WASHINGTON, D.C. /PRNewswire-USNewswire/ — The Digital 4th coalition unveiled new poll results showing broad and diverse support for stronger email privacy protections – both nationally and in early primary states. According to a survey by Vox Populi Polling, 86% of voters nationwide support an update to the Electronic Communications Privacy Act (ECPA), the 29-year-old law setting standards for government access to emails and online communications. In Iowa, 81% of Democratic voters and 74% of Republican voters are behind ECPA reform. The numbers were similar in New Hampshire, with 84% of Democrat voters and 75% of Republicans in support.
Moreover, 77% of voters across the country believe the government should be required to get a warrant from a judge before obtaining access to emails, photos and documents stored online.
“ECPA reform is overwhelmingly bipartisan and overwhelmingly supported by Americans across the country. There is tremendous momentum with more than 300 members of Congress co-sponsoring legislation requiring a warrant for emails and online communications. The legislation would simply extend Constitutional protections online,” said Gabe Rottman, Legislative Counsel and Policy Advisor at the American Civil Liberties Union (ACLU) and a member of the Digital 4th coalition.
“What’s particularly illuminating is that more than three out of every four voters believe that the government needs to get a warrant before accessing emails and other online communications. Federal agencies like the Securities & Exchange Commission (SEC) have been advocating to circumvent the warrant requirement. It’s clear that Americans see this as nothing more than a power grab. We hope Congress stands up to federal agencies and preserves our constitutional rights online,” said Katie McAuliffe, Federal Affairs Manager at Americans for Tax Reform (ATR) and member of the Digital 4th coalition.
“Support for strengthening online privacy spans across all ages, races and political affiliations. This level of support is typically unheard of in politics today. It is clear from our results that Americans want online privacy laws to be updated,” said Michael Meyers of Vox Populi Polling.
Other notable numbers from the poll include:
- 84% of voters feel that privacy is important (63% extremely or very important) when it comes to the government accessing their online information. Only 16% of voters feel that it is not very important or not important at all.
- 77% of voters reported that a warrant should be required to access these online communications. 78% of Democrats and 76% of Republicans supported the requirement of a warrant.
- ECPA reform does have an effect on presidential candidate choice for a majority of American voters. 53% of all likely general election voters stated that they would be more inclined to vote for a candidate who supported strengthening online privacy through ECPA reform.
“Purported CIA email hacker pushed for ‘Free Palestine,’ praised Allah on Twitter,” Fox News, October 20, 2015:
Details are emerging about the motivations and the methods behind the alleged hack of CIA Director John Brennan’s personal AOL email account, with the supposed hacktivist identifying on Twitter as an advocate for a “free” Palestinian state — and claiming he and others broke in simply by fooling a Verizon agent.
He also praised Allah in his Twitter bio.
Meanwhile, questions are being raised about Brennan potentially having sent work-related emails through his personal account, a move one tech expert called “just plain stupid.” And if any work-related emails were sent containing classified information, it could pose a legal problem similar to the one facing Hillary Clinton.
A law enforcement source confirmed to Fox News Monday that the FBI was looking into claims that Brennan’s personal AOL email was hacked.
Analysts noted the cyber-vandals may have used a tactic known as “social engineering,” and not traditional hacking. The anonymous hacker claiming credit told WIRED that he and two other people, after learning Brennan was a Verizon customer, posed as a Verizon technician to trick another Verizon employee into giving them access to the company’s customer database.
From there, they reportedly were able to access Brennan’s account number, his backup cell phone, the last four digits of his bank card number and his AOL email address. With that information, they were able to call AOL and gain access to the account on Oct. 12, the hacker told WIRED.
The hacktivist’s Twitter account includes links to files he says are Brennan’s contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents.
One document purporting to come from Brennan’s AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter.
The hacker told the New York Post he had also obtained a 47-page version of Brennan’s application for a security clearance, known as an SF86. That document contains detailed information about past jobs, foreign contacts, finances and other sensitive personal details. No such document appears to be posted on the hacker’s Twitter account, but it’s not clear whether the hacker posted it elsewhere.
“His SF86 contains information on references on bosses, on managers, on friends. If that file gets out, it could actually put these people’s lives in danger. Their identity is not supposed to be known by the general public,” Morgan Wright, a cybersecurity expert, told Fox News.
The hacker, whom the New York Post described in an article published Sunday as “a stoner high school student,” appears to have been motivated in part by his support for a Palestinian state.
The hacker told WIRED that when they called Brennan’s cell phone, he asked them what they wanted, to which they replied: “We just want Palestine to be free and for you to stop killing innocent people.”
The supposed hacker’s Twitter page also referenced the Palestinian cause.
In his bio on Twitter, the hacker also posted “La il laha il Allah, Muhammad a rasool Allah” which translates as “There is no god but Allah. Muhammad is the messenger of Allah” – a traditional Islamic statement of faith.
It’s unclear to what extent Brennan may have used the AOL account for work-related business. A CIA spokesman told Fox News they are aware of the claims: “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
As the matter is under review, the veracity of the hacker’s claims is unclear. But one tech expert told FoxNews.com that the story sounded credible.
“[Hackers] learn the jargon and pose as line workers or switch operators and get access to restricted areas of the network,” Roger Kay, of Endpoint Technologies Associates, told FoxNews.com. “Security at AOL and other networks is reasonable, but weak passwords can always be cracked, and password recovery schemes are typically based on information about people stored from questions like ‘What was the name of your first pet?’”
Kay said that, if the claims are true, the breach shows poor judgment from the man in charge of the nation’s central intelligence.
“The CIA director was just plain stupid to use a common service like AOL for sensitive communications. He really should have known better,” Kay said….
“A statement from the U.S. Department of Justice said Mr Ferizi, known by his moniker ‘Th3Dir3ctorY’, hacked into a U.S. company’s systems in order to take the personal details of 1,351 U.S. military and government staff.” The repercussions of that theft could be felt for quite some time.
“Malaysia arrests Kosovo man for ‘hacking US files for IS,’” BBC, October 16, 2015 (thanks to Lookmann):
A Kosovan man has been arrested in Malaysia for allegedly hacking into a computer database and providing information on US security officials to the so-called Islamic State group.
The man, who is in his 20s, was detained on 15 September, Malaysian police said in a statement on Thursday.
Separately, the US identified him as Ardit Ferizi, thought to head a hacker group called Kosova Hacker’s Security (KHS).
Mr Ferizi will be extradited to the US.
A statement from the US Department of Justice said Mr Ferizi, known by his moniker “Th3Dir3ctorY”, hacked into a US company’s systems in order to take the personal details of 1,351 US military and government staff.
He will be charged with computer hacking and identity theft, and faces up to 35 years in jail, the statement added….
Between June and August this year, Mr Ferizi is alleged to have passed the data on to IS member Junaid Hussain, also known as Abu Hussain al-Britani, who later posted the details online along with a threat to target the officials….
Malaysia has arrested more than 100 people this year, suspected of links to IS, including ten people in August – six of them members of Malaysia’s security forces.
What? 100 people in modern, moderate Malaysia misunderstood Islam so drastically as to adhere to the Islamic State?
Cars are part of the “Internet of Things.” They run not just on gas, which you’re free to analyze, but on computer code, which you aren’t. If this sounds worrisome, it is. Internal computers can greatly improve a car’s performance and safety, but they can have problems that show no symptoms under normal circumstances.
A couple of hackers, with a knowing volunteer at the wheel, took remote control of a Jeep Cherokee over the Internet and could have wrecked it at high speed if they hadn’t stopped when asked to. More recently, Volkswagen was caught rigging its emissions-control software to cheat during EPA testing, letting them publish false information about millions of cars.
Car computers are formally called “electronic control units” (ECUs). One car may have over a hundred of them, running millions of lines of code, networked together. Figuring out what they do takes determination; it’s necessary to pull out their memory chips, read them, and work backwards from machine code to the design logic.
But the biggest barrier may not be technical but legal; copyright laws make it illegal to do this kind of reverse engineering, and the EPA itself has helped automakers to keep their emissions-testing code secret.
The Digital Millennium Copyright Act puts restrictions on extracting copyrighted information from computers, even for legitimate diagnostic purposes. Car makers like this; it puts serious limits on independently created diagnostic tools and gives the advantage to shops that pay for licenses.
The EPA has formally opposed a DMCA exception for car systems, arguing that it would let people modify the code to circumvent limitations on emissions. It said that “the majority of modifications to engine software are being performed to increase power and/or boost fuel economy.” That’s just what Volkswagen did, and it was harder to catch them precisely because of those prohibitions.
The Alliance of Auto Manufacturers, which includes Volkswagen, has taken the same stand. Ironically, their statement declares:
Many of the ECUs embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to emissions control, fuel economy, or vehicle safety.
Allowing vehicle owners to add and remove programs at whim is highly likely to take vehicles out of compliance with these requirements, rendering the operation or re-sale of the vehicle legally problematic.
John Deere explicitly opposes a free market in car software:
In contrast to the seemingly benign stated purpose of the proposed exemption, the practical effect of circumventing the TPMs [Technical Protection Measures] at issue will stifle creativity and innovation for vehicle software. Third-party software developers, pirates, and competing vehicle manufacturers will be encouraged to free-ride off the creativity and significant investment in research and development of innovative and leading vehicle manufacturers, suppliers, and authors of vehicle software.
The way to promote creativity and innovation is, apparently, to make it illegal for anyone but themselves.
ECUs can be subject to external attacks as well as internal cheatware. Some devices are connected to the Internet for purposes like traffic alerts and entertainment. If they’re part of the car’s internal network, attackers might be able to subvert the whole car, as the Cherokee hackers did. Good design requires firewalls against such attacks, but developers struggling with requirements and hardware limits may neglect security. With no other eyes on their code, it’s easy to be sloppy.
People have tinkered with cars ever since they were first made. They swap in their own parts, making their cars faster, more powerful, and sometimes a lot more annoying. This tradition has helped people to learn how the original parts work and catch problems with them. Spotting flaws and cheats in computer code isn’t as easy as catching bad brakes, but it’s easier when the only barriers are technical. When the government and car manufacturers combine to keep the software secret, the rest of us are stuck in the breakdown lane.
Gary McGath is a freelance software engineer living in Nashua, New Hampshire.
In May of 2015, the federal government suffered a massive data breach, a hack that exposed the names and Social Security Numbers of over 21 million people.
In a press release, the Office of Personnel Management reported that as a result of its “aggressive effort to upgrade the agency’s cybersecurity posture,” the agency discovered the massive theft of background records, reportedly originating in China, including
identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.
Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.
This was a new breach — not the same looting of 4.2 million records that the agency discovered in April of this year.
The news didn’t stop OPM Director Katherine Archuleta, appointed to the post in 2013, from congratulating herself for the agency’s great strides in security. It was her “comprehensive IT strategic plan” that led to the knowledge that these incidents had happened.
Sounds like congratulations are in order. But now it’s September, Archuleta is long gone (she lasted about one day after praising herself for noticing the theft), and the latest news is that the fingerprints of 5.6 million people were also grabbed in the mega-hacking of OPM’s “cybersecurity posture.”
OPM assures us that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” As of right now… this second… as we hit the press… you probably have nothing to worry about if your fingerprints got stolen from OPM’s data banks. Hurrah.
Even Archuleta would probably concede that discovering a robbery is not quite as good as preventing it. Let’s even go so far as to say that she is less to blame for having failed to fix how her agency functions than is the nature of bureaucracy itself.
Of course, governmental organizations are not the only organizations vulnerable to being cyber-attacked in consequence of lax security. Other victims in recent years have included Target, Chase, and Sony.
But it’s the decades-old privacy-invading policies of the federal government that have routinely converted all such breaches of personal data into potentially limitless disasters for the victims.
The federal government which, decades ago, assured us on the cards stamped with our Social Security Numbers that these digits were “not to be used for purposes of identification” is the same government that now mandates the SSN’s ubiquitous deployment to monitor and tax us.
Today, the Social Security Number is like the number to a combination lock: perhaps not enough by itself to enable a bad guy to rob the safe, but a big, big help. Once your SSN-tagged info is out there in badland, your stolen data can be sold and re-sold and re-re-sold. And your cyber-housed, SSN-tagged stuff can be targeted again and again.
Yet it has become harder and harder to refrain from giving others that number. You can join a club without divulging your SSN. You can open an email account or buy a book, a hamburger, a refrigerator, or a gift card without reporting your SSN. But you cannot put ten dollars in the bank, nor open an investment account, nor apply for a credit card or a job without reporting it. Most often, you cannot rent an apartment or buy a house without reporting it.
Absent unusual efforts to protect your financial and personal privacy (of the kind outlined in J.J. Luna’s book How to Be Invisible), the most you can do by way of preventing cyber-assaults is to take such precautions as using different and non-obvious passwords for different cyber-accounts, and withholding your address, date of birth, and SSN from persons who may ardently request these data but will still do business with you if you refuse.
If your data has been grabbed, you can also — if and when you learn of the theft — arrange to monitor your credit and to block routine access to your credit reports, and perhaps take a few other barn-door-slamming measures. But you cannot, short of engaging in fraud, supply anything other than your actual Social Security Number when a government agency requires that it be supplied.
Our most personal information hasn’t always been thus exposed. Today we are so used to privacy-violating mandates like the Social Security Number tag that we take the necessity of such poisonous violations for granted. But poison does not become nutritious merely because it has become, for now, unavoidable.
This is the kind of person that the U.S. intelligentsia was applauding and abetting when it condemned us for standing up for the freedom of speech in Garland.
“U.S. confirms Islamic State computer expert killed in air strike,” Reuters, August 29, 2015:
The U.S. military confirmed on Friday that a British hacker who was one of the Islamic State movement’s top computer experts and active in encouraging people abroad to carry out “lone wolf” attacks was killed in Syria by a U.S. air strike.
Junaid Hussain of Birmingham, England, was killed on Aug. 24 by a U.S. military air strike on the Islamic State stronghold of Raqqah, said Air Force Colonel Pat Ryder, a spokesman for U.S. Central Command.
Hussain had been involved in “actively recruiting ISIL sympathizers in the west to carry out ‘lone wolf’ style attacks,” Ryder said, using an acronym for the militant group that has seized large parts of Syria and Iraq.
Hussain was responsible for releasing personal information of around 1,300 U.S. military and government employees in recent weeks, and “sought to encourage” attacks against them, U.S. officials said.
One official, speaking on condition of anonymity, said Hussain had also been linked to the release of the names, addresses and photos of 100 U.S. service members on an Islamic State website in March.
Another official said that Washington had evidence that Hussain was in contact with two men who were shot dead when they tried to attack a “Draw Mohammed” cartoon contest in Garland, Texas in early May.
Islamic State claimed in a radio message after the shooting that the two men were “brothers” connected to the group….
Under Obama, every American is fair game, every American a sitting duck.
Who does Obama strong arm and threaten? Those opposing his nuclear pact with the Islamic State of Iran.
Clearly, I have redacted the names and did not run the scores of names online, or the ISIS stream of downloaded personal info from their website.
Whom is the FBI targeting? Those of us who are opposing jihad terror. Mind you, ISIS has now published FBI targets, names, locations, phones, IPs, etc.
Obama is arming a jihad state with nukes — madness.
Obama is woefully unprepared to face the threat of ISIS: he CREATED the threat by leaving Iraq precipitously and giving an opportunity to this group. Instead, he provides cover to the savages, insisting that the Islamic State has nothing to do with Islam, despite its name, and despite ISIS’s explicit threats to the US.
His airstrikes were purely cosmetic and did nothing to stop ISIS.
He has armed the Syrian rebels — many of these arms fell into the hands of ISIS, and the Syrian rebels he armed have the same jihad goal that ISIS does. But in Iraq, these people he has supported and armed became the enemy.
The most dangerous threat to America is Obama’s next move.
Thanks to Joy S.
He hacked the Pentagon. He apparently incited one of the Muslims who attacked our free speech event in Garland, Texas to do so. This is one piously lethal individual. One thing he would almost certainly deny being, however, is “British” — contrary to the witless Mailonline headline. His citizenship is with the umma and only with the umma.
“British computer geek, 21, who hacked the Pentagon after fleeing to Syria is No3 on the ‘kill list’ of ISIS militants drawn up by US forces – just after Jihadi John and group leader al-Baghdadi,” by Imogen Calderwood, Mailonline, August 2, 2015:
A young computer hacker from Birmingham has been named as Number Three on the Pentagon’s ‘kill list’ of key ISIS operatives.
Junaid Hussain, 21, fled to Syria in July 2013 and is now believed to be leading the ‘Cyber Caliphate’, ISIS’ own branch of hackers.
US officials said there is an ‘intense’ desire to assassinate Hussain, who operates under the alias Abu Hussain al-Britani and was jailed in 2012 for stealing personal information of Tony Blair.
Only Mohammed Emwazi, the hostage killer known as Jihadi John, and the group’s leader Abu Bakr al-Baghdadi are higher on the list, reported The Sunday Times.
After fleeing the UK, when he was on police bail for an alleged violent disorder offence, Hussain has risen rapidly through the ISIS ranks.
He married 45-year-old Sally Jones, a former punk rocker from Chatham, Kent, who converted to Islam and fled to Syria with her 10-year-old son.
Yet another convert somehow gets the idea that Islam requires treason and violence. Yet no authorities are in the least interested in studying this phenomenon.
Jones, who now uses the nom de guerre Umm Hussain Al-Britani, is believed to have snuck into Syria at the end of last year after an online romance with Hussain.
She is suspected of leading the violent all-female ISIS contingent, known as the Khanssaa Brigade. The group imposes strict Sharia law in the de facto capital of the so-called Islamic State, Raqqa.
The couple, who have been dubbed Mr and Mrs Terror, also reportedly used Twitter and the hashtag #LondonAttack in May to incite terror in Britain.
US officials believe he is behind the online radicalisation of at least one of the two gunmen who opened fire at a Prophet Mohammed cartoon competition in Garland, Texas, in May….
Three Chechen women pretended to be jihadi brides through fake social media accounts, but kept the travel money ISIS sent them instead.
Three young Muslim women have scammed the Islamic State out of over $2,500. The Chechen women set up fake social media accounts and contacted the Islamic State, claiming to be aspirational jihadi brides, titillated by the prospect of moving to Syria.
They only required the funds for travel.
Once ISIS militants had wired them the money, the girls promptly deleted their accounts and pocketed the money.
Chechen police have now arrested them for the scam. Officer Valery Zolotaryov told Moskovsky Komsomolets “I don’t recall any precedent like this one in Chechnya, probably because nobody digs deep enough in that direction.”
He added “Anyhow, I don’t advise anyone to communicate with dangerous criminals, especially for grabbing quick money.”
For women who travel to Syria to become jihadi brides, their husbands hold complete power over them and they face the possibility of a life of sexual abuse.
For more information about the Islamic State, see Clarion Project’s Special Report: The Islamic State (ISIS: ISIL)
In May 2014, CNN aired footage of a Ukrainian helicopter being shot [down] by pro-Russian militants. Taken with a cell phone camera and posted on social media, the video showed compelling evidence of the scale and technological sophistication of the Ukrainian conflict.
The video was also fake — it was actually over a year old, and from Syria. CNN retracted the footage and apologized, but the “incident” was still widely discussed on Russian and Ukrainian social media.
In the wake of the Arab Spring, enthusiasm for the power of social media ran high. Nothing else had shown the same power to mobilize protestors living under repressive regimes. With information democratized, the logic ran, dissidents could outflank the centralized media control and propaganda machines so crucial to authoritarian states.
But this logic is flawed, as the faked helicopter video demonstrates. Although social media may have given tech-savvy dissidents a temporary advantage over repressive governments that were unable to keep up, Twitter and its regional analogues are now a fully mature technology.
Just like radio and television, repressive regimes can and do use social media to solidify their grips on power. As a result, the net effects of social media on the possibility of democratic revolution are at best ambiguous. They may actually be negative.
This point has been underappreciated in the enthusiasm for what social media seems to make possible. Our optimism leads us to overlook what is at stake for those in power — and their capacity to evolve new strategies using new tools. We want to believe in magic bullets, hoping that the right technological advancement will empower people to successfully rise up. But it’s at least as likely that the millions or billions of tweets sent by dissidents make them vulnerable, because they are extremely visible, while the strategic responses of government actors often go unnoticed. It’s an ironic inversion of Frédéric Bastiat’s “That Which Is Seen and That Which Is Not Seen.” Rather than people overvaluing government actions because their direct benefits mask the hidden cost borne by individual citizens, those citizens’ actions on social media allow government action to hide in their midst.
Some egregious and sophisticated uses of social media by repressive regimes have recently come to light. In a fascinating story in the New York Times Magazine, Adrian Chen explains the operations of a shady Russian “troll farm” that engages in large-scale, multiplatform acts of misinformation. At one point, they made up an explosion in a chemical plant in Louisiana, started a hashtag (#ColumbianChemicals), and relied on ordinary people to pass the story along, knowing they were unlikely to verify the details. This kind of operation, carried out on “foreign soil,” shows how seriously this Russian agency takes social media. The chemical plant explosion may simply have been an experiment, a proof of concept for what such attacks might accomplish in the future.
Their bread-and-butter social-media strategy is to pay people to pose online as regime supporters. People have acted as “sock puppets” — adopting fake personas on the Internet — since computer networks were first connected, but never at this scale, or with this degree of coordination.
Chen discusses this widespread practice in the Russian context. The existence of Chinese “50 centers” (bloggers and Weibo users paid 50 cents per pro-government post) has been known for nearly a decade. The presence of these people in online communities, voicing pro-regime sentiment, may have a profound dampening effect on protest movements.
Political scientists model the process of protest and revolution as a “coordination problem.” There are two parts to the problem: individual knowledge and common knowledge.
It makes no sense to act alone. Even if I’m completely convinced that the government is evil and needs to be overthrown, it still doesn’t make sense for me to go into the street by myself — I’ll just end up in prison, and the government will be stronger than ever.
But the main force of pro-regime sock puppetry need not be to persuade dissidents that they are wrong. All that is necessary is to confuse dissidents about what other people think. If dissidents think they are isolated, and that most other people support the regime — or even if they are merely uncertain about other people’s feelings — they will remain compliant. They have no way of getting accurate information about public opinion. Dissidents likely know that the people they talk to regularly are not a representative sample, and polls are either manipulated or suppressed. A horde of “50 centers” may be enough to cloak widespread resentment in a cloud of regime-supported “approval.”
And, as Duke University economics and political science professor Timur Kuran and others have argued, it’s not even enough to solve the individual knowledge problem; dissidents also must solve the common-knowledge problem. It’s not even enough for me to be convinced that everyone hates the government; unless everyone (or some threshold percentage of people) knows that everyone knows that everyone hates the government, a revolution cannot be successful.
That’s why these sock puppets and “trolls for hire” can be so powerful: they make it a lot harder to get a clear impression of what everyone else thinks, and thus whether a revolution will be successful. Because shared knowledge is so crucial to a revolution, uncertainty can be a killer.
The competition between dissidents and regimes to take advantage of new technology is constantly evolving, and no one can know what the next equilibrium will be. Hopefully, one effect of greater public awareness of repressive regimes’ online strategies will be an increased skepticism of unsubstantiated claims on social media — and an increased demand for depth in how we understand the world.
Kevin Munger is a third-year PhD student in the department of politics at New York University.
Does the government need a search warrant to know where you’ve been? Not if your cell phone provider knows. If you don’t like how that sounds, there may be ways to change it.
Take the case of Quartavious Davis, a Florida man convicted of robbing at gunpoint a pizzeria, a gas station, a drugstore, an auto parts store, a beauty salon, a fast food restaurant, and a jewelry store. The prosecution offered multiple lines of evidence, but there was one in particular that Davis’s lawyers objected to: records the government obtained from Davis’s cell phone provider, MetroPCS.
The records, which MetroPCS kept in its normal course of business, showed “the telephone numbers for each of Davis’s calls and the number of the cell tower that connected each call.” From this information, police concluded that “calls to and from Davis’s cell phone were connected through cell tower locations that were near the robbery locations, and thus Davis necessarily was near the robberies too.”
Prosecutors got their hands on the MetroPCS cell tower records using a court-ordered subpoena. In criminal cases like Davis’s, courts may grant subpoenas on “specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.” Although this standard is higher than that for typical subpoenas, it’s lower than the Fourth Amendment’s probable cause standard.
Not Even a Search
On appeal, Davis argued that the cell tower records were obtained in violation of the Fourth Amendment’s prohibition on unreasonable searches and seizures. But the 11th Circuit — the federal appeals court encompassing Alabama, Georgia, and Florida — disagreed (United States v. Davis).
In fact, the government’s actions weren’t even a “search,” according to the court. In legal terms, a search occurs only when police invade a person’s reasonable expectation of privacy. For example, you have a reasonable expectation of privacy in the content of your phone conversations — what is actually said during your call — so eavesdropping on the conversation would constitute a search.
In Davis’s case, though, the police didn’t eavesdrop on his conversations. Nor did they use GPS to track his precise movements while he was making them. Because they merely obtained business records from a third party, the court says that the police didn’t invade Davis’s privacy:
Davis has no subjective or objective reasonable expectation of privacy in MetroPCS’s business records showing the cell tower locations that wirelessly connected his calls at or near the time of six of the seven robberies.… Instead, those cell tower records were created by MetroPCS, stored on its own premises, and subject to its control. Cell tower location records do not contain private communications of the subscriber. This type of non-content evidence, lawfully created by a third-party telephone company for legitimate business purposes does not belong to Davis, even if it concerns him.
Because there wasn’t a “search,” the Fourth Amendment didn’t even apply.
Outdated Doctrine Meets Modern Society
Despite the court’s logic, something about this case still makes many observers feel uneasy. Even AT&T filed a brief in the case, arguing that the government’s actions were illegal. We all turn over huge amounts of information to third parties every day, and almost all of our activities can be tracked through our “smart” devices. And as the amount of data that businesses collect on us grows, so do concerns over the government’s ability to access that data.
So when the 11th Circuit focused its decision in Davis on something called the third-party doctrine, there was reason for a little gasp. The third-party doctrine was developed by the Supreme Court in the 1970s to draw a line between a person’s “reasonable” expectation of privacy and the information that person voluntarily shares with third parties. Back then, the Supreme Court held that a person has no reasonable expectation of privacy over his or her bank records, because that information was voluntarily provided to the bank. Nor can you have a reasonable expectation of privacy over the phone numbers you dial, because you furnish those numbers to the phone company in order to place calls. And so the government may subpoena these records from the business collecting them without meeting heightened standards under the Fourth Amendment.
The Davis court discussed these cases to support the premise that when people turn over their data to third parties by virtue of using those parties’ services, that information falls outside Fourth Amendment protection. A breathtakingly low point can be found in one of the judges’ concurring opinions:
If a telephone caller does not want to reveal dialed numbers to the telephone company, he has another option: don’t place a call. If a cell phone user does not want to reveal his location to a cellular carrier, he also has another option: turn off the cell phone.
In other words, if you want your information protected by heightened privacy standards, go off the grid.
Today, that position is practically untenable. And this is what makes the 11th Circuit’s opinion troubling: it allows the government easy access to your data by virtue of your participation in modern society. The court’s holding helps grease the slippery slope that takes us away from historically reasonable expectations of privacy.
The court attempted to soften the blow by categorizing the subject information as noncontent data. In other words, the data in the Davis case was less private because it was not the actual substance of phone calls, texts, or other communications. Instead, it was the nonsubstantive cell-tower data that allowed the government to track where Davis was when he made or received calls. But we all know that a precise record of our movements reveals a lot about us, as the dissenting judge in the Davis case pointed out:
A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.
There is still a chance that the Supreme Court will reverse the 11th Circuit’s holding. Even if it doesn’t, other options exist. As mentioned in the Davis decision, Congress can still legislate greater privacy protections.
The market provides another option. Although a court order forced MetroPCS to provide its records, “federal law did not require that MetroPCS either create or retain these business records.” As technology changes, and as we all become more attuned to privacy issues, we will look to the market for options. When this happens, cell phone providers will benefit from offering an “enhanced privacy” version of their services. Some customers will prefer that their data not be collected at all — or that it be anonymized. Providers could charge a higher price for anonymous services, or customers could forgo certain personalized services.
By providing customized levels of privacy, the market can create de facto immunity from third-party “searches.”
Nicole Kardell is an attorney with Ifrah Law, a Washington, DC-based law firm. She represents clients in government enforcement actions and other regulatory compliance matters before federal and state agencies.
Joseph S. Diedrich is a Young Voices Advocate and a law student at the University of Wisconsin.
I have written about how technology can be used for both good and evil. Technology has become ubiquitous; it is everywhere. Our children and grandchildren are becoming more addicted to technology, and as they do so the evil side may rear its ugly head.
The Guardian reports:
Apple’s early-adopting, outspoken co-founder Steve Wozniak thinks humans will be fine if robots take over the world because we’ll just become their pets.
After previously stating that a robotic future powered by artificial intelligence (AI) would be “scary and very bad for people” and that robots would “get rid of the slow humans”, Wozniak has staged a U-turn and says he now thinks robots taking over would be good for the human race.
“They’re going to be smarter than us and if they’re smarter than us then they’ll realise they need us,” Wozniak said at the Freescale technology forum in Austin. “We want to be the family pet and be taken care of all the time.”
Artificial intelligence was the theme of the movie Ex Machina. The prime character is another tech billionaire who believes, like Wozniak, that he can create the perfect AI robot. This dream results in his death and the death of others. As I wrote in my column “Ex Machina: Consciousness without a Conscience“:
This film is disturbing because it shows how humans without a conscience (morality) can, when given the chance, pass along their lack of morality to a machine.
[ … ]
Humans must control their urges to use technology to become God, as Caleb points out to Nathan. Robots must never be allowed to act alone. Think of the film The Terminator. You see machines may have a goal but lack a soul.
If the goal of AI machines is to have us as pets then perhaps we need to rethink having AI machines?
In “Cyber Security: Where are we now and where are we headed?” I warned:
The more we tune in, turn on and hook in to technology the greater the threat to individual privacy and freedom.
[ … ]
What are the future threats?
Restorative and enhancement technologies, biohackers, cyborgs, grinders and sub-dermal technology (chipping). Restorative technologies include devices used to help individuals medically. They are devices, that include a computer chip, used to restore the lives of individuals to normal or near normal. Restorative technologies include devices such as: heart pacemakers, insulin pumps and prosthetic devices.
Enhancement devices are those which the individual implants into their bodies outside of the medically approved arena. Individuals can for just $39 buy a glass-encased embeddable chip that works with some Android smartphones. A full DIY cyborg kit, including a sterilized injector and gauze pads, runs about $100. Amal Graafstra, a cyborg who creates and sells biohacking devices, said, “Some people see the body as a spiritual vessel not to be tampered with. And some people understand their body is their own, treating it like a sport utility vehicle. I see [biohacking] as, I got fancy new fog lights on my SUV.”
Some of these enhancement devices are being designed to be used with computer games. The idea is to give the gamer a more realistic experience by using sub-dermal technology to provide pleasure and pain as the game is played. Mr. Jorgensen states that the gaming industry is “spending $300 million annually” to provide sub-dermal gaming chips, effectively turning gamers into cyborgs.
Will your grandchild become a cyborg’s pet or become a cyborg? It is immoral to have a human become the “pet” of a robot.
Pet is another name for slave.
In the 1990s, the Clinton administration fought furiously against privacy and security in communication, and we’re still hurting from it today. Yet people in powerful positions are trying to commit the same mistakes all over again.
In the early days, the Internet was thoroughly insecure; its governmental and academic users trusted each other, and the occasional student prank couldn’t cause much damage. As it started becoming available to everyone in the early ’90s, people saw the huge opportunities it offered for commerce.
But doing business safely requires data security: If unauthorized parties can grab credit card numbers or issue fake orders, nobody is safe. However, the Clinton administration considered communication security a threat to national security.
Attorney General Janet Reno said, “Without encryption safeguards, all Americans will be endangered.” She didn’t mean that we needed the safeguard of encryption, but that we had to be protected from encryption.
In a 1996 executive order, President Clinton stated:
I have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests.
The government prohibited the export of strongly secure encryption technology by calling it a “munition.” Putting code on the Internet makes it available around the world, so the restriction crippled secure communication. The Department of Justice investigated Phil Zimmermann for three years for making a free email encryption program, PGP, available.
The administration also tried to mandate government access to all strong encryption keys. In 1993 it proposed making the Clipper Chip, with a built-in “back door” for government spying, the standard for serious encryption. Any message it sent included a 128-bit field that would let government agencies (and hopefully no one else) decrypt it.
But the algorithm for the Clipper was classified, making independent assessments impossible. However strong it was, it would have offered a single point to attack, with the opportunity to intercept virtually unlimited amounts of data as an incentive to find weaknesses. Security experts pointed out the risks inherent in the key recovery process.
By the end of the ’90s, the government had apparently yielded to public pressure and common sense and lifted the worst of the restrictions. It didn’t give up, though — it just got sneakier.
Documents revealed by Edward Snowden show that the NSA embarked on a program to install back doors through secret collaboration with businesses. It sought, in its own words, to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices” and “shape the worldwide cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS.”
The NSA isn’t just a spy agency; it’s one of the leading centers of expertise in encryption, perhaps the best in the world. Businesses and other organizations trying to maximize their data security trust its technical recommendations — or at least they used to. If it can’t get the willing collaboration of tech companies, it can deceive them with broken standards.
Old software with government-required weaknesses from the nineties is still around, along with newer software that may have NSA-inspired weaknesses. There are still restrictions on the exporting of cryptography in many cases, depending on a complicated set of criteria related to the software’s purpose. Even harmless file identification software, used mostly by librarians, may have to carry a warning that it contains decryption code and might be subject to use restrictions.
With today’s vastly more powerful computers, encryption that was strong two decades ago can be easily broken today. Some websites, especially ones outside the United States that were denied access to strong encryption, still use the methods which they were stuck with then, and so do some old browsers.
To deal with this, many browsers support the old protocols when a site offers nothing stronger, and many sites fall back to the weak protocols if a browser is limited to them. Code breakers have found ways to make browsers think only weak security is available and force even the stronger sites to fall back on it. Some sites have disabled weak encryption, only to be forced to restore it because so many users have old browsers.
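A simplified model of the fallback behavior described in the two paragraphs above, added here as an illustration and not part of the original article: the server picks the first suite in its own preference order that the client's offer contains. The suite lists, the 112-bit floor and the function names are assumptions for this sketch; it is not a TLS implementation.

```python
# Toy model of cipher-suite negotiation (constructed; not a real TLS stack).
# Names are OpenSSL-style suite names; values are effective key strength in bits.
STRENGTH_BITS = {
    "ECDHE-RSA-AES128-GCM-SHA256": 128,
    "AES256-SHA": 256,
    "EXP-DES-CBC-SHA": 40,   # 1990s export-grade
    "EXP-RC4-MD5": 40,       # 1990s export-grade
}

MIN_BITS = 112  # assumed policy floor for this example


def negotiate(client_offer, server_enabled):
    """Return the first suite in the server's preference order that the
    client also offered, or None if the handshake must fail."""
    offered = set(client_offer)
    for suite in server_enabled:
        if suite in offered:
            return suite
    return None


def weak_suites(enabled, min_bits=MIN_BITS):
    """Audit step: list enabled suites below the policy floor."""
    return [s for s in enabled if STRENGTH_BITS[s] < min_bits]


def harden(enabled, min_bits=MIN_BITS):
    """Drop every suite below the floor, keeping preference order."""
    return [s for s in enabled if STRENGTH_BITS[s] >= min_bits]


def offer_after_tampering(client_offer, min_bits=MIN_BITS):
    """Model of the offer a server sees once an on-path party has removed
    the strong suites, as the text describes."""
    return [s for s in client_offer if STRENGTH_BITS[s] < min_bits]


# Constructed sample configurations.
LEGACY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA",
                 "EXP-DES-CBC-SHA", "EXP-RC4-MD5"]
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "EXP-RC4-MD5"]
OLD_BROWSER = ["EXP-RC4-MD5"]

if __name__ == "__main__":
    seen = offer_after_tampering(CLIENT)
    hardened = harden(LEGACY_SERVER)
    print("audit of legacy server:", weak_suites(LEGACY_SERVER))
    print("untampered:", negotiate(CLIENT, LEGACY_SERVER))
    print("tampered, legacy server:", negotiate(seen, LEGACY_SERVER))
    print("tampered, hardened server:", negotiate(seen, hardened))
    print("old browser, hardened server:", negotiate(OLD_BROWSER, hardened))
```

Against the legacy configuration the tampered offer ends on an export suite; against the hardened one the handshake fails instead, and so does the old browser's, which is the trade-off the article describes.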
You’d think that by now people would understand that secure transactions are essential, but politicians in the US and other countries still want to weaken encryption so they can spy on people’s communications.
The FBI’s assistant director of counter-terrorism claims that strong encryption gives terrorists “a free zone by which to radicalize, plot, and plan.” NSA Director Michael S. Rogers has said, “I don’t want a back door. I want a front door.” UK Prime Minister Cameron says,
In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.
In 2015 over eighty civil society organizations, companies, and trade associations, including Apple, Microsoft, Google, and Adobe, sent a public letter to President Obama expressing concern about such actions. The letter states:
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats — be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
In the United States, we have a tradition of free speech, but in many countries, even mild criticism of the authorities needs to travel in secret.
A country can pass laws to weaken its law-abiding citizens’ access to cryptography, but criminals and terrorists exchanging secret messages would have no reason to pay attention to them. They can keep using the strong encryption methods that are currently available and get new software from countries that don’t have those restrictions.
Governments would gain increased ability to spy on people who follow the law, and so would free-lance data thieves, while competent criminals would still be able to communicate in secret. To crib David Cameron, we must not let that happen — again.
Gary McGath is a freelance software engineer living in Nashua, New Hampshire.