FBI, COVID, Cellebrite, Crumbs, and FISA

Your round up of surveillance news for the week of May 3, 2021

John Cameron / Unsplash

#148: Court Chides F.B.I., but Re-Approves Warrantless Surveillance Program

April 26, 2021 | The New York Times by Charlie Savage | ~1070 words

The Foreign Intelligence Surveillance Court (FISC) released a ruling last Monday that chastised the FBI for overreaching its authority granted to them by a warrantless surveillance program, yet the court renewed the program anyway. To be fair, the program is for the National Security Agency to which the FBI is only a tangential benefactor. As explained by the Times the program gives the NSA the ability to warrantlessly gather the calls and messages of non-US citizens with the help of American corporations.

The Times explains why the FBI’s access is particularly concerning:

" . . .the C.I.A., the National Counterterrorism Center and the F.B.I. — also receive access to streams of ‘raw’ messages intercepted without a warrant for their analysts to use. Of those, the F.B.I. is the only one that also has a law enforcement mission, heightening the stakes."

Only 3.6% of the data collected through the program is passed onto the FBI.

The majority of the backlash received by the FBI from the FISC was for overly broad searches of these streams. One example provided showed an analyst searching among 16,000 individuals when only seven were relevant to an FBI investigation.

The Bureau has apparently put better training and safeguards in place to prevent this in the future but claims the pandemic has prevented them from measuring their effectiveness.

#149: Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t

April 27, 2021 | The Markup by Alfred Ng | ~1358 words

Have you installed your state or country’s COVID contact tracing app? The one that uses your phone’s Bluetooth to see what other Bluetooth devices it has been near. If the owner of any of those devices uses the app to say they’ve tested positive for COVID-19, you’ll receive an alert. While not perfect, the framework, collaborated on and built by both Apple and Google, is a semi-decent way to do that while preserving privacy as the connections your phone has seen aren’t uploaded to any servers and never leaves your phone.

Well, the Markup reported on the finding of a security researcher who found that the implementation on Android phones wasn’t as private as originally thought. Apparently Android was writing the logs of those connections in such a way that made them accessible to dozens of other pre-installed apps on the phone. When the researcher made Google aware of the problem, Google did not respond seriously until contacted by the Markup for comment.

However, it does appear that Google did fix the error and began rolling out the changes in a timely manner. As such, this seems to be an innocent yet unforunate oversight.

150: Signal’s Cellebrite Hack Is Already Causing Grief for the Law

April 27, 2021 | Gizmodo by Lucas Ropek | ~792 words

Attorneys around the world are moving to throw out evidence obtained by popular police phone cracking tool Cellebrite. Moxie Marlinspike, creator of the encrypted messaging app Signal, published a blog post documenting dozens of vulnerabilities in Cellebrite along with a video of him exploiting at least one of the vulnerabilities. The tool is often used by law enforcement to gather evidence from those suspected of committing a crime.

In the post, Marlinspike claims that it would be possible to install an app on the phone that could then modify the output of Cellebrite, essentially fabricating evidence. While there is not proof of this actually happening, it was enough for Roman Rozas to challenge the conviction of one of his clients, according to Gizmodo. The same questions are raising legal concerns in Australia as well.

Gizmodo notes that at this point, it’s hard to know what will happen in cases such as Rozas’.

#151: Google’s plan to eradicate cookies is crumbling

April 29, 2021 | Wired UK by Matt Burgess | ~1451 words

Once again, more organizations and businesses are expressing concern over Google’s proposed FLoC implementation previously discussed in surveil-links #77, #134, and #138. Burgess cites the concerns previously noted in surveil-links – such as those from DuckDuckGo, Vivaldi, Brave, and WordPress – but he also quotes several European data regulators – namely those of France, Belgium, and Ireland – voicing worry over the new program.

While Burgess notes that Google seems to be making an effort to make the rollout at least somewhat transparent and address concerns seriously, it really is a question of “how much will Google really change” or will it leverage its power to force the adoption of FLoC? The worry if perhaps best summarized by this paragraph from the article:

“[Google] owns the world’s largest browser, biggest search engine, a huge advertising network, and can collect huge swathes of data. For many people, Google’s services are the internet. Nine of its apps are used by more than a billion people each. That’s an awful lot of data and an awful lot of power. Google’s historic abuse of people’s information has led many not to trust it – and that includes competitors and regulators, as well as consumers.”

#152: National Security Surveillance Plummeted Amid Pandemic and Russia Inquiry Fallout

April 30, 2021 | The New York Times by Charlie Savage | ~1184 words

Not only is this Savage’s first time featured in surveil-links, but he’s the first reporter to make the list twice in one week, writing about the same agency no less!

In his reporting of the Office of the Director of National Intelligence’s transparency report released on Friday, Savage notes that the number of wiretaps and search warrants obtained by the FBI from the FISC dropped for the second year in a row. In 2018, the number was 1,833, followed by 1,059 in 2019, and dropping even more sharply to 451 in 2020.

Don’t confuse these warrants with FBI targets surveilled as part of the NSA program discussed in surviel-link #148 above. As explained, that program does not require a warrant and only affects US citizens communicating with others abroad. The numbers in the above paragraph are the times the FISC approved an FBI search warrant in the name of national security.

That said, the report does also give insight into the warrantless NSA program as well, showing that the number of foreign targets slightly dropped from 204,968 in 2019 to 202,703 in 2020.

Enjoying Surveil-links? Subscribe today and never miss it!

Newsletter Podcast Blog
Get surveil-links directly to your inbox:
Listen wherever you get your podcasts:
Read here or subscribe to the RSS feed:
Email submission is protected by hCaptcha. Its Privacy Policy and Terms of Service apply. You may receive a verification prompt.

Enjoy this piece? Consider letting me know by leaving a tip!

Leave me a tip 🙏🏻