Computers, Privacy & the Constitution

The NYPD Already Knows Your Phone Number (And They Might Know Every Place You Have Been in the Past Four Years)

-- By SeanBerens - 09 May 2013

Introduction

Over the past several years, there has been a massive uptick in law enforcement requests for geolocation data from private wireless carriers. The House Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing on April 25, 2013 to deal with this issue as part of an effort to consider updating the Electronic Communications Privacy Act of 1986 (ECPA). The written statements of the witnesses at the hearing provide a comprehensible and troubling explanation of the status quo in the tracking of Americans through their cell phones, including the tracking of those who exhibit absolutely no suspicious behavior.

The Law and Technology Currently Used for Acquiring Geolocation Data

Mark Eckenwiler, a former DOJ attorney, provided succinct testimony about the means by which law enforcement officials gain historic location information from wireless providers. Individual cell towers are serving smaller and smaller areas. In dense areas like Midtown Manhattan, where towers must accommodate many users, they may be spaced as little as 200 meters apart. The proliferation of tightly spaced towers allows for increasingly precise tracking of individual users without even resorting to GPS. If a user places a call or sends a text message, then the tower used for the call is recorded and that user’s rough location in relation to that tower can also be recorded. If they are moving during a call, then this geolocation data will show the path that they are taking with unprecedented precision as one tower “hands off” their call to the next. The trail goes back a long way. Verizon, T-Mobile and Sprint all keep information about every tower that a phone uses for between one and two years. AT&T remains in possession of information about every tower used by its customers “since 2008.” So, if you use AT&T and the NYPD is investigating you for some reason, they may be able to confront you with your whereabouts on, say, May 9, 2009, a full four years ago. If that doesn’t rattle you, they can confront you with every place that you have been (while in possession of your phone) between then and today.

That's not quite what you said the evidence showed. The witness correctly testified that the phone has to be active in the control channel (making or receiving a call, or sending or receiving a text message) in order to be logged by the cell router.

This capability is perhaps more troubling than it otherwise would be because law enforcement agencies do not need a warrant supported by probable cause to obtain this historical location information. Under the ECPA, as amended in 1994, law enforcement officials can get this location data from carriers by obtaining a “2703(d)” order from a court. All that the government must do to obtain this order is “offer specific and articulable facts showing that there are reasonable grounds to believe that ... the records or other information sought, are relevant and material to an ongoing criminal investigation.” As those testifying made clear, there is a huge disparity between judges when it comes to their determination of what rises to the level of “relevant and material” for the sake of a 2703(d) order.

A widespread practice is to simply request the information on every user of a particular cell tower within a given period of time. This is a called a “tower dump” and it represents an investigative practice that is just as repugnant to the Fourth Amendment as programs like New York’s “Stop and Frisk.” That program claims to use reasonable suspicion as the justification for the stopping and searching of hundreds of thousands every year and it has drawn extensive criticism for justifying stops with vague rationales like a person’s exhibition of “furtive movements.” The standard for obtaining a 2703(d) order is often no more stringent than the standard used for conducting Stop and Frisk. On what amounts to a simple hunch, law enforcement agencies may obtain information about every user in a given area at a given time. Then, they can comb through that information to establish patterns and add to their requests for information as they learn more.

A hypothetical might be useful to conceptualize this law enforcement practice. It is conceivable that police officers might be investigating a crime that occurred near Zucotti Park during the height of the Occupy Wall Street protests. Without evidence beyond the location and date of the alleged crime, they can probably obtain a court order that will give them information about every single cell phone present at the protest. Once they have those phone numbers, they do not even need a court order to request the names and addresses of the individual users from the wireless companies. Under the ECPA, that information can be obtained through a subpoena. I have trouble seeing how this is different from the NYPD simply detaining every protester until they can see their identification and log their presence at the protest. This information alone has the potential to chill participation in future protests.

Have you made an argument about why the cellphone information should be different from other business record bits that can be gotten by subpoena, or are you arguing for a right to be anonymous in public when attending, for example, demonstrations? Don't you think the latter might be the substantive right at stake, in which case this other stuff is merely a matter of implementation when it comes to protecting the underlying right?

Proposals for the Future

At the hearing on April 25th, an ACLU attorney implored the Subcommittee to protect the privacy of this historic location data by requiring a warrant before it can be obtained from wireless carriers. A law enforcement representative pleaded with the Subcommittee to retain the status quo because cell phone location data was so useful in investigations where no probable cause yet existed. A warrant requirement would be best but, perhaps, that is not necessary. What if the wireless carriers simply had to provide notice to customers of every response to a 2703(d) order that included the customer’s phone number? After all, this could be accomplished by sending an automated text message without great effort or expenditure on the part of carriers or law enforcement. If people knew when they were being tracked, then it might be easier to mobilize them as advocates for more robust privacy protections.

Or maybe we could go right to the more robust privacy protections, whatever they are, that are what we really want. I don't think the point is primarily to get warrants issued addressed to third parties who primarily object to the cost of dealing with them. The point is to disable tracking, not to arm the people who make a profit from tracking with rules they can use to reduce their cost of selling at a fixed price to law enforcement.

If you want not to be tracked everywhere you go by anyone who is really interested, you can't carry a mobile phone with a battery in it. The behavioral implantation of these tracking devices in every human body can be resisted. But even without the trackers we carry, the Net is increasingly collecting the information about our presence, through cameras and other sensors, and is within two decades going to be capable of recognizing us everywhere. So hadn't you better deal with the problem somewhere closer to the root than the wiring cabinets of one sort of network operator at a time?


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r2 - 12 May 2013 - 23:38:33 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM