FBI Officials Were Angry That An iPhone Hack Blocked Them From Getting Court To Force Apple To Break Encryption

from the agency-actually-doesn't-care-much-about-the-public-or-safety dept

As you probably recall, last year the FBI tried to force a court to effectively create a backdoor for encrypted iPhones, using the high profile San Bernardino shootings as the wedge. It seemed quite obvious with how the whole thing played out that the FBI didn't really need to get into Syed Farook's work iPhone, but that it hoped leverage the high profile nature of the case and the "fear, uncertainty and doubt" around a "terrorist" attack to finally get a court to force Apple to do this. A new report reveals that the FBI was very much focused on using this case to force the issue to the point that top officials were angry that a vendor figured out another way into the iPhone, and stopped the court proceedings.

Again: if the real goal (as stated publicly by the FBI at the time) was to find a way into this phone for important reasons, then you'd think the FBI would be excited when they found a way in, rather than pissed that a court wasn't needed to force a backdoor. But that's not what happened.

A recently-released Inspector General's report [PDF] shows the FBI jumped the gun in the San Bernardino case. The FBI insisted it had no other options when it asked a judge to grant its All Writs Act request to compel Apple to break into the shooter's recovered iPhone. But this report shows these claims -- one repeated by the DOJ in its legal filings and by James Comey in testimony to Congress -- weren't actually true.

The ROU [Remote Operations Unit] Chief told us that, at a monthly OTD managers’ meeting on February 11, 2016, the Chief of DFAS (of which CEAU [Cryptographic and Electronics Analysis Unit] is a part but ROU is not), indicated that CEAU was having problems accessing the data on the Farook iPhone and was preparing for court. The ROU Chief, who told the OIG that his unit did not have a technique for accessing the iPhone at the time, said that it was only after this meeting that he started contacting vendors and that ROU “got the word out” that it was looking for a solution. As discussed further below, at that time, he was aware that one of the vendors that he worked closely with was almost 90 percent of the way toward a solution that the vendor had been working on for many months, and he asked the vendor to prioritize completion of the solution.

There was a another option available at the time the DOJ filed its All Writs Request (February 16). It may not have been complete yet, but the FBI had reason to believe it would be soon. Instead of giving this option a shot, the FBI tried to secure a favorable ruling compelling Apple to crack the shooter's iPhone. This wasn't what was presented to the judge in the DOJ's filing.

Comey testified before Congress on February 9th. If there had been better communication between the FBI's Operational Technology Division (OTD) and the Cryptographic and Electronic Analysis Unit (CEAU), Comey may have been apprised of this fact before his first testimonial appearance. Given the national attention being paid to this case, there's no reason Comey should have been out of the operational loop, even at this early date.

But Comey repeated the same claim nearly a month later (March 1st): the FBI could not get into the iPhone without Apple's assistance. (And again three weeks later in an angry letter to the editor published by the Wall Street Journal.) There's no way Comey could not have been aware of these developments, not with the DOJ engaged in a high-profile courtroom battle with Apple over compelled assistance.

The Inspector General finds Comey's claims to be technically true: the breakthrough offered by the still-undisclosed vendor was not passed on to the FBI until March 16th and successfully demonstrated for agents on March 20th. The following day, the US Attorney's Office informed the court of this development and withdrew its All Writs request.

Comey's statements were technically true but not the parts where he insisted the only way to access the iPhone's contents was with Apple's assistance. If he was not being informed of ongoing developments on the tech side, that's inexplicable behavior by FBI entities directly tasked with cracking the shooter's iPhone. Given the high-profile status of this case, it's not just inexplicable. It's literally unbelievable.

But that's not the only concerning aspect of this report. The head of the FBI's Remote Operations Unit (ROU) -- the person who reached out to the vendor about the progress of its iPhone crack -- was never contacted or consulted by the other offices working on the same problem. As the ROU Chief stated, the ROU walled itself off to prevent national security tools from being used in normal criminal cases.

This would seem to be good news -- the FBI drawing internal lines in the sand between natsec and normal criminal investigations -- but it actually isn't. The CEAU head believed no line existed and it could bring tools over from the natsec side any time it wanted to. But that's not the worst of it. The CEAU actually did not want a solution found.

According to the ROU Chief, his only conversation with the CEAU Chief was well after the fact, during which the CEAU Chief “was definitely not happy” that the legal proceeding against Apple could no longer go forward.

This is further backed up by statements made to the IG by FBI Executive Assistant Director (EAD) Amy Hess.

After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.

This was also admitted by the CEAU Chief in his interview with the Inspector General.

The CEAU Chief told the OIG that, after the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, “Why did you do that for?”

The report makes it clear those steering the iPhone-cracking efforts were less interested in an outside vendor cracking the phone than obtaining a precedential decision. In doing so, the DOJ ended up filing false statements as sworn assertions, claiming it had exhausted every option before approaching the court with an All Writs Request. This report may sort of clear Comey and the DOJ, but it exposes something much uglier: FBI officials are not making good faith efforts to find outside solutions to the FBI's supposed "going dark" problem. They'd much rather have favorable court decisions and legislative mandates than work with the tools others are crafting for them. This all but guarantees the number of uncracked phones in the FBI's possession will continue to grow. But they should never be viewed as investigative dead ends. They should be seen for what they are: rhetorical devices.

Update: Sen. Ron Wyden sees the report for what it is. Here's his statement on the matter:

"The FBI's leadership went straight to the nuclear option -- attempting to force Apple to circumvent its encryption -- before attempting to see if their in-house hackers or trusted outside suppliers had the technical capability to break into the San Bernardino terrorist's iPhone," Wyden said. "It's clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist's phone."

Filed Under: all writs act, encryption, fbi, going dark, iphone, syed farook
Companies: apple

DOJ Back To Pushing For Legislation Targeting Encryption

from the CLIPPER-CHIP-2K18 dept

The New York Times is reporting that the War on Encryption continues, with a renewed push for legislation the Justice Department couldn't talk Obama into.

Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.

F.B.I. and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.

[...]

Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms.

FBI Director Chris Wray still has yet to hand over his list of agreeable security experts to Sen. Ron Wyden. Wray continues to assert there's a way to solve the "going dark" problem that won't involve make device encryption less secure, but every suggestion he offers involves making device encryption less secure. There are a few techies looking for solutions, and that small group may be who Wray believes can talk legislators into prepping a mandated access bill.

A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.

They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.

The solutions presented by this group are more of the same: key escrow, weakened encryption, or technological assistance mandates. None of these work out particularly well for customers, as each options provides additional attack vectors for criminals, not just law enforcement. So, even if Wray hopes to rely on more sympathetic tech experts, he's still going to run into the same facts: you cannot provide access to law enforcement without increasing the chance of access by criminals and state-sponsored hackers.

It appears the DOJ isn't interested in letting the perfect be the enemy of the good. And why should it? It won't be affected by mandated access and/or weakened encryption. Those affected most will be members of the general public, and they simply don't matter when the FBI's agitating for destroying the encryption the public relies on to keep their devices and communications secure.

[O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

Take a long look at that statement. This is the DOJ saying it's willing to sacrifice the security of millions of Americans to make sure it can round up the nation's least intelligent criminals. This isn't a balance anyone outside of the FBI's inner circle will be happy with. Wray and others routinely claim encryption is preventing them from solving serious crimes and hunting down dangerous criminals, but when all is said and done, it will apparently be satisfied locking up the most inept suspects.

Filed Under: backdoors, doj, encryption, fbi, going dark, legislation, responsible encryption

Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges

from the good-news-for-one-of-the-actual-good-guys dept

The security researcher who was at the center of an audacious and disturbing government demand to unmask several Twitter accounts on the basis of an apparently menacing smiley emoji contained in one of them is now facing zero prison time for his supposed harassment of an FBI agent. Justin Shafer, who was originally facing five felony charges, has agreed to plead guilty to a single misdemeanor charge. Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

Here are the details of plea agreement [PDF] Shafer has agreed to. (h/t DissentDoe]

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent’s immediate relative's public Facebook account. There is no allegation of any physical contact.

The government agrees to recommend a sentence of time served. Mr. Shafer already served 8 months in jail before trial for criticizing the government's prosecution in a blog post. He was released after the defense filed a motion arguing his pre-trial detention violated First Amendment free speech rights and the statute governing pre-trial detention.

The government is not seeking for any restitution.

The United States Attorney's Office has agreed not to prosecute Mr. Shafer for the events leading to the initial armed FBI raid of his family’s home.

Mr. Shafer has agreed to a no contact order with the FBI agent, the agent’s family, and the company involved in the initial investigation.

What started out as normal security research soon became a nightmare for Shafer. His uncovering of poor security practices in the dental industry -- particularly the lack of attention paid to keeping HIPAA information secured -- led to his house being raided by FBI agents. The FBI raided his house again after he blogged about the first raid. The FBI justified its harassment of Shafer with vague theories about his connection to infamous black hat hacker TheDarkOverlord. To do this, the FBI had to gloss over -- if not outright omit -- the warnings Shafer had sent to victims of TheDarkOverlord, as well as the information on the hacker Shafer had sent to law enforcement agencies including the FBI.

Blogging about his interactions with the FBI led to the judge presiding over his criminal trial to revoke his release and jail him for exercising his First Amendment rights. This was ultimately reversed by a federal judge who agreed Shafer was allowed to call FBI agents "stupid" and blog about his treatment by the federal agency. (He was not to reveal personal info about FBI agents, however.)

This trial has come to a swift end because the presiding judge sees zero merit in the government's case.

[T]he case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.

This case comes to an end, but it does not absolve the government of its abusive behavior. Here's what Shafer's defense team (Tor Ekeland, Fred Jennings, and Jay Cohen) had to say about their client's treatment by federal law enforcement.

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

And what can we learn from this debacle? Here's what Shafer has learned: never help anybody.

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

Thank god the FBI was there to help ensure public safety no one publicly badmouthed one of its agents. Shooting the messenger is the expected response when security breaches are discovered. If it's not those leaving personal info exposed threatening researchers with lawsuits or criminal charges, it's the government itself stepping in to "protect" entities that can't even protect the data of paying customers.

Filed Under: disclosure, fbi, hacking, justin shafer, security, security research

DOJ Readying Warrants In Carter Page Investigation For Public Release

from the giving-the-Republicans-what-they-may-not-want dept

For the first time since the FISA court opened for national security business, the DOJ is considering declassifying FISA warrant applications. The documents are linked to the FBI's surveillance of former Trump campaign aide, Carter Page. Both sides of the political aisle have asked for these documents, which is something you'd think they'd have wanted to see before issuing their takes on perceived surveillance improprieties.

Devin Nunes -- following the release of his memo -- sent a letter to the FISA court asking it to clear the warrants for public release. The court's reply, penned by Judge Rosemary Collyer, pointed out two things. First, the FISA court had never released these documents publicly, nor was it in the best position to do so. It is only tasked with determining whether or not surveillance is warranted and to what restrictions it must adhere. It does not have the innate power to declassify documents, nor can it arbitrarily decide what documents have gathered enough public interest to outweigh the government's perpetual demands for secrecy.

The court did point out this release could be achieved much faster if Nunes directed his question to the DOJ, which does have the power to declassify its own investigation documents. It doesn't appear Devin Nunes has approached the DOJ but litigants in an FOIA lawsuit have, and they're looking at possibly obtaining the documents Devin Nunes requested from the FISA court.

The government is considering an unprecedented disclosure of parts of a controversial secret surveillance order that justified the monitoring of former Trump campaign aide Carter Page.

Responding to a legal challenge brought by USA TODAY and the James Madison Project, Justice Department lawyers Friday cast the ongoing review as “novel, complex and time-consuming.”

“The government has never, in any litigation civil or criminal, processed FISA (Foreign Intelligence Surveillance Act) applications for release to the public,” Justice lawyers wrote in a five-page filing.

The filing [PDF] notes that the President's unilateral decision (over the DOJ's objection) of releasing the Nunes memo has forced it to reverse some of its Glomar declarations in ongoing FOIA lawsuits, since it's impossible to maintain a stance of non-confirmation and non-denial when the White House is handing out confirmation left and right.

The DOJ has asked for four months to review the documents before returning to the court with its final answer on public release. There will probably be further delays from this point, as the DOJ will need the FISA court to officially unseal documents before it can turn these over to the litigants. It notes the plaintiffs are not happy with this timetable, but points to the presumed complexity of a task it has never undertaken previously as the reason it needs 120 days before the litigation can move forward.

This administration continues to break new grounds in inadvertent transparency. However, the release of these documents may further undermine the Nunes Memo narrative, so legislators and White House officials hellbent on using the FISA court to score political points should be careful what they wish for.

Filed Under: carter page, devin nunes, doj, fbi, fisa court, fisc, warrants

The Future The FBI Wants: Secure Phones For Criminals, Broken Encryption For Everyone Else

from the safety's-just-another-word-for-nothing-left-to-lose dept

The old truism is in play again with the FBI's renewed CryptoWar: if X is outlawed, only criminals will have X. In this case, it's secure encryption. The FBI may not be trying to get encryption banned, but it does want it weakened. No backdoors, claims FBI director Chris Wray, just holes for the government to use at its pleasure. So, if the FBI gets it way, the only truly secure encryption will be in the hands of criminals… exactly the sort of people the FBI claims it needs weakened encryption to catch.

For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.

Now, the FBI has arrested the owner of one of the most established companies, Phantom Secure, as part of a complex law enforcement operation, according to court records and sources familiar with the matter.

Phantom makes phones solely for criminals, unlike Apple or Android manufacturers, who only have a certain percentage of criminals in their userbases. All of these companies may provide the protection of encryption, but only one actively targets a criminal market. Encryption protects everyone, not just criminals, but that fact is usually paved over with subtle-as-10-tons-of-asphalt comments from the FBI director while portraying the FBI as the nation's white knight and cell phone manufacturers as profit-driven sociopaths.

These companies marketing directly to criminals do more to protect data and communications than vanilla smartphones. Remote wipe capability is built in. Often, cameras and microphones are removed, along with GPS software/hardware. It's more security than most people need, but then again, most people aren't cartel members.

The thing is, the FBI director doesn't care if you're law-abiding. He wants your encryption options limited and weakened so the contents can be accessed. This makes your smartphone more susceptible to being accessed by criminals, rather than just G-men. And these criminals accessing your phone will probably have phones the FBI can't even access, even with backdoors or key escrow or easily-cracked encryption. Chris Wray claims this is all about public safety, but he's willing to make the public less safe to gain the access he wants.

While I understand the concern of the inability to access evidence, the fact remains no solution involving compromised encryption will make the public safer. And while I understand the concern, the concern itself is overstated and accompanied by smoke-and-mirrors presentations. The FBI points to stacks of locked phones, but says nothing about the many tools at its disposal: phone-cracking companies, judges, contempt charges, good old fashioned consent requests, or whether all cases involving these phones remain at a standstill. The FBI does not argue in good faith, and the access it wants can only be had by sacrificing the security and safety of law-abiding citizens.

Filed Under: doj, encryption, fbi, going dark, security

FBI Director Says It's 'Not Impossible' To Create Compromised Encryption That's Still Secure

from the saying-the-same-thing-over-and-over-doesn't-make-it-true dept

FBI Director Chris Wray was back on the "going dark" stump this week. In a speech [PDF] at Boston College, Wray again stated, without evidence, that it wasn't impossible to create weakened encryption that isn't weakened. (via Cyrus Farivar at Ars Technica)

We have a whole bunch of folks at FBI Headquarters devoted to explaining this challenge and working with stakeholders to find a way forward. But we need and want the private sector’s help. We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both. I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available. But I just don’t buy the claim that it’s impossible.

It really doesn't matter whether or not Wray "buys" this claim. If you deliberately weaken encryption -- either through key escrow or by making it easier to bypass -- the encryption no longer offers the protection it did before it was compromised. That's the thing about facts. They're not like cult leaders. They don't need a bunch of true believers hanging around to retain their strength.

Yet Wray continues to believe this can be done. He has yet to provide Senator Ron Wyden with a list of tech experts who feel the same way. The "going dark" part of his remarks is filled with incongruity and non sequiturs. Like this, in which Wray says he doesn't want backdoors, but rather instant access to encrypted data and communications… almost like a backdoor of some sort.

We’re not looking for a “back door” – which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.

If by "backdoor," he means insecure exploit, then he's technically correct. If by "not a backdoor," he means another door located on the front or side or connected to the basement or whatever, then what difference does the door's location really make? A door is door and it provides an opening where there wasn't one previously.

Solutions have been provided. There's no shortage of people suggesting workarounds. Metadata is valuable even if Wray continues to downplay it. It's a weird position for him to take considering the agency's long reliance on metadata swept up by the NSA. Devices can be hacked, but Wray continues to assert this isn't a solution either, even after Cellebrite made the stunning announcement it could crack any iPhone, including the latest models. There are a variety of third parties hosting communications in cloud services, all of which could be approached to gain access to at least some evidence. Even public enemy #1, Apple, stores encryption keys for its iCloud services, which would give law enforcement much of what can't be obtained from a locked device.

Wray doesn't want a solution that isn't forced subservience of tech companies. That's become plainly apparent as he continues his anti-encryption crusade. Tech experts are ignored. Hacking breakthroughs like Cellebrite's aren't even cited. Legislators, for the most part, have offered no support for anti-encryption legislation, and yet Wray continues to push for technical access he can't define and proclaim his rightness despite having no expertise in the subject matter.

He also mentioned the stack of cellphones the agency claims it can't access -- 7,800 devices or more than half of those the FBI tried to access last year. But the number is meaningless. Wray claims they're all tied to investigations in one way or another, but does not describe what efforts were made to access their contents. Were the phones owners approached and asked for passcodes? Were the phones owners presented with the option of unlocking the devices or facing contempt charges? Were phones sent to Cellebrite or its competitors? Or has the FBI simply shrugged its shoulders, thrown them in a big pile, and decided to let the problem go unaddressed until it has enough legislators on its side?

In this discussion of The 7,800 Phones That Couldn't Be Broken, Wray mentioned something that shows the FBI won't be happy until it has mandated access to all encrypted data -- not just data at rest on locked devices.

Being unable to access nearly 78-hundred devices is a major public safety issue. That’s more than half of all the devices we attempted to access in that timeframe. And that’s just at the FBI. That’s not even counting devices sought by other law enforcement agencies – our state, local, and foreign counterparts. It also doesn’t count important situations outside of accessing a specific device, like when terrorists, spies, and criminals use encrypted messaging apps to communicate, which is an increasingly widespread problem.

Wray ended his speech as he always does -- with emotional appeals meant to throw shade on the tech experts who've told him his safely-broken encryption dreams are impossible.

After all, America leads the world in innovation. We have the brightest minds doing and creating fantastic things. A responsible solution will incorporate the best of two great American traditions – the rule of law and innovation. But for this to work, the private sector needs to recognize that it’s part of the solution. Again, I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens. I also can’t accept that anyone out there reasonably thinks the state of play as it exists now – much less the direction it’s going – is acceptable.

Broken down, his final thoughts on "going dark" run like this:

1. Smart people refuse to help us.

2. They are irresponsible.

3. They are part of the problem.

4. They are making America unsafe.

Christ, what an asshole. The private sector is doing far more to "protect innocent citizens" than the FBI is. Encryption makes communications and data transfer much, much safer. Wray wants this weakened for one reason: to give law enforcement immediate access. Will this make America safer? The answer is no. Default encryption has been available for years now and there's been no corresponding spike in criminal activity and no loud chorus of united law enforcement officials lamenting their inability to close cases or prosecute people. America's jails are as full as they've ever been and crime rates remain far lower than they were prior to the advent of smartphones and encryption-by-default. It's only a very small number of law enforcement officials that seem to have a problem with this, but they're by far the loudest and most visible.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, responsible encryption

Good Faith Beats Bad Warrant In Another Win For FBI's World-Traversing NIT Malware

from the this-should-keep-this-out-of-the-Supreme-Court's-hands dept

Another challenge of the NIT (Network Investigative Technique) warrant used by the FBI during its investigation of a dark web child porn website has hit the appellate level. A handful of district courts have found the warrant used invalid, given the fact that its reach (worldwide) exceeded its jurisdictional grasp (the state of Virginia, where it was obtained). That hasn't had much of an effect on appeals court rulings, which have all found the warrant questionable to varying degrees, but have granted the FBI "good faith" for violating the jurisdictional limits the DOJ was attempting to have rewritten (Rule 41 -- which governs warrant jurisdictional limits, among other things) to allow it to do the things it was already doing.

Even though the FBI had to have known searches performed all over the world using one Virginia-based warrant violated Rule 41 limits, appellate judges have declared the FBI agent requesting the warrant wasn't enough of a legal expert to know this wasn't allowed. Two appeals courts have stated suppressing the evidence is pointless because the law changed after the jurisdiction limit violation took place. The appellate decisions have been troubling to say the least, providing further evidence that the good faith exception is the rule, rather than the outlier.

The latest decision [PDF] dealing with the NIT warrant comes from the Third Circuit Appeals Court. It, too, finds the warrant questionable. And it states the government has agreed the warrant was not valid under Rule 41(b).

The Government conceded below that “[a]lthough Rule 41 does authorize a judge to issue a search warrant for a search in another district in some circumstances, it does not explicitly do so in these circumstances.” App. 91 (Government Br. in Opposition to Motion to Suppress) (emphasis added).

The opinion goes on to note the government, having admitted its warrant was bad, then argued it was good because it was apparently thinking of a different part of Rule 41 when it applied for a warrant, even though none of this thought made its way into the affidavit as words.

On appeal, however, the Government curiously has reversed course, and now contends that the NIT was in fact explicitly authorized by Rule 41(b)(4), which provides that a magistrate judge may “issue a warrant to install within the district a tracking device; the warrant may authorize use of the device to track the movement of a person or property located within the district, outside the district, or both.” Fed. R. Crim. P. 41(b)(4) (emphasis added).

According to the Government, under this Rule, “the NIT warrant properly authorized use of the NIT to track the movement of information—the digital child pornography content requested by users who logged into Playpen’s website—as it traveled from the server in [EDVA] through the encrypted Tor network to its final destination: the users’ computers, wherever located.”

Wrong again, says the court, noting the disingenuousness of the government's goalpost move. (All emphasis added by me and not the court from this point forward.)

We need not resolve Werdene’s contention that the Government waived this argument because we find that the Government’s tracking device analogy is inapposite. As an initial matter, it is clear that the FBI did not believe that the NIT was a tracking device at the time that it sought the warrant. Warrants issued under Rule 41(b)(4) are specialized documents that are denominated “Tracking Warrant” and require the Government to submit a specialized “Application for a Tracking Warrant.” See ADMINISTRATIVE OFFICE OF U.S. COURTS, CRIMINAL FORMS AO 102 (2009) & AO 104 (2016). Here, the FBI did not submit an application for a tracking warrant – rather, it applied for, and received, a standard search warrant. Indeed, the term “tracking device” is absent from the NIT warrant application and supporting affidavit.

The court also helpfully finds that computer users have an expectation of privacy in their IP addresses and other identifying info housed in their computers. It points out the government obtained this directly from targets' computers rather than third parties, making this a Fourth Amendment search rather than a Third Party Doctrine case.

But that's where the good news ends for the defendant. The appeals court says the warrant was invalid the moment it was issued, but that this can't be held against the FBI. It rationalizes its opinion this way: suppression of evidence is for deterrence, not for righting the government's wrongs. So, it's OK for the FBI to rely on an invalid warrant because the judge made the error approving it. The FBI was not wrong to rely on the warrant, even though it very likely knew its request violated Rule 41 jurisdictional limits. Then it arrives at this conclusion -- one reached previously by another appeals court:

More importantly, the exclusionary rule “applies only where it ‘result[s] in appreciable deterrence.’” Herring, 555 U.S. at 141 (quoting Leon, 468 U.S. at 909) (emphasis added). Thus, even though Rule 41(b) did not authorize the magistrate judge to issue the NIT warrant, future law enforcement officers may apply for and obtain such a warrant pursuant to Rule 41(b)(6), which went into effect in December 2016 to authorize NIT-like warrants. Accordingly, a similar Rule 41(b) violation is unlikely to recur and suppression here will have no deterrent effect.

In other words, because it's now impossible for the FBI to engage in this violation of Rule 41, there's nothing to be gained by suppressing the evidence. In essence, the court is saying that if the DOJ can get laws changed quickly enough to codify earlier statutory violations, defendants challenging evidence based on legal violations that occurred before the law was changed are shit out of luck. Compare and contrast this to civil rights lawsuits where the courts have awarded good faith to law enforcement for apparent rights violations because they occurred before such acts were declared unconstitutional by precedential opinions. It's "heads I win, tails you lose" in federal courts, thanks to the good faith exception.

More cases will reach the appellate level but it hardly seems likely any of those will result in suppressed evidence for Playpen defendants. These findings will be reached despite most appellate judges declaring the underlying warrants void from the moment they were issued. Defendants asking for suppression are going to run into judges willing to forgive the FBI both before and after the fact, which means there's very little justice left in the justice system's tanks.

Filed Under: 4th amendment, doj, fbi, good faith exception, nit, playpen, rule 41, third circuit, warrant

Report On Device Encryption Suggests A Few Ways Forward For Law Enforcement

from the time-to-dial-back-the-apocalyptic-narrative dept

Another paper has been released, adding to the current encryption discussion. The FBI and DOJ want access to the contents of locked devices. They call encryption that can be bypassed by law enforcement "responsible encryption." It isn't. A recent paper by cryptograpghy expert Riana Pfefferkorn explained in detail how irresponsible these suggestions for broken or weakened encryption are.

This new paper [PDF] was put together by the National Academies of Science, Engineering, and Medicine. (h/t Lawfare) It covers a lot of ground others have and rehashes the history of encryption, along with many of the pro/con arguments. That said, it's still worth reading. It raises some good questions and spends a great deal of time discussing the multitude of options law enforcement has available, but which are ignored by FBI officials when discussing the backdoors/key escrow/weakened encryption they'd rather have.

The paper points out law enforcement now has access to much more potential evidence than it's ever had. But that might not always be a good thing.

The widespread use of cloud storage means that law enforcement has another potential source of evidence to turn to when they do not have access to the data on devices, either because the device is unavailable or the data on the device is encrypted. Not all of this digital information will be useful, however. Because storage is cheap or even free, people keep all sorts of non-noteworthy electronic documents forever.

What's unsaid here is law enforcement should be careful what it wishes for. Encryption that allows government on-demand access may drown it in useless data and documents. If time is of the essence in cases where law enforcement is seeking to prevent further criminal activity, having a golden key may not move things along any faster. I'm sure the FBI and others would prefer access all the same, but this does point to a potential negative side effect of cheap storage and endless data generation.

And the more access law enforcement has, the more chances there are for something to go horribly wrong on the provider's end.

How frequently might vendors be asked to unlock phones? It is difficult to predict the volume of requests to vendors, but a figure in the tens of thousands per year seems reasonable, given the number of criminal wiretaps per year in the United States and the number of inaccessible devices reported by just the FBI and Manhattan District Attorney’s Office. As a result, each vendor, depending on its market share, needs to be able to handle thousands to tens of thousands of domestic requests per year.

Such a change in scale, as compared to the software update process, would necessitate a change in process and may require a larger number of people authorized to release an unlock code than are authorized to release a software update, which would increase the insider risk.

The paper also runs down stats provided by the FBI and the Manhattan DA's office. It notes the overall number of unlockable phones has continued to rise but points out these numbers aren't all that meaningful without context.

In November 11, 2016, testimony to this committee, then-Federal Bureau of Investigation (FBI) General Counsel James Baker reported that for fiscal year 2016, the FBI had encountered passcodes on 2,095 of the 6,814 mobile devices examined by its forensic laboratories. They were able to break into 1,210 of the locked phones, leaving 885 that could not be accessed. The information Baker presented did not address the nature of the crimes involves nor whether the crimes were solved using other techniques.

[...]

Although existing data clearly show that encryption is being encountered with increasing frequency, the figures above do not give a clear picture of how frequently an inability to access information seriously hinders investigations and prosecutions.

It goes on to note that we may never see this contextual information. Any attempt to collect this data would be hindered by law enforcement's reluctance to provide it, and there are currently no visible efforts being made by agencies to determine just how often encryption stymies investigations. Whatever would actually be reported would be tainted by subjective assessments of encryption's role in the investigation. However, without more context, the endless parade of locked device figures is nothing more than showmanship in service to the greater goal of undermining encryption.

The paper helpfully lists several options law enforcement can pursue, including approaching cloud services for content stored outside of locked devices. It also points out the uncomfortable fact that law enforcement doesn't appear to be making use of tools it's always had available. One of these options is compelled production of passwords or biometric data to unlock phones. While the Fifth Amendment implications of compelled password production are still under debate, it's pretty clear fingerprints or retinas aren't going to receive as much Constitutional protection.

On top of that, there's the fact that a number of device owners have already voluntarily provided copies of encryption keys, and these can likely be accessed by law enforcement using a standard warrant or an All Writs Act order.

[M]any storage encryption products today offer key escrow-like features to avoid data loss or support business record management requirements. For example, Apple’s full disk encryption for the Mac gives the user the option to, in effect, escrow the encryption key. Microsoft Windows’ BitLocker feature escrows the key by default but allows users to request that the escrowed key be deleted. Some point to the existence of such products as evidence that key recovery for stored data can be implemented in a way that sensibly balances risks and benefits at least in certain contexts and against certain threats. In any case, data that is recoverable by a vendor without the user’s passcode can be recovered by the vendor for law enforcement as well. Key escrow-type systems are especially prevalent and useful where the user, or some other authorized person such as the employer, needs access to stored data.

The report also claims law enforcement "had not kept pace" with the increase of digital evidence. It posits the problem is a lack of funding and training. Training is almost certainly a problem, but very few law enforcement agencies -- especially those at the federal level -- suffer for funding or expertise. This might be due to bad assumptions, where officials believed they would always have full access to device contents (minus occasional end user initiative on encryption). When it became clear they wouldn't, they began to seek solutions to the problems. This put them a few steps behind. Then there are those, like Manhattan DA Cy Vance and FBI Director Chris Wray, who are putting law enforcement even further behind by pushing for legislation rather than focusing their efforts on keeping officers and agents well-supplied and well-trained.

While the report does suggest vendors and law enforcement work together to solve this access "problem," the suggestions place the burden on vendors. One suggested fix is one-way information sharing where vendors make law enforcement aware of unpatched exploits, allowing the government (and anyone else who discovers it) to use these vulnerabilities to gain access to communications and data. It's a horrible suggestion -- one that puts vendors in the liability line of fire and encourages continued weakening of device and software security.

The report also points out the calls for harder nerding have been at least partially answered. The proposed solutions aren't great. In fact, one of them (running lawful access keys and software update keys through the same pipeline) is terrible. But it's not as though no one on the tech side is trying to come up with a solution.

Several individuals with backgrounds in security and systems have begun to explore possible technical mechanisms to provide government exceptional access. Three individuals presented their ideas to the committee.

• Ernie Brickell, former chief security architect, Intel Corporation, described ways that protected partitions, a security feature provided by future microprocessor architectures, could be used to provide law enforcement access to devices in their physical possession, provide remote access by law enforcement, or provide key escrowed cryptography for use by applications and nonescrowed cryptography for a set of “allowed” applications.

• Ray Ozzie, former chief technical officer and former chief software architect, Microsoft Corporation, argued that if a user trusts a vendor to update software, the user should be able to trust the vendor to manage keys that can provide exceptional access. He proposed that this extension of the trust model used for software updates could be used to provide government exceptional access to unlock mobile devices. Ozzie also provided the committee with materials describing how this approach could be extended to real-time communications such as messaging.

• Stefan Savage, professor of computer science and engineering, University of California, San Diego, described how phone unlock keys could be stored in hardware and made available via an internal hardware interface together with a “proof-of-effort” lock that together would require physical possession and a time delay before law enforcement could unlock a device.

The report points out these are only suggestions and have yet to be rigorously examined by security professionals. But their existence belies the narrative pushed by the FBI in its search for a federal statutory mandate. There are experts trying to help. Unfortunately, every solution proposed is going to require a sacrifice in device security.

The problem is complex, if you choose to believe it's a problem. It may be troublesome that law enforcement can't have access to device contents as easily as they could five years ago, but it's not the threat to public safety anti-encryption enthusiasts like Chris Wray and Cy Vance make it out to be. Encryption use has gone up while crime rates have remained steady or decreased. The emphasis on cellphones as the ultimate investigative goldmine is misplaced. Plenty of options remain and law enforcement spent years solving crimes without having one-stop access to communications and personal documents. An ancient discovery known as "fire" has put evidence out of reach for hundreds of years, but no one's asking the smart guys at Big Match to come up with a solution. Things are harder but they're not impossible. What is impossible is what Wray and others are asking for: secure compromised encryption.

Filed Under: doj, encryption, fbi, going dark, responsible encryption

Nunes Demands Copies Of FISA Docs About Steele Dossier Warrants; Court Suggests Taking It Up With The FBI

from the god-I-so-hope-Nunes-takes-it-up-with-the-FBI dept

Having already released the memo purportedly showing surveillance abuses committed by the FBI, the legislators behind the release are now getting around to asking for documents to back up the memo's assertions. Bob Goodlatte and Devin Nunes have both asked the FISA court for the paperwork they probably should have looked at before writing and releasing the memo.

Nunes has asked for "transcripts of relevant FISC hearings" related to the FISA warrants predicated largely on assertions made in Steele dossier. Goodlatte has asked applications and orders for the same warrants. The FISA court has replied with two letters stating basically the same thing: thanks for the weird (and inappropriate) question, but maybe take this up the FBI. (h/t Zoe Tillman)

From the letter [PDF] sent by Judge Rosemary Collyer to Devin Nunes:

The Court appreciates the interest of the House Intelligence Committee in its operations and public confidence therein. Before 2018, the Court had never received a request from Congress for documents related to any specific FISA application. Thus, your requests -- and others I have recently received from Congress -- present novel and significant questions. The considerations involve not only prerogatives of the Legislative Branch, but also interests of the Executive Branch, including its responsibility for national security and its need to maintain the integrity of any ongoing law enforcement investigations.

While this analysis is underway, you may note that the Department of Justice possesses (or can easily obtain) the same responsive information the Court might possess, and because of separation of powers considerations, is better positioned than the Court to respond quickly. (We have previously made clear to the Department, both formally and informally, that we do not object to any decision by the Executive Branch to convey to Congress any such information.)

The response [PDF] to Goodlatte pretty much says the same thing. Both letter close with a little bit of shade-throwing.

I expect that [the DOJ and FBI's] handling of your requests will inform the Court as to how the Executive Branch perceives its interests and will assist us in our consideration of the full range of issues…

This seems to suggest the FISA court has noticed (how could it not) the contentious relationship between the FBI and the White House and wants to see how the DOJ handles its end of the paperwork requested by the legislators before proceeding. It also implies the court thinks the White House will sidestep its obligations to preserve the integrity of national security-related obligations if it thinks it can score some political points. If the court really felt like laying on the snark, it might have mentioned the utility of viewing underlying documents before releasing a "damning" memo, rather than attempting to find justification for the memo's accusations after the fact.

Filed Under: bob goodlatte, devin nunes, doj, fbi, fisa application, fisa court, fisc, nunes memo, rosemary collyer, steele dossier

FBI Director Still Won't Say Which Encryption Experts Are Advising Him On His Bizarre Approach To Encryption

from the perhaps-there's-a-reason-he-won't-say... dept

For the past few months, we've talked about how FBI Director Chris Wray has more or less picked up where his predecessor, James Comey, left off when it came to the question of encryption and backdoors. Using a contextless, meaningless count of encrypted seized phones, Wray insists that not being able to get into any phone the FBI wants to get into is an "urgent public safety issue."

Of course, as basically every security expert has noted, the reverse is true. Weakening encryption in the manner that Wray is suggesting would create a much, much, much bigger safety issue in making us all less safe. Hell, even the FBI used to recommend strong encryption as a method to protect public safety.

Last month, we wrote about a letter sent by Senator Ron Wyden to Wray, simply asking him to list out the names of encryption experts that he had spoken to in coming to his conclusion that it was possible to create backdoors to encryption without putting everyone at risk.

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Technically, Wray still has a week or so to answer, but earlier this week during an open Senate hearing involving the heads of various law enforcement and intelligence agencies, Wyden asked Wray when he might get that list and Wray sidestepped the question entirely, other than saying he'd discuss it later (in a closed session):

If you can't see that, here's my quick transcript (though I do recommend watching the video just to see the smartass smirk on Wray's face through much of it).

Wyden: On encryption. Director Wray, as you know, this isn't a surprise because I indicated, I would ask you about this. You have essentially indicated that companies should be making their products with backdoors in order to allow you all to do your job. And we all want you to protect Americans and at the same time, sometimes there are these policies that make us less safe and give up our liberties. And that's what I think we get with what you all are advocating which is weak encryption. Now this is a pretty technical area, as you and I have talked about it. And there's a field known as cryptography. I don't pretend to be an expert on it. But I think there is a clear consensus among experts in the field against your position to weaken strong encryption. So I have asked you for a list of the experts that you have consulted. I haven't been able to get it. Can you give me a date this afternoon when you will give me... this morning, a sense of when we will be told who are these people who are advising you to pursue this route. Because I don't know of anybody who is respected in this field who is advising that it is a good idea to adopt your position to weaken strong encryption. So can I get that list?

Wray: I would be happy to talk more about this topic this afternoon. My position is not that we should weaken encryption. My position is that we should be working together -- the government and the private sector -- to try to find a solution that balances both concerns.

Wyden: I'm on the program for working together. I just think we need to be driven by objective facts, and the position you all are taking is out of sync with what all the experts in the field are saying and I'd just like to know who you all have been consulting, and we'll talk more about it this afternoon.

So, a few points on this. First, Wray doesn't answer the actual question of when he'll be giving Wyden a list, but rather suggests he'll discuss this topic in the closed session. But the question of when he'll be delivering his list of experts he's consulted shouldn't be a classified piece of information. It's just a date. Second, Wray immediately misrepresents the issue, by saying he's not asking to weaken encryption. Because he has to realize by now that that's exactly what he's asking to do. If he doesn't recognize that then it's clear he doesn't understand the first thing about how encryption actually works. Third, he's incorrectly talking about "balancing both concerns." But there's no balancing question here. It is not a "balance" between "security" and "civil liberties" as some keep trying to make it out to be. This is a concern between good security and bad security that makes everyone less safe (oh, and also has the potential to violate civil liberties).

It does not inspire confidence to have Wray have trouble answering such a basic question and then totally misrepresent how this all works, even in his two sentence answer.

Filed Under: backdoors, chris wray, cryptographers, encryption, experts, fbi, ron wyden