DOJ Asks DC Court To Compel Decryption Of Device Seized In A Capitol Raid Case

from the be-careful-what-you-ask-for dept

The DOJ is testing some waters it may not want to be troubling, not with hundreds of prosecutions stemming from the January 6 Capitol raid on the docket. It has asked the DC court to compel a defendant to decrypt his laptop so the FBI can search it for evidence. (h/t Marcy Wheeler)

The government is seeking an All Writs Act order [PDF] forcing the alleged device owner to unlock the device using either his face or his passcode.

The government respectfully moves for an order compelling the defendant to produce a critical piece of evidence – his Microsoft Surface Pro laptop computer – in an unencrypted state. The government proposes a two-step process: First, the defendant should be ordered to place his face in front of the computer’s camera, so that the computer can be biometrically unlocked. Second, if the biometric attempt does not unlock the computer, the defendant should be ordered to type his passcode or PIN into the computer.

Having failed to obtain consent, the government is now hoping to achieve this by force. This isn't a particularly wise idea considering how many cases it's currently juggling in this circuit. If the court decides this violates the Fifth Amendment, it may negatively affect other prosecutions involving secured devices.

The government argues there's no Fifth Amendment issue here.

The requested relief would not violate the defendant’s Fourth or Fifth Amendment rights. With respect to the Fourth Amendment, there is only minimal intrusion on the defendant’s privacy, and there is probable cause that the defendant’s face can unlock the Subject Device (and lead to the recovery of relevant evidence). With respect to the Fifth Amendment, Reffitt’s entering his password into the Subject Device does not violate his privilege against self-incrimination, because his act of production would not be testimonial, since the only potentially testimonial component implicit in his act of producing the unlocked/unencrypted device is a foregone conclusion.

This will come down to what the court feels the phrase "foregone conclusion" actually means. While the act itself (either presenting biometrics or providing a passcode) isn't necessarily testimonial, it does give the government access to evidence that might be used against the person being compelled to grant access to this information. At least one court has found that entering passwords and providing evidence are basically the same thing, since the first naturally leads to the latter. The government has no interest in the password, even though that's what it is seeking to compel. It's interested in what having that password entered will provide.

If the only foregone conclusion the government needs to have in its possession is who owns the computer, obviously compelled decryption will help establish ownership. The government appears to know whose computer it is. The Surface Pro targeted by the proposed order displays the name of the defendant (Guy Reffitt) on the screen when opened. And, despite Reffitt (initially) telling investigators otherwise, one of Reffitt's family members confirmed it belonged to the defendant.

Having that much information on hand might be enough to compel decryption if the court decides the only foregone conclusion the government needs to reach is the most likely owner of the device it's seeking to unlock. But if the foregone conclusion bar is set higher -- a likely source of criminal evidence -- things will get much more difficult for the government.

The government is basing this request on the theory that recordings captured at the Capitol by the suspect's helmet-mounted camera were moved to the laptop for storage prior to their deletion from the camera. However, the government seized multiple devices from the defendant's home, including three phones, two other laptops, and one desktop computer. Most of those have been searched already and determined they don't hold any relevant data.

The government is assuming -- based on statements by family members who viewed recordings on that device -- that's where the recordings it is seeking are now located. But it won't know this until after it performs a search. And it can't perform a search until the device is unlocked. This assumption is credible, but the files could have been uploaded to the cloud and viewed on the device, which means the files the government concludes (in a foregone way) must reside on the laptop possibly aren't actually there.

If the court decides the government doesn't have more than a hunch at this point, it may deny this order. And it may decide to lay down some Fifth Amendment ground rules that eliminate compelled production as an option. This is a roll of the Constitutional dice the government may later regret -- a rerun of its failure to compel decryption assistance in the San Bernardino case. But if it goes the other way, it will become that much easier for the government to pursue prosecutions in a district that handles an outsized portion of the DOJ's cases.

Filed Under: 4th amendment, 5th amendment, all writs act, decryption, doj, encryption, facial recognition, january 6th, unlocking

Small Australian Company Cracked The San Bernardino Shooter's IPhone For The FBI

from the well...-better-luck-next-time,-Cellebrite dept

Five years ago, the DOJ and Apple engaged in a courtroom fight over device encryption. The DOJ wanted Apple to craft a backdoor so the FBI could search a phone belonging to one of the San Bernardino shooters. It was a work phone owned by Syed Farook, who was killed during a shootout with law enforcement. That it was a work-issued phone suggested it wouldn't contain much useful evidence or information. But the government insisted it would and attempted to secure an order forcing Apple to do what the DOJ wanted.

While everything still remained unsettled, the DOJ dropped the case after finding someone who could break into the phone. This small victory against device encryption was treated as a loss by many inside the FBI, who really would rather have had court precedent mandating compelled decryption. Ultimately, the millions of dollars spent trying to achieve this -- including the $900,000-1.3 million spent on the exploit itself -- meant nothing. There was no useful evidence recovered from Farook's work phone.

Since then, there has been a lot of speculation about which phone cracking tech company provided the exploit to the FBI. It turns out to have been none of the usual suspects. Instead, as Ellen Nakashima and Reed Albergotti report for the Washington Post, it was a small Australian company that has flown under the radar until this point: Azimuth Security.

Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.

Now that it's on the radar, Azimuth appears to have memory-holed its site. Azimuth is owned by L3 Harris, a US government contractor. But before it became a subsidiary of Harris, Azimuth was selling exploits to a very select number of government agencies. That its involvement in this very public fight over device encryption hasn't been revealed until now suggests it works with a very small group of very trustworthy customers.

The exploit itself involved Apple's Lightning port and code that allowed hackers to bypass internal security features that wipe the device after ten failed password attempts.

Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.

[...]

Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device.

This is also the first we're hearing about the exploit used to crack the phone. Azimuth reached out to the FBI and demonstrated the hack for it. Once it was determined it could be run safely, the FBI paid for the assistance with the understanding Azimuth would remain in possession of the code and details of the exploit.

But Apple was only a few court motions away from discovering what the public didn't know and the DOJ has refused to divulge. In 2019, Apple sued David Wang's company, Corellium -- which sells virtual devices (including virtual iPhones) to developers and security researchers. According to Apple, the creation of virtual devices violated its copyright. Corellium's first customer, Azimuth Security, was subpoenaed. It refused to answer questions citing national security concerns.

Apple also demanded information directly from Corellium, which might have turned up information on the iPhone exploit used in the San Bernardino case.

Last April, Apple also made a document request in the lawsuit for “all documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.”

Those employees included Wang. The request would have turned up Condor [the hack used to crack Farook's iPhone].

This motion was denied and Apple's copyright case tossed out by the judge, who found it "puzzling, if not disingenuous" Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (though the anti-circumvention part of the case lives on).

Speaking of "puzzling, if not disingenuous," the FBI and DOJ continue their anti-encryption clamoring to this day, despite there being a number of options available to help investigators circumvent device encryption. In this case, Azimuth reached out to the FBI with a potential solution, showing there are plenty of smart people working for tech companies who want to help address the challenges raised by encryption. Just because Apple won't make its devices less secure for every one of its users doesn't mean the company doesn't care and doesn't want to help law enforcement. The FBI continues to insist the only solution is something that can be applied in every case. And, by doing that, the FBI shows it cares far less for the public's safety and security than the handful of tech companies it continues to portray as its enemies.

Filed Under: all writs act, doj, encryption, fbi, going dark, hacking, iphones
Companies: apple, azimuth security, corellium, harris

The FBI Is Abusing The All Writs Act To Gain Access To Millions Of Travel Records

from the not-how-the-Third-Party-Doctrine-works dept

When the Fourth Amendment limits your surveillance plans, just go private. That seems to be the standard operating procedure for law enforcement agencies.

When cops aren't willing to canvas neighborhoods to find crime suspects, they just head to Google and ask for info on everyone who happened to be in the area. When they want more data on suspects they're tracking, they don't run subpoenas by judges. They just tap into collections of data harvested from breaches and malicious hacking, all compiled and collated by private companies for easy searchability. And when the CBP decides its own ALPR database just doesn't have enough plate photos in it, it taps into Vigilant's stash of 9 billion plates even as it admits it may not have the legal authority to do so.

The FBI does the same thing. Thomas Brewster reports for Forbes that the FBI has taken an expansive view of the Third Party Doctrine to grab records from a private company that complies records related to several different businesses. The company is Sabre, a publicly-traded entity that compiles travel bookings. First formed in 1964, the company, which began as a division of American Airlines, now handles bookings for nearly every major airline, hoovering up data on a third of world's air travelers.

Sabre gained a lot of traction as an investigative tool following the 9/11 attacks in 2001. But it continues to be used as a convenient compilation of travel records, sparing the FBI (and others) from approaching several different companies with subpoenas.

Brewster has dug up some recent documents detailing Sabre's relationship with the FBI.

[A]s detailed in one international cybercrime investigation, Sabre can be compelled to proactively watch and report on a persons’ whereabouts as soon as they start travelling. In an order from December 2019, feds asked Sabre to provide the FBI with “real-time” updates on the travel activities of a hacking suspect, an Indian fugitive called Deepanshu Kher. Sabre was told to provide “complete and contemporaneous ‘real time’ account activity information of the traveler [Kher] on a weekly basis” for six months. Sabre would provide “any travel orders, transactions or reservations” for the suspect.

The order goes on to note law enforcement has already tapped Sabre's vast stores of travel data to assist in three other investigations dating back to 2016. This appears to be an abuse of a very old legal doctrine -- one that dates back much, much further than even the 2001 attacks. The All Writs Act (b. 1789) is in play here, and it appears to be allowing the FBI to skirt subpoena requirements to go to a compiler of third party records, rather than the original source of those records.

[Attorney Mark Zwillinger {who represented Apple in the San Bernardino case}] says that if it wants to leverage the All Writs Act, the government has to show a third party is necessary and close enough to the matter at hand. With Sabre, given there were other ways of getting the information on Kher’s travel, such as records of him entering the U.S. via Customs and Border Protection databases, that necessity was questionable.

There are also questions on the “reasonableness of the burden” on Sabre, another requirement for All Writs Act orders, he adds. “In one particular order, it might not be that burdensome, but once you start to get some volume here, then it really turns Sabre into a sort of … government agent every time they want to find a fugitive.”

This isn't how the Act is supposed to work. The FBI is aware of the limits of the Act and its duty to comply with Constitutional rights and applicable law. Unfortunately, the first check on abuses like this is the federal court system, and it appears to be fine with the FBI imposing a burden on a third party one step removed from the original travel records. The second check is the recipient of bogus orders like these. But Sabre doesn't appear to be willing to call the government on its bullshit, allowing the FBI to continue defining the "third party" part of Third Party Doctrine as being anyone holding records created by someone else.

Filed Under: 3rd party records, 4th amendment, all writs act, doj, fbi, privacy, travel records

Real Security Begins At Home (On Your Smartphone)

from the not-with-the-fbi dept

When the FBI sued Apple a couple of years ago to compel Apple's help in cracking an iPhone 5c belonging to alleged terrorist Syed Rizwan Farook, the lines seemed clearly drawn. On the one hand, the U.S. government was asserting its right (under an 18th-century statutory provision called the All Writs Act) to force Apple to develop and implement technologies enabling the Bureau to gather all the evidence that might possibly be relevant in the San Bernardino terrorist-attack case. On the other, a leading tech company challenged the demand that it help crack the digital-security technologies it had painstakingly developed to protect users — a particularly pressing concern given that these days we often have more personal information on our handheld devices than we used to keep in our entire homes.

What a difference a couple of years has made. The Department of Justice's Office of Inspector General (OIG) released a report in March on the FBI's internal handling of issue of whether the Bureau truly needed Apple's assistance. The report makes clear that, despite what the Bureau said in its court filings, the FBI hadn't explored every alternative, including consultation with outside technology vendors, in cracking the security of the iPhone in question. The report also seemed to suggest that some department heads in the government agency were less concerned with the information that might be on that particular device than they were with setting a general precedent in court. Their goal? To establish as a legal precedent that Apple and other vendors have a general obligation to develop and apply technologies to crack the very digital security measures they so painstakingly implemented to protect their users.

In the aftermath of that report, and in heartening display of bipartisanship, Republican and Democratic members of Congress came together last week to introduce a new bill, the Secure Data Act of 2018, aimed at limiting the ability of federal agencies to seek court orders broadly requiring Apple and other technology vendors to help breach their own security technologies. (The bill would exclude court orders based on the comparatively narrow Communications Assistance to Law Enforcement Act—a.k.a. CALEA, passed in 1994--which requires telecommunications companies to assist federal agencies in implementing targeted wiretaps.)

This isn't the first time members of Congress in both parties have tried to limit the federal government's ability to demand that tech vendors build "backdoors" into their products. Bills similar to this year's Secure Data Act have been introduced a couple of times before in recent years. What makes this year's bill different, though, is the less-than-flattering light cast by the OIG report. (The bill's sponsors have expressly said as much.) At the very least the report makes clear that the FBI's own bureaucratic handling of the research into whether technical solutions were available to hack the locked iPhone led to both confusion as to what was possible and to delays in resolving that confusion.

But worse than that is the report's suggestion that some technologically challenged FBI department heads didn't even know how to frame (or parse) the questions about whether the agency possessed, or had access to, technical solutions to crack the iPhone's problem. And even worse is the report's account that at least some Bureau leaders may not even have wanted to discover such a technical was already available—because that discovery could undermine litigation they hoped would establish Apple's (and other vendors') general obligation to hack their own digital security if a court orders them to. As the report puts it:

After the outside vendor successfully demonstrated its technique to the FBI in late March, [Executive Assistant Director Amy] Hess learned of an alleged disagreement between the CEAU [Cryptographic and Electronic Analysis Unit] and ROU [Remote Operations Unit] Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the "poster child" case for the Going Dark challenge.

There's a lot to unpack here, and one key question is whether "capabilities available to national security programs" — that is, technologies used for FBI's counterintelligence programs — can and should be used in pursing criminal investigations and prosecutions. (If such technologies are used in criminal cases, the technologies may have to be revealed as part of court proceedings, which would bother the counterintelligence personnel in the FBI who don't want to publicize the tools they use.) But the case against Apple Inc. was based on a blanket assertion by FBI that neither its technical divisions nor the vendors the agency works with had access to any technical measures to break into Farook's company-issued iPhone. (Farook had destroyed his personal iPhones, and the FBI's eventually successful unlocking of his employer-issued phone apparently produced no evidence relating to the terrorist plot.)

Was the problem just bureaucratic miscommunication? The OIG report concludes that this was the fundamental source of internal misunderstandings about whether FBI did have access to technical solutions that didn't require drafting Apple into compelled cooperation to crack their own security. (The report recommends some structural reforms to address this.) And certainly there's evidence in the report that miscommunication plus the occasional lack of technical understanding did create problems within the Bureau.

But the OIG report also suggests that some individuals within the Bureau actually may have preferred to be able to argue that the FBI didn't have any alternative but to seek to compel Apple's technical assistance:

The CEAU Chief told the OIG that, after the outside vendor came forward [with a technical solution], he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, "Why did you do that for?" According to the CEAU Chief, his unit did not ask CEAU's partners to check with their outside vendors. CEAU was only interested in knowing what their partners had in hand – indicating that checking with "everybody" did not include OTD's trusted vendors, at least in the CEAU Chief's mind.

I have to note here, of course, that the FBI has consistently opposed strong encryption and other essential digital-security technologies since the "Crypto Wars" of the 1990s. This isn't due to any significant failures of the agency to acquire evidence it needs; instead, it's due to the FBI's fears that its ability to capture digital evidence of any sort may someday be significantly hindered by encryption and other security tech. That opposition to strong security tech has been baked into FBI culture for a while, and it's at the root of agency's fears of "the Going Dark challenge."

Let's be real: it's not clear that encryption will ever be the problem the FBI thinks it is, given that we live in what law professor Peter Swire has called "The Golden Age of Surveillance." But if the day that digital-security technology significantly hinders criminal investigations ever does come, then it would be appropriate for Congress to consider whether CALEA should be updated, or whether a new CALEA-like framework for technology companies like Apple should be enacted.

But that day hasn't come yet. That's why I favor passage of the Secure Data Act of 2018 — it would limit federal agencies' ability to impose general-purpose technology mandates through the courts' interpretation of a two-century-old ambiguous statute. (Among other features, the Act also would effectively clarify that that the All Writs Act, general-purpose statutory provision from 18th century can't be invoked all by itself to compel technology companies to undermine the very digital security measures they've been working so hard to strengthen.) In the long term, our security (in both cyberspace and meatspace) is going to depend much more on whether we all have technical tools that protect our information and data than it will depend on the FBI's has a legal mandate compelling Apple to hack into our iPhones.

Of course, I may be wrong about this. But I share Apple CEO Tim Cook's argument that this public-policy issue ought to be fully debated by our lawmakers, which is a better venue for policy development than a lawsuit filed based on a single dramatic incident like the terrorist attack in San Bernardino.

Mike Godwin (@sfmnemonic) is a Distinguished Senior Fellow with R Street Institute.

Filed Under: all writs act, doj, encryption, fbi, going dark, secure data act

Another Federal Court Says Compelled Decryption Doesn't Raise Fifth Amendment Issues

from the not-a-blanket-statement,-but-more-often-than-not dept

Another federal court is wrestling with compelled decryption and it appears the Fifth Amendment will be no better off by the time it's all over. A federal judge in North Carolina has decided compelling decryption of devices is only a small Fifth Amendment problem -- one that can be overlooked if the government already possesses certain knowledge. [h/t Orin Kerr]

The defendant facing child porn charges requested relief from a magistrate's order to compel decryption. The government isn't asking Ryan Spencer to turn over his passwords. But it wants exactly the same result: decrypted devices. The government's All Writs Order demands Spencer unlock the devices so law enforcement can search their contents. As the court notes in the denial of Spencer's request, the Fifth Amendment doesn't come into play unless the act of production -- in this case, turning over unlocked devices -- is both "testimonial" and "incriminating."

Spencer argued both acts are the same. The government may not ask him directly for his passwords, but a demand he produce unlocked devices accomplishes the same ends. As the court notes, the argument holds "superficial appeal." It actually holds a bit more than that. A previous dissenting opinion on the same topic said the government cannot compel safe combinations by "either word or deed."

This opinion [PDF], however, goes the other way. Judge Breyer likes the wall safe analogy, but arrives at a different conclusion than Justice Stevens did in an earlier dissent. The court finds drawing a Fifth Amendment line at password protection would produce a dichotomy it's not willing to accommodate.

[A] rule that the government can never compel decryption of a password-protected device would lead to absurd results. Whether a defendant would be required to produce a decrypted drive would hinge on whether he protected that drive using a fingerprint key or a password composed of symbols.

The refusal to craft this bright line ultimately makes little difference. The line already exists. Almost no courts have said the compelled production of fingerprints is a Fifth Amendment violation. Producing passwords, however, is an issue that's far from settled. In the cases that have gone the government's way, the key appears to be what the government already knows: the "foregone conclusions." The same goes here.

The court admits producing unlocked devices strengthens the government's case even before any searches take place.

So: the government’s request for the decrypted devices requires an act of production. Nevertheless, this act may represent incriminating testimony within the meaning of the Fifth Amendment because it would amount to a representation that Spencer has the ability to decrypt the devices. See Fisher, 425 U.S. at 410. Such a statement would potentially be incriminating because having that ability makes it more likely that Spencer encrypted the devices, which in turn makes it more likely that he himself put the sought-after material on the devices.

But that only deals with the incrimination side. Is it testimonial? The court thinks it isn't. Or at least, it believes whatever testimonial value it adds is almost nonexistent. All the government needs to show is that the defendant has the ability to unlock the devices.

Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files. Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices.

It's a low bar but one that's sometimes difficult to reach if the government can't clearly link the defendant to the locked devices obtained during the search of a residence or business. As the court notes, it requires more than a reasonable assumption that files the government seeks might reside on the locked devices.

But it is nonsensical to ask whether the government has established with “reasonable particularity” that the defendant is able to decrypt a device. While physical evidence may be described with more or less specificity with respect to both appearance and location, a defendant’s ability to decrypt is not subject to the same sliding scale. He is either able to do so, or he is not. Accordingly, the reasonable particularity standard cannot apply to a defendant’s ability to decrypt a device.

The government needs far more if it seeks to compel decryption.

The appropriate standard is instead clear and convincing evidence. This places a high burden on the government to demonstrate that the defendant’s ability to decrypt the device at issue is a foregone conclusion. But a high burden is appropriate given that the “foregone conclusion” rule is an exception to the Fifth Amendment’s otherwise jealous protection of the privilege against giving self-incriminating testimony.

And the court finds the government does possess clear, convincing evidence.

All three devices were found in Spencer’s residence. Spencer has conceded that he owns the phone and laptop, and has provided the login passwords to both. Moreover, he has conceded that he purchased and encrypted an external hard drive matching the description of the one found by the government. This is sufficient for the government to meet its evidentiary burden. The government may therefore compel Spencer to decrypt the devices.

There is one caveat, however.

Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so.

As the court points out, if the government's foregone conclusion is the correct conclusion, additional evidence linking Spencer to the locked devices will be unnecessary. The government should have no use for the testimony inherent in the act -- the concession that Spencer owned and controlled the now-unlocked devices, making him ultimately criminally responsible for any evidence located in them.

In terms of compelled production, passwords continue to beat fingerprints for device security, but only barely.

Filed Under: 5th amendment, all writs act, decryption, due process, encryption, north carolina, passwords, ryan spencer

FBI Officials Were Angry That An iPhone Hack Blocked Them From Getting Court To Force Apple To Break Encryption

from the agency-actually-doesn't-care-much-about-the-public-or-safety dept

As you probably recall, last year the FBI tried to force a court to effectively create a backdoor for encrypted iPhones, using the high profile San Bernardino shootings as the wedge. It seemed quite obvious with how the whole thing played out that the FBI didn't really need to get into Syed Farook's work iPhone, but that it hoped leverage the high profile nature of the case and the "fear, uncertainty and doubt" around a "terrorist" attack to finally get a court to force Apple to do this. A new report reveals that the FBI was very much focused on using this case to force the issue to the point that top officials were angry that a vendor figured out another way into the iPhone, and stopped the court proceedings.

Again: if the real goal (as stated publicly by the FBI at the time) was to find a way into this phone for important reasons, then you'd think the FBI would be excited when they found a way in, rather than pissed that a court wasn't needed to force a backdoor. But that's not what happened.

A recently-released Inspector General's report [PDF] shows the FBI jumped the gun in the San Bernardino case. The FBI insisted it had no other options when it asked a judge to grant its All Writs Act request to compel Apple to break into the shooter's recovered iPhone. But this report shows these claims -- one repeated by the DOJ in its legal filings and by James Comey in testimony to Congress -- weren't actually true.

The ROU [Remote Operations Unit] Chief told us that, at a monthly OTD managers’ meeting on February 11, 2016, the Chief of DFAS (of which CEAU [Cryptographic and Electronics Analysis Unit] is a part but ROU is not), indicated that CEAU was having problems accessing the data on the Farook iPhone and was preparing for court. The ROU Chief, who told the OIG that his unit did not have a technique for accessing the iPhone at the time, said that it was only after this meeting that he started contacting vendors and that ROU “got the word out” that it was looking for a solution. As discussed further below, at that time, he was aware that one of the vendors that he worked closely with was almost 90 percent of the way toward a solution that the vendor had been working on for many months, and he asked the vendor to prioritize completion of the solution.

There was a another option available at the time the DOJ filed its All Writs Request (February 16). It may not have been complete yet, but the FBI had reason to believe it would be soon. Instead of giving this option a shot, the FBI tried to secure a favorable ruling compelling Apple to crack the shooter's iPhone. This wasn't what was presented to the judge in the DOJ's filing.

Comey testified before Congress on February 9th. If there had been better communication between the FBI's Operational Technology Division (OTD) and the Cryptographic and Electronic Analysis Unit (CEAU), Comey may have been apprised of this fact before his first testimonial appearance. Given the national attention being paid to this case, there's no reason Comey should have been out of the operational loop, even at this early date.

But Comey repeated the same claim nearly a month later (March 1st): the FBI could not get into the iPhone without Apple's assistance. (And again three weeks later in an angry letter to the editor published by the Wall Street Journal.) There's no way Comey could not have been aware of these developments, not with the DOJ engaged in a high-profile courtroom battle with Apple over compelled assistance.

The Inspector General finds Comey's claims to be technically true: the breakthrough offered by the still-undisclosed vendor was not passed on to the FBI until March 16th and successfully demonstrated for agents on March 20th. The following day, the US Attorney's Office informed the court of this development and withdrew its All Writs request.

Comey's statements were technically true but not the parts where he insisted the only way to access the iPhone's contents was with Apple's assistance. If he was not being informed of ongoing developments on the tech side, that's inexplicable behavior by FBI entities directly tasked with cracking the shooter's iPhone. Given the high-profile status of this case, it's not just inexplicable. It's literally unbelievable.

But that's not the only concerning aspect of this report. The head of the FBI's Remote Operations Unit (ROU) -- the person who reached out to the vendor about the progress of its iPhone crack -- was never contacted or consulted by the other offices working on the same problem. As the ROU Chief stated, the ROU walled itself off to prevent national security tools from being used in normal criminal cases.

This would seem to be good news -- the FBI drawing internal lines in the sand between natsec and normal criminal investigations -- but it actually isn't. The CEAU head believed no line existed and it could bring tools over from the natsec side any time it wanted to. But that's not the worst of it. The CEAU actually did not want a solution found.

According to the ROU Chief, his only conversation with the CEAU Chief was well after the fact, during which the CEAU Chief “was definitely not happy” that the legal proceeding against Apple could no longer go forward.

This is further backed up by statements made to the IG by FBI Executive Assistant Director (EAD) Amy Hess.

After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.

This was also admitted by the CEAU Chief in his interview with the Inspector General.

The CEAU Chief told the OIG that, after the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, “Why did you do that for?”

The report makes it clear those steering the iPhone-cracking efforts were less interested in an outside vendor cracking the phone than obtaining a precedential decision. In doing so, the DOJ ended up filing false statements as sworn assertions, claiming it had exhausted every option before approaching the court with an All Writs Request. This report may sort of clear Comey and the DOJ, but it exposes something much uglier: FBI officials are not making good faith efforts to find outside solutions to the FBI's supposed "going dark" problem. They'd much rather have favorable court decisions and legislative mandates than work with the tools others are crafting for them. This all but guarantees the number of uncracked phones in the FBI's possession will continue to grow. But they should never be viewed as investigative dead ends. They should be seen for what they are: rhetorical devices.

Update: Sen. Ron Wyden sees the report for what it is. Here's his statement on the matter:

"The FBI's leadership went straight to the nuclear option -- attempting to force Apple to circumvent its encryption -- before attempting to see if their in-house hackers or trusted outside suppliers had the technical capability to break into the San Bernardino terrorist's iPhone," Wyden said. "It's clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist's phone."

Filed Under: all writs act, encryption, fbi, going dark, iphone, syed farook
Companies: apple

Wyden's Reform Bill Would Also Deter Misuse Of NSA Powers To Compel Tech Company Assistance

from the not-just-backdoors dept

Sen. Ron Wyden is again raising concerns about NSA tactics, this time through his recently-submitted Section 702 reform bill. The USA RIGHTS Act contains a number of improvements, including addressing backdoor searches of NSA data by federal agencies and increasing the reporting requirements for access of US persons communications and data. It also permabans the NSA's "about" collection -- one it shut down voluntarily after years of misuse but recently expressed an interest in restarting.

There's another form of surveillance being eyed by Wyden's bill: technical assistance. Marcy Wheeler points out some of the limitations imposed by the bill, which appear to target compelled assistance by tech companies.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

This could refer to FISA-enabled pressure to backdoor encryption or allow the NSA to otherwise compromise hardware and software. And it may be Wyden's way of sending out a heads up to the general public.

This suggests that Wyden is concerned the government might use — or has used — FISA to make sweeping onerous technical demands of companies without explicitly explaining what those demands are to the Court.

No one should be surprised the government is -- or intends to -- use the FISA court to compel compliance. This is another tool it has at its disposal, going hand-in-hand with All Writs orders to cover government requests not explicitly allowed by existing law. As we saw in the government's most famous All Writs case -- its legal battle with Apple over the contents of the San Bernardino shooter's iPhone -- these expansive orders predicated on a 1789 law still have their limits. As more companies fight back against government overreach, the NSA will need to keep its options open if it hopes to compel compliance.

But if it's going to do this, it needs to be on the record. This is what Wyden's bill would do: force the NSA (and other IC agencies) to detail their plans for compelled assistance and seek explicit approval for these actions from the court.

Filed Under: all writs act, compelled assistance, nsa, ron wyden, surveillance, usa rights act

Court Calls Out Government For The 'General Warrant' It Served To Facebook

from the but-awards-it-an-A-for-effort dept

In a disturbing case involving the sex trafficking of minors, the 11th Circuit Appeals Court has reached a few interesting conclusions involving digital searches and the Fourth Amendment. Included in the court's findings are rulings on the use of the All Writs Act to force Apple to unlock a device, an email warrant served to Microsoft, and warrants used to obtain a vast amount of information from Facebook. [h/t Orin Kerr]

The All Writs Act received a ton of free publicity thanks to Apple's fight with the DOJ over the (forced) unlocking of the San Bernardino shooter's iPhone. Ultimately, the DOJ hired outside help to crack open the phone, abandoning its search for helpful precedent. (And, ultimately, the phone -- the shooter's work-issued phone -- contained nothing of interest.)

Here, the Appeals Court finds [PDF] there's nothing wrong with using the 1789 All Writs Act to paper over holes in the 200+ years of legislation.

The authority granted by the All Writs Act is broad but not boundless. The Act “is a residual source of authority” that permits issuing writs only if they “are not otherwise covered by statute.” Penn. Bureau of Corr. v. U.S. Marshals Serv., 474 U.S. 34, 43, 106 S. Ct. 355, 361 (1985). It is a gap filler. “Where a statute specifically addresses the particular issue at hand, it is that authority, and not the All Writs Act, that is controlling.” Id. And where Congress has proscribed a certain type of judicial action, the Act cannot overcome that proscription. See id. The bypass order meets this requirement because no statute expressly permits or prohibits it.

Using somewhat circular reasoning, the court states the All Writs warrant issued here doesn't produce any Fourth Amendment difficulties because Apple willingly complied with it.

To comply with the bypass order, Apple simply had to have an employee plug the iPad into a special computer and then transfer the iPad’s data to a thumb drive. That is not an unreasonable burden, especially in light of the fact that Apple did not object to the bypass order’s requirements.

More helpfully, the court seems to suggest it's amenable to challenges like the one raised here. In most cases, challenging an All Writs warrant can only be done by the company receiving it. The court doesn't have to meet the issue of whether or not the defendants had standing to challenge the warrant served to Apple, but doesn't immediately dismiss their attempt to establish standing.

Moving on, the court examines the warrant served to Microsoft for emails related to the criminal charges. The court finds the warrant was not overbroad.

Viewed against that constitutional history, the Microsoft warrant complied with the particularity requirement. It limited the emails to be turned over to the government, ensuring that only those that had the potential to contain incriminating evidence would be disclosed. Those limitations prevented “a general, exploratory rummaging” through Moore’s email correspondence. The Microsoft warrant was okay.

How often does a court describe a warrant as merely "okay?" I'm guessing it's probably not that often. Here's why it did in this case, explained in the footnote attached to the "okay" descriptor.

It is somewhat troubling that the Microsoft warrant did not limit the emails sought to emails sent or received within the time period of Moore’s suspected participation in the conspiracy. Nevertheless, the warrant was appropriately limited in scope because it sought only discrete categories of emails that were connected to the alleged crimes. As a result, the lack of a time limitation did not render the warrant unconstitutional.

The government passes this warrant examination with C-. The work needs improvement and the government just isn't applying itself. Unfortunately, neither is the court if it's going to allow third parties do the government's particularity work for it.

The Facebook warrant, however, doesn't live up to the court's "okay" standard.

The Facebook warrants are another matter. They required disclosure to the government of virtually every kind of data that could be found in a social media account… And unnecessarily so. With respect to private instant messages, for example, the warrants could have limited the request to messages sent to or from persons suspected at that time of being prostitutes or customers. And the warrants should have requested data only from the period of time during which Moore was suspected of taking part in the prostitution conspiracy. Disclosures consistent with those limitations might then have provided probable cause for a broader, although still targeted, search of Moore’s Facebook account. That procedure would have undermined any claim that the Facebook warrants were the internet-era version of a “general warrant.”

If there's one thing law enforcement doesn't want to hear from a judge, it's the term "general warrant." Being compared to an occupying force is never a good thing. And these warrants are definitely not "okay."

The two warrants required Facebook to “disclose” to the government virtually every type of data that could be located in a Facebook account, including every private instant message Moore had ever sent or received, every IP address she had ever logged in from, every photograph she had ever uploaded or been “tagged” in, every private or public group she had ever been a member of, every search on the website she had ever conducted, and every purchase she had ever made through “Facebook Marketplace,” as well as her entire contact list. The disclosures were not limited to data from the period of time during which Moore managed the prostitution ring; one warrant asked for all data “from the period of the creation of the account” and the other did not specify what period of time was requested.

The government claimed the Facebook warrant was no different than warrants used to search electronic devices. In the latter case, the government generally takes possession of the device and digs through it until it finds what it needs. (This is an area of jurisprudence that is slowly shifting. With "persons' entire lives" often located on devices like smartphones, the analog equivalent is the government seizing the entire contents of a person's home before taking what's actually relevant to the case at hand.) The court has no sympathy for this argument, pointing out the warrant should have asked Facebook for only what was relevant and allow a non-government party to dig through the suspects' digital personal effects.

The means of hiding evidence on a hard drive — obscure folders, misnamed files, encrypted data — are not currently possible in the context of a Facebook account. Hard drive searches require time-consuming electronic forensic investigation with special equipment, and conducting that kind of search in the defendant’s home would be impractical, if not impossible. By contrast, when it comes to Facebook account searches, the government need only send a request with the specific data sought and Facebook will respond with precisely that data.

And the government should know this, because it does this thousands of times a year.

That procedure does not appear to be impractical for Facebook or for the government. Facebook produced data in response to over 9500 search warrants in the six-month period between July and December 2015.

Unfortunately, the government is allowed to keep the Facebook evidence under the "good faith" exception.

The Facebook warrants do not fall within either category of excludable warrants. As we have already explained, probable cause supported issuance of the warrants. And while the warrants may have violated the particularity requirement, whether they did is not an open and shut matter; it is a close enough question that the warrants were not “so facially deficient” that the FBI agents who executed them could not have reasonably believed them to be valid.

This suggests a two-step process for warrants served to service providers might be the better path to take in the future. While particularity is difficult to nail down when you're not sure exactly what you're looking for, trimming down demands for data and communications to relevant time periods raises the chances of warrants surviving suppression challenges. The court sets no precedent in this decision thanks to its good faith ruling, but the footnote addressing the Microsoft warrant and the multiple paragraphs devoted to the government's Facebook haul hints the government really needs to tighten up its search warrant procedures.

Filed Under: all writs act, doj, fishing expedition, general warrant, surveillance
Companies: apple, facebook, microsoft

Third Circuit Appeals Court Says All Writs Orders Can Be Used To Compel Passwords For Decryption

from the still-no-definitive-answer-on-the-Fifth-Amendment-though dept

The Third Circuit Court of Appeals has ruled that passwords can be compelled with All Writs Orders. Handing down a decision in the case of Francis Rawls, a former Philadelphia police officer facing child porn charges, the court finds the order lawful, but doesn't go quite as far as to determine whether compelling password production implicates the Fifth Amendment.

The Third Circuit doesn't touch the Fifth Amendment implications because Rawls failed to preserve them.

Even if we could assess the Fifth Amendment decision of the Magistrate Judge, our review would be limited to plain error. See United States v. Schwartz, 446 F.2d 571, 576 (3d Cir. 1971) (applying plain error review to unpreserved claim of violation of privilege against self-incrimination). Doe’s arguments fail under this deferential standard of review.

Orin Kerr highlights a footnote from the order [PDF], which shows even if the court had addressed the Fifth Amendment implications, it likely would have sided with government based on its interpretation of the government's "foregone conclusion" argument.

It is important to note that we are not concluding that the Government’s knowledge of the content of the devices is necessarily the correct focus of the “foregone conclusion” inquiry in the context of a compelled decryption order. Instead, a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production. In this case, the fact known to the government that is implicit in the act of providing the password for the devices is “I, John Doe, know the password for these devices.” Based upon the testimony presented at the contempt proceeding, that fact is a foregone conclusion.

However, because our review is limited to plain error, and no plain error was committed by the District Court in finding that the Government established that the contents of the encrypted hard drives are known to it, we need not decide here that the inquiry can be limited to the question of whether Doe’s knowledge of the password itself is sufficient to support application of the foregone conclusion doctrine.

This interpretation limits what the government has to assert to avail itself of this argument -- one that's sure to become more common as default encryption comes to more devices and communications services. As applied here, the government only has to show the defendant knows the password. It doesn't have to make assertions about what it believes will be found once the device/account is unlocked. (That being said, the DHS performed a forensic scan of the one device it could access -- the MacBook Pro -- and found data and photos suggesting the locked external drives contained more child pornography.)

The court also addresses the All Writs Act being used to compel password production in service to a search warrant that still can't be fully executed.

Doe asserts that New York Telephone should not apply because the All Writs Act order in that case compelled a third party to assist in the execution of that warrant, and not the target of the government investigation. The Supreme Court explained, however, that the Act extends to anyone “in a position to frustrate the implementation of a court order or the proper administration of justice” as long as there are “appropriate circumstances” for doing so. Id. at 174. Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.

This shows just how malleable the New York Telephone decision is. This 1977 Supreme Court decision paved the way for widespread pen register use. Since that point, it has been used by the DOJ to argue for the lawfulness of encryption-defeating All Writs Orders (as in the San Bernardino iPhone case), as well as by criminal defendants arguing these same orders are unlawful.

In Apple's case, the government argued the company was not "far removed" from the controversy, despite it being only the manufacturer of the phone. Apple's distance as a manufacturer provided its own argument against the DOJ's application of this Supreme Court decision.

In this case, the key words are "third party": Rawls is arguing this isn't nearly the same thing as forcing a phone company to comply with pen register orders. This is a "first party" situation where compliance may mean producing evidence against yourself for use in a criminal trial. The government likes the New York Telephone decision for its Fourth Amendment leeway. The defendant here is arguing this isn't even a Fourth Amendment issue.

As the court points out, it can't really assess the Fifth Amendment argument -- not when it hasn't been preserved for appeal. But even so, the court says law enforcement already has enough evidence to proceed with prosecution. If so, the only reason the government's pressing the issue -- which has resulted in Rawls being jailed indefinitely for contempt of court -- is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords. The court doesn't quite reach that point, but the ruling here seems to suggest it will be easier (in this circuit at least) to throw people in jail for refusing to hand over passwords, since all the government is really being forced to establish is that it knows the defendant can unlock the targeted devices/accounts.

Filed Under: 5th amendment, all writs act, compelled, francis rawls, passwords, third circuit

Researchers Ask Court To Unseal Documents Related To Technical Assistance Requests And Electronic Surveillance Warrants

from the great-unsealing-continues dept

This has the makings of a movement along the lines of the highly-unofficial "Magistrates Revolt." More efforts are being made more frequently to push federal courts out of their default secrecy mode. The government prefers to do a lot of its work under the cover of judicial darkness, asking for dockets and documents to be sealed in a large percentage of its criminal cases.

Just in the last month, we've seen the ACLU petition the court to unseal dockets related to the FBI's takedown of Freedom Hosting using a Tor exploit and Judge Beryl Howell grant FOIA enthusiast Jason Leopold's request to have a large number of 2012 pen register cases unsealed.

Now, we have researchers Jennifer Granick and Riana Pfefferkorn petitioning [PDF] the Northern District of California court to unseal documents related to "technical assistance" cases -- like the one involving the DOJ's attempted use of an All Writs Order to force Apple to crack open a phone for it.

Petitioners Jennifer Granick and Riana Pfefferkorn, researchers at the Stanford Center for Internet and Society proceeding pro se, file this Petition to unseal court records. We file this Petition so that the public may better understand how government agents are using legal authorities to compel companies to assist them in decrypting or otherwise accessing private data subject to surveillance orders. Petitioners hereby seek the docketing of surveillance orders issued by this Court; the unsealing of those dockets; and the unsealing of the underlying Court records in surveillance cases relating to technical-assistance orders issued by this Court to communications service providers, smartphone manufacturers, or other third parties…

This district should contain a great number of documents fitting this description, seeing as it also contains a great number of service providers and third party tech companies.

More specifically, the researchers are looking to gain access to documents in cases where the government has used the following list of statutes to compel cooperation:

• the Wiretap Act, 18 U.S.C. §§ 2510-2522;
• the Stored Communications Act (or “SCA”), 18 U.S.C. §§ 2701-2712;
• the Pen Register Act (or “Pen/Trap Act”), 18 U.S.C. §§ 3121-3127; and/or
• the All Writs Act (or “AWA”), 28 U.S.C. § 1651

Not only that, but Granick and Pfefferkorn are asking the court to shift away from the default secrecy that has made this petition necessary.

[Petitioners request that] the Court revise its practices going forward, such that the Clerk’s office will assign case numbers to, docket, and enter into CM/ECF all applications and orders for search warrants, surveillance, and technical assistance; the Court will undertake a periodic review (e.g., annually or biannually) of sealed dockets, warrants, surveillance orders, and technical-assistance orders; and after such review, the Court will unseal those records for which there is no longer any need for continued sealing.

The researchers point out that secrecy in court records is a First Amendment issue: these documents were meant to be accessible by the general public. They also note that they aren't asking for anything related to ongoing investigations or information that might compromise future investigations -- like names of law enforcement personnel or other potential criminal investigation targets. All they're asking is that the court stop granting the government permission to seal complete dockets so often and to perform periodic reviews of sealed cases to see whether the imposed secrecy is still warranted.

As it stands now, this large number of sealed documents prevents the public from knowing how law enforcement agencies and courts are interpreting (often outdated) tech-related laws. It's preventing researchers like these two from gaining any insight on the government's electronic surveillance efforts and it's locking defense lawyers out of possibly precedential rulings that may affect current or future clients.

Filed Under: all writs act, electronic surveillance, jennifer granick, riana pfefferkorn, technical assistance, warrants