Government Prosecutor Caught Sending Emails With Tracking Software To Reporters And Defense Attorneys

from the Mark-Harmon-must-be-rolling-over-in-his-grave dept

Well, this is a new twist on prosecutorial misconduct. Why play fair when you can play with Network Investigative Techniques?

A Navy prosecutor last week sent an email to the editor of Navy Times that was embedded with a secret digital tracking device. The tracking device came at a time when the Naval Criminal Investigative Service is mounting an investigation into media leaks surrounding the high-profile court-martial of a Navy SEAL accused of war crimes.

That email, from Navy prosecutor Cmdr. Christopher Czaplak to Navy Times editor Carl Prine, came after several months of Navy Times reporting that raised serious questions about the Navy lawyers’ handling of the prosecution in the war crimes case.

The NCIS claims this is all above-board, which is obviously the case because no one was surprised by the presence of trackers and no one had to issue a statement defending the use of emails containing tracking software. Oh wait. The other thing.

The reporter was more than surprised the prosecutor decided to engage in his own leak investigation to track the source of information covered by a protective order. The prosecutor's employer, the US fucking government, explained via a spokesman that this tracking software was not "malware" or a "virus" and does nothing more than send IP addresses back to the NCIS home base. This is apparently supposed to make this OK.

But how OK is it really? Not very, it would appear. Not only does the use of this NIT violate a handful of laws, it also plays havoc with a handful of protections, Constitutional and otherwise.

The Navy email to Navy Times contained hidden computer coding designed to extract the IP address of the Navy Times computer network and to send that information back to a server located in San Diego. Under U.S. criminal law, authorities normally have to obtain a subpoena or court order to acquire IP addresses or other metadata. Not using one could be a violation of existing privacy laws, including the Electronic Communications Privacy Act.

Defense attorneys involved in the SEALs’ war crimes cases have said that 13 lawyers and paralegals on their team also received emails with a similar tracking device, according to court documents filed by the defense attorneys.

Sure, there's not much to be gleaned from scraped IP addresses, but it's possible that's not all that was picked up by the NCIS's NIT. It could have gathered email metadata as well, which can be almost as revealing as the content of the emails, especially when prosecutors are looking for sources of leaks.

This is problematic for a number of reasons. Targeting journalists to reveal sources does damage to First Amendment protections. Targeting defense attorneys puts attorney-client confidentiality at risk and strongly suggests the government isn't interested in a fair trial.

NCIS insists its prosecutor is in the right, despite all this potential collateral damage. The attorney representing a Navy SEAL accused of war crimes begs to differ.

“The conduct of the prosecution is egregious,” said Tim Parlatore, a New York-based attorney, who is among several, including Marc Mukasey, a member of President Donald Trump’s legal team, defending the 39-year-old Gallagher. “(Cmdr.) Chris Czaplak should lose his law license and face criminal charges. He illegally spied on the defense attorneys and the media. The prosecutor needs his own defense attorney.”

The US government continues to downplay this as just a normal thing done in leak investigations. But it isn't. It targeted journalists and defense attorneys -- two parties that definitely shouldn't be on the receiving end of anything even mildly nefarious originating from government prosecutors. This prosecutor decided the most important thing here wasn't respecting rights or focusing on the suspect on trial, but rather sniffing out the source of a leak. This doesn't reflect well on the NCIS and it's quite possible there's a benchslap awaiting this prosecutor, if not sanctions and a dismissal.


Filed Under: 4th amendment, carl pine, christopher czaplak, investigation, leaks, navy, nit, tracking, war crimes
Companies: navy times


Reader Comments



  • That Anonymous Coward, 29 May 2019 @ 9:44am

    When you've enjoyed doing whatever to people once you call them a terrorist or leaker, you forget the law actually exists.

  • This comment has been flagged by the community.
    Anonymous Coward, 29 May 2019 @ 9:46am

    "The prosecutor's employer, the US fucking government,"

    This one comment alone is sufficient for one to understand that most likely everything in this article is a lie and that the author is engaged in spreading hate, fear, and lies.

    • Anonymous Coward, 29 May 2019 @ 9:56am

      Re:

      Not "one". Just you.

    • Gary, 29 May 2019 @ 9:58am

      Re:

      "The prosecutor's employer, the US fucking government,"

      This one comment alone is sufficient for one to understand that most likely everything in this article is a lie and that the author is engaged in spreading hate, fear, and lies.

      Guess you are the fucking paradigm of truthiness and reporting?
      Please show us the published article you wrote that tells us how it really is?

      • This comment has been flagged by the community.
        Piccorolo Fragasso, 29 May 2019 @ 10:29am

        "Gary", you astro-turfing by Timothy Geigner, aka "Dark Helmet"

        So you have ZERO authority to snipe at anyone.

        And are at least TWO with same view of Techdirt. So few reasonable people read this tiny little site that doesn't give any indication of how anomalous and stupid are its netwit notions.

        DULL STALE topics like this certainly don't help, either.

        By the way... No one seems to pick up on the HOW of this, but "emails" are mere TEXT and can't "track" themselves. The REAL story here is how vulnerable are "modern" systems, especially Linux, Apple, Android, and Crimosoft: no email reader should be executing ANY code from such "containers" in first place! It's. Just. Stupid.

        Now, had Techdirt followed THAT slant, it'd be interesting. But since utterly conventional un-imaginative netwits re-writing for other such, it won't even now pointed out, just re-writes slightly what's been out a week.

        • Anonymous Coward, 29 May 2019 @ 10:38am

          So few reasonable people read this tiny little site that doesn't give any indication of how anomalous and stupid are its netwit notions.

          Thanks for reminding us that you're an unreasonable person!

        • Anonymous Coward, 29 May 2019 @ 12:27pm

          Re: "Gary", you astro-turfing by Timothy Geigner, aka "Dark Helm

          And are at least TWO with same view of Techdirt.

          There are dozens of us! Literally dozens of us!

          • Anonymous Coward, 29 May 2019 @ 12:44pm

            Re: I love watching unmedicated schizos brains melt.

            I am at least 22 Bangladeshis and one Spartacus.

    • Spaceboy, 29 May 2019 @ 3:43pm

      Re:

      This information is about two weeks old. It's well beyond the regular news cycle. As to the article itself, had you clicked any of the links embedded within or maybe searched for yourself, outside of Techdirt, you would have found this same information.

      There are organizations that earn their pay with Fake News. Techdirt is not one of them.

      One has to wonder, with the type of news org that is Techdirt and those that follow it, why would you waste your time on weeks-old news on a blog that you don't care enough about to register and post under at least a pseudonym.

    • R,og S/, 30 May 2019 @ 9:40am

      Re:

      Are you always an idiot, or just today?

      • R,og S/ooops, 30 May 2019 @ 9:43am

        Re: Re:

        that comment was supposed to be to the idiot decrying this whole artukle is liez!

  • UniKyrn, 29 May 2019 @ 9:57am

    So much for that evidence

    Tainted, collected illegally, inadmissible.

    • ANON, 29 May 2019 @ 10:52am

      Re: So much for that evidence

      Irrelevant.

      It does not matter - all the prosecutor is doing is establishing what is the public IP of the email recipient. (I.e. because the email downloaded the "transparent 1 pixel image" embedded in the HTML of the message, he now knows what the IP address is.) If it was opened at home, he knows the journalist's home IP. From there, the prosecutor looks for any other people in the suspect group of leakers who may have had chats, sent items, etc. to that IP, thus making them suspects. He searches the navy base firewalls, which log all sorts of data about connections to outside.

      • Anonymous Coward, 29 May 2019 @ 11:55pm

        Re: Re: So much for that evidence

        From the military times:

        “He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,” according to a Portier defense motion filed Tuesday.

  • Burning woodchipper, 29 May 2019 @ 10:11am

    Navy Times is not part of the Navy

    For those who don't know, the Navy Times is NOT part of the Navy, or the DoD in any way. Sightline Media Group publishes the Navy Times, the Army Times, and the Air Force Times - and frequently goes head-to-head with the powers that be in the military.

    As a former sailor ... the Navy Times was most often a realistic counterpoint to the propaganda the official Navy channel published.

    Just in case you thought it was OK for a navy prosecutor to go after a Navy publication because they're both DoD - they're not.

    • Anonymous Coward, 29 May 2019 @ 7:45pm

      Re: Navy Times is not part of the Navy

      So, someone is getting into a blue with the Navy?

  • timlash, 29 May 2019 @ 10:20am

    CFAA Violation?

    "...could be a violation of existing privacy laws, including the Electronic Communications Privacy Act."

    What about a violation of the CFAA for unauthorized access of a computer network?

  • Anonymous Coward, 29 May 2019 @ 10:21am

    Not entirely accurate

    It could have gathered email metadata as well, which can be almost as revealing as the content of the emails, especially when prosecutors are looking for sources of leaks.

    Um, no, not really. These "tracking devices" are typically 1 pixel square transparent images linked to an external server, i.e. the image is downloaded from some server via http. This is how HTML email, the kind that displays more than simple text, works. The request from your mail client for the image from the server hosting the image passes along the "user agent" (your email client name and version) and your IP address. Nothing more.

    There is no chance of exposing "email metadata" or anything else necessary to put attorney-client privilege or news sources at risk. This article demonstrates a typical yet fundamental lack of understanding of how email and the internet work.

    Yeah, it's crappy that they're collecting IP addresses but that and the time/date their emails were viewed are all they get out of this. They're also super easy to defeat: Disable automatic remote content in emails and only download remote content for emails for which you choose to do so.

    • Anonymous Coward, 29 May 2019 @ 10:30am

      Re: Not entirely accurate

      According to the story:

      Finding that suspicious, McCue contacted his Air Force communications squadron, according to court documents filed by the defense. “He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,” according to a Portier defense motion filed Tuesday.

      It also specifically says software was included, not just an image. But an earlier paragraph describes a suspicious image, so I think you're right that the malware claim is bullshit. I get the impression that neither the reporter nor the squadron tech people know what they're talking about.

      • Anonymous Coward, 29 May 2019 @ 1:21pm

        Re: Re: Not entirely accurate

        sent an email to the editor of Navy Times that was embedded with a secret digital tracking device.

        Everything in an email is digital. Most is hidden. Unless there's either an embedded exploit or an embedded phishing attack, the most they can do is embed a callback script or image reference that calls home. And most email clients are designed to NOT call home on those unless you load images or agree to run a script.

        I'd really like to know what sort of "NIT" was used here, because if it's not one of the simple ones that can be ignored by the mail client, it breaks all sorts of laws by being deployed against civilians by the military.

        • Anonymous Coward, 29 May 2019 @ 5:07pm

          Re: Re: Re: Not entirely accurate

          Doesn't "NIT" specifically refer to something that uses an exploit? I certainly wouldn't use the term for a tracking image, which would lead us to the conclusion "OMG Facebook like buttons are hacking our computers!!!". They're using a feature as designed, which as noted only shitty email clients will even allow.

    • This comment has been flagged by the community.
      Piccorolo Fragasso, 29 May 2019 @ 10:34am

      Re: Not entirely accurate - Dang. Techdirt's shrieking misled me

      Yup, fell into the trap of thinking this was a big deal with code executed, when you're probably right: just pixel based tracking, as GOOGLE and every other SPY corporation uses.

      You need to "host out" the known commercial ones to defeat it when merely browsing, though of course that wouldn't work for a custom server.

      • Anonymous Coward, 29 May 2019 @ 1:23pm

        Re: Re: Not entirely accurate - Dang. Techdirt's shrieking misle

        I think you'll find the shrieking was in the courtroom; TD's just reporting it.

    • Anonymous Coward, 29 May 2019 @ 11:04am

      Re: Not entirely accurate

      They're also super easy to defeat: Disable automatic remote content in emails and only download remote content for emails for which you choose to do so.

      There is no such option in PINE (nor is it probably even needed)

      Another 'solution' is to use a proxy or VPN, as well as make sure that all scripting is disabled, though that doesn't prevent the attacker from using some other zero-day exploit that can peek behind proxies. And let's not forget that TOR was thought to be untraceable, until the FBI proved otherwise.

      • Anonymous Coward, 29 May 2019 @ 7:44pm

        Re: Re: Not entirely accurate

        And let's not forget that TOR was thought to be untraceable, until the FBI proved otherwise.

        Please be careful with statements like this. It gives the impression that the FBI discovered some fundamental flaw in the design of Tor--when in reality they did what any attacker would do and attacked not the strong foundation but a weaker upper layer, viz., Firefox which is the basis of the Tor Browser. Tor Browser is not the same as Tor, and a browser bug doesn't make all uses of Tor traceable.

    • TKnarr, 29 May 2019 @ 11:20am

      Re: Not entirely accurate

      And it shouldn't work anyway, all email clients I know of (well, all non-Web-based ones anyway) default to not fetching remote content in email bodies at all and you have to deliberately enable it before it'll go fetch the embedded image. A reporter probably shouldn't be using a Webmail client simply because it doesn't let you disable things like remote content and scripts.

      • Anonymous Coward, 29 May 2019 @ 12:26pm

        Re: Re: Not entirely accurate

        A reporter probably shouldn't be using a Webmail client simply because it doesn't let you disable things like remote content and scripts.

        There's no reason a webmail service has to send the original, possibly harmful, HTML to the browser. That's laziness at best (more cynically, we might note that many webmail services are run by advertising companies...).

    • Rekrul, 29 May 2019 @ 3:30pm

      Re: Not entirely accurate

      Um, no, not really. These "tracking devices" are typically 1 pixel square transparent images linked to an external server, i.e. the image is downloaded from some server via http. This is how HTML email, the kind that displays more than simple text, works. The request from your mail client for the image from the server hosting the image passes along the "user agent" (your email client name and version) and your IP address.

      I have Thunderbird set to never load remote content.

    • Anonymous Coward, 29 May 2019 @ 4:30pm

      Re: Not entirely accurate

      Yeah, I'd go so far as to say that over 75% of the emails most people receive have these tracking pixels in them, including every email you get from any major business. Outlook has the option to include them in your private email.

      In fact, pretty much any email with an image in it, hidden or not, is probably causing a server log to be updated with your IP, software, operating system, etc. It's just how the internet works.

    • Ben, 30 May 2019 @ 5:07am

      Re: Not entirely accurate

      You're missing the fact that many HTML tags can have event tracking attributes that cause JavaScript scripts to run, and said scripts can harvest a great deal of data, not unlike the urchin script that is at the core of Google Analytics' page tracking code. You'd be amazed at how much 'anonymized' data you can see in Google Analytics, and that's not even explicitly malicious.

    • Tanner Andrews, 8 Jun 2019 @ 5:57am

      Re: Not entirely accurate

      There is no chance of exposing "email metadata" or anything else necessary to put attorney-client privilege or news sources at risk.

      This is, of course, a load of fetid dingo's kidneys. Tracking pixels are not normally anonymous. Each one does, or should, identify the mail with which it was included.

      Example will illustrate. You send potentially forwardable e-mails to persons A, B, and C, including mail identifier and recipient identifiers. Watch to see what lights up. Not only do you know who brought up your e-mail when, but you can keep watching. When you see the e-mail marker for a message to B light up again, from a different IP address, you know which e-mail got forwarded.

      Spam trackers generally work on a similar principle. When you fetch tracking pixels, they can send back your e-mail address, or an index into a table of sent e-mails, along with some sort of campaign identifier, to verify that your address is a live one and a good prospect for future spam.

      Here is an example. [<img src="https://track.firmfinder.net/o.z?j=320920807&email=marklegal@yandex.com" height=24 width=24 title="tracking pixel example">]. Due to bugs with this "markdown" stuff, which ought to be ditched in favor of standard HTML, it is hard to illustrate here.

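Added example, not part of any comment above or of the Techdirt post: the tracking-pixel mechanism the commenters describe (a remote image fetched on render, often carrying a per-message or per-recipient identifier) and the "don't pass the original HTML through" defence, written as a Python scanner that a mail gateway or webmail backend could run. The hostnames, parameter names and sample message are constructed, and the attribute list and identifier heuristic are assumptions.

```python
import html
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Tag/attribute pairs a rendering client fetches without any click
# (assumed list, not exhaustive: CSS url() and srcset are not covered).
FETCH_ATTRS = {("img", "src"), ("input", "src"), ("iframe", "src"), ("script", "src"),
               ("link", "href"), ("video", "poster"), ("body", "background"),
               ("table", "background"), ("td", "background")}
REMOTE = re.compile(r"(?i)(https?:)?//")
# Heuristic: a query value that can single out one message or recipient,
# i.e. an e-mail address or an opaque token of 8+ characters containing a digit.
ID_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+|(?=.*\d)[0-9A-Za-z_-]{8,}")


def describe(tag, url, attrs):
    """Summarize what one remote reference would reveal when fetched."""
    parts = urlsplit(url)
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    hidden = "display:none" in style or "visibility:hidden" in style
    ids = [k for k, v in parse_qsl(parts.query) if ID_VALUE.fullmatch(v)]
    return {"tag": tag, "host": parts.hostname, "invisible": tiny or hidden, "id_params": ids}


class BeaconScanner(HTMLParser):
    """Records every remote fetch and rebuilds the HTML without it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.findings = []  # one dict per remote reference
        self.clean = []     # pieces of the rewritten HTML (comments are dropped)

    def _rewrite(self, tag, attrs, closer):
        kept = [tag]
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and REMOTE.match((value or "").strip()):
                self.findings.append(describe(tag, value.strip(), dict(attrs)))
                continue  # drop the attribute so the client never calls out
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.clean.append("<" + " ".join(kept) + closer)

    def handle_starttag(self, tag, attrs):
        self._rewrite(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._rewrite(tag, attrs, " />")

    def handle_endtag(self, tag):
        self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        self.clean.append(data)

    def handle_entityref(self, name):
        self.clean.append(f"&{name};")

    def handle_charref(self, name):
        self.clean.append(f"&#{name};")


def scan_message(msg):
    """Return (findings, cleaned_html) for the HTML body of an EmailMessage."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return [], None
    scanner = BeaconScanner()
    scanner.feed(part.get_content())
    scanner.close()
    return scanner.findings, "".join(scanner.clean)


def build_sample():
    """Constructed message: a visible logo, a 1x1 beacon with ids, an attached image."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "reader@example.net"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Plain-text part.")
    msg.add_alternative(
        '<html><body><p>Hello &amp; welcome</p>'
        '<img src="https://static.example.org/logo.png" width="120" height="40" alt="logo">'
        '<img src="https://t.example.org/o.gif?msg=a1b2c3d4e5f6&amp;rcpt=reader@example.net"'
        ' width="1" height="1" alt="">'
        '<img src="cid:inline-photo" alt="attached"></body></html>', subtype="html")
    return msg
```

Both remote images are reported, since even the visible logo reveals IP address, user agent and open time to its host; only the second is flagged as invisible and as carrying identifiers. The `cid:` image travels inside the message and is left untouched.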

  • ECA, 29 May 2019 @ 10:36am

    1 comment

    Monkey see, monkey do..

  • Anonymous Coward, 29 May 2019 @ 10:59am

    Ok, I'm really getting tired of the press continually suggesting that because they're "journalists" they individually deserve more rights than the average person. This is patently NOT the case. The rights of journalists are the SAME as that of private citizens. The field of journalism enjoys a few extra protections in First Amendment law because of its nature in exposing relevant information to the public at large, but any single journalist has no greater or lesser rights than any single Joe off the street before the Law.

    There is no exception in the US Constitution for journalists because it was well understood that the rights of citizens are the same as those of the rights of journalists. Any single individual could be a reporter at any instant of time and serving in the same capacity. It's the pursuit of journalism that has the protection. This has very vividly been exposed with the advent of the Internet and the democratization of news dissemination taking the reporting of news and divesting it of those more traditional media conglomerates and back into the hands of the independent citizenry as it was when the US was founded.

    "The prosecutor needs his own defense attorney.”
    Doubt it. Prosecutors are rarely prosecuted for any laws, especially federal ones and especially civil rights laws. He may need a specialist in civil law, but even that is iffy because many courts decline to hear cases against prosecutorial civil rights abuses.

  • teknosapien, 29 May 2019 @ 11:06am

    This is not criminal court

    First off, I don't agree with the tactics here. This is a military court that falls under the UCMJ Military code of conduct.
    Civilian laws do not apply here; they are playing on a completely different field when it comes to law: different rules. I don't believe that they don't have to prove guilt rather the defense must prove innocence (at least that's what they told us in boot camp)

    • Thad, 29 May 2019 @ 11:49am

      Re: This is not criminal court

      I can't speak to the specifics of military courts, but I'm pretty goddamn sure being a military prosecutor doesn't make it legal to engage in unauthorized surveillance of a privately-owned newspaper.

  • Anonymous Coward, 29 May 2019 @ 11:55am

    Even USAF doesn't like this

    Amusingly even the US Air Force is annoyed with this and is investigating what the hell is going on.

    https://www.airforcetimes.com/news/your-air-force/2019/05/21/why-the-air-force-is-investigating-a-cyber-attack-from-the-navy/

    Not a good sign when your fellow brethren in arms, even if different branch of DoD, thinks you're shady.

  • norahc, 29 May 2019 @ 1:04pm

    Let's give the government some credit here...at least they didn't pull the SFPD bullshit of raiding a journalist's home and seizing all the electronics....

    YET

  • That One Guy, 29 May 2019 @ 2:07pm

    'Well, not YET anyway...'

    The US government continues to downplay this as just a normal thing done in leak investigations. But it isn't. It targeted journalists and defense attorneys -- two parties that definitely shouldn't be on the receiving end of anything even mildly nefarious originating from government prosecutors.

    Let's be honest though, if they thought they could get away with it(or, you know, did in the case of the FBI/Playpen...) it would be a regular, 'normal' action.

    'Make the government look bad? The rules/laws no longer apply when it comes to investigating/prosecuting you.'

  • bobob, 29 May 2019 @ 4:03pm

    All you have to do is look at how infrequently prosecutorial misconduct has any repercussions to realize that it's a way of life for prosecutors.
