The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news. To get it in your inbox, subscribe here.

In late 2023, a man suspected of dealing narcotics went into a Toyota garage in Puyallup, Washington to have his GMC Yukon repaired. While it was being fixed up, the dealership loaned him a 2023 Toyota 4Runner.

In March, the Drug Enforcement Agency (DEA) approached the Toyota dealer with a warrant, requiring it to provide “real-time” locations of the loaner vehicle, because agents wanted to know if the suspect was using it as part of a drug dealing conspiracy. The DEA alleged that the car had been used to pick up and transport narcotics, including fentanyl and methamphetamine, between Washington and Oregon.

The DEA knew the Toyota garage tracked the location of its loaner cars using their in-built telematics system, so it had an easy way to monitor the suspect’s movements. “Real-time location data on the target vehicle would assist investigators in identifying [drug trafficking organization] associates, their residences and possibly any stash locations used to store controlled substances,” a DEA agent wrote in applying for the tracking warrant, which was granted and the vehicle monitored between March 13 and April 3 2024.

The suspect was charged in a criminal complaint in late March with drug manufacture and distribution, alongside an alleged co-conspirator. Because the investigation is ongoing and the DOJ may charge other suspects, Forbes is withholding the defendant’s name. He has not issued a plea and his lawyer declined to comment on the case. The DOJ hadn’t commented at the time of publication.

While it’s long been known that rental companies can track their fleet vehicles in real-time for the police, it’s novel for a dealership to be told to do the same with a loaned-out car. “Getting a loaner car shouldn’t mean selling out your privacy. This case is a sobering reminder that the sensors that track our every movement on the road can so easily be used against us in a court of law,” said Albert Fox-Cahn, executive director of the Surveillance Technology Oversight Project ( S.T.O.P).

“For car buyers it’s a scary reminder that the more connected our cars become, the more harm they can do to our rights.”

Toyota didn’t respond to a request for comment.

Fox-Cahn alluded to a note in the warrant that the Toyota dealership was asked to assist the government “by initiating a signal to determine the location of the target vehicle at such intervals and times directed by the government and/or by permitting access by the government to the computerized system used to remotely access such location information.”

“Not only was Toyota forced to hand over the huge volumes of location data its vehicle already collects, it was required to work with police to change their software to track the target even more closely,” Fox-Cahn added.

According to court records, these demands from the government recently caused a stir in New Mexico. Without naming the specific case, magistrate judge Steven Yarborough told the government he would reject a Justice Department request to locate a car by asking its in-car internet provider, AT&T, to initiate such a signal. The judge’s reasoning rested on the fact that the government was asking tech providers to create records they would not otherwise have created in the normal operation of their business, which was not within the bounds of the laws cited by the U.S. to get the data, namely Rule 41 of the Federal Rules of Criminal Procedure and the Stored Communications Act.

“Although I have been rejecting the United States’ request for an initiate-a-signal command for the past 10 years, most of the magistrate judges in our district have not had a problem with this language,” Yarborough said, in an email chain included in court documents filed in July. The government later retracted the language, saying “AT&T would not be creating records it would not otherwise create.”

In accepting the government’s changes, the judge still said there remained an argument to be had over whether other parts of the DOJ should be allowed to include demands for tech providers to initiate a signal in their warrants, writing, “The United States’ long history of routinely submitting search warrant applications that include the language at issue, to include recent submissions, provides fodder for an argument that this controversy is capable of repetition, yet evading review.”

Got a tip on surveillance or cybercrime? Get me on Signal at +1 929-512-7964.

FBI Blames Iranian Hackers For Election Meddling

In a joint announcement, the FBI, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency publicly blamed Iran for an attack on former President Trump’s campaign. The statement landed a week after media were leaked files appearing to come from Trump’s team, including a research document on his running mate JD Vance.

The agencies said both Republicans and Democrats had been targeted. “Such activity, including thefts and disclosures, are intended to influence the U.S. election process. It is important to note that this approach is not new. Iran and Russia have employed these tactics not only in the United States during this and prior federal election cycles but also in other countries around the world,” the statement read.

Stories You Have To Read Today

British tech tycoon Mike Lynch and his former colleague Stephen Chamberlain, who worked alongside each other at cybersecurity firm Darktrace and enterprise software company Autonomy, died in separate accidents over the last week. Lynch was one of six people who went missing when a yacht sank off the coast of Italy in violent storms. He was confirmed dead on Thursday, while his daughter is still missing. Chamberlain was hit by a car while out running in the U.K.

A data broker called National Public Data has admitted a breach, after cybercriminals began posting information they claimed to have obtained from the company, including emails and social security numbers. Though initial reports claimed 3 billion individuals could’ve been affected, the severity of the leak remains unclear. Security expert Troy Hunt found that much of the information shared by the hackers is false or pertained to dead people, and said the story got “way more attention than the data itself warranted.”

Big data analytics company Palantir is phasing out all Android phones because of what it claimed was Google’s slow and opaque response to security researchers’ warning of a flaw in its operating system, Wired reports. Per the report, the vulnerability has been “present in every Android release for Pixel since September 2017 and could expose the devices to manipulation and takeover.”

Winner of the Week

A U.S. appeals court has ruled that geofence orders are unconstitutional, TechCrunch reports. Such warrants require a tech provider, whether that’s Google or a telecoms giant like AT&T, to tell law enforcement what devices were in the area of a given crime. The ruling applies to Louisiana, Mississippi and Texas, and declared geofence warrants are “categorically prohibited by the Fourth Amendment,” which protects against unwarranted searches and seizures. The ruling comes half a year after Google announced an Android update that will make it technically infeasible to provide data in response to geofence requests.

Loser of the Week

In November last year, Forbes revealed Jesse Kipf from Somerset, Kentucky, had been accused of hacking into death registration databases in order to fake his own death. It was later alleged he’d done that to avoid paying child support. Now Kipf has been sentenced to 81 months in prison.

More On Forbes

Share.

Leave A Reply

Exit mobile version