says Pai. “The implicit message to the newsroom is they need to start covering these eight categories in a certain way or otherwise the FCC will go after them.”

The FCC awarded a contract for the study to a Maryland-based company called Social Solutions International. In April 2013, Social Solutions presented a proposal outlining a process by which contractors hired by the FCC would interview news editors, reporters, executives and other journalists.

“The purpose of these interviews is to ascertain the process by which stories are selected,” the Social Solutions report said, adding that news organizations would be evaluated for “station priorities (for content, production quality, and populations served), perceived station bias, perceived percent of news dedicated to each of the eight CINs, and perceived responsiveness to underserved populations.”

There are a lot of scary words for journalists in that paragraph. And not just for broadcasters; the FCC also proposes to regulate newspapers, which it has no authority to do. (Its mission statement says the FCC “regulates interstate and international communications by radio, television, wire, satellite and cable…”)

Questioning about the CIN Study began last December, when the four top Republicans on the House Energy and Commerce Committee asked the FCC to justify the project. “The Commission has no business probing the news media’s editorial judgment and expertise,” the GOP lawmakers wrote, “nor does it have any business in prescribing a set diet of ‘critical information.’”

If the FCC goes forward, it’s not clear what will happen to news organizations that fall short of the new government standards. Perhaps they will be disciplined. Or perhaps the very threat of investigating their methods will nudge them into compliance with the administration’s journalistic agenda. What is sure is that it will be a gross violation of constitutional rights.

Feds tell Web firms to turn over user account passwords

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.

Declan McCullagh

July 25, 2013 11:26 AM PDT

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.’”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: “No, we don’t, and we can’t see a circumstance in which we would provide it.”

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has “never” turned over a user’s encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. “We take the privacy and security of our users very seriously,” the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: “If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law.”

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn’t recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, “we don’t get a high volume” of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. “The authority of the government is essentially limitless” under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government’s requests by arguing that “you don’t have the right to operate the account as a person,” according to a person familiar with the issue. “I don’t know what happens when the government goes to smaller providers and demands user passwords,” the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but “we’ve certainly had reset requests — if you have the device in your possession, then a password reset is the easier way.”

Source code to a C implementation of bcrypt, a popular algorithm used for password hashing. (Credit: Photo by Declan McCullagh)

Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase “National Security Agency” into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms — designed to take a large fraction of a second to scramble a password — that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. “I’d say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper,” said Percival, who founded a company called Tarsnap Backup, which offers “online backups for the truly paranoid.” Percival added that a government agency would likely use ASICs — application-specific integrated circuits — for password cracking because it’s “the most cost-efficient — at large scale — approach.”

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the “cost of a hardware brute-force attack” against a hashed password as much as 4,000 times greater than bcrypt.
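An added example, not part of the original article: salted password storage with scrypt (via Python's standard `hashlib.scrypt`) beside an unsalted fast hash, plus the keyspace arithmetic behind the cracking-time figures above. The cost parameters, the 52-letter alphabet and the sample password are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed scrypt cost parameters for this example; the article gives none.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024


def md5_unsalted(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn per record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of exactly `length` symbols at a given rate."""
    return alphabet ** length / guesses_per_second


def measured_scrypt_rate(samples: int = 3) -> float:
    """Hashes per second for scrypt on this machine, single-threaded."""
    start = time.perf_counter()
    for _ in range(samples):
        scrypt_hash("constructed-sample-password")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed input, not real data
    print("md5 twice equal:", md5_unsalted(pw) == md5_unsalted(pw))
    (s1, d1), (s2, d2) = scrypt_hash(pw), scrypt_hash(pw)
    print("scrypt twice equal:", d1 == d2)  # differs because the salts differ
    print("verify:", verify(pw, s1, d1), verify("wrong", s1, d1))
    fast = seconds_to_exhaust(52, 8, 348e9)  # hash rate quoted in the article
    slow = seconds_to_exhaust(52, 8, measured_scrypt_rate())
    print(f"8 letters (a-z, A-Z): {fast:.0f} s fast vs {slow / 31_557_600:.0f} years scrypt")
```

The salt is stored next to the digest in the clear; its job is to make each record's hash unique so one guess cannot be checked against every account at once, while the slow function sets the price of each guess.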

Bcrypt was introduced at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google’s infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, “bcrypt won’t pipeline very well in hardware,” Mazières said, so it would “still be very expensive to do widespread cracking.”

Even if “the NSA is asking for access to hashed bcrypt passwords,” Mazières said, “that doesn’t necessarily mean they are cracking them.” Easier approaches, he said, include an order to extract them from the server or network when the user logs in — which has been done before — or installing a keylogger at the client.

Sen. Ron Wyden, who warned this week that “the authority of the government is essentially limitless” under the Patriot Act’s business records provision. (Credit: Getty Images)

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

“This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “I don’t know.”

Granick said she’s not aware of any precedent for an Internet company “to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised.” If the password will be used to log in to the account, she said, that’s “prospective surveillance,” which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that,” Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors’ demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man “could not be compelled to decrypt the drives.”

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation — and don’t address when a hashed password is stored on the servers of a company that’s an innocent third party.

“If you can figure out someone’s password, you have the ability to reuse the account,” which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

Last updated at 8:00 p.m. PT with comment from Yahoo, which responded after this article was published.

Disclosure: McCullagh is married to a Google employee not involved with this issue.