Never Mind The Israelis: Nebraska Company Is Selling Wiretap-Esque Access To Social Media Accounts, Third Party Data

(Mis)Uses of Technology

from the absolutely-blinded-by-the-ongoing-darkness dept

While our attention is focused on a handful of Israeli malware purveyors that have the capability to turn phones into state witnesses, plenty of others are operating under the radar. Israel doesn’t have a monopoly on powerful phone exploits. It’s a crowded market and everybody — from totalitarian states to the FBI — wants some. The market is there. It just needs companies to fill it. And they have been.

Thomas Brewster — who is one of the few reasons anyone should read Forbes — has uncovered a US company that is giving law enforcement plenty of powerful tools to track down criminal suspects. There is no “going dark.” The Midwest is giving cops the edge in the tech war.

PenLink might be the most pervasive wiretapper you’ve never heard of.

The Lincoln, Nebraska-based company is often the first choice of law enforcement looking to keep tabs on the communications of criminal suspects. It’s probably best known, if it’s known at all, for its work helping convict Scott Peterson, who murdered his wife Laci and their unborn son in a case that fomented a tabloid frenzy in the early 2000s. Nowadays the company has been helping cops keep tabs on suspected wrongdoing by users of Google, Facebook and WhatsApp — whatever web tool that law enforcement requests.

PenLink may not be able to deputize suspects’ phones with no-click exploits, but it’s still giving law enforcement plenty to work with. Brewster notes that the federal government is spending over $20 million a year to give the DEA, ICE, and FBI access to PenLink’s tools. PenLink also sells to local law enforcement agencies in several states, according to contracts obtained by Brewster.

PenLink — like so many others occupying this surveillance space — isn’t willing to discuss its tech and tools with the general public. To gather details, Jack Poulson of Tech Inquiry attended a law enforcement conference and recorded PenLink’s pitch to law enforcement agencies.

The company has been around for more than 25 years. Originally, it just provided database tools that allowed law enforcement to organize and search phone records — i.e., those gathered with a pen register order. Since then, it has expanded its scope and improved its surveillance tech. PenLink — apparently named after the pen register orders it streamlined back in 1987 — is now capable of providing a digital analog of physical wiretaps. Those intercepts are sold to cops under the name “Lincoln.”

But phone calls are no longer where the action is at. The company has pivoted to provide a host of powerful social media monitoring tools. It’s not perfect, but it’s better than the nothing most agencies have access to when it comes to tracking suspects without an actual wiretap order.

The PenLink rep said that tech companies can be ordered to provide near-live tracking of suspects free of charge. One downside is that the social-media feeds don’t come in real time, like phone taps. There’s a delay — 15 minutes in the case of Facebook and its offshoot, Instagram. Snapchat, however, won’t give cops data much more than four times a day, he said. In some “exigent circumstances,” however, Tuma said he’d seen companies providing intercepts in near real time.

Why is this delayed reaction worth spending money for? Well, it allows law enforcement agencies to bypass court scrutiny. With this tool, there’s no need to seek wiretap orders, which are subject to court scrutiny and additional oversight. (In theory, anyway?). Using nothing more than a subpoena (or, in the case of federal agencies, self-issued National Security Letters), cops can track people’s location via social media activity, adding to the vast amount of location info other apps provide which can also be obtained without asking a court’s permission.

PenLink allows cops to deploy a surveillance shotgun and go fishing in the data to find reasons to extend investigations or engage in more intrusive surveillance. This is highly problematic. It allows law enforcement to bypass everything that’s been set up to protect citizens from their government — something the founding fathers clearly envisioned when setting limits on government power.

Here’s what the ACLU’s surveillance/cybersecurity lawyer Jennifer Granick has to say about these revelations:

“The law requires police to minimize intercepted data, as well as give notice and show necessity,” she said. “It’s hard to imagine that wiretapping 50 social media accounts is regularly necessary, and I question whether the police are then going back to all the people who comment on Facebook posts or are members of groups to tell them that they’ve been eavesdropped upon.”

Problematic, to say the least. But another data point stating there is no “going dark.” The feds — along with thousands of law enforcement agencies — are living in a golden age of surveillance. PenLink’s surreptitiously recorded presentation saw 15-year PenLink employee Scott Tuma give cops plenty of reasons to rejoice in the unexpected bounty of actionable info the internet, social media services, and cell phone providers have dropped into their collective laps.

PenLink’s Tuma “gushed” over the massive amounts of location data Google services generate — much of which is obtainable without a search warrant. As Tuma notes, Google’s data can put cops within 5 feet of a suspect, compared to the coarser location data obtainable from Facebook and Twitter, which can be off by as much as 100 feet. Then there are Google searches, which can also be easily obtained — something that can be used to sift and sort for suspects by looking for “suspicious” searches. “Google’s the best,” according to the PenLink rep.

Then there’s Apple, the supposed gold standard for user privacy. Encrypt all you want, but if iCloud backups are enabled, there’s almost nothing standing between law enforcement and SMS messages, photos, and other content. Even encrypted services still generate a lot of data that might be useful to investigators — and all of it can be obtained with the assistance of tools like PenLink.

Tuma said he was working on a case in New York where he was sitting on “about a thousand recordings from WhatsApp.” The Facebook-owned app may not be so susceptible to near real-time interception, however, as backups can only be done as frequently as once a day. Metadata, however, showing how a WhatsApp account was used and which numbers were contacting one another and when, can be tracked with a surveillance technology known as a pen-register. PenLink provides that tool as a service.

There’s a lot cops can get to. And a lot of it doesn’t require a warrant. PenLink puts the grease on the wheels and provides analytic tools that help investigators make sense of the wealth of data they’ve obtained. While companies like NSO Group are turning phones into listening devices, PenLink and its competitors are converting tons of third party data into actionable intel — and all without bothering the courts too much about the constitutionality of this form of surveillance.

Direct surveillance of single targets may be the most intrusive method of intercepting communications, but proxy surveillance via social media services can accomplish almost the same thing without the government worrying too much about seeing evidence suppressed. And this because courts made most of the tough decisions on expectations of privacy back when people still used phone booths and the US postal service regularly. PenLink operates in this underdeveloped area of case law, building on the lessons learned in 1987 that are somehow still mostly applicable in 2022.

Filed Under: 3rd party data, law enforcement, social media, surveillance
Companies: penlink