Surveillance

Palantir had been selling its data storage, analysis, and collaboration software to police departments nationwide on the basis of rock-solid security. “Palantir Law Enforcement provides robust, built-in privacy and civil liberties protections, including granular access controls and advanced data retention capabilities,” its website reads. The scale of Palantir’s implementation, the type, quantity and persistence of the data it processes, and the unprecedented access that many thousands of people have to that data all raise significant concerns about privacy, equity, racial justice, and civil rights. But until now, we haven’t known very much about how the system works, who is using it, and what their problems are. And neither Palantir nor many of the police departments that use it are willing to talk about it.

Lawyers representing a man convicted of six robberies in the Detroit area have now filed their opening brief at the Supreme Court in one of the most important digital privacy cases in recent years. This case, Carpenter v. United States, asks a simple question: is it OK for police to seize and search 127 days of cell-site location information (CSLI) without a warrant? Previously, lower courts have said that such practices are compatible with current law. But the fact that the Supreme Court agreed to hear the case suggests that at least four justices feel that perhaps the law should be changed.

In Carpenter, as is the case in countless modern criminal cases, law enforcement was able to obtain the relevant records directly from the mobile phone provider with a court order that has less stringent requirements than a warrant. This is not a trivial distinction. A so-called "d-order" can be circumspect with how information is obtained by authorities. It does not, as the Fourth Amendment demands, require as much particularity. A warrant, unlike a d-order application, also mandates a signed and sworn affidavit ("on oath or affirmation"), as the Constitution requires, which describes the "places to be searched and the things to be seized." Carpenter's attorneys, many of whom are from the American Civil Liberties Union, argue in their filing that the current legal standard gives the government too much leeway. "If the Court were to accept this argument, the government could use this tool to monitor the minute-by-minute whereabouts of anyone—from ordinary citizens to prominent businesspersons to leaders of social movements," they wrote in their August 7 brief.

The Open Technology Institute team did a technical experiment at this Spring’s March for Science in Washington (DC) to try and answer these questions and explore new ways of detecting when your cell phone is being surveilled. The increasingly broad use of cell site simulators by law enforcement is controversial for many reasons. As a general matter, the devices themselves indiscriminately invade the privacy of everyone around them because they connect to, and can capture data from, all phones within their range. But the devices have also been used in controversial ways. In particular, they have been deployed disproportionately in areas made up predominantly of people of color.

We decided to conduct an experiment to see whether and how one might be able to detect the use of cell site simulators during a large protest. In particular, OTI conducted a spectrum survey at the March for Science in April 2017 to experiment with ways to identify these devices. Although our results were inconclusive, they gave us new insights into how best to tackle this problem, insights that we and others can apply to future experiments with the same goal: developing tools that give us the power to watch the watchers.

Sen Ron Wyden (D-OR), a member of the Select Committee on Intelligence, wants to know how many "backdoor" searches of e-mails and other communications the government has conducted. He is concerned about warrantless searches the attorney general can authorize of information collected from or about US citizens if it also involves a person from another country or agent of a foreign power. He also wants to know if the intelligence community can conduct searches of that information without an individual warrant and what limits there are in searching the information if that person is not the target—the target has to be a foreign power or agent on the other side of that communication collected under the Foreign Intelligence Surveillance Act (FISA). Sen Wyden is also concerned about the lack of public awareness of the breadth of the data collection and limits on oversight, as well as what he says is the vagueness of government procedures for collection and use.

Sealed law enforcement requests to track Americans without a warrant through cellphone location records or Internet activity grew sevenfold in the past three years in the District, new information released by a federal judge shows. Details about the growth come as the US Supreme Court weighs whether to rein in such rapidly expanding demands. Legal experts said the disclosure appears to mark a first, and that neither the Justice Department nor private companies have previously made public such specific data about how often law enforcement agencies seek those court orders. The summary data gave counts of requests by year from 2008 through 2016 made in criminal cases handled by the Justice Department or US attorney’s office for the District. Details about each individual case, such as the name of a suspect or what records were sought, were not disclosed.

The requests were made under a 1986 statute that enables law enforcement agencies to obtain court orders requiring ­communication service providers to turn over records about individual customers. The orders do not apply to information about telephone calls, such as the time, date, duration and numbers dialed, which can be obtained in other ways. Instead, the requests seek individuals’ Internet connection records or cellphone tower records. Those records exclude the content of communications but can be highly valuable to investigators seeking to establish a history or pattern of movement, conduct or relationships. The information requests can include Internet browsing logs and activity; the time, date, size, sender and recipient of email, instant or social media messages, or other transaction records; as well as computer identification numbers and information about websites that a user accessed.

Apparently, Facebook, Alphabet's Google, Apple, and other major technology firms are largely absent from a debate over the renewal of a broad US internet surveillance law, weakening prospects for privacy reforms that would further protect customer data. While tech companies often lobby Washington on privacy issues, the major firms have been hesitant to enter a fray over a controversial portion of the Foreign Intelligence Surveillance Act (FISA), industry lobbyists, congressional aides and civil liberties advocates said. Among their concerns is that doing so could jeopardize a trans-Atlantic data transfer pact underpinning billions of dollars in trade in digital services, apparently.

Technology companies and privacy groups have for years complained about the part of FISA known as Section 702 that allows the US National Security Agency (NSA) to collect and analyze e-mails and other digital communications of foreigners living overseas. Though targeted at foreigners, the surveillance also collects data on an unknown number of Americans - some privacy advocates have suggested it could be millions - without a search warrant. Section 702 will expire at the end of 2017 unless the Republican-controlled Congress votes to reauthorize it. The White House, U.S. intelligence agencies and many Republican senators want to renew the law, which they consider vital to national security, without changes and make it permanent. A coalition of Democrats and libertarian-leaning conservatives prefer, however, to amend the law with more privacy safeguards.

Personality quizzes have some sort of perennial appeal. Facebook newsfeeds are filled with BuzzFeed quizzes and other oddball questionnaires that tell you which city you should actually live in, which ousted Arab Spring ruler you are, and which Hogwarts house you belong in. But these new online quizzes have a dark edge that their analog predecessors didn’t.

In the wake of the US election, a secretive data firm hired by Donald Trump’s campaign boasted that it has been using quizzes for years to gather personal information about millions of voters. Its goal: the creation of digital profiles that can predict—and possibly exploit—Americans’ values, anxieties, and political leanings. Whether this firm, Cambridge Analytica, has actually used predictive profiles to influence people isn’t certain; reports suggest it hasn’t, at least not directly. But the company’s methods nonetheless expose the growing scale of personality analysis online—and the dangers that come with it. On the internet, anything you do is like taking a personality quiz: Everywhere you click reveals something about you. And you’re not the only one who sees the results.

The Federal 9th Circuit Court of Appeals ruled that gag orders issued with warrant-like national security letters do not violate the First Amendment. National security letters serve the same functions as a warrant but do not require judicial oversight. They are frequently used to solicit digital data from telecom companies and are frequently accompanied by nondisclosure orders barring the companies from informing customers that law enforcement has harvested their data.

Credo Mobile and CloudFlare, a cybersecurity firm, received a total of five national security letters between 2011 and 2013 and sued, arguing they had a First Amendment right to notify customers. In 2013, District Judge Susan Illston ruled that the letters were unconstitutional, but stayed her decision and later reversed it in 2016 once lawmakers added additional civil liberties protections. The appeals court upheld Illston's amended opinion, agreeing that civil liberties safeguards in place — including notifying recipients the letters could be challenged in court — were adequate. "The nondisclosure requirement in the NSL law therefore does not run afoul of the First Amendment," wrote Judge Sandra Ikuta in the decision.

While many technology companies continue to step up their privacy game by adopting best practices to protect sensitive customer information when the government demands user data, telecommunications companies are failing to prioritize user privacy when the government comes knocking, an Electronic Frontier Foundation annual survey shows. Even tech giants such as Apple, Facebook, and Google can do more to fully stand behind their users.

EFF’s seventh annual “Who Has Your Back” report digs into the ways many technology companies are getting the message about user privacy in this era of unprecedented digital surveillance. The data stored on our mobile phones, laptops, and especially our online services can, when aggregated, paint a detailed picture of our lives—where we go, who we see, what we say, our political affiliations, our religion, and more. AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning just one star. While they have adopted a number of industry best practices, like publishing transparency reports and requiring a warrant for content, they still need to commit to informing users before disclosing their data to the government and creating a public policy of requesting judicial review of all NSLs.

The American Civil Liberties Union of New Mexico has sued the city of Albuquerque, seeking records by the city’s police department about its use of stingrays, also known as cell-site simulators. In May 2017, the ACLU of New Mexico filed a public records request to the Albuquerque Police Department (which has been under federal monitoring for years), seeking a slew of information about stingrays. The requested info included confirmation on whether the police had stingrays, "policies and procedures," and contracts with the Harris Corporation, among other materials. Albuquerque denied many of these requests, citing a state law that allows some public records to be withheld on the grounds that they reveal "confidential sources, methods." So, the week of July 3, the ACLU of New Mexico sued.