Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers
from the but-we-maintain-strict-control-of-the-cables! dept
The FBI's Inspector General has released a report on the New Jersey FBI branch's Computer Forensics Laboratory. For the most part, the report is positive and shows this branch tends to handle its forensics work competently. The problem comes when it opens up its tools up to local law enforcement.
The FBI lab has a phone/media forensics kiosk located in the lobby of its building.
The Cell Phone Investigative Kiosk (Kiosk) allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put the data into a report, and copy the report to an electronic storage device such as a compact disk.8 In addition to the Kiosk, there is also a Loose Media Kiosk, which processes digital evidence stored on loose media, such as a DVD or memory card.Because it's outside of the actual lab, the FBI apparently feels it's ok if it doesn't track who's using the kiosk.
To use the Kiosk, law enforcement personnel are required to schedule an appointment. However, the NJRCFL does not require Kiosk users to sign its Visitors Log since users do not go beyond the reception area or enter the NJRCFL’s laboratory space.That leads to this sort of thing.
According to the Director, sometimes one investigator will schedule a Kiosk appointment and another investigator will show up in his or her place, or more than one investigator may accompany the scheduled investigator to use the Kiosk. According to the Director, NJRCFL personnel assume that all of the personnel who arrive for a scheduled appointment are part of the same case. However, he said that the NJRCFL does not verify that everyone arriving for a scheduled appointment is working on the same investigative matter.This is a problem because there are rules in place for use of the forensics kiosk, which include law enforcement officers having the proper authority to perform the search, the training to do so and the permission of the local AUSA (Assistant US Attorney). The FBI's decision to skip this verification step by not requiring signatures on the visitor's log means anyone could show up and use the kiosk without having secured the permission to do so.
The FBI does have this control in place, which couldn't possibly be circumvented.
While the Kiosk is housed in the reception area, the cables necessary to connect the Kiosk to a cell phone are not stored with the Kiosk. Instead, the NJRCFL examiner responsible for supervising the Kiosk provides the cables to a visiting user. Without the cables, cell phones cannot be connected to the Kiosk, ensuring that the examiner on duty would have to know that a person was attempting to use the Kiosk because the examiner would have to supply the appropriate cable.These "cables" sound a lot like your standard USB cables. There may be a proprietary connection on the FBI kiosk which prevents the use of off-the-shelf cables, but it's not as though no one in law enforcement could secure this sort of cable through other means. Even if these are cables that are only found at FBI offices, there's nothing stopping law enforcement officers from searching removable media without checking in with the reception desk first.
On top of that, there's nothing preventing law enforcement officers from asking for a cable and then performing illegal searches or using the forensics software for non-law enforcement reasons.
As a result of the procedures and practices described above, we found that the NJRCFL did not have adequate controls over the access to and use of its Kiosk. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, neither the FBI nor the NJRCFL provided any confirmation to show that NJRCFL Kiosk users possessed the proper legal authority to search for evidence on the devices examined. In addition, the FBI did not provide us with any information regarding controls in place at the NJRCFL to ensure that users do not use the Kiosk for nonlaw enforcement matters, an inherent risk of Kiosks without adequate controls.While the form officers are required to fill out to use the kiosk contain statements about having the legal authority to perform the search, the documents do not ask for any specifics about these authorities. It's just boilerplate text that anyone can sign, knowing that the lack of a visitor's log means no one can cross-reference possibly bogus affirmations with kiosk use.
This same problem is likely found at most other FBI offices with forensics kiosks. The report notes the same issues were discovered during its audit of the Philadelphia field office. The form -- and the "best practices" -- provide only the most minimal of safeguards against abuse. And the fact that the changes made in Philadelphia in response to the OIG's investigation never trickled down to the New Jersey office suggests this problem will be corrected on a case-by-case basis following an Inspector General's audit, rather than adopted across all offices.
A new form has been put into use -- at least at the New Jersey office -- that will capture more information about the legal authorities used to perform kiosk searches. However, there's nothing in the report that indicates this office -- or any others -- have stepped up to require kiosk users to sign a visitor's log. In addition, more than a quarter of kiosk users reported they did not have the training in place to use the equipment, yet are accessing it anyway. Until more improvements are put in place, FBI offices can't say they're doing everything they can to ensure lawful use of its forensic equipment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: abuse, fbi, forensic kiosks, forensic lab, law enforcement, new jersey
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Really. Their security method is proprietary cables. Because Apple succeeded in preventing anyone from buying some knock off, right?
[ link to this | view in chronology ]
Re:
It is unknown whether proprietary cables are needed.
Given that the FBI would want to promote abuse of these kiosks, why should they require anything other than standard off the shelf cables. And yes, it is correct to assume that they deliberately intend to promote abuse. Otherwise why go to all the trouble to put these into kiosks that anyone can access with no controls other than a mere token that allows them to claim that usage is controlled by an appointment, a form and required cables.
If the cables requirement is so easy to work around, how difficult is it to work around the appointment requirement and the signature requirement.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
NEW!! FIB Hack-A-Fone Kiosk!
Chance to win up to $1000 each time you visit the mall!
That would save law enforcement from having to round up every US citizen to 'inspect' their phones. And after all, this is about pirac... er, I meant to say, about terrorism.
And just like any offer to win up to $1000, you only have to pay it once. And the meaning of 'up to' is not well defined. And you can pay it to any of your cronies or hired goons.
[ link to this | view in chronology ]
UPCOMING: House E&C Oversight hearing April 19
“Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives”
Invited witnesses TBA. Hearing will be webcast.
[ link to this | view in chronology ]
Re: UPCOMING: House E&C Oversight hearing April 19
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Of course! That's what's so wonderful about tax dollars!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
FBI: Heads They're Transparent, Tails They're Not
This is the same FBI that forces local police departments to sign non-disclosure agreements regarding the use of electronic surveillance gear?
The paragraph below was excerpted from The Intercept:
Stingrays
A Secret Catalogue of Government Gear for Spying on Your Cellphone
Jeremy Scahill, Margot Williams
Dec. 17 2015, 12:23 p.m.
When state or local police purchase the cell-site simulators, they are routinely required to sign non-disclosure agreements with the FBI that they may not reveal the “existence of and the capabilities provided by” the surveillance devices, or share “any information” about the equipment with the public.
https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your- cellphone/
So on one hand FBI would like to be more forthcoming and transparent in it's use of electronic surveillance gear and on the other they require local police departments to sign non-disclosure statements regarding their use even going so far as dropping all charges so the methods utilized in collecting the data can remain secret.
The paragraphs below was excerpted from Techdirt:
New Documents Show FBI Instructing Law Enforcement To Throw Out Cases Rather Than Give Up Info On Stingray Use
by Tim Cushing
Wed, Apr 8th 2015 12:20pm
In short: parallel construction. The Sheriff's Office can hand over the results of Stingray collections, but not divulge how it arrived at these results. If it's going to deploy a Stingray, it either needs to do it without a warrant, or mislead the judge on its search techniques when applying for one.
When not lying to judges, the Sheriff's Office will need to lie to defendants and their counsel. Most incredibly, the FBI instructs the law enforcement agency to directly disobey court orders, if it would mean turning over Stingray information.
If any of this seems unavoidable, our nation's top law enforcement agency encourages its colleagues to toss out criminal prosecutions rather than risk exposing Harris Technology's equipment.
https://www.techdirt.com/articles/20150408/10242230590/new-documents-show-fbi-instructing- law-enforcement-to-throw-out-cases-rather-than-give-up-info-stingray-use.shtml
So which is it FBI guys/gals? Are you going to be more transparent or will you continue force local police departments into signing non-disclosure statements and drop charges when it becomes too inconvenient.
The FBI's electronic surveillance gear scheme sounds mighty arbitrary and as any student of the law should know:
Arbitrary application of the law is tyranny.
[ link to this | view in chronology ]
New Jersey TRANSIT
So, recording your cell phone conversation in a train by the police is ok??? Makes all this sting-ray stuff seem tame by comparison.
http://www.nj.com/traffic/index.ssf/2016/04/nj_transit_is_recording_the_conversations_of_ thousands_of_its_riders.html
[ link to this | view in chronology ]