Many of the Capitol rebels may be discovering this now, as the cases against them are based on evidence taken from Internet services such as Facebook and Google. While they left a trail of digital evidence for investigators (and Internet detectives), not all of this data was publicly available. If you read the cases of people accused of crimes related to the events in Washington on January 6, you will find that the FBI also obtained internal tapes from various social networks and mobile operators.
But you don’t have to be the alleged rebel for law enforcement to get information about you from another company. In fact, you don’t need to be suspected of a crime. Police are increasingly using tactics such as a search warrant to seize the data of many people in the hopes of finding a suspect among them. You can get into one of them only because you were in the wrong place and at the wrong time, or you were looking for the wrong request. And you may never know that you are trapped.
“Investigators go to these vendors without suspects and ask for a wide range of non-targeted information in order to basically identify suspects they haven’t already had in mind,” Jennifer Granik, surveillance and cybersecurity advisor, told the ACLU. , confidentiality and technology project, – said Recode. “These more massive methods of surveillance are becoming more common.”
Basically, if a company collects and stores your data, then the police can probably get it. And when it comes to your digital life, there is a lot of your data that third parties can get. This is how they get it.
How law enforcement buys your data, no warrant is required
The good news is that there are some privacy laws that govern whether and how the government can receive your data: The Electronic Communications Privacy Act (ECPA), first enacted in 1986, established these rules.
But this law is several decades old. Although it has been updated since 1986, many of its principles do not really reflect how we use the Internet today or how much of our data remains in the hands of the companies that provide these services to us.
This means that there are gray areas and loopholes, and on some issues the government does not need to go through any legal procedures at all. Law enforcement agencies can and do buy location data from, for example, data brokers. And while location data companies claim their data has been anonymized, experts say people can often be re-identified.
“The idea is that if it’s available for sale, it’s okay,” said Kurt Opsal, deputy executive director and general counsel for the Electronic Frontier Foundation (EFF). “Of course, one problem is that many of these data brokers get their information without going through the consent process you might need.”
And it’s not just location data. The entire business model of facial recognition company Clearview AI is to sell law enforcement access to its facial recognition database, much of which was taken from publicly available photos retrieved by Clearview from the Internet. Unless you live in a city or state where facial recognition is illegal, it is now legal for the police to pay for your facial data. no matter how flawed the technology behind it may be.
That could change if something like the Fourth Amendment to the Non-Sale Act, which prohibits law enforcement from buying commercially available data, were to become law. But for now, the loophole is open.
“One of the problems with any technology law is that technology is advancing faster than the law,” Opsal said. “It is always difficult to enforce these laws in today’s environment, but [ECPA] all these decades later still provided strong privacy protections. There could definitely be improvements, but today it still works well. ”
What law enforcement agencies can go through the courts
If you are suspected of a crime and the police are looking for evidence in your digital life, then the ECPA says they must have a subpoena, court order, or warrant before the company can provide the requested data. That is, the company cannot simply transfer it voluntarily. There are a few exceptions – for example, if there is reason to believe that there is an imminent danger or a crime is being committed. But in the case of criminal investigations, these exceptions do not apply.
In general, the legal process that investigators must follow depends on what kind of data they are looking for:
Subpoena: This gives investigators so-called subscriber information such as your name, address, lifespan (for example, how long have you had your Facebook profile), log information (when you made phone calls or logged in and from your Facebook account) and credit card details.
The court order, or Order “D”: D refers to Section 2703 (d) of USC 18, which states that a court may require ISPs to provide law enforcement with any subscriber records other than the content of their messages. As such, this can include who sent you the email and when, but not the content of the actual email.
Search Warrant: This gives law enforcement access to the content itself, in particular stored content, which includes emails, photos, videos, messages, direct messages, and location information. While the ECPA says that emails that are stored for more than 180 days can only be received with a subpoena, this rule dates back to the time when people used to save their emails on another company’s server (how far does your email go? Gmail inbox?) Or used it as a backup. For now, several courts have ruled that a warrant is required for the content of e-mail, regardless of the age of the letters, and service providers usually require a warrant before they agree to transfer them.
Если вы хотите получить представление о том, как часто правительство запрашивает данные у этих компаний, некоторые из них выпускают отчеты о прозрачности, которые содержат базовую информацию о том, сколько запросов они получают, какого типа и сколько из этих запросов они выполняют. Они также показывают, насколько количество запросов увеличилось с годами. Вот Отчет о прозрачности Facebook, вот Google, а вот и Apple. EFF также выпустить руководство в 2017 году показывает, как несколько технологических компаний отвечают на запросы правительства.
You do not need to be a suspect or involved in a crime for law enforcement to obtain your data.
So, let’s say you decide that you will never commit a crime, so getting your data to law enforcement will never be a problem for you. You’re wrong.
As mentioned above, your data may be included in a purchase from a data broker. Or it could be collected on a digital network, also known as a search warrant, where police ask for data on a large group of people in the hope of finding a suspect.
“These are new methods of detecting things that could never have been discovered in the past and that can affect innocent people,” said Granik of the ACLU.
Two examples: where did you go and what you were looking for. In a geofencing warrant, law enforcement agencies get information about all devices that were in a certain area at a certain time – say, where the crime was committed – then narrow them down and get information about the accounts for the devices that they believe belong to their suspects. … For a keyword warrant, the police can query the browser for all IP addresses that were looking for a specific term related to their case, and then identify a possible suspect from that group.
These situations still represent a legal gray area. While some judges called them a violation of the Fourth Amendment and rejected requests from the government for warrants, others granted them. And we have seen at least one case where a return search warrant resulted in the arrest of an innocent person.
You may not be told for years that your data was received – if you are told at all
Another worrying aspect is that, depending on what is being requested and why, you may never know if the police requested your data from the company or if the company provided it to them. If you are charged with a crime and this data is used as evidence against you, you will know. But if your data is obtained through a purchase from a data broker or as part of a bulk request, you might not. If a company informs you that law enforcement agencies want your data and notifies you in advance, you can try to challenge their request yourself. But investigators can get court orders prohibiting companies from telling users anything, at which point you can hope that the company will fight for you.
According to their transparency reports, Google, Apple, and Facebook seem to sometimes resist or resist – for example, if they think the request is invalid. too broad or cumbersome means that not every request is successful. But they are. This is not necessarily true for everyone.
“Not every ISP is Google or Facebook, which has a solid legal department with solid expertise in federal surveillance law,” Granik said. “We don’t know what some of the providers are doing. Maybe they don’t do anything. This is a real problem. ”
Most government inquiries, even to the largest companies in the world, lead to the disclosure of at least some user data, and we have seen cases where someone’s data was transferred to the government, and that person did not know about it for years. For example, the Justice Department received from Apple a list of Democrats Adam Schiff and Eric Swalwell’s subscribers (and their families) via a grand jury subpoena. This happened in 2017 and 2018, but members of Congress only found out about it in June 2021, when the injunction expired.
If your information is included in something like a search warrant, but you are never identified as a suspect or accused, you may never know about it at all unless the company that provided it tells you. EFF’s Opsal said most of the big tech companies publish transparency reports and this is considered best practice in the industry. This does not mean that everyone follows them and is not obliged to do so.
How can you prevent this
When it comes to your data held by third parties, you have no particular control or decision as to if and what they disclose. You rely on laws written before the modern Internet, their interpretation by a judge (assuming it comes to a judge and there may not be a subpoena) and companies that have your data to fight them. If you receive a pending order notification, you can fight it yourself. This is not a guarantee that you will win.
The best way to protect your data is to use services that don’t receive it at all. Privacy concerns, including the ability to communicate without government oversight, have made encrypted messaging apps like Signal and private browsers like Duck the Duck popular lately. They minimize the data they collect from users, which means they have nothing to say if investigators try to collect it. You can also ask the services to remove your data from their servers, or not upload it to them at all (assuming those are options). The FBI can’t get much out of Apple iCloud if you haven’t uploaded anything to it.
At this point, investigators will have to try to get the data they want from your device … which is a whole can of legitimate worms.