A new report by the United Nations Human Rights Council highlights how much of a global issue spyware has become. The Office of the High Commissioner for Human Rights calls for greater attention to threats to data privacy, to the development of state-sponsored spyware capabilities, and especially to the dangerous software Pegasus, which can remotely infiltrate smartphones and turn them into spying devices. PPSA has reported in the past on the emerging threat Pegasus poses to nations and individuals around the world. It is heartening to see the UN take this data privacy crisis seriously as a human rights issue.
The UN report focuses on three core trends relating to the role of member states in safeguarding and promoting the right to privacy:
The report draws special attention to Pegasus.
“The extent of Pegasus spyware operations and the number of victims are staggering… Reporting in 2021 revealed that at least 189 journalists, 85 human rights defenders, over 600 politicians and government officials, including cabinet ministers, and diplomats were affected as targets.”
The report notes that at least 65 governments have acquired commercial spyware surveillance tools. NSO Group, the Israeli company that developed Pegasus, reported that 60 government agencies in 45 countries are among its customers.
The UN report states: “While purportedly being deployed for combating terrorism and crime, such spyware tools have often been used for illegitimate reasons, including to clamp down on critical or dissenting views and on those who express them, including journalists, opposition political figures and human rights defenders…”
The report also condemned efforts by governments to undermine the security and confidentiality of encrypted communications – a key goal not just of repressive regimes, PPSA would add, but of some in the Department of Justice and FBI.
Governments continue to take steps to undermine that privacy, either by legislative fiat or by sophisticated hacking techniques. In some countries, encryption providers have been required to ensure that law enforcement or other government agencies have access to all communications upon request, effectively obliterating any privacy that encryption may have provided.
This is a brave report. PPSA is pleased to see the UN Human Rights Council recognize privacy as a human right, contrary to the practice of repressive governments, including China and Russia, which have seats on the UN Security Council. Unfortunately, the UN’s warnings on pervasive surveillance also need to be taken seriously by democratic governments, including some in positions of authority in the United States.
If you thought being subjected to “random” TSA screenings at airports was dehumanizing, just imagine your most sensitive, personal digital information being secretly reviewed by any one of thousands of government agents operating without a warrant or public oversight.
Customs and Border Protection Commissioner Christopher Magnus revealed to Sen. Ron Wyden (D-OR) that the agency is scooping data from thousands of seized electronic devices every year. (Hat tip to Drew Harwell of The Washington Post for detailing this abuse of privacy.) That data is then added to a CBP database accessible by more than 2,700 CBP agents. That data – which can include call logs, messages, contact lists, and photos – can be kept for up to 15 years.
This story is just the latest development in a long-running series of data privacy breaches by federal law enforcement officials. Sen. Wyden criticized the agency for “allowing indiscriminate rifling through Americans’ private records.”
CBP conducted more than 37,000 searches of travelers’ devices in the 12 months ending in October 2021. According to The Washington Post, the default configuration for some data searches has been to download and retain all contact lists, call logs and messages. This means potentially millions of calls, contacts, and text messages from thousands of phones could be compromised.
It has long been known that CBP makes generous use of the “border search” exception in Fourth Amendment law. Sen. Wyden’s revelation about the scale and the scope of this loophole reveals an egregious new threat to the security of Americans’ data privacy. Congress must act now to bolster protections for data privacy.
It is high time for the Supreme Court to review and modify the judicially created border search exception in light of the massive amounts of information being seized from law-abiding citizens and then stored for long periods of time. If the Court does not protect the Fourth Amendment, then Congress should step up.
Last year, Sens. Wyden and Rand Paul (R-KY) introduced legislation that would require border officials to get a warrant before searching a traveler’s device. Congress should also pass the Fourth Amendment Is Not for Sale Act to ensure this database doesn’t fall into the hands of data brokers.
Last week, PPSA reported on Fog Reveal, a product from Fog Data Science that sells billions of data points extracted from apps on 250 million mobile devices to local police departments. An unlimited-use, one-year subscription costs a department only $7,500.
For this price, Fog Reveal offers a powerful capability, the ability to track hundreds of millions of Americans in their daily movements. It allows police to locate every device in a given geo-fenced area. It also allows police to trace the location history of a single device (and therefore, its user) over months or years.
Fog Data Science claims that it is respectful of privacy because it does not reveal the names or addresses of individual users. But a slide show from Fog Data Science prepared for police highlights how this technology can easily be used to track a suspect to his or her “bed-down” over a 180-day period. (Hat tip to the Electronic Frontier Foundation, which helpfully added yellow highlights to significant passages of Fog documents.)
It is more than a stretch then to call this data “anonymized” when it follows people to their homes, as well as to their houses of worship, meetings with friends or lovers, trips to health or mental health clinics, journalists meeting with whistleblowers, or other locales that reveal sensitive and personal information.
For those in law enforcement who go through the motions of filing a warrant, Fog Data Science offers a template warrant. Such warrants are misbegotten. They can be employed to follow a number of people in the vicinity of a crime or track everyone who attended a political protest. The Fourth Amendment requires “probable cause” in which a warrant describes “the place to be searched, and the persons or things to be seized.” It makes a mockery of the Constitution’s requirement for particularity when the police have at their fingertips a whole ocean of data involving many people. How can such a requirement be fulfilled when Fog technology allows police to go on a fishing expedition in that ocean, with any American potentially being a catch?
It is through technologies such as Fog Reveal that our country, device by device, is moving steadily toward becoming a full-fledged surveillance state.
Such details should spur Congress to investigate the uses of this technology. It should also inspire Congress to pass the Fourth Amendment Is Not for Sale Act, which would block the auctioning of our private, personal information to all government agencies.
An elegant essay by Adrian Wooldridge in Bloomberg makes a connection between the Chinese surveillance state – “using the awesome power of data harvesting and artificial intelligence to compile more information on its citizens than any society has ever managed before” – and Western “surveillance capitalists” who are making our country a little more like China day by day.
PPSA has long warned that all the elements are falling into place to create an American surveillance state.
Here are just a few of the ways in which this is happening: The federal government and local police departments use “stingray” technology to trick Americans’ phones into betraying their location and other personal information. Authorities can purchase your location history with Fog Reveal technology and capture all your comings and goings. Or they can just buy your personal information from a private data broker, as many federal agencies do.
The growing web of the “internet of things” will only produce more reportable data about you, from the cars we drive, to our refrigerators and other appliances in our home. A surveillance loophole was even recently found in a Chinese-made coffee maker.
Wooldridge reports that the Chinese Communist Party is at the cutting edge, “developing a new sort of ‘digital phrenology’ by monitoring people’s facial expression for signs of anger and new forms of racial profiling by creating a world-leading DNA database.” Governments, including our own, exert “relentless pressure for the misuse of information even as the quality and quantity of available information grows exponentially.”
The techno-optimists of the 1990s waxed rhapsodic about how the internet was going to liberate the human mind. Wooldridge comes to an opposite conclusion with these chilling words: “The arc of the digital revolution bends toward tyranny.”
Agencies Avoid Answering Questions About the Purchase of Private Information of Members of Congress
Since the mid-1960s, the Freedom of Information Act (FOIA) has allowed American citizens and civil liberties organizations to obtain unclassified documents from federal agencies, shedding light on official actions and policies. In recent years, however, the government has devised many creative ways to stall, obfuscate, and outright withhold answers to FOIA requests, while seeming to be as responsive as possible. Cato Institute scholar Patrick Eddington calls these tactics “constructive denial.”
For over two years, Cato filed FOIA requests to obtain FBI records on militia groups of the left and the right, including the white supremacist Patriot Front. “Groups like the Patriot Front,” Eddington writes in The Hill, “are, in the view of most Americans, a moral and political blight that the country would be far better off without. At the same time, the protection of offensive ideas and speech are at the heart of the purpose of the First Amendment.” Thus, Cato sought records to better understand the threat posed by these groups and the nature of the government’s response.
In defiance of FOIA’s requirement that the FBI send the requested documents to the requester himself, the FBI replied to Cato that it would eventually file the documents on an FBI website. “You will be notified when releases are available.”
In other words, buzz off.
Constructive denial can be seen in another form after PPSA filed suit against the National Security Agency, the CIA, the Department of Justice and FBI, and the Office of the Director of National Intelligence in June to compel the release of records pertaining to the possible purchase of the personal information of more than 100 current and former Members of the House and Senate Judiciary Committees from private data brokers.
This is understandably a sensitive question, given that current and former judiciary committee lawmakers include Chairman Jerrold Nadler, Ranking Member Jim Jordan, Chairman Dick Durbin, Ranking Member Chuck Grassley, as well as Vice President Kamala Harris and Florida Gov. Ron DeSantis. Still, it would be a matter of public interest – not to mention to these legislators themselves – if the government were buying up their personal information. Such an act could yield leverage for executive branch agencies to bully leading Members of Congress, subtly undermining democracy.
The agencies’ response to PPSA’s FOIA request over summer 2021 was to issue Glomar responses, which, under a judicially invented doctrine, neither confirm nor deny that such records exist.
Now that PPSA has sued to enforce its request, these agencies have come back with an answer that doubles down on a government theory that it would be too dangerous to national security for these agencies to even search for such documents. At the same time, government responses strike a tone of wanting to be as cooperative as possible.
One choice example: PPSA asserted a “right of prompt access to requested records under the law.” The National Security Agency responded: “To the extent that a response is required, Defendant NSA denies the allegation, including the fact that NSA has wrongfully withheld records.” This is a construction worthy of Joseph Heller’s Catch-22.
Gene Schaerr, PPSA general counsel, responds: “The government’s answers disingenuously conflate an internal search for documents with an external response to a question. The government feels free to treat FOIA as polite supplication instead of a law that must be obeyed. PPSA will continue to press on for a serious answer in federal court.”
In the meantime, expect the government to come up with many new forms of constructive denial.
Local law enforcement agencies have been caught using a cheap new cell phone tracking tool called Fog Reveal. (A hat tip to The Associated Press for compiling this story.) The tool gives police agencies “the power to follow people’s movements months back in time,” according to The Associated Press.
Fog Reveal has been used since at least 2018 in criminal investigations, can search billions of records from 250 million mobile devices, and is possibly a potent workaround of the Fourth Amendment. It is no wonder that police rarely mention Fog Reveal “in court records, something that defense attorneys say makes it harder for them to properly defend their clients in cases in which the technology was used.”
Fog Reveal “relies on advertising identification numbers, which Fog officials say are culled from popular cell phone apps such as Waze, Starbucks, and hundreds of others” according to police emails obtained by The Associated Press. That information is then sold to companies including Fog, further demonstrating the role of data brokers in undermining the digital privacy of Americans.
“The capability that it had for bringing up just anybody in an area whether they were in public or at home seemed to me to be a very clear violation of the Fourth Amendment,” said Davin Hall, a former crime data analysis supervisor for the Greensboro, North Carolina, Police Department.
Congress must investigate the use of Fog Reveal by law enforcement agencies and bolster legal protections against such Fourth Amendment violations. Congress could begin by passing The Fourth Amendment Is Not for Sale Act, which would block data brokers from selling our personal information to law enforcement and intelligence agencies without authorization by a court. Congress must work to ensure the privacy of all Americans is safe and secure.
Earlier this month, former Vice-President Mike Pence called out criticism of the FBI lodged by members of his own party. In his speech, Pence stated “I … want to remind my fellow Republicans we can hold the attorney general accountable for the decision that he made without attacking the rank-and-file law enforcement personnel at the FBI.” While the intent of Pence’s statement is certainly laudable, it comes at a time when the public is increasingly distrustful of the agency’s activities.
Pence’s comments have been received so poorly because they dismiss the credible concerns emanating from all sectors of the American public. The distrust towards the agency turned into full-blown outrage when the FBI raided former President Trump’s Mar-a-Lago estate earlier this month on August 8th. It has been weeks since the raid, and there has been little official explanation provided. What information we do have has been pieced together from an unsealed warrant and source leaks. According to the warrant, the search was related to potential violations of three laws including the Espionage Act. Attorney General Merrick Garland said during remarks on August 11 that he would not explain why he personally signed off on seeking a search warrant. Even though documents were recovered, distrust of the agency has become so severe that swaths of the American public may choose to believe that the evidence seized was forged and planted.
Also worried is Michael Horowitz, Inspector General of the U.S. Department of Justice. Across multiple reports, Horowitz details the abuses, noncompliance, and mishandling that are ongoing within the FBI. To take a few examples: in September of 2021, the office of the Inspector General released a report stating that there “was widespread non-compliance with the Woods Procedures,” a set of procedures to ensure factual accuracy in FISA applications. In August of 2019, the office of the Inspector General released a report detailing the multiple rules violations by former FBI Director James Comey, indicating a culture of secrecy and noncompliance at the highest level in the chain of command. There are multiple reports detailing commercial sex, accepting illegal gifts from the media, the violation of ethics rules, and a “lack of candor.”
When American citizens display “a lack of candor,” they can be fired from their jobs. When senior officials at the FBI do it, prosecution is declined and the offending party is “reassigned to a nonsupervisory role.”
In 2019, the Foreign Intelligence Surveillance Court criticized the FBI for misleading it in applications to wiretap former Trump campaign aide Carter Page. Inspector General Horowitz found that the FBI had omitted facts and provided false statements to the FISA court when the FBI filed for a warrant to conduct surveillance on Page. FISA court presiding Judge Rosemary Collyer stated in her opinion that “The FBI’s handling of the Carter Page applications, as portrayed in the OIG report, was antithetical to the heightened duty of candor described above…”
So, not only is the public concerned, but so is the office of the Inspector General and the FISA courts, two organizations which either oversee or directly liaise with the FBI.
Just this week, the escapades of the FBI were on full display during a trial to convict two men involved in the 2020 plan to kidnap Michigan Governor Gretchen Whitmer. The already high-profile nature of the case was catapulted into the stratosphere when the FBI revealed there were at least five informants or undercover agents embedded among the suspected planners. Defense attorneys have argued there were at least twelve. The involvement of FBI agents and informants was so significant that a trial for a separate set of suspected planners failed to get a single conviction. One informant became second-in-command of a militia. Another undercover agent offered to provide explosives to the group. It calls into question whether the FBI was engaged in entrapment.
FBI agents assigned to the case became subjects of scrutiny themselves. As the New York Times reports, “one F.B.I. agent on the case was fired last year after being charged with domestic violence, and another agent, who supervised a key informant, tried to build a private security consulting firm based in part on some of his work for the F.B.I.…” That FBI agents so close to an ongoing plan to kidnap a governor were themselves so compromised is very chilling.
It seems obvious from the last several years that the FBI is in need of both oversight and reform. The FBI is an agency with significant investigatory and enforcement powers, and Congress can and should do more to monitor its activities.
If you think HIPAA medical privacy laws mean your medical data is secure, think again. Digital health companies have been caught funneling sensitive data that patients have shared with them to Facebook/Meta to help target advertisements.
A recent study by the data privacy research group Light Collective surveyed the actions of five health companies and found that third-party ad trackers used by those companies followed patients online and marketed to them based on their activities. Three of the companies went against their own privacy policies in the process, raising concerns about HIPAA violations.
Four of the five digital health companies did not respond to requests by Forbes for comment. The authors of the study said that after they disclosed their findings to the five companies, only two responded: Ciitizen and Invitae. Both said they were investigating the matter.
Andrea Downing, cofounder of the Light Collective, said that poor health data privacy is “one of the biggest threats to online patient communities.” The study is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup showed that hospital websites are currently using data trackers to gather and share sensitive patient information with Facebook for marketing. Facebook’s parent company, Meta, has said that sharing such information is a violation of the company’s rules.
This is a concerning development for digital health privacy. Digital health companies are allegedly violating their own privacy rules and possibly the law. It also demonstrates the failure of the government to ensure critical patient health data is safe and secure.
A lot has been written about a provision of the upcoming Inflation Reduction Act, which will provide an additional $80 billion in funding to the Internal Revenue Service. Most of this funding will go to bolstering enforcement work, meaning more audits.
While this is bad news for millions of taxpayers, and good news for the makers of Tums Antacid Products for Fast Heartburn Relief, the creation of a new army of auditors is bound to significantly warp the already warped privacy landscape in America.
Big numbers for new IRS hires have been estimated. A Treasury Department report from May 2021 estimated that the agency would be able to hire roughly 87,000 employees by 2031 with the additional funding, more than doubling the agency’s staff dedicated to enforcing tax laws. But even media defenses of the plan, which have tried to downplay the number, still estimate between twenty and thirty thousand new employees.
At either number, the IRS expansion will undoubtedly expand the capability of the agency to investigate American citizens. Jonah Goldberg put it best recently when he wrote:
“Unlike normal law enforcement, the IRS doesn’t require probable cause to investigate you. It can choose people at random or investigate people based on a theory or a hunch—often sanitized by saying it was the algorithm that made the call. Even if you did nothing wrong, the process itself is punishing and often expensive. One of the bedrocks of our constitutional order, most obviously enshrined in the Fourth Amendment, is the idea that citizens should not be subjected to unreasonable searches without probable cause. Stop and frisk was canceled because it was seen as an outrageous and demeaning affront to civil liberties. I’m conflicted on that. But I certainly get the objections, and I would never say, ‘If you did nothing wrong, you have no reason to complain about being frisked.’ Well, an audit is a forensic frisking of virtually everything you did for a year. What did you spend money on? Where did you spend it? How did you get the money? Show us your receipts. Prove you’re not guilty.”
Also concerning are the new methods and technologies the IRS could deploy against the whole country. In February, we reported on the bipartisan resistance to the IRS’s plan to implement facial recognition technology. Under this plan, the IRS would require taxpayers to submit to digital facial recognition scans to obtain tax transcripts and other records. The plan was halted amid significant pushback noting the privacy and technological flaws of facial recognition, but not before 7 million Americans surrendered their biometric data to the IRS and a third-party verification company, ID.me.
In May, we reported on the Transparency and Accountability in Service Providers Act, a draft bill circulating that would have deputized millions of “financial gatekeepers” into spying on their clients for the federal government. Virtually the entire financial services industry would be required to report any “suspicious” activity to the government. If the Act were to pass, and the 7.6 million employees of the financial services sector were “deputized,” there would be one informer for every 43 Americans.
Where there is a will, there is a way. The IRS is already trying to spy on you. With this new funding, the IRS now has a way.
Courts throw out cases in which the government violated the Fourth Amendment to obtain evidence. Prosecutors, dreading such a rebuke, have sometimes resorted to “parallel construction” – using illicitly gained knowledge to turn up evidence from a source acceptable in court.
Suppose, for example, that an illegal wiretap by federal investigators reveals that a target will deliver drugs to a certain street corner. They could then alert local police to decide that specific corner is a good place for a spot-check with drug-sniffing dogs.
In this way, evidence obtained by illicit surveillance can be laundered. This seems to be especially prone to happen when law enforcement relies on “stingrays” – the common name for cell-site simulators, equipment that mimics a cellphone tower to ping the location of a cellphone.
The FBI, in 2014, after providing the Oklahoma City police with stingray technology, sent that department a memo telling the police that the stingray is for “lead purposes” only and “may not be used as primary evidence in any affidavits, hearings or trials.” Instead, the FBI required the police to use “additional and independent investigative means and methods, such as historical cellular analysis, that would be admissible at trial” to corroborate information obtained using the stingray. The Cato Institute’s Adam Bates analyzed such agreements and concluded that “law enforcement uses some surreptitious and, perhaps, constitutionally dubious tactics to generate a piece of evidence. In order to obscure the source of that evidence, police will use the new information as a lead to gather information from which they construct a case that appears to have been cracked using routine police work.”
Perhaps because of reporting like Cato’s analysis, formal FBI agreements to sell stingrays to local law enforcement – at least those released to the public – appear to be missing this language.
But what about informal agreements?
Two FBI responses to PPSA’s Freedom of Information Act requests show that the bureau used similar language in 2015 and 2020 deals to allow police to use stingrays. To be fair, these may be one-off situations. Both cases seem to have been loaner deals, in which stingrays were deployed in “exigent” or emergency circumstances.
For example, one 2015 email chain shows that an agency agreed to the FBI’s request that “it is required to use additional and independent investigative means and methods, such as [redacted] that would be admissible at trial to corroborate information concerning the location of the target obtained through the use of this equipment.”
Comparing this redacted language to the unredacted provisions imposed on the Oklahoma City police, it appears that the FBI continues to push local law enforcement to hide their stingray use from the courts. On the other hand, this language is missing from other NDA forms PPSA has obtained. Has the FBI abandoned this practice? Or is it continuing “off the books” in some fashion to encourage local law enforcement to launder evidence?