Wednesday, September 5, 2012

Hackers' claim raises questions of snooping - San Francisco Chronicle

A hacking group said Monday it released more than 1 million Apple device numbers allegedly pulled from an FBI agent's laptop, a claim that raises troubling questions about the scope of government snooping into the lives of citizens.

At least if it's true. The FBI press office denied AntiSec's claims, characterizing them in a tweet as: "Totally false." Late Tuesday, the "hacktivist" group hadn't provided any additional response, and many questions remained unanswered.

But in its original post, AntiSec said it leaked the unique device identifiers, or UDIDs, to call attention to what it sees as evidence of the federal agency collecting iPhone and iPad data that could allow it to track the activity of citizens. The organization claims the original file it downloaded included information about some 12 million devices, often including personal details like names, addresses and cell phone numbers.

If it is true, privacy experts and civil liberties groups said it would be an alarming development - yet part of a troubling trend.

"It is a piece of the puzzle that suggests the extent to which the government has moved beyond targeted surveillance in particular cases to massive surveillance of all Americans," said Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society. She added that it should be unacceptable for an FBI agent to carry around a trove of citizens' personal details on a lightly secured laptop.

"Someone in the government should launch an investigation into this practice and find out what purpose, if any, the collection of this data serves," she said.

Actions defended

AntiSec defended the decision to release the numbers by arguing the privacy questions they raise would have otherwise been ignored. It also stressed that it didn't publish the full batch of UDIDs, and stripped out personal details.

"Looking at the massive number of devices concerned, someone should care about it," the post read.

The AntiSec initiative is made up of members of the Anonymous and LulzSec hacking groups, which have claimed responsibility for high-profile attacks on the Department of Justice, the Recording Industry Association of America, Sony and others.

In this case, AntiSec claims that in March it breached a Dell notebook used by a supervisor special agent with the FBI Regional Cyber Action Team. They allegedly downloaded a number of files, including one that contained UDIDs, user names, ZIP codes or other personal details for 12,367,232 Apple devices.

In its statement to the media Tuesday afternoon, the FBI stopped just short of denying AntiSec's allegations outright.

"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the agency said.

Apple didn't respond to an inquiry from The Chronicle.

Practical use

UDIDs are akin to Social Security numbers for cell phones and tablets, providing one number that can identify a particular device for its lifetime. App developers and ad networks routinely collect UDIDs from cell phones and tablets. Handset makers like Apple and wireless carriers have access to this data as well.

Many of these companies have come to use UDIDs like tracking cookies in Internet browsers, helping them to build user profiles and target ads. Apple announced last year that it was phasing out all access to UDIDs, likely in part over growing privacy concerns.

If AntiSec's allegations are true, one of the chief legal questions is how these numbers ended up in the hands of the FBI. It's possible that the agency sought them from private businesses using subpoenas or warrants, in pursuance of a large-scale investigation into copyright infringement, drug trafficking or terrorism. But even if that's the case, the massive scope of the database raises concerns about government overreach and adequate due process, said Ryan Calo, an assistant law professor at the University of Washington who focuses on privacy.

"Absent a mandate from Congress or some very compelling legal need for enforcement purposes, I just don't see why the FBI would have this," he said.

Other observers seized on the acronym in the file name in question, "NCFTA_iOS_devices_intel.csv," as a hint that the FBI might have gotten the database from the National Cyber-Forensics & Training Alliance. Some suspect the Pittsburgh group acts as a go-between for the government and communications providers, which are prevented from passing consumer information to law enforcement directly in many circumstances under the Electronic Communications Privacy Act of 1986.

Legal loophole

In other words, the FBI, the NCFTA and others might have taken advantage of a loophole in the law: Providers can give that data to other businesses, which - as long as they aren't communications providers - can then hand it to the government.

"The NCFTA claims they scrub the data and anonymize it," said Dan Auerbach, staff technologist with the Electronic Frontier Foundation. "But if it did come from them, it demonstrates they didn't do a good job."

So what could the FBI do with this information?

Basically, the UDID can link digital footprints to a particular individual. For instance, the FBI could subpoena wireless carriers for information about which UDIDs visited specific sites online or even in the real world, thanks to GPS and other location signals. The agency could, in turn, cross-reference that information against their databases to match behaviors, locations and interests to names.

"It takes very little of this additional information to create a story about someone that can be very revealing," Granick said.

Obvious fix

Christopher Soghoian, principal technologist at the ACLU's speech, privacy and technology project, raised another thorny legal question: If the claims do prove true, would the FBI have an obligation to inform citizens that the data it possessed about them was accessed by hackers? Many states have so-called data breach notification laws requiring this of agencies and businesses under certain conditions. California's rules are among the most stringent in the nation.

Regardless of the veracity of AntiSec's claims in this case, UDIDs pose clear security and privacy vulnerabilities. The obvious fix is for Apple and other device companies to simply give users the ability to easily change their UDIDs, in the way that Internet users can delete most cookies, Soghoian said.

As long as that static number exists, advertisers, law enforcement agencies and others will seek to take advantage of it.

"If you build it, they will come," Soghoian said. "They cannot help themselves."

James Temple is a San Francisco Chronicle columnist. E-mail: jtemple@sfchronicle.com Twitter: @jtemple
