DEA Sets Up Fake Facebook Page in Woman's Name

This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use them to set up a fake Facebook page in her name.

The woman sued the government over this. Extra creepy was the government's defense in court: "Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic]."

The article was edited to say: "Update: Facebook has removed the page and the Justice Department said it is reviewing the incident." So maybe this is just an overzealous agent and not official DEA policy.

But as Marcy Wheeler said, this is a good reason to encrypt your cell phone.

Posted on October 15, 2014 at 7:06 AM • 17 Comments

Comments

Khavren • October 15, 2014 8:28 AM

I have to wonder, if she had refused permission, would she have been threatened with interfering with a criminal investigation? How far does that logic go; we've gone past 'The innocent have nothing to hide' to 'It's a crime not to actively support the State'

x0017A • October 15, 2014 9:06 AM

In addition to the general creepiness and bizarre implied compliance here, doesn't this woman (and potentially, if they were taken by someone else, whoever took them) have a copyright image in these photos? Even if she's implicitly complying with the investigation by allowing access to her phone, I don't think you can imply an implicit publication right to all her photos, particularly ones of her, which were probably taken by someone else and thus the copyright is likely owned by an uninvolved third party.

CallMeLateForSupper • October 15, 2014 9:18 AM

Special Agent Timothy Sinnigen could have used photos of some of his relatives, e.g. his own wife and children, instead of an unwitting citizen's. But he never would, because he cares about his family. What does this say about how he regards those unwitting citizens? At the very least, Special Agent Sinnigen needs a head slap, a leave of absence w/o pay, and a ton of retraining.

Snarki, child of Loki • October 15, 2014 10:33 AM

I have no doubt that the DEA (with the willing assistance of judges and DoJ) will use all kinds of legal contortions to avoid any accountability for their actions.

But perhaps Anonymous can get the DEA jerks linked into a kiddie-pr0n ring; one can but hope.

paul • October 15, 2014 10:52 AM

Ultimately this seems like the kind of thing that will cost law enforcement more than it ever might have gained. Every time officers use consent (especially "implied consent") to overreach, they make it clearer that explicit nonconsent is probably a safer path. Sure, there are immediate repercussions, but if consent doesn't get you out of those repercussions then the calculus changes.

What's really creepy to me is that there's a judge who bought this.

Chelloveck • October 15, 2014 11:26 AM

"But as Marcy Wheeler said, this is a good reason to encrypt your cell phone."

Except that in this case, she had consented to letting them look at the phone's contents. Presumably had the phone been encrypted she would have also provided the key. It may be a good reason not to cooperate with law enforcement, but that's a separate issue.

Herman • October 15, 2014 11:45 AM

I don't have a Facebook account, since I always considered it a security risk. Now I think I need to reconsider and create an account with nothing in it, as a place holder, to prevent others from impersonating me.

bob • October 15, 2014 12:01 PM

@Herman How would that work? Someone creates an account in the same name and fakes a bunch of details. Random person comes along and compares your empty account to the account full of faked details. Which one do you think he would trust?

LessThanObvious • October 15, 2014 12:28 PM

I hope her case wins in court. This is clearly an abuse of power. Implied consent works for opening a package and installing software even if you don't read the EULA first. In a case like this where they are using her identity and possibly putting her or her family in danger I'd say that would require not just "implied consent", but "informed consent". Since no actions on the part of government seem to carry any real consequence it doesn't come as much of a surprise that we have this "We're the government, we can do whatever we want" attitude.

SoWhatDidYouExpect • October 15, 2014 5:58 PM

Not the 1st time, won't be the last.

Along with the rest of the unconstitutional & criminal behavior, it is likely normal operating procedure within the spook agencies. They didn't get where they are, such that some people in their ranks have become whistleblowers, without building a long history of such behavior, getting worse as time goes by.

Thoth • October 17, 2014 12:00 PM

This is one of two very important reasons for the advocacy of people to kick the addiction of social networks that compromise privacy (basically give up all the Facebook and Twitter thingy). And that other important reason I personally advocate strongly to friends, relatives, strangers, colleagues and everyone near me to always secure themselves is not just for selfish personal security, but for security for everyone on a larger picture in terms of not making oneself a "stepping stone" that would allow attackers and aggressors to make use of you to "harm" others.

Tarzan • October 17, 2014 12:22 PM

Hurry, get a Facebook account!! And make sure that all your friends have one and that their accounts are connected to yours!!

Claim your identity now!!

...Otherwise you risk to be impersonated...

(Not to mention that this kind of fear induced behaviour would highly please both Facebook and NSA, among other directorates)

Andrew_K • October 20, 2014 2:42 AM

(Post originally written on Oct, 16th)
It's not as if it is a completely new thing that agencies are using real existing persons as covers. Secretly. And probably (I cross fingers and toes on this one) keeping on the radar which danger this poses to the affected identity owner (and which danger his actions pose to the agent currently using his name). That's not fine, but common practice.

But this case, it is just unprofessional and dumb -- probably both unnecessary.

If this would be informed consent -- what else would be allowed? What shall I explicitly deny next time I get into a stop-and-search and which charges will be caused by me not willingly handing my identity as a cover?

I see it coming. They take my wallet to check my license and when they hand it back, $50 are missing, because the cops haven't had their morning donuts (which is important to them being able to do police work).

Thoth • October 20, 2014 4:02 AM

This is one reason to step away from social media that leaks all over the place and make sure people know that it is not your norm to do so (inform friends and family you don't do Facebook and Twitter so they would not expect you to do so).

The second part on phone crypto is very true but in the face of Law Enforcement subversions, it will be useful but not foolproof. Almost all phones are known to be broken (TLA friendly) regardless if Apple or Google are going to enable device wide encryption or not. If the OS is not breakable, break the chips or break the person....

A lot of us on the comments forum (including myself) have advocated using open source hardware and software with high assurance measures.

In the context of Law Enforcement taking the extra-judicial steps to corrupt the trust in a willing and unsuspecting victim of their illegal and also highly unconstitutional dragnet style raids, device encryption will only do half the job right (what if the incident happens in a country that requires handing over self-incriminating keys and passwords) then this is where a few protection services can be invoked:

- Emergency Self-Destruct (probably leads to more torture)
- Fake Profiles (can be easily checked by experts)
- CALEA friendly access with robust mechanism to announce and prove CALEA is done without abuse or illegal means (LEA/LEO/TLA can subvert CALEA access to their own needs to lie since they already lied to their Auditing Departments of their activities).

What does this leave us with if almost all the ideas run dry ?

- Encrypt your stuff and put it not on your mobile smartphones in a secure location.
- Warrant and tamper canary.
- Tamper-evident modules.

The first point is quite intuitive. If it is not there, they are not getting it that easily. The second point and third point are very critical. If someone accesses your device, it needs to reflect tampering and send out a covert warning.

Coming one big round, we are unlikely to be prepared in crypto protected devices (most devices are badly protected by any good crypto at all), most devices are tamper inviting, most of us do not have warrant canaries ... the list can go on.

We are simply not prepared to protect ourselves and our identities.

Martin • October 20, 2014 12:21 PM

This incident adds credibility to not having or using a smart phone. I have an inexpensive (

Andrew_K • October 21, 2014 5:56 AM

Thoth:
Warning canaries are great, but only in a suitable environment. I established an "everything fine"-canary with several persons in my social environment. At least I thought so until I tested it. Unfortunately, no one noticed. In a safe and secure environment I asked them individually whether they noticed something. No one remembered the canary. That was a quite frustrating day.
The huge drawback of not being part of a spy ring or a paranoid social environment. And this is the very danger of subtle canaries.

I am still quite puzzled what to do next.

Silent Underground • October 21, 2014 3:53 PM

Doppelgangers.

I think that their problems probably reflect some of the problems (challenges) human intel & law enforcement agencies have had to create background legends and maintain cover stories...

How do you backtrack a social media legend realistically.

How do you maintain a social media cover story on a daily basis, realistically. When your agent is not that person and may have multiple personas?

You have to deal with all those friends, family, and everyone else.

Someone might say, "Just have the drifter personas", no social media, all high school, family contacts dead.... maybe one or two people waiting by a "phone"?

Mmm, but -- if you *could* do these things, you could also 100% verify the authenticity of that legend even against the most paranoid of gov agencies.....
