Tag: warrant

School Laptop Spycams Took 56,000 Pictures

Last week, I wrote that we’d learned that the Lower Merion School District may have gathered many more photos of more students than had previously been revealed. Now, the Philadelphia Inquirer has put a number on it: A security program installed on laptops assigned to students captured 56,000 images over the course of two years, including screenshots (showing programs in use and private messages being sent) and surreptitious webcam photos of students at home.

Many of these images, it should be noted at the outset, do appear to have come from laptops that really had been stolen. Almost two-thirds of the total came from six laptops that had been stolen from a high school gym, and which kept transmitting for  almost six months, though even there it’s a close question whether a warrant should have been obtained. (Why it took six months to recover the laptops with an active security program running is a good question for another time.) But many of those pictures seem much harder to justify:

[I]n at least five instances, school employees let the Web cams keep clicking for days or weeks after students found their missing laptops, according to the review. Those computers - programmed to snap a photo and capture a screen shot every 15 minutes when the machine was on - fired nearly 13,000 images back to the school district servers.

Emphasis added. The district also says it only once activated the tracking program because a student had not paid the $55 insurance fee required before taking a laptop home. Blake Robbins, the student whose lawsuit brought the story to national attention, says that one case was his.  That raises obvious questions about whether school officials might have exercised their discretion to activate the tracking program more readily in the case of particular students. The activation procedure itself hardly imbues one with great confidence: Apparently 10 school officials had the authority to request laptop tracking, which they might do with a simple informal e-mail.

Just turn this over in your head for a moment. You’ve got ten different administrators—and in practice, the network techs themselves—able to turn a child’s home laptop into a remote surveillance camera just by sending an e-mail reporting that a laptop is missing, or that a fee didn’t get paid on time. The laptop can take thousands of photos over the course of days or weeks, with neither parents nor students any the wiser until a scandal forces closer scrutiny. If Robbins hadn’t been confronted, or if administrators had made a point of deleting these pictures of children at home rather than keeping them lying around in storage indefinitely, there’s no reason to think anyone would ever have known.  How many tens of thousands of parents have kids in one-to-one school laptop programs now? What don’t they know?

Cell Phone Searches? There’s an App for That.

Police hoping to rummage through a suspect’s cell phone after an arrest must apply for a warrant, the Ohio Supreme Court has ruled. That apparently makes it the first court to address a question I first wrote about two years ago, after Adam Gershowitz broached it in a law review article.

Normally, when police arrest someone—and recall that even trivial offenses may provide formal grounds for arrest—they’re entitled to conduct an incidental search of the person and their immediate vicinity, nominally for the purpose of uncovering any weapons and preventing the destruction of contraband.  The new wrinkle as Gershowitz noted, is that we’ve begun routinely carrying vast stores of personal data around with us in our pockets: photos, correspondence, music and movies,  Internet browsing histories, even whole libraries of books.  What’s more, these little archives are typically connected, sometimes automatically, to still more personal information held remotely: mailboxes, calendars, bank accounts, purchasing histories, or in principle just about anything accessible online.

Suddenly a narrow, reasonable-sounding exception to the ordinary Fourth Amendment warrant requirement starts looking like a pretty huge loophole.  The quantity of personal “papers and effects” that can be stored in an ordinary phone would have filled a house just a few decades ago. But if those smartphones are subject to “search incident to arrest,” there’s no longer any need to bother with judicial authorization for the search of a private home. And since a legal system governed by precedent subjects digital technologies to the tyranny of bad metaphors, there’s a disarmingly strong argument to be made that smartphones should be treated like any other physical “closed container”—a digital backpack or purse, at least with respect to the data stored locally on the phone.

This case involved more conventionally phone-like information: calling records. But the Court nevertheless saw the danger inherent in treating portable data storage devices as mere “containers,” holding that searches of phones were reasonable only to the extent they could be linked to the twin justifications of safety and preventing destruction of evidence.  But as the ruling and dissent both note, there are a handful of precedents that appear to cut in the other direction. The question now is whether other courts will follow Ohio’s lead or remain mired in inapposite comparisons to knapsacks and cigarette packs.

Three Keys to Surveillance Success: Location, Location, Location

The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers.  The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:

[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.

To be clear, that doesn’t mean they are giving law enforcement geolocation data on 8 million people. He’s talking about the wonderful automated backend Sprint runs for law enforcement, LSite, which allows investigators to rapidly retrieve information directly, without the burden of having to get a human being to respond to every specific request for data.  Rather, says Sprint, each of those 8 million requests represents a time when an FBI computer or agent pulled up a target’s location data using their portal or API. (I don’t think you can Tweet subpoenas yet.)  For an investigation whose targets are under ongoing realtime surveillance over a period of weeks or months, that could very well add up to hundreds or thousands of requests for a few individuals. So those 8 million data requests, according to a Sprint representative in the comments, actually “only” represent “several thousand” discrete cases.

As Kevin Bankston argues, that’s not entirely comforting. The Justice Department, Soghoian points out, is badly delinquent in reporting on its use of pen/trap orders, which are generally used to track communications routing information like phone numbers and IP addresses, but are likely to be increasingly used for location tracking. And recent changes in the law may have made it easier for intelligence agencies to turn cell phones into tracking devices.  In the criminal context, the legal process for getting geolocation information depends on a variety of things—different districts have come up with different standards, and it matters whether investigators want historical records about a subject or ongoing access to location info in real time. Some courts have ruled that a full-blown warrant is required in some circumstances, in other cases a “hybrid” order consisting of a pen/trap order and a 2703(d) order. But a passage from an Inspector General’s report suggests that the 2005 PATRIOT reauthorization may have made it easier to obtain location data:

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [REDACTED PHRASE]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [REDACTED PHRASE] from the FISA Court. Therefore, OIPR decided not to request [REDACTED PHRASE] pursuant to Section 215 until it re-briefed the issue for the FISA Court. As a result, in 2006 combination orders were submitted to the FISA Court only from January 1, 2006, through March 8, 2006.

The new statutory language permits FISA pen/traps to get more information than is allowed under a traditional criminal pen/trap, with a lower standard of review, including “any temporarily assigned network address or associated routing or transmission information.” Bear in mind that it would have made sense to rely on a 215 order only if the information sought was more extensive than what could be obtained using a National Security Letter, which requires no judicial approval. That makes it quite likely that it’s become legally easier to transform a cell phone into a tracking device even as providers are making it point-and-click simple to log into their servers and submit automated location queries.  So it’s become much more  urgent that the Justice Department start living up to its obligation to start telling us how often they’re using these souped-up pen/traps, and how many people are affected.  In congressional debates, pen/trap orders are invariably mischaracterized as minimally intrusive, providing little more than the list of times and phone numbers they produced 30 years ago.  If they’re turning into a plug-and-play solution for lojacking the population, Americans ought to know about it.

If you’re interested enough in this stuff to have made it through that discussion, incidentally, come check out our debate at Cato this afternoon, either in the flesh or via webcast. There will be a simultaneous “tweetchat” hosted by the folks at Get FISA Right.

The FISA Amendments: Behind the Scenes

I’ve been poring over the trove of documents the Electronic Frontier Foundation has obtained detailing the long process by which the FISA Amendments Act—which substantially expanded executive power to conduct sweeping surveillance with little oversight—was hammered out between Hill staffers and lawyers at the Department of Justice and intelligence agencies. The really interesting stuff, of course, is mostly redacted, and I’m only partway though the stacks, but there are a few interesting tidbits so far.

As Wired has already reported, one e-mail shows Bush officials feared that if the attorney general was given too much discretion over retroactive immunity for telecoms that aided in warrantless wiretapping, the next administration might refuse to provide it.

A couple other things stuck out for me. First, while it’s possible they’ve been released before and simply not crossed my desk, there are a series of position papers — so rife with  underlining that they look like some breathless magazine subscription pitch — circulated to Congress explaining the Bush administration’s opposition to various proposed amendments to the FAA. Among these was a proposal by Sen. Russ Feingold (D-WI) that would have barred “bulk collection” of international traffic and required that the broad new intelligence authorizations specify (though not necessarily by name) individual targets. The idea here was that if there were particular suspected terrorists (for instance) being monitored overseas, it would be fine to keep monitoring their communications if they began talking with Americans without pausing to get a full-blown warrant — but you didn’t want to give NSA carte blanche to just indiscriminately sweep in traffic between the U.S. and anyone abroad. The position paper included in these documents is more explicit than the others that I’ve seen about the motive for objecting to the bulk collection amendment. Which was, predictably, that they wanted to do bulk collection:

  • It also would prevent the intelligence community from conducting the types of intelligence collection necessary to track terrorits and develop new targets.
  • For example, this amendment could prevent the intelligence community from targeting a particular group of buildings or a geographic area abroad to collect foreign intelligence prior to operations by our armed forces.

So to be clear: Contra the rhetoric we heard at the time, the concern was not simply that NSA would be able to keep monitoring a suspected terrorist when he began calling up Americans. It was to permit the “targeting” of entire regions, scooping all communications between the United States and the chosen area.

One other exchange at least raises an eyebrow.  If you were following the battle in Congress at the time, you may recall that there was a period when the stopgap Protect America Act had expired — though surveillance authorized pursuant to the law could continue for many months — and before Congress approved the FAA. A week into that period, on February 22, 2008, the attorney general and director of national intelligence sent a letter warning Congress that they were now losing intelligence because providers were refusing to comply with new requests under existing PAA authorizations. A day later, they had to roll that back, and some of the correspondence from the EFF FOIA record makes clear that there was an issue with a single recalcitrant provider who decided to go along shortly after the letter was sent.

But there’s another wrinkle. A week prior to this, just before the PAA was set to expire, Jeremy Bash, the chief counsel for the House Permanent Select Committee on Intelligence, sent an email to “Ken and Ben,” about a recent press conference call. It’s clear from context that he’s writing to Assistant Attorney General Kenneth Wainstein and General Counsel for the Director of National Intelligence Ben Powell about this press call, where both men fairly clearly suggest that telecoms are balking for fear that they’ll no longer be immune from liability for participation in PAA surveillance after the statute lapses. Bash wants to confirm whether they really said that “private sector entities have refused to comply with PAA certifications because they were concerned that the law was temporary.” In particular, he wants to know whether this is actually true, because “the briefs I read provided a very different rationale.”  In other words, Bash — who we know was cleared for the most sensitive information about NSA surveillance — was aware of some service providers being reluctant to comply with “new taskings” under the law, but not because of the looming expiration of the statute. One of his correspondents — whether Wainstein or Powell is unclear — shoots back denying having said any such thing (read the transcript yourself) and concluding with a terse:

Not addressing what is in fact the situation on both those issues (compliance and threat to halt) on this email.

In other words, the actual compliance issues they were encountering would have to be discussed over a more secure channel. If the issue wasn’t the expiration, though, what would the issue have been? The obvious alternative possibility is that NSA (or another agency) was attempting to get them to carry out surveillance that they thought might fall outside the scope of either the PAA or a particular authorization. Given how sweeping these were, that should certainly give us pause. It should also raise some questions as to whether, even before that one holdout fell into compliance, the warning letter from the AG and the DNI was misleading. Was there really ever a “gap” resulting from the statute’s sunset, or was it a matter of telecoms balking at an attempt by the intelligence community to stretch the bounds of their legal authority? The latter would certainly fit a pattern we saw again and again under the Bush administration: break the law, inducing a legal crisis, then threaten bloody mayhem if the unlawful program is forced to abruptly halt — at which point a nervous Congress grants its blessing.

State Secrets, State Secrets Are No Fun

Despite Barack Obama’s frequent paeans to the value of transparency during the presidential campaign, his Justice Department has incensed civil liberties advocates by parroting the Bush administration’s broad invocations of the “state secrets privilege” in an effort to torpedo lawsuits challenging controversial interrogation and surveillance policies. Though in many cases the underlying facts have already been widely reported, DOJ lawyers implausibly claimed, not merely that particular classified information should not be aired in open court, but that any discussion of the CIA’s “extraordinary rendition” of detainees to torture-friendly regimes, or of the NSA’s warrantless wiretapping, would imperil national security.

That may—emphasis on may—finally begin to change as of October 1st, when new guidelines for the invocation of the privilege issued by Attorney General Eric Holder kick in. Part of the change is procedural: state secrets claims will need to go through a review board and secure the personal approval of the Attorney General. Substantively, the new rules raise the bar for assertions of privilege by requiring attorneys to provide courts with specific evidence showing reason to expect disclosure would result in “significant harm” to national security. Moreover, those assertions would have to be narrowly tailored so as to allow cases to proceed on the basis of as much information as can safely be disclosed.

That’s the theory, at any rate. The ACLU is skeptical, and argues that relying on AG guidelines to curb state secrets overreach is like relying on the fox to guard the hen house. And indeed, hours after the announcement of the new guidelines—admittedly not yet in effect—government attorneys were singing the state secrets song in a continuing effort to get a suit over allegations of illegal wiretapping tossed. The cynical read here is that the new guidelines are meant to mollify legislators contemplating statutory limits on state secrets claims while preserving executive discretion to continue making precisely the same arguments, so long as they add the word “significant” and jump through a few extra hoops. Presumably we’ll start to see how serious they are come October. And as for those proposed statutory limits, if the new administration’s commitment to greater  accountability is genuine, they should now have no objection to formal rules that simply reinforce the procedures and principles they’ve voluntarily embraced.

A Chance to Fix the PATRIOT Act?

As Tim Lynch noted earlier this week, Barack Obama’s justice department has come out in favor of renewing three controversial PATRIOT Act provisions—on face another in a train of disappointments for anyone who’d hoped some of those broad executive branch surveillance powers might depart with the Bush administration.

But there is a potential silver lining: In the letter to Sen. Patrick Leahy (D-VT) making the case for renewal, the Justice Department also declares its openness to “modifications” of those provisions designed to provide checks and balances, provided they don’t undermine investigations. While the popular press has always framed the fight as being “supporters” and “opponents” of the PATRIOT Act, the problem with many of the law’s provisions is not that the powers they grant are inherently awful, but that they lack necessary constraints and oversight mechanisms.

Consider the much-contested “roving wiretap” provision allowing warrants under the Foreign Intelligence Surveillance Act to cover all the communications devices a target might use without specifying the facilities to be monitored in advance—at least in cases where there are specific facts supporting the belief that a target is likely to take measures to thwart traditional surveillance. The objection to this provision is not that intelligence officers should never be allowed to obtain roving warrants, which also exist in the law governing ordinary law enforcement wiretaps. The issue is that FISA is fairly loosey-goosey about the specification of “targets”—they can be described rather than identified. That flexibility may make some sense in the foreign intel context, but when you combine it with similar flexibility in the specification of the facility to be monitored, you get something that looks a heck of a lot like a general warrant. It’s one thing to say “we have evidence this particular phone line and e-mail account are being used by terrorists, though we don’t know who they are” or “we have evidence this person is a terrorist, but he keeps changing phones.” It’s another—and should not be possible—to mock traditional particularity requirements by obtaining a warrant to tap someone on some line, to be determined. FISA warrants should “rove” over persons or facilities, but never both.

The DOJ letter describes the so-called “Lone Wolf” amendment to FISA as simply allowing surveillance of targets who are agents of foreign powers without having identified which foreign power (i.e. which particular terrorist group) they’re working for. They say they’ve never invoked this ability, but want to keep it in reserve. If that description were accurate, I’d say let them. But as currently written, the “lone wolf” language potentially covers people who are really conventional domestic threats with only the most tenuous international ties—the DOJ letter alludes to people who “self-radicalize” by reading online propaganda, but are not actually agents of a foreign group at all.

Finally, there’s the “business records” provision, which actually covers the seizure of any “tangible thing.”  The problems with this one probably deserve their own post, and ideally you’d just go through the ordinary warrant procedure for this. But at the very, very least there should be some more specific nexus to a particular foreign target than “relevance” to a ongoing investigation before an order issues. The gag orders that automatically accompany these document requests also require more robust judicial scrutiny.

Some of these fixes—and quite a few other salutary reforms besides—appear to be part of the JUSTICE Act which I see that Sen. Russ Feingold (D-WI) introduced earlier this afternoon.  I’ll take a closer look at the provisions of that bill in a post tomorrow.

Obama’s Military Commissions

President Obama is expected to announce how his administration is going to prosecute prisoners for war crimes and perhaps other terrorist offenses.  Instead of civilian court, courts-martial, or new “national security courts,” Obama has apparently decided to embrace George W. Bush’s system of special military tribunals, but with some “modifications.”

Glenn Greenwald slams Obama for seeking to create a “gentler” tribunal system and urges liberals to hold Obama to the same standards that were applied to Bush:

What makes military commissions so pernicious is that they signal that anytime the government wants to imprison people but can’t obtain convictions under our normal system of justice, we’ll just create a brand new system that diminishes due process just enough to ensure that the government wins.  It tells the world that we don’t trust our own justice system, that we’re willing to use sham trials to imprison people for life or even execute them, and that what Bush did in perverting American justice was not fundamentally or radically wrong, but just was in need of a little tweaking.  Along with warrantless eavesdropping, indefinite detention, extreme secrecy doctrines, concealment of torture evidence, rendition, and blocking judicial review of executive lawbreaking, one can now add Bush’s military commission system, albeit in modified form, to the growing list of despised Bush Terrorism policies that are now policies of Barack Obama.

Greenwald is right.  The primary issue is not due process.  The tribunals might ultimately be “fair” and “unbiased” in some broad sense, but where in the Constitution does it say that the president (or Congress) can create a newfangled court system to prosecute, incarcerate, and execute prisoners?

For more about how Bush’s prisoner policies ought to be ravamped, see my chapter “Civil Liberties and Terrorism” (pdf) in the Cato Handbook for Policymakers.