Today in History – June 23

Today in History – June 23

EFF: Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking

Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking

The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information. In an opinion by Chief Justice Roberts, the Court recognized that location information, collected by cell providers like Sprint, AT&T, and Verizon, creates a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.” As a result, police must now get a warrant before obtaining this data.

This is a major victory. Cell phones are essential to modern life, but the way that cell phones operate—by constantly connecting to cell towers to exchange data—makes it possible for cell providers to collect information on everywhere that each phone—and by extension, each phone’s owner—has been for years in the past. As the Court noted, not only does access to this kind of information allow the government to achieve “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” but, because phone companies collect it for every device, the “police need not even know in advance whether they want to follow a particular individual, or when.”

For years, the government has argued that the sensitive nature of this data doesn’t matter; the mere fact that it’s collected by phone companies makes it automatically devoid of constitutional protection.

This argument is based on an outdated legal principle called the “Third Party Doctrine,” which was developed by the Supreme Court in two main cases from the 1970s involving records of phone calls and bank transactions. Courts around the country had long been deeply divided on whether the Third Party Doctrine should apply to cell phone location information or whether the invasiveness of the tracking it enables should require a more privacy-protective rule.

…there is a “world of difference between the limited types of personal information addressed in” prior Supreme Court cases and “the exhaustive chronicle of location information casually collected by wireless carriers today.”

EFF has been involved in almost all of the significant past cases, and in Carpenter, EFF filed briefs both encouraging the court to take the case and urging it to reject the Third Party Doctrine. We noted that cell phone usage has exploded in the last 30 years, and with it, the technologies to locate users have gotten and continue to get ever more precise.

Thankfully, in Carpenter, Justice Roberts rejected the government’s reliance on the Third Party Doctrine, writing that there is a “world of difference between the limited types of personal information addressed in” prior Supreme Court cases and “the exhaustive chronicle of location information casually collected by wireless carriers today.” The Court also explained that cell phone location information “is not truly ‘shared’ as one normally understands the term,” particularly because a phone “logs a cell-site record by dint of its operation, without any affirmative act on the part of the user beyond powering up.”

We were pleased that the Court cited our amicus brief in its opinion and agreed with many of the points we raised. In particular, Justice Roberts noted that because cell phones generate a record of location information all the time and “because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation—this newfound tracking capacity runs against everyone.” What’s more, cell phone tracking enables the government to compile an “exhaustive chronicle of location information” so that “unlike the nosy neighbor who keeps an eye on comings and goings, [phone carriers] are ever alert, and their memory is nearly infallible.”

As we pointed out, this means that the government can engage in long-term monitoring. In Carpenter, for example, the government obtained 127 days of the defendant’s cell phone records from MetroPCS—without a warrant—to try to place him at the locations of several armed robberies around Detroit. Other cases have involved even longer periods of time. In a footnote, the Supreme Court declined to reach the question of whether very short periods of tracking, less than the 7 days used at trial in Carpenter, might not be covered by the Fourth Amendment. We think the right rule is to require a warrant for any cell phone tracking, but that will have to wait for another day.

Perhaps the most significant part of today’s ruling for the future is its explicit recognition that individuals can maintain an expectation of privacy in information that they provide to third parties. The Court termed that a “rare” case, but it’s clear that other invasive surveillance technologies, particularly those than can track individuals through physical space, are now ripe for challenge in light of Carpenter. Expect to see much more litigation on this subject from EFF and our friends.

Published June 23, 2018 at 12:40AM

EFF: Illinois Declines to Adopt Proposed Arbitrary Drone Surveillance of Protests

Illinois Declines to Adopt Proposed Arbitrary Drone Surveillance of Protests

Observers often forget that surveillance offends not only privacy, but also the right to dissent. A recently defeated Illinois bill illustrates how First and Fourth Amendment rights intersect, by proposing to undermine the right to dissent not obliquely, but rather directly. That’s why EFF joined the successful fight to defeat this spying proposal.
The proposal, promoted by the City of Chicago, was embodied in SB 2562 and its companion bill, HB 4405. Theywould have authorized police to use surveillance drones to monitor peaceful protests without first securing a judicial warrant. Had the measure been adopted, it would have permitted police to use facial recognition technology to identify individual demonstrators photographed by drones even absent any suspicion of wrongdoing.
The defeated proposal would have rolled back a well-received state law passed in 2013 that led the country in protecting dissent from drone surveillance, and which enjoyed overwhelming bipartisan support. Illinois’ 2013 law sharply limits law enforcement from using drones, generally requiring agencies to first obtain a judicial warrant based on probable cause to suspect that a crime has been committed.
Warrants are important. They serve the crucial function of preventing police fishing expeditions against political dissenters, andthe politicization of public safety measures to pursue personal vendettas. Moreover, they’re not a burden for police to secure. That makes a warrant requirement a reasonable (yet increasingly threatened) way to protect vital (and increasingly threatened) rights on which democracy depends.
In sharp contrast, the defeated 2018 measure would have authorized drone surveillance of any gathering of more than 100 people for “legitimate public safety purposes,” which expressly include “assessing public safety vulnerabilities or weaknesses…or identifying possible criminal activity.”
As explained by the International Human Rights Clinic at the University of Chicago Law School, “Police already have the power to use drones in response to dangerous situations. What this legislation adds — and which current law explicitly rejects — is the active, continuous, and suspicion-less surveillance by drone of anyone and everyone at an event.”
Karen Sheley, Director of the ACLU Police Practices Project, said, “This is too much unchecked power to give to the police – in Chicago or anywhere.” The Chicago Sun-Times agreed, noting: “Unwarranted snooping, as any Chicagoan who knows our city’s history can attest, could become a real danger.”
Ultimately, the proposed 2018 measure invited the kind of historically documented abuses and recurring problems that flourish behind a continuing wall of executive secrecy.
Incidentally, but of crucial relevance to state policymakers: President Trump is widely known for bearing petty grudges. The propensity of the President to pursue personal piques represents precisely why our Founders required warrants as a precondition to justify any police search: without review by an independent auditor, the executive branch is too prone to act arbitrarily. That’s why due process and access to justice are so important.
Beyond President Trump, even federal oversight bodies have been recently implicated in politicizing national security secrets. Closer to home, the Chicago Police Department (CPD) has also spied on political groups not only in the past, but also more recently.
Just two years ago, the CPD was caught spying for years on peaceful local dissenters including “union members, anti-Olympics protesters, anarchists, the Occupy movement, NATO demonstrators and critics of the Chinese government. And it has continued to [monitor them], according to…records….which the police department fought to withhold.”
Political grudges should not be enough to trigger surveillance by legal authorities.
Molly Armour, a Chicago attorney whose clients include grassroots activists facing police investigations based on their speech, explained that “Surveillance stifles dissent. And that’s dangerous for all of us.” And as explained by local activist Claude Walker in his letter to the editor:

“Giving City Hall or cops the right to dispatch drones to protests…without warrant – makes Red Squad tactics seem quaint….This technology has developed faster than our ability to use or regulate it….[L]awmakers should err on the side of privacy in drone laws.”

The “Red Squad” was the Chicago police unit that spied on political dissent for much of the Twentieth Century.
Fortunately, advocates of free speech and privacy defeated the 2018 proposal. While the Illinois House and Senate each approved a version of this bill, the state legislative session expired on May 31 without reconciling their conflicting versions.
Illinois has retained its leading protections of dissent from drone surveillance for this year, but this struggle will likely recur. Fortunately, local grassroots allies including Lucy Parsons Labs and the Chicago Committee to Defend the Bill of Rights—both of which are members of the Electronic Frontier Alliance—are monitoring the situation. If the City of Chicago persists in trying to undermine constitutional rights by seeking more expansive powers to spy on demonstrators using surveillance drones without any basis for suspicion, we look forward to responding by raising the alarm.

Published June 22, 2018 at 11:48PM

EFF: Journalists and Digital Security: Some Thoughts on the NYT Leak Case

Journalists and Digital Security: Some Thoughts on the NYT Leak Case

The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources.

The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee, James Wolfe, for possibly leaking classified information to reporters. So far Wolfe has only been indicted for making false statements to investigators about his contacts with reporters.

The investigation appears to have been focused on how New York Times reporter Ali Watkins, when she worked for Buzzfeed News, learned that Russian spies had attempted to recruit a former advisor to President Trump, Carter Page.

Reading the New York Times article, three things jumped out at us.

First, according to the article, FBI agents “secretly seized years’ worth” of Watkins’ phone and email records. “Among the records seized were those associated with her university email address from her undergraduate years.” However, “Investigators did not obtain the content of the messages themselves.”

We read this to mean that the FBI obtained “metadata” such as to/from and date/time information for each call and email, probably using a subpoena or court order authorized by the Electronic Communications Privacy Act (ECPA)/Stored Communications Act (SCA).

Many digital security resources, including EFF’s own Security Self-Defense (SSD) guide, emphasize using end-to-end encryption. However, it’s important to understand that while encryption protects the contents of communications, encryption does not mask metadata. Thus, without listening to or reading the communications themselves, government agents can see who you talked to and when, and sometimes from what location.

Metadata can be extremely revealing. Just the fact that Wolfe denied talking to reporters, when the metadata showed otherwise, earned him criminal charges.

Unfortunately, completely masking communications metadata is nearly impossible. Creating a temporary email account through an anonymizing tool like Tor can make it more difficult to associate that account with a particular person. Features like Signal’s Disappearing Messages will automatically delete some metadata after a set period of time, making it harder for law enforcement to acquire it after the fact.

Second, the government obtained the contents of communications Wolfe had with reporters over encrypted messaging apps (apparently Signal and WhatsApp).

Our guess is that the FBI got a warrant for Wolfe’s phone and somehow accessed the apps—perhaps his phone wasn’t locked, agents had his password, or they used a forensic tool to bypass the lock screen and any device-based encryption. It’s also possible investigators found backups stored in the cloud or on a hard drive that contained the unencrypted messages. (This issue has also come up in the Mueller investigation.)

If this is what happened, then it’s important to understand that although end-to-end encryption thwarts interception of communications content, if that content is sitting unencrypted at an end point—that is, in an app or a backup—then anyone who has access to the journalist’s or suspected source’s phone or backup may be able see those messages. Therefore, deleting unencrypted messages is an added security precaution. Once again, Signal’s Disappearing Messages feature is an effective way to defend against future device searches.

Third, a non-technical question is: did the Justice Department follow its own news media regulations? These regulations have been around for four decades and were most recently revised in 2014 after the shocking revelation that President Obama’s Justice Department in 2013 seized two months’ worth of phone records for reporters and editors of the Associated Press.

Among other requirements, such as first exhausting other avenues of information, the regulations require Justice Department investigators to provide journalists with prior notice and an opportunity to negotiate before seizing their records. But this is not what happened—as the New York Times article explains, Watkins received a letter from the Justice Department only after her phone and email records had already been obtained.

It wouldn’t be surprising if it came to light that the Justice Department invoked the exception to the prior notice requirement: where “such negotiations would pose a clear and substantial threat to the integrity of the investigation, risk grave harm to national security, or present an imminent risk of death or serious bodily harm.” But these details have not been revealed.

The bottom line is that journalists shouldn’t expect to always be notified ahead of time. Accordingly, they should take as many precautions as possible—digital and otherwise—to protect their confidential sources.

In addition to EFF’s Security Self-Defense (SSD) guide, we published a digital privacy guide to crossing the U.S. border that journalists might find helpful, as journalists have been harassed at airports and border crossings. Other journalism groups have useful digital privacy and security guides, such as those from Freedom of the Press Foundation, the Committee to Protect Journalists, and Reporters Without Borders.

Finally, the seizure of Watkins’ phone and email records has once again highlighted the desperate need for a federal shield law so that the government can’t go after journalists—whether through their service providers or in court—to try to uncover their confidential sources. Vice President Mike Pence was a lead sponsor of the Free Flow of Information Act when he was in the House of Representatives.

We renew our call for Congress to pass a robust federal shield law to protect not only journalists and their confidential sources—but also the public’s right to know.

Published June 22, 2018 at 09:55PM

EFF: Supreme Court Opens Door to Worldwide Patent Damages

Supreme Court Opens Door to Worldwide Patent Damages

The Supreme Court issued a disappointing opinion [PDF] today holding that a company could recover patent damages for lost profits overseas. The court’s reasoning could make overseas damages available in many patent cases. This will disadvantage companies that do research and development in the United States. When patent law discourages domestic innovation, it achieves the opposite of its intended purpose. 

The case, called WesternGeco LLC v. ION Geophysical Corp., involved a patent on a method of conducting marine seismic surveys. ION exported components that, when combined, were used to infringe the patent overseas. Under Section 271(f) of the Patent Act, exporting components of a patented invention for assembly abroad is considered infringement. WesternGeco received damages for the U.S. sales of the components. The court considered whether WesternGeco could also receive damages for lost profits for the use of the invention overseas.

Together with the R Street Institute, EFF filed an amicus brief [PDF] in the case explaining that worldwide damages are not consistent with the domestic focus of the patent act. Our brief, co-written with Professors Bernard Chao and Brian Love, provided an example of how such a ruling could harm U.S. innovation:

[C]onsider how such a regime might impact two hypothetical companies. Two companies, a domestic one A and a foreign one B, design and test semiconductor chips and contract with a foreign manufacturer to produce their designs. A patent owner claims that both companies’ testing processes infringe a patent, and demands damages for the manufactured chips on the theory that those chips’ manufacture and sale are proximately and factually caused by the infringing testing. [If the Court allows worldwide damages then] Company A could be liable for a reasonable royalty on its worldwide sales. In contrast, Company B would likely only be liable for royalties on its U.S. sales. This would effectively punish Company A for conducting research and development in the United States. 

Justices Gorsuch and Breyer broadly agreed with this reasoning. Indeed, Justice Gorsuch’s dissent includes a similar hypothetical and notes that it is a “very odd role for U. S. patent law to play in foreign markets.” Unfortunately, the other seven justices were unpersuaded. 

Most patent cases are brought under Section 271(a) of the Patent Act, which concerns infringement “within the United States.” As noted, today’s case considered a claim under Section 271(f), which concerns the export of components. It is tempting to hope that the court’s ruling will only apply to 271(f) cases. Unfortunately, the Supreme Court’s reasoning might result in patent owners arguing they deserve damages in all patent cases where domestic infringement supposedly causes harm overseas. In our view, that would be a terrible result. 

It may be that courts will apply proximate cause principles to find that overseas damages are not available for sales loosely linked to US research and development. We hope that damages will be not awarded in cases where there was U.S. research and development but the manufacture and sales occur overseas. If that became the norm, it would be a big disincentive to innovate within the United States.

Published June 22, 2018 at 09:37PM

EFF: Happy Birthday Alice: Four Years Busting Software Patents

Happy Birthday Alice: Four Years Busting Software Patents

This week marks the fourth anniversary of the Supreme Court’s decision in Alice v. CLS Bank. In Alice, the court ruled that an abstract idea does not become eligible for a patent simply by being implemented on a generic computer. Now that four years have passed, we know the case’s impact: bad patents went down, and software innovation went up.

Lower courts have applied Alice to throw out a rogues’ gallery of abstract software patents. Counting both federal courts and the Patent Trial and Appeal Board, there are more than 400 decisions finding patent claims invalid under Alice. These include rulings invalidating patents on playing bingo on a computer, computerized meal plans, updating games, and many more. Some of these patents had been asserted by patent trolls dozens or even hundreds of times. A single ruling threw out 168 cases where a troll claimed that companies infringed a patent on the idea of storing and labeling information.

EFF’s Saved By Alice project collects stories of small businesses that used the Alice decision to defend themselves against attacks by entities asserting abstract software patents. Our series includes a photographer sued for running a website where users could vote for their favorite photo. Another post discusses a medical startup accused of infringing an extremely broad patent on telehealth. Without the Alice ruling, many of these small businesses could have been bankrupted by a patent suit.

Meanwhile, software innovation has thrived in the wake of Alice. R&D spending on software and Internet development shot up 27% in the year following the Supreme Court’s decision and has continued to grow at a rapid rate. Employment growth for software developers is also vastly outpacing growth in other sectors. At the end of 2017, PwC concluded that the “computer and software industries still shine in the R&D stakes, outperforming all other organizations in terms of billions spent.” A recent paper found evidence that the increase in software R&D was linked to the Alice decision.

Unfortunately, Alice is under threat both in Congress and the courts. The patent lobby—in the form of the Intellectual Property Owners Association and the American Intellectual Property Law Association—wants Congress to undo Alice through legislation. Two recent decisions from the Federal Circuit, in Berkheimer v. HP and Aatrix Software v. Green Shades Software, may make it more difficult for defendants to assert Alice early in litigation. We filed an amicus brief [PDF] in the Berkheimer case urging the Federal Circuit to reconsider, but the court recently denied that petition. These rulings could help patent trolls use the cost of defending a suit as leverage, even when the trolls are asserting patents that are invalid under Alice.

Opponents of the Alice decision ignore the post-Alice boom in software innovation. Instead, they complain that it has become harder to get certain business method and software patents. But the patent system exists for the constitutional purpose of promoting the progress of the useful arts—not to provide work for patent prosecutors and litigators. With software R&D accelerating ahead of all other sectors, there is no need to return to the pre-Alice world of “do-it-on-a-computer” patents.

Published June 22, 2018 at 06:20PM

EFF: Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

This bill would give the U.S. Department of Homeland Security broad authority to spy on millions of individuals who live and work as far as 100 miles away from a U.S. border. It would enforce invasive biometric scans on innocent travelers, regardless of their citizenship or immigration status.

An Upcoming Vote

In mid-June, after months of stalled negotiations and failed legislative proposals, the Republican caucus of the House of Representatives agreed to a plan on immigration reform: Representatives would vote on two immigration bills.

Representatives smartly rejected one of those bills. The Securing America’s Future Act (H.R. 4760), which EFF opposed, failed in a 193-231 vote. That bill took a hardline stance on immigration and proposed the increased use of invasive surveillance technologies including biometric screening, social media monitoring, automatic license plate readers, and drones.

A vote is expected soon on the second bill: the Border Security and Immigration Reform Act. It would give children who came to this country without documentation—known as “Dreamers”—a path to citizenship. Unfortunately, this bill includes nearly the same bad border surveillance provisions as the bill that failed Thursday.

Given the grave impact this bill would have on individual privacy and rights, we urge Congress to vote the same way as it did Thursday and reject the Border Security and Immigration Reform Act.

More Surveillance Technologies and Drone Flights

The Border Security and Immigration Reform Act would fund multiple surveillance technologies across the United States. Near Detroit, for example, the bill calls for “mobile vehicle-mounted and man-portable surveillance capabilities” for U.S. Customers and Border Protection (CBP) agents. In Washington, the bill similarly calls for “advanced unattended surveillance sensors” and “ultralight aircraft detection capabilities.”

The bill also requires that CBP’s Air and Marine operations fly unmanned drones “on the southern border of the United States for not less than 24 hours per day for five days per week.”

This type of increased drone surveillance was proposed in H.R. 4760. As we previously wrote:

“Drones can capture personal information, including faces and license plates, from all of the people on the ground within the range and sightlines of a drone. Drones can do so secretly, thoroughly, inexpensively, and at great distances. Millions of U.S. citizens and immigrants live close to the U.S. border, and deployment of drones at the U.S. border will invariably capture personal information from vast numbers of innocent people.”

Similar to H.R. 4760, the Border Security and Immigration Reform Act includes no meaningful limitations on the drones’ flight paths, or the collection, storage, and sharing of captured data. The bill could lead to deep invasions into innocent bystanders’ lives, revealing their private information and whereabouts.

More Biometric Screening

The Border Security and Immigration Reform Act also proposes the establishment of a “biometric exit data system” that would require everyone leaving the country—immigrant or citizen—to have their biometric data screened against government biometric databases.

Relatedly, the bill would authorize the CBP Commissioner, “to the greatest extent practicable,” to use facial recognition scanning to inspect citizens traveling to the U.S. from nearly 40 visa waiver program countries, which include Japan, New Zealand, Australia, France, Germany, Italy, and Taiwan.

Further, the bill authorizes the Secretary of Homeland Security to “make every effort to collect biometric data using multiple modes of biometrics.” That means that fingerprints, facial recognition data, and iris scans could all be up for grabs in the future, so long as the Secretary of Homeland Security deems it necessary.

These proposals are similar to those included in H.R. 4760. They are worrying for the very same reasons:

“Biometric screening is a unique threat to our privacy: it is easy for other people to capture our biometrics, and once this happens, it is hard for us to do anything about it. Once the government collects our biometrics, data thieves might steal it, government employees might misuse it, and policy makers might deploy it to new government programs. Also, facial recognition has significant accuracy problems, especially for people of color.”

More Social Media Snooping on Visa Applicants

The Border Security and Immigration Reform bill also borrows the same deeply-flawed social media monitoring practices as those included in H.R. 4760.

The Border Security and Immigration Reform bill would authorize the Department of Homeland Security to look through the social media accounts of visa applicants from so-called “high-risk countries.” As we said about the proposal in H.R. 4760:

„This would codify and expand existing DHS and State Department programs of screening the social media of certain visa applicants. EFF opposes these programs. Congress should end them. They threaten the digital privacy and freedom of expression of innocent foreign travelers, and the many U.S. citizens and lawful permanent residents who communicate with them. The government permanently stores this captured social media information in a record system known as ‚Alien Files.'“

And similar to H.R. 4760, the Border Security and Immigration Act authorizes the Secretary of Homeland Security to use literally any criteria they find appropriate to determine what countries classify as “high-risk.” This broad authority would allow the Secretary of Homeland Security to target Muslim-majority nations for social media collection.

No Compromising on Civil Liberties

As Congress weighs different factors in the ongoing immigration debate, we urge them to look closely at the expanded high-tech surveillance provisions in this proposed package. This bill would undermine the privacy of countless law-abiding Americans and visitors, regardless of citizenship. So, we urge a “no” vote.

Published June 22, 2018 at 04:52AM