Massive databases full of personal information are in the hands of law enforcement. There are many legitimate uses for these databases, but like anything containing sensitive information, the temptation to abuse access privileges is omnipresent. This is highly problematic when the violator is a law enforcement officer. Not only does this violate internal policies and local statutes, but it puts sensitive info in the hands of someone who has plenty of power but little apparent interest in wielding it properly.
[Independent Monitor Nicholas] Mitchell said 25 Denver officers have been punished for inappropriate use of the databases since 2006. Most of them received reprimands rather than the harsher penalties some police agencies impose for the same offense. None of the 25 was charged with a crime.
The abuse will continue at the Denver PD unless something changes. Officers are warned that improper access of the NCIC (National Crime Information Center) database may result in criminal charges, but that's obviously not true. The report says that, in the last decade, no officer caught abusing access to the database has received anything more severe than a three-day suspension. It further notes that these officers may not have even received this minimal suspension if it weren't for previous misconduct on the records prior to the improper access violation.
This improper access was used to facilitate activities that could themselves be considered criminal.
The Denver cases include an officer who looked up the phone number of a hospital employee with whom he chatted during a sex assault investigation and called at home against her wishes.
Another officer ran a man’s license plate seeking information for a friend, who then began driving by the man’s house and threatening him, according to the monitor’s report.
Unsurprisingly, the monitor has suggested the Denver PD immediately institute harsher punishments for improper access. The Denver PD has responded by saying the punishments are harsh. And they are. It can fire officers and bring criminal charges against them for improper access. It just has never done so. I guess a theoretical deterrent is better than no deterrent at all?
And, while 25 officers may seem like a really low number of abusers, the monitor says his office has no idea how widespread this abuse is. The Denver PD never audits its officers' use of the database. It only responds to complaints of possible improper access. Its internal oversight is just as weak as its half-hearted wrist slaps in response to verified abuse.
Just when we thought some surveillance reforms might stick, the administration announced it was expanding law enforcement access to NSA data hauls. This prompted expressions of disbelief and dismay, along with a letter from Congressional representatives demanding the NSA cease this expanded information sharing immediately.
This backlash prompted Office of the Director of National Intelligence General Counsel Robert Litt to make an unscheduled appearance at Just Security to explain how this was all a matter of everyone else getting everything wrong, rather than simply taking the administration at its word.
There has been a lot of speculation about the content of proposed procedures that are being drafted to authorize the sharing of unevaluated signals intelligence. While the procedures are not yet in final form, it would be helpful to clarify what they are and are not. In particular, these procedures are not about law enforcement, but about improving our intelligence capabilities.
As Litt explains it, everything about this is lawful and subject to a variety of policies and procedures.
These procedures will thus not authorize any additional collection of anyone’s communications, but will only provide a framework for the sharing of lawfully collected signals intelligence information between elements of the Intelligence Community. Critically, they will authorize sharing only with elements of the Intelligence Community, and only for authorized foreign intelligence and counterintelligence purposes; they will not authorize sharing for law enforcement purposes. They will require individual elements of the Intelligence Community to establish a justification for access to signals intelligence consistent with the foreign intelligence or counterintelligence mission of the element. And finally, they will require Intelligence Community elements, as a condition of receiving signals intelligence, to apply to signals intelligence information the kind of strong protections for privacy and civil liberties, and the kind of oversight, that the National Security Agency currently has.
So, this all sounds like it has nothing to do with law enforcement. Just intelligence "elements" from the community. Except that law enforcement and intelligence agencies are hardly separate entities. We already know the NSA is allowed to "tip" data to the FBI if it might be relevant to criminal investigations. There's no clear dividing line between intelligence and law enforcement -- not with law enforcement's steady encroachment into national security territory. When Litt says "only intelligence agencies," he's actually referring to several law enforcement agencies, as Marcy Wheeler points out.
As a threshold matter, both FBI and DEA are elements of the intelligence community. Counterterrorism is considered part of FBI’s foreign intelligence function, and cyber investigations can be considered counterintelligence and foreign intelligence (the latter if done by a foreigner). International narcotics investigations have been considered a foreign intelligence purpose since EO 12333 was written.
In other words, this sharing would fall squarely in the area where eliminating the wall between intelligence and law enforcement in 2001-2002 also happened to erode fourth amendment protections for alleged Muslim (but not white supremacist) terrorists, drug dealers, and hackers.
So make no mistake, this will degrade the constitutional protections of a lot of people, who happen to be disproportionately communities of color.
And, to go back to Litt's statement, the whole thing starts with a dodge:
These procedures will thus not authorize any additional collection of anyone’s communications…
This is something no one has actually claimed. What people are concerned about is the NSA using its massive collection abilities to become an extension of domestic law enforcement, rather than the foreign-focused entity it's supposed to be.
And, as for Litt's claims that everything is subject to clearly-defined rules on minimization, those are also false. First off, the expanded permissions originate under Executive Order 12333, which has been revised in secret on more than one occasion -- all without the full participation of Congressional oversight. Not only that, but agencies that are recipients of unminimized data from the NSA are supposed to apply their own minimization procedures to better ensure "strong protections for privacy and civil liberties." Wheeler notes that two recipients have yet to put any minimization procedures in place, despite having had years to do so.
I also suspect that Treasury will be a likely recipient of this data; as of February 10, Treasury still did not have written EO 12333 protections that were mandated 35 years ago (and DEA’s were still pending at that point).
The backdoor search loophole has yet to be closed (which gives the FBI access to unminimized data and communications obtained via Section 702) and these agencies -- along with two consecutive, very compliant administrations -- have been tearing down any walls between the NSA and law enforcement for several years now.
Litt's reassurances are worthless. It namechecks all the stuff we know is mostly worthless: oversight, minimization procedures, the frankly laughable idea that the FBI cares more about privacy and civil liberties than making busts, etc. and asks us to believe that a tangled thicket of secretive agencies and even-more-secretive laws are all designed to protect us from government overreach.
After the Paris attacks late last year, we noted that it was clear that they were evidence of an intelligence community failure, rather than an "encryption" problem -- which kind of explained why the intelligence community quickly tried to blame encryption. But, as we noted, most of the attackers were already known to the intelligence community and law enforcement -- and there's still little evidence that they used any encryption.
It's looking like the Brussels attacks are showing the same pattern. First, there were reports that Belgian law enforcement was well aware of the attackers and their connections.
In Brussels, one of two brothers who took part in Tuesday’s attacks on Zaventem airport and a subway train, which killed 31 people and injured hundreds more, had already been suspected of helping the Paris attackers, the federal prosecutors’ office said.
And another report noted that one of the brothers had been deported from Turkey a few months ago, and that Turkish officials had warned Belgium about his ties to terrorist groups.
U.S. security agencies had the names of the two suicide bombers who attacked Brussels airport in their databases as potential terror threats.
NBC News quoted U.S. officials who said that Khalid and Ibrahim El Bakraoui were known to U.S. counterterrorism authorities before Tuesday morning, when the pair and a third man detonated theor bombs at the airport and a train station.
So, once again, we see a situation where these guys were known (or should have been known) to law enforcement and intelligence, but they were still able to carry out their attack. And, yet, rather than blaming intelligence failures, politicians are blaming encryption again.
And, of course, the intelligence community will do what it always does: rather than admit it failed here, it will blame encryption or blame limits on surveillance and demand more powers. As we've noted in the past, no matter what the result, the intelligence community will always insist that more surveillance is the answer. If the surveillance works, to them it's evidence that they need more of it to do an even better job. If the surveillance fails (as in this case), then it's evidence that they need more surveillance to avoid such misses in the future. Anything to deflect from the fact that they had a ton of intelligence here, and still failed at stopping the attack.
You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.
We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.
We already covered Apple's reply brief in the fight over getting into Syed Farook's encrypted work iPhone, highlighting a number of lies by the DOJ's filing. But I wanted to focus on a few more highlighted in the additional declarations filed by Apple as well. The DOJ kept insisting that Apple built this feature specifically to keep law enforcement out, which is ridiculous. Apple notes repeatedly that it built the feature to keep its customers safer from malicious attacks, most of which are not from law enforcement. But the DOJ keeps pretending that it was a deliberate attempt to mock law enforcement. In the DOJ's filing:
Here, Apple has deliberately used its control over its software to block law-enforcement requests for access to the contents of its devices, and it has advertised that feature to sell its products.
Since the introduction of iOS 8 in October 2014, Apple has placed
approximately 1,793 advertisements worldwide—627 in the United States alone—of
different types, including, print ads, television ads, online ads, cinema ads, radio ads
and billboards. Those advertisements have generated an estimated 253 billion
impressions worldwide and 99 billion impressions in the United States alone (an
impression is an estimate of the number of times an ad is viewed or displayed online).
Of those advertisements, not a single one has ever advertised or promoted
the ability of Apple’s software to block law enforcement requests for access to the
contents of Apple devices.
Indeed, only three of those advertisements reference security at all, and all three related to the Apple Pay service, and then only to say that Apple Pay is "safer than a credit card, and keeps your info yours."
I'm assuming the DOJ, if it decides to push this point, will argue that it wasn't talking about those kinds of advertisements, but Apple's statements to the press, but still, there's a strong point here. Contrary to what the DOJ is saying, no, the company does not proactively advertise the encryption as a way to keep law enforcement out. Or, in short, no, FBI, strong encryption on the iPhone just isn't about you.
While other states seem distressingly focused on exempting law enforcement from greater transparency -- whether by crafting new loopholes in FOI laws or deciding body camera footage should remain in the control of police -- California is going the other way.
State Sen. Mark Leno, seeking to tighten accountability amid a national conversation over police shootings and a push for law enforcement reform in San Francisco, introduced a bill that would roll back a 1978 law and subsequent Supreme Court rulings that prompted cities to close police disciplinary cases to the media and the public.
This is Leno's second attempt to rewrite the law that created an accountability shelter for police officers. It must be said this is a much better idea than the San Francisco PD's response to a recent high-profile shooting: limiting officers to firing two bullets each during interactions with citizens. Despite more public support for greater law enforcement transparency, Leno still faces a tough battle to push this legislation through. As in any other push for police accountability, those pushing back are the usual, powerful suspects.
Harry Stern, an attorney who represents officers around the Bay Area, slammed the proposal, linking it to the San Francisco Board of Supervisors’ recent approval of a day of remembrance for Mario Woods, the stabbing suspect whose video-recorded killing by police sparked protests and a federal review of the city force.
Harry Stern works for the deputies' union and, like many other union reps, feels the real problem with today's policing is everyone else.
“No one is against accountability,” Stern said. “But when politicos press an agenda that includes declaring a day in honor of a violent felon, one must consider their motives with a jaundiced eye. ... In today's criminal-friendly, antipolice climate, we need fewer baseless public floggings of cops, not more.”
Actually, it seems pretty clear that some people are against accountability, with a large majority of them acting as police union reps. No one likes "baseless public floggings," but union leaders have made it abundantly clear they're not too fond of justified floggings either, whether performed in public or not.
Another law enforcement union is also looking to block the bill.
San Francisco Police Officers Association officials will be among those fighting the legislation. Nathan Ballard, an adviser for the union, said that while officers support efforts to bring transparency — including having officers wear body cameras — the union will oppose legislation seeking “to undo the California Supreme Court’s ruling that protects police officers’ privacy interests.”
For public figures who act under the color of law and wield an immense amount of power, police officers (or at least their union reps) seem awfully sensitive about their (mostly-imagined) privacy. The public should have access to police misconduct records, including the names of officers involved. The unions pretend this will lead to "public floggings" by those with ulterior motives, like politicians and the media. But the simple fact is that law enforcement remains a revolving door for bad cops, allowing them to move from one agency to the next with minimal effort. Access to police misconduct records will allow outside parties to keep tabs on job-surfing habitual offenders -- an essential aspect of accountability very few law enforcement agencies seem willing to perform themselves.
Teens sexting can't be addressed by existing laws. Law enforcement -- which far too often chooses to involve itself in matters best left to parents -- bends child pornography laws to "fit" the crime. They often state they're only doing this to save kids from the harm that might result by further distribution of explicit photos. How exactly turning a teen into a child pornographer who must add his or herself to the sex offender registries is less harmful than the imagined outcomes cited by law enforcement is never explained.
Over in New Mexico, legislators are making an honest attempt to keep sexting teens from being treated like sex offenders. And it's law enforcement that's leading the opposition to the proposed changes. The bill would continue to uphold harsh penalties for actual child pornographers while decriminalizing sexting between teens.
"I cannot support an amendment that weakens protections for teenagers from predatory activity, creates a dangerous new child exploitation loophole, and places New Mexico's federal Internet Crimes Against Children Task Force funding in jeopardy,” said Attorney General Hector Balderas in a statement, according to the Alamogordo Daily News.
This statement is not only ridiculous, but it shows the AG is more interested in budget lines than the future of teens who do the sort of things teens are inevitably going to do. Balderas is explicitly stating that he's willing to sacrifice young lives in order to secure his task force's funding. That's just sickening. In Balderas' world, sexting teens are nothing more than a revenue stream.
As Soave points out, the legislation still contains harsh punishments for child pornographers and does nothing to create a "loophole" for accused offenders. What it would do is keep teens from being charged for exchanging explicit photos with their peers by carving out an exception for photos exchanged by teens ages 14-17.
There's nothing logical about applying sexual predator/child pornography laws in this way. But Balderas has helpfully explained why many law enforcement officials are more than happy to do exactly that. There's good money in chasing down child pornographers -- a criminal act reviled by a majority of their constituents. Anything that might jeopardize these funds -- like treating sexting teens as a disciplinary/educational problem rather than a criminal one -- is to be rejected out of hand.
Soave notes Balderas was so incensed by this threat to his funding that he and his staff walked out of the hearing in a show of outrageously stupid, callously self-centered solidarity. Balderas may want to play hardball with child pornographers, but he's also shown he's more than willing to fuck a few kids himself when there's money on the line.
So, we already wrote about the nutty amicus filing in support of the FBI by San Bernardino's District Attorney, as well as the tons of amicus briefs in support of Apple. However, there are two more amicus briefs that were filed in support of the Justice Department, and we didn't want to leave those out of our coverage either. The main one is a brief from a ton of law enforcement agencies, namely the Federal Law Enforcement Officers Association, the Association of Prosecuting Attorneys, and the National Sheriff's Association.
The argument is not a surprising one. It's basically "but we really, really, really want to see what's on these phones" combined with "this may inspire others not to obey us."
Amici believe that the position Apple has taken is a dangerous one. First, Apple's refusal to provide assistance has far-reaching public safety ramifications by making it difficult, and in some cases impossible, for law enforcement to fulfill its obligation to investigate crimes, protect the public by bringing criminals to justice, and enforce the law. Second, if Apple were to prevail, the public at large may itself think twice about cooperating with law enforcement when called upon to do so.
Of course both of these are hogwash. First of all, Apple has provided a ton of assistance. But providing some assistance doesn't mean it should be compelled to provide all possible assistance. In fact, this claim ignores the very heart of this case, which is just how far must Apple go, and can a company be compelled to go way beyond what any company has been compelled to do in the past. But this filing misleads the court and pretends it's simply about whether or not Apple should provide any assistance. Similarly, the argument that this kind of info is needed to "enforce the law" is similarly ridiculous. As we've noted, law enforcement never gets "all of the information." It never knows what information has been destroyed, or is hidden and not found, or is just in people's brains. The idea that they need every possible scrap of information has simply never been true, and in fact, our Constitution is designed on the principle that, no, law enforcement doesn't always have the right to access any and all information it wants. That's on purpose.
Separately, this amicus brief -- despite officially being in support of the Justice Department and the FBI may serve to undermine their case. After all, a key part of the DOJ's argument is that this case is just about this one phone. However, as we've discussed, tons of law enforcement folks are salivating over using this ruling as a precedent elsewhere. And this brief makes that quite clear, which might help the judge realize that the Justice Department is being misleading in arguing otherwise.
The other amicus brief in support of the DOJ is one filed on behalf of six individuals who are mostly family members of people who were killed in the San Bernardino attack (five of them, with the other person being the husband of a woman who witnessed the attack, but was not shot). This filing was also not unexpected given that, as we reported earlier, the DOJ reached out to a lawyer to file this amicus brief before even asking the judge for the order. For whatever reason, the actual brief does not appear on PACER, just the application for the amicus brief (it says the brief is attached, but as of my writing this, the full brief does not appear in PACER). I can certainly understand why these individuals would want to support the DOJ here (though, as noted in our earlier posts, at least three other family members have supported Apple's position). But I'm not convinced that their views have any legal impact on the case, just an emotional one.
In Jim Comey's defensive blog post over the weekend, he insisted that the FBI was absolutely not doing this to set a precedent or to do anything other than get into a single phone:
The San Bernardino litigation isn't about trying to set a precedent or send any kind of message....
The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That's it. We don't want to break anyone's encryption or set a master key loose on the land.
Yeah, except that's clearly bullshit. They absolutely want the precedent, and if the FBI's PR strategy is to now insist this precedent won't be useful beyond this case, perhaps it should have coordinated those talking points with others in law enforcement. Because if you talk to them, they're happy to tell everyone just how badly they want this precedent so they, too, can demand Apple build hacking tools into iPhones. Jenna McLaughlin at The Intercept has put together examples of law enforcement people practically drooling over the possibilities that will be opened up should the FBI win.
In Suffolk County, Massachusetts, district attorney’s office spokesperson Jake Wark said prosecutors “can’t rule out” bringing their own case of a locked cellphone before a judge, too. “It may be a question of finding the right case,” he told the Wall Street Journal.
“It’s going to have significant ramifications on us locally,” Matt Rokus, deputy chief of Wisconsin’s Eau Claire Police Department, told the city’s Leader-Telegram newspaper on Monday.
In South Dakota, Minnehaha County State’s Attorney Aaron McGowan told the Sioux Falls Argus Leader that “the court’s ruling could have a significant impact on conducting sensitive criminal investigations.”
And then of course, there's Cyrus Vance, the Manhattan DA who also has been quite vocal in asking for backdoors into encryption, who has admitted that he basically wants the same power the FBI is now trying to exert. And, meanwhile, Senator Richard Burr used the Apple case as a keying off point to try to push for legislation he's been working on for a while that would effectively mandate such backdoors.
So it's fairly difficult to believe the FBI and Director Comey when not only does everyone know he's lying, but his friends and colleagues in law enforcement can't even be bothered to play along with the script.
Update: Oh, and even the DOJ is off-script as well. It's now being reported that the DOJ is currently seeking similar orders on 12 more iPhones. So, yeah, Comey's flat out lying.
Manhattan DA Cyrus Vance can't stop griping about phone encryption. He's basically a one-issue politician at this point. His creaky platform is the coming criminal apocalypse, currently being ushered in by smartphone manufacturers. The only person complaining more about phone encryption is FBI Director James Comey, but in Comey's defense, his jurisdiction is the whole of the United States. Vance has only his district, but it encompasses the NYPD -- a police force that often seems to view itself as the pinnacle of American policing.
Manhattan District Attorney Cyrus R. Vance Jr. said at a news conference that investigators cannot access 175 Apple devices sitting in his cybercrime lab because of encryption embedded in the company’s latest operating systems.
“They’re warrant proof,” he said, adding that the inability to peer inside the devices was especially problematic because so much evidence once stored in file cabinets, on paper, and in vaults, is now only on criminals’ smartphones.
Tough luck, that. But considering the information inside is encrypted, it's a bit bold to declare that whatever's contained there that the NYPD hasn't seen would be useful to investigators. The assumption seems to be that if it's encrypted and on a device seized by law enforcement, then it must be composed of smoking guns and signed confessions in PDF format.
Even if we buy the assumption that the phones contain massive amounts of useful data, there are other pathways to this data. It doesn't have to run through the smartphone provider. And the efforts made to lock out cops (as it's always presented) also keeps criminals from accessing the personal data and communications of others. So, there's that.
Vance claims investigations are being hindered by encryption. Supposedly, the NYPD is sitting on 175 uncracked devices -- some of which were displayed during the press conference. But other than this number being cited, very little was offered in the way of further detail. Instead, Vance photo-opped a pile of supposedly inaccessible devices and let the press draw its own conclusions. Police Commissioner Bill Bratton was on hand to back up Vance's assertions with the sort of jailhouse hearsay Detective Vincent Hanna would find patently ridiculous.
Bratton said criminals are increasingly aware of the protection offered by their devices. He said a prisoner in a city jail was recently recorded saying in a phone call that iPhone encryption was “another gift from God.”.
Devastating.
It's a shame the Vance-Bratton loop doesn't seem to be interested in hearing from other law enforcement representatives about whether the government should be forcing companies out of the encryption business or a locked-up phone should be treated as an investigative brick wall.
The Associated Press said in its report, “The dispute places Apple, one of the world’s most respected companies, on the side of protecting the digital privacy of an accused Islamic terrorist.”
Well, no. Apple is protecting its product for the hundreds of millions who possess Apple iOS devices, and it is protecting its own corporate interests. The company’s market position could be jeopardized by taking away one of the elements to its product that is most appealing to consumers (privacy and encryption) and thereby put the shareholders in financial jeopardy. As CEO, it is Cook’s responsibility to resist that.
Furthermore, the FBI may be using terrorism as leverage to secure Apple's assistance, but its insistence that key info is held on a dead suspect's phone suggests it's reading too much into things it can't actually see, as well as short-circuiting its own investigative processes.
The fact is that the probability that a terrorist would keep sensitive information about his plot/plans on his government-issued mobile phone is pretty preposterous. In the unlikely event that there is information relevant to the investigation on that device, the possibility exists that it resides elsewhere as well, such as with mobile carrier network records, or another person’s phone who spoke or exchanged messages with Farook. Consequently, the FBI should:
Vigorously pursue all of the other avenues of investigation.
Work to develop better decryption capabilities for future investigations.
Withdraw its petition to the court to force a private company to damage its products.
This is coming from the editor of a site that's so much of a law enforcement echo chamber that you're not even allowed to see comments unless you can prove you're a law enforcement officer or official.
When another closed, pro-law enforcement loop can see both the forest and the trees, it clearly exposes Vance's efforts here as little more than grandstanding. What Vance and Bratton want -- along with James Comey -- is for every impediment to investigations to be removed, either by courts or by legislators. Because they've chosen to focus on encryption, they're ignoring scalable fences while wringing their hands over the padlock on the gate.
And, once more it must be pointed out that the FBI and other law enforcement agencies solved plenty of crimes before smartphones -- much less smartphone encryption -- became the norm. They claim everything that used to reside in file cabinets and bedroom drawers now resides in encrypted devices. While many people's "lives" are contained in their phones, their lives encompass far more than their Companion Rectangles™. They still have computers and laptops that aren't encrypted, third party social media services/email providers, as well as friends, relatives and co-conspirators who may be able to offer more insight or access. But all people like Vance see is iNcriminating Device 5S standing between them and justice, even when multiple paths around it still exist.
