- Cyrus Farivar
Habeas Data: Privacy vs. The Rise of Surveillance Tech
“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” the company wrote on its website.
“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
Shortly thereafter, Google’s latest update to Android enabled full-disk encryption as well.
In other words, within just a few months of the Supreme Court’s decision in Riley, the technology itself had changed the game. Full-disk encryption enabled by default makes it notably harder for law enforcement to conduct searches of computers and smartphones. The prevalence of such encryption is what contributed to the late-2017 revival of the government’s efforts to combat Going Dark.
In order to get around this level of encryption, and knowing that a fingerprint hasn’t historically been considered by the Supreme Court to be testimonial, the Department of Justice (DOJ) has, at least in some instances, tried to get around the encryption with some unusual tactics. On at least three known occasions since the technology became available in 2013, federal prosecutors have gotten a judge to sign off on an order authorizing a compelled fingerprint depression in an attempt to unlock a seized iPhone.
As Ars Technica reported in February 2016, a woman in Glendale, California, just outside of Los Angeles, was ordered to depress her fingerprint on a seized iPhone. Months later, federal investigators, also in Los Angeles County, were successful in getting judicial approval for two highly unusual searches of seized smartphones at two different Southern California homes, one in Lancaster and one in West Covina, about 90 miles away. The signed warrants allowed the authorities to force a resident reasonably believed to be a user to press their fingerprints on the phone to see if it would unlock. (Under both iOS and Android, fingerprints as passcodes only work for 48 hours; after that timeframe, the regular passcode is required. Court records show that the warrants were presumably executed within that 48-hour window.)
It’s still not clear whether this stratagem was legal: no challenge was ever made.
* * *
Riley also does not answer another pesky question that continues to linger: Can someone be forced to provide a passcode to unlock an encrypted device, cell phone or otherwise, or can a suspect use the Fifth Amendment to shield themselves from the government’s demands?
It turns out that such cases involving compelled decryption are relatively new and still somewhat rare—the first such case only goes back to 2007. Courts have generally protected the Fifth Amendment rights of defendants who refuse to hand over passwords that could decrypt a computer.
In 2012, the 11th US Circuit Court of Appeals ruled in favor of a Florida man (“John Doe”) who invoked his Fifth Amendment privilege in relation to accusations that he had child pornography across numerous encrypted external hard drives. For now, the Doe case (known formally as In re: Grand Jury Subpoena Duces Tecum Dated March 25, 2011) remains the highest federal court to address the issue. In 2013, a federal judge in Milwaukee allowed a child porn suspect to invoke a Fifth Amendment privilege, and refused to force him to give up the passcode.
There is a crucial exception to this Fifth Amendment privilege: the “foregone conclusion.” In other words, if, for example, the government already knows that the target files exist on a particular computer, a suspect can’t simply use that part of the Constitution as an impenetrable shield. Indeed, on the same day that the Supreme Court ruled in Riley, the Massachusetts Supreme Judicial Court, the state’s highest court, concluded in a 5–2 decision that a criminal suspect could be ordered to decrypt his seized computers. Why? Because the defendant had already admitted to the police that they were his, and that he had the ability to decrypt them: in other words, it was a foregone conclusion.
An extreme example of this is the case of Francis Rawls, who, as of September 30, 2017, has been held in jail for two years and counting for refusing to disclose the password to a seized laptop, drive, and iPhone that the government alleges contains child pornography. Rawls, a former Philadelphia police sergeant, has failed in his attempts to get his contempt order thrown out—again due to the foregone conclusion doctrine.
In early August 2017, the 3rd US Circuit Court of Appeals ruled against Rawls because, at his earlier contempt hearing, prosecutors had brought witnesses, including Rawls’ sister, who testified that she had witnessed him enter the passwords and that he showed her some child pornography files. So, the magistrate judge ruled, and the appellate court agreed, that forcing him to give up the password would be a foregone conclusion and not violate the Fifth Amendment.
In July 2016, a Miami reality TV star, Hencha Voigt, and her friend Wesley Victor were charged with extortion of another South Florida woman: Julieanna Goddard, also known online as “YesJulz.”
According to court records, which the Miami Herald provided to Ars Technica, Voigt contacted Goddard’s assistant, Imani Simmons, on July 20, 2016. Voigt told Simmons that someone was trying to sell sex videos of Goddard and even provided examples to prove that she was telling the truth. (Other filings indicate that Voigt herself had “compromising pictures/videos” published online without her consent prior to this incident.)
Voigt warned Simmons that someone would be contacting Goddard from a trap phone (burner phone) and further warned: “Don’t threaten them, be super nice.” While Voigt was texting Simmons, she was also calling and texting Victor.
While Voigt only used an iPhone 6 (referred to as “Phone A”), complicating matters, Victor used three different phones, including an iPhone 6S (“Phone B”). The messages that the government wanted were the iMessages between Voigt and Victor, which, as the government explained, “do not appear in telephone service provider records as anything other than generic data usage. Therefore, the only practical way of determining whether iMessages were sent or received from a particular phone is to actually examine the contents of the phone.” The government wanted these messages to further link Voigt and Victor.
Hours later, Victor asked Voigt for Goddard’s number, which Voigt provided. Victor then allegedly provided further examples of the racy material he possessed. The next day, Goddard asked how she could get the images and videos back or prevent their release. Victor asked for $18,000 in cash. Minutes later, Victor and Voigt were “apprehended together” in a car parked in Miami Beach—according to police records, Voigt even tried to hide the phone by sitting on it.
Weeks later, the Miami Beach police obtained a warrant to search Voigt’s iPhone and Victor’s three phones. Authorities were stymied by the two iPhones, as they were both passcode-protected.
By May 2017, a Florida judge ruled against Voigt, likening the disclosure of the iPhone passcode to handing over the key to a safe-deposit box—a non-testimonial act not protected by the Fifth Amendment. Two months later, after Voigt still refused to help authorities, the FBI stepped in and offered to cover the state’s costs to get at the messages contained on the iPhone. The FBI paid the costs of doing so to Cellebrite, an Israeli digital forensics firm that frequently provides services to American law enforcement.
In the Voigt case, according to the Miami Herald, evidence from the newly unlocked iPhone “seem[s] to show Voigt and her then-boyfriend actively plotting to get $18,000 from a social-media celebrity known as Yes-Julz, in exchange for not releasing the video clips to the Internet. ‘We on some Bonnie Clyde shit I couldn’t have choose a Better partner [in] crime lol,’ reads one text sent from Victor’s phone.”
In another message, Voigt added in a warning to Victor: “Change all your passwords in your accs she doesn’t try some slick shit to u.”
This was highly unusual: the last time that the public knew that the FBI had paid for such a service was in the “FBI v. Apple” showdown of 2016 (and covered in Chapter 2). Here, this was not a terrorism case, nor was it even a federal crime. This was a relatively low-level extortion dispute involving small amounts of money, and very local Instagram celebrities.
* * *
As discussed earlier, the Fourth Amendment does not prohibit all searches, simply unreasonable ones. It has been long-settled law that a search when crossing the US border does not require a warrant. The border search exception is what authorizes customs searches that all travelers must be subjected to upon their arrival in the United States. The idea is that in maintaining sovereign boundaries, the government has a compelling interest in what comes into the country.
Despite the strong finding for privacy in Riley, the border search exception remains key. On September 28, 2015, Sergio Caballero was driving into the United States from Mexico, and tried to cross at the Calexico, California, border checkpoint. A drug dog alerted agents to the possible presence of narcotics—he was found to have 33 pounds of methamphetamine and 2.75 pounds of heroin inside the gas tank of his car. Agents also searched his phone, which contained some incriminating photos of large piles of cash.
Caballero’s federal public defender, Nathan Feneis, tried to argue that Riley was the Supreme Court decision that should dictate the outcome. But the judge ruled in April 2016 that the border search exception superseded it.
“The question presented by this case is this: once a person is placed under arrest at the border, may officers conduct a cursory search of the arrestee’s cell phone without a warrant?” US District Judge Roger Benitez wrote. “Riley says, ‘No.’ But, Riley does not address a search at the border. The border search exception says, ‘Yes.’ But, neither the Supreme Court, nor the Ninth Circuit, has decided a case involving the heightened privacy interests implicated by a cell phone search at the border after an arrest.”
It turns out that between 2015 and 2016, during the tail end of the Obama administration, digital searches at the border increased five-fold, according to Customs and Border Patrol’s (CBP) own figures. However, despite the large jump by percentage, federal authorities maintain that such searches are exceedingly rare.
“In [fiscal year 2016], CBP processed more than 390 million arrivals and performed 23,877 electronic media searches,” a statement sent to Ars Technica by Robert Brisley, a CBP spokesman based in Atlanta, said. “This equates to CBP performing an electronic search on 0.0061% of arrivals. This is an increase over the FY15 numbers when 4,764 electronic media searches were conducted, accounting for .0012% of arrivals. CBP officers processed 383 million arrivals in [fiscal year 2015].”
Under the Trump administration, this figure has grown even more, with no discernible explanation as to why. In March 2017, NBC reported that 2017 was on pace to be a “blockbuster year” for border searches of electronic devices. According to the news outlet, 5,000 “devices were searched in February alone, more than in all of 2015.”
In early 2017, there were a few high-profile examples of warrantless border searches of electronic devices, including one of a Jet Propulsion Laboratory scientist and a California artist. In September 2017, those men, along with several others, sued CBP in federal court in Massachusetts. They are being represented by attorneys from the American Civil Liberties Union and the Electronic Frontier Foundation (EFF) in the case, known as Alasaad v. Duke.
“The border doctrine does not say that the Constitution doesn’t exist at the border. What it does say is that the balance between privacy and security is drawn differently,” Adam Schwartz, one of their EFF lawyers, told Ars Technica.
“What we say is that Riley redraws the equation. Your phone, it’s not like your backpack, it’s like every backpack and every desk and every movie theatre you ever walked into. It’s profoundly different in quality and quantity than what people have historically carried over the border.”
All the plaintiffs, during their interrogation at the border, decided to provide the passcodes to their phones. But what authority grants federal border agents this power?
The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security (DHS) paper titled “Privacy Impact Assessment for the Border Searches of Electronic Devices.” That document states that “for CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist.”
The policy also states that CBP or Immigration and Customs Enforcement “may demand technical assistance, including translation or decryption,” citing 19 US Code Section 507. The 2009 DHS document also says that “officers may seek such assistance with or without individualized suspicion.” An individual refusing to comply with this statute is “guilty of a misdemeanor and subject to a fine of not more than $1,000.”
But as Orin Kerr, the University of Southern California law professor, tweeted in February 2017: “Border agents say that this law requires people crossing border to disclose their password if asked. But does it say that? No cases.”
As of this writing, in late 2017, it remains unclear as to whether the judge hearing Alasaad will find Riley controlling, or if, like Judge Benitez, they will hold that the border search exception doctrine wins the day.
* * *
It turns out that digital is different in another way too: the act of investigation. Since at least 2002, federal authorities have created their own specialized software to go after technically sophisticated targets. This strategy has a specialized, almost-sanitized name, too: lawful hacking.
Just as a stingray can locate someone whose whereabouts are unknown in the physical world, a network investigative technique (NIT) can locate or describe someone online by forcing a computer or phone to give up its IP address.
A NIT is essentially a fancy government phrase for a piece of unauthorized software, often known as malware, that can infiltrate a target computer and reveal information about it. While NITs, and their precursors, known as Computer and Internet Protocol Address Verifiers (CIPAV), have been around for at least 15 years, it’s only within recent years that more cases have come to the fore.
One of the best-known cases involving a NIT emerged in July 2012, after a deranged man shot and killed 12 people in a movie theater in Aurora, Colorado. The day after the shooting, a man who identified himself as “Andrew Ryan” called the Arapahoe Sheriff’s Department and claimed to be a “friend” of the alleged killer, James Holmes. (In reality, the link between the two men is extremely unlikely.)
Ryan, who spoke with some sort of non-native English-speaking accent, demanded that Holmes be freed, and threatened to blow up a building if the authorities did not comply. The number he called from turned out to be facilitated via Google Voice, while a proxy server obscured his true Internet Protocol (IP) address. Ryan, who later told the Arapahoe deputy he regularly spoke with to call him “Mo,” made over 12 similar threats to various hotels, universities, and airports. By September 2012, investigators got ahold of some identifying information from Google (via a warrant) indicating that Mo may, in fact, be in Iran.
Finally, in December 2012, a Denver police officer went to a judge, asking for a warrant to install a NIT on Mo’s computer—in other words, authorities wanted to send a link to Mo and trick him into clicking it, which would surreptitiously install software on his computer, akin to what malevolent hackers do. It would collect various details, including Mo’s operating system, IP address, media access control (MAC) address, time zone, and more.
The judge signed off on it, and the warrant was executed. Court records indicate that the NIT was only “partially successful.” While the NIT itself did not run, the recipient of the e-mail did attempt to click the link from an Iranian IP address. News of the NIT didn’t become public for about a year, until the Washington Post reported on it.
A few months later, in April 2013, US Magistrate Judge Stephen Smith (one of the judges commonly identified with the privacy-minded group of judges known as the Magistrate’s Revolt) in the Southern District of Texas, issued a ruling against a federal agency seeking to install a NIT against a certain target. Like many warrant applications, the entire case remained sealed until the judge’s order.
As Judge Smith explained, sometime in early 2013, “unknown persons” gained access to a person’s (“John Doe”) e-mail account. Those scofflaws used this unauthorized access to then gain access to Doe’s bank account. While the judge’s order doesn’t say how much money was transferred abroad, it must have been large enough to draw the ire of federal authorities. Either way, the magistrate was highly skeptical of what the government was asking for.
“The Government does not seek a garden-variety search warrant,” he wrote. “Its application requests authorization to surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer’s hard drive, random[ly] access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within this district.”
Judge Smith rejected the government’s warrant application for three major reasons: under Rule 41 of the Federal Rules of Criminal Procedure, magistrates were only allowed to sign off on warrants within their own district; the warrant didn’t fulfill the particularity requirement; and the video element is subject to Title III super-warrant standards, which the affidavit does not fulfill.
It’s worth noting that reporting on this type of novel surveillance order, even years after it was issued, remains sealed. The only public document on the entire docket that exists is the judge’s order, likely because he wanted others to read it. It’s impossible for anyone to know if this technique was attempted with a different judge, and if so, how successful it was. As such, it is difficult to evaluate these novel legal questions—the government will always have the upper hand, as only it knows the techniques that it is keeping a secret.