Tag: cell phones

Three Keys to Surveillance Success: Location, Location, Location

The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers.  The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:

[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.

To be clear, that doesn’t mean they are giving law enforcement geolocation data on 8 million people. He’s talking about the wonderful automated backend Sprint runs for law enforcement, LSite, which allows investigators to rapidly retrieve information directly, without the burden of having to get a human being to respond to every specific request for data.  Rather, says Sprint, each of those 8 million requests represents a time when an FBI computer or agent pulled up a target’s location data using their portal or API. (I don’t think you can Tweet subpoenas yet.)  For an investigation whose targets are under ongoing realtime surveillance over a period of weeks or months, that could very well add up to hundreds or thousands of requests for a few individuals. So those 8 million data requests, according to a Sprint representative in the comments, actually “only” represent “several thousand” discrete cases.

As Kevin Bankston argues, that’s not entirely comforting. The Justice Department, Soghoian points out, is badly delinquent in reporting on its use of pen/trap orders, which are generally used to track communications routing information like phone numbers and IP addresses, but are likely to be increasingly used for location tracking. And recent changes in the law may have made it easier for intelligence agencies to turn cell phones into tracking devices.  In the criminal context, the legal process for getting geolocation information depends on a variety of things—different districts have come up with different standards, and it matters whether investigators want historical records about a subject or ongoing access to location info in real time. Some courts have ruled that a full-blown warrant is required in some circumstances, in other cases a “hybrid” order consisting of a pen/trap order and a 2703(d) order. But a passage from an Inspector General’s report suggests that the 2005 PATRIOT reauthorization may have made it easier to obtain location data:

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [REDACTED PHRASE]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [REDACTED PHRASE] from the FISA Court. Therefore, OIPR decided not to request [REDACTED PHRASE] pursuant to Section 215 until it re-briefed the issue for the FISA Court. As a result, in 2006 combination orders were submitted to the FISA Court only from January 1, 2006, through March 8, 2006.

The new statutory language permits FISA pen/traps to get more information than is allowed under a traditional criminal pen/trap, with a lower standard of review, including “any temporarily assigned network address or associated routing or transmission information.” Bear in mind that it would have made sense to rely on a 215 order only if the information sought was more extensive than what could be obtained using a National Security Letter, which requires no judicial approval. That makes it quite likely that it’s become legally easier to transform a cell phone into a tracking device even as providers are making it point-and-click simple to log into their servers and submit automated location queries.  So it’s become much more  urgent that the Justice Department start living up to its obligation to start telling us how often they’re using these souped-up pen/traps, and how many people are affected.  In congressional debates, pen/trap orders are invariably mischaracterized as minimally intrusive, providing little more than the list of times and phone numbers they produced 30 years ago.  If they’re turning into a plug-and-play solution for lojacking the population, Americans ought to know about it.

If you’re interested enough in this stuff to have made it through that discussion, incidentally, come check out our debate at Cato this afternoon, either in the flesh or via webcast. There will be a simultaneous “tweetchat” hosted by the folks at Get FISA Right.

Technology: Debating the Pace of Progress

Last night, thanks to Craigslist and a Web-enabled cell phone, I unloaded two extra tickets to tonight’s World Cup qualifying game between the U.S. and Costa Rica in under an hour. (8:00, ESPN2 “USA! USA! USA!”)

Wanting to avoid the hassle of selling the tickets at RFK, I placed an ad on Craigslist offering them at cost, figuring I might find a taker and arrange to hand them off downtown today or at the stadium tonight. Checking email as I walked to the gym, I found an inquiry about the tickets and phoned the guy, who happened to live 100 feet from where I was walking. A few minutes later, he had the tickets and I had the cash.

This quaint story is a single data point in a trend line—the high-tech version of It’s Getting Better All the Time. Everyone living a connected life enjoys hundreds, or even thousands, of conveniences every day because of information technology. Through billions of transactions across the society, technology improves our lives in ways unimaginable two decades ago.

Before 1995, nobody ever traded spare soccer tickets in under an hour, on a Tuesday night, without even changing his evening routine. If soccer tickets are too trivial (you must not understand the game), the same dynamics deliver incremental, but massive improvements in material wealth, awareness, education, and social and political empowerment to everyone—even those who don’t live “online.”

Sometimes debates about technology regulation are cast in doom and gloom terms like the Malthusian arguments about material wealth. But the benefits we already enjoy thanks to technology are not going away, and they will continue to accrue. We are arguing about the pace of progress, not its existence.

This is no reason to let up in our quest to give technologists and investors the freedom to produce more innovations that enhance everyone’s well-being even more. But it does counsel us to be optimistic and to teach this optimism to our ideological opponents, many of whom seem to look ahead and see only calamity.

A Federal Ban on Texting While Driving?

text-messaging-while-drivingIn response to claims that texting-while-driving (TWD) causes traffic accidents, Congress is considering “a federal bill that would force states to ban texting while driving if they want to keep receiving federal highway money.”

This approach to forcing a particular policy on the states mimics the 1984 Federal Uniform Driving Age Act, which threatened to withhold federal highway funds unless states adopted a 21-year-old minimum legal drinking age. The justification for that law was reducing traffic fatalities among 18-20 year olds.

A federal ban on TWD is not compelling:

1. Federal imposition of the 21-year old minimum drinking age did not save lives.

2. A ban on texting might increase other distractions: adjusting the radio, putting on makeup, eating a sandwich, reading a map, and so on. Relatedly, the evidence that TWD causes accidents is far from convincing. Traffic fatalities per vehicle mile travelled have declined substantially over the past 15 years, despite the explosion in text messaging.

3. TWD has benefits, not just costs. Truckers, for example, claim that

Crisscrossing the country, hundreds of thousands of long-haul truckers use computers in their cabs to get directions and stay in close contact with dispatchers, saving precious minutes that might otherwise be spent at the side of the road.

4. If the benefits of banning TWD become clear, most states will ban on their own.

Thus laws that penalize TWD might make sense. But this is an issue for states, not the federal government.

C/P Libertarianism, from A to Z.

Online Privacy and Regulation by Default

My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it’s of interest to anyone else. Unsurprisingly, neither of us are particularly sanguine about elaborate regulatory schemes—and I’m sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?

First, a question of expectations. Jim thinks it’s unreasonable for people to expect any privacy in information they “release” publicly—and when he’s talking about messages posted to public fora or Facebook pages, that’s certainly right. But it’s not always right, and as we navigate the Internet our computers can be coaxed into “releasing” information in ways that are far from transparent to the ordinary user. Consider this analogy. You go to the mall to buy some jeans; you’re out in public and clearly in plain view of many other people—most of whom, in this day and age, are probably carrying cameras built into their cell phones. You can hardly complain about being observed, and possibly caught on camera, as you make your way to the store. But what about when you make your way to the changing room at The Gap to try on those jeans? If the management has placed an unobtrusive camera behind a mirror to catch shoplifters, can the law require that the store post a sign informing you that you’re being taped in a location and context where—even though it’s someone else’s property—most people would expect privacy? Current U.S. law does, and really it’s just one special case of the law laying down default rules to stabilize expectations.  I think Jim sees the reasonable expectation in the online context as “everything is potentially monitored and archived all the time, unless you’ve explicitly been warned otherwise.” Empirically, this is not what most people expect—though they might begin to as a result of a notice requirement.

Now, as Jim well knows, there are many cases in which the law sets defaults to stabilize expectations. Under the common law doctrine of implied warranty, when you go out and buy a toaster, you do not explicitly write out a contract in which it’s stipulated that the thing will turn on when you get home and plug it in, that it will toast bread without bursting into flames, and so on. Markets would not function terribly well if you did have to do this constantly. Rather, it’s understood that there are some minimal expectations built into the transaction—toasters toast bread!—unless the seller provides explicit notice that this is an “as is” sale. This brings us to a second point of divergence: Like Jim, I think the evolutionary mechanism of the common law is generally the best way to establish these market-structuring defaults. Unlike Jim, I think sometimes it’s appropriate to resort to statute instead. This story from Techdirt should suggest why:

It’s still not entirely clear what online agreements are actually enforceable and which aren’t. We’ve seen cases go both ways, with a recent ruling even noting that terms that are a hyperlink away, rather than on the agreement page itself, may be enforceable. But the latest case, involving online retailer Overstock went in the other direction. A court found that Overstock’s arbitration requirement was unenforceable, because, as “browserwrap,” the user was not adequately notified. Eventually, it seems that someone’s going to have to make it clear what sorts of online terms are actually enforceable (if any). Until then, we’re going to see a lot more lawsuits like this one.

Evolutionary mechanisms are great, but they’re also slow, incremental, and in the case of the common law typically parasitic on the parallel evolution of broader social norms and expectations. That makes it an uneasy fit with novel and rapidly changing technological platforms for interaction. The tradeoff is that, while it’s slow, the discovery process tends to settle on efficient rules. But sometimes having a clear rule is actually more important—maybe significantly more important—than getting the rule just right. These features seem to me to weigh in favor of allowing Congress, not to say what standards of privacy must look like, but to step in and lay down public default rules that provide a stable basis for informed consumers and sellers to reach their own mutually beneficial agreements.

Finally, there’s the question of whether it’s constitutionally appropriate for federal legislators, rather than courts, to make that kind of decision. I scruple to say how “the Founders intended” the Constitution to apply to e-commerce, but even on a very narrow reading of the Commerce Clause, this seems to fall safely within the purview of a power to “make regular” commerce between the several states by establishing uniform rules for transactions across a network that pays no heed to state boundaries. A patchwork of divergent standards imposed by judges and state legislators does not strike me as an especially market-friendly response to people’s online privacy concerns, but that appears to be the alternative. If there’s a way to address those concerns that’s both constitutionally appropriate and works by enabling informed choice and contract rather than nannying consumers or micromanaging business practices, then it seems to me that it makes sense for supporters of limited government to point that solution out.

IRS Wants Worker Cell Phones to Be Taxable

With about 100,000 employees (more than the CIA and FBI combined), the IRS has plenty of people who daydream about new ways of taking money from taxpayers. The latest scheme to emanate from the tax bureaucracy is to classify employer-provided cell phones as a taxable fringe benefit.

To be fair, non-pecuniary forms of compensation should be treated the same as cash income, but a bit of common sense should apply. What happens with cell phone plans with unlimited minutes, meaning that a business is not paying extra for personal calls? And if the IRS does go down this path, why harrass individuals when it would be much easier to simply make a portion of cell phone costs non-deductible for companies? It almost seems as if the IRS wants to instigate a tax revolt.

The Wall Street Journal reports:

The Internal Revenue Service proposed employers assign 25% of an employee’s annual phone expenses as a taxable benefit. Under that scenario, a worker in the 28% tax bracket, whose wireless device costs the company $1,500 a year, could see $105 in additional federal income tax….

The IRS move, which is spurring efforts by the wireless industry and others to kill the idea, would mark a stricter enforcement of an existing rule that classifies employer-provided cellphones as a taxable benefit, rather than a 24-hour-a-day work tool. Under a 1989 law, workers who use company-provided mobile phones for personal calls are supposed to count the value of those calls as income and pay federal income taxes accordingly. But businesses and workers have long ignored the requirement, prompting the IRS to consider steps the agency said would make it easier for businesses and workers to comply.

…Wireless companies also argue the IRS rule is outdated. Rates have declined so dramatically in the past decade — with night and weekend calls free under many plans — that it makes little sense for the IRS to assess employee benefits by nickels and dimes. “This is a regulation from a bygone time, dating back to the infancy of the cellphone business, and it is in desperate need of updating,” said Howard Woolley, a senior vice president with Verizon Wireless, a venture of Verizon Communications Inc. and Vodafone Group PLC.