Alleged Flaws in Cellebrite UFED May Allow Evidence from Locked Smartphones to Be Thrown Out

It is inevitable in today’s world that law enforcement is sometimes faced with mobile devices that a suspect locked prior to their seizure by authorities. Locking your devices is good common-sense security: this goes for you and me, and, yes, for criminals. As a result, the police will sometimes need to break the encryption on such mobile devices in order to get to the data within, either for investigative or evidentiary purposes. That’s when tools such as Cellebrite UFED come into play. By using UFED, law enforcement can break into otherwise secure devices, such as iPhone smartphones, and get to the data within.

Unfortunately for the prosecution side, someone recently obtained access to UFED and analyzed its security features. These were found to be, shall we say, lacking. Indeed, according to Moxie Marlinspike (creator of the Signal app), ironically, cybersecurity isn’t exactly UFED’s strong suit. In fact, according to his report, after looking at the product, he believes this tool’s security is so weak that even scanning a booby-trapped device may result in an alteration of the data that was or is later extracted using UFED.

In short, in their efforts to secure some evidence, it seems that some police forces are using a tool whose reliability may be called into question. Indeed, if the tool at issue cannot be counted on to provide data that is a reliable record of what really was found in a particular device, should such evidence not be thrown out?

Legally, the fact that a tool used to extract information is prone to tampering may not bode well for convictions obtained on the basis of the resulting evidence, at least if the vulnerabilities reported by Moxie Marlinspike can be substantiated. Some American defense attorneys intend to argue against convictions secured by the authorities based on evidence extracted from locked smartphones. This could lead to the need for new trials in some cases.

UFED is apparently used by many law-enforcement agencies throughout the world. We don’t yet know how many convictions this inconvenient revelation may eventually allow defence attorneys to call into question.

This is yet another example of the perpetually problematic relationship between cybersecurity and the law.

Québec Court Rejects Privacy-related Class Action Filed After Loss of Laptop

The Québec Superior Court recently rendered judgment in the matter of Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (2021 QCCS 1093), further to a class action resulting from the loss of a portable computer containing personal information.

Contrary to what often happens with such class actions, this one did make it through the whole process, up to and including an actual judgment on the merits of the case. In the end, the Québec Superior Court rejects the claims, including those for ordinary damages as well as the claim for punitive damages. In doing so, however, the court does provide us with some principles that seem worth remembering.

This case stems from the loss of a portable computer by an employee of the defendant, a non-encrypted device which contained sensitive information about certain individuals. Even though these individuals may have worried and have been somewhat anxious at the thought of having their identities stolen, the court held that this was, in and of itself, insufficient to qualify as a real prejudice at law. As often happens in such cases, the judge found that more was required before the legal system would be required to intervene, including by awarding monetary compensation.

The class representative in this case was also alleging that certain attempts had been made to steal his identity, something more likely to deserve redress by the court. However, the plaintiff was unable to demonstrate causation between the fault of the defendant (in handling his data and the incident at issue) and such attempted identity theft. Given this absence of a causal link between the fault and the alleged damages, the court also rejected this portion of the claim.

Interestingly enough, this case provides us with a good example of the steps taken by an organization faced with a loss of data and which the court validates as appropriate under the circumstances. The defendant organization here performed an adequate inquiry, hired a specialized consultant, notified the privacy authorities, and notified potential victims. The organization also paid for credit-report surveillance services for these individuals, all of which led the Superior Court judge to also reject this final claim (for punitive damages), given that the steps taken were adequate under the circumstances.

Online Censorship: Chloé Zhao’s and Nomadland’s Academy Awards Zapped from the Chinese Web

The New York Times reported this week that China recently tweaked its Great Firewall, systematically blocking and deleting any mention of Chloé Zhao’s win of an Academy Award, along with any mention of her movie Nomadland also winning an Oscar.

As everyone now knows, China has implemented technological measures that allow the country to control what its citizens see when looking at the Web, at search engines or social media. This allows China to sanitize the Internet, ensuring that Chinese citizens are not shown content contrary to the country’s and society’s interests as determined by the Chinese government.

According to The New York Times, Internet users who type a query about Zhao or Nomadland and Oscars in the Chinese search engine Weibo are simply shown a message that reads: “According to relevant laws, regulations and policies, the page is not found.”

The reason Chloé Zhao is thus targeted may relate to a 2013 interview during which she criticized her home country as one where lies were widely circulated.

This is another example of the perils of a country implementing any system allowing the control of information. Once a regime starts in such a direction, for example by eliminating information from enemies of the state, it’s virtually impossible not to keep going until, one day, you’re zapping news about a citizen winning the most prestigious award in cinema based on one interview she gave almost a decade earlier, in which she obliquely referred to this government’s questionable informational practices.

By the way, I saw Nomadland and encourage you to do so as well, not only for the quality of its direction but also for Frances McDormand’s performance.