Barrett Lancaster Brown, best known as the so-called former mouthpiece for the hacker collective Anonymous, is sitting in a jail cell in Texas. For the past eight months, Mansfield Law Enforcement Center has been home for the journalist and activist now known as Prisoner 45047177.

Three hots and a cot will continue to be his routine at least until September, when he is scheduled to stand trial on 17 charges, including allegations that he threatened an FBI agent and committed identity theft and credit card fraud.

The slightly built 31-year-old former heroin addict denies the charges. What he does admit is that he used his hacker connections to look under rocks and uncover what he considered evidence that the U.S. government was using private security companies to clip the wings of Internet activists and sympathetic journalists.

Brown: I Wasn't A Hacker

Brown's sometimes questionable behavior and affiliations make him a confusing and polarizing character. He claims he never hacked anything, and we'll probably never know with certainty exactly which details in his story stack up, or what involvement he had with Anonymous' core hackers.

There doesn't seem to be much evidence Brown was involved in any actual hacking, despite his connection to both Anonymous and his obsessive interest in federal security contractors. But his outspokenness, drug history and outlandish claims make him unsympathetic and hard to believe — an unlikely poster child for Internet freedom. And his unbalanced, over-the-top YouTube rants — more on those below — made him an easy target for the feds. 

What we do know is that in early 2011, Anonymous targeted a security contractor called HBGary Federal and its CEO Aaron Barr after Barr publicly claimed he'd infiltrated the hacker collective. When Barr threatened to reveal the identities of Anonymous members, the group hacked straight into HBGary's servers, stealing 70,000 company emails.

Brown, through his affiliation with Anonymous, then posted a link to those hacked company documents on a public website called Project PM and wrote about his findings for the U.K. Guardian. Brown, who seems to have been conducting an obsessive investigation of both HBGary Federal and Stratfor (another security contractor hacked by Anonymous), claimed the material proved that the companies were hired by the government to monitor and shut down various online activist groups. In particular, he alleged that HBGary was working with high-level government agencies to feed fake information to WikiLeaks.

In The Feds' Crosshairs

Brown, one of the few public figures available for authorities to target for the activities of Anonymous, is basically a fall guy for the hacker collective. He faces 100 years behind bars if found guilty on all counts. And right now he's stewing in a cell where he may be getting less than proper care. In a Pastebin message from last September, Brown claimed he did not receive appropriate medical attention for crushed ribs suffered during the FBI's raid of his home.

Between his connection to Anonymous and his obsession with digging up dirt on the national security state, Brown pinged up on the feds' radar pretty quickly. He was first indicted last year after allegedly threatening federal agents. He was arrested, then subsequently indicted a second time for allegedly linking to stolen documents from Stratfor that included credit card data.

The third indictment involves an obstruction charge of concealing evidence, wherein Brown allegedly hid two laptops when federal agents stormed his mother's home in a raid. The laptops were eventually found and confiscated. The alleged threats and credit-card charges led prosecutors to push for a life sentence. 

In some ways, Brown's muckraking wasn't all that different from what many journalists have always done, updated to employ digital tools. Reporting based on leaked documents — which, of course, aren't usually authorized for release — is as old as investigative journalism itself.

But Brown pushed the boundaries, and his drug history and proximity to the hacker community made him more vulnerable than other rabble rousers such as columnist Glenn Greenwald. Brown wasn't a staffer at a major publication, and his own blistering public statements and threats, on both television and YouTube, gave the government all the motivation it needed to take him down.

Barrett Brown's Incendiary Videos

Major news organizations like the New York Times and The Guardian both describe Brown as a victim of persecution. And in many ways he is, although some of his alleged actions are criminal by definition, such as threatening the life of a federal agent. 

Brown's legal troubles began when his mother's Dallas home was first raided in March of 2012. At that time, the feds confiscated his laptop, and by his account terrorized his mother and sent his life into a downward spiral.  

After the raid, Brown took to the Web to tell his side of the story. On Sept. 11, 2012, Brown posted a trio of videos lashing out at perceived enemies:

At around the 12:00 mark of video number 2, Brown says that the FBI views him as a bad guy, and that he's going to prove in the court system just how bad of a guy he is. About a minute later he demands that the FBI return his laptop, notebook and Xbox. 

In the third video, shot and released a day later, Brown brings up his heroin addiction and subsequent move to suboxone, a narcotic used to treat oppiate addiction. At around the 12:00 mark of this video, Brown warns that he is armed and has been trained to shoot, saying if any FBI agents come to his home, particlary one agent that really irked him for allegedly harassing his mother:

I will shoot them and kill them... I have no choice left but to defend my family, myself, my girlfriend, my reputation, my work, my activism, my ideas and the revelation that my friends are going to prison so we can have a chance to get out for other people. So they would matter. And frankly, you know, it was pretty obvious I was going to be dead before I was 40 or so, so I wouldn't mind going out with two FBI sidearms like a f***ing Egyptian pharaoh. Adios.

Hours later, while on a live feed on TinyChat, Brown's home was raided and he was arrested. The whole thing is captured in this almost surreal video: 

Since his arrest, Brown's mother Karen has also been targeted by authorities. She pled guilty to obstructing the execution of a search warrant, and now faces up to a year in jail and a $100,00 fine. Sentencing has not yet been scheduled. 

Brown has gotten some support from the Internet community, but nothing like the outpouring for the recently passed Aaron Swartz. Anonymous created a White House petition to stop his prosecution, but the reprieve didn't come close to getting the required 100,000 signatures by the April 20 deadline. Supporters have built several sites to educate the public about his plight, the timeline of his case and to help raise money for legal representation. 

Hard Times For The Fall Guy

Brown's supporters have raised about $20,000 for legal fees, and Brown has a new team of lawyers replacing his previous public defendants. But the court had up until last week frozen Brown's access to those funds, which meant that Brown's new legal team of Ahmed Ghappour and Charles Swift were essentially working pro bono. But that all changed last Wednesday when the court allowed the transfer of funds to pay for the lawyers' travel expenses and fees.

It's still a long way to Brown's September trial, which could end up conflated in public perception with two other prominent hacker prosecutions. There's the case of Matthew Keys, the journalist facing a $750,000 fine and jail time for allegedly feeding passwords to Anonymous members who then defaced the Los Angeles Times' website. Andrew Auernheimer, the hacker also known as Weev, is also appealing his sentence of more than 41 months in prison for his role in a 2010 hack of AT&T.

(See also Hacker Crackdown: Blame AT&T's Crappy Security, Not Weev.)

All of these cases are related to the much-maligned Computer Fraud and Abuse Act (CFAA) the outdated law that has led to a number of questionable prosecutions — often of activists like Aaron Swartz rather than actual computer criminals. By the time Brown's trial gets going, there could be government movement to reform the poorly constructed law.

(See also 'Aaron's Law' Promises To Reduce Hacker Penalties.)

Prosecuting Brown Won't Stop Hacking

The federal case against Brown, once you understand the details, doesn't pass the laugh test. It turns hyperlinking into a crime akin to breaking into secured computers and casts loose and admittedly unwise Internet soapboxing as criminal conspiracy against federal agents. And it turns one link into 11 separate charges of alleged identity theft.

Arresting hackers and fringe collaborators doesn't seem to be slowing the tide of cyberattacks. The last 12 months have seen some of the biggest cyber attacks on record. Denial of service attacks are up 12% since 2011, according to data from the security firm Arbor Networks. If the government really wants to stop hacking attacks, it needs to focus more on the actual perpetrators and less on show-trial prosecutions of peripheral figures like Brown. 

Which isn't to say that Brown himself deserves to get off scot-free, just that his proposed punishment should fit his alleged crime. No matter what the circumstances, once you threaten the FBI, the feds are pretty much guaranteed to come down on you. And even Barrett Brown should have known that.

Photos courtesy of Shutterstock, Twitter

The next time you're thinking about buying a new smartphone, there's one more spec you might want to consider. If the FBI or the IRS wants to read your texts, will Apple hand them over? Would it require the feds to get a warrant first? And would it even bother to let you know that federal agents made the request in the first place?

If you're looking at a shiny new iPhone, the answers are not comforting. 

The Electronic Frontier Foundation's latest digital privacy report, Who's Got Your Back?, awards Apple its secondthe Electronic Frontier Foundation gives Apple a paltry one out of six stars. While Apple got credit for supporting efforts to defend users by modernizing electronic privacy laws, its apparent willingness to hand over your personal information to the government without a warrant and its failure to tell its users how it handles such requests put it in the dock.

Worse Than Comcast: Apple's Privacy Black Box

Apple came off much, much worse than most of its peers — here defined as major non-ISP mobile-computing players. Apple fared worse than Amazon (two stars), Facebook (three), Microsoft (four) and Google (five). Even Comcast, the cable conglomerate consumers love to hate, scored one star higher than Apple. 

The EFF chides Apple for not publishing a transparency report as companies like Google and Twitter do. Without that, users have no idea what kinds of information the government asks for, because Apple won't tell them, nor does it let them know what its guidelines are for dealing with law enforcement data requests. 

(See also: EFF: Twitter Scores, Verizon Fails At Protecting User Privacy)

Apple certainly wasn't the worst-ranked company overall. The major telcos and ISPs almost always get raked over coals on privacy. In this report, Verizon got no stars, while AT&T racked up a grand total of one. MySpace also got no stars and Yahoo only got one. Amazon's showing is also pretty disappointing, especially considering its vast storehouse of consumer-purchase data and its rumored plans to enter the smartphone market. 

But Apple dominates mobile computing in a way few other companies do. And as the proprietor of a mobile operating system that runs on more than half a billion devices, Apple has its hands on a lot of data. Its approach to privacy matters to an awful lot of people — and its lousy performance is a big deal considering how deeply its devices are embedded into our lives.

That integration is only getting deeper as Apple prototypes wearable devices and dreams up more screens to dominate. 

Not Just A Computer Company Anymore 

It's not all together shocking that Apple has some catching up to do in the privacy realm. Until recently, it didn't deal with all that much information about its customers. For most of its history, the company was called Apple Computer, because that's what it sold: computers.

In the early days, the only way for the government to snoop through your MacIntosh was to get a warrant to search your apartment. Today's Apple's computers are smaller, constantly connected to the Internet and, increasingly reliant on iCloud to sync and share data across devices.

Whereas Google has been handling (and profiting from) user data since day one, Apple is only just getting started. If you use iCloud, its servers house your calendars, email, photos, notes and any other data you choose to feed it. If you're using iOS 5 or higher, you're also entrusting Apple with whatever percentage of your personal text messages go through its iMessage protocol.

To its credit, Apple built iMessage using end-to-end encryption that makes its harder for others to snoop on the contents of messages. Of course, if the FBI — or the local cops — really want to know what you're iMessaging back and forth, they can go directly to Apple, with or without a warrant. 

Of course, if the texts in question aren't iMessages, the authorities could just do what they've always done: Ask the mobile data provider to see them. Such requests have seen a dramatic uptick in recent years, and the major ISPs don't approach them with the same level of transparency that a company like Twitter or Sonic.net would. 

Why Consumers Should Care

Apple has never been lauded for having a forward-thinking and open approach to user privacy issues. That hasn't stopped millions of people from trying to predict the company's next gadget and then eagerly standing in line to purchase it. 

Part of that may have to do with awareness. Digital privacy reports excite a certain breed of data nerd (OK, guilty as charged), but they don't approach the media attention lavished on Apple product announcements. Nor is the EFF's chart plastered all over billboards, bus stops and television sets. 

Even for those of you who already knew that Apple doesn't treat your privacy with kid gloves, the risk of the government peeking into law-abiding texts and calendars is too remote to worry about. To some, this is just a side effect of the hyper-connected, digitally-immersed society we're becoming. Even if they don't particularly like it, it's just not their battle to fight. 

Trouble is, that sort of complacency puts no pressure on Apple to get more proactive about keeping your digital life safe from prying eyes.

If you fall in this category, you might still luck out, of course. Even if there's some major privacy gaffe down the line, it might not affect you. And if you're fortunate, IRS agents aren't currently reading your Apple email or iMessages, looking for possible evidence of tax evasion.

But given Apple's current practices in this regard, if they are, you'd never know. Maybe ignorance really is bliss.

CISPA, the controversial cybersecurity bill passed by the House last week, appears to be dead in the Senate. It's deja vu all over again for the measure, which would authorize private companies to share your email, texts and other personal information with federal agencies without a warrant or other privacy protections. Last year, CISPA also cleared the House but foundered in the Senate.

Every time you ask Siri a question, the data remains on Apple's servers for two years, Apple told Wired earlier this week. It's a revelation that raises concerns about privacy, which isn't exactly Apple's strong suit to begin with. But is this really something to flip out about? Nope.

For six months, Siri's servers retain a record of the things you ask it and associates that data with you, the user. For the remaining 18 months, it's anonymized. That way, Apple can use the data to improve its service over time without knowing that it was in fact you that asked what the rash in your nether regions is all about.

(See also: Siri Jokes Aside, Voice Control Will Make Computing Better)

The ACLU rightly faults Apple for not making its Siri data retention policies clearer or easier to find. The worry here is that the often private information we utter to Siri could wind up in the hands of marketers, the authorities or lawyers in civil suits.

These are valid concerns, and Apple should clarify whether — or how — this information is used for marketing purposes, for example. But in the process of reining in Cupertino, we should be careful not to handicap the evolution of such a promising technology. 

Artificial Intelligence Needs Data To Learn

Here's the thing: Siri is artificial intelligence. Like the human mind it attempts to emulate, AI improves as it learns. To teach machines, we need to feed them data. Every time we ask Siri where the nearest Italian restaurant or strip club is, we're also teaching her, not just about our own tastes and curiosities, but about human language, sentiment and intent.

Some of those lessons she can apply to us individually. Much of it, crucially, is used to improve the service for everybody. Without this progress, Siri will never lose the "beta" label for which it is so easy to ridicule.  

For most of its lifespan on Apple's servers, this data is anonymous. That means there's no way to tie your filthy inquiries back to you, should anybody ever inquire. You could, of course, argue that Apple should keep the data anonymous from the moment it's created, as Google proclaims it does with Voice Search. It might not be a fair comparison (given how much Google learns about us via other channels), but perhaps Apple should take a cue from Google and keep this data anonymous from the outset.

But if temporarily tying my questions to my voice helps Siri fine-tune my experience using the service, I'm fine with that. That's the bottom line here: Apple should hang onto data like this only as long as technically necessary. If it stops being useful to the product's evolution, the data should disappear. 

For The Privacy Concious, Alternatives Abound

I'd be more concerned about what Siri does with my queries if the access it offered to information was unique. You don't have to use Siri. It's just a more convenient tool to use in some contexts. For truly private inquiries, people can (and likely do) continue to use traditional methods like a Chrome incognito tab or any other browser in private mode. 

Now, if Apple wants us to turn to Siri more often, it's going to have to add better privacy controls. Much like Web browsers and Google Web History offer us toggles to keep certain (or all) activity private, the voice-controlled personal assistants of the the future will need to do the same. If they don't, people will continue to use alternative, more privacy-friendly tools, whether Web browsers or competing voice assistants. 

Apple has a responsibility to be transparent about this type of thing. And it really ought to scrap this data as soon as it's not technically beneficial to keep it. But insofar as it fuels the core functionality of an evolving technology, if Siri needs to remember my questions for awhile, go for it, Siri. Just give me a heads up.

Investigators in Australia have arrested the self-proclaimed leader of LulzSec, the hacker group and Anonymous offshoot that previously claimed responsibility for a slew of major hacks in 2011 including attacks on Sony Pictures, the UK tabloid The Sun, and the CIA's public website. All "just for the Lulz" — laughs, that is — of it.

On Tuesday night, police in Sydney took into custody Matt Flannery, a 24-year-old Australian IT professional who goes by the online moniker Aush0k. The alleged hacker faces up to 12 years behind bars for two counts of unauthorized modification of data to cause impairment and one count of unauthorized access to a restricted computer system.  

Australian Federal Police say their investigation began only two weeks ago when they discovered a government website had been compromised. Police apparently made the connection between Flannery and the recently targeted website because the multinational Tenable Network Security, where Flannery was allegedly employed, had access to specific Australian government information (a quick search on Google revealed a LinkedIn profile of Flannery claiming employment there).

However, representatives from Tenable contacted ReadWrite and informed us that Flannery was instead employed by Content Security, a security firm that subcontracted for Tenable. Still, it could explain just how he had access to such sensitive material. Tenable's Nessus software is used by clients such as the U.S. Department of Defense, Amazon and the American Red Cross for checking network security vulnerabilities. And determining weaknesses in networks is exactly what allowed LulzSec and similar hackers to pick their targets. 

Following the arrest, Content Security's Phil Kurth described Flannery as a low-level support tech already on 3 month probation, although the reason behind the suspension, and any tie-into these charges, was not specified. Kurth further pointed out that Flannery had no access to any type of customer data apart from support tickets, and that most of the activities Flannery was accused of were conducted on his home PC, and seldom on his work-issued laptop. 

Flannery's work computer has been seized by police.

Authorities claim Flannery asserted his LulzSec leadership in online forums monitored by police and visited by LulzSec members. They also claim Flannery admitted his leading role in the group directly to police. Some discussions in the hacker material stored at the online locker Pastebin also seems to support authorities' claims. 

"This man is known to international law enforcement and police will allege he was in a position of trust within the company with access to information from clients including government agencies," explained Glen McEwen, the AFP's federal police commander. 

Flannery isn't the first alleged member of LulzSec to face the wraith of law enforcement. Another reputed leader, Sabu, aka Hector Xavier Monsegur, turned states evidence and became an FBI informant after his 2011 arrest. Sabu may have been the hacker who ratted out former Reuters social media editor Matthew Keys, who was indicted for his role in the Anonymous infiltration of the Los Angeles Times website. Just 2 weeks ago, another former LulzSec member, Ryan Ackroyd, pleaded guilty to several cyberattacks in the UK. The 26 year-old Ackroyd faces sentencing next month. 

Flannery has already been released on bail, and now faces a May 15 court date. 

Photo courtesy of Twitter  

On Monday, Microsoft premiered a television ad that portrays its Internet Explorer as the defender of user privacy among modern browsers.

The ad highlights IE's use of Do Not Track and its Tracking Protection Lists as effective tools in preserving online privacy, implying that Google's Chrome, Mozilla's Firefox, Apple's Safari and Opera fail to keep up with Microsoft's principled stand on privacy.

Six months ago, Microsoft might have had a point. Now, however, many privacy advocates say that IE is the browser now falling behind in the privacy wars - because it doesn't block third-party tracking cookies by default.

(Many websites store a small snippet of code called a cookie on your hard drive when you visit the site. Typically, these cookies contain login information or other preferences. Since many websites serve up content or ads from third-parties, those third-party sources may also place tracking cookies in your browser - even though you never visited their site.)

Microsoft does allow users to manually exclude third-party cookies, as does Chrome. But Safari and soon Firefox will do this by default, stealing the wind from Microsoft's sails. 

And given Microsoft's history in terms of privacy and competition, it's easy to see the new ad - and Microsoft's whole privacy strategy - as a cynical ploy to acquire new IE users while denigrating its competitors. Even if that's true, privacy advocates said, Microsoft is at least doing something to address privacy issues. 

IE Trumpets Do Not Track, Tracking Protection

As a piece of advertising, Microsoft's spot does a fine job highlighting what users don't mind sharing, and what users would rather keep private. Microsoft focuses on two features in the 30-second ad: Do Not Track, which is turned on by default; and its Tracking Protection Lists. "Your privacy is our priority," is the tag line.

Do Not Track (DNT) merely asks a site not to track the user visiting it. At this point, Do Not Track is completely voluntary, and privacy advocates note that the vast majority of online advertising agencies decline to honor it. Microsoft's implementation of Do Not Track is little more than a symbolic gesture unless and until the online ad agencies agree to play ball. 

"Microsoft's DNT setting is fine, although it will likely be ignored until the W3C finishes the DNT standard, if ever," said David Jacobs, the Consumer Protection Counsel for the Electronic Privacy Information Center (EPIC), in an email.

Consumer watchdogs can still rattle their sabers, as Federal Trade Commission chairwoman Edith Ramirez did last week (PDF) in a speech to the American Advertising Federation. Ramirez warned that now was the time for industry stakeholders to nail down a Do Not Track agreement once and for all:

One can forgive stakeholders for thinking that it will always be so – for believing that 'not all the water in the rough rude sea can wash' the shine off this cyber-economy. But an online advertising system that breeds consumer discomfort is not a foundation for sustained growth. More likely, it is an invitation to Congress and other policymakers in the U.S. and abroad to intervene with legislation or regulation and for technical measures by browsers or others to limit tracking.

Tracking Protection lists are far more effective - they prevent websites from capturing information that the user doesn't wish to be shared. Right now, they're probably the most effective weapon that Microsoft has in protecting user privacy - but they rarely get used, according to Dan Auerbauch, a staff technologist with Electronic Frontier Foundation (EFF).

Which Browser Leads In Privacy Protection?

"Firefox and Safari I would say are in first place right now in terms of protecting user privacy," because of third-party cookie blocking by default, Auerbach said.

Safari blocks third-party cookies by default; Mozilla has begun blocking third-party cookies by default in its alpha or Aurora build, with the expectation that the standard build will block them by summer. Chrome users must turn on the feature themselves by following a few simple instructions. Microsoft IE users can do this as well - but again, not by default.

"I would hope that Microsoft would follow soon, and I think that they're well-positioned to be the leader [in privacy]," Auerbach added. "We're encouraged by this campaign from Microsoft, and we think that they have the ability to do really good things here."

What's Microsoft Really Up To Here?

Is Microsoft genuinely interested in user privacy, or is it simply raising the specter of intrusive advertising to win new converts to IE? If Microsoft hadn't run its Scroogled campaign, which has highlighted all the ways that Google allegedly misuses user data to its own commercial ends, the answer might be yes. As it is, it's difficult to see Microsoft's efforts as truly altruistic, given its past history.

"Ultimately, I'm not sure how successful the campaign will be, but I think it's generally good when companies compete on privacy," said EPIC's Jacobs. "I don't know what Microsoft's underlying motivation is, but regardless of whether it's altruistic concern for user privacy or self-interested profit maximization, consumers can still benefit."

Unfortunately, Microsoft hasn't said when or whether it will block third-party cookies by default, and company representatives weren't able to comment. Microsoft does seem to be making strides in protecting user privacy, but its competitors are poised to pass it by, if they haven't already.

Image: Flickr/Scubadive67

Anonymous has called for an Internet blackout to protest CISPA, the much maligned cybersecurity bill that threatens your privacy more than it protects it. But without the support of Reddit, which co-sponsored last year's SOPA blackout, the Web isn't listening.

About 200 hundred sites have joined the #CISPABlackout today in protest of CISPA, which last week passed the House of Representatives. That may sound like a big number, but the list mostly consists of small sites within the hacker community. That's a big contrast to the last year's SOPA protests, which drew support from huge organizations like Google and Wikipedia.

Blackout your website: (requires some basic HTML/CSS knowledge): bit.ly/11dtXv6#CISPABlackout

— Anonymous (@YourAnonNews) April 22, 2013

Exceptions include the nonprofit Fight for the Future, which has tweeted solidarity but has not blacked out its site. Another is Stan Lee's Comikaze, the comic book convention backed by the former Marvel Comics head honcho, which has blacked out its site.

A Reddit Divided

Reddit itself appears conflicted over the CISPA blackout. Some Reddit sections, aka subreddits, have switched their background color to black and added a CISPA protest banner and link, but have stopped short of a full blackout that would inconvenience users by obscuring links. As of about 11am PT, subreddits including "pics," "politics," "funny," "askreddit" and "technology") have black backgrounds, although their listed links remain visible in the foreground. Reddit's front page and subreddits such as "news" and "worldnews" remain un-blackened.

It's a clear case of the hacker collective overestimating its influence, as my ReadWrite colleague Dan Rowinski suggested to me in chat earlier today. "Without Reddit, it is just Anonymous proclaiming something into its own echo chamber," he wrote.

It also doesn't help that Internet firms themselves are divided on CISPA. Microsoft and Facebook may have recently walked back their support for the bill — which, by the way, faces a veto threat from President Obama — but Google hasn't taken a position. And a rogue's gallery of telcos, ISPs and other tech firms support CISPA.

CISPA threatens our privacy by essentially giving the government a blank check to monitor all of our online communication, without a warrant. So a sign of solidarity blacking out the Web would be a good thing. But it seems the collective isn't as influential in garnering support as it is when its making cyberattacks. Which is too bad, because this mission would actually be a good thing.

Below is a video from Anonymous explaining more about the blackout:

If you want to contact your local senator or congressperson, check out this list of contact information from Anonymous. Here's some background on Anonymous' plans and how you can further support the blackout.

Lead image via Imgur, although it's circulating across the Internet and its provenance is unknown

Google is sort of everywhere these days. Between its successful Android platform and the ubiquity of Google services for consumers and businesses, it's getting hard to avoid the big G. Yet when its rivals form an organization like FairSearch.org and start calling out the search giant as monopolistic and anticompetitive, no one much seems to care. 

(See also: Microsoft's Complaint Against Android In Europe Is All Kinds Of Stupid)

It's a huge contrast with the smacking around Microsoft took a decade ago, when Windows dominated the PC universe and both U.S. and European antitrust regulators branded the company a monopolist. Microsoft, in fact, is still getting its butt handed to it in Europe, where it recently faced huge fines for failing to comply with earlier penalties.

These days, however, Google's Teflon coating remains largely unscratched.

Getting The Message Out

It's not like FairSearch, a tech lobbying group with 17 members that each have a reason to want Google hamstrung in one way or another, isn't trying. It has run advertisements. It has produced videos. It has held panel discussions. It has lobbied lawmakers and regulators.

The general response? Apathy.

For instance, two anti-Google videos FairSearch posted on YouTube have only 1,874 views. The group's Twitter account has 939 followers. Clearly, it's having trouble getting traction.

FairSearch basically faces two big problems. One is something it won't be able to fix very easily: the shoot-the-messenger problem. Read "FairSearch.org," and it's hard not to think "Microsoft" — Google's sworn enemy.

(See also: Microsoft Launching Another Pathetic Smear Attack On Google)

True, Microsoft is only one of the group's 17 members, and isn't even a co-founder. But it's still hard to take FairSearch's complaints at face value, because everyone knows they're self-serving and tailored to advance the interests of Microsoft and other members. Particularly when they follow Microsoft's own high-profile assaults on Google.

Too Big A Target?

The other problem is broader, but no less of a concern: FairSearch's message is too unfocused. Nor can it be tightened. It's a real dilemma.

When organizations or governments bust a company for antitrust violations, there's a clear black-and-white line that the company has to cross: they are doing something to reduce consumer choice. As much as FairSearch would like to pin that accusation on Google, there's little evidence that Google has done anything of the sort.

Last week, for instance, FairSearch complained to the European Commission that Google's Android operating system was an anticompetitive threat to the mobile market. My ReadWrite colleague Dan Rowinski did a pretty good job tearing that complaint apart. It's pretty simple: No user is forced to stay with Google services on Android. Nor is any manufacturer. So whose choices are being constrained?

That looks deliberate on Google's part. It's been very, very careful to be as big an influence on the market as possible without actually trying to establish direct control over anything. That makes it very hard for competitors to make the monopoly charge stick.

Fire A Shotgun, See What Sticks

Which may be why FairSearch is trying everything else under the sun. A quick look at its site reveals no fewer than nine lines of attack, include complaints about Google's acquisitions, "content scraping," "deceptive display," mobile, "search manipulation" and alleged unfair treatment of advertisers and partners.

This kind of unfocused effort suggests that FairSearch is taking a "see what sticks" approach, kicking up as much sand as possible in the hopes of clouding the view of government regulators.

Curiously, the one area where Google rightly gets smacked about sometimes — privacy — doesn't get much emphasis on the FairSearch site. Of course, its members probably want just as much user data as Google is collecting, so they don't see much advantage to rocking that particular boat.

Google's enemies have a tough nut to crack, and FairSearch's broad approach reflects that problem. The search giant has made a very good business out of mining user data and generating ad revenue without (as far as we know) crossing any serious lines yet. Until that changes, Google's competitors may have to deal with their Google problem by, y'know, competing.

Image courtesy of 1000 Words / Shutterstock

The White House doesn't support the amended version of CISPA, the controversial Cyber Intelligence Sharing and Protection Act that would let companies and the feds monitor and share your online communication without a warrant. But while President Obama remains opposed to the bill's latest iteration, he's apparently hedging on whether he'd veto it.

The bill, aimed at data sharing between the public and private sectors, is a security nightmare for its vagueness and privacy oversight. Last year, we heard the same pop shots from Obama, except that back then he promised to veto the law. This year he isn't making any promises, although White House rhetoric suggests that the polarizing bill still comes up short in the area of privacy concerns. 

White House's National Security Council spokeswoman Caitlin Hayden said in a statement:

We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections.... We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.

These comments came a day after the House Intelligence Committee passed the bill on an 18-2 vote on Wednesday. New amendments to the bill require government agencies to strip away any private information they receive from companies participating in information sharing, prohibit companies from retaliating against alleged hackers or cyberattackers and backed away from a clause that would have allowed the use of threat information sharing arrangements for vague "national security" reasons. These sound like digital freedom wins, but most other privacy protections didn't make the cut. 

It's unclear which way Obama will tilt, but if this year's slew of major government targeted cyber attacks and the President's cyber mandate mean anything, it looks like he may lean (and be forced politically) towards more regulation, even if it's flawed.

Next week, the new version of the bill is expected to head to the House floor for a vote. If you want to help light a fire under the president and legislators, sign this petition from the privacy advocacy group Fight For The Future and check out this video from Reddit co-founder Alexis Ohanian to see why you should also hold tech companies accountable for their support of this poorly written law. 

Photo courtesy of Shutterstock

Turns out the world hadn't quite heard the last of Aaron Swartz, the Internet activist and Reddit co-founder who killed himself in January. The makers of an unreleased documentary about the fight over the open Internet, War for the Web, have just released a snippet of unedited footage from what they call "the last video interview with Aaron Swartz." It's embedded below.

We don't have any way to independently verify the filmmakers' claim to Swartz's "last" video interview (it was filmed on July 10, 2012). And near as I can tell, the portion of the interview released so far — this clip is about eight minutes long, whereas the entire thing runs "several hours," according to the film's PR rep — doesn't appear to break much new ground.

In particular, it doesn't even raise the federal prosecution of Swartz for surreptitiously downloading — the feds termed it "stealing" — four million academic articles from an academic database called JSTOR, an overzealous pursuit that some critics believe contributed to Swartz's suicide. Unsurprisingly, the interview doesn't touch on Swartz's long battle with depression, either.

But it's still an engaging eight-minute conversation with a handsome and articulate activist who now looms as large — if not larger — in death as he did in life. The best part comes at around 5:00 in the interview, where Swartz waxes philosophical on the threat that copyright maximalism, as embodied in bills like SOPA and the ongoing war against digital piracy, poses to creativity and innovation.

See for yourself.

Update, 9:31am PT: Turns out this video is an eight-minute excerpt of a much longer interview, a fact that wasn't clear from the information the filmmakers' representative initially provided us. I've updated the item throughout to make that clear.

What These Bad Apps Glom Onto

Between last September and March, security vendor Bitdefender analyzed 130,000 popular Android apps on Google Play and found that roughly 13% collected your phone number without explicit notification, 12% stored your location data and 8% sucked up your email address. Included in those numbers are apps that siphoned off one or more of the three.

Many apps don't stop there. Other data they glom onto includes your browsing activity, your contact list, the unique identification number of your device and even your call registry.

These apps took all that information legally. Android apps display their privacy policies in seeking permission to gather personal data, and many developers bank on the fact that most people will just click through to the app.

(See also: Hey! iOS Apps Play Faster And Looser With Your Data Than Android)

All that data gathering typically starts when an app developer download an ad framework provided by more than 400 companies listed on the Ad Network Directory. Such frameworks makes it easy for developers to display ads in the app, and thus to get paid every time someone clicks on them.

Since free apps only make money for developers from such clicks (and, it turns out, the distribution of associated user data), very few pay attention to exactly what kind of information ad frameworks are gathering.

"Because they copy-paste the code, they don't really debug it; they don't really look through it and see what data it collects," Bitdefender researcher Liviu Arsene told me. "I bet they don't even care."

And It Doesn't Stop There

App privacy policies often stake out even more aggressive data-collection goals, presumably to pave the way for future updates to vacuum up more info and further erode user privacy.

Take, for instance, Airpush, the second-largest ad network for Android developers with 40,000 apps. Its privacy policy reads, in part:

[I]n accordance with the permissions you have granted, we may collect your device ID, device make and model, device IP address, mobile web browser type and version, mobile carrier, real-time location information, email address, phone number and a list of the mobile applications on your device.

The policy goes on to explain that Airpush might supply that information to third-party advertisers who are part of its ad platform and third-party vendors, consultants and other service providers. Because the data is available to so many organizations, it's virtually impossible to know who is using your personal data, and how, once it leaves the device.

Obviously, the possibilities for abuse here are legion. Suppose one of those third-party organizations is acquired by an outfit that is, shall we say, less reputable. Or that a third party company's computers are hacked, spilling your data into the hands of cybercriminals.

The Feds Agree: It's A Huge Problem

Federal regulators acknowledge that a huge problem exists. "Mobile technology provides unique privacy challenges," Jon Leibowitz, departing chairman of the Federal Trade Commission, said in February, as reported by The Wall Street Journal. "Some would say it's a sort of Wild West."

The FTC wants the mobile industry to bolster privacy controls by allowing phone users to opt out of being tracked by ad networks. The commission also wants apps to prominently display the kind of data they're collecting, rather than burying it in fine print. Congress is also considering proposals to tighten privacy protections on mobile devices, though it's hard to say how such measures will fare given firm opposition from industry.

In the meantime, here's some free (!!) advice: Scrutinize your free mobile apps as if they're malware ready to wreak havoc on your personal information.

Good news: If you're running a local crime syndicate from your iPhone, the authorities are going to have a hard time reading your texts. That's because, as the DEA recently complained, the company's iMessage protocol is encrypted end-to-end, which prevents law enforcement from spying on users' messages, even with a court order.

This is good news for iOS-loving drug lords, but, more importantly, it's a big win for digital privacy. And from Apple, no less. 

With government requests for personal data on the rise, there are few guarantees in place that you or I won't have our private communications snooped through. Since the Fourth Amendment hasn't yet caught up with the lightning fast pace of technological change, some of the best privacy protections are often the ones implemented by tech companies themselves. 

A Rare Privacy Win For Apple 

Apple isn't exactly known as a champion of consumer privacy. It's not reckless either, but few people expect the company to defend users' privacy any more than they the law or consumer sentiment requires. 

For a company like Twitter, it's different. Principles like user privacy and free speech have become important enough to the service's core functionality that the company has no choice but to value and protect them. As a result, Twitter gets pretty high marks from privacy advocates.

Even Google, which has had its share of privacy snafus, is pretty good at being transparent and safeguarding its users' privacy generally. Apple? It's as mindful about privacy as it needs to be, but it's not a chief motivator for the company.

By architecting iMessage the way it did, Apple created a messaging protocol more secure and private than standard text messages, which is how millions of people communicate every day. As we fire those texts back and forth, we're all creating a digital trail that can be snooped upon or hacked more easily than we care to think about. But if they're being and sent and received from iPhones running iOS 5 or later, those messages are invisible to wiretaps by law enforcement or other prying eyes. 

Apple didn't have to build iMessage with end-to-end encryption. Gmail isn't encrypted this way, nor are the Facebook messages that are increasingly used like texts on mobile devices. Clearly, SMS text messages aren't particularly well-secured either. Whether winning privacy points was its motivation or not, Apple definitely racks up a few for this. 

Of course, Apple has had its own share of privacy controversies. Locationgate and Carrier IQ come to mind. Then there was the iMessage bug that accidentally exposed some users' private messages, an embarrassing screwup was fixed in iOS 6.  

Critics were rightfully quick to pounce on Apple for those things, but we need to be every bit as eager to applaud big tech companies when they get it right.

As the world waits with bated breath to see if Pyongyang will make good on its nuclear threats, the hacker collective Anonymous has made its own move in the increasingly cyber conflict between North Korea and the world. 

On Tuesday, the group claimed to have stolen 15,000 passwords from the communist nation as part of what it calls Operation North Korea. Late Wednesday, as tensions rose in Kaesong over the North's closure and seizure of a industrial park it shares with the South, along with repeated declarations of nuclear launch, Anonymous advanced its own chess pieces. The hackers allegedly seized control of North Korea's official Twitter and Flickr accounts, in the process defacing several related websites, and making the autocratic nation look extremely unprepared for cyber attack.  

Tango Down flickr.com/photos/uriminz…

— uriminzokkiri (@uriminzok) April 4, 2013

The Uriminzokkiri accounts on both the social media networks, which translates to "our nation," looked like anything but North Korea's after the strike. The Twitter account's avatar changed to a couple in Guy Fawkes masks tangoing, while the Flickr account filled up with less-than-flattering images of the supreme leader, Kim Jong Un. 

In addition, several sites hocking propaganda material have been hit by digital graffiti (visit Aindf.com to see a wanted poster of Kim Jong Un). North Korean state-run news site Uriminzokkiri.com has been knocked offline, possibly by related DDoS attack. The Next Web is reporting that a Pastebin note, allegedly from the hacktivists, claims that they have agents on the ground fighting off the North's "cyber army." Below is an excerpt from the latest Pastebin message, supposedly penned by Anonymous members, explaining the group's reasoning and m.o. for the attack:

1. ecause of North Korea's new threats today we are forced to
2. contact you again.
3. Within this release we also take the chance to set some things
4. straight about our goals, because it seems some web citizens
5. didn't really get it right. Here we go:
6.  
7. @ Kim Jong-un
8. You just went full retarded! Never go full retarded.
9. We feel really sorry for your suffering of TDS
10. (aka "tiny dick syndrome") but be assured, threatening the
11. world with your nukes won't make it any better at all.
12. If you had finally opened up your country for the
13. real internet, you would have already seen over 9000 ads for
14. products devoted to solve your problem.

If Kim Jong Un really does have thousands of soldiers in his cyber army, it's likely that this attack will soon be thwarted and things will go back to normal. Normal, of course, being a relative term as the bluffing situation escalates between the peninsula and the rest of the world. 

Will Anonymous' actions (in February it hacked the U.S. State Department) push the conflict over the edge and give the 30-year-old despot reason to hit the launch button and plunge the world into hot war? Who knows what this digital assault will do to the man's ego, since he is already eager to prove himself in the wake of his father's passing.

(See also South Korea Cyber Attack Heightens Tensions In Hair-Trigger Region and World War III Is Already Here - And We're Losing.)

When ex-NBA oddball Dennis "the Worm" Rodman seems to have more on-the-ground knowledge of the leader than every major intelligence agency combined, you know we're in a pickle, no matter how you cut it. Anonymous is pulling on the tail of a tiger. If this is the prelude to the end of the world, let's hope it has a viable plan for when the beast turns around and bares its fangs.

Image courtesy of Uriminzokkiri

California has proposed a potentially groundbreaking consumer privacy law. The Right To Know Act, if approved, would require companies to divulge what kind of data they have on individual consumers, as well as with whom they're sharing that information. 

We need this. Not only should California pass this law, but it should be emulated far and wide. And while it's a good start, The Right To Know Act is really just the beginning of what's needed.

The vast quantity of personal data that companies collect, store and sell is mind-boggling. We caught a glimpse of some of this massive and now-routine data mining during the presidential campaign. Outside of the election cycle, it continues full force as marketers and financial institutions amass private information about consumers, sell it to one another and use it in ways that aren't entirely clear. Much of it is totally obvious and innocent. Some of it probably isn't. We don't know. That's the problem.

The Ongoing Personal Data Explosion 

Of course, this data is just going to keep exploding. The proliferation of smartphones has generated enough privacy questions to keep lawyers and legislators busy for a generation. We're just beginning to grapple with those issues and now Google wants us to wear computers on our faces. As we move toward wearable computers, connected cars and smart homes, the sheer volume of data about our personal lives is going to grow exponentially. 

There's a lot we stand to gain from these advances in personal technology, just as we have with smartphones and tablets. But before we plough forward into this otherwise awesome future, we should probably take a minute and think about some of the less exciting implications. Privacy is at the top of the list.

The Right To Know Act sounds like a sensible attempt to set up the kind of consumer privacy framework we'll need to have in place if we don't want things to get too weird in the future.

Whether or not we actually regulate the ways companies use this data is another question, which we'll also need to deal with. In the meantime, what the Right To Know Act will do is simply allow consumers to know exactly what data exists and and to learn a little bit about how it's being used.

"This Law Is About Transparency"

"This law is about transparency and access, not new restrictions on data sharing," writes the Electronic Frontier Foundation (EFF), one of the supporters of the bill. "It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

To Europeans, this concept isn't anything radical. As Ars Technica points out, the European Union has laws like this on the books already, as it should. The principle of habeas data, as it's known, is just a part of digital life there. 

How likely is passage of the bill? Plenty of firms will loathe it, but it will be interesting to see how tolerant the more privacy-friendly tech companies are of the idea. It's hard to predict the bill's fate, but when it comes to implementing forward-thinking privacy laws, California has a pretty decent track record.

The premise is that simple: Companies know a lot about us, and we, as consumers, have a right to know what they know. Whether or not we can do anything about it, we at least deserve to know. They are, after all, our lives. 

Depending on who you believe, the week long Spamhaus-Cyberbunker cyberattack we covered Wednesday was either a threat to the Internet itself or hyped up by an overzealous security vendor. Either way, it was still serious business.

While much of the Internet disruption may have in fact been localized to Europe, and also potentially caused by tampering with underwater telecom cables in the Mediterranean, big DDoS attacks — that is, distributed denial-of-service assaults that aim to knock target computers off the Internet — are real, and have been on the rise since 2010. 

Dan Holden, the director of ASERT, Arbor Networks' security engineering and response team, has been monitoring DDoS attacks for more than 12 years. In 2012 his company released a Worldwide Infrastructure Report that reports attack sizes have been peaking at around 100Gbps (check out this detailed look at the report here). This week's attack was more than 300Gbps — way above the norm, in other words. 

That's because the attackers actually co-opted part of the Internet's basic infrastructure -- the Domain Name System, or DNS -- in such a way as to greatly amplify the firehose stream of data they were directing at target computers.

Here's how they work, according to Carlos Morales, Arbor Networks' vice president of global sales engineering and operations:

Attackers send DNS queries to a [DNS server] on the Internet but use the victim address as the source of the query. When the response goes back, a response that is usually multiple times the size of the initial query, the response goes to the victim. Multiple this by hundreds of thousands of requests from bots on the Internet spoofing the one victim address and you get a very large flood of traffic to the victim machine.

Holden says DNS is becoming an increasingly popular target for DDoS. As many as 27 million DNS servers across the Internet are "open" in a way that allows them to be hijacked this way. 

That means that while this week's attack may not have knocked us Americans off of the Web, the amount of localized disruption overseas was definitely large enough to cause serious reverberations. This may not have been the Web's D-Day, but these could definitely be the opening salvo of a hacker blitzkrieg. Let's hope the ISPs and powers that be don't Neville Chamberlain it. 

Photo courtesy of Shutterstock

The Internet is groaning today under the load of a huge cyberattack — one of the worst on record — that's clogged some of its most vital systems. And while you might be inclined to blame Spamhaus or Cyberbunker, two European outfits at the center of this online dustup, almost no one is talking about the real villains here: the world's Internet service providers.

First, some background on Spamhaus vs. Cyberbunker. Yes, that sounds like the lineup at a punk-rock show, but it's actually a virtual battle that began when the anti-spam group Spamhaus added the Dutch web hosting company Cyberbunker to a blacklist used to fight spam. That apparently stung the outlaws at Cyberbunker, which prides itself on hosting anything but "child porn and anything related to terrorism."

Seemingly insulted, on March 19 Cyberbunker allegedly launched a major distributed denial-of-service (DDoS) attack — that is, one that aims huge streams of data at target Web servers in an attempt to knock them offline — against Spamhaus. When that failed, the attackers pivoted to a much more serious attack, one that exploited a vulnerability in the Internet's Domain Name System (DNS). And in so doing, they almost broke the Internet.

Dissing the DNS

DNS is a core service that translates URLs like readwrite.com into the numerical Internet addresses used by computers (204.9.177.211 in the case of ReadWrite). Without it, traffic on the Internet goes nowhere.

In this case, the attackers targeting Spamhaus turned to what's called a DNS amplification attack — one that basically tricks DNS servers into directing a huge flood of traffic at a target. This is relatively easy because many network providers and ISPs have left DNS servers (also called "resolvers") open and unprotected, meaning that they'll respond to requests from anywhere on the Internet.

All an attacker needs to do is to send a stream of forged DNS requests that appear to come from their target's computers. Open DNS resolvers do the rest, responding with automated messages that are much larger than the initial requests. The security company Cloudfare, which has assisted Spamhaus in its current fight, wrote that attackers can use DNS amplification to boost their initial DDoS data flood by a factor of 50 or more.

Which is exactly what Spamhaus's attackers appear to have done.

Why Your ISP Sucks

The big problem here, as you've probably already figured out, is that so many network operators have left their DNS resolvers open. It's fairly trivial to configure resolvers to filter out and ignore forged requests, but relatively few network operators have done so. The Open DNS Resolver Project, an Internet community initiative aimed at blocking this vulnerability, has catalogued more than 25 million open DNS resolvers around the world.

"If ISPs had fixed those issues, [which are] relatively simple, and [involve] very little cost, this kind of attack would have been impossible," Rodney Joffe, a senior vice president at the Virginia security firm Neustar, told me. 

How To Stop The Suckage

DNS resolvers are becoming an increasingly popular target for hackers. Dan Holden, a security official at Arbor Networks, told me that in a recent Arbor survey, a full quarter of respondents said they'd experienced serious DDoS attacks on their DNS servers in 2012 — double the number who acknowledged similar attacks in the previous year.

Fixing DNS vulnerabilities would be an ideal way to stop these attacks, says security expert Dan Kaminsky, who has helped shore up previous DNS problems. But he's skeptical that this will ever happen.

"If only everyone on the Internet made major changes at the same time, this wouldn't have happened," Kaminsky told me via email. Short of that, he said, the answer may lie in straightforward police work:

We stop DDoS by getting as close as possible to the source and doing something about it there, or by doing nothing and tolerating it. I prefer the former, in this case, by perhaps finding the person almost certainly responsible.

Photo courtesy of Shutterstock

Another hacker bites the dust. This morning, Andrew Auernheimer — aka "Weev" — got handed a sentence of 41 months in prison, 3 years of supervised release and a $36,500 fine. All for basically exposing a major security hole at AT&T and publicly shaming the company that hadn't ever bothered to fix it.

Back in 2010, Auernheimer and his partner Daniel Spitler, part of a team calling itself Goatse Security, hacked into a public server owned by AT&T. That server housed hundreds of thousands of email addresses of customers who owned 3G iPads. Through trial and error and some ingenuity, group members discovered they could randomly guess iPad identification numbers and then use them to extract matching email addresses from that server.

AT&T's Security Loophole, Exposed

This security loophole on AT&T's site returned email addresses associated with ICC IDs, the unique serial numbers used to track and link SIM cards on mobile devices with specific subscribers. A PHP script that automated the process ended up harvesting a whopping 114,000 email addresses. Auernheimer then sent news of the group's work as an exclusive to Gawker.

(See also: U.S. Announces 120,000 iPad Users Had Their Data Stolen)

A day later in a blog post on the Goatse Security site, Auernheimer and company wrote:

I want to summarize this explicitly:

• All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration.
• The dataset was not disclosed until we verified the problem was fixed by the vendor.
• The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.

[...]

We did this to help you.

By its own account, AT&T responded with "swift action" to prevent additional intrusions: 

Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

Problem solved, right? Wrong. A week later Auernheimer was arrested after the FBI raided his house. He was then charged with major computer crimes under the Computer Fraud and Abuse Act (CFAA), the same legal club prosecutors have used to go after Aaron Swartz and, last week, Reuters social editor Matthew Keys.

(See also: Reuters Social Editor Indicted Over Anonymous Hack; Internet's Jaw Drops)

During the trial, AT&T admitted the server was publicly accessible, yet claimed Auernheimer's access was unauthorized. Under the CFAA, unauthorized access is a crime. But the statute's ambiguity on that score has opened the door for egregious prosecutorial overreach in this and other cases.

On Nov. 20, 2012, a jury found Auernheimer guilty of one count each of identity theft and conspiracy to violate the CFAA. Today, Auernheimer was sentenced.

Fair Or Fanning The Flames?

Supporters of Auernheimer say what he did was not a crime. Maybe it wasn't smart to expose a major vulnerability at AT&T and then rub the company's nose, but stupidity shouldn't be a federal offense. Friends and colleagues point out that the point of hacking is to gain something from it — and in this case, there was no money involved and nothing else to gain but besides a measure of celebrity.

Australian journalist and hacktivist Asher Wolf wrote a poignant piece today arguing that's it's insane to publicly tar and feather someone who spurred a company to fix a problem, even if he didn't choose the most orthodox means of doing it:

Putting Weev behind bars is pointless and tragic. Jailing the most outspoken men and women amongst our generation won’t stop the leaks, the hacks, the news revelations, the whistleblowers — and most of all it won’t stop the rage of the malcontent, dispossessed youth from eventually tumbling down upon the heads of the bureaucrats who sold us out and then tried to lock us up when we complained.

Bees To Honey

AT&T's vulnerability was basically low hanging fruit — just too easy a target for hackers to ignore. But the question of whether AT&T was asking for it is more complicated.

Sure, poor security is asking for trouble. But playing with fire will get you burned no matter how righteous and ethical you claim to be. "Our conduct doesn't happen in a vacuum," hacker Adrian Lamo — the guy who allegedly dropped a dime on Bradley Manning — wrote on Twitter today. "I don't think 3+ years is warranted for Weev, but in totality of circumstances, it's understandable."

I respect weev's reasons and even his means for their ethical consistency. But he got exactly what he planned to. He owns his outcome.

— Adrian Lamo (@6) March 18, 2013

Still, this is significant time for essentially not hurting anyone, as the British journalist Laurie Penny pointed out. By comparison, the Steubenville rapists were sentenced to just one year in juvenile jail.

Note that @rabite just got sent down for 3.5 years for computer violations. That's 1.5 years longer than the #steubenville rapists #freeweev

— Laurie Penny (@PennyRed) March 18, 2013

This isn't over. Auernheimer is appealing his conviction. And either another example will be made to hackers everywhere, or the sentence will be reduced.

At the end of the day, Weev and co. were nicer to AT&T than, say, hacker HD Moore — who published unpatched iPhone flaws and exposed another big bug in Apple's WiFi — was to Apple. But that doesn't seem to matter much in the boardrooms and courtrooms of America. In their view, all hackers are criminals.

Even many mainstream journalists think all hacking is a crime. Last night on 60 Minutes, for instance, Lara Logan basically accused Jack Dorsey's early work of bordering on just that. And even with the best of intentions, hackers' attempts to route around the system will likely never gain the benefit of the doubt with the public.

Instead, they'll just keep earning jail sentences, at least unless and until the courts — or Congress, though don't hold your breath — push back against prosecutorial overreach. And that, at least, will give them plenty of time to repent at leisure.

Lead image via Flickr user shane_curcuru, CC 2.0; image of Andrew Auernheimer via Wikimedia Commons

The hyper-connected smart home of the future promises to change the way we live. More efficient energy usage, Internet-connected appliances that communicate with one another and cloud-enhanced home security are just some of the conveniences we'll enjoy.

It's going to be amazing. It will also open up major questions about privacy.

We're already catching a glimpse of our futuristic living quarters with products like the Nest, the WiFi-connected smart thermostat with an Apple-esque sleekness. Each year, the Consumer Electronics Show introduces us a handful of new connected appliances and household items, each one bringing us closer to the so-called "Internet of things" we keep hearing about. Everybody from giant Internet service providers to scrappy startups are getting in on the smart home game, building products that will make our homes more efficient, secure and livable. Before long, Jetsons-style robots will be feeding our pets. 

If you think digital privacy is a contentious issue now, just wait. 

Government Requests For Personal Data On The Rise

Consider this: In the last few years, Internet service providers and mobile carriers have seen a huge spike in government requests for data about customers. AT&T alone receives 700 such requests per day, according to The New York Times. They're not alone. Carriers and ISPs collectively receive thousands of requests for customer data per day from local law enforcement, federal agencies and courts. In many cases, they're willingly handing it over. In very few are they actually telling us about it.  

This uptick in government data requests corresponds with the rapid rise of smartphones and other connected gadgets among the general population. Naturally, as these devices proliferate, they are inevitably being used by some consumers to do bad things. But as we've seen, the technology has evolved more quickly than our society's rules about privacy — such as those enshrined in the Fourth Amendment to the U.S. Constitution — can possibly be crafted.

Why does it matter what companies like Verizon and Comcast do with their customers' information? Because those very same firms are now selling smart home products that will allow them to collect more data about our lives than ever before. 

"The information that's available in a smart home can be really extraordinarily detailed," says Rebecca Jeschke, media relations director at the Electronic Frontier Foundation.  

Analyzing a household's power usage alone can reveal details about a family's schedule and habits and may even one day hint at what different appliances might be used for. 

"The technology is such that it won't be too long before you can look at somebody's power usage be able to know when they opened the fridge or how much food was in it," says Jeschke. "And that's without a wired fridge. That's just the power."

Your Smart Home Will Be a Trove Of Data

Every time we connect another one of our household appliances to the Internet, we're going to be generating another set of data about our lives and storing it some company's servers. That data can be incredibly useful to us, but it creates yet another digital trail of personal details that could become vulnerable to court subpoenas, law enforcement requests (with or without a warrant) or hackers. 

Okay, so maybe you don't care if somebody else knows what's in your WiFi-connected refrigerator. But what about your bedroom? 

Comcast is one of the many companies making a move toward the connected home. The cable giant offers a product called XFinity Home that offers the latest in home automation technology: smart energy management, remote-controlled door locks and in-home video surveillance. All of these features and more are conveniently accessible from smartphones, tablets and a Web-based portal. 

Having remote, mobile access to our homes in this way presents enormous advantages. But it also raises a red flag when it comes to privacy, says Abdullahi Arabo, a research fellow at the University of Oxford who wrote a paper examining the privacy implications of smart home technology. 

"In reality, our smart devices hold more information than our brains," says Arabo. "This makes them a good target for hackers, malware and unauthorized users."

Of course, this has been the case for quite some time, but in the age of the smart home, a stolen or hacked phone isn't just a repository of personal information: it's a remote control for your entire house. If you've signed up for the remote surveillance service, it also contains live video feeds from every room in the house. 

In-Home Video Surveillance: Fair Game For Authorities? 

The video monitoring feature alone raises some serious questions about privacy, hackers aside. These videos are living on Comcast's servers. If the police suspect me of being a drug lord and they ask Comcast for access for a live video feed into my house, will they comply? Would the police need a warrant? 

As is often the case with digital privacy issues, there's no clear legal precedent to draw from. Courts and legislative bodies tend to move considerably more slowly than the pace of technological innovation, so we end up with awkward grey areas like this. 

Comcast did not respond to multiple requests for information about XFinity Home's privacy protections. In general, the company's privacy policy acknowledges that "it is possible that we may be required to provide information about you to a court or law enforcement agency… [only] if we are legally required to do so." 

Not Exactly Digital Privacy Champions 

Historically, Comcast isn't known to be transparent about such requests. In the EFF's "Who Has Your Back?" digital privacy scorecard, Comcast earned only one of four stars. While the company has been known to stand up for user privacy in the courts, it lost points for not being transparent about government data requests. 

It's not just XFinity Home that offers this type of smart home service. Verizon has its own offering and its privacy record is even worse, according to the EFF's most recent report. AT&T, another telco with a less-than-stellar privacy record, is also getting into the home automation business. It's worth noting that these are the same companies fielding thousands of government data requests every day, many of which are granted. 

"The big question you need to ask when you look at these kinds of services is, If I can get access to this information, who else can?" says Jeschke. "If a report is being generated for me or if I have access to a live feed, who else has access to it?"

It's admittedly still very early in this game. There haven't been any known cases of smart home customers alleging privacy intrusions via their Internet-connected home surveillance systems, for instance. But as the technology becomes more widely adopted, expect to hear more about the privacy implications.  Indeed, there's already been some controversy in Northern California over the use of smart energy meters and the personal information they can transmit. 

"I can see some really bad outcomes from this kind of wired world," says Jeschke.  The most obvious one, she says, is that third parties like law enforcement, courts and marketers can get access to more private information about consumers.  "Another bad outcome is that we don't get these cool things, because of privacy concerns."

Lead photo via Flickr user Brett VA

Disbelief and shock. That's what's sweeping across the Web following news that one of its best and brightest social journalists, Reuter's Matthew Keys, has been indicted by the Department of Justice for allegedly helping Anonymous deface the Los Angeles Times website in 2011. (See the full indictment below.)

The 26-year-old deputy social media editor has been charged with providing hackers with server login credentials to access the Tribune Company's site. Keys had previously worked as a web producer for the Tribune-owned KTXL FOX 40, in Sacramento, Calif. The charges are serious, but what he allegedly did... wasn't, really. The site break-in described in the indictment led to a hack that defaced a story.

Keys has been charged with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer and attempted transmission of information to damage a protected computer. If convicted, he faces up to 10 years in prison, 3 years of supervised release and a fine of up to $250,000 for each count. In addition, he also must forfeit property related to the crime.

Journalists and members of the media are still having trouble wrapping their heads around the news.

wow – this story about Matthew Keys and Anonymous is bizarre: politico.com/blogs/media/20…

— Mathew Ingram (@mathewi) March 14, 2013

"Speechless," NPR's Andy Carvin wrote on Twitter. "Woah," said the Wall Street Journal's Liz Heron.

Even others in the hacker community are shaking their head, like 'Weev,' nee Andrew Auernheimer, who himself faces jail time over his role in exposing the email addresses of thousands of AT&T customers.

Let us pray for @thematthewkeys in his struggle against the beast.

— Andrew Auernheimer (@rabite) March 14, 2013

Say It Ain't So!

Key's alleged involvement with Anonymous, should it prove true, has been under our noses for some time. Keys wrote about Anonymous on multiple occasions, including his first post for Reuters back in Feb. 2012:

My first blog entry at @reuters: "Details in leaked FBI call could prove uncomfortable for Anonymous" - blogs.reuters.com/matthew-keys/2…

— Matthew Keys (@TheMatthewKeys) February 3, 2012

http://tinyurl.com/mattkeysexposed AESCracked/Matt Keys was former producer for Tribune sites. Gave full control of LATimes.com to hackers.

— The Real Sabu (@anonymouSabu) March 22, 2011

Why And What Now?

It's not entirely clear why the Justice Department choose to indict Keys now, in 2013, two years after the hacking/defacing incident. It's possible it took the government that long to gather evidence. Or maybe the feds tried, but failed, to turn Keys -- pardon the pun -- to nab bigger figures within Anonymous.

Either way, it certainly looks like the Justice Department wants to make an example of Keys, which would make him the latest of several high-profile Web figures so treated (think Aaron Swartz, Bradley Manning and even Kim Dotcom for starters).

According to The Atlantic Wire, Benjamin Wagner, the same federal prosecutor in the Keys case, took down Sabu. So did Sabu rat out Keys for a shorter sentence? At the moment, there's no way to know.

Personally, I'm saddened by this. I know Keys. Although we've never met in real life, our paths have crossed many times online. We follow each other on Twitter and are Facebook friends, and we direct message and Facebook message each other regularly. When I heard about the charges, I called Keys' phone. It rang and rang and went to voicemail. I left a message. I still haven't heard back.

His arraignment is April 12 in Sacramento, and according to some reports, it looks like he may be fired at Reuters. So was Keys a covert agent for Anonymous? A guy supportive of some deviant hijinks? Or actually an innocent bystander? We can't really say. If there's any truth to the indictment, my money is on him being a reporter who got too close to the fire and got burned.

Which could, of course, still ruin his career. But what I really hope is that Keys doesn't end up wasting his talents behind bars.

Here's the federal indictment:

Lede image via Matthew Keys' Facebook page

Copyright. Innovation. Free speech. These firestarting issues and the relationship between creation, law and technology were the topics in a Sunday panel that just may have been the sleeper hit of SXSW.

Speakers included Andrew Bridges, partner at Fenwick & West LLP, Margot Kaminski, the executive director at the Information Society Project at Yale Law School, Wendy Seltzer, policy counsel at the World Wide Web Consortium (W3C), Derek Khanna, a former Republican Study Committee staffer, and surprise guest Ben Huh, the chief executive of Cheezburger. All have been influential in speaking out against and litigating civil liberty cases pertaining to ACTA, SOPA and PIPA.

After the panel, ReadWrite spoke one-on-one with Bridges, whose 30-year career has included representing clients like Google and MasterCard in cases involving copyright, trademark and unfair competition. Bridges spoke on the lessons stemming from the hour-long panel:

ReadWrite: You have lots of criticisms of the copyright system. Can you explain your objections?

Andrew Bridges: Copyright is elevated to a level of importance in our society and our politics that it does not seem to deserve. If you actually took some copyright policies and extended them into other arenas, the consequences would seem absurd. Let's say we decided to apply the Six Strikes principal. Say you send out one of those mailers for a subscription to Time Magazine. And you check the box that says bill me later. Let's say that they start sending you Time Magazine, and after 2 or 3 issues they send you the bill, and you never pay. But in the meantime you have 6 or 8 issues before they cut you off for not paying. My proposal is let's adopt Six Strikes and knock somebody off the postal system. You don't pay for it, you don't get to use the postal service any longer. Or let's say somebody blows through a toll plaza 6 times, does that mean you don't ever use the highways anymore? In the world of DMCA take-down notices, the copyright holder sends 6 wrongful take down notices, maybe they should lose access to the copyright system itself. Why is this limited to occasional, or amateur or individual persons who induce copyright infringement and why are they subjected to these type of penalties?

ReadWrite: How is copyright disruptive to technology?

Andrew Bridges: New technologies do disrupt existing business models. They do disrupt current expectations of profits and revenues. Actually copyright law itself has its own disruptive function. The function of copyright law as it has evolved is indeed to disrupt innovation and to disrupt new technologies that threaten the interest of copyright holders. Frankly all copyright legislation has been in reaction to new technologies that are developed. And copyright law has sought as its purpose, interfering with, limiting, pampering and indeed disrupting innovation of technology, business plans, even disruption of consumer choice.

ReadWrite: For example?

Andrew Bridges: It's illegal to operate a business where you rent CDs out. Under copyright law, it's illegal to watch on your DVD player, a DVD that a Greek friend of mine brings over as a present, because it has region coding. That's a disruption of a user experience, by copyright law. We talk about disruptive technologies, but I think we're talking about both disruptive technologies and disruptive law. I think if we have to look at rival disruptions,  on the one hand [disruption] of business models and our expectations, and the other side [disruption] of technological developments and innovations and consumer choice, then I tend to cast my allegiance on the side of those who are disrupting older business models. That is how an economy grows, by creative disruption. That's exactly how innovation enriches our culture and gives us the progress of science and the useful arts.

If other laws were proportional to copyright law, the fine to jump a NY subw turnstile ($2) would be $370K. Thx @andrewbridges! @sxsw #ftmsx

— Flip The Media (@flipthemedia) March 10, 2013

ReadWrite: How out of whack are the penalties for copyright violation?

Andrew Bridges: A woman in Minnesota got hit with a jury verdict of $1.5 million for downloads without any evidence that she actually shared anything with anybody else. That law allows statutory damages, which I call fictional damages because they [are] divorced from any proof whatsoever. The law allows fictional damages of $150,000 per work infringed. And that includes $0.99 downloads. So the ratio between penalty and loss revenue is excessive... 150,000 to 1. Let's put copyright in the broader context. If I jump the turnstile of the New York City subway, If the copyright proportionality damages applies, it would be OK for that penalty fare to be $370,000. It's as ridiculous in copyright law as it is in subway law.

ReadWrite: So who's at fault here?

Andrew Bridges: People are focusing on Congress, [but] that's misplaced... after SOPA. Because things don't have to happen in Congress for bad things to go off. Even though SOPA failed, SOPA is now in some respects the law of the land. Because we now have Soft SOPA. We have the government putting pressure on advertising networks and putting pressure on payment processors, unofficially, to take the same measures that SOPA was going to require them to [do]. But now it's a sort of 'if you know what's good for you, could you pretty please, wink-wink' method.

ReadWrite: Can you give an example of that pressure?

Andrew Bridges: There are payment processors notifying companies that they are no longer willing to process payments for them. It's happening. It happened with three of my clients. It's part of what the administration calls its 'voluntary cooperation initiative,' which the Intellectual Property Enforcement Coordinator Victoria Espinel describes in her annual report. And we have advertisers blacklisting certain sites, and telling sites. 'We're not going to place advertising on your site because people tell us you're not a good site.' So that's happening. And it's being done as "Oh it's just a private decision." But it's no secret that the government is encouraging these private decisions. So that's why I call it Soft SOPA.

Photo courtesy of Wendy Seltzer.