Stephanie K. Pell and Christopher Soghoian, Your Secret Technology’s No Secret Anymore: Will the Changing Economics of Cell Phone Surveillance Cause the Government to “Go Dark?”

Comment by: Susan Landau

PLSC 2013

Workshop draft abstract:

Since the mid-1990s, U.S. law enforcement agencies have used a sophisticated surveillance technology that exploits security flaws in cell phone networks to locate and monitor mobile devices covertly, without requiring assistance from wireless carriers. This Article explores the serious privacy and security issues associated with the American government’s continued exploitation of cell phone network security flaws. It argues that legislative and industry action is needed if only to avoid a single ironic result: the government may unintentionally compromise its ability to conduct standard, carrier-assisted electronic surveillance. Without reform, it is likely that mobile device and software vendors will adopt end-to-end encryption to provide their customers with secure communications, causing wireless communications to go dark to law enforcement’s gaze. Moreover, the U.S. government’s reflexive obfuscation of this surveillance practice facilitates additional harms: enabling foreign espionage and domestic industrial espionage on U.S. soil and encouraging ubiquitous monitoring by private parties.

The U.S. government monitors mobile phones via cell site simulator(s) (CSS) that functionally mimic cell phone towers. CSS exploit a fundamental security flaw in all cellular devices: they cannot authenticate the origin of signals but merely connect to any nearby source whose signal purports to be from a tower operated by a licensed provider. Once a phone erroneously connects to a CSS, its location can be determined, and calls, text messages and data can be intercepted, recorded, redirected, manipulated or blocked.

Law enforcement, intelligence agencies, and the military have presumably used CSS to their advantage: when a target’s phone number is unknown or a mobile device has no GPS chip, they can monitor every phone in a geographic area using briefcase-sized CSS hardware. Moreover, when the government cannot obtain a phone company’s assistance, such as in operations abroad, it can use CSS to conduct surveillance without the carrier’s knowledge.

By intercepting signals directly, CSS circumvent the limited but useful privacy protections offered by commercial third parties. While privacy scholarship and recent Supreme Court jurisprudence often denounce the third party doctrine, this Article argues, counterintuitively, that third party control of data can protect privacy. When compared with warrantless, unmediated government surveillance, third parties can act as gatekeepers with the capacity to challenge government overreach, particularly when market incentives and customer interests align with privacy concerns. These intermediaries can even invoke judicial scrutiny of government surveillance practices. Their efforts can create opportunities for courts to develop new Fourth Amendment doctrine while scrutinizing surveillance practices, such as with the concurring opinions in U.S. v. Jones, and for Congress to regulate these practices by statute.

To date, legal scholarship has failed to consider the effects of CSS both within and outside of the domestic law enforcement context. Indeed, the privacy and security risks associated with CSS cannot be cabined by the Fourth Amendment or statute, for the problems extend beyond America’s borders. Western democracies no longer have a monopoly over access to CSS technology. There is a robust market in CSS technologies, and several vendors around the world sell to any government or individual who can pay their price.

Surveillance is also increasingly ubiquitous. Researchers have created low-cost, easy-to-construct CSS. For under $2,500, tech-savvy criminals can purchase off-the-shelf equipment to build their own CSS. Less robust “passive” interception of nearby calls is also possible by modifying a widely available $20 cell phone. Wiretapping is no longer the exclusive province of governments, but is equally available to private investigators, identity thieves, and industrial spies.

Despite this significant technological change, the U.S. government continues to shield information about its own use of CSS, ostensibly to protect such use in the future. This opacity comes at a cost: treating CSS as solely a “sources and methods” protection issue suppresses public debate and education about the security vulnerabilities in our cell phone networks. That trade-off might have been reasonable when access to CSS was privileged and expensive, but the rapid democratization of surveillance is changing the balance of privacy and security equities.

U.S. government use of CSS accentuates the fundamental tension between government surveillance capabilities and the security of networks. When Congress has grappled with this conflict in the past, it gave priority to surveillance capabilities. Today, however, the same threat environment that informs ongoing cyber security legislative efforts mandates that any solution crafted to cabin the harms of CSS recognize the primacy of network security.

Stephanie Pell & Christopher Soghoian, Towards A Privacy Framework For Law Enforcement Access to Location Information

Comment by: Bryan Cunningham

PLSC 2011

Workshop draft abstract:

Electronic Communication Privacy (ECPA) Reform was an active topic in 2010. The Digital Due Process coalition, a group of civil liberties groups, academic scholars and several major industry players, launched a significant policy initiative that called for reform of the two-decade-old law. Responding to this call, the 111th Congress took a firm interest in the topic, with three ECPA hearings held in the House Judiciary Committee and one in the Senate Judiciary Committee.

In any area of ECPA reform, Congress must strive to find the right balance among the (often competing) interests of law enforcement, privacy and industry. In some areas, it is relatively easy to agree on a common-sense path to improve the law.  The topic of cloud computing proved to be such an area – industry, academia and the public interest community all agreed that a probable cause warrant standard for all content requests would be a major improvement over the current standard, which varies depending on the length of time an email has been in storage, or if it has been read at least once.

Finding this balance in the area of location privacy, however, has proved to be far more challenging for Congress because: (1) the technologies involved are exceedingly complex, far more so than cloud computing; (2) law enforcement agencies will not–and, in some instances, cannot (without compromising sources and methods)–publicly discuss their needs for and uses of this information; (3) major industry players are reluctant to disclose their own data retention policies for location information or to participate publicly in the legislative process, for example, by testifying at Congressional hearings; and (4) in the area of electronic communication privacy, where the courts have often “punted,” Congress must make proper judgments regarding consumers’ reasonable expectations of privacy and how they can be expressed in equally reasonable access rules.

Drawing on our unique expertise (as, respectively, a Counsel to the House Judiciary Committee in the 111th Congress, and a privacy and security researcher focused on law enforcement surveillance), we will plot a path forward for the location privacy problem.  This article will propose a regime of common sense, practical standards for law enforcement access to location information that is technology neutral, provides clear rules for law enforcement and industry to follow and courts to apply, and balances the interests of the three major ECPA stakeholders: law enforcement, consumer privacy and industry.

Christopher Soghoian, An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government

Comment by: Paul Ohm

PLSC 2010

Published version available here:

Workshop draft abstract:

Today, when consumers evaluate potential mobile phone carriers, they are likely to consider several differentiating factors: the available handsets, the cost of service, and the firm’s reputation for network quality and customer service. The carriers’ divergent approaches to privacy, and their policies regarding government access to customers’ private data, are not considered in the purchasing process – perhaps because it is practically impossible for consumers to discover this information when they are choosing their carrier.

The differences in the privacy practices of the major players in the telecommunications and Internet applications market are quite significant – some firms retain identifying data for years, while others retain no data at all. For a mobile phone user investigated by the government, this difference in logging practices can significantly impact their freedom.

A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. However, this is not the case. Companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests.

This article will outline the numerous ways in which telecommunications carriers and Internet services currently assist the government, providing easy access to their customers’ private communications and documents. Relying on several case studies, this article will analyze the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. This article will also examine the flow of money between the government and carriers, who are statutorily permitted to demand reasonable compensation for their assistance, and will discuss the public policy advantages of surveillance as either a corporate profit center or a corporate tax.

Overall, this article will attempt to deliver some degree of transparency which is currently missing from the privacy market, and will outline a path to an eventual scenario in which consumers evaluate privacy approaches in advance, and firms can effectively compete for consumers on their willingness to disclose data to the government. Such a degree of transparency will permit the market to punish (or potentially reward) firms that put the government’s needs first.


Christopher Soghoian, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era

Comment by: Michelle Finneran Dennedy

PLSC 2009

Published version available here:

Workshop draft abstract:

For the last twenty years, users have largely maintained digital possession of their own writings. Consumers would use programs like Microsoft Word and Corel’s WordPerfect to draft letters, and programs like Microsoft Excel or Intuit’s Quicken to manage their own finances. Were the government to take an interest in a document produced by one of these PC owners, law enforcement would have to first obtain a search warrant, and then later visit the person’s home in order to seize their computer. Cloud computing has changed everything. Companies like Google, Microsoft and Adobe provide free access to fully functioning word processing, spreadsheet, presentation and image manipulation software, all through a web browser. End-users can collaborate with others, access their own files from any computer around the world, and not have to worry about the problems of data loss or backups — as the files are automatically backed up, and stored “in the cloud.” While this shift to cloud computing (and in particular, “software as a service”) has brought significant benefits to consumers, it has also come with a hidden cost — their privacy, and the evisceration of traditional Fourth Amendment protections. Because users no longer hold the only copy of their files, law enforcement agents are no longer required to seek a warrant in order to obtain those personal documents. Now, thanks to the third party doctrine, law enforcement can turn to a subpoena to force Microsoft, Google and the other service providers to turn over users’ private files.

This raises a number of significant privacy issues, such as the far lower evidentiary threshold required for a subpoena, the fact that the service providers often have little to no incentive to fight the request, and the lack of notification provided to the end user.

Furthermore, this shift provides both law enforcement and intelligence agencies with significant economies of scale in surveillance — that is, instead of obtaining and serving individual warrants on hundreds (or thousands) of users, they can now go to a handful of service providers to obtain that same private information.

This article will examine these and other privacy issues related to cloud computing. First, it will trace the legal history of the third party doctrine, and explore its impact upon cloud-based services. It will also explore key cases in which law enforcement agencies were able to force technology companies to modify their products in order to better surveil end-users.

Moving on, it will explore the development and widespread adoption of key cloud computing services. It will highlight some likely future trends which may impact users’ expectation of privacy, including the placement of cloud-based product icons on the desktops of new computers and the development of single-site browsers which may make it difficult for naive users to be aware that they are using an Internet-based product. The article will then trace out a series of “what ifs” to explore potential future pro-privacy developments in cloud computing, such as the local encryption of users’ documents before storing them online, and highlight how even these efforts could be frustrated by law enforcement. Finally, it will conclude with a set of policy and technology recommendations that could help to tip the privacy scales back towards the end-user.