Monday, March 26, 2012

Federal judge: Google free to tell user about mysterious gov requests, likely related to Wikileaks

Summary

In two 1-page orders issued today, a Federal judge in Virginia has (for a second time) ruled that Google is permitted to tell a customer (and only that customer) about two mysterious surveillance orders -- a 2703(d) order and a search warrant -- issued in June 2011 for records (likely including communications content) associated with that customer's Google account.

While Google is only permitted to notify the subscriber that was the subject of surveillance, that person is permitted to tell anyone else they wish, should they wish to do so.

Background

One month ago, a federal judge published two orders (pdf) [hereafter the February 2012 orders], related to two previously secret surveillance orders obtained in June 2011 by the government seeking data about a Google subscriber. In the two February 2012 orders, the judge ruled that Google could tell the user about the earlier surveillance orders.

Soon after, the government filed a motion with the court, seeking to clarify whether Google could tell any person about the orders, or merely the impacted user.

In the two orders issued today, the judge seems to have been convinced by the government's clarifying motion. Thus, in 14 days (unless the government appeals), Google will be free to tell the impacted user (and no one else) about the June 2011 surveillance orders.

This may involve Wikileaks

When Jeff Rollins at PaidContent first highlighted the existence of these two mysterious court orders, he suggested that they might be related to the Megaupload investigation. The Megaupload connection was mere speculation on his part (as he acknowledged), as there simply isn't anything solid in those two brief court orders that identifies a particular target.

However, for the reasons I outline below, I believe that these surveillance orders are actually related to the investigation of Wikileaks.

First, in one of the February 2012 orders (page 2), the judge noted that "[t]he existence of the investigation in issue and the government’s wide use of § 2703(d) orders and other investigative tools has been widely publicized now."

The only high-profile federal investigation that I can think of in recent times involving 2703(d) orders is the government's investigation of individuals associated with Wikileaks. That is, while the Megaupload indictment was also filed in the Eastern District of Virginia, there has been little publicity surrounding the actual investigative legal instruments used in the case.

Specifically, I've not seen any published media report indicating that a 2703(d) order was used in that investigation. In contrast, the 2703(d) order issued to Twitter as part of the Wikileaks investigation has itself been a major story, as have the (failed) efforts of the ACLU, EFF and others to quash the order.

In December 2010, a judge from the same court issued a 2703(d) order to Twitter, forcing the company to disclose information about several users associated with Wikileaks. A month later, the Twitter judge agreed to unseal that order, allowing Twitter to notify the impacted individuals. Once the existence of the surveillance order was made public, the media went crazy.

The Wall Street Journal later revealed that Google and California broadband provider Sonic had received similar requests as part of the same investigation. At the time of the WSJ report, those surveillance orders remained sealed.

Second, one persistent rumor in Washington DC over the past year has been that one of the main reasons DOJ has cited justifying the continued sealing of the Wikileaks/Google/Sonic orders is a fear of harassment from the Internet community directed at the prosecutors involved in the case.

As the WSJ revealed earlier this year, the address of Tracy Doherty McCormick, the prosecutor whose name was on the original Twitter order, "was spread online, and the person's email account [tracy.mccormick@usdoj.gov] was subscribed to a pornography site." According to the unnamed officials quoted by the WSJ, she was also "bombarded with harassing phone calls."

The WSJ also reported that fear of similar harassment led "the government to take the rare step of keeping officials' names out of news releases and public statements when the government shut down the website Megaupload.com." It is likely that similar fears were the reason that no prosecutors' names were listed in the recently published Lulzsec indictments.

Why do I mention this? Well, the two orders issued by the judge today specifically state that Google may share a copy of the 2703(d) order and search warrant with the impacted subscriber, but that the email address and name of the attesting official must be redacted first.

This suggests that someone at DOJ has told the judge they are fearful of retaliation from the Internet community -- thus also suggesting that this surveillance is related to a high-profile investigation of a target to whom Anonymous and other Internet activists may feel some sympathy. While this certainly could be the Megaupload case, I'd be willing to bet a few dollars that this involves Wikileaks.

Wednesday, March 21, 2012

Firefox switching to HTTPS Google search by default (and the end of referrer leakage)

A few days ago, Mozilla's developers quietly enabled Google's HTTPS encrypted search as the default search service for the "nightly" developer trunk of the Firefox browser (it will actually use the SPDY protocol). This change should reach regular users at some point in the next few months.

This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security.

First, the search query information from these users will be shielded from their Internet service providers and governments who might be using Deep Packet Inspection (DPI) equipment to monitor the activity of users or censor and filter search results.

Second, the search query information will also be shielded from the websites that consumers visit after conducting a search. This information is normally leaked via the "referrer header". Google has in the past gone out of its way to facilitate referrer header based data leakage (which led to me filing an FTC complaint against the firm in 2010).

However, in October 2011, Google turned on HTTPS search by default for signed-in users, and at the same time, began scrubbing the search query from the non-HTTPS URL that HTTPS users are redirected to (and that subsequently leaks via the referrer header) before they reach the destination website:

Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page....

What does this mean for sites that receive clicks from Google search results? When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won't receive information about each individual query.

At the time of the announcement, Google told the search engine optimization (SEO) industry (a community that very much wants to be able to continue to passively receive this kind of detailed user data) that the percentage of users whose search queries would be shielded would be a "single digit" -- and thus, at least 90% of Google users would still continue to unknowingly leak their search queries as they browse the web.
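To make the leakage path concrete, here is an added example (written for this page, not code from the post or from Google) that models what a destination site can read out of the Referer header under three configurations: plain-HTTP search, HTTPS search with a direct link, and HTTPS search via the query-scrubbed HTTP redirect described in the announcement. It also models the standard browser rule (RFC 2616 section 15.1.3) that no Referer is sent when an HTTPS page links to a plain-HTTP page, which is why a plain-HTTP redirector is needed for the site to still learn that the visitor came from Google. The redirector URL shape ("/url?url=<target>"), the host list and the sample query are constructed assumptions, and the redirector is treated as a page the browser navigates from.

```python
# Added example (not from the original post): models how a search query leaks to a
# destination site through the HTTP Referer header, and what changes under HTTPS
# search plus a query-scrubbing redirect. The redirector URL shape ("/url?url=<target>")
# is a constructed assumption, not Google's real format.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

GOOGLE_HOSTS = ("www.google.com",)  # constructed host list for the demo


def referer_sent(referring_url, destination_url):
    """Return the Referer value a browser sends when following a link, or None.

    Two rules are modeled: the fragment is never sent, and (RFC 2616 section
    15.1.3) no Referer is sent when an HTTPS page links to a plain-HTTP page.
    """
    ref = urlsplit(referring_url)
    dst = urlsplit(destination_url)
    if ref.scheme == "https" and dst.scheme == "http":
        return None
    return urlunsplit((ref.scheme, ref.netloc, ref.path, ref.query, ""))


def query_from_referer(referer):
    """What a destination site can read out of the Referer: the q= terms, if any."""
    if not referer:
        return None
    return parse_qs(urlsplit(referer).query).get("q", [None])[0]


def what_site_learns(referer):
    """Summarise the two facts a destination site cares about: source and query."""
    host = urlsplit(referer).hostname if referer else None
    return {"from_google": host in GOOGLE_HOSTS, "query": query_from_referer(referer)}


def scrubbed_redirect_url(results_url, target_url):
    """Model the October 2011 change: a click on an HTTPS results page goes via a
    plain-HTTP redirector URL that carries the destination but not the q= terms."""
    parts = urlsplit(results_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("q", None)           # the search terms never reach the redirector URL
    params["url"] = [target_url]    # constructed parameter name for the destination
    return urlunsplit(("http", parts.netloc, "/url", urlencode(params, doseq=True), ""))


def compare_scenarios(query="private photos", target="http://example.com/page"):
    """Return what the destination site learns under the three configurations."""
    http_results = "http://www.google.com/search?" + urlencode({"q": query, "hl": "en"})
    https_results = "https://www.google.com/search?" + urlencode({"q": query, "hl": "en"})
    # 1. Plain-HTTP search: the full results URL, query included, is the Referer.
    plain = what_site_learns(referer_sent(http_results, target))
    # 2. HTTPS search with a direct link: the browser drops the Referer entirely,
    #    so the site does not even learn that the visitor came from Google.
    direct = what_site_learns(referer_sent(https_results, target))
    # 3. HTTPS search via the scrubbed HTTP redirector: the site learns the source
    #    but not the query, which is the behaviour the announcement describes.
    redirector = scrubbed_redirect_url(https_results, target)
    via_redirect = what_site_learns(referer_sent(redirector, target))
    return {"http_search": plain, "https_direct": direct, "https_redirect": via_redirect}


if __name__ == "__main__":
    for name, seen in compare_scenarios().items():
        print(f"{name:14s} from_google={seen['from_google']!s:5s} query={seen['query']!r}")
```

Running the script prints one line per scenario; only the plain-HTTP case exposes the query, and only the redirector case lets the site know the click came from Google without exposing it.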

Shortly after Google's October announcement, search engine industry analyst Danny Sullivan told the SEO community that the days of referrer leakage were doomed:

But the future is clear. Referrer data is going away from search engines, and likely from other web sites, too. It’s somewhat amazing that we’ve had it last this long, and it will be painful to see that specific, valuable data disappear.

But from a consumer perspective, it’s also a better thing to do. As so much more moves online, referrers can easily leak out the location of things like private photos. Google’s move is part of a trend of blocking that already started and ultimately may move into the browsers themselves.

It looks like Danny was right.

Google's October 2011 decision to start proactively scrubbing search queries from the referrer header was a great first step, but only a small percentage of Google's search users benefited. Now that Mozilla is switching to HTTPS search, hundreds of millions of Firefox users will have their privacy protected, by default.

The only surprising aspect of this otherwise great bit of good news is that the first major browser to use HTTPS search is Firefox and not Chrome. I reasonably assumed that as soon as Google's pro-privacy engineers and lawyers won the internal battle over those in the company sympathetic to the needs of the SEO community, Google's flagship browser would have been the first to ship HTTPS search by default.

Just as it showed strong privacy leadership by being the first browser to embrace Do Not Track, Mozilla is similarly showing its users that privacy is a priority by being the first to embrace HTTPS search by default. For Mozilla, this is a clear win. For the Chrome team, whose browser has otherwise set the gold standard for security (and who have proposed and implemented a mechanism to enable websites to limit referrer leakage), this must be extremely frustrating and probably quite embarrassing. Hopefully, they will soon follow Mozilla's lead by protecting their users with HTTPS search by default.

(Just to be clear - the ultimate decision to enable HTTPS search by default was largely in the hands of Google's search engineers, who are responsible for dealing with the increased traffic. Mozilla's privacy team deserves the credit for pressuring Google, and Google's search engine team deserves a big pat on the back for agreeing to cope with encrypted searches from hundreds of millions of users.)

Wednesday, March 14, 2012

FBI seeks warrant to force Google to unlock Android phone

Today, I stumbled across a recent FBI application and accompanying affidavit for a search warrant ordering Google to unlock a screen-locked Android phone. The application asks Google to: "provide law enforcement with any and all means of gaining access, including login and password information, password reset, and/or manufacturer default code ("PUK"), in order to obtain the complete contents of the memory" of a seized phone.

The phone in question was seized from a gentleman named Dante Dears, a founding member of the "Pimpin' Hoes Daily" street gang. On January 17, 2012, a cellphone was seized from Dears by an FBI agent, who then obtained a search warrant to look through the device. According to the affidavit, the technicians at the FBI Regional Computer Forensics Lab (RCFL) were unable to get past the electronic "pattern lock" access controls protecting the phone (apparently, entering multiple incorrect unlock sequences will lock the memory of the phone, which can then only be accessed by entering the user's Gmail username and password).

So why is this interesting and noteworthy?

First, it suggests that the FBI's computer forensics lab in Southern California is unable, or unwilling, to use commercially available forensics tools or widely documented hardware-hacking techniques to analyze seized phones and download the data from them.

Second, it suggests that a warrant might be enough to get Google to unlock a phone. Presumably, this is not the first time that the FBI has requested that Google unlock a phone, so one would assume that the FBI would request the right kind of order. However, we do not know if Google has complied with the request. Given that an unlocked smartphone will continue to receive text messages and new emails (transmitted after the device was first seized), one could reasonably argue that the government should have to obtain a wiretap order in order to unlock the phone.

Third, on page 13 of the warrant application, the government asks that the owner of the phone not be told about the government's request to unlock his phone. It is surprising then that the warrant and the associated affidavit have not been sealed by the court.