For nearly two decades U.S. law enforcement agencies have used counter-terrorism devices known as “stingrays” after the brand name of one variant or ISMI (international mobile subscriber identity)-catchers to track locations in domestic investigations, but information about the devices has been kept carefully under wraps from the public and sometimes even from judges authorizing its deployment. Last week an Arizona judge ruled that a tracking warrant used to deploy the device against Daniel David Rigmaiden, who is accused of collecting millions of dollars in rebates by submitting fraudulent tax returns, was valid despite the fact that the FBI failed to disclose they would be using a stingray or explain how the devices functioned in that warrant.

Much of what is known about their current use in the U.S. comes from a treasure trove of heavily redacted documents being dripped out month by month thanks to an Electronic Privacy Information Center (EPIC) Freedom of Information Act (FOIA) lawsuit and a handful of public cases like Rigmaiden that have been released publicly. Speaking at a Yale Information Society Project (ISP) on biometrics and location tracking earlier this year, EPIC Appellate Advocacy Counsel Alan Butler noted:

“The biggest problem I see with stingrays is the secrecy aspect — The fact that we don’t know how they are used, how exactly they work, what different techniques are available [...] The accountability measures that would be in place for other warranted, more standard surveillance methods are really nonexistent here.”

One thing we do know, according to statement at the same conference from the American Civil Liberty Union’s (ACLU) Chris Soghoian, is that stingrays work by essentially exploiting a security vulnerability in cell service technology: Phones are constantly searching for the nearest signal so they know what tower to connect to when a call comes in, and phones will automatically connect to any tower identifying itself as having the strongest signal strength from your carrier.

The device sends out a signal pretending to be a nearby cell tower with the strongest signal, tricking phones into connecting and allowing the operator to harvest identifying information about devices in the form of the unique ID string of numbers associated with the device known as ISMI and in some variants even communications content, although U.S. law enforcement generally denies using them for the latter need. Whenever a phone is powered on, you can measure the strength of the phone responding to this signal and triangulate a location. This graphic adapted from one in Jennifer Valentino-Devries’ excellent Wall Street Journal coverage of the Rigmaiden case in 2011 shows how it works:

Due to the nature of the devices, they gather up all information within a certain signal range including information about non-target devices — meaning innocent bystanders are having their data sucked up as well. In court documents associated with the Rigmaiden case the FBI requested permission to “expunge” all data obtained in the process, but how much data operators generally have access to during the surveillance process or if that is the standard practice remains unclear leading to a number of questions about whether or not the Fourth Amendment rights of the general public are being compromised. Soghoian noted as much at the Yale ISP conference, saying “No matter how the stingray is used — to identify, locate or intercept — they always send signals through the walls of homes [...] The signals always penetrate a space protected by the Fourth Amendment.”

There are a variety of situations this could be used unrelated to criminal investigations, like aiding search and rescue teams, but when it’s used by law enforcement it’s usually because the phone company can’t find the phone for some reason (such as lacking a GPS chip), to identify what phones are being used by a suspect in a burner type situation (think the Wire), or when the phone company refuses to help with an investigation. But the legal framework for deployment in the United States is murky.

In the Rigmaiden case a warrant was sought because they were after the signal on a mobile wireless card believed to be within his residence where he might have a reasonable expectation of privacy. But FBI and Department of Justice officials have claimed investigators’ stingrays should be treated like “pen registers.” Pen registers are a category of tools that gather information on outgoing calls — normally, the numbers dialed on a particular phone — but don’t receive the content of the communications and do not require a warrant to deploy. Instead, they are allowed under the Electronic Privacy Communications Act of 1986 (ECPA) with a court order that only requires investigators to believe information gathered as a result of the order is likely to assist an ongoing investigation, a lesser standard than probable cause.

However, some judges have found that location information is more intrusive type of surveillance than call logs, and across the field courts appear to be applying different standards — with the prosecution in Rigmaiden saying that “decisions are made on a case-by-case basis” by magistrate and district judges. In US v. Jones, the Supreme Court ruled a GPS tracking device being placed on a suspect’s car constituted a search, but did not rule on if the search was warranted or constitutional.

Due to the lack of disclosure used by investigators pursuing stingray deployment, it is also unclear how often the devices are being used by law enforcement although evidence suggests they are being deployed in at least a handful of states. Reporting from the LA Times uncovered 21 uses of the devices by the LAPD in a four month period in 2012 “apparently without the courts’ knowledge that the technology probes the lives of non-suspects who happen to be in the same neighborhood.”

The lack of clarity around almost every aspect of stingray tech and its use by law enforcement did not happen by accident: The FBI delayed releasing the documents now being released thanks to EPIC’s FOIA lawsuit, only acquiescing when being ordered by a federal judge “to produce all records, except those subject to classification review, by August 1, 2013,” and among the documents already released in that inquiry was a nondisclosure agreement preventing FBI staff from discussing the technology.

(Credit: AP)

GOWDY: Greta, you were an attorney. There are lots of privileges — husband-wife, priest-penitent, attorney-client, none of them unqualified. So when you have a major national security leak, which is a compelling issue, and you juxtapose that with the right of the media to do its job and provide oversight, there’s a conflict. And there’s no federal statute on point. But the Supreme Court has said if there is a compelling interest, which there certainly is in national security cases, and the information is relevant which it has to be to justify a subpoena, and you have no alternative means of getting the information, then the Department of Justice had no choice. . . .

Think back a year ago. We had the attorney general and other Department of Justice employees, and we grilled them over national security leaks. And here they are doing what we asked them to do, investigate the leak.

While Gowdy’s admission that Republicans supported a probe into national security leaks like the one that led to the DOJ probe of AP is welcome, his willingness to largely excuse DOJ’s actions does not bode well for reform. When journalists face surveillance by law enforcement, many sources will be too frightened to talk to reporters, and that will lead to the public being less informed. The AP probe presents a strong argument for requiring law enforcement to obtain a warrant from a judge before they can obtain phone records from journalists — indeed, DOJ itself should support such a requirement, because a judicially issued warrant enables them to resist scandal after their investigations become public — but such a reform will almost certainly require an act of Congress.

Although there were initial signs that congressional Republican lawmakers would react to the DOJ probe with their typical degree of outrage, many GOP lawmakers are now responding with a collective “meh.” Sen. John Cornyn (R-TX), the second highest ranking member of the Republican caucus, said that he has “questions” about the AP surveillance, “but I’m wiling to wait and see how this plays out, whether it was narrowly targeted or whether it was a net that was too broadly cast.” Sen. John McCain (R-AZ) similarly offered up an uncharacteristic willingness to wait “before offering an opinion.”

Of course, there are still lawmakers, both Democrats and Republicans, who remain bothered by the probe. But the chances of reform now seem low.

(Credit: AP)

Yesterday, the Associated Press reported that phone records from nearly two dozen phone lines were obtained by the Department of Justice as part of what was likely an investigation into how AP reporters discovered the CIA’s involvement in foiling an Al Qaeda related bomb plot. As Hayes Brown explained yesterday, this investigation probably was motivated by concerns that reporting on CIA’s involvement could have compromised an intelligence operative working within Al Qaeda in the Arabian Peninsula.

Lawmakers on both sides of the aisle have expressed concerns over DOJ’s actions here, potentially providing a rare opportunity to enact law restricting government surveillance. Moreover, there are strong arguments for why DOJ should be required to obtain a warrant from a judge before obtaining journalists’ phone records, especially in a case such as this one where DOJ’s need for the information does not appear to be imminent, the information sought is particularly broad, and the records are likely to remain available even after a delay.

Yet, if change is going to happen, it will likely have to come from what is currently the most dysfunctional branch of government — Congress — rather than the one that is currently most capable of bold action — the judiciary. Ultimately, this incident is likely to be a test of whether Congressional Democrats who opposed expansive surveillance during the Bush Administration will also have qualms with DOJ’s actions now that one of their own is in the White House; and whether Republicans, many of whom had a very different view of media surveillance just a year ago, will be able to pause their political posturing to pass a law preventing similar incidents from occurring in the future.

While the full details of the investigation have not been revealed — AP’s reporting on the surveillance was based largely on a letter DOJ sent to AP informing them of the surveillance — it is unlikely that DOJ’s actions violate the Constitution as it has been interpreted by the Supreme Court. No evidence has emerged that DOJ obtained the contents of actual conversations by AP reporters. Rather, their investigation appears to be limited to discovering which numbers were dialed by AP employees subject to surveillance, and possibly a similar investigation of their incoming calls.

Under the Supreme Court’s 1979 decision in Smith v. Maryland, the Constitution’s ban on unreasonable searches and seizures simply do not apply to this kind of surveillance. According to the five justices who joined the majority opinion, individuals do not have a “reasonable expectation of privacy” in the numbers they dial on their phones because “[t]elephone users . . . typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.” When information is voluntarily disclosed to a third party, the Court explained the person disclosing the information “assumed the risk that the information would be divulged to police.”

The best argument for applying a different rule to the AP is that journalists are different from other phone users. Journalists often depend on sources who will refuse to speak to a reporter if their conversation is not kept confidential. If government can discover who reporters have been speaking to, they will chill sources from providing information to journalists, and the public will ultimately be less well informed about the information they need to participate in a democracy. Most significantly, the First Amendment explicitly protects “the freedom of. . . the press,” so a strong textual argument can be made that activities that are essential to journalism enjoy heightened protection under the Constitution.

This argument, however, is unlikely to be embraced by our current Supreme Court. In Citizens United, the conservative justices did not just authorize corporations to spend unlimited money to influence elections, they also dismissed the idea that “the institutional press has any constitutional privilege beyond that of other speakers.” At least until one of these five justices leaves the bench, a robust interpretation of the First Amendment’s freedom of the press is unlikely.

The Constitution isn’t the beginning and the end of American law, and Justice Department regulations do place some significant restrictions on federal law enforcement’s ability to subpoena telephone records from journalists. Beyond requiring the surveillance of AP to eventually be disclosed to AP, they also typically require actions targeting journalists to be personally approved by the Attorney General. What they do not require, however, is for DOJ investigators to obtain a warrant before they conduct the surveillance at issue here. Placing this decision in the hands of the Attorney General is not nothing — the sheer volume of Eric Holder’s workload prevents him from personally reviewing and approving very many things — but it is also not an independent check on DOJ’s ability to target journalists.

At the moment, there appear to be a bipartisan consensus forming that the current checks on DOJ surveillance are not enough — at least in the media context. The question is whether Congress will actually decide to do something about it, or whether they will default to partisan posturing and reliance on a Supreme Court that shows little interest in protecting journalism.

One of the backbones of computer privacy law was written almost 30 years ago, when virtually no one stored massive amounts of personal information on remote computer servers. The computing world looked nothing like it does today, when our credit card information, love letters, health data and personal finances can often be found on Gmail’s servers or elsewhere in the computing ‘cloud.’

While technology and the way we have used it has changed, computer privacy law has not — but a bill that just passed the Senate Judiciary Committee today hopes to change that. The Senate Judiciary Committee just approved S.B. 607, the Electronic Communications Privacy Act Amendments Act of 2013, legislation updating the Electronic Communications Privacy Act of 1986 (ECPA) to require probable cause warrants before accessing the content of private communications and files stored in the cloud.

The bill was introduced by Sen. Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) earlier this year after a similar proposal was attached to bill loosening regulation on sharing of video watching habits over social networks last winter, but dropped without notice over the holiday break. Due to the expense of networked storage when the legislation was written, the law did not prepare for how most current email and cloud storage hosting options function — rather it assumed anything left in online storage over 180 days was abandoned, and such should only require an administrative subpoena rather than a warrant to obtain from internet service providers (ISPs).

Stakeholders including tech companies, civil liberties groups, and think tanks have advocated updating the law via groups like the Digital Due Process coalition, arguing it has not adapted with the technology, leaving a pathway for law enforcement to access most archived email without the same level of due process expected for other forms of personal communications under the Fourth Amendment. Many companies including Google, Facebook, Microsoft, and Yahoo announced earlier this year they are requiring warrants for email content data on Fourth Amendment grounds, and the most relevant case law is U.S. v. Warshak, a 2010 U.S. appeals court judgment that ruled strongly in favor of probable cause warrants from a court as a requirement before forcing service providers to turn over email content no matter the amount of time it was stored in the cloud.

Documents released by the American Civil Liberties Union (ACLU) just before tax day reveal that the Criminal Tax Division at the IRS stated “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server” in a 2009 handbook. However, an IRS spokesman flatly responded to reports about the release: “Contrary to some suggestions, the IRS does not use emails to target taxpayers. Any suggestion to the contrary is wrong.”

The bill still must pass the full Senate, the House, and be signed by the President for the law to be updated, but there are signs of ECPA movement on the House side. A similar cloud data warrant requirement proposal was introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year, and this morning the House Judiciary held a hearing on ECPA as it relates to geolocation privacy and surveillance.

Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) introduced a bipartisan bill Tuesday to reform the Electronic Communications Privacy Act (ECPA) that would grant new privacy protections for email and other cloud stored data. Under current ECPA standards the government doesn’t need a warrant to access the content of emails that are more than 180 days old — instead all it requires is an administrative subpoena — although some companies including Google, Microsoft, Yahoo and Facebook have challenged that assertion on Fourth Amendment grounds.

Sen. Leahy,  the author of the original 1986 law, commented on how much times have changed since then:

“No one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today[...] Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world. Three decades later, we must update this law to reflect new privacy concerns and new technological realities, so that our Federal privacy laws keep pace with American innovation and the changing mission of our law enforcement agencies.”

A similar proposal was introduced by Reps. Zoe Lofgren (D-San Jose), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this month, and the House Judiciary committee heard testimony on reforming ECPA this morning. In written testimony submitted before that hearing by acting assistant attorney general and former White House lawyer Elana Tyrangiel, the Obama administration dropped its claim that police should be able to look at Americans’ email content without warrants for the first time, but promoted a number of other expanded government surveillance powers.

These expansions include giving federal agency’s civil attorneys warrantless access to American’s electronic communications and eliminating some of the privacy protections currently applying to company records in order to reveal who is sending or receiving email, Facebook, Twitter, and other similar types of messages.

When the ECPA legislation was first passed in 1986, most people couldn’t imagine that online data storage would approach the point where it was so inexpensive people would leave their data online, so it was assumed that email left in networked storage over 180 days could be considered abandoned — like garbage on the curb. But with the rise of cheap, or in many cases free, storage in the cloud the 180 days rule has essentially become a way for law enforcement to access most archived email without the same level of due process expected for personal communications. Civil liberties advocates advocated for ECPA reform for years due to these technological and social changes and came very close to succeeding last year when it was almost passed as an amendment to a video-sharing bill backed by Netflix, but the amendment was inexplicably dropped over the Christmas break.

Just earlier this week, the American Civil Liberties Union, Americans for Tax Reform, and Center for Democracy & Technology announced a new coalition called the Digital 4th that, along with other broader groups including the Digital Due Process coalition, will advocate for privacy-driven ECPA reform, among other Fourth Amendment based privacy protections for current generation tech.

Twelve years ago, William Binney resigned from his post as a technical director at the National Security Agency over its domestic surveillance program. “The reason I left the NSA was because they started spying on everybody in the country,” he said in August. In light of revelations from the scandal surrounding General David Petraeus that the FBI was reading the emails of Petraeus, General David Allen and several other suspected players, Binney is reiterating that the FBI is collecting everybody’s emails, and can use the information collected against anybody it wants. In an interview with RT, Binney says:

[T]he FBI has access to the data collected, which is basically the e-mails of virtually everybody in the country. … All the congressional members are on the surveillance too, no one is excluded. … So, yes, this can happen to anyone. If they become a target for whatever reason – they are targeted by the government, the government can go in, or the FBI, or other agencies of the government, they can go into their database, pull all that data collected on them over the years, and we analyze it all. So, we have to actively analyze everything they’ve done for the last 10 years at least.

To those who say they have nothing to hide, Binney cautions, “The problem is if they think they are not doing anything that’s wrong, they don’t get to define that. The central government does … if their position on something is against what the administration has, then they could easily become a target.”

NSA Director Gen. Keith Alexander has said the agency “absolutely” does not keep files on Americans – an assertion Binney called “word games.

The Petreaus investigation comes amid increasing evidence that privacy protection is becoming little more than a pipe dream, with the New York Police Department amassing call logs, an increasing number of cities scanning license plates, and wireless carriers responding to more than a million law enforcement requests for subscriber information that includes location data.

To address some of this concern, Congress is now mulling changes to the Electronic Communications Privacy Act to limit warrantless access to cloud data. The amendments passed by the Senate Judiciary Committee would require a warrant for access to electronic communications that are more than 180 days old (newer emails already require a warrant). But accessing cloud data is seemingly a separate endeavor from searching emails and other data that the government may already have access to via an in-house database of the type described by Binney. Binney was reportedly one of the primary sources for a Wired Magazine exposé on NSA’s construction of a massive center to “intercept, decipher, analyze, and store vast swaths of the world’s communications” in Bluffdale, Utah.