DEF CON 31, Hacker Acceptance, Twitter Search Warrant, Location Information & More
Vol. 4, Issue 9
September 11, 2023
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. In this issue, Diane Akerman and Allison Young recap the events of DEF CON 31, a hacker conference. Jerome Greco examines the changing views on hackers. Benjamin Burger discusses the recent search warrant decision involving Twitter (or “X”) and Donald Trump. Finally, Joel Schmidt explains different types of location information.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
DFU Goes to Las Vegas
Diane Akerman, Digital Forensics Staff Attorney & Allison Young, Digital Forensics Analyst
Last month, five members of the Digital Forensics Unit (DFU) attended DEF CON 31, a massive annual hacker conference that showcases exploits, creativity, policy, and security in technology.
This year included plenty of discussion around the use of AI, especially by the government, as well as the standard fare of exciting exploits (hacks). Do you want “free” cellphone minutes? There’s a hack for that. Need to reconstruct audio or private keys from a video of a light? Research shows this is possible (with limitations).
High school students hacked the CharlieCard, the Boston MetroCard/OMNY equivalent, to get unlimited rides without paying more than 25 cents. See what happens when you don’t just arrest innovative kids and instead work with and encourage them?
Policy@DEFCON had numerous panels and talks focusing on the role hackers can play in policy – both with regard to cybersecurity and more generally grappling with the ethical quandaries posed by the increase in AI in our everyday lives.
Nevertheless, the conference stayed true to its roots in hacker shenanigans when a researcher sent users unwanted prompts to connect to an “Apple TV” to demonstrate security shortcomings in iPhone settings.
Bodily Autonomy, Tech, and Getting to Speak at DEF CON
We (Diane and Allison) presented on how bad warrants and sensitive digital data intersect. You may have caught our CLE version of this talk (Private Until Presumed Guilty) earlier this year at the Decrypting a Defense conference. While this version had a different focus for an audience of hackers (who are typically not lawyers), it stirred up just as much concern. To sum it up from one attendee’s review: “I was appalled.” We’re also grateful to Katie Malone, who gave us a write-up in Engadget that you can read here.
While our talk focused on digital artifacts in the wake of the Dobbs decision, we were not the only ones considering threats to reproductive rights and bodily autonomy. EFF staff members Daly Barnett (also of Hacking // Hustling), India McKinney, and Corynne McSherry, and Kate Bertash of the Digital Defense Fund discussed general legal and privacy issues surrounding abortion access, as well as what you can reasonably do to protect yourself (hint: it’s calling your representative, not hacking your car).
Police Share More Than They Mean To
Hacker “sally, who makes yachts” presented their experience with monitoring police radio to gather intelligence on the cops in the Atlanta Metro area, the epicenter of some pretty concerning law enforcement activity. While the NYPD recently started to encrypt their radio communications and other police departments are looking to follow, experts often find that this security isn't that great.
Bluetooth devices are increasingly common, and unfortunately create a trail of digital breadcrumbs that law enforcement has exploited to surveil citizens. But police departments also use suites of devices connected to the internet of things – body cameras, tasers, etc. – and leave their own digital breadcrumbs that can be exploited by anyone. The creators of RFParty explained how bird watching can go both ways.
Lucky for us, some of the things that happened in Vegas won’t stay in Vegas, as recordings of many of the talks are posted online. We’re looking forward to watching what we missed and we’re already excited for what’s in store next year.
Hacker is Not a Dirty Word (or a Hacker by Any Other Name)
Jerome D. Greco, Digital Forensics Supervising Attorney
Pen tester, red team member, bug bounty collector. Despite the different titles used by many to avoid calling themselves hackers, hacker is not inherently a bad label, just as lawyer is not inherently a bad label. For both “hacker” and “lawyer,” the acts you take and the words you communicate determine good, bad, etc. Public-interest technologist Bruce Schneier defined “hack” in his recently released book, A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend Them Back, as:
1. A clever, unintended exploitation of a system that (a) subverts the rules or norms of the system, (b) at the expense of someone else affected by the system.
2. Something that a system allows but which is unintended and unanticipated by its designers.
As Schneier explained, “hack” and “hacking” are difficult terms to define; he compared the task to the statement made famous in the legal world by Justice Potter Stewart regarding obscenity: “I know it when I see it.” See Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., concurring).
While in popular culture, a hacker was often described in terms of criminality or as someone to fear, many within the hacker scene have always pushed back on applying these negative stereotypes to the growing group of diverse people.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
The Conscience of a Hacker (aka The Hacker Manifesto) by The Mentor (aka Loyd Blankenship), Phrack, Vol. 1, No. 7 (1986). As the above quote implies, the motives and actions of hackers broadly as a group are not always so easily defined.
The views of government and general society on hackers and hacking have started to conform to the way that some hackers have always viewed themselves: a potential source for good with a rebellious desire and an inability to turn off their curiosity. Harnessing that seemingly insatiable urge to find and exploit flaws could lead to better security and services.
To that end, the major tech companies offer “bug bounty” programs, which pay people who find flaws in their programs or services and report them through the proper channels, instead of releasing the information into the wild before the issues can be fixed. See Amazon, Apple, Google, Meta, and Microsoft. While not perfect, the financial incentive to report flaws seems to work better than threatening prosecution or financial ruin.
Diane Akerman and Allison Young described in this month’s Newsletter some of the presentations and competitions at last month’s DEF CON. Notably, the high school students who hacked the Boston subway cards for free rides were invited to the Massachusetts Bay Transit Authority (MBTA) headquarters to give a presentation on the vulnerabilities in the MBTA’s system. Their work had built upon the previous work of hackers from fifteen years earlier, whom the MBTA sued at the time to stop their presentation, obtaining a restraining order. The talk was canceled, but their slides were leaked and published online. The shift in how the MBTA handled the hack and the hackers this round displayed a meaningful change in policy.
Not to be outdone, the U.S. government sanctioned attacks on artificial intelligence programs and sponsored the hacking of a U.S. government satellite. Last month, the Defense Advanced Research Projects Agency (DARPA) announced the AI Cyber Challenge, with the semifinals and finals to take place at DEF CON in 2024 and 2025, respectively. Last year, the Department of Justice revised its policy in charging violations of the Computer Fraud and Abuse Act (CFAA) to exclude “good-faith security research.” Legislative reform and further DOJ policy revisions are still needed, but the update is a positive development. Additionally, public and private schools across the country are hosting their own “hackathons,” encouraging students to hone their hacking skills.
There is much discussion in the hacker community about the legitimacy of the establishment’s growing involvement in their spaces. There are also still going to be bad actors that use hacking to cause harm. However, it is clear that public perception has shifted, and the label “hacker” is no longer inherently negative, so, in the immortal words of Zero Cool, “hack the planet!”
In the Courts
Twitter Fights Trump Related Nondisclosure Order
Benjamin S. Burger, Digital Forensics Staff Attorney
An appellate court decision [PDF] revealed that earlier this year, prosecutors obtained and served a search warrant on Twitter (now “X”)[1] for information pertaining to Donald Trump’s account. The search warrant appears to have sought the contents of the Twitter account, including direct messages sent and received by the former President, and deleted messages. Additionally, the Government served Twitter with a non-disclosure order, which prevented the social media company from informing Trump of the existence of the warrant - and the accompanying federal investigation into attempts to overturn the 2020 elections - for 180 days.
Although numerous legal issues arose during the litigation surrounding the warrant, the most interesting was Twitter’s argument that the non-disclosure order violated the First Amendment. As background, the Stored Communications Act, 18 U.S.C. § 2701-2713, governs the process by which law enforcement can seize data, including the content of social media accounts, from electronic service providers. The statute also authorizes non-disclosure orders if a court determines that knowledge of the search warrant would result in endangering someone’s safety, causing flight from prosecution, destruction of evidence, intimidation of witnesses, or jeopardizing an investigation. See 18 U.S.C. § 2705(b). As it relates to the investigation into Trump, a court determined that Twitter’s disclosure of the warrant would jeopardize the investigation. See In re: Sealed Case, No. 23-5044, 4-5 (D.C. Cir. August 9, 2023). In response, Twitter filed a motion opposing the non-disclosure order. The company acknowledged that it may not have standing to assert an executive privilege claim on Trump’s behalf, but argued that the order infringed on its First Amendment right to communicate with a user. A district court judge denied Twitter’s motion. Id. at 10. The court applied strict scrutiny - the most rigorous standard of judicial review - and determined that the government had met the high burden of showing that the restriction on Twitter’s First Amendment right was narrowly tailored and designed to address the compelling interest of protecting an ongoing criminal investigation. Id.
Twitter appealed the district court decision on numerous grounds, including the First Amendment issue. The appellate court agreed with the lower court, and rejected Twitter’s First Amendment argument. Id. at 21-25. Applying the same strict scrutiny standard, the court determined that the government had a compelling interest in “preserving the integrity and maintaining the secrecy of its ongoing criminal investigation of the events surrounding January 6, 2021.” Id. at 21. The court also found that the restriction was narrowly tailored, noting that the only speech restricted - the existence and contents of the search warrant - was limited to information that Twitter only knew due to the fact that there was an ongoing criminal investigation. Id. at 22. The court suggested that this type of information was entitled to less protection under the First Amendment and, in any event, Twitter was still free to speak generally about warrants, nondisclosure orders, and the January 6 investigation. Id. at 22-23.
Nondisclosure orders pursuant to the Stored Communications Act are commonly used by state and federal prosecutors to prevent social media and other internet-based companies from revealing search warrants to their users. Usually, there is sparse litigation surrounding these orders because social media companies are compliant and the subject of the investigation is unaware of the warrant. Twitter’s actions in this case - whether a principled stand or a desire to help Trump - revealed that these orders implicate larger issues of free speech and prior restraint.
Ask an Attorney
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.
Q: My client is accused of a burglary that he couldn’t have committed because he was elsewhere at the time. Can we use his cellphone to show where he was?
A: It may be possible to use his cellphone data to support an alibi defense. There are three frequent sources of location information and a number of potential other sources. The frequent sources are Google location history, historical cell site location information, and photo/video metadata.
If you have an Android phone, or have Google apps on your iPhone, Google may be constantly tracking your location history. An analyst can preserve the location history and map out the locations. For this data to exist, the Google location history function must have been previously enabled by the user, and the time of the preservation by an analyst must be within the data retention period, which can vary.
Another frequent form of location information is historical cell site location information. Whenever a person initiates or receives a phone call or text message, the carrier will log the cell phone tower (or cell site) that the phone was connected to. An attorney can then subpoena the carrier for that information, which an analyst can map out in an easy-to-review format. While it is still possible to obtain some location information even if there was no phone call or text message at the time (from data usage, for example), that information may not be as reliable. A subpoena takes time, so this information may not be available instantly, though rush service is sometimes available for a fee.
The final frequent source of location information is the metadata embedded in photos or videos. Often when a person uses their phone to take a photo or video, the phone’s location is embedded in “metadata” within that photo or video file. The metadata can be extracted and presented in an easy-to-read format. This is most helpful when the client is depicted in the photo or video, but the metadata can potentially still be very helpful even when that is not the case because it can show the location of the phone, just like the other methods discussed in this article. To be reliable, the metadata has to be preserved correctly, so you always want to make sure you have an analyst at the Digital Forensics Unit do that for you.
If these frequent sources of location information are unavailable, then there may be other methods available to acquire a person’s location information. For example, the company that owns the Citizen app logs and stores location information for thirty days. Or, if the person rented a new-generation CitiBike ebike, we may be able to obtain the person’s exact bike route from beginning to end, in addition to the standard pick up and drop off points. Similarly, it may be possible to get location information from Uber/Lyft or Apple/Samsung Pay transaction histories.
Joel Schmidt, Digital Forensics Staff Attorney
Upcoming Events
September 11-13, 2023
Techno Security & Digital Forensics Conference West (Pasadena, CA)
Check out the presentation from the Digital Forensics Unit’s own Brandon Reim, “Path of a Defense Case”
September 13, 2023
2023 Women of Legal Tech Summit (ABA) (Virtual)
Geofences and Other Reverse Search Warrants (Onondaga County Bar Association) (Virtual)
A Race, Tech, & Justice Salon: How Can Artificial Intelligence Be Used for Good in the Criminal Legal System (Multiple Sponsors) (Virtual)
September 14, 2023
Collision Reconstruction - Finding Order in the Chaos (Forensic Access Group) (Virtual)
September 18, 2023
Legal Ethics of AI Use by Attorneys (NYSBA) (Virtual)
September 22, 2023
SANS OSINT Summit 2023 (SANS) (Virtual)
September 28, 2023
Cybersecurity Nightmares and How to Avoid Them (NYC Bar) (Virtual)
September 29, 2023
Case Studies in Criminal Defense Successes (ArcherHall) (Virtual)
Artificial Intelligence & Machine Learning Summit 2023 (NYC Bar) (Virtual)
October 10, 2023
AI Admissibility and Use at Court Hearings and/or Trials (NYSBA) (Virtual)
October 19, 2023
The Ethics of Social Media Use by Attorneys (NYSBA) (Virtual)
February 14-17, 2024
ABA TECHSHOW 2024 (ABA) (Chicago, IL)
April 18-20, 2024
Making Sense of Science XVII: Forensic Science & the Law (NACDL) (Las Vegas, NV)
Small Bytes
How the Kids Online Safety Act puts us all at risk (The Verge)
Exclusive: DHS Used Clearview AI Facial Recognition In Thousands Of Child Exploitation Cold Cases (Forbes)
Sex Workers Took Refuge in Crypto. Now It’s Failing Them (Wired)
These Women Tried to Warn Us About AI (Rolling Stone)
Cellebrite asks cops to keep its phone hacking tech ‘hush hush’ (TechCrunch)
Police real-time crime centers are becoming data powerhouses (StateScoop)
You Are Not Responsible for Your Own Online Privacy (Wired)
I Tracked an NYC Subway Rider’s Movements with an MTA ‘Feature’ (404 Media)
New York police will use drones to monitor backyard parties this weekend, spurring privacy concerns (AP News)
As car theft spikes, NYPD deploys a vehicle with a license plate reader in every precinct (Gothamist)
[1] Although Twitter is now known as “X”, the decision uses the prior name for the company, as will this article.