Thursday, February 25, 2010

Patriot Act Renewal, Whole-Body-Imaging, and Cell Phone Tracking

In my effort to deal with the two pronged problem of having no time AND finding three important privacy related stories to discuss today, I'm just going to include some links and info on each topic in one post.

The Patriot Act Extended by the Senate

That's right...the DEMOCRATIC Senate not only voted to renew one of the most egregious legislative assaults on the Constitution ever enacted - a law Democrats promised to reform if not outright end - but what few privacy protections that had recently been added were stripped at the last minute. My "outrage meter" is broken from overuse in recent months.

I have written in painstaking detail about this Act, and the Senate Judiciary Committee's initial attempts to improve it. In fact, I was extremely critical of it BEFORE what few additional protections were stripped!

Instead, the Senate voted to reauthorize three expiring provisions of the Patriot Act adopted just after the September 11th attacks. As I wrote in the past, also not widely reported was the fact that President Obama worked behind the scenes to ensure that absolutely no meaningful reforms to the Act were adopted...essentially a complete reversal of his positions as a Senator and Presidential candidate.

Though Senators Feingold and Durbin put up an admirable fight on a variety of fronts in Committee, it approved allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation.

The Senate also renewed the so-called “roving wiretap” provision, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped.

Finally, the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist was also approved.

The already very limited privacy protections that were agreed upon by the Judicial Committee that were dropped were the requirement that the government publish audits, including how many times the Patriot Act’s provisions were used, including the number of targets. Much of the government’s public reporting on the topic has been voluntary, and very little is known about how often each power has been used and why.

Another change centered on library records. In order to obtain warrants for them from the FISA court, the new plan requires a tangential connection to a terror investigation or foreign power. The expiring version does not.

The Judiciary Committee bill would also have restricted FBI information demands known as national security letters and made it easier to challenge gag orders imposed on Americans whose records are seized.

And want to know the excuse offered by Senator Leahy why even those modest protections didn't make it into the final product? Get a vomit bag read, he said ""I would have preferred to add oversight and judicial review improvements to any extension of expiring provisions in the USA Patriot Act. But I understand some Republican senators objected."

God forbid protecting the Constitution and the privacy of the American people if some Republicans object!!

Congress to Address Cell Phone Tracking

Here's another topic I've been zeroing in on a lot lately. As I wrote just two weeks ago, the issue at hand is over what the proper legal standard should be when prosecutors demand cell phone location data.

A little case history first: Last April, the Washington Post reported that while serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained these documents from the Justice Department in an ongoing lawsuit over cell phone tracking. While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure.

Tracking without a warrant disregards an internal U.S. Justice Department recommendation that prosecutors obtain probable cause warrants before gathering location data from cell phones. Of the cases in which probable cause wasn't established, documents showed 19 allowed the most precise tracking available. Those cases occurred after the November 2007 Justice Department recommendation that prosecutors seek warrants.

Documents released by the ACLU have also shown that of the states randomly sampled, New Jersey and Florida used GPS tracking without obtaining probable cause or warrants. Four other states, California, Louisiana, Indiana, Nevada and the District of Columbia reported having obtained GPS data only after showing probable cause.

Those documents were part of the ongoing lawsuit by the ACLU and Electronic Frontier Foundation on how the government tracks cell phone users. As these two privacy protection stalwarts argued in those cases, government tracking without a probable cause or warrant is a violation of the Constitution's Fourth Amendment, which guards against unreasonable search and seizure. Government prosecutors have argued that only a court order showing the tracking data is relevant to a criminal investigation is needed.

On that front, Congressional hearings regarding impending privacy legislation typically have focused on behavioral ad targeting, but location-based mobile targeting could be regulated, too. Two congressional subcommittees met this morning to discuss location-based technologies and their impact on consumer privacy and safety.

From ClickZ.com: Several witnesses agreed that use of location-based mobile data must be dealt with by privacy legislation expected to be proposed sometime this year. Among their concerns is the need for privacy controls to not only be present, but easily accessible to consumers. The familiar phrase of "notice and consent" - one that's become common during hearings on behavioral ad targeting - was mentioned throughout the discussion.

While some lawmakers cautioned that any new rules must not hamper industry innovation or benefits of geographic data usage to consumers, at least one legislator suggested personal privacy is more important than business in some cases.

But perhaps of more interest, was an article in Truthout.org entitled Cell Phone Tracking: The New Constitutional Crisis. William Fisher writes:

If you own a cell phone, you should care about the outcome of a court case that "could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime."

That was the warning issued to the public by several major civil liberties organizations as they appeared in federal court in Philadelphia to argue for more privacy protections in the use of cell phones as tracking devices by law enforcement agents.


The case is at the heart of the constitutional crisis now being played out in the US federal court. Civil liberties groups are asking the court to require that the government show probable cause before it can track your whereabouts.

...

The plaintiffs in the court case hope the court will "send a message that merely carrying a cell phone should not make people more susceptible to government surveillance." They add, "No one wants to feel as if a government agent is following her wherever she goes - be it a friend's house, a place of worship, or a therapist's office - and innocent Americans shouldn't have to feel that way."

The government has argued that "One who does not wish to disclose his movements to the government need not use a cellular telephone." But the civil liberties groups say this is "a startling and dismaying statement coming from the United States. The government is supposed to care about people's privacy. It should not be forcing the nation's 277 million cell-phone subscribers to choose between risking being tracked and going without an essential communications tool."

...

Two years ago, a US magistrate in Pittsburgh ruled that the data they were seeking could easily be misused to collect information about sexual liaisons and other matters of an "extremely personal" nature.

In federal appeals court last week, a Justice Department lawyer urged the judges to overturn the magistrate's ruling. They claimed the government was seeking "routine business records."


But after one of the judges said there were some governments, like Iran's, that would like to use such records to identify political protesters, she asked whether the "government can assure us" that the Justice Department would never collect cell-phone data for this kind of use in the US. The government lawyer grudgingly acknowledged that such data "could be used constitutionally."

EPIC wants TSA to halt implementation of body scanners at airports

FROM ZDNET: In a letter sent to the White House, the Electronic Privacy Information Center (EPIC) President Marc Rotenberg, along with Ralph Nader, request that body scanner technology be halted until several health, safety and privacy issues are resolved.

Body scanner devices have been deployed at 18 different airports in the U.S. and should be implemented at all international airports by the end of this year. One of the key concerns EPIC has is privacy and how images could be stored. The same issues were raised in Canada during pilot testing of similar body scanning devices. In a
Privacy Impact Assessment (PIA), investigators asked many of the same questions EPIC is concerned with.

You can also read my article, "The Politics of Fear and "Whole-Body-Imaging"

Tuesday, February 23, 2010

EPIC Urges Court to Block Google Book Deal

Before I get to the latest on the Electronic Privacy Information Center's (EPIC) court filings urging a judge to block the deal struck with Google books months ago, let's refresh all of our minds on what the privacy principle is that we're fighting over here (with Google of course).

The ACLU does a good job framing the issue in their Google Book search campaign: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder. The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

As I wrote last year: we're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

The concerns of privacy advocates are not hypothetical - nor should they be discarded as paranoia. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information.

Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans? For these reasons and more, it is essential that Google Book Search incorporate strong privacy protections.

It wasn't more than a few months ago that the Electronic Frontier Foundation (EFF) along with the ACLU and the privacy authors and publishers they represent, which include the American Library Association, the Association of Research Libraries and the Association of College and Research Libraries, CDT, EPIC, SFLC, Professor James Grimmelman sent a joint letter to Google urging it to include privacy protections along with its reconsidered Google Book Search Settlement.

A key passage from the letter reads:

As you know, the failure of the settlement to ensure that readers using the Google Book Search services will have their privacy protected as much as readers using physical books has been a key concern for many authors, libraries and the reading public.

It is the basis for some objections to the settlement, but has also been raised as a concern by those who support the settlement. As author Jonathan Lethem put it, “now is the moment to make sure that Google Book Search is as private as the world of physical books. If future readers know that they are leaving a digital trail for others to follow, they may shy away from important but eccentric intellectual journeys.”

While we appreciate the statements made in the privacy policy released in early September, that policy does not go far enough. We believe that it is vital that Google commit to additional privacy protections and that such commitments be enforceable by the court presiding over the settlement. The Electronic Frontier Foundation, the Center for Democracy & Technology, and the Electronic Privacy Information Center in their respective briefs have offered recommendations, many of which are quite similar, and would be happy to assist you in navigating any real or perceived differences between them.

As the plaintiffs’ motion correctly notes, “depending on the contours of the amended settlement agreement, some objectors may no longer object and would choose not to travel to New York at all for the hearing.” Providing real, enforceable privacy protections may help reduce the number of objections that the court must consider as the case moves forward.

That leads me to today's post, and what appears to be, but not a shock to anyone that follows the "privacy issue", Google's failure to adequately address advocates concerns.

Doug Hanchard of ZDNet writes:

As the negotiations continued throughout 2009 to the present day, EPIC has consistently voiced serious concerns on how the agreement has ignored several key issues concerning privacy of potential users of the service. Today’s press release is no exception.

In federal district court in New York, EPIC President Marc Rotenberg urged Judge Denny Chin to reject the revised settlement now before the court in Authors Guild v. Google. Mr. Rotenberg said that the settlement would “turn upside down” well established safeguards for reader privacy, including state privacy laws, library confidentiality obligations, and the development of techniques that minimize privacy intrusions. Mr. Rotenberg warned that the settlement would eviscerate legal safeguards for library patrons, commercialize access to information, consolidate Google’s control of the Internet, and put in place an elaborate system of user authentication and watermarking. “A person at any library or any university in the United States that attempted to retrieve information from Google’s digital library would be uniquely tagged and tracked. There is simply no precedent for the creation of such power.”

...

EPIC’s arguments warrant serious consideration by the court. Copyright issues can be fairly negotiated between Google and authors. EPIC believes that component is but a small part of the overall program that Google Books unleashes. At stake is the monitoring of our reading habits, what information sources we use, what’s popular and even how often we read. This data translates into information that has commercial value and has potential to influence in what we read and have in our collection of books. This may lead to future consequences that surprise us. A hypothetical example is what we read becomes analyzed and (eventually) be revenue generating by making specific items available - at a surcharge. These surcharges will be aimed specifically at you and you alone. Google will have information that reviews what your specific reading taste are, and if you want more books related to Google analyzed reading habits, Google potentially has the ability to strategically market and sell books and services that cater and maximize potential future purchases you make.

I'll just go back to my initial post on this subject about a year ago:

...it is essential that Google Book Search incorporate strong privacy protections. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives." Again, these concerns are not hypothetical.

Just three years ago the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual. The good news was a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information , “the chilling effect on e-commerce would frost keyboards across America."

If there ever was a time to make sure that Google doesn't put an end to reader privacy as we know it would be now. At present, all Google has done is make a lot of informal statements about privacy, while failing to provide an actual privacy policy with specific promises to consumers.

Friday, February 19, 2010

More on The Smart Grid and Privacy

I've written quite extensively on the growing debate over smart electricity meters and the potential threat they pose to privacy (if we don't take the proper precautions). To read any or all of those, just click here.

At this moment, Public Utilities Commission's (PUC) across the country are considering how to implement such a grid, and in response to a rulemaking by the California PUC, and the lack of attention being paid to the concerns of privacy advocates to date on this issue, the Consumer Federation of California (CFC) recently joined The Utilities Reform Network (TURN) in urging the Commission to allow for a more comprehensive review and debate regarding such concerns.

For today, I noticed an article from a Canadian news site called CBN News, entitled Smart grid could turn appliances into spies, experts warn" that I want to share.

Paul Gallant reports:

Do you want your fridge talking about you behind your back?

With the rapid adoption of a North American "smart grid" aimed at helping consumers conserve electricity, it's also possible that smart appliances will be able to transmit information about their activities (and yours) through the power lines. Your electricity utility may not yet be able to determine when you snack, do laundry or shower, but privacy advocates are sounding the alarm that systems need to be put in place to guard details about a household's electricity usage from prying eyes.

...

In its most basic form, the smart grid allows utilities to read meters without sending out an employee; instead the meters send a reading back to the utility automatically. But Ontario's push into smart meters has been aimed at changing consumer behaviour, so the launch in that province goes further.

...

Many households with smart meters can already go online and log in to an energy-use account to see how much energy they used during a specific time period. By giving people more detailed information about their electricity usage, the assumption is that they will be willing to reduce their consumption or re-schedule it to off-peak hours when the rate may be cheaper.

...

Things get trickier from a privacy perspective if the system offers real-time statistics, since electricity use is a good indication of whether someone is at home at that very moment and what they are doing - if they're awake or asleep, for example.

Eventually, utilities will have the ability to allow consumers to see how their energy use compares to that of their neighbours, information that, if not sufficiently protected, could reveal many things about your neighbours' comings and goings as well.

Utilities promise this data will be encrypted and assigned an anonymous number that can't be tracked back to an individual customer. But the cyber security co-ordination task group that has been addressing smart grid privacy concerns in the U.S. has warned, "there is a lack of formal privacy policies, standards, or procedures by entities who are involved in the smart grid and collect information." It added that, "comprehensive and consistent definitions of personally identifiable information do not generally exist in the utility industry."

...

Hydro One has policies in place that prohibit it from selling customer information to third parties. But the pressure for third-parties to access power-usage information will only increase.

Many companies are working on new products — electric vehicles, smart appliances and energy-production systems like solar panels — that have the potential to take advantage of the smart grid's two-way communication system to send usage information from individual appliances and devices to a central office where it can be accessed by the utility or by the user. Whirlpool Corp., for example, announced in January it would produce one million smart appliances by the end of 2011 and make all its appliances smart grid-compatible by the end of 2015.

Device-specific information would be useful to the consumer to get credit, for example, if they were feeding electricity back into the grid from solar panels or a windmill. Some appliances could adjust their own energy consumption according to the time of day or by monitoring what other appliances were running in the home.

This kind of information could help make a home more efficient in terms of energy consumption, but it would also be tempting information for marketers, governments and even thieves. The Future of Privacy report suggests that extensive information could be gleaned from the grid — everything from when you shower or watch TV to which appliances and gadgets you have in your home, and when you use them.

The report urges that any third-party access to the information should not be a deal between the utilities and the third parties, but between the consumers and the third parties. As well, third parties should agree not to correlate data with data obtained from other sources or the individual, without the consent of the individual.

Click here to read more.

For more information on this subject, and more of my thoughts, check out my article The Privacy Implications and Challenges of a Smart Grid Electrical System.

Wednesday, February 17, 2010

Google Buzz...Here We Go Again...Yet Another Privacy Debacle

Another day, another Google privacy debacle. For every post - and there have been A LOT OF THEM - regarding Google's latest product that treats privacy as its personal whipping boy, I have to republish my usual caveat:

Anyone that has read this blog knows I have written a number of posts about Google's confrontational relationship with privacy, and the variety of ways this can be demonstrated in a host of its products. I've written about the approaching launch of Google Books just around the corner in which the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic have even launched a Google Book Search privacy campaign to address.

I've written about the loss of "Locational Privacy" and how a host of Google products relate to that growing privacy protection challenge. And I've posted a lot about other examples demonstrating Google's less than stellar record on privacy in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques.

Then, there was last week's news that Google - the world's largest and ever expanding privacy allergic technological empire - had enlisted the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) for technical assistance. Oh Joy!

But apparently Google wasn't through! I speak of Google's big release of their latest innovation "Google Buzz", and the subsequent outcry from privacy advocates, and the now official apology from Google.

Let's give a little back story. First, the technology itself. As described by out-law.com:

Google Buzz is the search giant's attempt to convert its Gmail service into a social network, but it has alienated many users by mining personal information in other Google-run services to boost Buzz usage.

When it was launched last week Buzz was set to automatically use information from people's Google web mail accounts and RSS-reading Reader service in a bid to kick-start the service.

It automatically signed users up to 'follow' the Buzz activity of the people they communicated with most on Gmail and connected followers to items shared by a user through the Reader service.

The company was accused not only of violating users' privacy but of burying the mechanism to change the settings in an obscure part of the service's menus. It has twice modified the service in a bid to allay users' concerns.

Google first made the option for switching off the auto-follow more prominent, then changed it altogether so that it only suggested people a user might like to follow.


Since last week's initial release of the new "service", Google has received, and now responded to, a whole lot of criticism (i.e. Google now asks Buzz users to manually approve their followers instead of automatically including them on their Buzz lists, and improved the visibility of the privacy controls).

So I guess the first question that comes to mind is how did Google - a company with a seemingly endless supply of bright minds working there - bungle this project so badly?

C-Net's Tom Krazit has the scoop:

Buzz was just tested inside Google before it launched to the general public, said Todd Jackson, Google Buzz product manager. Several layers of Google employees participated in the process, from the initial design team to wider and wider circles of employees. And a source familiar with the product development process said Google put Buzz through its usability lab, where it brings in outsiders to evaluate products in secret before they are launched.

However, either no one brought up the privacy concerns that Buzz users raised within a day of its launch, Google didn't ask the outsiders for the thoughts on Buzz privacy, or Google engineers dismissed those concerns as unfounded. For whatever reason, Google has taken a hit over the Buzz launch from a public that is already skeptical about the search giant's motivations with the enormous amount of personal data it already has accumulated.

...

...the incident exposes a real problem for Google: does its unique culture really understand the markets in which it wants to participate?

Social media has already been
a minefield for Google, with stops and starts amid charges that the engineers who built Google don't understand the wider world of social networking. Fairly or unfairly, incidents such as the Google Buzz launch underscore that Google employees--among the smartest and most tech-savvy group of workers in Silicon Valley--may not be the best testing ground for products designed to reach the general public.

Google is famous--infamous, really--for keeping products in "beta" mode for an inordinate amount of time while they work out the kinks. Gmail--the host product for Google Buzz--was in beta for five years, with Google unwilling to lift the qualifier tag until last year amid a push into corporate accounts.

The company also tests products through invitation-only groups, such as it did for Google Voice and Google Wave. Then, over time, it opens those groups to wider and wider circles until the general public is welcome.


But when it came to making that decision for Google Buzz, the company decided that social networks only really start to become compelling when a user has a lot of contacts, according to a source familiar with its thinking. Therefore, it wanted to seed Buzz users with as many contacts as possible when they first logged into the system, so they could get up and Buzzing right away.

As I mentioned, apparently Google at least did get the "get your sh** together" memo this time, as the company moved quickly over the weekend to try to contain this public relations disaster by first apologizing to users for features that endangered the privacy of its customers and announcing product changes to address those concerns - such as instead of automatically connecting people, in the future Buzz will merely suggest to new users a group of people they may want to follow or be followed by.

Still, what's astonishing to me is this wasn't done BEFORE the service went live! My god...this should be basic privacy 101 stuff, shouldn't it????

Generally, the reaction by privacy advocates to these changes has been mildly positive.

AS the New York Times reports:

Some critics said the latest modifications to Buzz, which is tightly coupled with Gmail, appeared to have addressed the most serious privacy concern.

Turning off the auto-follow was a huge improvement,” Danny Sullivan, a longtime Google analyst and the editor of SearchEngineLand, said in an e-mail message.

But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said his organization still intended to file a complaint with the Federal Trade Commission this week pending its review of Google’s changes.

Even with these changes, there is still the concern that Gmail users are being driven into a social networking service that they didn’t sign up for,” Mr. Rotenberg said in an interview on Sunday.

The privacy concerns about Buzz, and Google’s rapid efforts to address its critics, echo episodes that have bedeviled other social networks, most notably Facebook. None of those events have slowed the growth of Facebook, which recently said it had reached more than 400 million users. Gmail has 176 million users, according to the research firm comScore.

“I think the privacy issues earlier this week with Buzz will blow over and not harm the product in the long term,” Mr. Sullivan said. But privacy will continue to haunt Google, he said, and many people will point to the release of Buzz as an overreach by Google and a reason that the company could not be trusted.

...

Google also said that it would create a new Buzz tab in Gmail’s settings page to allow users to hide Buzz from Gmail completely. The page gives users the option to disable Buzz, deleting their posts and removing their Google profile, which in many cases listed publicly their circle of contacts in Buzz. The new feature could address concerns that disabling Buzz and removing a public profile was a multistep process that confused many users and that some described as a game of whack-a-mole.

Google also will no longer automatically connect public Picasa albums and items shared on Google Reader, another feature that had been widely criticized by some users and privacy advocates.

Click here to read more of the Times article.

So what should we take away from this latest Google privacy debacle? Certainly, the company seems to remain completely tone deaf on the issue of privacy, but at the same time, it did respond quicker and more thoroughly to criticisms.

In all, I think Tom Krazit of C-Net hits the nail on the head:

With all the scrutiny on Google these days, however, it appears that the time is ready for privacy to become as important a part of Google's product design philosophy as the placement of pixels. Google says it takes this responsibility very seriously, but despite including tens of thousands of Googler on pre-launch Buzz testing, the privacy mistakes still slipped through the cracks.

How can Google avoid making these mistakes in the future?

For one, the company needs to make sure it strikes a better balance between internal and external feedback. It's understandable that Google would prefer to test things with its own employees to prevent product leaks, but unless Google wants to invest in ethnographers and social scientists to balance the engineers, it will need to solicit outside feedback to make sure it understands the needs of regular people.


Also, Google does not have a chief privacy officer listed as part of its operating committee, and the word "privacy" does not appear in the job description of any of the dozens of top executives listed on Google's management page.

A company representative said that Google has chosen a strategy where "rather than having a single, isolated privacy department, here at Google we embed the importance of privacy into our products and systems from engineers through executives, guided by trained privacy professionals." However, despite that focus, the privacy controls in Google Buzz were deemed adequate by those people.

That can't happen again: Google simply can't afford to make any more mistakes regarding privacy. Otherwise, it will start to lose the trust of its users, who have been reminded for years that the competition is just a click away.

I think Google would do well to take heed to the advice of Mr. Krazit. Time will tell....

Friday, February 12, 2010

More on GPS Tracking of Cell Phones and the Fourth Amendment

I want to add to the recent discussion I've been having here on the upcoming landmark privacy rights legal battle. The issue at hand is over what the proper legal standard should be when prosecutors demand cell phone location data.

A little case history first: Last April, the Washington Post reported that while serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained these documents from the Justice Department in an ongoing lawsuit over cell phone tracking. While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure.

Tracking without a warrant disregards an internal U.S. Justice Department recommendation that prosecutors obtain probable cause warrants before gathering location data from cell phones. Of the cases in which probable cause wasn't established, documents showed 19 allowed the most precise tracking available. Those cases occurred after the November 2007 Justice Department recommendation that prosecutors seek warrants.

Documents released by the ACLU have also shown that of the states randomly sampled, New Jersey and Florida used GPS tracking without obtaining probable cause or warrants. Four other states, California, Louisiana, Indiana, Nevada and the District of Columbia reported having obtained GPS data only after showing probable cause.

Those documents were part of the ongoing lawsuit by the ACLU and Electronic Frontier Foundation on how the government tracks cell phone users. As these two privacy protection stalwarts argued in those cases, government tracking without a probable cause or warrant is a violation of the Constitution's Fourth Amendment, which guards against unreasonable search and seizure. Government prosecutors have argued that only a court order showing the tracking data is relevant to a criminal investigation is needed.

And if that wasn't enough, there was last December's revelation that Sprint received 8 million law enforcement requests for GPS location data in just one year.

You can read a host of past posts on this topic, here, here and here.

Now, before I get to two more articles on this case that is going before the 3rd Circuit, I want to re-post the rather hilarious "coverage" of the revelations regarding Sprint from Stephen Colbert on the Colbert Report:


The Colbert ReportMon - Thurs 11:30pm / 10:30c
The Word - Spyvate Sector
http://www.colbertnation.com/
Colbert Report Full EpisodesPolitical HumorSkate Expectations


Now to the Wall Street Journal's take:

But how easy should it be for the FBI or other law enforcement authorities to pull cell-phone data showing a user’s location? Is it enough for authorities to show that it has “reasonable grounds” to believe that the data is “relevant and material to an ongoing investigation?” Or should a higher standard apply? Should a law enforcement have to have “probable cause,” as established by the Fourth Amendment?

The issue is all teed up for argument Friday at the Third Circuit in Philadelphia. Click here for a preview from Proskauer’s Jeff Neuberger, who’s not involved in the case; click here for an op-ed in Thursday’s Philadelphia Inquirer; here for a piece on the case from Newsweek, which has links to filings in the case.

The quick backstory: In late 2007, the United States applied for court permission to obtain information about the location of an individual’s cell phone, without showing probable cause that tracking the individual would turn up evidence of a crime. A magistrate judge denied the government’s request and a district court upheld that decision in September 2008. The government is appealing the ruling in the U.S. Court of Appeals for the Third Circuit. According to Newsweek, the hearing will represent the first time a federal appellate court has hear arguments on the legality of the data-collecting methods.

The Electronic Frontier Foundation, along with the ACLU, are arguing that the Third Circuit should uphold a lower court’s ruling that the higher standard should apply.

Wrote the ACLU’s Catherine Crump, in her Inquirer op-ed:

What’s at stake in the case is not whether it’s OK for the government to track the locations of cell phones; we agree that cell-phone tracking is lawful and appropriate in certain situations. The question is whether the government should first have to show that it has good reason to think such tracking will turn up evidence of a crime.

We believe it should. This case is not about protecting criminals. It’s about protecting innocent people from unjustified violations of their privacy.

Now, let's see what PC World had to say about this landmark case:

The U.S. Department of Justice will argue that it does not need to present a judge with probable cause of a crime to obtain mobile-phone tracking information in a hearing scheduled for Friday in Philadelphia.

The DOJ will argue before the U.S. Court of Appeals for the Third Circuit that it does not need a court-ordered warrant to obtain cell site location information from mobile phone carriers, in an appeal of a magistrate judge's ruling against the agency's effort to get its hands on mobile phone locations records in a drug trafficking investigation.

...

"You've got probably 250 million Americans walking around with tracking devices," said Jim Dempsey, vice president for public policy for the Center for Democracy and Technology (CDT), a digital liberties advocacy group. "The question is, what does it take for the government to turn that on and to secretly track you?"

...

"Does the Constitution apply to these new -- completely unprecedented, really -- technologies?" Dempsey said. "The Justice Department says the Constitution was a horse-and-buggy kind of thing. We say, no, the Constitution was written for the ages, and it should be applied to these new, intrusive capabilities that technology provides to the government."

...

...the cell tower records "provide only a very general indication of a user's whereabouts at certain times in the past," the DOJ said. Because the records do not pinpoint an exact location, they do not constitute an unreasonable privacy invasion prohibited by the Fourth Amendment, the DOJ said. Cell site records do not even indicate a phone's distance from the serving tower, let alone its specific location, the DOJ said.

However, U.S. law enforcement agencies have used cell site information to track suspects, Dempsey said. The cell site information is close enough for law enforcement investigators to infer that a suspect was at home at the time of a phone call or at his workplace, he said. U.S. law enforcement agencies have used cell site information to establish suspects' locations during trials, he noted.

Click here to read more.

Look, I'm a huge fan of the HBO show The Wire - and god knows I was rooting for the cops to get clearance to track a variety of the dealers cell phones. But that's a show, this is the real world that I have to live in. And if I remember correctly, there was some significant probable cause established anyway...as there should be in the here and now too.

What's at stake here is whether it's okay for the government to track the locations of cell phone users without having to demonstrate there's good reason to do so. If we've learned anything post Patriot Act, its that law enforcement and the government do abuse unchecked power, even if only in certain, and rare situations. But to me, that's enough of a reason to require probably cause, period.

As the ACLU points out, "This case is not about protecting criminals. It's about protecting innocent people from unjustified violations of their privacy."

Tuesday, February 9, 2010

3rd Circuit Court to Take Landmark Cell Phone Privacy Case

We now have a location for the upcoming landmark privacy rights legal battle over what the proper legal standard should be when prosecutors demand cell phone location data. As reported in Law.com the 3rd U.S. Circuit Court of Appeals will hear arguments this week.

First, some background: What makes GPS devices a useful law enforcement tool (i.e. they track our whereabouts) is precisely what also makes them a privacy threat.

An editorial by the New York Times last year on the case, and whether law enforcement has the right to install GPS tracking devices in suspects vehicles without probably cause or a warrant hit the nail on the head:

A federal appeals court in Washington, D.C., heard arguments last week about whether police should have to get a warrant before putting a GPS device on a suspect’s car. It is a cutting-edge civil liberties question that has divided the courts that have considered it. GPS devices give the government extraordinary power to monitor people’s movements. The Washington court should rule that a warrant is required.

...

The Supreme Court has not considered the question of whether the police need a court order to install a GPS device. The government has tried to draw an analogy to a 1983 case in which the court ruled that the police do not need a warrant to use a radio beeper to track a vehicle on public roads, but the circumstances were different. In that case, the police were conducting visual surveillance of a particular suspect’s movements, and a beeper augmented the officers’ senses. A modern GPS device is a far more potent means of tracking people than a beeper

....

The New York Court of Appeals, the highest New York court, got it exactly right earlier this year, insisting that permitting police to install GPS devices without judicial oversight would be “an enormous unsupervised intrusion by the police agencies of government upon personal privacy.” As technology advances, government will continue to acquire new and more efficient ways of monitoring people. It is critical that the privacy rights guaranteed by the Fourth Amendment keep up with those advances.

Documents released by the ACLU have showed that of the states randomly sampled, New Jersey and Florida used GPS tracking without obtaining probable cause or warrants. Four other states, California, Louisiana, Indiana, Nevada and the District of Columbia reported having obtained GPS data only after showing probable cause.

Those documents were part of the ongoing lawsuit by the ACLU and Electronic Frontier Foundation on how the government tracks cell phone users. As these two privacy protection stalwarts argued in those cases, government tracking without a probable cause or warrant is a violation of the Constitution's Fourth Amendment, which guards against unreasonable search and seizure. Government prosecutors have argued that only a court order showing the tracking data is relevant to a criminal investigation is needed.

Adding fuel to the fire was last December's rather astonishing news that Sprint received 8 million law enforcement requests for GPS location data in just one year. The Talking Points Memo ("How Easy Is It For The Police To Get GPS Data From Your Phone?") added some needed context on the revelations:

Police can in some cases track cell phone location by merely telling a court that the information is relevant to an investigation, a legal expert tells TPM - a fact that may partly explain how law enforcement racked up 8 million requests for GPS data from a single wireless carrier in a year. An increasingly popular and easy-to-access surveillance tool for police, GPS data is not currently protected by the Fourth Amendment, and the standards for gaining access to the information are murky and highly variable. That's partly because one of the statutes that bears on the issue was passed in the mid-1980s, before many of the technologies involved were invented. And Congress hasn't done much to update the law since.

Now, we are one step closer to getting a final answer - or at least some precedence - on this fundamental and uncharted Constitutional question.

Law.com reports:

Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard.

...

Now, in an appeal of Lenihan's ruling, the 3rd Circuit will become the first federal appellate court to tackle the question as Justice Department lawyers square off against a coalition of privacy and civil liberties lawyers from the Electronic Frontier Foundation, the Center for Democracy & Technology and the American Civil Liberties Union.

...

As cell phone users change locations, the cell phones "automatically switch cell towers," she wrote, and telephone companies "track the identity of the cell towers serving a phone."

In urban areas, where towers have become increasingly concentrated, Lenihan said, tracking the location of just the nearest tower itself can place the phone within approximately 200 feet, and triangulation data can provide an even more precise location, as close as 50 feet.

Phones equipped with global positioning system, or GPS, capabilities, can be tracked extremely accurately, Lenihan noted. Lenihan concluded that the data sought by the prosecutor amounted to "tracking information," and that Congress clearly intended to require prosecutors to meet a probable cause test to secure such data.

The Justice Department argues that Lenihan got the issues wrong because the statutes clearly allow the government to require "a provider of electronic communication service" to disclose "a record or other information pertaining to a subscriber."

...

But Freiwald argues in her brief that "to deny Fourth Amendment protection based on the government's assurance that it seeks only limited [cell phone location data] flouts the fundamental principle that Fourth Amendment protections may not be left in the hands of law enforcement agents."

Bankston, in a brief jointly filed by the Electronic Frontier Foundation, the ACLU and the Center for Democracy & Technology, urges the 3rd Circuit to uphold Lenihan's ruling on the grounds that Congress intended to give judges the discretion to deny such requests and require prosecutors to meet the ordinary standard for a search warrant.

Cell phone users, Bankston argues, have an expectation of privacy in such data because they "simply do not voluntarily expose their location whenever they make calls and receive calls ... nor do they do so merely by turning on their cell phones."


Click here for more.

I'd like to know more about those specific cases in which probable cause was not established and the tracking was done without warrants. We have seen too many examples of the government and law enforcement - particularly in recent years - using surveillance technologies not to actually protect Americans or "fight terrorism", but rather to stifle dissent (i.e. anti-war activists, economic and social justice protesters, etc.), monitor political "enemies", bust small time drug dealers, and even eavesdrop on journalists.

I am eager to find out who some of these cell phone users were (if not by name, but reason) and why they were tracked. And of course, because the government says it will only use this new surveillance power when its warranted, doesn't mean it true! Let's not let yet another privacy protection and cornerstone of our judicial system fall prey to the pervasive and unwarranted fear of terrorism and the subsequent abuses it tends illicit from our government. Stay tuned...as this case will effect the way in which the Fourth Amendment is interpreted in today's technological age for the years to come...

Friday, February 5, 2010

Google and the NSA? Really?

When I heard that Google - the world's largest and ever expanding privacy allergic technological empire - had enlisted the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) for technical assistance to learn more about the computer network attackers who breached the company’s cybersecurity defenses last year, I thought, "what could possibly go wrong with this partnership?"

I'm being facetious of course, and I can't say I believe there's something necessarily nefarious going on here, but I wouldn't go so far as to say I believe the "anonymous sources" version of the story either.

Anyone that has read this blog knows I have written a number of posts about Google's confrontational relationship with privacy, and the variety of ways this can be demonstrated in a host of its products.

I've written about the approaching launch of Google Books just around the corner in which the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic have even launched a Google Book Search privacy campaign to address. I've written about the loss of "Locational Privacy" and how a host of Google products relate to that growing privacy protection challenge.

And I've posted a lot about other examples demonstrating Google's less than stellar record on privacy in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques.

In a nutshell, as I wrote a few months back, "It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to privacy as it relates to their technological innovations."

My problems with the NSA are too numerous to detail here for you now, but let's just say they aren't known for their deep respect for privacy or the fourth amendment. In other words, we have the largest search engine company in the world teaming up with the federal agency in charge of global electronic surveillance...and what they're doing is confidential. Hmmm....

Noah Shachtman of Wired magazine makes some important points to consider:

The National Security Agency is widely understood to have the government’s biggest and smartest collection of geeks — the guys that are more skilled at network warfare than just about anyone on the planet. So, in a sense, it’s only natural that Google would turn to the NSA after the company was hit by an ultrasophisticated hack attack. After all, the military has basically done the same thing, putting the NSA in charge of its new “Cyber Command.” The Department of Homeland Security is leaning heavily on the NSA to secure .gov networks.

But there’s a problem. The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens.

According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”

All of which makes the NSA a particularly untrustworthy partner for a company that is almost wholly reliant on its customers’ trust and goodwill. We all know that Google automatically reads our Gmail and scans our Google Calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us. But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its “don’t be evil” mantra.


That’s a lot harder to swallow, when Google starts working cheek-to-jowl with the overcollectors. The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data. Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to cooperate, and Google’s willingness to take this first step.

So what exactly is the agreement between these two behemoths? That, unfortunately, isn't really clear - unless you believe those oh so trustworthy "anonymous sources". Here's what the New York Times had to say about the deal:

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”

The United States government has become increasingly concerned about the computer risks confronting energy and water distribution systems and financial and communications networks. Systems designated as critical infrastructure are increasingly being held to tighter regulatory standards.

On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists. In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers.

And the Washinton Post adds a bit more detail:

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program.

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."

...

The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said.

In other words, there's a lot still "unknown" here, outside of a few anonymous sources assuring us there will be no disclosures of proprietary data, on say, the tens of millions of google users. I'd also argue that it brings some perhaps some undesired, but needed attention on the Constitution subverting ways of the NSA.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group, noted: “Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world."

He also believes the agreement covers much more than the Google hack, particularly in light of the fact that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked, stating, “What they’ve told you is that this is about an investigation of a hack involving China. I think and have good reason to believe that there’s a lot more going on.”

Wired magazine adds some needed depth to the Post and Times stories:

On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 , a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

The FOIA request also seeks NSA communications with Google regarding Google’s failure to encrypt Gmail and cloud computing services. Rotenberg says EPIC wants to know what role the NSA has played in shaping privacy and security standards for Google’s services.

EPIC also filed a lawsuit against the NSA and the National Security Council, seeking a key document governing the government’s broader national cybersecurity policy, which has been shrouded in secrecy.

We can’t afford to have secret cybersecurity policy that impacts the privacy rights of millions of internet users,” said Rotenberg.


...

Matthew Aid, NSA historian and author of The Secret Sentry, said the move troubled him. “I’m a little uncomfortable with Google cooperating this closely with the nation’s largest intelligence agency, even if it’s strictly for defensive purposes,” he told the Post.

The NSA has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications. Giving the agency authority over coordination of the government’s cybersecurity plan — which would include working with telecoms and other critical companies in the private sector — could put the agency in the position of surreptitiously monitoring communications.

Click here to read the rest of the Wired article.

I want to conclude by going back to Noah Shachtman of Wired magazine, and his take on the business angle in all this:

Google may need help in fighting off these hacks. But turning to Ft. Meade could wind up permanently damaging the company’s image — and the foundation of its incredible success. Already, the Russian press are talking about Google’s decision to spy with NSA, for instance. Hackers might be able to compromise some of Google’s services, for a little while. The association with the NSA could permanently cripple the company. The telegram companies and the old-school telcos were virtually monopolies; customers had nowhere to turn, if they wanted private communications. Bing and Yahoo Mail are just a click away.

Needless to say, I'll be watching this story...

Tuesday, February 2, 2010

Congress and the FBI's Illegal Collection of Phone Records

I want to follow up today on a recent post I wrote about revelations regarding the FBI illegally collecting more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply by persuading phone companies to provide records (remember Retroactive Immunity for the Telecoms...well, you're welcome you guys).

E-mails obtained by The Washington Post detailed how counter terrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats - another disturbing and re-occurring theme I want touch on more today.

The reason I'm coming back to this story is because the Los Angeles Times actually editorialized on the subject today - in favor of privacy and transparency I might add.

Since the editorial is short, I'll post it here in full:

A recent report from the Justice Department's internal watchdog adds new and disturbing detail to its previous criticism of the FBI for cutting legal corners to obtain telephone records of U.S. citizens. As with past evidence of wrongdoing, the bureau insists that it has changed its ways, but senators rightly are pressing the Obama administration to close a possible loophole that could allow future abuses.

In the aftermath of 9/11, between 2002 and 2006, FBI agents obtained thousands of calling records without following legal procedures. Nor were all the violations examples of unintentionally failing to cross a bureaucratic "T" or dot a technical "I." Some agents clearly regarded legal constraints on their actions as nuisances to be ignored.

In its third report on the subject in three years, the Office of the Inspector General describes an "egregious breakdown" in oversight. It details how agents abused "exigent letters" -- a device for obtaining records in an emergency -- and informally elicited information from compliant employees of telephone companies, requesting records through e-mails or by scribbles on Post-it notes. Sometimes investigators engaged in "sneak peeks" of confidential records in which they looked over the employees' shoulders at their computer screens. The FBI also made inaccurate statements about its use of exigent letters in court filings.

According to Inspector General Glenn A. Fine, the relationship between the FBI and the telephone companies was so intimate that company representatives were stationed in FBI communications centers. Thus firms with access to sensitive personal information were essentially partners with a powerful law enforcement agency in violation of Americans' privacy rights. The FBI insists that errors were unintentional and that improperly obtained information will be sealed or destroyed. But that doesn't alter the offensiveness of skirting procedure.

The inspector general's latest report concludes with specific recommendations -- including additional training and greater scrutiny of contracts with telecommunications firms -- to ensure that both the bureau and the companies abide by privacy laws. It also recommends the FBI consider disciplinary action for those who ignored or violated the law. Atty. Gen. Eric H. Holder Jr. should implement these recommendations.

Finally, the report suggests that the Justice Department may be reserving the right of the FBI to inspect telephone records "without legal process or a qualifying emergency." Several senators have rightly asked Holder to share a Jan. 8 memo that apparently outlines such an exception. Holder should comply. Congress needs to make sure for itself that the FBI is not being encouraged to return to its old ways.

Rather than re-invent the wheel, I'll just point readers to my post on this topic two weeks ago...because I "went off" on the disturbing pattern of government and corporate abuses of the peoples' privacy and constitutional rights since 9/11.

Here are a couple clips that I think are worthy of republishing today:

With each new "privacy revolting" revelation to make it public has come the subsequent validation of many of my darkest fears regarding how the government and law enforcement would abuse the unprecedented powers granted them in reaction to the September 11th attack. We should all be giving special thanks for the Freedom of Information Act and the work of privacy rights and civil liberties groups.

...

An undeniable pattern has emerged over the past few years that fundamentally challenges the entire premise of a "war on terror" and exposes just how ineffectual and counterproductive these policies have actually been. The reoccurring theme goes like this: Powerful interests - inside and outside of government - sell fear as way to justify the steady assault on our civil liberties, increased spending on military defense, and the growth of the surveillance state.

But here's another important piece of the puzzle that keeps popping up: more often than not the government HASN'T USED these expanded powers to actually fight terrorism (instead often to thwart anti-war protesters, bust small time drug dealers, monitor journalists, and who knows what else?) - as was promised. This begs a larger question, "Who has been targeted and why?"

...

...do these increasingly intrusive and even unconstitutional anti-terrorism measures actually make us any safer (or less so)? And if so, is it worth the price? And, how can any free society benefit from, or reconcile, such policies as illegal search and seizures (including of laptops), warrantless wiretapping, the tracking of GPS devices in peoples cell phones, the utilization of "whole-body-imaging" (digital strip search) scanners in airports, the evisceration of Habeus Corpus, Rendition, Military Tribunals, and the Patriot Act?

Another question worth pondering: Can we really "defeat" terrorism by embracing a less free and more fearful society (two primary goals of terrorists)? Similarly, don't many of these government abuses constitute a form of terrorism in and of itself? And finally, a growing amount of evidence now suggests that we are gathering TOO MUCH information, and our expanding surveillance state is making us LESS safe, not more.

...

It is this irrational fear of terrorism that seems to be at the root of our nation's current "civil liberties and privacy" crisis. It is hard to imagine that without this fear, we would so easily give up our rights, support wars on countries that did nothing to us, and accept wasting precious resources on ineffective and burdensome security systems that diminish our quality of life (think of airports)?

Read the rest here.