Two More Courts Find In Favor Of The FBI And Its NIT Warrant; No Suppression Granted

from the malware-deployment-is-a-go dept

Two more rulings on suppression motions in FBI Playpen cases have been handed down. (h/t Riana Pfefferkorn) The ruling [PDF] in Tennessee agrees with the defendant that the FBI's NIT warrant exceeded Rule 41 jurisdiction limits. The following quotes are from the more substantive "Report and Recommendation" [PDF] by the magistrate judge, which has been adopted by the court overseeing the criminal trial.

The undersigned agrees with the majority of courts to analyze the Virginia search warrant that it violates Rule 41(b) because the magistrate judge in the Eastern District of Virginia lacked authority to issue a search warrant to search property located outside of her district.

Defendant’s computer was never located in the Eastern District of Virginia. See Fed. R. Crim. P. 41(b)(1) & (2). Moreover, the FBI was not investigating a crime of terrorism in the Eastern District of Virginia, nor was it attempting to seize property located in a United States territory or foreign state. See Fed. R. Crim. P. 41(b)(3) & (5). The Government argues that Rule 41(b)(4) is persuasive because the NIT is analogous to a tracking device, which was installed on the Defendant’s computer when his electronic transmission “touched down” in the Eastern District of Virginia, where Playpen was hosted. However, as observed by the Western District of Washington, applying Rule 41(b)(4) to the Virginia warrant “stretches the rule too far…"

That being said, the court decides suppression is not the right remedy for this violation:

In balancing the present facts and circumstances, the magistrate judge first correctly concluded that suppressing the evidence in this case would not meaningfully deter future law enforcement misconduct. The defendant’s objections that officers acted deliberately, recklessly, or with gross negligence, and that it should have been apparent to law enforcement that the Virginia magistrate lacked authority to sign the warrant, are simply unsupported by the record.

[...]

To the extent that there was error in this investigation, such error “rests with the issuing magistrate, not the police officer, and ‘punish[ing] the errors of judges’ is not the office of the exclusionary rule.”

Interestingly (and a bit infuriatingly), the court grants good faith to the FBI for its apparent inability to fully comprehend the "intricacies of the jurisdictions of federal magistrates." This gives the FBI credit for pretending to misunderstand the very statutes it's in the process of trying to change. The FBI -- and the DOJ above it -- very much want the jurisdictional limitations of Rule 41 removed precisely for cases like these: where a search and seizure is performed on remote computers located far outside the jurisdiction where the warrant was issued.

The Nebraska decision [PDF] is much, much worse. First, the court finds there's no expectation of privacy in an IP address, even if the defendant has taken affirmative steps to obscure it.

With or without Tor, Defendant was sharing his IP address with others—total strangers, to potentially include law enforcement officers—with the hope and belief that the users of the first “node” computer would keep his IP address secret. While Defendant’s choice to use Tor may be evidence of his “actual, (subjective) expectation of privacy” in his IP address, using Tor does not elevate that expectation to “one that society is prepared to recognize as ‘reasonable.’”

Not only that, but the court rules the NIT is not a search (nor a "tracking device," as the government argued in the Tennessee case), even though it had to extract this information from the user's computer.

But deploying the NIT to reveal the IP address was not a computer search. Defendant’s IP address is not a “physical component” of the computer or a file residing on his computer like electronic documents or pictures. Rather, the IP address is assigned to a user by the ISP and typically is “maintained on the internet modem that connects an internet device to the internet.” Thus, the NIT essentially compelled Defendant’s computer to produce its IP address (similar to a return address on an envelope) when the NIT instructed the computer to send other information identified in the Virginia Warrant. And the NIT was deployed only after Defendant sought out and visited the Playpen website. “The FBI did not come looking for Defendant. Instead it waited until he came to them and engaged in illicit activity by downloading content from Playpen.”

And here we have another reason why digital-to-analog so often fails. Comparing the compelled production of an IP address to a return address on an envelope is a non-starter because utilizing the postal service does not require the use of a return address, whereas an internet connection almost always requires an IP address.

Worse, the opinion cites Virginia judge Henry Morgan Jr.'s decision in another Playpen case -- where he asserted the FBI could hack computers with invalid warrants because, hey, computers get hacked all the time.

See also Matish, --- F. Supp. 3d ---, 2016 WL 3545776 at *22-24 (holding that with the prevalence of computer hacking and the “compromise of unprecedented amounts of data previously thought to be private,” all individuals have a diminished expectation of privacy once they log onto the internet.)

The court also finds that the FBI's NIT reach didn't exceed Rule 41 geographical limitations. Instead, the defendant made a virtual "trip" to the warrant's jurisdiction to access content stored on the seized server.

Finally, even if the defendant had raised a Fourth Amendment challenge the court found valid, the good faith exception would have prevailed. As in the Tennessee decision, the court finds the FBI held up its side of the deal by providing the magistrate with an affidavit full of technical language and specifics about the search method to be deployed.

This appears to be the broader finding across the large number of Playpen/NIT cases. The FBI's warrant may be invalid but either there's no expectation of privacy in the information obtained or the good faith exception prevents suppression of the obtained evidence.

The first is less problematic than the latter. While some users may undertake efforts to obscure their IP addresses, their expectation of privacy is no more "reasonable" than that of those who don't. Either the info has an expectation of privacy or it doesn't. The legal justifications used by judges, however, haven't been all that great, with the worst being that having your anonymity stripped and your information absconded with is just the price of doing business on the internet -- whether it's a criminal or law enforcement performing the actions apparently matters very little.

The latter part -- the reliance on the FBI's good faith -- is more of an issue. The FBI clearly knew its NIT would travel far beyond the jurisdiction the warrant was issued in. It apparently felt that it benefited heavily from good faith rulings as it made little attempt to obscure this fact from the magistrate judge it presented its affidavit to. But it still withheld some information, including the fact that it would actually be delivering a malware package that would "phone home" once it reached its destination. Just because the search sort of originated at a seized server in Virginia does not excuse seizures performed all over the nation utilizing a single, jurisdictionally-limited warrant.

Filed Under: fbi, hacking, malware, nit, playpen, rule 41

FBI Tests The Waters On Another Attempt To Force Apple To Unlock An iPhone

from the not-this-again dept

Earlier this year, as you recall, there were two big cases in which the DOJ and FBI sought to force Apple to make significant technological changes to iPhone software in order to allow the DOJ to brute force the passcode on some iPhones used by some criminals. Eventually, after Apple (and others) pushed back, and public opinion was turning against the FBI, the DOJ miraculously announced that it found its way into both iPhones and the cases were dropped. But the issue of forcing companies (and Apple especially) to backdoor their way into encrypted iPhones certainly has not been dropped. And it appears that the FBI may be testing the waters to see if it can try again.

You may recall the knife attack in a Minnesota mall last month that wounded 10 individuals. The attacker, Dahir Adan, was shot and killed by an off-duty police officer. The FBI is still investigating and guess what? Adan had an iPhone. And it's locked.

Thornton said the Federal Bureau of Investigation is still investigating Adan's activities and wants access to his cell phone.
"Dahir Adan's iPhone is locked and we are in the process of assessing our legal and technical options to gain access to this device and the data it may contain," Thornton said.

"Technical options" meaning if any of the previously obtained methods will work to break in... and "legal" options as in going back to court to try, once again, to abuse the All Writs Act to force Apple to create backdoored code. Stay tuned...

Filed Under: all writs act, dahir adan, doj, encryption, fbi, going dark, iphone
Companies: apple

FBI Arrested NSA Contractor For Walking Off With 'Highly Classified Information'

from the thought-this-kind-of-thing-was-supposed-to-be-impossible? dept

The Justice Department announced this morning that it had arrested Harold Martin, an NSA contractor (working for Booz Allen), for apparently copying "highly classified" material. The arrest actually happened at the end of August, but the details were only unsealed today.

According to the affidavit, on August 27, 2016, search warrants were executed at Martin’s residence in Glen Burnie, including two storage sheds, as well as upon his vehicle and person. During execution of the warrants, investigators located hard copy documents and digital information stored on various devices and removable digital media. A large percentage of the materials recovered from Martin’s residence and vehicle bore markings indicating that they were property of the United States and contained highly classified information of the United States, including Top Secret and Sensitive Compartmented Information (SCI). In addition, investigators located property of the United States with an aggregate value in excess of $1,000, which Martin allegedly stole.

The complaint alleges that among the classified documents found in the search were six classified documents obtained from sensitive intelligence and produced by a government agency in 2014. These documents were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues. The disclosure of the documents would reveal those sensitive sources, methods, and capabilities.

The NY Times story about this claims that the information Martin had was "computer code." There's a lot of speculation on the Twitters that this is related to the infamous Shadow Brokers "leak" of NSA hacking tools. The dates don't fully line up. The Shadow Brokers leak involved code from 2013. The DOJ claims that the code it found Martin had is from 2014 -- though it's certainly possible that the investigation into Shadow Brokers led them to Martin (the arrest came the week after the Shadow Brokers info went public). However, the NY Times report does say that the info was for breaking into foreign computer systems:

The contractor arrested in recent weeks is suspected of taking the highly classified “source code” developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea. Two officials said that some of the information the contractor is suspected of taking was dated.

As always, it will be interesting to hear the other side of this story. We've certainly seen the DOJ come down hard on former NSA employees and contractors, claiming they had made off with classified information, when the later details turned out to show a lot less. But this is clearly a story worth following...

It should also make you wonder just how many "controls" the NSA has really put in place to keep employees and contractors from walking off with highly classified information. We know that Snowden did it back in 2013, but the NSA keeps insisting that it's put in place more controls to stop it from happening again. And, if this truly is exploit code, this is much worse. Snowden made off with information about certain programs -- but not actual code.

Filed Under: contractor, doj, exploits, fbi, harold martin, nsa, shadow brokers, surveilance
Companies: booz allen

FBI's Comey: Actually, Chasing ISIS Off Twitter Makes It More Difficult For Us To Follow Them

from the things-to-think-about dept

Over and over again we keep hearing politicians and others going on and on about the need for social media companies like Facebook, Twitter and Google to kick ISIS users off their platforms. Both Hillary Clinton and Donald Trump have called for this. And some people at these companies are supportive of this idea. Twitter regularly feels compelled to talk about how many ISIS accounts it removes.

Yet, as we've pointed out each time it's done so, this seems backwards. We've noted that intelligence officials have claimed that they actually get really good intelligence from following these social media accounts. But generally those voices aren't heard as much. So it's actually great to see FBI Direct James Comey (someone we rarely agree with) come out and say it directly: kicking ISIS members off Twitter makes things more difficult for law enforcement.

"We are making good progress with the help of companies like Twitter at chasing the Islamic State" off the platform—the microblogging site has suspended hundreds of thousands of accounts promoting terrorism—but Comey said the challenge is that such efforts push some users "to a place where they’re less able to proselytize broadly but more able to communicate in a secure way. [We've] chased them to apps like Telegram.”

Now, of course, this all seems part of Comey's effort to then demonize encryption. But there is a larger point here: when terrorists are using social media and revealing useful info, why should we try to kick them off those platforms? Let them make mistakes.

I know that the big fear from some is that letting ISIS use Twitter means they can better "recruit" but almost every study on this notes that online recruitment isn't really that effective. Most recruitment happens from people who actually know people. And cutting ISIS people off from Twitter also kills off good opportunities for counterspeech, like the time that an ISIS leader called on Muslims to join ISIS, and a whole bunch of Muslims responded with mocking tweets instead: Yes, yes, I know that people saying stuff we disagree with online is very scary -- but silencing them has serious costs as well. So, yes, here's a rare instance where we agree with James Comey: pushing ISIS members off of Twitter is a bad idea. It harms the ability of law enforcement to follow them (and, gives Comey more opportunities to whine about encryption). Just keep them on Twitter and let law enforcement and the intelligence community follow them.

Filed Under: censorship, encryption, fbi, isis, james comey, law enforcement, social media, surveillance
Companies: twitter

FBI, DOJ And Their Forensic Scientists State They'll Continue Using Discredited Junk Science To Put People Behind Bars

from the if-it-ain't-working,-don't-fix-it dept

For dozens of years, criminal prosecutions have relied on junk science. Forensic science, properly applied, can actually provide matches that identify suspects. But it's not properly applied. In the hands of the DOJ, forensic evidence examination is a closed loop. Outside scientists have been granted access to the DOJ's DNA work, but everything else -- from fingerprints to hair samples -- has been locked away in the government's database.

Still, the DOJ insists its science is solid, something it bases on confirmation bias. The matches determined in its forensic labs are "scientifically certain" because the DOJ's expert witnesses have said so in court. Not only are outside scientists locked out of examining evidence and forensic processes, but defense lawyers are as well.

The DOJ has finally decided to dial back its "scientific certainty" a bit by issuing guidance instructing its experts to not make this claim in court. This follows years of bogus matches being presented as sure things by forensic experts in court, leading to an unknown number of false convictions. This step back is a step forward for an agency that is mostly unwilling to admit to any mistakes or wrongdoing.

This small change is likely due to a damning report [PDF] issued by the President's Council of Advisors on Science and Technology (PCAST) that asserts that the "scientifically certain" evidence prosecutors rely on is severely flawed.

The questions that DNA analysis had raised about the scientific validity of traditional forensic disciplines and testimony based on them led, naturally, to increased efforts to test empirically the reliability of the methods that those disciplines employed. Relevant studies that followed included:

• a 2002 FBI re-examination of microscopic hair comparisons the agency’s scientists had performed in criminal cases, in which DNA testing revealed that 11 percent of hair samples found to match microscopically actually came from different individuals;

• a 2004 National Research Council report, commissioned by the FBI, on bullet-lead evidence, which found that there was insufficient research and data to support drawing a definitive connection between two bullets based on compositional similarity of the lead they contain;

• a 2005 report of an international committee established by the FBI to review the use of latent fingerprint evidence in the case of a terrorist bombing in Spain, in which the committee found that “confirmation bias”—the inclination to confirm a suspicion based on other grounds—contributed to a misidentification and improper detention; and

• studies reported in 2009 and 2010 on bitemark evidence, which found that current procedures for comparing bitemarks are unable to reliably exclude or include a suspect as a potential biter.

Beyond these kinds of shortfalls with respect to “reliable methods” in forensic feature-comparison disciplines, reviews have found that expert witnesses have often overstated the probative value of their evidence, going far beyond what the relevant science can justify. Examiners have sometimes testified, for example, that their conclusions are “100 percent certain;” or have “zero,” “essentially zero,” or “negligible,” error rate. As many reviews—including the highly regarded 2009 National Research Council study—have noted, however, such statements are not scientifically defensible: all laboratory tests and feature-comparison analyses have non-zero error rates.

Despite these conclusions, law enforcement forensic scientists, along with the FBI and DOJ are promising to continue using junk science to convict people. The Attorney General's response to the report is basically, "Thanks for all the hard work, but we're not changing a thing."

In a statement reported by the Wall Street Journal, Attorney General Loretta Lynch said that the agency remains “confident that, when used properly, forensic science evidence helps juries identify the guilty and clear the innocent, and the department believes that the current legal standards regarding the admissibility of forensic evidence are based on sound science and sound legal reasoning.” As such, she said, while “we appreciate their contribution to the field of scientific inquiry, the department will not be adopting the recommendations related to the admissibility of forensic science evidence.”

The FBI's response [PDF] is no more enthusiastic. Its one-page blast claims the entire PCAST report is flawed. It also asserts there are "multiple studies" that back up its forensics work. However, the FBI turned down an invitation to participate in the PCAST study and one of the PCAST members points out that the studies the FBI claims contradict the PCAST findings actually do no such thing.

Asked about the FBI’s complaints, Eric Lander, co-chair of the presidential council and president and founding member of the Broad Institute of MIT and Harvard, a biomedical research group, told The Intercept that the FBI is mistaken. “Neither report says that proficiency testing be used to estimate the ‘error rate’ of forensic methods,” he wrote in an email, and both reports agree that examiners should be subject to proficiency tests. And Lander said he is “not aware” of what studies the FBI believes were ignored by the report. “We specifically received FBI’s input on studies to consider and we did so.”

[...]

Lander wrote that the presidential council did in fact review the six studies the FBI complains that it missed. “However, these studies are clearly not empirical studies ‘providing support for foundational validity,'” he wrote. “Indeed, only one of the papers even reports an empirical study of current forensic method at all!”

But the most defensive response [PDF] to the PCAST study has come from the American Congress of Forensic Science Laboratories. Unsurprisingly, the group isn't pleased that its conclusions and methodology have been questioned. Before addressing the shortcomings it feels the study contains, the ACFSL first tries to claim the whole thing is just a politically-motivated attack on the good people in law enforcement.

Interestingly, the PCAST report comes during a presidential administration that has demonstrated a deep sensitivity to the needs and demands of trial attorneys, criminal defendants, and advocates of sweeping criminal justice reform. Future administrations may take a different approach, tending to champion positions traditionally held by police and prosecutors. We have no opinion in these matters. But these swings in ideological perspective cause commensurate changes in how forensic science and its role in our criminal justice system are perceived. In the current political climate, forensic science is looked upon with far more suspicion and, in some cases, disdain than would be the case in other political circumstances. And because forensic science is both expected and apt to remain independent of these political currents, it is vulnerable to being misportrayed and even bullied in a way that compromises its occupational stability.

It's somewhat interesting that a field where evidence has been used to deprive innocent people of their freedom -- and whose courtroom assertions are treated as nearly-unassailable despite a long history of uncorrected errors -- can somehow be bullied by a report both the DOJ and FBI have already indicated they're going to ignore.

It also attacks some of the contributors for their work with the Innocence Project (Eric Lander) and their previous assertions about the intrusiveness of DNA collections (Tania Simoncelli) -- all the while claiming it has no interest in "disparaging" the authors of the study. Even in this, the forensic scientists' sample size is way too small. Attacking Lander for his Innocence Project work conveniently overlooks his considerable contributions to the scientific community.

[Innocence Project's Chris] Fabricant said the congress’ assertions were absurd. “To suggest that the leading scientists in the country would cash in their credibility to do – what? What possible agenda could they be pursuing except scientific validity?” he asked. “I’d like to know what agenda they propose is being driven, and how somebody like Eric Lander – who mapped the human genome — is going to preside over a process that is intended to undermine the criminal justice.”

These responses indicate business -- as lousy and inaccurate as it is -- will continue as usual until the DOJ is forced to confront these issues, either by litigation or legislation. Not exactly heartening news for citizens who don't like being locked up for crimes they didn't commit.

Filed Under: doj, fbi, forensic science, junk science, prosecutors, science

How I Taught A Jury About Trolls, Memes And 4Chan -- And Helped Get A Troll Out Of Jail

from the interesting-experiences dept

A few weeks ago, CNN had a story on how a jury failed to convict Peter Wexler, an unemployed IT worker, who had been arrested and spent nearly a year in jail (without bail) for writing some mean stuff on his blog. He was literally arrested for five blog posts (which came with 20 criminal charges, as they had multiple charges on each post) and was facing up to 15 years in jail for those posts. Ken "Popehat" White blogged briefly about it, noting that it was a huge First Amendment win in a case where the defense team included one of his partners, Caleb Mason (along with lawyer Marri Derby, who was appointed by the court to represent Wexler through the Criminal Justice Act). It's also a case that involved... me. I was an expert witness in the case, brought in to explain to the jury the nature of internet discourse, including how trolls quite frequently say outrageous things to get attention, and how it's (for better or worse) not that uncommon to see people post angry rants on the internet, or to talk about how certain people should die, or to photoshop famous people into weird scenarios.

I've avoided writing about the case up until now, mostly because of my involvement. And since Wexler was found not guilty on some charges, while the other charges resulted in a hung jury (the jury foreperson said that they voted 8 to 4 to acquit on those other charges), there's a chance there may be a second trial. So recognize that it's a case that I may still have future involvement in -- and where I'm choosing my words carefully (the prosecutors in the case tried to take some of my posts on Techdirt out of context to attack my credibility, and it's possible that could happen again -- though I will admit to some confusion over being asked, twice, on the stand if I consider myself "an advocate for internet freedom," as if that were a bad thing).

What I will say is that I was asked to review Wexler's blog -- and while I certainly don't agree with much of what he wrote there, I didn't see anything that seemed out of character in many internet forums. Much of it seemed straight out of 4chan's /pol/ honestly. Wexler cheered on ISIS beheadings and cop shootings. He blasted US politicians and US policy both at home and abroad. He's not a fan of the mainstream media. He's not a fan of any "establishment" politician, and would mock them all, while cheering on both Donald Trump and Bernie Sanders. In short, he had opinions and he expressed them, sometimes angrily and in ways that were clearly designed to get people to react. At one point, responding to the news that the online troll Joshua Goldberg had been arrested (a story we wrote about, in part because of my own interactions with Goldberg), Wexler declared himself to be an "ISIS SUPPORTING ONLINE TROLL" (echoing the language being used to describe Goldberg): Even an FBI special agent, Voviette Morgan, noted to others in the Bureau that "everything we have reviewed to date [on Wexler's blog] falls into the category of First Amendment protected speech." But the FBI still sent some agents to visit him. And that led him to post some fairly angry rants against the FBI and the FBI's top agent in Southern California, David Bowdich (who has since moved up to a new position in DC), including the one in the image above.

After a few more posts calling out Bowdich, and photoshopping him into a variety of images -- including taking a picture of a Bowdich press conference and overlaying a forearm and hand holding a gun pointing at Bowdich, overlaying a target on Bowdich's face in a press shot, and photoshopping Bowdich into a still from an ISIS beheading video (something that Wexler did with other people, including Brian Williams and Ben Carson, which the FBI also seemed to think was protected speech), Wexler was arrested, with the charges focusing on his posts about Bowdich, and arguing that statements like what he says above about how he wants "to shove my Fat Man Gadget up David Bowdich's limpwristed West Los Angeles ass, and I intend to!" should be seen as a legitimate threat on Bowdich's life (anyone know what a Fat Man Gadget is?).

Wexler then spent basically the last year in jail for a bunch of angry blog posts, without even the option of being bailed out allowed. There were a number of other issues at play in the trial, some of which I may get to in a future post, but I was there to just explain the nature of online trolling, and how what Wexler said -- while certainly distasteful, and perhaps offensive -- was hardly out of the ordinary in certain online communities, and how many people in those communities recognized that kind of shitposting for what it was, and would laugh at those who "fell" for such extreme and offensive statements. I got to explain 4chan and trolling and even the creation of memes (yes, I explained rickrolling to a jury). I discussed numerous examples of similar blog posts, tweets, Facebook posts and forum posts. I highlighted numerous examples of people declaring publicly that some public figures (and some not so public figures) should be executed. I talked about (and showed examples of) politicians calling for the death of Hillary Clinton. I talked about photoshopping and photoshopping contests -- including ones that involved photoshopping targets or First Person Shooter-style overlays onto images of people. I showed many examples of famous people having targets overlayed on their images.

Basically, I showed the simple fact that in some corners of the internet, posting crazy offensive stuff is pretty commonplace, and it rarely means they're actually planning to go out and do anything. I don't know how useful my testimony was, though the fact that Wexler was not convicted and is now free from jail at least suggests it did not hurt the case. I recognize that what Wexler was saying on his blog is stuff that many people find offensive -- but if what he said was a crime, then a hell of a lot of people spouting off online are criminals too, and I'm pretty sure that's not how the First Amendment is supposed to work.

Once the case is really over, there are some other elements of the case that I'd feel more comfortable discussing, but for now, since a few people had asked about it, I did want to share this part of the story. A guy just spent nearly an entire year in jail because he blogged some (admittedly extreme) things in expressing his anger over the state of things in the world today. I may not agree with Peter Wexler's views on most of those things, but it seems like he should have the right to express himself on a blog without being thrown in jail for a year (or much longer).

Filed Under: blog posts, david bowdich, doj, fbi, first amendment, free speech, peter wexler, trolls

Another Judge Declares FBI's Playpen Warrant Invalid, Suppresses All Evidence

from the playing-fast-and-loose-with-the-Fourth-Amendment dept

Cyrus Farivar of Ars Technica reports that another federal judge has found the warrant used by the FBI to deploy its Tor-busting malware is invalid. This finding isn't unique. Multiple judges in various jurisdictions have found the warrant invalid due to Rule 41, which limits execution of warrants to the jurisdiction where they were issued. But only in a few of the dozens of cases stemming from the FBI's child porn investigation has a judge ruled to suppress the evidence obtained by the FBI's NIT.

A federal judge in Iowa has ordered the suppression of child pornography evidence derived from an invalid warrant. The warrant was issued as part of a controversial government-sanctioned operation to hack Tor users. Out of nearly 200 such cases nationwide that involve the Tor-hidden child porn site known as "Playpen," US District Judge Robert Pratt is just the third to make such a ruling.

In other cases, judges have found the warrant invalid, but have granted the FBI the "good faith" exception or found that the information harvested by the agency's hacking tool isn't protected under the Fourth Amendment. In one particularly memorable case, the presiding judge wandered off script and conflated security and privacy, suggesting that because computer hacking is so commonplace, the FBI should be allowed to peek into compromised computers (and compromise them!) and extract whatever it can without worrying about tripping all over the Fourth Amendment.

With hundreds of cases all over the nation (and many more handed off to foreign law enforcement agencies) stemming from a single warrant, this collection of rulings is far from coherent. But, more often than not, judges have found that the reach of the FBI's NIT deployment far exceeded its Rule 41 grasp. That all could change by the end of the year, making future investigations handled in this manner (running seized websites to deploy hacking tools) much less likely to be successfully challenged in court.

Judge Pratt's ruling [PDF], however, did at least shut down the government's Third Party Doctrine arguments.

There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer.

[...]

If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself. Here, Defendants' IP addresses were stored on their computers in their homes rather than in a drawer.

Analogies to physical objects are seldom perfect, but Pratt's does better than most.

"Judge Pratt correctly interpreted the NIT's function and picked the correct analogy," Fred Jennings, a New York-based lawyer who has worked on numerous computer crime cases, told Ars. Jennings continues:

[Pratt] correctly points out that the usual analogies, to tracking devices or IP information turned over by a third-party service provider, are inapplicable to this type of government hacking. A common theme in digital privacy, with Fourth Amendment issues especially, is the difficulty of analogizing to apt precedent—there are nuances to digital communication that simply don't trace back well to 20th-century precedent about physical intrusion or literal wiretapping.

The evidence suppression will likely result in charges being dropped, as anything located on the defendant's devices would have stemmed from the invalid NIT warrant. Outcomes like these don't do much to appease the general public, as the actions alleged are often viewed as indefensible. But the ugliness of the crime has no bearing on the Constitution and the rules governing search warrants.

The FBI can't play by different rules just because the targets are less sympathetic. That's why the push back against the proposed Rule 41 changes is important, because alterations to jurisdictional limits won't solely be used to chase down the worst of the worst. It will greatly expand the reach of questionable search warrants and investigative tools and encourage magistrate shopping by law enforcement to lower the level of scrutiny their deficient affidavits might otherwise receive.

Filed Under: doj, evidence, fbi, nit, playpen, warrant

Inspector General Says FBI Probably Shouldn't Impersonate Journalists; FBI Says It Would Rather Impersonate Companies Anyway

from the upgrade-to-fbiOS-10! dept

The FBI's impersonation of an AP journalist during an investigation raised some serious questions about what the agency considered to be acceptable behavior when pursuing suspects. The outing of this tactic led to a lawsuit by the Associated Press, which was naturally unhappy its name was being used to deliver malware to a teenaged bomb threat suspect.

The FBI performed its own investigation of the matter (but only after it had become public knowledge -- seven years after the incident actually occurred) and found that rules may have been broken by this impersonation of a news agency. Certain approval steps were skipped, making the investigatory tactic not exactly by the book. But in the end, the report congratulated the FBI on using the ends to justify the means.

The DOJ's Inspector General [PDF] has now reviewed the incident as well and, uncharacteristically, is even more supportive and less critical of the FBI's actions.

We found that Department and FBI policies in effect in 2007 did not prohibit agents from impersonating journalists or from posing as a member of a news organization, nor was there any requirement that agents seek special approval to engage in such undercover activities. The only policies in effect at the time that might have required elevated consideration regarding the FBI’s plans turned on whether the undercover activity involved a “sensitive circumstance.” We concluded, given the lack of clarity in the policy language, that making a determination whether a situation was a “sensitive circumstance” was a challenging one and that the judgments made by the agents were not unreasonable given the lack of clarity.

Basically, the OIG has granted the FBI a "good faith" exception. The report also notes that an interim policy eliminated much of the vagueness previously present in the FBI's policies. That being said, the OIG's recommendation doesn't want for vagueness.

Recommendation 2: The FBI should consider the appropriate level of review required before FBI employees in a criminal investigation use the name of third party organizations or businesses without their knowledge or consent.

"Consider the appropriate level of review" sounds a lot like something that could be interpreted as "roll the dice and see what happens" or "it's always easier to ask for forgiveness than permission." Fortunately, the OIG has additional guidance on this recommendation, which makes it less vague than it first appears.

After reviewing a draft of this report, the FBI provided comments explaining that the heightened level of review and approval required for FBI employees to pose as members of the news media was introduced because such activity potentially could “impair news-gathering activities” under the First Amendment, but that such constitutional considerations do not apply to businesses and other third parties. Our recommendation, however, does not rely on equating the reputational interests of some third party organizations and businesses with the constitutional interests of others. We believe that reputational interests, and the potential impact FBI investigations can have on those interests, are themselves sufficiently important to merit some level of review before FBI employees use the names of third party organizations or businesses without their knowledge or consent.

As is pointed out by Marcy Wheeler, the FBI is arguing that it shouldn't have to seek special approval to imitate non-journalistic entities. It could impersonate any number of companies without additional oversight because there are fewer Constitutional concerns. It could -- in the hypothetical Wheeler proposes -- pretend to be Apple and issue a software update. That's one way to ensure a phone's crackable once the FBI gets its hands on it.

So, the change in policy will only affect the FBI's ability to impersonate journalists or their employers. It won't prevent the FBI from doing this. It will only require additional signatures on the paperwork.

Another OIG finding of note is that the FBI is the worst at impersonating journalists. Fortunately for it and its terrible imitation skills, it was only up against a 15-year-old bomb threat suspect.

Grant identified himself in the e-mail as “Norm Weatherill,” an “AP Staff Publisher.”

At 2:55 p.m. Jenkins responded, “leave me alone.”

Grant replied at 3:21 p.m.:

I respect that you do not want to be bothered by the Press. Please let me explain my actions. I am not trying to find out your true identity. As a member of the Press, I would rather not know who you are as writers are not allowed to reveal their sources. The school has continually requested that the Press NOT cover this story. After the School Meeting last night, it is obvious to me that this needs coverage. Readers find this type of story fascinating. People don’t understand your actions and we are left to guess what message you are trying to send. . . .

Nothing says "competent journalist" like random capitalization and referring to the Associated Press as "the Press..." if that's even what's happening here. It could very well be that "the Man" assumes everything is "us vs. them" and that "the Press" is just another key player in a larger conspiracy to subvert "School Meetings" and the administrators that oversee them. Whatever this mess of words is, "competent" it certainly isn't.

On top of that, the FBI couldn't even nail down a writing style that has its own, frequently-updated guidebook, as Ryan J. Reilly points out at the Huffington Post.

Despite the fact that the “entire investigative team was present” and “consulted together about what to say before the message was sent,” none of them apparently thought to follow AP Style.

Neither did the fake news story the FBI posted to its fake website -- the link used to serve the suspect with malware.

All joking aside, the policies the FBI had in place before this blew up were plainly inadequate. The policies replacing them aren't much better. The agency is already given plenty of leeway in terms of investigative tactics. Limiting its impersonation to those that don't implicate First Amendment rights won't stop it from impersonating any other private entity that might serve its purposes.

Filed Under: fake journalists, fbi, inspector general, journalists
Companies: ap, associated press

AP, USA Today, Vice Sue FBI Over Refusal To Release Information About Contractor Who Cracked iPhone For It

from the exemption-(b)ecause-shut-up dept

USA Today, the Associated Press, and Vice News have joined forces to sue the FBI over its refusal to release even the most minimal amount of information on the hack it purchased to crack open the iPhone seized during its San Bernardino shooting investigation.

The DOJ certainly seemed adamant that Apple disclose all sorts of inside info to the government during the heated litigation. It turned down offers of assistance from hackers and security researchers before finally shelling out an unknown amount of money to an Israeli firm to gain access to the phone's contents. It also ensured it would never have to discuss the technical details of the hacking by not demanding this information be included in the purchase price.

Now, it refuses to even discuss the purchase price. Educated guesses that put it north of $1 million are based on a James Comey comment in which he said it was several times his annual salary. Somehow, the actual amount paid -- if revealed -- would somehow prevent the FBI's investigation from reaching its conclusion.

This FOIA lawsuit [PDF] targets other innocuous information the FBI refuses to release: contractor info on the party used to open up the seized iPhone (and discover nothing of investigative use on it).

This action is brought pursuant to the Freedom of Information Act (“FOIA”), 5 U.S.C. §§ 552, et seq., for basic contracting information from the Federal Bureau of Investigation (“FBI”) regarding one of its most publicly-discussed and controversial acquisitions: a technological tool openly purchased from a third-party vendor that was used to circumvent the need for a court order to access the locked iPhone of Syed Rizwan Farook, one of the perpetrators of the mass killings in San Bernardino, California.

As the lawsuit cleverly points out by using FBI director James Comey's own words against him, the public's interest in this information should easily outweigh the FBI's stated reasons for withholding it.

[T]he News Organizations seek to compel the FBI to provide records of the publicly-acknowledged business transaction that resulted in the purchase this March of the so-called iPhone access tool. The public interest in receiving this information is significant. The FBI’s purchase of this tool allowed government access to Mr. Farook’s phone, providing new information about one of the deadliest attacks on American soil in recent years, but also apparently failing to reveal any evidence of links between Mr. Farook and foreign terrorists or terrorist organizations...

FBI Director James Comey has himself stressed the essential importance of a nationwide “adult conversation” about whether and when law enforcement should be able to access encrypted devices because, “‘We’ve got to get to a point where we can reach [wrongdoers] as easily as they can reach us and change behavior by that reach-out.’” Mr. Comey also noted the need for increased information sharing with the public, an acknowledgment particularly critical given the potential of future legislative action on this issue, noting, “‘We need to understand in the FBI, how is this exactly affecting our work, and then share that with folks.’”

Moreover, the FBI’s purchase of the technology – and its subsequent verification that it had successfully obtained the data it was seeking thanks to that technology – confirmed that a serious undisclosed security vulnerability existed (and likely still exists) in one of the most popular consumer products in the world. And in order to exploit that vulnerability, the FBI contracted with an unidentified third-party vendor, effectively sanctioning that party to retain this potentially dangerous technology without any public assurance about what that vendor represents, whether the vendor has adequate security measures, whether the vendor is a proper recipient of government funds, or whether it will act only in the public interest.

The complaint points out the FBI has offered up zero information on this mysterious contractor, leaving several questions unanswered. The agency has refused to turn over anything on the vetting process used to select this vendor, raising the possibility that the FBI's chosen hacking entity may also be aiding blacklisted governments, terrorist groups, or criminals with accessing communications and data.

The news agencies participating in the lawsuit have been seeking this info since the All Writs Order was vacated back in March. Every request has been denied. The lawsuit seeks an order compelling the release of this information.

The DOJ will obviously fight this but it should be an interesting case to watch… if there's anything to be seen from the outside. Despite the hack being specific to one iPhone make running one specific version of iOS -- and there being nothing of interest found on the cracked phone -- the DOJ is sure to claim that any disclosure, however minimal, will do serious damage to national security and law enforcement means and methods.

Filed Under: cracked, doj, encryption, fbi, foia, going dark, iphone, san bernardino, transparency
Companies: ap, usa today, vice

FBI Director: Our Electronic Voting System Is Such A Complete Mess, It Would Be Difficult To Hack

from the well,-then dept

There's been plenty of talking going around this election cycle about the terrible security problems with our current voting technology -- along with some conspiracy-theory level talk of foreign agents looking to "hack" the election. We haven't been very impressed with officials telling us all to calm down and it's difficult to see how FBI director James Comey did himself any favors by basically arguing that the voting system is secure... mainly because of what a complete and utter mess it is. The larger point he's making is somewhat valid, if clunky, in the fact that each state runs their own voting, so it's not like hackers can get into one central system and wreak havoc. The different systems definitely make it harder. But arguing that this is a sign of good security seems kind of ridiculous:

“The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck,’’ said Mr. Comey. “A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the internet of things, and so it is hard for an actor to reach our voting process.’’

Yeah, that's basically security through obscurity... at scale. Not exactly very reassuring, even if the underlying point may be true.

Wouldn't it be better if we just made sure the systems were actually secure (i.e., not computerized and connected to the internet) rather than just "clunky"?

Filed Under: e-voting, elections, fbi, hacking, james comey