Stephanie K. Pell and Christopher Soghoian, Your Secret Technology’s No Secret Anymore: Will the Changing Economics of Cell Phone Surveillance Cause the Government to “Go Dark?”

Comment by: Susan Landau

PLSC 2013

Workshop draft abstract:

Since the mid-1990s, U.S. law enforcement agencies have used a sophisticated surveillance technology that exploits security flaws in cell phone networks to locate and monitor mobile devices covertly, without requiring assistance from wireless carriers. This Article explores the serious privacy and security issues associated with the American government’s continued exploitation of cell phone network security flaws. It argues that legislative and industry action is needed if only to avoid a single ironic result: the government may unintentionally compromise its ability to conduct standard, carrier-assisted electronic surveillance. Without reform, it is likely that mobile device and software vendors will adopt end-to-end encryption to provide their customers with secure communications, causing wireless communications to go dark to law enforcement’s gaze. Moreover, the U.S. government’s reflexive obfuscation of this surveillance practice facilitates additional harms: enabling foreign espionage and domestic industrial espionage on U.S. soil and encouraging ubiquitous monitoring by private parties.

The U.S. government monitors mobile phones via cell site simulator(s) (CSS) that functionally mimic cell phone towers. CSS exploit a fundamental security flaw in all cellular devices: they cannot authenticate the origin of signals but merely connect to any nearby source whose signal purports to be from a tower operated by a licensed provider. Once a phone erroneously connects to a CSS, its location can be determined, and calls, text messages and data can be intercepted, recorded, redirected, manipulated or blocked.

Law enforcement, intelligence agencies, and the military have presumably used CSS to their advantage: when a target’s phone number is unknown or a mobile device has no GPS chip, they can monitor every phone in a geographic area using briefcase-sized CSS hardware. Moreover, when the government cannot obtain a phone company’s assistance, such as in operations abroad, it can use CSS to conduct surveillance without the carrier’s knowledge.

By intercepting signals directly, CSS circumvent the limited but useful privacy protections offered by commercial third parties. While privacy scholarship and recent Supreme Court jurisprudence often denounce the third party doctrine, this Article argues, counterintuitively, that third party control of data can protect privacy. When compared with warrantless, unmediated government surveillance, third parties can act as gatekeepers with the capacity to challenge government overreach, particularly when market incentives and customer interests align with privacy concerns. These intermediaries can even invoke judicial scrutiny of government surveillance practices. Their efforts can create opportunities for courts to develop new Fourth Amendment doctrine while scrutinizing surveillance practices, such as with the concurring opinions in U.S. v. Jones, and for Congress to regulate these practices by statute.

To date, legal scholarship has failed to consider the effects of CSS both within and outside of the domestic law enforcement context. Indeed, the privacy and security risks associated with CSS cannot be cabined by the Fourth Amendment or statute, for the problems extend beyond America’s borders. Western democracies no longer have a monopoly over access to CSS technology. There is a robust market in CSS technologies, and several vendors around the world sell to any government or individual who can pay their price.

Surveillance is also increasingly ubiquitous. Researchers have created low-cost, easy-to-construct CSS. For under $2,500, tech-savvy criminals can purchase off-the-shelf equipment to build their own CSS. Less robust “passive” interception of nearby calls is also possible by modifying a widely available $20 cell phone. Wiretapping is no longer the exclusive province of governments, but is equally available to private investigators, identity thieves, and industrial spies.

Despite this significant technological change, the U.S. government continues to shield information about its own use of CSS, ostensibly to protect such use in the future. This opacity comes at a cost: treating CSS as solely a “sources and methods” protection issue suppresses public debate and education about the security vulnerabilities in our cell phone networks. That trade-off might have been reasonable when access to CSS was privileged and expensive, but the rapid democratization of surveillance is changing the balance of privacy and security equities.

U.S. government use of CSS accentuates the fundamental tension between government surveillance capabilities and the security of networks. When Congress has grappled with this conflict in the past, it gave priority to surveillance capabilities. Today, however, the same threat environment that informs ongoing cyber security legislative efforts mandates that any solution crafted to cabin the harms of CSS recognize the primacy of network security.

Stephanie Pell & Christopher Soghoian, Towards A Privacy Framework For Law Enforcement Access to Location Information

Comment by: Bryan Cunningham

PLSC 2011

Workshop draft abstract:

Electronic Communication Privacy (ECPA) Reform was an active topic in 2010. The Digital Due Process coalition, a group of civil liberties groups, academic scholars and several major industry players, launched a significant policy initiative that called for reform of the two-decade-old law. Responding to this call, the 111th Congress took a firm interest in the topic, with three ECPA hearings held in the House Judiciary Committee and one in the Senate Judiciary Committee.

In any area of ECPA reform, Congress must strive to find the right balance among the (often competing) interests of law enforcement, privacy and industry. In some areas, it is relatively easy to agree on a common-sense path to improve the law.  The topic of cloud computing proved to be such an area – industry, academia and the public interest community all agreed that a probable cause warrant standard for all content requests would be a major improvement over the current standard, which varies depending on the length of time an email has been in storage, or if it has been read at least once.

Finding this balance in the area of location privacy, however, has proved to be far more challenging for Congress because: (1) the technologies involved are exceedingly complex, far more so than cloud computing; (2) law enforcement agencies will not–and, in some instances, cannot (without compromising sources and methods)–publicly discuss their needs for and uses of this information; (3) major industry players are reluctant to disclose their own data retention policies for location information or to participate publicly in the legislative process, for example, by testifying at Congressional hearings; and (4) in the area of electronic communication privacy, where the courts have often “punted,” Congress must make proper judgments regarding consumers’ reasonable expectations of privacy and how they can be expressed in equally reasonable access rules.

Drawing on our unique expertise (as, respectively, a Counsel to the House Judiciary Committee in the 111th Congress, and a privacy and security researcher focused on law enforcement surveillance), we will plot a path forward for the location privacy problem.  This article will propose a regime of common sense, practical standards for law enforcement access to location information that is technology neutral, provides clear rules for law enforcement and industry to follow and courts to apply, and balances the interests of the three major ECPA stakeholders: law enforcement, consumer privacy and industry.