from the and-privacy-and-security-for-none... dept
Documents FOIA’ed by Ryan Shapiro and shared with the New York Times shed some new light on previous FBI efforts to break encryption. Back in 2003, the FBI was investigating an animal rights group for possibly sabotaging companies that used animals for testing. The FBI’s Department of Cutesy Investigation Names dubbed this “Operation Trail Mix,” which I’m sure endeared it to the agents on the case. At the center of the investigation were emails the FBI couldn’t read. But it found a way.
They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.
That effort, revealed in newly declassified and released records, shows in new detail how F.B.I. hackers worked to defeat encryption more than a decade before the agency’s recent fight with Apple over access to a locked iPhone.
The documents don’t detail what the exploit was, but it targeted PGP — the encryption method used to keep the group’s communications private. The FBI was able to obtain a “full access” warrant to grab every communication, but that did nothing to decode the scrambled emails. The documents don’t specify what the FBI used, but language suggests it either copied the decryption keys or deployed a keylogger to snag passwords.
Either way, it apparently was the first time the FBI had deployed its own malware.
“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.
The secrecy surrounding the FBI’s tactics was nearly absolute. The wiretap order was disclosed to the defense but not the use of an exploit/keylogger. On top of that, the DOJ never mentioned the FBI’s efforts in its 2002 and 2003 annual reports, despite being required to report any instance where it runs across encryption during a wiretap investigation.
Not that the DOJ and FBI’s lack of transparency harmed their case. It resulted in six convictions, and a higher court basically said the use of encryption was suspicious in and of itself.
An appeals court upheld the convictions in 2009, and said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”
What the documents do show is that the FBI has been in the fight against encryption for a long time and in the business of deploying malware and exploits without judicial oversight for about as long. What has changed is that it’s now openly fighting encryption by trying to force compliance through the use of the All Writs Act. It’s also deploying a variety of exploits that can — with a single warrant — access info about any computer/device visiting a website.
It may be more open about its intents and tool usage now, but that’s not because it’s gained new respect for things like due process and accurate warrant applications. It’s doing this now because it needs an upper-level court ruling in its favor to basically excuse the things it’s been doing in secret for years, as well as give it the permission it needs to continue to undermine encryption in the future.