I only want to know one thing: how does the government intend to prove beyond any reasonable doubt that the Geek Squad employees themselves didn't put the alleged porn pictures on the device? Does Geek Squad have a chain of custody and other such procedures? Was the device tracked every single moment and NEVER, not even for a second, allowed alone with anyone outside the government (this actually seems impossible unless agents were present when the device was taken in)? Seems to me like that would be a good way for Geek Squad scumbags to make some extra cash from the government while the government looks the other way and tries to convict innocent people. Also seems to me like this case should have been dismissed already based on these concerns.
"how does the government intend to prove beyond any reasonable doubt that the Geek Squad employees themselves didn't put the alleged porn pictures on the device?"
Well, that's the rub, isn't it? We're talking about non-law enforcement personnel who are going to be rewarded if they find something. And at that salary level, where people are frequently living month to month, it is indeed conceivable that somebody would place evidence just for the money.
Quite a few military personnel pick up few hard skills. Unless you're in a trade/rate with with high knowledge requirements it seemed like they preferred it to keep some people in.
That being said the current business 'prayer' of soft skills, has been an utterly massive boon to military personnel of any rate.
Well maybe you could have an expert identify when that file was placed onto your computer. If it coincides with when the Geek Squad member worked on your computer, then that guy will (hopefully) go to jail for a long time.
Disk blocks aren't timestamped, and the FBI is even looking at disk free space, so there may not even be a directory entry that can show when the image was placed there.
Besides, a "smart" Geeksquad employee could just backdate the comptuer's clock or manipulate the file creation time directly to make it look like the image was placed there when the owner had the computer in his posession.
Timestomping, the name for what you are describing, is easy to do and easy to detect.
There are lots of advanced techniques to manipulate various aspects of Time related artifacts, but there are also lots of advanced techniques for determining whether a system has been tampered with. A skilled person might be able to erase evidence of exactly what they did, but often this creates artifacts or even an absence of artifacts that can be used to determine that someone tampered with the system in an attempt to cover his tracks.
I specialize in forensics in the context of incident response, so I don't typically run into anti-forensic techniques as sophisticated as law enforcement analysts may encounter. Perhaps there are ways to completely avoid detection. However, I imagine it would be difficult.
If we assume they can't break full-disk encryption (which is not unlikely), are you certain?
A proper encryption protocol consists of not only the encryption itself, but also authentication, verification and integrity checks. These are for protection against things like replay-attacks and indeed, tampering.
IIRC, booting a laptop with an encrypted FS, normally you'd enter your password, it'd apply a key-generating function (to turn the password into a proper 256bit AES key, or whatever's required), discard the password from memory and then use the key for operating a symmetric cipher (like AES) on the FS's read/write operations.
However, that doesn't quite work, it's not enough to do just that. An encrypted FS also needs authentication and verification, otherwise you open up yourself against all sorts of sneaky attacks stripping your encryption. So AFAIK, the system also keeps checksums and signatures with HMACs or something.
Admittedly, I don't know the exact details. One thing I'm not sure about is if there's the option of having some public/private key available for a bit of assymmetric encryption. Performance-wise you can't afford running that over the whole data stream (but who does that) because it's so much slower than symmetric encryption (which is why we have handshake protocols). But maybe do it once per block (or N blocks), adding cryptographic signatures to whatever's written. Blocks would be timestamped and these timestamps would be included in the signature too[0].
I could imagine, booting, without the password, would give you read-only access. Without password, the FS can only access the public key. The read operation uses this key to check the signatures on whatever blocks it's called to read. The write operation cannot be used to write any valid blocks, because it can't sign them without the private key (you can still trash blocks by overwriting them with invalid data, but you could do that anyways). Booting with a password allows the FS to decrypt the private key, allowing both read and write access.
Basically you'd have an encrypted FS, with the encryption left off but the verification left on.
For a Geeksquad-style attack you even get another layer of protection because without the password, the whole system is read-only. The "evil website put CP in my browser cache" attack is still possible because you'd be logged in, however in that case, at least you got verifiable timestamps on the written blocks, as well as your browser history, that can be analysed to show there was no intent to get, save or view this data.
I think this could be made to work in concept, in theory. Question is if you'd really want to use it though, authenticated verifiable timestamps on all your data, can also be a liability. Because people who "got nothing to hide" are just unaware that even they in fact, do. It means that for whatever you do on your computer, whoever can access the harddisk, can verify that whatever is on it was done by you, and only by you, as well as an undeniable proof of when it was done. That means zero privacy. Forward secrecy won't help here, because the whole point (verifiable authenticated timestamps) is about not having it. It may be nice for certain company laptops, however if it was my own machine, I'd prefer full-disk encryption, get the same protection and the privacy.
[0] while at it, why not also tag it with other metadata, such as origin (local or remote / where) and the process or application that issued the write command
Where is the key stored? Itll have to be in memory so that means it can be extracted from there if the pc is on. If the pc is off then things change. But this discussion assumes the attacker can place files on the system which means they can tamper with possibly timestamps blocks. If the system is encrypted and off then they can't add files and obviously not tamper with blocks either.
Suppose an incompetent employee plants evidence on a computer. The accused will have to mount a defense and pay an expert to examine the evidence and testify. Maybe a jury will believe it.
If it's done in a competent way, the disk can be altered. Code can be installed on the hardware that will plant evidence after the victim returns home.
Unallocated space doesn't have filesystem entries, hence, no file change, access, or modification times.
Worse: many filesystems don't note creation time but change time. I'd have to check what the status is for NTFS (the most likely consumer FS), but that's the case for virtually all Unix-and-similar filesystems: ext3/4, HFS, etc.
The BSDs, Windows, OS X, and Mac OS classic and their corresponding filesystems all supported this for decades. Linux is the only major holdout, because according to Linus, "it's all totally useless and people can't even agree on a name." [1]
Thanks for that. I know that the inode structure doesn't, or at least didn't return this, for a long time (occupational hazard: outliving your education's "best used by" date). Which was why I'd already edited the initial "most" to "many" describing filesystems above (prior to posting).
I'll still maintain it's not universally available on filesystems. And is unreliable (many allow changing this value, see, e.g., touch(1)). And that unallocated space lacks filesystem metadata.
There are too many incentives to plant evidence: compensation, revenge, attention, power, diversion from their own crimes, etc.
The KGB encouraged Soviets to spy and report on one another for kickbacks. People would disappear to gulags over neighborly disputes and other petty things.
If you're going to reward people for hunting witches, expect a witch hunt.
Given that the poster responded to my comment about the KGB, this is really a stretch.
His point was that we'd fly people who were at the wrong place at the wrong time to black sites on the basis of tips and hearsay from insurgents, Afghani and Iraqi people.
If you know know you can throw innocent people, your enemy or a scapegoat under the bus for kicks and profit with no repercussions, it's going to happen. It isn't a uniquely American or Soviet thing.
I find rendition mentioned nowhere here. Your original point is very good, his conflation of the KGB's persecution of Soviet citizens with Guantanomo and with your point makes a couple of huge stretches, in the process polluting your original argument past the point of recognition much less sober consent. Objections to Guantanomo can't begin with the idea that it is a way of persecuting citizens of the country running it; since that's the precise opposite of the original legal basis for using a prison not in the United States - namely to keep non-US citizens from gaining any of the rights of US citizens. Contrary-to-fact is a poor start; I like your argument, it didn't benefit from his help, IMHO.
There are a lot of American citizens in Guantanamo? Yes
Really? You can bet on it. Around 33 soldiers or civilians for each captive human toy.
Since when?
Since bush created this shame and you are naively paying huge amounts of public money for it. After Miamigerald, only in 2015, the White House burned $445 million of the american citizens in this hole. Big sweet bussiness.
Ironically Guantanamo is helping a lot of people to be much more successful as terrorists than when they were free. Each one of the prisoners is creating damages to USA economy for $7.29 million/year. Since 2011 and without throwing a single bomb.
I think you're deliberately misinterpreting both my statement, which was obviously about jailed Americans.
If you simply wanted to state an opinion unrelated to my comment, as you go on to do - however worthy - you need to start your own reply thread to do that. Cost is a new subject, why crowbar it in here? To do so, you have to create the appearance of a disagreement with me, despite our disagreeing in no way at all. Why do that?
michalskop made the conflation, implying that just as the KGB jailed its own citizens, so the Americans were acting today. You are strenuously agreeing with me, in rejecting that conflation.
That is a huge problem with our justice system - the arrest and prosecution almost renders the actual outcome moot because of the damage that the mere accusation carries with it. This man was a doctor, and he will live under a cloud of suspicion for the rest of his life - undoubtedly affecting his professional and personal life. I would guess that very close to 100% of patients Google their doctor's name, and guess what will come up even a decade from now? These articles. If he has kids, all their friends and their parents will know, which will affect their social lives. And most people won't actually read the articles - they'll read headlines and walk away with the impression that he was accused and got off on a technicality (assuming the case is dismissed).
For all of this, he won't even receive an apology, much less any compensation from the government. True "justice" in this case would be for him to be able to sue the FBI agent that mischaracterized the image as porn to get the arrest warrant (she later testified that it was not, which should kill the case right there), Best Buy for conducting illegal surveillance, and the government for wrongful prosecution. However, all of those cases are long shots. The most likely outcome is yet another example of the extreme injustices perpetrated by law enforcement agencies against innocent US citizens on a daily basis. The worst part is that the catalyst of most of these injustices is money - individual law enforcement agents wanting to advance their government careers or pad their resumes to get better paying jobs in the private sector. The whole thing is disgusting.
The justice system is screwed up, no doubt, but is this really a problem with the justice system?
We as people just need to stop judging people based on assertion and innuendo. If someone is merely accused of something, and there's no evidence to back the charges, we need to judge (or refrain from judging) appropriately.
Similarly, if someone is not accused or convicted of a crime, despite having obviously committed (such as the police officers who murdered Kelley Thomas), we need to feel free to come to our own conclusions.
> The justice system is screwed up, no doubt, but is this really a problem with the justice system?
> We as people just need to stop judging people based on assertion and innuendo.
Yes, but.
Public arrest is a crucial freedom (secret arrests are a tool of totalitarian governments everywhere, including the British colonial government and, yes, Guantanamo too).
On the other hand the "perp walk" and other pretrial publicity/propaganda by governments seriously affect the accused's ability to get a fair trial, and should be stopped.
To be sure, it would be wonderful if society actually believed in "innocent until proven guilty," but we don't. One could argue that Google fans the flames of the problem by, for example, refusing to deindex news articles about arrests despite subsequent acquittals, or linking to blatantly libelous statements against millions of people at the top of its search results from sites with extortionate business models like RipOffReport.com.
But since society won't change, the justice system needs to. Prosecutors could refuse to file charges in flimsy cases that are highly unlikely to result in convictions, such as the one at issue here. They could also choose not to lie or embellish facts to obtain search or arrest warrants that propel unjust cases forward. Unfortunately, both of these activities seem to be accelerating, not slowing down. We are seeing more and more "novel" prosecutions - those where criminal intent is questionable at best. Prosecutors do these things to pad their stats so that they can get a higher salary when they switch to private practice, but at a tremendous cost to both the defendants and the taxpayers.
Prosecutors could choose to do those things, but our reliance on their good graces is foolish and naive. There is no meaningful feedback for these people when they do wrong. On the contrary, they are often rewarded as you say with higher political office or in private practice. There is no meaningful oversight. This is true for every element of the judiciary, prosecutors, police, and judges alike.
Yes, it is. Human nature isn't to blame here. It's a justice system that allows for those in power (position, authority, wealth, etc.) to accuse those with less means of defending themselves without repercussions.
Yeah, I absolutely agree that the immunity that various actors in the justice system enjoy, both legally and extra-legally, is absurd and a huge problem.
I'm also saying: we need to take accusations from these people with a grain of salt. They're wrong a huge part of the time.
I'm leaning strongly to the view that modern "free-market capitalism" is really a variant on mercantilism, in which liquidity has replaced gold and silver.
It's all about incentive and opportunity. The Geek Squad employee has a good incentive to do so as it means a $500 payday. Considering these guys' likely pay, that's a decent chunk of change. They also have plenty of opportunity to do so, they handle computers all day long.
The police on the other hand have less of an incentive to do so, unless they were specifically trying to hurt someone. They also have far less opportunity, as they would've already needed a reason to have said computer in their possession.
Consider access, similar behavior, similar prosecution and motivation.
Motivation:
Police structure and culture are set up so that catching more criminals gives kudos but not financial incentive. Other behaviors are valued higher, such as keeping calm in a situation, endurance, ability to negotiate intense situations. Crimes themselves are only a part of police work, much is peace-keeping, presence, simple observation and record-keeping. Television of course, focus on the most dramatic elements, but upon catching a pedophile, incentive isn't necessarily the highest perspective of importance. You still have to touch the creep, take their statements, deal with it emotionally, transport them all over the place in your vehicle.
Similar behavior:
With the extremely rare exception of a few bad apples, very few police plant evidence at crimes. It has happened, just like hot air balloons sometimes fall out of the sky, but it's not a system which incentivizes and rewards the behavior.
Access:
Police aren't at the keyboards of peoples' PCs, whereas Geek Squad people are given complete access to computers often in peoples' houses and in private. Moreover, they're typically working with an especially vulnerable population, those with little technical literacy. Fabricating that evidence remotely is a chore and supposing users employ half-decent passwords and ignore phishing, non-trivial. It requires special training and even equipment.
Similar Prosecution:
Piracy and other forbidden data is more efficiently done by cutting things of at the source, typically by sophisticated actors who won't be in contact with The Geek Squad. It only rarely pays to go after individuals like this, or maybe there's more to the story than we understand from what the media tells us.
Police malfeasance is not extremely rare in the United States. What's rare is one getting caught, and even more rare suffering a meaningful consequence, and rarer still prosecution for crimes committed by police.
>a few bad apples,
You do know that you're misusing the quip, right? A bad apple spoils the bunch.
>very few police plant evidence at crimes.
On what basis do you make that statement? They plant evidence, they invent it from thin air (I smelled marijuana, alcohol, etc.) They misuse drug dogs. Some of them are very much "ends justify the means" types who will take shortcuts to convict people they "know" to be dirtbags.
>it's not a system which incentivizes and rewards the behavior.
You should study what motivates police officers. Fact is, such malfeasance is rewarded, a lot of other terrible behaviors are rewarded officially and unofficially. But the thing that's rewarded the least in policework? Admitting mistakes.
Its true that you can be ordered by the court to decrypt drives. Then there is a documented point-in-time when the state received read/write access to your drives, and also, presumably the drives are already in custody etc.
I think the highest risk of evidence being planted would occur during the search and seizure process, so encryption would help you there. And it also prevents informants from doing it and then selling you out for their own benefit. And it prevents thieves from looking through your files if your bag gets snatched.
Overall I think disk encryption provides some great benefits.
Increasingly I'm convinced that if you want to keep a secret for any reason, the only way to do it these days is encrypted on an SSD that will physically self-destruct without regular maintenance of the "kill switch" (also cryptographically secure). It should do this on a regular enough basis that you could withstand the stay in a cell, but long enough that an unexpected weekend in the hospital doesn't wipe out your data.
The thing is that you must have this as your standard practice... you can't just adopt it when the feds kick down your down.
This is done for chain of custody reasons but would also effectively circumvent your security.
You need to have your storage medium self destruct if it is hooked up to a system other than the one it was paired with.
This system would have to rely on the logic board of the storage device so you would have to harden that so that a swap of the logic board also renders the storage device inoperable.
I mean physical destruction of the NAND gates... just kill it with a "hammer" kind of destroyed. Set it up so it's a fail-deadly switch, and there you go.
There are people who have programed their storage devices to zeroize when read sequentially over the whole drive; specifically to prevent an unauthorized party from cloning the drive.
People do not swap the logic boards of drives often, because unless you get an exact revision match they will be incompatible.
The great thing about old news is there is often more recent updates.
Regarding Ramona Fricosu
"Fricosu's attorney claimed it was possible she did not remember the password. A month later, Fricosu's ex-husband handed the police a list of potential passwords.[3] One of the passwords worked, rendering the self-incrimination issue moot."
We have no way of knowing what would have happened ultimately.
This case pisses me off. Truly. Not because of what the FBI did, but because of all these articles coming out, from the doctor's home town, that leave out a ton of detail. Then a bunch of people in the comments defending someone who had naked pictures of underage girls and works in a position of power. He's trying to get off on a technicality.
How could we possibly know?
>Mark Rettenmaier, a gynecologic oncologist on staff at Hoag Hospital, had the pornography on three portable hard drives, a laptop and his iPhone, according to a federal grand jury indictment filed in November.
I support all people's right to a fair trial, due process, and protection from unreasonable search and seizure. Suspected terrorists, drug dealers, and child pornographers included.
Talk to a millennial sometime. They don't teach these things in school any more. Talk about the presumption of innocence or the right to a fair trial and they look at you like you're from outer space.
Not only are Millennials I know as likely to be aware of those things as older people I know, Millennials are among the most passionate about protecting them.
I'm a 'millenial'. I also have a law degree and our lecturers were pretty hot on the importance of the right to a fair process and a fair trial above all else.
>The hard drive arrived at Best Buy’s Brooks, Kentucky facility on November 25, 2011, and an initial search was performed by a Best Buy employee at 9:00 p.m. on
November 28, 2011, revealing that the “drive appears to have been restored, underlying data visible.” (Bates 853.) Best Buy called Rettenmaier less than thirty minutes later; he authorized “Level 2” repair and identified “[p]ictures, excel files, quicken files, text and word documents” as the most important files to recover. (Id.)
>On or about December 20, 2011, Best Buy technician John “Trey” Westphal
observed what he deemed to be inappropriate content on the hard drive. (Dkt. 152 at 4.) His discovery occurred after the data recovery repair for images—“to determine that the repair was successful [Westphal] must access the files to verify that the files were recovered intact.” (Bates 823.)
The technician had a duty to notify authorities.
The technicians were classified as CHS so that the FBI could track their relationship with them.
>During 2007 and 2008, I am aware of four employees of Best Buy Geek Squad in Brooks, Kentucky, who contacted us regarding child pornography on customers' devices. To best track the relationship with these individuals and document contacts the FBI had with them, we classified these individuals as confidential human sources ("CHS's"), though they were simply employees at the Best Buy Geek Squad who happened to be in a position to report child pornography that technicians had come across on devices during the course of repair.
Further searches revealed child porn. Not the "grey-area" stuff that kicked off the investigation, if you can even call it that.
>A later search of the iPhone revealed alleged child pornography that is charged in Count 2 of the Indictment.
If best buy employees are acting as agents of the government they require a warrant and cannot search by acting as computer repair techs as a cover for an otherwise illegal search.
There is a reason that safeguards like attorney-client, priest-penitent, and spousal privilege exist. For most of civilization, these are the people with whom we entrust our deepest secrets. Society doesn't work if these relationships aren't respected.
Today, our deepest secrets are usually stored somewhere on a hard drive. When we turn them over to the "priests" of PC repair, there is no real protection beyond the terms of a one-sided, clickwrap contract. I've never used a repair service for this reason - I'll either fix the problem myself or throw the device away. It sucks, but articles like this suggest it's not a bad idea...
> safeguards like attorney-client, priest-penitent, and spousal privilege
Let's add the Fourth Amendment to the U.S. Constitution, protecting your "papers, and effects" though it's not currently respected. It seems obvious to me that your modern "papers" are what is on your hard drive.
> It seems obvious to me that your modern "papers" are what is on your hard drive.
And they are protected in your possession. If you turn over all your papers to a third-party, though, that changes things.
eta We may need more privileged communications, but they are very rare. Creating one is probably a good idea, but this will have to happen legislatively. Geek Squad finding child porn isn't much different from the photo processors of old finding it.
> isn't much different from the photo processors of old finding it
You hand your photos over to be processed, but unless you had some photo specific issues, a computer tech has no business accessing photographs on your computer. It is an unexpected invasion of your privacy for them to do so, even if though they have the access to do so.
It's like hiring someone to fix your kitchen sink and then stepping out for a bit and finding them going through your bedroom drawers.
> they are protected in your possession. If you turn over all your papers to a third-party, though, that changes things
I believe that interpretation is standard for U.S. courts. However, it's not in the wording itself.
(Courts of course, must interpret the law beyond the wording; I fully support that. The law is not an algorithm, and also someone must apply the law to individual situations. Otherwise the First Amendment, for example, would protect slander, threats, shouting fire in a crowded theater, etc.)
I don't like that particular interpretation. It implies the 4th Amendment applies only in your windowless basement, with no communication in or out. That isn't realistic, and is especially unrealistic in the age of the Internet.
>Otherwise the First Amendment, for example, would protect ... shouting fire in a crowded theater,
But that is protected speech, and the SCOTUS case it refers to was overturned long ago because it set a terrible precedent. Holmes used that analogy to support the prosecution and conviction of Charles Schenck under the Espionage Act for writing and distributing a pamphlet that expressed his opposition to the draft during World War I.
I don't know about that case, but if you falsely shout "fire" in a crowded, dark theater, I'm pretty sure you will be breaking the law. It probably would be breaking the law if you did it in a well-lit conference hall. (Whether you are arrested or just thrown out probably depends on if anyone gets hurt, physically or financially.)
[Brandenberg](https://en.wikipedia.org/wiki/Brandenburg_v._Ohio) is the case you want to look at. The court held that, to be unprotected “incitement,” speech must meet three requirements. The speaker must intend to cause violence. The violence must be the likely result of the speech. And the violence must be imminent. So, if equivalent circumstances are established, yes, the shouter might well be in trouble.
Before you quote the "fire in a theater" precedent again, please go and look up [Schenck](https://en.wikipedia.org/wiki/Schenck_v._United_States) as well, since that's the origin of the quote, and because it's apparent that there is very little distance between "speech that will cause immediate harm to people isn't protected" and "speech criticizing wars isn't protected when we're at war" when you're a SCOTUS chief justice.
If the container for those papers (computer net of storage and access systems) fails, what recourse does the individual have?
Best Buy here are pretty much shooting their own trusted basis straight through the heart here.
Paper records don't have a strong tendency to suddenly become unreadable, requiring expert technical assistance. Computerised record storage systems somewhat moreso.
This is a great example of why these issues are complex.
There's some argument that when you store things in a cloud provider or mailbox that the service is an extension of you.
But if you hand over a file cabinet full of papers to someone and give them the key so they can fix the drawers, that's a different situation. The PC in a repair shop in analogous.
The government sees the Fourth Amendment as a bug, and they have come up with various ad-hoc patches for it. The applicable "bug fix" here is that you give up your Fourth Amendment rights when you turn your property over to a third party for repair, storage, or safekeeping.
The opposite safeguards exist in some states. In at least CA and SC, computer technicians are mandatory reporters.
I don't think the analogy between lawyers and computer techs really works. I could make another analogy here--it's like taking your car to a mechanic and there's a bunch of blood in the trunk, so the mechanic calls the cops, and it turns out you murdered someone. My analogy doesn't completely work, and I think there are other grounds why the FBI's actions here might not be legal, but computer techs are not sacred.
Argument by analogy is a worthless pursuit every time you think of doing it please take a deep breath and think of a more honest useful argument.
Your car doesn't contain a full copy of most of the pertinent private information about your life and a copy of every private conversation for the last decade. Everything from your taxes to what kind of sex you enjoy.
Furthermore the blood would be evident just by casual examination whereas this suggests a fishing expedition.
Furthermore the mechanic would just be a good Samaritan rather than a paid agent of the government.
The relationship herein creates legal issues and a perverse incentive. Your repair tech shouldn't be acting as a government agent, shouldn't be paid for finding dirt on you, shouldn't be fishing, and shouldn't be the judge of what constitutes illegality especially when guessing wrong ruins someone's life.
I think this might be a response to some other comment, or perhaps a straw version of my comment, since I agree with basically everything you've written, especially the part about analogies.
The analogy is fatally flawed because, as GP points out, it's trivial to copy illicit material onto the medium in question. You can't copy blood, and I don't see how you can find and plant blood of a known murder victim.
I don't think that's really a fatal flaw. I mean, the mechanic could have killed someone, put the body in the trunk of your car while it was in the shop, and then disposed of the body elsewhere. The legal system is designed to handle cases that aren't exactly "open and shut" and there's a balance to be had between protecting against possibly tainted evidence and being able to bring criminals to justice.
Just copying child porn onto somebody's computer shouldn't be enough to convict them, and if its is, then the problem is with the legal system elsewhere, not with the system of mandatory reporters.
double win: it could put to "work" the hoards of unemployed, recent JD grads. Nice try border-guard, but I can't unlock this smartphone because my attorney is "reviewing" my European vacation photos.
Well this actually is interesting. Is a third party expected to respect atty client privilege if that third party is used for storage? Surely not. Also, could a law be passed that states some storage (like phones) is from the factory not protected by atty client privilege, like a usb drive? Could an atty be made aware of the contents of storage even though the storage is not in attys possession? What if atty just has cred access to the storage? That enough? Man, if any of that could be enforced, it would cause all kinds of chaos for LE.
The authorities aren't allowed to get the information from your attorney, that has nothing at all to do with asking you to give that information yourself.
I have always had the habit of taking out hard drives of computers before handing them over to Apple's Genius Bar. I don't know what I'll do when the next generation of laptops has the hard drives soldered in.
You say "next", but this has already been the case for many of Apple's laptops for many years now, and as of last year they now only sell one laptop which doesn't have the SSD soldered on (that's being he 13" MacBook Pro without TouchBar).
If you're willing to have some sites break a bit at first then improve for ones you visit regularly, uMatrix in Firefox is excellent. Many items are disabled by default, but for sites you visit regularly you simply save the rule tweaks you've made for future use.
Frankly, yes. The presumption that any website should be able to access location information should be taboo.
If it's necessary to determine a location for the purposes of a query (e.g., "where is a pizza restaurant (and personal information feed front-end to personal data tracking, FWIW) near <address> or <postal code>?"), then allow the user to state where they're interested in this.
I've got precisely the same gripes against Google (Maps, etc., Android), Apple, and any given mobile phone provider.
If I'm actively engaging in something, and there's the option to specify (note: not be interrupted by a pop-up) for location, manually input, that's within the realm of acceptability.
Though it's distantly possible I might have no idea of my location within, say, a 1km resolution at a point in time, that is an exceptionally distant and rare likelihood for me. And I've no interest in leaving a set of high-time-resolution location tracking datapoints across a slew of data repositories and "information partners".
> that is an exceptionally distant and rare likelihood for me
Congratulations on not getting out much? Please remember you're not everybody. For a lot of people, websites being able to ask for a location is a useful feature.
Keyword: ask. They're not just getting it, they're asking. If you don't want to "leave a set of high-time-resolution location tracking datapoints across a slew of data repositories", you can click no, just as I do almost all the time, except when it's useful.
The chances of a specific geek squad 'operative' chancing upon a 'target' the FBI is interested in is so low and minuscule one has to wonder how its worth it unless they are operating a dragnet or the FBI has too many people on staff.
If the bar is so low one has to wonder how many high value companies are not infiltrated by FBI, NSA and other 3 letter agencies.
When commentators here suggest the answer to privacy or surveillance is 'technical' it comes across as false empowerment. How can individuals or groups win against nation state actors with near endless resources, time, influence, power and armies of bureaucrats and engineers working 24/7 to achieve objectives? It's a nonstarter and the solution has to be socio-political.
The law doesn't stop them, if anything they are adept at skirting around laws, misleading judges, working the system and banding together to protect themselves. Even worse there is zero consequence when things blow up, and its those leaking information who are hounded.
I've worked in large scale IT and I'm aware of investigations and convictions of people having this shit on corporate devices. For a national chain like BestBuy serving the general public, they probably have an incident weekly.
This article was light in details. Seeing this type of material is traumatizing, and it's important to give employees clear protocols to follow so there's as little question as possible about what to do. I find the compensation for tips potentially troubling, but there isn't much context. There's a lot of smoke in this article, but not a ton of fire regarding specifics.
This is not smoke, it's a smoking gun. Protecting employees from child porn and trauma is no doubt a sensitive issue but given the article does not even touch on that this just muddies the waters.
The focus here was on FBI's illegal data collection methods, misleading judges and recruiting operatives in best buy.
These geek squad staff are for all essential purposes FBI operatives and as detailed in the article at one time there were 8 operatives including the manager in a single location! It will be amiss to expect more evidence or 'context' than this.
If the FBI can expend so much energy and time on lowly geek squad how much time do they expend on Facebook, Google, Intel, Amd, Linux, VC Funds, security standards, industry standards. The list goes on. Things are seriously broken but many of us seem to be in a kind of denial quick to think the worst of others while failing to hold ourselves accountable to the same high standards.
There are details missing in the story posted here. For one, the Louisville facility is a large service facility where at least some employees specialize in data recovery. This isn't a case of the whole service department in a BestBuy being deputized.
BestBuy also specificly stated that they do not condone employees accepting payment.
I'm not justifying what is or isn't happening. Just pointing out that there are a lot of holes in the story.
> BestBuy also specificly stated that they do not condone employees accepting payment.
"Do not condone" is different from "you're fired if you do that". BestBuy's position needs to be that it will fire people for this kind of stunt. If nothing else, it's tarnishing the brand's image.
How long before some disgruntled geek squadette plants illegal content on an innocent person's hard drive? From time to time analogous incidents occur in food preparation (contaminating food), medicine (injuring patients), and even law enforcement. The problem with digital crime is the difficulty in determining who did what, when, with certainty.
If you're repairing someone else's computer and come across child porn, aren't you obligated to report it? (if only to cover your own ass, as technically you are now in possession of cp).
Yes, if you come across anything illegal while repairing somebody's computer you are obligated to report it. However, you're not allowed to go looking for illegal stuff while repairing a computer.
And if the FBI is advertising cash rewards for "accidentally finding" illegal content, that sounds a lot like an illegal search.
The article seems to indicate that not only were they poking around but they were recovering deleted files.
Good that they may have caught this fellow -- especially given his profession -- but that's probably rather horrifying for a significant portion of other people who brought their computers in for repair.
Some professions are mandated to report any suspicion of child abuse. In NY, any teacher, medical provider and others can lose their license for failure to report.
Your general obligation, or obligation as an IT guy may vary... and you may have liability risk.
Personally, I'd consider it an ethical duty to report such a thing. But I wouldn't do so in an official capacity without advice of counsel.
Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
For anything to do with children, quite a few professions are mandated reporters including LEOs, all public and private school personnel except volunteers, social workers, and several other rather large fields. Depending on the state that list expands considerably. Even the clergy of religious institutions are included in 27 states, superceding confidentiality.
Other than LEOs, mandated reporting for general crimes depends largely on state laws except for fiduciary duties.
I see your point, but I also think that is substantially different than:
> including evidence the agency trained company technicians on law-enforcement operational tactics, shared lists of targeted citizens and, to covertly increase surveillance of the public, encouraged searches of computers even when unrelated to a customer's request for repairs.
I am not sure if it is the law. But there is a moral and ethical reason to report a crime if observed, depending on the severity and impact to the victims.
I sent my Macbook into the Apple Store's Genius Bar to be fixed (yay unibody design). They wanted the drive's encryption password so that they could "backup" my data and add it to a new drive if needed. It looked as if they just store this password in the "notes" field. Of course I didn't give it to them, but it pays to be extra paranoid, even about services from companies you think you should trust.
I just want to post a few excerpts from court documents that always seem to be missing from these articles. Warning, descriptions of sexual imagery of children.
>The picture in question was “of a fully nude, white prepubescent female on her hands and knees on a bed, with a brown choker-type collar around her neck.” (Dkt. 152 at 7.) Presumably in the form of thumbnails, Agent Riley also saw “partial images of genitalia of young girls” and states that “[i]t appeared there was a lot of [child pornography] as the tech didn’t have to scroll, the window popped up with image after image of [child pornography] and child erotica/grooming images.” [1]
>A later search of the iPhone revealed alleged child pornography that is charged in Count 2 of the Indictment. [2]
On the classification of Best Buy workers as CHS
>During 2007 and 2008, I am aware of four employees of Best Buy Geek Squad in Brooks, Kentucky, who contacted us regarding child pornography on customers' devices. To best track the relationship with these individuals and document contacts the FBI had with them, we classified these individuals as confidential human sources ("CHS's"), though they were simply employees at the Best Buy Geek Squad who happened to be in a position to report child pornography that technicians had come across on devices during the course of repair. [3]
1. Case 8:14-cr-00188-CJC / Document 173 / Filed 12/19/16
2. Case 8:14-cr-00188-CJC / Document 76 / Filed 10/30/15
3. Case 8:14-cr-00188-CJC / Document 176-1 / Filed 01/05/17
It sounds like the techs were not on a fishing expedition, but came across the images in performance of their normal duties.
>The hard drive arrived at Best Buy’s Brooks, Kentucky facility on November 25, 2011, and an initial search was performed by a Best Buy employee at 9:00 p.m. on November 28, 2011, revealing that the “drive appears to have been restored, underlying data visible.” (Bates 853.) Best Buy called Rettenmaier less than thirty minutes later; he authorized “Level 2” repair and identified “[p]ictures, excel files, quicken files, text and word documents” as the most important files to recover. (Id.)
>On or about December 20, 2011, Best Buy technician John “Trey” Westphal observed what he deemed to be inappropriate content on the hard drive. (Dkt. 152 at 4.) His discovery occurred after the data recovery repair for images—“to determine that the repair was successful [Westphal] must access the files to verify that the files were recovered intact.” (Bates 823.)
The later search of Rettenmaier's home turned up child pornography on 5 separate device. Those facts lead me to stand where I do on this issue.
>The later search of Rettenmaier's home turned up child pornography on 5 separate device. Those facts lead me to stand where I do on this issue.
As abhorrent as CP is, the more important question here is whether the FBI's investigative tactics comply with our civil rights. It sounds exactly like the FBI set the Geek Squad on a fishing expedition. None of the stuff you added refutes that. Just because they found child pornography evidence independent of that discovered by the Geek Squad does not mean that we should be satisfied with their investigative tactics. You need to weigh this against the possibility that the FBI's "lists of targeted citizens" is obviously problematic. There are almost certainly people on that list who are in fact innocent of a crime. What if this list had been made public by a Best Buy employee? Simply having one's name on the list with [person recently prosecuted] for [abhorrent crime] could ruin a person's reputation.
Next thing we know, their store will be blown up by a rogue undercover female agent who loses her mind to a nefarious villain, but everyone will be saved by the local Geek Squad weirdo, his sleazy friend and irresponsible, lazy yet remarkably likeable slacker who has somehow managed to become store manager and whose best friend is a reluctant covert CIA agent with remarkable athletic and mental abilities.
People in the computer hardware/software repair industry should be infuriated by this as it erodes trust in their profession generally -- not just Best Buy.
I know I'll be recommending that friends and family just backup, destroy, and/or reinstall, and avoid repair shops unless absolutely necessary.
You say this, but I've noticed "servalince-fetegue" on (surprisingly) non-tech people. I think the general populace are starting to wise up to what is happening; perhaps not on a large enough scale to effect anything, but it's happening nonetheless.
I think the future might not be as bleak as it currently seems. Talk with people. Explain what's going on and why it's bad. Despite the common rhetoric of people not caring, many do.
Went to Best Buy to purchase a laptop for my Mom. Geek Squad had installed the "free anti-virus" that came with the laptop. They opened a brand new factory sealed laptop. I noped right out the door.
This story is shocking and deserves public exposure.
The OC Weekly seems like the bizarre indie magazines available at a Communist coffeeshop in Berkeley, CA. Maybe it's just the illustrations. Either way, the medium distracts from the message.
I wouldn't hand my computer over to anyone, Geek Squad or not. It's handing the keys to your life over to some person whose motivations you have no idea of. Rather than repair my computer, I would buy a new one. I recommend everyone do the same. Think of it as insurance for your livelihood, and the most guaranteed insurance at that. Well worth the money, especially considering the average lifetime of a laptop.
That's nothing. The Buy More in Burbank has a joint CIA/NSA lair hidden beneath it and the Nerd Herd are operatives. There's even this one guy with some kind of Database (possibly NoSQL) installed in his brain.
