I'm finally getting around to compiling my thoughts about how the Signal-Cellebrite news from yesterday. https://signal.org/blog/cellebrite-vulnerabilities/
Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be...

https://signal.org/blog/cellebrite-vulnerabilities/
This is all still preliminary and I'm sure there are a thousand caveats I haven't thought of. But ultimately, I think we won't know the effect on how we should handle phone extractions in actual cases for (probably) years.
Here are some things that jumped out at me as I read the post.
I'll note that as a lawyer who thinks about and litigates tech in criminal cases regularly, I would actually be surprised if Cellebrite had been extremely cautious about its own software's security.
I see this a lot when I talk to technologists about what they would expect to see re: software security, development practices, etc. They're nearly universally appalled by what is done with law enforcement tech.
Law enforcement tech companies don't have good practices because--generally--they don't need to. (Skilled developers identifying ways to exploit vulnerabilities in the software is not a regular occurrence for a host of reasons.)
The reality is that courts are often loathe to dig into the issues far enough or in ways that might make the companies have better business (or programming) practices. They *should* dig in, but they don't.
Non-tech examples of this problem run rampant through the 2016 PCAST (President's Council of Advisors on Science & Tech) report. https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_forensic_science_report_final.pdf And in real cases like those chronicled in @radleybalko & @wtc465's book, The Cadaver King & the Country Dentist.
To be clear, software vulnerabilities like those discussed in the Signal post are really important and they're a really big deal for how trustworthy we think digital evidence in criminal cases is.
But getting courts to learn enough about what normal software security and development practices are, and what the exploitation of these vulnerabilities means, is an uphill climb for defense attorneys. Getting judges to care enough to get up to speed is a real (and big) hurdle.
Then, depending on the jurisdiction, they may have to show that the exploit actually happened in their client's case or that the Cellebrite device was compromised. Mere possibility of exploitation often isn't enough.
But, what stands out most to me is the dire need for technical experts who understand just how bonkers some of what law enforcement tech companies do is. And then take the time to work with defense attorneys to get judges engaged.
Law in this area would be SO MUCH BETTER (fairer, more just, better reasoned) if courts stopped relying on older cases and grappled with the hard and complicated issues raised by digital evidentiary questions. That culture shift is a tall, time-consuming (worthy) endeavor.
You can follow @meganmcgraham.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more