
"Nothing. You're screwed."
January 27, 2014 11:55 AM

During their Freedom Hosting investigation and malware attack last year, the FBI unintentionally obtained the entire e-mail database of popular anonymous webmail service Tor Mail. And now, they've used it in an unrelated investigation to bust a Florida man accused of stealing credit card numbers.

Here’s the catch: In theory, it shouldn’t even matter if an NSA agent is browsing through each email at this very moment. Smarter, more careful users of Tor Mail have never sent a clear text email. Software such as PGP (Pretty Good Privacy) takes 15 minutes to master and provides virtually unbreakable encryption, placing emails out of even the NSA’s reach. It’s a breeze. Any cybercriminal worth his weight in stinky California marijuana would take the time to use it, right?

Wrong.
---

PDF of the complaint mentioned in the article. The revelation that the FBI now has Tor Mail's database is on page 11.
posted by zarq (39 comments total) 14 users marked this as a favorite

 
At least they did get a separate search warrant to go through the data for the subsequent case.
posted by The 10th Regiment of Foot at 11:59 AM on January 27 [6 favorites]


the FBI unintentionally obtained the entire e-mail database of popular anonymous webmail service Tor Mail

Yes. Unintentionally. I'm sure they're really kicking themselves over that blunder.
posted by Sys Rq at 12:09 PM on January 27 [18 favorites]


That "at least" is pretty critical to the legality of the whole thing, actually. That is to say, if no search warrant was required, there would be many more folks up in arms about this. Quite a few people will be up in arms anyway over the fact that the FBI held on to the database, but it's an important distinction.
posted by Going To Maine at 12:09 PM on January 27


At least they did get a separate search warrant to go through the data for the subsequent case.

That's not all that great; it sounds like that's on a par with the DEA reverse-engineering reasonable suspicion through other channels based on evidence that they would otherwise not have had, and that was obtained through what would have been an illegal search if they hadn't gone back and carefully built a pathway to something they knew was there through another route.

It's basically retconned legality. Permitted in practice, provided everyone's meticulous and secretive about it. (And that's what we want from a justice system, right?) But clearly not legitimate in principle.
posted by mhoye at 12:09 PM on January 27 [10 favorites]


But clearly not legitimate in principle.

Well, that's certainly debatable. Cops come upon evidence of other crimes in raids all the time. They have to go through the motions of investigating the other crime and obtaining a warrant to use that evidence legitimately, which it looks like they did here. If this were a drug raid and they came upon a murder weapon from an unassociated crime would that evidence be illegitimate? What if they were wire-tapping a mobster and his associate uses his phone to plot a separate crime from what the initial warrant was issued for, but they can obtain a separate warrant for that crime under a separate investigation?
posted by The 10th Regiment of Foot at 12:17 PM on January 27 [6 favorites]


It's basically retconned legality. Permitted in practice, provided everyone's meticulous and secretive about it. (And that's what we want from a justice system, right?) But clearly not legitimate in principle.

I dunno. On the one hand, you have "Give me any six lines written by the most honest of men, and I can find in there enough to have him hanged". On the other hand, Al Capone only went to jail for tax evasion instead of his many other, actual, crimes.
posted by Pogo_Fuzzybutt at 12:18 PM on January 27


Okay, so here's the thing: the NSA changed the legal meaning of the verb "to collect". In their new definition, having something in their database isn't collecting it. Looking at the thing is collecting it. So imagine you have a library of a million books and your friend is like "wow, so many books in your library!" You'd then say "no, there's not many. I've only read about a dozen."

[This metaphor came from a talk by EFF lawyer Kurt Opsahl called Through a PRISM, Darkly. Well worth watching.]

So the FBI/NSA investigated Freedom Hosting in order to arrest the owner of said service for hosting child porn and other shit. But then they just decided to collect all the other stuff there just for kicks. Oh, sorry did I say collect? I mean "magically it just appeared in the database".

And then this is retroactively queryable.

So everything that was on Freedomhost, legal or not, is now in their paws to be subpoenaed any time they see fit.

It's like taking a photocopy of every letter in the mail system just to be sure that, if it maybe becomes important later, you just have it. But more than photocopied, your letters are transcribed and indexed so whenever the NSA wants to see what "terrorists" are up to they just search for "terrorist" and read all the letters that have that word. And I guess if they find something unrelated but illegal in the process, they can just request a new warrant for that letter and any related to it, and on and on.

Man, I don't even... like... I don't know what to say.
posted by sixohsix at 12:20 PM on January 27 [25 favorites]


It's like taking a photocopy of every letter in the mail system just to be sure that, if it maybe becomes important later, you just have it.

U.S. Postal Service Logging All Mail for Law Enforcement [NYT]
posted by ryanshepard at 12:35 PM on January 27 [4 favorites]


Ideally, any evidence obtained by exceeding any warrant should be inadmissible in court, if not criminally prosecutable. And that blunder should certainly not be correctable by obtaining another warrant from another judge later.

I'd go along with their retaining the data if they'd asked the original judge who granted the original warrant for permission to retain the information for explicit purposes supported by probable cause.

In particular, I'd maybe support the original judge allowing retention for compliance with business records retention laws, thus allowing them to prosecute businesses for violating whatever laws for which business records retention laws exist and/or the retention laws themselves. It's critical in my hypothetical business records case that they provide cause to suspect that Freedom Hosting is being used by businesses to violate the retention laws themselves though. Individuals should not be compelled to retain records in that way of course.
posted by jeffburdges at 12:39 PM on January 27


It's like taking a photocopy of every letter in the mail system just to be sure that, if it maybe becomes important later, you just have it.

Not quite. It's like seizing all the mail stored in a warehouse office where there's a meth lab and then when you see there are letters there from a serial killer getting a warrant to use them to pin him to the murders.
posted by The 10th Regiment of Foot at 12:41 PM on January 27 [2 favorites]


I'm still unclear as to why they're copying all of my phone calls, email, messages, and web usage to permanent databases without warrants or anything even resembling due process.
posted by mikelieman at 12:43 PM on January 27 [7 favorites]


It's like seizing all the mail stored in a warehouse office where there's a meth lab and then when you see there are letters there from a serial killer getting a warrant to use them to pin him to the murders.

The DEA should get informants to set up meth labs in every Post Office.
posted by ryoshu at 12:43 PM on January 27 [2 favorites]


But what if the only reason the warrant was ever requested, or that authorities ever even became aware of the crime was on the basis of information gathered by the NSA without a warrant? This just seems like a convoluted little bureaucratic shell game to get around years of legal precedent meant to protect people from being randomly targeted for scrutiny in the absence of legally obtained evidence or probable cause. I guess the US gov't has taken a tip or two on skirting the intent of its own laws from the private sector, too.
posted by saulgoodman at 12:47 PM on January 27 [5 favorites]


The DEA should get informants to set up meth labs in every Post Office.

Note: I can't believe I'm defending these guys, oy.

Anyway, the data was extant on a drive that the FBI had a legitimate reason to be combing through. They had to look at what was on the drives to find all evidence linking to the initial crime. It does not seem like an unreasonable stretch in this case for them to have seized the drive and its full contents in investigating an electronic crime. Had it been a meat world crime and they took the whole drive, maybe, but it wasn't in this case.

But what if the only reason the warrant was ever requested, or that authorities ever even became aware of the crime was on the basis of information gathered by the NSA without a warrant?

That might be different. What appears to have happened here is that they were separately investigating a crime that involved the same data set that they already had in their possession because it was seized in the prior raid, so they asked for and obtained a warrant to search that data.
posted by The 10th Regiment of Foot at 12:50 PM on January 27 [1 favorite]


What am I supposed to do if this stuff upsets me? Call my congressman? Please.

I mean, shit, that syntax probably gets flagged as potentially seditious.
posted by stinkfoot at 12:52 PM on January 27 [3 favorites]


I'd imagine they exceeded the original warrant, or the warrant was over broad, because user accounts keep different users' data separate. It's technical of course.
posted by jeffburdges at 1:05 PM on January 27


"I'm still unclear as to why they're copying all of my phone calls, email, messages, and web usage to permanent databases without warrants or anything even resembling due process."
posted by mikelieman

I'm even more unclear as to why this is happening to me when I am English. I thought we had a special relationship?
posted by marienbad at 1:14 PM on January 27


How do you tell one user's account from the next when they use pseudonyms?
posted by The 10th Regiment of Foot at 1:15 PM on January 27


I doubt that Freedom Hosting was "free as in beer", presumably this guy didn't pay in bitcoins or even pre-paid credit cards.
posted by jeffburdges at 1:17 PM on January 27


The 10th Regiment of Foot: "How do you tell one user's account from the next when they use pseudonyms?"

The pdf goes into this a bit. The person under investigation for credit card fraud listed his email address (with a Tor Mail domain) on at least one document the FBI had obtained.

The investigators presumably thought, "Hey, we have the entire Tor Mail email database on file. Let's see if we can determine if that email account contains a record of illegal activity."
posted by zarq at 1:36 PM on January 27 [1 favorite]


they're copying all of my phone calls, email, messages, and web usage to permanent databases without warrants

I'm still unclear why, given the remarkably detailed revelations about exactly what the NSA is and isn't doing that Snowden has provided, the myth that they're simply recording everything persists. If you believe they're "copying all your phone calls, email, messages and web usage" you also have to believe that Snowden is either a patsy or a stooge. Or, I guess, you mean that you, personally, have been singled out for these attentions for some reason.
posted by yoink at 1:36 PM on January 27


"I'm still unclear as to why they're copying all of my phone calls, email, messages, and web usage to permanent databases without warrants or anything even resembling due process."
posted by mikelieman
I'm even more unclear as to why this is happening to me when I am English. I thought we had a special relationship?

It's a special relationship between intelligence agencies, not general citizens. A loophole to spy on you is one of the perks.
posted by cosmic.osmo at 2:01 PM on January 27


I'm more and more convinced that David Brin has judged correctly on this stuff. Ubiquitous surveillance is inevitable, what we can and should try to influence is how transparent it is.
posted by Wretch729 at 2:14 PM on January 27 [1 favorite]


If you believe they're "copying all your phone calls, email, messages and web usage"

They have the ability to, almost trivially. It is exceedingly likely they are copying email, messages, and web usage temporarily, even if they actually do discard much of the content. HTTP headers, web usage, was one of the things specifically indicated.
posted by save alive nothing that breatheth at 2:39 PM on January 27


What am I supposed to do if this stuff upsets me? Call my congressman? Please.
I mean, shit, that syntax probably gets flagged as potentially seditious.


Sure seems like you are making the right call.

3rd Grade Government Homework: 'Good Citizens Do Not Argue'
posted by rough ashlar at 2:40 PM on January 27 [1 favorite]


I'm still unclear why, ... the myth that they're simply recording everything persists.

How does anyone "know" what the NSA is doing?

What is "evidence" and "truth" in this whole NSA-is-doing-X brouhaha?

Self admissions are usually the gold standard - what has the NSA admitted to and is the assumption if they have not admitted to something or denied doing something then by gum they aren't doing it?
posted by rough ashlar at 2:47 PM on January 27


Note: I can't believe I'm defending these guys, oy.

Anyway, the data was extant on a drive that the FBI had a legitimate reason to be combing through. They had to look at what was on the drives to find all evidence linking to the initial crime. It does not seem like an unreasonable stretch in this case for them to have seized the drive and its full contents in investigating an electronic crime. Had it been a meat world crime and they took the whole drive, maybe, but it wasn't in this case.


The problem is when the FBI collects the data and stores it in perpetuity for future investigation. Warrants should be limited in scope and time. This type of thing allows the FBI to keep data forever and hope it turns up something useful in the future.
posted by ryoshu at 4:19 PM on January 27


Software such as PGP (Pretty Good Privacy) takes 15 minutes to master ...

I'll stop right there, because anyone who makes that statement is likely to say damn-near-anything without any basis in fact.

The PGP interface is a damned inscrutable mess, meticulously complicated and guaranteed to drive away anyone who isn't swimming in the time it takes to comprehend what it does, learn how to use it, and make sure it's working correctly.

It's also an accusatory finger pointing right at the computer industry, which could easily have devised a fail-proof interface for it decades ago, and could never be bothered. Because, ya know, who cares about the "lusers".

Try out the CryptoCat plug-in. THAT's an example of something effective you can learn to use in 15 minutes. And it doesn't make stupid statements about how perfect it is ... quite the opposite. When it comes to security, COMPLEX is DANGEROUS.
posted by Twang at 4:30 PM on January 27 [9 favorites]


When you put a splitter on the optical backbone of the network, by definition, you are copying everything. See Mike Klein's deposition for the gory details.
posted by mikelieman at 5:01 PM on January 27


the myth that they're simply recording everything persists

You don't know whether they're recording everything you're doing right now. You might think it's unlikely, but what are the chances that you're two hops away from a person of interest? You would never, ever know. So even if they're not recording everything, they still may be recording anything.

And remember, we didn't know about the current scale of surveillance until recently. The obstacle to recording everything is merely technical; they actually do record everything they can. Why would you imagine that in a few years they won't record everything?
posted by Joe in Australia at 5:31 PM on January 27 [1 favorite]


I'm even more unclear as to why this is happening to me when I am English. I thought we had a special relationship?

Oh, that sounds like a cultural misunderstanding.
Americans might be under the impression that "special relationship" is how British people say "being rogered" when they're in polite company. Were the Americans wrong?
posted by anonymisc at 6:54 PM on January 27




Oh, this is rich: DOJ accuses firm that vetted Snowden of faking 665,000 background checks
As Edward Snowden prepares to defend himself in a worldwide webinar Thursday, the Justice Department is accusing the private contractor that vetted him and thousands of other intelligence workers of bilking U.S. taxpayers out of tens of millions of dollars by conducting phony background checks.

So basically, the US government outsourced its secret IT work to contractors, and outsourced its monitoring of those contractors to other contractors. If they had only thought to outsource the DOJ they'd have gotten away with everything.
posted by Joe in Australia at 7:40 PM on January 27 [1 favorite]


>> Software such as PGP (Pretty Good Privacy) takes 15 minutes to master ...

> I'll stop right there, because anyone who makes that statement is likely to say damn-near-anything without any basis in fact.
>
> The PGP interface is a damned inscrutable mess


Just getting your hands on "PGP" is an inscrutable mess. Network Associates permanently fucked the name as a useful way to find personal encryption tools. You want something OpenPGP compatible like GnuPG.

While Symantec (who bought PGP from McAfee) offers source code to "PGP Desktop", they don't seem to offer binaries, but instead a bewildering array of products and ways to buy them. Maybe "Symantec File Share Encryption (powered by PGP Technology)" is what you want?

GnuPG w/ GUI for Mac OS at gpgtools.org, but would I recommend my mom use it? Nope.

Never forget how they got Scarfo (key logger for his passphrase). Attacking the endpoints is not a new technique.
posted by morganw at 7:57 PM on January 27 [1 favorite]


This does seem like a fourth amendment issue that the EFF/ACLU could possibly raise — it feels analogous to searching a seized warehouse where they're keeping the warehouse forever and rifling through it whenever someone suggests that there might be illicit content in one of the crates. In a normal physical search, law enforcement does a search and then seizes the evidence but they don't get to revisit it over and over for things they might have missed.

It's also interesting that they secured the server through MLAT, which is a pretty high bar and arduous process (but that's a discussion for another place).
posted by Han Tzu at 11:28 AM on January 28


Oh, this is rich: DOJ accuses firm that vetted Snowden of faking 665,000 background checks

Never mind that 665,000 people needed to be vetted for clearances...
posted by Hal Mumkin at 5:55 PM on January 28 [3 favorites]


CryptoCat is just OtR implemented in JavaScript, right? How does it configure the XMPP connection? Does it detect Facebook, Google, etc. XMPP software?

Just configure Jitsi for your Facebook, Google, etc. accounts once, generate yourself some OtR keys, and OtR chat without leaving your browser logged in.
posted by jeffburdges at 9:30 AM on January 29


On the Windows side, use GPG for Windows with the Thunderbird mail client and Enigmail.

There really needs to be a Tor Browser Bundle for mail, bundling GPG4Win with an Enigmail-enabled Thunderbird that can't load remote content.
posted by anemone of the state at 11:53 AM on January 29






This thread has been archived and is closed to new comments


