Government Prosecutor Caught Sending Emails With Tracking Software To Reporters And Defense Attorneys

from the Mark-Harmon-must-be-rolling-over-in-his-grave dept

Well, this is a new twist on prosecutorial misconduct. Why play fair when you can play with Network Investigative Techniques?

A Navy prosecutor last week sent an email to the editor of Navy Times that was embedded with a secret digital tracking device. The tracking device came at a time when the Naval Criminal Investigative Service is mounting an investigation into media leaks surrounding the high-profile court-martial of a Navy SEAL accused of war crimes.

That email, from Navy prosecutor Cmdr. Christopher Czaplak to Navy Times editor Carl Prine, came after several months of Navy Times reporting that raised serious questions about the Navy lawyers’ handling of the prosecution in the war crimes case.

The NCIS claims this is all above-board, which is obviously the case because no one was surprised by the presence of trackers and no one had to issue a statement defending the use of emails containing tracking software. Oh wait. The other thing.

The reporter was more than surprised the prosecutor decided to engage in his own leak investigation to track the source of information covered by a protective order. The prosecutor's employer, the US fucking government, explained via a spokesman that this tracking software was not "malware" or a "virus" and does nothing more than send IP addresses back to the NCIS home base. This is apparently supposed to make this OK.

But how OK is it really? Not very, it would appear. Not only does the use of this NIT violate a handful of laws, it also plays havoc with a handful of protections, Constitutional and otherwise.

The Navy email to Navy Times contained hidden computer coding designed to extract the IP address of the Navy Times computer network and to send that information back to a server located in San Diego. Under U.S. criminal law, authorities normally have to obtain a subpoena or court order to acquire IP addresses or other metadata. Not using one could be a violation of existing privacy laws, including the Electronic Communications Privacy Act.

Defense attorneys involved in the SEALs’ war crimes cases have said that 13 lawyers and paralegals on their team also received emails with a similar tracking device, according to court documents filed by the defense attorneys.

Sure, there's not much to be gleaned from scraped IP addresses, but it's possible that's not all that was picked up by the NCIS's NIT. It could have gathered email metadata as well, which can be almost as revealing as the content of the emails, especially when prosecutors are looking for sources of leaks.

This is problematic for a number of reasons. Targeting journalists to reveal sources does damage to First Amendment protections. Targeting defense attorneys puts attorney-client confidentiality at risk and strongly suggests the government isn't interested in a fair trial.

NCIS insists its prosecutor is in the right, despite all this potential collateral damage. The attorney representing a Navy SEAL accused of war crimes begs to differ.

The conduct of the prosecution is egregious,” said Tim Parlatore, a New York-based attorney, who is among several, including Marc Mukasey, a member of President Donald Trump’s legal team, defending the 39-year-old Gallagher. “(Cmdr.) Chris Czaplak should lose his law license and face criminal charges. He illegally spied on the defense attorneys and the media. The prosecutor needs his own defense attorney.”

The US government continues to downplay this as just a normal thing done in leak investigations. But it isn't. It targeted journalists and defense attorneys -- two parties that definitely shouldn't be on the receiving end of anything even mildly nefarious originating from government prosecutors. This prosecutor decided the most important thing here wasn't respecting rights or focusing on the suspect on trial, but rather sniffing out the source of a leak. This doesn't reflect well on the NCIS and it's quite possible there's a benchslap awaiting this prosecutor, if not sanctions and a dismissal.

Filed Under: 4th amendment, carl pine, christopher czaplak, investigation, leaks, navy, nit, tracking, war crimes
Companies: navy times


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • icon
    That Anonymous Coward (profile), 29 May 2019 @ 9:44am

    When you've enjoyed doing whatever to people once you call them a terrorist or leaker, you forget the law actually exists.

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 29 May 2019 @ 9:46am

    "The prosecutor's employer, the US fucking government,"

    This one comment alone is sufficient for one to understand that most likely everything in this article is a lie and that the author is engaged in spreading hate, fear, and lies.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2019 @ 9:56am

      Re:

      Not "one". Just you.

      reply to this | link to this | view in chronology ]

    • icon
      Gary (profile), 29 May 2019 @ 9:58am

      Re:

      "The prosecutor's employer, the US fucking government,"

      This one comment alone is sufficient for one to understand that most likely everything in this article is a lie and that the author is engaged in spreading hate, fear, and lies.

      Guess you are the fucking paradigm of truthiness and reporting?
      Please show us the published article you wrote that tells us how it really is?

      reply to this | link to this | view in chronology ]

      • This comment has been flagged by the community. Click here to show it
        identicon
        Piccorolo Fragasso, 29 May 2019 @ 10:29am

        "Gary", you astro-turfing by Timothy Geigner, aka "Dark Helmet"

        So you have ZERO authority to snipe at anyone.

        And are at least TWO with same view of Techdirt. So few reasonable people read this tiny little site that doesn't give any indication of how anomalous and stupid are its netwit notions.

        DULL STALE topics like this certainly don't help, either.

        By the way... No one seems to pick up on the HOW of this, but "emails" are mere TEXT and can't "track" themselves. The REAL story here is how vulnerable are "modern" systems, especially Linux, Apple, Android, and Crimosoft: no email reader should be executing ANY code from such "containers" in first place! It's. Just. Stupid.

        Now, had Techdirt followed THAT slant, it'd be interesting. But since utterly conventional un-imaginative netwits re-writing for other such, it won't even now pointed out, just re-writes slightly what's been out a week.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 May 2019 @ 10:38am

          So few reasonable people read this tiny little site that doesn't give any indication of how anomalous and stupid are its netwit notions.

          Thanks for reminding us that you're an unreasonable person!

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 May 2019 @ 12:27pm

          Re: "Gary", you astro-turfing by Timothy Geigner, aka "Dark Helm

          And are at least TWO with same view of Techdirt.

          There are dozens of us! Literally dozens of us!

          reply to this | link to this | view in chronology ]

    • icon
      Spaceboy (profile), 29 May 2019 @ 3:43pm

      Re:

      This information is about two weeks old. It's well beyond the regular news cycle. As to the article itself, had you clicked any of the links embedded within or maybe searched for yourself, outside of Techdirt, you would have found this same information.

      There are organizations that earn their pay with Fake News. Techdirt is not one of them.

      One has to wonder, with the type of news org that is Techdirt and those that follow it, why would you waste your time on weeks-old news on a blog that you don't care enough about to register and post under at least a pseudonym.

      reply to this | link to this | view in chronology ]

    • identicon
      R,og S/, 30 May 2019 @ 9:40am

      Re:

      Are you always an idiot, or just today?

      reply to this | link to this | view in chronology ]

  • icon
    UniKyrn (profile), 29 May 2019 @ 9:57am

    So much for that evidence

    Tainted, collected illegally, inadmissible.

    reply to this | link to this | view in chronology ]

    • identicon
      ANON, 29 May 2019 @ 10:52am

      Re: So much for that evidence

      Irrelevant.

      It does not matter - all the prosecutor is doing is establishing what is the public IP of the email recipient. (I.e. because he email downloaded the "transparent 1 pixel image" embedded in the HTML of the message, he now knows what the IP address is. if it was opened at home, he knows the journalist's home IP. From there, the prosecutor looks for any other people in the suspect group of leakers who may have had chats, sent items, etc. to that IP, thus making them suspects. He searches the navy base firewalls, which log all sorts of data about connections to outside.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2019 @ 11:55pm

        Re: Re: So much for that evidence

        From the military times:

        “He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,” according to a Portier defense motion filed Tuesday.

        reply to this | link to this | view in chronology ]

  • identicon
    Burning woodchipper, 29 May 2019 @ 10:11am

    Navy Times is not part of the Navy

    For those who don't know, the Navy Times is NOT part of the Navy, or the DoD in any way. Sightline Media Group publishes the Navy Times, the Army Times, and the Air Force Times - and frequently goes head-to-head with the powers that be in the military.

    As a former sailor ... the Navy Times was most often a realistic counterpoint to the propaganda the official Navy channel published.

    Just in case you thought it was OK for a navy prosecutor to go after a Navy publication because they're both DoD - they're not.

    reply to this | link to this | view in chronology ]

  • identicon
    timlash, 29 May 2019 @ 10:20am

    CFAA Violation?

    "...could be a violation of existing privacy laws, including the Electronic Communications Privacy Act."

    What about a violation of the CFAA for unauthorized access of a computer network?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 May 2019 @ 10:21am

    Not entirely accurate

    It could have gathered email metadata as well, which can be almost as revealing as the content of the emails, especially when prosecutors are looking for sources of leaks.

    Um, no, not really. These "tracking devices" are typically 1 pixel square transparent images linked to an external server, i.e. the image is downloaded from some server via http. This is how HTML email, the kind that displays more than simple text, works. The request from your mail client for the image from the server hosting the image passes along the "user agent" (your email client name and version) and your IP address. Nothing more.

    There is no chance of exposing "email metadata" or anything else necessary to put attorney-client privilege or news sources at risk. This article demonstrates a typical yet fundamental lack of understanding of how email and the internet work.

    Yeah, it's crappy that they're collecting IP addresses but that and the time/date their emails were viewed are all they get out of this. They're also super easy to defeat: Disable automatic remote content in emails and only download remote content for emails for which you choose to do so.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2019 @ 10:30am

      Re: Not entirely accurate

      According to the story:

      Finding that suspicious, McCue contacted his Air Force communications squadron, according to court documents filed by the defense. “He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,” according to a Portier defense motion filed Tuesday.

      It also specifically says software was included, not just an image. But an earlier paragraph describes a suspicious image, so I think you're right that the malware claim is bullshit. I get the impression that neither the reporter nor the squadron tech people know what they're talking about.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2019 @ 1:21pm

        Re: Re: Not entirely accurate

        sent an email to the editor of Navy Times that was embedded with a secret digital tracking device.

        Everything in an email is digital. Most is hidden. Unless there's either an embedded exploit or an embedded phishing attack, the most they can do is embed a callback script or image reference that calls home. And most email clients are designed to NOT call home on those unless you load images or agree to run a script.

        I'd really like to know what sort of "NIT" was used here, because if it's not one of the simple ones that can be ignored by the mail client, it breaks all sorts of laws by being deployed against civilians by the military.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 May 2019 @ 5:07pm

          Re: Re: Re: Not entirely accurate

          Doesn't "NIT" specifically refer to something that uses an exploit? I certainly wouldn't use the term for a tracking image, which would lead us to the conclusion "OMG Facebook like buttons are hacking our computers!!!"". They're using a feature as designed, which as noted only shitty email clients will even allow.

          reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Piccorolo Fragasso, 29 May 2019 @ 10:34am

      Re: Not entirely accurate - Dang. Techdirt's shrieking misled me

      Yup, fell into the trap of thinking this was a big deal with code executed, when you're probably right: just pixel based tracking, as GOOGLE and every other SPY corporation uses.

      You need to "host out" the known commercial ones to defeat it when merely browsing, though of course that wouldn't work for a custom server.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2019 @ 1:23pm

        Re: Re: Not entirely accurate - Dang. Techdirt's shrieking misle

        I think you'll find the shrieking was in the courtroom; TD's just reporting it.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2019 @ 11:04am

      Re: Not entirely accurate

      They're also super easy to defeat: Disable automatic remote content in emails and only download remote content for emails for which you choose to do so.

      There is no such option in PINE (nor is it probably even needed)

      Another 'solution' is to use a proxy or VPN, as well as make sure that all scripting is disabled, though that doesn't prevent the attacker from using some other zero-day exploit that can peek behind proxies. And let's not forget that TOR was thought to be untraceable, until the FBI proved otherwise.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2019 @ 7:44pm

        Re: Re: Not entirely accurate

        And let's not forget that TOR was thought to be untraceable, until the FBI proved otherwise.

        Please be careful with statements like this. It gives the impression that the FBI discovered some fundamental flaw in the design of Tor--when in reality they did what any attacker would do and attacked not the strong foundation but a weaker upper layer, viz., Firefox which is the basis of the Tor Browser. Tor Browser is not the same as Tor, and a browser bug doesn't make all uses of Tor traceable.

        reply to this | link to this | view in chronology ]

    • icon
      TKnarr (profile), 29 May 2019 @ 11:20am

      Re: Not entirely accurate

      And it shouldn't work anyway, all email clients I know of (well, all non-Web-based ones anyway) default to not fetching remote content in email bodies at all and you have to deliberately enable it before it'll go fetch the embedded image. A reporter probably shouldn't be using a Webmail client simply because it doesn't let you disable things like remote content and scripts.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2019 @ 12:26pm

        Re: Re: Not entirely accurate

        A reporter probably shouldn't be using a Webmail client simply because it doesn't let you disable things like remote content and scripts.

        There's no reason a webmail service has to send the original, possibly harmful, HTML to the browser. That's laziness at best (more cynically, we might note that many webmail services are run by advertising companies...).

        reply to this | link to this | view in chronology ]

    • identicon
      Rekrul, 29 May 2019 @ 3:30pm

      Re: Not entirely accurate

      Um, no, not really. These "tracking devices" are typically 1 pixel square transparent images linked to an external server, i.e. the image is downloaded from some server via http. This is how HTML email, the kind that displays more than simple text, works. The request from your mail client for the image from the server hosting the image passes along the "user agent" (your email client name and version) and your IP address.

      I have Thunderbird set to never load remote content.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2019 @ 4:30pm

      Re: Not entirely accurate

      Yeah, I'd go so far as to say that over 75% of the emails most people receive have these tracking pixels in them, including every email you get from any major business. Outlook has the option to include them in your private email.

      In fact, pretty much any email with an image in it, hidden or not, is probably causing a server log to be updated with your IP, software, operating system, etc. It's just how the internet works.

      reply to this | link to this | view in chronology ]

    • icon
      Ben (profile), 30 May 2019 @ 5:07am

      Re: Not entirely accurate

      You're missing the fact that many HTML tags can have event tracking attributes that cause JavaScript scripts to run, and said scripts can harvest a great deal of data, not unlike the urchin script that is at the core of Google Analytics' page tracking code. You'd be amazed at how much 'anonymized' data you can see in Google Analytics, and that's not even explicitly malicious.

      reply to this | link to this | view in chronology ]

    • icon
      Tanner Andrews (profile), 8 Jun 2019 @ 5:57am

      Re: Not entirely accurate

      There is no chance of exposing "email metadata" or anything else necessary to put attorney-client privilege or news sources at risk.

      This is, of course, a load of fetid dingo's kidneys. Tracking pixels are not normally anonymous. Each one does, or should, identify the mail with which it was included.

      Example will illustrate. You send potentially forwardable e-mails to persons A, B, and C, including mail identifier and recipient identifiers. Watch to see what lights up. Not only do you know who brought up your e-mail when, but you can keep watching. When you see the e-mail marker for a message to B light up again, from a different IP address, you know which e-mail got forwarded.

      Spam trackers generally work on a similar principle. When you fetch tracking pixels , they can send back your e-mail address, or an index into a table of sent e-mails, along with some sort of campaign identifier, to verify that your address is a live one and a good prospect for future spam.

      Here is an example. [<img src="https://track.firmfinder.net/o.z?j=320920807&email=marklegal@yandex.com" height=24 width=24 title="tracking pixel example">]. Due to bugs with this "markdown" stuff, which ought to be ditched in favor of standard HTML, it is hard to illustrate here.

      reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 29 May 2019 @ 10:36am

    1 comment

    Monkey see, monkey do..

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 May 2019 @ 10:59am

    Ok, I'm really getting tired of the press continually suggesting that because they're "journalists" they individually deserve more rights than the average person. This is patently NOT the case. The rights of journalists are the the SAME as that of private citizens. The field of journalism enjoys a few extra protections in First Amendment law because of its nature in exposing relevant information to the public at large, but any single journalist has no greater or lesser rights than any single Joe off the street before the Law.

    There is no exception in the US Constitution for journalists because it was well understood that the rights of citizens are the same as those of the rights of journalists. Any single individual could be a reporter at any instant of time and serving in the same capacity. It's the pursuit of journalism that has the protection. This has very vividly been exposed with the advent of the Internet and the democratization of news dissemination taking the reporting of news and divesting it of those more traditional media conglomerates and back into the hands of the independent citizenry as it was when the US was founded.

    "The prosecutor needs his own defense attorney.”
    Doubt it. Prosecutors are rarely prosecuted for any laws, especially federal ones and especially civil rights laws. He may need a specialist in civil law, but even that is iffy because many courts decline to hear cases against prosecutorial civil rights abuses.

    reply to this | link to this | view in chronology ]

  • icon
    teknosapien (profile), 29 May 2019 @ 11:06am

    This is not criminal court

    First off I don't agree with the tactics here.This is a military court that falls under the UCMJ Military code of conduct.
    Civilian laws do not apply here they are playing on a completely different field when it comes to law different rules. I don't believe that they don't have to prove guilt rather the defense must prove innocents (at least that's what they told up in boot camp)

    reply to this | link to this | view in chronology ]

    • icon
      Thad (profile), 29 May 2019 @ 11:49am

      Re: This is not criminal court

      I can't speak to the specifics of military courts, but I'm pretty goddamn sure being a military prosecutor doesn't make it legal to engage in unauthorized surveillance of a privately-owned newspaper.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 May 2019 @ 11:55am

    Even USAF doesn't like this

    Amusingly even the US Air Force is annoyed with this and is investigating what the hell is going on.

    https://www.airforcetimes.com/news/your-air-force/2019/05/21/why-the-air-force-is-investigating-a-c yber-attack-from-the-navy/

    Not a good sign when your fellow brethren in arms, even if different branch of DoD, thinks you're shady.

    reply to this | link to this | view in chronology ]

  • identicon
    norahc, 29 May 2019 @ 1:04pm

    Let's give the government some credit here...at least they didn't pull the SFPD bullshit of raiding a journalist's home and seizing all the electronics....

    YET

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 29 May 2019 @ 2:07pm

    'Well, not YET anyway...'

    The US government continues to downplay this as just a normal thing done in leak investigations. But it isn't. It targeted journalists and defense attorneys -- two parties that definitely shouldn't be on the receiving end of anything even mildly nefarious originating from government prosecutors.

    Let's be honest though, if they thought they could get away with it(or, you know, did in the case of the FBI/Playpen...) it would be a regular, 'normal' action.

    'Make the government look bad? The rules/laws no longer apply when it comes to investigating/prosecuting you.'

    reply to this | link to this | view in chronology ]

  • identicon
    bobob, 29 May 2019 @ 4:03pm

    All you have to do is look at how infrequently prosecutorial misconduct has any repurcussions to realize that it's a way of life for prosecutors.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.