I'm okay with the method the FBI is pursuing. They clearly have a case (or enough of a case to take to court), they know exactly what data they need, and they have obtained a warrant for the information. I don't think wiretap laws should come into play on this unless they plan on intercepting communication beyond what is already stored on the phone. The case so far is exactly what the law intended and holds just as relevant today as it did in the 1700s.
Like drivebyacct2 mentioned, though, asking Google for the SSN of a user is kind of odd, and I really hope Google doesn't know that. It's possible the carrier might know, but Google shouldn't unless the suspect was receiving payment from AdWords or Google Checkout/Wallet (do they need SSN for tax reasons at that point?)
Here's my issue: Google could, in theory, provide them access to the device. But that's not what they're asking for. They're asking for usernames, passwords, SSN, etc. By all means, the FBI can submit a warrant to a lock manufacturer to open a lock. They can not, however, tell the lock manufacturer to give them the contents of whatever the lock is protecting. That's a separate warrant.
> In it, the FBI asks for a warrant to be served on Google. It wants to know:
> The subscriber's name, address, Social Security number, account login and password
I would hope the FBI is bright enough to know that in all likelyhood Google stores their users passwords in hashed form. How would Google actually be able to comply with this request for the password?
What would happen if they can't comply (they can't)? Would this eventually lead to legislation that forces services to store passwords in plain text or reversible encryption (which is pretty much the same thing)?
Google can give you a new password if you forget yours. There is no technical barrier to giving the FBI access and clearly no requirement for plaintext passwords anywhere (setting aside how the request was expressed in the article as a request for a password).
Soghoian wonders about the legality of accessing a still-operational cell phone. ... But a US Magistrate Judge disagreed.
As a side note, I really dislike this style of reporting. I doubt the judge disagreed with Soghoian if Soghoian published his blog post after the judge published his opinion. The article makes it sound like a stupid judge made the wrong decision by not reading some expert opinion that was available to him. If the judge disagreed with anybody, it was defense counsel. But the article doesn't mention any objection by the defense. Perhaps, because as a lawyer, he is in a better position to know what's legal and what's not?
I noticed that too and agree entirely. There is absolutely nothing in the article that suggests this argument was actually made and rejected. At the end of the day, judges are people too and can't possibly have the entirety of all case law in their minds at all times. It is up to defense attorneys to research the case and bring up relevant arguments. I just can't see anything in the article that even suggests that the idea of a wiretap warrant being more appropriate was even discussed.
Ah I just figured something out. So some people here are calling FBI's stupidity for mucking with the phone, as in trying patterns that eventually locked the device. In other words if phones are known to lock they shouldn't just randomly try patterns on it.
But I believe the attempts were not random. They probably did what you suggested, inspects trace of the fingertip grease and discovered a much more constrained set of possible possible patterns.
So they basically got an un-directed graph and now they thought they could figure out the most likely directed path in the graph that would unlock the phone.
Somebody probably made an educated (but eventually bad) guess about what the unlock path would be.
It's a pattern lock, so it must not be using disk encryption (only available on Ice Cream Sandwich with either PIN or password). Is there some reason they can't just open it up and see what's on it?
Text messages are on internal storage, which becomes unmountable when the device is locked.
Depending on the phone, they should be able to get into recovery mode and connect via adb. However, if it has a locked bootloader, they're SOL, and my schaudenfreude is without limit :)
You must have already have root but since they mentioned it's a Samsung phone then all you do is find a CWM/Rooted kernel tar and flash via Odin then do the steps below.
I just assumed that they had search warrants allow this form of discovery for years now. It is funny to thing that an investigator tried one time too many pattern attempts and accidentally erased the phone contents. I'm going to go on record as haha'ing the slip up.
The FBI Forensics Lab mis-entered the pattern lock too many times? The FBI uses the same tactic as my little brother to get into peoples phones? At a forensics lab? And the stuff they want from google kind of blows my mind. "The times and duration of every webpage visited"... As far is I can see that's completely undeliverable by anyone but possibly the carrier. Who do they have working down there?
This is also super interesting: "His parole conditions prevented him from doing anything to hide or lock digital files."
So if convicted of a crime they can require you to not use basic personal and identity safety measures.
Not even the network carrier should be able to tell the duration of a web page visit. Only the browser (or tracking javascript) could record this, but that's still dubious. I've had some browser tabs open on my phone for months... but that doesn't mean I've been constantly looking at them for months. I doubt Android keeps a big database of every page you visit and how long it takes you to close the page or navigate away. I guess Google Analytics might have some of that data, but only for sites that use GA.
> So if convicted of a crime they can require you to not use basic personal and identity safety measures.
Not really a new concept, it's fairly similar to banning a paedophile from going near schools, banning someone on parole from leaving the country (or state), or enforcing a curfew, etc. Similar in that it's restricting what would normally be anybody's right.
Completely agree with you. How amateurish! Lock pattern is saved on the device, not in the cloud. I am not a hacker myself but FBI not having one that downloads entire OS out of it and either cracks the pattern or disable "wait X seconds to retry" and run a cracking app on it makes me wonder. Especially this is not some rocket science we talking about -- his lock pattern most likely is max 5 pins.
Some of the things they're asking for are beyond absurd. How does someone work at the FBI and not realize that asking Google for a user's SS# or detailed browsing logs not realistic?
IANAL, but I'm assuming Google doesn't have to hand over anything that's not explicitly listed in the warrant. If you're the FBI, you might as well ask for the world and see what you get back.
Often enough if someone is smart enough to even realize such things they wouldn't be working for the government. And if you deal with the government you start seeing this kind of stupidity quite often. I am sure you'll see in any large bureaucratic structure (private too) it is just the govt is the largest one of all.
It's not about being realistic, it's about finding out what sort of information Google retains about its users. Low-profile cases are the best times to test these sorts of fishing expeditions because attention and resistance to teh subpoena will be low. (In contrast, in a high-profile case, the defendant is likely to vigorously oppose any such attempt.)
In other words: The FBI doesn't care if they actually get the information in this case; they want to know if they'll be able to get such information in future, more important cases.
the implications at the end are really lame. "the phone may have received sms after the judge issued the order"
like that would be held in court for anything? let's thing analogically: would a mob king be freed if a judge authorized a safe with evidence to be opened on the 4th but it was only opened on the 7th, and new evidence was put into the safe by other agents on the 6th?
[+] [-] freehunter|14 years ago|reply
Like drivebyacct2 mentioned, though, asking Google for the SSN of a user is kind of odd, and I really hope Google doesn't know that. It's possible the carrier might know, but Google shouldn't unless the suspect was receiving payment from AdWords or Google Checkout/Wallet (do they need SSN for tax reasons at that point?)
[+] [-] redthrowaway|14 years ago|reply
[+] [-] pilif|14 years ago|reply
> In it, the FBI asks for a warrant to be served on Google. It wants to know:
> The subscriber's name, address, Social Security number, account login and password
I would hope the FBI is bright enough to know that in all likelyhood Google stores their users passwords in hashed form. How would Google actually be able to comply with this request for the password?
What would happen if they can't comply (they can't)? Would this eventually lead to legislation that forces services to store passwords in plain text or reversible encryption (which is pretty much the same thing)?
[+] [-] vrotaru|14 years ago|reply
[+] [-] andersh|14 years ago|reply
[+] [-] tedunangst|14 years ago|reply
As a side note, I really dislike this style of reporting. I doubt the judge disagreed with Soghoian if Soghoian published his blog post after the judge published his opinion. The article makes it sound like a stupid judge made the wrong decision by not reading some expert opinion that was available to him. If the judge disagreed with anybody, it was defense counsel. But the article doesn't mention any objection by the defense. Perhaps, because as a lawyer, he is in a better position to know what's legal and what's not?
[+] [-] inchcombec|14 years ago|reply
[+] [-] dsr_|14 years ago|reply
[+] [-] rdtsc|14 years ago|reply
But I believe the attempts were not random. They probably did what you suggested, inspects trace of the fingertip grease and discovered a much more constrained set of possible possible patterns.
So they basically got an un-directed graph and now they thought they could figure out the most likely directed path in the graph that would unlock the phone.
Somebody probably made an educated (but eventually bad) guess about what the unlock path would be.
[+] [-] mahmud|14 years ago|reply
[+] [-] FaceKicker|14 years ago|reply
[+] [-] tadfisher|14 years ago|reply
Depending on the phone, they should be able to get into recovery mode and connect via adb. However, if it has a locked bootloader, they're SOL, and my schaudenfreude is without limit :)
[+] [-] cleverjake|14 years ago|reply
[+] [-] pwf|14 years ago|reply
Do you know where in the source this is?
[+] [-] Qweef|14 years ago|reply
You must have already have root but since they mentioned it's a Samsung phone then all you do is find a CWM/Rooted kernel tar and flash via Odin then do the steps below.
adb -d shell
sqlite3 data/data/com.android.providers.settings/databases/settings.db
sqlite> update system set value=0 where name='lock_pattern_autolock'; sqlite> .exit
exit
Reboot from there and the lockscreen is bypassed.
Remember kids, use this for good and not evil muahahhahaahhaah
[+] [-] driverdan|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] DanBC|14 years ago|reply
(http://paranoia.dubfire.net/2012/03/fbi-seeks-warrant-to-for...)
PDF of the application.
(http://www.archive.org/download/gov.uscourts.casd.378626/gov...)
[+] [-] brown9-2|14 years ago|reply
[+] [-] kenj0418|14 years ago|reply
[+] [-] kitanata|14 years ago|reply
[+] [-] nomaningme|14 years ago|reply
[deleted]
[+] [-] koenigdavidmj|14 years ago|reply
[+] [-] signalsignal|14 years ago|reply
[+] [-] SNK|14 years ago|reply
[+] [-] lost-theory|14 years ago|reply
[+] [-] trzaska|14 years ago|reply
[+] [-] dm8|14 years ago|reply
Face unlock was even weaker since anyone who had access to your photo could unlock it.
[+] [-] eta_carinae|14 years ago|reply
[+] [-] user2459|14 years ago|reply
This is also super interesting: "His parole conditions prevented him from doing anything to hide or lock digital files."
So if convicted of a crime they can require you to not use basic personal and identity safety measures.
[+] [-] rhubarbquid|14 years ago|reply
[+] [-] corin_|14 years ago|reply
Not really a new concept, it's fairly similar to banning a paedophile from going near schools, banning someone on parole from leaving the country (or state), or enforcing a curfew, etc. Similar in that it's restricting what would normally be anybody's right.
[+] [-] joering2|14 years ago|reply
[+] [-] drivebyacct2|14 years ago|reply
[+] [-] potshot|14 years ago|reply
[+] [-] rdtsc|14 years ago|reply
[+] [-] rprasad|14 years ago|reply
In other words: The FBI doesn't care if they actually get the information in this case; they want to know if they'll be able to get such information in future, more important cases.
[+] [-] gcb|14 years ago|reply
like that would be held in court for anything? let's thing analogically: would a mob king be freed if a judge authorized a safe with evidence to be opened on the 4th but it was only opened on the 7th, and new evidence was put into the safe by other agents on the 6th?
[+] [-] saraid216|14 years ago|reply