Documents Show FBI Deployed Software Exploits To Break Encryption Back In 2003

from the and-privacy-and-security-for-none... dept

Documents FOIA'ed by Ryan Shapiro and shared with the New York Times shed some new light on previous FBI efforts to break encryption. Back in 2003, the FBI was investigating an animal rights group for possibly sabotaging companies that used animals for testing. The FBI's Department of Cutesy Investigation Names dubbed this "Operation Trail Mix," which I'm sure endeared it to the agents on the case. At the center of the investigation were emails the FBI couldn't read. But it found a way.

They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

That effort, revealed in newly declassified and released records, shows in new detail how F.B.I. hackers worked to defeat encryption more than a decade before the agency’s recent fight with Apple over access to a locked iPhone.

The documents don't detail what the exploit was, but it targeted PGP -- the encryption method used to keep the group's communications private. The FBI was able to obtain a "full access" warrant to grab every communication, but that did nothing to decode the scrambled emails. The documents don't specify what the FBI used, but language suggests it either copied the decryption keys or deployed a keylogger to snag passwords.

Either way, it apparently was the first time the FBI had deployed its own malware.

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

The secrecy surrounding the FBI's tactics was nearly absolute. The wiretap order was disclosed to the defense but not the use of an exploit/keylogger. On top of that, the DOJ never mentioned the FBI's efforts in its 2002 and 2003 annual reports, despite being required to report any instance where it runs across encryption during a wiretap investigation.

Not that the DOJ and FBI's lack of transparency harmed their case. It resulted in six convictions, and a higher court basically said the use of encryption was suspicious in and of itself.

An appeals court upheld the convictions in 2009, and said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”

What the documents do show is that the FBI has been in the fight against encryption for a long time and in the business of deploying malware and exploits without judicial oversight for about as long. What has changed is that it's now openly fighting encryption by trying to force compliance throught the use of All Writs Acts. It's also deploying a variety of exploits that can -- with a single warrant -- access info about any computer/device visiting a website.

It may be more open about its intents and tool usage now, but that's not because it's gained new respect for things like due process and accurate warrant applications. It's doing this now because it needs an upper-level court ruling in its favor to basically excuse the things it's been doing in secret for years, as well as give it the permission it needs to continue to undermine encryption in the future.

Filed Under: animal rights, cracking, encryption, fbi, hacking

Wyoming Makes Reporting Environmental Disasters Illegal

from the ag-gag-embiggened dept

Techdirt has written several times about so-called "ag-gag" laws, which have the strange effect of making it illegal for members of the public to expose animal abuse on farms. Slate has a fascinating report about how Wyoming is bringing in its own kind of ag-gag law that is so wide in its reach that it could make taking photos in Yellowstone illegal:

photos are a type of data, and the new law makes it a crime to gather data about the condition of the environment across most of the state if you plan to share that data with the state or federal government.

The specificity of that restriction sounds absurd. Why on earth would anyone want to prevent environmental data being gathered? Here's why:

The state wants to conceal the fact that many of its streams are contaminated by E. coli bacteria, strains of which can cause serious health problems, even death.

The reason the state is trying to do that is because the E. coli in question comes from cows, and cows have clout in Wyoming:

Acknowledging that fact could result in rules requiring ranchers who graze their cows on public lands to better manage their herds. The ranching community in Wyoming wields considerable political power and has no interest in such obligations, so the state is trying to stop the flow of information rather than forthrightly address the problem.

The law is framed broadly: it makes it a crime to "preserve information in any form" about "open land" if there is any intention to submit it to a federal or state agency. That means that if you discovered a major environmental disaster in Wyoming, no matter how life-threatening, you had better keep information about it to yourself. As the Slate post points out:

By enacting this law, the Wyoming legislature has expressed its disdain for the freedoms protected by the First Amendment and the environmental protections enshrined in federal statutes. Today, environmentally conscious citizens face a stark choice: They can abandon efforts to protect the lands they love or face potential criminal charges.

Now that's what I call an ag-gag law.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: ag gag, animal rights, cows, environment, free expression, photographs, wyoming, yellowstone

FBI Stops Responding To The Most Prolific FOIA Filer, Because He Might Actually Learn Something

from the he's-so-effective-that-they'd-like-him-to-stop dept

Mother Jones has an interesting profile of Ryan Shapiro, a punk rocker turned animal rights activist turned MIT PhD student, who is officially the "most prolific" filer of Freedom of Information Act (FOIA) requests from the FBI. At a high point, he was filing an average of two per day. In fact, he filed so many FOIA requests so successfully, that the FBI is now refusing to respond and is giving the courts a secret explanation which they won't share.

The FBI claims that it cannot discuss the case in open court "without damaging the very national security law enforcement interests it is seeking to protect." Instead, it has filed a secret declaration outlining its case. "This is an especially circular and Kafkaesque line of argument," Shapiro counters. "The FBI considers it a national security threat to make public its reasoning for considering it a national security threat to use federal law to request information about the FBI's deeply problematic understanding of national security threats."

The FBI is basically arguing that because Shapiro is filing so many requests, he might actually be able to pull enough info together from so many different responses, that it would reveal stuff that wouldn't have been revealed if it had been found in a single FOIA request. In other words, Shapiro is better at this game than the FOIA censors, figuring out ways to get a variety of information that, when put together, is actually kind of useful.

Part of the trick, apparently, is getting a ton of people to agree to sign "privacy waivers" so he can request the FBI's info on those people, which the FBI wouldn't reveal otherwise.

When he started using privacy waivers, Shapiro realized he was on to something. Suppose you and I volunteered for the animal rights group PETA. If Shapiro requested all PETA-related FBI documents, he might get something back, but any references to us would be blacked out. If he requested documents related to us, he'd probably get nothing at all. But if he filed his PETA request along with privacy waivers signed by us, the FBI would be compelled to return all PETA documents that mention us—with the relevant details uncensored.

Shapiro began calling up old friends and asking for waivers. Coming of age amid the 1990s punk scene, he'd been drawn to animal rights causes and took part in their actions. He walked into foie gras facilities to film sick and injured ducks, several of which he rescued, and locked himself to the doors of fur salons. And while he no longer does such things, he has kept in touch with people who do.

Armed with signed privacy waivers, he sent out a few experimental requests—he calls them "submarine pings"—and when the FBI returned more than 100 pages on a close friend, he knew he'd struck gold. The response included pages of information that Shapiro had requested previously, but that the FBI had claimed didn't exist. Using case details from those documents and a handful of additional waivers, he filed a new set of requests.

Later in the article, Shapiro admits that as he got more and more responses, it certainly allowed him to fill in many blanks (and also point him to where to file other requests). This, it seems, is exactly what the FBI fears the most: Shapiro has outsmarted them. While, normally, FOIA responses are done in a manner to limit what information is shared and to never, ever suggest a slightly different query that might be useful, it appears Shapiro has more or less figured out a way around that, in part via bulk requests which lead down other paths of inquiry. No wonder the FBI has stopped responding. Shapiro just plays the game better than they do, and they're used to a world where the house always wins.

Filed Under: activists, animal rights, fbi, foia, mosaic theory, privacy waiver, ryan shapiro