Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals.
An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, "it is impossible to intercept iMessages between two Apple devices" even with a court order approved by a federal judge.
CNET posted an image of the letter:
In reading over this, however, a number of people quickly called bullshit. While Apple boasts of "end-to-end encryption" it's pretty clear that Apple itself holds the key -- because if you boot up a brand new iOS device, you automatically get access to your old messages. That means that (a) Apple is storing those messages in the cloud and (b) it can decrypt them if it needs to. As Julian Sanchez discusses in trying to get to the bottom of this, the memo really only suggests that law enforcement can't get those messages by going to the mobile operators. It says nothing about the ability to get those same messages by going to Apple directly. And, in fact, in many ways iMessages may be even more prone to surveillance, since SMS messages are only stored on mobile operators' servers for a brief time, whereas iMessages appear to be stored by Apple indefinitely.
That leads Sanchez to wonder if there might be some sort of ulterior motive behind the "leaking" of this document, done in a way to falsely imply that iMessages are actually impervious to government snooping. He comes up with two plausible theories: (1) that this is part of the feds' longstanding effort to convince lawmakers to make it mandatory that all communications systems have backdoors for wiretapping and (2) that it's an attempt to convince criminals that iMessages are safe, so they start using them falsely believing their messages are protected.
Which brings us to the question of why, exactly, this sensitive law enforcement document leaked to a news outlet in the first place. It would be very strange, after all, for a cop to deliberately pass along information that could help drug dealers shield their communications from police. One reason might be to create support for the Justice Department’s longstanding campaign for legislation to require Internet providers to create backdoors ensuring police can read encrypted communications—even though in this case, the backdoor would appear to already exist.
The CNET article itself discusses this so-called “Going Dark” initiative. But another possible motive is to spread the very false impression that the article creates: That iMessages are somehow more difficult, if not impossible, for law enforcement to intercept. Criminals might then switch to using the iMessage service, which is no more immune to interception in reality, and actually provides police with far more useful data than traditional text messages can. If that’s what happened here, you have to admire the leaker’s ingenuity—but I’m inclined to think people are entitled to accurate information about the real level of security their communications enjoy.
While both scenarios are plausible, both seem fairly cynical as well. I'd like to think that law enforcement is above attempting such tricks, but unfortunately that might just be naive these days.
from the you-can-only-take-my-information-for-so-long,-until-you-take-it-all dept
Just in case you had slipped into some sort of uneasy comfort thinking maybe, JUST MAYBE, the government had already gathered as much personal information as it "needed" (all without warrants), along comes the news that another agency is looking to get just a little more.
Records of the prescription medications we take can reveal some of the most private and sensitive information about us. Knowing that a person self-administers prescription testosterone injections can reveal that he is a transgender man undergoing hormone replacement therapy. Knowing that someone takes Xanax, Valium, or other anti-anxiety medications can reveal a diagnosis of mental illness. If a person is on Marinol, a medication containing synthetic THC, she is likely fighting weight loss associated with AIDS. A prescription for a narcotic painkiller such as codeine or oxycodone might indicate a chronic or terminal illness. Ritalin and Adderall are associated with treatment of Attention Deficit Hyperactivity Disorder.
The state of Oregon tracks prescriptions like these for several good reasons: to prevent drug overdoses and cut down on substance abuse. While it would seem the DEA should be able to access the records carte blanche because of the latter concern, Oregon has made the right move and added a warrant requirement in order to protect patients' information. The DEA, like many other government agencies (*coughFBI*), has been using administrative subpoenas to circumvent this requirement.
Fortunately, the state of Oregon is fighting back, with some help from the ACLU.
The State of Oregon sued the DEA in federal court to defend its right to require law enforcement, including federal agencies, to obtain the warrants required by state law. Today, the ACLU filed a motion to intervene in the case on behalf of several patients and a doctor whose prescription records are contained in the PDMP. Our clients are concerned that the privacy of their medical information will be violated if the DEA is allowed to search through prescription records without a warrant. If the DEA can demonstrate to a judge that it has probable cause to believe that a crime has been committed and that prescription records will provide evidence of that crime, then it can legitimately obtain records from the PDMP. Because prescription records and the medical information they reveal are such a sensitive matter, protecting their privacy is vital, and we argue that obtaining private and confidential prescription records without a warrant constitutes an unreasonable search in violation of the Fourth Amendment.
The ACLU points out that the "third-party doctrine" is being used to portray information provided to a doctor or pharmacist as exempt from warrant requirements. Courts have shown in the past that information turned over to a third party is no longer protected by the "reasonable expectation of privacy." This is a false equation, the ACLU states:
We disagree with this principle—but even on its own terms, the third party doctrine should not apply here. Medical records are different than the trash we put out on the curb, or the canceled checks we provide to our bank, or the electrical usage records we transmit to the power company. The information we share with our doctors and pharmacists can be some of our most private information. Just because we trust our doctors with our medical information doesn’t mean the DEA should be able to easily access it too.
Barbara Alice Mahaffey died of colon cancer in her bedroom last May. [Vernal, UT resident] Ben D. Mahaffey, 80, said he was distraught and trying to make sure his wife's body would be taken to the funeral home with dignity, when he says officers insisted he help them look for the drugs.
"I was holding her hand saying goodbye when all the intrusion happened," he told the Deseret News.
Barbara Mahaffey died at 12:35 a.m. with Mahaffey, a Navy medic in the Korean War, and his friend, an EMT, at her side. In addition to police, a mortician and a hospice worker arrived at the home about 12:45 a.m., Mahaffey said. He said he doesn't know how police came to be there.
Mahaffey said he was treated as if he were going to sell the painkillers, which included OxyContin, oxycodone and morphine, on the street.
Yep. If your loved ones use certain painkillers, you can expect to be raided at any time, especially if they've just passed on, leaving behind a treasure trove of highly marketable controlled substances. But don't worry, Vernal City Manager Ken Bassett would expect nothing less than a raid by Vernal's finest during the final moments of his loved ones' lives:
In his suit, Mahaffey alleges that Vernal City Manager Ken Bassett told Mahaffey he was being "'overly sensitive' and that police were just trying to protect the public from illegal use of prescription drugs." The suit also alleges that Bassett then told Mahaffey "his own parents had recently died and he wouldn't have cared had police searched their house for drugs."
Also noted: this is "common practice" for Vernal police, although it's often "selectively applied." Yay! A badly written law, randomly enforced and noxious from any angle, the latter of which perfectly describes the DEA's attempt to circumvent patient privacy by exploiting a few loopholes.
Catching up on some older stories, Aaron DeOliveira points us to the bizarre news that the DEA sought (and got) dismissal of a case against someone involved in an online pharmacy prescription drug scam (basically prescribing the drugs without ever seeing the patients) because the DEA was sick of storing all of the evidence, both electronic and paper. How much evidence?
More than 400,000 documents and two terabytes of electronic data that federal authorities say is expensive to maintain....
[....] "Continued storage of these materials is difficult and expensive," wrote Stephanie Rose, the U.S. attorney for northern Iowa. She called the task "an economic and practical hardship" for the Drug Enforcement Administration....
[....] The evidence took up 5 percent of the DEA's worldwide electronic storage. Agents had also kept several hundred boxes of paper containing 440,000 documents, plus dozens of computers, servers and other bulky items.
Two terabytes is enough to store the text of 2 million novels, or roughly 625,000 copies of "War and Peace."
None of this makes much sense. You can pick up a two-terabyte drive for a little over $100 (I was just looking to pick up a couple for a backup system). The fact that it can store 2 million novels is meaningless. The idea that it's expensive to store that much seems silly -- as does the claim that 2 terabytes represents 5% of the DEA's "worldwide electronic storage." I recognize that government procurement is a ridiculous process, but if there's any truth to this, then the DEA is even more dysfunctional than originally believed.
As Scott Greenfield noted in the link above:
The revelations from this motion, if true, are amazing and appalling. Given the scope of electronic data involved in investigations, the claim that two terabytes constitutes five percent of the DEA's storage capacity is laughable. It suggests that they're screwing with us, and have no ability to do 90% of the things they claim or we fear they're up to.
Indeed, while we worry about their creating mirror images of hard drives of thousands of computers, or obtaining digital evidence from hundreds of thousands of cellphones, this isn't conceivably possible if the total storage capacity of the DEA is 40 terabytes. It just can't be.
FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.
The issue has more to do with record-keeping than technology. As Declan McCullagh explains at the link above:
ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 22.214.171.124, you can see that it's registered to CNET's publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it's been handing out IPv4 addresses blocks every few months, it currently enjoys enough leverage to insist on it.
But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies -- presumably armed with court orders -- longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider's customer.
Of course, some might see that as a feature, not a bug. Either way, I would imagine that most service providers will bend over backwards to make sure that law enforcement can, in fact, track people down if necessary. Too many service providers fold when the feds come knocking seeking information on people already. As long as this is presented as a way to protect children or stop terrorists or whatever the favorite of the day is, it seems likely that ISPs will get things in order themselves.
Glyn Moody points us to some research coming out of the University of Leicester which suggests that highly restrictive copyright laws and enforcement regimes actually serve to harm creative output and the creative industries. This is a point that we've discussed in the past, so it's nice to see more research being done in this area. Basically, what the research is finding is that these legislative efforts are serving to limit the technologies that are used to create new works today.
Of particular concern is that it will "stifle the creative opportunities for youngsters with tough regulation on digital media restricting young peoples’ ability to transform copyrighted material for their own personal and, more importantly, educational uses." Now, I can already hear the copyright system defenders claiming that transforming copyright materials for their own uses is not a "creative opportunity," but that's wrong. The way young people learn to create is initially through emulation. You learn to draw what you see. You learn to play the music that others wrote. And as you start to play around, you transform it in your own way. That's the very basis of young creative expression.
The issue is that new digital technologies allow for a modern version of that in things like digital mashups and remixes. People who don't recognize that these are the modern day equivalents to creating new artworks by attempting to copy what others have done will scoff, but they are mostly demonstrating the myopic view that modern technology used for creativity and creative learning simply "isn't like it used to be." Creativity comes in all forms, and what young people learn today through transforming the creative works of others is what will lead to the great artwork and creative output of tomorrow... if the legacy industries and our politicians don't stamp out such creative opportunities.