Posted by Taylor Armerding on July 5, 2018
The troops on the front lines of the war to protect personal privacy won a couple of significant battles last week.
Significant, but likely not seismic—at least not yet. It’s not like the clock got rewound to 1990, before the Internet became mainstream, when mobile phones were still relatively rare. And we still live in a world where most people are willing to give away their privacy to be able to use their favorite apps and social media platforms.
But yes—still significant. The first and most important was the U.S. Supreme Court’s (SCOTUS) landmark decision last week in Carpenter v. United States that law enforcement agencies must obtain a warrant before they can demand unlimited access to mobile phone location data from wireless carriers.
The cheers erupted from privacy advocates across the nation—among them the Center for Democracy and Technology (CDT), the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC), the American Civil Liberties Union (ACLU), and U.S. Sen. Ron Wyden (D-OR), one of the most vocal privacy advocates in Congress.
Wyden declared in a press release that the decision “strikes a blow against the creeping expansion of government intrusion into the most personal parts of Americans’ lives.”
While other privacy advocates might substitute “runaway train” for “creeping,” the decision does pump the brakes on what advocates have been saying is Big Brother–level surveillance.
It doesn’t expressly eliminate all warrantless collection of cell-site location information (CSLI) by law enforcement but says that seven days of such information is enough to trigger Fourth Amendment protections against “unreasonable search and seizure.”
The seven days is far less than the 127 days collected on Timothy Carpenter, who appealed the use of that information in his conviction as a participant in a 2011 string of robberies of electronics stores in Michigan and Ohio.
The FBI sought, and was granted, access to his CSLI, which put him within a half mile to two miles of the robberies.
The ACLU noted that the agency “got almost 13,000 data points tracking Carpenter’s whereabouts during that period, revealing where he slept, when he attended church, and much more.”
According to numerous analysts and experts, there are two crucial components to the decision, which could eventually reach far beyond the specifics of the Carpenter case:
The third-party doctrine, a 1970s-era precedent, holds that individuals don’t have a legal right to the privacy of information that they voluntarily share with a third party, such as bank records or phone numbers dialed.
But Chief Justice John Roberts, writing for the 5–4 majority, noted the reality that just about everybody needs a mobile phone to participate in modern life and therefore simply turning on the phone doesn’t amount to volunteering to share personal location information.
People, he wrote, have a “reasonable expectation of privacy in the whole of their physical movements.”
He spent much more time on the level of surveillance that current and future technology will allow, calling it “tireless and absolute.”
As some critics and dissenters on the court noted, he went beyond the facts of Carpenter’s case, in which the CSLI placed Carpenter hundreds of yards to miles from where the crimes took place.
Roberts called it “near perfect surveillance, as if [the Government] had attached an ankle monitor to the phone’s user.” That time-stamped data, he said, “provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’”
“The Government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years.”
Roberts indirectly acknowledged that he was reaching beyond the facts of the case and projecting where the technology was going. He said it was important to ensure that the “progress of science” does not erode Fourth Amendment protections.
But he also made clear that the decision was “a narrow one.”
“We do not express a view on matters not before us: real-time CSLI or ‘tower dumps’ (a download of information on all the devices that connected to a particular cell site during a particular interval).
“We do not…call into question conventional surveillance techniques and tools, such as security cameras. Nor do we address other business records that might incidentally reveal location information.”
Indeed, he didn’t even address why security cameras are considered “conventional.” The decision doesn’t address what companies like Google and Facebook do with their vast trove of data on their users—images, messages, posts, browser histories. It doesn’t address smart devices like Amazon’s Echo, which collects data on musical tastes, shopping history, and in some cases personal conversations. It doesn’t address the personal health data that fitness apps and trackers collect.
Which means it will likely be a very long time before the overall issue is settled. As Orin Kerr, University of Southern California law professor and former clerk to Justice Anthony Kennedy, put it in a post on the Lawfare blog, “At the very least that is going to invite a boatload of litigation on how far this new reasoning goes.”
Less momentous, generating a lot fewer headlines, but still significant and highly relevant to the Supreme Court case was word about a week ago from Sen. Wyden that following a New York Times report about what Wyden labeled “the shady practice of wireless carriers selling Americans’ location [data] to third parties—sometimes without permission,” Verizon and AT&T had agreed to sever their relationship with location aggregators LocationSmart and Zumigo.
“T-Mobile and Sprint seem content to continue to sell their customers’ private information to these shady middle men, Americans’ privacy be damned,” Wyden said in the press release.
The Times reported that Securus Technologies, used by U.S. jails and prisons to provide and monitor calls to inmates, was also being used to track mobile phone locations of other people—just about any other people.
The data to do that were coming from companies like LocationSmart. And star security blogger Brian Krebs reported last month that besides providing data to customers like Securus, LocationSmart had been “leaking this information to anyone via a buggy component of its Web site—without the need for any password or other form of authentication or authorization.”
Krebs heard from Robert Xiao, a security researcher at Carnegie Mellon University, who told him he had found a vulnerability in the company’s demo site that allowed him to conduct mobile number location lookups at will.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao told him. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
“This is really creepy stuff,” he added.
LocationSmart took the demo site offline as soon as Krebs notified them. But Wyden told Krebs that its regular business practice of providing data to customers that then provide it to law enforcement amounts to an end run around the requirement that law enforcement—or government in general—get location data only directly from the wireless carriers.
“This practice skirts wireless carrier’s legal obligation to be the sole conduit by which the government may conduct surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and unchecked surveillance by the government,” he wrote to Krebs.
Last week’s SCOTUS decision doesn’t directly address that issue either.
Gary McGraw, vice president, security technology, with Synopsys Software Integrity Group, said he doubts the wireless carriers were surprised by what was going on.
“In my view, the carriers likely knew about this all along,” he said. “So did most sophisticated security-aware users of mobile technology. What is happening is that political circles are beginning—just beginning—to get a technical clue.”
McGraw said he welcomes limits on the use of tracking data, and praised Wyden “for making this into a public issue.”
But he said the reality remains that “most users have no idea how their technology works or its impact on their security and privacy. Heck, users are even willing to install listening devices in their kitchens now, on purpose.”
Get the latest AppSec news and trends sent directly to you.