In this roundup: A short film about a mother’s time travel adventure, the Internet of Stupid Things, and more.
It’s not even 7:00 a.m. here as I start to write this post, and the day is already frantic — like Mussorgsky’s Night on Bald Mountain. I don’t expect a placid ending to the first day of this week, either.
Strap in, lock and load.
Volkswagen on a roll — downhill, fast
- A former employee who worked at the Michigan-based Volkswagen Group of America’s data processing center filed suit for wrongful termination. The employee lost their job after warning against data deletion after the U.S. Department of Justice ordered VW to halt normal data deletion processes to preserve potential evidence. Michigan is an at-will state, meaning employees can be fired for any reason at any time if they do not have a contract. However, employers may not fire workers in retaliation for refusing to do illegal acts or for reporting violations of health and safety code. Not a sketchy situation at all…this case might be an opportunity for discovery.
- VW cutting jobs back home in Germany, with administrative roles taking the biggest hit. At the same time, VW says it intends to hire more software and technology personnel as it shifts away from traditional automotive technology. Huh — not a move I would expect when VW clearly hasn’t a handle on electronic vehicle technology.
- Car sales are up 6.3 percent in the EU, but VW-brand car sales are off 4 percent. Ford and GM’s Opel picked up what VW lost in terms of sales.
Asking oranges from Apple
- USDOJ hint-hints with little subtlety it will demand Apple’s source code. By subtlety, I mean a footnote shaped like a cudgel in its response to #AppleVsFBI:
The FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature.
The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labour by Apple programmers.
You can read Marcy’s take on the USDOJ’s Lavabit gambit for more.
- The mega-sized tech companies who support Apple are now doubling down on encryption. Couldn’t see that coming, huh?
- Some speculate WhatsApp as a communications technology may be the next focus of law enforcement in wake of #AppleVsFBI.
- John Oliver does a Deep Dive into #AppleVsFBI — amusing take, but Oliver and his writing team have far too simplistic a take on this case. It’s not just that FBI wants a ‘master key,’ or that the FBI relies on All Writs to make its demand on Apple. It’s about forcing a company to create something entirely new, and something that’s not intrinsically part of its product.
Another energy industry executive dead
Josh Comstock, CEO of C&J Energy Services in Houston, Texas, died unexpectedly on Friday. He passed away in his sleep at age 46. Comstock was a supporter of NHRA drag racing. His company, which provided hydraulic fracturing (fracking) services, lost considerable value over the last year with the sharp drop in oil prices and field development.
Oil dudes are under a lot of stress these days.
And it being a Monday, so are we. Relax when you can, gang. I’m clocking out.
We start with the sublime, welcoming astronaut Scott Kelly back to earth after nearly a year in space — 340 days all told. Wouldn’t you like to know how these first hours and days will feel to Kelly as he regains his earth legs?
And then we have the silly…
Apple’s General Counsel Sewell and FBI Director Comey appeared before House Judiciary Committee
You’d think a Congressional hearing about FBI’s demand to crack open Apple iPhone would be far from silly, but yesterday’s hearing on Apple iPhone encryption…Jim Comey likened the iPhone 5C’s passcode protection to “a guard dog,” told Apple its business model wasn’t public safety, fretted about “warrant-proof spaces” and indulged in a thought exercise by wondering what would happen if Apple engineers were kidnapped and forced to write code.
What. The. Feck.
I think I’ll read about this hearing in French news outlets as it somehow sounds more rational: iPhone verrouillé: le patron du FBI sur le gril face au Congrès américain (iPhone locked: FBI boss grilled by US Congress – Le Monde). Other kickers in Comey’s testimony: an admission that a “mistake was made” (oh, the tell-tale passive voice here) in handling the San Bernardino shooter’s phone, the implication that the NSA couldn’t (wouldn’t?) backdoor the iPhone in question, and that obtaining the code demanded from Apple would set precedent applicable to other cases.
Predictably, Apple’s Bruce Sewell explained that “Building that software tool would not affect just one iPhone. It would weaken the security for all of them.” In other words, FBI’s demand that Apple writes new code to crack the iPhone 5C’s locking mechanism is a direct threat to Apple’s business model, based on secure electronic devices.
Catch the video of the entire hearing on C-SPAN.
Facebook’s Latin American VP arrested after resisting release of WhatsApp data
Here’s another legal precedent, set in another country, where a government made incorrect assumptions about technology. Brazilian law enforcement and courts believed WhatsApp stored data it maintains it doesn’t have, forcing the issue by arresting a Facebook executive though WhatsApp is a separate legal entity in Brazil. Imagine what could happen in Brazil if law enforcement wanted an Apple iPhone 5C unlocked. The executive will be released today, according to recent reports. The underlying case involved the use of WhatsApp messaging by drug traffickers.
USAO-EDNY subpoenaed Citigroup in FIFA bribery, corruption and money laundering allegations
In a financial filing, Citigroup advised it had been subpoenaed by the U.S. Attorney’s office. HSBC advised last week it had been contacted by U.S. law enforcement about its role. No word yet as to whether JPMorgan Chase and Bank of America have been likewise subpoenaed though they were used by FIFA officials. Amazing. We might see banksters perp-walked over a fútbol scandal before we see any prosecuted for events leading to the 2008 financial crisis.
- Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies screwed up, to be renegotiated on sales of “intrusion software” tools (Ars Technica) — another case where government failed to understand the technology it was regulating.
- Automakers three years behind on cybersecurity for internet-enabled cars (Threatpost) — Sadly, article doesn’t point out cyber threats aren’t limited to connected car systems if one really thinks about the design of electronic control units in all other vehicles.
- Facebook’s behemoth size in Germany may allow it to bypass data protection rules (Phys.org) — Too Big To Fail, the software edition, and the Germans aren’t happy with this flavor of TBTF.
I’m out of here, need to dig out after another winter storm dumped nearly a foot of the fluffy stuff yesterday. I’m open to volunteers, but I don’t expect many snow shovel-armed takers.
If you have to ask what jazz is, you’ll never know. — Louis Armstrong
It’s Friday. Don’t ask, just play.
If you thought FBI vs Apple was part of a plan to break Silicon Valley on encryption, it was
This will be the big buzz today: a secret “decision memo” reveals the government set out to access encrypted user data while putting on a good front about its relations with software companies. No information available about the source (or timing) of the memo; wouldn’t it be ironic if this secret memo had been hacked from a smartphone user’s data?
Looks like Apple may also claim the government is compelling speech. They’ve pulled out the big guns by hiring lawyers Ted Olson and Theodore Boutrous to work on this case.
Whiny telcos upset with Facebook eating their lunch with WhatsApp messaging
Like they couldn’t have seen this coming? Telcos in parts of the world like Central America and Europe have long charged uncompetitive rates for poor messaging service. Enter Facebook, which snapped up WhatsApp and integrated the messaging app in its social media platform. Facebook members now have a free messaging platform that works almost globally. The telcos are now upset that Facebook has eaten their text messaging profits. ¡Qué lástima! Though I admit I wonder if part of this grousing is really a front for governments who don’t like WhatsApp’s threat to intelligence access via telcos’ messaging services.
Citigroup’s Corbat gets a 27% pay increase
Too Big to Fail pays very well, for a very few. For Citigroup’s CEO Michael Corbat, it pays roughly $16.5 million this past year, up from $13 million the previous year. Corbat’s raise rewards him for Citibank’s improved fortunes, based in part on cutting less profitable businesses — like exiting retail banking in Argentina and Brazil.
Mercedes sued for not-so-clean diesel emissions
In a slightly different situation than with automaker VW, Daimler’s Mercedes is accused of selling diesel powered vehicles that do not meet emissions standards at low temperatures. The lawsuit was filed yesterday in New Jersey by a vehicle owner in Illinois, based on information published in Der Spiegel and the results of a study conducted by independent testing agency TNO for the Dutch Ministry of Infrastructure and the Environment. The problem at the heart of the suit:
“…the device in Mercedes’s diesel models turns off pollution controls at temperatures below 50 degrees Fahrenheit (10 Celsius), allowing the autos to violate emissions standards, according to the complaint.”
Mercedes did not disclose to buyers that its BlueTec technology, a system relying on use of urea-based NOX reduction, emitted NOX levels well above emissions standards at low temperatures. I would not be surprised to see more cases soon against Daimler and its Mercedes brand as BlueTec technology has been used in both passenger vehicles and commercial trucks for most of the last ten years.
On our mind: SKYNET
We haven’t forgotten the issue of U.S. military killing innocents *Oops!* from the sky based on metadata. Worth reading:
- The NSA’s SKYNET program may be killing thousands of innocent people (Ars Technica)
- Has a rampaging AI algorithm really killed thousands in Pakistan? (The Guardian)
A “machine learning algorithm”? Imagine this in self-driving cars, hijacked via backdoors by hackers and governments. The ethics behind this technology must be widely debated in public now, before it moves beyond its already-abused role in drone-based warfare.
Should be an entertaining Friday; watch for government spokespersons to indulge in a lot of fancy-footwork jazz today.
The other day I looked at an exchange between Ron Wyden and Jim Comey that took place in January 2014, as well as the response FBI gave Wyden afterwards. I want to return to the reason I was originally interested in the exchange: because it reveals that FBI, in addition to obtaining cell location data directly from a phone company or a Stingray, will sometimes get location data from a mobile app provider.
I asked Magistrate Judge Stephen Smith from Houston whether he had seen any such requests — he’s one of a group of magistrates who have pushed for more transparency on these issues. He explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to turn over the cell site location information they had obtained from the users’ phones along with other metadata about those interactions. To be clear, this is not location data the app provider generates; it would be the location data the phone company generates, which the app accesses in the normal course of operation.
The point of getting location data like this is not to evade standards for a particular jurisdiction on CSLI. Smith explained, “The FBI apparently considers CSLI from smart phone apps the same as CSLI from the phone companies, so the same legal authorities apply to both, the only difference being that the ‘target device’ identifier is a WhatsApp/Snapchat account number instead of a phone number.” So in jurisdictions where you can get location data with an order, that’s what it takes; in jurisdictions where you need a probable cause warrant, that’s what it will take. The map above, which ACLU makes a great effort to keep up to date here, shows how jurisdictions differ on the standards for retrospective and prospective location information, which is what (as far as we know) will dictate what it would take to get, say, CSLI data tied to WhatsApp interactions.
Rather than serving as a way to get around legal standards, the reason to get CSLI from the app provider rather than the phone company that originally produces it is to get location data from both sides of a conversation, rather than just the target phone. That is, the app provides valuable context to the location data that you wouldn’t get just from the target’s cell location data.
The fact that the government is getting location data from mobile app providers — and the fact that they comply with the same standard for CSLI obtained from phones in any given jurisdiction — may help to explain a puzzle some have been pondering for the last week or so: why Facebook’s transparency report shows a big spike in wiretap warrants last year.
[T]he latest government requests report from Facebook revealed an unexpected and dramatic rise in real-time interceptions, or wiretaps. In the first six months of 2015, US law enforcement agencies sent Facebook 201 wiretap requests (referred to as “Title III” in the report) for 279 users or accounts. In all of 2014, on the other hand, Facebook only received 9 requests for 16 users or accounts.
Based on my understanding of what is required, this access of location data via WhatsApp should appear in several different categories of Facebook’s transparency report, including 2703(d), trap and trace, emergency request, and search warrant. That may include wiretap warrants, because this is, after all, prospective interception, and not just of the target, but also of the people with whom the target communicates. That may be why Facebook told Motherboard “we are not able to speculate about the types of legal process law enforcement chooses to serve,” because it really would vary from jurisdiction to jurisdiction and possibly even judge to judge.
In any case, we can be sure such requests are happening both on the criminal and the intelligence side, and perhaps most productively under PRISM (which could capture foreign to domestic communications at a much lower standard of review). Which, again, is why any legislation covering location data should cover the act of obtaining location data, whether via the phone company, a Stingray, or a mobile app provider.