Monday, November 26, 2012

'Standing up for Mr. Nesbitt,' tracking the cell-phone trackers, and other digital forensics stories

Electronic privacy continues to gain more attention in the wake of the Petraeus scandal and other recent revelations about the scope of law enforcement snooping around people's electronic communications. Here are a few more recent tidbits that caught Grits' eye:

For starters, check out New York Times (Nov. 26): No accord on cell-phone search: Courts haven't figured out how and when authorities can gain access, in which we learn that a US Senate committee will meet on Thursday to consider "changes to the Electronic Communications Privacy Act, a 1986 law that regulates how the government can monitor digital communications. Courts have used it to permit warrantless surveillance of certain kinds of cell phone data."

Perhaps even more critical, and maybe even more disturbing, "A proposed amendment would require police to obtain a warrant to search email, no matter how old it is, updating a provision that allows warrantless searches of emails more than 180 days old." Until the aftermath of the Petraeus scandal, I didn't know older emails had no privacy protections - my own Inbox certainly goes back farther than that, and in some cases I've archived emails from many years ago. It never occurred to me that law enforcement could look at those without a warrant.

The Houston Chronicle has a related, notable story today titled, "Email not in the Fourth Amendment: Outdated law enforcement regulations let law enforcement spy via Internet companies and social networks." That story gives this additional tidbit about the contents of the legislation: "Sen. Patrick Leahy, D-Vt., who has proposed an amendment to the act, said the Senate Judiciary Committee will consider the changes Thursday. The crux of the amendment would require investigators to serve either a warrant to the service provider or a subpoena directly to the user when seeking personal digital information."

See a summary of the contents of Leahy's proposed amendment. Sen. John Cornyn sits on the Judiciary Committee, which will consider Chairman Leahy's proposal. Texas readers who support the measure should go here to email Sen. Cornyn to ask him to support the Leahy Amendment on cell-phone location data. Or even better, bone up on what the amendment does and contact Sen. Cornyn's office by phone at one of these locations. MORE: Orin Kerr at the Volokh Conspiracy calls the NYT article "somewhat confusing," while Scott at Simple Justice says mostly the article is confusing because the law is confusing.

* * *

Meanwhile, on a related topic, see an item from the Wall Street Journal published last month (Oct. 22) titled "Judge Questions Tools that Grab Cell Phone Data on Innocent People." That story opens,
A judge in Texas is raising questions about whether investigators are giving courts enough details on technological tools that let them get data on all the cellphones in an area, including those of innocent people.

In two cases, Magistrate Judge Brian Owsley rejected federal requests to allow the warrantless use of “stingrays” and “cell tower dumps,” two different tools that are used for cellphone tracking. The judge said the government should apply for warrants in the cases, but the attorneys had instead applied for lesser court orders.

Here's a copy of Judge Owsley's order. By contrast, the Sixth Circuit federal appellate court (whose opinions are not binding on Texas) ruled earlier this year that federal agents need not get a warrant to obtain cell phone tracking data from private cell phone providers. (See that opinion [pdf]). Attentive Grits readers may recall that the Fifth Circuit, whose jurisdiction covers Texas, Louisiana and Mississippi, has litigation pending before it focused on many of the same questions.
After issuing the ruling that spawned the pending Fifth Circuit case on cell-phone location data, Houston Magistrate Judge Stephen Smith gave a speech on the issues surrounding the ruling, which has been posted online here, titled, "Standing Up for Mr. Nesbitt." For those insufficiently geekish to catch the reference, "Mr. Nesbitt" refers to a classic Monty Python sketch to which the judge helpfully provides a link in a footnote, see here. (Go ahead and watch it; it's worth the 2.5 minutes of your life you'll never get back!) Today, says Judge Smith, it's possible for private companies as proxies for the government "to figure out exactly where you are at any given time. And this is true even if, like the unfortunate Mr. Nesbitt, you don’t want to be seen, and refuse to stand up when asked."

I've linked to Judge Smith's comments before but thought I'd point out this particular observation he made that bears repeating as debates over online monitoring and GPS tracking come to a head:
If Mr. Nesbitt cannot afford to stand up himself, who does stand up for him, and all the other Nesbitts in the world? That is, who stands between ordinary citizens like us and an increasingly surveillance-happy state? Now, I am the first to admit that some Nesbitts are dangerous and deserve to be watched. If Mr. Nesbitt heads up a drug cartel, runs a mortgage fraud scam, or commits a series of ax-murders, he should surely be found and brought to justice. But what about all the other Nesbitts who are law abiding: the soccer moms, the Sunday school teachers, the law school professors, the newspaper reporters?

You may say that’s not a big concern, because the government would not bother to target them unless they were committing a crime. But you would probably be wrong to say that, at least if the government’s response to a 2008 FOIA suit is accurate. Asked to furnish docket information about all criminal cases brought against individuals who had been subject to warrant-less cell phone tracking since 2001, the Department of Justice identified a total of just 255 criminal prosecutions. This works out to about 38 cases a year. Given that the federal government obtains tens of thousands of these orders every year, this data suggests that the government spends more time chasing the innocent Nesbitts than the black sheep and ne’er-do-wells.
So the USDOJ could identify just 38 cases per year nationwide where prosecutions had been brought against individuals on whom the feds had gathered cell-phone location data. But by most accounts the number of law enforcement requests is enormous: 1.3 million in 2011 alone, representing millions in revenue for cell phone companies. Reported Fox News earlier this year:
At AT&T, a team of more than 100 workers handles the requests pouring in from local, state and federal law enforcement agencies. More than 250,000 such requests came in last year — a more than two-fold increase over five years ago.
Sprint said it received about 500,000 subpoenas in 2011. Verizon and T-Mobile, two other major U.S. carriers, both reported annual increases in requests exceeding 12 percent. Cricket has seen a steady increase every year since 2007, and although the company once had a 10-person team handling inquiries, it has now outsourced that task to a company called Neustar.
Many of the requests cover a number of cellphone subscribers.
The costs have become so large that carriers have started charging law enforcement for the records they turn over. AT&T collected almost $8.3 million in 2011 in fees from police agencies, although the company said it believes that number falls far short of what it costs AT&T to accommodate the requests.
Police requesting data from U.S. Cellular are asked to pay $25 to locate a cellphone using GPS (the first three requests are free), $25 to retrieve a user's text messages and $50 for a "cell tower dump" — a breakdown of all the cellphones that interacted with a given cellphone tower at a specific time.


If the average fees for handling such requests were $25 (just a guesstimate, based on the ranges cited in the Fox News story), then cell providers would have earned more than $32 million collectively in 2011 selling user location data to law enforcement, mostly in cases that will never be prosecuted, if Magistrate Judge Smith's data is accurate.

* * *

Finally, one practical aspect of law enforcement gaining access to this mass of electronic data regarding suspects and non-suspects alike as part of routine criminal investigations: It requires more digital forensics expertise at police departments and crime labs, which in many cases are understaffed and/or underdeveloped. KXAN-TV in Austin recently ran a story documenting investments in staffing and equipment that allowed DPS' digital forensics division to reduce its backlog by 2/3 in the past three years. However, expected growth in demand for digital forensics services - stemming from both the dizzying array of new products and the increasing ubiquity of their use - means the backlog will increase again without further legislative action, said KXAN. "DPS said it will work with state lawmakers in the upcoming legislative session to figure out how best to keep up with the growing demand."

Grits, of course, thinks a market-based, fee-for-service solution would be the best approach. The state is already facing competition for analysts in the labor market from private sector firms set up for employers to snoop on their employees, some of which already provide services to law enforcement with much faster turnarounds than DPS labs. In the near term, both the costs of quality analysts and the volume of digital forensics work law enforcement generates undoubtedly will stay on a steep upward curve thanks to technological change that's far surpassing the quaint, 20th century regulatory structures that in theory should constrain them. For the time being, as is so often the case, it may not be (mostly non-existent) civil liberties protections that most significantly constrain law enforcement from widespread privacy violations but limited resources, a lack of technical expertise at police agencies, and above all, budgetary constraints.

RELATED: New police tech tracks cell-phone location data without provider intermediary

4 comments:

doran said...

I remain an advocate of pitching digital sabots into the digital machinery.

cell action explosive ak 47 secret meeting jihad ied bring rpg

Ashley Casas said...

The thought that the government knows so much about me is scary. No wonder most people live in paranoia. I'm leaving the country. Just kidding. But really, it's scary.

Anonymous said...

Well, what does anyone really expect? I think the term "Slippery Slope" could be applied to this story. Americans were perfectly OK with the tracking of people they FELT were dangerous, so when the government kept taking it to the next level, and the next and the next...then hell they are pretty much looking at anything they want to. Kind of like public registries. First Sex Offenders and now there are DUI, Arson, Animal Abuse, Domestic Abuse registries popping up. Do you think it will stop there? How long until there is a Bully Registry? A Bad Check Registry? It's not so far fetched.......

doran said...

Anon 4:02, you are absolutely correct. When I worked for the Texas Civil Liberties Union in the 1970s, it was only the "radical liberals" who were warning against the "slippery slope." It was like nailing jello to a wall to get conservatives -- so called conservatives -- to pay attention to what was happening.

In the eighties, not even Libertarians were paying attention. They, and their bastard offspring the Tea Party, were only concerned with the possibility that the government would take away their "stuff" -- their money, their stock, their guns and their second homes in the mountains. Talk to them about the Fourth Amendment, the growing police state, the slow but sure emasculation of the Fourth Amendment, and all you could get was blank stares and maybe some muttering about putting the bad guys -- the Willy Hortons -- in prison where they belong and supporting their local Sheriff. Civil liberties be damned if it was necessary to lock'em up.

The primary thing that gives me hope now is that Libertarians, both left and right, mainstream conservatives, and 60s and 70s left wing radicals -- the SDS of the present (Seniors For a Democratic Society) are starting to say the same things and starting to sound like they have some common ground.

My current opinion -- subject to change as things go on -- is that the First Amendmenters, the Second Amendmenters, the Fourth and Fifth Amendmenters, and the Tenth Amendmenters really need to start talking with each other about details. It is about time for a Second Constitutional Congress to meet.