FBI can secretly turn on webcams without the indicator light being activated

The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed on to his Yahoo e-mail account, from any computer anywhere in the world, according to the documents. The goal of the software was to gather a range of information — Web sites he had visited and indicators of the location of the computer — that would allow investigators to find Mo and tie him to the bomb threats.

Such high-tech search tools, which the FBI calls “network investigative techniques,” have been used when authorities struggle to track suspects who are adept at covering their tracks online. The FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years.

Online surveillance pushes the boundaries of the constitution's limits on searches and seizures by gathering a broad range of information, some of it without direct connection to any crime. Critics compare it to a physical search in which the entire contents of a home are seized, not just those items suspected to offer evidence of a particular offense.

A federal magistrate in Denver approved sending surveillance software to Mo’s computer last year. Not all such requests are welcomed by the courts: An FBI plan to send surveillance software to a suspect in a different case — one that involved activating a suspect’s built-in computer camera — was rejected by a federal magistrate in Houston, who ruled that it was “extremely intrusive” and could violate the Fourth Amendment.

“You can’t just go on a fishing expedition,” said Laura K. Donohue, a Georgetown University law professor who reviewed three recent court rulings on FBI surveillance software, including one involving Mo. “There needs to be a nexus between the crime being alleged and the material to be seized. What they are doing here, though, is collecting everything.”

The FBI team works much like other hackers, using security weaknesses in computer programs to gain control of users’ machines. The most common delivery mechanism, say people familiar with the technology, is a simple phishing attack — a link slipped into an e-mail, typically labeled in a misleading way.

When the user hits the link, it connects to a computer at FBI offices in Quantico, Va., and downloads the malicious software, often called “malware” because it operates covertly, typically to spy on or otherwise exploit the owner of a computer. As in some traditional searches, subjects typically are notified only after evidence is gathered from their property.

“We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “Judges are having to make up these powers as they go along.”

http://www.washingtonpost.com/business/technology/2013/12/06/352ba174-5397-11e3-9e2c-e1d01116fd98_story.html

Police department usage of warrantless smartphone 'Tower Dumps' is growing:

Police officers in Richland County, South Carolina are currently defending the use of a controversial investigation method that grants their departments access to thousands of cell phone users’ data in the search for criminals.

The technique, in which law enforcement officials rely on what are known as “tower dumps,” is an increasingly common policing tactic in local departments across the country. Following a crime, law enforcement officials locate nearby cell towers and request all of the call, text, and data transmissions that occurred during the crime from the tower’s provider. The majority of the data collected belongs to individuals with no connection to the crime.

How does one's info end up being swept up in a tower dump? Does one have a cellphone with a signal? Yeah, that's how. Checking your email? Surfing the web? Making a call? Sending a text message? It all goes in the dump. And South Carolina cops are helping themselves to all of this data because, hey, it makes capturing bad guys a little easier.

The Richland County Sheriff's Department used Tower Dumps during the investigation into a string of car breakins, where weapons and computers were stolen. They combined the Tower Dump information with DNA evidence and in 2011 arrested Phillip Tate on three counts of "breaking and entering a motor vehicle" and one count of "larceny."

Cops seeking to use these tower dumps just can't call up the provider and ask for them. But neither do they have to jump through the probable cause hoops a warrant entails. All they need is a court order, which is considerably easier to obtain than a warrant, thanks to the (somewhat ironically-named) Electronic Communications Privacy Act of 1986.

The Richland PD is just one of several law enforcement entities making frequent use of these untargeted, unminimized data dumps. And the numbers keep increasing every year.

In 2011, AT&T and Verizon received 1.3 million requests for cell phone data (many of which were tower dumps) and filled more than 500,000 of them. Verizon estimates that over the last 5 years, law enforcement’s tower dump requests have increased by 15% annually. T-Mobile reported increases of approximately 12%-16%.

In 2012 law enforcement agencies nationwide accessed individual cell phone records well over a million times.

Check out Senator Edward Markey's responses received from wireless carriers on law enforcement requests.
 The three biggest, Sprint, Verizon, and AT&T, reported that in 2012 they also received 56,400 so-called “emergency” requests for personal cellphone information from law enforcement officials that did not require a warrant or court order.

AT&T has to employ more than 100 full-time workers to process them.

Wireless communications providers profited from these requests:

• AT&T received $10 million
• T-Mobile received $11 million
• Verizon received less than $5 million

How long do the companies keep this private information about us, their customers? The details vary by company and by data type, ranging from no storage at all (AT&T says it doesn’t keep text messages) to seven years (the length of time AT&T keeps subscriber information, after you’ve canceled your service). 
Thanks to the ease of obtaining tower dumps, it's becoming a go-to tool for law enforcement.

Not only can they collect these without needing to show probable cause, they're also under no obligation to inform any of the millions of unrelated cellphone customers whose information they've obtained that they've swept up their data.

It used to be impossible for law enforcement agents to monitor all of the people all of the time, but now our cellphone carriers do it for them. The contents of the communications aren’t even necessary for law enforcement to glean insight into you. The carriers also know whom you call and text, and they hold on to that information for years. These records reveal your social network and hint at the nature of those connections. The relationship you have with someone you text repeatedly at 2 a.m. is not the same as the relationship you have with someone you call once a week on Sunday afternoons.

The companies keep records of where you have traveled in the past and can track you in real time—so law enforcement can do it, too. In some ways having a police officer track you in real time electronically is even worse, because you never know when it’s happening. Historical records can be even more sensitive than real-time tracking, stretching back for months or even years, and reveal your daily routine and every deviation from it. https://www.techdirt.com/articles/20131205/09583725469/warrantless-cellphone-tower-dumps-becoming-go-to-tool-law-enforcement.shtml
http://www.huffingtonpost.com/2013/12/09/cell-phone-data-requests_n_4414059.htmlhttp://www.slate.com/blogs/future_tense/2013/12/09/ed_markey_letters_from_cellphone_companies_how_often_at_t_t_mobile_give.html