
How The FBI Easily Retrieved Michael Cohen's Data From Both Apple and Google (cnn.com)

Court documents unsealed Tuesday showed just how much information America's FBI was able to gather on Donald Trump's lawyer Michael Cohen -- from both Google and Apple products. An anonymous reader quotes CNN: Notably, the FBI made use of Cohen's use of Touch ID and Face ID on his Apple devices, which allow users to quickly log into iPhones and computers by scanning their face or fingerprint rather than typing in a password... But that gives law enforcement an additional means to access those devices. In one warrant application for Cohen, an FBI agent requested authorization "to press the fingers (including thumbs) of Cohen to the Touch ID sensors of the Subject Devices, or hold the Subject Devices in front of Cohen's face, for the purpose of attempting to unlock the Subject Devices via Touch ID or Face ID...."

One warrant requested not simply access to three of Cohen's Gmail accounts, as well as other email accounts, but also some of the wide array of information Google keeps for its users by default, including search history, web cookies associated with an account, device information, and a host of other metadata categories. One affidavit describes how the FBI narrowed down Cohen's temporary location at the Loews Regency Hotel in New York through his cell phone location data. Agents then used a "triggerfish" -- a reference to a stingray, or IMSI catcher, a suitcase-sized device that mimics a cell tower to convince a cell phone to connect and reveal its location...

Prosecutors also made use of a new law that Trump recently signed. Investigators in the Southern District of New York compelled Google to turn over some documents on Cohen, but the tech giant initially "declined to produce data that it stored on computer servers located outside of the United States," according to an affidavit submitted to the court by an FBI agent working on Cohen's case. Weeks later, Trump signed the CLOUD Act into law, which gave US law enforcement more legal pathways to pursue data stored overseas.... In an April 2018 affidavit, the FBI agent argued that "providers are required to disclose data even if it is stored abroad" under the new law. The judge approved the new search warrant later that day, giving investigators access to additional information from Google, including Cohen's emails, attachments, address book and files stored on Google Drive.

One technology law expert told CNN that police now seek access to more and more information.

"I think any of the electronic debris that people leave online on these services is all potentially subject to being used against you."

  • by AHuxley ( 892839 ) on Sunday March 24, 2019 @12:51AM (#58323404) Journal
    Understand what is now a legal search and seizure.
    How to use your OS to ensure your digital "papers" stay secure from unreasonable search attempts.
    When and how your rights stay protected.
    • Can't be done and here's why:

      The technology you use shares familial DNA with every other goddam technology on the planet. It's a level playing field.

      Look: As for weapons, some people are allowed to own jet fighters, aircraft carriers and grenades. You don't get those.

      As for technology, let's look to CaptainDork's Corollary: "For every motherfucker out there with a computer, there's another mother fucker out there with a computer."

      The shit the government (or businesses) use to secure their papers is precisel

  • by Anonymous Coward

    is this someone I should know?

  • Just put up a Miranda Warning. Makes more sense

    • "You have no rights. You lose. All your data are belong to us. This is a no free speech zone. Everything you have ever said can and will be used against you. You are presumed guilty, but at our whim you may (or may not) be given a chance to prove your innocence, if you have enough money. Bend over. Fuck you, pleb, that's why.

      Thank you for your compliance."

      • This is true and it's voluntary.

        Those of us who read the ToS fully appreciate that it's a binding contract whereby the user of a product waives all rights and, in fact, agrees to defend the product if it is involved in litigation.

        No one is usurping rights -- people are giving away rights.

        • Oh c'mon, brohamley - does the bootleather taste _that_ good?

          Everybody and his brother knows these leonine "contracts" are undisguisedly one-sided; always "accepted" without a shred of informed consent, much less meeting of the minds; never even read; imposed as mandatory on simple commerce, utterly out of proportion with the elaborate convolutions of the leonine "contract"; and a general travesty of the Law.

  • by mentil ( 1748130 ) on Sunday March 24, 2019 @01:59AM (#58323528)

    With biometric authentication, you are only protected by the 4th amendment. Your finger/face/etc. are akin to a key, and a warrant can compel you to unlock the device with it.

    With a password, it can be argued that divulging it would constitute self-incrimination, which keeps you protected by the 5th amendment as well, even if they get a warrant. Case law is unclear on the matter, at least, with contradictory rulings.

    This is true in the USA at least. UK has a law that mandates divulging passwords, although I don't recall hearing about it being used much.

    • by Tom ( 822 )

      With a password, it can be argued that divulging it would constitute self-incrimination,

      That's one part. The other part is that the stress of prosecution is well known to cause your memory to go hazy and even top politicians who are used to a lot of stress have a tendency to suddenly not be able to remember important details anymore. How will you, a normal person, remember your password under such circumstances?

      "I don't remember." is the get-out-of-jail-card you only have if the thing they need is something that is in your memory.

      • by tinkerton ( 199273 ) on Sunday March 24, 2019 @04:45AM (#58323800)

        I have a lot of accounts where I don't know the password because they're generated strings I just copy from the password manager. So I cannot access these accounts from the smartphone even if I want to.

        Not all that convenient and not intended. It just sort of happened. Also, what if I'm forced to open my laptop with password manager at the airport. All my passwords are in there!

        • by Tom ( 822 ) on Sunday March 24, 2019 @06:34AM (#58324038) Homepage Journal

          One reason why all my really important passwords are not in a password manager. Eggs and baskets and all that.

    • I think this may have changed recently. I remember hearing in the last month or two that biometrics are now considered the same as a numeric password, or passphrase. You cannot be compelled to use biometrics anymore, or at least that it has the same legal protections now that a password has.

      Rubber hoses aside, of course. Those still work.

      Not sure if this is state-specific or federal. I don't remember the exact details, but I do remember thinking, "That's cool, now I don't have to turn off the fingerprin

      • by JaredOfEuropa ( 526365 ) on Sunday March 24, 2019 @06:25AM (#58324014) Journal
        In the Netherlands, a judge recently ruled that unlocking a phone with a fingerprint or holding it up to a suspect's face does not constitute self-incrimination. Which actually makes sense if you look at the law (not sure how it compares to the 5th amendment): that law does not exist to protect your private data, it exists to ensure that you cannot be punished for not volunteering self-incriminating evidence. Compare this to a safe with a combination lock versus a safe with a key: you cannot be compelled to provide the combination nor the location of the key, but if the cops search you and find the key on you, they are free to open the safe with that.

        There are some legislators who now seek to change the law on the grounds that people not unreasonably expect biometrics to provide the same (legal) protection of private data as passwords do. But that's a matter of privacy rather than self-incrimination.
        • Again, the distinction exists, regardless of jurisdiction, between what a person HAS and what a person KNOWS.

    • by JaredOfEuropa ( 526365 ) on Sunday March 24, 2019 @07:05AM (#58324118) Journal
      iPhone users, read this [imore.com]. There are ways to quickly disable the fingerprint scanner and Face ID using the physical buttons on the phone. Easy to do quickly and quietly in case you get arrested. It can also be done through Siri. And Android phones have a similar mechanism I am told.
      • There's another solution that's slicker than deer guts on a door knob.

        If you're a developer, you can have two passcodes.

        One will unlock the phone.

        The other will brick it.

        • by EvilSS ( 557649 )
          And enjoy being prosecuted for destruction of evidence if you give them the 2nd code.
          • by Trogre ( 513942 )

            The really smart ones don't actually brick the phones, they just destroy the account with which you store your sensitive data and appear to log in to a nearly as-new device.

    • True.

      Face, fingerprint, iris, palm prints, ... these are things you have.

      Passwords and pass codes are things you know.

  • by 93 Escort Wagon ( 326346 ) on Sunday March 24, 2019 @02:07AM (#58323542)

    We already knew that, in the US, a person can be compelled to unlock his/her phone if it can be done with a fingerprint or by showing their face.

    If you're really paranoid you need to turn all that off, require a complex passcode to be entered on any of your electronic devices, and be willing to put up with a little inconvenience on a regular basis.

    Personally, I'm not that paranoid - I'm aware that I'm simply not that important of a person.

    • by Tom ( 822 ) on Sunday March 24, 2019 @04:00AM (#58323732) Homepage Journal

      Long passwords (please, please stop this complexity nonsense. Length > complexity !) are too inconvenient to be used constantly.

      Something that allows me to use my fingerprint if the phone hasn't left my possession but requires a long password if it has been off for a day, etc. would be a nice solution.

      The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

      • The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

        While I think length + complexity is the answer, special characters made dictionary words safe to use providing the password is long enough. However you have a great point on this one, I would never use touch ID because it's garbage for someone like me in a construction field who specifically doesn't wear gloves as it takes away from my feel therefore impeding my work. The shit just don't work for me. I tried it for about a week and decided when I was able to unlock my phone the whole 2 times that it was a wa

        • A function that allowed an "authorized" fingerprint to either encrypt and turn off face/touch ID and or wipe the phone silently would be a nice feature to rid the issue of compelled unlocking. I'm sure if you did it in a court room you would have hell to pay but if you did it before you actually got arrested they wouldn't (well, shouldn't) be able to use it against you.

          Actually, as of iOS 12 you can just press the power button five times in a row and it’ll disable Touch ID / Face ID.

          • From previous poster's comments it seems to only be temporary.

            • From previous poster's comments it seems to only be temporary.

              I was pretty sure this was incorrect, but figured I'd test it. So about 5 hours ago I did the 5x power button press on my iPhone and then set it aside. I just picked it up again now, and it is still requiring a passcode.

              Now, after it's been unlocked with a passcode, then TouchID or FaceID will be re-enabled. But until that happens, they stay disabled.

              • Hmm, if I used touchID that would be nice to know, but you can scroll around for my rant as to why it sucks. Thanks for the clarity though.

          • by Tom ( 822 )

            I dimly remember that turning it off will also require your passcode the first time after it turns on again. But I could be wrong.

        • by Tom ( 822 )

          While I think length + complexity is the answer,

          No, it isn't. I've given speeches about this. Complexity is bullshit. On the contrary, a number of attacks (such as shoulder surfing) are made easier with complexity, because you type slower.

          special characters made dictionary words safe to use providing the password is long enough.

          No, it doesn't. Every cracking tool worth the name uses permutations to replace letters with special characters. If you've had the idea, don't you think people who do this stuff for a living haven't?

          • I know plenty of professional pen testers. I know most of the tactics. I have yet to have an issue. I have tried to brute my own passwords, to no avail. I didn't say use common dict words. You frequent IRC? Maybe you can be the one to prove me wrong? I would love to see it as I have yet to see someone give me a password over 8 characters of mine to me. As far as your comment on shoulder surfing. That's about the oldest trick in the book, and I didn't start using computers yesterday. Plus muscle memory goes

      • Oh, come on!

        We're goddam coders.

        One finger unlocks.

        Another bricks.

        • by Tom ( 822 )

          You don't want to brick because you can easily use the lock finger by mistake. But it should be a hassle to unlock after, and require something non-biometric.

  • by gweihir ( 88907 ) on Sunday March 24, 2019 @02:34AM (#58323578)

    Seriously, people, your phones have back-doors, front-doors, compromised apps, malware, etc. on them and send data into insecure clouds. Do not trust your phones. The only way you could ever trust your phones is if there was strong legal protection for your data. There is not. Thanks to the rising authoritarians and proto-fascists in the West, there is the opposite.

    • Problem is even if you get rid of your phone, pretty much every device nowadays is littered with sensors and internet access. TVs, cars, fitness devices, furniture etc. Even if you got rid of everything in your own room, it's even possible to spy on you from adjacent rooms (Wifi).

      Privacy has competed with humans' need for comfort and lost.

      • by gweihir ( 88907 )

        I never said to get rid of it. Whatever gave you that idea? Just do not put stuff on it you want to keep secret.

      • I would never own an "internet connected" vehicle. I may purchase one and then rip out the wifi/GSM module. But the sad part is the normies don't even understand what they are doing to themselves. They think "OH LOOK I can browse facebook faster in my car now that I have car wifi!!" when in reality they are just helping track their family and children. The internet has been destroyed since the non nerds took over. I want it back damnit!

    • by gtall ( 79522 )

      and the rising authoritarians in China and Russia, although admittedly they had a head start.

      India is not far behind, nor Pakistan. Cuba was always in the vanguard ever since Castro decided to be la Suprema.

      • by gweihir ( 88907 )

        Indeed. But the West was supposed to be the model that showed everybody how it could be done differently. Seems that failed and the whole world is going to hell. Again.

    • In this case the phones were unlocked because of the use of biometrics instead of password only protection. If they were locked only with passwords and Cohen didn’t cooperate, the FBI would have had to employ hackers.
  • If you use a password or code to unlock your encrypted devices and data then (according to quite a few different court rulings) you are protected by the 5th amendment and can't be forced to give up the password or code (although exactly how far that protection extends depends on which court ruling(s) apply in your jurisdiction). No such protection exists when it comes to things like fingerprint or facial recognition or other biometrics.

    Plus it's a lot easier for bad guys (whoever they may be) to defeat biome

  • by NicknameUnavailable ( 4134147 ) on Sunday March 24, 2019 @07:07AM (#58324122)
    Biometrics are notorious for being easy to fool, even the emerging 3D-face-scanning stuff coming out is going to be as bad, because the sensors can't be integrated into the chips themselves, in turn you could always just remove the sensor, replace it with a serial line, and spoof whatever signal it expected to see from a "3D" scan using an image.
    Two-factor authentication is a joke when biometrics are involved, because the biometric component negates any other component. Security can't be about something someone has (e.g. CAC cards) and is (e.g. biometrics) alone - the something someone knows (e.g. password) is the most critical factor because it can't be stolen, it can't be spoofed, and in extreme cases it can't even be cut off with a saw or scooped out of an eyesocket with a spoon (at least, not directly.)
    Making biometrics a part (yes, even a part) of a security deployment of any kind is akin to making everyone set up their full name as a username with their social security number as their password - it's fucking dumb to use public information (no matter how convoluted to spoof, because if it can be done it will be done) for security.
  • Well, who cares if government has more and more and more access to your "papers" as long as political factions aren't using it in violation of the 4th and 5th amendment to harm their political opponen...OH FUCK

  • This is the event that made me realize digital privacy is important to anyone, not just those who know they are doing something they need to hide. There was a case a few years ago where some guy left his toddler in the carseat instead of dropping him off at daycare and the kid died. The police went through his online history and found he was talking to prostitutes and engaging in other extramarital, sexually deviant behavior. On that alone, they gave him life in prison because a jury believed he intentio
