Thursday, December 22, 2011

Electronic Health Record Data Breaches Surge

Most of us have come to the obvious, inevitable realization that we are going to shift (and in fact are doing so right now) what are currently called personal health records from a paper system to an electronic one. Having your medical records computerized and stored electronically promises to reduce medical errors - including prescribing the wrong medications. The National Academy of Sciences' Institute of Medicine estimates between 44,000 and 98,000 people in the United States die each year because of errors such as being prescribed medicine to which they are allergic.

These EHR’S offer an easier way to collect, double-check and complement the information you receive from your physician. At the very least, your records can help you speed through waiting room forms and prompt important conversations with your physicians. If your doctor writes a new prescription, you can use your current medication list to ask about any interactions with the new drug. Or if your records suggest it’s time for a colonoscopy, you might make time to discuss the pros and cons of the procedure.

EHR’S can also allow you to access your health information to prepare for medical appointments. As laid out by Patient Privacy Rights, "It can enable you to communicate better with your healthcare providers about your medical needs. People with chronic health conditions may use them to keep track of such things as how their medications are affecting them, or how they’re feeling from day to day. People with hypertension might want use it to track their blood pressure readings."

Transitioning to a health information exchange will create much more patient data in electronic formats than ever before in history. The privacy threat posed by the interoperability of a national network is a key concern because in order for the records to be readily available and accessible they would have to be linkable and searchable.

If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies.

I give you this backdrop because we are witnessing increasing numbers of data breaches that are exposing - on a mass level - peoples personal health records.

Before I get to the latest news on partly why these breaches are occurring (hospitals skimping on their security costs), let me layout some of the data and its costs we ALREADY knew about:

  • More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute.
  • While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. 
  • Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009.
  • HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals. 
  • In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals.
Now that we've gone over just a few of the reasons why this is all so important, and why concerns articulated by privacy advocates that STRICT privacy safeguards, at every step of the transition process must be implemented have been proven true, lets get to some of the reasons WHY such breaches are occurring.

As Business Week reported:
 

Data breaches at U.S. health-care providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.

Forty-nine percent of health organizations said that lost or stolen devices were to blame for breaches, according to the institute, which surveyed 72 hospitals and health providers. The study didn’t name the organizations surveyed.


...

Fifty-three percent of the organizations surveyed said that inadequate funding was the biggest barrier to preventing data breaches, according to the study.

U.S. data-breach notification laws for health organizations are making providers more aware of their security vulnerabilities, Ponemon said. Data breaches affecting more than 500 people must be reported to the Health and Human Services Department, which posts a list of incidents on its website.

Health providers, insurers and their business partners reported 373 breaches affecting almost 18 million individuals between September 2009 and October of this year, according to the list, which is tended by the Health and Human Services Department’s Office of Civil Rights.


In  fact, the Privacy Rights Clearinghouse listed the now notorious Sutter Health data breach as one of the largest of the year. Amber Yoo, the organization's Communications Director recently wrote in the California Progress Report, "Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law....The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.

In addition, Amber points out another massive breach, writing, "Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification."

The good news, as if there is any in all this, is that California recently implemented one of the strongest data breach notification laws in the country - one we here at the Consumer Federation of California worked hard to pass the legislature and convince Governor Brown to sign. Now, thanks to the law, any breached entity must submit their notice letters to the California Attorney General. The AG's office will then post the letters on its website. In addition, the notifications sent to individual who's private information was breached will be clearer, more detailed, with specific recommendations for what to do no next, including who to call.

As for the larger issue of electronic health records, as these breaking news stories make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent, and state laws often conflict with federal ones.

For instance, the federal law on the books only require that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Thursday, December 15, 2011

Federal Probe Of Carrier IQ Launched

For all the background you could ever need on the Carrier IQ controversy check out my recent posts on the subject, starting from earliest to the latest, here, here, and here.

As we know, executives from Carrier IQ — the company whose spying software was secretly installed in as many as 150 million cellphones — went to Washington to answer questions posed by the Federal Trade Commission and the Federal Communications Commission.

As I have written too many times to count on this blog, a lot of this comes down to data ownership and control - as in its OUR data and it should be in OUR control. Clearly, in the case of Carrier IQ and increasing numbers of telecom companies, third party marketers, and many more, we are seeing the invasion of individual privacy on a mass scale, including locational tracking and web search monitoring.

Now to the latest news: The FTC and FCC are looking into this matter closely...but we need and deserve more than just a questioning of Carrier IQ, but an investigation into what companies like AT&T, Sprint and T-Mobile are doing with our data as well.

With that, let's get to the Washington Posts coverage of these new inquiries:

Federal investigators are probing allegations that Carrier IQ software found on about 150 million cellphones tracked user activity and sent the information to cellphone companies without informing consumers, according to government officials...The FTC inquiry was confirmed by officials who spoke on condition of anonymity because it is private. An FTC spokeswoman said she could not confirm or deny whether the agency was investigating Carrier IQ. But a spokesman for Carrier IQ said company executives were cooperating with federal agencies.
...

Carrier IQ has said that its software is not designed to capture keystrokes or the content of messages but that in some cases that might have happened by accident. The data are intended to help improve the user experience with smartphones, the company said.

Woods said Carrier IQ chief executive Larry Lenhart and Coward met with regulators at the FTC and the FCC. The Carrier IQ executives also met with the staffs of three senators — Richard Blumenthal (D-Conn.), Christopher A. Coons (D-Del.) and Al Franken (D-Minn.) — who each had written letters of concern to Lenhart.

Three of the four major cellular providers — AT&T, T-Mobile and Sprint — have said they use the company’s software in line with their own privacy policies. A Verizon spokesman said the program is not on any of the company’s mobile devices. Apple has said it would remove Carrier IQ from i­Phones in a future software update.

Rep. Edward J. Markey (D-Mass.) asked the FTC on Dec. 2 to investigate the practices of Carrier IQ as possibly unfair or deceptive. “I have serious concerns about the Carrier IQ software and whether it is secretly collecting users’ personal information, such as the content of text messages,” said Markey, co-chairman of the Bi-Partisan Congressional Privacy Caucus. “Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone.”

...

While Carrier IQ executives were meeting with federal regulators, another controversy about the company erupted in the blogosphere. A response by the FBI to a reporter sparked rumors that the bureau was using the software for domestic surveillance.

The FBI denied a request for information regarding Carrier IQ filed by a reporter for MuckRock News under the Freedom of Information Act. The reporter had asked for “manuals, documents or other written guidance used to access or analyze data” gathered by any Carrier IQ program. In denying the request, the FBI said it had information but could not disclose it, because it was considered “law enforcement records.”


...

The backlash following Eckhart’s research has prompted several lawsuits against the company, mobile carriers and handset makers, including two class action lawsuits in Illinois. A class-action lawsuit has also been filed against AT&T, Sprint Nextel, Apple, T-Mobile USA, HTC, Samsung, Motorola and Carrier IQ by mobile phone customers in Delaware.


Click here to read more.

There are two particularly important developments here, one, that the FTC and FCC are looking into this controversy and two, the fact that the FBI and its potential use of this technology is being discussed and questioned. From the beginning, when I see the potential "uses" of this kind of tracking technology, in addition to the usual concerns, from stalkers to identity thieves to third party marketers, I worry about law enforcement access.

These concerns are especially resonant with me because two major battles over smart phone privacy are being fought in the courts and the California legislature as we speak: one being whether law enforcement can track individuals locations in real time without a warrant, and two, whether law enforcement can search someones smart phone, also without a warrant. Its not much of a leap to also suspect they'd want access to the treasure trove of information being collected by a technology like Carrier IQ.

As I detailed last post, there is debate now over whether Carrier IQ actually collects every keystroke, and therefore the contents of text messages and emails.  However, The Electronic Frontier Foundation has just released a technical report on Carrier IQ that concluded that "keystrokes, text message content and other very sensitive information is in fact being transmitted from some phones on which Carrier IQ is installed to third parties."

As CNET reported, "This is most likely inadvertent and "happens when crash reporting tools collect copies of the system logs for debugging purposes," Peter Eckersley, technology projects director for the EFF, wrote in the report.

"Our software does not communicate with Android and does not transmit any files up to Google or anybody else," Coward said today. "Our implementation, the only thing we are sending out is metrics ... if other information is going out of the device to Google or anyone else it has nothing to do with Carrier IQ."

"There should not be personal information written into the Android log files. Applications can get ahold of them, on the one hand, which is not good," he continued. "We've implemented a new procedure as we qualify our software on devices (and) we check that...We saw the Android log file may be receiving messages from our software but ... also from other applications too. So it's a generic issue here with regard to Android log files that the industry needs to address and we point that out in the report." 


Clearly there are a lot more questions in need of answers. 

As the Free Press noted in a recent action alert, "Mobile phones are the new frontlines in the battle over our right to communicate." As for next steps, I'm also in agreement with Free Press in that its time Congress takes a closer look at the role of companies like AT&T, T-Mobile, and Sprint - particularly as it relates to what's being done with our data.

Monday, December 12, 2011

Does Carrier IQ Record Text Messages and Emails?

There are now conflicting analyses regarding whether Carrier IQ's software (that was kept secret from consumers) goes as far, and captures as much, information as initially suspected. Now, this is NOT to say there aren't all kinds of questions that remain unanswered, nor is this to say that there still aren't deeply disturbing components to this story (See my past two posts for a complete detailing of this continually evolving story).

But, we now have heard from Carrier IQ's Vice President and a Linux kernel hacker who just completed his own analysis of the software, and they say its incapable of recording keystrokes or "perusing SMS messages and e-mail correspondence."

These assertions contradict the initial claims made by Android developer Trevor Eckhart (and demonstrated on video). Before I get to them, let's be clear on some of the real concerns and questions that remain, including: what the company does with all the data they've been collecting (even if they can't read emails and texts...they still know your searches, location, and app purchases...and more), what kinds of data it collects, why the software was buried so deep within the operating system and without consumer knowledge (or choice), what devices have this code installed, what carriers are aware of it (and what they might be doing with it, if anything), whether government/law enforcement has had any role in this process (including requests for access to data), and many more.

With that said, let's get to the latest analysis of this code from Cnet:

He found that contrary to what a slew of initial -- and erroneous -- reports claimed, the Carrier IQ software is not a keylogger and "cannot" be configured as one. "CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," Rosenberg concludes. "There is simply no metric that contains this
information."


...

Rosenberg determined that Carrier IQ can, as a YouTube video by Trevor Eckhart indicated, record what digits are pressed in the dialer application. But it "cannot record any other keystrokes besides those that occur using the dialer," wrote Rosenberg, who says he has no affiliation or relationship with Carrier IQ.

...

Rosenberg suggested that carriers need to let consumers "opt out of any sort of data collection," that there should be "more transparency on the part of carriers in terms of what data is being collected from users," and that there "needs to be third-party oversight on what data is collected to prevent abuse." 

...

It's true that carriers already know what URLs you're visiting when you use their network--meaning that, in many cases, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, when a list of URLs visited on a Wi-Fi network is transmitted, or when encrypted HTTPS URLs are leaked.

Sprint and AT&T, which have acknowledged they use Carrier IQ, have not elaborated on what options they have chosen to enable, except to indicate that the use is consistent with their privacy policies. 


Click here to read more.

Network World has a lot more:

In his blogpost, a table lists the metric ID, the metric itself, the data sent, and the "situation" that triggers the metric:

* browser page render event

* location event, which can use GPS or other location data
* HTTP request sent, or response received (the URL, request type, content length, and so on but not page contents)

* network state changes, sending an "internal identifier"

* a range of telephony and radio events (such as a dropped call,  service issues, and so on)

* hardware event, sending data such as voltage, temperature, battery level

* key presses, but only in the phone dialer application

* miscellaneous GUI state changes, such as battery state

* starting or receiving a call or a failed call, which sends CallerID, state, and phone number

* application events such as a stopped app, or a new app, sending the application name

* questionnaire event, used when Carrier IQ is configured to present the user with a service questionnaire

* SMS message received or sent, which includes message  length, phone, number, status, but no text from the body of the message.


...

HTC's failure to disable the display of the debug statements constitutes a legitimate potential security threat to user information. These are a "risk to privacy," Rosenberg says, and HTC should mitigate that risk by disabling these debugging messages. But it's not a risk created by the CIQ software or the data it is able to collect.

In his blogpost, Rosenberg spells out what the deconstruction of the CIQ code reveals about how the application actually works, as revealed by the metrics enabled for his Samsung phone. 

"Taking this information into account, all of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," Rosenberg concludes. "Every metric in the above table has potential benefits
for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential."


...

Nonetheless, Rosenberg is critical of the way the Carrier IQ application has been implemented in the carrier-manufacturer relationship. End-users should be able to opt out of any sort of data collection; carriers should be clearer and plainer about what data is being collected from the phone, and why; and "there needs to be third-party oversight on what data is collected to prevent abuse."

Finally, he says, the "legality of gathering full URLs with query parameters and other data of this nature should be examined."


Click here to read more.

Due to time constraints, I'm going to have to discuss the interview with the VP of Carrier IQ in a future post, but you can check it out here...its very comprehensive. What I will include is the conclusion reached by reporter Sean Hollister after conducting the interview (who's been all over this story from the outset):

Carrier IQ claims that it is not the source of the insecure log files discovered on HTC devices. Other technical details — including how exactly Carrier IQ stores and transmits its data and how carriers utilize it — are both comforting and disquieting by turns. Although more secure and less nefarious than originally feared, there may still be ample opportunity for malware to access its data. At the very least, how Carrier IQ’s software is implemented on various devices needs wider scrutiny from both security experts and regulators.

...the biggest takeaways are that Carrier IQ and its client operators have logical reasons for taking most of the information they do — and mind you, many forms of personal data, like the contents of SMS and emails, aren’t being tracked at all, and no data is tracked in real time — but by the same token, it feels like there may be a lack of oversight when it comes to mobile privacy.


We are slowly beginning to see a clearer picture of what this all means and what the potential threats to privacy really are...at this point, I think its safe to say that the Carrier IQ software isn't as outwardly nefarious as initially suspected, and perhaps erroneously claimed by Mr. Eckhardt. On the other hand, this in no way should dissuade anyone from demanding more questions be answered - particularly how this code, with this kind of tracking capabilities, EVER could have been slipped into these products without the consumer's knowledge or ability to opt-out (let alone opt-in). This, in itself, is a dangerous precedent.

I think its also important to point out that even the VP of Carrier IQ and the Linux hacker were clear in their support for a consumers right to opt-in to such tracking, as well as their dismay they weren't even given this choice, and the code was kept secret.

Clearly, this entire episode, with its many questions still unanswered, points to the need for GREATER consumer control over data, which could be achieved, at least partially, through a Do Not Track mechanism. Another takeaway from this whole controversy is the need for improved transparency.

Jonathan Zittrain, Harvard Law School professor and cofounder of the Berkman Center for Internet and Society, has an idea for addressing this concern, stating, "It would be good to have some form of auditing function built into our devices. The auditing function can be implemented by Apple and by handset makers through Android. Make it part of the 'About' tab. And it would show with whom the phone has been communicating and the sorts of things it has been sending."

I will continue to follow this story here...

Monday, December 5, 2011

Latest Carrier IQ Revelations: Franken Steps Up, 141 Million "Products" Have Code

This story is moving fast so I want to get you the latest news regarding the revelations that a secret code (Carrier IQ) was discovered that allows your smart phone (and who knows what else) to not only be tracked at all times, but in fact, every key stroke made is monitored and stored – including the content of text messages. And perhaps most incredible, the ability to opt-out, let alone opt-in, of this kind of “super surveillance” was not made available, as the fact that this code even existed, or was being utilized, wasn’t even shared or made known to the consumer.

Now we discover that since the Carrier IQ story broke last week, we’ve learned that the company’s spying technology is present on 141 million phones, including Androids and iPhones and possibly models made by BlackBerry, Nokia and other manufacturers.

As I touched on last post, this data collected by Carrier IQ represents a virtual treasure trove of information for those seeking to access it, particularly advertisers and the government. And we know how willing the telecom industry was to give up such private information to the government in the past, just as we know how the government used the Patriot Act, not to track and catch terrorists, but rather, to target peace protesters (think Occupy) and suspected drug users/dealers.

But government desire to access this data aside, what about the likelihood that a corporate entity is tracking/recording EVERYTHING you do (i.e. where you shop, when you shop, while you shop, what you search for on the internet, who you talk and text, and what you say and write), then turning that information into a detailed digital profile (98% of Google's profits come from advertising) that they can then sell – for huge profits - to third party advertisers so they can market their products to you more effectively??? 

Thankfully it didn’t take long for privacy stalwart, Senator Al Franken, to demand answers, stating, “Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information. The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.” 

In his letter to Carrier IQ President and CEO Larry Lenhart, he writes, “I am very concerned by recent reports that your company’s software—pre-installed on smartphones used by millions of Americans—is logging and may be transmitting extraordinarily sensitive information from consumers’ phones, including:

•           when they turn their phones on;
•           when they turn their phones off;
•           the phone numbers they dial;
•           the contents of text messages they receive;
•           the URLs of the websites they visit;
•           the contents of their online search queries—even when those searches are encrypted; and
•           the location of the customer using the smartphone—even when the customer has expressly denied permission for an app that is currently running to access his or her location.


It appears that this software runs automatically every time you turn your phone on.  It also appears that an average user would have no way to know that this software is running—and that when that user finds out, he or she will have no reasonable means to remove or stop it. 

He goes on to ask a series of pointed questions in which he demands answers by December 14th, including (among many), “Is that data transmitted to Carrier IQ?  Is it transmitted to smartphone manufacturers, operating system providers, or carriers?  Is it transmitted to any other third parties? If Carrier IQ receives this data, does it subsequently share it with third parties? With whom does it share this data?  What data is shared?”

Read the whole list of questions...impressive...disturbing. So let's all mark our calendars...as I'm eagerly awaiting answers to them.

As I also pointed out last post, these revelations reaffirm the need for an opt-in, Do-Not-Track mechanism available to all consumers, whether online or using something like a smart phone. I would also encourage readers to sign and send the Free Press's action alert: “Tell Congress and the Department of Justice: My mobile phone is mine, and I have the right to be free from being spied on. “    

Thursday, December 1, 2011

New Smart Phone Privacy Revelations Uncovered

I wasn't planning on following up my last post entitled "Smart Phones and Privacy" with yet another post about the technology and some of its privacy implications. But, after reading this headline "Your Smartphone Is Spying on You"- on the front page of Yahoo no less -  I feel I have little choice.

I'm not going to go over what I just did in my last post, but suffice it to say, I detailed a number of concerns with the technology, including government/law enforcement locational tracking without a warrant or even probable cause as well as law enforcement searching peoples smart phones (also without a warrant).

The context, particularly in light of growing Occupy protests, is important here. We should be wary of giving up more and more information - including location, text messages, and internet searches, to ANYONE, let alone when considering it could fall into the hands of forces that may be seeking to stifle dissent and intimidate (as well as break the law and violate the constitution).

But this article takes the cake!! I know this sounds incredibly Orwellian, but a secret code (Carrier IQ) has been discovered that allows your smart phone to not only track you, but take and keep every keystroke you make - even the content of your text messages. And perhaps most incredible, the consumer is not even given the ability to opt-out, let alone opt-in!). In fact, the consumer doesn't even know this code is in the phone. 

Such information represents a treasure trove of information for all kinds of interests desiring access to it, particularly advertisers and the government. And of course, we know how willing and ready the telecom industry has been to do anything our government wants despite the rights and desires of their customers.

But government aside, what about the basic right to not have EVERYTHING you do recorded (i.e. where you shop, when you shop, while you shop, what you search for on the internet, who you talk and text, and what you say and write), and then have that information turned into a detailed digital profile of you (98% of Google's profits come from advertising), and then have that profile sold on the market for HUGE profits to advertisers so they can market their products to you more effectively??? Its more than our right to privacy that is being violated...its the very idea that we "own" our own private information...and that others can't take it and profit off it without our consent.

So there are two VERY disturbing aspects of this story, from the treasure trove of personal data it offers to a law enforcement, surveillance state apparatus that is becoming increasingly authoritarian, to the "commodity" we, and what we do, has become - but without our control or right to privacy.

If these revelations don't demand an opt-in, Do-Not-Track mechanism available to all consumers, whether online or using something like a smart phone I don't know what does. We should be looking for Congress, and state houses to take this issue up, and start MANDATING that such mechanisms are provided. Perhaps in that sense, this discovery will help this important cause, and legislation that will take it on.

So let's get straight to the article in the Atlantic Wire because I'm practically speechless. Adam Clark Estes reports:

The reason for this invasive Android app seems reasonable enough at face value. Even though it's on most Android, BlackBerry and Nokia devices, most users would never know that Carrier IQ is running in the background, and that's sort of the point. Described on the company's website as software to gain "unprecedented insight into their customers' mobile experience," Carrier IQ is ostensibly supposed to help mobile carriers and device manufacturers gather data in order to improve their products. Tons of applications do this, and you're probably used to those boxes that pop up on your screen and ask if you want to help the company by sending your data back to them. If you're concerned about your privacy, you just tap no and go about your merry computing way. As security-conscious Android developer Trevor Eckhart realized, however, Carrier IQ does not give you this option, and unless you were code-savvy and looking for it, you'd never know it was there. And based on how aggressive the company has been in trying to keep Eckhart quiet about his discovery, it seems like Carrier IQ doesn't want you to know it's there either. … 

This week, Eckhart fired back with a 17-minute long video showing in painstaking detail how much data CarrierIQ collects, effectively undercutting the company's denial. It was even logging contents of text messages! Wired posted the video on Tuesday night and cemented CarrierIQ's status "as one of nine reasons to wear a tinfoil hat." The magazine explains how CarrierIQ even undercuts other companies' security measures...



Tracking is creepy. In an Orwellian kind of way, it makes people nervous -- especially Americans -- that the government or the corporations or the system is closing in on them and stealing their freedom. Of course, not everybody feels so strongly about privacy, but as long as you can opt out, it should be fine. This seems be where privacy agnostics as well as advocates both get concerned. Some people don't mind being tracked, but nobody wants to be tricked. Last week, Sen. Charles Schumer spoke out about a program at some malls in Virginia and Southern California that were anonymously tracking shoppers' movements by tracking their cell phone signals, and the only way to opt was by not going to the mall. Schumer did not approve. "Personal cell phones are just that -- personal," the New York senator said in a statement. "If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so." The CarrierIQ software is not dissimilar to the shopper tracking program. In fact, it's arguably worse since it follows you everywhere. In the age of social media, everybody is becoming increasingly aware of and often angry about the amount of private data companies are scooping up with or without their consent. 

This week, the Federal Trade Commission and Facebook came to an agreement that the social network must make all of their new programs opt-in so as not to break the law by violating users' privacy. Even Mark Zuckerberg admitted in a sincere-sounding blog post that his company had "made a bunch of mistakes" on the privacy front in the past. He went on to detail how "offering people control over the information they share online" was a top priority. This is Mark "Privacy Is Over" Zuckerberg we're talking about here. With Facebook reportedly building its own mobile phone platform, wouldn't it be super ironic if people started defecting from the Android army and switching to the Facebook phone in the name of privacy? 

Your move, Google.

Here's the video:



So what to do? Thankfully, it didn't take long for the Free Press's "Save the Internet" campaign to jump on this today and provide us with an opportunity to let Congress and the Justice Department know that we don't appreciate being spied on. Here's some of the language from the action alert (I'll skip the stuff that repeats what I've already included in today's post), with the link to the action page...interestingly, their experts ALSO made the connection I did this reeks of like "wiretapping".

Free Press: Tell Justice Department and Congress You Don't Want to Be Spied On!

Are you being watched? A researcher just discovered a hidden application that records what millions of people write, view and search for on their mobile phones. It sends all of that data to a company no one’s ever heard of. And we have no idea what that company is doing with our information.1

Sounds like 1984. But it’s happening in 2011. Earlier today, Sen. Al Franken demanded answers from the company, Carrier IQ, calling its technology "deeply troubling." We now need a full investigation.2


The fact that one company is secretly storing away the data of millions of mobile phone users — without our knowledge, and with no way for us to opt out — is just incredible. You’d expect this sort of thing from the Chinese government — not from a company operating in the present-day U.S.


This is not only a privacy problem. It’s a democracy problem. Mobile phones have become the ultimate democracy devices. Activists from Cairo to New York City to Los Angeles have used their phones to broadcast images of pepper-spraying cops, handcuffed journalists and squares full of protesters. We must ensure that the most important movements of our time aren’t compromised by data spies with little regard for our free speech or privacy.


Law professor and former Department of Justice attorney Paul Ohm says that Carrier IQ’s snoopware “is very likely a federal wiretap,” which means that the company could be prosecuted for breaking federal law.4 “Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information,” Sen. Franken said. “ … Carrier IQ has a lot of questions to answer.”

We agree. Let’s get some answers.

Monday, November 28, 2011

Smart Phones and Privacy

I want to follow up yet again on my series of posts on the historic case currently before the Supreme Court that could determine just how much privacy smart phone users can expect in the future. The case in question seeks to determine whether law enforcement should be required to attain a warrant BEFORE tracking a suspect (or alleged suspect) using GPS technology - which all smart phones happen to now have.

Before I get to the article delving into the smart phone aspect of this case, let me provide a brief summary of how we got here: The case in question involved police covertly tracking a suspected cocaine dealer's car using a GPS device for an extended period of time without getting a warrant. Thanks to this tracking, the suspect was initially convicted. But, a ruling by the D.C. Court (by Judge Ginsburg) of Appeals overturned that decision, arguing that the use of a secret GPS tracking device on the man’s vehicle for two months violated the Fourth Amendment’s protection against unreasonable searches and seizures. The idea being, no one wants to feel as if a government agent is following you wherever you go - be it a friend's house, a place of worship, or a therapist's office - and certainly innocent Americans shouldn't have to feel that way.

The problem was that two federal appellate courts had first upheld the use of GPS devices without warrants on the grounds that we have no expectation of privacy when we are in public places and that tracking technology merely makes public surveillance easier and more effective. Now this case is being heard by the Supreme Court.

Now, in some of my past posts I haven't focused on what this ruling could mean to ALL smart phone users, but instead, simply on the way the police tracked this particular suspect (see past posts for more detail). But let's be real, if law enforcement can argue, and win, the right to track someone's whereabouts without a warrant (or even probable cause) using a device implanted in the car, it goes to reason that this would be done in many cases through an individuals smart phone instead.

And of course, this isn't the only area in which privacy and smart phone technology are being debated. This year in California - to the dismay of civil liberties advo­cates - the Governor vetoed SB 914 (Leno). The legislation was a response to a recent California Supreme Court decision (People v. Diaz) allowing police to rummage through all of the private information on a smart phone as part of an arrest, including text mes­sages and e-mails. 

SB 914 would have clarified that an arrestee’s smart phone can only be accessed with a warrant, except in cir­cumstances where there is an immedi­ate threat to public safety or the arrest­ing officer. The bill acknowledged that accessing the detailed, private infor­mation contained on a smart phone is fundamentally different than searching an arrested person’s wallet, cigarettes or pockets. Senator Mark Leno has announced he will bring this legislation back next year. 

Here's more from a BBC News report entitled "How much privacy can smart phone users expect?": 

Millions of us happily invade our own privacy every day on Twitter and Facebook, sharing personal details with the world and broadcasting our location in a way previous generations would have found bizarre. Even those who shy away from social media and new technology in general are not immune. The most basic mobile phones are in constant contact with the nearest mast, sending information about the whereabouts of their users to phone companies, who can later hand that data over to the police, if requested.

 

There are signs that governments and law enforcement agencies around the world are taking advantage of this increasingly relaxed attitude towards privacy to step up surveillance of citizens. The case currently before the Supreme Court, US vs Jones, hinges on whether police officers should be allowed to plant GPS tracking devices on suspects' cars without a warrant…Lawyers for the Obama administration argued that Jones did not have a "legitimate expectation of privacy" - the standard legal test in the US for the past 45 years - because his car was in a public place.

 

But law enforcement officers no longer have to physically plant a bug on a suspect's car or person. In the US, they are increasingly using mobile phone tracking software. 

"Police officers can sit in the comfort of their own stations and use this technology to watch not just one person, but many people, over long periods of time," says Catherine Crump, an attorney for American Civil Liberties Union. This is far more invasive than traditional surveillance, she argues. "GPS tracking can actually be quite revealing about who a person is and what they value. It can show where a person goes to church, whether they are in therapy, whether they are an outpatient at a medical clinic, whether they go to a gun range."

 

But the London force is also reportedly using software that masquerades as a mobile phone network, allowing it to intercept communications and gather data about users in a targeted area, such as a demonstration.

Most civil liberties campaigners do not want the police banned from using new technology and accept that telecoms companies are "not the Gestapo", as Catherine Crump puts it. But, argues the ACLU lawyer: "People should not have to choose between using new technology, which is becoming increasingly commonplace and hard to live without, and giving up their privacy." 

Some believe the moment when that choice has to be made has arrived.

Click here to read more.

Again, my mind goes to social movements and protests and the government's insatiable desire to stifle dissent. These concerns are all the more disconcerting in light of the Occupy protests, and what we already know about how the Patriot Act was used to target peace/anti-war activists. 

No doubt in my mind we are indeed reaching a watershed moment - as highlighted by the current case before the Supreme Court. As technology advances, and becomes a more and more integral part of our lives, so too is the opportunity for authorities, both corporate and governmental, to use it in ways that violate our civil liberties.

Smart phones (and the information we have/use on social media like Facebook and Twitter) represent a clear line in the sand that must be drawn...no government has the RIGHT to track our whereabouts OR access all the information now stored in this technology unless they have a warrant.

Tuesday, November 22, 2011

Surveillance State Ironies

All the incredible video documenting grotesque police abuse of peaceful protesters across the country provides a bit of irony: Just as we citizens are being increasingly watched by both commercial and governmental interests, so too can we now watch them - and use it to our advantage.

I don't need to go into too much detail regarding our burgeoning surveillance state and our loss of privacy in just about all areas of life. But, consider the bigger picture...as I wrote on this blog in the past, whether its the knowledge that everything we do on the internet is followed and stored, that we can be wiretapped for no reason and without a warrant or probable cause, that smart grid systems monitor our daily in home habits and actions, that our emails can be intercepted, that our naked bodies must be viewed at airports and stored, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, and that RFID tags and GPS technology allow for the tracking of clothes, cars, and phones (and the list goes on)...what is certain is privacy itself is on life support in this country...and without privacy there is no freedom. I also fear how such a surveillance society stifles dissent and discourages grassroots political/social activism that challenges government and corporate power...something that we desperately need more of in this country, not less.

With that overview, I think its particularly fascinating, and ironic, that "we the people" are so effectively documenting, through smart phones and video cameras, the kinds of law enforcement abuses that we otherwise would not have been able to in the past - and thus would have remained unknown and unpunished.

With this in mind, I found an article by one of my favorite writers - Will Pitt of Truthout - that describes how this "Peoples Surveillance State" is being used, particularly in the documenting of the pepper spray incident at UC Davis. Pitt writes: 

In the aftermath of September 11, there was a big push to create a national surveillance system in the name of national security. Cameras were installed at traffic lights, ostensibly to catch people running red lights and stop signs, but those cameras came with a nifty side benefit: they recorded everyone within reach of the lens in their comings and goings. Cameras were installed at street corners, ostensibly to provide security against crime, but again, you were recorded wherever you went. Bank machines all come with security cameras, and those added to the ever-broadening web of national surveillance. Finally, almost every cell phone now comes with software that, so long as the thing is turned on, can track your every step by triangulating your position via GPS and the cell towers your phone signal bounces off of.


Those with a fealty to the quaint ideals of American civil liberties had, to no great surprise, a big problem with putting this system in place. Combine the concern over having millions of innocent people on camera with the fact that the Bush administration decided to spy on pretty much everyone by way of the NSA because no one had the guts to stop them, and what you had - and have to this day - is a pretty damned paranoid situation where everyone is being watched by The Man. Today, it is almost impossible to be anywhere in America without something tracking you. After this technology had been in place for a few years, it even became fodder for cop shows; half the episodes of "Law & Order: SVU" after 2008 involve catching criminals using this web of eyes and ears. As you can imagine, the bad guys almost never got away.

The basic idea behind setting up this incredibly invasive system, if you listen to its advocates, is that security is paramount in the aftermath of 9/11. There were plenty of people, after the Towers came down, who were very happy to surrender their liberties in the name of security, despite Benjamin Franklin's warning about deserving neither and losing both. Nowadays, the existence of such a system is established fact, leading to yet another bout of cognitive dissonance: those in favor of such a system a few years ago, because it meant the state was looking out for their safety, are now in all likelihood the same people railing against the state with guns on their hips at Tea Party rallies...but that's a brain cramp to be dealt with another day.

The advent of the Occupy movement, the length of time that movement has been able to hang fire, and the vast number of cities in which it is taking place, has led to an astonishingly violent reaction from the very state we are supposedly trusting to watch over our every move. There have been a dozen incidents of gruesome official violence against peaceful, non-violent protesters, including the near-murder of an Iraq war veteran by police in Oakland...violence the likes of which has not been seen in America since the dogs and firehoses days of Birmingham, Alabama.

Last Friday, students at UC Davis in California were subjected to an attack by police that beggars likeness. Here's the thing, though: this time, it's all on film. 

If you haven't seen it yet, what you're looking at is a dozen or so protesters seated with their heads down, arms linked, in peaceful non-violent resistance. An armored UC Davis police officer calmly pulls out a can of pepper spray the size of a fire extinguisher, shakes it up, and hoses these seated students down from one side to the other and then back again. Several of the students subjected to this attack required hospitalization, and there is an unconfirmed report that one of the protesters had a UC Davis cop shove the nozzle of his pepper spray canister into her mouth and then pulled the trigger.

As Pitt also mentions, the result of this video has been millions of hits, calls for the firing of the Chancellor and cops responsible, an investigation of the incident, and even greater resolve in students across the state and country to continue to speak out against ever increasing tuition costs and fee increases (among MANY legitimate complaints). Granted, we will see if justice is served, and we all know that video alone isn't enough to convict even the most glaringly abusive and illegal tactics. Nor does video guarantee real, systemic reforms to what is clearly an increasingly authoritarian, and militarized police force.

But certainly, it VASTLY improves the potential that justice will be realized - and reforms will be instituted. More than anything though, what this kind of peoples surveillance offers is the ability to educate the larger public about what is really going on in this country - particularly when you have the temerity to speak out against "the elites". This education opportunity, and how it might serve to motivate and inspire more people to get involved with their democracy and demand change (as well as make cops think twice about their actions) shouldn't be discounted.

If you want to see what I mean, check out Joshua Holland's Caught on "Camera: Ten Shockingly Violent Police Assault on Occupy Protesters"and consider whether it impacts your opinion on these matters.

Wednesday, November 16, 2011

The Need for Internet Privacy

I want to alert everyone to a fantastic op-ed in the San Diego Union Tribune by one of my most relied upon privacy experts - Beth Givens of the Privacy Rights Clearinghouse. But, before I share some choice clips, let me provide some backdrop (taken from what I've written on the blog in the past...as there's no reason to reinvent the wheel) on why this has become such an important privacy debate. The fact is, there's been a virtual explosion in data collection, data analysis and use of behavioral marketing on the internet without the requisite privacy protections to go along with it.  Billions of dollars at stake, and your private information is the currency.


We know for instance, and they have been sued for it, companies like Google, Yahoo, Microsoft and other Internet companies track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

That in itself, may not be all that threatening to most. But it raises some interesting questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument from privacy advocates has largely been that this massive and stealth data collection apparatus threatens user privacy and regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

More generally, particularly on the issue of privacy on the Internet, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for legislation like California's SB 761 (Do Not Track).

The Do Not Track flag is a rather simple concept
that's already been built into Firefox and IE9. If users choose to turn on the option, every time they visit a web page the browser will send a message to the site, saying “do not track.”

SB 761 (Lowenthal) would offer consumers such a mechanism, something the bill's sponsor describe as "one of the most powerful tools available to protect consumers' privacy." The mechanism will allow anyone online to send Websites the message that they do not want their online activity monitored.

Certainly one strong point of the legislation is that it is in line with public opinion, as detailed by a poll by Consumer Watchdog last summer that found 80% of Americans support a Do Not Track option. In addition, a recent USA Today/Gallup poll found that most Americans are worried about their privacy and security when they use Facebook and Google.

The fact is, there's no longer any anonymity on the Web. The most personal information about people's online habits is collected and eventually bought and sold, often instantaneously and invisibly. Data collection practices have become a business in themselves, driven by profits at consumers' expense. The Wall Street Journal recently highlighted these practices—which included targeting children—in its groundbreaking series "What They Know."

Now let's get to Beth's thoughts on this subject:

Individuals are increasingly using the Internet as their primary information source, often seeking information on sensitive matters such as finances, health, personal relationships, divorce, sexuality, workplace difficulties and legal conflicts. But few individuals realize the extent to which they are being tracked by companies that create rich profiles of their web-browsing activities. The 2010 Wall Street Journal series, “What They Know,” reported that the nation’s top 50 websites installed an average of 64 pieces of tracking technology onto each visitor’s computer. Tracking tools go beyond the cookies many of us routinely delete. Some companies deploy “Flash cookies” or other “supercookies” that are not only extremely difficult to delete but can also be used to reinstall cookies that a user has removed.

Such data-gathering and profiling activities are largely invisible, except that they can result in the real-time display of behaviorally targeted ads. You might ask, “What’s the harm in receiving ads based on my web-surfing history?” In a legislative primer presented to members of Congress by 10 organizations, including ours, several potentially harmful effects of behavioral tracking and targeting were identified: (1) targeting economically distressed individuals with payday loans and subprime mortgages; (2) sending ads for bogus cures to individuals with serious medical conditions; (3) engaging in discriminatory pricing in which some people are offered products or services at higher prices than others; and (4) targeting children who lack the judgment capacity of adults. Further, profiles compiled originally for the ad industry may be sold to non-advertising third parties such as insurance companies.

Harms aside, let’s not forget, simply, the right to privacy. The definition of privacy that guides my organization’s work is the ability of individuals to control the use of their personal information. Everyone has a different comfort level regarding the collection and use of their personal information. We believe individuals’ choices must be respected, no questions asked.

...

However, studies show that robust profiles generated from anonymous data can be matched with other data sources, offline and online, to determine individuals’ identities. These days, the anonymity argument is largely a myth. Another myth is that young people are not concerned about privacy. These “digital natives” have not known a world without the Internet, so the argument goes, and they are not worried about their personal information being revealed online. However, a 2009 academic survey found there are no significant differences between young adults and older individuals regarding online privacy concerns. While some believe that in a generation or two, concerns about online privacy will vanish, we at the Privacy Rights Clearinghouse are not so quick to accept that argument.

In closing, effective online privacy protection requires a multipronged approach involving policymakers, industry, nonprofits and consumers. It must not be lost to bogus arguments and unfounded myths.


As I have also written before, its not by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore, or that it will "kill business". Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with - and profiting off our personal information without our consent.

More to the point is the simple, unavoidable fact that consumers should have MORE control, not less, over what information of ours is used, shared, and profited off. This basic principle is at the heart of the ACLU's DotRights campaign.

There remains an interesting dichotomy in all this: While people seem to "care" about privacy on one level, they tend to do very little to actually protect it. Which in my mind, makes easy to use, clear options to protect privacy so paramount. Once people are given such a choice, not only will more people choose to "not be tracked", I think more people will become more AWARE of just how all pervasive such monitoring of nearly everything we do has become."

Thursday, November 10, 2011

Cell Phone Providers Urged to Stop Collecting Data on Customer Movements

In light of the current Supreme Court case regarding the GPS tracking of a suspect by law enforcement, I thought the ACLU's letter to the CEO's of the nation's biggest cell phone providers asking that they "stop routinely collecting and storing data on their customers’ daily movements" was worth delving into today too.

The essential argument by privacy advocates, be it the tracking of a cell phone user, or tracking a suspect's vehicle, is that in either case you should not be more susceptible to government surveillance. The idea being, no one wants to feel as if a government agent is following you wherever you go - be it a friend's house, a place of worship, or a therapist's office - and certainly innocent Americans shouldn't have to feel that way. The other major distinction between such constant, all pervasive surveillance, from say, simply following a person or suspect, is just that: its constant, over time, and all pervasive...unlike a simple "tailing" of a person by authorities.

Before I share some of the ACLU letter, I want to go a little into the back story regarding why cell phone tracking should be a concern for all of us. Consider:

  • In just a 13-month period, Sprint received over 8 million demands for location information;  
  • Michigan police sought information about every mobile phone near the site of a planned labor protest;
  • Last spring, researchers revealed that iPhones were collecting and storing location information;
  • A few months ago the general counsel of the National Security Agency suggested to members of Congress that the NSA might have the authority to collect the location information of American citizens inside the U.S.
  • The FBI has used 'dragnet'-style warrantless cell phone tracking.
And then there's the Patriot Act. The fact remains that we still don’t know how the government might be using the Act, highlighted by recent statements made by US Senators regarding what they termed “secret Patriot Act provisions”. Senator Ron Wyden (D-OR), an outspoken critic of the recent reauthorization, stated, "When the American people find out how their government has secretly interpreted the Patriot Act they will be stunned and they will be angry." As a member of the Senate Intelligence Committee Wyden is in a position to know, as he receives classified briefings from the executive branch.

In recent years, three other current and former members of the US Senate - Mark Udall (D-CO), Dick Durbin (D-IL), and Russ Feingold (D-WI) - have provided similar warnings. We can't be sure what these senators are referring to, but the evidence suggests, and some assert, that the current administration is using Section 215 of the Patriot Act - a provision that gives the government access to "business records" - as the legal basis for the large-scale collection of cell phone location records. 

With that, let's get to what the ACLU urged these CEO's to do (or NOT do):

The fact is our cell phone companies know more about where we are throughout the day than our closest friends. One of the byproducts of the way cell phones work – staying in constant touch with the nearest cell tower – is that our carriers can tell roughly where we are. And over time, that data is getting increasingly accurate.

But the major carriers – AT&TVerizonT-Mobile and Sprint – don’t just know where we are from moment to moment. They also retain detailed data about our location for extended periods of time, as we learned recently when we receivedthis document in response to our national public records request on how the authorities are using location data. The carriers also readily share the information they gather with government agencies and law enforcement…We pay them money, they provide us with phone and data services. Being tracked everywhere we go was never part of the bargain…

We don’t know exactly how precise the data the carriers retain is, or how they are using it. Often these days there is often an automatic, reflexive impulse to retain data – any and all. But it also seems that the companies are looking at how to monetize this information as they do with other information they gather.Verizon, for example, recently announced that it was selling location information about its customers. Although it is doing so only on an aggregate basis, that still represents a step closer to sharing our own individual movements, which the carriers are surely tempted to do.

Either way, if we roll over and accept this practice, then we’ll be accepting a world that totalitarian dictators can only dream of: an entire population carrying location tracking beacons that precisely record their every movement. This is not something we should be just taking in stride. It’s not something that we have to accept.

The best protection for privacy is for the carriers to not record our locations, even though the phone reveals them, unless we decide to give permission (and not through the fine print in some boilerplate click-through agreement). We should demand nothing less
.

Wednesday, November 9, 2011

Update on GPS Tracking Case Being Debated by Supreme Court

I want to follow up on my last post regarding the historic case before the Supreme Court - for which hearings began yesterday - as to whether law enforcement should be required to attain a warrant BEFORE tracking a suspect (or alleged suspect) using GPS technology.

I've written on this case, and issue, extensively on this blog, so I'm not going to rehash all that now (see last post for a decent summary). Suffice it to say, there is a WHOLE lot riding on this case. 

For today's purposes,  I'm just going to share some excerpts from a variety of news media that covered yesterday's hearings.

As NPR reported:

George Orwell's 1984 was very much on the minds of the Supreme Court on Tuesday, as the justices grappled with a question that pits the use of modern technology in law enforcement against individual privacy interests. At issue is a case testing whether police must obtain a warrant before putting a GPS tracking device on a car to monitor a suspect's movements.

...

Dreeben, in his argument, urged the court to stick to the line it has drawn in the past — no warrant is needed for surveillance of activities conducted on public roads. Chief Justice John Roberts, however, seemed skeptical about applying that rationale to new technologies, asking if the government could "put a GPS device on our cars and monitor us?" Dreeben responded that under the government's theory and the court's precedents, "the justices of this court, when driving on the streets, have no greater expectation of privacy" against a GPS device attached to the car "than they would if the FBI followed them around the clock."


Justice Stephen Breyer struck a more ominous tone, asserting that "if you win this case, then there is nothing to prevent the police or the government from monitoring 24 hours a day the public movements of every citizen in the United States," a scenario that "sounds like 1984." Discussion of Orwell's dystopic novel arose five times during the argument.


Justice Sonia Sotomayor asked Dreeban to explain the difference between the warrantless use of GPS devices and the general search authority that outraged the Founding Fathers and inspired the Fourth Amendment ban on searches without court authorization. Dreeben maintained, however, that putting a GPS device on a car is not a search. And he seemed to suggest that people have different expectations of privacy in an era of technological advances.


That is "too much for me," interjected Justice Elena Kagan, suggesting that people would think their privacy interests are violated by having a robotic device monitoring their movements 24 hours a day.

Read more here.

And this from the New York Times:

On Tuesday, Chief Justice John G. Roberts Jr. said there might be a constitutional difference between discrete pieces of data and the collection of vast amounts of information. “You’re talking about the difference between seeing the little tile and seeing a mosaic,” he said.


But Michael R. Dreeben, a deputy United States solicitor general, said there were no constitutional limits to the government’s ability to track people’s movements in public. He said a device surreptitiously attached to clothing would be permissible so long as it did not convey information from inside a home. He added that the police could track the movements of the justices’ cars without a warrant.


On hearing those statements, Justice Ruth Bader Ginsburg said the “endpoint” of the government’s argument was that “an electronic device, as long as it’s not used inside the house, is O.K.” Mr. Dreeben said that was correct regarding people’s movements in public. Other forms of monitoring — of conversations inside cars, say — were subject to different rules, he said. 


That means, Justice Stephen G. Breyer told Mr. Dreeben, that “if you win this case, then there is nothing to prevent the police or the government from monitoring 24 hours a day the public movement of every citizen of the United States.” And that, Justice Breyer said, “sounds like ‘1984.’ ”
...


Mr. Dreeben said, “The court should address the so-called ‘1984’ scenarios if they come to pass, rather than using this case as a vehicle for doing so.” But Justice Sonia Sotomayor indicated that the scenario might have already arrived. “It wouldn’t take that much of a budget, local budget, to place a GPS on every car in the nation,” she said.

...

Justices Samuel A. Alito Jr. and Antonin Scalia said such arbitrary limits should be imposed by legislatures rather than a court.

Read more here.

And finally, the Washington Post also chimed in:


It is allowed under the court’s own precedents, replied Deputy Solicitor General Michael R. Dreeben, and is no different than if the FBI “put its team of surveillance agents around the clock on any individual and follow that individual’s movements as they went around on the public streets.”


But to many of the justices, something did seem different. In an intense hour-long exchange in which the Big Brother of George Orwell’s novel “1984” was referenced six times, the justices wondered how the dizzying pace of technology has changed a person’s reasonable expectation of privacy.

The justices pondered a world in which satellites can zero in on an individual’s house, cameras record the faces at a crowded intersection and individuals instantly announce their every movement to the world on Facebook. They wondered about the government placing tracking devices in overcoats or on license plates.

...

The court is trying to apply the Constitution’s centuries-old protection against unreasonable searches and seizures at a time when devices such as a GPS can essentially do police officers’ work for them.But the justices also appeared conflicted about where to draw a constitutional line.

Stephen C. Leckar, representing Jones, said police should be required to persuade a judge to issue a warrant for each use of a GPS device. But the justices wondered how that squared with their previous rulings that no warrant is needed when the person being targeted was being monitored in public places.

“If there is no invasion of privacy for one day, there is no invasion of privacy for 100 days,” Justice Antonin Scalia said. 
Alito said Leckar had not shown that using a GPS device was any different from traditional police surveillance.



Obviously there's no way I can get a real "feel" for which way the court may rule. I'm ALWAYS deeply skeptical that the 4 extremists, and the one conservative, will ever rule in favor of the public interest when either corporate interests, or civil liberties, are concerned. Nonetheless, some of the questions posed by Roberts and Alito are at least modestly hopeful. Of course, the real wildcard, Justice Anthony Kennedy, was not quoted in any of the articles I've seen...and he remains the judge I'll be keeping my eye on.

I think today's editorial in the USA Today hit the nail on the head,  "The government's argument is that police don't need a warrant when they track people on public roads where they can be watched by cameras and other drivers — and where police could physically tail them without a warrant.

But of course, the technology changes everything. Even with speed cameras, red-light cameras and a squadron of pursuers, authorities would have a very hard time amassing a record of every place someone travels for 28 days.

The idea is, indeed, Orwellian, not to mention downright "creepy and un-American," to use the words of the chief justice of the 9th Circuit Court of Appeals. At a minimum, police should first have to convince a judge that there's probable cause to issue a search warrant — and use it properly.

The Founding Fathers, brilliant though they were, could not possibly have envisioned GPS technology. But they certainly understood the principles of personal freedom, and two centuries later those haven't changed a bit.

First and foremost, the Constitution they wrote guarantees individual rights against unnecessary government intrusion. Let's hope that when the Supreme Court rules in this case, it does the same.

With that, stay tuned.

Wednesday, November 2, 2011

Supreme Court to Hear GPS Tracking Case on Tuesday

I've been covering this case here for a long time now....and its finally about to reach its conclusion. Before I get to the USA Today article detailing the case and its Tuesday Supreme Court hearing, let me summarize some of what I've written on it in the past. 

The case in question involved police covertly tracking a suspected cocaine dealer's car using a GPS device for an extended period of time without getting a warrant. Thanks to this tracking, the suspect was initially convicted. But, a ruling by the D.C. Court (by Judge Ginsburg) of Appeals overturned that decision, arguing that the use of a secret GPS tracking device on the man’s vehicle for two months violated the Fourth Amendment’s protection against unreasonable searches and seizures. The idea being, no one wants to feel as if a government agent is following you wherever you go - be it a friend's house, a place of worship, or a therapist's office - and certainly innocent Americans shouldn't have to feel that way. 

The problem was that two federal appellate courts had first upheld the use of GPS devices without warrants on the grounds that we have no expectation of privacy when we are in public places and that tracking technology merely makes public surveillance easier and more effective. Now this case is scheduled to be heard by the Supreme Court.

Jeffrey Rosen, a law professor at George Washington University, made some important points on this case a few months back I think are worth repeating. He noted, "Judge Ginsburg realized that ubiquitous surveillance for a month is impossible, in practice, without technological enhancements like a GPS device, and that it is therefore qualitatively different than the more limited technologically enhanced public surveillance that the Supreme Court has upheld in the past (like using a beeper to help the police follow a car for a 100-mile trip)...If the court rejects his logic and sides with those who maintain that we have no expectation of privacy in our public movements, surveillance is likely to expand, radically transforming our experience of both public and virtual spaces.

For what’s at stake in the Supreme Court case is more than just the future of GPS tracking: there’s also online surveillance. Facebook, for example, announced in June that it was implementing face-recognition technology that scans all the photos in its database and automatically suggests identifying tags that match images of a user’s friends with their names. (After a public outcry, Facebook said that users could opt out of the tagging system.) With the help of this kind of photo tagging, law enforcement officials could post on Facebook a photo of, say, an anonymous antiwar protester and identify him.  

 

To preserve our right to some degree of anonymity in public, we can’t rely on the courts alone. Fortunately, 15 states have enacted laws imposing criminal and civil penalties for the use of electronic tracking devices in various forms and restricting their use without a warrant. And in June, Senator Ron Wyden, Democrat of Oregon, and Representative Jason Chaffetz, Republican of Utah, introduced the Geolocation Privacy and Surveillance Act, which would provide federal protection against public surveillance.

Their act would require the government to get a warrant before acquiring the geolocational information of an American citizen or legal alien; create criminal penalties for secretly using an electronic device to track someone’s movements; and prohibit commercial service providers from sharing customers’ geolocational information without their consent — a necessary restriction at a time of increasing cellphone tracking by private companies.

Click here to read more 

As previously laid out in the article in Wired Magazine, "Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story."

So with that backdrop, here's the latest on the case and the upcoming hearing:

In a potentially groundbreaking case on high-tech tracking by police, the Supreme Court will decide whether constant surveillance is such an intrusion on people's lives that police need a warrant before attaching a GPS device to a person's car.

The case, to be heard Tuesday, tests law enforcement's use of the latest technology to fight crime as it raises the specter of a "Big Brother" government knowing one's every move. GPS tracking lets police engage in round-the-clock surveillance — without a person's knowledge — over a prolonged period that could seldom be matched by cops on a beat or other traditional observation. 

Global Positioning System receivers, originally developed for military use, rely on a constellation of satellites in fixed orbits. Receivers on the ground use satellite transmissions to calculate the latitude and longitude of a location. Data can be transmitted remotely to police computers and stored.

 

Solicitor General Verrilli is urging the high court to rely on its 1983 ruling in United States v. Knotts, which said the use of a beeper to track a suspect driving to a drug lab was not a search under the Fourth Amendment. Verrilli says the lower court hearing Jones' appeal wrongly abandoned a longstanding line between private information and information that is "exposed to the public," for example, on roadways.

The lower court said, however, that a month of detailed tracking could not be considered "public" in the usual sense because it was unlikely anyone would actually have observed all of Jones' travels. Verrilli counters that information does not become "less public" simply because it is collected with in a more sophisticated technology. 

The high court will also be looking at whether just the installation of the device violated Jones' rights. Justice Department lawyers say installing the GPS device was permitted because it didn't interfere with Jones' driving or take up any space inside the vehicle.

Stephen Leckar, representing Jones, tells the justices in his brief that unrestrained GPS monitoring has become "a grave threat to expressive and political association, as well as to the personal privacy and security of every individual in the country."

Its important to consider this case in the larger context of an increasingly unjust economic system (AND Judicial system) that's leading people, literally, to the streets in protest. We must, at all costs, now more than ever, stand firm against the ever encroaching and watchful eye of both government and corporate interests.

But don't just take my word for it, check out a recent post I did on the fact that $150 million of taxpayer money has gone to funding a government facility in lower Manhattan where Wall Street firm representatives have joined the New York Police Department to spy on  law-abiding citizens simply taking advantage of their First Amendment rights.

As Pam Martens wrote, "According to newly unearthed documents, the planning for this high tech facility on lower Broadway dates back six years. In correspondence from 2005 that rests quietly in the Securities and Exchange Commission’s archives, NYPD Commissioner Raymond Kelly promised Edward Forst, a  Goldman Sachs’ Executive Vice President at the time, that the NYPD “is committed to the development and implementation of a comprehensive security plan for Lower Manhattan . . . One component of the plan will be a centralized coordination center that will provide space for full-time, on site representation from Goldman Sachs and other stakeholders.”


And then there's Naomi Wolfe, who was recently arrested for peacefully protesting herself, making another critical point, writing, "America is waking up to what was built while it slept: Private companies have hired away its police (JPMorgan Chase gave $4.6m to the New York City Police Foundation); the federal Department of Homeland Security has given small municipal police forces military-grade weapons systems; citizens' rights to freedom of speech and assembly have been stealthily undermined by opaque permit requirements."

Clearly, this dispute, particularly because it deals with technology that is becoming increasingly ubiquitous (i.e. smartphones, vehicles), will have an enormous impact on future fights over police tactics and our 4th Amendment rights. 

Perhaps most persuasive was Judge Ginsburg herself in her decision to overrule the appellate court decision, stating,  "A single trip to a gynecologist's office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story...A person who knows all of another's travels can deduce whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups -- and not just one such fact about a person, but all such facts."

Let's also remember, back in 2009 we learned that Sprint received 8 million law enforcement requests for GPS location data in just one year. While that issue is slightly different than the one headed to the Supreme Court (it was based on putting a GPS tracking device in the suspects car, rather than tracking the cell phone), the general concerns are applicable: Tracking citizens without a warrant (or even probably cause!). We know these GPS chips can locate a person to within about 30 feet. They're also able to gather less exact location data by tracing mobile phone signals as they ping off cell towers. 

The ACLU’s Catherine Crump recently provided one more argument for why the government should not win this case, stating, "What’s at stake in the case is not whether it’s OK for the government to track the locations of cell phones; we agree that cell-phone tracking is lawful and appropriate in certain situations. The question is whether the government should first have to show that it has good reason to think such tracking will turn up evidence of a crime. We believe it should. This case is not about protecting criminals. It’s about protecting innocent people from unjustified violations of their privacy."

And now we await the decision from a Supreme Court that consistently rules in favor of corporations and a more powerful national security state...and nearly always against the interests of the public good. As usual, all eyes will be on Anthony Kennedy.