<https://www.theguardian.com/technology/2022/apr/04/us-law-enforcement-agencies-access-your-data-apple-meta>

A brazen hack that exposed consumer data collected by Apple and the 
Facebook-parent company Meta has raised fresh questions about how secure our 
data is in the hands of tech companies and how easily law enforcement can get 
hold of the information big tech collects.

It was revealed last week that hackers obtained the information of some Apple 
and Meta users by forging an emergency legal request, one of several mechanisms 
by which law enforcement agencies can request or demand that tech companies 
hand over data such as location and subscriber information.

Lawmakers and privacy advocates argued the forgery was a warning sign that the 
system is in need of reform. “No one wants tech companies to refuse legitimate 
emergency requests,” but the current system has “clear weaknesses”, Senator Ron 
Wyden said in a statement following the hack.

A review of the myriad ways tech companies share consumer data with law 
enforcement agencies reveals that it’s often fairly straightforward for such 
bodies to get their hands on consumer data. “[Your data is] pretty much all 
available to the government in one form or another,” said Jennifer Lynch, the 
surveillance litigation director at the digital rights group the Electronic 
Frontier Foundation.

“One of the real challenges with technology these days is that it is next to 
impossible to figure out exactly all the data that companies are collecting on 
us and to exert any kind of control over what happens to that data,” added 
Lynch.

An emergency legal request, like the one the hackers forged, for instance, 
doesn’t require a subpoena or warrant, unlike many other legal requests. It’s 
supposed to be reserved for exceptional situations: Apple considers legal 
requests an “emergency” if “it relates to circumstance(s) involving imminent 
and serious threat(s) to: 1) the life/safety of individual(s); 2) the security 
of a State; 3) the security of critical infrastructure/installation”. But, as 
the hackers have shown, it can be easily exploited.

Apple and Meta did not respond to a request for comment.

Here are some of the main ways law enforcement can get hold of your data.

Accessing your device

Perhaps the most obvious way law enforcement can get your data is by accessing 
your physical device. Police can subpoena your device or get a search warrant 
to go through your phones. If your phone is locked or you only use encrypted 
messaging apps, police can use mobile device forensic tools to break the 
encryption or bypass your lock screens if they are armed with a warrant.

In February 2021, a US appeals court ruled that Customs and Border Protection 
(CBP) can freely search your devices without a warrant at the borders. The move 
created “a massive loophole to target anyone traveling into or out of the US”, 
said Albert Fox Cahn, the founder of the privacy advocacy firm Surveillance 
Technology Oversight Project.

Law enforcement requests

If you scan privacy policies of your most used apps you’ll probably find a 
clause or two that says something along the lines of “we don’t share your user 
data ever unless it’s in response to a law enforcement request”. That means 
police, Immigration and Customs Enforcement (Ice), the FBI and other law 
enforcement agencies can get your user data directly from tech companies 
through various forms of legal requests, without having to search your device. 
Sometimes, they can get it just by asking for it.

Google, for example, received more than 39,000 requests for user information 
between July and December 2020, according to the company’s most recent 
transparency report. Google handed over user info in response to more than 80% 
of those requests, affecting the accounts of more than 89,000 users.

In many cases these requests come with gag orders, meaning the company cannot 
notify users that their information has been requested for six months or more. 
Sometimes it will be years before a user finds out their information has been 
handed over to law enforcement.

There are a handful of different types of law enforcement requests, some more 
sweeping than others and some carrying more legal weight. Three types of legal 
requests in particular have recently sparked concern among activists and 
experts: geofence warrants, keyword search warrants and administrative 
subpoenas.

A keyword search warrant allows law enforcement to access the information of 
anyone who searched for certain terms or keywords within a certain time period.

A geofence warrant allows law enforcement agencies to seek the device 
information of all the users who were at a certain place at a certain time. 
Google, the only company that currently discloses the number of geofence 
warrants it receives, said it fielded a little under 3,000 in the last quarter 
of 2020.

Both types of warrants, privacy experts say, are over-broad and thus violate 
the constitutional protection against unreasonable searches. While many 
warrants typically seek the information of a single person or group of people 
who are suspected of a crime, geofence and keyword search warrants work 
backwards and cast a wide net hoping to narrow down a list of suspects.

It’s not unlike cell-tower dumps, for which law enforcement agencies ask 
cellphone companies for the information of all people who were connected to a 
cell tower in the vicinity of a crime scene at the time the crime was suspected 
to have occurred.

A federal judge in Virginia recently ruled that local authorities violated the 
constitution when using a geofence warrant to investigate a 2019 robbery, 
setting a precedent that attorneys representing people caught up in these types 
of searches could use to receive remedies for being falsely suspected or 
accused of a crime.

Administrative subpoenas carry less legal weight than other requests: law 
enforcement agencies don’t need a judge to sign off on them but they also 
aren’t self-enforcing. The only way the agencies can force a company to hand 
over the data demanded in the request is by taking them to court after they 
refuse to comply. Still, companies will often comply with the request even 
though it is not a court-ordered subpoena. Some experts have expressed concern 
about the use of this type of request by Ice, which has requested user data from 
tech companies like Google, fearing the agency is using them to expand its 
surveillance on US citizens. An Ice official previously said the agency does 
not often send administrative subpoenas to tech companies for non-criminal 
purposes. In a press release, Ice said it “uses statutorily-authorized 
immigration subpoenas to obtain information as part of investigations regarding 
potential removable aliens”.

Google did not immediately respond to a request for comment.

Data brokers

There is an entire industry of companies and firms that buy and sell your data 
for a profit. The shadowy network of data brokers operates fairly under the 
radar but often provides easy access to user data such as your location and 
purchase history to other entities, including law enforcement.

Data brokers can collect your personal data from a handful of different 
sources, such as your social media profiles, public records and other 
commercial sources or companies. Some data brokers integrate directly into apps 
to hoover up information like location and purchase history. These brokers, 
which can include some telecommunications companies and credit reporting 
agencies, then sell that raw data, or inferences and analysis based on that 
data, to other companies and government agencies.

It’s not always clear whether a data broker has collected or sold your 
information. In fact, recently data broker X Mode, whose customers include 
military contractors, was exposed for buying location data from the Muslim 
prayer app Muslim Pro without the knowledge of users of the app.

Surveillance tech companies

Law enforcement agencies also contract with surveillance tech companies like 
Clearview AI and Voyager, which scrape your information from the internet and 
social media and feed it into their own algorithms.

Consumer tech companies you may interact with on a daily basis also provide 
services to police. Amazon’s smart doorbell Ring, for instance, gives some 
police special access to their Neighbors social network and makes it easy for 
the police to monitor and request Ring footage from consumers.

Contracts between tech companies and law enforcement agencies have become more 
frequent as the tech industry seeks out new avenues of growth, experts say. 
Because many of the spaces tech is already in have clear dominant players, law 
enforcement contracts have become an appealing growth strategy because of the 
seemingly endless supply of funding for agencies like the Department of 
Homeland Security and local police.

Data-sharing

There’s also quite a bit of inter-agency data sharing happening at the local, 
state and federal levels of government. While it might seem unsurprising that 
law enforcement agencies share information, you might be surprised to learn 
that an entity like the DMV shares information with agencies like Ice.

That data-sharing is made easier by services from companies like Palantir, 
which creates a centralized network of digital records which include “chronic 
offenders” and other people deemed of interest that can be easily accessed by 
the company’s law enforcement partners at all levels – from many local police 
departments to the FBI.