The Supreme Court’s recent ruling that police must get a warrant to access the vast trove of location information wireless carriers collect on their customers marks a breakthrough for privacy rights.
But the majority in Carpenter v. United States sidestepped key issues about whether police can still access location data in real time or for short periods without a warrant.
These gaps will likely give rise to a flurry of new legal challenges --- and are already sparking calls for Congress to step in to fix potential loopholes. Privacy advocates want lawmakers to regulate companies that sell real-time location data to law enforcement and to require that investigators get a warrant to access location data even for just a few days.
“I think Carpenter will be seen as a landmark case for civil liberties protections in the digital age,” said Elizabeth Joh, a criminal law professor at UC Davis School of Law. “But, Carpenter opens up many questions … There is quite likely to be disagreement among judges about how broadly Carpenter’s rationale applies beyond the government’s collection of historical cellphone location data.”
My colleague Robert Barnes reported that Friday's ruling means police won't have unfettered access to cell tower records that can offer investigators a virtual map of a person’s movements over time. Writing for the five-justice majority, Chief Justice John G. Roberts Jr. said that such “detailed, encyclopedic, and effortlessly compiled” information was protected from warrantless searches under the Fourth Amendment.
But Roberts went out of his way to note that the court didn’t “express a view” on whether law enforcement can gather users’ real-time location data without a warrant.
Jake Laperruque, senior counsel at the civil liberties group The Constitution Project, said the court “needlessly punted” on the issue.
“The Court willfully chose to avoid addressing real-time surveillance,” Laperruque tweeted, “which means we'll be back here in a few years AGAIN, and in the mean time, government will have the power that the court says is so 'remarkably easy, cheap, and efficient compared to traditional investigative tools' that it should require a warrant.”
It's also unclear how the court's refusal to address the issue will affect third-party companies that market real-time location data to law enforcement, as security blogger Brian Krebs noted.
Companies such as the prison phone company Securus have come under intense scrutiny recently for selling customer location data from mobile providers to police forces across the country. Their services allow police to potentially track the movement of millions of phones in real time, as my colleague Brian Fung reported.
With the Carpenter ruling, there's now a strong argument that law enforcement would need a warrant to access that type of data, wrote Krebs. Still, he noted, nothing in the law prevents mobile companies from sharing real-time data with other commercial entities. “For that reality to change, Congress would need to act,” he wrote.
Greg Nojeim, director of the Center for Democracy and Technology’s Freedom, Security & Technology Project, agreed that the ruling could offer an ideal opportunity for lawmakers to step in.
“Congress should also close the data-laundering loophole that has opened up to permit lawless location tracking,” said Nojeim, whose organization submitted a brief in the case urging the court to account for new technologies, in a statement. “Telecommunications companies are selling sensitive location information to third parties who sell the information to law enforcement, thereby evading the court order requirement that would apply if law enforcement had sought the location information directly from the carrier.”
The majority in Carpenter also left open the possibility that law enforcement might not need a warrant to look at a person's location data over a relatively short time. Roberts wrote that it was “sufficient for our purposes” that anything more than seven days of location data would constitute a search that required a warrant.
What does that mean for a shorter period? Not clear, said Albert Gidari, consulting director of privacy at the Stanford Law Center for Internet and Society.
“So can the government just ask for 6 days with a subpoena or court order,” he wrote in a blog post. “You can bet that will be litigated in the coming years, but the real question is what will mobile carriers do in the meantime — it could be a long wait for an appellate court to see a criminal defendant whose conviction rests on 6 days of location data, and in the meantime, it could be tomorrow when a carrier discloses a week of location data on less than a warrant.”
This is another area where Congress could clear the air, Nojeim said.
“It’s crucial for lawmakers to apply a warrant requirement for shorter periods or when the government wants to locate a person at one particular moment.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: On the one hand, special counsel Robert S. Mueller III and Director of National Intelligence Daniel Coats say Russia continues to try to interfere in U.S. politics as the midterm elections approach. On the other hand, the Trump administration has been mostly muted when it comes to allegations of Russian threats to the 2018 midterms. And in between, lawmakers in the House and Senate wonder what to make of those apparent contradictions, Politico's Martin Matishak reports.
“We’re getting so many mixed signals, depending on what the agency is,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) told Matishak. “It compels us to bring everybody together in the same room and try to figure out whether or not there’s some stovepipe issues.” Burr intends to gather intelligence officials in July, according to Matishak. Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee, told Politico that he has yet to see a coordinated response from the Trump administration on the matter. “What we would normally see in a normal administration is the principals meeting to discuss what are they doing individually, what are they doing jointly, or what they are communicating amongst themselves, what’s the whole of government plan to protect the midterms,” he said. “I just don’t see any evidence that’s happening.”
PATCHED: Illinois will probably have to wait to upgrade its aging voting machines. Illinois's State Board of Elections said most of the $13.9 million that the state is receiving in federal funds to strengthen election security will be dedicated to training and improving cybersecurity, the Associated Press's Sarah Zimmerman reports. “Because Illinois already conducts audits and uses machines with paper trails, the state will have to devote most of its $13.9 million sum on cybersecurity upgrades and training,” Zimmerman writes. “That puts a damper on the state’s initial plans to allow local officials to use some of the money to upgrade some of their deteriorating voting machines, many of which were initially purchased as early as 2004.” Those federal funds are part of the $380 million that Congress set aside in a massive spending bill that Trump signed in March to improve election security across the nation. (I wrote last month about how several states plan to use the money.)
Some local officials in Illinois say upgrading voting machines is urgent, according to Zimmerman. “Logan County Clerk Sally Turner said local clerks have yet to see any language as to how the state board interprets definitions of 'cybersecurity,' and whether new voting machines would fall under the term,” Zimmerman writes. “ 'We all need new election equipment and I think we’re all hopeful that our state government recognizes the importance of this,' she said.”
PWNED: Employees of Amazon.com don't want their company's facial-recognition technology to be used for policing. A group of employees wrote to Amazon founder and chief executive Jeffrey P. Bezos to ask that the company stop selling its facial-recognition tool, called Rekognition, to law enforcement agencies and cut ties with companies that work with U.S. Immigration and Customs Enforcement, The Washington Post's Hamza Shaban reports. (Bezos is also the owner of The Post.)
“We don’t have to wait to find out how these technologies will be used,” the employees told Bezos in their letter. “We already know that in the midst of historic militarization of police, renewed targeting of Black activists, and the growth of a federal deportation force currently engaged in human rights abuses — this will be another powerful tool for the surveillance state, and ultimately serve to harm the most marginalized.” A coalition of civil rights organizations such as the American Civil Liberties Union and other groups also demanded last week that Amazon stop marketing Rekognition to law enforcement authorities. (I recently wrote about lawmakers' concerns that Amazon's facial-recognition technology could lead to an increase in racial profiling.)
Additionally, the Amazon employees' letter asked that the company stop providing cloud services to the data analysis firm Palantir amid concerns about the Trump administration's immigration enforcement policies, Shaban writes. “We also know that Palantir runs on [Amazon Web Services],” the letter says, as quoted by Shaban. “And we know that ICE relies on Palantir to power its detention and deportation programs.”
— The Office of Personnel Management's huge 2014 data breach has come back to haunt federal employees whose information was exposed. Prosecutors last week announced that a Maryland couple pleaded guilty to using data that was stolen in the OPM hack for a fraudulent loan scheme, the Wall Street Journal's Dustin Volz and Robert McMillan report. “The Maryland scheme also confused cybersecurity investigators who, along with the U.S. government, had concluded the Chinese government was behind the breach, motivated by the espionage value of the database and not by financial gain,” according to Volz and McMillan.
— Government emails in Oregon were restored after a freeze that followed a cyberattack. “The freeze, initiated by providers at four popular email servers including Hotmail and Outlook, had blocked all messages from official Oregon.Gov email addresses from being delivered,” the AP's Tom James reports. The scheme involved tricking a state employee with an email that appeared genuine to provide attackers with oregon.gov log-in information, according to the AP. “Once that was obtained, the attacker sent out roughly eight million official-looking messages, trying to trick unsuspecting residents into sharing their own personal information,” James writes. “But at least some of the spam emails were recognized as fraudulent, leading Hotmail and Outlook, along with Live.com and MSN.com, to downgrade the state’s 'sender reputation score,' according to a notice sent out last week.”
— Abusers are using connected devices that are meant to assist people in their homes as tools to further torment their victims, the New York Times's Nellie Bowles reports. “Connected home devices have increasingly cropped up in domestic abuse cases over the past year, according to those working with victims of domestic violence,” Bowles writes. “Those at help lines said more people were calling in the last 12 months about losing control of Wi-Fi-enabled doors, speakers, thermostats, lights and cameras. Lawyers also said they were wrangling with how to add language to restraining orders to cover smart home technology.”
— Tesla dismissed a former employee's claim that he is a whistleblower. “He is nothing of the sort,” Tesla said in a statement provided on Friday to Ars Technica's Cyrus Farivar. “He is someone who stole Tesla data through highly pernicious means and transferred that data to unknown amounts of third parties, all while making easily disprovable claims about the company in order to try to harm it.” Tesla sued Martin Tripp last week, accusing him of hacking the company's computer systems and stealing secrets. Tripp says he's a whistleblower who had safety concerns about Tesla's car batteries.
— False information popping up on Facebook and some of its other services like WhatsApp ahead of the presidential election in Mexico next month illustrates the challenges it faces in countering online disinformation across the world and especially during electoral campaigns, The Post’s Elizabeth Dwoskin reports. “The Mexican election reflects the constantly mutating ways social media can be weaponized against democracy — and the immensity of Facebook’s global challenge,” according to Dwoskin. “Most of Facebook’s users live in countries like Mexico, where government corruption is endemic, distrust of the mainstream media is widespread, viral memes and WhatsApp messages are often perceived to be as credible as news stories, and the forces manipulating debate online are internal, tied to domestic political parties and other local actors.”
- Cyber Security for Defense conference in Alexandria, Va., today through June 27.
- Karen S. Evans, Trump’s nominee for assistant secretary of energy for cybersecurity, energy security and emergency response at the Energy Department, appears before the Senate Energy Committee for her confirmation hearing tomorrow.
- Senate Judiciary subcommittee hearing on protecting elections tomorrow.
- Two House Science subcommittees hold a hearing on artificial intelligence tomorrow.
- The Council on Foreign Relations holds a discussion on the future of data privacy tomorrow.
- Tennessee Digital Government Summit in Nashville tomorrow.
- The New York City Bar Association organizes a panel discussion on the legal challenges from the Internet of Things in New York tomorrow.
- SIA GovSummit in Washington on June 27 through June 28.