Feeds

Tracked by cellphone

The astounding arguments of the US government

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

A third standard applies for the installation of "tracking devices" to monitor the location of people or things. To install or monitor such a device, the government would have to show (albeit in an affidavit that the target never gets to see or challenge in advance) that it was more likely than not that this would reveal evidence of some crime by somebody - and not necessarily that the person being tracked was committing a crime.

Finally, as noted above, the highest standard is for the interception of the contents of communications (voice or electronic) in transmission. These warrants can be issued either on a finding of probable cause by a regular court, or on certain finding by a special intelligence court, or as recently disclosed by the New York Times, by executive order and with no warrant (as was done with the National Security Agency).

Government argues "real time" electronic data doesn't exist

In the New York, Maryland and Texas cases, the government wanted to track the location of cell phone holders in advance under the lower standard of simply demonstrating some facts as to why they wanted it, rather than the slightly higher standard of providing probable cause. They argued that the records are merely stored records of "communications." The courts in these cases pointed out that the signal being measured (for signal strength to determine location) was not a "communication" under the statute. The government then argued that, despite language in the statute mandating that phone companies cooperate in pen registers or trap and trace installations (the infamous Communications Assistance to Law Enforcement Act, or CALEA), which stated that "the authority for pen registers and trap and trace devices cannot be used to obtain tracking or location information…" that they could get such information under a lower standard than probable cause.

The next government argument is somewhat astounding. The courts all agreed that the lower standard of "articulable facts" would apply to the disclosure by the cell phone company of "historical call site information". That is, if your phone company retained records of where you were, the government could get them with a subpoena, a search warrant, or even a warrant on a lower standard. Indeed, the court recognized that the government could demand that the phone company retain and not destroy such records in anticipation of a later court order. The higher "probable cause" standard applied only to the creation and dissemination to the cops of records that didn't yet exist. This is where the astounding argument comes in - the government claimed (with a straight face, no less) that as soon as the cell towers in question determined your location and recorded this fact, these were now "historical" records subject to the lower standard. Thus, according to the government, there is no such thing as "real time" data or even data "in transmission."

As a technical matter, this is likely true. Indeed, I have argued that there is no such thing as interception of packets "in transmission." The packets have to be stopped, copied, and reassembled to be read. Nevertheless, the law makes a distinction between historical data and real time data. That the government would seek to extinguish this distinction in this case does not bode well for the government's position in other cases. The government could then argue that it could listen in on your VOIP calls with nothing more than a subpoena (for which no probable cause is required) because all it is doing is looking at "historical" packets - albeit merely hundredths of a second in the past. This is clearly the opposite of the delicate balance Congress sought to strike. Thus, it appears that the government is seeking to convert all interceptions into seizures of "historical" data, and adopt the lower standards for such data.

What about your privacy?

All of this discussion is somewhat beside the point, however. The real issue is whether people have a reasonable expectation of privacy in the location data in the first place. As a general rule, the US Supreme Court has adopted what I call the "breeze rule". Effectively, if I am outside (and can feel a breeze), I probably don't have an expectation of privacy in what I am doing. Thus, if I am growing pot in my backyard with a 20 foot un-scalable fence, the cops with a helicopter and a telescope (or, presumably a geostationary satellite and a keyhole telescope) can monitor me without probable cause or a warrant. If I am walking or driving down the street, the cops can follow me without a warrant or even suspicion. The same goes for using technology to enhance the ability to search. Thus, drug, money or explosive sniffing dogs can sniff me, my briefcase, my car, and presumably my house (if there is no trespass to do so) without any legal restriction. If I walk into my house however, the Supreme Court has ruled, the cops can't for example use and infrared detector to monitor my activities in the house without some kind of warrant.

Thus, the cops can follow me around, either directly or using technology. If they use their eyes, binoculars, a telescope, a helicopter or other similar technologies, they don't need probable cause or a warrant. If they install a tracking device on me, however, they do need probable cause. But what do they need to simply obtain records from the phone company (whether in real time, slightly historical or historically) to accomplish the same thing?

The real problem here is that the cell phone providers have the ability to collect, store, collate and aggregate location data on hundreds of millions of people. These records then become a commodity: subject to use, sale, transfer, subpoena or other discovery. In past cases, the government (with a warrant) has turned on people's On*Star GPS tracking and telephones to track them and listen in on their conversations. Technically, the government isn't "installing" a tracking device on you - it is merely retrieving the records of a tracking device you didn't know you already had. What this means is that Congress needs to step in and establish guidelines for both private, public, law enforcement and intelligence acquisition and use of this passive tracking information. Will they do this? As Dr. Heisenberg might say, it's uncertain.

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

This article was first published at SecurityFocus

Copyright © 2005, SecurityFocus

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.