We’re familiar with vulnerability disclosure philosophies, but what if the problem can’t be fixed because there’s no forward secrecy for the hundreds of millions of documents that are already out there?
It’s tricky stuff and we have limited resources, unfortunately.
It’s a fine line. Most redactions are for the good, to protect someone or something. For example even in the Epstein files, where some redactions are being abused, most redactions are protecting victims.
If there’s a way to undo huge amounts of redactions, that’d certainly be a net negative. Sort of like if encryption were suddenly broken, you wouldn’t publish a paper saying so.
Our goal has always been to educate about the problem so that it can be addressed. We didn’t have resources to push on the font metrics approach, so we stayed mostly quiet about it.
Really depends on the length and predictability of the redaction, but yes. If it's short and contextually it's only likely to be either "yes" or "no", you've got it. If it's longer and could contain an unknown person's name along with some other words, well, that's harder.
No, we worked with researchers that developed that kind of system, but didn't broadcast our work b/c the research was too sensitive. Seems the cat is out the bag now though.
I think the combination of AI and font-metrics is going to be wild though. You ought to be able to make a system that can figure out likely words based on the unredacted ones and the redaction's size. I haven't seen any redaction system yet that protects against this.
Cool to see this here. It’s funny because we do so many huge, complex, multiyear projects at Free Law Project, but this is the most viral any of our work has ever gone!
Anyway, I made X-ray to analyze the millions of documents we have in CourtListener so that we can try to educate people about the issue.
The analysis was fun. We used S3 batch jobs to analyze millions of documents in a matter of minutes, but we haven’t done the hard part of looking at the results and reporting them out. One day.
OK, this is really neat:
- S3 is really cheap static storage for files.
- DuckDB is a database that uses S3 for its storage.
- WASM lets you run binary (non-JS) code in your browser.
- DuckDB-Wasm allows you to run a database in your browser.
Put all of that together, and you get a website that queries S3 with no backend at all. Amazing.
Maine's remote work program is an incredibly promising development to prevent recidivism. The amazing thing about it is that it gives real jobs to prisoners that they can seamlessly continue after they get out of prison. Normally when you get out, it's impossible to get a job, and the clock is ticking. This leads to desperation, which leads to bad behavior.
There is a real risk of exploitation, but if it's properly managed, remote work for prisoners is one of the most hopeful things I've heard about the prison system. It gives people purpose while there and an avenue to success once they're out.
OK, here's the first thing popping up in court about this. There's a motion to unseal search warrants filed by a security researcher at Stanford that was just filed:
This doesn't mean there are search warrants, necessarily, but this case might be the next place something pops up. If anybody wants to follow the case, you can do so with this link. :
You'd have to go study the case, but it's a class action case, so it'll hurt if they lose (and even if they don't). The court appears to be consolidating cases into this one, because LastPass has been sued in federal court 15 times so far:
Wow, funny to see this here. I'm the director of Free Law Project. Juriscraper is a project we use to scrape and parse millions of court records. I'll be happy to answer any questions folks have about it.
It's on version 2.6.0 now, but it has had several hundred point releases over the years as we adapt to changing court websites. Fun stuff.
It’s tricky stuff and we have limited resources, unfortunately.