San Diego’s homegrown FBI hacking hit

Mobile phone and computer snooping by police, long a staple in the war against crime, got a boost here 15 years ago with the opening of the nation's first FBI-run regional computer forensics laboratory.

"The San Diego RCFL has been a pioneer in providing top-quality digital forensic services since the year 2000 when the laboratory was launched as a cooperative venture among federal, state, and local law enforcement agencies," noted San Diego Special Agent in Charge Daphne Hearn in an October 2013 news release.

During 2012, Hearn's statement continued, "Laboratory personnel trained 533 local investigators in various digital forensic tools and techniques and the San Diego RCFL's self-service kiosks were used more than 2,100 times by officers to examine cell phone and loose digital media."

The laboratories' annual report describes the kiosks as an easy way for local law enforcement to pry into computers and cell phones, unhindered by federal bureaucracy: "Self-service kiosks for cellular telephones and loose media allow investigators to review the contents of mobile telephones and most types of loose media on their own.”

Adds the report, “The process is simple: investigators make an appointment at [a regional computer forensics laboratory], bring their evidence, use the Loose Media Kiosk or Cell Phone Investigative Kiosk to view the contents, extract data of interest, save it to a report, and burn the report to a CD or DVD. All of this is accomplished without submitting the evidence to the RCFL."

Now, an audit released this month by the inspector general's office of the U.S. Justice Department has found that the kiosks, widely used by the FBI centers across the country, are too user-friendly, carrying the potential for massive misuse by rogue cops and prosecutors.

"Kiosks are vulnerable to potentially serious abuse," says the document.

"During our fieldwork, the FBI did not provide any information to show that...kiosk users were required to sign-in, identify the case related to the evidence being examined, or, as required by FBI policy, confirm that they possessed the proper legal authority to search for evidence on the cell phone."

Continues the audit, "In addition, the FBI did not provide us with any information regarding controls in place...to ensure that users do not use the kiosks for non-law enforcement matters."

Auditors found that "It was possible that a kiosk user could use this tool to view private cell phone information for non-law enforcement purposes," the report says.

"It was also possible for a user to use a kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation."

The report notes that while "FBI policy requires kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media," enforcement has been lax.

A form "acknowledging that the user had the appropriate legal authority to use the kiosk for an official purpose" is supposed to be required, but "approximately 24 percent of the entries in the visitor’s log did not have a corresponding Acknowledgment Form and approximately 13 percent of the Acknowledgment Forms did not correspond with an entry in the...visitor’s log."

The findings of the audit were based on a review of the regional forensics lab in Philadelphia, but apply nationally, according to the document.

"We believe it is important that the FBI evaluate [regional computer forensics laboratory] implementation of FBI policy for kiosk usage at RCFLs nation-wide and, if necessary, promptly revise controls to ensure compliance with that policy and minimize the risk of inappropriate use of kiosks."

According to the report, San Diego's unit received 2525 service requests during fiscal years 2011 through 2013, the second largest of the network. Orange County — like San Diego, a center of drug trafficking — was first, with 2703.

Training of agents regarding use of the kiosks and keeping track of their usage became even more problematic when unidentified hackers attacked the national Training Registration System used by the forensic labs.

"According to the FBI," the audit says, "in early 2014, TRS was compromised after an intruder gained unauthorized access and it was taken out of service until a more secure website could be deployed."

"The FBI told us that the [forensics headquarters office] is in the process of building and deploying a new training website. FBI officials also told us that security is a top priority in developing the new system because it will contain the names of law enforcement officers."