Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers

from the but-we-maintain-strict-control-of-the-cables! dept

The FBI’s Inspector General has released a report on the New Jersey FBI branch’s Computer Forensics Laboratory. For the most part, the report is positive and shows this branch tends to handle its forensics work competently. The problem comes when it opens up its tools up to local law enforcement.

The FBI lab has a phone/media forensics kiosk located in the lobby of its building.

The Cell Phone Investigative Kiosk (Kiosk) allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put the data into a report, and copy the report to an electronic storage device such as a compact disk.8 In addition to the Kiosk, there is also a Loose Media Kiosk, which processes digital evidence stored on loose media, such as a DVD or memory card.

Because it’s outside of the actual lab, the FBI apparently feels it’s ok if it doesn’t track who’s using the kiosk.

To use the Kiosk, law enforcement personnel are required to schedule an appointment. However, the NJRCFL does not require Kiosk users to sign its Visitors Log since users do not go beyond the reception area or enter the NJRCFL’s laboratory space.

That leads to this sort of thing.

According to the Director, sometimes one investigator will schedule a Kiosk appointment and another investigator will show up in his or her place, or more than one investigator may accompany the scheduled investigator to use the Kiosk. According to the Director, NJRCFL personnel assume that all of the personnel who arrive for a scheduled appointment are part of the same case. However, he said that the NJRCFL does not verify that everyone arriving for a scheduled appointment is working on the same investigative matter.

This is a problem because there are rules in place for use of the forensics kiosk, which include law enforcement officers having the proper authority to perform the search, the training to do so and the permission of the local AUSA (Assistant US Attorney). The FBI’s decision to skip this verification step by not requiring signatures on the visitor’s log means anyone could show up and use the kiosk without having secured the permission to do so.

The FBI does have this control in place, which couldn’t possibly be circumvented.

While the Kiosk is housed in the reception area, the cables necessary to connect the Kiosk to a cell phone are not stored with the Kiosk. Instead, the NJRCFL examiner responsible for supervising the Kiosk provides the cables to a visiting user. Without the cables, cell phones cannot be connected to the Kiosk, ensuring that the examiner on duty would have to know that a person was attempting to use the Kiosk because the examiner would have to supply the appropriate cable.

These “cables” sound a lot like your standard USB cables. There may be a proprietary connection on the FBI kiosk which prevents the use of off-the-shelf cables, but it’s not as though no one in law enforcement could secure this sort of cable through other means. Even if these are cables that are only found at FBI offices, there’s nothing stopping law enforcement officers from searching removable media without checking in with the reception desk first.

On top of that, there’s nothing preventing law enforcement officers from asking for a cable and then performing illegal searches or using the forensics software for non-law enforcement reasons.

As a result of the procedures and practices described above, we found that the NJRCFL did not have adequate controls over the access to and use of its Kiosk. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, neither the FBI nor the NJRCFL provided any confirmation to show that NJRCFL Kiosk users possessed the proper legal authority to search for evidence on the devices examined. In addition, the FBI did not provide us with any information regarding controls in place at the NJRCFL to ensure that users do not use the Kiosk for nonlaw enforcement matters, an inherent risk of Kiosks without adequate controls.

While the form officers are required to fill out to use the kiosk contain statements about having the legal authority to perform the search, the documents do not ask for any specifics about these authorities. It’s just boilerplate text that anyone can sign, knowing that the lack of a visitor’s log means no one can cross-reference possibly bogus affirmations with kiosk use.

This same problem is likely found at most other FBI offices with forensics kiosks. The report notes the same issues were discovered during its audit of the Philadelphia field office. The form — and the “best practices” — provide only the most minimal of safeguards against abuse. And the fact that the changes made in Philadelphia in response to the OIG’s investigation never trickled down to the New Jersey office suggests this problem will be corrected on a case-by-case basis following an Inspector General’s audit, rather than adopted across all offices.

A new form has been put into use — at least at the New Jersey office — that will capture more information about the legal authorities used to perform kiosk searches. However, there’s nothing in the report that indicates this office — or any others — have stepped up to require kiosk users to sign a visitor’s log. In addition, more than a quarter of kiosk users reported they did not have the training in place to use the equipment, yet are accessing it anyway. Until more improvements are put in place, FBI offices can’t say they’re doing everything they can to ensure lawful use of its forensic equipment.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers”

Subscribe: RSS Leave a comment
DannyB (profile) says:

Re: Re:

It is only an assumption, an IF, on TechDirt’s part.

There MAY be a proprietary connection on the FBI kiosk…

It is unknown whether proprietary cables are needed.

Given that the FBI would want to promote abuse of these kiosks, why should they require anything other than standard off the shelf cables. And yes, it is correct to assume that they deliberately intend to promote abuse. Otherwise why go to all the trouble to put these into kiosks that anyone can access with no controls other than a mere token that allows them to claim that usage is controlled by an appointment, a form and required cables.

If the cables requirement is so easy to work around, how difficult is it to work around the appointment requirement and the signature requirement.

DannyB (profile) says:

Re: Re:

Maybe FBI should offer an inducement for everyone entering the mall to plug their phone into a kiosk each time they visit the mall.

NEW!! FIB Hack-A-Fone Kiosk!
Chance to win up to $1000 each time you visit the mall!

That would save law enforcement from having to round up every US citizen to ‘inspect’ their phones. And after all, this is about pirac… er, I meant to say, about terrorism.

And just like any offer to win up to $1000, you only have to pay it once. And the meaning of ‘up to’ is not well defined. And you can pay it to any of your cronies or hired goons.

Anonymous Coward says:

UPCOMING: House E&C Oversight hearing April 19

Yesterday, the United States House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, announced an upcoming hearing, scheduled to take place on Tuesday, April 19, 2016 at 10:00am EDT. The hearing is entitled—

Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives

Invited witnesses TBA. Hearing will be webcast.

Anonymous Coward says:

Re: UPCOMING: House E&C Oversight hearing April 19

Subcommittee on Oversight and Investigations

The Energy and Commerce, Oversight and Investigations Subcommittee has—

Responsibility for oversight of agencies, departments, and programs related to the jurisdiction of the full committee, and for conducting investigations

The subcommittee’s listed membership includes twenty-four representatives from eighteen states (if I counted right). Although the witnesses for this upcoming hearing have not yet been announced, all the same, some constituents might think to bring any concerns arising from this FBI OIG audit to the attention of their representative.

Personanongrata says:

FBI: Heads They're Transparent, Tails They're Not

Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers

This is the same FBI that forces local police departments to sign non-disclosure agreements regarding the use of electronic surveillance gear?

The paragraph below was excerpted from The Intercept:


A Secret Catalogue of Government Gear for Spying on Your Cellphone

Jeremy Scahill, Margot Williams
Dec. 17 2015, 12:23 p.m.

When state or local police purchase the cell-site simulators, they are routinely required to sign non-disclosure agreements with the FBI that they may not reveal the “existence of and the capabilities provided by” the surveillance devices, or share “any information” about the equipment with the public.

So on one hand FBI would like to be more forthcoming and transparent in it’s use of electronic surveillance gear and on the other they require local police departments to sign non-disclosure statements regarding their use even going so far as dropping all charges so the methods utilized in collecting the data can remain secret.

The paragraphs below was excerpted from Techdirt:

New Documents Show FBI Instructing Law Enforcement To Throw Out Cases Rather Than Give Up Info On Stingray Use

by Tim Cushing

Wed, Apr 8th 2015 12:20pm

In short: parallel construction. The Sheriff’s Office can hand over the results of Stingray collections, but not divulge how it arrived at these results. If it’s going to deploy a Stingray, it either needs to do it without a warrant, or mislead the judge on its search techniques when applying for one.

When not lying to judges, the Sheriff’s Office will need to lie to defendants and their counsel. Most incredibly, the FBI instructs the law enforcement agency to directly disobey court orders, if it would mean turning over Stingray information.

If any of this seems unavoidable, our nation’s top law enforcement agency encourages its colleagues to toss out criminal prosecutions rather than risk exposing Harris Technology’s equipment.

So which is it FBI guys/gals? Are you going to be more transparent or will you continue force local police departments into signing non-disclosure statements and drop charges when it becomes too inconvenient.

The FBI’s electronic surveillance gear scheme sounds mighty arbitrary and as any student of the law should know:

Arbitrary application of the law is tyranny.

Holly says:

New Jersey TRANSIT

A bit off topic but you might note that New Jersey transit has installed microphones on all its trains to record rider conversations in a bid to reduce ‘terrorism’. Uhh, where?

So, recording your cell phone conversation in a train by the police is ok??? Makes all this sting-ray stuff seem tame by comparison.

wayne thomas sparks says:

this whole story is a joke and is meant to mislead you. if people were aware of what top law enforcement in california can do on the fly to their cell phones without ever physically touching their phone. it would start a revelution. And probably should.

This whole story is a joke and is meant to mislead you. if people were aware of what top law enforcement in california can do on the fly to their cell phones without ever physically touching their phone. it would start a revelution. And probably should.

Anybody who knows knows what i mean. Law enforcement in california can get in into your cell phone at at any time anywhere. as a matter of fact they can get all he data from any device that has wifi and do whatever they want to. they can erase evidence from your phone. they can erase phone calls or text from your phone and from your service provider. They can block phone calls or text to or from anybody. they can even erase any of your recipients of your text or calls and their service providers too. they can copy all your phone information with the click of a button. do you wonder why other software companies seem to have ESP that is because they have teamed with a high ranking law enforcement person who is simply stealing information directly from other companies computers and making a fortune in the process. it is and has been happening for years. and people still wonder how. It is crooked thieving law enforcement that are the criminals. and they are making a killing. article about kiosk is soooo lame…..

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...