Warning: This post requires some length by way of background but you'll like the ending . . .
Last week, I read a story from Sophos describing how federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. The prosecutors want to make the data available to the lawyers of 214 defendants accused of felony rioting but are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it's relevant to defend their clients.
As you may recall, on the day of the arrests, January 20th, prosecutors claimed that more than 200 protesters marched through the heart of Washington DC, causing more than $100,000 in damage. The protesters shattered store windows, set fire to a limo, and hurled projectiles at police in riot gear, who responded with flash-bang grenades, tear gas and pepper spray.
Police arrested what they said were about 230 people who rioted or incited to riot. Not all of those arrested were protesters: rather, as reputable media reported, sweeping arrests during the inauguration parade indiscriminately targeted rioters, protesters, medics, lawyers and journalists alike.
Police seized the phones of more than 100 of those arrested. Although all of the devices were locked, the government is now in the process of extracting data from the phones and "expects to be in a position to produce all of the data from the searched Rioter Cell Phones in the next several weeks," according to the filing. This is where my BS filter started to kick in.
Police also turned to Facebook to mine data about the protesters: subpoenas for account information were being served on Facebook within a week of the arrests, and one arrestee's Gmail account showed account activity from his or her mobile device while it was in police possession.
The government plans to put each defendant's extracted phone data in a separate folder on a portal called USAfx. Through that portal, every defendant's lawyer will be able to access every other defendant's phone data, including all the personal stuff. The feds have requested a protective order that would keep defense lawyers from copying and disseminating the private phone data from defendants besides their own clients… unless it's relevant to preparing a defense.
The story mentioned the Cellebrite Physical Analyzer as a tool to search a phone's contents. In some, but not all, cases, the courts have decided that law enforcement requires reasonable suspicion to use such a tool. In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones.
If encryption precludes using a tool like Cellebrite's, there are partners who can give decryption a try. Forbes cited Mitre Corporation, classified as a Federally Funded Research and Development Center, which is often relied on by government agencies to search mobile devices. As the story notes, the police could have simply forced those arrested to unlock their phones with their fingerprints or convinced them to give over their PINs.
So how could there be 100% certainty of getting the data from the phones? As always with a thorny security question, I queried Dave Ries and John Simek, my frequent cybersecurity co-authors and presenters. Dave found a story from Threatpost which seems to belie the notion that the feds can get into any phone.
The March 8th story talked about FBI director James B. Comey reviving the "Going Dark" discussion during a keynote address at the Boston Conference on Cyber Security, saying it's time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations.
Comey said that between October and December of last year, the FBI took possession of 2,800 devices, 1,200 of which the bureau could not crack to access the stored data.
"There is no absolute right to privacy," Comey said, adding, "with respect to default, strong encryption, it changes that bargain, and shatters it, in my view."
There was never much doubt as to where Comey stood. But the admission that there were 1,200 phones the FBI could not crack, together with the rest of his remarks, clearly points to something that our friend Dave reduced to an equation worth remembering by all of us as we seek to protect the private data in our smartphones.
How to defeat the feds? Modern, strong encryption + a current phone + the current OS + all updates installed = a pretty good chance that you will successfully ward off efforts to get to your data.
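As an added illustration (my own, not part of the original post or anything from Sensei, Dave or John), here is a small shell check that scores an Android phone against Dave's equation using the values that `adb shell getprop` reports. The property names are real Android system properties; the sample dump at the bottom is constructed rather than taken from any device, and the cutoff date for "all updates installed" is an assumption you supply.

```shell
#!/bin/sh
# Added example, not from the original post: score an Android device against the
# "equation" above (encrypted storage + current OS + current security patch) using
# values that `adb shell getprop` reports. The property names are real Android
# system properties; the sample dump at the bottom is constructed for illustration.

# Extract one property from a getprop dump, whose lines look like
#   [ro.crypto.state]: [encrypted]
# $1 = dump text, $2 = property name. Prints the value (empty if absent).
prop_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Turn YYYY-MM-DD into YYYYMMDD so patch levels can be compared as integers.
date_key() {
    printf '%s' "$1" | tr -d '-'
}

# check_device DUMP MIN_PATCH_DATE
#   Returns 0 when storage is encrypted and the security patch level is not
#   older than MIN_PATCH_DATE (YYYY-MM-DD, an assumed policy cutoff);
#   otherwise prints why and returns 1.
check_device() {
    state=$(prop_value "$1" ro.crypto.state)
    release=$(prop_value "$1" ro.build.version.release)
    patch=$(prop_value "$1" ro.build.version.security_patch)

    if [ "$state" != "encrypted" ]; then
        echo "FAIL: storage is not encrypted (ro.crypto.state=${state:-unset})"
        return 1
    fi
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "FAIL: no usable security patch level (got '${patch:-unset}')"; return 1 ;;
    esac
    if [ "$(date_key "$patch")" -lt "$(date_key "$2")" ]; then
        echo "FAIL: security patch level $patch is older than $2"
        return 1
    fi
    echo "PASS: Android ${release:-?} encrypted, patch level $patch"
    return 0
}

# Constructed sample dump in getprop's output format (not from a real device).
SAMPLE_DUMP='[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-03-05]
[ro.crypto.state]: [encrypted]'

# Against a connected device you would run:
#   check_device "$(adb shell getprop)" 2017-01-01
check_device "$SAMPLE_DUMP" 2017-01-01
```

The check deliberately fails closed: a device that reports no patch level, or reports its storage as anything other than `encrypted`, does not pass, because those are exactly the phones that the "1,200 the FBI could not crack" figure does not describe.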
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology