Texas site of four mysterious fake cell towers: Who's using them?

Grits has discussed police use of fake cell-phone towers (or "IMSI catchers," colloquially known by the brand name "Stingrays") by police, but it turns outs cops may not be the only ones using this technology. Seventeen different fake cell tower devices have been identified around the country - four of them in Texas - by a company specializing in making secure mobile phones. CBS News quoted:

Ross Rice, a former FBI agent, [who] said it’s likely [they are] being used illegally.

“I doubt that they are installed by law enforcement as they require a warrant to intercept conversations or data and since the cell providers are ordered by the court to cooperate with the intercept, there really would be no need for this,” Rice said.

“Most likely, they are installed and operated by hackers, trying to steal personal identification and passwords.”

I wouldn't be too sure about that: Some law enforcement do have Stingrays - Fort Worth PD definitely owns one and several people have told me Houston PD does too, though I've never confirmed it. Departments must sign non-disclosure agreements when they purchase Stingrays so it's impossible right now to know which agencies have them. And Texas law does not specifically regulate the devices.

Given that, IMO most IMSI catchers the company found are likely run by law enforcement or spooks (many of the devices are located near military bases, reported Computer World).  Perhaps it's just the NSA doing their thing. The feds have even used wearable Stingray devices to covertly monitor political demonstrations. Who knows?

Still, it's notable that, while criminals can't buy the necessary equipment pre-fabbed from the Harris Corporation (Stingray's manufacturer), the tech involved isn't particularly high end stuff and there's nothing to stop someone with nefarious motives from making their own if they have the technical chops.

The Federal Communications Commission recently established a task force to study whether these devices are being misused. But Grits agrees with this expert quoted by the Washington Post that the FCC shouldn't seek to regulate the devices (let courts and legislatures do that) but to eliminate the vulnerabilities that allow them to operate:

Stephanie K. Pell, a cyber-ethics fellow at the Army Cyber Institute at the U.S. Military Academy, said the FCC should investigate not only the illegal uses of IMSI catchers but the network vulnerabilities that allow them to work.

“I think it would be prudent to assume that the Chinese government and criminal gangs don’t care if IMSI catchers are illegal,” said Pell, who has written extensively about the technology. “Ultimately if we are going to get to the root of the problem, we will have to deal with this from a network vulnerability perspective.”

Law enforcement won't like that suggestion because it would eliminate one of their favorite new toys, but technology is value neutral. An IMSI catcher doesn't care if it's used to catch crooks or commit crimes. So if cops want to stop the bad guys from using them, the tradeoff will be that they must also remove this tool from their own toolbox.

Until a technical solution is in place, Grits will continue to support laws regulating the use of IMSI catchers by government. But the safer approach would be for the FCC to require companies to fix the vulnerability and, eventually, make the issue moot.

State-level anti-NSA surveillance bills popping up

Reported Mother Jones (Jan. 21):

This month, lawmakers in six states introduced versions of model legislation designed to deny the NSA state resources or cooperation from state officials. The bills cover everything from banning evidence collected by the NSA from being introduced in state courts to shutting off the supply of water and electricity to the agency's in-state data centers.

"If the feds aren't going to address the issue, then it's up to the states to do it," says David Taylor, a GOP member of the Washington state House of Representatives whose Yakima Valley district hosts an NSA listening post. Taylor's bipartisan bill, introduced last week, would cut off "material support, participation or assistance" from the state and its contractors to any federal agency that collects data or metadata on people without a warrant. Practically speaking, it would mean severing ties between the NSA and state law enforcement, blocking state universities from serving as NSA research facilities and recruiting grounds, and cutting off the water and power to the agency's Yakima facility.

Similar bills, some of them less broad, have been floated in California, Oklahoma, Indiana, Missouri and Kansas. Others are expected in coming months in Michigan, Arizona, and Utah.

Given that one of the NSA's main spook data centers resides in San Antonio, I'd love to see similar legislation filed in Texas during the 84th legislative session in 2015. According to this video from the Tenth Amendment Center, an NSA data center in Utah uses 1.7 million gallons of water per day. If the San Antonio location uses anywhere near that much, it's not an insignificant thing given that city's chronic water shortage:


Since Barack Obama will still be president when the Texas Legislature meets again, I could see this gathering significant attention and momentum among the Tea Party crowd, though it would be virtually impossible to pass: The fact that House Speaker Joe Straus hails from San Antonio probably means it could never get a floor vote in that chamber, while the 2/3 rule would probably keep it from getting a vote in the Texas Senate. Still, the tactic would raise the profile of electronic privacy issues and, if something like that ever passed in a state like Texas or Utah where the NSA has a big physical plant, it'd be awfully fun to watch what happens.

RELATED: What can states do to rein in NSA phone surveillance?

NSA jams San Antonio garage openers; forensic cookie capers

A couple of stories related to digital forensics caught my eye this morning that may interest Grits readers.

NSA jams San Antonio garage openers
First, a Texas-specific item. It's a shame we have to read this from a German magazine instead of the Texas media, but there's a must-read story from Der Spiegel (Dec. 30) about the NSA facility in San Antonio that opens:

In January 2010, numerous homeowners in San Antonio, Texas, stood baffled in front of their closed garage doors. They wanted to drive to work or head off to do their grocery shopping, but their garage door openers had gone dead, leaving them stranded. No matter how many times they pressed the buttons, the doors didn't budge. The problem primarily affected residents in the western part of the city, around Military Drive and the interstate highway known as Loop 410.

In the United States, a country of cars and commuters, the mysterious garage door problem quickly became an issue for local politicians. Ultimately, the municipal government solved the riddle. Fault for the error lay with the United States' foreign intelligence service, the National Security Agency, which has offices in San Antonio. Officials at the agency were forced to admit that one of the NSA's radio antennas was broadcasting at the same frequency as the garage door openers. Embarrassed officials at the intelligence agency promised to resolve the issue as quickly as possible, and soon the doors began opening again.

It was thanks to the garage door opener episode that Texans learned just how far the NSA's work had encroached upon their daily lives. For quite some time now, the intelligence agency has maintained a branch with around 2,000 employees at Lackland Air Force Base, also in San Antonio. In 2005, the agency took over a former Sony computer chip plant in the western part of the city. A brisk pace of construction commenced inside this enormous compound. The acquisition of the former chip factory at Sony Place was part of a massive expansion the agency began after the events of Sept. 11, 2001. ...

One of the two main buildings at the former plant has since housed a sophisticated NSA unit, one that has benefited the most from this expansion and has grown the fastest in recent years -- the Office of Tailored Access Operations, or TAO. This is the NSA's top operative unit -- something like a squad of plumbers that can be called in when normal access to a target is blocked.

According to internal NSA documents viewed by SPIEGEL, these on-call digital plumbers are involved in many sensitive operations conducted by American intelligence agencies. TAO's area of operations ranges from counterterrorism to cyber attacks to traditional espionage. The documents reveal just how diversified the tools at TAO's disposal have become -- and also how it exploits the technical weaknesses of the IT industry, from Microsoft to Cisco and Huawei, to carry out its discreet and efficient attacks.

The unit is "akin to the wunderkind of the US intelligence community," says Matthew Aid, a historian who specializes in the history of the NSA. "Getting the ungettable" is the NSA's own description of its duties. "It is not about the quantity produced but the quality of intelligence that is important," one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed "some of the most significant intelligence our country has ever seen." The unit, it goes on, has "access to our very hardest targets."

Indeed, the unit maintains a catalog of spy tools, described in another Spiegel article, which "reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell."

Have a cookie, delete a cookie, give a cookie to a cop
Speaking of "getting the ungettable," while poking around various digital forensics blogs this morning I ran across this recent article on how to access incredibly detailed information from Google Analytics cookies, even if the computer user has deleted them. These aren't techniques only available to the NSA but to workaday computer forensic folk at police departments and domestic security agencies.  Wrote computer forensics examiner Mari DeGrazia:

The real power of the Google Analytic artifacts comes into play when deleted artifacts are recovered. By using Scalpel [ed. note: a file carving tool] and then parsing the carved files you can have some new data to play with and analyze.

Based on some initial and limited testing with Internet Explorer 11 and Windows 7, it appears the browser deletes then creates a new cookie when visiting a website rather then overwriting the old cookie. This means there could be a lot of cookies waiting to be recovered.

This technique not only allows forensic examiners to see what websites you visited and when but what keywords were used to get you there. In the faux example in the post, the last keywords listed on the spreadsheet created by the technique were "How to Clear History."

All kind of creepy, huh?

Should the Fourth Amendment apply to foreigners?

In the wake of reports that the US tapped the phone of German Chancellor Angela Merkel and other world leaders, Washington Post editorialist David Ignatius offered up an interesting discussion of whether the Fourth Amendment should apply to foreigners. Responding to a blog post from Georgetown law prof David Cole advocating the affirmative, George Washington University law prof Orin Kerr offered an opposing view, suggesting that his differences with Cole "are based on two different conceptions of government. I tend to see governments as having legitimacy because of the consent of the governed, which triggers rights and obligations to and from its citizens and those in its territorial borders. As I understand David, he has more of a global view of government, by which governments are accountable to all humans worldwide." By Kerr's reckoning, their arguments were "essentially playing out the majority and dissenting opinions in United States v. Verdugo-Urquidez, with me echoing Chief Justice Rehnquist’s majority opinion and David echoing Justice Brennan’s dissent."

When you actually read that case, though, Kerr misrepresented Justice Brennan's views. Brennan's stance was not based on some fuzzy-headed citizen-of-the-world mentality but instead the argument that the Constitution imposes limits on government, not just the citizenry. From his dissent in Verdugo-Urquidez (citations omitted):

What the majority ignores, however, is the most obvious connection between Verdugo-Urquidez and the United States: he was investigated and is being prosecuted for violations of United States law and may well spend the rest of his life in a United States prison. The "sufficient connection" is supplied not by Verdugo-Urquidez, but by the Government. Respondent is entitled to the protections of the Fourth Amendment because our Government, by investigating him and attempting to hold him accountable under United States criminal laws, has treated him as a member of our community for purposes of enforcing our laws. He has become, quite literally, one of the governed. Fundamental fairness and the ideals underlying our Bill of Rights compel the conclusion that when we impose "societal obligations," such as the obligation to comply with our criminal laws, on foreign nationals, we in turn are obliged to respect certain correlative rights, among them the Fourth Amendment.

By concluding that respondent is not one of "the people" protected by the Fourth Amendment, the majority disregards basic notions of mutuality. If we expect aliens to obey our laws, aliens should be able to expect that we will obey our Constitution when we investigate, prosecute, and punish them. We have recognized this fundamental principle of mutuality since the time of the Framers.

So Brennan wasn't saying that the American government should be accountable to foreigners, he was arguing that it should be accountable to the Constitution. Verdugo-Urquidez was handed down in 1990, an example of the Supreme Court denuding the Fourth Amendment in deference to the drug war. There's a growing array of cases in which SCOTUS has eroded Fourth Amendment protections to make it easier for the government to prosecute and convict drug offenders, and this is an example where application of those precedents leads to unintended consequences.

NSA's mass collection of cell-phone geolocation data occurred without court approval

So reported the Washington Post this week. Though Grits hasn't closely tracked the NSA surveillance debacle, I mention it because the reasoning outlined in the article for why they claimed a court order wasn't necessary have implications for how domestic law enforcement uses geolocation data. Here's how the article ended:

Much of the U.S. government's authority to collect metadata without a warrant is derived from a 1979 Supreme Court ruling over the small-scale collection of call records. But that ruling was made long before the widespread use of cellular technology and the surveillance applications that came along with it. The courts haven't set clear precedents on how location data should be handled given those more current applications.

A July ruling from the United States Court of Appeals for the Fifth Circuit held that individuals don't have a reasonable expectation of privacy for location data collected by phone companies, calling the data the equivalent of a "business record." But the U.S. Court of Appeals for the Third Circuit recently held that police need a warrant to attach a GPS tracker to the vehicle of a suspect. And in a ruling on similar GPS case last year, five Supreme Court Justice suggested that even without a physical trespass, ongoing electronic surveillance may be "an unconstitutional invasion of privacy." But the court did not rule specifically on how the government may use private data collected by modern technology.

So it's problematic that the NSA didn't seek judicial approval before embarking on trials with cell site data. The FISC is supposed to be the judicial oversight for legal issues involving sensitive national security concerns. But it never had an opportunity to weigh in on this case.

Turns out, according to emptywheel, Congressional intelligence oversight committees weren't notified of the project before it began, either. In the wake of the 5th Circuit case mentioned in the story (see Grits' discussion here), it's more important than ever that state legislatures and ultimately Congress address this issue head on.

Roundup: Top stories cropping up during Grits' recent absence

Grits is still poking around at news stories that cropped up while this blog was on a brief hiatus and thought I'd share a few that may not make it into independent posts.

Houston police union balks at mandatory DWI blood draws
The Harris County DA now requires blood tests in every DWI case where drivers refuse a breath test. The police union, reported the Houston Chronicle (July 28) objects because it takes police off the street and makes them unavailable for other routine tasks. "'They're not going to be as savvy on how to do these warrants, so it's going to take them six to eight hours, and that means the officer is off the street for that entire time,' [HPOU President Ray] Hunt said. 'It's a major issue.'" Grits' take: The new DA is willing to sacrifice police coverage to make securing DWI convictions easier, an option available to him because police and prosecutors' funding come from different pots (city vs. county). Whether that's a wise public policy choice depends on whether you think maximizing police coverage or misdemeanor convictions improves safety more. IMO the strongest evidence argues for the former, but reasonable folks may disagree.

Bribery investigation targets Denton Sheriff
Reported the Dallas Morning News (Aug. 9), "The Denton County sheriff (William Travis) is under investigation over allegations that he tried to bribe a political opponent to quit an election and also tried to bribe a former deputy into abandoning a lawsuit against the department." All involved deny the allegations. Here's a link to the affidavit written by Texas Ranger James Holland to seize the cell phone of Constable Jesse Flores as part of the investigation into Sheriff Travis. As an aside, readers in the comments pointed out that a Denton County Sheriff was convicted of bribery 25 years ago, also based on offering a political opponent a job to drop out of the race.

Light sentence for cop who stole from crime scene
A Houston police officer pled guilty for stealing cash from a crime scene. He received deferred adjudication with two years of probation and could ultimately have the conviction wiped from his record. After all, one supposes, he was only stealing from criminals.

GOP critic blasts Montgomery County private prison maneuvers
A blogger at GOP Vote complains that the Montgomery County Commissioners Court has launched into a seemingly never-ending jail building spree without consulting voters.

Opposition mounting to McAllen's private jail scheme
Fifty groups have signed onto a letter opposing a speculative jail privatization scheme in McAllen, the McAllen Monitor reported. Here's a copy of the letter. Notably, the Monitor knew about the proposed deal and intentionally failed to report it for more than a year. If they hadn't, the opposition might have a better chance of influencing the process.

News flash: Parole board must follow laws
This story from ABC's Good Morning America about Texas parole laws is possibly the most ignorant thing I've seen written by a professional reporter in 2013, which is saying something. The writer complains of a "loophole" requiring murderers (or anyone else) convicted between 1977 and 1987 to be released via a since-eliminated "mandatory supervision" law, under which they're let go when time served plus good time equals their sentence. What a crock! Since when is it a "loophole" to apply the law as written? Anyway, that hasn't been the case for years but it would be unconstitutional (in spades) to apply ex post facto rules to sentences issued under the old regime. This story was a) 26 years old, so not "news," b) utterly ignorant of the law and reality, and c) blatant demagoguery. Pathetic that this garbage passes for journalism at a major national news outlet.

Pot busts lowered to Class Cs in Hudspeth County to save jail space
Hudspeth County has no room at the inn jail for drivers caught with marijuana at the Border Patrol checkpoint in Sierra Blanca so the Sheriff gives folks Class C paraphernalia tickets and sends them on their way. Said Sheriff Arvin West, "The last thing in this world I want to be is a pothead hero, but the laws we’ve got now don’t work. Something’s gotta change."

Did Texas DPS unwittingly conspire in using NSA spy intel for drug cases?
Despite my intense interest, Grits hasn't written much about the NSA metadata collection scandal because it's being intensively covered at the national level and isn't a Texas-specific issue. But the revelation that the DEA uses that intel then lies about its sources in court, pretending probable cause was generated at traffic stops, almost certainly has implications for cases in Texas, and our Department of Public Safety may have been an unwitting accomplice to this fraud. Reported Reuters:

two senior DEA officials defended the program, and said trying to "recreate" an investigative trail is not only legal but a technique that is used almost daily. (Emphasis added.)

A former federal agent in the northeastern United States who received such tips from SOD described the process. "You'd be told only, ‘Be at a certain truck stop at a certain time and look for a certain vehicle.' And so we'd alert the state police to find an excuse to stop that vehicle, and then have a drug dog search it," the agent said.

DPS wouldn't have known about the NSA angle. From their perspective, the state police just received and acted on tips from the DEA. But if they then conspired to pretend the stop was based solely on a traffic violation and failed to disclose the DEA intel to defense counsel, that would be a significant breach of trust. Though not Texas-specific, Gideon at A Public  Defender lays out the implications of this revelation as well as anyone I've seen.

New Holder policy either 'conservative,' 'lawless,' or (most likely) just pro-prosecutor
Conservatives are split over US Attorney General Eric Holder's announcement that the USDOJ will no longer pursue charges with mandatory minimums in drug possession cases. Marc Levin and Vikrant Reddy from the Texas Public Policy Foundation wrote in The National Review that Holder had adopted "conservative sentencing reforms" while columnist Charles Krauthammer bloviated that the decision amounted to "lawlessness." Our old pal Vanita Gupta had a column in the New York Times framing the issue of drug-war based overincarceration in terms of Texas' Tulia episode and suggesting more effective ways to reduce it. Ken at Popehat provided a good explanation of what Holder's new policy will mean in practice and the drawbacks of relying on prosecutorial discretion to limit mass incarceration. At Forbes, Jacob Sullum reminds us that the Obama Administration's record on the drug war has been generally atrocious. He points out that if Holder's "criteria identify people who do not deserve mandatory minimums, they also identify people who deserve the president’s mercy" via the pardon process. Don't hold your breath.

Texas pols provided swing votes to keep NSA metadata collection going

The US House of Representatives this week voted down an amendment to eliminate funding for the National Security Agency's collection of metadata from domestic phone calls. Looking at the vote count, one can make the argument that Texas' congressional delegation, particularly Democrats, were the swing faction killing the amendment, allowing the NSA to continue its massive domestic surveillance program. The final vote was 205 Ayes and 217 Nays, with 12 not voting. So if seven members had voted differently, it would have passed.

As it happens, although 57% of Democrats in Congress supported the amendment (111-83),  two-thirds of Texas Democrats (eight members) voted to kill it, including several Grits thinks should know better: The no votes from that group were Sheila Jackson Lee, Eddie Bernice Johnson, Ruben Hinojosa, Joaquin Castro, Marc Veasey, Al Green, Henry Cuellar and Pete Gallego. If those eight votes go the other way, the amendment would have passed.

Texas' GOP delegation was similarly split, with 10 members voting for the amendment and 14 against. Republicans voting against the amendment were Michael McCaul, Sam Johnson, Jeb Hensarling, John Culberson, Kevin Brady, Mike Conaway, Kay Granger, Mac Thornberry, Bill Flores, Randy Neugbauer, Lamar Smith, Pete Olson, John  Carter, and Pete Sessions. Overall, 94 Republicans voted for the amendment, and 134 against it.

One wonders whether some of the Republicans on the list might find themselves defending this vote in next year's primary against Tea-Party oriented challengers. I doubt any of the Democrats will face electoral consequences for the vote, but they still should be ashamed of themselves. Texas pols aren't the only reason the amendment failed, but had they shown a little more backbone, they could have been the reason it succeeded.

Note: The original story misstated the Texas GOP vote count and has been corrected.

On celebrity, the NSA, and the hypocrisy of DOJ perjury prosecutions

Not a Texas-specific issue, but this has been bugging me: Can anyone justify why the US Justice Department (unsuccessfully) tried to prosecute "Rocket" Roger Clemens for perjury but somehow James Clapper, the director of national intelligence, not only hasn't been indicted for blatantly lying to Congress about the NSA phone spying program, the Obama Administration and senior US senators are publicly praising him?

At the time, Grits expressed dismay bordering on disgust that the DOJ would waste resources prosecuting athletes like Roger Clemens and Marion Jones over allegedly lying about steroid use while turning a blind eye to far more serious crimes. But that sordid spectacle appears even more embarrassing when compared to what's happening with Mr. Clapper. The basis of the Roger Clemens prosecution was the uncorroborated word of a shady informant and the government couldn't prove the charges in court. Clapper's perjury before Congress was both blatant and (thanks to revelations by Edward Snowden) entirely demonstrable.

The USDOJ's approach to those accused of lying to Congress smacks of shameless hypocrisy. They'll go after a celebrity for alleged perjury over trivia, then the Administration praises this mendacious NSA official for far more blatant, provable lies to Congress regarding much more serious subjects. My prediction is Mr. Clapper won't ever be prosecuted because he's in a position to reveal many more illicit activities about which the executive branch has probably also been lying.

Grits doesn't care if you're a Democrat or Republican, black, white, brown or green. This sort of calculated sophistry has denuded the Obama Administration of any remaining shred of credibility when it comes to defending, or even discussing, the Bill of Rights. And DOJ's failure to consistently pursue perjury prosecutions, declining to act when an Administration official lies but going after celebrities in a high-profile fashion, speaks to a smarmy unctuousness that's incredibly disingenuous. Just sickening.

Public opinion and privacy: Weird contradictory polling on NSA phone spying scandal

Hard to know what to make of this. To my knowledge, there have been two national polls thus far regarding US public opinion on privacy issues related to revelations that the National Security Agency keeps metadata from domestic US phone calls in a massive database. A Pew-Washington Post poll found that 56% of American adults support the phone-spying program and 41% oppose it, a result I found surprising and a tad depressing. Then almost immediately thereafter a Gallup poll came out reaching virtually the opposite conclusion, finding that Americans disapprove of the program by a margin of 53%-37%.

Both, obviously, cannot be accurate. Maybe neither are. The Gallup poll conforms more to my own predilections, a fact which makes me hesitant to instantly embrace it given the risk of confirmation bias. But I'll admit I was relieved to see evidence contradicting that Pew-WP poll, whose results seemed fantastically out of kilter with my own experience and expectations. Basically, this means we'll have to wait for multiple additional polls on the topic and average them before it's possible to guess what the public really thinks. These two polls don't jibe with one another even at the extreme ends of their confidence intervals. There's no way to accept them both.

One element that did stand out in both surveys: Support for the NSA phone-spying program would be much lower were it not for Democrats who appear so intent on Obama apologia that they're willing (IMO hypocritically) to back him on policies they criticized George W. Bush over just a few years ago. (See the fourth table here titled "Partisan shifts in views of NSA surveillance programs.") That's an embarrassment.

The truth is, whether or not there's majority support for privacy reform, and there might be, there's no doubt a vocal, bipartisan minority ardently supports it and the pro-life folks have shown that's more than enough to organize an effective political movement. These are issues that cut across party lines. The trick is going to be to convince partisans not to be fair-weather privacy advocates, criticizing Big Brother abuses only when they're undertaken by a member of the opposite political party. If that hump can be overcome, IMO the public would heartily welcome pretty sweeping privacy reforms at both the state and federal levels.

FISA court gave NSA authority to monitor local phone call data

Just because you're paranoid doesn't mean no one's out to get you, the old saying goes, and despite commenters recently accusing Grits of paranoia and "tin-foil hat" thinking vis a vis electronic privacy, headlines like this one today from the Guardian (UK) - "NSA collecting phone records from millions of Verizon customers daily" - seem to confirm some healthy skepticism is in order. The story opened:

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an "ongoing, daily basis" to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.

The secret Foreign Intelligence Surveillance Court (FISA) granted the order to the FBI on April 25, giving the government unlimited authority to obtain the data for a specified three-month period ending on July 19.

Under the terms of the blanket order, the numbers of both parties on a call are handed over, as is location data, call duration, unique identifiers, and the time and duration of all calls. The contents of the conversation itself are not covered.

The disclosure is likely to reignite longstanding debates in the US over the proper extent of the government's domestic spying powers.

Remarkably, the order (see here) included "all call detail records or 'telephony metadata' created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls." So no content, but basically the header information from the phones of both parties. Still, local phone calls, too? Wow. Talk about a Big Data Bonanza! Perhaps Grits hasn't been paranoid enough.

MORE: From Orin Kerr at the Volokh Conspiracy. AND MORE: See a followup from the Guardian and related coverage from the Washington Post. By one account, the NSA gathers information in this fashion from more than 50 companies. ALSO: AP has an excellent Q&A parsing the scope of the NSA phone-data order.

POSTSCRIPT: According to the bevy of followup reporting on this yesterday, data from this order was going into a massive database of Americans' phone calls that the feds began compiling seven years ago. In the coming days and weeks there will be many calls for this program to be discontinued. Grits considers it critical that those political efforts also focus on demands that the database itself be destroyed.

Biometrics and profiling: The door to the phone booth is now open

The next to last panel at the Yale Law School's March 3rd Location Tracking and Biometrics Conference was related to biometric identification and its implications for privacy in the hyper-connected world of the 21st century. Moderated by Wired magazine contributing editor Noah Shactman, the panel arguably was the creepiest of the day, with truly surreal implications for personal privacy. The panel featured Georgetown law professor Laura Donohue, Jennifer Lynch from the Electronic Frontier Foundation, NYU Ph.D candidate Travis Hall, a postdoctoral fellow from Carnegie Mellon named Ralph Gross, and Alvaro Bedoya, who is an aide to Minnesota Sen. Al Franken. Go here to watch it online, beginning at the 7:31:48 mark. Here's a summary from my notes:

Biometrics then and now
Shachtman opened the discussion by pointing out that the use of biometrics for identification dates at least to 2,400 years ago, when the Chinese used hand prints and thumbprints on official documents. In the mid-19th century, the British East India Company used them to authenticate documents and track prisoners (in the aftermath of the Indigo Revolt, 1859-1861). The first use of fingerprints in modern criminal case, he said, occurred in in Brazil.

The US government has funded biometrics research from ear lobes to body odors as potentially unique, personal identifiers, many of which can be used from a distance. Some 31 states (including Texas, see Grits' discussion from 2004 here, here and here) use facial recognition with DMV photos. The Department of Justice has a database with fingerprints of 130 million people.

Biometrics have three characteristics which make them useful for identification: They are immutable, readily accessible, and individuating. Those characteristics, though are a source of both benefits and problems. Notably, while biometrics are individualized, your computer turns them into ones and zeroes, meaning they can be electronically captured. Biometrics data can be gathered from a distance in public settings on a mass scale and monitored continuously, telling more about a person than just their identity. It's one thing, said Schactman, to get a fingerprint or DNA swab upon arrest. But today telescopes can capture an iris scan from 1,000 meters away. Thus setting the stage, we turn to the panelists:

Game changer: Remote identification, 'multimodal' biometrics

Georgetown law professor Laura Donohue described how the recent "technological leap" into the 21st century has created a "statutory gap" and a "constitutional abyss." (See her related law review article.) Kraft Foods is in talks with Facebook, she said, so that a commecial kiosk identifies you through facial recognition to tailor individualized marketing. In Las Vegas, there's a billboard that analyzes your age and gender to market different products to different people (these are also proliferating in Japan). According to Donohue, there were 633 facial recognition patents issued between 2001 and 2011 compared to just a handful the decade before. She identified four emerging trends:

• Move to multimodal biometrics. Pairing fingerprints with iris scans, DNA.
• Pairing of biographic information and biometrics.
• Interoperable databases
• Collapsing distinction between law enforcement, homeland security and national security.

The FBI sees multimodal biometrics as a key law enforcement tool of the future, hoping to fuse contextual, biographical and biometric information in connected databases. E.g., facial recognition at political rallies can identify people who were at multiple rallies and checked against a "Repository of Individuals of Special Concern" (RISC). These functions are also being privatized. The company Rapback lets employers submit their employees' biometrics, which it then gives to the FBI and is notified in return of the employee's criminal and in some cases civil activities. The service could even notify an employer, she said, when an employee is spotted at a political rally if it's caught on film.

Historically biometrics were used for immediate, one-to-one identification: Fingerprints identified someone booked into the jail, or an iris scan let them enter a secure corporate facility. But now many biometrics can be matched remotely and instead of one-to-one matching, can to one-to-many, potentially wiping out any remaining vestiges of privacy in public spaces. The dynamic of biometrics use is changing, said Donohue, along the following axes:

• One-to-one vs. one-to-many.
• Close up or at a distance
• Custodial detention vs. public spaces
• Notice or consent vs. none
• A one time, limited occurrence vs. continuous and ongoing manner.

On the statutory side, the laws "have not grappled with new technology." And on the constitutional front, the focus in US v. Jones (finding the placement of a location tracking device on a car was a "search") on the physical intrusion of placing a tracker on a car ignores the growing array of tracking technologies like remote biometrics that require no physical intrusion. One could read Jones as including a "shadow majority" of justices endorsing the "mosaic theory" that holds continuous tracking over time violates one's reasonable expectation of privacy, but there are other cases, she said, that blur that distinction.

Immigration enforcement driving interoperable government databases
NYU's Travis Hall discussed biometrics, interoperability and immigration reform, with a particular focus on the FBI and the Department of Homeland Security's "Secure Communities" program, where people arrested on state and local criminal charges are matched with federal immigration databases to check for immigration violators and people for whom a criminal offense might itself be an immigration violation under the terms of their visa. Defense Department and Department of Justice databases don't talk to each other, he said, but they communicate indirectly through the Department of Homeland Security. The United States has a "federated system," said Hall, with four main biometric databases that after 9/11 all began to share data directly or indirectly. Fingerprints from federal, state and local arrestees are uploaded to the FBI which sends them to DHS to check for immigration violators. That way, DOD and intelligence agencies end up with access to data from state and local law enforcement activities.

At first, Secure Communities was pitched to the states as an opt-in program and only 13 states signed up to be notified of immigration violators in their jails. Then, when Illinois and Boston tried to opt out, the feds said "no, you can't."

What's the problem? The lines between criminal and civil enforcement mechanisms are becoming blurred, said Hall. Immigration status is often not static but "fuzzy," making bright-line enforcement under Secure Communities problematic. This blurring of criminal and civil enforcement mechanisms could also have unforeseen consequences down the line in areas of law completely unrelated to immigration. (I found myself wishing he'd given more hypotheticals about what that might look like.) With the advent of mobile biometrics, immigration agents can perform fingerprinting and iris scans in the field that instantly connect up to all the above-mentioned federal databases. (See an EFF white paper by Jennifer Lynch on the conjunction of biometrics and immigration enforcement.)

The expansion of immigration-related biometrics may impact youth eligible under the DREAM Act (or the administrative equivalent announced last year by President Obama), which states that applicants must demonstrate "good moral character." Applicants go through background checks and must give up their biometrics in order to qualify for provisional status, a process that's resulted in an "entrenchment of surveillance tools." In order to be lenient on “the good guys,” he said, government needs surveillance on everyone to identify bad actors.

Facebook as Big Brother
In an earlier panel, 9th Circuit Presiding Judge Alex Kozinski pointed out that in the Katz case, in which SCOTUS first articulated the concept of a "reasonable expectation of privacy," the court based its interpretation of Mr. Katz's expectations in large part on the anachronistic fact that he closed the door to the wiretapped phone booth - an factor that appears quaint in the modern age of cell phones. Sen. al Franken's aide, Alvaro Redoya, said that today, "the phone booth door is very much open." He added that "the future is now," and "this is a big deal."

We shouldn't just be concerned about the Minority Report scenario where advertising is funneled to us based on remote identification, he said. Now your driver's license, passport and Facebook account are all connected to facial recognition applications.

Facebook is honing its facial recognition software through its tag suggestions program, which presently is active everywhere but Europe where privacy laws prevent its implementation. On the back end, Facebook makes a "faceprint" they can match like a fingerprint. When your friends upload pictures, they are prompted, "would you like to tag" the people in them. The company has rolled this out on an "opt out" basis, meaning they're gathering faceprint data unless you've specifically declined to participate. The average person has 53 photos on their Facebook page, he said. Assuming a 60% non-participation rate (which is probably way too high), the company would have a faceprint for one out of 20 people on the planet. Assuming a 20% opt-out rate, which is perhaps more realistic, Facebook has pictures of one out of 10 humans in their facial  recognition system. Every time Facebook suggests, "is this so-and-so?" and asks if you want to tag them, and you say "no, it's not that person," the company improves their algorithm. Essentially, Facebook has crowd-sourced refinement of its system. Facebook does not promise they won't sell information to third parties. There are scenarios with real person to person (P2P) harms. In early 2010 an Israeli company rolled out Click App, a facial recognition system which Facebook purchased last year. Someone hacked it and figured out you could download pictures from Facebook and use it as a private facial recognition system.

Prof. Donohue had earlier described how the FBI had developed facial recognition technology to scan individuals at political rallies, identifying everyone who had attended two or more events. Redoya said the events in the FBI's example were from Obama and Clinton political rallies. In all states where such facial recognition technology has been rolled out, he said, it's a crime to block a sidewalk, for example, so it's easy to find a law enforcement justification for its use in such settings. Your faceprint remains roughly the same between ages 20 and 50, he said.

In Katz, the Supreme Court considered it important that the phone booth door was closed. But every time you walk outside you knowingly expose your face to the public, Redoya observed. Unless the law catches up to that sort of functionality, those sorts of outdated distinctions will obliterate personal privacy.

Privacy in the age of augmented reality
Carnegie Mellon's Ralph Gross discussed "Privacy in the age of augmented reality" (see an FAQ) having conducted experiments analyzing the convergence of public self-disclosure in social networks, improvements in facial recognition accuracy, cloud computing, "ubiquitous computing," and "statistical re-identification" of de-identified data The results, he said raise the question of whether in an era of "augmented reality" we have finally reached “the end of anonymity”?

Combining publicly available social network data and off-the shelf facial recognition technology, Gross and his fellow Carnegie Mellon researchers downloaded images from Facebook and then from dating service websites, trying to match them. One out of 10 dating-site members could be identified, he said. A second experiment set up cheap webcam and asked students to let them take three photos from different angles. They could identify one out of three subjects, not just from their profile pictures but also from tagged images.

Even more disturbing was Gross' success at predicting social security numbers (!). Think for a moment: How many times have you given out the last four digits of your social security number as an identifier for online services? Have you ever thought about what happens if the other five digits could be inferred from public records? For 27% of subjects from Facebook, Carnegie Mellon researchers could guess the first five digits of their Social Security Number within four attempts. In other words, their algorithm could come up with four guesses and one of them was right 27% of the time. So starting with a photo and using information of Facebook, it's possible to guess those first five digits around a quarter of the time. Over time and with more data, that algorithm could become even more robust.

Gross said modern facial recognition technology can go from an anonymous face to matching it to a presumptive name, then get online information, demographics, their friends, and potentially predict their social security number and credit score, not to mention their political and sexual orientation. This could all be done, he said, "in real time with a smart phone app. The implications are staggering and include:

• Faces as conduits between online and offline data.
• The emergence of personally predictable information
• The rise of visual, facial searches
• Democratization of surveillance, and
• Social network profiles as Real IDs

When your face can be connected to so much information about you, it essentially becomes your ID.  Today's technology has reached the stage where such capability is no longer purely the domain of science fiction but a real-world scenario which courts and legislatures have yet to address.

Location data as biometrics: You are where you go

EFF's Jennifer Lynch spoke about "location data as biometrics." To my mind, the takeaway from her presentation was "you are where you go." The same thing can't be in two places at the same time and two different things can't occupy the same place, said Lynch, so by its nature location data is individualizing.

Cell phones generate staggering amount of location data totaling 600 billion transactions per day worldwide, data which frequently is shared with third parties in volume and in real-time and constitutes a significant potential new market for cell-phone carriers. Your movements quickly reveal where you spend your time, when, and with whom, as well as what's typical and what's not. Though cell-tower data is "de-identified," she said, once you know all that information, "re-identification" - i.e, figuring out who is who - is a somewhat trivial technical feat (as Ralph Gross had earlier demonstrated).

The more cell-phone towers and antennas that exist, the more precise location tracking by cell phones becomes. Using a site called AntennaSearch, Lynch found that there were 74 cell towers and 529 antennas within four miles of the Yale Law School. (Running the same search for Grits' own home in Central East Austin, I found 145 towers and 675 antennas within a four mile radius.)

A young German politician named Malte Spitz sued his cell phone company for all his location data and partnered with a newspaper to produce an amazing graphic tracking his movements for six months. The graphic includes not just his location but how many phone calls and text messages he received and sent, also linking the data to his Facebook and Twitter timelines to add context, creating a stunning diary of his life. Given the foibles of human memory, it shows your cell-phone carrier (and by extension any government agency or third party that accesses that data) in some ways may know more about your life than you do.

Following in his footsteps, so to speak, Lynch tracked herself for a month with a Google program called “Latitude” that records everywhere you've been. Nothing earth shattering - she mostly went from home to office to her kid's school, with an occasional trip to a store or other destination - but really it's the mundane data that identifies you and provides the most information about who you are and how you live your life. Location data combines and amplifies all the problems with biometrics, said Lynch.

Aren't biometrics 'awesome'?

Wired editor Noah Schactman interjected to ask the panel, "Isn't the idea of your face as universal recognizer awesome?" It would make passwords useless, he said, since someone can't hack your face in the way you can hack a password. Not true, said Lynch, noting that Japanese kids hack cigarette machines with facial recognition tech by holding up magazine ads of older people. (Grits wrote in 2005 that, for that very reason, biometrics make terrible passwords. To a computer your fingerprint, iris scan or facial structure are just ones and zeros which are easily replicable.)

Travis Hall pointed out that, while we live just one life, there are "siloed" aspects to everyone's existence. New technology breaks down those silos in ways that people don't want broken down. Identity in one context may be open, but can now be linked to other contexts in ways that people would prefer remain closed. Prof. Donohue added that, for that reason, there's a public or social harm from long-term storage of this information. New guidelines allow the National Counter Terroism Center to retain personal information about non-suspects for five years instead of 180 days, generating an ever-more detailed and robust data set about individuals over time.

One-to-one biometrics are not as big a problem compared to "one to many" apps. It's one thing to verify identity of an individual and another to identify strangers from a crowd, especially in an era when cameras are so ubiquitous.

During the Q and A, Chris Soghoian pointed out that there are dating websites for people from specific religions, people with particular STDs, gay people, etc., asking if the data could all be scraped and dumped into some sort of uber-database. Gross replied that it may or not be legal to do that - most likely it would violate the sites' terms of service - but technologically, we're at a point where it can be done. Hall pointed out that the "real problem" with data analytics is that "you don't know you're being tracked.'

Judge Kozinski stepped to the questioners' mic to ask about the implications of the NSA's “Solar Wind” project in Utah - a data processing facility where information accessed by intelligence services may be churned through at an astonishing 4 terrabytes per second. "Can they apply these technologies to all that data?" he wondered, essentially answering his own question. I'm not sure many people in the room had considered that. There was a moment of stunned silence as everyone took in the implications, before Prof. Donohue pointed out that such massive data processing capacity was especially a problem when combined with indefinite data retention.

Another questioner asked, "Can you opt out of information being shared?" The answer is sometimes. Your cell phone, for example, must ping the nearest tower periodically so it can receive phone calls. Android phones, it was pointed out, automatically link phone numbers you dial to your Google contacts list. Could there be an automatic opt in instead of opt out? Sure. But it's not required, and in practice people opt in via terms of service agreements they never read.

Travis Hall observed that the "persistence of data is astounding."  Data has long shelf life. In Europe there is an ongoing debate about the “right to be forgotten.” As it turns out, it's very had to be forgotten. Engineers having trouble comprehensively deleting even a single photo.

For the most part, unlike the politician from Germany, you have no right to review records the government keeps about you, Hall observed, especially for data gathered under national security authority. Schactman pointed out that, ironically, Al Quaeda members may be the only people not being tracked in the government's biometric databases.

See prior, related Grits posts from the conference:

• Cell phone tracking by government: How it's done
• On the Fourth Amendment implications of location tracking
• Secrecy and federal court dockets: On the nuts and bolts of authorizing government surveillance
• Bypassing the telecoms: 'Stingrays' allow direct government phone surveillance with little oversight 
• Video, resources from location tracking conference