FBI Hacks Alleged Mobster -- PGP was not compromised.


FBI Hacks Alleged Mobster
by Declan McCullagh

2:00 a.m. Dec. 6, 2000 PST

WASHINGTON -- Nicodemo S. Scarfo, the son of Philadelphia's former mob boss, was almost paranoid enough.

Scarfo, who has been charged with masterminding a mob-linked loan sharking operation in New Jersey, reportedly used the popular PGP encryption software to shield his computer's secrets from prying eyes.

See also: Carnivore to Continue Munching FCC Wiretap Order Overturned Keep an eye on Privacy Matters Everybody's got issues in Politics

But when the feds learned of Scarfo's security measures, they decided to do something that would bypass even the best encryption software: FBI agents sneaked into Scarfo's office in Belleville, New Jersey, on May 10, 1999, and installed a keyboard-sniffing device to record his password when he typed it in.

A seven-page court order authorized the FBI and cooperating local police to break into Scarfo's first-floor "Merchant Services of Essex County" office as many times as necessary to deploy, maintain, and then remove "recovery methods which will capture the necessary key-related information and encrypted files."

The case, which is awaiting trial, appears to be the first in which the U.S. government used such aggressive surveillance techniques during an investigation, and some legal observers say the FBI's breaking-and-entering procedures go too far.

"I don't think it's constitutional," says David Sobel, general counsel of the Electronic Privacy Information Center in Washington, D.C. "This case has the potential to establish some very important precedents on this issue."

Scarfo's prosecution comes at a time when the FBI's Carnivore surveillance system is under increasingly heavy fire from privacy groups, and the use of data-scrambling encryption products appears to be growing. Last week, for instance, news leaked out about Yahoo's encrypted Web-based e-mail service it introduced through a deal with Zixit, a Dallas firm.

Scarfo has been charged with supervising "an illegal gambling business" in violation of state and federal law and using extortionate loan shark tactics, according to a three-count indictment filed in federal court in June 2000. He has pleaded not guilty.

"There's nothing that we can talk about or are at liberty to talk about in the case," says Michael Drewniak, a spokesman for the U.S. Attorney's office for the District of New Jersey. Drewniak would not comment on the use of encryption, saying "we do not discuss evidence."

The elder Scarfo, who once ran the Philadelphia mob that also dominated the Atlantic City gambling racket, was imprisoned in 1991 on racketeering charges.

The spring 1999 investigation of the younger Scarfo, who is 35 years old, may be what prompted the Clinton administration to recommend changing federal law to allow police to conduct electronic "black bag" jobs.

The idea first publicly surfaced in mid-1999, when the Justice Department proposed legislation that would let police obtain surreptitious warrants and "postpone" notifying the person whose property they entered for 30 days.

After vocal objections from civil liberties groups, the administration backed away from the controversial bill. In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search portions had disappeared.

In January 2000, the Clinton administration seemed to change its mind. "When criminals like drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect," Attorney General Janet Reno and Deputy Defense Secretary John Hamre wrote in a seven-page letter to Congress.

That letter, however, suggested the feds didn't need a new law -- and would instead rely on "general authorities" when asking judges to authorize black bag jobs. A related "secret search" proposal resurfaced in May 2000 in a Senate bankruptcy bill.

In the Scarfo case, the FBI in May 1999 asked for "authority to search for and seize encryption-key-related pass phrases" from his computer as well as "install and leave behind software, firmware, and/or hardware equipment which will monitor the inputted data entered on Nicodemo S. Scarfo's computer by recording the key related information as they (sic) are entered."

Although the government has refused to release details, this appears to indicate the FBI was using either a hardware device -- inserted into the keyboard or attached to the keyboard cable -- or a software program that would quietly run in the background and record keystrokes. With the PGP private key and Scarfo's secret password, the government could then view whatever documents or files he had encrypted and stored on his computer.

Ruling that "normal investigative procedures to decrypt the codes and keys necessary to decipher the 'factors' encrypted computer file have been tried and have failed," U.S. Magistrate Judge G. Donald Haneke granted the FBI's request.

EPIC's Sobel suggested that Haneke did not, under federal law, have the authority to grant such an order. "The interesting issue is that they in those (court) documents specifically disclaim any reliance on the wiretap statute," Sobel says. "If they're on record saying this isn't communications -- and it isn't -- then that extraordinary authority they have under the wiretap laws does not apply."

"If we're now talking about expanding (black bag jobs) to every case in which the government has an interest where the subject is using a computer and encryption, the number of break-ins is going to skyrocket," Sobel said. "Break-ins are going to become commonplace."

Eugene Volokh, a law professor at UCLA, said he believed the government could successfully argue the break-in was constitutional. "There's nothing in the Constitution that prohibits this kind of anticipatory search," says Volokh. "In many respects it's no different from a wiretap."

A lawyer for Scarfo told the Philadelphia Inquirer that he would file a motion challenging the legality of the FBI's black bag job.

"Anything he typed on that keyboard -- a letter to his lawyer, personal or medical records, legitimate business records -- they got it all," attorney Donald Manno told the paper. Manno could not be reached for comment on Tuesday.

Scarfo, who is out on bail, was scheduled to appear in court Tuesday for a hearing before U.S. District Judge Nicholas Politan. The purpose of the hearing was to appoint a new attorney -- Manno has represented a client who may testify for the government against Scarfo.


The views and opinions stated within this web page are those of the author or authors which wrote them and may not reflect the views and opinions of the ISP or account user which hosts the web page. The opinions may or may not be those of the Chairman of The Skeptic Tank.

Any text written by other authors which may be quoted in part or in full within this coverage of this issue is provided according to U. S. Code Title 17 "Fair Use" dictates which may be reviewed at http://www4.law.cornell.edu/uscode/17/107.html If you're an author of an article and do not wish to allow it to be mirrored or otherwise provided on The Skeptic Tank web site, let us know and it will be removed fairly promptly.

Return to The Skeptic Tank's main Index page.

E-Mail Fredric L. Rice / The Skeptic Tank