Between the Annual Release of FISA Statistics and the Release of the FISA 702 Opinion, FBI Rolled Up Turla

I’m curious about the timing of the release of the FISC 702 opinion, dated April 21, 2022, approving Section 702 certificates that would last until April 21, 2023. I laid out a Modest Proposal in response to that opinion here.

In the past, the government has often released the prior year’s FISC opinion around the same time as it releases all the FISA transparency reports, which it released this year on April 28, 2023. But ODNI didn’t release the opinion itself until May 19, eight days after the FBI released a FISA-related audit that covers many of the same violative queries laid out in the FISC opinion and three weeks after the other transparency filings. The delayed release resulted in the release of significantly overlapping bad news twice, a week apart, at a time when the spooks already face an uphill climb to get 702 reauthorized before the end of the year.

One possible explanation for the delayed release is that there was a one-month delay in reapproval of new 702 certificates, meaning that ODNI held back the opinion until such time as a new opinion had replaced the old one.

But as I read, especially, a separate opinion released along with the 702 one, I couldn’t help but note that between the date when ODNI would customarily release the prior FISC authorization and the date it did, FBI rolled up the Turla malware.

May 4, 2023: Search warrant affidavit

May 8, 2023: Planned operation

May 9, 2023: DOJ press release, NSA press release, Joint Cybersecurity Advisory

When I wrote my post on the operation, I laid out how, starting in 2016, the FBI had learned how Turla worked via voluntary monitoring of US-based victims from whose servers the malware was launching attacks in other countries.

A key part of the affidavit’s narrative describes that monitoring process. The FBI discovered that Turla compromised computers at US Victim A in San Jose, which let the FBI monitor how the malware worked. Using US Victim A, Turla compromised US Victim B in Syracuse, which in turn let the FBI monitor what happened from there. Using both US Victims A and B, Turla compromised US Victim D in Columbia, SC, which in turn let the FBI monitor traffic. Using Victim B, Turla compromised US Victim C, in Boardman, OR, which in turn let the FBI monitor traffic.

Over seven years, then, the FBI has been monitoring communications traffic from a growing number of US victim companies that Turla used as nodes. The affidavit emphasizes that these sites were used to attack overseas targets — like the presumed German and French targets mentioned in the affidavit. Aside from the journalist working for a US outlet (who could be stationed overseas), the affidavit doesn’t mention any US collection targets. Nor does it explain whence Turla targets US collection targets.

But there were two or three companies that refused to allow the FBI to engage in consensual monitoring of their victimized servers: Victim-E, Victim-F, and Victim-G, all of which were discovered in 2021 or 2022 (Victim-F went defunct and destroyed its computers).

According to the FBI search warrant, then, it launched a global operation to roll up the Turla Snake’s many nodes around the world without the benefit of at least two US-based nodes from which it could discover other victims. That didn’t make sense to me.

The other FISA opinion released with the 702 one sought authorization to conduct physical surveillance of two locations in the US used by an agent of a foreign power; the government uses physical surveillance to obtain data at rest on a server. DOJ first submitted the application in early 2021. FISC appointed former cybersecurity prosecutor and current tech attorney Marc Zwillinger and retired EDNY Magistrate James Orenstein as amici and conducted several rounds of briefing and a hearing. Orenstein would have still been a Magistrate in EDNY when the grand jury behind this operation was seated there in 2018; he retired in 2020.

The heavily redacted opinion itself is pretty short — just 6 pages. It explains that “the Court has little difficulty finding probable cause to believe that the intended targets … are agents of a foreign power.” It had a harder time with two other issues, though: proving that the premises to be searched “is or is about to be owned, used, possessed by … that foreign power.” Suggestions from Zwillinger and Orenstein provided limits to the order such that FISC presiding Judge Rudolph Contreras could meet that standard.

The government also noted that the data in the targeted location “might not be owned or used by” the agents of the foreign power in question. Contreras imposed a 60-day deadline for the government to destroy everything that was not.

With those limitations, Contreras approved the FISC order on September 27, 2021.

Both of these issues are common ones in cybersecurity surveillance. Hackers hijack others’ servers, and from that sanctuary, victimize others. And then hackers transport data that are the fruits of theft, not communications about such a crime, via these nodes. So one way or another, the opinion sounds like it could pertain to cybersecurity surveillance. The timing is what makes me wonder whether the order was withheld until the end of the Turla operation.

Zwillinger and Orenstein were appointed as amici in 2022 as well.

Note, there’s a technique that got authorized in the 702 opinion, first proposed in March 2021, which involved two different amici, Georgetown Professor Laura Donohue, who asked for the assistance of Dr. Wayne Chung, the Chief Technology Officer of BlueVoyant, a cybersecurity company. That discussion is even more heavily redacted. But the issues debated appear to include:

  • Whether the thing obtained using 702 was included in the definition of intelligence permitted for collection
  • Whether the assistance required in the US came from an Electronic Communications Service Provider (Victim A from the Turla operation was located in San Jose, and the Victim G that refused to cooperate was described as a cloud service provider located in Gaithersburg)
  • Whether the assistance from the ECSP is covered by 702
  • Whether the intended use of the information fit the definition of querying
  • Whether NSA should have used another provision of FISA
  • Whether all the targets were overseas
  • What kind of minimization procedures the kind of information that would be obtained required

The 702 application is even more obscure than the physical search one. But if the latter pertains to Turla, it’s not inconceivable that the former does too.

Just Following Orders: Raymond Dearie’s Strict Compliance with Aileen Cannon’s Orders

Yesterday, two different filings were added to the Trump v. America docket. The first was an order from Judge Aileen Cannon, stripping the language pertaining to classified documents from her order appointing Raymond Dearie to be Special Master. The second, posted shortly thereafter, was Judge Raymond Dearie’s draft order for work flow.

Dearie’s order has rightly attracted attention for the lengthy instructions on how Trump must make any challenges to the detailed inventory FBI released in the next week. (Note, according to the current schedule, Trump will have 4 days after receiving the documents to make such challenges.)

I. VERIFICATION OF THE DETAILED PROPERTY INVENTORY

No later than September 26, 2022, a government official with sufficient knowledge of the matter shall submit a declaration or affidavit as to whether the Detailed Property Inventory, ECF 39-1, represents the full and accurate extent of the property seized from the premises located at 1100 S. Ocean Boulevard, Palm Beach, Florida 33480 (the “Premises”) on August 8, 2022, excluding documents bearing classification markings (the “Seized Materials”). See Appointing Order ¶ 2(a); Order Following Stay ¶ 1.

No later than September 30, 2022, Plaintiff shall submit a declaration or affidavit that includes each of the following factual matters:

a. A list of any specific items set forth in the Detailed Property Inventory that Plaintiff asserts were not seized from the Premises on August 8, 2022.

b. A list of any specific items set forth in the Detailed Property Inventory that Plaintiff asserts were seized from the Premises on August 8, 2022, but as to which Plaintiff asserts that the Detailed Property Inventory’s description of contents or location within the Premises where the item was found is incorrect.

c. A detailed list and description of any item that Plaintiff asserts was seized from the Premises on August 8, 2022, but is not listed in the Detailed Property Inventory.

This submission shall be Plaintiff’s final opportunity to raise any factual dispute as to the completeness and accuracy of the Detailed Property Inventory.

No later than October 14, 2022, the government shall submit a declaration or affidavit from a person with sufficient knowledge of the matter responding to any factual disputes as to the completeness and accuracy of the Detailed Property Inventory raised in Plaintiff’s submissions. Upon reviewing the parties’ submissions, the undersigned will schedule further proceedings as needed to resolve any such disputes including, if necessary, an evidentiary hearing at which witnesses with knowledge of the relevant facts will provide testimony. To the extent that the resolution of any such factual disputes identifies additional materials that should be reviewed, the undersigned will set further proceedings as needed.

The identification and resolution of any factual disputes as to the completeness and accuracy of the Detailed Property Inventory will proceed concurrently with the substantive review procedures described below.

From reports of the hearing the other day, it seemed that Dearie asked if this was really necessary. Jim Trusty admitted Trump doesn’t know what’s in the boxes. So this seems like a concession to Trump’s team, an extended focus on whether the FBI accurately cataloged the items taken from Trump’s house. But in practice it ends up being a very strict requirement on Trump that he substantiate things — such as his claim to Hannity, the other day, that the FBI agents took his will — that he has said publicly. Trump also admitted to Hannity that his video of the search doesn’t show the actual rooms from which items were seized, something I predicted (because there’s no way Trump would take video of his office accessible from New York). So while this is precisely what Trump had asked for, it ends up locking Trump in in ways that may limit any criminal defense strategies in the future.

As Dearie said the other day, Trump chose to make himself a plaintiff, and in that posture, he may be forced to make affirmative claims he would never be forced to make as a defendant.

Dearie also required that Trump differentiate the documents he claims are Executive Privileged that can be accessed by the Executive from those that cannot.

Plaintiff shall provide the Special Master and the government with an annotated copy of the spreadsheet described above that specifies, for each document, whether Plaintiff asserts any of the following:

a. Attorney-client communication privilege;

b. Attorney work product privilege;

c. Executive privilege that prohibits review of the document within the executive branch;

d. Executive privilege that prohibits dissemination of the document to persons or entities outside the executive branch;

e. The document is a Presidential Record within the meaning of the Presidential Records Act of 1978, 44 U.S.C. § 2201, et seq. (“PRA”); see id. § 2201(2); and/or

f. The document is a personal record within the meaning of the PRA; see id. § 2201(3).

This takes Trump’s claims of (and Cannon’s unilateral reimagination of) Executive Privilege literally. But it also requires Trump to make a claim that will be easier to defeat on appeal. It effectively requires Trump to create a new category of documents that will make DOJ’s appeal easier.

Dearie’s order requires Trump to pay his bills or face sanction.

No later than seven calendar days after the undersigned has resolved any such disputes (or seven calendar days after receiving an invoice as to which Plaintiff raises no objections), Plaintiff will submit payment in full as directed on the invoice. Failure to make timely payment will be deemed a violation of the Special Master’s order subject to sanction pursuant to Federal Rule of Civil Procedure 53(c)(2).

Finally, Dearie revealed that retired Magistrate Judge James Orenstein will assist him in the review — and that only Orenstein will be getting paid, and that at a rate below what other Special Masters make — Trump got off easy on this front!

The undersigned has determined that the efficient administration of the Special Master’s duties requires the assistance of the Honorable James Orenstein (Ret.), a former United States Magistrate Judge for the Eastern District of New York, who has experience with complex case management, privilege review, warrant procedures, and other matters that may arise in the course of the Special Master’s duties. Judge Orenstein has served as an appointed amicus curiae in the Foreign Intelligence Surveillance Court pursuant to 50 U.S.C. § 1803(i)(2) and currently holds Top Secret clearance.

[snip]

As a United States District Judge in active service, the undersigned will seek no additional compensation for performing the duties of Special Master in this action. The undersigned proposes that Judge Orenstein be compensated at the hourly rate of $500.

As a Magistrate, Orenstein has repeatedly pushed back on governmental surveillance, first on “combined orders” as part of what was called the “Magistrate’s Revolt” in the 00s, and then refusing an All Writs Act order on Apple to break into an Apple phone. Dearie’s revelation that Orenstein served as an appointed amicus on the FISC was news to me and other close FISC watchers, but I’ve got a few guesses about what role he may have played. In short, this is further evidence of the seriousness of this review.

Meanwhile, no one really knows what effect Cannon’s order will have. Along with the orders pertaining to classified information, her order takes out this paragraph, requiring interim reports.

The Special Master and the parties shall prioritize, as a matter of timing, the documents marked as classified, and the Special Master shall submit interim reports and recommendations as appropriate. Upon receipt and resolution of any interim reports and recommendations, the Court will consider prompt adjustments to the Court’s orders as necessary.

But it leaves these two passages in.

The Special Master shall make ex parte reports to the Court on an ongoing basis concerning the progress of resolving the issues above.

[snip]

The Special Master may communicate ex parte with the Court or either party to facilitate the review; provided, however, that all final decisions will be served simultaneously on both parties to allow either party to seek the Court’s review.

I had thought this might be an attempt to narrow the scope of DOJ’s appeal, taking the classified records off the table. There’s some dispute whether she’s even permitted to do this given the pending appeal before the 11th Circuit. But, the actual injunction, now stayed, remains in place, as does the original September 5 order, so that will still be within the scope of DOJ’s appeal. This change was about the order to Dearie, not Cannon’s usurpation of authority she doesn’t have.

But I find the order interesting given how literally Dearie took Cannon’s order to test the inventory and let Trump make Executive Privilege claims that will be easier to defeat on appeal.

In the hearing the other day, Trump lawyer Jim Trusty suggested that Dearie had overstepped his mandate by asking Trump to provide proof he had declassified anything. Dearie responded by saying that he was doing exactly what he had been told.

The judge, a veteran of the Foreign Intelligence Surveillance Court, expressed puzzlement about what his role would be if the government says certain documents are classified and Trump’s side disagrees but doesn’t offer proof to challenge that.

“What am I looking for? … As far as I am concerned, that’s the end of it,” Dearie said. “What business is it of the court?”

James Trusty, one of Trump’s attorneys, called it “premature” for Dearie to consider that issue right now. “It’s going a little beyond what Judge Cannon contemplated in the first instance,” he said.

In one of several moments of palpable tension with the Trump team, Dearie replied: “I was taken aback by your comment that I’m going beyond what Judge Cannon instructed me to do. … I think I’m doing what I’m told.”

Cannon revised her order to Dearie so that, in ignoring the classified documents, he can continue to do “what he’s told.”

Dearie (and Orenstein) likely saw precisely what I did: Cannon edited the standard boilerplate on Special Masters to allow herself the authority to remove Dearie for reasons beyond the timeliness of the review.

So it’s possible Dearie made sure Cannon’s order to him was revised so he can continue to strictly follow her orders, with all the pain that will cause Trump.

Monday Morning: Calm, You Need It

Another manic Monday? Then you need some of Morcheeba’s Big Calm combining Skye Edwards’ mellow voice with the Godfrey brothers’ mellifluous artistry.

Apple’s Friday-filed response to USDOJ: Nah, son
You can read here Apple’s response to the government’s brief filed after Judge James Orenstein’s order regarding drug dealer Jun Feng’s iPhone. In a nutshell, Apple tells the government they failed to exhaust all their available resources, good luck, have a nice life. A particularly choice excerpt from the preliminary statement:

As a preliminary matter, the government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary—a prerequisite to compelling third party assistance under the All Writs Act. See United States v. N.Y. Tel. Co. (“New York Telephone”), 434 U.S. 159, 175 (1977). The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place—nor to obtain passcode hints or other helpful information from the defendant—or by consulting other government agencies and third parties known to the government. Indeed, the government has gone so far as to claim that it has no obligation to do so, see DE 21 at 8, notwithstanding media reports that suggest that companies already offer commercial solutions capable of accessing data from phones running iOS 7, which is nearly three years old. See Ex. B [Kim Zetter, How the Feds Could Get into iPhones Without Apple’s Help, Wired (Mar. 2, 2016) (discussing technology that might be used to break into phones running iOS 7)]. Further undermining the government’s argument that Apple’s assistance is necessary in these proceedings is the fact that only two and a half weeks ago, in a case in which the government first insisted that it needed Apple to write new software to enable the government to bypass security features on an iPhone running iOS 9, the government ultimately abandoned its request after claiming that a third party could bypass those features without Apple’s assistance. See Ex. C [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, Cal. License Plate #5KGD203 (“In the Matter of the Search of an Apple iPhone” or the “San Bernardino Matter”), No. 16-cm-10, DE 209 (C.D. Cal. Mar. 28, 2016)]. 
In response to those developments, the government filed a perfunctory letter in this case stating only that it would not modify its application. DE 39. The letter does not state that the government attempted the method that worked on the iPhone running iOS 9, consulted the third party that assisted with that phone, or consulted other third parties before baldly asserting that Apple’s assistance remains necessary in these proceedings. See id. The government’s failure to substantiate the need for Apple’s assistance, alone, provides more than sufficient grounds to deny the government’s application.

Mm-hmm. That.

Dieselgate: Volkswagen racing toward deadline

  • Thursday, April 21 is the extended deadline for VW to propose a technical solution for ~500,000 passenger diesel cars in the U.S. (Intl Business Times) — The initial deadline was 24-MAR, establishing a 30-day window of opportunity for VW to create a skunkworks team to develop a fix. But if a team couldn’t do this inside 5-7 years since the cars were first sold in the U.S., another 30 days wouldn’t be enough. Will 60 days prove the magical number? Let’s see.
  • VW may have used copyrighted hybrid technology without paying licensing (Detroit News) — What the heck was going on in VW’s culture that this suit might be legitimate?
  • After last month’s drop-off in sales, VW steps up discounting (Reuters) — Trust in VW is blamed for lackluster sales; discounts aren’t likely to fix that.

Once around the kitchen

  • California’s winter rains not enough to offset long-term continued drought (Los Angeles Times) — Op-ed by Jay Famiglietti, senior water scientist at the NASA Jet Propulsion Laboratory–Pasadena and UC-Irvine’s professor of Earth system science. Famiglietti also wrote last year’s gangbuster warning about California’s drought and incompatible water usage.
  • Western scientists meet with North Korean scientists on joint study of Korean-Chinese volcano (Christian Science Monitor) — This seems quite odd, that NK would work in any way with the west on science. But there you have it, they are meeting over a once-dormant nearly-supervolcano at the Korea-China border.
  • BTW: Deadline today for bids on Yahoo.

There you are, your week off to a solid start. Catch you tomorrow morning!

US Secretly Acting Like China Does in Public

As this ZDNet article notes, some of the Snowden disclosures revealed that NSA had asked for the source code of various tech companies (though it links to a Jake Appelbaum article that I believe to be sourced to someone else). What is new in its report of US government demands for source code, however, is how the government is getting it: through secret civil or FISA orders.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We’re not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”

When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before.

That is, at a time when we condemn public Chinese demands to be able to review source code of companies doing business in China, the US has been doing the same thing, albeit without the reputational hit of doing so publicly.

All of which makes the point I made here — that the government is fairly explicitly threatening to demand source code from Apple — all the more significant, in part for an issue I’ve been meaning to return to.

Contrary to popular belief, the FISA Court does not operate in complete isolation from traditional courts. On several known issues — notably, the access to location data and the collection of Post Cut Through Direct Dial numbers — FISC has taken notice of public magistrate’s opinions and used that to inform, though not necessarily dictate, FISC practice. As I have noted, at least until 2014, the FISC used the highest common denominator from criminal case law with respect to location data, meaning it requires the equivalent of a probable cause warrant for prospective (though not historic) data. And FISC first seemed to start tracking such orders during the magistrate’s revolt of 2005-6. That’s an area where FISC seems to have followed criminal case law. By contrast, FISC permits the government to collect, then minimize, PCTDD, though it appears to have revisited whether the government’s current minimization procedures meet the law, the most recent known moment of which was 2009.

In other words, this Apple fight (as well as magistrate James Orenstein’s order) may affect what FISC will approve — or has already approved in secret — for other tech companies (or even for Apple), something the tech companies that submitted amicus briefs likely know. That makes FBI’s decision to hold this fight in public, which Apple preferred not to do, all the more significant. Because if Apple prevails, it will make it a lot harder to secretly jurisdiction shop anywhere in the US, whether in a secret magistrate’s proceeding or an even more secret FISC one.

James Orenstein’s Order Sets Up Congressional Hearing

As Rayne noted this morning, yesterday James Orenstein released his order stating that the government can’t use the All Writs Act to force Apple to unlock the phone of a meth dealer, Jun Feng, who has already pled guilty. My favorite part of the order comes in the middle where he argues that those who passed the All Writs Act in 1789 were substantially the same people who wrote the Constitution guaranteeing Congress the right to legislate. He argued it would be unlikely that those same men would so quickly hand off that authority to the courts.

It is wholly implausible to suppose that with so many of the newly-adopted Constitution’s drafters and ratifiers in the legislature, the First Congress would so thoroughly trample on that document’s very first substantive mandate: “All legislative Powers herein granted shall be vested in a Congress of the United States[.]” U.S. Const. Art. I, § 1. And yet that is precisely the reading the government proposes when it insists that a court may empower the executive to exercise power that the legislature has considered yet declined to allow.

I’m sad that that argument, which is probably the first in a series of court rulings that will end up at SCOTUS, won’t have Scalia there to enjoy it.

Ultimately, though, Orenstein makes the very same argument he made back in October when he asked Apple to weigh in on this issue, updated with the point that I made — the same day the government asked for this order Jim Comey told Congress they don’t need legislation to get the same result.

It is also clear that the government has made the considered decision that it is better off securing such crypto-legislative authority from the courts (in proceedings that had always been, at the time it filed the instant Application, shielded from public scrutiny) rather than taking the chance that open legislative debate might produce a result less to its liking. Indeed, on the very same day that the government filed the ex parte Application in this case (as well as a similar application in the Southern District of New York, see DE 27 at 2), it made a public announcement that after months of discussion about the need to update CALEA to provide the kind of authority it seeks here, it would not seek such legislation. See James B. Comey, “Statement Before the Senate Committee on Homeland Security and Governmental Affairs,” (Oct. 8, 2015), https://www.fbi.gov/news/testimony/threats-to-the-homeland (“The United States government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the administration is not seeking legislation at this time.”).

Whether because it knew it would lose (and had lost), or because it wanted to pretend it respected encryption when in fact it did not, the Obama Administration adopted a strategy by which it told Congress it didn’t need new legislation, all while asking the courts to rewrite CALEA in secret.

Whether accidentally or not (I suspect it is no accident), Orenstein’s order comes at a particularly useful time, hours before the House Judiciary Committee will have what will be one of the more important hearings on this debate, featuring Jim Comey first, and then NY District Attorney Cy Vance, Apple’s General Counsel Bruce Sewell, and rock star academic Susan Landau. It is likely to be the one hearing to which Apple will willingly provide a witness, and the committee is made up of a mix of former US Attorneys, shills for law enforcement, but also defenders of privacy and online security.

In his testimony for the hearing, Sewell said much the same thing Orenstein did:

The American people deserve an honest conversation around the important questions stemming from the FBI’s current demand:

Do we want to put a limit on the technology that protects our data, and therefore our privacy and our safety, in the face of increasingly sophisticated cyber attacks? Should the FBI be allowed to stop Apple, or any company, from offering the American people the safest and most secure product it can make?

Should the FBI have the right to compel a company to produce a product it doesn’t already make, to the FBI’s exact specifications and for the FBI’s use?

We believe that each of these questions deserves a healthy discussion, and any decision should be made after a thoughtful and honest consideration of the facts.

Most importantly, the decisions should be made by you and your colleagues as representatives of the people, rather than through a warrant request based on a 220-year-old statute.

For years, the government has stopped short of demanding legislation, presumably because they knew they wouldn’t get what they wanted. They’re finally being called on it.

Tuesday Morning: Guidance to Be True

Now an oldie but goodie, this Fiona Apple ditty. The subtle undertow of irony seems fitting today.

Speaking of guidance…

Google’s self-driving car went boom
Oops. Autonomous vehicles still not a thing when they can’t avoid something the size of a bus. Thank goodness nobody was hurt. Granted, until now Google’s self-driving test cars were not the cause of accidents — human drivers have been at fault far more often. In this particular accident, both the car and the human test driver may have been at fault.

VW’s CEO Mueller spins the (PR) wheels on agreement with U.S.
This is now a habit: before every major international automotive show, VW’s Matthias Mueller grants an interview to offer upbeat commentary on the emissions standards cheating scandal, this time ahead of the 2016 Geneva International Auto Show. Not certain if this is helping at all; there’s not much PR can do when no truly effective technical fix exists while potential liability to the U.S. alone may approach $46 billion. Probably a better use of my time to skip Mueller’s spin and spend my time slobbering over the Bugatti Chiron. ~fanning self~

Apple all the time

#YearInSpace ends this evening for astronaut Scott Kelly
Undocking begins at 7:45 p.m. EST with landing expected at 11:25 p.m. EST, barring any unforeseen wrinkles like negative weather conditions. NASA-TV will cover the event live. Can’t wait to hear results of comparison testing between Scott and his earth-bound twin Mark after Scott’s year in space.

Department of No

That’s enough for now. I’m off to be a bad, bad girl. Stay safe.

Why Did Apple “Object” to All Pending All Writs Orders on December 9?

As I noted the other day, a document unsealed last week revealed that DOJ has been asking for similar such orders in other jurisdictions: two in Cincinnati, four in Chicago, two in Manhattan, one in Northern California (covering three phones), another one in Brooklyn (covering two phones), one in San Diego, and one in Boston.

According to Apple, it objected to at least five of these orders (covering eight phones) all on the same day: December 9 (note, FBI applied for two AWAs on October 8, the day on which Comey suggested the Administration didn’t need legislation, the other one being the Brooklyn docket in which this list was produced).

The government disputes this timeline.

In its letter, Apple stated that it had “objected” to some of the orders. That is misleading. Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief. The orders therefore remain in force and are not currently subject to litigation.

Whatever objection Apple made was — according to the government, anyway — made outside of the legal process.

But Apple maintains that it objected to everything already in the system on one day, December 9.

Why December 9? Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances?

There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context. I’ll review this at more length in a later post, but for now, recall that on a number of occasions, the FISA Court has taken notice of something magistrates or other Title III courts have done. For location data, FISC has adopted the standard of the highest common denominator, meaning it has adopted the warrant standard for location even though not all states or federal districts have done so. So the decisions that James Orenstein in Brooklyn and Sheri Pym in Riverside make may limit what FISC can do. It’s possible that Apple got a FISA request that raised the stakes on the magistrate requests we know about. By objecting across the board — and thereby objecting to requests pertaining to iOS 8 phones — Apple raised the odds that a magistrate ruling might help them out at FISA. And if there’s one lawyer in the country who probably knows that, it’s Apple lawyer Marc Zwillinger.

Aside from the obvious reasons to wonder whether Apple got some kind of FISA request, in his interview with ABC the other day, Tim Cook described “other parts of government” asking for more and more cases (though that might refer to state and city governments asking, rather than FBI in a FISA context).

The software key — and of course, with other parts of the government asking for more and more cases and more and more cases, that software would stay living. And it would be turning the crank.

The other possibility is that by December 9, Apple had figured out that — a full day after Apple had started to help FBI access information related to the San Bernardino investigation, on December 6 — FBI took a step (changing Farook’s iCloud password) that would make it a lot harder to access the content on the phone without Apple’s help. Indeed, I’m particularly interested in what advice Apple gave the FBI in the November 16 case (involving two iOS 8 phones), given that it’s possible Apple was successfully recommending FBI pursue alternatives in that case which FBI then foreclosed in the San Bernardino case. In other words, it’s possible Apple recognized by December 9 that FBI was going to use the event of a terrorist attack to force Apple to back door its products, after which Apple started making a stronger legal stand than they might otherwise have done pursuant to secret discussions.

That action — FBI asking San Bernardino to change the password — is something Tim Cook mentioned several times in his interview with ABC the other night, at length here:

We gave significant advice to them, as a matter of fact one of the things that we suggested was “take the phone to a network that it would be familiar with, which is generally the home. Plug it in. Power it on. Leave it overnight–so that it would back-up, so that you’d have a current back-up. … You can think of it as making of making a picture of almost everything on the phone, not everything, but almost everything.

Did they do that?

Unfortunately, in the days, the early days of the investigation, an FBI–FBI directed the county to reset the iCloud password. When that is done, the phone will no longer back up to the Cloud. And so I wish they would have contacted us earlier so that that would not have been the case.

How crucial was that missed opportunity?

Assuming the cloud backup was still on — and there’s no reason to believe that it wasn’t — then it is very crucial.

And it’s something they harped on in their motion yesterday.

Unfortunately, the FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attacker’s accounts, foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network, see Hanna Decl. Ex. X [Apple Inc., iCloud: Back up your iOS device to iCloud], which could have obviated the need to unlock the phone and thus for the extraordinary order the government now seeks. Had the FBI consulted Apple first, this litigation may not have been necessary.

Plus, consider the oddness around this iCloud information. FBI would have gotten the most recent backup (dating to October 19) directly off Farook’s iCloud account on December 6.

But 47 days later, on January 22, they obtained a warrant for that same information. While they might get earlier backups, they would have received substantially the same information they had accessed directly back in December, all as they were prepping to go after Apple to back door their product. It’s not clear why they would do this, especially since there’s little likelihood of this information being submitted at trial (and therefore requiring a parallel constructed certified Apple copy for evidentiary purposes).

There’s one last detail of note. Cook also suggested in that interview that things would have worked out differently — Apple might not have made the big principled stand they are making — if FBI had never gone public.

I can’t talk about the tactics of the FBI, they’ve chosen to do what they’ve done, they’ve chosen to do this out in public, for whatever reasons that they have. What we think at this point, given it is out in the public, is that we need to stand tall and stand tall on principle. Our job is to protect our customers.

Again, that suggests they might have taken a different tack with all the other AWA orders if they only could have done it quietly (which also suggests FBI is taking this approach to make it easier for other jurisdictions to get Apple content). But why would they have decided on December 9 that this thing was going to go public?

Update: This language, from the Motion to Compel, may explain why they both accessed the iCloud and obtained a warrant.

The FBI has been able to obtain several iCloud backups for the SUBJECT DEVICE, and executed a warrant to obtain all saved iCloud data associated with the SUBJECT DEVICE. Evidence in the iCloud account indicates that Farook was in communication with victims who were later killed during the shootings perpetrated by Farook on December 2, 2015, and toll records show that Farook communicated with Malik using the SUBJECT DEVICE. (17)

This passage suggests it obtained both “iCloud backups” and “all saved iCloud data,” which are actually the same thing (but would describe the two different ways the FBI obtained this information). Then, without noting a source, it says that “evidence in the iCloud account” shows Farook was communicating with his victims and “toll records” show he communicated with Malik. Remember too that the FBI got subscriber information from a bunch of accounts using (vaguely defined) “legal process,” which could include things like USA Freedom Act.

The “evidence in the iCloud account” would presumably be iMessages or FaceTime. But the “toll records” could be too, given that Apple would have those (and could have turned them over in the earlier “legal process” step). That is, FBI may have done this to obscure what it can get at each stage (and, possibly, what kinds of other “legal process” it now serves on Apple).


October 8: Comey testifies that the government is not seeking legislation; FBI submits requests for two All Writs Act orders, one in Brooklyn, one in Manhattan; in the former case, Magistrate Judge James Orenstein invites Apple response

October 30: FBI obtains another AWA in Manhattan

November 16: FBI obtains another AWA in Brooklyn pertaining to two phones, but running iOS 8.

November 18: FBI obtains AWA in Chicago

December 2: Syed Rizwan Farook and his wife killed 14 of Farook’s colleagues at holiday party

December 3: FBI seizes Farook’s iPhone from Lexus sitting in their garage

December 4: FBI obtains AWA in Northern California covering 3 phones, one running iOS 8 or higher

December 5, 2:46 AM: FBI first asks Apple for help, beginning period during which Apple provided 24/7 assistance to investigation from 3 staffers; FBI initially submits “legal process” for information regarding customer or subscriber name for three names and nine specific accounts; Apple responds same day

December 6: FBI works with San Bernardino county to reset iCloud password for Farook’s account; FBI submits warrant to Apple for account information, emails, and messages pertaining to three accounts; Apple responds same day

December 9: Apple “objects” to the pending AWA orders

December 10: Intelligence Community briefs Intelligence Committee members and does not affirmatively indicate any encryption is thwarting investigation

December 16: FBI submits “legal process” for customer or subscriber information regarding one name and seven specific accounts; Apple responds same day

January 22: FBI submits warrant for iCloud data pertaining to Farook’s work phone

January 29: FBI obtains extension on warrant for content for phone

February 14: US Attorney contacts Stephen Larson asking him to file brief representing victims in support of AWA request

February 16: After first alerting the press it will happen, FBI obtains AWA for Farook’s phone and only then informs Apple

James Orenstein Calls Out Jim Comey on His Prevarications about Democracy

At a 10 AM Senate Homeland Security hearing on October 8, Jim Comey read prepared testimony that reiterated his claim that encrypted devices are causing FBI problems, but stated that the Administration is not seeking legislation to do anything about it.

Unfortunately, changing forms of Internet communication and the use of encryption are posing real challenges to the FBI’s ability to fulfill its public safety and national security missions. This real and growing gap, to which the FBI refers as “Going Dark,” is an area of continuing focus for the FBI; we believe it must be addressed given the resulting risks are grave both in traditional criminal matters as well as in national security matters. The United States Government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the Administration is not seeking legislation at this time.

That statement got the Administration a lot of good press, with the WaPo declaring “Obama administration opts not to force firms to decrypt data — for now” and the NYT, even after this ruling had been unsealed, reporting, “Obama Won’t Seek Access to Encrypted User Data.” In the actual hearing, Comey was more clear that he did intend to keep asking providers for data and that the government was having “increasingly productive conversations with industry” to get them to do so, inspired in part by government claims about the ISIS threat. Part of that cooperation, per Comey, was “how can we get you to comply with a court order.”

Sometime that same day, on October 8, government lawyers submitted a request to a federal magistrate in Brooklyn to obligate Apple to help unlock a device law enforcement had been unable to unlock on their own.

In a sealed application filed on October 8, 2015, the government asks the court to issue an order pursuant to the All Writs Act, 28 U.S.C. § 1651, directing Apple, Inc. (“Apple”) to assist in the execution of a federal search warrant by disabling the security of an Apple device that the government has lawfully seized pursuant to a warrant issued by this court. Law enforcement agents have discovered the device to be locked, and have tried and failed to bypass that lock. As a result, they cannot gain access to any data stored on the device notwithstanding the authority to do so conferred by this court’s warrant.

The next day the judge, James Orenstein, deferred ruling on whether the All Writs Act is applicable in this case (though he did suggest it probably wasn’t) pending briefing from Apple on how burdensome it would find the request. Orenstein released his memo after giving the government an opportunity to review his order.

This is not the first time the government has tried to use the All Writs Act to force providers (Apple, in at least one of the known cases) to help unlock a phone. EFF described two instances from last year in a December post. It also reviewed a 2005 ruling where Orenstein refused to allow the government to use the All Writs Act to force telecoms to provide cell site location in real time.

Of course, as Lawfare seems to suggest, it has taken a decade for the decision Orenstein made in that earlier ruling — that the government needs a warrant to get cell tracking from a phone — to finally get fully developed into a debate and some Supreme Court (US v. Jones) and circuit rulings. That’s because in the interim, plenty of magistrates continued to compel providers to give such information to the government.

It’s quite possible the same is true here: that this is not just the third attempt to get a court to issue an All Writs Act order to get Apple to provide data, but that instead, a number of magistrates who are more compliant with government wishes have agreed to do so as well. Indeed, as Orenstein noted, that’s a suggestion the government made in its application when it claimed “in other cases, courts have ordered Apple to assist in effectuating search warrants under the authority of the All Writs Act [and that] Apple has complied with such orders.”

What Orenstein did, then, was to make it clear this continues to go on, that even as Jim Comey and others were making public claims (and getting public acclaim) for not seeking legislation that would compel production of encrypted data, the government — including, presumably, the FBI — was seeking court orders that would compel production secretly. The key rhetorical move in Orenstein’s order came when Orenstein compared Comey’s public statements claiming to support debate on this issue to the attempt to claim the government had to rely on the All Writs Act because no law existed. In a long footnote, Orenstein quoted from Comey’s Lawfare post,

Democracies resolve such tensions through robust debate …. It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimize privacy and safety in this particular context, or that public safety folks will be able to do their job well enough in a world of universal strong encryption. Those are decisions Americans should make, but I think part of my job is [to] make sure the debate is informed by a reasonable understanding of the costs.

Then Orenstein pointed out that relying on the All Writs Act would undercut precisely the democratic debate Comey claimed to want to have.

Director Comey’s view about how such policy matters should be resolved is in tension, if not entirely at odds, with the robust application of the All Writs Act the government now advocates. Even if CALEA and the Congressional determination not to mandate “back door” access for law enforcement to encrypted devices does not foreclose reliance on the All Writs Act to grant the instant motion, using an aggressive interpretation of that statute’s scope to short-circuit public debate on this controversy seems fundamentally inconsistent with the proposition that such important policy issues should be determined in the first instance by the legislative branch after public debate – as opposed to having them decided by the judiciary in sealed, ex parte proceedings.

To be fair, even as the government was submitting its secret request to Orenstein, Comey was disavowing his former pro-democratic stance, and instead making it clear the government would try to find some other way to get orders forcing providers to comply.

But, given Orenstein’s invitation for Apple to lay out how onerous this is on it, Comey might get the democratic debate he once embraced.

Update: When I wrote this in the middle of the night I misspelled Judge Orenstein’s name. My apologies!