Even NSA BFF Verizon Thinks Warrantless Location Data Collection May Have Gone Too Far

from the bridge-too-far dept

You'd be hard pressed to find companies more bone-grafted to the nation's intelligence gathering apparatus than AT&T and Verizon. So much so that it's often difficult to determine where the government ends, and where the telecom duopoly begins. From Mark Klein highlighting how AT&T was giving the NSA live access to every shred of data that touched the AT&T network, to Snowden's revelation of Verizon's handover of customer metadata, these are companies that were not only eager to tap dance around privacy and surveillance law, but actively mocked companies that actually stood up for consumer privacy.

That's why it's notable to see one of Verizon's top lawyers, Craig Silliman, penning an op-ed over at Bloomberg implying that location data hoovering has jumped the shark. Silliman details the problems arising in the age of location data collection, and specifically how four recent district courts have ruled that law enforcement can get location data without a warrant. These rulings relied on the "third-party doctrine," or the argument that consumers lose privacy protections to this information if they're willing to share it with a third party -- aka Verizon.

But Silliman notes that the cases in question leaned on data collection and networks from 2010 and 2011, before the rise of even more precise small cell (femto) technology, deployed in many areas to shore up tower coverage gaps:

A femto cell may have a cell radius of between 100 feet and 500 feet. Knowing that an individual’s cellphone is within a few hundred feet of a cell obviously is more precise than knowing that it is within a few miles. All of these changes – particularly, the surge in our customers’ use of data and the fact that many of today’s cell sites have smaller ranges – mean that our network now collects more voluminous and more precise location information than when, in 2010 and 2011, law enforcement obtained the location information that gave rise to the four appellate cases described earlier.

Silliman proceeds to note that he hopes that should these cases stumble toward the Supreme Court, the court will realize the game has changed dramatically in the last half decade:

The defendants in the two location information cases that were decided this Spring are asking the Supreme Court to review their cases and the third-party doctrine. I think it’s a matter of time before the Court takes a case like this and when it does, I hope that it takes into account how quickly technology — including the volume and precision of location information — is changing.

Verizon tells The Intercept that while the op-ed comes on the heels of the recent surveillance scandal at Yahoo (soon to be owned by Verizon), the two are not related, and Silliman's editorial was penned weeks before the news of Yahoo's e-mail searches surfaced. Silliman claims that Verizon's motivation here is just an interest in protecting consumer privacy as it collects this data for troubleshooting (and, of course, sale):

Like other carriers, Verizon retains this information to troubleshoot, maximize network efficiency, and for other business purposes. We keep cell site and sector information that we need for these business purposes for one year, while we keep other location information, like multiple location points collected during a data session and the approximate distance a device is from a cell site for eight days.

We take our customers’ privacy very seriously, of course, and protect this information carefully.

Well, let's not go that far. This is the same company that was caught covertly modifying user data packets to track their behavior around the internet, failing to inform customers this was happening or provide working opt-out tools. Verizon's also actively working to prevent new privacy protections for consumers at the FCC. And again, this is the same company that, hand in hand with AT&T, consistently went above and beyond in handing over vast oceans of data to intelligence services while never challenging the government and actively mocking companies that did.

That said, it's still amazing to see one of the government's closest allies on domestic surveillance suggesting that just maybe we've taken this whole warrantless hoovering of information thing a little too far.

Filed Under: craig silliman, data collection, law enforcement, surveillance, warrants
Companies: verizon

License Plate Reader Company Sues Another State For 'Violating' Its First Amendment Right To Build A 1.8-Billion-Image Database

from the we're-really-just-like-some-dude-with-a-point-and-shoot dept

Private companies engaging in large-scale surveillance are pushing back against the push back against large-scale surveillance… by filing lawsuits alleging their First Amendment right to photograph license plates is being infringed on by state laws forbidding the use of automatic license plate readers by private companies.

Now, these laws aren't saying law enforcement agencies can't use these readers. They can. What they do say (or did… Utah's law was amended after a lawsuit by license plate reader company Vigilant) is that private companies, like repossession firms and tow truck services, can't use these readers. But apparently they do, and those who manufacture and support the equipment would like to continue capturing this market.

Cyrus Farivar at Ars Technica reports that Vigilant has filed another lawsuit, this time against the state of Arkansas, arguing that a state law curbing the use of LPRs by private companies tampers with its free speech rights.

In this case, the two firms in question—Digital Recognition Network (DRN) and Vigilant Systems—generate, maintain, and share access to the license plate reader database with law enforcement.

The new Arkansas state law took effect in 2014, and it bans the private collection of license plate reader data while still allowing the cops to use the devices, usually mounted on patrol cars. The two companies say that their First Amendment rights are being violated, as they are allowed to photograph—even under an automated, high-speed process that is then shared with law enforcement—any and all license plates, anywhere.

There's a bit of a disconnect in Viglant's/DRN's logic, but one that's a bit troublesome for the courts to address. By portraying the capture of license plates at a rate of nearly 1,000 per hour as little more than a digital version of someone taking individual photographs of publicly-displayed plates, the companies hope to make its technology look less intrusive than it is.

The troublesome part is that courts have held that privacy violations that don't exist in the singular can't magically be summoned by en masse collections. There are definitely privacy concerns, however, especially when this information is used (and misused) by law enforcement. But the companies argue that there's nothing personally identifiable about a license plate, at least without access to other databases like those held by states' departments of motor vehicles. (Oddly, law enforcement officials have made the same argument, despite having this access.) This is true, but it's of little comfort when the privately-held database contains 1.8 billion records and is growing at the rate of 70 million per month.

Here's the crux of Vigliant's First Amendment assertions.

Plaintiffs' dissemination of license-plate information collected by ALPR systems is speech protected by the First Amendment. Similarly, the use of ALPR systems to collect and create information by taking a photograph amounts to constitutionally protected speech.

The Act is a content-based speech restriction. The illegality of speech under the statute turns on the content of what is being photographed and transmitted through ALPR systems-license-plate information is covered, but other content is not. The Legislature has singled out the collection and dissemination of "images of license plates" and the resulting "computer-readable data." Ark. Code§ 12-12-1802(2), 12-12-1803(a); see also § 12-121082(3). Moreover, the Act's extensive exceptions further demonstrate that it discriminates based on the content of the speech and the identity of the speaker.

This is a tough hurdle for the state to leap and is likely what prompted Utah to heavily amend its state law in exchange for Vigilant dropping the lawsuit. Unfortunately, in Utah's case, the state seems to have overcompensated. The amendment strikes any prohibition of a private entity collecting license plate data and allows these same entities to sell collected data to other third parties, something it expressly forbids government agencies from doing. It also allows for these companies to hold onto the data for as long as nine months, something that was only 30 days in the original bill.

So, Vigilant's point remains that what it does in terms of collection is not a violation of privacy because it does not have access to DMV databases holding personally-identifiable information. It glosses over the fact that it provides access to hundreds of law enforcement agencies around the US, all of which can acquire the connecting data. But that does seem to put the onus on law enforcement agencies to provide adequate privacy protections, including timely disposal of non-hit data. So far, very few agencies have attempted to so. In Utah's case, there are nine months of historic, non-hit data at law enforcement's fingertips, all with time and location info.

In the singular (as Vigilant's argument goes), this isn't a privacy violation -- no different that someone taking a picture of a vehicle in public. But several months of time and location data creates something that can only be achieved through dedicated surveillance, something that does raise privacy questions, especially in light of the recent court decision finding that law enforcement officers need warrants to track cell phone users' locations. This is the same principle. Law enforcement agencies shouldn't be accessing months of plate location/time data unless it's part of an investigation -- and if it is, someone neutral needs to be deciding whether or not every license plate hit is relevant to the situation.

Filed Under: alpr, arkansas, data collection, first amendment, license plate reader, license plates
Companies: vigilant

NSA Targets Pirate Bay And Wikileaks Despite 'Inadvertent' Collection Of US Data According To Latest Leak

from the speech-keeps-getting-chillier dept

The Intercept (Glenn Greenwald's new home) has just published a new leaked document that shows, among other things, the NSA's interest in both Wikileaks and The Pirate Bay. An included NSA internal-wiki page mentions both sites by name, along with analyst's concerns about Anonymous. The Intercept has also added two additional slides to the deck previously published by NBC News on SQUEAKY DOLPHIN, the NSA's cross-platform, real-time data harvesting tool that attempts to quantify the "human networks" surrounding its targets utilizing information gleaned from YouTube, Facebook, Twitter, etc.

The additional slides give some insight as to who the NSA believes is a worthy target.

The efforts – detailed in documents provided previously by NSA whistleblower Edward Snowden – included a broad campaign of international pressure aimed not only at WikiLeaks founder Julian Assange, but at what the U.S. government calls “the human network that supports WikiLeaks.” The documents also contain internal discussions about targeting the file-sharing site Pirate Bay and hacktivist collectives such as Anonymous...

Illustrating how far afield the NSA deviates from its self-proclaimed focus on terrorism and national security, the documents reveal that the agency considered using its sweeping surveillance system against Pirate Bay, which has been accused of facilitating copyright violations. The agency also approved surveillance of the foreign “branches” of hacktivist groups, mentioning Anonymous by name.

While some concern is expressed by NSA guidance that US citizens' data will be caught in this program's nets, the general response seems to be, "report it," but otherwise "it's nothing to worry about." What's worse, however, is how simple it is for the NSA to flip the switch on total surveillance (including US persons) while still remaining in the clear, legally-speaking.

A third document, from July 2011, contains a summary of an internal discussion in which officials from two NSA offices – including the agency’s general counsel and an arm of its Threat Operations Center – considered designating WikiLeaks as “a ‘malicious foreign actor’ for the purpose of targeting.” Such a designation would have allowed the group to be targeted with extensive electronic surveillance – without the need to exclude U.S. persons from the surveillance searches.

This designation itself is relatively meaningless, needing only a 51% "confidence" (whatever that means) to be able to search "without defeats" (minimization). This low bar puts the designation on par with other tools deployed frequently by intelligence and investigative agencies, like NSLs (national security letters) and administrative subpoenas.

So, simply visiting any of the sites listed could result in your data being swept up "inadvertently." This will probably be noted on the OGC's report, but otherwise it just seems to be considered unavoidable collateral damage. Anything on those reports isn't considered to be abuse because of the lack of intent. The document seems very clear that intentionally targeting US persons or US-to-US communications is forbidden (and indeed the latter will return "no results"), but the inadvertent collection is still a concern, especially when the only obstacle can easily be removed by calling TPB, Wikileaks and others "malicious foreign actors."

How targeting these sites (and their users) fights terrorism is completely unclear. The TPB may post a link to "stolen documents" but it's not the host (unless the NSA has also been tasked with playing copyright cop). As for Wikileaks, the "stolen documents" discussed in the internal wiki have been public for years without creating anything more serious than diplomatic embarrassment.

This does, however, seem to fall in line with the law enforcement and intelligence agencies' increasing tendency to portray "dissent" as "terrorism" when the only similarity between the two is an antipathy towards those in power.

Filed Under: data collection, glenn greenwald, nsa, privacy, the pirate bay, wikileaks

Belgian 'Royal Decree' Requires ISPs To Log All Sorts Of Info For A Year

from the invest-in-encryption-now dept

Theo Lietaert alerted us to the very troubling news out of Belgium, that a "royal decree" has been passed requiring Belgian telcos, internet service providers, information service providers, email providers, etc. to log a ridiculous amount of metadata for a year. The full decree (in French) includes an awful lot of information that will be tracked (though it's been published in a manner that's nearly impossible to read). Among the examples listed: how many emails you send, if you use a VoIP provider (like Skype), how long your calls are, how you pay your bills -- basically any and all (non-content) data that ISPs can collect, they are required to keep. And then they need to make it available to basically all law enforcement. That is, this is not just for anti-terrorism purposes, but for any government purpose under the sun, allowing them to troll through basically all of your internet activity.

The justification for all of this? Because law enforcement "needs" this data do their job better. This is not all that different than the excuses we've heard from those defending NSA surveillance, that this data is somehow "needed" because it might stop "bad guys." But that turns the privacy questions upside down entirely. As we've noted, law enforcement would, most likely, be able to stop a lot more crime if we were all required to have video cameras hooked up to a giant database installed in every room in every home. But we don't do that because it's a massive breach of privacy.

The ministers behind this abomination, Johan Vande Lanotte and Annemie Turtelboom appear to recognize that this goes "far beyond" what's allowed under the European privacy directive, but they don't seem to care, claiming that the privacy directive is "obsolete." The whole situation is fairly sketchy as well, since it was done by royal decree, allowing them to totally bypass Parliament, but is equally binding. I guess they're worried that Parliament (*gasp*) might actually protect the rights of the people.

This seems like a horrifyingly broad attack on privacy rights in Belgium, and while the Privacy Commission is reviewing the issue, it's possible that this will be considered the law in Belgium. If you're a VPN vendor, it would seem like a marketing campaign in Belgium might be appropriate just about now.

Filed Under: belgium, data collection, data retention, eu, metadata, privacy, privacy directive, royal decree

North Carolina State University Gets $60 Million To Help NSA Build Bigger And Better Haystacks

from the institute-of-spy-er-learning dept

Who wants to work on a collaborative data project with a badly wounded intelligence agency? I'm not seeing a lot of hands... How about if I ask it with a couple of exclamation points thrown in?!?! Still nothing...

Given what we know now, it's probably safe to assume that no one wants to sign a deal with this particular devil if the NSA's abortive recruitment drive at the University of Wisconsin is any indication. The recruiters appeared to believe they could just walk in and harvest a few souls hand out a few heavily-redacted business cards while talking up Team NSA's anti-terrorism efforts.

Instead, the recruiters found themselves on the receiving end of their own words, wielded with deadly accuracy by a handful of mouthy linguistics students. Forced to defend themselves, the recruiters delivered phrases like, "We don't tell complete lies," and "we drink heavily and sing karaoke while wearing wigs."

In what has to be one of the most unfortunate press releases ever released, another institute of higher education has just announced its partnership with the NSA. You can practically feel the aching jaws of several forced smiles that accompany this bit of "good news" from North Carolina State University.

A $60.75 million grant from the NSA is the largest research grant in NCSU’s history – three times bigger than any previous award.

The Laboratory for Analytic Sciences will be launched in a Centennial Campus building that will be renovated with money from the federal agency, but details about the facility are top secret. Those who work in the lab will be required to have security clearance from the U.S. government.

NCSU officials say the endeavor is expected to bring 100 new jobs to the Triangle during the next several years. The university, already a leader in data science, won the NSA contract through a competitive process.

There's nothing like two solid months of negativity to take the shine off a hard-won grant battle. If the race started today, one imagines the field might have a bit more breathing room. Everyone involved is quick to point out that the university won't be involved in the NSA's day-to-day privacy violations.

“As a university, we’re not going to be involved in the operational intelligence work of the National Security Agency,” [Chancellor Randy] Woodson said. “Our partnership with them is really about the science of big data and data analysis. I don’t think there’s anything more difficult right now for both government and the private sector than making sense out of the deluge of data that we’re all swimming in every day.”

Well, if there's anything the NSA needs, it's more haystack wranglers. Someone might want to point out that targeted surveillance efforts usually result in much more manageable "deluge." Of course, the NSA's really not interested in shallow pools of data. It would much rather swim in accumulated data, even inadvertently if it has to.

As for not being "involved?" That's probably true as far as data harvesting goes. But the leaks have shown us that every American has the chance to "get involved" by inadvertently lending their data to the NSA at some point or another, like say, the residents of Tallahassee, FL, whose area code (850) is also North Korea's country code.

Timing is everything and, through no fault of its own, NCSU has nothing. The original announcement was supposed to happen back in early June, but Snowden's first batch of leaks altered those plans. Presumably everyone was waiting for the whole "leaks thing" to blow over, but with time running off the clock to get the grant allotted before the end of the fiscal year, the university rushed out its belated announcement, just in time to coincide with the most damaging leak yet.

Synergy.

You know how it goes -- the morning starts out bright and full of promise but by the end of the day you're issuing statements that put you as far away as possible from the foul odor emanating from the NSA while still keeping the grant money within reach of your outstretched arm.

The NSA's statement, on the other hand, bears the devilish grin of someone who has not so much lost $60 million but gained a rare ally, albeit one that keeps pointing out that it's not involved with the unpleasantness.

In the announcement from the NSA, the agency’s director of research, Michael Wertheimer, said NCSU is the ideal location for the new lab.

“We have chosen the Research Triangle area for its vibrant academic and industry interest in large data analytics, and NC State for having the nation’s first, and preeminent, advanced degree program in data analytics,” Wertheimer’s statement said. “By immersing intelligence analysts with NC State’s diverse group of scientists, we hope to discover new and powerful ways to meet our foreign signals intelligence and information assurance missions – giving us an edge to better protect the nation.”

Well, it would be nice if the experts at NCSU could give the NSA some guidance on how to keep its "foreign signals intelligence" foreign and its "information assurance missions" a bit more focused. But this isn't what the NSA wants from NCSU. It's looking for bigger haystacks and better pitchforks and the occasional needle to justify it all.

Filed Under: bad timing, data collection, north carolina state, nsa, nsa surveillance

Did The NSA Think The Public Can't Do Math? Attempt To Downplay Data Collection Fails Miserably

from the carry-the-one... dept

Last week we wrote about the NSA's ridiculous attempt to justify its surveillance efforts, including this really wacky callout designed to show just how "little" data the NSA collects.

Scope and Scale of NSA Collection

According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6% of that. However, of the 1.6% of the data, only 0.025% is actually selected for review. The net effect is that NSA analysts look at 0.00004% of the world's traffic in conducting their mission -- that's less than one part in a million. Put another way, if a standard basketball court represented the global communications environment, NSA's total collection would be represented by an area smaller than a dime on that basketball court.

This was bizarre on a number of levels, not the least of which is the wacky basketball court-to-dime scale. Next time, maybe we can play "is it bigger than a breadbox" with the NSA. But, as for what any of this meant, it hasn't been at all clear. Since the NSA has already redefined basic English words like "collect," "target," "datamine," and "relevant" it's not at all clear what is meant by "touch." However, some are starting to dig into the numbers, and contrary to the NSA's attempt to suggest that this is "nothing to fear," a bit of analysis certainly suggests they're collecting quite a bit of info.

First up, we have Jeff Jarvis, who highlights a bunch of important comparative datapoints including that Sandvine claims that only 2.9% of US traffic is communication traffic and 68.8% of all email is spam -- meaning that it's entirely possible that the NSA collects nearly all non-spam email and it would still be within its 1.6% number. He also points out that 62% of traffic on the internet is considered entertainment, and we can assume that the NSA doesn't need to collect every copy of Game of Thrones that people are passing around (I'm sure one or two will do the job). He similarly points out that Google itself claims to only index approximately 0.004% of traffic on the internet, suggesting that the NSA may be collecting more info than Google indexes by two orders of magnitude.

Meanwhile, Sean Gallagher, over at Ars Technica, digs a bit deeper into the numbers, suggesting that the NSA's data collection is closer to being on par with Google, but still greater than Google:

The dime on the basketball court, as NSA describes it, is still 29.21 petabytes of data a day. That means NSA is "touching" more data than Google processes every day (a mere 20 petabytes).

Gallagher also looks much more closely at the recently revealed details of the Xkeyscore program, to show how that 1.6% of "touched" internet communications can cover pretty much everything important.

As a result, if properly tuned, the packet analyzer gear at the front-end of XKeyscore (and other deep packet inspection systems) can pick out a very small fraction of the actual packets sent over the wire while still extracting a great deal of information (or metadata) about who is sending what to who. This leaves disk space for "full log data" on connections of particular interest.

In other words, while the 1.6% number was put forth by the NSA to try to make people think this is no big deal, when you look at what it means, it suggests it's a very big deal indeed. In fact, the NSA may be collecting even more information that people had believed before.

Filed Under: data, data collection, internet traffic, nsa, nsa surveillance, scale

Verizon Lobbying Congress Over NSA Data Collection

from the but-of-course-they-are dept

The latest lobbying disclosure forms are out for lobbying efforts in the second quarter, and as Dave Maass points out, wouldn't you know, Verizon's lobbyist, Mike McKay disclosed that he was lobbying the House of Representatives on "NSA's data collection of of phone records." Now, there's no indication over what the argument being made was -- but it's notable in that while various tech companies have been quite vocal about the whole NSA situation, AT&T and Verizon have been deafeningly silent. If they were working Congress hard to protect consumers' privacy rights... wouldn't that be something they'd be talking about publicly?

Filed Under: data collection, lobbying, metadata, nsa, nsa surveillance, privacy
Companies: verizon