Posts

Wednesday: Time Travel

In this roundup: A short film about a mother’s time travel adventure, the Internet of Stupid Things, and more.

Monday Morning: Feeling Rather Mussorgsky

It’s not even 7:00 a.m. here as I start to write this post, and the day is already frantic — like Mussorgsky’s Night on Bald Mountain. I don’t expect a placid ending to the first day of this week, either.

Strap in, lock and load.

Volkswagen on a roll — downhill, fast

  • A former employee who worked at the Michigan-based Volkswagen Group of America’s data processing center filed suit for wrongful termination. The employee lost their job after warning against data deletion following a U.S. Department of Justice order that VW halt normal data deletion processes to preserve potential evidence. Michigan is an at-will state, meaning employees can be fired for any reason at any time if they do not have a contract. However, employers may not fire workers in retaliation for refusing to do illegal acts or for reporting violations of health and safety code. Not a sketchy situation at all…this case might be an opportunity for discovery.
  • VW cutting jobs back home in Germany, with administrative roles taking the biggest hit. At the same time, VW says it intends to hire more software and technology personnel as it shifts away from traditional automotive technology. Huh — not a move I would expect when VW clearly hasn’t a handle on electronic vehicle technology.
  • Car sales are up 6.3 percent in the EU, but VW-brand car sales are off 4 percent. Ford and GM’s Opel picked up what VW lost in terms of sales.

Asking oranges from Apple

  • USDOJ hint-hints with little subtlety it will demand Apple’s source code. By subtlety, I mean a footnote shaped like a cudgel in its response to #AppleVsFBI:

    The FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature.

    The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labour by Apple programmers.

    You can read Marcy’s take on the USDOJ’s Lavabit gambit for more.

  • The mega-sized tech companies who support Apple are now doubling down on encryption. Couldn’t see that coming, huh?
  • Some speculate WhatsApp as a communications technology may be the next focus of law enforcement in wake of #AppleVsFBI.
  • John Oliver does a Deep Dive into #AppleVsFBI — amusing take, but Oliver and his writing team have far too simplistic a take on this case. It’s not just that FBI wants a ‘master key,’ or that the FBI relies on All Writs to make its demand on Apple. It’s about forcing a company to create something entirely new, and something that’s not intrinsically part of its product.

Another energy industry executive dead
Josh Comstock, CEO of C&J Energy Services in Houston, Texas, died unexpectedly on Friday. He passed away in his sleep at age 46. Comstock was a supporter of NHRA drag racing. His company, which provided hydraulic fracturing (fracking) services, lost considerable value over the last year with the sharp drop in oil prices and field development.

Oil dudes are under a lot of stress these days.

And it being a Monday, so are we. Relax when you can, gang. I’m clocking out.

Wednesday Morning: All the Range from Sublime to Silly

We start with the sublime, welcoming astronaut Scott Kelly back to earth after nearly a year in space — 340 days all told. Wouldn’t you like to know how these first hours and days will feel to Kelly as he regains his earth legs?

And then we have the silly…

Apple’s General Counsel Sewell and FBI Director Comey appeared before House Judiciary Committee
You’d think a Congressional hearing about FBI’s demand to crack open Apple iPhone would be far from silly, but yesterday’s hearing on Apple iPhone encryption…Jim Comey likened the iPhone 5C’s passcode protection to “a guard dog,” told Apple its business model wasn’t public safety, fretted about “warrant-proof spaces” and indulged in a thought exercise by wondering what would happen if Apple engineers were kidnapped and forced to write code.

What. The. Feck.

I think I’ll read about this hearing in French news outlets as it somehow sounds more rational: iPhone verrouillé: le patron du FBI sur le gril face au Congrès américain (iPhone locked: FBI boss grilled by US Congress – Le Monde). Other kickers in Comey’s testimony: an admission that a “mistake was made” (oh, the tell-tale passive voice here) in handling the San Bernardino shooter’s phone, the implication that the NSA couldn’t (wouldn’t?) backdoor the iPhone in question, and that obtaining the code demanded from Apple would set precedent applicable to other cases.

Predictably, Apple’s Bruce Sewell explained that “Building that software tool would not affect just one iPhone. It would weaken the security for all of them.” In other words, FBI’s demand that Apple write new code to crack the iPhone 5C’s locking mechanism is a direct threat to Apple’s business model, based on secure electronic devices.

Catch the video of the entire hearing on C-SPAN.

Facebook’s Latin American VP arrested after resisting release of WhatsApp data
Here’s another legal precedent, set in another country, where a government made incorrect assumptions about technology. Brazilian law enforcement and courts believed WhatsApp stored data it maintains it doesn’t have, forcing the issue by arresting a Facebook executive though WhatsApp is a separate legal entity in Brazil. Imagine what could happen in Brazil if law enforcement wanted an Apple iPhone 5C unlocked. The executive will be released today, according to recent reports. The underlying case involved the use of WhatsApp messaging by drug traffickers.

USAO-EDNY subpoenaed Citigroup in FIFA bribery, corruption and money laundering allegations
In a financial filing, Citigroup advised it had been subpoenaed by the U.S. Attorney’s office. HSBC advised last week it had been contacted by U.S. law enforcement about its role. No word yet as to whether JPMorgan Chase and Bank of America have been likewise subpoenaed though they were used by FIFA officials. Amazing. We might see banksters perp-walked over a fútbol scandal before we see any prosecuted for events leading to the 2008 financial crisis.

Quick hits

I’m out of here, need to dig out after another winter storm dumped nearly a foot of the fluffy stuff yesterday. I’m open to volunteers, but I don’t expect many snow shovel-armed takers.

How the Government Uses Location Data from Mobile Apps

The other day I looked at an exchange between Ron Wyden and Jim Comey that took place in January 2014, as well as the response FBI gave Wyden afterwards. I want to return to the reason I was originally interested in the exchange: because it reveals that FBI, in addition to obtaining cell location data directly from a phone company or a Stingray, will sometimes get location data from a mobile app provider.

I asked Magistrate Judge Stephen Smith from Houston whether he had seen any such requests — he’s one of a group of magistrates who have pushed for more transparency on these issues. He explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to turn over the cell site location information they had obtained from the users’ phones along with other metadata about those interactions. To be clear, this is not location data the app provider generates; it would be the location data the phone company generates, which the app accesses in the normal course of operation.

The point of getting location data like this is not to evade standards for a particular jurisdiction on CSLI. Smith explained, “The FBI apparently considers CSLI from smart phone apps the same as CSLI from the phone companies, so the same legal authorities apply to both, the only difference being that the ‘target device’ identifier is a WhatsApp/Snapchat account number instead of a phone number.” So in jurisdictions where you can get location data with an order, that’s what it takes; in jurisdictions where you need a probable cause warrant, that’s what it will take. The map above, which ACLU makes a great effort to keep up to date here, shows how jurisdictions differ on the standards for retrospective and prospective location information, which is what (as far as we know) will dictate what it would take to get, say, CSLI data tied to WhatsApp interactions.

Rather than serving as a way to get around legal standards, the reason to get CSLI from the app provider rather than the phone company that originally produces it is to get location data from both sides of a conversation, rather than just the target phone. That is, the app provides valuable context to the location data that you wouldn’t get just from the target’s cell location data.

The fact that the government is getting location data from mobile app providers — and the fact that they comply with the same standard for CSLI obtained from phones in any given jurisdiction — may help to explain a puzzle some have been pondering for the last week or so: why Facebook’s transparency report shows a big spike in wiretap warrants last year.

[T]he latest government requests report from Facebook revealed an unexpected and dramatic rise in real-time interceptions, or wiretaps. In the first six months of 2015, US law enforcement agencies sent Facebook 201 wiretap requests (referred to as “Title III” in the report) for 279 users or accounts. In all of 2014, on the other hand, Facebook only received 9 requests for 16 users or accounts.

Based on my understanding of what is required, this access of location data via WhatsApp should appear in several different categories of Facebook’s transparency report, including 2703(d), trap and trace, emergency request, and search warrant. That may include wiretap warrants, because this is, after all, prospective interception, and not just of the target, but also of the people with whom the target communicates. That may be why Facebook told Motherboard “we are not able to speculate about the types of legal process law enforcement chooses to serve,” because it really would vary from jurisdiction to jurisdiction and possibly even judge to judge.

In any case, we can be sure such requests are happening both on the criminal and the intelligence side, and perhaps most productively under PRISM (which could capture foreign to domestic communications at a much lower standard of review). Which, again, is why any legislation covering location data should cover the act of obtaining location data, whether via the phone company, a Stingray, or a mobile app provider.