Comments

qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq December 10, 2021 9:04 AM

quoting the article:
“Signal will provide only the date and time someone signed up for the app and when the user last logged into the app.”

Last time logged in is a very interesting piece of metadata, though.

Ted December 10, 2021 9:48 AM

@Bruce
“Lots of apps leak all sorts of metadata: iMessage and WhatsApp seem to be the worst.”

Is it that these apps leak metadata or that they are the most permissibly accessible? Doesn’t law enforcement still need a legal path to obtain information from these services?

Also, I sort of wish someone would retype up the FBI document. Was it faxed?

Aaron December 10, 2021 10:33 AM

If you want a Rolex, you buy a Rolex.

Most people know why a Rolex has such a high prowess association to its name and why so many people try to sell Rolex knockoffs. In agreeing to possess a knockoff you soon find that it can’t match the reality that was in your mind surrounding a real Rolex and you’ve only done yourself a disservice in acquiring the knockoff and pretending it was the real deal.

So why people use WhatsApp instead of Signal is understandable, as for some ignorance is their bliss, or their sense of self disservice hasn’t set in yet, or their brand loyalty to Facebook is more powerful. If the latter part of that is true then there are far larger problems at hand than acceptance of a crappy knockoff for secure messaging.

Clive Robinson December 10, 2021 10:34 AM

@ Bruce, ALL,

End-to-end encrypted message content can be available if the user uploads it to an unencrypted backup server.

I think the truth about “encryption can not be stopped” has got into certain peoples heads.

They are not going to stop fighting to force what they call “lawful access” with “for the sake of the children” and other FUD. Because they will always get some increased advantage in doing so.

However, they are moving to “spyware on the user device” where “plaintext” is available and “spyware on the cloud server”.

I fully expect these to be the “Next battle grounds for the golden key” over the next decade.

It can be fought and yes it can easily be technically beaten.

But you and I both know,

User convenience trumps all.

For just about all, most will not recognise the harm they are doing. Others will hear very little, after they hear the lock and key rattle at the start of “Special Administrative Measures”(SAM) for life or worse.

Brad December 10, 2021 12:36 PM

I believe we should assume all of our phones are compromised (either by nations or advanced cyber criminals) or can be at any moment. If this assumption is true, then we have no secret keys and there is no end to end encryption. Call me crazy/paranoid, but I’m increasingly convinced this is true.

Ted December 10, 2021 12:43 PM

@cybersmorgasbord, ALL

That’s awesome!! Thank you!

I wasn’t exactly sure how to interpret the search warrant info for Apple iMessage from the FBI’s document, particularly whether access to iMessage content was allowed.

However, the ‘reason’ article that Bruce linked to (under the word ‘elsewhere’) does a really great job of being more explicit about this.

The short answer is ‘yes’ the FBI can access iMessage content if you back it up to iCloud (although Apple had fought against this, unsuccessfully.) Andrea provides more excellent details in her article.

She also brings to light something that I hadn’t thought about, which was the date on the document – January 7, 2021. This would have been the day after the attack on the US capital.

Clive Robinson December 10, 2021 2:03 PM

@ ALL,

It should be noted that there is a bit more to this than at first it might appear.

It’s probably best for most people to “draw a diagram” to get their mind around things, but hey, as the old adage has it “A picture is worth a thousand words”, I’ll try for a few less.

Most important to understand,

1, There is a big big difference between a “system” and a “subsystem” which forms part of it.

2, Systems are made as “chains of subsystems” that for reliability and availability, NOT security can be paralleled up.

3, A system is only as strong as the weakest link in the system.

Therefore consider that a “secure messaging App” might be quite strong, but it is pointless if other links in the chain are weak or completely broken, as many are.

So you have to consider “the WHOLE system” when doing your security analysis not just one subsystem.

4, The less complex subsystems are often called “components”; in general these are not capable of being secure on their own.

5, Only by careful, considered design can components with no inherent security be made into secure subsystems and so eventually secure systems.

The “secure” design process is first and foremost a “Quality Process”; if you don’t understand QProc design then you’ve got a large mountain to climb. BUT over and above QProc design there are a whole bunch of non-intuitive design rules based on a solid understanding of the laws of physics, reasoned logic, and mathematics. Few people have the skills or experience to design secure systems without having to resort to rules of thumb to give mitigation, which then necessitates extensive testing that again few possess the knowledge and skills to do to the required level.

So be distrustful of systems designed by “one man bands” or even “teams” where the expertise can not be verified by you or others that have the required knowledge and ability to assess them. That by the way also means,

“Do not implicitly trust what I say, VERIFY what I say.”

Also do it as a “continuing process” as QProc requires for design, manufacture, operation, and EOL disposal.

As now should be clear to everyone, computer hardware can no more be trusted than software, and likewise the firmware that joins the two. Or for that matter any other part of the computing stack, from the lowly circuit trace from transistor to transistor that is part of the logic that makes up the hundreds of thousands of parts you do not see behind the “Instruction Set Architecture”(ISA) at the chip pin out.

I have no idea just how many vulnerabilities will be found this year; only a small number of them will get “official recognition” by CERT, and they will number in the tens of thousands[1]. Yes, that ages-old “eternal vigilance” quote really does have teeth, and those that ignore it will at some point get bitten.

I’m not going to go any further into the design rules other than say you need to be aware as a minimum,

A, Isolation can be a friend.
B, Efficiency is dangerous.
C, All channels are bidirectional.
D, Bandwidth should be minimal.
E, All work is inefficient.
F, All energy and matter can be modulated.
G, All modulation carries information.
H, All errors are communications.

And quite a few more besides, getting your head around them and relating them to the laws of physics takes time.

But what about a description at the system level

Put simply to communicate requires as a minimum a “Shannon Information Channel” that has a transmitter at the originating end and a receiver at the recipient end. The first party has a channel between them and the transmitter and likewise there is a channel from the receiver to the second party. Normally this pair of paths are not discussed, however in security work you have to be acutely aware they exist and have characteristics that usually makes them insecure by default (ie “plaintext”).

The channel between the transmitter and receiver has certain characteristics, such as at minimum bandwidth, loss, and noise. What is not often mentioned is that the noise can be natural (what some call QRN) or manmade (what some call QRM). The level of the signal to the total noise defines an expected error rate for the type of signal. Man made noise falls into two varieties, “consequential” and “deliberate”. We tend to call consequential noise “background” and assume in most cases it can be modeled as random or “Average Gaussian White Noise”(AGWN). Deliberate noise however is not random and can be purposeful such as “jamming” or from other channels as “cross modulation” and the like.

Which brings us to a “third party” on the channel. Jamming is used by a third party to raise the effective noise threshold such that communications between the transmitter and receiver are disrupted. Cross modulation carries information thus forms a “side channel” which a third party can use.

One example of a side channel is “timing uncertainty” or “jitter” which originates at some point in the transmission device. With poorly implemented stream cipher systems, no matter how strong the key-stream, if jitter originates in the mixer (XOR gate) then careful observation by the third party might well result in them being easily able to strip off the key-stream. Similar issues arise with block ciphers and public key ciphers as well.

But most practical communications systems have to have some kind of control system. Which requires “signalling mechanisms”. These can be “in band” or “out of band”. In band signalling reserves some of the characters for channel control, hence “Control Characters”. In times past of Full Duplex Serial communications “Ctrl-S” sent to a remote system would stop it transmitting, “Ctrl-Q” would start it again. Out of band signalling requires another communications channel; back in the days of V.24/28 signalling (RS232 signalling) there would be additional wires that were used in pairs such as CTS/RTS, DSR/DTR.

The important thing to remember is that in nearly all communications there is hidden away an implicit extra channel for handling error conditions, and the “back channel” can be used to attack a secure system in a number of ways.

In modern data communications many “logical channels” share the same “physical channel” and this represents a significant risk.

The logical channels have to be “demultiplexed” in the receiver by the “communications stack”, which is generally a function of the “Operating System”(OS). As the OS also handles the “User Interface”(UI), which for most secure messaging Apps is “plaintext”, then no matter how secure the App is, any weakness in the OS can potentially allow an attacker to completely bypass the App’s security in an “End Run Attack”. Such attacks are way way more likely than crypto attacks on the logical communications channel.

Though not directly seen on the FBI sheet, the Apple iPhone suffers from a very significant “end run attack”, which is that all the App’s files stored in “plaintext” become available whenever the user’s phone syncs to the Apple backup. This happens automatically unless the user takes care not just to ensure it is off, but stays off; it can be turned back on by an “Over The Air”(OTA) update.

But even “End to End Encryption”(E2EE) has real issues…

It is not at all secure in “group” or “broadcast” messages. Some Apps can be left in “group” mode in which case E2EE is easily broken by just adding a “ghost user”.

Worse, E2EE can be not really what you might think E2EE should be, due to “Key Management”(KeyMan) issues. Think about the who/how of not just “Key Generation”(KeyGen) but how it is distributed by “Key Communications”(KeyCom) or distribution (KeyDist). There are a whole manner of ways this can be done; many are not in reality as secure as their descriptions and “proofs” might lead you to think.

Finally consider this,

In the US the rules are in effect that “encrypted comms” once pulled from the wire can be kept indefinitely, while what appears to all intents and purposes to be “plaintext” can not, though the rules are a real mess to even understand let alone work through. In Australia and the UK there are other rules that can get you sent to jail, simply because you have no idea what the “message key” is, even if you can provide the plaintext of any requested message (from storage etc).

Currently all secure messaging Apps give away the fact they are sending encrypted messages one way or another.

So not only are you opening yourself up to having your messages held for ever, you are also “painting a target on your back” that at the very least can open you up to all sorts of legal abuse you can not defend yourself against no matter what you do.

The way things are going politically with Law Enforcement, sooner rather than later they are going to bring the hammer down on people to scare everyone else into stopping using either all encrypted messaging Apps or the ones they can not work around.

There are ways that you can communicate securely whilst sending “plaintext” such methods are “ages old” and when used correctly have saved many peoples lives.

One such was the correct use of “Duress Codes” by SOE agents during WWII. However the stupidity of the “Dutch Section” of SOE in London shows what can go horribly wrong, as it meant many individuals got captured, tortured, and killed.

[1] It was just under seventeen and a half thousand last year, and we are a thousand up on that already this year with another 6% of the year to go (holidays mean nothing to crackers). That’s going to be over 53 per day, any one of which might affect your “secure system” even if you do not realise it.
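The in-band signalling point in the comment above (Ctrl-S/Ctrl-Q flow control riding inside the data) is easy to see in code. The following is an added illustration, not code from the thread or from any product it discusses: a toy receiver that honours XON/XOFF inside the byte stream, a constructed “ciphertext” that happens to contain those bytes, and a byte-stuffing layer (the DLE escape and the `^ 0x40` mapping are this example’s own choices, borrowed from the PPP/SLIP style of framing) that keeps arbitrary binary from being mistaken for channel control.

```python
"""Software flow control (XON/XOFF) as an in-band signalling channel.

Added example: shows why opaque data (such as ciphertext) on a channel that
reserves characters for control either wedges the link or has to be escaped.
"""

XON = 0x11   # Ctrl-Q: resume transmission
XOFF = 0x13  # Ctrl-S: stop transmission
DLE = 0x10   # data-link escape used for stuffing (choice made for this example)

# Constructed sample "ciphertext": random-looking bytes that include XOFF/XON.
CIPHERTEXT = bytes([0x8A, 0x13, 0x42, 0x11, 0x7F, 0x13, 0x01])


def xonxoff_receive(stream: bytes):
    """Deliver payload bytes from a stream that carries XON/XOFF in band.

    Returns (delivered, halted). While halted the receiver discards what the
    transmitter keeps sending, so a stray 0x13 inside binary data silently
    loses everything up to the next 0x11 (or for ever, if none follows).
    """
    delivered = bytearray()
    halted = False
    for b in stream:
        if b == XOFF:
            halted = True
        elif b == XON:
            halted = False
        elif not halted:
            delivered.append(b)
    return bytes(delivered), halted


def stuff(data: bytes) -> bytes:
    """Escape DLE, XON and XOFF so the payload contains no raw control bytes.

    The escaped byte is XORed with 0x40, which moves 0x10/0x11/0x13 to
    'P'/'Q'/'S': ordinary printable bytes the receiver passes through.
    """
    out = bytearray()
    for b in data:
        if b in (DLE, XON, XOFF):
            out.append(DLE)
            out.append(b ^ 0x40)
        else:
            out.append(b)
    return bytes(out)


def unstuff(data: bytes) -> bytes:
    """Reverse stuff(); a dangling escape is an error, not something to guess."""
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == DLE:
            try:
                out.append(next(it) ^ 0x40)
            except StopIteration:
                raise ValueError("truncated escape sequence") from None
        else:
            out.append(b)
    return bytes(out)


def demo():
    """Run the constructed ciphertext through both the raw and stuffed paths."""
    raw, raw_halted = xonxoff_receive(CIPHERTEXT)
    framed, framed_halted = xonxoff_receive(stuff(CIPHERTEXT))
    return {
        "raw_delivered": raw,            # bytes lost between XOFF and XON
        "raw_left_halted": raw_halted,   # link wedged by the trailing 0x13
        "stuffed_roundtrip": unstuff(framed) == CIPHERTEXT,
        "stuffed_left_halted": framed_halted,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the raw path delivering only two of the seven bytes and leaving the link halted, while the stuffed path round-trips intact; the same escaping discipline is what separates data from control on any channel that multiplexes the two.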

ffff December 10, 2021 5:05 PM

I think the main thrust of the Rolling Stone piece is problem of corporations making semi-false statements to their customers. To be blunt, Apple and Facebook [or Meta] almost committed fraud or betrayal of their “valued privacy concerned customers.”

“…Apple and WhatsApp have built themselves into multibillion-dollar behemoths, they’ve done it while preaching the importance of privacy, especially when it comes to secure messaging… Facebook’s Mark Zuckerberg has articulated a “privacy-focused vision” built around WhatsApp, the most popular messaging service in the world. Apple CEO Tim Cook says privacy is a “basic human right” and… For journalists, activists, and government critics…political retribution…facing imminent danger…A judge later sentenced Edwards to six months in prison.” -RollingStone

In these times scamming customers is business as usual. I will say this is the same one-way mirror abuse, where citizens who are paying the salaries of FBI agents are not able to verify what government agents are actually doing; that is also SOP.

PS: Excuse all of the mistakes; I am short of time and have poor equipment. My handle is a variation of my old handle used here years ago.

Cassandra December 11, 2021 3:39 AM

@Clive Robinson

A nice succinct essay.

My experience of telling people even part of the reality you describe is a glazing over of their minds with a viewpoint of ‘that really doesn’t apply to me/affect me’, and to carry on using the oh-so-convenient Apps. Scott McNealy was prescient in saying that consumer privacy issues were a red herring, and that “You have zero privacy anyway… Get over it!”, over two decades ago. The vast majority of people are content to live in the Panopticon, so long as it doesn’t affect them personally in their day-to-day lives. Convenience surely does beat security.

Cassandra

Clive Robinson December 11, 2021 6:30 AM

@ The tech dummy, ALL,

So is the end result nothing is secure?

A reasonable question, but as a statement “false”. Which should be good news, only it is not.

As can be seen by the behind the scenes nonsense with Apple and the backups as “third party records” secured with a key they give to the FBI amongst others,

“That which could be secure is rendered insecure by the designers, quite knowingly and deliberately.”

Only they don’t talk about their “feet of clay” and their now obvious perfidy… Because of a nonsense about “legislation”…

The US after WWII “shot themselves in the foot” as to their desire to “hang’m high”. So they foolishly started the doctrine of “It is criminal to follow ‘Unlawful’ orders” where ‘unlawful’ had absolutely nothing to do with “law and legislation” but “personal conviction and morals”.

As I keep saying,

“Technical solutions, –which is what legislation is,– do not solve societal issues.”

Also you really have to think about,

“The law of unintended consequences”

The US administration clearly did not. Which is why arguably by that US doctrine, handing over people’s private correspondence is “unlawful” not just morally but ethically, thus people “Following FBI orders” to do so should be “Hung high” etc…

But is there another way?

The simple answer is “yes” as I’ve pointed out from time to time on this blog.

The big problem is actually “security end points” and the fact that the systems as they currently are allow the likes of the FBI to carry out “reach around” or “end run” attacks past the security to vulnerable “plaintext”.

So can an ordinary user do anything to stop this?

Long answer short “Yes” and easily so.

[though a user might not think so as it can be manually intensive and require concentration.]

The important point to realise is “reach”, that is just how far can the FBI or others with sociopathic tendencies push their grasping maw from the wire in secrecy; and in reality it’s the “secrecy” they most want so as to hide their shameful behaviours from society?

And the answer to “how far” is,

“Only as far as the device can sense.”

So, leave your phone in the other room, shut the door, sit down and write a letter unless they are using other technology, what you write remains unknown to them (note “write” not “type”).

If you then use a secure paper and pencil cipher you can encrypt your message securely and if you destroy the papers you wrote the “plaintext” and “enciphering” on, leaving only the final “ciphertext” then the message is secure at your end.

You can then send the “ciphertext” whichever way you want, so ordinary SMS is fine, as is eMail or broadcast via Morse Code over an HF Radio link for all the world to hear, as “agents in the field” have done for over 85 years.

So as you can see there is a solution to that individual problem.

But what about other problems?

Well as is said at the end of “The Martian”,

“At some point, everything’s gonna go south on you… everything’s going to go south and you’re going to say, this is it. This is how I end. Now you can either accept that, or you can get to work. That’s all it is. You just begin. You do the math. You solve one problem… and you solve the next one… and then the next. And If you solve enough problems, you get to come home.”

So I’ve solved problem 1 for you. I guess you are going to ask, “what other problems are there?” Well, let’s list some of them,

1, Secure Message.
2, Hide ciphertext.
3, Ensure Deniability.
4, Hide transmission.
5, Hide Reception.
6, Hide Look-up.

These I’ve worked out solutions for and in all but the case of problem “6” I’ve described solutions for them on this blog sufficient for people to implement.

But in reality, those are the easy ones to solve.

The hard ones are those to do with “Key Management”(KeyMan) and that’s a work in progress which I wish the Open Crypto Community would turn its mind towards. With the first problem being that of,

7, Establishing a root of trust.

I could carry on listing the others but I won’t because there is a salutary “life lesson” in it.

The way we currently commonly establish a “root of trust” is via PubKey Certificates in a hierarchy we call “Certificate authorities”(CA). If you look up the living history of CA security it’s a disaster like a drunk driving down hill on an icy road bouncing from crash to crash.

Why? Because of the usual human failings, impatience, laziness, etc.

So remember Apollo 13, and Gene Kranz’s sage words,

Let’s work the problem people. Let’s not make things worse by guessing.

So what do you want to work on?
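The comment above rests on a “secure paper and pencil cipher” whose ciphertext can be sent as ordinary SMS, and it lists “Ensure Deniability” among the problems to solve. As an added example (not the commenter’s own method, which the thread does not spell out), here is the classic letters-only one-time pad, the pencil-and-paper cipher with a proof of perfect secrecy, plus the function that shows why it also gives deniability: for any ciphertext and any claimed message of the same length there is a key that fits. The sample key and messages are constructed; a real pad is truly random, used once, and destroyed with the worksheet.

```python
"""One-time pad over A-Z: the pencil-and-paper cipher behind the comment above.

Added example. Encryption is letter addition mod 26, decryption is
subtraction, and key_for() recovers the pad that would decrypt a given
ciphertext to any other message of the same length.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalize(text: str) -> str:
    """Uppercase and keep letters only, as one would when working on paper."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def make_key(length: int) -> str:
    """Fresh pad from the OS CSPRNG; on paper this would be dice or a printed pad."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _check_key(key: str, needed: int) -> None:
    """A pad must be letters only and at least as long as the message.
    It must also never be reused; that rule cannot be checked in code."""
    if len(key) < needed or normalize(key) != key:
        raise ValueError("key must be A-Z only and at least as long as the message")


def encrypt(plaintext: str, key: str) -> str:
    """ciphertext[i] = (plaintext[i] + key[i]) mod 26."""
    p = normalize(plaintext)
    _check_key(key, len(p))
    return "".join(
        ALPHABET[(ALPHABET.index(a) + ALPHABET.index(k)) % 26] for a, k in zip(p, key)
    )


def decrypt(ciphertext: str, key: str) -> str:
    """plaintext[i] = (ciphertext[i] - key[i]) mod 26."""
    c = normalize(ciphertext)
    _check_key(key, len(c))
    return "".join(
        ALPHABET[(ALPHABET.index(a) - ALPHABET.index(k)) % 26] for a, k in zip(c, key)
    )


def key_for(ciphertext: str, claimed_plaintext: str) -> str:
    """The pad that decrypts ciphertext to claimed_plaintext.

    One exists for every same-length message, so the ciphertext alone
    says nothing about which message was sent (perfect secrecy) and a
    second pad can be produced for an innocuous message (deniability).
    """
    c, m = normalize(ciphertext), normalize(claimed_plaintext)
    if len(c) != len(m):
        raise ValueError("claimed message must match the ciphertext length")
    return "".join(
        ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26] for a, b in zip(c, m)
    )


def groups(ciphertext: str, size: int = 5) -> str:
    """Five-letter groups, the traditional layout for reading out or texting."""
    return " ".join(ciphertext[i:i + size] for i in range(0, len(ciphertext), size))


if __name__ == "__main__":
    # Constructed sample: the well-known textbook pad XMCKL for HELLO.
    ct = encrypt("hello", "XMCKL")
    print(groups(ct), decrypt(ct, "XMCKL"), key_for(ct, "LATER"))
```

With the constructed pad `XMCKL`, `hello` encrypts to `EQNVZ`; `key_for("EQNVZ", "LATER")` returns `TQURI`, a pad under which the very same ciphertext reads `LATER`. The ciphertext is plain letters, so it survives any channel that carries text, which is the point the comment makes about SMS, eMail and Morse.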

qrv11 December 11, 2021 6:57 AM

I am surprised you did not mention Telegram as it is the clear winner, no message content, no metadata, no login info, with a very narrow and conditional exception for terrorism

Clive Robinson December 11, 2021 7:19 AM

@ qrv11,

with a very narrow and conditional exception for terrorism

Stop sipping the “Kool-Aid”, you might find it’s been laced with poison.

Because “terrorism” is a “weasel word” just like “obscenity”; it has no accepted legal definition and thus claims of “terrorism” can mean anything or nothing. Or worse, effectively “fabricated” and designed to persecute someone, as “journalists” and “activists” are finding out.

Have a look at what France tried on with the Swiss Court system and got away with not so long ago,

https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification

Note the behaviour of the Swiss authorities, a trend that does not bode well.

Ted December 11, 2021 7:33 AM

@Clive, ALL

Re: Communications and lawful access

I know this post is specifically discussing messaging apps. However, I am a little confused as to what law enforcement has and does not have access to, legally.

The Darknet Diaries podcast on NSO briefly mentions a keylogging software deployed by the FBI that was brought to light way back in 2001.

https://en.m.wikipedia.org/wiki/Magic_Lantern_(software)

I guess it put a trojan horse on a suspect’s computer and allowed the FBI to decrypt user communications. (?)

As we talk about client-side scanning and the levels of privacy associated with messaging apps, I am just getting the feeling that law enforcement is held back very little.

I am curious what activities allow the FBI, or whoever, to gain legal access to all this information. I’d like to see the chart for this.

Ted December 11, 2021 7:43 AM

@qrv11

I am surprised you did not mention Telegram as it is the clear winner, no message content, no metadata, no login info

Bruce linked to a ‘reason’ article in his original post you might enjoy taking a look at.

From it:

“Weirdly, Rolling Stone does not mention Telegram at all, despite being the apparently most FBI-proof application all around and much more popular than Wickr, which does get a nod. The FBI document does note that Telegram may choose to divulge IP addresses and phone numbers for “confirmed terrorist investigations,” but it cites Telegram’s public policy rather than any secret backchannel.”

There are more details there on Telegram too.

Clive Robinson December 11, 2021 9:41 AM

@ Cassandra,

A nice succinct essay.

Thank you that has made me feel a little bit warmer and aglow on what is a cold, damp grey day, where even several cups of tea have failed to give a lift.

The vast majority of people are content to live in the Panopticon, so long as it doesn’t affect them personally in their day-to-day lives. Convenience surely does beat security.

The thing is most people either don’t think/care or think/care incorrectly they live in an “Ephemeral World”.

Which whilst it is partly true for the physical world, it’s certainly not for the information world.

Most have forgotten, if they ever even took it on board, that the NSA built a “time machine” in Bluffdale via “collect it all”. That allows them to go backwards and forwards in the past, doing “jigsaw searching” with “traffic analysis”, so finding all secrets and indiscretions that went into “electronic communications”.

But there is a point I make from time to time that should really really scare people, yet I think I’m the only one that mentions it publicly.

There is a distinct difference between,

1, Homes and papers.
2, Computers and E-Comms.

Law enforcement can not search your “home and papers” lawfully without “tipping you off”. Whereas they can search your “Computer and E-Comms” indefinitely and you won’t know.

This is actually a devastating advantage to them that it is very difficult for you to defend against.

It’s why they make such a lot of noise, falsely, about “going dark”. It’s very clear that “going dark” has very very little or nothing to do with their ability to prosecute a crime. But has everything to do with taking their time finding leverage and the like. As I’ve mentioned there is nothing so useful to authorities as threatening someone through their children and loved ones or even just their friends.

When you are being surveilled for years without knowing it, a lot of minor things can be built up into very long levers, and even if they don’t work against you, they will work against some of those around you, who will then turn on you as their defence…

It’s why I mention sending “plaintext” not “ciphertext” and “plausible deniability against betrayal”, along with using two computers, one which is “forever off-line” for privacy and the other a “throw away on-line” which you in effect “re-install everything” on just about every time you reset it. That is, it runs a CD/DVD ROM based OS image loaded into RAM which is cleared each time. Sadly this is getting harder and harder to do as more and more hidden Flash ROM gets put in chips for I/O and the like.

And that’s all before we start talking about the reasons to communicate with “Paper Paper NEVER Data”…

There is an old joke about paranoia, but the thing is we are moving away from “justice” via “coercion” to “show trials”. At this rate there will be a time fairly soon when “to fill quotas” machine learning will be used to trawl your past and make unfounded allegations knowing that you will not be able to defend yourself. You will then be stripped of all assets by civil forfeiture and thrown out to rot with the garbage. It will be aimed at probably the most honest of people, the middle classes that work hard for them and their families and mistakenly believe lines like,

“If you’ve done nothing wrong you have nothing to fear”.

They have done something wrong, in that they have not “rendered unto Caesar, that which Caesar wants”. So they will be stripped of their rights, then their assets, and paraded as an example to others, prior to being thrown away into some modern serfdom or limbo.

As others have pointed out “Robodebt” is just the start of things to come,

https://www.theguardian.com/australia-news/2021/jun/11/robodebt-court-approves-18bn-settlement-for-victims-of-governments-shameful-failure

JonKnowsNothing December 11, 2021 11:32 AM

@ Clive, @ Cassandra, @All

re: … there will be a time fairly soon when “to fill quotas” machine learning will be used to trawl your past and make unfounded allegations knowing that you will not be able to defend yourself. You will then be stripped of all assets by civil forfeiture

You can see this process happening today in AU, UK, USA where AI/ML Secret Sauce Formulas are used to claim Over Payment and insinuate Fraud for lawfully filed benefits given by different departments.

The process is nearly impossible to challenge; even when Court Rulings have ordered reinstatement of benefits, the AI/ML simply strips the benefits out again at a later date.

The Governments send email or text messages with quick turnaround dates to people who do not have equipment to get them, or may be in medical or care facilities; they make “Cold Calls” to persons unable to respond. Failure to respond is auto-termination of benefits; in some cases 100% of benefits are terminated, including “age pensions” that have been withdrawn from living persons.

Garnishment of income for the false restitution demands for these lawful benefits, which can be up to 100% of other benefit incomes (age pensions, tax refunds), is part of the scheme.

As most of these systems require extensive access to the person’s banking establishment and automatic statement download with data extraction, the AI can calculate the withdrawals by the “Secret Sauce” formula. Even with access to all the electronic supporting data, some departments require 30 years or more of historic documentation.

The repeating cycle is underway again, with “stealth cuts” that are not announced or explained, just hard reductions in expected benefits, reductions in required care services needed due to medical conditions, and unannounced required filings now for future benefits that will otherwise be forever forfeited.

JonKnowsNothing December 12, 2021 8:56 AM

@ Clive, @ Cassandra, @All

re: Automated Debt Demands

In the UK this year there has been a serious problem with their energy supply system. A lot of “suppliers” went out of business as the costs of energy rose beyond their balance sheets. The USA had a similar experience during the ENRON scandal that bankrupted many municipalities and some states.

This particular example of automated debt collection highlights some of the problems when claw backs are demanded and the system design is fully automated.

First on the List: The presumption that you are guilty

This concept allows any government, business entity or legal system to demand restitution without proof of wrongful acts.

A long running legal fight between the UK postal system and their local village postmasters, wrongfully accused them of fraud and bankrupted many of them because of an accounting error in the systems. Rather than fix the accounting error, the UK postal system continued to charge and obtain convictions of fraud against the village postmasters.

Only recently was it acknowledged that no fraud ever took place. The physical and emotional toll remain.

Companies sell their uncollected debt to debt collectors. An entire industry designed to make people’s lives miserable in order to enrich themselves over debts that have already been written off and received a tax reduction benefit.

It’s a double dip business.

The originating company often gets a $ for $ reduction in their taxes. They then sell the debt to a collection agency for some % of the total, sometimes .01 per $100. The collection agency then attempts to collect the full face value of the debt or may offer some discount which in this case is 75% of the face value of the debt: $25.

The debt has already been cleared but the collection agency demands an extra $25 as a form of “blackmail-coercion” to not place a negative note on your credit history-credit rating.

So the UK energy companies sold on their uncollected debts, it passed through a few agencies and ended up at a law firm. The basic information purchased was dates of service, amount, account number, address of service. This basic information was then matched against an unknown database that assigned names and current details to the written-off-claims list.

Mass Emailing and Demand Letters were sent out based on the Cross Referenced Merge.

Nothing too unusual except: a good number of these were sent to people who no longer lived at the address, had not lived there for a number of years, had no account with the referenced-bill or the account was not their current account. These people had no debts to settle but received demand letters and the threats anyway.

Being that the system presumes you are guilty, it falls to these people to attempt to rectify and notify the collection agency that they do not owe any debts. They also have to “prove” they do not owe the money.

  • How can you prove that you never lived at XYZ Address?
  • How can you prove you paid your bills in full 5+ years ago?
  • How can you prove that you never had an account?
  • How can you prove that account referenced is not yours?

It’s hardly surprising that some people are Not Amused.

The collection agency response:

  “We are proactively working with them to reach amicable solutions.”

The onus is still on the persons getting the letter to do the contact. A forced Opt-In like answering spam-calls or spam-text.

===

https://www.theguardian.com/money/2021/dec/12/law-firm-for-debt-company-pursues-customers-for-eon-bills-on-homes-they-werent-living-in

https://en.wikipedia.org/wiki/Enron_scandal

john doe December 12, 2021 9:04 AM

Civil Asset Forfeiture – Government steals all your shit
Cell Phones – Government steals all your shit

Clive Robinson December 12, 2021 2:45 PM

@ JonKnowsNothing, Cassandra, All,

This particular example of automated debt collection highlights some of the problems when claw backs are demanded and the system design is fully automated.

It’s also illegal in the UK…

The most interesting thing was several years ago British Gas continuously harassed a woman for a gas service she did not have, and it had been proved the property was not connected to a gas supply.

But as the gag line in the SitCom “Little Britain” had it,

“The computer says…”

Well the lady despite many very dirty tricks by British Gas Senior Managers and Directors and their Barristers got the case up to the most senior of Law Lords…

And they were not impressed in the slightest; not only did they praise the lady for bringing it to the court despite what British Gas had done, they made it quite clear with simple logic that British Gas’ defence of “computer error” was unacceptable.

In short,

1, British Gas Directors are responsible for all that British Gas does under law.
2, This includes all humans and work of humans in their direct or otherwise employ.
3, As programmers who were human employees of British Gas wrote the code that caused the alleged errors, then it was a failing of management.
4, The number of times the failing had been brought to steadily more senior managers meant that the failings could only have happened by failings at the Director level.

They then handed British Gas their ass in a bucket and told them they would be paying for all the court costs…

Therefore, if an “entity” that has “human agency” is notified of an error, they have a legal duty of care to ensure that what they think are facts actually are. If they fail to do so, then under the Harassment Act the second demand makes them open to being sued, the third makes them liable to criminal prosecution as individuals.

But E.On need to be very very careful. The chances are good that if investigated it will be found that it was they that put details in those credit databases… Therefore they do not dispose of the liability on selling off a debt.

But then there is the question of “fraud”. If they claim the money against tax and sell it on, that is liable to be “defrauding Her Majesty’s Inspector of Taxes and Revenue” and committing direct fraud, as a debt that has been paid in whatever way no longer exists, so to sell it on is by definition fraud.

But those debt chasers work a numbers game, which is why they pay so little for even a valid debt, because they know that only a few will ever get paid.

The big mistake people make is panicking and responding to the debt agency. They do not have a contract in any way with them, so should not respond lest they form one…

As for that alleged law firm, their employees doing this actual work are probably not legally qualified, and even if they were they are beyond skating on thin ice; all they are relying on is that nobody has gone to court yet to kick the bottom out of this house of cards.

But one interesting point: the UK was part of the EU at the time when the GDPR came into force… If it can be shown, and it probably can, that the incorrect data was in a “database” and being used… Then there is no reason why the GDPR rules can not be enforced against these organisations to make them clean their act up, and E.On are very definitely on the hook for that…

vas pup December 15, 2021 4:12 PM

Online Safety Bill: New offences and tighter rules

https://www.bbc.com/news/technology-59638569

“New criminal offences and major changes have been proposed in the UK’s landmark Online Safety Bill, which seeks to regulate social media and tech giants.

A new parliamentary report calls for adding scams and offences, like sending unwanted sexual images and promoting violence against women and girls.

Among the many recommendations made over its 191 pages are:

An explicit duty for all pornography sites to make sure children cannot access them
Scams and fraud - such as fake adverts designed to trick users - should be covered
The bill should cover not just content, but "the potential harmful impact of algorithms"
It should also be expanded to cover paid-for advertising, such as those involving scams.

The draft bill and this report both lay out exemptions for journalism, public interest, and free speech.

But think tank the Adam Smith Institute (ASI) said the report “fails to alleviate the gigantic threats posed by the draft Online Safety Bill to freedom of speech, privacy and innovation”.

Clive Robinson December 15, 2021 8:38 PM

@ vas pup,

and promoting violence against women and girls.

I really object to that.

Why should it just be for “women and girls” it should be fully inclusive of all ages and genders, or not at all.

That sort of “in built” bias is dangerous because it takes the question off of the crime and onto the victim.

That is, people do not ask “is it violence?”; instead they ask “is the target legally a victim?”…

So beating up on an old man is legally OK, but an old woman is not… Does that make sense in any normal society?

Ted December 15, 2021 10:25 PM

@vas pup, Clive, All

So beating up on an old man is legally OK, but an old woman is not…

No wonder women tend to live longer. This is not right.

Winter December 16, 2021 2:12 AM

@vas pup,
“> and promoting violence against women and girls.
I really object to that.”

I have yet to see a voice promoting “violence against men and boys”. So, in the line of not burdening the legal system with laws that have no use, and could be abused, I could see why laws might be limited to situations that actually occur. There currently are women attacked and killed by men who engage in online forums that do promote violence against women. Women who are active online are threatened regularly, and much more frequently than men.

It is not that those voices that “promote violence against women and girls” will switch to promoting “violence against men and boys” if the former was made illegal.

That said, I would advise everyone to first look at the actual text of the law before complaining it does not protect the reader from a non-existing danger. It is very well possible that the actual text will include all voices that promote violence, and all hate speech, even that from hypothetical women who might promote violence against elderly men.

Randy December 22, 2021 6:03 PM

So this is the document outlining what can legally be collected. That is, in accordance with the laws that have been passed, this data can be used in a regular court case without risk of … consequences.

The other document that outlines all the stuff that can actually be collected is still in a drawer somewhere.

Clive Robinson December 22, 2021 8:03 PM

@ Randy,

The other document that outlines all the stuff that can actually be collected is still in a drawer somewhere.

Err no.

The law as defined by various court cases is ill defined.

So the thinking is,

1, Collect everything.
2, Store it.
3, Sort it electronically.

No laws have been broken at this point because human eyes “Have not seen/read it”.

So the trick is to keep “humans out”, and why Intelligence agencies and more recently Law Enforcement agencies have taken such an interest in machine learning…

Look at it this way: your phone has a camera in it. From searched meta-data it can be found that your phone was in the area. And from other searched meta-data that you took photos. Again with other searched meta-data, which direction the camera was pointing. Then with facial recognition, if certain persons were in that photo…

All of that can be done without a human “looking” at your photograph.

Now the computer can tell me this without any laws in the US being broken and with a little “grey area” shuffling it becomes “probable cause” for a warrant to search your phone.

Which begs the question “What shuffling?” Well, I know from the phone’s location records where you were probably standing to within a few feet. So I go there and I look for CCTV systems. Technically any recordings made do not need a search warrant to access any longer if they can be made to look like “Third Party Records”, which are not protected.

I get an image of you holding your phone in your hand; that is now probable cause to pull you in for questioning and twist your arm. If you don’t play nicely then I can go get a warrant with that image of you holding your phone. And even if you have deleted the images, claim they were still on the phone, even if they were originally searched in your “cloud account” etc.

Just accept the fact that anything in digital form is going to be “legal”, as those on the Dec 37 walk around the US Capitol are finding out. Especially as it looks increasingly like some were FBI “agent provocateurs” etc.

Actually things might backfire on the FBI, by the fact that so much information is in the public domain: the “agent provocateurs” etc. are becoming identified by members of the public, who have identified them as being “involved” by their actions yet not pulled in by the FBI as others have been… Even if the FBI belatedly pull them in, they are now being “watched”, so unless they get prosecuted, found guilty and do the same sort of time, people in the public will trade information on them, so they will remain “marked men”…

As the IC and LE agencies are finding out to their consternation, OSINT from technology advances not just rivals them but can be more effective against them than they realised it could be.

As I’ve indicated in the past technology is a double edged sword and any advantage it gives to one side is at best temporary as it quickly becomes available to both sides.

Technology does what it does under a Directing Mind; whether that is “good or bad” is not a technical but a social issue.

But also “humans evolve rapidly to threats”, so any technology used against segments of society fairly quickly becomes useless. It’s something I pointed out on this blog a very long time ago about CCTV. At first it works for a short time against career-criminals, and then after at most a few months it stops working against them, and so only catches the inexperienced and idiots. To career-criminals CCTV is a “threat” and they simply “out evolved” it in various ways, especially the young ones involved with gangs.

It’s what has amused me about crypto-coins: it worked the other way around. The IC and LE agencies see it as a major threat and they are evolving fairly quickly to deal with it. So they have become a threat to the cyber-criminals, who will now find a way to out evolve the IC and LE attempts at control.

What the IC can do but the LE can not do is “hide the technology”. The IC is not required to reveal their “methods and sources” because their “product” is not for courts. LE “product” is for courts, thus legally they are required to “disclose to the defence”, who can then make it public knowledge in one way or another. It’s why there is the issue of “Parallel Construction”, where a method or source is kept hidden by inventing another way by which the evidence appears to have been obtained… Unfortunately for LE, “signals average out of the noise”; that is, eventually the true source or method becomes known. It’s known as “Jigsaw Identification”: with enough pieces you can “build a picture”. Whilst the IC can hide their pieces, LE can not; they can only disguise them at best, and if they get caught doing it, people get “Get out of jail free” cards and even a large sum from “the community chest”.

How long this technology dance can go on is one that follows the law of “diminishing returns”; that is, you get less and less benefit for each amount of money. As this is a percentage game it follows an exponential curve. However the cost of technology up to a point follows the inverse exponential curve, so you end up with an approximately straight line that has a gradient. That gradient tells you a couple of things.

1, How much you have to spend for an advantage.
2, How long each unit of spending gets you a given advantage.

It’s therefore of interest what the pace of “innovation” is. With technology we talk of on average “doubling every 18 months”. Based on the 2/3rds rule that means the average advantage time is just a year…
