Monday, April 6, 2015

Privacy, Technology, and the Fourth Amendment: "The Fourth Amendment in the Digital Age" Master Post

The following blog post contains all of the guest posts that the Criminal Law Practitioner published in anticipation of "The Fourth Amendment in the Digital Age" symposium.




Surveillance, Grown Up: Broader and Deeper than Eavesdropping of Yore

The revelations of mass global surveillance in recent years by the United States and its global partners have exposed a dramatic shift in how law enforcement and intelligence agencies conduct and justify surveillance activities.  Modern surveillance has gone from passive capture of signals to active interference with devices, systems, networks, and communications; from targeted scrutiny of individuals to surveillance of millions in bulk; from examining basic communications content and metadata to fundamentally intrusive analytical techniques.  All of these changes are occurring over a backdrop of rapid changes in communications technologies and services that have rendered legal distinctions between foreign and domestic communications artificial and unworkable.


Wiretapping and other forms of eavesdropping have traditionally been the standard for law enforcement and intelligence agencies that need to gain access to the communications of alleged criminals to prevent crime and enforce the law.  While much of this activity involved passive capture of communications – essentially the equivalent of listening in on a conversation – increasingly we see evidence of active attacks – that is, actively interfering with and modifying the communications en route to accomplish a surveillance goal.  For example, this can involve performing what is technically referred to as an active “man in the middle” (MITM) attack against encrypted communications, where an eavesdropper pretends to be another party in a communication, but modifies the relevant credentials attached to the communication, and then passes the underlying communication on to the intended recipient.  This is called “active” by the technical community because the MITM must send erroneous credentials to the sender so that the sender unknowingly encrypts their communications to the MITM instead of the intended recipient.  The MITM then decrypts the communication, re-encrypts it with a different set of spoofed credentials and passes the communication on to the recipient.  Systems like those revealed as part of the NSA’s QUANTUM program go even further: QUANTUM is essentially an automated attack infrastructure embedded in the internet that can not only perform active surveillance – like the active MITM attack described above – but also inject malicious software into the communication stream to compromise a user’s device and establish a presence for other forms of surveillance.

The first revelation from Edward Snowden in June of 2013 showed that the NSA was compelling US domestic telecommunications providers to produce, each day, comprehensive databases of many millions of call details, including all phone numbers people call and the time and length of each call.  This evidence provided the first hint that surveillance and national security activities were not narrowly targeted to potential wrongdoers or those whom law enforcement had probable cause to suspect of committing a crime.  Increasingly, surveillance is performed in bulk, capturing and storing information and communications of many millions of individuals, most of whom are decidedly innocent.  In a particularly audacious program, MUSCULAR, the NSA and the UK’s Government Communications Headquarters (GCHQ) captured all the data shared on internal networks of Yahoo! and Google, hoovering up emails, phone calls, files, chat sessions, and video conferencing sessions.  The NSA and its global surveillance partners appear to be one of the earlier converts in the 2000s to what we today call “big data” – collecting as much data as possible about a population and employing sophisticated algorithmic techniques to infer relationships and predict behaviors.

Whereas historically only narrow classes of communications – telephone, fax, postal mail, etc. – could be captured and analyzed by surveillance authorities, the increasing use of computerized networked technologies by society and the increasing sophistication of analytical techniques – including powerful machine learning and social network analysis techniques coupled with technical subversion of hardware and software – result in modern surveillance being comparatively much more intrusive.  For example, the NSA regularly captures account login credentials through its XKEYSCORE program, which indexes metadata (email addresses, phone numbers, usernames, passwords, etc.) globally for intelligence and law enforcement use.

Finally, the characteristics of historical telecommunications technologies and services tended to ensure a well-bounded geographic extent of their operations, while modern networking and internet-based analogs have very little grounding in geographic and political boundaries.  That is to say, the shortest “distance” between two computing devices over a network like the internet may often have very little correspondence with geographic distance between the two points; instead, internet traffic favors network routes that result in the quickest transmission of the data from sender to receiver, even if that means two neighbors send information around the world to reach one another.  Given the extent to which national law enforcement and surveillance authorities distinguish between foreign and domestic communications – typically requiring much greater protection of domestic persons – modern technologies render those distinctions increasingly unworkable and artificial.  It can be very difficult to determine the geographic location of someone engaged in an internet communication, especially since technologies like Virtual Private Networks (VPN) – used by many business customers to secure their connections to corporate servers – may result in the communication appearing to come from a very different geographic location than where the person is actually located.

These factors – passive to increasingly active, targeted to increasingly bulk, narrow to increasingly intrusive, and unworkability of classifying communications as foreign or domestic – together combine to make the surveillance climate of today much broader and deeper than the surveillance activities of the past.

Chief Technologist, Center for Democracy & Technology 
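
The active "man in the middle" substitution described in the essay above, modeled as an added example that is not part of the original post: a sender who trusts whatever credential is presented encrypts to the middle party, while a sender who compares the credential with a fingerprint obtained out of band refuses. The toy key exchange, the parameters and all function names are assumptions made for illustration and are not a real protocol.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (constructed for illustration; not secure).
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy key exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short, comparable digest of a public credential."""
    return hashlib.sha256(str(pub).encode()).hexdigest()

def _keystream(shared, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{shared}:{counter}".encode()).digest()
        counter += 1
    return out[:n]

def seal(msg, recipient_pub):
    """Encrypt to a public key: ephemeral DH plus XOR keystream (toy)."""
    eph_priv, eph_pub = keypair()
    ks = _keystream(pow(recipient_pub, eph_priv, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, ks))

def unseal(box, priv):
    """Decrypt a sealed box with the matching private key."""
    eph_pub, ct = box
    ks = _keystream(pow(eph_pub, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def send(msg, presented_pub, pinned_fp=None):
    """Sender side. With pinned_fp set, a substituted credential is rejected."""
    if pinned_fp is not None and fingerprint(presented_pub) != pinned_fp:
        raise ValueError("presented credential does not match pinned fingerprint")
    return seal(msg, presented_pub)

def demo():
    recipient_priv, recipient_pub = keypair()
    middle_priv, middle_pub = keypair()
    msg = b"meet at noon"  # constructed sample message

    # No verification: the sender is shown the middle party's credential.
    box = send(msg, middle_pub)
    seen = unseal(box, middle_priv)          # middle party reads the message
    relayed = seal(seen, recipient_pub)      # and re-encrypts for the recipient
    delivered = unseal(relayed, recipient_priv)

    # Verification: fingerprint learned out of band before communicating.
    pinned = fingerprint(recipient_pub)
    try:
        send(msg, middle_pub, pinned_fp=pinned)
        blocked = False
    except ValueError:
        blocked = True
    direct = unseal(send(msg, recipient_pub, pinned_fp=pinned), recipient_priv)
    return {"seen": seen, "delivered": delivered,
            "blocked": blocked, "direct": direct}

if __name__ == "__main__":
    print(demo())
```

In the unverified run the recipient receives the correct message and neither end sees an error, which is why the substitution goes unnoticed without an independent check of the credential.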


Of Drones, Phones and Privacy Zones

Back when I started in the privacy advocacy community -- about 20 years ago, at the ACLU -- we used to talk about the incredible shrinking Fourth Amendment.  It was a riff on the Lily Tomlin movie – The Incredible Shrinking Woman.  In the movie, Tomlin’s character shrank because she was exposed to an experimental perfume.  The question we face today is whether the zone of privacy protected by the Fourth Amendment will shrink on account of our use of technology.

On so many fronts, the scope of Fourth Amendment protection is becoming smaller and the exceptions to the warrant requirement that it imposes are becoming bigger.  For example, the administrative search doctrine – the doctrine pursuant to which passengers can be made to undergo a warrantless search in the airport before they board an airplane – extends to more and more contexts.  The automobile – what many people think of as their very own moving room – is not protected by the Fourth Amendment nearly as much as is a room in a home.  Even the scope of the exclusionary rule – the means by which the Fourth Amendment is enforced – has shrunk:  The police get a pass when they violate the Constitutional prohibition on searching and seizing so long as they violate the Constitution in good faith.  U.S. v. Leon (1984).  The privacy zones the Fourth Amendment protects have been shrinking, and the bite of the exclusionary rule is loosening.

As the digital age unfolds, civil libertarians are rightly concerned that this trend will continue, if not accelerate, for a variety of reasons: 
  • Data – ranging from email logs to tax returns – are stored increasingly by third parties, and under the business records doctrine, may not be subject to Fourth Amendment protection. 
  • More and more of the digital footprints people leave behind as they go through life are available to the government, and it is getting better at analyzing these bits of personal information to draw inferences, and the 4th Amendment has little to say about it.
  • Law enforcement agencies can fly drones to look for criminals and evidence of crime, and in public spaces, the Fourth Amendment will likely be interpreted to permit such warrantless surveillance.
  • Perhaps the primary means of communication in the digital age – the smart phone – is also a little tracking device revealing its user’s location from moment to moment.
  • The airport searches that used to be conducted by means of a slightly intrusive search for metal objects by a magnetometer have grown into full-blown electronic strip searches that reveal objects underneath a passenger’s clothing, with no warrant required.

Will the advance of technology inevitably shrink the zone of privacy that the Fourth Amendment protects with the warrant requirement?  Is it destined to become just a speck of an island in a vast sea, with the ocean level constantly rising?

I think not, and for two reasons:  First, the Supreme Court has shown that it understands how technology impacts privacy and that it cannot simply apply rules born in the analog world to the digital world.  Second, the business interest in Fourth Amendment protections is rising. 

The Supreme Court showed its growing understanding of technology last year in Riley v. California, the case in which the Court used sweeping language in its unanimous decision that the police may not, without a warrant, search a cell phone incident to an arrest.  The Court recognized that modern technologies create new risks to privacy and embraced its constitutional role as guardian of Fourth Amendment rights.  It signaled its discomfort with the Justice Department’s argument that a search of data on a cell phone of a person under arrest is materially indistinguishable from the search of contents of an item found on an arrestee’s person:  “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon.  Both are ways of getting from Point A to Point B, but little else justifies lumping them together.”  In other words, the Court found that when it comes to the scope of a search, size matters. 

Riley isn’t an outlier.  In 2012 in U.S. v. Jones the Court ruled that warrantless GPS tracking by means of affixing a device to a vehicle moving on open roads violated the Fourth Amendment.  And, in the 2001 case Kyllo v. U.S., the Court found that use of thermal imaging technology to explore activity in a private home that would be otherwise unknowable without a physical intrusion violates the Fourth Amendment.

As in Riley, the Court in both cases rejected the government’s arguments that searches of new technology or facilitated by new technology were permissible based on analogies drawn to other searches that did involve such technologies. 

Support for Fourth Amendment protections by major companies is also growing, and they are a powerful constituency in policy development and constitutional litigation.  In the context of email privacy, a growing number of tech and telecom companies are insisting that law enforcement obtain a warrant in order to access email content, citing not a Supreme Court case, but a circuit court case, U.S. v. Warshak.   And, they have joined a broad-based effort to change the law to require such warrants.  One tech company, Yahoo!, brought a constitutional challenge to surveillance conducted in the U.S. of non-US persons abroad, though threatened with a fine of $250,000/day if it did not comply with Government demands it believed unconstitutional.  In the wake of the Snowden revelations, many tech companies, after pledging that they would not voluntarily turn over user information in bulk to the National Security Agency, joined in efforts to reform government surveillance.  Two of those companies, Google and Apple, are defying government demands that they build in backdoors to their products and services to make them more wiretap ready.  As it turns out, privacy is good for business.

These two trends – growing industry support for privacy as against government intrusion and the Supreme Court’s concerns about the impact that technology can have on privacy – give rise to hope that the zone of privacy enjoying meaningful Fourth Amendment protection will not vanish and might even increase in the coming years.

Senior Counsel and Director
Freedom, Security, & Technology Project
Center for Democracy & Technology


Six Months’ Probation for a Crime Carrying a 4-year Minimum Sentence

That’s the unusual plea deal that Tadrae McKenzie struck earlier this year in a case involving a “stingray” – a controversial device being used by law enforcement around the country to track individuals’ movements and phone calls.

During the course of his trial, McKenzie’s defense attorneys sought information on how exactly the police had tracked his location.  When the judge took the unprecedented step of requiring state prosecutors to demonstrate exactly how a stingray (also called “cell site simulators,” “dirtboxes,” and “IMSI catchers”) worked, they offered McKenzie a deal he couldn’t refuse to avoid disclosing information about the device.
And the McKenzie trial isn’t the only example of the extraordinary lengths the government will go to in order to hide information about these devices from the courts. 

The Department of Justice has requested that local law enforcement misleadingly refer to information collected by these devices in court filings as information from a “confidential source,” forced local agencies to sign non-disclosure agreements prohibiting them from sharing information, offered attractive plea deals in cases where defendants have challenged the use of these devices, and instructed prosecutors to dismiss cases in lieu of disclosing information.

The DOJ’s secrecy prevents judges from deciding whether these devices are being used in a way that violates the law, impedes defense attorneys’ access to information, and hinders public scrutiny.

It also helps to mask the failure of the DOJ – which has been charged with coordinating the use of these devices by law enforcement – to adopt commonsense policies to mitigate their harms.  But the DOJ can and should take steps to minimize the likelihood that these devices will threaten the privacy of the public or run afoul of the Constitution. 

First and foremost, the DOJ should require states and localities who receive federal assistance to purchase these devices to comply with minimum privacy standards.  The government doesn’t let people drive without a license.  By the same token, they shouldn’t provide powerful new technologies to local law enforcement without ensuring that there are policies in place to prevent them from being used without appropriate cause or from impacting third parties.

Second, the DOJ should explicitly require a probable cause warrant prior to using a stingray or similar device.  Stingrays are extremely invasive.  They allow the police to gather information about an individual’s location and who they called.  Some versions of the device can even sweep up the contents of their communication.  Disturbingly, in some cases, it appears as if law enforcement agencies either aren’t using a warrant or are erroneously submitting pen trap and trace applications.

Third, the DOJ should put in place protections for non-targets who have their information collected.  Stingrays collect the phone number and device information of everyone within range – not just law enforcement targets.  The DOJ should require that all information of non-targets be immediately purged, and it should prohibit the use of non-target data in any circumstance.

Finally, DOJ should stop requesting that prosecutors and law enforcement officials mislead judges, defense attorneys, and the public about how and when these devices are used.  Challenging the admission of evidence in court is a cornerstone of our criminal justice system, but right now the DOJ’s secrecy policies threaten this cornerstone.

Defendants and judges should be informed when evidence being submitted has been obtained or derived from information obtained from a stingray.  And judges presented with warrant applications should be provided sufficient information about how these devices operate and the impact they will have.

Stingrays and other similar surveillance technologies were originally designed for military use, in critical circumstances.  But, unfortunately, they have been put into the hands of our local police and onto the streets of our neighborhoods – with the help of the federal government.

Now information gathered from these devices is filtering its way into our courtrooms.  And unless the federal government requires enhanced transparency and greater protections, we may never even know about it.


Neema Singh Guliani
Legislative Counsel
American Civil Liberties Union



Uncovering Secret Surveillance

It’s hard to read the newspaper these days without coming across an article describing yet another powerful government surveillance tool, often one that has been used for years without being disclosed to the public.  The most striking recent example is the use of stingray surveillance devices by local law enforcement around the country.  The secrecy has been so thick in part because the FBI requires law enforcement agencies to sign non-disclosure agreements before acquiring stingrays.  In this sort of environment, what’s a diligent criminal defense attorney to do?


This is not an easy question to answer.  The first step is simply to be aware of the broad range of surveillance technologies available today.  We’ve known for years that law enforcement agencies can obtain cell phone usage information from cell phone companies.  Now we are getting a better understanding of stingrays, which force cell phones to register their location with the device.  A police officer can use a stingray to drive around a neighborhood to pick out the location of one phone whose identifying information is known, or she could use it to identify all phones at a particular location. 

Another commonly used surveillance tool is the automatic license plate reader.  These cameras are mounted on patrol cars or on fixed objects such as highway overpasses and snap photos of every passing car.  They convert cars’ plate numbers into machine-readable text and check those numbers against lists of cars that are wanted for various reasons.  But more than that, all of this data—the cars’ locations, the photo, the plate number—increasingly get dumped into large databases that can then be searched historically.

And although their practical use may be a bit further off, there is an array of powerful aerial surveillance tools in development and in limited use.  Although small drones flown by individuals and police departments have garnered the most attention, more interesting is the idea of wide area surveillance that monitors an entire city in real time (as well as generating footage that can be reviewed later).

Some of these technologies are more likely than others to be used in relatively routine law enforcement investigations.  That’s the case for obtaining cell phone records from phone companies and using license plate readers and stingrays.  Of course, that doesn’t mean that district attorneys will be forthright about their use of these technologies—far from it.  It’s been well documented by now that prosecutors have made a deliberate strategy decision to conceal as much as possible about their use of stingrays—and in some cases, they’d rather settle than reveal more.

This secrecy has a number of negative consequences.  For individual criminal defendants, it makes it difficult even to formulate a suppression argument.  And for the criminal justice system more broadly, it means that Fourth Amendment case law addressing the use of these technologies is slow to develop.

There are some resources out there to help, although more could definitely be done in this area.  On the stingray issue, the ACLU of Northern California put together a terrific paper on the topic, designed to describe stingrays, help criminal defense attorneys figure out if one was likely to have been used in their cases, and outline potential arguments for a motion to suppress.  (You could also check out this brief.)  On obtaining cell phone location records from phone companies, check out this Sixth Circuit brief the ACLU and others filed on historical cell site location data.  For a recent brief on real-time tracking, here’s one brief recently filed before the North Carolina Court of Appeal.

Assistant Clinical Professor
Berkeley Law School
