

Is the FBI dumb, evil, or just incompetent? - kevin_morrill
http://techcrunch.com/2013/05/25/is-the-fbi-dumb-evil-or-just-incompetent/

======
lawnchair_larry
I'm one of the hard-headed privacy freaks usually sharpening my pitchfork when
there is an outrage against civil liberties. I'm _that guy_.

I once had a job that involved investigations of criminal activity (not law
enforcement or government related, just a company protecting its own users and
employees).

In this case, I had identified, with certainty, one individual that was
engaging in significant fraud. He appeared to have several accounts, and it
was appearing highly likely that he had a few accomplices.

During the investigation, I was fully willing to violate everyone's privacy to
find everyone in the fraud network. This included data that was already
submitted voluntarily, private communications, as well as embedding tracking
objects and invisible flash objects to retrieve IP addresses of users surfing
behind proxies (this used to be an effective way to unmask users). I didn't
have a second thought about it. Why would I? I didn't care what the legitimate
users were doing, wasn't going to stalk them, wasn't going to pay any
attention to their personal affairs. But, to weed out this problem
effectively, I needed to sweep everything. I'm trustworthy, just doing my job,
and I certainly trust myself enough to disregard or ignore information that
wasn't pertinent.

After being entrenched in the investigation, I had a fairly exhaustive list of
the bad actors. Initially this was just basic hard data, (such as correlating
IP addresses), but then there was kind of a "sixth sense" that I also started
relying on, where I couldn't articulate the signal, but some behavioral cues
just _felt_ like they were related. You know, "gut instinct". So I ended up
digging into those accounts, and confirmation bias took over. I did find many
more bad actors, but I was thoroughly convinced that a few cases were also
related, which ended up being suspended, and it turned out that they were
actually unrelated and legitimate. That's when I started to reflect a bit.

I didn't go through with the most blatant of the proposed violations, although
at the time I was willing to initially. I now realized how egregious that was,
and noticed how easily I fell into that mindset. If asked, I think the words
"If you've got nothing to hide, you've got nothing to fear" could have
naturally rolled off my tongue (though, this certainly would have alerted me
to the errors of my thought process).

So I concluded a few things:

\- _Most_ of the time, these blatant, sweeping violations, are most likely not
malicious and probably do have good intentions. I very much understand what
frame of mind most of those people are in. It's not an opaque three letter
agency, it's made up of regular individuals with tunnel vision on their
legitimate objectives (stopping crime).

\- When you look at criminals day in and day out, and are on a mission,
everybody starts to look like a criminal.

\- The "working backwards" approach - finding signatures of bad activity, and
applying it to other data, then "confirming" the new matches, is a well-
understood statistical fallacy, aptly named, the prosecutor's fallacy[1]. If
you spot it in court, your defense attorney can try and point it out to the
jury - and good luck explaining it to your "peers" who probably play the same
lotto numbers because theirs is "due eventually". But let's face it - your
life is already ruined by then. You're on all the watch lists, your vehicles
are bugged, you've got huge legal bills and no job, and maybe if you're
extremely unlucky, you're even in Guantanamo. Everything prior had little or
no judicial oversight, no way to defend yourself, and is from a system that is
invariably full of investigators who are not self-aware enough to always catch
themselves doing this, especially when the cost of missing an actual threat is
extremely high.

And for bonus points:

The interface that a coworker created to do some of the data mining (let's
call it the "lawful intercept interface") had an SQL injection bug in the
logic that parsed login history. It wouldn't have been difficult to discover
and exploit without even knowing this interface existed, due to the error a
user would see on login if they had certain bad characters in the affected
field. I found it roughly a year later and reported it to the CTO in a message
from his own account, after using the bug to take his auth cookie out of the
DB (we were friends, so I knew he would be a good sport).

tl;dr It's mostly good intentioned individuals with tunnel vision, who are
very misguided, and who don't understand the side effects and costs of what
they propose.

[1] <http://en.wikipedia.org/wiki/Prosecutor%27s_fallacy>

~~~
pekk
Please tell which US citizens are in Guantanamo because they were "extremely
unlucky". You make it sound as if the FBI is picking up Soccer Moms for no
reason and mysteriously spiriting them away to Guantanamo.

~~~
lawnchair_larry
No, I don't make it sound like that at all. Hence, "extremely unlucky." And I
didn't say US citizens went to Guantanamo.

If you aren't aware that there were many documented false positives who were
sent to Guantanamo or other CIA detention facilities, you aren't paying
attention, because there were some very high profile cases. Here is one
example:

<http://en.wikipedia.org/wiki/Khalid_El-Masri>

 _Khalid El-Masri is a German citizen who was mistakenly abducted by the
Macedonian Police, and handed-over to the U.S. CIA, whose officers
interrogated, sodomized and tortured him. While in CIA hands, he was flown to
Afghanistan, where he was held in a black site, interrogated, beaten, strip-
searched and subjected to inhuman and degrading treatment, tantamount to
torture. After El-Masri held hunger strikes, and was detained for four months
in the "Salt Pit", the CIA finally admitted his arrest and torture were a
mistake and released him._

 _In April 2004, CIA Director George Tenet was told by his staff that El-Masri
was being wrongfully detained. National Security Adviser Condoleezza Rice
learned of the German citizen's detention in early May and ordered his
release. Shortly before el-Masri was released, in May 2004 the US ambassador
to Germany informed the government for the first time of his detention._

* According to a December 4, 2005, article in the Washington Post, CIA agents discussed whether they should remove El-Masri from Macedonia in an extraordinary rendition. The decision to do so was made by the head of the al Qaeda division of the CIA's Counter-Terrorism Center, on the basis of "a hunch" that El-Masri was involved in terrorism; his name was similar to Khalid al-Masri, strongly suspected as a terrorist.*

I can't think of a worse way to completely ruin an innocent man's life. He was
basically a "Soccer Dad".

------
kenjackson
I think people have the FBIs motivations misunderstood. And I don't mean in
some evil conspiracy theory sort of way, but in one that is pretty consistent
with their mission.

Their main mission nowadays is to stop terrorism, etc... I I think that when
they look at this rationally they believe are better served by being able to
access these conversations.

The article theorizes that people with data to hide will use encryption, or
otherwise would be so stupid, that one can find them easily in any case. In
the real world a lot of these cases are broken on a "lucky" break or two.
Someone improperly or not using their encryption software once, for example.

I think it seems foolish to accuse them of being dumb, evil, or incompetent.
Given the stakes they deal with, and the amount of data they have to sift
through, I think its very reasonable that they try to reduce the amount of
work they need to do to find credible leads. And I'm sure they try to
institute methods to minimize abuse, but I'm sure they are also aware that
some abuse will happen.

While some of this feels like it may cross the line, I think it's a line that
a rationale organization, with their mission, should push against.

~~~
nathan_long
Yes. Most of us here are privacy advocates, and I think society needs our
voice. However, we're only one side of the coin.

Imagine a world where _every_ phone call, email, chat, forum post, etc is
fully anonymous or indecipherable to law enforcement. And imagine your loved
one has been abducted and law enforcement has no tools for finding those
responsible.

There are many kinds of dystopias. Big Brother is one. Rule by competing gangs
is another. We're shooting for some compromise where both individuals and
society's rights are balanced.

It's hard.

~~~
betterunix
"Imagine a world where every phone call, email, chat, forum post, etc is fully
anonymous or indecipherable to law enforcement. And imagine your loved one has
been abducted and law enforcement has no tools for finding those responsible."

So somehow, these abductors managed to leave no physical evidence at all and
no witnesses? What does communication privacy have to do with that?

There was once a time in this country when communications _could_ be anonymous
-- when law enforcement agencies did not have easy wiretapping access. We
still managed to prosecute criminals then. Yes, sometimes criminals got away
with their crimes, but _that is what striking a balance is all about_. The FBI
is not trying to strike a balance with this proposal, they are trying to shift
the balance in their favor.

~~~
rayiner
> There was once a time in this country when communications could be anonymous
> -- when law enforcement agencies did not have easy wiretapping access.

Federal authorities always had wiretapping powers pursuant to a warrant. If
you mean before that, it was also a time when limited communications forced
more visible means of coordination. Consider the difference between planning a
crime in a shady corner of a restaurant, with potential witnesses, versus
doing the same in an electronic chat room with no ability to capture the
communications, even pursuant to a warrant.

~~~
betterunix
"Consider the difference between planning a crime in a shady corner of a
restaurant, with potential witnesses, versus doing the same in an electronic
chat room with no ability to capture the communications"

I am not sure I see the difference. On the one hand, you have two people who
likely have a legitimate reason to meet at a restaurant speaking quietly to
each other. On the other, you have two people with a legitimate reason to have
an Internet connection using it to communicate. There is a matter of distance
I suppose, but so what? Postal mail has always allowed people to communicate
at a distance, and it has always allowed anonymous senders.

Why not require all restaurants to record their customers' conversations, just
in case the FBI needs to investigate it later on (with a requirement for a
warrant, of course)? The same reasoning applies to this FBI push for expanded
wiretapping power.

~~~
rayiner
The difference is that if you plot a crime in a restaurant, there are
potentially dozens of sources of evidence linking you to the meeting: patrons
and servers might see you, security cameras might record you, people might see
you drive there, a credit card bill might link you to a meeting there, etc. If
the same crime is planned in a chat room, the only thing police may have to go
on is logs hosted by the intermediate service provider. Technology makes the
real-time communication _more_ anonymous and less traceable than was practical
in the past. Even postal mail, besides not being real-time, isn't as anonymous
as electronic communications without the possibility of obtaining logs via a
warrant.

The focus of privacy activists is in my opinion misplaced. People want an
internet that's never monitored, never recorded, never wire-tappable. That's
never going to happen, nor is it apparent that it's desirable. What we want is
something that preserves the scope of investigative powers that have
historically existed with the telephone system. That means robust protections
against warrantless wiretaps, but also an effective way of getting access to
information pursuant to court-authorized warrants.

~~~
AnthonyMouse
Where does "restaurant" come from? Can conspiracies not be planned in a
private residence etc.?

Even with a restaurant, you're relying on someone present giving evidence to
law enforcement. That works just the same with encryption -- if you have an
encrypted chat room with five people and one of the participants sends the
logs to the FBI (or is an undercover agent), the FBI will have the logs. If no
one does, the FBI will not, which is the same as it is when co-conspirators
meet in a restaurant.

>That means robust protections against warrantless wiretaps, but also an
effective way of getting access to information pursuant to court-authorized
warrants.

The FBI has plenty of tools available. Even if data is encrypted, law
enforcement agents with a warrant would still be able to obtain information
from ISPs as to who is communicating and when. In the most serious cases
trotted out to justify new powers, the FBI can install a listening device or
put a trojan on the suspect's communications device.

The way to strike the right balance here is to make wiretapping extremely
technologically difficult but not impossible. That makes it very hard for
criminals or anyone without government-level resources, and makes it very
difficult for governments to engage in unjustifiable dragnet surveillance of
innocent people, while still allowing governments to capture the
communications of suspects in the rare and most serious cases where the
existing evidence justifies that extraordinary level of invasion into the
private communications of citizens.

------
HarryHirsch
The last line is the most important: if there is a backdoor (that is the
Lawful Interception interface) there is no guarantee that it won't be used by
unauthorized third parties.

Anyone could have predicted that something like the Google hack was going to
happen. I also seem to remember that there was a similar incident involving
the cellphone network in Greece.

~~~
rpgmaker
On top of this, the FBI doesn't have a "going dark" problem. For more on this
please read Trevor Timm (an activist for the EFF and Executive Director of the
Freedom of the Press Foundation) on the topic here:
[http://dprogram.net/2013/04/17/going-dark-whats-so-wrong-
wit...](http://dprogram.net/2013/04/17/going-dark-whats-so-wrong-with-the-
governments-plan-to-tap-our-internet/)

"Trevor Timm: Well, yeah. They’ve been complaining about this “Going Dark”
problem for years now and we’ve never really seen any actual evidence that
this actually exists. The FBI or the DOJ has to report the number of times
they run into encryption when they ask for surveillance. Every year they have
to report back how many times they ultimately couldn’t get the information
they sought; the number is always 0—for the last 11 years."

He shared this on twitter a while ago:
<https://twitter.com/trevortimm/status/331985318620327936>

------
Cieplak
Are there any video chat clients with end-to-end encryption?

I was trying to do this by piping the output of my webcam to openssl and then
to netcat, which sends the packets to a publicly addressable server (Amazon
instance) that relays the encrypted packets to another computer behind a
firewall, that decrypts the video stream and plays it in MPlayer. It works,
but the latency is about 10 seconds. To reduce the latency, I could delta-
encode the video stream, leverage the GPU somehow, but I'm not sure how to get
the latency down to the 200ms required for seamless conversation. Also, it
should be noted that there is little code behind this, mainly just unix
utilities and pipes.

PS: Also I could remove the Amazon piece and forge a direct P2P connection
using NAT hole punching if the routers on both ends permit, but this is not
always reliable and isn't a huge source of latency.

~~~
stephen_g
Apparently FaceTime [1] and iMessage are end-to-end encrypted with unique
session keys. Whether Apple has access to those keys is not known though (the
key exchange isn't documented as far as I can tell).

1\. [http://www.zdnet.com/blog/apple/facetime-calls-are-
encrypted...](http://www.zdnet.com/blog/apple/facetime-calls-are-encrypted-
and-hipaa-compliant-when-using-proper-encryption/11166)

~~~
venomsnake
Any communication that you don't set the keys/are able to track them should be
considered unencrypted in my opinion.

------
siculars
I say all of the above. There's basically one reason to work for law
enforcement: Authority and its slutty sister, Power. People who are attracted
to these things are susceptible to logic failures in pursuit of their interest
in exerting Authority and Power.

~~~
andrewljohnson
Many people are drawn to law enforcement out of the desire to help others and
do good for the world. Being an FBI agent is a very honorable and well-
respected profession, especially outside of an internet forum.

Your comment pisses on every person who ever went to school to study criminal
law, many of whom did so for noble or at least neutral reasons.

~~~
betterunix
"Being an FBI agent is a very honorable and well-respected profession"

Unless you are doing this:

[http://blogs.citypages.com/blotter/2011/01/secret_government...](http://blogs.citypages.com/blotter/2011/01/secret_government_informer_karen_sullivan.php)

It is not as though this is some kind of new, unprecedented behavior either:

<http://www.cnn.com/2008/US/03/31/mlk.fbi.conspiracy/>

<https://en.wikipedia.org/wiki/J._Edgar_Hoover>

So let's say a young man is thinking about joining the FBI; he wants to do
good for the world, maybe help catch a serial killer or take down a child
abuse group. How does he know he will not be asked to conduct surveillance on
an anti-war group? How does he know he will not be asked to dig up some dirt
on a civil rights leader?

This "honorable profession" you are defending has always had a dark side.

~~~
cma
So all the good guys who could disinfect the system from within should just
turn down the chance and ensure only bad guys get into the position of power
and authority?

~~~
moxie
It's not that "bad people" are the ones drawn to become cops and prison
guards, but the inverse: working as a cop or a prison guard changes you to
behave a certain way.

The "Stanford Prison Experiment" is a good example of this phenomenon:
<http://www.thoughtcrime.org/blog/career-advice/>

------
bediger4000
I vote a little dumb, a little evil (you know, the banality kind) and pretty
incompetent.

Anecdotal, but the FBI's first web site was hosted by a NASA machine. I think
the FBI was traditionally an IBM shop, and mainframes and the web didn't work
well together at first.

In more verifiable evidence of incompetence, there's the Virtual Case File
epic fail ([http://www.washingtonpost.com/wp-
dyn/content/article/2006/08...](http://www.washingtonpost.com/wp-
dyn/content/article/2006/08/17/AR2006081701485.html) just one of many articles
about it) followed by a minor debacle in Sentinel
(<http://www.pcmag.com/article2/0,2817,2407922,00.asp>)

~~~
lostlogin
This has happened on a vastly smaller scale at a few places I have worked.
Another flaw seems to be that none technical people ask for something to
appear in the new system when they have no idea. The system is built, exactly
as requested, and it sucks. Having a competent software engineer on staff who
understands the field is vastly more handy than a fat wad of cash paid to
outsource. I'm sure there is a good middle road, but companies I have worked
for haven't found it.

------
fixxer
I've read that quantum computing is picking up, so please correct me if I'm
wrong... it IS still pretty hard to factor very large primes, right?

This push to "stop terror" via reading the general public's email/chats/etc.
seems more like Big Bro and less like a viable method to stop the next 9-11.
Sure, the bros from Boston weren't exactly sophisticated, but I find it hard
to believe nobody in Al Qaeda knows how to use PGP.

Still, I'm voting for incompetent. If they want to know what kind of porno we
all like, fine.

~~~
arethuza
"it IS still pretty hard to factor very large primes"

I think you mean that it is hard to factor the _product_ of two primes,
factoring primes is pretty easy regardless their size.

~~~
fixxer
Of course. I took it for granted that the audience here would know what I
meant. My apologies.

------
vy8vWJlco
Most of these debates seem to start from the idea of a yes or no ballot to
formalize a panopticon and I think that only makes it more likely that society
will go there (I mean: please, somebody, think of the children).

IMHO, the idea that law enforcement should have either all or no access to
online data is a false dichotomy.

Wiretapping capability is less relevant than ever IMHO, in a time with more
privately-owned cameras and personal communication devices than ever; it is
more likely than ever that criminals _will_ leave physical evidence of
physical crimes, and so there is less reason than ever to invade people's
privacy or criminalize thoughts and suspicion/conspiracy/planning of physical
crimes when the damage comes from the follow-through, not the imagination.
Violent crime has been declining In Canada and the US for decades. This idea
of urgency simply doesn't fit those facts.

The Internet is basically a bunch of random thoughts. In a sense, people are
having public conversations, but in another people are simply thinking out
loud; the more we hold to criminalizing thoughts, the more we create problems
by that process and criminalize freedom of thought.

I'm for warrants, and against vigilante justice, but I also really think we
need to dissect this idea that only law enforcement should have, or even
already has, the tools to address all dangerous situations. IMHO, the less
individuals rely on institutions the better, since it is well known that power
corrupts. So far Canada and the US have had pretty good luck and the public
has had _some_ success holding institutions accountable for abuses of power,
but I don't get the impression that influence is as strong as it needs to be,
going forward (and I don't know how to fix it while continuing to empower
institutions that quite predictably stray from their mandates rather than
close shop). IMHO, Institutions pose an unnecessary risk as they continue to
grow and claw for more power - in this case, pushing for more surveillance
capabilities. I would rather be responsible for myself, without the help of
institutions, wherever possible.

As we create new potentials, and empower people to help themselves, I think
the role of institutions should decrease. Take the recent article on the
French police offloading missing person searches on Facebook for example. (
[http://www.itworld.com/networking/357720/french-police-
end-m...](http://www.itworld.com/networking/357720/french-police-end-missing-
persons-searches-suggest-using-facebook-instead) ) As much as I don't like
Facebook, I think that's the right tool for that job, and I would like to see
more work to empower individuals in that sense. It's a wonderful thing to be
not needed because you actually solved a problem. I, for one, would love to
not need to rely on (and pay for) the police or government because I was safe
and had a voice of my own.

------
Jun8
You don't need such a long argument to prove FBI's stunning incompetence, an
example like failing to prevent the Boston bombing where they couldn't find
their assess with two hands would suffice.

~~~
nathan_long
>> failing to prevent the Boston bombing

OK, you're in charge of the FBI now. There are tens of thousands of public
events today in tens of thousand of venues.

Protect them all. Go.

~~~
tomjen3
No I am not. I can't protect them so I wouldn't try to become the leader of
the FBI. I also can't do surgery but if I come in to have some work done on my
hand and leave with a foot chopped of I am going to sue the doctor.

~~~
Chronic24
Exactly. The FBI was unable to perform their job properly. Then they ask the
public for help. What, the bomber didn't leave behind any Facebook
conversations to track? Boo hoo.

~~~
tomjen3
Exactly, the US has DHS, FBI, CIA and a dozen other agencies.

Letting anything through should simply result in the leaders going to the
electric chair.

~~~
nathan_long
>> Letting anything through should simply result in the leaders going to the
electric chair.

My, you have high standards. I hope you've never released a bug. Every line of
code is available for your inspection and behaves deterministically. Unlike,
say, people, who are nearly uncountable, much less predictable, much less
controllable.

To avoid letting _anything_ through would require being omniscient and
omnipotent.

Please at least try to give others the benefit of the doubt that you'd like
them to give you.

------
charlesjshort
What happens when the FBI becomes infected with people like Lerner who use
their power to persecute political dissidents?

~~~
bediger4000
What do you mean "becomes"? J. Edgar Hoover actually did use his power to
persecute political dissidents. I say this whole FBI backdoor/legal intercept
thing reeks of trying to do that sort of thing again.

I mean, it's pretty easy to monitor Quaker anti-war activists: they do
everything publically and invite participation politely. No agency needs
wiretap access to monitor them. So, who are they going to monitor with this?

------
riggins
_So the FBI would only be able to wiretap suspects who are either too dumb to
use encryption — in which case they ought to be easy enough to catch without
wiretaps_

I think the author under-estimates the difficultly of catching criminals.

~~~
reeses
Agreed. The dumb ones will work out of 'the game' quickly enough and are
quickly replaced.

The bigger problem is not 'catching' them, but prosecuting them effectively.
This requires prioritization of limited resources based on severity of
offense, availability of sufficient evidence, and difficulty of prosecution.
The last is ugly because it's almost directly economic, in that the ability to
afford legal counsel creates some level of inequality.

------
LeoTolstoyJr
Maybe I'm being naive, but what's preventing Google or Facebook from using
their resources to launch a PR campaign against these requests from the FBI,
or at the very least be a bit more outspoken about them?

~~~
will_brown
Until recently the US Government was issuing tech companies National Security
Letters (different from subpoenas, they do not require judicial approval) and
the letters had built in gag orders. In other words if the recipient could not
discuss what was being requested by the government, or even challenge the
request in court without criminal penalties. Recently courts have reviewed
this and given a partial lift on the built in gag orders. (see:
<http://en.wikipedia.org/wiki/National_security_letter>)

------
venomsnake
Think like a sysadmin in a big corporation. Assume that there are devices (the
BYOD trend) that you have no root to/ no way to monitor them. It will drive
you crazy if you have a mild case of ODC(and in IT it comes with the
profession) no matter what the real risk is. Now you are in FBI shoes.

With the devices so closely integrated into the cloud we are already close to
the "day every iDevice was wiped irreversibly and huge part of the world
stopped". Let's not make it closer.

------
paullth
Cant the companies that would be affected just split off the operational side
of the business to be outside of US jurisdiction, you know like some do to
avoid paying tax (not to grossly over-simplify the issues...)? You know
facebook could still exist as a US corporation encompassing the intellectual
side of the company but create and icelandic company that actually deploys the
servers and processes the data. Or something.

------
nolite
d) all of the above?

~~~
reeses
Do FBI contradict myself? Very well then FBI contradict myself, (FBI am large,
FBI contain multitudes.)

------
ancarda
Why would the FBI be interested in social networks? I don't think criminals
and terrorists communicate using Facebook.

~~~
brown9-2
Not true.

~~~
ancarda
Can you cite any sources? I just find it implausible that anything other than
petty crime would be discussed over social networks.

~~~
josefresco
[http://www.cbc.ca/news/technology/story/2012/01/10/tech-
terr...](http://www.cbc.ca/news/technology/story/2012/01/10/tech-terrorist-
social-media.html)

[http://www.cnn.com/2013/04/27/world/rivers-social-media-
terr...](http://www.cnn.com/2013/04/27/world/rivers-social-media-terror)

------
ireadqrcodes
i guess they don't care about anything else as long as they can do their job

~~~
reeses
We obviously need a test-driven government framework. :-)

------
ianstallings
I'd say they're a little of all of those things and more. They are, after all,
human. They get paranoid and worry, they make mistakes, they grasp for power
when they can. It never works out like they want though, because they are
human.

------
X4
I believe that the CIA is much much worse than the FBI.

