iCloud may have doxxed a journalist’s Twitter attacker

An anonymous SIM card in a non-anonymous iPhone

In theory, it was the perfect setup: an anonymous Twitter account on a prepaid SIM card, bought with cash. With no credit card or other identifiable info tied to the account, there should have been no way to trace tweets back to a human.

But on Friday, after taking all those precautions, a man named John Rivello was arrested for sending seizure-inducing tweets to Newsweek journalist Kurt Eichenwald. The arrest came three months and a day after the initial incident, and a newly unsealed complaint reveals how police tracked the man down.

First, police sent a court order to Twitter, which agreed to hand over all its data on @jew_goldstein, the account that had sent the seizure-inducing image. But that data showed only a dummy email address, along with an IP address and phone numbers linking to a prepaid Tracfone. Since Tracfone didn’t have any subscriber information associated with the number, police were left with few leads.

Rivello complaint.

The break came thanks to AT&T, which was supporting Tracfone’s SIM card. While AT&T didn’t have any directly identifying data, the company’s toll records showed that the SIM card had been used by an iPhone 6. That sent investigators looking for an iCloud account linked to the same number. After another search warrant to Apple, they got what they were looking for. According to the complaint, the number was linked to a five-year-old iCloud account owned by John Rivello of Salisbury, Maryland. A search of iMessages and photos in the account provided further evidence of Rivello’s interest in Eichenwald.

That iCloud account is particularly damning given how tightly Apple ties specific phone numbers to accounts. Users can’t manually alter the number on an account, so the only way to associate a number is to physically insert a SIM card into a device.

It remains to be seen whether that logic will hold up in court. Still, the case is a powerful reminder of how difficult it is to maintain anonymity in modern devices. A prepaid SIM is enough to keep the phone network from knowing who you are, but your device itself also creates a powerful identity trail, particularly for iCloud users.

While Apple has resisted law enforcement requests to break phone encryption, it routinely cooperates with lawful search warrants for iCloud accounts, providing data on 7,963 accounts in the first half of 2016. Twitter maintains a similar policy, and provided data on 8,009 accounts during the same period.