[ISN] Blanket discovery for stolen laptops

From: InfoSec News (alerts@private)
Date: Tue Mar 13 2007 - 22:14:02 PST


By Mark Rasch
13th March 2007

Comment: Bad things happen online. Trade secrets are lost or stolen. 
Personal information is compromised. Copyrights and trademarks are 
infringed. Bloggers post confidential information, defamatory 
information, or just annoying information. Websites host stolen credit 
cards, hacking tools and techniques, or other things that you might not 

In the course of investigating these things, companies or law 
enforcement agencies frequently need to rely on information in the hands 
of third parties. An example of this is the various companies that offer 
data or computer locator services. A sort of "LoJack(tm)" for stolen 
computers. If a corporate computer is reported lost or stolen, these 
services use various means to identify the computer, or the data on it. 
When the target computer is then used - generally to get online - the 
computer essentially "phones home" with its location.

Here's the problem with this approach. The computer doesn't really give 
its location. At best, it can reveal the Internet Protocol (IP) address 
of the network it is on. While this information is helpful to the true 
owner of the computer, it is not sufficient to locate and/or recover the 
stolen hardware.

Imagine that your "On-Star(tm)" equipped car is stolen. OnStar is one of 
the various services that provides motorist assistance, including Global 
Positioning Satellite location data. If you report the car stolen, they 
can remotely turn the GPS on, track the car, and even turn the telephone 
inside the car on and listen into the thieves' conversations. All of 
this occurs on the network the real owners own and it reveals 
information about your vehicle. So, no problem, right?

Finding subscriber information

When it comes to network based investigations however, we cannot easily 
track where the computer went. Once we have the IP address, we would 
look up the network that was assigned that block of IP addresses. It 
might be an Internet café in Riga, Latvia, or a giant Internet Service 
Provider in Dulles, Virginia.

What we really want is subscriber identification information. That is, 
what subscriber was assigned that particular IP address at that 
particular instant. Now of course, a lot of this information may be 
spoofed, and it is usually less than trivial to piggyback on a 
legitimate network (such as, a hacker using an open or insufficiently 
secured WiFi network.) Nonetheless, tracking down physical location data 
or subscriber data from a raw IP address is the ultimate goal of the 

This is where technology and the law intersect - and not in a good way 
for either of them. While you can do a traceroute or a WHOIS search in a 
couple of seconds, getting subscriber data from an ISP requires 
some form of legal process (usually). ISP privacy policies legitimately 
protect this data, but they generally contain a provision (and one would 
be implied by law even if it wasn't in the policy) that the information 
may be disclosed if there is a "valid legal order."

In the case of law enforcement agencies, there are many legal avenues 
for obtaining this information from ISPs. First, they can just ask for 
it - obtain consent. In extreme situations (imminent threat to health 
and safety) the promise of a later subpoena may be sufficient. In the 
United States, for example, they can also use various legal processes - 
a grand jury subpoena, a formal investigative demand, an administrative 
subpoena, a discovery order, a search warrant, a Title III wiretap 
order, an order issued by the Foreign Intelligence Surveillance Court. 
Or, as recently revealed in The New York Times, various agencies 
including the Department of Defense and the Central Intelligence Agency 
(and of course the FBI) can issue what is called a National Security 
Letter (NSL) on their own authority to get this information.

Building a subpoena

There are various levels of proof required to obtain different demands 
for information. A subpoena generally requires very little level of 
proof that the information demanded is relevant to whatever you are 
looking for, or may lead to the discovery of relevant information. Most 
people think that subpoenas are issued by a court or a judge - that you 
apply for a subpoena to a court, show them that the information is 
relevant, and then get an order. Not true - well, at least not for the 
most part. In reality, law enforcement (either the cops or the 
prosecutor) has a desk drawer filled with subpoenas. They just whip 'em 
out, type in the name and the information needed, and email or fax 'em to 
the ISP. No big deal - takes a couple of seconds and the court is not 
even notified.

Now technically (at least in the US federal system) all of this is 
illegal. You see, to issue a subpoena there has to be an investigation 
authorized by a grand jury: a group of citizens authorized by the court 
to investigate crimes. The grand jury engages in this charade of 
authorizing the prosecutor to investigate and issue subpoenas on their 
behalf - but they usually don't know what is being investigated or how. 
Moreover, even this bare charade is not followed in most investigations. 
A prosecutor unknown to the grand jury may be investigating crimes 
unknown to the grand jury and issuing subpoenas on their behalf without 
even the pretext of delegated authority. But who can argue with success?

On the civil side, things are even more difficult. As a general rule, in 
order for you and me to compel some third party (like an ISP) to produce 
information, we have to also get either a subpoena or a court order. Ah, 
there's the rub. To get the subpoena or court order, we have to have a 
lawsuit pending. To have a lawsuit pending, we have to have a "case or 
controversy" involving some violation of law or tort, which is capable 
of being heard in the court in which we have filed suit, which also has 
jurisdiction over the matter and the people involved. OK. End of law 
school class.

The legal discovery process, particularly for civil discovery, is slow, 
unwieldy and ungainly. Imagine having to file separate individual 
lawsuits for each piece of SPAM you receive, each Phishing attempt, each 
domain name hijacking, each pump-and-dump stock scam, each defamatory 
blog posting, each - well, you get the idea. What is worse is that you 
don't even know who you are suing. Just some "John Doe" who did the bad 
act. How do you show jurisdiction of John Doe? How do you get service of 
process to John Doe? Other than what is called "pre-filing discovery," 
the lawsuit has to be "pending" before you can get discovery. The 
lawsuit isn't "pending" until you have served the person you are suing - 
John Doe. I mean, it isn't fair to sue somebody without telling them 
they are being sued. Laws written in the 18th century allow you to give 
notice by publication, the printing in the newspapers for three 
consecutive weeks. Hardly a model for Internet discovery.

Discovery and blanket orders in other situations

Where else have we heard about the problem of quickly obtaining relevant 
information using antiquated tools and techniques? Oh yeah - getting 
wiretap or other orders for discovery related to national security, 
foreign intelligence and foreign terrorism under the Foreign 
Intelligence Surveillance Act (FISA.) The Bush administration has long 
argued that they were lawfully entitled to bypass the super-secret court 
set up under this law and demand records under what they later dubbed 
the "Terrorist Surveillance Network" because the FISA law was slow and 

You see, FISA, like the pesky Constitution of the United States, 
requires that you get a court order based on "probable cause," 
specifying the place to be searched and the thing to be seized - or in 
the case of a wiretapped conversation, who you are tapping and what 
conversations you are looking for. We have always read this to mean that 
you need a separate warrant for each search, although you could 
theoretically apply for a single warrant for, for example, a series of 
telephone numbers used by a particular person, or to search a number of 
apartments for particular things.

On the eve of hearings about the Terrorist Surveillance Network to be 
held by the new Democratic majority in the U.S. Senate, the 
administration, after arguing that there was no alternative to bypassing 
the FISA Court, suddenly found religion and in a letter from the 
Attorney General notified the Senators that "a [single] Judge of the 
Foreign Intelligence Surveillance Court issued orders authorizing the 
government to target for collection international communications into or 
out of the United States where there is probable cause to believe that 
one of the communicants is a member of al Qaeda or an associated 
terrorist organization." That's all we know, and we don't know any more, 
as the Attorney General was mum about any further details.

What it looks like is a blanket order. The Court (well, the judge) may 
have said, "Look, if you can meet certain thresholds of showing 
membership in some associated terrorist organizations, here's a general 
order mandating people to provide you the information you want." Perhaps 
the order requires the government to report back to the FISA court, 
perhaps not.

Now I am not going into a discussion of whether this constitutes an 
improper delegation of judicial power to the executive branch (well, 
yeah) or violates the particularity requirements of the Fourth Amendment 
(that too). However, this may provide a model for civil discovery.

A more "civil" discovery for IP addresses

The problem with the "John Doe" lawsuit model that we currently have is 
that it encourages the filing of lawsuits where the remedy sought by the 
court is mostly frivolous. In many of the cases where a lawsuit is filed 
against, for example, a virus writer, a spammer, or a purveyor of 
malware, we don't really seek monetary damages, or redress of 
defamation. What we really want is just to find out where it is coming 
from and make it stop. Besides, the spammers and other miscreants likely 
have no money to satisfy a judgement, and may not even eventually be 
found to be subject to the courts in a particular jurisdiction. The 
remedy for the most part is the discovery itself.

Since Courts can only settle "cases and controversies" and can only 
award damages or other injunctive relief, how can we use them to get 
this massive discovery?

If we can establish that we only seek IP address information when it is 
reasonable and appropriate, and that there are adequate privacy 
safeguards concerning the collection and use of information, we might be 
able to streamline the discovery process.

Take, for example, the electronic LoJack service. Imagine a standing 
court discovery order from an appropriate court that says the following: 
if a computer protected by this service is reported stolen, and it finds 
itself on a strange network, and "pings" home with its IP address, then 
and only then the owner or the provider of the LoJack services is 
entitled to an order of discovery from the ISP with which the IP address 
is associated, permitting discovery of the customer data associated with 
that IP address. If the target is piggybacking off several different IP 
addresses, the discovery order permits discovery of all of them, which 
is up to the ultimate user. The information may ONLY be used for the 
purposes of either filing a lawsuit against the perpetrator, or to turn 
over to law enforcement, or other reasonable purposes. The court might 
also appoint a "Special Master" responsible for overseeing the discovery 

In practical terms, this is how it would work. The LoJack system would 
ping back the company with an IP address, date, time, etc. This 
information would be used to generate a discovery demand - automatically 
and digitally. The Special Master would be required to review each such 
demand for accuracy. The demand would then be automatically transmitted 
to the appropriate ISP that is associated with the IP address, which 
could (but would not be required to) automate the process of producing 
the requested records. The requested records would then be available to 
the Special Master in accord with the standing discovery order. In this 
way, discovery of the relevant information could occur in minutes, 
rather than months.

Now there are, of course, problems with such an approach. By making 
discovery so easy, it may encourage abuse. Clerical and other mistakes 
will not only be made, but will be automated. Judicial oversight will be 
reduced to a somewhat ministerial function, with most oversight assigned 
to the Special Master who is subject to not only boredom but corruption.

Since computer crime is instantaneous and international, the approach 
would have to be harmonized with international privacy laws, discovery 
laws, and jurisdictional laws. And there would have to be significant 
oversight with sanctions for abuse or misuse of the system. If we had 
all of these safeguards, we could streamline discovery of discrete 
classes of information (say IP log information) in discrete classes of 
cases. That might put a bunch of lawyers out of business. And what would 
be so bad about that?


SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the 
Justice Department's computer crime unit, and specializes in computer 
crime, computer security, incident response, forensics and privacy 
matters as Managing Director of Technology for FTI Consulting, Inc.

This article originally appeared in Security Focus.

Copyright 2007, SecurityFocus
