Of Course The FBI Has Been Gradually Expanding Its Access To And Influence Over NSA's Data Trove

Privacy

from the because-of-course dept

It’s no secret that the FBI and the NSA often work hand in hand in surveillance activities. As we’ve discussed before, it’s actually the DOJ/FBI who goes to the FISA Court to put in the NSA’s requests to collect all your data. However, thanks to a FOIA lawsuit filed by the NY Times, a Justice Department Inspector’s General report from 2012 has been revealed (with significant black ink blocking out the juicy parts, of course) that reveals that beyond being the NSA’s FISA Court gopher, the FBI has been dipping its hands into the data pot as well:

In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the ?Prism? system, which collects emails of foreigners from providers like Yahoo and Google. The bureau?s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans.

Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.?s ?upstream? system, which collects communications transiting network switches.

Now, remember, just a few months ago it was revealed that the NSA, CIA and FBI all freely search this treasure trove of info — and the FBI admitted that it uses it so often that it does not even track how often it has done queries on that data concerning “US person identifiers.” So even though the entire point of Section 702 of the FISA Amendments Act was to set up procedures for “targeting certain persons outside the United States other than United States persons,” the FBI has basically thrown it wide open so that it can use it basically however it wants. And, the FBI doesn’t then track how it uses that info, because the less of a paper trail, the better, apparently.

As the report notes, basically, if the FISA Court said the NSA could have it (supposedly only for non-US persons), the FBI got its own damn copy to hang onto. Just because.

If you can’t read that, it notes:

On October 14, 2009, the FBI began to request that a portion of the raw 702-acquired data also be “dual routed” to the FBI so that it could retain this data for analysis and dissemination in intelligence reports.

As for the FBI starting to choose its own emails and phone numbers to snoop on, the details there involve a whole hell of a lot of black ink redacting the details, but it does note that:

The FBI plans to greatly expand its role in the 702 Program this year by nominating selectors for Section 702 Coverage. Because the nominations program was still being formulated during our review period, the OIG was unable to review these proposed activities in depth for this report. However, in Chapters Three and Four we identify certain FBI policies and practices under the 702 Program that may be affected by the nominations initiative, and thus briefly summarize the nominations proposal below.

This is followed by a paragraph and a half of the finest black ink your tax dollars can buy. Then we get:

Unlike the [REDACTED] process, the FBI, and not the NSA, would be the owning agency for the selectors it nominates, and would assume the primary obligation to review the content of incoming communications to ensure that the targeted account remains legally eligible for 702 collection and continues to produce foreign intelligence information.

This is followed by three paragraphs of black ink and then an admission that while the plan was supposed to start in early 2013, the FBI was so damn eager to get it started, that they’d actually begun in April 2012. Who knew the FBI were early adopters?

Either way, it seems clear that the FBI has had pretty broad access to this collection of data and the power to get selectors added on its own without much oversight or review. And, remember, it doesn’t track how often it dips into this data. So, for all the talk of how carefully monitored the NSA’s access is… who the hell knows what the FBI is doing with it?

Filed Under: access, fbi, nsa, section 702, surveillance

Convicted 'Eco-Terrorist' Released From Prison After Discovery Of 'Thousands Of Pages' Evidence Withheld By The FBI

Legal Issues

from the Build-your-own-terrorist!-Instructions-not-included! dept

Ladies and gentlemen: your Federal Bureau of Investigation.

• Former FBI Guy Lies, Claiming New Mobile Encryption Would Have Resulted In Dead Kidnap Subject
• Court Slams FBI For Saying It’s Okay For The Federal Government To Lie To A Court
• New Emails Show That Feds Instructed Police To Lie About Using Stingray Mobile Phone Snooping
• Your Word Against Ours: How The FBI’s ‘No Electronic Recording’ Policy Rigs The Game… And Destroys Its Credibility
• FBI Made Up ‘Threats’ At Peace Rally, Lied To Congress To Justify Spying Activity

Eric McDavid was sentenced to nearly 20 years in prison for alleged eco-terrorism, becoming the first person ever indicted for ELF (Earth Liberation Front)-related charges. WAS. He’s now free to continue his interrupted life, thanks to the FBI’s dishonesty.

Then, the government changed its mind, conceding that thousands of pages of evidence that should have been given to McDavid’s defense attorney years ago – including love notes to a young woman who turned out to be an FBI plant – had instead been secretly held in an FBI file in Sacramento until recently. The best course of action, the government ultimately decided, was to set McDavid free.

“I’ve never heard or seen of anything like this,” said U.S. District Judge Morrison C. England Jr., who originally sentenced McDavid. The judge ordered him released in accord with an unusual agreement between prosecutors and his appellate attorneys.

The judge demanded answers from the prosecution as to how this could have happened. From what’s reported by the Sacramento Bee, it appears those answers — like the previously-missing evidence — were nowhere to be found.

“I sat through the 10-day trial of Mr. McDavid,” a clearly exasperated England said, sometimes stopping to hold his head in his left hand.

“I know he’s not necessarily a choirboy, but he doesn’t deserve to go through this, either. It’s not fair.”

Officials from the US Attorney’s office joined Assistant US Attorney Andre Espinosa, but the brain trust came up with nothing.

Espinosa and John Vincent, chief of the U.S. attorney’s criminal division, said the documents had remained in the FBI’s possession in a file in Sacramento.

“We don’t know exactly why they weren’t turned over,” Vincent told the judge.

Great answer. Even better, the government contends that even if it had managed to turn over the evidence in a timely fashion, it still probably could have secured a conviction. But actions speak louder than this attempt to wedge an undeserved last word in sideways. McDavid is a free man after pleading guilty to a single conspiracy charge. And even that’s questionable. From what’s been turned over, it appears McDavid was another one of the FBI’s “homegrown terrorists.”

Despite Thursday’s guilty plea, his supporters say McDavid was never guilty of anything more serious than falling for a comely 18-year-old woman he met at an Iowa meeting in 2004, a woman who later prodded him to take violent action against government targets with promises that they would later consummate a romantic relationship.

The woman, named in court documents and at the trial only as “Anna,” turned out to be an FBI informant and played a critical role in McDavid’s arrest, as well as his release Thursday… Court documents spell out in detail how “Anna” provided money, transportation, housing and food to McDavid and his two co-defendants over an 18-month period, evidence his lawyers say shows the entire case was about entrapment rather than stopping terrorist attacks.

McDavid’s lawyer got in his own last word, a bit more deserved than the US Attorney General’s office.

“I hope she’s not ruining someone else’s innocent life.”

Keep hope alive. This is has been the main component of the FBI’s counterterrorism efforts: plots designed, built and put into motion by FBI informants and undercover agents, utilizing whatever weak-willed or weak-minded individuals they happen to talk into participating. Feeling any safer, America? Self-motivated terrorists roam free while the FBI plays dress-up with the easily-flattered and easily-duped.

The three targeted in this investigation were urged on by “Anna.” None of them had previous convictions. The arrests followed the purchase of household chemicals, supposedly for bomb-making. This was the culmination of a two-year “investigation” during which “Anna” repeatedly pushed the three men towards bombing targets in the area. Much of what was presented to the jurors was personal testimony by Anna that could not be corroborated by video or audio recordings (Anna frequently wore a wire and many of the meetings took place in her cabin, which had surveillance cameras installed). So, the FBI presented plenty of hearsay while withholding thousands of pages of evidence. Our words against yours.

In the end, “our word” wasn’t enough. McDavid — more lovestruck fool than eco-terrorist — is free and the world is no more dangerous than it would have been if he was incarcerated. Any bets that the FBI will be more forthcoming in the future? I’m guessing it won’t. Why should it? All it lost here was someone it had groomed for arrest. It didn’t lose a threat, or a public enemy. Win a few, lose a few. It will continue to play terrorist charades because it pays as much as real investigative work, but has a much higher chance of success.

Filed Under: criminal plots, eco-terrorism, eric mcdavid, fbi, foia, lies, made up crimes, own plots, withholding evidence

Former CIA Director May Face Charges Under Espionage Act, Showing How Ridiculous Espionage Act Is

Legal Issues

from the will-it-happen? dept

In a surprising development, the New York Times reported late Friday that the FBI and Justice Department have recommended felony charges against ex-CIA director David Petraeus for leaking classified information to his former biographer and mistress Paula Broadwell. While the Times does not specify, the most likely law prosecutors would charge Petraeus under is the same as Edward Snowden and many other leakers: the 1917 Espionage Act.

It remains to be seen whether Petraeus will actually be indicted (given how high-ranking government officials so often escape punishment), and the decision now sits on Attorney General Eric Holder’s desk. But this is a fascinating and important case for several reasons.

First, all of Petreaus’s powerful D.C. friends and allies are about to be shocked to find out how seriously unjust the Espionage Act is?a fact that has been all too real for many low-level whistleblowers for years.

By all accounts, Petraeus’s leak caused no damage to US national security. “So why is he being charged,” his powerful friends will surely ask. Well, that does not matter under the Espionage Act. Even if your leak caused no national security damage at all, you can still be charged, and you can’t argue otherwise as a defense at trial. If that sounds like it can’t be true, ask former State Department official Stephen Kim, who is now serving a prison sentence for leaking to Fox News reporter James Rosen. The judge in his case ruled that prosecutors did not have to prove his leak harmed national security in order to be found guilty.

It doesn’t matter what Petraeus’s motive for leaking was either. While most felonies require mens rea (an intentional state of mind) for a crime to have occurred, under the Espionage Act this is not required. It doesn’t matter that Petraeus is not an actual spy. It also doesn’t matter if Petraeus leaked the information by accident, or whether he leaked it to better inform the public, or even whether he leaked it to stop a terrorist attack. It’s still technically a crime, and his motive for leaking cannot be brought up at trial as a defense.

This may seem grossly unfair (and it is!), but remember, as prosecutors themselves apparently have been arguing in private about Petraeus’s case: “lower-ranking officials had been prosecuted for far less.” Under the Obama administration, more sources of reporters have been prosecuted under the Espionage Act than all other administrations combined, and many have been sentenced to jail for leaks that should have never risen to the level of a criminal indictment.

Ultimately, no one should be charged with espionage when they didn’t commit espionage, but if prosecutors are going to use the heinous Espionage Act to charge leakers, they should at least do it fairly and across the board?no matter one’s rank in the military or position in the government. So in one sense, this development is a welcome one.

For years, the Espionage Act prosecutions have only been for low-level officials, while the heads of federal agencies leak with impunity. For example, current CIA director John Brennan, former CIA director Leon Panetta, and former CIA general counsel John Rizzo are just three of many high-ranking government officials who have gotten off with little to no punishment despite the fact we know they’ve leaked information to the media that the government considers classified.

So hopefully Eric Holder does the right thing and indicts Petreaus like he has so many others with far fewer powerful connections. As Petraeus himself once said after CIA whistleblower John Kiriakou was convicted for leaking: “There are indeed consequences for those who believe they are above the laws.” 

But if Petraeus does get indicted, perhaps we should start a new campaign: “Save David Petreaus! Repeal the Espionage Act!”

Republished from Freedom of the Press Foundation

Filed Under: cia, david petraeus, doj, espionage act, fbi, leaks

FBI Says It Has A Warrant Requirement For Stingray Use; Has Exception Broad Enough To Ensure It Never Needs A Warrant

Privacy

from the the-warrant-that-wasn't-there dept

As Mike covered here earlier, Sens. Grassley and Leahy are asking the FBI for more answers on its Stingray usage. Not that anyone should be holding their breath in anticipation of a response. The government’s use of Stingray devices has been actively hidden from the public (and criminal defendants) for years. Local law enforcement’s use has also been hidden, thanks to a bizarre set of non-disclosure agreements, both with the manufacturer (Harris) and the FBI itself.

So, while we wait for the heavily-redacted responses to the senators’ queries to eventually arrive at an undetermined point in the far future, let’s take a closer look at what the FBI has actually gone on record with about its Stingray use.

The good news (that actually isn’t) is this: the FBI now has a warrant requirement for Stingray deployment. But there are (of course) exceptions.

[W]e understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

A Stingray device is rarely deployed from the comfort of the suspect’s living room. In fact, it’s safe to say this never happens. What does happen is that Stingrays are deployed from vehicles on public streets or flown overhead in aircraft. It would probably be safe to say that there has not been a Stingray deployment that didn’t occur in a public place.

So, there’s really no need to ever seek a warrant. The FBI can point proudly to its new warrant requirement as evidence of its respect for privacy, just as long as no one asks if there are any exceptions. Grassley and Leahy, however, have asked. And they have mastered the art of the understatement. They continue:

We have concerns about the scope of the exceptions.

The rule is demolished by the exception. There is no rule. There is no need for the FBI to ever seek a warrant for Stingray usage. If some weird situation does manage to crop up, it will probably involve some other exception (including ones that aren’t listed here), and we’re back to square one.

If and when the answers arrive, the numbers following these questions will be highly illuminating.

2.   From January 1, 2010, to the effective date of the FBI’s new policy:
a.   How many times did the FBI use a cell-site simulator?
b.   In how many of these instances was the use of a cell-site simulator authorized by a search warrant?
c.   In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process? Please identify the legal process used.
d.   In how many of these instances was the cell-site simulator used without any legal process?
e.   In how many of the instances referenced in Question 2(d) did the FBI use a cell-site simulator in a public place or other location in which the FBI deemed there is no reasonable expectation of privacy?

Given the scope of the “public place” exception, the answers to (d) and (e) should be nearly identical. All that remains to be seen is how close those numbers are to 2(a).

Filed Under: 4th amendment, doj, fbi, privacy, stingray, warrant

FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks

(Mis)Uses of Technology

from the dangerous-ideas dept

It’s no secret that some in the computer security world like the idea of being able to “hack back” against online attacks. The simplest form of this idea is that if you’re a company under a denial-of-service attack, should you be able to “hack” a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such “hack backs” because, among other things, CISPA would grant immunity to companies “for decisions made based on cyber threat information.” Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:

In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it’s a bad idea not just because it likely breaks the law, but because it’s stupid and dangerous. First, accurately determining who is behind a hack is quite difficult — as we’re seeing lately with all the recent skepticism about the FBI’s claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences — even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren?t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences of this. If you’re a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm — then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through — and lawmakers prevent it from being protected by law.

Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes
Companies: jp morgan

FBI Still Standing By Its 'North Korea Did It!' Claims On The Sony Hack

Say That Again

from the still-pretty-sure dept

After the FBI formally named North Korea as being behind the Sony Hack, a lot of people in the cybersecurity community explained why they didn’t find the evidence at all compelling. There was pretty widespread disbelief in the story — though most admitted that it was possible that the FBI had additional evidence it wasn’t sharing. In the past few days, a lot of attention has been paid to a theory coming out of Norse Security, that the attack really came from a group of people (not associated with North Korea) including, in particular, a disgruntled ex-Sony employee. On Monday, the FBI met with Norse to hear what the company had to say, but apparently came away unconvinced. The FBI continues to stand by its assertion that North Korea did it.

Asked about the meeting and criticism on Monday, the FBI declined to comment beyond a prepared statement that they are confident the North Koreans are behind the crippling Thanksgiving attack and there is ?no credible information? to suggest otherwise.

Tuesday, a U.S. official familiar with the matter said after the three-hour meeting, law enforcement concluded that the company?s analysis ?did not improve the knowledge of the investigation.?

Ouch. Once again, it is entirely possible that the FBI has access to even more information that it has not shared. However, it does seem rather clear at this point that the evidence it has shared publicly is just as unconvincing to cybersecurity experts as the information those security experts have shared is unconvincing to the FBI.

Filed Under: fbi, north korea, sony hack
Companies: norse security, sony, sony pictures

When The FISA Court Rejects A Surveillance Request, The FBI Just Issues A National Security Letter Instead

Privacy

from the oversight! dept

We’ve talked quite a bit about National Security Letters (NSLs) and how the FBI/DOJ regularly abused them to get just about any information the government wanted with no oversight. As a form of an administrative subpoena — with a built in gag-order — NSLs are a great tool for the government to abuse the 4th Amendment. Recipients can’t talk about them, and no court has to review/approve them. Yet they certainly look scary to most recipients who don’t dare fight an NSL. That’s part of the reason why at least one court found them unconstitutional.

At the same time, we’ve also been talking plenty about Section 215 of the PATRIOT Act, which allows the DOJ/FBI (often working for the NSA) to go to the FISA Court and get rubberstamped court orders demanding certain “business records.” As Ed Snowden revealed, these records requests can be as broad as basically “all details on all calls.” But, since the FISA Court reviewed it, people insist it’s legal. And, of course, the FISA Court has the reputation as a rubberstamp for a reason — it almost never turns down a request.

However, in the rare instances where it does, apparently, the DOJ doesn’t really care, knowing that it can just issue an NSL instead and get the same information. At least that appears to be what the DOJ quietly admitted to doing in a now declassified Inspector General’s report from 2008. EFF lawyer Nate Cardozo was going through and spotted this troubling bit:

We considered the Section 215 request for [REDACTED] discussed earlier in this report at pages 33 to 34 to be a noteworthy item. In this case, the FISA Court had twice declined to approve a Section 215 application based on First Amendment Concerns. However, the FBI subsequently issued NSLs for information [REDACTED] even though the statute authorizing the NSLs contained the same First Amendment restriction as Section 215 and the ECs authorizing the NSLs relied on the same facts contained in the Section 215 applicants…

In other words, the FBI had a neat way to get around a rare FISA Court rejection: just issue an NSL and ignore the First Amendment concerns.

Apparently, to some, whatever weak “oversight” there is from the FISA Court really just means “find another door in to violate the same Constitutional issues.”

Filed Under: doj, fbi, national security letters, nsa, nsls, section 215, surveillance

FBI Formally Accuses North Korea Of The Sony Hack

Overhype

from the h4x0r! dept

Just this morning, Tim Cushing (aka, Other Tim) wrote about how likely it was that the White House would make a statement today on the Sony hack, naming North Korea as the perpetrator and treating this all like a far bigger deal than they probably should be. However, the FBI beat them to the punch, becoming the first alphabet agency to formally accuse North Korea of being 56th in line in the great 12 year hackathon that’s been Sony’s corporate networks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

-Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

-The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

-Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Since the rumors that a formal accusation were on the way first began, the question on everyone’s mind has been exactly what evidence would be used to draw that conclusion. As it turns out, based on what the FBI is releasing, it seems fairly thin. Their press release makes it sound like the attacks upon which they’re drawing similarities are significantly alike, when a great deal of other reporting indicates that they simply use the same hacking software available on the black market and are routing through some locations known for their use by hackers. The similarity between the Sony attack and the attack on South Korea has more to do with the above plus the timing. The accusation that the hacks used were directly developed by North Korea are interesting, but meaningless without actual evidence. Simply saying it doesn’t make it so.

Regardless, even if North Korea does prove to have been responsible, there’s no excuse for saying things like:

North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.

While I’m generally loathe to blame a victim, when that victim takes so lax an attitude toward its own security as to be hacked roughly five times a year and still not bother to implement basic password policies, what else am I supposed to do? This doesn’t show the grave, mega-scary, super-threat of cyber-terrorism. It shows that Sony has some exceptionally lazy security and IT people. As for the attack posing a threat to a freedom of expression, well, we have Sony’s cowardice and the cowardice of the theater chains for that. It’s unbelievable that companies operating within the American system should self-censor this way. It’s surrender of the mind and the thought. It’s the same thing as the Danish cartoons and Salman Rushdie. Sony and the theaters are allowed to self-censor and to deprive the American people of the movie, but that doesn’t make it okay.

You should expect to see the White House touting the FBI’s report as gospel and to rattle several sabers in the direction of Pyongyang, for all the good it will do. Giving in to a regime that can’t manage to feed its own people seems like a mistake to me, but what do I know?

Update: And, almost as this post was finished being written, President Obama appeared before the press to condemn the attacks. He also indicated that it was the wrong move for Sony to censor the movie. In fact, he suggested that Sony should have consulted with the administration to assess the threat. Both comments, of course, are quite easy to make now that it’s Friday and the decision cannot be reversed.

Filed Under: emails, fbi, north korea, sony email hack, sony hack

FBI Seizes 20 Boxes Of Documents Related To Los Angeles School District's $1.3 Billion iPad Program

Failures

from the $1.3-billion-is-a-motive-with-a-universal-adapter dept

The FBI is suddenly very interested in the Los Angeles School District’s $1.3 billion iPad purchase. Earlier this fall, the LASD board voted to lower retention periods on email to one year, bringing it conveniently back in line with the district’s policy, but more to the point, hopefully ensuring that it wouldn’t be embarrassed again by emails older than 365 days.

The decision comes less than three weeks after KPCC published two-year-old internal emails that raised questions about whether Superintendent John Deasy’s meetings and discussions with Apple and textbook publisher Pearson influenced the school district’s historic $500 million technology contract.

What’s detailed in these emails appears to be the impetus for the following:

L.A. school district officials turned over 20 boxes of documents Monday in response to a federal grand jury subpoena for documents related to its troubled iPad project, officials confirmed Tuesday afternoon.

The subpoena asked for documents related to the bidding process as well as to the winning bidders in the $1.3-billion effort to provide a computer to every student, teacher and campus administrator.

The contract, approved in June 2013, was with Apple to supply iPads; Pearson provided the curriculum as a subcontractor.

LASD’s attempt to put some sort of device in every one of its students’ hands has failed miserably. Students cracked the school’s proprietary lockdown measures within days of receiving them, loading up the tablets with unapproved software and photos, all the while browsing a now-uncensored web.

The district’s tech distribution plan has now ground to a halt. The allegedly crooked superintendent behind the iPad/Pearson partnership has since resigned and only 91,000 of the 650,000 iPads destined for students and teachers have actually been purchased. The district is now giving schools the option of picking up cheaper Chromebooks, which would have been a great idea if only the district hadn’t previously spent money purchasing laptops that were pricier than the $768 iPads (which also come bundled with $200 worth of Pearson software — software found to be mostly useless by evaluators, who noted that only one classroom in the 245 surveyed was actually using it for daily work).

The new superintendent (who inherited former superintendent John Deasy’s possibly illegal mess), Ramon Cortines, states that the iPad program is now off the table completely.

The morning after the FBI seized the documents, Supt. Ramon C. Cortines said he was shelving the contract.

Cortines said his decision was not based on the surprise visit by FBI agents to district headquarters.

Yes, well, maybe not “based” entirely on that, but the FBI’s removal of 20 file boxes of documents related to the iPad purchases certainly must have played a small part. Now, we’ll have to see what the FBI uncovers as a previous investigation by the LA County district attorney’s office found no evidence of wrongdoing — or at least, nothing wrong enough to result in criminal charges.

While the intention of the tech rollout was good (put devices in the hands of students who couldn’t otherwise afford them), everything else about it was wrong, not the least of which was the former superintendent’s cozy relationship with the two primary vendors. Nearly useless software tethered to locked down devices ensured that the only beneficiaries of this project were those selling hardware and software. This was $1.3 billion spent with little more to show for it than an open FBI investigation — hardly the sort of results anyone could call “encouraging.”

Filed Under: fbi, ipads, john deasy, lasd, los angeles school disstrict
Companies: apple, pearson

DOJ Using Antiquated 1789 'All Writs Act' To Try To Force Phone Manufacturers To Help Unlock Encrypted Phones

Legal Issues

from the any-and-all-methods dept

With the ongoing fight over mobile encryption in the last few months, it’s no secret that law enforcement has been pushing for new laws that require backdoors into encrypted offerings. However, the Wall Street Journal also noted another little trick that the Justice Department appears to be testing out: dumping the problem back on the phone manufacturer, by using a centuries old law to require the [nameless] phone manufacturer to help law enforcement decrypt a phone. And, Ars Technica then found another example of it being used on the very same day in a different case to try to pressure Apple into helping to decrypt a phone.

Specifically, the DOJ used the All Writs Act — a 1789 law, that is now codified as 28 USC 1651. It’s pretty straightforward (and broad):

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.

The case the WSJ found is not at all clear in the details. An order was issued to a phone manufacturer — whose name is redacted to [XXX] Inc. — saying that it needed to help the DOJ unlock the phone. Federal Court Magistrate Judge Gabriel Gorenstein (in the Southern District of NY) agreed, but issued the public ruling on it, perhaps recognizing that this is diving into slightly questionable territory. While noting that the All Writs Act was also the basis for so called “pen register” orders (recording phone numbers dialed by certain phones based on court orders), Gorenstein points out that this is a similar situation:

the Supreme Court held that a district court had authority under the All Writs Act to issue an order requiring a telephone company to provide technical assistance to the Government in its effort to install a “pen register” ? a device for recording the numbers dialed on a telephone…. Thus, we conclude that it is appropriate to order the manufacturer here to attempt to unlock the cellphone so that the warrant may be executed as originally contemplated.

However, Gorenstein points out that the All Writs Act isn’t without its limits, and thus he provides the phone manufacturer a chance to protest, arguing that the request is too burdensome:

The Government has provided a proposed Order that directs the manufacturer to provide “reasonable technical assistance” in unlocking the device. The proposed Order omits, however, any mention of a process by which the manufacturer may seek to the challenge the Order. Courts have held that due process requires that a third party subject to an order under the All Writs Act be afforded a hearing on the issue of burdensomeness prior to compelling it to provide assistance to the Government…. To the extent the manufacturer believes the order to be unduly burdensome or that it should be reimbursed for expenses, the manufacturer should be given clear notice that it has the opportunity to object to the Order.

It’s unclear if the manufacturer did object to the order or not. In the other case, in the Northern District of California, Magistrate Judge Kandis Westmore doesn’t hide Apple’s name, noting that the FBI has the phone and wants Apple’s help to decrypt it under the All Writs Act. The request, filed on the same day as the ruling in NY, notes that “in other cases, courts have ordered the unlocking of an iPhone under this authority.” In other words, it looks like the DOJ wasted no time using the ruling in NY to suggest this was a common way of forcing the phone manufacturer to help decrypt phones. Though, as others have pointed out, other courts have actually pushed back on attempts by the feds to use the All Writs Act to spy on people like this.

Either way, Westmore doesn’t go as far as Gorenstein, and rather notes that Apple only need provide “reasonable technical assistance” but “is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.” Instead:

Apple’s reasonable technical assistance may include, but is not limited to, bypassing the iOS Device’s user’s passcode so that the agents may search the device, extracting data from the Device and copying the data onto an external hard drive or other storage medium that law enforcement agents may search, or otherwise circumventing the Device’s security systems to allow law enforcement access to Data and to provide law enforcement with a copy of encrypted data stored on the iOS Device.

Westmore’s response seems somewhat limited. It basically says that Apple can help getting the (encrypted) data off the device if the FBI can’t figure out how, but it shouldn’t have to help to decrypt it. The NY case ruling seems much more open ended. It’s unclear if the nameless manufacturer in the NY case did push back on the ruling by protesting it. If it did, the efforts are probably sealed up. However, it does suggest that the DOJ is already figuring out a variety of ways to try to pressure even those who lock down information on devices to help the DOJ break those locks.

Filed Under: all writs act, doj, fbi, gabriel gorenstein, kandis westmore, mobile encryption, phone manufacturers