Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers
from the but-we-maintain-strict-control-of-the-cables! dept
The FBI’s Inspector General has released a report on the New Jersey FBI branch’s Computer Forensics Laboratory. For the most part, the report is positive and shows this branch tends to handle its forensics work competently. The problem comes when it opens up its tools up to local law enforcement.
The FBI lab has a phone/media forensics kiosk located in the lobby of its building.
The Cell Phone Investigative Kiosk (Kiosk) allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put the data into a report, and copy the report to an electronic storage device such as a compact disk.8 In addition to the Kiosk, there is also a Loose Media Kiosk, which processes digital evidence stored on loose media, such as a DVD or memory card.
Because it’s outside of the actual lab, the FBI apparently feels it’s ok if it doesn’t track who’s using the kiosk.
To use the Kiosk, law enforcement personnel are required to schedule an appointment. However, the NJRCFL does not require Kiosk users to sign its Visitors Log since users do not go beyond the reception area or enter the NJRCFL’s laboratory space.
That leads to this sort of thing.
According to the Director, sometimes one investigator will schedule a Kiosk appointment and another investigator will show up in his or her place, or more than one investigator may accompany the scheduled investigator to use the Kiosk. According to the Director, NJRCFL personnel assume that all of the personnel who arrive for a scheduled appointment are part of the same case. However, he said that the NJRCFL does not verify that everyone arriving for a scheduled appointment is working on the same investigative matter.
This is a problem because there are rules in place for use of the forensics kiosk, which include law enforcement officers having the proper authority to perform the search, the training to do so and the permission of the local AUSA (Assistant US Attorney). The FBI’s decision to skip this verification step by not requiring signatures on the visitor’s log means anyone could show up and use the kiosk without having secured the permission to do so.
The FBI does have this control in place, which couldn’t possibly be circumvented.
While the Kiosk is housed in the reception area, the cables necessary to connect the Kiosk to a cell phone are not stored with the Kiosk. Instead, the NJRCFL examiner responsible for supervising the Kiosk provides the cables to a visiting user. Without the cables, cell phones cannot be connected to the Kiosk, ensuring that the examiner on duty would have to know that a person was attempting to use the Kiosk because the examiner would have to supply the appropriate cable.
These “cables” sound a lot like your standard USB cables. There may be a proprietary connection on the FBI kiosk which prevents the use of off-the-shelf cables, but it’s not as though no one in law enforcement could secure this sort of cable through other means. Even if these are cables that are only found at FBI offices, there’s nothing stopping law enforcement officers from searching removable media without checking in with the reception desk first.
On top of that, there’s nothing preventing law enforcement officers from asking for a cable and then performing illegal searches or using the forensics software for non-law enforcement reasons.
As a result of the procedures and practices described above, we found that the NJRCFL did not have adequate controls over the access to and use of its Kiosk. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, neither the FBI nor the NJRCFL provided any confirmation to show that NJRCFL Kiosk users possessed the proper legal authority to search for evidence on the devices examined. In addition, the FBI did not provide us with any information regarding controls in place at the NJRCFL to ensure that users do not use the Kiosk for nonlaw enforcement matters, an inherent risk of Kiosks without adequate controls.
While the form officers are required to fill out to use the kiosk contain statements about having the legal authority to perform the search, the documents do not ask for any specifics about these authorities. It’s just boilerplate text that anyone can sign, knowing that the lack of a visitor’s log means no one can cross-reference possibly bogus affirmations with kiosk use.
This same problem is likely found at most other FBI offices with forensics kiosks. The report notes the same issues were discovered during its audit of the Philadelphia field office. The form — and the “best practices” — provide only the most minimal of safeguards against abuse. And the fact that the changes made in Philadelphia in response to the OIG’s investigation never trickled down to the New Jersey office suggests this problem will be corrected on a case-by-case basis following an Inspector General’s audit, rather than adopted across all offices.
A new form has been put into use — at least at the New Jersey office — that will capture more information about the legal authorities used to perform kiosk searches. However, there’s nothing in the report that indicates this office — or any others — have stepped up to require kiosk users to sign a visitor’s log. In addition, more than a quarter of kiosk users reported they did not have the training in place to use the equipment, yet are accessing it anyway. Until more improvements are put in place, FBI offices can’t say they’re doing everything they can to ensure lawful use of its forensic equipment.
Filed Under: abuse, fbi, forensic kiosks, forensic lab, law enforcement, new jersey
Comments on “Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers”
It is hard to prevent abuse when you are the one’s promoting that abuse.
Without the cables, cell phones cannot be connected to the Kiosk
Really. Their security method is proprietary cables. Because Apple succeeded in preventing anyone from buying some knock off, right?
Re: Re:
It is only an assumption, an IF, on TechDirt’s part.
It is unknown whether proprietary cables are needed.
Given that the FBI would want to promote abuse of these kiosks, why should they require anything other than standard off the shelf cables. And yes, it is correct to assume that they deliberately intend to promote abuse. Otherwise why go to all the trouble to put these into kiosks that anyone can access with no controls other than a mere token that allows them to claim that usage is controlled by an appointment, a form and required cables.
If the cables requirement is so easy to work around, how difficult is it to work around the appointment requirement and the signature requirement.
Re: Re: Re:
I mean in general the FBI openly promote law enforcement breaking laws to catch criminals. Instead of trying to prevent such law breaking from occuring
Farmer says fox isn’t doing enough to protect the hen house.
Re: Re:
The hen house is well protected. But outside the protection area are hen kiosks which may be visited by foxes who have an appointment to use the kiosk.
We are going to put hack-a-phone® Kiosks in malls around the country. With a direct link back to us of course.
Re: Re:
why would you do that when all you government idiots can just screw everyone over by hacking into phone from yours
Re: Re:
Maybe FBI should offer an inducement for everyone entering the mall to plug their phone into a kiosk each time they visit the mall.
NEW!! FIB Hack-A-Fone Kiosk!
Chance to win up to $1000 each time you visit the mall!
That would save law enforcement from having to round up every US citizen to ‘inspect’ their phones. And after all, this is about pirac… er, I meant to say, about terrorism.
And just like any offer to win up to $1000, you only have to pay it once. And the meaning of ‘up to’ is not well defined. And you can pay it to any of your cronies or hired goons.
UPCOMING: House E&C Oversight hearing April 19
Yesterday, the United States House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, announced an upcoming hearing, scheduled to take place on Tuesday, April 19, 2016 at 10:00am EDT. The hearing is entitled—
“Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives”
Invited witnesses TBA. Hearing will be webcast.
Re: UPCOMING: House E&C Oversight hearing April 19
The Energy and Commerce, Oversight and Investigations Subcommittee has—
The subcommittee’s listed membership includes twenty-four representatives from eighteen states (if I counted right). Although the witnesses for this upcoming hearing have not yet been announced, all the same, some constituents might think to bring any concerns arising from this FBI OIG audit to the attention of their representative.
So basically the FBI is blatantly putting all their external digital forensic cases in jeopardy because they can’t be bothered to correctly handle evidence. Our wonderful tax dollars at work.
Re: Re:
Our wonderful tax dollars at work.
Of course! That’s what’s so wonderful about tax dollars!
Re: Re: Re:
That aside from the bit you stuff your pockets with it’s not your money you waste?
FBI: Heads They're Transparent, Tails They're Not
Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers
This is the same FBI that forces local police departments to sign non-disclosure agreements regarding the use of electronic surveillance gear?
The paragraph below was excerpted from The Intercept:
Stingrays
A Secret Catalogue of Government Gear for Spying on Your Cellphone
Jeremy Scahill, Margot Williams
Dec. 17 2015, 12:23 p.m.
When state or local police purchase the cell-site simulators, they are routinely required to sign non-disclosure agreements with the FBI that they may not reveal the “existence of and the capabilities provided by” the surveillance devices, or share “any information” about the equipment with the public.
https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/
So on one hand FBI would like to be more forthcoming and transparent in it’s use of electronic surveillance gear and on the other they require local police departments to sign non-disclosure statements regarding their use even going so far as dropping all charges so the methods utilized in collecting the data can remain secret.
The paragraphs below was excerpted from Techdirt:
New Documents Show FBI Instructing Law Enforcement To Throw Out Cases Rather Than Give Up Info On Stingray Use
by Tim Cushing
Wed, Apr 8th 2015 12:20pm
In short: parallel construction. The Sheriff’s Office can hand over the results of Stingray collections, but not divulge how it arrived at these results. If it’s going to deploy a Stingray, it either needs to do it without a warrant, or mislead the judge on its search techniques when applying for one.
When not lying to judges, the Sheriff’s Office will need to lie to defendants and their counsel. Most incredibly, the FBI instructs the law enforcement agency to directly disobey court orders, if it would mean turning over Stingray information.
If any of this seems unavoidable, our nation’s top law enforcement agency encourages its colleagues to toss out criminal prosecutions rather than risk exposing Harris Technology’s equipment.
https://www.techdirt.com/articles/20150408/10242230590/new-documents-show-fbi-instructing-law-enforcement-to-throw-out-cases-rather-than-give-up-info-stingray-use.shtml
So which is it FBI guys/gals? Are you going to be more transparent or will you continue force local police departments into signing non-disclosure statements and drop charges when it becomes too inconvenient.
The FBI’s electronic surveillance gear scheme sounds mighty arbitrary and as any student of the law should know:
Arbitrary application of the law is tyranny.
New Jersey TRANSIT
A bit off topic but you might note that New Jersey transit has installed microphones on all its trains to record rider conversations in a bid to reduce ‘terrorism’. Uhh, where?
So, recording your cell phone conversation in a train by the police is ok??? Makes all this sting-ray stuff seem tame by comparison.
http://www.nj.com/traffic/index.ssf/2016/04/nj_transit_is_recording_the_conversations_of_thousands_of_its_riders.html
this whole story is a joke and is meant to mislead you. if people were aware of what top law enforcement in california can do on the fly to their cell phones without ever physically touching their phone. it would start a revelution. And probably should.
This whole story is a joke and is meant to mislead you. if people were aware of what top law enforcement in california can do on the fly to their cell phones without ever physically touching their phone. it would start a revelution. And probably should.
Anybody who knows knows what i mean. Law enforcement in california can get in into your cell phone at at any time anywhere. as a matter of fact they can get all he data from any device that has wifi and do whatever they want to. they can erase evidence from your phone. they can erase phone calls or text from your phone and from your service provider. They can block phone calls or text to or from anybody. they can even erase any of your recipients of your text or calls and their service providers too. they can copy all your phone information with the click of a button. do you wonder why other software companies seem to have ESP that is because they have teamed with a high ranking law enforcement person who is simply stealing information directly from other companies computers and making a fortune in the process. it is and has been happening for years. and people still wonder how. It is crooked thieving law enforcement that are the criminals. and they are making a killing. article about kiosk is soooo lame…..