Gun Trafficking Investigation Shows The FBI Is Still Capable Of Accessing Communications On Encrypted Devices

from the so-dark-we-could-only-get-everything-we-needed dept

It's been clear for some time that the FBI and DOJ's overly dramatic calls for encryption backdoors are unwarranted. Law enforcement still has plenty of options to deal with device encryption and end-to-end encrypted messaging services. Multiple reports have shown encryption is rarely an obstacle to investigations. And for all the noise the FBI has made about its supposedly huge stockpile of locked devices, it still has yet to hand over an accurate count of devices in its possession, more than two years after it discovered it had been using an inflated figure to back its "going dark" hysteria for months.

An ongoing criminal case discussed by Thomas Forbes for Fortune provides more evidence law enforcement is not only finding ways to bypass device encryption, but access contents of end-to-end encrypted messages. This isn't the indictment of Signal (a popular encrypted messaging service) it first appears to be, though. The access point was the iPhone in law enforcement's possession which, despite still being locked, was subjected to a successful forensic extraction.

In the Signal chats obtained from one of [the suspect's] phones, they discuss not just weapons trades but attempted murder too, according to documents filed by the Justice Department. There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off. An iPhone in this state is more susceptible to having data inside extracted because encryption keys are stored in memory.

Seizing a phone in this vulnerable state allows investigators to obtain evidence from "locked" phones by using forensic tools like those sold by Cellebrite and Grayshift. Signal's encryption works. But that encryption doesn't matter -- not if law enforcement has access to the device. Encryption protects against message interception but even the strongest forms of encryption can't secure communications on a partially unlocked device. In this state, it's as simple as hooking up a phone to an extraction device and letting the device do the work.

It's not clear which forensic option was used, but it does show encryption isn't making phones and communications "warrant-proof." A locked device (rather than one in an "after first unlock") is going to be tougher to crack, but it's far from impossible. And if it is indeed impossible, a wealth of information can be recovered from cloud backups, unencrypted communications platforms, social media services, and any number of third parties that collect information and location data from cellphone users. In only the rarest cases will investigators have almost nothing to work with.

Even in those cases, there are options. Investigators can roll the dice on Fifth Amendment challenges and hope a court orders arrestees to unlock their devices. They can also seek consent to a search -- something that's never a one-and-done thing when law enforcement has both suspects and their devices in its possession.

This case shows multiple layers of encryption are mainly a hassle at this point. It's enough to keep people's devices secure in case of loss or theft, but it's not much of an impediment to investigators with powerful forensic tools at their disposal.

Filed Under: access, doj, encryption, evidence, fbi, going dark, law enforcement

Michigan State Police Officials Are Dodging Public Records Obligations By Using Encrypted Messaging Apps

from the it's-not-the-encryption,-it's-the-message-destruction dept

There have been some very vocal calls for encryption backdoors by the heads of certain law enforcement agencies. And those making the most noise imply every other law enforcement agency that isn't clamoring for worse security supports the clamoring loudmouths demanding mandated backdoors.

Maybe these other agencies do agree with "going dark" proselytizers like Chris Wray and Cy Vance. Maybe these agencies that never speak out are the silent majority. Then again, maybe they recognize the tradeoff for what it is and find other ways to obtain the evidence they need. But one thing is clear, cops are fans of encryption if it benefits them.

Admissions made in a lawsuit brought by a fired Michigan State Police inspector show police officials have been using an encrypted messaging app with a self-destruct feature to engage in official business.

Top officials at the Michigan State Police have been using text messaging encryption devices that can put their internal communications out of the reach of the Freedom of Information Act and legal discovery, according to admissions the MSP made in a civil lawsuit.

Among those who have downloaded the "end-to-end" encryption applications onto their state-issued phones are a lieutenant-colonel, two majors and two first lieutenants, according to court records obtained by the Free Press.

Former inspector Michael Hahn sued the Michigan State Police after he was allegedly fired in retaliation for his vocal opposition to "unlawful racial and gender hiring and promotion preference." Hahn's lawyer, James Fett, suspected something was amiss when his discovery request for text messages from officials involved in Hahn's firing returned hardly any messages. The meager output was at odds with the four-month investigation of Hahn involving numerous MSP officials that occurred prior to his dismissal.

After a motion to compel, the Michigan State Police admitted its officials were using an encrypted app with self-destructing messages that leaves no permanent record on officials' phones or MSP servers.

Fett asked the MSP to admit that Gasper, Hinkley, Lt. Col. Kyle Bowman, Maj. Emmitt McGowan, Maj. Beth Clark, 1st Lt. Brody Boucher, and 1st Lt. Jason Nemecek had each downloaded and used an instant messaging application with end-to-end encryption on their state-issued cellphones.

Assistant Attorney General Mark Donnelly, who is representing the state defendants in the lawsuit, admitted in an Oct. 29 response, obtained by the Free Press, that was true for each of the officials named. But in a corrected filing Thursday, Donnelly said use of the encryption app on state phones was not true for Gasper or Hinkley, though it was true for the others.

The app being used appears to be Signal, according to the fired MSP inspector bringing the lawsuit. Hahn noted that lots of MSP officials' names disappeared from the app after the Detroit Free Press began asking MSP officials to comment on the filing.

While encryption is a great way to protect sensitive communications from malicious hackers and criminals, it's not so great when it's being used to shield public servants from transparency and accountability. By all means, these communications should be encrypted. But they should also be archived and stored somewhere the MSP can retrieve them when sought by public records requesters or court orders. This storage should also be encrypted.

Encryption isn't the problem here. It's the sidestepping of obligations to the public -- something that, in this case, happens to involve encryption. And if this is going to get sorted out, it's probably going to take litigation and nosy journalists to get it done. Because it looks like the department in charge of defining the contours and limits of official communications isn't up to the task.

The Michigan Department of Technology Management and Budget can restrict or forbid use of messaging services that don't create permanent records of official communications. It hasn't. And its conflicting statement to the Detroit Free Press seems to imply it permits the use of self-destructing messages by state employees who are required to preserve their official communications.

Asked whether state employees are permitted to install end-to-end encryption applications on their state-issued phones, Caleb Buhs, a spokesman for DTMB, said that would be allowed only "if the application is for legitimate state business."

Which is fine, but…

Buhs was then asked to give examples of what the Whitmer administration would consider "legitimate state business" that would leave no record of official communications between state employees. He did not respond.

Well, that clears nothing up. Perhaps this will motivate the DTMB to come up with some coherent guidelines and retention mandates. Or perhaps the Department will just find a better spokesperson.

Whatever the end result of this lawsuit, the immediate payoff is confirmation public officials are violating laws and blowing off their obligations to the public. Perhaps some public good will come of this outing of willful destruction of public records, but given the number of times similar things have happened at all levels of government, it's difficult to greet this revelation with optimism, rather than cynicism.

Filed Under: encryption, foia, going dark, michigan state police, transparency

Police Chief Demands Holes In Encryption Because Some Cops Decided To Participate In The DC Insurrection

from the sure,-make-this-all-about-us-when-it's-really-just-about-you dept

As more evidence comes to light showing a disturbing amount of law enforcement participation in the January 6th attack on the Capitol, police departments around the nation are finally being forced to face something they've ignored for far too long.

The law enforcement officers who participated in the insurrection attacked officers attempting to defend the building, or, at the very least, did nothing to discourage the lawless actions occurring all around them. The officers that went to DC and engaged in a riot aren't an anomaly. They've been part of law enforcement for as long as law enforcement has existed: bigots with a penchant for violence and a thirst for power.

These officers are finally beginning to be rooted out, but only because they did things no one can ignore. Hundreds of participants produced hundreds of recordings, turning their own celebration of their attempted election-thwarting into the evidence needed to identify them and charge them with federal crimes. Posts made to social media platforms provided more evidence, tying incriminating statements to location data to place off-duty cops on the scene.

Now that agencies are finally confronting their in-house white supremacist/militia problem, they're asking for everyone to be made less secure so they can handle the problem that's been hiding in plain sight for years.

Houston Police Chief Art Acevedo -- who presides over an agency with more than its share of bad cops -- was asked what officials like himself are doing to confront this problem. In response, Chief Acevedo asked for Congress to do him -- and other law enforcement agencies -- a favor:

Acevedo... said anonymous online platforms on the “dark web” are making such [internal] investigations impossible, even for departments with sufficient resources. He expects the move away from public platforms like Facebook and Twitter to grow rapidly in response to the FBI arrests of those who rioted at the Capitol.

This month, Acevedo was asked by the House Oversight and Reform Committee to explain what actions police chiefs are taking, and responded by asking for help. For years, law enforcement officials have asked for passage of a federal law that would require such platforms to have a “back door” that law enforcement can access if they have “a legitimate investigative need and a court order” to gain entry.

Then he blamed social media platforms for his own inability to police his police, calling them out as the real lawbreakers here:

“Congress’s failure to act has enabled industry giants to flaunt the law and operate with impunity,” Acevedo wrote in response.

First off, if the bad cops are shifting to "dark web" platforms in response to their own opsec failures during the January 6th riot, mandating backdoors that affect "industry giants" isn't going to make it any easier to track down cops who've moved on to "darker" web services.

Second, law enforcement agencies' continuous failure to hold officers accountable or to perform rigorous background checks should not be used as leverage to make services and devices less secure for millions of Americans. Citizens have already had to watch their tax dollars pay the salaries of brutal thugs whose loyalty to each other often supersedes their sworn duties as public servants. They don't need to be punished further just so it's a little easier for cops to perform the occasional internal investigation.

Finally, the encryption offered by device makers and communications platforms also protects cops -- not just from accountability, as Acevedo implies here -- but from malicious hackers and criminals who would love access to cops' devices, communications, and sensitive files. A backdoor for bad cops is a backdoor for good cops -- and a backdoor that strips a layer of security away from everyone who uses these devices and services.

The ugliness that permeates law enforcement needs to be rooted out. But the security of millions of Americans shouldn't be weakened just because those policing the police haven't done much of this policing for decades. They've had open access to evidence for years and rarely used it. Now that their sins are too big to ignore until the next news cycle hits shouldn't be the impetus for backdoor mandates.

Filed Under: art acevedo, backdoors, encryption, going dark, insurrection, washington dc

'Going Dark' Is Bullshit, Says Yet Another Report Detailing All The Ways Law Enforcement Can Obtain Evidence

from the in-the-land-of-the-deliberately-blind,-the-no-eyed-agitator-is-king dept

"Going dark" is a "problem" that appears to be localized almost entirely at the federal level. While numerous options have presented themselves over the years, the FBI, DOJ, and the president's law enforcement commission continue to claim encryption poses insurmountable problems to law enforcement. With the exception of one Manhattan prosecutor, no one else seems to believe encryption is much of a problem.

Encryption may be limiting access to the contents of a few devices and a handful of IMs, but it's really not stopping investigators from securing evidence or prosecutors from securing convictions. Time after time after time after time it's been pointed out a wealth of options are available to law enforcement. And every new iteration of "smart" things just gives them more. Encrypted phones may eliminate the most direct route to evidence, but the number of workarounds is nearly infinite.

People are tracking their movements and actions with more accuracy than ever. Smart meters track utility use with an intense amount of detail. Citizens are installing cameras in their homes and granting access to devices that record their conversations and log their interactions with any number of services. The only way the FBI, DOJ, et al can say anything is "dark" is if they're walking around with their eyes closed. And that appears to be the case.

Yet another lengthy report on the "golden age of surveillance" has been released, highlighting the surveillance side doors available to law enforcement if the "front door" appears to be locked. "We can't get any evidence!" claim consecutive FBI directors, pointing to the agency's uncounted pile of locked devices.

Meanwhile:

In New Hampshire, for instance, a man was accused of shooting his brother in the arm in a dispute in a driveway. Footage of the altercation was captured by several Ring cameras owned by neighbors, who provided their footage to police. A judge allowed audio of the incident to come in, ruling that the defendant should have expected the driveway communications between himself and his brother to be publicly exposed.

Connected devices have also been used to contradict an account of events. A Pennsylvania woman who alleged she was raped was later charged with making false statements and tampering with evidence after Fitbit data she voluntarily provided to police suggested she had been moving around her home during the time she claimed to be asleep.

In other instances, police have obtained warrants to access data from connected devices. In Arkansas, unusual water usage tracked by a smart meter was used to substantiate claims that a defendant attempted to clean up a murder scene. Prosecutors also sought to obtain a warrant for recordings of the defendant’s Amazon Echo, but the man eventually voluntarily disclosed the recordings.

And in the case of a Connecticut man currently facing trial for the murder of his wife, police have obtained warrants for the victim’s Fitbit and several other connected devices throughout the house that revealed movements and other information contradicting his account of events.

That's just a small part of the Brennan Center's report, which covers nearly every evidentiary avenue law enforcement has access to, as well as the concerns raised by always-on surveillance… even if citizens are willingly participating in their own surveillance. There's a lot of Fourth Amendment questions yet to be answered, but a lot of the answers will come down to whether or not courts view willingly sharing data with companies the same as willingly sharing it with the government.

Any law enforcement official complaining about encryption is being disingenuous. The lack of direct access to things sought by warrants isn't the same as working blindly in the dark. Cops have tons of options they've never had before -- options that replace jackboots on the ground, mind-numbingly long stakeouts, and hanging out in a nondescript van hoping to overhear something incriminating. The investigative cost -- at least in terms of personnel and man hours -- has steadily been decreasing. Reams of data are often only a subpoena away. And for a few thousand dollars, private contractors are on tap to turn data firehoses into useful streams of information.

How many attack vectors are there for evidence? An insane amount. Onboard vehicle communication systems like OnStar have eavesdropped on conversations for years. The addition of Bluetooth connections to in-car entertainment systems has provided another point of access for data that may otherwise be locked inside an encrypted phone. Built-in navigation systems track drivers and their favorite destinations.

Smart gadgets in homes record conversations, track movements, and give investigators clues as to whether anyone was in a home at certain points in time. Fitbits and similar devices track people's movements in areas where cars can't go. They also provide handy biometric info that has never been available to investigators prior to this point in time.

And that only covers the surveillance citizens aim at themselves. Law enforcement has plenty of always-on options of its own that provide it streams of useful data and evidence investigators need no warrants to access. Agencies have augmented their aerial surveillance with powerful cameras capable of tracking movements across entire cities. Low-cost drones provide more aerial surveillance without the expense of keeping manned aircraft aloft. Millions of license plate records are gathered every day by thousands of plate readers. Interlinked databases allow law enforcement to track people's movements across the country if need be.

Then there's the more personally-invasive efforts. Cops are using cheap facial recognition tech to identify suspects and seem largely unconcerned when the software picks the wrong person out of the lineup. Entire communities are subjected to additional scrutiny thanks to flawed analytic systems that turn garbage, racist data into "predictions" about upcoming criminal activity. And this tech is being introduced to schools, turning minors with their whole lives ahead of them into minors whose future has been predetermined by an Excel spreadsheet.

This hasn't replaced anything law enforcement has already had warrantless access to, like utility records, trash pulls, pole-mounted camera footage, etc. This is in addition. To claim the only useful evidence hides in the static storage of a locked phone is bullshit. To their credit, most law enforcement agencies realize this. It's only those up top pretending this isn't the case.

Filed Under: doj, encryption, evidence, fbi, going dark, law enforcement

Brexit Deal Copied And Pasted Recommendations For Netscape, Outdated Encryption

from the I'm-sure-this-will-all-go-great dept

You'd think a massive and controversial deal to sever the UK from the European Union, impacting the lives of millions of people over the better part of the next generation, would contain a certain amount of... precision.

Not so much.

After a long, contentious debate and some last minute haggling over fish, the final agreement governing the United Kingdom and European Union’s trade relations for decades was finalized last week. But when security researchers dug through the wording of the final agreement (which you can peruse here (pdf)), they found a bunch of indications of laziness.

Including, apparently, recommendations to protect yourself from cyberattacks by using a web browser (Netscape) that stopped being updated somewhere around 1997 or so:

As the BBC notes, the language appears to have been copied and pasted from a 2008 law, and the recommendations were already outdated then. While it's reflective of the rushed and sloppy nature of the effort, the Netscape recommendation isn't that big of a deal, given it's simply cited as an example of a "modern e-mail software package” and will likely be ignored. More troubling however is the document's recommendation of using 1024-bit RSA encryption and the SHA-1 hashing algorithm, both outdated and vulnerable to cyber-attacks:

" the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document."

While you'd hope the recommendations won't be taken seriously, it still suggests a certain amount of... half-assedness that doesn't bode particularly well for the broader agreement, the finer details of which will impact the lives of real human beings for decades.

Filed Under: brexit, copy paste, encryption, eu, trade deals, uk
Companies: netscape

Still Not 'Going Dark:' Device Encryption Still Contains Plenty Of Exploitable Flaws

from the good-news-and-bad-news-(which-some-might-consider-good-news) dept

Law enforcement -- especially at the federal level -- has spent a great deal of time complaining about an oddity known only to the FBI and DOJ as "warrant-proof" encryption. Device users and customers just call this "encryption" and realize this protects them against criminals and malicious hackers. The federal government, however, sees device encryption as a Big Tech slap in the face. And so they complain. Endlessly. And disingenuously.

First off, law enforcement has access to a wide variety of tech solutions. It also has access to plenty of communications and other data stored in the cloud or by third parties that encryption can't protect. And it has the users themselves, who can often be persuaded to allow officers to search their devices without a warrant.

Then there's the protection being handed out to phone users. It's got its own problems, as Matthew Green points out:

Authorities don't need to break phone encryption in most cases, because modern phone encryption sort of sucks.

More specifically, even the gold standard (Apple's) for encryption still leaves some stuff unencrypted. Once unlocked after a period of rest (say, first thing in the morning), the phone is placed into an "AFU" (after first unlock) state where crypto keys are stored in the phone. These stay in memory until erased. Most common use of phones won't erase them. And they're only erased one at a time, leaving several sets resident in memory where cops (and criminals!) using phone-cracking tech can still access them.

A report [PDF] put together by Matthew Green, Maximilian Zinkus, and Tushar Jois highlights the exploitable flaws of device encryption efforts by Apple, Google, and other device manufacturers. And there's not a lot of darkness going on, despite law enforcement's protestations.

This reaction is best exemplified by the FBI’s “Going Dark” initiative, which seeks to increase law enforcement’s access to encrypted data via legislative and policy initiatives. These concerns have also motivated law enforcement agencies, in collaboration with industry partners, to invest in developing and acquiring technical means for bypassing smartphone security features. This dynamic broke into the public consciousness during the 2016 “Apple v. FBI” controversy, in which Apple contested an FBI demand to bypass technical security measures. However, a vigorous debate over these issues continues to this day. Since 2015 and in the US alone, hundreds of thousands of forensic searches of mobile devices have been executed by over 2,000 law enforcement agencies, in all 50 states and the District of Columbia, which have purchased tools implementing such bypass measures.

The research here shows there's no need for legislative mandates or court orders to access most of the contents of suspects' iPhones. There's plenty to be had just by exploiting the shortcomings of Apple's built-in encryption.

[W]e observed that a surprising amount of sensitive data maintained by built-in applications is protected using a weak “available after first unlock” (AFU) protection class, which does not evict decryption keys from memory when the phone is locked. The impact is that the vast majority of sensitive user data from Apple’s built-in applications can be accessed from a phone that is captured and logically exploited while it is in a powered-on (but locked) state.

This isn't theoretical. This has actually happened.

[W]e found circumstantial evidence in both the DHS procedures and investigative documents that law enforcement now routinely exploits the availability of decryption keys to capture large amounts of sensitive data from locked phones. Documents acquired by Upturn, a privacy advocate organization, support these conclusions, documenting law enforcement records of passcode recovery against both powered-off and simply locked iPhones of all generations.

Utilizing Apple's iCloud storage greatly increases the risk that a device's contents can be accessed. Using iCloud to sync messages results in the decryption key being uploaded to Apple's servers, which means law enforcement, Apple, and malicious hackers all have potential access. Device-specific file encryption keys also make their way to Apple via other iCloud services.

Over on the Android side, it's a bigger mess. Multiple providers and manufacturers all use their own update services. Devices are phased out for ongoing protection by both, resulting in user confusion as to which devices still offer software updates and the latest in encryption tech. Cheaper devices sometimes bypass these niceties entirely, leaving low-cost options the most vulnerable to exploitation. And, while the DOJ and FBI may spend the most time complaining about Apple, it only commands about 15% of the smartphone market. This means most devices law enforcement seizes aren't secured by the supposedly "impenetrable" encryption provided by Apple.

Google's cloud services offer almost no protection for Android users. App creators must opt in to certain security measures. In most cases, data backed up to Google's cloud services is only protected by encryption keys Google holds, rather than the user uploading the data. Not only is encryption not much of a barrier, but neither is the legal system. A great deal of third party data -- like the comprehensive data sets maintained by Google -- can be accessed with only a subpoena.

The rest of the report digs deep into the strengths and limitations of encryption offered to phone users. But the conclusion remains unaltered: law enforcement does have multiple ways to access the contents of encrypted devices. And some of these solutions scale pretty easily. While it's not cheap, it's definitely affordable. While there will always be those who "got away," law enforcement isn't being hindered much by encryption that provides security to all phone users, whether or not they're suspected of criminal activity.

Filed Under: encryption, going dark, law enforcement, vulnerabilities

No Surprises Here: Presidential Commission On Law Enforcement Repeats Calls For Anti-Encryption Legislation

from the another-pile-of-garbage-ideas dept

[Note: this is one of multiple posts covering the Commission's 332-page report.]

The Presidential Commission on Law Enforcement -- ushered into existence by a 2019 Executive Order -- has released its report [PDF], just in time for the man who ordered it to move out of the White House. President Trump spent his four years defending and praising law enforcement, no matter how often law enforcement's actions provoked criticism elsewhere. This report does the same thing, even as it pretends to offer an objective opinion on the challenges facing the law enforcement community.

The Commission is composed solely of law enforcement officials and officers, which makes its findings one-sided and, of course, suspect. The report calls for an end to the "disrespect" shown to law enforcement. But it does little to address the roots of this perceived disrespect. At best, the report suggests the public is just "misinformed" about law enforcement's role in society and posits it's "progressive prosecutors" and opportunistic legislators causing most of the reputational damage, rather than the things cops do when their leash is long enough.

The report also has nothing good to say about device encryption. Using lingo provided to it by consecutive FBI directors and former AG Bill Barr, the report claims something called "warrant-proof encryption" (a.k.a., regular encryption) should have backdoors legislated into it.

The lack of lawful access to encrypted information controlled by technology companies is presently one of the greatest obstacles to law enforcement in its efforts to combat crime. The rule of law cannot exist in a space—digital or otherwise—that deliberately insulates criminals from law enforcement investigation. The substantial danger to individual victims and general safety posed by warrant-proof encryption demands a prompt and decisive policy action. Because the prominent technology companies have increasingly elected to implement data systems that prevent law enforcement access, the Commission has concluded that a legislative solution may be necessary to optimally balance the interests of personal privacy and public safety.

Ah, but the rule of law can exist in such a space. It's doing it right now. The FBI may have claimed it had nearly 8,000 devices "insulated" from "investigation" in its possession, but after being questioned by Congress about its struggles with encryption, it revealed it couldn't accurately count physical items. We're still waiting for an updated number -- one promised to us nearly three years ago.

At least the Commission recognizes law enforcement has never had more tech options at its disposal. But it suggests law enforcement make use of some of its most questionable options more frequently.

New methods of electronic surveillance and digital investigation hold considerable promise, and the Commission recommends that law enforcement take a proactive approach to developing and innovating technologies to combat crime instead of reactively catching up to the technological innovations of the day. Accordingly, the Commission encourages law enforcement to specifically consider—with appropriate contemplation of competing policy interests— developing and adapting crime reduction technologies, such as unmanned aerial systems (quadcopters), acoustic gunshot detection technologies, real time crime centers, and facial recognition software, to add to their crime-fighting arsenal.

Shot spotters. Predictive policing. Facial recognition. This is a list of things that don't work well and, in the latter two cases, are made worse by the inclusion of biases the tech is supposed to be removing.

Heading back to encryption, the report contains testimonial statements from an agency that shouldn't be allowed to bitch about encryption until it can be honest about how many encrypted devices are in its possession. Here's another call for legislated backdoors by Darrin Jones, the FBI's Assistant Director for Science and Technology:

“The impact and magnitude of the lawful access crisis in the United States has grown to a point where the public safety trade-off to the citizens of this country can and should no longer be made privately and independently in the corporate boardrooms of tech companies. It must, instead, be returned to the halls of the people’s democratically elected and publicly accountable representatives.”

But we don't know the "impact" or the "magnitude." The FBI says both are enormous. But the FBI has also overstated the number of locked devices in its possession -- something it routinely leveraged to push claims of a looming criminal apocalypse that has completely failed to materialize. Until it can provide an accurate count, it really shouldn't opine about the "impact" of device encryption. And its testimony shouldn't be the basis for legislation seeking to weaken encryption.

The report goes on to complain about Facebook adding encryption to its Messenger service and Zoom (sort of...) doing the same for its users. Then it claims this is pretty much the first time law enforcement hasn't been able to obtain evidence when it has a warrant.

Companies that have chosen to adopt end-to-end user encryption have effectively upended more than 200 years of jurisprudence by placing evidence beyond the reach of a court-ordered search warrant.

Right. Because no one's destroyed or hidden evidence prior to this point in history. No one held conversations in person to assure no record remained of criminal conspiracies. Just because phones now contain a wealth of potential evidence does not mean the tables have been turned because something more than a physical door separates cops from the stuff they want to take. Any number of third parties store communications and other data in unencrypted form. And no one in law enforcement feels like honestly discussing the phone-cracking tools that are available or how often suspects consent to searches.

The Commission asks for backdoors:

Congress should require providers of communications services and electronic data storage manufacturers to implement strong, managed encryption for stored data and data in motion while ensuring lawful access to evidence pursuant to court orders.

Then it claims it doesn't want backdoors:

The Commission considered but rejected the idea that lawful access equates to back-door access. Almost all mobile device manufacturers, operating system vendors, and app providers maintain their own “upgrade” back doors, which enables providers to routinely change functions and settings of a device or service. Law enforcement does not seek such direct access, nor does it wish to hold any encryption “keys.” Instead, law enforcement seeks to have tech companies develop and manage for themselves the capability to respond to a lawful court order. Having tech companies themselves remain in control of this process is actually privacy enhancing, ensuring law enforcement is afforded only specific, limited access to data as defined in each case by a specific warrant.

The government won't be honest about the challenges encryption actually poses -- beginning with its refusal to tell Americans how many devices it can't crack open. And it's not honest about its desires. A door is a door -- a hole in encryption that doesn't exist until it's mandated. Refusing to call it a "backdoor" doesn't change what it is.

Then there's this, which implies legislators should look into stripping tech companies of protections they currently enjoy… solely to make it easier for law enforcement to access device contents.

Civil liability immunity statutes that were adopted during the infancy of many tech companies may unintentionally encourage such companies to pursue and market user-only access and end-to-end encryption models. Absent any risk of financial liability, the routine cost–benefit analysis— which most companies use to determine whether to dedicate resources to harm-mitigation strategies—may not influence some of these technology companies into a willingness to facilitate lawful access.

According to the Commission, the only way out of this mess is to strip companies of this liability shield... unless they agree to undermine the protections they give to their customers.

As long as tech companies are immune from liability, the Commission assumes that these companies perceive any development or maintenance of lawful access capabilities to be a drain on profits, which allows the tech companies to hide their financial motivations under the guise of a desire to enhance users’ privacy. Ultimately, this behavior enables plausible corporate ignorance and allows criminals to use these systems for illegal purposes. If corporations are to continue to benefit from civil immunity, Congress should mandate that these companies develop and maintain a lawful access solution capable of producing clear text data in response to court-ordered search warrants.

The Commission also says legislators should implement regulations that allow it to wiretap real-time communications that are currently encrypted. Somehow this proposal starts with stored communications and ends with ordained MITM attacks.

The Stored Communications Act of 1986 requires data to be stored for up to 180 days upon request by the government. Providers must also disclose private information in emergency cases where individuals or groups may be in danger. In addition, a “court order is required for access to digital information. An administrative subpoena may be issued to gain access to specific data such as usernames, addresses, telephone numbers, and call transcripts.”

Recently, the FBI investigated a gang task force case where it was revealed that the primary suspect of a homicide case used FaceTime to orchestrate the crime. Because Apple uses end-to-end encryption, it allows criminals to coordinate their crimes through this avenue. If law enforcement is given lawful access, they can then intercept the plans of criminals and gain evidence to prosecute those who break the law.

The government appears to hate tech companies. Combined with the recent attacks on Section 230, Trump and his law enforcement buddies are apparently still entertaining any option that might let them score a win over Big Tech and its supposed anti-conservative/anti-law enforcement bias.

These are dangerous suggestions. Fortunately, they're being offered up by a lame duck Commission that will presumably expire along with a lot of other Trump mandates following his exit from office. Bill Barr has already resigned. Whoever replaces him presumably can't be as terrible as he was.

Law enforcement faces a lot of challenges. But it also has access to more tools, data, and information than it's ever had before. Undermining user security in exchange for law enforcement convenience isn't the way forward. It's a step backwards -- one that places the government's wants over the needs of the people it's supposed to be serving.

Filed Under: doj, encryption, executive order, fbi, going dark, law enforcement, presidential commission on law enforcement

Embarrassing: New Antitrust Suit Against Google Confuses WhatsApp Encrypted Backup Option With Giving Google A Backdoor

from the guys,-guys,-guys dept

Look, I get the fact that people are concerned about big technology companies. I'm very concerned about big technology companies too, and think it's important that we figure out ways to build more competition, and to get away from reliance on many of these companies. But the way in which so many assume that antitrust is the only way to get there is problematic. And it's even more problematic when the antitrust lawsuits they file seem to be mostly based on misunderstanding or misrepresenting certain things with totally innocuous explanations. That keeps happening.

The DOJ's antitrust lawsuit against Google is embarrassingly weak, and seems to confuse who has market power (e.g., claiming that Google paying billions to Apple is some sort of proof of its own dominance). The FTC and nearly all states' antitrust suits against Facebook are fundamentally stronger than the DOJ's case against Google, but still, astoundingly weak in terms of actual evidence of antitrust violations.

This week, there are two new entrants. One lawsuit was just announced today, and we'll explore that one later, but yesterday, Texas Attorney General Ken Paxton, who was one of the earliest Attorney Generals who spoke out in favor of going after Google, has now done so, with a an interesting antitrust lawsuit against the company, done with the support of 9 other states, all with Republican Attorneys General. Notably, some of the states (though not all) also signed onto the DOJ's antitrust lawsuit.

This lawsuit takes a different approach from the DOJ's lawsuit, which focused on the market for general search services and search advertising. This one focuses on general display advertising. And maybe there's an argument that Google is doing something bad in how it handles the display advertising market. Indeed, some of the complaint (though heavily redacted), suggests some potentially sketchy behavior on the part of Google, to block competition in the ads space. If that's proven, that would be bad, and it would be good if the lawsuit forced Google to change those practices and enable more competition.

There's also a heavily redacted section, that hints strongly that Google and Facebook worked out some sort of agreement to keep Facebook from competing as directly with (and undercutting the pricing of) Google's display ads business. And that does sound like a potentially huge deal -- one that very well might truly be anticompetitive. But the details and what's redacted are important.

It would be great if the lawsuit focused on things like those two points. But it also includes other things that seem to suggest a near total and fundamental misunderstanding of how technology works, which does not provide much confidence that the Attorneys General know what they're talking about in the other parts. Notably, there's this scary bit that started making the rounds on Twitter, with people asking what the fuck was going on:

Google also has violated users’ privacy in other egregious ways when doing so is convenient for Google. For instance, shortly after Facebook acquired WhatsApp, in 2015, Facebook signed an exclusive agreement with Google, granting Google access to millions of Americans’ end-to-end encrypted WhatsApp messages, photos, videos, and audio files.

That raised many eyebrows, because, if true, that's huge news. Most of the details here are redacted as well, but the complaint calls this a "fundamental breach of privacy." But, this seems like a giant misunderstanding by the lawyers who wrote the lawsuit. What they appear to be referencing is a deal from 2015 in which Google allowed WhatsApp users to easily back up their encrypted data to Google Drive. That's a useful feature, and not at all nefarious. The content is still encrypted, so Google doesn't get access to anything more than the encrypted blob. Google even has this integration as a Google Cloud case study.

That's not exactly the behavior of a company that has a nefarious deal to snoop on everyone's WhatsApp messages. Notably, that integration is a totally voluntary opt-in feature that is really useful. It lets you restore your WhatsApp if you're switching phones, or just make sure you don't lose all your messages if you lose or break your phone. It's a good thing -- not some evil attack on privacy, as the lawsuit suggests.

There is some more redacted content around this, suggesting that Facebook shared some kind of information with Google that it shouldn't have, but the non-redacted parts seem to misunderstand the technology, which seems problematic. It also seems emblematic of lawyers looking to twist anything against the company, rather than looking for actual violations.

As for the rest, much of it seems to misunderstand the ad market. In particular there's a long discussion on header bidding, and how Google did not like header bidding and wanted to kill it:

Finally, Google wanted to eliminate header bidding to foreclose any competition with its publisher ad server monopoly. The companies involved with header bidding would have a foothold on a key function of Google’s ad server: routing a publishers’ inventory to exchanges. With that, a major header bidding player like Amazon or Facebook was well-positioned to eventually compete directly with Google’s monopoly ad server. Without control over publishers’ inventory, Google would lose the ability to block exchange competition and tilt trading to Google.

I'm a publisher. And, every freaking day, we get approached by some new online ad firm that wants us to sign up to use their ads because of their use of header bidding. There must be hundreds of ad providers now offering header bidding. Honestly, as a publisher, at this point, it's almost impossible to put ads on your site that don't make use of header bidding.

If the all powerful Google set out to quash header bidding, holy crumb, did it fail.

There are elements (again, too much redacted) in the complaint that do seem concerning. And if the end result of this lawsuit is to force Google to play more fair with display ads, that would be a good thing. So I'd be happy if that were the result here. But I'm concerned by what appears to be a clumsy misunderstanding of the technology, and the status of the advertising market today.

Filed Under: antitrust, cloud backup, competition, display ads, encryption, ken paxton, messages, privacy
Companies: facebook, google, whatsapp

Schools Are Using Phone-Cracking Tech To Access The Contents Of Students' Devices

from the brave-new-hellscape dept

To the detriment of our nation's future, the future of our nation is increasingly being subjected to law enforcement's presents (and presence). On the plus side, it will help students grow up with a healthy distrust of their government.

We've put cops in schools so kids can be subjected to the same brutality adults receive. Disciplinary problems long-handled by schools and parents are now handled with handcuffs and criminal charges. The same questionable science that leads cops to believe future criminal acts can be predicted by algorithms and checklists is being wielded against children, turning their bad grades and spotty attendance records into criminal predicates.

Now, there's this: the use of high-tech hacking tools to forensically scrape kids' phones for evidence of alleged criminal acts.

In May 2016, a student enrolled in a high-school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

While this may have resulted in something that actually prevented further harm to a student, the fact that schools possess tools capable of bypassing device encryption is… well, horrifying. We're talking about minors here, not dangerous criminals. This case is not a great argument for the acquisition and use of phone-cracking tools by educators. There were many ways to approach this problem, but this one was the easiest. And it shows those selling phone-cracking tech don't really care who buys it or what they use it for.

Cracking a phone to scrape it for evidence gives investigators easy access to communications and other private info even a consenting minor wouldn't agree to share with others. But the tools can't make that distinction. And investigators assume consent for a search means looking at everything the tools give them access to.

The Cellebrite used in this case was owned by the local sheriff's office. That it decided it was appropriate to use on a minor's phone is disturbing, to say the least. It seems the same thing could have been accomplished by the minor providing them with access to the messages, which could have been documented and downloaded without engaging in a forensic search of the phone.

This isn't some sort of anomaly. As Gizmodo reports, multiple school districts are buying phone-cracking tech to access the content of students' devices.

In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” In May, Cypress-Fairbanks ISD near Houston, Texas, paid Oxygen Forensics Inc., another mobile device forensics firm, $2,899. Not far away, majority-white Conroe ISD wrote a check to Susteen Inc., the manufacturer of the similar Secure View system, for $995 in September 2016.

According to Gizmodo, only eight districts in the US acknowledge publicly (via their websites) that they own device-cracking tech. The actual number is definitely much higher. This total doesn't include law enforcement agencies that own or have access to the tech, and whose "school resource officers" might decide is necessary to investigate students or their accusations against school employees.

Deploying this tech to search students' phones isn't just irresponsible, it's dangerous. Cops and prosecutors have rarely been reluctant to turn consensual sharing of intimate images into the "production" of "child pornography." Dig deep enough into someone's phone and you'll find something incriminating. And that's if the cops are simply looking for evidence. Some cops like to look at stuff just because they have the access and the power to demand compliance. Access to this tech guarantees abuse. But in these cases, the victim will be a minor -- people who are assumed to be more vulnerable and whose lives can be ruined before they can even be started.

Filed Under: education, encryption, law enforcement, phone cracking, schools, surveillance
Companies: cellebrite, susteen

New Report Shows Cellphone Encryption Isn't Really Stopping Cops From Searching Phones

from the complaining-that-99%-access-isn't-100%-access dept

We're still hearing quite a bit about law enforcement's supposedly endless string of losses to criminals and their device encryption. Citing facts not in evidence, consecutive FBI directors -- along with outgoing Attorney General Bill Barr -- have claimed the implementation of encryption has pretty much made it impossible to successfully prosecute criminals.

We know this isn't true for several reasons. But let's begin with the FBI, which has relied on overstated numbers to press the "going dark" theory for a few dozen months at this point. After admitting it couldn't do math -- even when aided by a spreadsheet -- the FBI has refused to update its overblown number of locked devices in its possession. The FBI has not corrected its math for 931 days at this point.

Criminal prosecutions haven't slowed down either. When almost every prosecution ends in a plea deal, it's pretty rich for prosecutors and law enforcement to complain they're being beaten by criminals. And a bunch of federal agencies pad their own numbers, engaging in borderline entrapment to ensure a steady stream of prosecutorial wins.

A new report shows just how little of an effect device encryption has had on law enforcement efforts. Some of the report's highlights are touched on by Lawfare's Susan Landau. We've heard the complaints encryption is keeping law enforcement out of seized cellphones. The reality is much more worrying. Not only is encryption not much of a barrier, but law enforcement tech allows investigators to access pretty much everything before trimming it down to what's been asked for in warrant affidavits.

These forensic tools are quite sophisticated. FBI Director Christopher Wray once complained that “warrant-proof encryption,” like that used on iPhones, prevents law enforcement access to crucial evidence. But Upturn found that the forensic tools copy all the data found on a cellphone. The tools then sort the data so that law enforcement can easily search through it. And MDFTs include some features that make law enforcement’s job even easier. For example, Cellebrite, perhaps the most sophisticated MDFT, can compare a facial image, such as from a police database, to any of the faces in photos stored on the phone. Others MDFTs classify text conversations by topic, such as drugs, money or family.

The MDFTs work on a variety of sophisticated phones. Cellebrite says it can extract data from “all iPhone devices from iPhone 4S to the latest iPhone 11 / 11 Pro / Max running the latest iOS versions up to the latest 13.4.1.” The company claims to be able to handle even locked iPhones and Android devices.

"Going dark" is nothing more than rhetoric. The reality is encryption isn't much of a roadblock. The report by DC think tank Upturn shows there's little standing in the way of law enforcement forensic extractions, no matter how much federal officials claim otherwise. The business of cracking/scraping phones is largely automated -- plug-and-play invasive searches that pretty much ignore efforts owners might make to secure their devices against government intrusion.

Mobile device forensic tools (MDFTs) are so powerful, Upturn recommends the ban on consensual searches of cellphones, given what investigators can access when they're deployed. This makes some sense, given the specious reasons given for some cellphone searches. But that's going to be a really difficult thing to sell to legislators when one of the most recognized exceptions to the Fourth Amendment is the voluntary waiver. (Counterpoint: the definition of "voluntary" could use more examination by courts, which have decided the third-party doctrine applies even when voluntary consent isn't obvious, but still side with law enforcement agencies who have coerced confessions and "consent.")

People may think these powerful tools will only be aimed at the worst criminals -- drug kingpins, child molesters, financial services firms, etc. But they're not. They're used for everything because they're cheap, easy, and convenient.

Law enforcement use these tools to investigate not only cases involving major harm, but also for graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses.

Anti-encryption enthusiasts like FBI directors Chris Wray and James Comey have somewhat acknowledged some powerful tools render device encryption moot. But even while (sort of) admitting their "going dark" claims were overblown, proponents of encryption backdoors claim success rates are too low, tools are too expensive, and solutions provided by government contractors won't scale. Upturn's report says otherwise.

Our records show that at least 2,000 agencies have purchased a range of products and services offered by mobile device forensic tool vendors. Law enforcement agencies in all 50 states and the District of Columbia have these tools. Each of the largest 50 police departments have purchased or have easy access to mobile device forensic tools. Dozens of district attorneys’ and sheriff’s offices have also purchased them. Many have done so through a variety of federal grant programs. Even if a department hasn’t purchased the technology itself, most, if not all, have easy access thanks to partnerships, kiosk programs, and sharing agreements with larger law enforcement agencies, including the FBI.

So, there's plenty of access. Funding isn't a problem. Vendors have solutions that scale because there's plenty of access and plenty of funding. But the complaints continue. And the complaints continue despite how much is being extracted with each deployment.

MDFTs pull every photo on the device, extracting metadata that shows when and where photos were taken. It pulls data from every app that generates it, including location data, which allows law enforcement to track movement without a warrant. The extraction tools can also pull deleted data, allowing investigators to perform digital trash pulls for additional evidence.

Then there's the third parties themselves. While the FBI and others complain about a lack of access, any data/communications stored by cloud services can be recovered without having to deal with device encryption.

The wealth of data available to law enforcement allows them to engage in fishing expeditions for evidence of other crimes. The only thing stopping them is the courts, so it's worth their while to dig through everything, considering the worst case scenario is a dismissed case, rather than fines, fees, sanctions, or anything else that might hurt them more directly.

A city or state might ban facial recognition searches, but cops can still do this without violating the specifics of the ban, thanks to built-in tools.

Cellebrite offers a “search by face” function, whereby law enforcement can compare an image of a face to all other images of faces found on the phone.

They can also look for anything else conceivably incriminating (or titillating) without having to screw with their tools' default settings.

Cellebrite also allows law enforcement to define new image categories by feeding its software a small set of example images to search for (for example, searching for hotel rooms by giving the software a set of five images of hotel rooms that were taken from Google images). As another example, Magnet Forensics’ AXIOM can employ text classification models in attempts to detect “sexual conversations,” or to filter conversations by topics ranging from family, drugs, money, and police.

Even if encryption is the default option, a variety of software and hardware exploits renders this useless in most cases. Patches from developers and manufacturers make this somewhat of an arms race, but this race remains a tie, at worst. Law enforcement isn't losing. And if it's losing access, it's only temporary.

There's another "war" at play here -- one that's rarely referenced by law enforcement officials. Every vendor wants more customers, so they're always improving their tech. The healthy competition makes tools more powerful while dropping their price, ensuring equal access for law enforcement agencies across the nation. The public records obtained by Upturn show there's not a single state in the Union that doesn't have access to forensic tools capable of cracking or bypassing encryption. Funding isn't an issue, given the federal government's interest in making encryption a non-issue.

That means there's thousands of extractions a year -- something that undercuts the FBI's "warrant-proof encryption" narrative at least as much as its inability to count physical items accurately.

The records of use we’ve assembled from 44 law enforcement agencies represent at least 50,000 extractions of cellphones between 2015 and 2019.

There is no going dark. If legislators want to believe there is, they're going to have to do so by ignoring all the evidence to the contrary. What law enforcement wants is convenience -- the ability to crack open phones without having to hook them up to a machine or beat the submission out of an arrestee. The options are there and agencies are obviously using them. Every argument that says encryption is locking law enforcement out is not just disingenuous -- it's dishonest.

Filed Under: access, doj, encryption, fbi, going dark, law enforcement, prosecutors