According to Forbes, which spoke with sources close to local and federal investigations, it’s becoming standard operating procedure for cops to use dead people’s fingerprints to unlock their Apple iPhones.
FBI forensic specialist Bob Moledor detailed for Forbes the first known instance of law enforcement making such an attempt, during an investigation into the motives of an attacker killed by Ohio police back in 2016. Continue reading →
In a Supreme Court case beginning Wednesday, the ACLU is arguing that Americans should not be expected to give up privacy rights every time they use a cell phone that pings phone towers nearby, as analog-era legal arguments would hold. (Photo: Mike Mozart/Flickr/cc)
The Supreme Court will hear the first arguments in a landmark case regarding digital privacy rights on Wednesday as civil liberties advocates, joined by tech companies and journalists, argue the court must acknowledge that privacy rights and free speech protections should align with the reality of 21st century technology.
The case, known as Carpenter vs. United States centers around Timothy Carpenter, who was convicted in 2011 of several robberies after the police, without a probable cause warrant, gathered data from his cell phone company. Months of records were turned over, showing that he had been near cell towers close to the sites of the robberies when they took place. Continue reading →
Fear of hackers reading private emails in cloud-based systems like Microsoft Outlook, Gmail or Yahoo has recently sent regular people and public officials scrambling to delete entire accounts full of messages dating back years. What we don’t expect is our own government to hack our email – but it’s happening. Federal court cases going on right now are revealing that federal officials can read all your email without your knowledge.
The federal government is getting access to the contents of entire email accounts by using an ancient procedure – the search warrant – with a new, sinister twist: secret court proceedings.
The earliest search warrants had a very limited purpose – authorizing entry to private premises to find and recover stolen goods. During the era of the American Revolution, British authorities abused this power to conduct dragnet searches of colonial homes and to seize people’s private papers looking for evidence of political resistance.
To prevent the new federal government from engaging in that sort of tyranny, special controls over search warrants were written into the Fourth Amendment to the Constitution. But these constitutional provisions are failing to protect our personal documents if they are stored in the cloud or on our smartphones.
Fortunately, the government’s efforts are finally being made public, thanks to legal battles taken up by Apple, Microsoft and other major companies. But the feds are fighting back, using even more subversive legal tactics.
Searching in secret
To get these warrants in the first place, the feds are using the Electronic Communications Privacy Act, passed in 1986 – long before widespread use of cloud-based email and smartphones. That law allows the government to use a warrant to get electronic communications from the company providing the service – rather than the true owner of the email account, the person who uses it.
But relatively little notice has come to a similar Microsoft effort on behalf of customers that began in April 2016. The company’s suit argued that search warrants delivered to Microsoft for customers’ emails are violating regular people’s constitutional rights. (It also argued that being gagged violates Microsoft’s own First Amendment rights.)
It’s very difficult to get a copy of one of these search warrants, thanks to orders sealing files and gagging companies. But in another Microsoft lawsuit against the government a redacted warrant was made part of the court record. It shows how the government asks for – and receives – the power to look at all of a person’s email.
On the first page of the warrant, the cloud-based email account is clearly treated as “premises” controlled by Microsoft, not by the email account’s owner:
“An application by a federal law enforcement officer or an attorney for the government requests the search of the following … property located in the Western District of Washington, the premises known and described as the email account [REDACTED]@MSN.COM, which is controlled by Microsoft Corporation.”
The Fourth Amendment requires that a search warrant must “particularly describe the things to be seized” and there must be “probable cause” based on sworn testimony that those particular things are evidence of a crime. But this warrant orders Microsoft to turn over “the contents of all e-mails stored in the account, including copies of e-mails sent from the account.” From the day the account was opened to the date of the warrant, everything must be handed over to the feds.
Reading all of it
In warrants like this, the government is deliberately not limiting itself to the constitutionally required “particular description” of the messages it’s looking for. To get away with this, it tells judges that incriminating emails can be hard to find – maybe even hidden with misleading names, dates and file attachments – so their computer forensic experts need access to the whole data base to work their magic.
If the government were serious about obeying the Constitution, when it asks for an entire email account, at least it would write into the warrant limits on its forensic analysis so only emails that are evidence of a crime could be viewed. But this Microsoft warrant says an unspecified “variety of techniques may be employed to search the seized emails,“ including “email by email review.”
If Microsoft wins, then citizens will have the chance to see these search warrants and challenge the ways they violate the Constitution. But the government has come up with a clever – and sinister – argument for throwing the case out of court before it even gets started.
The government has asked the judge in the case to rule that Microsoft has no legal right to raise the Constitutional rights of its customers. Anticipating this move, the American Civil Liberties Union asked to join the lawsuit, saying it uses Outlook and wants notice if Microsoft were served with a warrant for its email.
The government’s response? The ACLU has no right to sue because it can’t prove that there has been or will be a search warrant for its email. Of course the point of the lawsuit is to protect citizens who can’t prove they are subject to a search warrant because of the secrecy of the whole process. The government’s position is that no one in America has the legal right to challenge the way prosecutors are using this law.
Far from the only risk
The government is taking a similar approch to smartphone data.
Where does this all leave us now? The judge in Ravelo is expected to issue a preliminary ruling on the feds’ arguments sometime in October. The government will be filing a final brief on its motion to dismiss the Microsoft case September 23. All Americans should be watching carefully to what happens next in these cases – the government may be already watching you without your knowledge.
“This bill is a clear threat to everyone’s privacy and security,” said Neema Singh Guliani, legislative counsel with the ACLU. (Photo: Laura Bittner/flickr/cc)
A draft of a proposed bill mandating companies give, under a court order, the government access to encrypted data is being derided by technology experts as “ludicrous,” as it “ignores technical reality” and threatens everyone’s security.
The bill’s proposers, Senators Richard Burr (R-North Carolina), Chair of the Senate Intelligence Committee, and Dianne Feinstein (D-California), top Democratic on the committee, neither disavowed the document nor confirmed its legitimacy, the Wall Street Journalreports. Continue reading →
What is privacy and what is an individual’s right to it?
That is the question that renowned linguist and MIT professor Noam Chomsky, National Security Agency (NSA) whistleblower Edward Snowden, and Intercept co-founding editor Glenn Greenwald sought to answer on Friday evening as the three (virtually) shared a stage for a panel discussion at the University of Arizona in Tuscon.
Coming amid the FBI’s public battle against Apple as well as days after the bombings in Brussels last week, which have spurred another round of calls for heightened security and surveillance, the conversation challenged the rhetoric that national security requires that governments can access individual communications. Continue reading →
The ongoing fight between Apple and the FBI over breaking into the iPhone maker’s encryption system to access a person’s data is becoming an increasingly challenging legal issue.
With a deadline looming, Apple filed court papers explaining why it is refusing to assist the FBI in cracking a password on an iPhone used by one of the suspects in the San Bernardino shooting. CEO Tim Cook has declared he will take the case all the way to the Supreme Court.
The tech company now wants Congress to step in and define what can be reasonably demanded of a private company, though perhaps it should be careful what it wishes for, considering lawmakers have introduced a bill that compels companies to break into a digital device if the government asks.
But there is an irony to this debate. Government once pushed industry to improve personal data privacy and security – now it’s the tech companies who are trumpeting better security. My own research has highlighted this interplay among businesses, users and regulators when comes to data security and privacy.
For consumers, who in coming years will see ever more of their lives take place in the digital realm, this heightened attention on data privacy is a very good thing.
The business case for better privacy grows
Not too long ago, everyone seemed to be bemoaning that companies aren’t doing enough to protect customer security and privacy.
The White House, for example, published a widely cited report saying that the lack of online privacy is essentially a market failure. It highlighted that users simply are in no position to control how their data are collected, analyzed and traded. Thus, a market-based approach to privacy will be ineffective, and regulations were necessary to force firms to to protect the security and privacy of consumer data.
The tide seems to have turned. Repeated stories on data breaches and privacy invasion, particularly from former NSA contractor Edward Snowden, appears to have heightened users’ attention to security and privacy. Those two attributes have become important enough that companies are finding it profitable to advertise and promote them.
Whether it is through its payment software or operating system, Apple has emphasized security and privacy as an important differentiator in its products. Of course, unlike Google or Facebook, Apple does not make money using customer data explicitly. So it may have more incentives than others to incorporate these features. But it competes directly with Android and naturally plays an important role in shaping market expectation on what a product and service should look like.
These features possibly play an even more critical role outside the U.S. where privacy is under threat not only from online marketers and hackers but also from governments. In countries like China, where Apple sells millions of iPhones, these features potentially are very attractive to end users to keep their data private from prying eyes of authorities.
Regulators hum a different tune
It is clear that Apple is offering strong security to its users, so much so that FBI accuses it of using it as a marketing gimmick.
It seems we have come a full circle in the privacy debate. A few years ago, regulators were lamenting how businesses were invading consumers’ privacy, lacked the proper incentives to do so and how markets needed stronger rules to make it happen. Today, some of the same regulators are complaining that products are too secure and firms need to relax it in some special cases.
While the legality of this case will likely play out over time, we as end users can feel better that in at least in some markets, companies are responding to a growing consumer demand for products that more aggressively protect our privacy. Interestingly, Apple’s mobile operating system, iOS, offers security by default and does not require users to “opt-in,” a common option in most other products. Moreover, these features are available to every user, whether they explicitly want it or not, suggesting we may be moving to a world in which privacy is fundamental.
Data sharing gets complicated
At its core, this debate also points to a larger question over how a public-private partnership should be structured in a cyberworld and how and when a company needs to share details with either the government or possibly with other businesses for the public good.
When Google servers were breached in China in 2010, similar questions arose. United States government agencies wanted access to technical details on the breach so it could investigate the perpetrators more thoroughly to unearth possible espionage attempts by Chinese hackers. The breach appeared to be aimed at learning the identities of Chinese intelligence operatives in the U.S. that were under surveillance.
Information sharing on data breaches and security infiltration is something the government has widely encouraged, last year passing the Cybersecurity Information Sharing Act of 2015 to encourage just that.
Unfortunately, various government agencies themselves have become self-interested parties in this game. In particular, the Snowden disclosures revealed that many government agencies conduct extensive surveillance on citizens, which arguably not only undermine our privacy but compromise our entire information security infrastructure.
These agencies, including the FBI in the current case, may have good intentions, but all of this has finally given profit-maximizing companies the right incentives they need to do what the regulators once wanted. Private businesses now have little incentive to get caught up in the bad press that usually follows disclosures like Snowden’s, so it’s no wonder they want to convince their customers that their data are safe and secure, even from the government.
With cybersecurity becoming a tool for government agencies to wage war with other nation-states, it is no surprise that companies want to share less, not more, even with their own governments.
The battle ahead
This case is obviously very specific. I suspect that, in this narrow case, Apple and law enforcement agencies will find a compromise.
But the Apple brand has likely strengthened. In the long run, its loyal customers will reward it for putting them first.
However, this question is not going away anywhere. With the “Internet of things” touted as the next big revolution, more and more devices will capture our very personal data – including our conversations.
This case could be a precedent-setting event that can reshape how our data are stored and managed in the future. But at least for now, some of the companies appear to be – or least say they want to be – on our side in terms protecting our privacy.
About the Author: Rahul Telang is Professor of Information Systems and Management, Carnegie Mellon University.