Obtained Documents Show The DEA Sold Compromised Phones To Suspected Drug Dealers

from the Blackberry-once-again-at-the-center-of-government-subterfuge dept

Human Rights Watch -- which delivered info on law enforcement's "parallel construction" habit earlier this year -- is back with a bombshell. Court documents obtained by the group show the DEA sold compromised devices to drug dealers during an investigation into a Mexico-to-Canada trafficking operation.

Human Rights Watch has identified two forms of this technique that the Drug Enforcement Administration (DEA) has used or, evidence suggests, has contemplated using. One involved the undercover sale of BlackBerry devices whose individual encryption keys the DEA possessed, enabling the agency to decode messages sent and received by suspects. The second, as described in a previously unreported internal email belonging to the surveillance software company Hacking Team, may have entailed installing monitoring software on a significant number of phones before attempting to put them into suspects’ hands.

The DEA broke ranks (at least publicly) with Italy's exploit/malware vendor Hacking Team after it was (ironically) hacked and its internal communications fed to Wikileaks. That the DEA would purchase exploits and hacking tools wasn't surprising. Neither was the fact that these tools had never been discussed in a courtroom setting. (See above re: parallel construction.) What was more disappointing than surprising was that a US government entity would choose to do business with a company caught selling hacking tools to UN-blacklisted countries.

The big news here is the compromised phones. The DEA held encryption keys for phones sold to drug dealers in order to intercept communications like texts and email. The affidavit [PDF] obtained by Human Rights Watch raises cart/horse questions about the legality of the interceptions. While wiretap warrants were obtained (and quite easily -- these were routed through Southern California's particularly DEA-friendly courtrooms), the narrative in the sworn statements doesn't state clearly whether these warrants were obtained before the interceptions began. In fact, one statement made in the affidavit seems to indicate the interceptions from the compromised phones were used to buttress claims in warrant requests. From the affidavit:

[O]n April 10, 2011, [suspect John] Krokos in Mexico contacted SA Burkdoll and asked for another EBD [encrypted Blackberry device]. The next day, on April 11, 2011, SA Burkdoll, in an undercover capacity, provided [suspect Ismael] Tomatani with a new EBD for $1,000 in the parking lot of a Home Depot store in West Hills, California. Two days later, Tomatani began communicating with [suspect Eduardo] Olivares over the EBD. A variety of relatively plain drug communications were intercepted over Tomatani's EBD as he communicated with Olivares on the new EBD.

[...]

I am aware that, on May 16, 2011, signed an order for the wiretap interception of both the EBD and cellular telephone being used by Olivares.

The wiretap order to intercept communications came nearly a month after the interception began. And that warrant targeted only the communications originating from Olivares' devices. Nothing in the affidavit narrative says anything about obtaining wiretap warrants for the EBDs supplied to Tomatani and Krokos.

There's also nothing in the paperwork suggesting the plan to sell suspects compromised devices was ever run past a judge. Considering the sole purpose of these devices was to facilitate the interception of communications, you'd think judicial approval would have been sought to ensure the collected evidence would survive a suppression motion. (There's also discussion of the DEA repeatedly using "slap on" GPS tracking devices to track suspects' movement without seeking warrants first. Of course, some of this happened before the Supreme Court (sort of) ruled law enforcement should seek warrants before placing tracking devices on vehicles, but the practice appears to have continued past the 2012 ruling.)

Another, longer affidavit [PDF] from SA Burkdoll (the agent that sold the drug dealers the compromised phones) suggests the agency had been seeking wiretap warrants for a number of devices and landlines since 2010, which would be prior to the sale described in the other affidavit.

Even if the wiretap warrants preceeded the interceptions, the delivery of compromised phones to criminal suspects is still a questionable tactic. For one, nothing suggests this plan had been run by anyone outside of the DEA to vet the tactic for legality or constitutionality.

Second, this isn't the sort of thing you want investigative agencies to do regularly. There are all sort of side effects and the omnipresent mission creep problem to be considered.

The US government’s policies for secretly distributing devices it has compromised by obtaining encryption keys or installing surveillance tools largely remain unknown. Documents the Federal Bureau of Investigation (FBI) disclosed in 2011 mention seeking a warrant explicitly for a “two-step” process of installing a spying mechanism on a US computer and then carrying out surveillance, but it is unclear whether the DEA has adopted similar standard procedures for the measures it has used or considered.

Under international human rights law, all surveillance methods that interfere with privacy should be authorized by clear, publicly available laws; be subject to approval by a court or other independent body for specific purposes such as protecting public safety or national security; and be proportionate to those aims. Undermining the security of devices to conduct surveillance could have long-term repercussions for privacy, including for people other than the original intended surveillance targets, making it all the more important for the Justice Department to disclose its policies regarding these tactics.

This isn't to say the government should never engage in these tactics. Sometimes it's necessary. But subterfuge involving compromised devices and muddy wiretap warrant timelines isn't the way to do it.The agency has shown it's more than willing to launder its tainted evidence -- both to hide its true origin from defendants and to hide its methods from the rest of the world. The agency's past actions indicate respect for people's rights (along with their personal property/lives) is pretty low on its list of priorities. So, if further revelations show a lack of candor -- either in court or to its oversight -- it won't surprise anyone.

Filed Under: backdoors, dea, drug dealers, encryption, phones
Companies: hacking team

State Court Says Cop Posing As A Facebook Friend To Snag Criminal Evidence Isn't A 4th Amendment Violation

from the of-course-it-isn't dept

Getting roped in by your public Facebook posts isn't a Fourth Amendment violation -- not even if the viewing "public" contains undercover cops. The Delaware Supreme Court [PDF] got to wrestle with an interesting question, but the public nature of conversations prevents the Fourth Amendment from being much of an issue. [h/t Eric Goldman]

Here, the defendant-appellant, Terrance Everett (“Everett”), accepted the friend request from a detective who was using a fictitious profile. The detective then used information gained from such monitoring to obtain a search warrant for Everett’s house, where officers discovered evidence that prosecutors subsequently used to convict him.

Everett posted pictures of cash and weapons. As a convicted felon, he certainly wasn't supposed to be in possession of the latter. There's a discussion of privacy settings in the court's decision, but it only shows nothing conclusive was determined by the lower court. Apparently, Everett did set his account to "Friends-only" at some point, but that most likely did not occur until after the photos used to obtain a search warrant had already been viewed.

Ultimately, the court decides the privacy settings don't really matter -- at least not as far as Everett extended them. It would have still allowed the detective to see the photos Everett posted, given that the law enforcement officer was already a Facebook friend.

Attempting to claim his privacy was violated by the three-year subterfuge, Everett's challenge partially hinged on a key omission from the detective's warrant affidavit. The detective never informed the judge he had spent three years pretending to be Everett's friend to gather probable cause for a search. If nothing else, this seems like a waste of law enforcement resources, given the only charge Everett was convicted for was firearms possession. Then again, surveillance through a Facebook account is a largely passive enterprise.

The lower court found the omission did not affect the warrant's validity and the state Supreme Court agrees. Then it moves on to address the larger issue: is a fake friend a privacy violation?

We reject Everett’s contentions because Everett did not have a reasonable expectation that the Facebook posts that he voluntarily shared with Detective Landis’s fake profile and other “friends” would not be disclosed. We observe that Detective Landis did not request or access the Photo directly from Facebook, the third-party service provider— a scenario that we need not address here. Rather, Everett made the Photo accessible to his “friends” and, by doing so, he assumed the risk that one of them might be a government officer or share his information with law enforcement.

This is true across all communications platforms, including personal conversations and snail mail. The expectation of privacy the sender might have can be "violated" at any time by the recipient of the communications. Even if the recipient is a cop pretending to be a Facebook friend, the privacy of communications is only as solid as the other participant.

The court also notes this isn't even comparable to wiretapping. The detective did not intercept private communications or otherwise place himself between Everett and message recipients. Everything gathered to support the warrant was visible to Everett's Facebook friends. Any one of them could have turned the photo over to police without violating Everett's privacy. The detective's passive monitoring of a Facebook account doesn't change the equation much.

One cannot reasonably believe that such “false friends” will not disclose incriminating statements or information to law enforcement—and acts under the risk that one such person might actually be an undercover government agent. And thus, one does not have a reasonable expectation of privacy in incriminating information shared with them because that is not an expectation that the United States Supreme Court has said that society is prepared to recognize as reasonable.

[...]

If one allows others to have access to his or her information that contains evidence of criminal wrongdoing, then that person assumes the risk that they might expose that information to law enforcement—or they might be undercover officers themselves. As the United States Supreme Court has put it, “[t]he risk of being . . . betrayed by an informer or deceived as to the identity of one with whom one deals is probably inherent in the conditions of human society” and “is the kind of risk we necessarily assume whenever we speak.”

That's how it works. Communications are public, to a certain extent. The government can't access certain conversations you have with others without a warrant, but nothing says it can't pretend to be another person to be invited into incriminating conversations. Posting photos to Facebook isn't a private act, even if the settings only allow "friends" to view them. The subterfuge deployed makes it seem like more of a privacy violation than it actually is. What this should be is a cautionary tale, rather than an indictment of the Fourth Amendment's limitations. If someone doesn't want evidence of criminal activity used against them, they should probably keep that information to themselves, rather than post it on social media sites.

Filed Under: 4th amendment, delaware, drug dealers, fake friends, social media, terrance everett, undercover

AT&T Fined For Turning A Blind Eye As Drug Dealers Ripped Off Its Customers

from the telecom-free-for-all dept

While Comcast gets the lion's share of the public's loathing, there's an argument to be made for AT&T actually being a worse company. Think Comcast, but with slower broadband speeds, more dubious executive ethics, and an even greater disdain for its paying customers. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.

In every instance AT&T was either busy ripping off customers directly, or turning a blind eye to fraud aimed directly at AT&T customers -- because in most instances AT&T got a cut of the profits.

Fast forward to this week, when the FCC announced it would be fining AT&T another $7.7 million (pdf), this time for actively helping drug dealers rip off paying AT&T customers. According to the full FCC order (pdf), AT&T turned a blind eye to two bogus Cleveland companies, Discount Directory, Inc. (DDI) and Enhanced Telecommunications Services (ETS), which had been billing AT&T phone customers $9 per month for a "directory assistance service" that didn't actually exist. These bogus companies were originally only uncovered during a DEA drug investigation:

"In May 2015, while investigating the Companies’ principals for drug-related crimes and money laundering, the United States Drug Enforcement Administration uncovered that DDI and ETS were sham operations that never provided any directory assistance service to the customers billed by AT&T. The Companies’ principals told law enforcement that they submitted fake service charges for thousands of AT&T customers (mostly small businesses) over a multiyear period."

The complaint proceeds to suggest that AT&T was aware of these charges (as with previous cramming settlements), but turned a blind eye because it took a cut of each fraudulent charge:

"Although it bore ultimate responsibility for the charges placed on its customers’ bills, AT&T never required proof from the Companies that they obtained customer authorizations to be billed for their service and the record shows that the Companies never obtained any such customer authorizations. In addition, AT&T ignored a number of red flags that the charges were unauthorized, including thousands of charges submitted by the Companies for nonexistent, disconnected, or otherwise “unbillable” accounts."

As per the settlement, AT&T will issue $6,800,000 in refunds to all current and former consumers charged for the sham directory assistance service, and a $950,000 fine to the U.S. Treasury. AT&T's also been forced to cease billing for nearly all third-party products and services for wireline customers (now that few use wireline anyway), adopt policies requiring express informed consumer consent before such charges can be reapplied, and revise its billing systems so that such charges are easier to find.

While these fines are puny and belated, keep in mind that until the last few years regulators did little to nothing whatsoever to hold larger telecom companies accountable for their role in perpetuating that kind of fraud -- making this a step up from the apathy of decades' past. Still, AT&T consistently gets to pay settlements that are likely only a small fraction of the money collected over the years, its lawyers and accountants already busy cooking up the fraudulent efforts we'll surely get to read about in 2022.

Filed Under: cramming, drug dealers, fcc, fines, service fees
Companies: at&t

Drug Dealers Swapping Down To Old Cellphones To Stay One Step Ahead In The 'Tech Arms Race'

from the to-win,-cede-ground dept

The FBI, along with seemingly every law enforcement agency in the country, wants a backdoor into every new, encrypted-by-default cellphone, arguing that without this, the "bad guys" will win the "tech arms race." The DOJ cited this same "arms race" in its (losing) argument against a warrant requirement for cellphone searches. To hear law enforcement tell it, today's criminals are racing far ahead of today's under-equipped cops, who are stymied by their billions of federal drug-chasing dollars, automatic license plate readers, warrantless GPS tracking, building interior-scanning radar devices and cell tower spoofers.

Meanwhile in the UK, some criminals have discovered one way to stay a step ahead of the cops is to take a few steps backward.

A dealer in Handsworth, Birmingham—who would only give his name as "K2"—told me: "I've got three Nokia 8210 phones and have been told they can be trusted, unlike these iPhones and new phones, which the police can easily [use to] find out where you've been… Every dealer I know uses old phones, and the Nokia 8210 is the one everyone wants because of how small it is and how long the battery lasts.

Old tech beats new tech, at least in some business ventures. The 8210 has 50-150 hours of standby time and an infrared port to quickly beam data from one phone to another (handy for burners or compromised phones). But other than its connection to cell towers, the phone provides no other means of connectivity: no Bluetooth, no WiFi, no WLAN. Nothing.

And while the police should be able to easily obtain call records, cell site location data (along with intercepting signals with IMSI catchers), simply grabbing the phone from a suspected dealer will only reveal the last ten calls sent and received, along with whatever's been saved to the address book. ('K2' halves his exposure by using one for sent calls and one for received.). They're durable, cheap and unlike today's smartphones, aren't "just GPS ankle monitors that double up as pizza-ordering devices," as Vice's Mike Zacharanda puts it.

These are the phones police have been able to access for the last 15 years, but it's only in the last couple that we've been hearing sustained noise about cellphones giving criminals a head start in the tech race. But if more criminals begin moving in the other direction, how will law enforcement respond? They'll have won the arms race but will have gained no ground. They'll be back in burner territory of yesteryear -- small, disposable phones that hold very limited amounts of incriminating evidence. So, it's back to regular police work, where the seized device doesn't perform the investigation for you. Which is the way it should be, even now, when technology has expanded far beyond a game of Snake and a 5-line monochrome screen.

Filed Under: drug dealers, old tech, surveillance

RIAA To Prosecutors: Use Piracy Charges To Round Up Drug Dealers And Terrorists

from the it's-a-starter-crime dept

Back in the 1920s, the FBI was never able to get Al Capone on racketeering charges, but eventually got a conviction for tax evasion. It appears that the RIAA's message to federal prosecutors is now: think of music piracy as the new tax evasion! In a leaked "training video," put together by the RIAA for the National District Attorneys Association, RIAA representatives talk about how prosecutors can use music piracy charges to go after drug dealers and terrorists, noting that "it might allow you to have probable cause for a drug house." That's said by the RIAA's Deborah Robinson, who can barely stifle a laugh as she starts to say it. She then goes on to talk about how often they're supposedly seeing drug dealers and gun dealers selling counterfeit CDs with the drugs and guns. Oh really? Weren't we just hearing about how the counterfeit CD business was rapidly shrinking due to file sharing? There's also a great leading question from the NDAA person, asking if convicted murderers who were out on parole are "gravitating to this type of piracy." The response from the RIAA's Frank Walters: "More often than not..." It's no secret that the RIAA is eager to get federal prosecutors to take on piracy cases, but this seems a bit extreme.

Filed Under: counterfeiters, drug dealers, riaa, terrorists
Companies: riaa

Hushmail Turns Out To Not Be Quite So Hush Hush

from the privacy-is-an-illusion dept

Many people are familiar with the company Hushmail, who provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.

Filed Under: drug dealers, email, encryption, fbi, privacy
Companies: fbi, hushmail