Professor Dryer's 2018 Privacy in a Digital Age Honors Class Blog: February 2018

Monday, February 26, 2018

Q. OF THE WEEK NO 7

Congress mandated that the FAA pass regulations integrating the use of drones into the U.S. navigable airspace. The FAA did so, but declined to address the issue of privacy when operating drones. Various states, including Utah, have enacted laws regulating the use of drones by state and local law enforcement because of privacy concerns.

Should Congress prohibit the use of drones by federal law enforcement for surveillance purposes without first obtaining a search warrant?

Thursday, February 22, 2018

Blog Post 6: Police Body Cameras

Topic:

Video surveillance is becoming more and more ubiquitous in both public and private spaces. Police departments, in response to various high profile incidents involving the use of deadly force against citizens, have begun deploying body cameras on officers. Both the Salt Lake City Police Department and the West Valley Police Department use body cams mounted on glasses worn by officers. Such use raises a host of privacy issues.

Blog Post:

Quis custodiet ipsos custodes? “Who will watch the watchmen?”

Police body cameras are slowly becoming more and more ubiquitous with law enforcement procedure, and the way law enforcement personnel interact with the public. A common assumption regarding the use of body cameras is that they will help to either dissuade “bad cops” from abusing their power or using excessive force, or that they will help us hold those who do abuse their power responsible for that abuse. Proponents also hope that police body camera footage, like footage from dash cams, can be used to clear up mistakes in memory or determine the truth of differing claims when the facts of a case are disputed. Interactions between police and the public have a history of being volatile or negative leading to vastly different accounts of events. Cameras could potentially provide the clarity we’ve lacked for so long.

Manufactures and law enforcement are looking at many potential camera designs to accomplish these goals. From the chest-mounted cameras to small cameras mounted to the side of headgear, the models are widely variable and contain many different components. According to the Atlantic, this technology can be expensive, costing a police department between a few hundred and a few thousand dollars a set. But is the potential cost worth it to increase transparency and accountability? The opinions are mixed.

Potential Problems with Body Cameras

Alongside the cost of the cameras themselves, departments must think about secondary costs associated with the collection of that much footage. Law enforcement faces questions about when to record, what to store, and for how long to store it. Will that data be public? How will it be accessed? Can it be protected? To keep the cameras rolling the entire time an officer is on duty would amass vast amounts of film data that would need to be stored. Allowing an officer to turn the camera on and off could potentially erase its watchdog effects. And still more argue that body cameras don’t make police behave better at all. Last October the New York Times reported on a study done in the Washington D.C. police department that showed no significant difference in the use of force or number of civilian complaints between officers who had cameras and those who did not. A reasonable argument can be made that these cameras serve little more than to record what can be our most vulnerable moments which could become public record at taxpayer expense.

Current Laws and Policies Regarding Police Body Cameras (Utah)

Utah does have several laws in place regarding the use of police body cameras. H.B 300 is one (of several) such law(s) that made its way through the state legislature in 2016 determining basic guidelines for the use of body cameras. The Salt Lake City police department had 295 body cameras in use at the end of 2014, one for each officer who would be deployed in the field. Depending on the crime, camera footage is usually stored between one and three years, and access to any footage is processed through a Government Records Access Management Act (GRAMA) request and can be denied. Each unit cost the city $3,368.

My Opinion

I personally tend to agree with the general implementation of police-worn body cameras. While an increase in government surveillance is not generally something I find myself agreeing with, I am a member of the majority of Americans who believe that at the very least, body cameras will help to increase transparency in police-public interactions. I do however think the use of this technology needs strong regulation, including limits on the length of time footage can be stored as well as who has access to the footage. With proper supervision, I believe body cameras can make our communities at the very least, more honest.

Takeaways for Week Seven

1. Tracking of online activity is accomplished by various means, including

· Cookies

o A number/text file downloaded to your computer (principally on your browser) that the website can correlate with that computer, recognizing that you've been there before

o Enable you to get around putting in all your information every time you visit that site

· Example: Cookies on Amazon allows the website to remember your billing info

o Super Cookies: Even if you log out of a site (like Facebook), it will still track your online activity

o Don't work as well on mobile devices

· Web beacons

o Small, often undetectable bits of code that are embedded in websites/documents. Identify and monitor user activity on that particular website. Will tell the server how long you were on that particular page.

· Canvas fingerprinting

o Also known as digital fingerprinting.

o Performs the same functions as Cookies. It will instruct your browser to draw a unique, hidden image that will identify your device

o Allows tracking over multiple platforms

· Info is sold to online ad agencies that target the sites you visit with specific advertisements

o Targeted or behavioral advertising advertises items that match your interests based on collected data. Has a higher reception rate than typical advertising.

o Advertising agencies are using info they've gained about you either directly or from other sources to develop these targeted advertisements.

o Online ads are what economically support the internet and allow free internet services without paywalls.

· Discomfort for these tracking methods led to Do Not Track initiative

o Original intent to allow the consumer to opt out of having their web surfing tracked. Similar to the "Do Not Call" list, where people are allowed to opt out of solicitation calls.

o After about 5 years, the parties could not come to an agreement to do this voluntarily, and the Do Not Track effort failed.

o Major browsers began to build in a Do Not Track header. When they attempt to connect to a website, they now include a header a signal that says that this individual does not want to be tracked. This does not mean you are being tracked, as the website owners do not have to honor that signal.

o The Digital Advertising Association represents all the major online advertisers, opposed Do Not Call, proposed a voluntary program for users to opt out of being sent targeted adds, although you would still be tracked online

· In response to failure to adopt DNT various ad blocking software was developed.

o Data brokers and web sites began to develop counter programs to counter adblockers

· Technology arms race between the blockers and anti-blockers; some sites will not allow access if ads are blocked

2. Consequences of Anti-Tracking

· 6 in class have installed adblockers

· If majority of consumers used adblocking software most sites would lose their primary source of revenue, might resort to putting up a paywall

· 5 in class have upgraded to YouTube Red, Spotify Premium, Google Play, etc. which are add free service but charge a fee instead

3. Online Behavioral Advertising

· The online trade agency DAA (Digital Advertising Agency) opposed Do Not Track, and implemented a self-regulatory program for behavioral advertising, The program allows a consumer to click on an icon to access the Adchoices program where a consumer may exercise some control over the behavioral advertising he/she receives.

· Only one person in class recognized the DAA icon

· Can go on the DAA site and see how many companies are tracking you.

4. Question of the Week

· Would you be willing to pay a monthly fee of $25 to access the WWW is ad free and no tracking?

o Yes…5

o No….7

· For some the answer was a function of cost (e.g. I would pay $5 but not $25)

· For some, it was an issue of equality, that the Internet is a democratic platform that everyone should have access to, don't want different "classes" of users

· For some, use of ad blocking software was sufficient.

5. Garet’s Blog Post

· Data Broker ‘s “absolutely need to be regulated.”

· Majority of class agreed

6. Data Brokers

· $156 Billion industry, a "shadow industry"

· Congress has been unwilling to regulate this industry for legitimate and illegitimate reasons

· Data Brokers collect huge amounts of information, and very little laws regulate use and collection

o Can't use certain information for employment reasons

o Can't ask someone their race or gender to determine housing

o Can't ask someone about medical conditions when seeking health insurance

· Acxiom has profiles on over 500 million individuals, sometimes with over 1500 data points on a person

o Created a website where you can request the core data it has about you, but not the "inferred" or modeled data about you based on analytics

o Provides info on demographics, home, vehicles, purchases, and economics

o Some consumer classifications that Acxiom uses to classify people include

· Addictive personality

· Reckless behavior

· Allergy sufferer

· Dieter

· Heavy social media user

· HIV/aids sufferer

· Gambler

· Non-English speaker

· Single mother struggling in an urban setting

· Rape/Sexual assault victim

Monday, February 19, 2018

Q. OF THE WEEK NO. 6

Would you be willing to pay a monthly fee of $25 to access and use the worldwide web if search engines, social networks and websites were ad free and did not collect information about you or track your web activity?

Friday, February 16, 2018

Data Brokers: They Know More About You Than You Do

Overview

It’s almost impossible to use the internet anymore without seeing an ad targeted to your specific interests and recent searches. This is largely because of the massive and incredibly lucrative data brokerage industry. Data brokers are entities that “park” themselves on websites to gather and sell information about what you search for online, what web pages you visit, your activity on social media, and just about everything else you do online that could be useful for marketing. There are thousands of brokers gathering and using this information, and the average consumer would have no idea it’s happening. It’s an industry with little transparency and very little regulation. As you use the internet these mysterious entities are able to gather just about every piece of information about you, from your age to more intimate details, like sexual orientation and medical conditions. They can even use computer algorithms to predict other details about an individual's personal life. (1)

Concerns about Data Brokers

The data brokerage industry is incredibly secretive. In 2016, Newsweek requested interviews from representatives in dozens of companies and were only granted permission by one, a large and successful broker called Acxiom. This lack of transparency combined with an absence of any real regulations creates great cause for concern. Newsweek also states in its article that information gathered by data brokers can be used to create “consumer scores.” These scores can predict how likely someone is to get sick or pay off a debt. It’s possible that an insurance company could use this information to charge more to someone whose consumer report says they’re likely to develop a chronic illness, or that a college would deny admission to a student because the family’s report says they can’t pay for four years of tuition. The major flaw with a consumer score is that it’s nearly impossible to correct flawed information collected by brokers. From the Acxiom data that was analyzed, only about half of it was correct. These are life changing decisions that are possibly relying on a consumer score that is based on only 50% correct data. Additionally, there is the potential for harmful data being purchased by those with nefarious intentions. A few years ago, InfoUSA (another large broker) sold a list of 19,000 elderly people to a group of scam artists. Every individual on the list had participated in some sort of sweepstakes. This behavior was associated by the scammers with gullibility, giving them a long list of easy targets. (2)

My Opinion

In my opinion, data brokers absolutely need to be regulated. In September, 2017 the Data Broker Accountability and Transparency Act of 2017 was introduced in the Senate. This bill would keep data brokers from obtaining data in any manner that would be considered fraudulent, force them to establish procedures to ensure accuracy of information, including allowing individuals to request corrections, and make it possible for individuals to prevent their information from being used or distributed in any way, if they wish. (3) I believe that these three regulations are necessary, along with increased transparency concerning how information is distributed and what it is to be used for.

Relevant Links

Thursday, February 15, 2018

Takeaways For Week No. 6

1.

There are so many different ways that you can track people or be tracked now with modern technology. The scary part about this is that it is very difficult to avoid when some of the methods of tracking use your phone or car which in this modern era are objects that you almost need to have with you to function.

2.

In using all of these tracking methods and in court cases regarding them the U.S. courts have to decide if the tracking breaks the "unreasonable search" portion of the 4th amendment. This leads to so many different scenarios because the context of every case and search method is different.

3.

The 4th amendment only protects U.S. citizens from government searches. This opens the door for potential searches from 3rd party organizations that can gather data without you knowing and sell it to the government and you can't do much about it.

4.

Utah has laws set about the usage of automatic license plate reading technologies.

Only applies to the government
Collection is banned except for toll collection, enforcing traffic laws, and public safety concerns
Data is a protected record
Data can be preserved no more than 90 days
The Utah government can not access private data without a warrant

5.

The University of Utah has its own ALPR laws separate and more strict from that of the State's

Used only for parking management
Info only retained 24 hours and stored on the laptop of the ALPR
Info not shared with others, in or out of the University
May not sell data for marketing
Access limited to drivers and supervisors
Tracking movement not allowed
Password protected data
Quarterly audits must be completed
Sanctions for non-complience

6.

The national government requires a warrant for Sting Rays, but not all states do.

Personal Observation:

Knowing how many ways there are to track people and gather data through one form or another terrifies me because you never know if you're being watched. Especially since they can follow your car or phone which people use almost everyday. However, it is nice to read a few articles and know that even if it isn't the most ethical thing some of this technology is making a huge difference in protecting the public and tracking down criminals. It is also good to know that the government does recognize this as a privacy concern and is slowly making steps towards creating laws to protect the general public from unreasonable and unwanted following.

Monday, February 12, 2018

Q. OF THE WEEK NO. 5

There is a growing privacy concern with the proliferation of automatic license plate readers primarily centering around the creation of massive databases that potentially could be used for surveillance purposes. ALPR devices are being used by both government and private businesses and several states, including Utah, enacted laws regulating their use. The use of such technology by law enforcement has proven to be valuable for solving crimes and recovering stolen vehicles.

Do you believe the privacy implications of the use of ALPR technology are serious enough to warrant a federal law regulating its use?

Friday, February 9, 2018

Takeaways for Week No. 5

1.

The FBI has access to 16 states', including Utah's, DMV photographs to be used for identification and other purposes. Utah itself collects facial recognition information for law enforcement purposes through their Statewide Information and Analysis Center (SIAC).

2.

Some of the commercial uses for facial recognition are:

- Fast food restaurants
- Airports
- Hotels
- Apps
- Department stores

3.

If you do not have a reasonable expectation of privacy, then by society’s standard, your privacy rights have not been violated.

4.

The privacy concerns relating to face prints include:

- Notice/consent
- Storage/retention
- Usage
- Access
- Data security
- Accuracy/data errors
- Regulation/compliance
- Protections against "big or little brother" (government and business)

5.

Utah is currently a one-party consent state. House bill 330 (a local Utah House of Rep. bill) would change it to an two-party consent state, joining the eleven other states of California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington who all practice two-party consent.

Personal obs.

Before learning about facial recognition issues and privacy relating to images, I had never really given it much thought. About a week before our class, I downloaded Google Arts & Culture, and took a picture of myself to see which portrait I best compared to. I hadn't even considered the implications of doing such, which are (not exhaustively) listed in takeaway no. 4. After discussing these sorts of issues this week, I'd probably think twice about taking a picture of my face and scanning it in to the internet without any idea of whether or not it will be retained or sold. The same goes for other camera-based apps on my phone, such as Snapchat, Instagram, or even FaceTime.

Thursday, February 8, 2018

StingRays: A More Dangerous “Fish”

Brief Overview

In the context of privacy and technology, the word “StingRay” has drastically different connotations than when talking to marine biologist or oceanic enthusiast. As defined by the ACLU,

"Stingrays, also known as 'cell site simulators' or 'IMSI catchers,' are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phone in the area into transmitting their locations and identifying information. When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby," [1]. The term StingRay comes from the metonymization of the Harris Corporation’s StingRay I and StingRay II, arguably the most popular of the IMSI catchers available to law enforcement and government agencies. Traditionally, law enforcement mounts the StingRay inside of their vehicles. It then connects to their laptops and an application allows them to interface with the device and begin tracking it. Although all IMSI catchers have various abilities, they share the ability of extracting the IMSI (International Mobile Subscriber Identity) and ESN (Electronic Serial Number. The StingRay I/II and other IMSI catchers can generally also track the location of the intended target, as well as everyone else within ~200 meters. The StingRay does both of these by simulating a cell tower and forcing phones to connect to it; as long as a phone is on and not currently calling another device, it is susceptible to tracking and data collection.

Use Within the United States

The ACLU and other related organizations have identified at least 72 state and local law enforcement agencies within 24 states and 13 different government organizations which actively use StingRays and other similar devices. However, the secrecy surrounding the use of StingRays and the difficulty in detecting their use makes it difficult to speak for the accuracy of this number. The ACLU estimates that “this number dramatically under represents the actual use of stingrays by law enforcement agencies nationwide,” [1]. The secrecy surrounding the use of StingRays stems from an non-disclosure agreement signed by all entities using Harris products and the FBI [5]. In a recent statement, the FBI has rescinded the mandated non-disclosure agreement, leaving local and state agencies more capable of discussing and disclosing the use of StingRays [6]. Recent court documents and agency admissions show that San Bernardino’s Sheriff's Department used the device 300 times in the short span of 17 months [3]. In 2014, Wired magazine disclosed the use of StingRay devices in over 200 cases by Florida police. From the same article, it notes that “an FBI agent described using a cell site emulator more than 300 times over a decade and indicated that they were used on a daily basis by U.S. Marshals, the Secret Service, and other federal agencies” [4].

Privacy Concerns and Implications

Until recently, the use of StingRay devices has been largely unregulated. In the case of the San Bernardino Sheriff’s Department, use of StingRays was disguised as pen/trap orders. A pen/trap order, more formally known as a pen register and trap and trace order, allows law enforcement to see the incoming and outgoing calls without seeing the content. Pen/trap orders require only a “reasonable suspicion”, rather than the “probable cause” required by a warrant [8]. Although originally limited to location tracking and metadata collection, software updates and “add-ons” offered by the Harris Corporation allow StingRays to collect data off of phones and intercept phone calls and text messages. However, both the warrant-less use and surreptitious data collection pale in comparison to the largest privacy concern related to the use of StingRays and other related devices; devices such as these have no control over who connects to them and what data is captured. The StingRay has an effective range of ~200 meters, which can be increased by addons like the “Harpoon”. The next generation in IMSI catchers, the “Hailstorm”, has a reported effective range larger than that [10]. In active mode, the StingRay can simultaneously simulate several cell towers and monitor multiple bands. In essence, it captures the IMSI/IMEI of every device within the effective radius, without consent or notice.

The tracking and location gathering is not limited to phones. In a gross violation of privacy, the FBI used a StingRay device in conjunction with a cell provider to reprogram the data-only SIM of Daniel David Rigmaiden. The reprogramming allowed the FBI to interrupt his data service and place calls to the SIM card. In turn, this forced the SIM to reconnect to a cell tower, which the FBI substituted with a StingRay device. The connection allowed the FBI to track Rigmaiden to his apartment and later discover which apartment was his all without a warrant. Without the use of a StingRay device, Rigmaiden would have remained anonymous because he rented the room under a different name. After discovering his location, the FBI surveilled the apartment and waited for Rigmaiden to leave, upon which they arrested him for identity theft [7].

Law Enforcement Response

Law enforcement has long used StingRays and other similar devices as an integral part in drug and criminal investigations. Their efficacy is undeniable, and often cited as a reason to keep using them without changing how they are used, i.e. not requiring warrants. Other notable defenses of their warrantless use rely on their definition as a pen/trap device, rather than a wiretap or data collection device. By default, the devices only collect the IMEI, ESN, and relatively vague location data; however, software options allow the devices to also collect and intercept phone calls, text messages, and other private information. Law enforcement also contends regulations on the use of StingRays with the assertion that they help with counter-terrorism. The Electronic Frontier Foundation’s Jennifer Lynch disputes this assertion, noting that “[She is] not aware of any case in which a police agency has used a cell-site simulator to find a terrorist”. Recently, the FBI changed their policy to require warrants for the use of StingRays unless “exigent circumstance” dictates otherwise; twelve states have followed suit [12].

My Opinion

I feel strongly that all use of StingRays should require a warrant. In my opinion, the warrantless use of such devices completely violates my “reasonable expectation to privacy” while using my phone. The use of one in my general vicinity exposes me to an unwanted entity, and I have no way of determining if I am connected to one or not. The only real countermeasure involves disabling or abandoning one’s cell phone, which seems excessive for something that shouldn’t happen without my consent. Furthermore, the lack of formal training on how to use these devices, and more importantly, when to use these devices by local law enforcement agencies frightens me. Inadvertent data collection seems inevitable, given the frequency and variety of use by law enforcement agencies nationwide. Additionally, the ability of StingRay devices to track locations seems particularly invasive in an increasingly connected age. Many cars now come with internet connectivity; this gives the government the ability to track the location of a vehicle, much like they did with Rigmaiden’s “data-only” SIM card. Other internet connected devices have the same vulnerability, which allows the government and other agencies to track both myself and others, without our consent, almost everywhere we go. The potential for misuse, even with a warrant, seems high; however, by requiring a warrant judges gain access to how these devices are used, and can then place limits on their use.

Interesting Links:

User Manuals published by the Harris Corporation: Quick Start Guide & Software Operation Manual, provided by The Intercept [2]

General information about StingRays: https://en.wikipedia.org/wiki/Stingray_phone_tracker

Resources