Trial Of Alleged "Vault 7" CIA Leaker Ends In Hung Jury
The trial of a former CIA computer engineer accused of the largest leak of classified information in the spy agency's history has ended with a hung jury.
On Monday, a federal jury in Manhattan could not agree on whether to convict 31-year-old Joshua Schulte on eight counts, including illegal gathering and transmission of national defense information, according to the New York Times.
Schulte was convicted on two other counts; contempt of court and making false statements to the FBI.
The motivation for the alleged theft, prosecutors said, was Mr. Schulte’s belief that C.I.A. management did not take his workplace complaints seriously. His feuding with co-workers led to his resignation in November 2016 to join Bloomberg L.P. as a software engineer.
The partial verdict came after six days of chaotic deliberations. One juror was dismissed in the middle of the discussions because she violated the judge’s orders by researching the case, and the lawyers involved, on her own, and then shared that information with the jury. The judge declined to replace her with an alternate, leaving a panel of 11 people. - New York Times
The jury reportedly complained about one juror who was not cooperating with the rest, causing concern over "her attitude." One juror described the deliberations as a "horrible experience" - her eyes welling with tears as she finished talking to reporters.
Schulte, who created malware for the U.S. Government to break into adversaries computers, was named as the prime suspect in the cyber-breach one week after WikiLeaks published the "Vault 7" series of classified files.
As we noted in 2018, Vault 7 - a series of 24 documents which were released beginning on March 7, 2017 - revealed that the CIA had a wide variety of tools to use against adversaries, including the ability to "spoof" its malware to appear as though it was created by a foreign intelligence agency, as well as the ability to take control of Samsung Smart TV's and surveil a target using a "Fake Off" mode in which they appear to be powered down while eavesdropping.
The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.
The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.
With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.
UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques. -WikiLeaks
Vault 7 also revealed:
- The Frankfurt consulate is a major CIA hacking base of operations.
In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.
CIA hackers operating out of the Frankfurt consulate ( "Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover.
- Instant messaging encryption is a joke.
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.
- The CIA laughs at Anti-Virus / Anti-Malware programs.
CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/Debugger/RE Avoidance. For example, Comodo was defeated by CIA malware placing itself in the Window's "Recycle Bin". While Comodo 6.x has a "Gaping Hole of DOOM".
- iPads / iPhones / Android devices and Smart TV’s are all susceptible to hacks and malware. The agency's "Dark Matter" project reveals that the CIA has been bugging “factory fresh” iPhones since at least 2008 through suppliers. Another, "Sonic Screwdriver" allows the CIA to execute code on a Mac laptop or desktop while it's booting up.
Schulte previously worked for the NSA before joining the CIA, then "left the intelligence community in 2016 and took a job in the private sector," according to a statement reviewed in May of 2018 by The Washington Post.
The verdict showed that the jury had doubts about the government’s most important evidence, which came from a C.I.A. server. Trial witnesses guided jurors through a complicated maze of forensic analysis that, according to prosecutors, showed Mr. Schulte’s work machine accessing an old backup file one evening in April 2016.
He did so, prosecutors said, by reinstating his administrator-level access that the C.I.A. had removed after his workplace disputes. The file matched the documents posted by WikiLeaks nearly a year later, according to the government.
The defense argued that the C.I.A. computer network had weak passwords and widely known security vulnerabilities, and that it was possible other C.I.A. employees or foreign adversaries had breached the system. -New York Times
As the Times notes, Schulte's legal troubles are far from over, as the government could retry the case. He also faces a separate trial after federal agents found over 10,000 images and videos of child pornography on electronic devices in his home.
Through apps, not warrants, ‘Locate X’ allows federal law enforcement to track phones
Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you've traveled, your movements may be in the company's data.
By Charles Levinson - 05. March 2020
U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data from popular mobile apps to track the movement of people's cell phones, according to federal contracting records and six people familiar with the software.
The product, called Locate X and sold by Babel Street, allows investigators to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months, the sources told Protocol.
They said the tool tracks the location of devices anonymously, using data that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers.
Get what matters in tech, in your inbox every morning. Sign up for Source Code.
Federal records show that U.S. Customs and Border Protection purchased Locate X, and the Secret Service and U.S. Immigration and Customs Enforcement also use the location-tracking technology, according to a former Babel Street employee. Numerous other government agencies have active contracts with Reston-based Babel Street, records show, but publicly available contract information does not specify whether other agencies besides CBP bought Locate X or other products and services offered by the company.
None of the federal agencies, including CBP, would confirm whether they used the location-tracking software when contacted by Protocol. Babel Street's other products include an analytics tool it has widely marketed that sifts through streams of social media to "chart sentiment" about topics and brands.
A former government official familiar with Locate X provided an example of how it could be used, referring to the aftermath of a car bombing or kidnapping. Investigators could draw what is known as a geo-fence around the site, identify mobile devices that were in the vicinity in the days before the attack, and see where else those devices had traveled in the days, weeks or months leading up to the attack, or where they traveled afterward.
"If you see a device that a month ago was in Saudi Arabia, then you know maybe Saudis were involved," this person said. "It's a lead generator. You get a data point, and from there you use your other resources to figure out if it's valid."
A former Babel Street employee said the technology was deployed in a crackdown on credit card skimming, in which thieves install illegal card readers on gas station pumps, capturing customers' card data to use or sell online. The Secret Service was the lead agency in those investigations, which, according to published reports, led to arrests and the seizure of devices.
A spokesperson for the Secret Service declined to comment on its work with Babel Street, saying the agency does not reveal methods used to carry out missions.
While federal records show that CBP purchased Locate X and last year upgraded, paying for "premium" licenses, the records neither describe what Locate X does nor define the difference between a basic and premium license. A CBP spokesperson would not comment in detail about the use of the tool, but said the agency follows the law when deploying "open-source information."
Told of Protocol's reporting on Babel Street, Sen. Ron Wyden, a Democrat from Oregon who has pushed for tougher privacy legislation, questioned whether uses of the technology might violate the Fourth Amendment ban on unreasonable searches.
The Supreme Court, in the landmark case Carpenter v. United States, ruled in June 2018 that the government must obtain a search warrant to access cell-tower location data for individual phone accounts. The court "recognized that the government needs a warrant to get someone's location data," Wyden said. "Now the government is using its checkbook to try to get around Carpenter. Americans won't stand for that kind of loophole when it comes to our Fourth Amendment rights."
A spokesperson for Babel Street, Lacy Talton, declined to answer specific questions about the company's government sales or its Locate X technology, but said the firm handles data carefully to comply with both the law and internet terms of service. There is no indication Babel Street is doing anything illegal.
Sen. Ron Wyden said the U.S. Supreme Court has "recognized that the government needs a warrant to get someone's location data."Photo: Sarah Silbiger via Getty Images
"Although data content is freely available without restriction from thousands of vendors and suppliers, Babel Street employs a variety of measures to ensure appropriate use of the data," Talton said in a statement to Protocol. "This is not required by most vendors but stems from Babel Street's ethos of proper data compliance. The company regularly ensures that the data accessed through its software is in compliance with ever-changing global privacy regulations, data use rights, and terms of service."
The details of Babel Street's location-tracking technology and its contracts with the federal government have not been reported before. Last month, The Wall Street Journal reportedthat border and immigration agents were tracking the location of cell phones, and looking for activity in suspicious places near the border, after buying data from Venntel Inc. of Herndon, Virginia.
Venntell is a subsidiary of location-based marketing company Gravy Analytics of Dulles, Virginia. Gravy Analytics has provided location data to Babel Street, according to former employees of both firms.
Taken together, the revelations suggest that the sale of personal location data from commercial firms to the government is more widespread and has been going on longer than previously known. The emergence of the technology comes amid growing, broader concern over the tracking of people's movements, whether through facial recognition, their license plates or the phones in their pockets.
While consumers enable location-based services on their cell phone apps, privacy advocates said people are generally unaware of how far their personal information could travel — and in particular that it could be piped to law enforcement.
The sources who spoke to Protocol, who independently described the location-tracking technology, were three former Babel Street employees, a former government official with firsthand knowledge of the company's products, and two former employees of Gravy Analytics. They requested anonymity because the information is sensitive, and some feared retribution from employers for speaking to the media.
A spokesperson for Gravy Analytics declined to comment on the company's relationship with Babel Street. She said Venntel is a "wholly owned subsidiary of Gravy Analytics that supports public sector initiatives."
From brand to threat management
While there is little public information about Locate X, government contracting records provide a picture of Babel Street's growth and increasing popularity in federal law enforcement circles. The company registered Locate X with the U.S. Patent and Trademark Office in May 2017, and sales to federal agencies shot up afterward — from $64,000 in fresh contracts in 2016 to more than $2.1 million in 2017 to nearly $5.3 million in 2018.
Babel Street's sales spike was fueled in large part by four new customers: CBP, which signed $3.2 million in contracts, ICE ($1.1 million), the State Department's Bureau of Diplomatic Security ($710,000), and the Secret Service's Criminal Investigations Division ($313,858), the records show.
CBP signed a first contract worth $981,000 for "Babel software" in September 2017. The Targeting and Analysis Systems Directorate, the CBP branch that purchased the software, apparently liked what it received. A year later, the agency signed a fresh contract worth $2.2 million for "Babel software licenses." In March 2019, CBP filed an amended contract, worth an extra $130,000, to "upgrade the current Babel Street Locate X licensing from basic to premium licenses as well as add an additional 10 licenses."
Asked about its use of Locate X, a CBP spokesperson told Protocol the agency uses a "variety of tools" that "may include tools to facilitate access to open-source data relevant to its border security mission. All CBP operations in which open-source information may be used are undertaken in furtherance of CBP's responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy and privacy requirements."
In September 2018, ICE officials signed a one-year, $1.1 million contract with Babel Street. The deal included Locate X, according to a former Babel Street employee. Last August, ICE signed a fresh five-year deal worth up to $6.5 million with Babel Street for "data subscription services," records show.
A spokesperson for ICE said, "We do not discuss specific law enforcement tactics or techniques, or discuss the existence or absence of specific law-enforcement-sensitive capabilities." She also said, referring to cell phone location data, "ICE does not generally use this type of information for routine enforcement operations."
Other agencies with active Babel Street contracts include the Department of Justice, the U.S. Marshals Service, the Army, the Coast Guard, the Drug Enforcement Administration and the Department of Transportation's Office of Intelligence, Security and Emergency Response. The contract records are from USAspending.gov, the official source for U.S. government spending.
A spokesperson for the Department of Transportation, which signed a yearlong contract with Babel Street last May, said the Office of Intelligence, Security and Emergency Response "utilizes Babel Street software features depending on the nature of particular incidents."
Spokespeople for the Army, the Bureau of Diplomatic Security, the DEA and the Marshals Service declined to comment on the contracts with Babel Street. The Department of Justice and the Coast Guard did not respond to requests for comment.
A spokesperson for a regional DEA office in El Paso, Texas, which signed a separate $12,978 contract for a one-year Babel Street software license last September, denied that the agency had purchased the location-tracking data tool.
The technology was controversial enough that some agencies, including the FBI and the ATF, declined to purchase Locate X after those agencies' lawyers nixed it, a former Babel Street employee said.
A spokesperson for the FBI declined to comment. A spokesperson for the ATF, April Langwell, declined to comment on ATF procurement decisions. "ATF always works within DOJ guidelines with regard to the investigative techniques that we use and ensure that they are consistent with federal law and subject to court approval," Langwell said.
The former Babel Street employees and the former government official said Babel Street was careful about its clients for location data technology. For example, they said, it did not sell to commercial clients, local law enforcement agencies or foreign governments.
The software included pop-ups that reminded users it was to be used only in the investigation of serious crimes and matters of national security, one former employee said. However, after users complained that the pop-ups were annoying, the company removed them, the employee said. Babel Street did not respond to emailed questions about the pop-ups.
Secrecy to the extreme
Despite the apparent power of the tool, Protocol could not find a single instance in which a federal agency had publicly described using Locate X, in an investigation or in any other capacity. And Babel Street appears to have taken a number of steps to keep the technology secret. The company advertises other products on its website and in press releases, but makes no mention of Locate X or the tracking of mobile devices.
"These secrecy provisions prevent the courts from providing oversight," Wessler said. "That is really corrosive to our system of checks and balances."
In the past, Wessler noted, courts have been critical of nondisclosure agreements with law enforcement that are designed to protect sensitive surveillance technologies, notably in cases involving devices that mimic cell towers in order to capture phone information, often referred to by the brand name StingRays.
Scores of U.S. law enforcement agencies deployed the devices for years in secret without judicial scrutiny or public transparency. When use of the technology began to be exposed in criminal trials, the courts did not take a favorable view of the secrecy agreements. One of the more pointed opinions came in a 2016 ruling by a Maryland state appeals court judge, involving Baltimore police and an attempted murder suspect.
The use of a nondisclosure agreement to protect the technology is "inimical to the constitutional principles we revere," Judge Andrea M. Leahy wrote for the three-member court panel.
In 2015, both the Department of Justice and Homeland Security updated their policies to require law enforcement to disclose the use of cell site simulator technologies to the courts when used as part of an investigation. "In all circumstances, candor to the court is of paramount importance," the Homeland Security policy reads. "Applications for the use of a cell site simulator must include sufficient information to ensure that the courts are aware that the technology may be used."
The limits of anonymity
One of the former Babel Street employees who spoke to Protocol cited another example of how Locate X could be used to protect U.S. national security. Investigators, this person said, could identify mobile devices carried near popular border crossing points into the U.S. and pull up the historical location data for those devices, viewing where they've been in the preceding months.
"If you are thinking about attack planning, and you know these devices were just at a Hezbollah or ISIS training camp, and now they're sitting in Juarez, maybe that matters," the former employee said.
Still, privacy experts told of Protocol's reporting on Locate X asserted that law enforcement officials' practice of buying data they would otherwise need a warrant to access amounts to a form of data laundering.
"That consumers can have data being collected that tracks their location, and the government, instead of getting a warrant, which they would normally need to do, can just go to a private company and buy it directly, that's hugely concerning," said Serge Egelman, a computer science professor at UC Berkeley who works on privacy issues.
In the Supreme Court's Carpenter v. United States case, the court held that investigators violated the Fourth Amendment by obtaining cell tower records without a warrant that placed a robbery suspect near the crimes. Chief Justice John Roberts wrote, in the majority opinion, that authorities in that case had failed "to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter's location but also everyone else's, not for a short period but for years and years."
But whether courts would hold anonymous location data culled from mobile apps to the same standard is an open question.
A spokesperson for Wyden said the senator's aides had a phone call with Venntel attorneys on Feb. 20, in response to The Wall Street Journal article, to discuss the company's sale of location data to the government. A Wyden aide said Venntel's counsel declined to answer most questions, would not identify the company's government clients, and would not reveal the source of the data.
Babel Street's sale of location data to the government could also raise potential liability issues for app developers under the Stored Communications Act, said Wessler, the ACLU lawyer. The 1986 law prohibits providers of computing services or electronic communication to the public from knowingly divulging customer information to any government entity.
"The question for the app companies themselves is whether, now that they know that Babel Street is taking their customers' location data and providing it to law enforcement, are those companies themselves now liable under the Stored Communications Act," Wessler said.
Location data culled from mobile apps is said to be anonymized, with each device masked behind a nameless ID number. But experts say data can be traced back to individual users, based on their particular movements.
The New York Times reviewed a database of location data and reported in December 2018 that it was able to identify a woman as she traveled to her dermatologist's office, hiked with her dog and stayed over at her ex-boyfriend's home. Babel Street did not respond to an emailed question about whether Locate X data can be de-anonymized.
Big sales, big hires
Babel Street was founded in 2009 as Agincourt Solutions by former U.S. Navy Officer Jeff Chapman, and became Babel Street in 2014. On its website and in marketing materials, it describes itself as "the world's data-to-knowledge company," focusing on a service that analyzes streams of social media activity in multiple languages, often for brand management and sometimes linked to locations such as sports arenas.
Early on, the promise of gleaning meaningful intelligence from Twitter feeds and other social media applications drew clients to Babel Street, according to government records, published reports and the former employees. The NFL has used Babel Street's analytics software. So, too, have at least 10 local law enforcement agencies around the country, according to the Brennan Center for Justice at New York University Law School.
Motherboard and The Washington Post wrote about the company's social media analytics software in 2017, noting heavy interest from police agencies overseeing major events like Super Bowls. On the government side, the FBI and the Army were among Babel Street's early customers. Michael Flynn, who served briefly as President Trump's national security adviser and later pleaded guilty to lying to the FBI, was once an adviser to the firm, according to Flynn's financial disclosure forms.
Just before the rollout of Locate X, the company hired a veteran Department of Justice privacy lawyer, Jill Maze, to be the company's chief privacy officer, according to former employees and Maze's LinkedIn account.
Subsequent hires suggest the company viewed location data as a growth area. In February 2019, Babel Street hired retired Maj. Gen. Mark Quantock, a former director of intelligence for U.S. Central Command, which includes the Middle East and Central Asia, and the former director of operations for the National Geospatial Intelligence Agency, essentially the government's headquarters for location data intelligence.
Three months later, the company hired a 20-year Pentagon veteran, Dave Dillow, who since 2003 has worked with special operations forces focused on integrating "publicly available information," or PAI, into the intelligence pipeline for those forces. Commercial location data is one type of PAI.
The data used by Babel Street, said the former employees of Babel Street and Gravy Analytics, comes largely from third-party data aggregators who broker deals with mobile app developers, offering revenue in return and sometimes detailed analysis about how users are engaging with the app. Data aggregators who spoke to Protocol said they enable services like mapping and marketing, and comply with privacy regulations, which include requiring all app users to give their consent to sharing their data.
Privacy advocates say such consumer opt-ins are often buried in small print or otherwise clouded in vague or bureaucratic language, and that users have little visibility into how their data is used.
"That's the fundamental problem," said Egelman, the UC Berkeley professor. "The trafficking in this data is totally opaque to everyone who isn't a party to these transactions."
Charles Levinson (@levinsonc) is a senior reporter at Protocol. Previously, he worked on investigative projects at Reuters, where he won awards for his reporting on Guantanamo Bay and skullduggery on Wall Street. Before that, he spent 12 years as a foreign correspondent in the Middle East for The Wall Street Journal. He covered the U.S. occupation of Iraq and that country’s sectarian civil war, the Arab Spring uprisings in Tunisia, Egypt, Libya, Bahrain, and Syria, and Israel’s wars in Lebanon and Gaza. He has reported from over 20 countries. He lives outside New York City.