Generalist Policing Models Remain Problematic

From the New York Time’s opinion section, this piece on“Why the F.B.I. Is so far behind on cybercrime?” reinforces the position that American law enforcement is stymied in investigating cybercrimes because:

…it lacks enough agents with advanced computer skills. It has not recruited as many of these people as it needs, and those it has hired often don’t stay long. Its deeply ingrained cultural standards, some dating to the bureau’s first director, J. Edgar Hoover, have prevented it from getting the right talent.

Emblematic of an organization stuck in the past is the F.B.I.’s longstanding expectation that agents should be able to do “any job, anywhere.” While other global law enforcement agencies have snatched up computer scientists, the F.B.I. tried to turn existing agents with no computer backgrounds into digital specialists, clinging to the “any job” mantra. It may be possible to turn an agent whose background is in accounting into a first-rate gang investigator, but it’s a lot harder to turn that same agent into a top-flight computer scientist.

The “any job” mantra also hinders recruitment. People who have spent years becoming computer experts may have little interest in pivoting to another assignment. Many may lack the aptitude for — or feel uneasy with — traditional law enforcement expectations, such as being in top physical fitness, handling a deadly force scenario or even interacting with the public.

This very same issue plagues the RCMP, which also has a generalist model that discourages or hinders specialization. While we do see better business practices in, say, France, with an increasing LEA capacity to pursue cybercrime, we’re not yet seeing North American federal governments overhaul their own policing services.1

Similarly, the FBI is suffering from an ‘arrest’ culture:

The F.B.I.’s emphasis on arrests, which are especially hard to come by in ransomware cases, similarly reflects its outdated approach to cybercrime. In the bureau, prestige often springs from being a successful trial agent, working on cases that result in indictments and convictions that make the news. But ransomware cases, by their nature, are long and complex, with a low likelihood of arrest. Even when suspects are identified, arresting them is nearly impossible if they’re located in countries that don’t have extradition agreements with the United States.

In the Canadian context, not only is pursuing to arrest a problem due to jurisdiction, the complexity of cases can mean an officer spends huge amounts of time on a computer, and not out in the field ‘doing the work’ of their colleagues who are not cyber-focused. This perception of just ‘playing games’ or ‘surfing social media’ can sometimes lead to challenges between cyber investigators and older-school leaders.2 And, making things even more challenging is that the resources to train to detect and pursue Child Sexual Abuse Material (CSAM) are relatively plentiful, whereas economic and non-CSAM investigations tend to be severely under resourced.

Though there is some hope coming for Canadian investigators, by way of CLOUD agreements between the Canadian and American governments, and the updates to the Cybercrime Convention, both will require updates to criminal law as well as potentially provincial privacy laws to empower LEAs with expanded powers. And, even with access to more American data that enables investigations this will not solve the arrest challenges when criminals are operating out of non-extradition countries.

It remains to be seen whether an expanded capacity to issue warrants to American providers will reduce some of the Canadian need for specialized training to investigate more rudimentary cyber-related crimes or if, instead, it will have a minimum effect overall.

  1. This is also generally true to provincial and municipal services as well. ↩︎
  2. Fortunately this is a less common issue, today, than a decade ago. ↩︎

How a Facial Recognition Mismatch Can Ruin Your Life

Via The Intercept:

“As an analytical scientist, whenever someone gives me absolute certainty, my red flag goes up,” said Jason Latham, who worked as a biochemist prior to becoming a forensic scientist and certified video examiner. “When I came from analytical sciences to forensic sciences, I was like some of these guys are not scientists. They are voodoo witchcraft.”

Forensic reports generally provide few details about the methods they use to arrive at points of similarity. But in Talley’s case, the FBI examiner’s report displayed a high degree of certainty. George Reis, a facial examiner who has testified more than 50 times for state, federal, and military courts throughout the country on forensic visual comparisons, pointed out that the report on Talley’s case was vague. “It is generally considered best practice to be specific in reports and to point out features of similarity, as well as differences, in any comparison illustration or chart,” Reis noted. “In the Talley case no such markings exist. The video frames that were used in the FBI illustration were of poor quality and limited value.”

Facial recognition: sorta fun if you’re using it for commercial stuff like tagging your friends, but really dangerous if its part of what is used to convict persons for crimes they’re alleged to have committed.


We have never had absolute privacy in this country. Cars, safe deposit boxes, our apartments, our houses, even the contents of our minds—any one of us, in appropriate circumstances, can be compelled to say what we saw. We have never lived with large swaths of our life off limits, where judicial authority is ineffective. That is something we need to talk about. I don’t think the FBI should tell people what to do. I don’t think tech companies should tell people what to do. The American people need to decide.

-James Comey, Director of the FBI

The problem is that Comey is simply wrong: the state has never held absolute power over citizens. The 5th Amendment in the United States guarantees a right to avoid testifying against oneself. Our devices are now so personalized with our communciations, thoughts, banking, business, and life that they are functionally a self-testamonial about our lives.

Moreover, even when some evidence is unavailable – be it because authorities don’t know to look for it, or cannot find it – that doesn’t immediately mean that a case is terminated. Instead, a range of powers as well as alternate charges can be brought to bear. And the price of a democracy is that, sometimes, authorities cannot bring charges against people they suspect but cannot prove may have broken the law. This restraint on state power is a core feature of liberal democratic governance and is a restraint that needs to be maintained so that we can all enjoy our freedoms.


FBI watched as hacker dumped Bell Canada passwords online

FBI watched as hacker dumped Bell Canada passwords online:

When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

Christopher Parsons, a postdoctoral fellow who studies state access to telecommunication data at the Citizen Lab at the Munk School of Global Affairs in Toronto, said it made “good tactical sense” that the FBI used confidential informants and an undercover server to build their case.

It was the fact they did nothing to stop the crime before it occurred that makes this case unusual, Parsons said.

“In this case it sounds like the FBI had that ability, had that option to prevent these things from happening, perhaps with a weaker case, but instead they opted to endanger innocents in order to build a stronger case,” said Parsons. “The problem there is there is no indication Bell had been notified. This wasn’t dummy data that was released — this was live, real customer data.”



Secret Courts, Secret Evidence, and American Justice

Techdirt has recently covered a just shameful decision out of the US. The case involved an alleged domestic terror suspect who the FBI helped in every way to plan a bombing in Chicago. From the article:

Daoud’s lawyers made a much more thorough request for the evidence obtained via the FAA. As they note, there may be significant problems with the FISA information, including, but not limited to the FISA application for electronic surveillance may fail to establish probable cause that Dauoud was “an agent of a foreign power.” As they note, he was an American citizen and school student in suburban Chicago. They also suggest the FISA application may have contained material falsehoods or omissions and might violate the 4th Amendment. The surveillance also may have violated the FISA law. There are many other reasons they bring up as well.

The Justice Department (of course) argued that it shouldn’t have to hand over any of this info, in part because it’s classified and in part because they’re not going to use that evidence against Daoud.

Unfortunately, the court wasted little time in agreeing with the feds that they don’t need to turn over the evidence collected under FISA.

Just to be clear, this means that a secret court approved the secret surveillance of a domestically situated American citizen, and then refused to disclose the collected evidence. The American defendant, then, cannot know the totality of evidence that the state collected. This evidence might have played a key role in subsequent investigative efforts and, as a result, may have ‘poisoned’ the subsequent evidence.

Of course, we seemingly won’t ever know if such a poisoning theorem is true or not. All we’ll know is that American courts permit the state to engage in secret surveillance without disclosing what was collected to defence attorneys. And declare all subsequent proceedings as a ‘fair’ trial environment.


FBI: Smart Meter Hacks Likely to Spread

Though a little over a year old, this post concerning the security of smartmeters is particularly valuable considering the rapid adoption of the technologies throughout Canada. Particularly pertinent:

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.

The FBI believes that miscreants hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert reads. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”

The bureau also said another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage, while still providing electricity to the customer.

So, this suggests that insider threats and poor shielding enable significant fraud. Can’t say it’s surprising given how often these meters have been compromised when deployed in other jurisdictions.


The same vulnerabilities that enable crime in the first place also give law enforcement a way to wiretap — when they have a narrowly targeted warrant and can’t get what they’re after some other way. The very reasons why we have Patch Tuesday followed by Exploit Wednesday, why opening e-mail attachments feels like Russian roulette, and why anti-virus software and firewalls aren’t enough to keep us safe online provide the very backdoors the FBI wants.

* Matt Blaze and Susan Landau, “The FBI Needs Hackers, Not Backdoors

FYI: Governments Spy On Citizens. A Lot.

You often hear that if you’ve nothing to hide then government surveillance isn’t really something you should fear. It’s only the bad people that are targeted! Well….sorta. It is the case that (sometimes) ‘bad people’ are targeted. It’s also (often) the case that the definition of ‘bad people’ extends to ‘individuals exercising basic rights and freedoms.’ This is the lesson that a woman in the US learned: the FBI had secretly generated a 436 page report about her on the grounds that she and friends were organizing a local protest.

What’s more significant is the rampant inaccuracies in the report. The woman herself notes that,

I am repeatedly identified as a member of a different, more mainstream liberal activist group which I was not only not a part of, but actually fought with on countless occasions. To somehow not know that I detested this group of people was a colossal failure of intelligence-gathering. Hopefully the FBI has not gotten any better at figuring out who is a part of what, and that this has worked to the detriment of their surveillance of other activists. I am also repeatedly identified as being a part of campaigns that I was never involved with, or didn’t even know about, including protests in other cities. Maybe the FBI assumes every protester-type attends all other activist meetings and protests, like we’re just one big faceless monolith. “Oh, hey, you’re into this topic? Well, then, you’re probably into this topic, right? You’re all pinkos to us.”

In taking a general survey of all area activists, the files keep trying to draw non-existant connections between the most mainstream groups/people and the most radical, as though one was a front for the other. There are a few flyers from local events that have nothing to do with our campaign, including one posted to advertise a lefty discussion group at the university library. The FBI mentions that activists may be planning “direct action” at their meetings, which the document’s author clarifies means “illegal acts.” “Direct action” was then, and I’d say now, a term used to talk about civil disobedience and intentional arrests. While such things are illegal actions, the tone and context in these FBI files makes it sound like protesters got together and planned how to fly airplanes into buildings or something.

You see, it isn’t just the government surveillance that is itself pernicious. It’s the inaccuracies, mistaken profilings, and generalized suspicion cast upon citizens that can cause significant harms. It is the potential for these profiles to be developed and then sit indefinitely in government databases, just waiting to be used against law abiding ‘good’ citizens, that should give all citizens pause before they grant authorities more expansive surveillance powers.


Skype, the FBI, and MegaUpload

In the aftermath of the MegaUpload seizures we’ll hopefully learn more about how the FBI gained access to Skype transcripts. As reported by CNet:

The FBI cites alleged conversations between DotCom and his top lieutenants, including e-mail and Skype instant-messaging logs. Some of the records go back nearly five years, to MegaUpload’s earliest days as a cyberlocker service–even though Skype says “IM history messages will be stored for a maximum of 30 days” and the criminal investigation didn’t begin until a few months ago.

Sources told CNET yesterday that Skype, the Internet phone service now owned by Microsoft, was not asked by the feds to turn over information and was not served with legal process.

The U.S. Department of Justice told CNET that it obtained a judge’s approval before securing the correspondence, which wouldn’t have been necessary in the case of an informant. “Electronic evidence was obtained though search warrants, which are reviewed and approved by a U.S. court,” a spokesman for the U.S. Attorney for the Eastern District of Virginia said.

Skype saves chat records with contacts in a directory on the local hard drive, which could be accessed by FBI-planted spyware.

While it wouldn’t necessarily be surprising if spyware was used, it would be interesting to see more details of this come to public light. Moreover, was the spyware/electronic access authorization acquired in the US and then the malware implanted on computers in foreign jurisdictions, or did it target local (American) computers? If it was implanted on foreign computers, were local authorities aware of what was going on and did they have to give their approval?