How The FBI Easily Retrieved Michael Cohen's Data From Both Apple and Google

Court documents unsealed Tuesday showed just how much information America's FBI was able to gather on Donald Trump's lawyer Michael Cohen -- from both Google and Apple products. An anonymous reader quotes CNN: Notably, the FBI made use of Cohen's use of Touch ID and Face ID on his Apple devices, which allow users to quickly log into iPhones and computers by scanning their face or fingerprint rather than typing in a password... But that gives law enforcement an additional means to access those devices. In one warrant application for Cohen, an FBI agent requested authorization "to press the fingers (including thumbs) of Cohen to the Touch ID sensors of the Subject Devices, or hold the Subject Devices in front of Cohen's face, for the purpose of attempting to unlock the Subject Devices via Touch ID or Face ID...."

One warrant requested not simply access to three of Cohen's Gmail accounts, as well as other email accounts, but also some of the wide array of information Google keeps for its users by default, including search history, web cookies associated with an account, device information, and a host of other metadata categories. One affidavit describes how the FBI narrowed down Cohen's temporary location at the Loews Regency Hotel in New York through his cell phone location data. Agents then used a "triggerfish" -- a reference to a stingray, or IMSI catcher, a suitcase-sized device that mimics a cell tower to convince a cell phone to connect and reveal its location...

Prosecutors also made use of a new law that Trump recently signed. Investigators in the Southern District of New York compelled Google to turn over some documents on Cohen, but the tech giant initially "declined to produce data that it stored on computer servers located outside of the United States," according to an affidavit submitted to the court by an FBI agent working on Cohen's case. Weeks later, Trump signed the CLOUD Act into law, which gave US law enforcement more legal pathways to pursue data stories overseas.... In an April 2018 affidavit, the FBI agent argued that "providers are required to disclose data even if it is stored abroad" under the new law. The judge approved the new search warrant later that day, giving investigators access to additional information from Google, including Cohen's emails, attachments, address book and files stored on Google Drive.
One technology law expert told CNN that police now seek access to more and more information.

"I think any of the electronic debris that people leave online on these services is all potentially subject to being used against you."

Be secure in your papers

[AHuxley]

Understand what is now a legal search and seizures.
How to use your OS to ensure your digital "papers" stay secure from unreasonable search attempts.
When and how your rights stay protected.

Re:Be secure in your papers

[CaptainDork]

Can't be done and here's why:

The technology you use shares familial DNA with every other goddam technology on the planet. It's a level playing field.

Look: As for weapons, some people are allowed to own jet fighters, aircraft carriers and grenades. You don't get those.

As for technology, let's look to CaptainDork's Corollary: "For every motherfucker out there with a computer, there's another mother fucker out there with a computer."

The shit the government (or businesses) use to secure their papers is precisely the same as yours.

It's a level playing field.

How insane is that?

Instead of a "Privacy Policy"

[fustakrakich]

Just put up a Miranda Warning. Makes more sense

Re: Instead of a "Privacy Policy"

[astrofurter]

Oh c'mon, brohamley - does the bootleather taste _that_ good?

Everybody and his brother knows these leonine "contacts" are undisguisedly one-sided; always "accepted" without a shed of informed consent, much less meeting of the minds; never even read; imposed as mandatory on simple commerce, utterly out of proportion with the elaborate convolutions of the leonine "contract"; and a general travesty of the Law.

Passwords Still Rule

[mentil]

With biometric authentication, you are only protected by the 4th amendment. Your finger/face/etc. are akin to a key, and a warrant can compel you to unlock the device with it.

With a password, it can be argued that divulging it would constitute self-incrimination, which keeps you protected by the 5th amendment as well, even if they get a warrant. Case law is unclear on the matter, at least, with contradictory rulings.

This is true in the USA at least. UK has a law that mandates divulging passwords, although I don't recall hearing about it being used much.

Re:Passwords Still Rule

[Tom]

With a password, it can be argued that divulging it would constitute self-incrimination,

That's one part. The other part is that the stress of prosecution is well known to cause your memory to go hazy and even top politicians who are used to a lot of stress have a tendency to suddenly not be able to remember important details anymore. How will you, a normal person, remember your password under such circumstances?

"I don't remember." is the get-out-of-jail-card you only have if the thing they need is something that is in your memory.

Re:Passwords Still Rule

[tinkerton]

I have a lot of accounts where I don't know the password because they're generated strings I just copy from the password manager. So I cannot access these accounts from the smartphone even if I want to.

Not all that convenient and not intended. It just sort of happened. Also, what if I'm forced to open my laptop with password manager at the airport. All my passwords are in there!

Re:Passwords Still Rule

[Mr.+Dollar+Ton]

If you say "I forgot", fully expect to stay in prison for "contempt of court" until you remember.

Re:Passwords Still Rule

[JaredOfEuropa]

In the Netherlands, a judge recently ruled that unlocking a phone with a fingerprint or holding it up to a suspect's face does not constitute self-incrimination. Which actually makes sense if you look at the law (not sure how it compares to the 5th amendment): that law does not exist to protect your private data, it exists to ensure that you cannot be punished for not volunteering self-incriminating evidence. Compare this to a safe with a combination lock versus a safe with a key: you cannot be compelled to provide the combination nor the location of the key, but if the cops search you and find the key on you, they are free to open the safe with that.

There are some legislators who now seek to change the law on the grounds that people not unreasonably expect biometrics to provide the same (legal) protection of private data as passwords do. But that's a matter of privacy rather than self-incrimination.

Re:Passwords Still Rule

[Tom]

One reason why all my really important passwords are not in a password manager. Eggs and baskets and all that.

Re:Passwords Still Rule

[JaredOfEuropa]

iPhone users, read this. There are ways to quickly disable the fingerpint scanner and Face ID using the physical buttons on the phone. Easy to do quickly and quietly in case you get arrested. It can also be done through Siri. And Android phones have a similar mechanism I am told.

Re:Passwords Still Rule

[Highdude702]

How does a backup stop somebody from stealing your passwords? It doesn't. Tom was talking specifically about people not being able to steal important passwords. I don't use a password manager at all. All of my important passwords are semi-unique 8-22 characters long depending on what its being used for. its surprisingly easy to remember them.

Re:Passwords Still Rule

[CaptainDork]

There's another solution that's slicker than deer guts on a door knob.

If you're a developer, you can have two passcodes.

One will unlock the phone.

The other will brick it.

No real surprises here

[93+Escort+Wagon]

We already knew that, in the US, a person can be compelled to unlock his/her phone if it can be done with a fingerprint or by showing their face.

If you're really paranoid you need to turn all that off, require a complex passcode to be entered on any of your electronic devices, and be willing to put up with a little inconvenience on a regular basis.

Personally, I'm not that paranoid - I'm aware that I'm simply not that important of a person.

Re:No real surprises here

[Tom]

Long passwords (please, please stop this complexity nonsense. Length > complexity !) are too inconvenient to be used constantly.

Something that allows me to use my fingerprint if the phone hasn't left my possession but requires a long password if it has been off for a day, etc. would be a nice solution.

The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

Re:No real surprises here

[Highdude702]

The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

While I think length + complexity is the answer, special characters made dictionary words safe to use providing the password is long enough. However you have a great point on this one, I would never use touch ID because its garbage for someone like me in a construction field who specifically doesn't wear gloves as it takes away from my feel therefor impeding my work. The shit just don't work for me. I tried it for about a week and decided when I was able to unlock my phone the whole 2 times that is was a waste of time. however it would be funny to watch the cops in frustration if that ever happened. However my wife uses it and has no issues with it at all. A function that allowed an "authorized" fingerprint to either encrypt and turn off face/touch ID and or wipe the phone silently would be a nice feature to rid the issue of compelled unlocking. I'm sure if you did it in a court room you would have hell to pay but if you did it before you actually got arrested they wouldn't(well shouldn't) be able to use it against you. you know use the claim you did it when first stopped so the cops wouldn't snoop through the naked pictures of your wife/girlfriend/boyfriend(s). Because everyone knows that cops can be scumbags when not in front of a judge. And you could probably use that defense justifiably with very little digging into recent cop douche baggery.

Re:No real surprises here

[CaptainDork]

Unless you're a foreigner who was in the wrong place at the wrong time and went to Gitmo with no due process, no lawyer, no trial, and subjected to torture.

Unless you're a civilian minding your own fucking business when the US dropped a goddam bomb on your motherfucking hospital on your own goddam sovereign soil.

Unless you're an American citizen in Puerto Rico.

Unless you have the goddam unmitigated gall to be driving while Black.

Re: No real surprises here

[alexo]

This. A million times. Seriously, what's so hard about being part of a community and following rules?

Rosa Parks would like to have a word with you.

Why would anybody trust a mobile listening device?

[gweihir]

Seriously, people, your phones have back-doors, front-doors, compromised apps, malware, etc. on them and send data into insecure clouds. Do not trust your phones. The only way you could ever trust your phones was is there was strong legal protection for your data. There is not. Thanks to the raising authoritarians and proto-fascists in the West, there is the opposite.

Re:President Trump owned the libs

[gweihir]

You are cheering for the downfall of your own country? Fascinating.

Re:Extraterritoriality

[Mister+Transistor]

Probably Ireland, they have a European HQ located there, but not sure if they have a server farm there too.

Also, it's probably not very relevant where the data is actually stored these days, it's most likely replicated and backed up in several countries. Most global companies now use off-site backups and replicate their data in geographically separate locations, with data centers in many countries spread throughout the world. This gives them more redundancy and a better shot at handling an international disaster; a given country would likely be unaffected while another is having a disaster like a tidal wave or whatever.

    The whole point of the new law was to deal with exactly this sort of situation, where the local laws or agencies of other countries are either not enforceable or somehow otherwise are an impediment to them getting legal access to the data. The other country really doesn't have any chance to say anything in the matter, if they're even aware of it. If Google or whoever refuses the request, they would no doubt prosecute them as though they had denied law enforcement's access to the data just the same as if it was located in the U.S.

Not saying it's right or wrong. Personally, I'm not a fan of laws that give Government expanded powers to nose into people's lives, either real or online, but I'm not a fan of crime, obviously. If nothing else, this was expected. Many of our laws need to be updated to be meaningful and reflect the new digital reality we live in - the legal system is lagging behind reality in many ways by anywhere from 5-10 years to about 50.

Biometrics Are Universally Insecure

[NicknameUnavailable]

Biometrics are notorious for being easy to fool, even the emerging 3D-face-scanning stuff coming out is going to be as bad, because the sensors can't be integrated into the chips themselves, in turn you could always just remove the sensor, replace it with a serial line, and spoof whatever signal it expected to see from a "3D" scan using an image.
Two-factor authentication is a joke when biometrics are involved, because the biometric component negates any other component. Security can't be about something someone has (e.g. CAC cards) and is (e.g. biometrics) alone - the something someone knows (e.g. password) is the most critical factor because it can't be stolen, it can't be spoofed, and in extreme cases it can't even be cut off with a saw or scooped out of an eyesocket with a spoon (at least, not directly.)
Making biometrics a part (yes, even a part) of a security deployment of any kind is akin to making everyone set up their full name as a username with their social security number as their password - it's fucking dumb to use public information (no matter how convoluted to spoof, because if it can be done it will be done) for security.

Re:Why would anybody trust a mobile listening devi

[gweihir]

I never said to get rid of it. Whatever gave you that idea? Just do not put stuff on it you want to keep secret.

Re: Why would anybody trust a mobile listening dev

[chill]

That's a red herring. The phone isn't so much a storage device itself, as it is conduit to all of your online data.