
Apple health data used in murder trial - erentz
http://www.bbc.com/news/technology-42663297
======
TuringNYC
A more troubling use of the data, not mentioned in the discussion so far,
would be _query_ driven usage, for example: Prosecutor: OK, let's query all
phones with activity showing X among men in this geography and find ourselves
a suspect.

This type of use would be very troubling to everyone because, given enough N
value, you can always find _some_ people to fit a criterion. Then, it becomes a
matter of making a case that fits very narrow criteria. Hard to defend
against, possibly very expensive to defend against.

Now, in the US, for these types of cases you need to prove beyond a reasonable
doubt. But in reality, many people with limited funds for expensive lawyers,
when faced with 30-year sentences, will just plea bargain for 2 years -- which
is _not_ something that needs proof beyond a reasonable doubt.

In summary, using phone data to independently support an already strong case
might be a good way to set innocent people free. Using phone data to _find
culprits_ might be a great way for innocent people to get a false accusation
just based on statistics and the laws of querying on large datasets.

~~~
stfwn
> Let's query all phones with activity showing X among men in this geography
> and find ourselves a suspect.

Afaik this is technically impossible with Apple Health at this point.

> Many people with limited funds for expensive lawyers will plea bargain for 2
> years

Plea bargains rarely (if ever) happen in the Netherlands, and I suspect they
don't in Germany either. The reasoning behind this is probably that when the
state sues they should go for justice, not victory. Plea bargains may
incentivize strong arming, bluffing tactics and money politics that don't
belong in a court room.

~~~
Xylakant
Plea bargains (Verständigung in Strafsachen, § 257c StPO) happen in Germany,
but not in murder cases, though a sentence might be reduced for a cooperative
accused. They are more common in complicated financial crimes or small scale
crimes like theft. There’s also a limited frame in which the judge decides on
the punishment, it would be extremely odd that a potential sentence of 30
years is reduced to 2 years. Having less extreme prison sentences and a right
to a paid lawyer reduces the pressure on the defendant.

------
tpush
"The suspect - identified by a hair found at the scene of the crime - refused
to provide police with the PIN code to his phone so investigating officers
turned to an unnamed cyber-forensics firm in Munich, which broke into the
device."

Really interested in knowing how they got in (and what model of iPhone it
was.)

~~~
lern_too_spel
Especially since Apple claimed this was impossible in 2014.

[https://www.google.com/amp/appleinsider.com/articles/14/09/1...](https://www.google.com/amp/appleinsider.com/articles/14/09/17/apple-says-incapable-of-decrypting-user-data-with-ios-8-even-for-government-agencies/amp/)

~~~
grzm
The forensics team may have been able to brute force the PIN, depending on the
settings, if I'm reading this correctly:

[https://arstechnica.com/gadgets/2016/03/there-are-ways-the-f...](https://arstechnica.com/gadgets/2016/03/there-are-ways-the-fbi-can-crack-the-iphone-pin-without-apple-doing-it-for-them/)

(Please use direct links rather than amp links.)

~~~
lern_too_spel
Which again contradicts Apple's statement from 2014.

My link is also a direct link to a faster loading page. I tried to load the
appleinsider.com page, and it hung for nearly ten seconds waiting for a
response from the server before I gave up. It's not worth my time, and it's
not worth the reader of my comment's time.

~~~
ubernostrum
The main problem with a lot of these stories is that there are combinations of
iPhone models, operating systems, and settings which are believed not to be
breakable by general law enforcement agencies, and others which are known or
strongly suspected to be.

Apple tends to make its claims regarding the latest iPhone model combined with
the latest iOS version combined with particular settings.

Thus, for example, in the San Bernardino case, the fact that the phone in
question was a 5C mattered. The 5C is not just an older phone, it has
different security-oriented hardware inside, and that does change the security
characteristics of the device.

Also, the Apple statement you keep pointing to said that Apple, as of iOS 8,
is unable to retrieve or reconstruct the key used to encrypt the phone's
storage. Which is true -- Apple cannot do that, and has designed things so
that Apple cannot do that. What the FBI wanted in that case was _not_ for
Apple to supply a key or a passcode (which they don't have). What the FBI
wanted was for Apple to create and sign and load a custom firmware which would
disable anti-brute-force protection for the passcode, allowing the FBI to
determine the passcode via brute force. Apple could do that, but refused to do
so.

And for completeness' sake, that avenue is no longer available on more recent
phones with more recent versions of iOS; performing an iOS update now requires
the passcode, regardless of whether the update is initiated from the phone or
from a connected device (even one previously designated as trusted).

------
bobsil1
If you drill down on the motion log in the iOS Health app, it's _very_
granular, like a web server log.

------
ozten
Perhaps it has improved, but last time I looked HealthKit data is buggy and end
user editable. Seems like one of those things that is useful, but not
definitive.

~~~
mtgx
Chances are the prosecutor can manipulate that evidence to look good to the
judge/jury much better than the defense lawyer can make a counter-argument for
why it cannot be used in court. At least that has been the trend with
stingrays and other bleeding-edge surveillance technology that is poorly
understood by judges.

The prosecutors are backed by government and FBI resources (including
technical expertise). Your average defense lawyer isn't. Hell, the FBI was
even teaching prosecutors and the police to say that using a stingray was
_under NDA_ with the company providing it and therefore they couldn't talk
much about using it in court (but still benefited from the gathered evidence).

[https://www.scmagazine.com/fbi-stingray-nda-instructs-police...](https://www.scmagazine.com/fbi-stingray-nda-instructs-police-to-use-parallel-construction/article/528046/)

~~~
gok
This was in Germany, so I highly doubt the FBI was involved. Also there isn’t
really a jury system.

------
nicolashahn
Note to self: if I'm ever going to murder someone, turn off my phone, or at
least the things in my phone that track what I'm doing and where I am.

~~~
tjoff
So they will see that the phone was on continuously for two years, then the
night of the murder it was switched off for 6 hours and has been on ever since.
Not at all suspicious...

(this is data your service provider already has, and I wouldn't be surprised
if this is already used to flag weird behaviour)

~~~
QAPereo
Even better, I find that not murdering people is a much easier solution to
this problem.

~~~
Fnoord
Murder is -obviously- a hyperbole (though I'm sure a certain H. Reiser would
agree).

You can make a case for anything voluntarily involving destroying your
privacy. Compare to GDR. You were always watched, period. The same's true now,
but it's partly voluntary. Is it desirable? You should decide on that on a
case-by-case scenario. Schneier wrote several essays on this matter (here's
one [1] and a more recent one [2]) and his latest book, Data and Goliath also
covers this subject.

Interestingly the more we centralise on our smartphones, the more difficult
voluntarily leaving it home becomes. We already put all kinds of NFC cards like
our bank and public transport on our phones these days. What's next, unlocking
the car via NFC?

[1]
[https://www.schneier.com/essays/archives/2006/05/the_eternal...](https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html)

[2]
[https://www.schneier.com/essays/archives/2016/03/data_is_a_t...](https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html)

~~~
baud147258
My brother is building apartment buildings. In some they are using NFC cards
as access keys for the apartments. So you might one day enter your home with
your phone (without adding IoT or something, out of the box).

------
zodPod
> Age will play a part in sentencing. The maximum for someone under 18 is 10
> years, whereas the adult sentence for such a crime could be up to 30 years.

_Up to_ 30 years for rape and murder? 30 years is a long long time but that's
a max sentence for this crime?! What in the world?

EDIT: I agree that 30 years is _effectively_ life just living in the US where
they typically give people one (or sometimes multiple) life sentences for
crimes like this has made my judgement odd.

~~~
roenxi
You are underselling how long 30 years is. In my honest opinion, you just
can't punish someone for that long because the person you have after 20 years
isn't going to be the same person who committed the crime. Sure the crime
deserves worse; but I don't believe we can deliver on that, and holding
someone is very expensive.

I'm still under 30, so I am literally forced to imagine what it is like. 30
years is currently outside the scope of my experience. It is beyond my gut
conception of forever.

Once I get old enough to have a practical idea of what 30 years is (say, 40),
a 30 years sentence might as well be a life sentence as it would easily
consume the remainder of my productive life.

~~~
discoursism
Punishment (retribution) is only one of a number of reasons to incarcerate
someone (the three others normally cited are deterrence, rehabilitation, and
incapacitation). I wish we had better metrics for the probability of
recidivism. If we knew with a high degree of certainty that a given murder was
a one time thing, we could let the perpetrator out very early. On the other
hand, if we know that the perpetrator is likely to reoffend, or if we could
show that light punishments had less of a deterrent effect, or if society just
wouldn't stand for a lesser punishment, we could keep them locked up for
longer. Unfortunately we just don't have that level of introspection into the
human psyche.

