The Federal Bureau of Investigation’s refusal to discuss even the broad strokes of some of its secret investigative methods, such as implanting malware and tracking cellphones with Stingrays, is backfiring – if the goal is to actually enforce the law.
In the most recent example, the FBI may be forced to drop its case against a Washington State school administrator charged with possessing child porn because it doesn’t want to tell the court or the defense how it got its evidence – even in the judge’s chambers.
The FBI reportedly used a bug in an older version of the free anonymity software Tor to insert malware on the computers of people who accessed a child-porn website it had seized. The malware gave agents the ability to see visitors’ real internet addresses and track them down.
Defense lawyers for Jay Michaud of Vancouver, Wash., argued they had the right to review the malware in order to pursue their argument that the government compromised the security of Michaud’s computer, leading to the illicit material ending up there unintentionally.
U.S. District Court Judge Robert Bryan in Tacoma agreed.
“The consequences are straightforward: the prosecution must now choose between complying with the court’s discovery order and dismissing the case,” Michaud’s defense attorneys wrote in a brief filed last week.
The FBI’s lawyers took what they described as the “unusual step” in late March of asking the judge to reconsider his order, repeating earlier arguments that revealing the full details of the technique would be “harmful to the public interest.” The information might damage future investigations by allowing potential targets to learn about the FBI’s tactics, its attorneys argued, and might “discourage cooperation from third parties and other governmental agencies who rely on these techniques in critical situations.” The bureau sometimes pays third parties for exploitable security flaws, which lose their market value when they are made public and get fixed.
FBI officials declined to comment to The Intercept about their legal strategy.
In their frequent public arguments against unbreakable encryption, FBI officials have been arguing that public safety takes precedence over personal privacy.
But if this case gets dropped, the “defendant walks because the government has decided that its secrecy trumps someone else’s becoming a victim of Crime Everyone Hates,” Scott Greenfield, a criminal defense lawyer, wrote in his blog Simple Justice.
“The FBI would rather let a criminal go free than actually follow a court order designed to ensure a fair defense” even though revealing the bug “would almost certainly not help the defense,” tweeted Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California.
And this isn’t the first time the FBI has expressed “its preference for secrecy over public safety,” tweeted Amie Stepanovich, U.S. policy manager for digital rights group Access Now.
Indeed, the FBI’s insistence on keeping certain surveillance tools secret – particularly the Stingray, or IMSI catcher, which imitates a cellphone tower to secretly grab up data about nearby phones – is letting criminals go free.
In Baltimore, 2,000 convictions may be overturned because of evidence that the police and the FBI purposefully withheld and then lied about the capabilities of the technology.
And last week, a city judge in Baltimore reluctantly tossed out key murder evidence gathered with the use of a cell site simulator because the police, who had been concealing use of the device as part of a nondisclosure agreement with the FBI, used it without getting a search warrant. She called it an “unconstitutional search.”
Journalists have also reported on cases in New York and Florida where the FBI instructed prosecutors to offer a deal or drop the case entirely to hide details about the technology. In Milwaukee, the FBI simply tried to hide its use entirely from the record.
At least 20 local agencies have signed nondisclosure agreements when they purchased Stingrays, according to privacy advocate Mike Katz-Lacabe, who keeps track. The American Civil Liberties Union and other groups have chronicled federal and local law enforcement use of Stingrays in at least 23 states.
“We still don’t know all of the law enforcement agencies that actually have StingRay/HailStorm/DRTbox devices,” Katz-Lacabe wrote in an email to The Intercept. “With a few exceptions, we don’t know how they are used by each agency or how frequently. We don’t know their full range of impact on nearby phones as we don’t know the technical capabilities of the amplifiers and antennas that are used with the devices. We don’t know which agencies are using equipment that can actually intercept calls instead of just track them. I think that more cases will be thrown out as defense attorneys, judges, and the public learn about the technology that law enforcement has tried to keep secret,” he wrote.
Nathan Wessler, an attorney with the ACLU’s Speech, Privacy, and Technology Project, says the FBI’s openness about Stingrays seems to have gotten a little better since the DOJ updated its Stingray policy in September 2015 to increase privacy protections and legal requirements. “It looks like the DOJ policy has had an effect at least on what the FBI is telling judges when it seeks judicial authorization. The FBI should have exercised at least this level of candor with judges starting years ago, but at least there’s evidence that they’re doing so now,” he wrote in an email to The Intercept.
And yet, he wrote: “The biggest continuing problem involving FBI secrecy about Stingrays is at the state and local level, where the FBI’s nondisclosure agreement has kept judges, defense attorneys, and the public in the dark.”
When it comes to hacking tools, the FBI’s secrecy is “still intense,” Wessler concluded.