December's Cellebrite Drama and Thoughts on School Surveillance
There has been an interesting bit of information security drama recently. A few tech blogs reported that Cellebrite had claimed that it has the ability to break the Signal instant messenger app on phones. Bruce Schneier’s blog brought this to my attention, and, as a result of the rest of this, it is also one of the few times I’ve known him to apologize for a post.
Cellebrite appears to have not at all claimed to be able to decrypt encrypted instant messages from Signal, but only that it can parse messages from an unlocked phone, as if you were just holding it in your hand ready to use it. And that is not in any way a big claim. Moxie Marlinspike (a personal hero of mine) wrote up a response to this claim and took some shots at the sloppy journalism.
A sizable part of Cellebrite’s business is selling boxes that can, or try to, open up cell phones that are locked. It seems as if current ones have mixed results with modern phones, with diminishing abilities for the most current models, as Apple and Google have done a pretty solid job of hardening their handsets. However, there is one area of business in which they seem to be doing well: American public schools.
In the Gizmodo article, the opening example of how a Cellebrite box has been used by a school district is a school resource officer searching a student’s phone (with the student’s consent; whether or not the student knew they had the ability to decline to have their phone scanned is not mentioned in the story) for evidence of a criminal romantic relationship with a teacher. Ultimately, it led to an arrest. The story does not include further details on whether it led to a conviction or not.
As I’ve written and spoken about in the past, despite being on friendly terms with several school resource officers in my work, I dislike that there are embedded police in the schools, as I think that it normalizes armed people around children, and because of the return-on-investment for the taxpayer. SRO programs are bad for liberty and bad for expenditure of municipal resources.
In the opening example, there was, in fact, a teacher who was conducting a relationship with a student that should not have happened. Why was this not just handled by the regular police? If there was suspicion on the part of the school’s staff or a parent, why wasn’t this simply taken to the regular police or sheriff’s department? There was no need to have someone in the school to handle this.
However, the article does go on to discuss the larger problem:
While companies like Cellebrite have partnered with federal and local police for years, that the controversial equipment is also available for school district employees to search students’ personal devices has gone relatively unnoticed—and serves as a frightening reminder of how technology originally developed for use by the military or intelligence services, ranging from blast-armored trucks designed for use in war zones to invasive surveillance tools, keeps trickling down to domestic police and even the institutions where our kids go to learn.
I have not heard of any rumor of the sheriff’s department spending resources on Cellebrite machines for the system that I work in, but I have heard several SROs pitch the idea that we need to purchase and install vape detectors in the school bathrooms to alert them as to when students sneak off to vape out of the eyes of teachers. I am against this as well. Another technocratic system of surveillance to address a behavioral problem will not solve the problem of underage nicotine consumption in the school buildings, but it will further normalize, for the student, that the state is always watching. My favorite quote from Moxie Marlinspike that I’ve taken to heart:
I’m of the opinion that law enforcement should be hard.
The easier it is for them to do their job, the more our personal liberties are eroded.
As a slight post-script, Vox’s Recode has a nice article explaining how, during the virtual learning that is happening in the United States, the proctoring software / services that some school systems are using are very problematic:
Proctorio doesn’t use human proctors at all; it relies on software to detect and flag suspicious behavior. The company’s software can, among other things, use a simple web browser extension to record video and audio through students’ webcams and laptop microphones, to record their computer screens and collect a list of the websites a student visits while taking the test. Proctorio software also uses facial detection to see if a student is looking away from their screen, leaves the room, or if there’s another person in the frame — any of which could indicate cheating.
Defenders of online proctoring say it’s simply recreating remotely what exam-takers would experience in person. Preventing cheating ensures that students learn the material, rewards honest students, and maintains the value of their degrees, according to Proctorio. “When you graduate, you want to make sure your degree is worth something,” Olsen told Recode.
This, of course, is not true. The software cannot know why a student looked away from the computer. The software cannot know if another person being in the frame was helping them cheat or someone just passing by. A human proctor would not be a vector for a 3rd party to invade the student’s computer to surveil them forever.
The United States does prefer to use technocratic solutions to behavioral issues on as many things as possible with its students, instead of teaching the students that there are right ways and wrong ways to behave.