Essay on FBI-Mandated Backdoors
Good essay by Matt Blaze and Susan Landau.
It’s both an art project and a practical clothing line.
…Harvey’s line of “Stealth Wear” clothing includes an “anti-drone hoodie” that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He’s also created a cellphone pouch made of a special “signal attenuating fabric.” The pocket blocks your phone signal so that it can’t be tracked or intercepted by devices like the covert “Stingray” tool used by law enforcement agencies like the FBI.
I’ve been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with:
The FBI obliged—apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender’s anonymous Google Mail account to others accessed from the same computers, accounts that belonged to Petraeus biographer Paula Broadwell. The bureau could then subpoena guest records from hotels, tracking the WiFi networks, and confirm that they matched Broadwell’s travel history. None of this would have required judicial approval—let alone a Fourth Amendment search warrant based on probable cause.
While we don’t know the investigators’ other methods, the FBI has an impressive arsenal of tools to track Broadwell’s digital footprints—all without a warrant. On a mere showing of “relevance,” they can obtain a court order for cell phone location records, providing a detailed history of her movements, as well as all people she called. Little wonder that law enforcement requests to cell providers have exploded—with a staggering 1.3 million demands for user data just last year, according to major carriers.
An order under this same weak standard could reveal all her e-mail correspondents and Web surfing activity. With the rapid decline of data storage costs, an ever larger treasure trove is routinely retained for ever longer time periods by phone and Internet companies.
Had the FBI chosen to pursue this investigation as a counterintelligence inquiry rather than a cyberstalking case, much of that data could have been obtained without even a subpoena. National Security Letters, secret tools for obtaining sensitive financial and telecommunications records, require only the say-so of an FBI field office chief.
And:
While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.
The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.
This is good, too.
The EFF tries to explain the relevant laws. Summary: they’re confusing, and they don’t protect us very much.
My favorite quote is from the New York Times:
Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, said the chain of unexpected disclosures was not unusual in computer-centric cases.
“It’s a particular problem with cyberinvestigations—they rapidly become open-ended because there’s such a huge quantity of information available and it’s so easily searchable,” he said, adding, “If the C.I.A. director can get caught, it’s pretty much open season on everyone else.”
And a day later:
“If the director of central intelligence isn’t able to successfully keep his emails private, what chance do I have?” said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation, a digital-liberties advocacy group.
In more words:
But there’s another, more important lesson to be gleaned from this tale of a biographer run amok. Broadwell’s debacle confirms something that some privacy experts have been warning about for years: Government surveillance of ordinary citizens is now cheaper and easier than ever before. Without needing to go before a judge, the government can gather vast amounts of information about us with minimal expenditure of manpower. We used to be able to count on a certain amount of privacy protection simply because invading our privacy was hard work. That is no longer the case. Our always-on, Internet-connected, cellphone-enabled lives are an open door to Big Brother.
Remember that this problem is bigger than Petraeus. The FBI goes after electronic records all the time:
In Google’s semi-annual transparency report released Tuesday, the company stated that it received 20,938 requests from governments around the world for its users’ private data in the first six months of 2012. Nearly 8,000 of those requests came from the U.S. government, and 7,172 of them were fulfilled to some degree, an increase of 26% from the prior six months, according to Google’s stats.
So what’s the answer? Would they have been safe if they’d used Tor or a regular old VPN? Silent Circle? Something else? This article attempts to give advice; this is the article’s most important caveat:
DON’T MESS UP: It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake—forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once—to ruin you.
“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”
In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.
Some people think that if something is difficult to do, “it has security benefits, but that’s all fake—everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”
The real answer is to rein in the FBI, of course:
If we don’t take steps to rein in the burgeoning surveillance state now, there’s no guarantee we’ll even be aware of the ways in which control is exercised through this information architecture. We will all remain exposed but the extent of our exposure, and the potential damage done to democracy, is likely to remain invisible.
“Hopefully this [case] will be a wake-up call for Congress that the Stored Communications Act is old and busted,” Mr Fakhoury says.
I don’t see any chance of that happening anytime soon.
EDITED TO ADD (12/12): E-mail security might not have mattered.
Interesting Talk of the Nation segment.
In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop.
My question isn’t about the hack, but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his laptop? And how did the FBI get their hands on this data in the first place?
For its part, the FBI denies everything:
In a statement released Tuesday afternoon, the FBI said, “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
Apple also denies giving the database to the FBI.
Okay, so where did the database come from? And are there really 12 million, or only one million?
EDITED TO ADD (9/12): A company called BlueToad is the source of the leak.
If you’ve been hacked, you’re not going to be informed:
DeHart said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit.
I’ve long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here’s an example where that didn’t work:
Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the proceeds to buy weapons and support racist extremism. The lead agent was a Vietnam veteran with a background in narcotics, using the alias Dave Rossi.
Code-named PATCON, for “Patriot-conspiracy,” the investigation would last more than two years, crossing state and organizational lines in search of intelligence on the so-called Patriot movement, the label applied to a wildly diverse collection of racist, ultra-libertarian, right-wing and/or pro-gun activists and extremists who, over the years, have found common cause in their suspicion and fear of the federal government.
The undercover agents met some of the most infamous names in the movement, but their work never led to a single arrest. When McVeigh walked through the middle of the investigation in 1993, he went unnoticed.
The whole article is worth reading.
Brian Krebs writes about smart meter hacks:
But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.
Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts that it believed were related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.
Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.
The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.
Good essay. Nothing I haven’t said before, but it’s good to hear it from someone with a widely different set of credentials than I have.
It’s a policy debate that’s been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they’re losing their ability to engage in surveillance: that it’s “going dark.” Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need to pass laws like CALEA to force these services to be made insecure, so that the government can eavesdrop.
The counter-argument is the “Golden Age of Surveillance”—that the massive increase of online data and Internet communications systems gives the government a far greater ability to eavesdrop on our lives. They can get your e-mail from Google, regardless of whether you use encryption. They can install an eavesdropping program on your computer, regardless of whether you use Skype. They can monitor your Facebook conversations, and learn things that just weren’t online a decade ago. Today we all carry devices that track our locations 24/7: our cell phones.
In this essay, CDT fellows (and law professors) challenge the “going dark” metaphor and make the case for “the golden age of surveillance.” Yes, wiretapping is harder; but so many other types of surveillance are easier.
A simple test can help the reader decide between the “going dark” and “golden age of surveillance” hypotheses. Suppose the agencies had a choice of a 1990-era package or a 2011-era package. The first package would include the wiretap authorities as they existed pre-encryption, but would lack the new techniques for location tracking, confederate identification, access to multiple databases, and data mining. The second package would match current capabilities: some encryption-related obstacles, but increased use of wiretaps, as well as the capabilities for location tracking, confederate tracking and data mining. The second package is clearly superior—the new surveillance tools assist a vast range of investigations, whereas wiretaps apply only to a small subset of key investigations. The new tools are used far more frequently and provide granular data to assist investigators.
A longer and more detailed version of the same argument can be found in “Encryption and Globalization,” forthcoming in the Columbia Science and Technology Law Review.
In a related story, there’s a relatively new WikiLeaks data dump of documents related to government surveillance products.
From a review of Susan Landau’s Surveillance or Security?:
To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build “backdoors” into their products. If Mueller’s wish were granted, the FBI would gain undetected real-time access to suspects’ Skype calls, Facebook chats, and other online communications, and in “clear text,” the industry lingo for unencrypted data. Backdoors, in other words, would make the Internet—and especially its burgeoning social media sector—“wiretappable.”
This is one of the cyber threats I talked about last week: insecurities deliberately created in some mistaken belief that they will stop crime. Once you build a backdoor into a product, you need to ensure that only the good guys use that backdoor, and only when they should. We’d all be much more secure if the backdoor didn’t exist at all.