A huge spreadsheet naming ICE employees gets yanked from GitHub and Medium

A massive database of current U.S. Immigration and Customs Enforcement (ICE) employees scraped from public LinkedIn profiles has been removed from the tech platforms hosting the data. The project was undertaken by Sam Lavigne, a self-described artist, programmer and researcher, in response to recent revelations around ICE’s detention practices at the southern U.S. border.

Lavigne posted the database to GitHub on Tuesday and by Wednesday the repository had been removed. The database included the name, profile photo, title and city area of every ICE employee who listed the agency as their employer on the professional networking site. A more in-depth version of the data pulled all public LinkedIn data from the pool of users, including previous employment, education history and any other information those users opted to make public. The total database lists this information for 1,595 ICE employees, from the agency’s CTO on down to low-level workers and interns.

The project accompanied a Medium post about the project’s aims that has since been removed by the platform:

While I don’t have a precise idea of what should be done with this data set, I leave it here with the hope that researchers, journalists and activists will find it useful…

I find it helpful to remember that as much as internet companies use data to spy on and exploit their users, we can at times reverse the story, and leverage those very same online platforms as a means to investigate or even undermine entrenched power structures. It’s a strange side effect of our reliance on private companies and semi-public platforms to mediate nearly all aspects of our lives.

The data set appears to have violated GitHub and Medium guidelines against doxing. Medium’s anti-harassment policy specifically forbids doxing and defines it broadly, preventing “the aggregation of publicly available information to target, shame, blackmail, harass, intimidate, threaten, or endanger.”

Because it doesn’t include personal identifying information like home addresses, phone numbers or other non-public details, Lavigne’s project isn’t really doxing in the normal sense of the word, though that hasn’t made it less controversial.

GitHub’s own policy leading to the data’s removal is less clear, though the company told The Verge the repository was removed due to “doxxing and harassment.” The platform’s terms of service forbid uses of GitHub that “violate the privacy of any third party, such as by posting another person’s personal information without consent.” This leaves some room for interpretation, and it is not clear that data from a public-facing social media profile is “personal” under this definition. GitHub allows researchers to scrape data from external sites in order to aggregate it “only if any publications resulting from that research are open access.”

While Lavigne’s aggregation efforts were deemed off-limits by some tech platforms, they do raise compelling questions. What kinds of public data, in aggregate, run afoul of anti-harassment rules? Why can this kind of data be scraped for the purposes of targeted advertising or surveillance by law enforcement but not be collected in a user-facing way? The ICE database raised these questions and plenty more, but for some tech companies the question of hosting the data proved too provocative from the start.

Priscilla Chan to discuss Chan Zuckerberg Initiative at Disrupt SF

The Chan Zuckerberg Initiative is one of the biggest philanthropic organizations in the world, and one of the most technology-forward foundations in history. By integrating technology, CZI believes it can effect social change at a much more rapid pace than by simply infusing initiatives with cash.

With that said, we’re absolutely thrilled to have Priscilla Chan join us on the Disrupt SF stage in September.

The Chan Zuckerberg Initiative was founded in 2015 upon the birth of Mark Zuckerberg and Priscilla Chan’s first daughter Max. The $45 billion organization first launched with a focus on personalized education, and has moved into the areas of justice and science since then.

The overall goal of the education initiative at CZI is to ensure that all children are able to realize their full potential by the age of 21, including the ability to earn a living wage, achieve independence, and identify and pursue their passions.

Some educational programs include The Summit Learning Platform (meant to give educators tools to customize instruction based on the student), The College Board (which helps students from rural and low-income communities prep for college and career), and Vision To Learn (a non-profit that offers free eye exams and glasses to low-income children).

CZI is also investing in justice and opportunity, with focuses on criminal justice reform, economic opportunity, housing affordability, and immigration reform.

In 2016, CZI added a Science initiative to the docket, focusing its efforts on collaboration between the tech and science communities, enabling tools and technologies, and building support for science and scientific research with the hope that doctors and scientists will be able to cure, prevent or manage all diseases by the end of this century.

Part of what makes the Chan Zuckerberg Initiative so impactful is its continued effort to use the efficiency and affordability of technology to further various causes.

Though CZI has been up and running for three years, the organization has really started to hit its stride of late, hiring a number of big names from the tech world to join the leadership team.

We’re thrilled to ask Chan about her work at CZI and her plans for the future of the organization at TC Disrupt SF.

Tickets to the show are available here.

CivTech Scotland wants to procure what no one knows exists

Here’s a tale of two organizations. When it comes to banking, I can walk up to an ATM anywhere in the world, slide in a card, hit a couple of buttons, and walk away with cash, often in less than 20-30 seconds. It’s magical, but so quotidian that we easily forget the vast technical infrastructure that powers this experience.

Now, try to walk into a government agency to get service done. You often need to get a ticket and wait, often for an hour or more. During a recent trip to the New York Department of Motor Vehicles, I ended up getting sent to four different lines, all of which were independent, and because of a computer malfunction, the whole place was being run by people pointing and shouting.

The dichotomy between those two experiences is, fundamentally, a difference in procurement.

Before you run to get coffee (or whiskey, for that matter), let me say this: procurement is the sort of extremely boring but absolutely vital task that is both the barrier but also the opportunity for making the DMV and other government services more like the ATM. New initiatives around the world are trying to rebuild procurement from the ground up, with entrepreneurship at their core. One initiative I’ve spent time with recently is CivTech, based in Scotland.

CivTech, a component of the digital directorate of the Scottish government, is a sort of two-sided marketplace connecting startup founders with government agencies. Agencies sponsor challenges, and startups compete to be the best at solving that challenge, potentially winning hundreds of thousands of dollars and a reference customer. Those startups are organized into batches, with the program launching its third batch shortly (applications are due July 2nd).

Alexander Holt, head of CivTech, is an energetic true believer that startup innovation can transform government services. For him, the key question for public agencies is “how do you procure what you don’t know exists?”

In the classical model of procurement, an agency drafts a Request for Proposals (RFP) that spells out exactly what the agency is looking for from vendors. Then, whoever bids lowest on the RFP will usually get the contract. The disconnect is that agencies rarely know what solutions they need, and Holt says that often leads to disaster. “We are writing specs that we don’t understand, and we are looking at the solution, not looking at the problem,” he said.

Holt wants to completely change that process. Instead of presenting a solution and asking for implementations, he wants agencies to present problems and keep an “open mind” about what a solution might look like. His message to agencies is “don’t give us a solution you think you need, but give us a problem you think you have.”

Then — and this is a major difference from traditional procurement — he encourages agencies to select several teams (usually three) to build pilot projects that could solve the problem. The idea is to get a better sense of what solutions exist, and also learn how the companies function. “You get an understanding of their capacity and more importantly, their culture, and that is really important,” Holt explained.

After a few weeks of building, the agency can choose to work with one company, and help them launch their product. The model is fast, since startups are iterating rapidly in competition with each other, but also cheap. As Holt said, “The other benefit for the challenge sponsor is that the amount of time that the companies are putting in versus what you’re paying them is 10 times cheaper,” than conventional procurement models.

CivTech wants to educate the next generation of civic entrepreneurs

For startups participating in the program, CivTech hopes it can provide them with legitimacy and a first customer for their business. By the end of the program, “you have a first reference client, which is the government, that allows you to keep your equity 100% and your IP 100%,” Holt said. Plus, the program connects its startups to citizens to accelerate the innovation feedback loop.

While the team has a bold vision, the program had humble beginnings. The first cohort launched in June 2016 within days of Brexit, which radically redefined the future of the United Kingdom and Scotland along with it. The program also faced its own procurement challenge around finding a home, eventually signing a lease for its first batch less than an hour before launch.

The program has grown rapidly since its inception. It had just 6 challenges during its first batch, but this time around has 10 challenges from a diverse set of agencies, including Scotland’s health service and illicit trade agencies.

Transforming procurement and therefore government won’t happen overnight, but a change in mentality is the key to imprinting entrepreneurship and startup culture on bureaucrats. Holt said that his message is always consistent: “show me the law, not the rule.” Laws are much more flexible than we think, and changing procurement doesn’t start in the legislature, but in the acquisition office of every public agency.

Official near-earth object plan will look into nuking asteroids and other ‘planetary defense missions’

Space is a big place, and mostly empty — but there’s no shortage of objects which, should they float our direction, could end life as we know it. A new national plan for detecting and handling such objects was proposed today, and it includes the possibility of nuclear strikes on the incoming asteroids and other “planetary defense missions.”

The plan, revealed and discussed this morning, is far from a joke — it’s just that the scales these threats operate at necessarily elevate the discourse to Hollywood levels.

It’s not so much “let’s do this” as “let’s figure out what we can do.” As such it has five major goals.

First, improve our ability to detect and track near-earth objects, or NEOs. We’ve been doing it for years, and projects like NEOWISE have captured an incredible amount of these objects, ranging in size from the kind that will safely burn up in orbit, to those that might cause serious damage (like the Chelyabinsk one), to proper planet-killers.

But we often hear about NEOs being detected for the first time on near-collision courses just days before approach, or even afterwards. So the report recommends looking at how existing and new programs can be utilized to better catch these objects before they become a problem.

Second, improve our knowledge of what these objects can and have done by studying and modeling them. Not just so that we know more in general, but so that in the case of a serious incoming object we know that our predictions are sound.

Third, and this is where things go a little off the rails, we need to assess and develop NEO “deflection and disruption” technologies. After all, if a planet-killer is coming our direction, we should be able to do something, right? And perhaps it shouldn’t be the very first time we’ve tried it.

The list of proposed methods sounds like it was sourced from science fiction:

This assessment should include the most mature in-space concepts — kinetic impactors, nuclear devices, and gravity tractors for deflection, and nuclear devices for disruption — as well as less mature NEO impact prevention methods.

I wasn’t aware that space nukes and gravity tractors were our most mature concepts for this kind of thing! But again, the fact is that a city-sized object approaching at a significant fraction of the speed of light is an outlandish problem that demands outlandish solutions.

And I don’t know about you, but I’d rather we tried a space nuke once or twice on a dry run rather than do it live while Armageddon looms.

At first these assessments will be purely theoretical, of course. But in the medium and long-term NASA and others are tasked with designing actual “planetary defense missions”:

This action includes preliminary designs for a gravity tractor NEO deflection mission campaign, and for a kinetic impactor mission campaign in which the spacecraft is capable of either functioning as a kinetic impactor or delivering a nuclear explosive device. For the latter case, the spacecraft would contain all systems necessary to carry and safely employ a nuclear explosive device, but would carry a mass simulator with appropriate interfaces in place of an actual nuclear device. Designs should include reconnaissance spacecraft and methods to measure the achieved deflection.

Actual flight tests “would not incorporate an actual nuclear device, or involve any nuclear explosive testing.” Not yet, anyway. It’d just be a dry run, which serves its own purposes: “Thorough flight testing of a deflection/disruption system prior to an actual planetary defense mission would substantially decrease the risk of mission failure.”

Fourth, the report says that we need to collaborate on the world stage, since of course NEO strikes don’t exactly discriminate by country. So in the first place we need to strengthen our existing partnerships with countries sharing NEO-related data or studies along these lines. We should all be looking into how a potential impact could affect our country specifically, of course, since we’re the ones here — but that data should be shared and analyzed globally.

Last, “Strengthen and Routinely Exercise NEO Impact Emergency Procedures and Action Protocols.”

In other words, asteroid drills.

But it isn’t just stuff like “here’s where Boulder residents should evacuate to in case of impact.” As the document points out, NEO impacts are a unique sort of emergency event.

Response and mitigation actions cannot be made routine to the same degree that they are for other natural disasters such as hurricanes. Rather, establishing and exercising thresholds and protocols will aid agencies in preparing options and recommending courses of action.

The report recommends exploring some realistic scenarios based on objects or situations we know to exist and seeing how they might play out — who will need to get involved? How will data be shared? Who is in charge of coordinating the agencies if it’s a domestic impact versus a foreign one? (See Shin Godzilla for a surprisingly good example of bureaucratic paralysis in the face of an unknown threat.)

It’s strange to think that we’re really contemplating these issues, but it’s a lot better than sitting on our hands waiting for the Big One to hit. You can read the rest of the recommendations here.

California legislators stealthily ‘eviscerate’ state’s net neutrality bill

A group of legislators in California have sneakily but comprehensively “eviscerated” the state’s imminent net neutrality bill, removing a huge amount of protections in a set of last-minute amendments. State Senator Scott Wiener called the hostile rework of the bill “outrageous.”

California’s net neutrality bill has been cited as an excellent example of what states can do to protect their citizens now that the 2015 rules have been officially rolled back and weaker ones substituted. And in some ways it actually went further than the FCC’s popular rules, which were a bit more conservative on, for example, the practice of zero rating.

While the FCC found that zero rating practices could basically be pursued up to a certain point, the California bill would essentially render the ones that exist today illegal.

The California rules (SB 822) would allow zero rating to happen, but prohibit the part where an ISP could prioritize certain apps or businesses over others. So they could allow all music, or medical data, or indeed video advertising traffic to be free to consumers — but not just Spotify, or just this insurance provider, etc. Consumers get the benefits and are protected from most of the quiet but substantial ill effects.

But late last night the chair of the committee through which the bill must pass, Miguel Santiago, proposed some “suggested amendments” that completely removed the zero rating rules and several other important protections.

Now, disagreements on proposed laws are perfectly ordinary and that’s what committees like this are for, to balance different viewpoints and ostensibly produce a better law. And Sen. Wiener has indicated that he and the others behind the bill are willing to negotiate.

“We attempted to work with the committee and made clear we were willing to make amendments, but we also made clear what our bottom lines were, and what we couldn’t remove from the bill,” he told me. “The way the committee went about doing this is pretty outrageous.”

Normally the amendments would be proposed and the author of the bill would work with them on how to integrate them — if they can’t reach an agreement, the bill doesn’t pass the committee. But in this case the committee literally proposed the changes late last night and forcibly injected them first thing this morning.

“It’s not common to force hostile amendments into the bill, and it’s particularly uncommon to force amendments before the hearing even starts,” Wiener said.

To be clear, the amendments aren’t minor changes: pages of rules and definitions are entirely removed or reduced to far simpler versions.

“These amendments eviscerate the bill,” Wiener said. “They remove critical protections on interconnection, paid access fees, anti-consumer zero rating.”

Naturally these are issues that broadband and mobile providers are very concerned about. Since many already zero-rate lots of services, they would have to bring their offerings into line with the law, the process of which would probably remove any competitive benefit they derive from them.

Why couldn’t these decisions wait until the bill is formally heard and public opinion formally sought? The bill as it was written had received plenty of support, but substantive changes could still be made in the months before it is voted on.

Wiener was frustrated but not defeatist. “We’re all professionals,” he said. “These are my colleagues. I’m sure we’ll have lots of discussions over the next few weeks, or even the next few months.”

That said, it’s clear from this ambush on the bill that there are powerful forces at work opposing it. What happens next is anybody’s guess, but we’ll know more in the coming weeks as more hearings and committees consider the now deeply compromised law.

Trump signs an executive order to detain families together at the border indefinitely

President Trump has signed an executive order to reverse a practice recently enacted by his own administration that resulted in the separation of children from their families at the border.

The language of the executive order, titled “Affording Congress an Opportunity to Address Family Separation,” points blame at Congress, echoing Trump’s previous statements demanding that this issue be resolved through legislation although it was not implemented through legislation.

The meat of the order:

“Section 1. Policy. It is the policy of this Administration to rigorously enforce our immigration laws. Under our laws, the only legal way for an alien to enter this country is at a designated port of entry at an appropriate time. When an alien enters or attempts to enter the country anywhere else, that alien has committed at least the crime of improper entry and is subject to a fine or imprisonment under section 1325(a) of title 8, United States Code. This Administration will initiate proceedings to enforce this and other criminal provisions of the INA until and unless Congress directs otherwise. It is also the policy of this Administration to maintain family unity, including by detaining alien families together where appropriate and consistent with law and available resources. It is unfortunate that Congress’s failure to act and court orders have put the Administration in the position of separating alien families to effectively enforce the law.”

The executive order proposes a “temporary detention policy” that would allow the Department of Homeland Security to detain families attempting to enter the United States at the southern border “during the pendency of any criminal improper entry or immigration proceedings involving their members.”

That portion of the order suggests that DHS would indefinitely detain a family together while any of its members await prosecution and potential deportation, a policy that looks likely to violate an existing court decision, Flores v. Reno. Because that legal precedent forbids the indefinite detainment of children at the border, the administration is likely gearing up for a clash in the courts.

Through the executive order, the president makes his plan to challenge the decision, known as the Flores agreement, plain:

“The Attorney General shall promptly file a request with the U.S. District Court for the Central District of California to modify the Settlement Agreement in Flores v. Sessions, CV 85-4544 (“Flores settlement”), in a manner that would permit the Secretary, under present resource constraints, to detain alien families together throughout the pendency of criminal proceedings for improper entry or any removal or other immigration proceedings.”

As controversy around the southern border erupted in recent days, many major tech companies weighed in with vocal opposition to the Trump administration’s recent practice of separating adults who enter the U.S. illegally from the children they bring with them. Microsoft’s Satya Nadella also denounced the policy, though the company is facing both internal and external criticism over its previously announced intentions to supply deep learning and facial recognition software to U.S. Immigration and Customs Enforcement (ICE) through a lucrative federal contract.

Feds crack down on Tesla Autopilot safety cheat device

The federal government is stepping in to end the use of an aftermarket product designed to let Tesla owners skirt a safety feature from the electric automaker’s semi-autonomous Autopilot system.

The U.S. Department of Transportation’s National Highway Traffic Safety Administration issued a cease and desist letter Tuesday to a California company known as Dolder, Falco and Reese Partners LLC that is selling the Autopilot Buddy product.

The Autopilot Buddy product, which is marketed with the catchy slogan “Tesla Autopilot Nag Reduction Device,” is a magnetic piece of plastic that disables the feature in Tesla vehicles that monitors the driver’s hands on the steering wheel and warns the driver when hands are not detected. Aftermarket devices, such as Autopilot Buddy, are motor vehicle equipment regulated by NHTSA.

Autopilot Buddy works on the Tesla Model S, Model X and Model 3.

“A product intended to circumvent motor vehicle safety and driver attentiveness is unacceptable,” NHTSA Deputy Administrator Heidi King said in a statement. “By preventing the safety system from warning the driver to return hands to the wheel, this product disables an important safeguard, and could put customers and other road users at risk.”

Tesla’s Autopilot is not a fully autonomous driving system. Instead, the advanced assistance system includes a number of features such as traffic-aware cruise control (TACC) and its branded Autosteer, which uses information from cameras, radar and the ultrasonic sensors to detect lane markings as well as the presence of vehicles and objects. When Autopilot and the Autosteer feature are activated, the system maintains the speed of the Tesla while keeping a distance from the vehicle in front of it, keeps it in its lane and changes lanes.

However, it also requires drivers to keep their hands on the wheel, apparently a rule so annoying that owners have found all sorts of interesting ways to trick the system. When drivers don’t keep their hands on the wheel, the system is supposed to give visual and audible warnings. If the driver continues to ignore it, Autopilot shuts off.

The letter directs the company to respond by June 29, 2018, and to certify to NHTSA that all U.S. marketing, sales and distribution of the Autopilot Buddy has ended.

The company appears to have already adjusted to the feds. The company posted on its website that it is currently only taking international orders. “We are not taking orders inside the U.S.A. at this time,” the website reads. “We are hopeful to resolve this by as quickly as possible.”

Verizon and others call a conditional halt on sharing location with data brokers

Verizon is cutting off access to its mobile customers’ real-time locations to two third-party data brokers “to prevent misuse of that information going forward.” The company announced the decision in a letter sent to Senator Ron Wyden (D-OR), who along with others helped reveal improper usage and poor security at these location brokers. It is not, however, getting out of the location-sharing business altogether.

(Update: AT&T and Sprint have also begun the process of ending their location aggregation services — with a caveat, discussed below.)

Verizon sold bulk access to its customers’ locations to the brokers in question, LocationSmart and Zumigo, which then turned around and resold that data to dozens of other companies. This isn’t necessarily bad — there are tons of times when location is necessary to provide a service the customer asks for, and supposedly that customer would have to okay the sharing of that data. (Disclosure: Verizon owns Oath, which owns TechCrunch. This does not affect our coverage.)

That doesn’t seem to have been the case at LocationSmart customer Securus, which was selling its data directly to law enforcement so they could find mobile customers quickly and without all that fuss about paperwork and warrants. And then it was found that LocationSmart had exposed an API that allowed anyone to request mobile locations freely and anonymously, and without collecting consent.

When these facts were revealed by security researchers and Sen. Wyden, Verizon immediately looked into it, the company reported in a letter sent to the senator.

“We conducted a comprehensive review of our location aggregator program,” wrote Verizon CTO Karen Zacharia. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”

“We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices,” she wrote later in the letter. In other words, the program is on ice until it can be secured.

Although Verizon claims to have “girded” the system with “mechanisms designed to protect against misuse of our customers’ location data,” the abuses in question clearly slipped through the cracks. Perhaps most notable is the simple fact that Verizon itself does not seem to need to be informed whether a customer has consented to having their location polled. That collection is the responsibility of “the aggregator or corporate customer.”

In other words, Verizon doesn’t need to ask the customer, and the company it sells the data to wholesale doesn’t need to ask the customer — the requirement devolves to the company buying access from the wholesaler. In Securus’s case, it had abstracted things one step further, allowing law enforcement full access when it said it had authority to do so, but apparently without checking, AT&T wrote in its own letter to Sen. Wyden.

And there were 75 other corporate customers. Don’t worry, someone is keeping track of them. Right?

These processes are audited, Verizon wrote, but apparently not by the kind of audit that finds things like the abuse by Securus or a poorly secured API. Perhaps how this happened is among the “number of internal questions” raised by the review.

When asked for comment, a Verizon representative offered the following statement:

When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand-by that commitment to our customers.

And indeed while the program itself appears to have been run with a laxity that should be alarming to all those customers for whom Verizon claims to be so concerned, some of the company’s competitors have yet to take similar action. AT&T, T-Mobile and Sprint were also named by LocationSmart as partners. Their own letters to Sen. Wyden stressed that their systems were similar to the others, with similar safeguards (that were similarly eluded).

In a press release announcing that his pressure on Verizon had borne fruit, Sen. Wyden called on the others to step up:

Verizon deserves credit for taking quick action to protect its customers’ privacy and security. After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.

AT&T actually announced that it is ending its agreements as well, after Sen. Wyden’s call to action was published, and Sprint followed shortly afterwards. AT&T said it “will be ending [its] work with these aggregators for these services as soon as is practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.” Sprint stopped working with LocationSmart last month and is now “beginning the process of terminating its current contracts with data aggregators to whom we provide location data.”

What’s missing from these statements? Among other things: what and how many companies they’re working with, whether they’ll pursue future contracts, and what real changes will be made to prevent future problems like this. Since they’ve been at this for a long time and have had a month to ponder their next course of action, I don’t think it’s unreasonable to expect more than a carefully worded statement about “these aggregators for these services.”

T-Mobile CEO John Legere tweeted that the company “will not sell customer location data to shady middlemen.” Of course, that doesn’t really mean anything. I await substantive promises from the company pertaining to this “pledge.”

The FCC, meanwhile, has announced that it is looking into the issue — with the considerable handicap that Chairman Ajit Pai represented Securus back in 2012 when he was working as a lawyer. Sen. Wyden has called on him to recuse himself, but that has yet to happen.

I’ve asked Verizon for further clarification on its arrangements and plans, specifically whether it has any other location-sharing agreements in place with other companies. These aren’t, after all, the only players in the game.