
FBI: If you knew what your phone company tells us, you'd probably sue - trotsky
http://www.aclu.org/blog/national-security/fbi-if-we-told-you-you-might-sue-1
======
fleitz
You know you might not be serving the public interest if... "The stigma of
working with the FBI might cause customers to ... file civil actions to
further prevent the disclosure of information"

~~~
Joakal
Serving national interest is different to serving public interest despite some
similarities.

~~~
nkassis
I'm with Kirk on this one, the Good of the one sometimes outweighs the good of
the many as is the case here.

~~~
potatolicious
I'm with Spock on this one, the needs of the many outweigh the needs of the
few... or the one.

Which is my roundabout way of saying that violating the constitutional
freedoms of an entire people is probably not worth it just to catch a few bad
guys.

~~~
nkassis
That was kinda what I meant here. The good of the one (Individual) and the
many (the gov and everyone's security)

~~~
bluedanieru
I think all you two have proven is that the proverb doesn't really apply here
:-)

------
wattsbaat
This is why the recent iPhone location data "scare" doesn't make sense to me. The
wireless carriers must have MUCH more extensive location data on a much larger
user base. I understand the growing concern over privacy issues as more
companies begin aggregating user data etc, and I'm glad that people are
(hopefully) becoming more aware of this issue, but shouldn't we react a bit
more proportionately to corporate violations of user privacy?

~~~
MrVitaliy
The iPhone scare was about the availability of data. If someone finds/steals
your iPhone they can with little effort recover the GPS data. As opposed to
federal bureau or phone company who are, at least theoretically, bound by law.

~~~
stephen_g
"If someone finds/steals your iPhone they can with little effort recover the
GPS data."

Except that it wasn't GPS data - just a list of cell tower and wifi hotspot
pings.

~~~
bad_user
Except that it is GPS data ... the file "consolidated.db" does contain a list
of (your) latitude + longitude + timestamp -- and when this was discovered,
that file contained location data for the last 10 months (probably since iOS 4
was released).

This data is indeed used by Apple to build a database of Wifi hotspots and
cell towers, along with their locations, doing this to improve their location
services when GPS data is not available (the first iPhone could show you your
location by doing triangulation on the cell towers nearby).

The fact of the matter is that if you can get your hands on such an iPhone
(without a security fix, which I'm sure is available by now) - you can find
out where that iPhone has been.

You know, a simple search on Google could have told you the answer to this --
now you've just added noise.

~~~
yellowbkpk
Can you point to a page that says there are indeed latitude + longitude +
timestamp that follow a user's location?

From what I've read, the database was a cache of nearby cell tower and wifi
hotspot locations from Apple's servers, not the GPS-calculated (or even tower-
triangulated) location of the user.

------
jcampbell1
This is why you should use Skype. The only phone service not based in the
US... oh, wait a second.

Seriously, though, I wonder if the FBI can eavesdrop on a Skype call. It seems
like it would be damn near impossible because it is peer to peer and
encrypted.

~~~
timmyd
See <http://en.wikipedia.org/wiki/Skype_security>

My understanding was that some global intelligence organisations can request
decryption and that China is doing this actively [see above link].

I also recall reading some time ago that organisations that work exclusively
with Skype to provide some add-ons can be given access to decrypt.

Further, there was also that techcrunch article -
<http://techcrunch.com/2010/07/08/skypes-innermost-security-layers-claimed-to-be-reverse-engineered/>
- which spoke about this

------
rglover
Honestly at this point, most people should expect this sort of behavior from
any type of telecom company. Yeah, it sucks but it's the name of the game.
Take into consideration that the gov owns the air space/spectrum these
companies use, and you'll understand why they're so compliant with releasing
information. The only way this will change is if there's a privatization of
air space which at this point is seemingly impossible.

~~~
bluedanieru
I don't know that privatization is a panacea for the government corruption we
see here. And you are right that privatization of airspace is impossible
(read: undesirable). How about taking steps to curb government corruption?

~~~
cookiecaper
That's pretty pie in the sky too barring an entire reform of our economic
system. How about we take steps to get everyone using strong client-side
encryption?

~~~
dublinclontarf
Have you ever tried to get someone to use gpg?

Now take that pain, and multiply it by a million or more.

I do agree with you, and am using gpg.

~~~
cookiecaper
I've actually actively started to petition clients to use GnuPG since the
HBGary hack, but I agree that it's difficult to make progress. Someone has to
develop interfaces to make it usable. This is especially needed for web mail
clients, the Firefox extension that used to allow this on GMail is no longer
maintained.

I'm not a browser hacker so I'm not sure if it would be easy or hard to get
this integrated, but ideally the browser would have built-in support for
crypto on designated input fields, i.e., "encrypt this text box" option on
right-click. I'm sure it would be hard, but I bet if Mozilla and Google got
together and worked out a common interface that allowed Gmail et al to pass
information to the browser (like whose keys should be used), this would
eventually get implemented and be awesome.

As usual, Microsoft is the biggest roadblock with Outlook. Hopefully if your
company is using Outlook it can afford a license for PGP, which afaik is the
only complete crypto extension for Outlook.

~~~
nightpool
Actually, though I've dabbled but little, it seems pretty easy to get
arbitrary encryption on Firefox. For an example, look at the LeetSpeak addon,
which provides a bunch of ways to transform text, both in textboxes and on the
page. The real challenge I can see is to provide a good interface for
selecting from the (potentially hundreds of) public keys at your disposal to
encrypt with.

------
pstack
Are you kidding? While we're a litigation-happy society, we are also entirely
content with letting government and business trample all over us without
raising an eyebrow, much less a finger.

We let companies get away with destroying the economy through sloppy and
greedy irresponsible behavior and then we cover their asses by bailing them
out. Because the committees that determine their bailing out are filled with
former/current executives of the same companies they're bailing out (Goldman
Sachs, for example).

We let companies stick dangerous and unproven chemicals in our food, soda,
animals with little evidence that it's safe beforehand and little oversight
afterhand, because the various government agencies (FDA, for example) are
staffed primarily with executives of the companies that are trying to ram
these things through (aspartame, roundup-ready seeds, rbgh in milk, etc).

We have food that is mass produced in conditions that are horrifying to anyone
who, even if they love meat like I do, don't like to see living creatures
abused and tortured in the process and that are filthy and commonly spread
disease (that we see reports of all the time on the news when there are
outbreaks and recalls), because the FDA and other agencies are - again -
staffed with current/former executives of the biggest food manufacturers and
processors in the world.

Hell, we even have government officials shutting down public run juvenile
rehabilitation centers so that private ones can take their places and then
those private companies paying judges directly to incentivize them to send
juveniles to jail. I forget where this was (the northeast is what I remember),
but a couple years ago it was huge news and it actually happened. The judge in
question (and there may have been more than one) received millions of dollars
in payola from the private prison industry system that built the juvenile
detention centers. As a result, the judge just kept sending kids there. First
time offenders. Kids who did very little to deserve it (get in a fight at
school, use foul language, skip school) would get about two minutes of face
time with the judge before he sentenced them to the facility. And once at the
facility, they would keep kids indefinitely, until _they_ said it was time to
go. So a two week sentence could turn into a year. (Oh, found the story:
<http://www.reuters.com/article/2009/02/13/us-crime-usa-judges-idUSTRE51B7B320090213>
-- "Two judges pleaded guilty on Thursday to accepting
more than $2.6 million from a private youth detention center in Pennsylvania
in return for giving hundreds of youths and teenagers long sentences.")

So if we know all of these things and we don't care (I'm sipping on a diet
coke and eating a processed microwave burrito right now, for example), why
should I expect that people are going to give much more concern to their
privacy or the liberties of anyone else around them? Unless they think you're
taking jesus away from them, cheap gasoline away from them, or their $5 latte
away from them, or their favorite television show away from them . . . _they
don't fucking care_.

Not only don't they care, but a big percentage will always play the role of
apologist. For _anything_. FBI poring through your personal information,
using your geolocation data. Whatever it is, the complaining voices are always
few and the people taking action even fewer.

~~~
arthurgibson
RE: Juvenile centers, there was a 60 minutes recently about private companies
paying judges. Here is the link:

<http://www.cbsnews.com/video/watch/?id=4798743n&tag=mncol;lst;8>

------
hugh3
Question: if you're embarrassed about the idea of the FBI knowing something
about you, then why are you cool with the idea of the phone company knowing
it?

~~~
ceejayoz
The phone company doesn't have the ability to bash down my door and point guns
in my face, and I can switch providers if I don't like them.

~~~
hugh3
Are you committing crimes?

If so, you can hardly complain about the FBI breaking down your door.

If not, then gaining additional evidence doesn't make it _more_ likely that
they're going to break down your door.

~~~
smokeyj
> If not, then gaining additional evidence doesn't make it more likely that
> they're going to break down your door.

Unless they tap your lines without a warrant to gain one. I thought we were
past the "if you're not a terrorist you have nothing to hide" mentality.

------
forensic
I wonder how much of this applies to Facebook.

~~~
GoodIntentions
If the feds don't have root-level read access I would be shocked.

~~~
jrockway
Prepare to be shocked, but they don't. I mean, other than busting down the
doors and taking the servers they need.

Remember that guide that was leaked a few weeks ago, detailing the procedure
required for law enforcement agencies to get user info? Presumably that is not
some sort of elaborate conspiracy to convince Facebook users that the
government is not monitoring each and every one of their check-ins.

~~~
Devilboy
The FBI has free-range to do whatever it wants on Facebook. All they need to
do is submit a request to the FISC which approved 100% of such requests in
2010

<http://arstechnica.com/tech-policy/news/2011/05/domestic-surveillance-court-approved-100-of-2010-warrant-requests.ars>

~~~
alexqgb
Was it really 100%? I thought it was only 99.998%, or something close to that.

------
drivebyacct2
Again, this is all ancient news. We've known for years now that the FBI has
had eavesdropping ability not just on phones but on the Internet. We've had
whistle blowers talk about installing large routers to duplicate and divert
Internet traffic on huge top-tier ISP levels.

Time and time again, no one cares or at least cares enough to do anything.

~~~
Lost_BiomedE
Many people I talk to only think about their cell calls and do not know about
mic recording as well. They also do not know that this can occur while the
phone is off.

~~~
drivebyacct2
That sounds a bit more tin-foiley. That would require modifications to
firmware and phone software that would require direct cooperation from a lot
more parties. It would also be relatively easy to discover (vs snooping of
traffic that is out of your control).

(edit) Thanks for all the info. I hadn't heard as much about this stuff.

~~~
shii
Actually it isn't. There's been documented evidence of this very thing being
carried out in at least 1 large case[1][2][3]. I'm actually sure there's been
some exploits in the wild that have even been presented at Blackhat before,
but I can't locate the links properly right now; on the iPhone.

[1] <http://en.m.wikipedia.org/wiki/Covert_listening_device>

[2] <http://news.cnet.com/2100-1029-6140191.html>

[3] <http://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html>

~~~
biotech
The documented evidence is from a case in 1996. According to the article:

 _Some handsets can't be fully powered down without removing the battery; for
instance, some Nokia models will wake up when turned off if an alarm is set._

I'm not so sure that this is still a common practice for modern phones.

~~~
slavak
As far as I'm aware all modern phones will at least partially wake up to sound
an alarm even when turned off.

Do the iPhone/Android phones do this?

~~~
drivebyacct2
"Wake up"??

If my Android phone is off, it's off. It doesn't turn itself on, period. If
it's just idle, screen off, with lots of stuff asleep, sure it will "wake up"
in that the screen turns on, and sound an alarm. But that's it.

~~~
satori99
That is not true at all for Android. Ask any Android developer. It is entirely
possible to code an alarm callback that will not activate the screen at all,
but can use a network to send and receive data.

This is done commonly by builtin services.

