Habeas Data: Privacy vs. The Rise of Surveillance Tech

by Cyrus Farivar


  In its court filing, the company argued that this went far beyond what was authorized under the Title III wiretap act, and its more modern update, the Electronic Communications Privacy Act of 1986. Among other concerns, ATX’s lawyers cited New York Telephone as a reason why the government should not be allowed to go forward. Their response would lay the groundwork for Apple’s own defense just a few years later.

  “In order to comply with the Court’s order, ATX must fundamentally restructure its business and change the manner in which it conducts business,” Bennee Jones, ATX’s lawyer, wrote. “Courts do not have unfettered discretion to order assistance of private companies.”

  Eventually, the order was appealed up to the 9th US Circuit Court of Appeals in San Francisco. In a 2–1 decision, the court ruled in favor of ATX. However, the court found that ATX was covered by the language of the statute, and that it may be required to assist the government’s investigation. But that wasn’t the end of the story.

  “The question remains whether the order goes too far in interfering with the service provided by the Company, by preventing the Company from supplying the System’s services to its customers when a vehicle is under surveillance,” Circuit Judge Marsha Berzon wrote in the majority opinion in November 2003. “We conclude that it does.”

  In short, the 9th Circuit ruled in 2003 that because the government’s order to cartap the Mercedes activated the Tele Aid system—which made it impossible for the owner to actually turn it on of their own volition, thus effectively disabling the emergency roadside service call ability that it was designed for—it went too far.

  “The FBI, however well-intentioned, is not in the business of providing emergency road services, and might well have better things to do when listening in than respond with such services to the electronic signal sent over the line,” Berzon continued. “The result was that the Company could no longer supply any of the various services it had promised its customer, including assurance of response in an emergency.”

  Over a decade later, in his March 15, 2016, brief, Ted Boutrous reprised ATX’s arguments, and cited the 9th Circuit ruling. In essence, Apple made the “if you give a mouse a cookie” argument.

  The government nevertheless contends that because this Court issued a valid search warrant, it can order innocent third parties to provide any service the government deems “necessary” or “appropriate” to accomplish the search. Opp. 5. But that “broad” and “flexible” theory of the All Writs Act has no limiting principle…

  Indeed, it is telling that the government fails even to confront the hypotheticals posed to it (e.g., compelling a pharmaceutical company to manufacture lethal injection drugs, Dkt. 16 (“Mot.”) at 26), or explain how there is any conceivable daylight between GovtOS today, and Location-TrackingOS and EavesdropOS tomorrow.

  In other words, if Apple agreed to provide a bespoke solution for the government now, there’s no reason to think that it wouldn’t be required to do so again in the future. If Apple can be forced to open a locked iPhone today, maybe it could be compelled to turn the iPhone into a tracking device or a bugging device tomorrow.

  * * *

  The All Writs Act cropped up again in a surveillance case when US Magistrate Judge James Orenstein ruled in favor of privacy interests on August 25, 2005. The core facts of the case (not to mention the result) remain under seal, more than 12 years later.

  The government’s legal argument was essentially that it could combine a pen register order and a d-order (the same at issue in Carpenter v. United States) for business records to get a phone company to provide the ongoing cell-site location information of a suspect.

  But the judge denied the prosecutor’s efforts. In that landmark August 25 decision, the judge ruled that he would not let the government “effectively allow the installation of a tracking device without the showing of probable cause normally required for a warrant.” He is believed to be the first magistrate to reject the government’s argument for such a request under this hybrid theory—that is, a hybrid of pen register order and d-order, the worst of both worlds from a privacy standpoint.

  In other words, Judge Orenstein was not willing to let the government turn someone’s phone—even a criminal suspect’s—into something that could be used to track them without the authority of a warrant with supporting probable cause. It’s worth noting that this judge, who was appointed to the federal bench in 2004, served as a federal prosecutor in New York for 11 years, from the tail end of the George H. W. Bush administration, through both terms of the Clinton administration, all the way to the beginning of the George W. Bush administration. In short, he is quite sensitive to the needs of law enforcement.

  The government was not pleased with his ruling, and formally asked him to reconsider.

  A week later, an outside group asked to present adversarial arguments. This was very unusual. Normally, in an ex parte (one-sided) proceeding, the judge only hears from the government. The Electronic Frontier Foundation (EFF), a digital privacy advocacy group based in San Francisco, wrote to the judge to ask to enter the case as an amicus curiae, or friend of the court. This only occurs when other companies, groups, or individuals wish to make their thoughts known to the court, usually in a novel legal issue. He granted it, and the EFF wrote that what the government was asking for was a “statutory chimera.”

  The dispute largely turned on one particular phrase within CALEA (47 USC 1002).

  A telecommunications carrier shall ensure that its equipment…are capable of…expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier…in a manner that allows it to be associated with the communication to which it pertains, except that, with regard to information acquired solely pursuant to the authority for pen registers and trap and trace devices (as defined in section 3127 of title 18), such call-identifying information shall not include any information that may disclose the physical location of the subscriber (except to the extent that the location may be determined from the telephone number).

  The government interpreted the way this law was written to mean that the location information can be obtained via court order when combined with a pen/trap order. However, the EFF didn’t see it that way at all. The organization felt that the government was going far beyond what Congress intended: it felt that “determined from the telephone number” meant literally the number, including the area code itself, and not the actual location of the phone.

  On October 11, 2005, the government responded, largely reiterating its earlier arguments, and adding a notable new and final one, citing the All Writs Act. Responding in his October 25 opinion, Judge Orenstein was not convinced.

  “Thus, as far as I can tell, the government proposes that I use the All Writs Act in an entirely unprecedented way,” he wrote. “To appreciate just how unprecedented the argument is, it is necessary to recognize that the government need only run this Hail Mary play if its arguments under the electronic surveillance and disclosure statutes fail.”

  * * *

  In 2006, the FBI created its Science and Technology Branch, a distinct division within the agency, with the goal of staying “on top of technical innovation.” Among other things, that included regional computer forensics labs.

  “In today’s digital world, crime scenes have become much more complex,” said Kerry E. Haynes, executive assistant director of the FBI’s Science and Technology Branch, at the opening of one such lab in Buffalo, New York.

  “Digital technology is often more important than physical evidence. Cell phones, [personal digital assistants], computers—each and every one of these devices has its own unique story and can be tainted and destroyed, but we can also extract their evidence.”

  In January 2007, the iPhone was released. The iPhone, more so than the Treos, Blackberries, and flip phones that came before, had incredible capabilities. It could browse the Web, play music, e-mail, and far more. But as consumer technology was getting better, law enforcement was upping its game, too.

  In fact, the same month that the iPhone was released, Marcus Thomas was promoted and named the assistant director of the Operational Technology Division. By at least early 2008, within the halls of government and the FBI itself, Haynes and Thomas began expounding on what they termed Going Dark. Essentially, the FBI was concerned that if newer tools, ranging from Skype to Xbox Live calls, began offering encryption enabled by default, there would be no way for law enforcement to access such data. In other words, the FBI and other federal law enforcement agencies feared that their ability to surveil suspects and gather data as part of routine investigations was becoming more and more difficult.

  What worried Haynes and Thomas above all else was that “the ability of the FBI to collect intelligence and conduct investigations through the use of technology is shrinking every day,” according to an April 2008 document not released until over two years later as part of a Freedom of Information Act lawsuit.

  In 2009, the FBI asked Congress for $9 million for the Going Dark program as part of its fiscal year (FY) 2010 budget. (By FY 2017, the budget for this program had ballooned to over $38 million.) In 2010, the FBI started pushing more formally, along with other federal agencies, to get Congress to do something—essentially a CALEA for the Internet. That is, a new legal framework that would adjudicate FBI surveillance, while providing funds, training, and initiative for expanding their technology capacity.

  “We’re talking about lawfully authorized intercepts,” Valerie E. Caproni, the FBI’s top lawyer, told the New York Times in September 2010. “We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.”

  Caproni’s language nearly exactly mirrored Thomas’ language of “not an increase in our ability” from a decade earlier. There remains a very real tension between the difficult job that law enforcement is tasked with—solving crimes—and the technological reality that they face. Investigators are understandably put in a bind, but there doesn’t seem to be a good way to balance the technological realities of easy-to-use strong encryption with the government’s ability to break into it when needed.

  Months later, in February 2011, Mark Marshall, the head of the International Association of Chiefs of Police, also warned a House committee of the potential danger.

  “Many agencies that need to be able to conduct electronic surveillance of real time communications are on the verge of ‘Going Dark’ because they are increasingly unable to access, intercept, collect, and process wire or electronic communications information when they are lawfully authorized to do so,” he said. “This serious intercept capability gap often undercuts state, local, and tribal law enforcement agencies’ efforts to investigate criminal activity such as organized crime, drug-related offenses, child abduction, child exploitation, prison escape, and other threats to public safety.”

  * * *

  For the most part, mainstream companies were not as concerned about countermanding a nebulous FBI effort that was slowly being discussed in Congress. Indeed, the June 2011 federal wiretap report noted dryly: “In 2010, encryption was reported during six state wiretaps, but did not prevent officials from obtaining the plain text of the communications.”

  Even Apple—a company that particularly since the 2016 San Bernardino case has really pushed for increased security—for years prior didn’t take all of the security steps that it could have taken in the design of iOS.

  “The lock screen is merely a screen saver lock, which as most people know doesn’t equate to real security anyway,” wrote Jonathan Zdziarski, an iOS security expert who now works for Apple, in April 2013.

  Under certain conditions, this is one technique law enforcement forensic engineers are able to perform to unlock a device they’ve seized, if all other forensic techniques fail. Apple is also capable of doing this, however to my knowledge they do not. Under a subpoena, Apple will, however, copy off the same readable contents of the file system if given a warrant.

  Google did not offer full-disk encryption on its Android devices either.

  However, everyone’s notion of security changed overnight when Edward Snowden became a household name in June 2013. Snowden, a young contractor for the NSA, leaked a trove of classified documents to two American reporters, Glenn Greenwald and Laura Poitras. (Greenwald famously almost missed the Snowden story as he found setting up encrypted e-mail too difficult.) They reported on a seemingly endless amount of materials from Snowden’s cache, describing in detail how the NSA was conducting its espionage and by what legal means. The net result was that all of a sudden journalists, activists, and even average citizens began taking these issues more seriously than ever before.

  Within months, companies began hardening their services: Google, Yahoo, and Microsoft began stepping up their game.

  “Recent press stories have reported allegations of governmental interception and collection—without search warrants or legal subpoenas—of customer data as it travels between customers and servers or between company data centers in our industry,” wrote Brad Smith, Microsoft’s top lawyer, in December 2013. “If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ alongside sophisticated malware and cyber attacks.”

  * * *

  It wasn’t just companies that were taking notice and starting to think about privacy in a new way. A handful of federal magistrate judges started to push back against the government’s efforts in digital surveillance cases. Judge Orenstein’s ruling from 2005, where he found that the government was going too far with its interpretation of the All Writs Act, was one of the earliest instances of what came to be known, post-Snowden, as the “Magistrates’ Revolt.”

  The term came from an April 2014 article in the Washington Post, which described the effort as having “gained power amid mounting public anger about government surveillance capabilities revealed by former NSA contractor Edward Snowden.” Historically, most magistrates generally grant the government a lot of leeway when it comes to search warrant applications. But now at least a few judges in Texas, DC, and New York were starting to publicly push back against routine prosecutorial requests.

  The article focused on one DC-based magistrate, Judge John Facciola. In one March 2014 case, Facciola wanted government investigators, as part of an investigation into the manufacture of ricin on the campus of Georgetown University, to specify “whether the target devices would be imaged in full, for how long those images will be kept, and what will happen to data that is seized but is ultimately determined not to be within the scope of the warrant—or, more precisely, Attachment B—can only be addressed by a search protocol; after all, the imaging actually occurs as part of the search process.”

  In short, this ruling demonstrated a level of technical fluency not commonly seen across most federal courts. This was a clear instance of at least one judge starting to really sit up and take notice of the implications of broad—and largely unchecked—government power.

  Six months later—that is, only a year before the San Bernardino incident—Apple joined the security party: its latest version of the iPhone and iPad’s operating system, iOS 8, was designed in such a way that Apple could no longer get into a locked phone.

  “On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” the company wrote on its website.

  “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

  That same day, in an open letter, Apple CEO Tim Cook took a direct swipe at Google, its primary mobile competitor. “Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers,” he wrote. “We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.”

  Google followed suit the next day.

  * * *

  In short, Snowden had the effect of making more individuals and companies care about privacy. Easy-to-use apps and strong encryption by default became a major roadblock in the government’s efforts to deal with its Going Dark problem.

  Government officials were not going to take this lying down. Within days of Apple’s announcement, in September 2014, FBI Director James Comey told reporters that he was concerned that “companies [are] marketing something expressly to allow people to place themselves beyond the law.”

  The following month, Attorney General Eric Holder expressed similar concerns. “It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy,” Holder said during an October 2014 speech before the Global Alliance Against Child Sexual Abuse Online conference. “When a child is in danger, law enforcement needs to be able to take every legally available step to quickly find and protect the child and to stop those that abuse children. It is worrisome to see companies thwarting our ability to do so.”

 
