Could The DOJ Be Violating SESTA/FOSTA?
from the quite-possible dept
Last week, Gizmodo’s Dell Cameron has a great report on how the DOJ’s Amber Alert site was configured so stupidly that it could be used to redirect people to any website (this was also true of weather.gov and the National Oceanic and Atmospheric Administration). And it was being used. To redirect people to hardcore porn. Basically, the sites were designed such that just by knowing the right URL and adding a new URL to the end, it would redirect to those sites. Porn sites used this for a couple of reasons: first, since they’d now be getting referrals from high ranking sites, it can help their Google ranking. Second, because the primary URL would come from a trusted source again, it would help their Google ranking. And, finally, the links may look much more legit to people doing searches (though that would be more true of scam sites than porn sites).
Redirect scripts like this used to be fairly common, but they died off long ago. Except in the federal government. From Cameron’s article:
?This is like the 1990s called and wants its vulnerable redirect script back,? said Adriel Desautels, founder of the penetration testing firm Netragard.
But, here’s the thing: does this mean that the DOJ (and the NOAA) could be violating SESTA/FOSTA? It’s possible! And that just goes to show how poorly drafted the law is. Remember, under the law, it is now illegal to “participate in a venture” that “knowingly” is “assisting, supporting, or facilitating” a violation of sex trafficking laws. So, if someone were to create a DOJ Amber Alert redirect to a sex trafficking website (or just an escort site, since people keep insisting those serve little purpose other than sex trafficking) would the DOJ be in violation?
The obvious response is that the DOJ isn’t “knowingly” doing this. But… is that true? As Cameron’s article notes, every time you hit one of those Amber Alert redirects, the DOJ gives you a nice little parting message:
Is that enough to “knowingly” participate? Maybe. I would bet that if non-governmental websites popped up similar messages, SESTA/FOSTA supporters would argue it’s proof of knowledge. After all, Rep. Cathy McMorris Rodgers claimied that merely “turning a blind eye” was enough to prove “knowledge.” And here, clearly, the DOJ must be logging those exit pages. Is it ignoring them? Is that turning a blind eye? Does that count as knowledge?
Maybe it’s a stretch, but the fact that the language of the bill even makes this a possibility just demonstrates how poorly drafted the bill is, and shame on all the politicians who refused to step up and fix it.
Filed Under: doj, fosta, intermediary liability, porn, prostitution, redirects, sesta, trafficking, unintended consequences
Comments on “Could The DOJ Be Violating SESTA/FOSTA?”
Violating SESTA/FOSTA
Even if they were in violation, would they not be immune? After all they are full of prosecutors with absolute immunity.
Re: Violating SESTA/FOSTA
Immunity from logic and reason maybe.
Re: Violating SESTA/FOSTA
We already know the FBI/DOJ run actual CP sites. They were in violation of exploitation laws long before FOSTA/SESTA. If they didn’t prosecute themselves for running an actual CP site, they certainly aren’t going to prosecute themselves for redirect links.
How else can USG folks get to watch porn at the office?
As the FBI says, we have to study it, so that we can stamp it out.
“The Internet is for porn” — DARPA
Maybe. But that’s why a good bill is worded to narrowly define what is and isn’t in violation so we don’t wind up in these gray areas
::checks notes::
TWO WEEKS AFTER IT WAS SIGNED INTO LAW.
And by posting an image with the site TD could be violating SESTA/FOSTA (if that site facilitates sex trafficking).
Re: Re:
And, by commenting on the article, you’re also “participating in the venture.”
Re: Re: Re:
Wouldn’t this mean that any attempts to prosecute would involve the prosecution in the venture as well?
By extension, someone had better let Kevin Bacon know that he’s violating SESTA/FOSTA.
Re: Re: Re:
That might be true if the comment promoted the site but it doesn’t mention anything that can be perceived as promotion.
Re: Re:
Rest assured you are in violation of multiple laws every second of your life and you are probably not even aware of it, so add another one to the long list. You can be arrested for violating laws that do not exist, and yet I am supposed to get upset about this one? Why?
I seem to recall there were serious concerns about the binding of the words. In particular, does the law bind as follows:
If structured as such, then the "knowingly" qualifier only applies to whether the venture knows it is doing those things, but not to whether the defendant knew (or even reasonably should have known) that the venture was doing those things. Put another way, suppose a bus driver operates a public bus (that is, open to anyone who pays the fare). Suppose one of the riders is a criminal, such that the criminal is aware of his crime (but no one else on the bus is aware). With the bindings above, the bus driver is participating in the venture (moving people about the city) and some of those people are knowingly committing crimes, so – the bus driver is "participat[ing] in a venture" (driving the bus, collecting fares) that "knowingly" (the criminal knows what he did) is "assisting, supporting, or facilitating" a violation of some law (because the criminal cannot commit his crimes without the bus transporting him around the city). We generally agree that if a reasonable person (in this case, the bus driver) had no reason to suspect his unknowing involvement in the crime, then he should not be charged, but that’s not how the law seems to be written here.
Re: Re:
Technology sets up even worse examples:
A month ago it was reported that the Bitcoin blockchain contained child abuse imagery, making it potentially unlawful in many countries. Someone could add sex trafficking website links to the blockchain, making those storing copies or transmitting of it illegal under SESTA/FOSTA.
In your example the bus driver isn’t "knowingly" participating. But once the word is out about illegal links in the blockchain, all those who don’t erase their Bitcoin are "knowingly" participating.
Re: Re:
If the bug has been reported to them, it “knows” enough to meet the definition.
SESTA takes its' evil toll...
I appreciate that every single comment prior to this one was made anonymously. Is this evidence of the climate of fear that this legislation was designed to create?
Re: SESTA takes its' evil toll...
You don’t get it, commenter are safe, its the web site owner who will be held liable.
Making third parties responsible is the way to end all crime.
Re: Re: SESTA takes its' evil toll...
But it is the commenter that they are after, can not let anyone disparage our great leader(s).
Irony in process
I am having an enjoyable fantasy where the DoJ and NOAA get prosecuted and the law is found to be unconstitutional. That is, at least for government websites. The sex sites that did the hack are all found guilty.
This page gives a list of the attacks hackers can use. It says “don’t do this,” just to make sure the hackers feel challenged. Honestly, isn’t there anybody at the tiller over there?
https://www.weather.gov/disclaimer
"Could The DOJ Be Violating SESTA/FOSTA?" -- NO, M_snick!
LOL. This all you’ve got?
Re: "Could The DOJ Be Violating SESTA/FOSTA?" -- NO, M_snick!
If it is all he’s got, it’s a good and valid point.
Unlike you.
Re: "Could The DOJ Be Violating SESTA/FOSTA?" -- NO, M_snick!
Yes, this is actually the only post on this subject on all of Techdirt. You’ve got him.
Re: Re:
Yes, according to SESTA/FOSTA, unlike what your authoritarian loveboner would have you believe.
Seriously doubt it
There’s plenty of plausible ways the people at DOJ IT would never know without being informed first. First of all, they may not even be logging redirects. You can scoff all you want, but once you’re off their servers they may not log where the redirect went. Logging isn’t monolithic. Administrators choose what level of information collection they want. Too much and you end up with a lot of useless chaff. Not enough and you could miss something like this.
Second, most people don’t read raw log files line by line. There’s too much information there for trafficked websites like this. Administrators will be looking for certain known patterns when they filter logs which could miss things like this because no one is looking. You can’t just assume that because it’s potentially in the logs that it’s automatically going to be noticed. You have to be looking for it.
As for the law itself, politicians name laws like this exactly so they can nail opposition next election cycle. You think any politician in our society is going to want to have ads run against them that decry them for “supporting prostitution”, “exploitation of women”, “not opposing sex and human trafficking”, “not protecting our children from sexual predators”, and any other resonant issues that’s bound to stir up Average Law Abiding Joe? Average Law Abiding Joe doesn’t know, and probably doesn’t care, that the law was badly written, all he’s going to see is that their Congressman didn’t stand up against sexual deviancy and loose morals. He won’t care till he gets caught in the gears and by then it’s too late.
Re: Seriously doubt it
“First of all, they may not even be logging redirects.”
Since they have a “good bye” page, this is less likely and actually not fully a redirect issue anymore. Their page listed the URL and courts have found liability in linking.
“most people don’t read raw log files line by line”
That is not necessarily important for the “knowledge” standards. It is still up in the air as to whether or not “could have known” , “should have known”, or “knew” fits the definition. There is a lot of risk in these as they tend to encourage not logging and making it impossible to know, and that is the point. Laws that make it safer to not retain laws make it harder for law enforcement to work with sites that have bad actors using them.
“politicians name laws like this exactly so they can nail opposition next election cycle”
While I am no fan of US politicians, that is a broad statement that is almost certainly, overwhelmingly false. Most US laws are written with good intentions. Some have bad side-effects. It really is unlikely that these laws were written with as much political motivation as you seem to be attributing.
Re: Re: Seriously doubt it
Considering that the MPAA and RIAA got behind this law, and they would love to see all content on the Internet approved before publication, I doubt that good intentions come into it. Third party liability is a way of forcing third parties to control the use of their websites, and this law is a big step in that direction.
It gets better
It’s worth remembering that one of the big problematic aspects of the law is that it’s retroactive, so if one of the sites they linked to qualified then they’d be on the hook, even if they currently aren’t linking to said site.
Of course this assumes that the DOJ would ever prosecute… ah yes, ‘the DOJ’, so I doubt anyone in the agency is losing any sleep over the possibility.
Re: It gets better
I suspect the ‘Wayback Machine’ is going to have a lot of government traffic, at least for any site they may have some animosity for.
Re: Prosecutory Discretion
id est selective enforcement. It works like this:
1. Pass laws criminalizing actions everyone is guilty of.
2. Appoint prosecutors who only prosecute bad people (rather than good people who might have broken a law accidental-like.)
3. Bypass the rule of law!
lmao..
I love the concept of Security..
And those responsible for it, DONT USE ANY..
A site, setup and NEVER UPDATED…
WHO is supposed to be responsible??
Those Internet/Tech Czars that we keep firing?? WHY?? Because they tell our GOV., that they need to spend abit of money to FIX SHIT..