A book about what the Cambridge Analytica scandal shows: that surveillance and data privacy are every citizen’s concern
An important look at how 50 years of American privacy law is inadequate for today’s surveillance technology, from acclaimed Ars Technica senior business editor Cyrus Farivar.
Until the 21st century, most of our activities were private by default, public only through effort; today anything that touches digital space has the potential (and likelihood) to remain somewhere online forever. That means all of the technologies that have made our lives easier, faster, better, and/or more efficient have also simultaneously made it easier to keep an eye on our activities. Or, as we recently learned from reports about Cambridge Analytica, our data might be turned into a propaganda machine against us.
In 10 crucial legal cases, Habeas Data explores the tools of surveillance that exist today, how they work, and what the implications are for the future of privacy.
Publisher: Melville House Publishing
Product dimensions: 6.60(w) x 9.20(h) x 1.20(d)
About the Author
CYRUS FARIVAR is an investigative tech reporter at NBC News and the author of The Internet of Elsewhere. He is also a radio producer and has reported for the Canadian Broadcasting Corporation, National Public Radio, Public Radio International, The Economist, Wired, The New York Times, and others. He lives in Oakland, California.
Read an Excerpt
Habeas Data INTRODUCTION
I believe in big data. I believe that large scale aggregation changes our ability—that one plus one plus one can equal 23.
DEPUTY ASSISTANT SECRETARY FOR POLICY
DEPARTMENT OF HOMELAND SECURITY (2005–2009)
On December 13, 2010, two men ran into a RadioShack on East Jefferson Avenue in Detroit, just blocks away from Chrysler’s headquarters. One drew a gun, and demanded that the staff load up the latest smartphones into a few laundry bags. Within minutes, it was all over, and they’d made off with thousands of dollars worth of iPhones and Samsung handsets. Timothy “Little Tim” Carpenter sat in a nearby car, waiting for his accomplices to return.
Along with another man named Timothy “Big Tim” Sanders, Little Tim orchestrated a massive robbery ring, hitting T-Mobile and RadioShack stores in Michigan and Ohio. Eventually, some of the other robbers were caught, and they quickly flipped. Among the information that they gave to authorities was Little Tim’s phone number. This proved crucial. With it, authorities quickly got a court order and served it upon Little Tim’s cell phone company, MetroPCS. This kind of court order, known as a d-order after the subsection of the 1980s-era Stored Communications Act that authorizes it, is routine. Companies respond to them all the time.
Under current law, no warrant is required to simply find out who called whom, when, and from where. Without batting an eye, MetroPCS turned over 127 days’ worth of Carpenter’s cell-site location data—effectively turning his own phone into a snitch. The 12,898 data points showed that yes, he was at the scene of the crime during the robberies. But the data also showed that he was at church many Sunday afternoons, and on occasion, spending the night somewhere that was not his known residence.
Carpenter’s challenge to this warrantless collection made it all the way up to the Supreme Court. The question looms: Is it OK for law enforcement to obtain such a vast quantity of personal, intimate data about someone without a warrant?
On November 29, 2017, the nine justices heard oral arguments in Carpenter v. United States. Carpenter was represented by Nathan Freed Wessler, a thirty-five-year-old attorney with the American Civil Liberties Union (ACLU).
“At issue in this case is the government’s warrantless collection of 127 days of Petitioner’s cell site location information revealing his locations, movements, and associations over a long period,” Wessler said.
Before Wessler could even utter his fourth sentence in his opening argument, Justice Anthony Kennedy jumped in.
“What is the rule that you want us to adopt in this case, assuming that we keep [United States v.] Miller and Smith v. Maryland on the books?”
Justice Kennedy, most often dubbed the court’s crucial swing vote, was referring to two bedrock cases dating back to the 1970s, which enshrined the third-party doctrine. The idea of the third-party doctrine is that individuals relinquish their “reasonable expectation of privacy” when they transact via a third party, like a phone company. In other words, the data given up by Carpenter—not only what numbers he called, but where he was while doing so—can easily be obtained by the government.
In one short question, Kennedy was expressing the anguish that many judges have had to grapple with over the last half century: Where is the line between appropriate and inappropriate government action when it comes to the surveillance of its citizens? How much privacy do individuals have against the government’s use of surveillance technologies, ranging from simple microphones, to wiretaps, to thermal imagers, to cell-site simulators, to drones, and beyond?
In Carpenter’s case, rather than deploy humans to follow him or his fellow suspects, investigators simply went after his data at MetroPCS. Under the third-party doctrine, police did not need, much less try to obtain, a warrant. But to most ordinary citizens, myself included, this notion seems ludicrous. To the government, getting location data without a warrant is effectively the same thing as having a policeman make physical observations from the street. Modern technology has enabled so much data to be generated by all of us that it effectively has given the government superpowers.
“Although police could have gathered a limited set or span of past locations traditionally by canvassing witnesses, for example, never has the government had this kind of a time machine that allows them to aggregate a long period of people’s movements over time,” Wessler continued a few minutes later.
In other words, in the absence of a meaningful restraint, government authorities will continue to push as hard as they can.
Since the eighteenth century, some of the most aggressive law enforcement officers have known precisely where the legal limits were, and gone right up to them. Perhaps the most notable articulation of this idea in the twenty-first century came from General Michael Hayden, who served as both the head of the National Security Agency (NSA) and the Central Intelligence Agency. He has famously said that since September 11, as a top intelligence official, he would play aggressively and fairly, right up to the line, so much so “that there would be chalk dust on my cleats.” While Hayden, as a lifelong Pittsburgh Steelers fan, was referring to the national security state, the same logic often applies to federal and local law enforcement as well.
However, the problem with playing to the edge is that sometimes the judicial system is given an impossible task: serving as a backstop to years of government overreach.
Where and how one can meaningfully withdraw from the watchful eye of the government in the early twenty-first century remains an open question. A half-century ago, the Supreme Court ruled that if someone steps into a phone booth and closes the door, we have a “reasonable expectation of privacy,” much in the same way that we do at home: in most cases the government needs a warrant first to legally surveil. But since that time, as technology has advanced incredibly quickly, the government has understandably adopted tools to its advantage.
When I first began as a professional reporter in 2004, I was largely dazzled by the excitement of new technology: Gmail was new. Facebook was just beginning. Ubiquitous Wi-Fi was just starting. Podcasts entered the lexicon. Rarely did I consider what impact all of this whizbang technology would have on society, and in particular, on law enforcement.
In 2005, I wrote my first story for Wired News about automated license plate readers (LPRs), and how they were being tested by the Los Angeles Sheriff’s Department (LASD). These specialized devices have quietly become pervasive in American law enforcement over the last decade. They rapidly scan, at 60 plates per second, when and where a license plate was seen. That data can be kept indefinitely.
I was a young reporter, and I didn’t really have the wherewithal to think about what it meant when then-commander Sid Heal, of the LASD, told me that LPRs improved spotting stolen cars by “an order of magnitude.”
“This makes us more efficient than we’ve been in the past,” he said. “We would never check 12,000 license plates the conventional way.”
That sounded great! Who doesn’t want the police to retrieve more stolen cars? But what I didn’t fully realize at the time was that, just as Gmail had made deleting e-mails practically obsolete, LPR data can also be kept forever. Given a large enough sample size, a pattern can easily be discerned.
I was slowly coming to the same conclusion that many in law enforcement and government circles had come to long ago: that the gathering of all kinds of our data, whatever it might be, was incredibly precious.
Eventually, I found out that LPR collection began in the city where I live, Oakland, California, way back in 2006. An early police analysis showed that nearly all of the plates collected were not a hit. In April 2008, the department reported to the city council that after using just four LPR units for 16 months, it had read 793,273 plates and had 2,012 hits—a hit rate of 0.2 percent. In other words, nearly all of the data collected by an LPR system concerns people not currently under suspicion of a crime. In late 2014, the Oakland Police Department (OPD) expanded its LPR-enabled fleet from 13 vehicles to 33, rapidly increasing the amount of LPR data collected: currently, 48,000 records are collected every day.
Our data is valuable to companies that are trying to sell advertisements and other products, and it’s attractive to the government, which is trying to hunt terrorists, miscreants, and scofflaws of all kinds. For the NSA and other federal agencies, that means using the most sophisticated tools against the most vicious of adversaries. For local law enforcement, it means catching car thieves, burglars, and other criminals.
Between April 2010 and April 2012, I lived and worked as a journalist in Bonn, Germany. From the former capital of West Germany, I was greeted almost immediately by the barrage of news about American tech companies. German public officials were generally not impressed: they were constantly berating American tech companies (usually Google and Facebook) over their practices.
I learned that in the decades since Nazism and the East German Stasi, Germans have largely been very sensitive to the type of data that the government can collect. As a result, German legal thinking about privacy originated in the central state of Hessen, which created the world’s first data protection law in 1970. That law evolved into a federal version in 1979 and a non-binding 1981 version from the Council of Europe, and it was last updated in Germany in 2003.
One of Germany’s most fundamental data protection principles describes practically the opposite of how we typically do things in America: “The collection, processing and use of personal data shall be admissible only if permitted or prescribed by this Act or any other legal provision or if the data subject has consented.”
In the United States, no one gave Google permission to go down all the roads in America and take pictures of every home. The company just did it. That’s why, when Street View arrived in Germany in 2010, politicians bent over backwards to show how opposed to Google they were. Notably, Guido Westerwelle, then the foreign minister, said, “I will do all I can to prevent it.”
Google came up with a compromise: it would allow Germans to opt out of the service. To do this, they would have to input their name and address, and Google would blur their home, as it does with faces and cars. In the end, less than 3 percent of people covered did so. But Google gave up Street View in Germany—it hasn’t updated its local photography there since the service’s German debut in 2010. Google has never said explicitly why it stopped updating the images in Germany, but it seems likely that the company did not want to be bogged down in both German courts and the court of public opinion for years on end.
This background was on my mind when I first began reporting again about LPRs. What law or precedent gives law enforcement the authority to capture this kind of data? How was this surveillance technology acquired? Who governs its use? How long is the data kept? How are abuses mitigated? These were questions I could now internalize in a way that I couldn’t previously.
In July 2013, I wrote a story about my efforts to learn what the police knew about me: I filed numerous public records requests with law enforcement agencies across California asking for records about my own car over the previous year. I discovered that the OPD scanned my car on May 6, 2013, at 6:38:25 PM at the corner of Mandana Boulevard and Grand Avenue.
This unremarkable hilly intersection boasts a 7-Eleven and a 76 gas station, although across the street is The Star, a hip Chicago-style pizza joint. It was just blocks away from the apartment that my wife and I had moved out of about a month earlier. It’s a crossroads I drive through fairly frequently even now, and the OPD’s LPR data bears that out.
I have lived in Oakland since 2005, other than my time abroad in late 2008 until early 2009 and again from 2010 until 2012. I have never been arrested. I have had nothing but positive and extremely brief interactions with police. I’ve been pulled over by the OPD exactly once—for accidentally not making a complete stop while making a right-hand turn at a red light back in 2009. Nevertheless, the OPD’s LPR system captured my license plate 13 times between April 29, 2012, and May 6, 2013, at various points around the city, and it retained that data for years. During this period, my car was neither wanted nor stolen. I paid my state registration fees like everyone else. The OPD had no reason to keep tabs on my movements, and yet, it did. Worse still, there’s no way to know if my license plate has been captured by a privately owned LPR system.
“Where someone goes can reveal a great deal about how he chooses to live his life,” Catherine Crump, a former ACLU lawyer and current law professor at the University of California, Berkeley, told me in 2015. “Do they park regularly outside the Lighthouse Mosque during times of worship? They’re probably Muslim. Can a car be found outside Beer Revolution a great number of times? May be a craft beer enthusiast—although possibly with a drinking problem.”
As I continued to report on LPRs, I realized the same questions I had about this technology applied to so much more: telephone metadata, cell-site simulators (aka stingrays), body-worn cameras, drones, facial-recognition technology, autonomous cars, artificial intelligence, and more. There was a torrent of technology that was becoming more ubiquitous and cheaper by the day, with little standing in its way. Legislators have generally seemed unable or unwilling to halt the ever-advancing technological mission creep. Courts seemed to always lag behind—by the time a technology was finally raised at an appellate court or at the US Supreme Court, it was far out of date. Carpenter’s criminal acts were committed in 2010 and 2011. His case didn’t reach the Supreme Court until late 2017. How much better has the smartphone in your pocket gotten during that time?
Many people say, “Yeah, whatever, I have nothing to hide.” But there’s probably something that you do (or have done), that you wouldn’t want known by anyone outside of a tight circle. Maybe you’re pregnant. Maybe you’re a gun owner. Maybe you ditched work yesterday to go to a baseball game. Whatever it is that you’re doing, what business is it of the government’s to know? With technology that can capture all of this information routinely for private companies and governments, de facto mass surveillance becomes trivial. Today, it’s almost impossible to hide from such data collection without essentially acting like a crazy person: ditching your phone, your car, and turning away from the modern world.
One of the most fundamental legal notions in the English legal system is encapsulated in the phrase habeas corpus. Roughly translated from medieval Latin, it means: “[We command] that you have the body [in court].” Basically, it is a brief judicial examination as to whether someone’s detention was proper. The goal is to provide a check on the government’s ability to arbitrarily arrest someone. The concept, which dates back centuries, is enshrined in the US Constitution: “The Privilege of the Writ of Habeas Corpus shall not be suspended unless when in Cases of Rebellion or Invasion the public Safety may require it.”
In the latter half of the twentieth century, largely inspired by German efforts, emerged the concept of habeas data. Like a writ of habeas corpus, a writ of habeas data allows an individual to obtain data from corporations or government agencies for the purpose of verifying it, modifying it, or perhaps even deleting it. In the wake of the authoritarian regimes of the 1980s, the Philippines and numerous Latin American countries codified this concept into law. Habeas data does not really exist in the same way in the United States. In America, we have public records laws both at the state and federal level, but there is no affirmative right to receive such information from corporations. Oftentimes, filing a lawsuit is required to obtain the best results from public agencies. Or, put another way, there is no inherent right to privacy in the United States, and often there’s little way to know exactly what technologies law enforcement, from the FBI down to the county sheriff, is using.
However, there is a historical skepticism of government power that we, as Americans, generally continue to hold. Our entire founding story revolves around violently overthrowing the reign of a distant monarch who exercised arbitrary power. A notable portion of the Declaration of Independence is essentially a laundry list of grievances: “He has refused his Assent to Laws, the most wholesome and necessary for the public good.”
In a world that can be and is so easily monitored and recorded by government authorities, we as a society have abrogated our responsibility. Here, I mean habeas data beyond the literal legal meaning: we ought to reveal the government’s vast stores of data to the public eye so that it can be scrutinized. After all, for nearly 250 years, our primary shield against government overreach has been ourselves.
“If men were angels, no government would be necessary,” James Madison wrote in February 1788. “If angels were to govern men, neither external nor internal controls on government would be necessary. In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself. A dependence on the people is, no doubt, the primary control on the government; but experience has taught mankind the necessity of auxiliary precautions.”
Now in the early twenty-first century, we are left with some lingering questions: Can the government force a company to act on its behalf—creating entirely new security-breaking software—simply by citing an obscure eighteenth-century law? Do we really relinquish all rights to data that we must give up to a cell phone provider, with cell phones a near-necessity in the modern world? Can law enforcement use a machine capable of tracking coarse or precise location data indefinitely without showing probable cause of a crime? Without a warrant, can police use an extrasensory machine to peer into the four walls of a home to learn about what is going on inside? What kinds of protections can and should we have over something as basic as e-mail? Should police use an invasive device that tricks our cell phones without adequate regulation or oversight from the public? Can cops search our phones without a warrant, potentially reaching into the most intimate of modern devices? Can or should they break the encryption on our phones?
This is a struggle that is happening all over the country, from the highest echelons of federal law enforcement, to the most local of police. Today, small towns across America already have LPRs and inexpensive drone units. Tomorrow, they will have standard facial recognition on all body-worn cameras, and perhaps even specialized hacking units—near-future digital SWAT teams. Unless we demand more from those who are sworn to uphold the law and protect us from the worst of our fellow citizens, this problem will only get worse.
Rather than wait years or decades for another Carpenter-like case to arrive at the Supreme Court, some communities—notably Oakland, California—have decided to take matters into their own hands. It is possible for city officials, activists, and even the police to talk about the realities of modern law enforcement and come up with a way for all sides to agree.
Table of Contents
1 Telephones: How a Fateful Call in 1965 from a Los Angeles Pay Phone Still Rings Out Today
2 How the Government Cracked an iPhone, Without Apple’s Help
3 How One Mugger’s Calls Helped Create the NSA’s Post-9/11 Phone Metadata Surveillance Program
4 When Big Brother Rides in the Back Seat
5 Can the Police Use Extrasensory Technology to Look into Your House Without a Warrant?
6 Why (Amazingly) E-mail Providers Won’t Give Up Messages Without a Warrant, Even Though the Supreme Court Has Never Ruled on the Issue
7 Why the Eighteenth-Century Constitution Protects Against Twenty-First-Century Satellite-Based Tracking
8 How Your Phone Can Lead the Authorities Right to Your Door
9 Can Police Search Your Phone When You’re Arrested?
10 Why Privacy Needs All of Us
11 Who Watches the Watchers?