Wednesday, March 27, 2013

Your past is not your own: Police say historic location data not invasive

Graphic via End the Lie
In the wee hours of the morning, long after the 101st co-author had signed on to HB 1608, prosecutors and police argued to the House Criminal Jurisprudence Committee, as they had to the Senate Criminal Justice Committee earlier in the afternoon, that they should not be required to get a warrant for cell-phone users' historical location data. Police from Houston and Dallas, the Harris County DA's office and an expert from the US Marshals Service all contended (to greater and lesser effect in the Senate and House committees respectively) that it was okay for "real time" and prospective location data to require a warrant but historic location data should not.

At the House hearing (go here to watch; debate on HB 1608 begins at the 3:37:15 mark.), bill author Rep. Bryan Hughes had a screen drop behind the committee as he laid out the bill and played a bit from the online graphic created by a newspaper based on six months of German politician Malte Spitz's cell-phone location records. That presentation took a bit of the edge off of arguments (which had been better received in the Senate committee) about how inexact historic location records could be. Spitz's graphic was created from 2009 data he obtained through a lawsuit against his cell-phone carrier. A newspaper married a map of his cell-phone location data with a narrative derived from his Facebook and Twitter accounts. Since 2009, the number of cell towers and antenna spiraled upward to handle the massive amounts of data associated with smartphone functionality, pointed out Dr. Chris Soghoian of Yale's Information Society Project, who is one of the leading national experts on cell-phone surveillance. (For anyone wanting to delve into the details of cell-phone tracking, his dissertation [pdf] submitted last year is a must read, which I don't say about many dissertations.) Over time, as more cell towers and antenna are constructed, "historic" location data will only become more accurate.

Similarly effective rebuttals were offered to the phony "real-time vs. historic" hair splitting, an obsessive refrain that had scarcely been raised before the hearing, though a national legal expert from ACLU had predicted the tack. (Personally I don't get it: In an era where your phone pings the nearest tower once a minute to check for email, location data becomes "historic" - i.e., stored on a third party server - within seconds. Is there really a meaningful difference anymore?) Anyway, I wish I'd known yesterday that, while we were waiting around at the capitol, a site called The Security Ledger was publishing an item titled, "Mobile Phone Use Patterns: The New Fingerprint," reporting on a newly published on-point study, "Unique in the Crowd: The privacy bounds of human mobility." Apparently researchers found that:
data from just four, randomly chosen “spatio-temporal points” (for example, mobile device pings to carrier antennas) was enough to uniquely identify 95% of the individuals, based on their pattern of movement. Even with just two randomly chosen points, the researchers say they could uniquely characterize around half of the 1.5 million mobile phone users. The research has profound implications for privacy, suggesting that the use of mobile devices makes it impossible to remain anonymous – even without the use of tracking software.
Not only does this news rebut the late-night argument from law enforcement that historical data can't identify someone - as if Malte Spitz's cell-phone diary hadn't proved the point - it confirmed observations by the Electronic Frontier Foundation's Jennifer Lynch (reported in this Grits post) that location data is essentially itself a "biometric" because no two things can be in the same place and human habits are as unique as they are personal. You are where you go. Arguably, your location is one of the most unique and personal things about you.

The other main law enforcement argument mirrored those from the Obama Administration which aggressively maintains that cell phone users have no privacy interest in their cell-phone location data because that information belonged to the cell-phone company and thus was accessible to law enforcement as a third-party business record.

That dubious point was rebutted well enough at the hearings by EFF-Austin board member Matt Henry (see his column in the Houston Chronicle) who compared the situation to US v. Miller, which similarly relied on the third party doctrine to hold that people's bank records were the property of the bank and not subject to a warrant requirement. Two years later Congress responded by passing the "Right to Financial Privacy Act" which essentially reversed Miller for purposes of personal financial records. Too much of our digital fingerprint today lies in the hands of third parties for that anachronistic doctrine to remain valid, which is why I hope the Lege gives freshman Jon Stickland's HB 3164, which would require a warrant for stored email, a fair shake this session.

The third-party doctrine as a premise of the courts is likely here to stay for the lifetime of anyone reading this. But legislative bodies can carve out exceptions - let's call them zones of privacy - and this should be one of them. For me, SB 786 and HB 1608 are not just about requiring a warrant for location data, but also encouraging the legislative branch to continue the reconsideration of the third-party doctrine begun by Justice Sonia Sotomayor in her concurrence to US v. Jones. In an era of cloud computing, its strict application becomes antiquated and ill-considered. Nobody reasonably expects that their cell-phone is being tracked on the minute scale that Herr Spitz was tracked. And if the courts are going to create a "reasonable expectation of privacy" exception to the Fourth Amendment, the law must adjust, through legislation, where courts aren't up to the job, when technology forces "reasonable" expectations to change.

Courts are not the only branch of government that's sworn to uphold the Constitution. That burden falls just as heavily on the legislative branch, particularly when the judiciary cannot confront the issue in a timely manner. The telephone was invented in the 1870s, I reminded the committee last night, but the Supreme Court didn't get around to requiring a warrant for wiretapping until 1967 in the Katz decision where the court coined the term "reasonable expectation of privacy." Today, people's reasonable expectations are different than in 1967, when the high court placed so much import on the fact that Mr. Katz closed the door to the phone booth to establish his reasonable expectation of privacy. The door to the phone booth is open.

Much energy was spent at both hearings on what to me was a rather pointless question. Some in law enforcement claimed that this information already required a "court order," but they kept misrepresenting the standard. The so-called "d" order from the federal code or the comparable Art. 18.21 Sec. 5 in Texas Code of Criminal Procedure  both tell judges they "shall" grant the order if the location data is relevant to an investigation - a far cry from "reasonable suspicion," much less "probable cause." A few, vocal police detectives maintained aggressively throughout the hearing that everyone who gets location data does so under a federal "d" order and cell phone companies were prohibited by law from giving out that information otherwise. This was contradicted by an attorney for small cell-service providers who said his clients handed over information in response to administrative subpoenas, Section 5 orders under the Texas Code of Criminal Procedure, federal "d" orders, orders based on "reasonable suspicion" as well as straight-up, probable cause based search warrants (which some DAs seek of their own volition). For myself, I couldn't see a point to the debate: If Rep. Hughes and Sen. Hinojosa want to apply a "probable cause" standard, why should the fact that they meet the much lower "relevant" standard be, well, relevant?

Anyway, law enforcement (mostly from Dallas and Houston) vigorously denied the notion that location information was available by subpoena until the next to last witness: A poor gal from the Texas Department of Insurance who signed up "on" the bill as a resource witness. Resolving the dispute once and for all, their law-enforcement division, she said, obtained location information using administrative subpoenas and she was there to explain to the committee how they used location information and why it was a useful tool. A generally "anti-" resource witness from the US Marshal's office, testifying "on" the bill, grumbled that the Department of Insurance and any cell-phone carriers they'd subpoenaed had committed federal crimes. I noticed, though, that he didn't arrest anybody, at least before the chair pended the bill a bit after 1:30 a.m. and mercifully ended what for me had been about a 16-hour day at the capitol.

MORE: EFF-Austin's Twitter feed had a blow by blow recounting of the day's events.


Anonymous said...

I was listening online. I heard you testify and I thank you for being a Texan that cares

Anonymous said...

If you don't want to be tracked, take the battery out of your phone. Just turning it off won't work.

Anonymous said...

We must be in Texas! It's a cop in a Klansman white robe. But he's Christian, so it's ok!

rodsmith said...

i think we need to do two things. One the public can force. the other will take a massive effore to amend the United States Constitution.

The easy one. The public needs to use the power of the wallet to force the compnaies to STOP keeping the data. once registred it's automatically deleted. No more history for this neo-nazi's to collect.

the hard one. time for a new amendment that strips all the little exemptions from the 4th. No warrant no evidence.

based on the fact that most of them were created back before the information age. hell most were created before the ELECTRONIC AGE.
when it took days or weeks to move the necessary paperwork around the sytem. when the cop of the street might be hrs if not days away from hq. Now they all have a computer on the belt if not in their car and a printer in the vehicle as well. They are now min's if not hrs. away from any needed warrant. So there is no longer any friggin excuse NOT to get one!