Last week, the FBI and the Dallas Police Department identified and arrested a man who allegedly Tweeted a strobing image at journalist Kurt Eichenwald, causing Eichenwald to experience a serious epileptic episode.
But now, details of how law enforcement identified John Rayne Rivello, Eichenwald’s alleged virtual attacker, are emerging, thanks to an unsealed criminal complaint filed in Texas, where Eichenwald lives. The document details how the agencies’ cyber-crimes units used Twitter and Apple to track down Rivello’s whereabouts and learn how he planned to attack Eichenwald using a strobing GIF.
It also shows how quickly communications companies respond to law enforcement requests.
According to the complaint, the Dallas Police Department submitted a search warrant to Twitter, requesting information on Rivello’s “@jew_goldstein” account. Twitter responded by providing the agency with Rivello’s email address, wireless carrier, IP address, and the phone number for the cellphone Rivello used to operate Twitter’s app.
Twitter, the document reveals, keeps an IP log on each of its users, recording the user’s location every time that person logs into the program. It also keeps a log of each Twitter user’s direct messages, and in this case, it turned that log over to DPD, revealing that Rivello had, allegedly, discussed his plot to harm Eichenwald with other Twitter users.
DPD then sent a request to AT&T for more information on Rivello’s phone. It turns out Rivello was using a Tracfone—or a “burner phone”—but AT&T retains metadata on its customers so that it can regularly charge them for using AT&T’s service.
Using that metadata, they were able to conclude that Rivello had an Apple iPhone, and by extension, an Apple serial number, which revealed an iCloud account—so DPD then filed a search warrant with Apple.
That turned up more information:
As well as a not-so-smart decision by Rivello to upload a picture of himself holding his own driver’s license to his iCloud account—and a retained copy of the exact GIF Rivello supposedly sent to Eichenwald.
Rivello also allegedly took a number of screenshots with his phone, mostly of Eichenwald’s Wikipedia page, but also of articles about photosensitive epilepsy, lists of “commonly recorded epileptic triggers,” and even mainstream news coverage of Eichenwald’s medical episode.
The complaint also seems to note that Rivello wasn’t working alone.
The investigation is a fascinating look into traditional sleuthing adapted for the Internet age, but also a warning to potential Internet trolls. It seems that of the three big public companies that were asked for evidence in this case—Twitter, AT&T and Apple—all of them responded immediately and without fuss to the Dallas Police Department warrants.
Not a single one forced law enforcement to go to court to demand the records, or issue a subpoena to compel the records’ production.
The expectation of privacy is low on a social network—after all, using a social network implies an understanding that you are communicating on someone else’s server, in full view. But it might be surprising for consumers to learn that Apple, especially, which spoke out against the FBI when the agency asked it to unlock a terrorist’s iPhone, would simply hand over a user’s iCloud account pursuant to a simple warrant.