
Police tracked a terror suspect until his phone went dark after Facebook warning - vo2maxer
https://www.wsj.com/articles/police-tracked-a-terror-suspectuntil-his-phone-went-dark-after-a-facebook-warning-11577996973
======
makomk
For context, this is the malware which Saudi Arabia used to gather the
conversations with journalist and activist Jamal Khashoggi that led them to
decide to brutally murder and dismember him in their embassy. If there was
ever any moral justification for keeping the users who'd been compromised in
the dark, I reckon it died with him.

~~~
jonplackett
Politicians just aren’t willing to get involved with the feasibility and the
nitty gritty of what it would mean to break encryption. Or maybe they aren’t
technically minded enough.

They ask for what seems like a reasonable request - let us read terrorists’
emails if we have a warrant, without affecting everyone else. Anyone non-
technical would probably vote for this no problem.

They don’t understand it’s just not possible without creating some impossible
to keep secret master key. I guess politicians are used to giving other people
problems and just expecting them to figure it out.

~~~
Haga
Like factory managers demanding that robots go faster than the physics of
momentum and brakes would allow.

------
Havoc
That's kinda how encryption works. Keeps everyone's communication safe. Incl.
terrorists.

Society just needs to decide how it wants to play this because it's an either-or
proposition.

There is no technical encryption protocol that works only for the good guys.
Unfortunately the legislators are too thick to realise this simple fact.

~~~
colechristensen
If I send a text message to my partner in the other room, nobody has any right
to intercept that whether I'm a "good guy" or not. Before technology I might
have walked into the other room and spoken, if I did that nobody would have
any right to enter my home and set up a recording device, that's obvious.

If I hired a messenger to take a spoken message to my partner across town, the
same applies. Nobody has any right to interrogate my messenger and he has no
obligation to answer.

If I send electronic messages it should be no different.

The fact that interception and surveillance is _possible_ doesn't suddenly
make it obligatory.

Technology is power, in whatever form it comes, from weapons to education to
communication. That power makes law enforcement more powerful and criminals
more powerful.

Law enforcement wants it both ways. They want the increased power of their own
encrypted communications, their own education, their own better tools and
techniques AND they want to use technology to _take away_ power that their
supposed adversaries wouldn't have even been able to lose before the tech
existed.

The technology exists. It can't be taken off the playing field. It doesn't
matter how bad the "bad guys" are, law enforcement does not deserve that much
power in a free society. The power balance between the state's monopoly on
force and the people needs to be maintained. If it is not, abuses are
inevitable.

~~~
caseysoftware
If we want to fix this problem, the first step is eliminating Third Party
Doctrine: [https://en.wikipedia.org/wiki/Third-party_doctrine](https://en.wikipedia.org/wiki/Third-party_doctrine)

Basically, it says as soon as you involve a third party - _in your example, a
messaging app_ - you can't expect privacy and therefore law enforcement
doesn't need a warrant.

If law enforcement _had_ to get warrants for all of this information from
services, providers, and vendors, they'd be forced to a) be more selective and
b) move slower for judicial review. Both constraints would significantly
improve the situation.

~~~
mikekchar
Interesting. How does this work for the telephone company? I was under the
impression you needed a warrant to get a "soft" wire tap. Once digital
switching was implemented, there was code that could record voice
conversations. Law enforcement agents could request that the recording be
turned on. Source: I implemented this on telephone equipment that most people
here are likely to have used ;-). Surely this would be the same.

Now that I think of it, the idea of end to end privacy never really was a
thing before we had ubiquitous encryption. Involving a third party _always_
meant that you were vulnerable at that third party. So, I _suppose_ that you
could implement laws that disallow E2E encryption, but still allow
encryption from the client to the service -- allowing the service to record
the data if presented with a warrant. Now that I think about it, the "wire
tapping" code in the telephone switches was literally a legal requirement for
selling the equipment, otherwise they would never have convinced me to write
the code! Now that I'm older and wiser, I'd never do it again... but I kind of
understand the symmetries....

~~~
dchichkov
I'm surprised you've put that ;-) smiley face in your message. Instead of a
sad one. You say you are older, wiser, would never do it again. Maybe, when
there is an autocratic regime in your country, you'd put that sad face there.

------
ThrowawayIP
Is this just a way of spinning that out of 1400 people targeted by this
spyware, ONE was an actual suspected terrorist?

Edited to show that the person was only suspected of terrorism.

~~~
JohnFen
> ONE was an actual terrorist

I have the disadvantage of not being able to read the article, but the
headline, at least, says he's a suspected terrorist, not an actual terrorist.

I know this was in western Europe, not the US, but in the US, the distinction
between "suspected" and proven is really very important, because we have a
strong track record of suspecting innocent people of being terrorists.

~~~
pergadad
The same distinction applies in any Western democracy. That said, most
European countries wouldn't go about tracking vast numbers of people -
especially with such a deep intervention there will be courts involved before
they are allowed to start tracking. So while the final evidence is not there,
there certainly will have been quite strong hints, else they'd never have
gotten the court order.

------
JumpCrisscross
> _The European official said his own unit is so secretive that senior
> security and government officials in his own country don’t know about the
> methods and tools they deploy. When evidence gathered by his unit is used in
> court, efforts are made to hide the true source of the evidence._

The "official" shot their pitch in the leg with this line.

~~~
ClumsyPilot
Accountability? Checks and balances? Potential for abuse of power and position?
Justice and "hide the true source of the evidence in court"?

Is this guy bragging or trolling? I am genuinely confused. But I can only
assume that many in intelligence services act in a similar manner, i.e. NSA,
GCHQ, etc.

------
alasdair_
As a reminder, the NSO group routinely sells to authoritarian regimes that use
the software to crack down on human rights activists and political opponents.
Their software was used in the murder of Jamal Khashoggi by the Saudis as well
as being used to spy on journalists worldwide.

------
bartread
Well I can't read the entire article but here's a question: if 1400 people
were notified, is that likely to indicate the approximate number of accounts
targeted by NSO Group as part of this (or other) investigations?

~~~
GhettoMaestro
Check this link - it is non-paywall version:

[https://www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning](https://www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning)

------
newnewpdro
"Technology companies such as Facebook and Apple Inc. over recent years have
strengthened the security of their systems to the point where even the tech
companies themselves can't provide law-enforcement agencies with messages
created on their own systems."

Riiight, that's certainly what they'd like the world to believe!

When the software can be modified OTA without the user's knowledge, even if
you did have e2e encryption without any sidechannels or backdoors at the
client software today, you might not when you wake up tomorrow.

~~~
londons_explore
So far, the principle that a company must not be required to do work to assist
law enforcement (i.e. make a new version of WhatsApp to upload to the suspect's
phone) has held strong.

I suspect it won't for long though.

------
SeekingMeaning
[http://archive.is/ndYJv](http://archive.is/ndYJv)

~~~
antpls
I get an "ERR_CONNECTION_REFUSED" from France trying to access this link

------
meowface
This might be an unpopular opinion, but I think it's fine if Facebook refrains
from sending (attempted) breach notifications if the breaching entity involved
is considered to be in good standing with the global community _and_ if
there's a valid court order sent to Facebook. Then the relevant law
enforcement agencies can just tell Facebook "hey, please don't warn [X future-
mass murder suspect] about anything", and they can comply with a clean
conscience.

I think people should have a right to privacy, and I think law enforcement
agencies should have a right to monitor potential near-future massacre-
committers on a limited and singly-targeted basis. Dragnet surveillance is
very different from surveilling a single individual for a specific and dire
reason.

Now, if they never sent Facebook a signed court order related to this matter,
then it's entirely the agency's fault.

So, in my opinion, the issue here is the choice of contractor (and the agency
apparently not sending Facebook a court order??); NSO has so many ethical
issues (specifically that they're a hired gun that'll fire no matter the
wielder or their intent) that Facebook has a moral obligation to send these
warnings. Pick someone who actually aligns with your goals, agencies. A firm
you could actually theoretically work for yourself and still sleep peacefully
at night. And if you can't get one, then do it yourself.

~~~
brlewis
Here is evidence that agents of the Saudi government were in good standing
with at least one significant member of the global community:
[https://www.whitehouse.gov/briefings-statements/statement-president-donald-j-trump-standing-saudi-arabia/](https://www.whitehouse.gov/briefings-statements/statement-president-donald-j-trump-standing-saudi-arabia/)

Here is evidence that they used Pegasus to find and kill a dissident:
[https://en.wikipedia.org/wiki/Jamal_Khashoggi](https://en.wikipedia.org/wiki/Jamal_Khashoggi)

~~~
meowface
Right, by "in good standing" I mean a rigorous definition far beyond and far
wider than an endorsement from the US.

~~~
radu_floricica
The right move here is to update on evidence, not move the goalposts.

~~~
meowface
What do you mean? As I said, I consider NSO to not remotely be "in good
standing with the global community", and clearly many countries and people
strongly share that view. I maintain that even in light of two particular
governments supporting them.

It'd only be moving the goalposts if I had said "with some fraction of the
global community". I clearly meant the entire global community, not just one
or a few countries. Obviously at least some countries support this, else NSO
would get no business and would not exist; some governments supporting and
procuring them is the whole problem in the first place. So pointing to a few
countries supporting NSO doesn't really provide any counter-argument: it
emphasizes my point that there needs to be globe-level coordination here.
Perhaps you could remove certain rogue countries like North Korea from the
consensus list, but it would otherwise need to be a global consensus.

UN officials have also expressed their concern with their ethics, and the UN
is probably as close as you can get to representatives of the global community
(even if it's not at all perfect). Facebook could look to the UN's positions
as a starting point, for example (and perhaps that's exactly what they did
here and maybe is part of their legal grounds for why they consider NSO to be
a bad actor).

If it were the case that every country and regulatory body in the world
collectively decided that this kind of thing is ok, then yes, I'd need to
change my criteria.

I was just saying _if_ an intelligence contractor (in the same domain as NSO)
is universally in good standing with the global community and a court order is
sent, I think it's ok. I am not aware of any currently existing ones which are
in good universal global standing, so this will probably only ever apply in
many years or decades.

------
brlewis
I use Android, but I thought iOS had good defenses against the kind of attack
NSO's Pegasus used, as described in Forbes in this article under "A malicious
text arrives". What's the UX after a user clicks the link?

[https://www.forbes.com/sites/thomasbrewster/2018/11/21/exclusive-saudi-dissidents-hit-with-stealth-iphone-spyware-before-khashoggis-murder/#404a8c462e8b](https://www.forbes.com/sites/thomasbrewster/2018/11/21/exclusive-saudi-dissidents-hit-with-stealth-iphone-spyware-before-khashoggis-murder/#404a8c462e8b)

------
Scoundreller
This is a risk that all “non-authoritarian” regimes face when renting RATs: if
the same RAT is being rented to “authoritarian” regimes, there’s a lot more
motivation by everyone to close the vuln.

“Not your 0day.... so not your 0day”.

------
rubyfan
It’s interesting that as a corporation one can do things that would otherwise
be illegal as an individual. It’s also interesting that governments are
willing to use these services which probably are illegal.

~~~
o-__-o
>It’s interesting that as a corporation one can do things that would otherwise
be illegal as an individual.

Can you elaborate on this one more? A corporation that does illegal things
cannot be criminally prosecuted, but if a member or director authorizes
criminal activity then the government can pierce the corporate veil and
prosecute the individual(s) directly.

Example: eCorp directors have a grudge against xCorp's cleaning lady so they
hire a hitman and pay for her death. The police would arrest the directors and
any parties involved and they will seize both personal and business assets
related to the crime. Cleaning lady's family hires a lawyer and sues eCorp and
each director personally for damages. eCorp loses and pays gobs of money. Each
director loses and pays whatever gobs of money they have left. Ergo, a
corporation did something that was illegal (conspired and then paid for a
killing) which left them civilly liable. Then the corporate veil was pierced
and all of the guilty were found and charged.

The government wouldn't use this service because it is illegal. If you are
making an overly general and vague comment on the legality of stingrays...
there is nothing illegal about hosting a BSS/LTE station with VoIP and SMS
integration and logging all of the MACs of local phones as they connect. The
secrecy comes from the police not wanting their methods coming out in legal
texts for public knowledge.

~~~
rubyfan
I was specifically referring to this case. To hack a phone or account is
generally an illegal activity. The government seems not even interested in
piercing the veil on this type of activity which is the issue I’m bringing up.

I’m not entirely sure why you’re mentioning stingrays and IANAL but what you
describe sounds illegal under 18 U.S. Code § 2511[1]. But again for some
reason a corporation is making these devices and selling them (also illegal
under §2512[2]). I presume they are selling to law enforcement and pseudo law
enforcement for use where a wiretap is not obtained (otherwise they can just
lean on the carrier who is legally obliged) which would seem illegal under
ECPA [3] even with its problems.

There’s a whole section of EU law that covers man in the middle, hacking, data
protection, etc. that would also make this specific case cut and dry. A
government agency crying that Facebook notified an account holder their
account was hacked by their corporate contractor seems beyond the pale.
Further that news agencies publish this story with a slant that Facebook or
Apple have somehow enabled terrorists is shameful. We should be holding our
governments accountable to follow the law and obtain warrants. In the US all
the corporate support they need is built into laws like CALEA and USA PATRIOT
Act, the least our governments can do is follow the laws we entrust them to
protect.

[1]
[https://www.law.cornell.edu/uscode/text/18/2511](https://www.law.cornell.edu/uscode/text/18/2511)

[2]
[https://www.law.cornell.edu/uscode/text/18/2512](https://www.law.cornell.edu/uscode/text/18/2512)

[3]
[https://en.m.wikipedia.org/wiki/Electronic_Communications_Pr...](https://en.m.wikipedia.org/wiki/Electronic_Communications_Privacy_Act)

------
chkaloon
Sounds like the court and agency messed up by not including Facebook in the
original court order. I don't blame Facebook here.

------
neonate
[http://archive.md/ndYJv](http://archive.md/ndYJv)

------
yellow_lead
Would love more details about how Fb detected this. As usual, the article is
light on those though.

~~~
Scoundreller
My guess is that WhatsApp is continuously doing scans of its binaries, memory
and other states that should be constant, and phones home with those
signatures.

When the phone homes are unexpected, a lot more than the signatures start
getting phoned home for further investigation.

Add some other constraints on how big the binary/memory space can be in the
sandbox and an attacker would have trouble running a shadow copy to provide
the right responses.

Maybe some timing checks too where the system denies anything that starts
taking longer than it should and phones home with it.

All just a thought though.

~~~
londons_explore
WhatsApp keeps debug logs of a lot of things. The exploit NSO used required a
video call, which requires Facebook's servers to initiate, so is probably
logged.

I would guess all those video calls had a few fields set differently compared
to the official client, so it was easy to filter the logs and find all
instances of it.
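The server-side log filtering londons_explore guesses at, written out as an added example that is not part of this thread and is not WhatsApp's, Facebook's or NSO's code. It assumes a call relay logs one JSON record per call-setup offer with fields such as `sdp_codecs`, `rtcp_fb`, `ext_count` and `offer_len` (all assumed names), learns what the official client puts in those fields from a window of logs taken as clean, then scans a later window for offers that deviate in several fields at once and pivots from the hits to the accounts that were called. Every log line and value below is constructed for illustration.

```python
"""
Added example (not WhatsApp's, Facebook's or NSO's code): fingerprint the
official client's call-setup offer from a reference window of signaling logs
assumed clean, then flag later offers that deviate in several fields at once
and pivot to the targeted accounts. All field names, values and log lines
are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Fields a call relay might log about the caller's offer. Assumed names.
CATEGORICAL = ("sdp_codecs", "rtcp_fb", "ext_count")
NUMERIC = ("offer_len",)


def build_benign(n=40):
    """Constructed records for calls placed by the official client."""
    versions = ("2.19.44", "2.19.51")
    recs = []
    for i in range(n):
        recs.append({
            "ts": f"2019-05-01T10:{i:02d}:00Z",
            "caller": f"u{100 + i}",
            "callee": f"u{200 + i % 7}",
            "platform": "android" if i % 2 == 0 else "ios",
            "app_ver": versions[i % 2],
            "sdp_codecs": "opus,red" if i % 3 else "opus",
            "rtcp_fb": "nack,pli",
            "ext_count": 3,
            "offer_len": 1100 + (i % 5) * 10,
            "answered": i % 4 != 0,
        })
    return recs


def build_suspect():
    """Constructed records for a hypothetical custom client that claims the
    official version string but builds its offer differently."""
    recs = []
    for n, target in enumerate(("u777", "u778", "u777")):
        recs.append({
            "ts": f"2019-05-02T11:0{n}:00Z",
            "caller": f"x{n}",
            "callee": target,
            "platform": "ios",
            "app_ver": "2.19.51",
            "sdp_codecs": "opus,red,vp8",
            "rtcp_fb": "nack",
            "ext_count": 3,
            "offer_len": 4096 + n,
            "answered": False,
        })
    return recs


# Newline-delimited JSON, as a log shipper might emit it (constructed).
REFERENCE_LOG = "\n".join(json.dumps(r) for r in build_benign())
LIVE_LOG = "\n".join(json.dumps(r) for r in build_benign() + build_suspect())


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def learn_fingerprint(reference):
    """Per (platform, app_ver): values seen for each categorical field and
    the [min, max] seen for each numeric field in the clean window."""
    fp = {}
    for r in reference:
        g = fp.setdefault((r["platform"], r["app_ver"]),
                          {"cat": defaultdict(set), "num": {}})
        for f in CATEGORICAL:
            g["cat"][f].add(r[f])
        for f in NUMERIC:
            lo, hi = g["num"].get(f, (r[f], r[f]))
            g["num"][f] = (min(lo, r[f]), max(hi, r[f]))
    return fp


def deviations(rec, fp, slack=0.25):
    """Names of fields in which rec differs from the learned fingerprint.
    A version string never seen in the reference window is itself a deviation."""
    g = fp.get((rec["platform"], rec["app_ver"]))
    if g is None:
        return ["unknown_client_version"]
    bad = [f for f in CATEGORICAL if rec[f] not in g["cat"][f]]
    for f in NUMERIC:
        lo, hi = g["num"][f]
        margin = slack * max(hi - lo, 1)
        if not lo - margin <= rec[f] <= hi + margin:
            bad.append(f)
    return bad


def scan(live, fp, min_deviations=2):
    """Flag records deviating in at least min_deviations fields: one odd field
    is usually a new build or a network quirk, several at once is not."""
    hits = []
    for r in live:
        bad = deviations(r, fp)
        if len(bad) >= min_deviations:
            hits.append((r, bad))
    return hits


def targeted_accounts(hits):
    """Pivot from flagged offers to the callees, with a count per account."""
    return Counter(r["callee"] for r, _ in hits)


def run():
    fp = learn_fingerprint(parse_log(REFERENCE_LOG))
    hits = scan(parse_log(LIVE_LOG), fp)
    return hits, targeted_accounts(hits)


if __name__ == "__main__":
    hits, targets = run()
    for r, bad in hits:
        print(r["ts"], r["caller"], "->", r["callee"], "deviates in", bad)
    print("targeted accounts:", dict(targets))
```

The reference window is the weak point of this approach: if the attacker's traffic is already in it, the learned fingerprint absorbs it, so in practice the baseline comes from traffic you can vouch for (internal test devices, or a window predating the campaign) and the two-field threshold is what keeps a single rare codec or a new official build from paging anyone.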

------
lazylizard
Or. Maybe. Instead of moaning about how tech is not helping. FBI/NSA/CIA can
roll a few crypto libraries of their own and then mandate that all American
companies/services must use those. And I'll use something else...

------
bf03ea71160
Oh, perhaps the govt shouldn't have imported this person to begin with?
Perhaps the govt also shouldn't have forced normal people to fund obviously
crazy people.

...but go on.

------
alanfranz
This will, again, spark the debate over the need for a "legal backdoor".
Facebook did a great service to the user, after all.

Disclaimer: I did only read the beginning of the article, because of the
paywall.

~~~
JohnFen
I'm guessing that sparking the debate over backdoors is the entire reason that
this article exists.

------
GhettoMaestro
Non-paywall link:

[https://www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning](https://www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning)

