​The American Civil Liberties Union last week filed a lawsuit in Manhattan accusing the FBI of violating the Freedom of Information Act law by refusing to acknowledge the existence of any documents that contractually prohibit police from disclosing information about “stingrays.”
 
PPSA has long reported on these devices – cell-site simulators that spoof cellphones in a given area to react to the simulator as if it were a cellphone tower. This allows law enforcement to sweep up metadata from Americans’ cellphones, from location information, to contacts, to potentially communications content. In its filing, ACLU notes that stingrays are used “even in constitutionally protected places traditionally immune from warrantless searches, such as a home.”
 
As of 2018, according to the ACLU, 16 federal agencies, as well as 75 agencies in 27 states and the District of Columbia employ stingrays to snoop on Americans. This is in part because the FBI has been keen to help distribute this technology to U.S. local law enforcement. It has also long been known that the FBI requires local law enforcement to sign Non-Disclosure Agreements, barring any discussion of the use of this technology.
 
ACLU is suing because the FBI refuses to acknowledge the existence of these contracts with police in response to a Freedom of Information Act request. By issuing a “Glomar response” – which neither confirms nor denies the existence of these NDA and related documents – the FBI is resorting to a legal strategy once reserved for the nation’s most closely held secrets.
 
Dell Cameron of Gizmodo reports that whatever the FBI says, “these documents do, in fact, exist. I should know. I’m staring at several of them right now.” Thanks to the work of the Center for Human Rights and Privacy, 26 such FBI/local and state police agreements are online.
 
They restrain law enforcement agencies from discussing the use of stingray technology with the public, the press, and most disturbing of all, “in court documents” and “judicial hearings.” Read it, you can see for yourself.
 
This means that the provenance of stingray-derived evidence is prevented from being presented in court, denying defendants, judges and juries access to that important information. The FBI is so insistent on this, that it holds the right to seek the dismissal of any charges brought against a suspect if the case is likely to result in disclosure of the use of this technology.
 
ACLU’s lawsuit could be a landmark for several distinct issues.

• First, it challenges the government’s increasingly prolific use of the Glomar non-response response to gut the purpose and effectiveness of the Freedom of Information Act. The Glomar exception was devised in the aftermath of reporting on a covert CIA project to raise a Soviet nuclear submarine. The existence of an NDA agreement is not a nuclear secret or a revelation into deep-cover sources and methods. ACLU lawyers told Cameron, “the FBI’s Glomar response doesn’t come close to passing the sniff test.”

 

• Second, this lawsuit exposes the parallel construction that is surely at the heart of many of these cases. Information gleaned from communications on a cellphone can be used to verify the same information from another source. As a result, the FBI appears to be encouraging local law enforcement and prosecutors to deceive courts by hiding the origin of evidence.

 

• Third, this technology exposes the warrantless examination of Americans’ most sensitive and personal information. The U.S. Supreme Court in Riley (2014) held that the digital information in our phones hold “the privacies of life.” The Court ruled it is illegal to conduct a warrantless search of a cellphone during an arrest.

 
So why is it okay to warrantlessly sweep this same information remotely?
 
Kudos to the ACLU for challenging the FBI. PPSA will follow this case and report on major developments.

​The Project for Privacy and Surveillance Accountability today joined with seven other major civil liberties organizations to urge House Judiciary Committee Chair Jerry Nadler to hold hearings on The Fourth Amendment Is Not for Sale Act (H.R. 2738) in early 2022.
 
The coalition letter notes that many law enforcement and intelligence agencies allege they can lawfully avoid the constitutional requirement for probable cause warrants by simply buying our personal information from commercial data brokers. They can do this, they claim, because the relevant federal statutes were written at a time when apps and digital brokers did not exist and therefore do not specifically prohibit such actions.
 
As a result, the federal government skirts the Fourth Amendment by buying Americans’ personal information that can reveal our “activities, associations, and even beliefs.”
 
The letter praises Chair Nadler’s long history of leadership on surveillance and privacy issues. The coalition asserts that hearings in the House Judiciary Committee in early 2022 would underscore the disturbing reality behind government data purchases, perhaps uncover new facts, and encourage the passage of The Fourth Amendment Is Not For Sale Act in the coming session.
 
In addition to PPSA, the letter was signed by the American Civil Liberties Union, Americans for Prosperity, Brennan Center for Justice, Demand Progress, Due Process Institute, Free Press Action and FreedomWorks.

To live in the People’s Republic of China, or another repressive regime that purchases its technology, is to exist constantly under the eye of an all-seeing state. (For a panoramic look at just how thorough China’s internal surveillance is, check out Atlantic’s frightening piece on the Chinese “panopticon.”)
 
In China, the use of such keywords such as “Tiananmen” in an email or post on a website would surely trigger the automatic detection systems of state internet surveillance. There are many other words, topics and complicated ideas that trigger China’s state snooping and censorship. Now the University of Maryland, whose prowess in computer science and cybersecurity has been attracting admiration from around the world, has come up with a work-around for those who live in such repressive regimes and wish to discuss forbidden ideas or topics.
 
Two computer scientists at the University of Maryland have created an artificial intelligence software they call “Geneva.” This program is a heuristic learner, adjusting to the changing pathways of censoring technology and finding ways to close them off. Sometimes, Geneva instructs the censor to accept the forbidden keywords as benign. Other times, it tells the censor to move on – that the job is already done.
 
Most important of all, the user doesn’t have to install Geneva’s incriminating software. It can lurk in the background of a web browser until needed. Similar work is being done by the Open Technology Fund, a non-profit American corporation that has helped to create more secure communications for internet users around the world.
 
Given the deep interconnections of the internet, the capabilities of a repressive regime on the other side of the world should be a matter of great concern to us all. China can and does turn its eyes on American users. And given the growth of surveillance by U.S. law enforcement and intelligence agencies, we might someday need something like Geneva to protect us from threats to our privacy that are even closer to home.

​Thanks to investigative reporting by The Wall Street Journal and other media, we know that the Department of Homeland Security, Customs and Border Protection, Immigration and Customs Enforcement, the FBI, the Department of Defense and other law enforcement and intelligence agencies are routinely buying vast amounts of our private information from data brokers.
 
This information is soaked up by the apps and devices we use and then sold by data merchants in a lightly regulated $200 billion market. In this way, millions of Americans lose control of data that contain what the U.S. Supreme Court has called “the privacies of life.” The legal memos released by federal agencies admit that the government is exploiting a loophole in the Electronic Communications Privacy Act (ECPA) of 1986, written before digital security was a great concern.
 
Some abuses arising from these purchases have been reported. The FBI, Secret Service and Department of Defense have warrantlessly acquired smartphone location data. Muslim prayer and dating apps have been used to target Americans by their religion. But our knowledge about the totality of such practices is spotty at best.
 
Now the Center for Democracy & Technology has shed needed light on data purchases in a new report, “Legal Loopholes and Data for Dollars: How Law Enforcement and Intelligence Agencies Are Buying Your Data from Brokers.” CDT reviewed 150 government documents about data purchases, including Requests for Proposals for 30 contracts valued at $86 million. What CDT found is not comprehensive, but it is the best look to date into this shadow world.
 
The collection of our personal information starts with our mobile apps, which often share our location and other personal data with third parties and brokers without our knowledge. Brokers then “scrape” or “mine” our data in violation of the terms of service of social media companies. As a result, government agencies have a sea of data in which to go fishing.
 
CDT reports: “Multiple forms of sensitive data, including location, communications, biometric, and license plate reader data, are sold by data brokers to law enforcement and intelligence agencies, and the practice is increasing, with multiple agencies spending upwards of tens of millions of dollars on multi-year contracts.”
 
Many government agencies disingenuously state in their purchase orders and contracts that the sought-after information will be from “publicly available” and “open” sources.
 
CDT: “The broad and misleading usage of these terms undermines governmental claims that agencies are permitted to collect such information on the basis that it is generally out there in the public and individuals therefore lack a reasonable expectation of privacy in such sensitive data.” Notably, CDT found that it is “unclear whether the FBI considers ‘open source’ to include data compiled specifically for the FBI to purchase, even when no other customer would actually be able to find or purchase that information.”
 
Agencies also categorize procurement contracts through opaque or technical designations that “obscure the nature of the data being purchased, the uses to which they will be put, and the privacy consequences.”
 
It is undeniable that when law enforcement and intelligence agencies buy personal data about Americans from data brokers – such as location data – they are evading constitutional safeguards recognized by the Supreme Court. In short, “government agencies have been able to purchase sensitive data from brokers in an end run around otherwise applicable legal requirements under ECPA and the Fourth Amendment.”
 
The report concludes by urging the passage of the bipartisan-supported The Fourth Amendment Is Not for Sale Act, which would close the loopholes in ECPA and end the practice of the circumvention of the Constitution through data purchases. They recommend requiring government agencies to be transparent about their procurement policies. Among CDT’s other recommendations is one that should resonate with anyone concerned about foreign surveillance capabilities – “Congress should conduct hearings to examine data brokers sales to foreign governments …”
 
CDT deserves the gratitude of the civil liberties community for stepping up to document these privacy abuses and to provide us a framework for thinking about them analytically. Most encouraging of all is that one of the four authors of this report is Sharon Bradford Franklin, who has recently been nominated by President Biden to chair the Privacy and Civil Liberties Oversight Board (PCLOB).
 
It will be interesting to see what fresh perspectives Ms. Franklin brings to her new assignment.

​You are probably not aware that when you sign up for water, power or some other utility, your name, home address, Social Security number and other personal information can be bought and sold. Not only can your “utility header data” be sold for commercial use. It can also be sold to private investigators and government intelligence and law enforcement agencies.
 
Today, a glimmer of good news came when the National Consumer Telecom & Utility Exchange (NCTUE) agreed to end the sale of the personal data of 170 million people. This exchange has directed the credit bureau, Equifax, to stop selling this data.
 
NCTUE’s move was undertaken after pressure from civil liberties organizations concerned that intelligence agencies and law enforcement are accessing Americans’ personal digital information by buying it from data brokers. Agencies ranging from the Drug Enforcement Administration, to the FBI, Immigration and Customs Enforcement, and the Department of Homeland Security are reported to be getting around the constitutional requirement for a warrant through these purchases.
 
“The personal privacy of hundreds of millions of people should not depend upon the goodwill of corporations worried about negative headlines,” Sen. Ron Wyden (D-OR) said in a statement. There are still innumerable sources of personal data from apps, the cloud and digital devices for the government to exploit.
 
Concerned that so much of our personal data can still be easily acquired by the government, Sen. Wyden and House Judiciary Committee Chairman Jerry Nadler (D-NY) are sponsoring The Fourth Amendment Is Not for Sale Act. This legislation would close the loophole in pre-digital law that allows such purchases.

Whatever you think about former President Donald Trump, the facts Special Counsel John Durham is unearthing about the FBI’s investigation of the 2016 Trump campaign should disturb any civil libertarian.
 
In a dramatic floor speech last week, Sen. Chuck Grassley (R-IA) highlighted these concerns, making a plea to Durham to keep his eye on government misconduct by the FBI and the Department of Justice.
 
“The Justice Department and FBI hid critical information from the FISA court that would’ve cut against their case,” Grassley said. “They failed to correct the court record when they should’ve. Simply put, the Justice Department and FBI misrepresented information to the court. That conduct can’t be allowed to pass.”
 
Sen. Grassley, the ranking member on the Senate Judiciary Committee, noted that the FBI was treating Brookings analyst Igor Danchenko as a reliable source of information, even though it had opened a counterintelligence case on this Russian emigre.
 
“If this fact pattern was a movie script, nobody would believe it,” Sen. Grassley said, noting recent indictments of the Russia-connected Danchenko and a Clinton-connected lawyer. “With Durham’s recent indictments, we now have even more proof that the Trump-Russia collusion investigation had the wrong name; it should’ve been the Clinton-DNC-Russia collusion investigation.”
 
Sen. Grassley’s speech points to the greatest irony of this overlong drama – the hunt for Russian disinformation in American politics began with Russian disinformation. The obvious takeaway here is that Vladimir Putin knows how to stimulate Americans to chase their own tails. Sen. Grassley is right: Regarding the roles of the Department of Justice and FBI in this fiasco, a report may not be equal to the misconduct.

It’s comforting to look at the little green or blue tile on the screen of your smartphone and realize that you have access to messaging apps that offer secure, end-to-end encryption. Billions of people use Apple’s iMessage, as well as Signal, Viber, WhatsApp, WeChat, and other messaging services to keep their voice and email conversations private.
 
But to what extent can you be sure that your communications, despite the assurances of these companies, will not be surveilled?
 
Thanks to Property of the People, which specializes in using Freedom of Information Act requests to ferret out government documents, we now have a chart for FBI trainees (hat tip to journalist Catalin Cimpanu of The Record as well) that helpfully sets out exactly how much protection you get with each encrypted service.
 
The FBI document, dating to early 2021, shows that with Apple iMessage, the government can gain limited access to content information. Content in iMessage, as with WhatsApp, can be accessed on backups on iCloud, but only if encryption keys are provided. With Signal, message content cannot be accessed (as far as we can know). The government can learn the date and time a Signal user registered the account and last used the account.
 
In recent years, the Department of Justice and Apple have tangled in very public battles over the efforts to force the company to hand over the keys to unlocking its phones. We can see in this FBI chart the government remains deeply interested in breaking this type of encryption.
 
There are other chinks in encryption armor. Ars Technica reports that if the recipient of a WhatsApp message “flags” it for review, it will be referred to Facebook/Meta (which owns this service). That message is then batched with four previous messages in that thread for review by Facebook for illegal activities.
 
Overall, these messaging apps offer reasonable protection against hackers and a degree of protection against government snooping. The bottom line: encrypted messaging apps are a good way to enjoy enhanced security for sensitive communications. As with most digital activities, however, security is always a relative concept, never an absolute.

The Project for Privacy and Surveillance Accountability, joined by seven other civil liberties organizations across the ideological spectrum, today urged the leaders of three Senate committees to require the making public of many years’ worth of classified decisions, opinions and orders issued by two secret surveillance courts.
 
“The withheld opinions in question set the scope and powers of programs that were used to conduct warrantless, bulk surveillance of millions of Americans before June, 2015,” said Bob Goodlatte, PPSA senior policy advisor. “To deny a free society the right to know judicial opinions is troubling. To deny Americans the right to know the governing rules set by courts for domestic surveillance is to step outside the Constitution and the American legal system altogether.”
 
The letter, jointly signed by a coalition that includes the American Civil Liberties Union, Americans for Prosperity, the Brennan Center for Justice, Demand Progress, Due Process Institute, Free Press Action and FreedomWorks, urged Senate leaders to attach an amendment offered by Sen. Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) to the National Defense Authorization Act (NDAA) of 2022.
 
With strong, bipartisan support for passage of the USA Freedom Act in June, 2015, Congress required the declassification of significant decisions made by the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR). The executive branch, however, interpreted the statute in a way that allowed it to decline to release FISC and FISCR decisions that were made before the passage of that act.
 
The proposed NDAA amendment would grant the Director of National Intelligence one year to complete a declassification review of earlier FISC and FISCR decisions, with the power to withhold any information that would harm national security. Such safeguards, in place for decisions made after the passage of the USA Freedom Act, allowed disclosures of decisions after June, 2015, without any evidence of compromise to national security.
 
“These older decisions are even less likely to contain currently sensitive information,” Goodlatte said. “With the attachment of this amendment to the NDAA, Congress can complete what it began in 2015, shedding light on a body of secret law that few know about, but all live under.”
 
The coalition’s open letter is addressed to the chairs and ranking members of the Senate Armed Services, Intelligence and Judiciary committees, as well as to the leadership of the Senate and House.

In the 2010 Roman Polanski film, The Ghost Writer, the protagonist (played by Ewan McGregor) gains important clues to unmasking the secret behind a murder by driving the victim’s car. He simply follows the last route on the car’s GPS, leading him turn by turn to discover who the victim had visited last. At the time, it was a thrilling new twist for a neo-noir detective film.
 
Eleven years later, the Internet of Things is beginning to become a reality, with our cars revealing more about us than ever before. A contemporary car can accumulate 4,000 gigabytes of data every day. Our cars’ entertainment and communications systems track our address books, call logs and what we listen to. Systems made to monitor performance can report our weight, as well as where we’ve driven, and if we’ve driven there alone or with someone else. With the emergence of autonomous features, records of in-vehicle camera feeds and voice commands will become more prevalent and accessible.
 
In short, governments can learn much more about us than Ewan McGregor’s character did by simply driving.
 
The threat to privacy inherent in digital car technology is exacerbated by those seeking to collect and sell data pulled from our vehicles. One company, Ulysses, even obtains vehicle telematics data transmitted from embedded sensors around a vehicle. Ars Technica reports that Ulysses aspires to sell to the federal government such granular data, including locations, from every car on earth, excluding North Korea and Cuba.
 
The law, moreover, has yet to catch up to the reality that the automobile has become a digital device. In Riley v. California, the Supreme Court held that a cellphone is a “minicomputer” holding voluminous amounts of personal information, and thus should require a probable cause warrant under the Fourth Amendment to examine its texts, images and emails. But laws governing car searches are still in the analog world. The government thus asserts an “automobile exception” to the Fourth Amendment because a car, unlike a house, can be driven off with evidence. It is also not practical to seek a warrant from the side of a highway. But when it comes to the storehouse of digital data contained within a car’s computers, clearly the Riley standard should prevail.
 
Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY) have recently proposed legislation to ensure that result, as have Reps. Peter Meijer (R-MI) and Ro Khanna (D-CA). Under their proposal, law enforcement will have to obtain a warrant based on probable cause before they can search data from any vehicle that does not require a commercial driver’s license. Under the “Closing the Warrantless Digital Car Search Loophole Act,” any vehicle data obtained in violation of this law would be inadmissible in court.
 
Sen. Wyden in a statement said:
 
Americans’ Fourth Amendment rights shouldn’t disappear just because they’ve stepped into a car.
 
He’s right. And the Project for Privacy and Surveillance Accountability (PPSA) urges Congress to enact this proposal promptly.

By ELIZABETH HOLTZMAN and MARK UDALL
NEW YORK DAILY NEWS

What can data from the smartphone in your hand tell me about you? A better question: What can’t it tell me about you?

Our digital trails tell the story of our lives, from dating apps, to medical conditions revealed by our search queries, to religious and political beliefs, to our financial difficulties or windfalls. Like the colored dots in a pointillistic portrait, these data points compose a complete portrait of individuals. Our digital devices often upload these most intimate details of our lives into “the cloud,” a system that stores and distributes our data to computers around the world. It’s as if we allowed hordes of strangers to pass around our diaries and private financial ledgers, while trusting them not to ever take a peek.