June 2016

Stingray Update: Federal Judge Suppressed Warrantless Evidence

United States District Court Judge William H. Pauley, III suppressed evidence located and seized through use of a cell-site simulator.  With the technology, DEA investigators were able to locate a specific apartment where the suspect’s phone was located.  The investigators then obtained consent to enter the apartment and obtained consent to search the suspect’s bedroom.  Narcotics, scales and paraphernalia were located.  Judge Pauley granted a motion to suppress the evidence, holding that the warrantless use of the cell-site simulator device was unreasonable under the Fourth Amendment.

Sources: Nate Raymond, “In first, U.S. judge throws out cell phone ‘Stingray’ evidence,” reuters.com, July 13, 2016: http://www.reuters.com/article/us-usa-crime-stingray-idUSKCN0ZS2VI.  Link to opinion in U.S. v. Lambis, decided July 12, 2016 (15cr734): https://www.documentcloud.org/documents/2992109-Pauley-Stingray-Opinion-7-12-16.html

No Privacy in Computers Hooked to Internet, Says Virginia Court

United States District Court Judge Henry Coke Morgan, Jr., in the Eastern District of Virginia, recently ruled that “[i]n today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can – and eventually will – be hacked.”  Accordingly, the judge determined a “subjective expectation of privacy – if one even existed in this case – is not objectively reasonable.”  The case involved the FBI’s infiltration and temporary control of a hidden internet site commonly used for child exploitation; several hundred arrests resulted from the FBI action.  A warrant was not needed, Judge Morgan stated.

The Electronic Frontier Foundation, a digital rights and privacy group, issued a statement saying that the decision “underscores a broader trend in these cases … Courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone’s rights.”

Sources: Robert Lemos, “Home Computers Connected to the Internet Aren’t Private, Court Rules,” eweek.com, June 28, 2016: http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html.  Link to opinion in U.S. v. Matish, decided June 23, 2016 (4:16cr16): https://www.eff.org/files/2016/06/23/matish_suppression_edva.pdf

FBI Has Over 400 Million Photos in Facial-Recognition Database

The General Accounting Office [GAO] recently released a report indicating that the FBI facial-recognition data systems hold over 411.9 million photos of individuals, a number substantially higher than the 29.7 million previously disclosed.  The system is called the Facial Analysis, Comparison and Evaluation (FACE) system.  The additional images were collected from passport and visa data (about 140 million photos), military records, driver’s license data (at least 200 million photos, including records from Michigan), and arrest and prison records.  The GAO faulted the FBI for not following Privacy Impact Assessment (PIA) procedures, which mandate that the public be informed of programs affecting personal privacy.

Sources: Henry T. Casey, “FBI using 400 million photos for facial recognition,” foxnews.com, June 16, 2016: http://www.foxnews.com/tech/2016/06/16/fbi-using-400-million-photos-for-facial-recognition.html?intcmp=hplnws.  GAO May 2016 report, Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy: http://www.gao.gov/assets/680/677098.pdf

Computers Can Be Hacked Even When Offline – Through the Fan

According to a recent report, Israeli scientists have found a way to extract information from computers even when the computers are “air-gapped,” or not network-connected.  The process relies on a malware program called Fansmitter, which – once installed on a computer – “acoustically exfiltrate[s] data from air-gapped computers, even when audio hardware and speakers are not present,” by regulating the computer fans to generate readable acoustic waveforms.  The emitted signals can be read and interpreted by a nearby device.  “Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone).”  The program extracts data at a rate of about 900 bits per hour.

Source: Peter Dockrill, “Scientists just showed you can hack an offline PC by listening to its fans,” sciencealert.com, June 28, 2016: http://www.sciencealert.com/scientists-just-showed-you-can-hack-an-offline-pc-by-listening-to-its-fans?perpetual=yes&limitstart=1

by Neil Leithauser
Associate Editor