February 18, 2018

FBI's Spyware Program

Note: I worked for the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) from 2001 to 2005. The documents discussed below mention a memo written by somebody at CCIPS during the time I worked there, but absolutely everything I say below reflects only my personal thoughts and impressions about the documents released to the public today.

Two years ago, Kevin Poulsen broke the news that the FBI had successfully deployed spyware to help catch a student sending death threats to his high school. The FBI calls the tool a CIPAV for “computer and internet protocol address verifier.”

We learned today that Kevin filed a Freedom of Information Act request (along with EFF and CNet News) asking for other information about CIPAVs. The FBI has responded, Kevin made the 152 pages available, and I just spent the past half hour skimming them.

Here are some unorganized impressions:

  • The 152 pages don’t take long to read, because they have been so heavily redacted. The vast majority of the pages have no substantive content at all.
  • Page one may be the most interesting page. Someone at CCIPS, my old unit, cautions that “While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit.”
  • On page 152, the FBI’s Cryptographic and Electronic Analysis Unit (CEAU) “advised Pittsburgh that they could assist with a wireless hack to obtain a file tree, but not the hard drive content.” This is fascinating on several levels. First, what wireless hack? The spyware techniques described in Poulsen’s reporting are deployed when a target is unlocatable, and the FBI tricks him or her into clicking a link. How does wireless enter the picture? Don’t you need to be physically proximate to your target to hack them wirelessly? Second, why could CEAU “assist . . . to obtain a file tree, but not the hard drive content”? That smells like a legal constraint, not a technical one. Maybe some lawyer was making distinctions based on probable cause?
  • On page 86, the page summarizing the FBI’s Special Technologies and Applications Office (STAO) response to the FOIA request, STAO responds that they have included an “electronic copy of ‘Magic Quadrant for Information Access Technology’” on CD-ROM. Is that referring to this Gartner publication, and if so, what does this have to do with the FOIA request? I’m hoping one of the uber geeks reading this blog can tie FBI spyware to this phrase.
  • Pages 64-80 contain the affidavit written to justify the use of the CIPAV in the high school threat case. I had seen these back when Kevin first wrote about them, but if you haven’t seen them yet, you should read them.
  • It definitely appears that the FBI is obtaining search warrants before installing CIPAVs. Although this is probably enough to justify grabbing IP addresses and information packed in a Windows registry, it probably is not enough alone to justify tracing IP addresses in real time. The FBI probably needs a pen register/trap and trace order in addition to the warrant to do that under 18 U.S.C. 3123. Although pen registers are mentioned a few times in these documents–particularly in the affidavit mentioned above–many of the documents simply say “warrant.” This is probably not of great consequence, because if the FBI has probable cause to deploy one of these, they can almost certainly justify a pen register order, but why are they being so sloppy?

Two final notes: First, I twittered my present sense impressions while reading the documents, which was an interesting experiment for me, if not for those following me. If you want to follow me, visit my profile.

Second, if you see anything else in the documents that bears scrutiny, please leave it in the comments of this post.

Will cherry picking undermine the market for ad-supported television?

Want to watch a popular television show without all the ads? Your options are increasing. There’s the iTunes store, moving toward HD video formats, in which a growing range of shows can be bought on a per-episode or per-season basis, to be watched without advertisements on a growing range of devices at a time of your choosing. Or you could buy a Netflix subscription and Roku streaming box on top of your existing media expenditures, and stream many TV episodes directly over the web. Thirdly, there’s the growing market for DVDs or Blu-ray discs themselves, which are higher definition and particularly rewarding for those who are able to shell out for top-end home theater systems that can make the most of the added information in a disc as opposed to a broadcast. I’m sure there are yet more options for turning a willingness to pay into an ad-free viewing experience — video-on-demand over the pricey but by most accounts great FiOS service, perhaps? Finally, TiVo and other options like it reward those who can afford DVRs, and further reward those savvy enough to bother programming their remotes with the 30-second skip feature.

In any case, the growing popularity of these options and others like them poses a challenge, or at least a subtle shift in pricing incentives, for the makers of television content. Traditionally, content has been monetized by ads, where advertisers could be confident that the whole viewership of a given show would be tuned in for whatever was placed in the midst of an episode. Now, the wealthiest, best educated, most consumer electronics hungry segment of the television audience–among the most valuable viewers to advertisers–is able to absent itself from the ad viewing public.

This problem is worse than just losing some fraction of the audience: it’s about losing a particular fraction of the audience. If x percent of the audience skips the ads for the reasons mentioned in the first paragraph, then the remaining 100-x percent of the audience is the least tech-savvy, least consumer electronics acquisitive part of the audience, by and large a much less attractive demographic for advertisers. (A converse version of this effect may be true for the online advertising market, where every viewer is in front of a web browser or relatively fancy phone, but I’m less confident of that because of the active interest in ad-blocking technologies. Maybe online ad viewers will be a middle slice, savvy enough to be online but not to block ads?)

What will this mean for TV? Here’s one scenario: Television bifurcates. Ad-supported TV goes after the audience that still watches ads, those toward the lower part of the socioeconomic spectrum. Ads for Walmart replace those for designer brands. The content of ad-supported TV itself trends toward options that cater to the ad-watching demographic. Meanwhile, high end TV emerges as an always ad-free medium supported by more direct revenue channels, with more and more of it coming along something like the HBO route. These shows are underwritten by, and ultimately directed to, the ad-skipping but high-income crowd. So there won’t be advertisers clamoring to attract the higher income viewers, as such, but those who invest in creating the shows in the first place will learn over time to cater to the interests and viewing habits of the elite.

Another scenario, which could play out in tandem with the first, is that there may be a strong appetite for a truly universal advertising medium, either because of the ease this creates for certain advertisers or because of the increasing revenue premium as such broad audiences become rarer and are bid up in value. In this case, you could imagine a Truman Show-esque effort to integrate advertising with the TV content. The ads would be unskippable because they wouldn’t exist or, put another way, would be the only thing on (some parts of) television.

Greece Bans Electronic Games

CNet reports that Greece has banned all electronic games, including ones that run on PCs or on mobile phones, apparently in an effort to crack down on gambling.

This is yet another example of the inflationary theory of censorship. A ban on gambling would be too hard to enforce, because there is no way to tell whether a person playing, say, a card game is playing it for real money. So the censorship expands to a larger boundary that is supposedly more defensible.