115 posts categorized "Surveillance" Feed

FBI Bought Tool To Hack San Bernardino Attacker's iPhone. Plans Brooklyn Court Action To Force Apple To Unlock iPhone

Federal Bureau of Investigation logo A previous blog post discussed the assistance the U.S. Federal Bureau of Investigation (FBI) has received from an undisclosed company after abandoning its lawsuit against Apple, Inc. regarding the San Bernardino attackers. There have been two important developments this week.

First, CNN reported on Thursday about the hacking method:

"FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters... FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters."

FBI Director James Comey did not disclose the name of the tool nor the company's name. The CNN news story also discussed whether or not the government will inform Apple about the hacking method:

"Comey said the government was currently considering whether to tell Apple how it pulled off the hack. "We tell Apple, then they're going to fix it, then we're back where we started from," he said. "We may end up there, we just haven't decided yet."

Second, NBC News reported today that the government plans legal action in Brooklyn to force Apple to unlock an iPhone:

"The Justice Department notified a federal judge Friday that it intends to pursue a lawsuit in Brooklyn against Apple, seeking to force the company to open the iPhone of a convicted New York drug dealer. In February, the judge denied the FBI's request to force Apple to open the New York phone, but the Justice Department appealed that ruling... The method a third party provided to open the San Bernardino phone won't work on the Brooklyn phone, federal officials said. "

So the legal fight will continue to force a tech company to build "back door" software into its product. Three things seem clear: a) the FBI wants an updated legal precedent (rather than a 227-year-old law) to force any tech company to build "back door" software into its products and services; b) the FBI believes that it has a stronger case in Brooklyn. Having hacked an iPhone in California, it can argue with more credibility in court why it needs Apple's help in Brooklyn; and c) if successful in court in Brooklyn, the FBI gets investigative tools for free rather than having to pay.

Obviously, news about this story will continue to break. There is so much unknown and undisclosed.

Why iPhones Are Now Less Secure, And How This Affects Everyone

Federal Bureau of Investigation logo Tuesday's blog post discussed the announcement by the U.S. Department of Justice (DOJ) that it had withdrawn its lawsuit against Apple, Inc. because the Federal Bureau of Investigation (FBI), with the help of an unnamed third party, had successfully unlocked the San Bernardino attacker's iPhone and accessed the information in the device. That blog post also discussed several related issues and implications. The government did not disclose the exact method it used to unlock the iPhone.

Today's blog post explores another related issue: whether the government will inform Apple of the vulnerability. With information about the vulnerability, Apple can improve the security of its iPhones. That will help all iPhone users better protect their privacy. The Washington Post reported:

"The FBI plans to classify this access method and to use it to break into other phones in other criminal investigations."

The article described how security research usually works. When security engineers find a vulnerability, they inform the developer so a fix can be quickly built and distributed to users. Also, other developers learn:

"Vulnerabilities are found, fixed, then published. The entire security community is able to learn from the research, and — more important — everyone is more secure as a result of the work. The FBI is doing the exact opposite... All of our iPhones remain vulnerable to this exploit."

No doubt, the FBI and other U.S. government law enforcement (and spy) agencies will use the vulnerability to unlock more iPhones. People forget that iPhones are used by:

"... elected officials and federal workers and the phones used by people who protect our nation’s critical infrastructure and carry out other law enforcement duties, including lots of FBI agents... The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies..."

The worst case scenario: by withholding vulnerability information, the government fosters a situation where Apple products are less secure than other brands developed abroad, whose governments freely shares vulnerability information. That could negatively affect the tech company's revenues and profitability... meaning lost jobs here.

There is one tiny bit of good news in this mess (bold added):

"The FBI did the right thing by using an existing vulnerability rather than forcing Apple to create a new one, but it should be disclosed to Apple and patched immediately."

So now, the bad guys - criminals, hackers, other governments' spy agencies -- know for sure that a vulnerability exists in newer iPhones. If they look hard enough and long enough, they can find it, too. (Many of the bad guys hire skilled, experienced engineers, too.) Once found, they too can use the vulnerability to hack iPhones.

The government's decision to classify the vulnerability seems myopic at best, and at worse extremely unfriendly to users and business. This weakens our defenses. It does not make our defenses stronger.

The government's approach seems to be surveillance trumps privacy. You could say: surveillance by any means necessary (sorry, Malcolm) and damn the consequences. Damn the collateral damage.

Is this wise? Ethical? Is this how you want your government to operate? Was there a debate about this? Did you provide any input to your elected officials? Have they listened?

Justice Department Withdraws Lawsuit Against Apple. Confirms Third Party Successfully Unlocked Attacker's iPhone

Federal Bureau of Investigation logo The U.S. Justice Department (DOJ) announced on Monday its decision to withdraw its lawsuit to force Apple, Inc. to unlock an iPhone used by one of the San Bernardino attackers. U.S. Attorney Eileen M. Decker, of the Central District in California, made the two-paragraph announcement:

"The government has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone that was used by one of the terrorists who murdered 14 innocent Americans in San Bernardino on December 2nd of last year. Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone.

We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting – that we will not rest until we have fully pursued every investigative lead related to the vicious attack. Although this step in the investigation is now complete, we will continue to explore every lead, and seek any appropriate legal process, to ensure our investigation collects all of the evidence related to this terrorist attack. The San Bernardino victims deserve nothing less."

The announcement confirmed that a undisclosed third party had successfully unlocked the attacker's newer model iPhone and retrieved information from it without triggering the auto-erase security feature. Rumors have speculated that Israel-based Cellebrite is the third party assisting the Federal Bureau of Investigation (FBI). There also was speculation that the National Security Agency (NSA) assisted the FBI.

After a cancelled March 22 court hearing, the government had an April 5 deadline to provide a status to the court. In its original complaint, the government used a 227-year-old law to force the tech company to build software to unlock the newer model iPhone and bypass its security features. The judge agreed and Apple appealed the decision.

The announcement did not mention what, if any, useful information the phone revealed. The government had suspected the device may contain information about other persons working with the attackers.

The legal fight between the FBI and Apple probably is not over. The New York Times reported:

"... what happened in the San Bernardino case doesn’t mean the fight is over,” said Esha Bhandari, a staff lawyer at the American Civil Liberties Union. She notes that the government generally goes through a process whereby it decides whether to disclose information about certain vulnerabilities so that manufacturers can patch them. “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.”

Apple released a brief statement yesterday:

"From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated. Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk..."

At least for now, engineers at Apple can refocus on improving the device's security without being forced to do investigative work the government should have done. According to TechCrunch:

"... the Department of Justice said the method only works on this phone in particular. But it’s hard to believe this argument as there’s no reason the FBI wouldn’t be able to unlock other iPhones 5c running the same version of iOS 9. Moreover, if the FBI found a software exploit, this exploit should work with all iPhones running on this version of iOS 9 (and most likely the current version of iOS, iOS 9.3)..."

What to make of these events?

If the government didn't find any useful information on the attacker's phone, then this court case has been a huge waste of time and taxpayer's money. There was speculation that the government's strategy was to gain broader legal powers to force tech companies to help it break into encrypted devices. (Reread Decker's announcement above, including "... seek any appropriate legal process...") It didn't get that legal precedent by abandoning the case.

However, two U.S. Senators have drafted proposed legislation giving federal judges such broader powers. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee. Will this proposal continue now that the government has withdrawn its lawsuit? Should this proposal continue? If it does, that bears watching. I guess the DOJ didn't want to wait for a gridlocked Congress to act next year after elections.

What are your opinions of these events?

FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

Federal Bureau of Investigation logo A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn if this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Apple Inc. logo Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have the decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone was not always such a fierce competitor. While it’s seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli-firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?

Apple Engineers Consider Their Options, The FBI's Goals, And 'Warrant-Proof Phones' Spin

Apple Inc. logo The encryption engineers at Apple are considering their options, if the U.S. Federal Bureau of Investigation (FBI) is successful at forcing their employer to build back doors into one or several iPhones. The New York Times reported: that

"Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees. Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives."

One explanation for this:

“It’s an independent culture and a rebellious one,” said Jean-Louis Gassée, a venture capitalist who was once an engineering manager at Apple. “If the government tries to compel testimony or action from these engineers, good luck with that.”

The tech company estimated it would take 10 engineers about a month to develop the back-door software, some have called, "GovtOS." That estimate assumed the encryption engineers would be on staff and available. Security experts have warned that more court orders to unlock iPhones will likely follow, if the FBI is successful with forcing Apple to unlock the San Bernardino attacker's phone. 

Since the "back doors" are really software, that software must be developed, debugged, tested, and documented like any other. Those tasks require a broader team across multiple disciplines; all of which could be working (instead) on other projects that generate revenue. Then, multiply this by multiple unlock demands. Will the government reimburse Apple for the new, broader project team it creates to build back-door software? Will the government reimburse Apple for the opportunity cost from lost projects and revenues the team members could have completed instead? Will the government reimburse Apple for the costs of hiring engineers and workers to replace those who quit? It will be interesting to see how the financial markets evaluate all of this, if the FBI successfully forces Apple to unlock iPhones.

By using a 227-year-old law, it seems that the FBI and Director James Comey want to direct the development work of private companies to do tasks they should do themselves, while ignoring the unintended consequences to business and jobs. (Remember, experts warned in 2014 that NSA spying could cost the tech industry billions of dollars.) Has the government really thought this through? It seems like they haven't.

Federal Bureau of Investigation logo What are the FBI's goals? An article in Quartz suggested that the FBI is:

"... worried about is the fast-approaching future when its best hackers will be stymied by powerful corporate encryption and security systems. Federal law, in its current state, is of little help. There is no precedent that will allow the government to force a private company to change its security systems so that the FBI can get inside and take a peek. In fact, the Communications Assistance for Law Enforcement Act (CALEA) could be interpreted to restrict the government from doing so. The FBI has apparently decided that it’s time for federal law to change. So its officials have been searching for a particular case that would give them a shot at changing the established legal precedent.."

Learn more about CALEA and the FBI's attempts since 2010 to expand it. An MIT Technology Review article debunked the government's spin and fear-mongering claims of a new period of "warrant-proof phones" (e.g., newer iPhones) and "going dark." There have always been warrant-proof products and services because these (analog or paper-based) items historically didn't archive or store information. So, historical government surveillance was always "dark." While law enforcement may lose some information surveillance sources in the future due to encryption, the multitude of new technologies, products, services, companies, web sites, and mobile apps during the past few years have provided it with far more sources with far more detailed information than it ever had. The old saying seems to apply: can't see the forest for the trees.

I agree. We definitely live in the golden age of surveillance.

The government's argument is weak also because it ignores the option that the well-funded bad guys, such as drug cartels and terrorist networks, can, a) purchase encrypted communications products and services elsewhere outside the USA, and b) hire engineers and programs to maintain their own encrypted systems.

What are your opinions?

John Oliver's Awesome Fake Apple Ad About Encryption, Privacy And iPhones

With the ongoing legal battle about encryption between Apple and the Federal Bureau of Investigation (FBI), John Oliver, the host of the "Last Week Tonight" show, presented a satirical advertisement for Apple to help consumers understand encryption. The segment is worth watching.

First, some background. The FBI used a 227-year-old law to force Apple to build a "back door" into an iPhone used by one of the San Bernardino attackers, who killed 14 persons. The FBI believes that there may be information on that phone that could lead to other persons involved. Apple has appealed the court decision, citing several security and privacy issues. The back doors, really software, can be stolen and/or modified to make all iPhones vulnerable.

Legal experts warned that the 227-year-old All Writs Act is too broad, and Congress should act to clarify the law. Since then, we've learned that the FBI made access to the phone more difficult after a failed attempt to hack the attacker's iCloud account. Experts also warned that if Apple is forced to build a back there may be unintended consequences, including tech companies moving their operations and jobs offshore to avoid heavy-handed government surveillance and intrusions. And, if the government weakens encryption and security in products made by U.S. tech companies, then users (both good guys and bad guys) will simply shop elsewhere since many security products are already made abroad.

This week, we learned that Apple said the government is lying when it claimed that the company produced advertisements stating that encryption keeps out law enforcement. No doubt, there will be more disclosures and revelations. This latest claim makes the fake ad even more timely. No doubt, the final outcome of the Apple versus FBI court case will affect everyone.

The entire 18-minute segment is a good, funny, entertaining primer about encryption. The about-face by technophobe and U.S. Senator Lindsey Graham (R-South Carolina) is priceless. The fake ad appears in the last two minutes:

Apple News: eBook Price Fixing, Brooklyn, And San Bernardino

Apple Inc. logo Apple, Inc. Has been in the news a lot recently. So, it can be a little confusing to keep track of events. Below is a brief summary of three separate court cases.

First, the U.S. Supreme Court (SCOTUS) declined to hear an appeal by the tech giant about ebook price-fixing with book publishers. The U.S. Justice Department had sued Apple and several book publishers in April, 2012. A lower court decision in 2013 found Apple guilty. Since the SCOTUS declined to hear the appeal, then the lower court decision stands, and Apple must pay a $450 million class-action settlement. Fortune Magazine reported:

"The publishers—Hachette, Penguin, Simon & Schuster, HarperCollins and Macmillan—promptly settled the case, but Apple chose to fight the charges in court. This led to a highly publicized trial in which U.S. District Judge Denise Cote issued a lengthy ruling that Apple had clearly violated Section 1 of the Sherman Act... The price-fixing case, which transfixed the publishing industry, began in 2010 when Apple’s late CEO, Steve Jobs, persuaded five major publishers to sell books on the iPod. Under the arrangement, which was designed to wrest pricing power from Amazon, the publishers shifted to a so-called “agency pricing” model in which they set the price and passed along a commission to Apple."

Second, in California Apple has appealed a lower court's decision forcing it to unlock an iPhone (running iOS 9) used by one of the San Bernardino attackers. A decision in that appeal is pending. The Federal Bureau of Investigation (FBI) admitted during testimony before Congress that it had erred when it reset the associated iCloud password, making it more difficult to access the attacker's iPhone.

Third, a court in Brooklyn (New York) ruled late in February that Apple did not have to unlock a Brooklyn drug dealer's iPhone running the iOS 7 operating system.The tech giant had initially agreed to unlock the phone, but then declined when the court demanded first more information before issuing a search warrant. Bloomberg Business reported:

"When the government first contacted Apple about the drug dealer’s phone, an Apple “data extraction specialist” said it could find data on pre-iOS 8 phones after receiving a search warrant. The next day, the government sought a warrant from [Judge] Orenstein..."

Federal Bureau of Investigation logo Prosecutors have used the All Writs Act in both the Brooklyn and San Bernardino cases. Bloomberg Business reported that prosecutors In the Brooklyn case argued:

That Apple routinely extracted data from such devices shows the government’s request is not “burdensome” and doesn’t violate the All Writs Act, a 1789 law that prosecutors used to demand that Apple help access data on locked phones, the U.S. said. In refusing the government, Orenstein sided with the company’s claim that prosecutors were taking the law too far. He said Congress should resolve the issue. In their appeal, prosecutors said the All Writs Act authorizes courts to issue such warrants and that Orenstein’s “analysis goes far afield of the circumstances of this case and sets forth an unprecedented limitation of federal courts’ authority.”

Bloomberg Business also reported:

"Apple helped the government access data on at least 70 iPhones before it stopped cooperating, according to prosecutors. For phones using older operating systems, the company can extract data from locked devices at its headquarters, according to a guide it produced for law enforcement..."

Apple vs. FBI: "Extraordinary" Government Actions May Cause U.S. Companies To Move Offshore

Apple Inc. logo There may be unintended consequences of the Federal Bureau of Investigation (FBI) is successful with forcing Apple, Inc. to build back doors into its iPhones. What might some of those unintended consequences be? TechCrunch reported that Lavabit filed an amicus brief supporting Apple. Never heard of Lavabit? Forgot about Lavabit? You may remember:

"... Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden... the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world..."

Federal Bureau of Investigation logo In its brief, Lavabit argues that by being forced to build back doors into its devices. not only would Apple's brand be tarnished, but that the ability of iPhone users to receive reliable and secure operating-system security updates would be degraded. Some updates might include malware. If users' trust decreases and they choose to stop receiving security updates, then their devices become more vulnerable than otherwise. That's not good. And, if people blame government for starting this security mess, then that's not good either since it would erode trust in government.

Would companies relocate out of the United States due to privacy and surveillance concerns? Consider:

"... Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy."

Plus, there are money concerns. Since 1982, at least 51 companies completed tax inversions: moved their headquarters (and sometimes some employees) out of the United States to another country to enjoy lower taxes. So, Burger King is now a Canadian company. Pfizer is now an Irish company. And, lower tax payments by companies make government deficits (federal, state, local) worse. The bottom line: profitability matters. When companies suffer lower profitability -- as tarnished brands often do -- their executives take actions to improve profits. It's what they do.

Want to learn more about Lavabit? At about the two-thirds mark in the film "CitizenFour," Lavabit founder Ladar Levison shares some of his experiences.

Why The FBI Can't Access The San Bernardino Attacker's iPhone

Federal Bureau of Investigation logo On Tuesday, the head of the Federal Bureau of Investigation (FBI) admitted during House Judiciary Committee hearings that his agency lost an opportunity to access the San Bernardino attacker's iPhone when it reset the password to the iCloud account associated with the phone. The New York Times reported:

"There was a mistake made in the 24 hours after the attack,” James B. Comey Jr., the director of the F.B.I., told lawmakers at a hearing on the government’s attempt to force Apple to help “unlock” the iPhone. F.B.I. personnel apparently believed that by resetting the iCloud password, they could get access to information stored on the iPhone. Instead, the change had the opposite effect — locking them out and eliminating other means of getting in."

A Federal Court judge had ruled last month in favor of the FBI, and ordered Apple to develop the software to unlock the attacker's phone. Apple is appealing the ruling. FBI officials have claimed that the phone may contain information about what the attacker and his wife did before the attack, and who they communicated with. More details emerged during the hearing:

"When the dispute over Mr. Farook’s iPhone erupted two weeks ago, the Justice Department blamed technicians at San Bernardino County, which employed Mr. Farook as an environmental health specialist and which owned the phone he used. But county officials said their technicians had changed the password only “at the F.B.I.’s request.” Mr. Comey acknowledged at the hearing that the F.B.I. had directed the county to change the password."

Apple Inc. logo Bruce Sewell, the general counsel at Apple, also spoke at the hearing on Tuesday. He warned:

"... the F.B.I.’s demand for technical help to unlock Mr. Farook’s iPhone 5c “would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” Apple has said that in many cases investigators have other means to gain access to crucial information, and in some instances it has turned over data stored in iCloud."

Mr. Sewell also said:

"... before F.B.I. officials ordered the password reset, Apple first wanted them to try to connect the phone to a “known” Wi-Fi connection that Mr. Farook had used. Doing so might have recovered information saved to the phone since October, when it was last connected to iCloud. “The very information that the F.B.I. is seeking would have been available, and we could have pulled it down from the cloud..."

So, the FBI has only itself to blame for the current mess, and for making access to the attacker's iPhone more difficult.

Government Uses 227-Year-Old Law To Force Apple To Unlock Terrorist's iPhone

Federal Bureau of Investigation logo The U.S. Department government has used a law created in the 1700's to force Apple Computer to break into an iPhone used by a terrorist last year. The New York Times reported that on Tuesday:

"... Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California ordered Apple to bypass security functions on an iPhone 5c used by Syed Rizwan Farook, who was killed by the police along with his wife, Tashfeen Malik, after they attacked Mr. Farook’s co-workers at a holiday gathering. Judge Pym ordered Apple to build special software that would essentially act as a skeleton key capable of unlocking the phone... The Justice Department had secured a search warrant for the phone, owned by Mr. Farook’s former employer, the San Bernardino County Department of Public Health, which consented to the search... the F.B.I., instead of asking Congress to pass legislation resolving the encryption fight, has proposed what appears to be a novel reading of the All Writs Act of 1789... The government says the law gives broad latitude to judges to require “third parties” to execute court orders. It has cited, among other cases, a 1977 ruling requiring phone companies to help set up a pen register, a device that records all numbers called from a particular phone line..."

Apple Inc. logo So far, Apple has refused to comply. Excerpts from a statement by Apple:

"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake... Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us. For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe... But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control... The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data."

This is not the first use of the All Writs Act against Apple. NPR reported:

"Last fall, the Justice Department, using the All Writs Act, tried to force Apple to unlock an iPhone running iOS 7 in a case involving a suspected methamphetamine dealer. Apple responded that it might be technically capable of unlocking that phone (since iOS 7 has fewer security features than later operating systems) but said the cost to the company's reputation — and resulting harm to its business — would pose an "undue burden." That case is still pending.."

The NPR news story also mentioned:

"In 2014, at the Justice Department's request, a federal court in New York used the law to order a phone-maker to unlock a password-protected device. The Justice Department says various other companies have been ordered under the All Writs Act to provide otherwise inaccessible information to investigators."

This is huge news. It highlights several privacy issues:

  1. Has the government over-reached by using a 1789 law?
  2. How can the government force a company to build something -- software, malware -- that doesn't exist? This Atlantic article describes the coercion slippery slope.
  3. Can Apple successfully build a back door for a single iPhone?
  4. If #3 is not technically impossible, does the back door place all iPhones at risk?
  5. Are back doors the best way to fight terrorism? Like you, terrorists read the news and will simply switch to other products without built-in back doors.
  6. Are back doors really needed? The law enforcement community is split over this.
  7. Are back doors a benefit or a risk?
  8. How does the government ensure that criminals, terrorists, and other governments' hackers don't use the same "back doors" it uses? After all, the Federal government has had massive data breaches.
  9. Do "back doors" prevent businesses from adequately protecting their proprietary trade secrets, processes, and private information?
  10. Why haven't other technology companies resisted the government's demands for back doors, as Apple has? This Wired article discusses why Apple's position (including encryption and strong privacy protections) is good for business.
  11. What does this mean for consumers' privacy? Some iPhone users have already built a website for protests.

Regarding item #1, the American Civil Liberties Union (ACLU) wrote in December 2015:

"The All Writs Act permits a court to issue an order to give effect to a prior lawful order or an existing grant of authority, and has been used for such things as ordering a prisoner be brought before a court. The Act does not allow a court to invest law enforcement with investigative tools that Congress has not authorized — like the extraordinary and unconstitutional conscription of a third party into obtaining information the third party does not possess or control... it’s even more troubling to consider that the government, by its own admission, has invoked it successfully in at least 70 cases."

The ACLU, the ACLU of Northern California, and the Center for Internet and Society (CIS) at Stanford Law Scvhool, filed a Freedom of Information Act (FOIA) request in December to understand the government’s use of the All Writs Act to force device manufacturers to unlock devices. It is important to known the full scope of the government’s use of a 227-year-old law. The Electronic Frontier Foundation (EFF) announced that it will file an amicus brief supporting Apple.

Center for Internet and Society at Stanford law School logo The CIS responded to the recent court decision:

"The text of the court order is here. Although it does not direct Apple to break the encryption per se, it asks the company to disable features that make it more difficult to brute force the device security capabilities -- such as the function that disables (er, self-destricts) the device after multiple attempts to enter a PIN number. While that sounds innocuous enough, it is likely such access cannot be granted on a device-by-device basis upon demand by law enforcement, although some technologists believe it possible. Rather, unless Apple demonstrates the technical, economical, or temporal infeasability of complying with the judge's order or gets the order lifted, the consequence may well be an update/patch to IOS that would implement that proverbial "backdoor" feature that certain law enforcement officials -- specifically, FBI Director James Comey -- allege is needed to protect the country, citizens, and (think of the) children from Any Number of Evil-Sounding Things That May or May Not Be True(tm). By contrast, NSA Director Admiral Mike Rogers has already stated publicly there is no need for such back doors or law enforcement access, and that strong Internet security features are more of a benefit than risk to society -- despite that perennial and selectively sensational hand-wringing by prominent law enforcement and/or intelligence officials..."

The privacy-friendly DuckDuckGo.com search engine posted this tweet on Wednesday:

Tweet by DuckDuckGo.com search engine about Apple iPhone privacy and government back door demand

And former N.S.A. contractor Ed Snowden posted:

Tweet by former NSA contractor ed Snowden about the FBI demand for Apple to unlock an iPhone

New York Civil Liberties Union Reports 'Stingray' Usage By New York City Police

After several freedom-of-information requests, the New York Civil Liberties Union (NYCLU) announced yesterday:

"In response to an NYCLU FOIL request, the NYPD disclosed it used Stingrays nearly 1,016 times between 2008 and May of 2015 without a written policy and following a practice of obtaining only lower-level court orders rather than warrants. This is the first time the extent of the use of Stingrays by the NYPD has been made public... Authorities are able to conduct this surveillance without the involvement of cell phone companies... The NYPD also disclosed that it has no written policy for the use of Stingrays but that, except in emergencies..."

Stingrays are devices that simulate real cellular phone towers in order to track and collect data about phone users. Your phone cannot distinguish between a real and simulated cellular tower. The data collection affects many people besides the persons being tracked:

"... in some configurations, [stingrays] collect the phone numbers that a person has been texting and calling and intercept the contents of communications. Stingrays also sweep up information from nearby bystander cell phones even when used to target specific phones..."

So, you can be completely innocent, and still be tracked. Not good. The U.S. Justice department implemented a new policy in September 2015 requiring probable-cause warrants for some usage. Stingrays are used by federal, state, and local law enforcement in at least 18 states. Stingrays are used far beyond New York City:

"Last April, the NYCLU released records showing the Erie County Sheriff’s Office had used Stingrays 47 times in the last four years and only once indicated obtaining a pen register order before doing so... In May, NYCLU FOIL requests also revealed that the New York State Police spent hundreds of thousands of taxpayer dollars on Stingrays and related equipment."

The NYCLU is an affiliate of the American Civil Liberties Union (ACLU). Read this to learn more about stingray usage by law enforcement.

Blocking The Ad Blockers

The digital advertising arms race is well underway. Since many consumers have installed ad blocking software on their computing devices for privacy and a better online experience, some publishers have responded by blocking those online users... or at least those users' web browsers.

While attempting to stream the latest episode of a popular television show, I encountered the message below, which is an extremely poor implementation. It suggested that i disable all ad blocking software. A better, responsible implementation would include messaging about the specific advertising mechanism:

Blocked ad blocker at CBS website. Click to view larger image

Have you encountered any similar messages at other sites?

You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page. Click to view larger version.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookiescanvas finger-printing, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster, are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]

ESPN Report Links Spygate To Deflategate. Chronicles Decisions By NFL

National Football League logo If you haven't read it, there is a very interesting article at ESPN about the National Football League (NFL) and the New England Patriots team. After reading this ESPN article, it seems that the NFL has a gigantic mess on its hands. If the article is accurate, and it's accuracy is questionable given ESPN's erroneous reporting previously of the number of deflated footballs, then the punishment by NFL Commissioner Roger Goodell for deflategate was linked to spygate.

A better-written ESPN would have included embedded text links, for fans to read more and verify certain statements. Also, the article reads like a hit job on the Patriots... to tarnish the team’s brand and its value, thereby hurting Kraft in the wallet since QB Tom Brady won in court the first round against the league. At the same time, Goodell’s decision to destroy spygate evidence tarnishes the league’s credibility. Hence, huge mess. Some gems from the article:

“To many owners and coaches, the expediency of the NFL's [2008 spygate] investigation -- and the Patriots' and Goodell's insistence that no games were tilted by the spying -- seemed dubious. It reminded them of something they had seen before from the league and Patriots: At least two teams had caught New England videotaping their coaches' signals in 2006, yet the league did nothing. Further, NFL competition committee members had, over the years, fielded numerous allegations about New England breaking an array of rules. Still nothing. Now the stakes had gotten much higher: Spygate's unanswered questions and destroyed evidence had managed to seize the attention of a hard-charging U.S. senator, Arlen Specter of Pennsylvania, who was threatening a congressional investigation. This would put everyone -- players, coaches, owners and the commissioner -- under oath, a prospect that some in that room at The Breakers believed could threaten the foundation of the NFL.”

The supposed linkages between spygate and deflategate:

“Interviews by ESPN The Magazine and Outside the Lines with more than 90 league officials, owners, team executives and coaches, current and former Patriots coaches, staffers and players, and reviews of previously undisclosed private notes from key meetings, show that Spygate is the centerpiece of a long, secret history between Goodell's NFL, which declined comment for this story, and Kraft's Patriots. The diametrically opposed way the inquiries were managed by Goodell -- and, more importantly, perceived by his bosses -- reveals much about how and why NFL punishment is often dispensed. The widespread perception that Goodell gave the Patriots a break on Spygate, followed by the NFL's stonewalling of a potential congressional investigation into the matter, shaped owners' expectations of what needed to be done by 345 Park Ave. on Deflategate.”


“... many former New England coaches and employees insist that the taping of signals wasn't even the most effective cheating method the Patriots deployed in that era. Several of them acknowledge that during pregame warm-ups, a low-level Patriots employee would sneak into the visiting locker room and steal the play sheet, listing the first 20 or so scripted calls for the opposing team's offense.”

A Patriots employee was caught filming in the Jets stadium during a 2007 game, and his camera confiscated. Goodell’s decision to destroy this video evidence in 2008:

“During the first half, Jets security monitored Estrella, who held a camera and wore a polo shirt with a taped-over Patriots logo under a red media vest that said: NFL PHOTOGRAPHER 138. With the backing of Jets owner Woody Johnson and Tannenbaum, Jets security alerted NFL security, a step Mangini acknowledged publicly later that he never wanted. Shortly before halftime, security encircled and then confronted Estrella. He said he was with "Kraft Productions." They took him into a small room off the stadium's tunnel, confiscated his camera and tape, and made him wait... On Monday morning, Estrella's camera and the spy tape were at NFL headquarters on Park Avenue... Belichick explained that he had misinterpreted a rule, which the commissioner did not believe to be true, sources say, and that he had been engaged in the practice of taping signals for "some time." The coach explained that "at the most, he might gain a little intelligence," Goodell would later recall, according to notes. Belichick didn't volunteer the total number of games at which the Patriots had recorded signals, sources say, and the commissioner didn't ask... The next day, the league announced its historic punishment against the Patriots, including an NFL maximum fine for Belichick. Goodell and league executives hoped Spygate would be over... When Estrella's confiscated tape was leaked to Fox's Jay Glazer a week after Estrella was caught, the blowback was so great that the league dispatched three of its executives -- general counsel Jeff Pash, Anderson and VP of football operations Ron Hill -- to Foxborough on Sept. 18. What happened next has never been made public: The league officials interviewed Belichick, Adams and Dee, says Glaser, the Patriots' club counsel. Once again, nobody asked how many games had been recorded or attempted to determine whether a game was ever swayed by the spying, sources say. The Patriots staffers insisted that the spying had a limited impact on games. Then the Patriots told the league officials they possessed eight tapes containing game footage along with a half-inch-thick stack of notes of signals and other scouting information belonging to Adams, Glaser says. The league officials watched portions of the tapes. Goodell was contacted, and he ordered the tapes and notes to be destroyed, but the Patriots didn't want any of it to leave the building, arguing that some of it was obtained legally and thus was proprietary. So in a stadium conference room, Pash and the other NFL executives stomped the videotapes into small pieces and fed Adams' notes into a shredder...”

The articled is filled with interviews with people who claimed this or that. No hard evidence. I guess this is how an oligopoly approaches investigations and “justice.” Lots of allegations, rumors, no proof, destruction of what little evidence existed, lots of fines (like big banks), and never true honesty with fans by telling fans everything.

Does your favorite NFL team cheat? Yes, according to the Your Team Cheats site.

Like I said, it’s a big mess. I'm glad I stopped watching the NFL back in 2013.

New Justice Department Policy Requires Warrants For Some Stingray Uses

Department of Justice logo Just before the holiday weekend, the U.S. Department of Justice (DOJ) announced a new policy where probable-cause warrants are required for federal agencies to use cellular-tower simulators or "stingrays." The new policy went into effect immediately. The DOJ announced on September 3 that the new policy:

"... will enhance transparency and accountability, improve training and supervision, establish a higher and more consistent legal standard and increase privacy protections in relation to law enforcement’s use of this critical technology... To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators. This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy."

The new policy and stingray usage:

"... cell-site simulators may not be used to collect the contents of any communication in the course of criminal investigations. This means data contained on the phone itself, such as emails, texts, contact lists and images, may not be collected using this technology. While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator. There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. Department components will be required to track and report the number of times the technology is deployed under these exceptions."

The Electronic Frontier Foundation (EFF) discussed the new DOJ policy:

"Most importantly, starting today all federal law enforcement agencies—and all state and local agencies working with the federal government—will be required to obtain a search warrant supported by probable cause before they are allowed to use cell-site simulators. EFF welcomes these policy changes as long overdue... Until recently, law enforcement’s use of Stingrays has been shrouded in an inexplicable and indefensible level of secrecy. At the behest of the FBI, state law enforcement agencies have been bound by non-disclosure agreements intended to shield from public scrutiny all details... Law enforcement has gone to extreme lengths to protect even the most basic information about them, even dropping charges rather than answering judges’ questions about them."

The EFF article discussed how stingrays work and what they collect:

"... cell-site simulators masquerade as legitimate cell phone towers, tricking phones nearby into connecting to them. This allows agents to learn the unique identifying number for each phone in the area of the device and to track a phone’s location in real time... all mobile traffic (voice, data, and text) from every phone in the area could be routed through the Stingray, giving the operator the option to do anything from recording entire calls and texts, to selectively denying service to particular phones."

Powerful technology. The new DOJ has limitations. According to the EFF:

"The new policy isn’t law and doesn’t provide any remedy to people whose data is swept up by Stingrays operated without a warrant. Indeed, it won’t even act to keep evidence collected in violation of the policy out of court (this is known as suppression). The policy doesn’t apply to the use of Stingrays outside of the criminal investigation context. For instance, when federal agents use cell-site simulators for “national security” purposes, they won’t be required to obtain a warrant by the terms of this policy..."

And, most importantly:

"... without a statute or court decision giving this voluntary policy the force of law, there will be no consequences if law enforcement agents flout its terms and continue using Stingrays as they have—without warrants. With only this policy shielding us, there’s nothing keeping warrantless Stingray evidence out of court, and therefore nothing to deter agents from behaving badly."

U.S. Senator Patrick Leahy (D-Vermont) issued this statement on September 4 (link added):

"The Department of Justice’s new policies are finally starting to catch up with the rapid advancement of this tracking technology. For more than a year, Chairman Grassley and I have pressed the administration about the use of cell-site simulators, which sweep up cell phone signals from innocent Americans who are not targets of an investigation. Today’s announcement is a welcome step forward, and has the potential to bring transparency and consistency to the Department’s use of these tracking devices. However, I have serious questions about the exceptions to the warrant requirement that are set forth in this new policy, and I will press the Department to justify them.”

Reportedly, earlier this year the Baltimore Police Department acknowledged that it had already used the stingray technology more than 4,300 times. The technology is used by many other police departments.

What are your opinions of the Justice Department's new policy? Just right, too little too late, or too much? Do your elected officials adequately represent your views on stingray usage?

Location Privacy. Does Your State Allow Warrantless Searches Of Cellphones?

Does your state's laws allow law enforcement to perform warrantless searches for cellphone location data? The American Civil Liberties Union (ACLU) released a report where it researched each state's current laws to determine whether residents' location privacy is protected or not:

"... 18 states now require law enforcement to get a probable cause warrant before obtaining people’s cell phone location information. Six of those states protect both historical and real-time location information from warrantless search... This year alone, legislation was introduced in 17 states. Instead of waiting for Congress or the courts to act, state legislatures are leading the way..."

Metadata about your phone calls reveals who you called, who called you, when the call happened, and how long you talked. Geo-location data reveals your travel patterns: where you went, when you left, when you returned, how long you stayed, places you passed by and didn't enter, and travel patterns (e.g., places you visit frequently and/or at certain times or on certain days).

The report included what's known (so far) about stingrays, the technology using fake cellular phone towers to spy and collect your phone usage and geo-location data:

"... New Hampshire has joined the ranks of states offering full probable-cause warrant protection to both historical and real-time cell phone location information. The Washington legislature unanimously passed a law requiring a warrant for use of “StingRay” cell phone tracking equipment, and Virginia enacted a similar law."

You can browse the report to read detail about the laws (or lack thereof) in the state where you live. For example, the state where I live:

ACLU report on warrantless search laws by state. Massachusetts. Click to view larger version

Besides stingrays, the use of other technologies threaten consumers' location privacy. The ACLU of Southern California and the Electronic Frontier Foundation (EFF) asked the California Supreme Court to review their lawsuit seeking access to automated license plate-reader (ALPR) data collected by the Los Angeles Police and Sheriff’s Departments. The EFF said in July:

"This case has significant precedential impact, setting a troubling standard allowing police to keep these records and details of its surveillance of ordinary, law-abiding citizens from ever being scrutinized. The appeals court ruling may apply not only to records collected with license plate cameras, but to data collected using other forms of automatic and indiscriminate surveillance systems, from body cameras and dash cameras to public surveillance cameras and drones. Without access to these records, we can’t ensure police accountability."

The case started in 2012 when local law enforcement refused to disclose ALPR data after the EFF filed a public records request:

"... cameras mounted on patrol cars and at fixed locations around the city and county of Los Angeles. ALPRs automatically take a picture of all license plates that come into view and record the time, date, and location where the vehicle was photographed. Because the agencies store the data for two to five years, they have been able to collect a massive amount of sensitive location-based information on mostly innocent Los Angeles residents..."

Reportedly, the reasons given by local law enforcement agencies:

"The agencies refused to turn over the records, claiming they could withhold the millions of license plate data points as “records of law enforcement investigations,” which are exempt from public review under the California Public Records Act. Incredibly, they argued that all drivers in Los Angeles are under criminal investigation at all times—whether or not the police suspect them of being involved in any criminal activity. The ACLU has estimated that as many as 99.8% of the vehicles photographed by ALPR cameras are never linked to any ongoing criminal investigation..."

Sadly, both the trial and appeal courts sided with the law enforcement agencies. So, the threat to consumers is two-fold: a) collection of law-abiding citizens without notice nor consent, and b) lack of accountability of government surveillance programs that could extend into more technologies such as body cameras.

Last, all of this does not minimize nor condone surveillance by corporations, which is arguably more extensive than government surveillance. Terms such as behavioral advertising, geo-fencing, and targeted advertising are often used to describe private-sector surveillance, with vague promises of relevant advertising benefits. At the end of the day, surveillance is surveillance; tracking is tracking. Many law enforcement and spy executives have probably looked at the extensive private-sector surveillance with weak consumer protections and concluded, "if they can do it, so should we."

View the ACLU report and status of warrantless search laws in your state.

History: Mississippi Sovereignty Commission Spied On Citizens And Civil Rights Activists

Mississippi State flag It was arguably the largest government spy program on U.S. citizens prior to September 11, 2001. And, you probably have not heard about it.

The documentary "Spies of Mississippi" describes the structure, goals, and activities of the Mississippi State Sovereignty Commission (MSSC) when it spied during the 1950s and 1960s upon more than 87,000 American citizens, mostly civil rights (voting) rights activists, to maintain a White-supremacist controlled government in the state:

"A no-nonsense group called the  Mississippi State Sovereignty Commission has quietly created a secret, state-funded spy agency answering directly to the Governor.  The Commission has infiltrated the civil rights coalition, eavesdropping on its most private meetings, and pilfering its most sensitive documents. The spies’ method of obtaining such sensitive information can be traced to an even more explosive secret known only to a handful of state officials that oversee the Commission and its anti-civil rights spy apparatus..."

Freedom Summer was a campaign during the summer of 1964 to register African-American voters in southern states. Campaign participants included mostly white college students from northern states working with African-American residents in several southern states to register voters. The MSSC, formed, funded, and controlled by the Mississippi state government, was central to using informants and paid investigators to identify, monitor, and track activists, who were often beaten and murdered. The murders received national and worldwide attention in 1963 with the murder of Medgar Evers, the head of the Mississippi NAACP, and in 1964 when three Freedom Summer students went missing. The students' bodies were later found buried underneath a 14-foot earthen dam.

Besides watching the documentary, you can learn more online.The Mississippi Department of Archives And History contains information and documents that describe the MSSC:

"... was created by an act of the Mississippi legislature on March 29, 1956. The agency was established in the wake of the May 1954 Brown v. Board of Education ruling. Like other states below the Mason-Dixon Line, Mississippi responded to Brown with legislation to shore up the walls of racial separation. The act creating the Commission provided the agency with broad powers. The Commission's objective was to "do and perform any and all acts deemed necessary and proper to protect the sovereignty of the state of Mississippi, and her sister states... the Commission was granted extensive investigative powers. The governor was appointed ex-officio chairman of the Commission. Other ex-officio members were the president of the Senate, who was vice-chairman of the Commission; the attorney general; and the speaker of the House of Representatives. In addition, the Commission comprised the following members: two members from the Senate, appointed by the president of the Senate; and three members from the House of Representatives, appointed by the speaker. The governor, attorney general and legislators served on the Commission during their tenures in office..."

The American Civil Liberties Union (ACLU) wrote that the documentary:

"... is a grim reminder of the depths that Mississippi authorities plumbed in their efforts to subvert the civil rights movement... The film draws on a trove of Commission records, which are available and searchable online thanks to a 1994 court order in a lawsuit brought by the ACLU of Mississippi... within a few years it had mushroomed into a full-scale spy agency, employing a network of investigators and agents who surveilled civil rights activists, tapped their phones, monitored their meetings, stole sensitive documents, and undermined voter rights efforts. The Commission was ruthless, waging an all-out war against change. Perhaps most painfully, it assembled a cadre of African American informants.. It destroyed the lives of people like Clyde Kennard, a Black Korean War veteran who attempted to enroll at what was then Mississippi Southern College. The Commission orchestrated the planting of evidence used to convict Mr. Kennard of stealing chicken feed. He served seven years in prison. Commission agents also funneled information to local law enforcement (which was rife with KKK members) about student activists who were descending on Mississippi for the "Freedom Summer" of 1964... films such as "Spies of Mississippi" serve two vital purposes: remembrance and reminder. They advance the long project of accounting for America's history of racial subjugation, in brutal detail. They also remind us, in the words of Mississippi Congressman Bennie Thompson, of the "need to keep us safe from terrorists, but also from ourselves." "

The MSSC highlights the consequences when a government spies upon its citizens without notice, consent, transparency, and accountability; and fails to comply with the U.S. Constitution. The documentary is currently being shown on Public Broadcasting Stations (PBS). The film and the book are available online for purchase and download. Watch the trailer:

Researchers Conclude AT&T Was The Best Corporate Collaborator With NSA Spying

N.S.A. logo Based upon recently released reports, experts have deduced that while many telecommunications companies helped the National Security Agency (NSA) perform various spy programs, AT&T had a closer relationship with the agency. The New York Times reported:

"... the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities... from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T... The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil..."

AT&T logo The documents, which discussed a program with the code name Fairview, do not mention AT&T by name. The documents came from former agency contractor Edward Snowden.

"After the terrorist attacks of Sept. 11, 2001, AT&T and MCI were instrumental in the Bush administration’s warrantless wiretapping programs, according to a draft report by the N.S.A.’s inspector general. The report, disclosed by Mr. Snowden and previously published by The Guardian, does not identify the companies by name but describes their market share in numbers that correspond to those two businesses..."

The New York Times and ProPublica reviewed the documents jointly.

What can consumers make of this? I see three messages.

First, ProPublica described well the privacy concerns with online surveillance:

".., a single email traverses the Internet in hundreds of tiny slices, called “packets,’’ that travel separate routes. Grabbing even one email requires a computer search of many slices of other people’s messages. Privacy advocates have long argued in court that grabbing portions of so many emails — involving people not suspected of anything — is a violation of the protection against unreasonable searches and seizures provided by the Fourth Amendment to the Constitution. The Electronic Frontier Foundation, a digital civil liberties group, is now hoping that the new documents will bolster their claims in a long-running case, Jewel v. NSA."

Second, after the terror attacks of September 11, 2001 American citizens wanted safety. It matters how government achieves safety while adhering to our values. Some people seem quick to trade freedoms for security. A wise person once said, you can't just run away from the Fourth Amendment.

Third, if you're the NSA and need to reach out and touch somebody, AT&T is your go-to company:

Justice Department Considers Changes To The Patriot Act And Rule 41 For Online Warrants

[Editor's Note: I am happy to feature another post by guest author Arkady Bukh. He leads the law firm of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. He is a frequent contributor on CNN, Wired, Forbes, Huffington Post, and several other sites.]

By Arkady Bukh, Esq.

In the days and months following 9/11, Americans shuffled between wincing in fear and screaming for retribution.

Forgetting Benjamin Franklin’s admonishment that people who give up security for liberty lose both, Americans sat by while some of the most restrictive legislation ever signed was enacted. Justified by claims of “national security,” American citizens watched as their rights were softened. The Patriot Act arguably was the legislative high point during President George W. Bush’s administration.

Lately, calmer heads have prevailed and Congress has started to move to relax some aspects of The Patriot Act as it eliminated others.

One small section of the Patriot Act, Rule 41, may get toughened and expanded while much of America is sidetracked by smartphones and the Kardashians. If the legislation is signed into law, the impact will not only be felt across American, but the tsunami wave of snooping and privacy invasion will perseverate globally.

Tweaks are “Monumental” Violation

While the U.S. Department of Justice (DOJ) has been working to modify a federal criminal procedure making it easier for judges to issue search warrants outside their areas of jurisdiction, Google has been busy warning others about the potential consequences.

Rule 41

The proposed change in Rule 41 of The Patriot Act would allow judges to assign warrants even if the source of a botnet, or another unidentified action, is anonymous and its location unknown. University of California Hastings law professor Ahmed Ghappour told the Ars Technica blog:

"This is another example of the FBI obtaining a warrant that they are not empowered to obtain based on the lack of technological expertise of the courts."

Ars Technica concluded:

"If the proposal is passed as currently drafted, federal authorities would gain an expanded ability to conduct "remote access" under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts."

In responding to public comments regarding the proposed expansion of Rule 41, the DOJ replied:

“These objections are misplaced here because the proposed amendment is solely about the appropriate venue for applying for such warrants. The existing rules already allow the government to obtain and execute such warrants when the district of the targeted computer is known. Thus, the issue before the Committee is not whether to allow warrants to be executed by remote search; it is whether such warrants should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications. Finally, we note that none of the commenters who expressed opposition to the proposal offered any substantive alternative solution...”

Google’s stance is that the proposal is too broad and would have unintended consequences. Google’s rebuttal adds that Congress should pass laws authorizing the changes, and not a DOJ proposal. Google’s response was filed along with 30 others during the comment period by groups that included the ACLU and the Electronic Frontier Foundation.

Under the proposed modifications, Rule 41 of the Federal Rules of Criminal Procedure authorizes the government to appear before a single Federal magistrate judge in any judicial district in which activities relating to terrorism may have occurred.

This means that the government could go before a single judge to get a warrant to search the property of a person — anywhere. If the state chose to appear in New York, an individual in California who wished to have the warrant squashed, would have to discover a way to appear before the New York Court that issued the warrant.

Rule 41 isn’t the only clause in The Patriot Act that concerns observers.

The Patriot Act

The dangers of The Patriot Act, specifically Section 802, is the definition of “terrorism.”  As defined, domestic terrorism is broad enough to include the actions of several prominent activist groups including Greenpeace, Operation Rescue and others.

The American Civil Liberties Union (ACLU) cited the Vieques Island protests as an example:

"... when many people, including several prominent Americans, participated in civil disobedience on a military installation where the United States government has been engaging in regular military exercises, which these protesters oppose. The protesters illegally entered the military base and tried to obstruct the bombing exercises. This conduct would fall within the definition of domestic terrorism because the protesters broke federal law by unlawfully entering the airbase and their acts were for the purpose of influencing a government policy by intimidation or coercion.The act of trying to disrupt bombing exercises arguably created a danger to human life - their own and those of military personnel."

Using the Vieques Island protests as a starting point, the new government powers can be examined.

Seizure of Assets

Section 806 of The Patriot Act would result in the civil seizure of individual assets without prior hearings and without being convicted of a crime. The language in Section 806 is widespread enough to authorize the government to seize any resources and belongings of any individual involved in Vieques or any group supporting the protests.

Additionally, any individual who supported the groups that supported the Vieques Island protesters would also be subject to Section 806.

The civil asset forfeiture power of the US government is incredible. The government can seize the assets based on the mere assertion that there is a possible cause to think that the assets were linked to“domestic terrorism.”

Educational Record Disclosure

Section 507 requires a judge to issue an order permitting the government to obtain private educational records if the US Attorney General certifies that the records are necessary for investigating terrorism. An independent judicial finding is not required to prove the records are relevant.

The types of records that can be seized include information such as a student’s grades, private medication information, and organizations the student belongs to.

Criminal defense attorneys do not oppose the criminal prosecution of people who violate the law — even if they are performing for political purposes. However, what is anathema is the broad definition of terrorism and the authorization that flows from that meaning.

One way to ensure that the behavior that falls within the meaning of terrorism is, in fact, to limit the scope of the behavior that triggers the charges.

Do Foreign Governments Have a Right To Spy On American Citizens Inside Their Homes? One Country Believes So

Just when you think that the surveillance news can't get any more bizarre, along comes this item. The Electronic Frontier foundation (EFF) will argue in a Federal court today at 2:00 pm for an American seeking to to proceed with a lawsuit against the Ethiopian government. Lawyers in the United States representing the Ethiopian government want the case dismissed and claim:

"... that foreign governments have a right wiretap Americans inside their own homes without court oversight, a right that not even the U.S. government claims for itself."

The plaintiff, an American, uses the pseudonym "Mr. Kidane" to protect his family both in the United States and in Ethiopia. Mr. Kidane wants to sue the Ethiopian government in a United States court for:

"... infecting his computer with secret spyware, wiretapping his private calls, and monitoring his family’s every use of the computer for weeks... EFF Staff Attorney Nate Cardozo will argue Tuesday that Ethiopia must answer in court for the illegal spying on Mr. Kidane. The case is also supported by the law firm of Robins, Kaplan, Miller and Ciresi, LLP."

According to the EFF press release, the spyware allegedly found on Mr. Kidane’s computer was identified as:

"... part of a systemic campaign by the Ethiopian government to spy on perceived political opponents. The malware in this case was a program called FinSpy, surveillance software marketed exclusively to governments by the Gamma Group of Companies. Just recently, leaked documents have shown that a competing spyware company called Hacking Team has also provided covert surveillance software to Ethiopia..."

The New York Times reported in August 2012 that FinSpy was:

"... one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes."

In 2012, experts estimated the size of the spy-software market at $5 billion. I believe consumers can safely assume that the spyware market is far larger today. Founded during the 1990s, the Gamma Group sells turnkey surveillance software globally to governments. "Turnkey" means completed, finished software that is ready to operate. You might say it's plug-and-play.

The Washington Post reported in February 2014 that Mr. Kidane:

"... came to the United States 22 years ago, won political asylum and now is a U.S. citizen living in Silver Spring, Md. He provides “technical and administrative support” to an Ethio­pian opposition group, Ginbot 7, but is not a formal member of that group..."

The lawsuit highlights the risks when consumers use the Internet. What are your opinions of this lawsuit?