Christopher Soghoian, an electronic privacy researcher and activist, opened the one-day conference with a quote from Supreme Court Justice Louis Brandeis from 1928 in Olmstead vs. United States in which he opined, "The progress of science in furnishing the Government with means of espionage is not likely to stop with wiretapping." Boy, was that a prescient observation! Unfortunately, he made that comment in a dissent and SCOTUS would not actually require a warrant for the government to wiretap phones until 1967, by which time not just law enforcement but numerous private entities engaged in rampant wiretapping, according to Prof. Susan Freiwald from the University of San Francisco. Then, in Katz v. United States, the high court finally, belatedly issued a warrant requirement and the following year Congress banned the practice for private entities as well.
The debate over wiretapping finds many parallels in the internet era since today when not just government but numerous private entities engage in all sorts of surveillance activities, many of which people either passively or voluntarily opt into by using smart phones and other modern gadgets. A recurring theme throughout the event, which I'll expound upon in a later post, was that the ability of private companies to invade privacy in many ways exceeds that of the government. Unfortunately, for the most part government can usually access that personal information without a warrant because it's considered a third-party business record.
Soghoian opened the event with an enlightening overview of how cell phone signals operate and the government's means of using them for location tracking. There are two types of data involved - your historical location and present location - though increasingly that's becoming a moot distinction. If your smart phone is pinging the nearest cell phone tower(s) every minute or two to check for your email, your current location data becomes "historic" as soon as it's stored on a server by your cell service provider.
Soghoian explained that your cell phone is connected to multiple cell towers at any time. It can tell which towers are nearby and which signals are strongest, so your phone automatically sends information either through the nearest tower, or to the next if the first one is at capacity.
Cell towers have a defined range of coverage and each tower has three faces. From the information they gather, your cell-service provider, or through them, the government, can tell not just where the tower is but the signal strength when it reaches your phone and which of the three faces of the tower was used, allowing them to triangulate. The rise of smart phones, said Soghoian, has meant increasingly more towers had to be built to handle the crushing load of data those instruments use. Especially in dense cities, that effectively shrank each tower's coverage area and in recent years has made location tracking by cell phones much, much more precise.
There are two kinds of historical requests for location data, he continued. The first is for information about a single person: E.g., "Where has John Smtih been the last X days." Government can also ask the cell companies, "Tell us every phone that was near place X at time Y." These are called "tower dumps," and in that case the vast majority of people whose information is acquired are not targets.
Of course, the only information available is whatever the phone company actually saved, so one reform recurringly suggested throughout the event was that companies should limit the data they gather and delete it from their records as soon as possible.
Government can also get real time data by “pinging” a phone. He compared this to playing the game Marco Polo: The cell tower asks your phone, “Where are you?” and it answers, “I'm over here.” The FCC requires phone companies allow pinging because of the need for 911 services, but the agency didn't require a specific technology. T--Mobile and ATT use triangulation. Sprint and Verizon use GPS. Under FCC regulations, 67% of calls must be identifiable in 100 meters, 90% at 300 meters. These days, customer location can frequently be calculated much more closely than that.
These fake towers trick your phone to get it to identify themselves and could also be used to access content, though that in theory should require a warrant. The tech is essentially based on a fraud: The Stingray device says “I'm an ATT tower, send me your data,” and because there's no authentification required by your phone, it automatically does.
Such devices are now small enough to use from a patrol car. There's a version of the Stingray that can be worn covertly as a vest. That way, police can walk through a protest, for example, and pick up cell-phone registration numbers from everyone there, identifying them later through the companies' business records. These devices actually send out signals, they're not just passive. Signals penetrate walls, vehicles, clothes, you name it - a fact that may have implications after the ruling in US v. Jones by the Supreme Court revitalizing "trespass" as a standard by which to judge Fourth Amendment violations.
Next up: A discussion of legal frameworks surrounding government access to cell-phone location data.