Credit to the Department of Justice for a voluminous response to our Freedom of Information Act (FOIA) request. Our request concerned the use of stingrays, or cell-site simulators, by that department and its agencies. Out of more than 1,000 pages in DOJ’s response, we’ve found a few gems. Perhaps you can find your own.
Review our digest of this document here, and the source document here.
The original FOIA request concerned DOJ policies on cell-site simulators, commonly known by the commercial brand name “stingrays.” These devices mimic cell towers to extract location and other highly personal information from your smartphone.
The DOJ FOIA response shows that the FBI in 2021 invested $16.1 million in these cell-site simulators (p. 209) in part to ensure they “are capable of operating against evolving wireless communications.” The bureau also asked for $13 million for “communications intercept resources.” This includes support for the Sensitive Investigations Unit’s work in El Salvador (p. 111).
On the policy side, we’ve reported that some federal agencies, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives, maintain that stingrays are not GPS location identifiers for people with cellphones. This is technically true. Stingrays do not download location data or function as GPS locators. But this is too clever by half. Included in this release is an Obama-era statement by former Department of Justice official Sally Yates that undermines this federal claim by stating: “Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are known …” (p. 17)
This release gives an idea of how versatile stingrays have become. The U.S. Marshals Service (p. 977) reveals that it operates cell-site simulators and passive wireless collection sensors to specifically locate devices inside multi-dwelling buildings.
Other details sprinkled throughout this release concern other, more exotic forms of domestic surveillance.
For example, the U.S. Marshals Service Service has access to seven aircraft located around the country armed with “a unique combination of USMS ELSUR suite, high resolution video surveillance capability … proven to be the most successful law enforcement package” (p.881-883).
A surveillance software, “Dark HunTor,” exposes user data from Tor, the browser meant to make searches anonymous, as well as from dark web searches for information. (p. 105) In addition, the U.S. Marshals Service Service “has created the Open-Source Intelligence Unit (OSINT) to proactively review and research social media content. OSINT identifies threats and situations of concern that may be currently undetected through traditional investigative methods. Analyzing public discourse on social media, its spread (‘likes,’ comments, and shares), and the target audience, the USMS can effectively manage its resources appropriate to the identified threats.” (p. 931)
The DOJ release also includes details on biometric devices, from facial recognition software to other biometric identifiers, (p.353), as well as more than $10 million for “DNA Capability Expansion” (p.365).
Is that all? Feel free to look for yourself.
Another “Zero-Click” Spyware Discovered
Targeted Journalists, Political Opponents, NGO Around the World
Now another Israeli company joins the NSO Group for its flagrant disregard for human rights, democracy, and digital privacy in the name of profit.
QuaDream has been identified by The Citizen Lab at the Monk School of Global Affairs and Public Policy as the developer of a new spyware, Reign. Like the more notorious Pegasus, Reign infiltrates phones without requiring the target to click on a malicious link or to even take any action at all.
Citizen Lab found that Reign can:
And when the job is complete, Reign self-destructs, removing most of the evidence that it was at ever at work in the victim’s phone.
For decades, iPhone users enjoyed superior security. Reign took a big bite out of Apple’s vaunted security features. It infected some victims’ phones by sending them an iCloud invitation, following up on previous invitations, which makes the fake resend invisible to the user. Meanwhile, Google has issued some software patches to address vulnerabilities with its Android smartphone.
Microsoft, which partnered with Citizen Lab, reported that the technology has been used to surveil journalists, political opposition figures, and an NGO in countries ranging from the Middle East to Central Europe and Latin America.
We have seen time and again that commercially developed spyware finds its most lucrative market in sales to repressive governments and the world’s most dangerous criminal enterprises. While the Israeli government seems alert now to the threat posed by the commercial spyware sector, other actors around the world are surely poised to pick up the slack. The arms race between Apple, Google, and Samsung against spyware developers will continue apace. In the meantime, as former Vice President Nelson Rockefeller said: “If you don’t want it known, don’t say it over the phone.”
Or anywhere within twenty feet of your smartphone.
The New York Times broke the story that a front company in New Jersey signed a secret contract with the U.S. government in November 2021 to help it gain access to the powerful surveillance tools of Israel’s NSO Group.
PPSA previously reported that the FBI had acquired NSO’s signature technology, Pegasus, which can infiltrate a smartphone, strip all its data, and transform it into a 24/7 surveillance device. Mark Mazzetti and Ronen Bergman of The Times now report that the FBI in recent years had performed tests on defenses against Pegasus and “to test Pegasus for possible deployment in the bureau’s own operations inside the United States.” An FBI spokesperson told these journalists the FBI’s version of the software is now inactive.
The secret contract also grants the U.S. government access to NSO’s powerful geolocation tool called Landmark. Mazzetti and Ronen report that such NSO technology has been used thousands of time against targets in Mexico – and that Mexico is named as a venue for the use of NSO technology. Two sources told the journalists that the “contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened.”
This story is catching the Biden Administration flat-footed, which had declared this technology a national security threat while placing NSO on a Commerce Department blacklist. In light of these new revelations, Members of Congress should ask the Directors of National Intelligence, the CIA, FBI, and DEA:
This breaking story will likely force the Biden White House to promulgate new rules limiting the use of NSO technology by federal law enforcement and intelligence agencies. As it does, Congress should be involved every step of the way.
This technology is frightening because NSO tools can be installed remotely on smartphones with the most updated security software, and without the user succumbing to phishing or any other obvious form of attack. The need for a detailed policy limiting the use of these tools is urgent. NSO technology is to ordinary surveillance what nuclear weapons are to conventional weapons. Because nuclear weapons are hard to make, Washington, D.C. had time to plan and enact a global non-proliferation regime that delayed their proliferation. In the case of Pegasus and Landmark, however, this technology easily proliferated in the wild before Washington was even fully aware of its existence.
Pegasus has been used by drug cartels to track down and murder journalists. It has been used by an African government to listen in on conversations between the daughter of a kidnapped man and the U.S. State Department. It was famously used to plan the murder of Adnan Khashoggi. Does anyone doubt that Russian and Chinese intelligence have secured their own copies? Now Washington is both racing to catch up with foreign adversaries and limit the use of this technology at the same time.
NSO, through its amoral proliferation of dangerous technology, has made the world a riskier place. As federal agencies seek to get their hands on this technology, Congress should paint a bright red line – DO NOT USE DOMESTICALLY, EVER.
Our government can operate in grey areas of the law because agencies have become adept at exploiting every loophole, exception, or tiny bit of leeway in a statute. PPSA announces today the submission of two Freedom of Information Act requests to the Department of Justice to shed light on practices in two such areas of concern – surveillance of cellphone data by devices that imitate cell towers, and the role of privacy experts in a secret court.
The first FOIA request concerns cell-site simulators that law enforcement agencies use to mimic cell towers, allowing them to snatch location data and other information from the cellphones of people at a given location. These devices, commonly known as “stingrays,” are used to track people by pinging their phones. This digital intrusion is at odds with the spirit of the Supreme Court opinion in Carpenter v. United States, where the Court in 2018 rejected unlimited government access to cellphone location data.
But the high Court did not specifically ban cell-site simulators. So, with this tiny distinction, stingrays are still commonly used by 14 federal agencies and police in cities around the country. In 2015, the Department of Justice did produce a memo requiring a warrant for some uses of this technology. That memo, however, allows federal agencies free use of this technology in “exigent” circumstances.
How dire does a circumstance have to be to be “exigent”? Virtually everyone agrees that if a child is thrown into a stranger’s car, or a terrorist is known to be planting a bomb, law enforcement should be able to get their hands on stingray data in an instant. But given the slipperiness with which the government defines legal terms, what are the actual circumstances in which stingrays have been used?
In this way, PPSA is seeking to discover if federal agencies are playing fair with the “exigent” exception.
PPSA’s second FOIA request concerns the use – or rather, the non-use – of amicus advisors by the FISC. A little history is in order. When Judge James E. Boasberg of the secret court heard requests from the FBI for permission to surveil presidential campaign aide Carter Page, the judge could have sought advice from a privacy lawyer with high-security clearance. Such an amicus could have helped guide the judge through the competing issues in a case fraught with civil liberty concerns, not the least of which were the First Amendment rights of 137.5 million voters.
Judge Boasberg demurred. It appears he did not seek an amicus and missed spotting a circus of misdirection and shocking omissions in the FBI’s requests, including submission by an FBI lawyer of a forged document.
It is with this in mind that we supported the Leahy-Lee measure in the previous Congress that would bring checks and balances into FISC proceedings. This legislation would bring to the one-sided nature of FISC hearings a privacy-oriented advocate to independently verify the FISA application’s material assertions whenever a case touches on the civil rights of sensitive cases involving political campaigns, federal officials, the practice of journalism, religious minorities, or other sensitive areas.
Since this is not the law, PPSA filed this FOIA request.
We would prefer not to have to pull out a legal microscope. But given the disingenuous way our government finds exceptions for lawless acts, we feel they have given us no choice.
PPSA will report on any responses.
In “A Scanner Darkly,” a 2006 film based on a Philip K. Dick novel, Keanu Reeves plays a government undercover agent who must wear a “scramble suit” – a cloak that constantly alters his appearance and voice to avoid having his cover blown by ubiquitous facial recognition surveillance.
At the time, the phrase “ubiquitous facial recognition surveillance” was still science fiction.
Such surveillance now exists throughout much of the world, from Moscow, to London, to Beijing. Scramble suits do not yet exist, and sunglasses and masks won’t defeat facial recognition software (although “universal perturbation” masks sold on the internet purport to defeat facial tracking).
Now that companies like Clearview AI have reduced human faces to the equivalent of personal ID cards, the proliferation of cameras linked to robust facial recognition software has become a privacy nightmare. A year ago, PPSA reported on a technology industry presentation that showed how stationary cameras could follow a man, track his movements, locate people he knows, and compare all that to other data to map his social networks. Facial recognition doesn’t just show where you went and what you did: it can be a form of “social network analysis,” mapping networks of people associated by friendship, work, romance, politics, and ideology.
Nowhere is this capability more robust than in the People’s Republic of China, where the surveillance state has reached a level of sophistication worthy of the overused sobriquet “Orwellian.” A comprehensive net of data from a person’s devices, posts, searches, movements, and contacts tells the government of China all it needs to know about any one of 1.3 billion individuals.
That is why so many civil libertarians are alarmed by the responses to an ACLU Freedom of Information (FOIA) lawsuit. The Washington Post reports that government documents released in response to that FOIA lawsuit show that “FBI and Defense Department officials worked with academic researchers to refine artificial-intelligence techniques that could help in the identification or tracking of Americans without their awareness or consent.”
The Intelligence Advanced Research Projects agency, a research arm of the intelligence community, aimed in 2019 to increase the power of facial recognition, “scaling to support millions of subjects.” Included in this is the ability to identify faces from oblique angles, even from a half-mile away.
The Washington Post reports that dozens of volunteers were monitored within simulated real-world scenarios – a subway station, a hospital, a school, and an outdoor market. The faces and identities of the volunteers were captured in thousands of surveillance videos and images, some of them captured by drone. The result is an improved facial recognition search tool called Horus, which has since been offered to at least six federal agencies. An audit by the Government Accountability Office found in 2021 that 20 federal agencies, including the U.S. Post Office and the Fish and Wildlife Service, use some form of facial recognition technology.
In short, our government is aggressively researching facial recognition tools that are already used by the Russian and Chinese governments to conduct the mass surveillance of their peoples.
Nathan Wessler, deputy director of the ACLU, said that the regular use of this form of mass surveillance in ordinary scenarios would be a “nightmare scenario” that “could give the government the ability to pervasively track as many people as they want for as long as they want.”
As we’ve said before, one does not have to infer a malevolent intention by the government to worry about its actions. Many agency officials are desperate to catch bad guys and keep us safe. But they are nevertheless assembling, piece-by-piece, the elements of a comprehensive surveillance state.
What’s Behind ATF’s Redactions?
PPSA recently reported that the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), in a response to our Freedom of Information Act (FOIA) request, downplayed its use of stingrays, as cell-site simulators are commonly called. Yet one agency document revealed that stingrays are “used on almost a daily basis in the field.”
This was a critical insight into real-world practice. These cell-site simulators impersonate cell towers to track mobile device users. Stingray technology allows government agencies to collect huge volumes of personal information from many cellphones within a geofenced area.
We now have more to report with newly-released documents that, as before, include material for internal training of ATF agents. One of the most interesting findings is not what we can see, but what we can’t see – the parts of documents ATF takes pains to hide. The black ink covers a slide about the parts of the U.S. radio spectrum. Since this is a response to a FOIA request about stingrays, it is likely that the spectrum discussed concerns the frequencies telecom providers use for their cell towers. What appears to be a quotidian training course for agents on electronic communications has the title of the course redacted.
If that is so, was there something revealing about the course title that we are not allowed to see? Could it be “Stingrays for Dummies?”
The redactions also completely cover eleven pages about pre-mission planning. Do these pages reveal how ATF manages its legal obligations before using stingrays?
This course presentation ends somewhat tastelessly, a slide with a picture of a compromised cell-tower disguised as a palm tree.
In the release of another tranche of ATF documents, forty-five pages are blacked out. It appears from the preceding email chain that these pages included subpoenas for a warrant executed with the New York Police Department. The document assigns any one of a pool of agents to “swear out” a premade affidavit to support the subpoena.
The ATF reveals it uses stingrays on aircraft, which requires a high level of administrative approval. It seems, however, from an ATF PowerPoint presentation that this is a policy change, which suggests that prior approvals were lax. Was this a reaction to the 2015 Department of Justice’s policy on cell-site simulators? If aerial surveillance now requires a search warrant, what was previously required – and how was such surveillance used? Was it used against whole groups of protestors?
Finally, the documents reveal that the ATF has had cell-site simulators in use in field divisions in major cities, including Chicago, Denver, Detroit, Houston, Kansas City, Los Angeles, Phoenix, and Tampa, as well as other cities.
PPSA will report more on ATF’s ongoing document dumps as they come in.
By The Way... Here's How ATF Glosses Over Its Location Tracking
The training manual of the Bureau of Alcohol, Tobacco, Firearms and Explosives states that cell-site simulators “do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications.” This claim is disingenuous. It is true that exact latitude and longitude data are not taken. But by tricking a target’s phone into connecting and sending strength of signal data to a cell tower, the cell-site simulator allows the ATF to locate the cellphone user to within a very small area. If a target uses multiple cell-site simulators, agents can deduce his or her movements throughout the day.
Below is an example from a Drug Enforcement Agency document that shows how this technology can be used to locate a target (seen within the black cone) in a small area.
The Privacy and Civil Liberties Oversight Board (PCLOB) has posted a rich discussion among its board members, civil libertarians, and representatives of the intelligence community.
General Paul Nakasone, who heads the U.S. Cyber Command, gave the group a keynote address that is a likely harbinger of how the intelligence community will approach Congress when it seeks reauthorization of Section 702, an amendment to the Foreign Intelligence Surveillance Act that authorizes the government to surveil foreigners, with a specific prohibition against the targeting of Americans, but also allows “incidental” surveillance of Americans.
Gen. Nakasone detailed cases in which would-be subway bombers and ISIS planners were disrupted because of skillful use of 702 surveillance. Mike Harrington of the FBI doubled down with a description of thwarted attacks and looming threats. April Doss, general counsel of the National Security Agency, emphasized how each request from an analyst for surveillance must be reviewed by two supervisors.
Civil liberties scholar Julian Sanchez reached back to the formation of the U.S. Constitution to compare today’s use of Section 702 authority to the thinking behind the Fourth Amendment. He asked if a program that mixes the private data of Americans with surveilled foreigners could possibly clear the Founders’ objection to general warrants. (31:50)
Jeramie Scott (40:25) of the Electronic Privacy Information Center, who argued for greater transparency in 702 collection, questioned whether “about” collection truly ended with downstream collection (i.e., information taken directly from Google, Facebook, and other social media companies). The NSA declared in 2017 it had ended the practice of such “about” collection, which moves beyond an intelligence target to email chains and people mentioned in a thread. Could such collection still be occurring in downstream surveillance?
Travis LeBlanc, a board member who had previously criticized a milquetoast report from PCLOB for a lack of analysis of key programs, seemed liberated by the board’s new chair, Sharon Bradford Franklin. (Chair Franklin also brings a critical eye of surveillance programs, reflecting her views at the Center for Democracy and Technology.) LeBlanc asked Julian Sanchez if the Constitution requires warrants when an individual’s data is searched under Section 702. Sanchez said that delegating such an authority under the honor system has led to FBI’s behaving as if compliance were a game of “whack-a-mole.” (57:15)
Cindy Cohn of the Electronic Frontier Foundation suggested PCLOB examine Section 702’s tendency to be subject to “mission creep,” such as the recent practice of using Section 702 to justify surveillance for “strategic competition” as well as the statutory purpose of anti-terrorism. Cohn said she was not aware of any defendant in a criminal trial ever getting access to Section 702 evidence. (128:45)
“I think we have to be honest at this point that the U.S. has de facto created a national security exception to the U.S. Constitution.”
A revealing insight came from Jeff Kosseth, cybersecurity professor at the U.S. Naval Academy. He pointed to a paper he wrote with colleague Chris Inglis that concluded that Section 702 is “constitutional” and “absolutely essential for national security.” (See 143:40) That opinion, Kosseth added, is something he has “reconsidered” over “deep concern about the FBI’s access” to 702 data, especially concerning U.S. persons.
“At a certain point, we must stop giving the nation’s largest law enforcement agency every benefit of the doubt. The FBI cannot play fast and loose with Americans’ most private information. This has to stop now. And if the FBI cannot stop itself, the Congress has to step in.”
Congress needs to “step in” regardless: surveillance of Americans should never occur without express authority in a statute passed by the people’s representatives.
Is the Bureau of Alcohol, Tobacco, Firearms and Explosives Using Stingrays to Illegally Track Americans?
In response to a Freedom of Information Act request filed by PPSA, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) responded with a batch of documents, including internal training material. In those documents, the ATF confirmed that it uses cell site simulators, commonly known as “stingrays,” to track Americans.
Stingrays impersonate cell towers to track mobile device users. These devices give the government the ability to conduct sweeping dragnets of the metadata, location, text messages, and other data stored by the cell phones of people within a geofenced area. Through stingrays, the government can obtain a disturbing amount of information.
The ATF has gone to great lengths to obfuscate their usage of stingrays, despite one official document claiming stingrays are “used on almost a daily basis in the field.”
The ATF stressed that stingrays are not precise location trackers like GPS, despite the plethora of information stingrays can still provide. Answers to questions from the Senate Appropriations Committee about the ATF’s usage of stingrays and license plate reader technology are entirely blacked out in the ATF documents we received. An ATF policy conceals the use of these devices from their targets, even when relevant to their legal defense. Example: When an ATF agent interviewed by a defense attorney revealed the use of the equipment, a large group email was sent out saying: "This was obviously a mistake and is being handled."
The information released by the ATF confirms the agency is indeed utilizing stingray technology. Although the agency attempted to minimize usage the usage of stingrays, it is clear they are being widely used against Americans.
PPSA will continue to track stingray usage and report forthcoming responses to pending Freedom of Information Act requests with federal agencies.
In Christopher Nolan’s magnificent movie The Dark Knight, Bruce Wayne presents his chief scientist, Lucius Fox, with a sonar technology that transforms millions of cellphones into microphones and cameras. Fox surveys a bank of screens showing the private actions of people around the city.
The character, played by Morgan Freeman, takes it all in and then declares the surveillance to be “beautiful, unethical, dangerous … This is wrong.”
What was fiction in 2008 became reality a few years later with Pegasus: zero-click spyware that allows hackers to infiltrate cellphones and turn them into comprehensive spying devices, no sonar needed. A victim need not succumb to phishing. Possessing a cellphone is enough for the victim to be tracked and recorded by sound and video, as well as to expose the victim’s location history, texts, emails, images, and other communications.
This spyware created by the Israeli NSO Group might have originally been developed, as most of these surveillance technologies are, to catch terrorists. It has since been used by various dictatorships and cartels to hunt down dissidents, activists, and journalists, sometimes marking them for death – as it did in the cases of Jamal Khashoggi and Mexican journalist Cecilio Pineda Birto.
PPSA reported earlier this year that the FBI had purchased a license for Pegasus but has been keeping it locked away in a secure office in New Jersey. FBI Director Christopher Wray has assured Congress that the FBI was keeping the technology for research purposes. Now, Mark Mazzetti and Ronen Bergman of The New York Times have updated their deep dive into FBI documents and court records about Pegasus produced by a Freedom of Information Act request.
PPSA waded through these now-declassified documents, half of each page blanked out by censors. What we could see was alarming.
One document, dated Dec. 4, 2018, pledged that the U.S. government would not sell, deliver, or transfer Pegasus without written approval from the Israeli government. The letter certified that “the sole purpose of end use is for the collection of data from mobile devices for the prevention and investigation of crimes and terrorism, in compliance with privacy and national security laws.”
Since many in the national security arena and their allies assert that executive order EO 12333 gives intelligence agencies unlimited authority, the restraining influence of privacy and national security laws is questionable. And true to form, the FBI documents show that the agency did, in fact, give serious consideration to using Pegasus for U.S. criminal cases.
Why the turnaround? It was at time that a critical mass of Pegasus stories – with no lack of murders, imprisonments, and political scandals – emerged in the world press. That is surely why the FBI left this hot potato in the microwave. One wonders, however, what to make of the attempt of a U.S. military contractor, L3Harris, to purchase NSO earlier this year? If the FBI was out of the picture, was this aborted acquisition an effort by the CIA to lock down NSO and its spyware menagerie? And if the CIA has found some other route to possess this technology – and to be frank, they’d be guilty of malfeasance if they didn’t – is the agency staying within its no-domestic-spying guardrails in deploying this invasive technology? Recent revelations of bulk surveillance by the CIA does not inspire confidence.
Nor can we discount what the FBI might do in the future. Despite the FBI’s decision to avoid using the technology, Mazzetti and Bergman report that an FBI legal brief filed in October stated: “Just because the FBI ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals.”
No doubt, targeted use of such technologies would catch many fentanyl dealers, human traffickers, and spies. But as Lucius Fox asks, “at what cost?”
Evan Greer and Anna Bonesteel of Fight for the Future have an impassioned piece on NBC’s News Think on the effects of near-ubiquitous doorbell cameras like Amazon’s Ring, Google’s Nest, and Wyze. Reading their piece feels being the proverbial frog that finally understands it is already in boiling hot water.
Greer and Bonesteel write:
“Devices like Ring and the apps associated with them are made to keep us on constant alert. They ping us with notifications, demanding our attention, and offer ‘infinite scroll’ like Facebook and Instagram, but for neighborhood crime. These devices make watching one another constantly feel acceptable, expected and even addicting.”
As we’ve reported, Amazon encourages customers to share images with about 2,000 police and fire departments. Greer and Bonesteel write that Amazon is “effectively giving police an easy push-button portal to request video from Ring camera owners in exchange for officers’ help in marketing Amazon products.”
They add that “Ring’s lax security practices in the past have allowed stalkers and hackers to break into people’s cameras … This dystopian vision of a private police camera on every home would have been unthinkable a generation ago.” We would add to that observation the disturbing fact that general counsels of federal law enforcement and intelligence agencies assert a right to purchase Americans’ personal data from digital data brokers without a warrant.
In China, the erection of universal surveillance is the result of a deliberate campaign by the Chinese Communist Party to watch and listen in on everyone. In the United States, a similar Panopticon is being erected, piece by piece, out of desire to gain market share for doorbell cameras, lawn furniture, and home fitness equipment sold online. But the destination is beginning to look the same.
Luxury Surveillance: What Could Go Wrong?
Chris Gilliard in Atlantic describes a day of “luxury surveillance” – what an affluent consumer experiences by being willing to have his heartbeat, sleep, fitness, mood, digital orders, and daily queries continuously tracked.
This is not, Gilliard writes, a dystopian vision. In Gilliard’s “day in the life” description all the services and devices are current Amazon products endowed with what the company calls “ambient surveillance.” They could just as easily be Apple Watches, Apple, Samsung or Google smartphones, or Google Nest devices. What could be wrong, then, with consumers by the millions opting into ambient surveillance?
Gilliard sees a lot wrong. He offers a cautionary note from personal experience:
“Growing up in Detroit under the specter of the police unit STRESS – an acronym for ‘Stop the Robberies, Enjoy Safe Streets’ – armed me with a very specific perspective on surveillance and how it is deployed against Black communities. A key tactic of the unit was the deployment of the surveillance in the city’s ‘high crime’ areas. In two and a half years of operation during the 1970s, the unit killed 22 people, 21 of whom were Black.”
Now, Gilliard writes, “think of facial recognition falsely incriminating Black men, or the Los Angeles Police Department requesting Ring-doorbell footage of Black Lives Matter protests.”
We would add that one problem with luxury surveillance is that all this data being compiled on us can be easily acquired by local law enforcement, as well as by federal agencies ranging from the Department of Defense to the Department of Homeland Security. It is one thing to be surveilled in order to have an ad slipped into your social media feed. It is something else to find a SWAT team knocking down your door at dawn. Luxury surveillance is a boon for consumers until it isn’t. All the more reason why Americans should support the Fourth Amendment Is Not for Sale Act, which would at least constrain the ability of the government to get around the Constitution by buying our most personal information.
Facial recognition software is a problem when it doesn’t work. It can conflate the innocent with the guilty if the two have only a passing resemblance. In one test, it identified 27 Members of Congress as arrested criminals. It is also apt to work less well on people of color, leading to false arrests.
But facial recognition is also problem when it does work. One company, Vintra, has software that follows a person camera by camera to track any person he or she may interact with along the way. Another company, Clearview AI, identifies a person and creates an instant digital dossier on him or her with data scrapped from social media platforms.
Thus, facial recognition software does more than locate and identify a person. It has the power to map relationships and networks that could be personal, religious, activist, or political. Major Neill Franklin (Ret.) Maryland State Police and Baltimore Police Department, writes that facial recognition software has been used to violate “the constitutionally protected rights of citizens during lawful protest.”
False arrests and crackdowns on dissenters and protestors are bound to result when such robust technology is employed by state and local law enforcement agencies with no oversight or governing law. The spread of this technology takes us inch by inch closer to the kind of surveillance state perfected by the People’s Republic of China.
It is for all these reasons that PPSA is heartened to see Rep. Ted Lieu join with Reps. Shelia Jackson Lee, Yvette Clark and Jimmy Gomez on Thursday to introduce the Facial Recognition Act of 2022. This bill would place strong limits and prohibitions on the use of facial recognition technology (FRT) in law enforcement. Some of the provisions of this bill would:
The introduction of this bill is the result of more than a year of hard work and fine tuning by Rep. Lieu. This bill deserves widespread recognition and bipartisan support.
A new report by the United Nations Human Rights Council highlights how much of a global issue spyware has become. The Office of the High Commissioner for Human Rights calls for greater attention to threats to data privacy, to the development of state-sponsored spyware capabilities, and especially to the dangerous software Pegasus, which can remotely infiltrate smartphones and turn them into spying devices. PPSA has reported in the past on the emerging threat Pegasus poses to nations and individuals around the world. It is heartening to see the UN take this data privacy crisis seriously as a human rights issue.
The UN report focuses on three core trends relating to the role of member states in safeguarding and promoting the right to privacy:
The report draws special attention to Pegasus.
“The extent of Pegasus spyware operations and the number of victims are staggering… Reporting in 2021 revealed that at least 189 journalists, 85 human rights defenders, over 600 politicians and government officials, including cabinet ministers, and diplomats were affected as targets.”
The report notes that at least 65 governments have acquired commercial spyware surveillance tools. NSO Group, the Israeli company that developed Pegasus, reported that 60 government agencies in 45 countries are among its customers.
The UN report states: “While purportedly being deployed for combating terrorism and crime, such spyware tools have often been used for illegitimate reasons, including to clamp down on critical or dissenting views and on those who express them, including journalists, opposition political figures and human rights defenders…”
The report also condemned efforts by governments to undermine the security and confidentiality of encrypted communications – a key goal not just of repressive regimes, PPSA would add, but of some in the Department of Justice and FBI.
Governments continue to take steps to undermine that privacy, either by legislative fiat or by sophisticated hacking techniques. In some countries, encryption providers have been required to ensure that law enforcement or other government agencies have access to all communications upon request, effectively obliterating any privacy that encryption may have provided.
This is a brave report. PPSA is pleased to see the UN Human Rights Council recognize privacy as a human right, contrary to the practice of repressive governments, including China and Russia, which have seats on the UN Security Council. Unfortunately, the UN’s warnings on pervasive surveillance also need to be taken seriously by democratic governments, including some in positions of authority in the United States.
If you thought being subjected to “random” TSA screenings at airports was dehumanizing, just imagine your most sensitive, personal digital information being secretly reviewed by any one of thousands of government agents operating without a warrant or public oversight.
The Customs and Border Protection Commissioner Christopher Magnus revealed to Sen. Ron Wyden (D-OR) that the agency is scooping data from thousands of seized electronic devices every year. (Hat tip to Drew Harwell of The Washington Post for detailing this abuse of privacy.) That data is then added to a CBP database accessible by more than 2,700 CBP agents. That data – which can include call logs, messages, contact lists, and photos – can be kept for up to 15 years.
This story is just the latest development in a long-running series of data privacy breaches by federal law enforcement officials. Sen. Wyden criticized the agency for “allowing indiscriminate rifling through Americans’ private records.”
CBP conducted more than 37,000 searches of travelers’ devices in the 12 months ending in October 2021. According to The Washington Post, the default configuration for some data searches has been to download and retain all contact lists, call logs and messages. This means potentially millions of calls, contacts, and text messages from thousands of phones could be compromised.
It has long been known that CBP makes generous use of the “border search” exception in Fourth Amendment law. Sen. Wyden’s revelation about the scale and the scope of this loophole reveals an egregious new threat to the security of Americans’ data privacy. Congress must act now to bolster protections for data privacy.
It is high time for the Supreme Court to review and modify the judicially created border search exception in light of the massive amounts of information being seized from law-abiding citizens and then stored for long periods of time. If the Court does not protect the Fourth Amendment, then Congress should step up.
Last year, Sens. Wyden and Rand Paul (R-KY) introduced legislation that would require border officials to get a warrant before searching a traveler’s device. Congress should also pass the Fourth Amendment Is Not for Sale Act to ensure this database doesn’t fall into the hands of data brokers.
Disturbing Details on Fog Technology
Last week, PPSA reported on Fog Reveal, a product from Fog Data Science that sells billions of data points extracted from apps on 250 million mobile devices to local police departments. An unlimited-use, one-year subscription costs a department only $7,500.
For this price, Fog Reveal offers a powerful capability, the ability to track hundreds of millions of Americans in their daily movements. It allows police to locate every device in a given geo-fenced area. It also allows police to trace the location history of a single device (and therefore, its user) over months or years.
Fog Data Science claims that it is respectful of privacy because it does not reveal the names or addresses of individual users. But a slide show from Fog Data Science prepared for police highlights how this technology can easily be used to track a suspect to his or her “bed-down” over a 180-day period. (Hat tip to the Electronic Frontier Foundation, which helpfully added yellow highlights to significant passages of Fog documents.)
It is more than a stretch then to call this data “anonymized” when it follows people to their homes, as well as to their houses of worship, meetings with friends or lovers, trips to health or mental health clinics, journalists meeting with whistleblowers, or other locales that reveal sensitive and personal information.
For those in law enforcement who go through the motions of filing a warrant, Fog Data Science offers a template warrant. Such warrants are misbegotten. They can be employed to follow a number of people in the vicinity of a crime or track everyone who attended a political protest. The Fourth Amendment requires “probable cause” in which a warrant describes “the place to be searched, and the persons or things to be seized.” It makes a mockery of the Constitution’s requirement for particularity when the police have at their fingertips a whole ocean of data involving many people. How can such a requirement be fulfilled when Fog technology allows police to go on a fishing expedition in that ocean, with any American potentially being a catch?
It is through technologies such as Fog Reveal that our country, device by device, is moving steadily toward becoming a full-fledged surveillance state.
Such details should spur Congress to investigate the uses of this technology. It should also inspire Congress to pass the Fourth Amendment Is Not for Sale Act, which would block the auctioning of our private, personal information to all government agencies.