How The FBI Easily Retrieved Michael Cohen's Data From Both Apple and Google

Court documents unsealed Tuesday showed just how much information America's FBI was able to gather on Donald Trump's lawyer Michael Cohen -- from both Google and Apple products. An anonymous reader quotes CNN: Notably, the FBI made use of Cohen's use of Touch ID and Face ID on his Apple devices, which allow users to quickly log into iPhones and computers by scanning their face or fingerprint rather than typing in a password... But that gives law enforcement an additional means to access those devices. In one warrant application for Cohen, an FBI agent requested authorization "to press the fingers (including thumbs) of Cohen to the Touch ID sensors of the Subject Devices, or hold the Subject Devices in front of Cohen's face, for the purpose of attempting to unlock the Subject Devices via Touch ID or Face ID...."

One warrant requested not simply access to three of Cohen's Gmail accounts, as well as other email accounts, but also some of the wide array of information Google keeps for its users by default, including search history, web cookies associated with an account, device information, and a host of other metadata categories. One affidavit describes how the FBI narrowed down Cohen's temporary location at the Loews Regency Hotel in New York through his cell phone location data. Agents then used a "triggerfish" -- a reference to a stingray, or IMSI catcher, a suitcase-sized device that mimics a cell tower to convince a cell phone to connect and reveal its location...

Prosecutors also made use of a new law that Trump recently signed. Investigators in the Southern District of New York compelled Google to turn over some documents on Cohen, but the tech giant initially "declined to produce data that it stored on computer servers located outside of the United States," according to an affidavit submitted to the court by an FBI agent working on Cohen's case. Weeks later, Trump signed the CLOUD Act into law, which gave US law enforcement more legal pathways to pursue data stories overseas.... In an April 2018 affidavit, the FBI agent argued that "providers are required to disclose data even if it is stored abroad" under the new law. The judge approved the new search warrant later that day, giving investigators access to additional information from Google, including Cohen's emails, attachments, address book and files stored on Google Drive.
One technology law expert told CNN that police now seek access to more and more information.

"I think any of the electronic debris that people leave online on these services is all potentially subject to being used against you."

Be secure in your papers

[AHuxley]

Understand what is now a legal search and seizures.
How to use your OS to ensure your digital "papers" stay secure from unreasonable search attempts.
When and how your rights stay protected.

Re:

[AHuxley]

Parallel construction is out in the open AC.

Re:

[CaptainDork]

Can't be done and here's why:

The technology you use shares familial DNA with every other goddam technology on the planet. It's a level playing field.

Look: As for weapons, some people are allowed to own jet fighters, aircraft carriers and grenades. You don't get those.

As for technology, let's look to CaptainDork's Corollary: "For every motherfucker out there with a computer, there's another mother fucker out there with a computer."

The shit the government (or businesses) use to secure their papers is precisel

who?

[Anonymous Coward]

is this someone I should know?

Re:Extraterritoriality

[Mister Transistor]

Probably Ireland, they have a European HQ located there, but not sure if they have a server farm there too.

Also, it's probably not very relevant where the data is actually stored these days, it's most likely replicated and backed up in several countries. Most global companies now use off-site backups and replicate their data in geographically separate locations, with data centers in many countries spread throughout the world. This gives them more redundancy and a better shot at handling an international disaster; a given country would likely be unaffected while another is having a disaster like a tidal wave or whatever.

    The whole point of the new law was to deal with exactly this sort of situation, where the local laws or agencies of other countries are either not enforceable or somehow otherwise are an impediment to them getting legal access to the data. The other country really doesn't have any chance to say anything in the matter, if they're even aware of it. If Google or whoever refuses the request, they would no doubt prosecute them as though they had denied law enforcement's access to the data just the same as if it was located in the U.S.

Not saying it's right or wrong. Personally, I'm not a fan of laws that give Government expanded powers to nose into people's lives, either real or online, but I'm not a fan of crime, obviously. If nothing else, this was expected. Many of our laws need to be updated to be meaningful and reflect the new digital reality we live in - the legal system is lagging behind reality in many ways by anywhere from 5-10 years to about 50.

Instead of a "Privacy Policy"

[fustakrakich]

Just put up a Miranda Warning. Makes more sense

Re: Instead of a "Privacy Policy"

[astrofurter]

"You have no rights. You lose. All your data are belong to us. This is a no free speech zone. Everything you have ever said can and will be used against you. You are presumed guilty, but at our whim you may (or may not) be given a chance to prove your innocence, if you have enough money. Bend over. Fuck you, pleb, that's why.

Thank you for your compliance."

Re:

[CaptainDork]

This is true and it's voluntary.

Those of us who read the ToS fully appreciate that it's a binding contract whereby the user of a product waives all rights and, in fact, agrees to defend the product if it is involved in litigation.

No one is usurping rights -- people are giving away rights.

Re: Instead of a "Privacy Policy"

[astrofurter]

Oh c'mon, brohamley - does the bootleather taste _that_ good?

Everybody and his brother knows these leonine "contacts" are undisguisedly one-sided; always "accepted" without a shed of informed consent, much less meeting of the minds; never even read; imposed as mandatory on simple commerce, utterly out of proportion with the elaborate convolutions of the leonine "contract"; and a general travesty of the Law.

Passwords Still Rule

[mentil]

With biometric authentication, you are only protected by the 4th amendment. Your finger/face/etc. are akin to a key, and a warrant can compel you to unlock the device with it.

With a password, it can be argued that divulging it would constitute self-incrimination, which keeps you protected by the 5th amendment as well, even if they get a warrant. Case law is unclear on the matter, at least, with contradictory rulings.

This is true in the USA at least. UK has a law that mandates divulging passwords, although I don't recall hearing about it being used much.

Re:

[Tom]

With a password, it can be argued that divulging it would constitute self-incrimination,

That's one part. The other part is that the stress of prosecution is well known to cause your memory to go hazy and even top politicians who are used to a lot of stress have a tendency to suddenly not be able to remember important details anymore. How will you, a normal person, remember your password under such circumstances?

"I don't remember." is the get-out-of-jail-card you only have if the thing they need is something that is in your memory.

Re:Passwords Still Rule

[tinkerton]

I have a lot of accounts where I don't know the password because they're generated strings I just copy from the password manager. So I cannot access these accounts from the smartphone even if I want to.

Not all that convenient and not intended. It just sort of happened. Also, what if I'm forced to open my laptop with password manager at the airport. All my passwords are in there!

Re:Passwords Still Rule

[Tom]

One reason why all my really important passwords are not in a password manager. Eggs and baskets and all that.

Re:

[Highdude702]

How does a backup stop somebody from stealing your passwords? It doesn't. Tom was talking specifically about people not being able to steal important passwords. I don't use a password manager at all. All of my important passwords are semi-unique 8-22 characters long depending on what its being used for. its surprisingly easy to remember them.

Re:

[CaptainDork]

Password managers are precisely the same technological base that we all use. It's not a special, hardened, gated community.

Use LastPass [cnet.com]? Update now to protect your passwords (explainer)

Re:

[Mister Transistor]

I think this may have changed recently. I remember hearing in the last month or two that biometrics are now considered the same as a numeric password, or passphrase. You cannot be compelled to use biometrics anymore, or at least that it has the same legal protections now that a password has.

Rubber hoses aside, of course. Those still work.

Not sure if this is state-specific or federal. I don't remember the exact details, but I do remember thinking, "That's cool, now I don't have to turn off the fingerprin

Re:Passwords Still Rule

[JaredOfEuropa]

In the Netherlands, a judge recently ruled that unlocking a phone with a fingerprint or holding it up to a suspect's face does not constitute self-incrimination. Which actually makes sense if you look at the law (not sure how it compares to the 5th amendment): that law does not exist to protect your private data, it exists to ensure that you cannot be punished for not volunteering self-incriminating evidence. Compare this to a safe with a combination lock versus a safe with a key: you cannot be compelled to provide the combination nor the location of the key, but if the cops search you and find the key on you, they are free to open the safe with that.

There are some legislators who now seek to change the law on the grounds that people not unreasonably expect biometrics to provide the same (legal) protection of private data as passwords do. But that's a matter of privacy rather than self-incrimination.

Re:

[CaptainDork]

Again, the distinction exists, regardless of jurisdiction, between what a person HAS and what a person KNOWS.

Re:Passwords Still Rule

[JaredOfEuropa]

iPhone users, read this [imore.com]. There are ways to quickly disable the fingerpint scanner and Face ID using the physical buttons on the phone. Easy to do quickly and quietly in case you get arrested. It can also be done through Siri. And Android phones have a similar mechanism I am told.

Re:

[CaptainDork]

There's another solution that's slicker than deer guts on a door knob.

If you're a developer, you can have two passcodes.

One will unlock the phone.

The other will brick it.

Re:

[EvilSS]

And enjoy being prosecuted for destruction of evidence if you give them the 2nd code.

Re:

[Trogre]

The really smart ones don't actually brick the phones, they just destroy the account with which you store your sensitive data and appear to log in to a nearly as-new device.

Re:

[CaptainDork]

True.

Face, fingerprint, iris, palm prints, ... these are things you have.

Passwords and pass codes are things you know.

Re:

[Mr. Dollar Ton]

If you say "I forgot", fully expect to stay in prison for "contempt of court" until you remember.

Re:

[CaptainDork]

This happens quite a bit. People do actually forget. They spend time locked up until the courts decide to give up.

ymmv

Re:

[Mr. Dollar Ton]

The other circumstance is obviously that this is your phone. Refusing to provide a password because you "forgot" it will hardly be an acceptable excuse unless you have a medical condition or something. In which case you won't be using a password anyway.

you are behind a judicially-sponsored life sentence

Not me, I'm just pointing out what will happen to you if you try it.

it should be an explicit statute.

And it will be if the push comes to shove -- it is already so in the UK, for example. An explicit statute

Re:

[CaptainDork]

An explicit statute is not something hard to get through a legislature ...

Brexit

Sorry. Low-hanging fruit.

No real surprises here

[93 Escort Wagon]

We already knew that, in the US, a person can be compelled to unlock his/her phone if it can be done with a fingerprint or by showing their face.

If you're really paranoid you need to turn all that off, require a complex passcode to be entered on any of your electronic devices, and be willing to put up with a little inconvenience on a regular basis.

Personally, I'm not that paranoid - I'm aware that I'm simply not that important of a person.

Re:No real surprises here

[Tom]

Long passwords (please, please stop this complexity nonsense. Length > complexity !) are too inconvenient to be used constantly.

Something that allows me to use my fingerprint if the phone hasn't left my possession but requires a long password if it has been off for a day, etc. would be a nice solution.

The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

Re:

[Highdude702]

The better solution would be to have "lock fingers" as well as unlock fingers. Let me use some of my fingers to tell the device that I'm not trying to unlock it voluntarily, and it should instead lock down, encrypt everything, turn off the unlock fingers and require the long password to unlock. Then let them guess which finger is which.

While I think length + complexity is the answer, special characters made dictionary words safe to use providing the password is long enough. However you have a great point on this one, I would never use touch ID because its garbage for someone like me in a construction field who specifically doesn't wear gloves as it takes away from my feel therefor impeding my work. The shit just don't work for me. I tried it for about a week and decided when I was able to unlock my phone the whole 2 times that is was a wa

Re:

[93 Escort Wagon]

A function that allowed an "authorized" fingerprint to either encrypt and turn off face/touch ID and or wipe the phone silently would be a nice feature to rid the issue of compelled unlocking. I'm sure if you did it in a court room you would have hell to pay but if you did it before you actually got arrested they wouldn't(well shouldn't) be able to use it against you.

Actually, as of iOS 12 you can just press the power button five times in a row and it’ll disable Touch ID / Face ID.

Re:

[Highdude702]

From previous posters comments it seems to only be temporary.

Re:

[93 Escort Wagon]

From previous posters comments it seems to only be temporary.

I was pretty sure this was incorrect, but figured I'd test it. So about 5 hours ago I did the 5x power button press on my iPhone and then set it aside. I just picked it up again now, and it is still requiring a passcode.

Now, after it's been unlocked with a passcode, then TouchID or FaceID will be re-enabled. But until that happens, they stay disabled.

Re:

[Highdude702]

Hmm, if I used touchID that would be nice to know, but you can scroll around for my rant as to why it sucks. Thanks for the clarity though.

Re:

[Tom]

I dimly remember that turning it off will also require your passcode the first time after it turns on again. But I could be wrong.

Re:

[93 Escort Wagon]

Yes, that is correct. But that might be slightly harder to do when you’re being pulled over.

Re:

[Tom]

While I think length + complexity is the answer,

No, it isn't. I've given speeches about this. Complexity is bullshit. On the contrary, a number of attacks (such as shoulder surfing) are made easier with complexity, because you type slower.

special characters made dictionary words safe to use providing the password is long enough.

No, it doesn't. Every cracking tool worth the name uses permutations to replace letters with special characters. If you've had the idea, don't you think people who do this stuff for a living haven't ?

Re:

[Highdude702]

I know plenty of professional pen testers. I know most of the tactics. I have yet to have an issue. I have tried to brute my own passwords, to no avail. I didn't say use common dict words. You frequent IRC? Maybe you can be the one to prove me wrong? I would love to see it as I have yet to see someone give me a password over 8 characters of mine to me. As far as your comment on shoulder surfing. That's about the oldest trick in the book, and I didn't start using computers yesterday. Plus muscle memory goes

Re:

[CaptainDork]

Oh, come on!

We're goddam coders.

One finger unlocks.

Another bricks.

Re:

[Tom]

You don't want to brick because you can easily use the lock finger by mistake. But it should be a hassle to unlock after, and require something non-biometric.

Re:

[Tom]

Because nobody has ever, in the history of the world, been wrongfully indicted by the police.

I have a newsflash for you: Terrorists aren't caught by the methods they sell us to fight terrorism. Quick quiz: How many terrorists have been caught at the body scanners and pat-down checks at the airport?

Re:

[Anonymous Coward]

It is natural for humans to deviate from the rules, whether written or unwritten, whether harmful or not harmful. Therefore, individuals must protect themselves from other individuals and their outsourced rule-enforcement body, a.k.a, 'the police'.

Re:

[alexo]

This. A million times. Seriously, what's so hard about being part of a community and following rules?

Rosa Parks would like to have a word with you.

Re:

[Highdude702]

I love how you guys are still using the same bullshit years gone. Grow up, maybe you're the problem. Have you ever stopped for even 30 seconds to think about that? Maybe the shit like this has pushed the sane half of the country to do what ever is necessary to push back against your ignorance. Please for the sake of the country seek help.

Re:

[Highdude702]

I walk down the street with my cock out all the time, fortunately its small and everyone just thinks I have bubble gum stuck to my crotch.

Re:

[CaptainDork]

Unless you're a foreigner who was in the wrong place at the wrong time and went to Gitmo with no due process, no lawyer, no trial, and subjected to torture.

Unless you're a civilian minding your own fucking business when the US dropped a goddam bomb on your motherfucking hospital on your own goddam sovereign soil.

Unless you're an American citizen in Puerto Rico.

Unless you have the goddam unmitigated gall to be driving while Black.

Re:

[CaptainDork]

Why isn't this modded up?

Why would anybody trust a mobile listening device?

[gweihir]

Seriously, people, your phones have back-doors, front-doors, compromised apps, malware, etc. on them and send data into insecure clouds. Do not trust your phones. The only way you could ever trust your phones was is there was strong legal protection for your data. There is not. Thanks to the raising authoritarians and proto-fascists in the West, there is the opposite.

Re:

[gweihir]

And why would I do that? Are you stupid? (Well, you are an AC, so the question is redundant...)

Re: Why would anybody trust a mobile listening dev

[j-turkey]

I'm curious - why are you so quick to call anyone who questions your comment or respectfully disagrees with you stupid (or other ad hominem insults that aren't germane to the discussion )?

Re:

[gweihir]

Are you deranged? Why would I not use anything just because it is not trustworthy? Listen, moron, here is how you do it: You use it but you do not trust it. Takes two brain cells to rub together to see that though and you clearly do not have them.

Re:

[Highdude702]

You're wasting your time. The AC seems like a police-state apologist.

Re:

[gweihir]

Yes to both. I am trying to follow George Charlin's advice to "just not give a shit" about ACs, but I clearly have some way to go still. Stupidity just sets me off.

Re:

[Pitawg]

You give them more detail of the inner workings of you, when you play with their broken toys. You are mapping out more of your tiny little brain by trying to fool the collection pile. Think you can outsmart a pile? They are not looking at your data live, while you are inputting or taking actions. They collect the everything. They process what is in it, from every direction, once they finally gain interest in you. (thinking "Eww, I will search for "cats" at midnight, that will fool them. They will totally no

Re:

[gweihir]

You have no clue how things actually work. They do most decidedly not "collect everything". That would cause numerous problems, among them that their collection methods would be far too easy to detect. This is not a game that works well with a big ego (which you have in spades), bit one that requires some actual insight (of which you have none).

Re:

[Pitawg]

You went from telling of the concerns and danger of the collectors' toys, to arguing there is no danger "if you're smart", within a few exchanges with the AC. You even flustered your response, seething hate, but not actually saying anything more that was useful.

The collector is not one party, as everyone collects their little parts. The pile, and "the everything" is not a single collection. However, telling a questioning person, that does not seem to have a grip on how anything works, to go ahead and use th

Re:

[Dirk Becher]

Problem is even if you get rid of your phone, pretty much every device nowadays is littered with sensors and internet access. TVs, cars, fitness devices, furniture etc. . Even if you got rid of everything in your own room, its even possible to spy on you from adjacent rooms (Wifi).

Privacy has competed with humans need for comfort and lost.

Re:

[gweihir]

I never said to get rid of it. Whatever gave you that idea? Just do not put stuff on it you want to keep secret.

Re: Why would anybody trust a mobile listening dev

[chill]

That's a red herring. The phone isn't so much a storage device itself, as it is conduit to all of your online data.

Re:

[gweihir]

Ah, no? It is not?

Re:

[Highdude702]

I would never own an "internet connected" vehicle. I may purchase one and then rip out the wifi/GSM module. But the sad part is the normies don't even understand what they are doing to their self. They think "OH LOOK I can browse facebook faster in my car now that I have car wifi!!" when in reality they are just helping track their family and children. The internet has been destroyed since the non nerds took over. I want it back damnit!

Re:

[Highdude702]

If you think there inst an ESP8266 or equivalent somewhere in that PCM you dont understand how electronics work. Once you found the module you could easily disable it numerous ways. If it would cause the vehicle to stop working, well you return it as garbage and laugh at the poor fuck that has to push onto the lot after the AAA driver drops it in the middle of the driveway at my request. You seem to be the internet warrior going on about, well whatever it was that i could tell was a waste of time reading. g

Re:

[gtall]

and the rising authoritarians in China and Russia, although admittedly they had a head start.

India is not far behind, nor Pakistan. Cuba was always in the vanguard ever since Castro decided to be la Suprema.

Re:

[gweihir]

Indeed. But the West was supposed to be the model that showed everybody how it could be done differently. Seems that failed and the whole world is going to hell. Again.

Re:

[UnknowingFool]

In this case the phones were unlocked because of the use of biometrics instead of password only protection. If they were locked only with passwords and Cohen didn’t cooperate, the FBI would have had to employ hackers.

Re:

[Highdude702]

That's why you use your dick! Fool proof!

Another reason not to use biometrics

[jonwil]

If you use a password or code to unlock your encrypted devices and data then (according to quite a few different court rulings) you are protected by the 5th amendment and can't be forced to give up the password or code (although exactly how far that protection extends depends on which court ruling(s) apply in your jurisdiction). No such protection exists when it comes to things like fingerprint or facial recognition or other biometrics.

Plus its a lot easier for bad guys (whoever they may be) to defeat biome

Biometrics Are Universally Insecure

[NicknameUnavailable]

Biometrics are notorious for being easy to fool, even the emerging 3D-face-scanning stuff coming out is going to be as bad, because the sensors can't be integrated into the chips themselves, in turn you could always just remove the sensor, replace it with a serial line, and spoof whatever signal it expected to see from a "3D" scan using an image.
Two-factor authentication is a joke when biometrics are involved, because the biometric component negates any other component. Security can't be about something someone has (e.g. CAC cards) and is (e.g. biometrics) alone - the something someone knows (e.g. password) is the most critical factor because it can't be stolen, it can't be spoofed, and in extreme cases it can't even be cut off with a saw or scooped out of an eyesocket with a spoon (at least, not directly.)
Making biometrics a part (yes, even a part) of a security deployment of any kind is akin to making everyone set up their full name as a username with their social security number as their password - it's fucking dumb to use public information (no matter how convoluted to spoof, because if it can be done it will be done) for security.

Ok

[Impy the Impiuos Imp]

Well, who cares if government has more and more and more access to your "papers" as long as political factions aren't using it in violation of the 4th and 5th amendment to harm their political opponen...OH FUCK

Re: Ok

[astrofurter]

Papers please, comrade.

Why privacy matters to everyone, even the innocent

[overlook77]

This is the event that made me realize digital privacy is important to anyone, not just those who know they are doing something they need to hide. There was a case a few years ago where some guy left his toddler in the carseat instead of dropping him off at daycare and the kid died. The police went through his online history and found he was talking to prostitutes and engaging in other extramarital, sexually deviant behavior. On that alone, they gave him life in prison because a jury believed he intentio

Re:President Trump owned the libs

[gweihir]

You are cheering for the downfall of your own country? Fascinating.

Re:

[gweihir]

Being dumb does change reality. Although dumb people are known to not get that. Well, I look forward to morons like you saying dumb things like "How could we have known?" and "It was xyz that ruined it!"

Re:

[gweihir]

Since you are listening (well, as far as you are capable, which is clearly rather pathetic), obviously not.