USPS Phone Hacking/Surveillance. Does Librem 5 block?

Hello,

Recently, Judicial Watch discovered that the US Postal Service is hacking into cell phones and surveilling their customers.

Does anyone know if the Librem 5 I’ll receive someday is vulnerable to this attack or not? I’m one of the few in this dystopian society that still doesn’t have a cell phone for precisely this reason, and I won’t until I’m confident in the security of my phone or the 4th Amendment is restored.

I don’t know about whether the Librem 5 will be impervious to such hacking attempts of cell phones, but the article mentioned the USPS collecting data from people’s social media posts. In my opinion, a much bigger concern for society is not hacking (although that is a concern), but how much information people voluntarily put on public social media platforms.

I was a member of Faceplant and Twit-er for about 3 months more than 10 and 6 years ago. I posted very little personal information to either. Actually, I’m under the impression that most people who do these kind of things will be dead in 3 to 8 years, and as they will most likely not be part of the solution, I’m not concerned about them or their privacy.

I never Twitter-ed much, but I was on Facebook for probably 10 years and posted more personal info and personal thoughts than I should have. I have seen dozens (probably hundreds) of people post all kinds of personal information on Facebook for many years, so I’m not currently concerned about them dying because of that. That said, modern society as a whole seems to have given up on privacy as being a good thing, and I now think that’s a tragedy. Personally, I became privacy-conscious a couple of years ago and have been doing my best to remove my real identity from the public web (although once you give up information, you can never really erase it).

That’s slightly the wrong question. It’s not a specific individual attack as such. The article talks about

The hacking tools are known as Cellebrite and GrayKey and they were used by the agency to extract previously unattainable information from seized mobile devices.

You can easily look up each of those: https://en.wikipedia.org/wiki/Cellebrite and https://en.wikipedia.org/wiki/Grayshift

So let’s alter the question slightly to: Can tools from either of those companies extract data from a Librem 5?

I could give you lots of different answers to that but no answer will be certain.

• It is unlikely that those companies will be advertising all of the capabilities to the public. So we can’t easily know.
• Probably not at this stage because the Librem 5 is too niche, and it may remain niche for some time. Of course the strength of being Linux-based also means that any generic attacks against Linux are worth trying against the Librem 5, and may work. Security is an ongoing war between the owner of the device and those who would penetrate the device.
• Extracting data will for a start depend on whether you have amber or byzantium (or something later) but as you don’t have your phone yet, it won’t be amber.
• It will also depend on what security options you choose. If you didn’t choose full partition encryption or you chose it but didn’t set it up correctly then extracting data may be trivial.
• Regardless of whether you use encryption on the root partition, there are many other encryption technologies that you could use above the file system layer.
• Maximum security is not yet available with the Librem 5 e.g. no tamper detection and e.g. no integration between smart card and full partition encryption and e.g. no automatic re-encrypt - but I’m sure over the months Purism will be working on those.
• (Once you have your phone) There is one sure way to find out, but it’s not, um, an experiment you will want to conduct.

As far as I can tell, the extraction of data from phones occurred as a result of the USPS being in possession of the phones. As long as you retain custody of your Librem 5 at all times then I don’t think the tools being described will extract data without your knowledge, which is at least something.

That also begs the question of how the postal service ended up with hundreds of phones in the first place.

In the U.S., if a government agency has investigative/enforcement powers…and a department of the USPS apparently does…it can follow the usual legal process of obtaining court orders, subpoenas, etc., to conduct an investigation, seize property, etc. To use Cellebrite on a seized device, an agency would normally have to demonstrate the legal need to a judge and get the required authorization.

So, in essence, this case doesn’t seem that unusual from the procedure aspect. That said, I haven’t followed or read extensively about this particular case, so I can’t comment on whether it might have been a legally defensible use.

OK, but why is the postal service obtaining court orders, subpoenas, etc?

The USPS is more than just the people who process and deliver our mail:

https://www.uspsoig.gov/investigations

It still actually begs the question as to what is going on here.

Sending a phone through the post is not in and of itself an unusual thing to do. After all, that is how I received my Librem 5.

What is it about these hundreds of phones that is attracting law enforcement attention (in this case USPIS)?

What is leading a court to authorise seizing information from the phones, or indeed taking other actions regarding the phones?

What actual crimes, if any, are being committed in connection with the phones, either directly or indirectly? Is anyone being convicted?

Presumably they figure in some ongoing investigation (although I don’t know anything about these particular circumstances, not having looked into it). At least, by law they would need to be relevant to some ongoing investigation to get the needed authorizations.

In theory it could take months (or longer) before any details, results, or prosecutions get revealed to the public, if ever. Especially so in a major conspiracy/RICO case. In the case of a terrorism investigation, maybe never.

Indeed.

Excluding terrorism though, the original article refers to “fiscal year 2020” (and also 2019, but what is the fiscal year date period in the US?) and so by now cases should be coming to court - and there should be some transparency as to whether these powers are being used ineffectively or being abused or being used excessively.

Another question of interest would be: are these phones mainly on US domestic journeys? or inbound to the US? or outbound from the US?

That’s an excellent question. I would wager most are on their way in.

For the Federal Government, it’s Oct 1 to Sep 30; https://en.wikipedia.org/wiki/Fiscal_year#United_States

Unless the investigation results were deemed by the agency itself/the court/the U.S. Attorney, etc., not likely to lead to successful prosecution.

In either case, it would normally take a search warrant signed by a judge, whom the investigators would need to convince of the relevance/necessity to the investigation.

Yes. In Oz “no reasonable prospect of a conviction”. But if that is happening repeatedly / most of the time then it would seem like there is a problem, such as abuse of the power to seize property or excessive use. Is there a need for better training? improved procedures? or is this intentional disregard for the law or for procedures?

If the USPIS is seizing about one “device” every day, you are entitled to ask what is happening with that.

The article also raises the question in my mind as to how synonymous “device” and “phone” are. Are they seizing devices other than phones? If so, what kinds of devices? The references to “Cellebrite and GrayKey” suggest phones but could also be e.g. iPads. Does it go beyond phones and tablets?