The House Intelligence Committee recently held an open hearing on commercial cyber surveillance, also known as “mercenary spyware.”
The hearing focused on new threats posed specifically by privately made, foreign-developed spyware that is bringing capabilities long associated with top-tier nation states to smaller countries and the private sector. PPSA has previously reported on one such foreign spyware, in particular the spreading “zero-click” Israeli-developed Pegasus.
Pegasus can transmit itself seamlessly into a smartphone without a single click or action from the victim. From there, it can watch you through your camera, listen to you through your microphone, copy your messages, record your calls, extract all your images, and follow your movements. In just a few years, Pegasus has been acquired by dozens of countries and entities, from Saudi Arabia to Mexican cartels, and has already been used to deadly effect against dissidents and journalists. It represents the most sophisticated and widely available form of spyware yet developed.
Among the hearing’s witnesses was John Scott-Railton, a senior researcher at The Citizen Lab of the University of Toronto's Munk School of Global Affairs & Public Policy. His testimony provided a stark picture to Congress:
Railton testified (see the 18:50 mark), “Your phone can be on your bedside table at two in the morning. One minute, your phone is clean. The next minute, the data is silently streaming to an adversary a continent away. You see nothing.” He added it was “capabilities available only to a handful of nation-states … It is too late,” he said, “to put the tech back into the bottle, and so we must take strong action now…”
Another witness was Carine Kanimba, an American citizen born in Rwanda. Her testimony (29:05) details the story of her stepfather, Paul Rusesabagina, portrayed by Don Cheadle in Hotel Rwanda. Rusesabagina was the manager of the Hôtel des Mille Collines in Kigali during the Rwandan genocide. He used the hotel to save more than a thousand refugees. Later, he and his family fled to the United States. Rusesabagina became a public speaker and was critical of the human rights violations of the Rwandan government and of the Rwandan President Paul Kagame. In August 2020, Kanimba’s stepfather was surveilled in the United States by the Rwandan government and lured from the family home in Texas. Rusesabagina was kidnapped in Dubai, transferred to Kigali, tortured, tried, and sentenced to 25 years in prison. Kanimba became a vocal and effective activist about the abduction of her stepfather.
In February 2021, Carine Kanimba was notified (33:11) by forensics experts that her smartphone had been infected by Pegasus.
“I was mortified, and I am terrified,” she said. The forensics report showed “the spyware was triggered as I walked in with my mom into a meeting with the Belgian Minister of Foreign Affairs. It was active during the calls with the U.S. Presidential Envoy for Hostage Affairs team and the U.S. State department, as well as U.S. human rights groups.”
Not only was Kanimba’s phone infected, but so was the phone of her cousin with whom she lives.
“I am frightened by what the Rwandan government will do to me and my family next,” she said. “It keeps me awake that they knew everything I was doing. Where I was, who I was speaking with, my private thoughts and actions, at any moment they wanted. Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe.”
The threat posed by mercenary spyware companies and malware is too serious to ignore.
“It has taken us too long to have this conversation,” concluded Railton. His testimony included several suggestions for Congress (22:15):
Video starts at Sen. Mike Lee's questioning of FBI Director Wray (1:02:00 mark).
At a Senate Judiciary Committee hearing yesterday, Sen. Mike Lee (R-UT) neatly summarized the FBI’s spotty observance of Section 702 of the Foreign Intelligence Surveillance Act (FISA), up for reauthorization next year, in his questioning of FBI Director Christopher Wray. Sen. Lee’s questions follow up on the revelation that the FBI used U.S. person information in FISA queries some 3.4 million times in a recent one-year period.
Sen. Lee said:
“As you know, Director Wray, Section 702 authorizes the collection of electronic communications. Not just the metadata but the content of the communications themselves, including communications of non-U.S. persons outside the United States. But, as you know, this inevitably leads to the incidental collection of communications that involve or include U.S. persons, including U.S. citizens.”
The Utah senator reminded Director Wray that the 2018 reauthorization of Section 702 required the FBI to obtain an order from the Foreign Intelligence Surveillance Court to authorize querying the database for communications involving U.S. persons and citizens in criminal investigations not involving national security. Why then, Sen. Lee asked, did a recently released transparency report estimate that the FBI did not obtain a single order under section 702 from the Foreign Intelligence Surveillance Court in 2021?
The FBI itself, after all, identified at least four instances in which the electronic communications of U.S. persons “were unlawfully searched without the required order from the Court.” Sen. Lee asked: “Can you tell me how you found those four instances and how you can be certain that there are not more than four instances in which someone did a backdoor search of U.S. persons’ communications?”
The FBI Director said he could not recall the “various oversight mechanisms we have.” He noted that the FBI set up a new office of internal audit focused on FISA compliance.
Sen. Mike Lee replied that he understood these authorities are needed to protect the American people.
“But when it comes to American citizens, they have a reasonable expectation of privacy. When you have that much ability to collect that much information, record that many conversations of unsuspecting, law-abiding American citizens, there really do have to be procedures in place to make sure that there is probable cause and a probable cause-based warrant in order to search those, because that really is just a backdoor search and a potential end run around the Fourth Amendment.”
Senator Lee expressed skepticism that the four known surveillances of Americans did not require a FISC order, and said he would hold Director Wray to his promise to provide more information.
If you are ever a witness before a Congressional committee, the trick to surviving a contentious hearing is to run out the clock with smooth talking. Each committee member only has five minutes to ask questions. An expert witness will often respond to a precise and penetrating question by taking up minutes with a Wikipedia-level recitation of a law or process, wrapped within pleasing-sounding banalities and blandishments.
Even within these time constraints and facing a polished witness, Rep. Zoe Lofgren (D-CA), a long-time watcher of the watchers, managed to challenge the Department of Justice on Section 702 of the Foreign Intelligence Surveillance Act (FISA) in the recent House Judiciary Committee hearing. Rep. Lofgren refused to be brushed off (29-minute mark) by the Department of Justice’s top national security official, Assistant Attorney General Matthew G. Olsen, concerning the FBI’s use of Section 702 information – collected to catch foreign terrorists and spies – against Americans.
Rep. Lofgren began by noting that FISA Court Judge James E. Boasberg had found that the FBI improperly searched Americans’ personal information collected without a warrant. Some of these were run-of-the-mill criminal investigations involving healthcare fraud, bribery, and other purported crimes unrelated to national security.
Rep. Lofgren added that from Dec. 2020 to Nov. 2021, the FBI searched the personal identifiers of known Americans in 702 data some 3.4 million times. This was triple the number from the previous year. As PPSA has reported, that amounts to more than 9,300 searches by the personal identifiers of Americans every day.
Rep. Lofgren noted that when Olsen went before the Senate Intelligence Committee for his confirmation, he pledged that “restoring and maintaining trust in the FISA process was a critical priority.” She asked him what he has done since to prevent warrantless, improper, backdoor searches of Americans’ data conducted under Section 702.
After taking time to give a topline description of the law, Olsen admitted that the “issues you cite are ones of concern” and promised to improve FBI compliance with training and by upgrading FBI computer systems. “We are looking forward to improving the compliance record of the Department of Justice and the FBI in regard to Section 702,” Olsen said, “and I can assure you it is a priority.”
Rep. Lofgren had a sharp reply.
“We have had reassurances over the years and yet the performance continues to be poor, and it has been poor under both Republican and Democratic Administrations,” she said. “We have considered imposing a warrant requirement for queries of known Americans … probably a necessity unless we can get some further, definitive control of the warrantless search of Americans in the 702 database.”
Rep. Lofgren added that using Section 702 to conduct warrantless searches on Americans is “improper and yet it continues.” Olsen replied that Section 702 permits the creation of a database of non-U.S. persons overseas, and that when the FBI searches, it does so to simply find “connections,” not to target Americans.
Rep. Lofgren’s retort was sharp: “That is contrary to the report that we got from ODNI and from the FISA Court.”
As Section 702 faces reauthorization next year, civil libertarians should continue to press Rep. Lofgren’s questions and urge Congress to consider an explicit warrant requirement when queries target Americans.
In response to a Freedom of Information Act request from PPSA about classification procedures, the State Department reported that based on a representative sampling, only a tiny number of documents were improperly or overly classified. This seemed to us a mind-boggling response given the mountains of documents stamped classified every day at Foggy Bottom. Now, PPSA has obtained data from across the government to show the State Department’s response was misleading.
At a 2015 open house presentation by the National Archives and Records Administration, a graphic produced by the Information Security Oversight Office showed that nearly 100 million items are classified each year by the federal government. An Obama-era law and executive order provide the means for people within the agencies to challenge a classification decision without fear of retribution.
So how is that working out?
Of these 100 million decisions, only a minuscule fraction is challenged — in one year, much less than 1% of 1%. The graph demonstrates the extent to which the government continues to hide much of its operations from the American people.
Being called out by the People’s Republic of China for illicit surveillance is a bit like being accused of swindling by Charles Ponzi.
Chinese state media seized on a recent report based on a two-year exhaustive study by the Center on Privacy and Technology at Georgetown Law that revealed the U.S. Immigration and Customs Enforcement (ICE) is the latest federal agency to buy vast quantities of Americans’ personal data from utilities and state motor vehicle departments.
As PPSA has previously reported, the Center on Privacy and Technology found that ICE has used facial recognition technology to search the driver’s license photographs of 1 in 3 adults in the United States. ICE has access to the driver’s license data of 3 in 4 American adults and tracks the movements of cars in cities that are home to nearly 3 in 4 adults. And when adults in our country connect to gas, electricity, phone or internet service, ICE will automatically pick up the new addresses of 3 out of 4 Americans.
“The U.S. is the No. 1 empire in hacking, eavesdropping and stealing secrets,” said Zhao Lijian, spokesman for China’s Ministry of Foreign Affairs, on Monday. “This is an irrefutable fact and a brilliant satire of the U.S. boasting about human rights, the rule of law and rules.”
That is rich. China has installed a pervasive national system that uses artificial intelligence to weave together cameras in public and private spaces, facial recognition, sound recorders with voice recognition, and Orwellian “social credit scores” to create what scholars call the Chinese Panopticon.
It is galling to be attacked for abuses by a regime that keeps its citizens under such pervasive surveillance. But the hypocrisy of China’s bee sting does not quite pull out the stinger.
In the United States, at least 16 U.S. federal agencies and 75 local and state agencies employ “stingray” devices that mimic cell towers to compromise the information in cellphones within wide areas. As many as 3,000 local and state agencies rely on facial recognition technology. Federal agencies routinely sidestep the Fourth Amendment requirement to obtain a probable cause warrant to scan our personal information by purchasing it from shadowy, private data brokers.
And when all else fails, U.S. intelligence agencies claim to be able to perform any surveillance they deem necessary for national security not under any law, but under a presidential directive, Executive Order 12333.
Much of this information is used by the government to catch illegal aliens, predatory criminals, terrorists, and spies (most of them, by the way, from China). None of it will be used to put ethnic minorities in concentration camps, imprison men and women of conscience for challenging the regime’s lack of democracy, or grade us on our willingness to scroll through the Dear Leader’s turgid thoughts.
But we should take stock – the state of surveillance in the United States is a lot more like China’s than we’d like to admit. Absent reasonable legal reforms and guidelines, we could well be on our way to a Chinese Panopticon-light.
New Jersey law enforcement has reportedly on at least one occasion accessed a bank of blood samples drawn from newborns to conduct DNA tracing to charge a father with a crime. The law that governs the program was designed to test infants for 60 health disorders within 48 hours of birth, not to serve law enforcement.
“Parents, when this happens, trust the state to protect this sensitive information and not make it easily available to law enforcement agencies or other agencies,” Jeanne LoCicero, legal director of the American Civil Liberties Union of New Jersey, told The New Jersey Monitor.
These dried blood tests can be kept for up to 23 years. In the one case that has been publicly revealed, the blood samples were nine years old. An Open Public Records Act request filed by the Office of the Public Defender and The New Jersey Monitor sought a list of subpoenas on the state-run lab. That request was denied in court and the state has declined to release information on the numbers of subpoenas served against the state’s Newborn Screening Laboratory.
It is easy to see why these blood samples represent a tempting target for law enforcement. The DNA trace in the nine-year-old case enabled a probable cause warrant for the DNA of the father, who was later charged with sexual assault.
This story illustrates the tension in American surveillance. It is a certainty that a large enough body of bulk information – whether DNA or digital – will reveal suspects of dastardly crimes. But it can only do so at the cost of everyone else’s privacy and Fourth Amendment rights. The future privacy of these babies is also being compromised. The state database will give the government knowledge of these babies’ congenital diseases and conditions, as well as a storehouse of their own profiles as they grow up.
Similar issues can be found in most every state. The Legal Aid Society recently filed a federal lawsuit against the New York Police Department for lifting drinks and cigarettes used by suspects to add their DNA profile to an immense and secret DNA database.
The unwillingness of the state to provide further information on its uses of newborn screening data is reason enough for legislators in Trenton to use their authority to bring the scale and scope of this program to light.
Vice Motherboard, through a Freedom of Information Act request, obtained a spreadsheet from the FBI that shows that the agency over a recent six-month period lost more than 200 desktop computers.
How does one lose a desktop?
The reasons listed in the spreadsheet for the FBI’s losses of computers and other items include “inadequate security,” “inattention to details,” “gross negligence” and “willful intent.”
Vice notes that “a law enforcement computer going missing can present a cybersecurity risk in that it may contain sensitive information such as documents or files, or it may include passwords or other authentication mechanisms for accessing law enforcement systems.”
The FBI responds that in the chaotic post-COVID-19 inventory management, it marked items sent to storage or for disposal as “lost.” Let us hope that is true for all the missing computers. Remember, the federal government has been buying up Americans’ personal digital information from private data brokers. A security breach for the FBI is a matter of national security and your personal security.
Tenth Circuit on Right-to-Record in Irizarry v. Yehia
The Fourth Amendment grants us protection against intrusive surveillance. Conversely, the First Amendment grants us the right to observe public actions by public authorities. The emergence of the cellphone demonstrates the integral nature of these two sets of rights. Courts are increasingly interpreting the First and Fourth Amendments regarding cellphones to the advantage of citizens over government, a victory for civil liberties in law if not always in practice.
The U.S. Supreme Court in Riley v. California (2014) held that the police violate the Fourth Amendment when they try to gain warrantless access to the voluminous personal information inside our cellphones. On the other hand, the First, Third, Fifth, Seventh, Ninth, and Eleventh Circuit Courts of Appeal have upheld the right to record police officers going about their public duty, a right recognized as critical to the protections of the First Amendment.
Last summer, PPSA reported on the continued holdout stance by the U.S. Tenth Circuit Court of Appeals against the right to film police officers. Despite the weight of six other Courts of Appeal, the Tenth Circuit continued to insist that there was no “clearly established” right. In a recent ruling, however, the Tenth Circuit came close to fully joining its judicial peers by dropping its Draconian opposition to the right to record in the case of a self-identified journalist and blogger. On July 11th, the court ruled in Irizarry v. Yehia in favor of a right to record.
The incident in question occurred early in the morning of May 26, 2019, when blogger Abade Irizarry began filming a DUI traffic stop in Colorado. According to the ruling of the court, “Officer Ahmed Yehia arrived on the scene and stood in front of Mr. Irizarry, obstructing his filming of the stop. When Mr. Irizarry and a fellow journalist objected, Officer Yehia shined a flashlight into Mr. Irizarry's camera and then drove his police cruiser at the two journalists.”
PPSA welcomes the court’s adjustment on the right to record police activity, fundamental to the First Amendment and to Americans’ ability to protect themselves in court against potential police misconduct. The Tenth Circuit specifically cited the rulings of other Courts of Appeal, indicating that the right to record may be gaining traction, especially amid the public backlash against police misconduct in the wake of the killing of George Floyd.
PPSA urges courts to interpret the First and Fourth Amendments in ways that reinforce these rights. They are not in competition. There is – and should be – a lopsidedness in the law. Citizens are free to film the police on official duty. But the police must obtain a warrant to search our cellphones.
In a free society that holds authority accountable, that is as it should be.
The U.S. Supreme Court held in Riley v. California in 2014 that cellphones are not like other objects. The texts, emails, instant messages, online searches, and apps inside a phone can reveal just about everything about us, what the Court called “the privacies of life.”
The Court ruled that the police need to obtain a probable cause warrant to investigate a suspect’s cellphone. But what are the rules if the cellphone is abandoned or thrown away? Courts are currently applying the law governing ordinary abandoned objects to cellphones.
This question arises from the case of a Virginia man, Antonio Daren Futrell, who realized that he had left his cellphone inside a restaurant. He tried to retrieve it, but it was past closing time, and the employees wouldn’t let him back in. There was an altercation and, long story short, Futrell was later convicted of firing a gun at a security guard before fleeing the scene. When the police found Futrell’s phone inside the restaurant – which was now considered abandoned after Futrell fled – they were able to access it because Futrell had not protected it with a passcode.
Now lawyers for Futrell have filed a petition asking the U.S. Supreme Court to clarify the question of whether a police officer who finds a discarded phone has free access to anything inside it.
“If you throw your phone away or discard it or trade it in, police can do whatever they want,” Brandon Boxler, one of Futrell’s attorneys, told The Daily Press of Newport News. “They can access your emails, your bank records, your phone calls, text messages, photos – everything is fair game that’s on the phone.”
Futrell’s petition challenges Hester v. United States, a 1924 case in which the Supreme Court allowed the warrantless search of a moonshine bottle a suspect threw away. The Court later applied that doctrine to objects as disparate as a pencil and drug paraphernalia thrown in the trash.
“Cellphones are different,” Boxler wrote in the Daily Press in 2021. “They have massive storage capabilities. A search of a cellphone involves a much deeper invasion of privacy. The depth and breadth of personal and private information they contain was unimaginable in 1924.
“We use cellphones as cameras, personal assistants, navigation devices, web browsers, and everything in between,” Boxler wrote. “And with advances in cloud computing, cellphones can access years – if not decades – of bank records, medical records, emails, location data, and other sensitive information. Can anyone really ‘abandon’ this information, even if they discard a cellphone?”
While the chances the Supreme Court will take up this petition are remote, Futrell’s attorneys were heartened last Thursday when the Court asked the Virginia Attorney General’s office to respond to the petition.
Last week, the media was astir that videos from Amazon’s Ring doorbell cameras were shared with police without their owners’ permission. The company insists that it did so in eleven extreme cases this year in response to situations in which life and limb were endangered.
This may fly in the face of company policy stating that police can’t view recordings unless the footage is posted publicly or intentionally shared. But the low number of such incidents, revealed in a letter by an Amazon VP of public policy to Sen. Edward Markey (D-MA), suggests the company is being upfront. To be fair, the media would be ablaze if Amazon had stood by and allowed someone to be beaten to death.
The biggest issue with Amazon Ring is not that it ignores the need to seek the permission of its customers to share videos with police. The bigger problem is that this network of more than three million online cameras across the United States encourages its customers to voluntarily provide for the surveillance of entire neighborhoods. One message from the company to its customers reads: “If you would like to take direct action to make your neighborhood safer, this is a great opportunity.”
The company has agreements with 2,161 law enforcement agencies to access an app called Neighbors, a social media platform in which owners can post Ring camera footage and leave comments. The transformation of home security into a venue for social media encourages users to post videos online – all of it available to law enforcement “partners.”
Even more worrying, Amazon’s agreements with law enforcement allow officers to solicit Ring doorbell footage from customers for entire neighborhoods. Such video and audio surveillance may be fine for the customer, but what about passersby? And while the number of incidents in which footage was shared without permission currently remains low, what about the capacity for future abuse by Amazon and law enforcement?
It is concerning that all it would take for Ring cameras to become a form of constant mass surveillance would be a change of one company’s policy.