Topic: Telecom, Internet & Information Policy

State ID Databases Hacked

It won’t surprise anyone who follows data security to know that this past summer saw a hack of databases containing Louisiana driver information. A hacker going by the ironic handle “NSA” offered the data for sale on a “dark web” marketplace.

Over 290,000 residents of Louisiana were apparently affected by the data breach. The information stolen was typical of that which is held by motor vehicle bureaus: first name, middle name, last name, date of birth, driver’s license number, state in which the driver’s license was issued, address, phone number, email address, a record of driving offenses and infractions, and any and all fines paid to settle tickets and other fines.

This leak highlights the risks of state participation in the REAL ID Act. One of the problems with linking together the databases of every state to create a national ID is that the system will only be as secure as the state with the weakest security.

REAL ID mandates that states require drivers to present multiple documents for proof of identity, proof of legal presence in the United States, and proof of their Social Security number. The information from these documents and digital copies of the documents themselves are to be stored state-run databases just like the one that was hacked in Louisiana.

For the tiniest increment in national security—inconveniencing any foreign terrorist who might use a driver’s license in the U.S.—REAL ID increases the risk of wholesale data breaches and wide-scale identity fraud. It’s not a good trade-off.

Transparency and its Discontents

A preliminary draft paper on transparency that Cass Sunstein posted last month inspired Vox’s Matthew Yglesias to editorialize “Against Transparency” this week. Both are ruminations that shouldn’t be dealt with too formally, and in that spirit I’ll say that my personal hierarchy of needs doesn’t entirely overlap with Yglesias’.

In defense of selective government opacity, he says: “We need to let public officials talk to each other — and to their professional contacts outside the government — in ways that are both honest and technologically modern.”

Speak for yourself, buddy! The status quo in government management may need that, but that status quo is no need of mine.

A pithy, persuasive response to Yglesias came from the AP’s Ted Bridis, who pointed out via Twitter the value of recorded telephone calls for unearthing official malfeasance. Recordings reveal, for example, that in 2014 U.S. government officials agreed to restrict more than 37 square miles of airspace surrounding Ferguson, Missouri, in response to local officials’ desire to keep news helicopters from viewing the protests there. Technological change might counsel putting more of public officials’ communications “on the record,” not less.

It’s wise of Sunstein to share his piece in draft—in its “pre-decisional” phase, if you will—because his attempt to categorize information about government decision-making as “inputs” and “outputs” loses its intuitiveness as you go along. Data collected by the government is an output, but when it’s used for deciding how to regulate, it’s an input, etc. These distinctions would be hard to internalize and administer, certainly at the scale of a U.S. federal government, and would collapse when administered by government officials on their own behalf.

The Weird World of Data (and Your Privacy)

In 2007, Judge Richard Posner found it “untenable” that attaching a tracking device to a car is a seizure. But the Supreme Court struck down warrantless attachment of a GPS device to a car on that basis in 2012. Putting a tracking device on a car makes use of it without the owner’s permission, and it deprives the owner of the right to exclude others from the car.

The weird world of data requires us to recognize seizures when government agents take any of our property rights, including the right to use and the right to exclude others. There’s more to property than the right to possession.

In an amicus brief filed with the U.S. Court of Appeals for the D.C. Circuit last week, we argued for Fourth Amendment protection of property rights in data. Recognition of such rights is essential if the protections of the Fourth Amendment are going to make it into the Information Age.

The case arises because the government seized data about the movements of a criminal suspect from his cell phone provider. The government argues that it can do so under the Stored Communications Act, which requires the government to provide “specific and articulable facts showing that there are reasonable grounds to believe that [data] are relevant and material to an ongoing criminal investigation.” That’s a lower standard than the probable cause standard of the Fourth Amendment.

As we all do, the defendant had a contract with his cell phone provider that required it to share data with others only based on “lawful” or “valid” legal processes. The better reading of that industry-standard contract language is that it gives telecom customers their full right to exclude others from data about them. If you want to take data about us that telecom companies hold for us under contract, you have to get a warrant.

The Fourth Amendment Protects Your Cell-Location Data

When the federal district court in D.C. ordered a seizure of Alonzo Marlow’s cell service location information (CSLI) held by his cell provider, it held that the federal government didn’t need a warrant to obtain CSLI data from a person’s phone provider. The Stored Communications Act of 1986 (SCA) governs the searching of such data, and under § 2703(d) of that act, federal investigators need not demonstrate probable cause in order to search—but merely to show “specific and articulable facts” that there is criminal wrongdoing. Thus, the Fourth Amendment requirement that “no warrants shall issue, but upon probable cause” is effectively removed.

NSA Hackers, Hacked

Screenshot of files from the Equation Group Hack

The Equation Group was like something out of a Hollywood film: A hacking team of unparalleled sophistication and skill who cracked open computer systems around the world like pistachio shells, yet escaped detection for 14 years until being noticed by the security researchers at Kaspersky Lab last year. They were also widely believed to be affiliated with the National Security Agency—most likely working with or from the NSA’s elite Tailored Access Operations unit.  Last weekend, the world learned that these hackers nonpareil had themselves apparently been hacked, when a group calling themselves the Shadow Brokers (likely a reference to the popular Mass Effect video game series) posted a cache of what they claimed were some of Equation Group’s “cyberweapons,” or computer exploitation tools, on the Web for all to see—along with an offer to sell even more valuable intrusion software they’d obtained to the highest bidder.

Understanding U.S. v. Ackerman

The Supreme Court has eschewed the “reasonable expectation of privacy” test in its most important recent Fourth Amendment cases. It’s not certain that the trend away from the so-called “Katz test,” largely driven by Justice Scalia, will continue, and nobody knows what will replace it. But doctrinal shift is in the air. Courts are searching for new and better ways to administer the Fourth Amendment.

A good example is the Tenth Circuit’s decision last week in U.S. v. Ackerman. That court found that opening an email file was a Fourth Amendment “search,” both as a matter of reasonable expectations doctrine and the “distinct line of authority” that is emerging from the Supreme Court’s 2012 decision in U.S. v. Jones.

Here are the facts: AOL scans outgoing emails for child porn by comparing hashes of files sent through its network to hashes of known child porn. When it becomes aware of child porn, it is required by law to report them to the National Center for Missing and Exploited Children. NCMEC is a governmental entity and agent. (That point takes up the bulk of the decision; Congress has made huge grants of governmental power to the organization.) NCMEC opened the file without a warrant.

Economics Will Be Our Ruination II

Economics appears to be a neutral tool, but it often subtly embeds values that we are better off surfacing and discussing. In a recent post henceforth to be known as “Economics Will Be Our Runiation I,” I pointed out how, by preferring to measure the movement of dollars, orthodox economics treats leisure as a bad thing and laments advances in technology-based entertainments.

This installment of EWBOR focuses on an interesting and insightful article recently published in the University of Pennsylvania Law Review, “An Economic Understanding of Search and Seizure Law.” In it, George Washington University Law School professor Orin Kerr shows that the Fourth Amendment helps increase the efficiency of law enforcement by accounting for external costs of investigations. Here is his model:

The net benefit of any particular investigative step can be described as P*V – Ci – Ce, where P represents the increase in probability that the crime will be solved and successfully prosecuted, V represents the net value of a successful prosecution resulting from deterrence and incapacitation, Ci represents the internal costs of the investigative step, and Ce represents its external costs.

Ci means things like the cost of training and equipping police officers and paying their salaries, as well as their own use of their time. Ce, external costs, “include privacy harms and property losses that result from an investigation that is imposed on a suspect. They also include the loss of autonomy and freedom imposed directly on the subject of the investigation (who may be guilty or innocent) as well as his family or associates.” Kerr rightly includes in Ce more diffuse burdens such as community hostility to law enforcement.