3rd party doctrine – Techdirt
Fourth Circuit Appeals Court Announces It’s Going To Rethink Its Geofence Warrant Decision
from the these-warrants-seem-pretty-general-to-me dept
This is tentatively welcome news. I mean, it can’t result in anything worse than the original decision the Fourth Circuit handed down in the Chatrie case, which said there’s nothing constitutionally wrong with searching every Google user’s location info in hopes of finding the suspect law enforcement is actually looking for. (via FourthAmendment.com)
The Appeals Court took the Supreme Court’s Carpenter decision, which created a warrant requirement for obtaining cell site location info over a long period of time, to mean that the location info law enforcement eventually obtained in the Chatrie case wasn’t worthy of Fourth Amendment protections.
[W]e find that the government did not conduct a Fourth Amendment search when it obtained two hours’ worth of Chatrie’s location information, since he voluntarily exposed this information to Google.
So, the lynchpin here was the length of time, even if the court expressed its reservations about the use of warrants that treat everyone in Google’s location database as a criminal suspect until proven otherwise, something the dissent pointed out in the court’s July 2024 decision:
[G]eofence intrusions are even broader than the intrusion in Carpenter because there is no limit on the number of users police can include in a geofence. With CSLI, police at least had to provide a specific phone number to search, so they had to identify a criminal suspect before they could pry into his or her historical CSLI data. By stark contrast, geofence intrusions permit police to rummage through the historical data of an unlimited number of individuals, none of whom the police previously identified nor suspected of any wrongdoing. Indeed, the very point of the geofence intrusion is to identify persons whose existence was unknown to police before the search.
In the end, though, the majority thought the intrusion into Chatrie’s movements was limited enough that it didn’t raise further constitutional issues. What was never really up for discussion was the constitutionality of the geofence warrants themselves, which allow the government to treat everyone as a suspect while trying to back into the probable cause needed to target only specific suspects.
This unexpected en banc rehearing is likely due to a more recent appellate decision — one handed down by the Fifth Circuit (yeah ikr?) in August, which said geofence warrants are themselves unconstitutional. These warrants are the “general rummaging” that was directly addressed by the Fourth Amendment. Just because it’s a warrant doesn’t mean it’s a lawful warrant, especially not when they’re deployed this way:
When law enforcement submits a geofence warrant to Google, Step 1 forces the company to search through its entire database to provide a new dataset that is derived from its entire Sensorvault. In other words, law enforcement cannot obtain its requested location data unless Google searches through the entirety of its Sensorvault—all 592 million individual accounts— for all of their locations at a given point in time. Moreover, this search is occurring while law enforcement officials have no idea who they are looking for, or whether the search will even turn up a result. Indeed, the quintessential problem with these warrants is that they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search. That is constitutionally insufficient.
Given the timing, there can be little doubt the Fifth Circuit’s take on this issue is forcing the Fourth Circuit to reconsider its own take. The Fourth Circuit limited itself to considering whether the data eventually obtained with a warrant constituted a Fourth Amendment violation.
The Fifth Circuit’s decision, on the other hand, makes it clear the end point of vague, exploratory and, yes, “general” warrants isn’t where the constitutional conversation should start. It should actually begin at the point the government commences its investigatory work: the first geofence warrant delivered to Google that requires it to search its entire database of location data under the shaky legal theory that there’s probable cause to believe Google may possibly discover location data investigators can use to create a list of suspects.
If the Fourth Circuit rolls back its inquiry to match the Fifth Circuit’s starting point, it’s hard to see how it will arrive at the decision that geofence warrants are constitutional. If it decides the rest of this inquiry isn’t worthy of discussion, it’s just going to end up back where it started, only with a lot more wasted time and effort. At worst, nothing changes. But at best, it could generate precedent that the Supreme Court won’t be able to ignore (for better or worse).
Filed Under: 3rd party doctrine, 4th amendment, 4th circuit appeals court, carpenter, geofence warrants, geolocation info
Fifth Circuit Flips The Script, Declares Geofence Warrants Unconstitutional
from the SCOTUS-has-entered-the-chat dept
Oh, Fifth Circuit, you crazy, crazy kid. I take back almost all the bad things I’ve said about you.
The cop-friendliest circuit in the nation has done the unimaginable: set up a circuit-on-circuit showdown that can only be resolved by a Supreme Court decision. Until that happens (don’t hold your breath), you and your Google location data are safer in the Fifth Circuit (Texas, Louisiana, Mississippi) than the Fourth Circuit (Virginia, Virginia’s AAA-affiliate, both Carolinas, and Washington DC’s largest suburb, Maryland).
We won’t know whether the timing of this decision is impeccable or fortuitous or whatever until further case law is developed. But we can say this: it was nipping at the heels. The Fourth Circuit released its decision on geofence warrants roughly a month ago. That decision went entirely the other way. While there were a few concerns expressed about a single warrant being capable of forcing Google to search its entire collection of location data (something that affects more than a half-billion people), the Fourth Circuit said the Fourth Amendment mattered less than the Third Party Doctrine.
The third-party doctrine therefore squarely governs this case. The government obtained only two hours’ worth of Chatrie’s location information, which could not reveal the privacies of his life. And Chatrie opted in to Location History on July 9, 2018. This means that he knowingly and voluntarily chose to allow Google to collect and store his location information. In so doing, he “t[ook] the risk, in revealing his affairs to [Google], that the information [would] be conveyed by [Google] to the Government.” He cannot now claim to have had a reasonable expectation of privacy in this information. The government therefore did not conduct a search when it obtained the data.
The Fourth Circuit’s decision basically says the government doesn’t even need a warrant to collect this data from Google. If people opt in to Google’s location data collection, it’s on them. And if the sharing is “voluntary,” the government can have it for as little as a subpoena, no matter how broad the original search performed on its behalf by Google.
The Fifth Circuit goes completely in the other direction, which will definitely come as a surprise to law enforcement. After all, this is the circuit that sides with the government more often than not when it comes to constitutional violations performed by law enforcement officers.
This decision [PDF] is astounding for that reason alone. But it’s an important one — a decision that says using a single warrant to force a third party to dig through data contributed by hundreds of millions of people makes a mockery of the Fourth Amendment and its prohibition of “general warrants.”
This case — like the one handled by the Fourth Circuit — involves a robbery. In this case, it was a Mississippi postal worker being robbed and assaulted in February 2018. Most of the investigation involved the investigative wing of the USPS. Postal inspectors failed to generate any leads for the next nine months. At that point, they decided Google should perform the investigative work for them.
After consulting with other law enforcement agencies which had already issued geofence warrants, the USPS wrote one of its own. Its warrant stated there was probable cause to believe Google housed the data it was seeking. A geofence was drawn around the scene of the crime — one that covered 98,192 square meters.
However, Google’s first search was even broader than the specifications delivered to it by postal inspectors. It covered an area of 378,278 square meters during the date and time noted in the warrant (a one-hour period on the day of the robbery) and required Google to search all of its 592 million Sensorvault accounts.
The first search resulted in three identifiers matching the time/date/location restrictions. Without writing a new warrant based on the search results, the investigators went back to Google and demanded further identifying info for the three numbers Google had given them. This set gave the inspectors the device IDs. Again without crafting a new warrant, the investigators told Google to cough up any account information linked to the devices. Using this information, the USPS now had two suspects to pursue. Three suspects, with the lead defendant being the person listed on the caption header of the decision (Jamarr Smith), were arrested, tried, and convicted.
Citing the Supreme Court’s Carpenter decision — one that erected a warrant requirement for cell site location info collected from cell service providers — the Fifth Circuit says the other observations made by the nation’s top court in that case apply here: it’s an oversimplification to assume any data-sharing with service providers is “voluntary.” Since it’s not always obvious what’s being collected by who (see also: third-party data brokers and the government agencies that love them), it’s insulting to the Fourth Amendment to assume the Third Party Doctrine applies. And it says this while quoting the district court which ruled in favor of the criminal suspect before the Fourth Circuit reversed the evidence suppression order.
[T]he fact that approximately 592 million people have “opted in” to comprehensive tracking of their locations itself calls into question the “voluntary” nature of this process. In short, “a user simply cannot forfeit the protections of the Fourth Amendment for years of precise location information by selecting ‘YES, I’M IN’ at midnight while setting up Google Assistant, even if some text offered warning along the way.” Chatrie (Dist.), 590 F. Supp. 3d at 936
But there’s something even more concerning about geofence warrants, even when warrants are used: the breadth of the search. That’s where this court parts ways with not only the Fourth Circuit, but most jurisprudence surrounding geofence warrants. Not only is the search extremely broad, but at the point the search is performed, law enforcement officers don’t even know who they’re looking for. (Emphasis in the original.)
When law enforcement submits a geofence warrant to Google, Step 1 forces the company to search through its entire database to provide a new dataset that is derived from its entire Sensorvault. In other words, law enforcement cannot obtain its requested location data unless Google searches through the entirety of its Sensorvault—all 592 million individual accounts— for all of their locations at a given point in time. Moreover, this search is occurring while law enforcement officials have no idea who they are looking for, or whether the search will even turn up a result. Indeed, the quintessential problem with these warrants is that they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search. That is constitutionally insufficient.
That, my Fifth Circuit-residing friends, is what we call a “general warrant.” And we kicked those to the curb shortly after we kicked out our former British overlords. We shouldn’t be returning to this pattern and practice just because technology and opportunity have fortuitously aligned to give law enforcement a new way to identify suspects without ever having to leave their desks. (Emphasis in the original.)
While the results of a geofence warrant may be narrowly tailored, the search itself is not. A general warrant cannot be saved simply by arguing that, after the search has been performed, the information received was narrowly tailored to the crime being investigated. These geofence warrants fail at Step 1—they allow law enforcement to rummage through troves of location data from hundreds of millions of Google users without any description of the particular suspect or suspects to be found.
Warrants are always supposed to be narrowly tailored to minimize intrusion and collateral damage to constitutional rights. A warrant that ignores that isn’t any more constitutional just because it’s a warrant.
This won’t do much for the three convicted men. The good faith exception applies. But this isn’t one of those cases where a court says a lot of good things about rights but decides the underlying constitutional questions are best saved for another day. Precedent is established here, which means that going forward, most, if not all, geofence warrants are worthless in the states the Fifth Circuit oversees.
We hold that geofence warrants are modern-day general warrants and are unconstitutional under the Fourth Amendment.
This is a huge decision. And, of course, plenty of people already have opinions of their own. We’ll start with Orin Kerr, who disagrees with the court’s view that warrants are unconstitutional when the target of the warrant is just “too big to search.” (Emphasis in the original.)
Second, and much more dramatically, the Fifth Circuit rules that because the database of geofence records is so large, and because the whole database must be scanned through to find matches, the Fourth Amendment does not allow courts to issue warrants to collect those records. In legal terms, it is impossible to have a warrant particular enough to authorize the surveillance. The government can’t gather these kinds of online records at all, in other words, even with a warrant based on probable cause.
Right. That’s the holding. It may not survive a Supreme Court challenge. Hell, it may not even survive an en banc review, which is one of those things the Fifth Circuit tends to engage in every time it accidentally upholds constitutional rights. This ruling may prove to be extremely short-lived. And yet, Kerr’s main concern appears to be the presumed negative impact it will have on bulk surveillance collections and other extremely broad searches enabled by advances in technology.
I’ll end with a prediction. In a few days there will be a news story about some national security surveillance program that either stopped, or paused, or at least was the subject of a lot of emergency meetings. You won’t be able to tell from the news story what the program was, or what was the cause of concern. But the untold explanation will be a roomful of very worried national security lawyers trying to figure out what the heck to make of the Fifth Circuit’s ruling in United States v. Smith.
Flow my tears, the NSA analyst (who only agreed to speak on background) said. I fail to see the downside! But that’s me and my antipathy towards law enforcement’s slew of shiny new “EASY” buttons.
Here’s the first counter-argument, presented by none other than Judge James Ho of the Fifth Circuit in his concurrence:
[I] fully recognize that our panel decision today will inevitably hamper legitimate law enforcement interests.
But hamstringing the government is the whole point of our Constitution.
So, there’s the first pointed answer that should be stapled to the forehead of the first “source” quoted by reporters as being worried about the ripple effects of a postal truck robbery in the deep South.
Then there’s this response from ACLU lawyers Jennifer Granick and Brett Kaufman in their response to Orin Kerr’s post, which Kerr graciously published at the Volokh Conspiracy (along with his response to their response):
We have a prediction, too. We may see an unnamed national security official cited in a news story, lamenting the possible interruption to some purportedly essential surveillance program because of Smith. No one will tell us what the program supposedly is, or how exactly some limitations on the ability of law enforcement to search huge databases of private information without individualized suspicion interferes with the nation’s security, but that is what the anonymous source will suggest.
Don’t believe it. National security lawyers excel at exploiting legal loopholes to justify secret programs and insulate them from judicial scrutiny. We find it extraordinarily hard to believe that they will read the Fifth Circuit’s opinion in an unnecessarily overbroad and self-defeating fashion to require the executive branch to shut down one of its ongoing national security surveillance programs. Instead, as they usually do, the lawyers will find a way to justify the program to themselves, even if only by saying that the Fourth Amendment applies differently to foreign intelligence surveillance than to criminal investigations.
The government will be fine. The NatSec apparatus will function as well as ever. If there’s bulk surveillance targeting Americans (like the residents of Texas, Mississippi, and Louisiana), that definitely shouldn’t be happening in the first place and this will only make what’s probably an illegal program more illegal.
If cops can’t figure out a better way to find suspects than Googling for them, that’s on them. They all like to talk big about their training and experience. Now, they’ll just have to start putting all that training and expertise to actual work, rather than just expecting everyone else to do it for them. On top of that, Google has already shifted location data storage back to phone owners’ devices, meaning it’s got a whole lot less data to search for when it gets hit with these questionable warrants. This decision won’t add much “hampering” of law enforcement to the status quo.
My prediction? This will change nothing. The government will swiftly appeal this decision and petition the court for an en banc review while waiting to see if this is the sort of thing the Supreme Court might actually want to tangle with. In the meantime, every geofence warrant issued prior to this decision in this circuit is still valid. And they’re still valid in the other 47 states, so I wouldn’t be surprised to see law enforcement agencies roping in out-of-state agencies to write some geofence warrants on their behalf while they work overtime trying to establish some sort of multi-state nexus.
To be this alarmed already is idiotic. And, in my personal view, this isn’t even cause for alarm. This is the court system doing what it’s supposed to do: stand up for the people when the government crosses the line.
Filed Under: 3rd party doctrine, 4th amendment, 5th circuit, geofence warrants, usps
Google Disrupts Geofence Warrants, Says (Most) Location Data Will Be Stored Locally
from the lolololooooooooooooool dept
For years, Google has collected all the data it can about its users. And for years, it has utilized this data to… well, it depends on who you ask.
For Google, it meant a whole lot of targeted advertising — something so valuable Google tended to collect the data even when it told users it wouldn’t.
Once law enforcement realized Google loved data, it started approaching Google to get data it couldn’t get elsewhere. Google was home to the most popular search engine and most popular map app in the world. For those to work, users needed to allow Google to collect data. And if Google was collecting the data, law enforcement knew exactly where to go with so-called “warrants” that assumed nothing else than the probability (as in “probable cause”) Google’s servers might contain this data.
Everything just took off from there. Another boost to law enforcement hoovering of data was given (inadvertently) by the Supreme Court’s Carpenter decision. That decision said law enforcement needed to obtain warrants before obtaining cell site location data, especially if it covered weeks, months, or years of collected data.
No problem, said the cops. We’ll just use questionable warrants to obtain data we could credibly argue is still subject to the Third Party Doctrine. That’s how geofence warrants came to be: warrants that seek data on everyone in a certain area at a certain time, even if this theoretically limited time/place might give law enforcement plenty of data on innocent people who happened to be in the wrong place at the wrong time.
Also enter keyword warrants, in which law enforcement submits search keywords to Google, seeking anyone who might have used those terms at a particular time and place. Sounds great… right up until you realize Google has to search all of its retained user data to find information responsive to these requests.
While not exactly novel, geofence and keyword warrants reside in the gray area of unsettled law. That means the government can rack up “wins” with little fear of being found deliberately on the wrong side of the Constitution.
Legislation is in the works to curb the government’s acquisition of location data from third parties (the data brokers buying data from app developers). On this front, however, there are only the courts (mixed results) and the location data collectors (collective shrugs to this point) standing between the government and mass collection of location data.
The government isn’t going to restrain itself. But, in a surprise announcement, a company that feasts on data says it will consume a little less if it means protecting users from government overreach.
This week, the company said it will begin changing where it stores that Timeline data. Currently, it lives on your devices and Google’s servers, but when the shift takes place, your location history will remain solely on the hardware you own. And less of that data will be stored over time, Google says — only three months’ worth by default, down from the 18 months that are currently saved.
The company says the changes will “gradually roll out through the next year.”
Well… holy shit… at least to some degree. It’s an in-progress rollout, which means not everyone is protected right out of the gate. And it means that users will have to decide whether limited data collection works better for them than the wholesale collection they’re used to. If the latter appeals more than the former, users will need to find their own way to create a long-running, rolling history of their movements.
For most people, the default option will work. For most cops, it obviously won’t. And even if users decide they want to store everything Google collects about their movements, there’s no easy way for law enforcement to access this information. That data will be encrypted by default — accessible to users, but not to the government.
This is a win for Google users, which comprise roughly 99.9% of the nation. It will be portrayed by government officials as a loss for law enforcement, which will now have to perform investigations the way it has for decades: by finding suspects first and looking for evidence after.
That shouldn’t be a problem for cops who have done things the old way for years. But, of course, there are always those willing to argue that protecting citizens from their government is a net loss for society. That’s where law prof Orin Kerr comes in with his post on this subject for the Volokh Conspiracy.
My very tentative sense, from a public policy standpoint, is that this seems like a bit of a bummer. Geofencing was being used to solve some really serious crimes—like murders, rape, and armed robberies—when there were no known suspects or leads and the case had gone cold. Having governments be able, with sufficient cause, to go to a court, get a court order, and then obtain potentially responsive location records that could provide a lead to investigate was, on the whole, a good thing.
I often disagree with Orin Kerr — a Fourth Amendment scholar for whom I still retain a great deal of respect. But today is no different. The respect and the disagreement are both present here.
Even given the links to crimes supposedly solved by access to Google location data, there’s no way allowing law enforcement to force Google to search all users’ data, compile a list of data involving almost entirely innocent people, and hand that over to the government, is “on the whole, a good thing.”
Without a doubt, law enforcement could solve a lot of major crimes by searching houses door-to-door with nothing more than a “because you’re home” warrant. Would that be a “good thing” for society? Or would it be what we’ve been witnessing for years: a willingness to operate in areas ungoverned by constitutional bright line decisions just because cops can?
There are plenty of net goods for humanity that could be realized with governmental abuses of power. But, at least in the United States, the balancing of the government’s needs against the rights of the people tends to favor the people most of the time. Why? Because they have the least power. And that imbalance of power doesn’t change just because it’s a third party collecting all the data. Google may be the 800 lb. gorilla of the internet but its power pales in comparison to what the government is capable of doing when it decides to flex its muscles.
This move won’t make Google any more popular with US law enforcement agencies. As much as it may irritate US cops (and irk Orin Kerr), the fact remains that private companies serve their users, not the US government. If the government wants the access it used to have, it needs to have a long talk with itself. If it thinks now is the time to abridge rights, it can talk to sympathetic legislators and hope any resulting laws pass the constitutional sniff test. Otherwise, it can go back to performing investigations the way it used to before everyone carried a powerful computer in their pockets at all times.
What’s happening here is just a long-needed course correction from one of the thirstiest data collectors in internet history. What it definitely isn’t is a net loss for society.
Filed Under: 3rd party doctrine, 4th amendment, geofence warrant, law enforcement, location data, privacy, surveillance, warrants
Companies: google
NSA Asks Congress To Not Block Federal Agencies From Collecting Location Data Without A Warrant
from the well,-no-one-has-ever-stopped-us-before-so... dept
For several years, the government was able to route around the Fourth Amendment by turning cell service providers into proxy tracking devices. Thanks to the Third Party Doctrine, location data generated by cell phones wasn’t given an expectation of privacy.
A Supreme Court decision handed down in 2012 strongly suggested the government needed to obtain a warrant before placing tracking devices on people’s vehicles. No problem, said the government. People take their phones more places than they take their cars and all that information can be obtained without a warrant.
If the Supreme Court closes a door, the government opens a window. That worked for another six years — a lifetime in terms of constitutional protections in an ever-evolving tech world. But, in 2018, the Supreme Court said the government needed a warrant to obtain long-term location tracking info. The decision mainly dealt with cell service providers but the implications ran beyond that, suggesting an expectation of privacy existed for any bulk, long-term collection of location data the government could use to track a person’s movements over weeks or months.
Once again, rather than seek warrants, the government looked for other warrantless options. And far too many data brokers were more than happy to help out. While the location information gleaned from apps might produce data that was less exhaustive than the data points generated by every cell tower a cell user connects to, it was still worth something to the government. Even better, the 2018 Carpenter decision did not explicitly say the government couldn’t use other means or methods to engage in the same long-term tracking the Supreme Court said was unconstitutional without a warrant.
This growth market in no-warrant-needed data sales has, at least, provoked congressional responses. For the past few years, Senator Ron Wyden has been attempting to pass a law instituting a warrant requirement for location data purchases. Those efforts finally appear to be moving forward, with the latest iteration of the bill being passed out of committee where it may (eventually) be subjected to a vote on the Senate floor.
And his effort isn’t the only one. The must-pass National Defense Authorization Act (NDAA) bill has been hit with an amendment that would do the same thing the Wyden bill does: add a warrant requirement to location data purchases from data brokers.
A copy of the [Warren] Davidson- [Sara] Jacobs amendment reviewed by WIRED shows that the warrant requirements it aims to bolster focus specifically on people’s web browsing and internet search history, along with GPS coordinates and other location information derived primarily from cellphones. It further encapsulates “Fourth Amendment protected information” and would bar law enforcement agencies of all levels of jurisdiction from exchanging “anything of value” for information about people that would typically require a “warrant, court order, or subpoena under law.”
The NSA — which is one major beneficiary of defense budget bills — is alarmed that federal agencies might have to comply with the Carpenter decision by securing warrants before seeking access to long-term location tracking info. It seems upset that refusing to follow the spirit of the Carpenter decision has resulted in a concerted effort to close a loophole government agencies have exploited for the last half-decade.
Not only does it need to continue to fight for its right to engage in the warrantless spying it already does as an enabler of decades of FBI abuses, it now needs to fight for its right to ignore Supreme Court precedent just because the precedent did not consider the limits it placed on location data collection would be sidestepped by data brokers who discovered selling to shady government agencies could be as profitable as selling to shady advertisers. Dell Cameron has the details for Wired:
Republican and Democratic aides familiar with ongoing defense-spending negotiations in Congress say officials at the National Security Agency (NSA) have approached lawmakers charged with its oversight about opposing an amendment that would prevent it from paying companies for location data instead of obtaining a warrant in court.
It’s unclear how often the NSA itself purchases data from brokers but some info has leaked out around the edges that suggests it considers it to be a useful part of its national security efforts. Its wealth of collection options not currently subject to warrant requirements suggests this effort is more about keeping options open for other federal law enforcement agencies, rather than the NSA itself being negatively affected by this amendment. That the military is known to purchase bulk location data from brokers likely factors into this lobbying effort, considering this amendment is attached to a bill that affects both the NSA’s and the US military’s budgets.
The NSA is fighting a battle on multiple fronts. And it’s not clear why this one appears to be worth the effort. The bigger concern for the NSA is the possible loss of its Section 702 surveillance authority — something that has been undermined for years by the FBI’s continuous abuse of its access to NSA Section 702 collections. But the NSA appears to believe its best move at this point is to persuade legislators no one in the government should be denied warrantless access to data brokers’ offerings. Perhaps it might be more useful for it to go after the FBI for undermining the public’s trust, setting it up for a fight it didn’t provoke and now finds itself faced with the sudden, very real possibility of losing.
Filed Under: 3rd party doctrine, 4th amendment, location data, ndaa, nsa, privacy, surveillance, third party doctrine, warrant
Judge: No Expectation Of Privacy In User Info Voluntarily Shared With Facebook, OKs FBI’s User Data Grab
from the recording-evidence-of-your-own-crimes-is-always-a-bad-idea dept
While this ruling [PDF] is likely correct under current Fourth Amendment case law, it does raise questions about the propriety of mass data grabs that aren’t particularized to suspected criminals or investigation targets. (h/t Orin Kerr)
Tennessee resident Matthew Bledsoe was recently convicted during a jury trial for his participation in the January 6, 2021 raid of the US Capitol building. Here’s what the Justice Department has to say about Bledsoe’s actions that day:
According to the government’s evidence, in the days immediately following the Nov. 3, 2020, election, Bledsoe began posting to social media about the presidential election. On Jan. 6, 2021, he attended a rally near the Ellipse. Bledsoe then headed to the Capitol, and illegally entered the Capitol grounds shortly after 2:13 p.m. He then moved to the Capitol Building itself. He scaled a wall at the Upper Northwest Terrace and entered through a fire door at the Senate Wing. Among other things, he yelled, “In the Capitol. This is our house. We pay for this s—. Where’s those pieces of s—at?” He climbed a statue and was outside the corridor to the House Chamber and hallways near the Speaker’s Lobby. He left the building about 2:47 p.m., after approximately 22 minutes inside.
What’s not mentioned here is how the FBI began its search for Bledsoe and others like him. The FBI cast a very wide net first, using geofence warrants to obtain information on everyone in the area of the Capitol building and working backwards from that haystack to open investigations on suspected insurrectionists.
Facebook received one of these requests. That’s the request that was challenged by Bledsoe — a challenge that ultimately failed. It appears the initial request did not involve a warrant. This is from Judge Beryl Howell’s decision:
As part of that investigation, and in the context of the emergency situation at the Capitol, the Federal Bureau of Investigation (“FBI”) requested from Facebook identification information for accounts using its platform to broadcast videos of this highly public event that were live-streamed or uploaded to Facebook while the account user was physically in the U.S. Capitol during the time period when the mob was storming and occupying the Capitol building. Armed with the account identifiers, in the days that followed, the FBI then sought search warrants requiring Facebook to disclose various records and content associated with the accounts that would constitute evidence of specific federal criminal law violations.
That’s exactly where it gets problematic. It was an “emergency” request, which allowed the FBI to sidestep warrant requirements. And it obviously swept up plenty of people who weren’t actually committing criminal acts. Some may have just been documenting the mayhem. Others may have been near the building but not actually in it.
The FBI then worked backwards from this data haul to identify suspects. Bledsoe challenged both the initial request and the subsequent warrants, but had both challenges denied. Judge Howell’s conclusion is a single sentence, albeit one preceding a much longer explanation of the issues. While the court does see this as a “novel Fourth Amendment issue,” it says the Fourth Amendment simply wasn’t implicated in the first request made by the FBI.
[D]efendant has not established that he had a reasonable expectation of privacy in the non-content account information disclosed by Facebook…
The FBI made three requests, using the emergency disclosure provision of the Stored Communications Act. Facebook provided three responses to this request, all of them voluntary.
In response to the FBI’s request, Facebook made three separate disclosures, on January 6, January 13, and January 22, 2021, voluntarily identifying Facebook and Instagram accounts that fell within the scope of the FBI’s request. For each qualifying account responsible for streaming or uploading a video to Facebook from within the U.S. Capitol building during the January 6, 2021 attack, Facebook disclosed both an Object ID, which is a unique, numeric code assigned to any video uploaded to Facebook or Instagram Live, and an associated User ID, which is a unique numeric code assigned to each Facebook or Instagram account, identifying the account that posted content indicative of being inside the U.S. Capitol building during the January 6 breach.
The FBI searched Facebook and Instagram using these identifiers but found “no publicly available content associated with these accounts.” Actual warrants followed, compelling Facebook to turn over private content associated with these accounts.
The court’s focus is on the initial data requests, though. If that’s constitutional, it makes the subsequent searches that obtained content constitutional. Applying the Supreme Court’s Carpenter decision — one creating a warrant requirement for obtaining long-term cell site location info — the court says this is a different thing entirely, even if it also deals with third-party location records collected by Facebook.
While cell site location info (CSLI) is created involuntarily simply by having a cell phone turned on, the records generated by Bledsoe while in the US Capitol building were far more voluntary: i.e., he opened an app and began recording, affirmatively generating a wealth of data (and evidence). Had Facebook collected any location data from Bledsoe’s device while the app was inactive, it would have put him in the initial disclosures to the FBI, but the subsequent warrants would not have produced any evidence from his account.
Thus, unlike the CSLI data at issue in Carpenter, the only way that Facebook was able to determine when and where a user engaged in account activity on January 6, 2021, is by virtue of the user making an affirmative and voluntary choice to download the Facebook or Instagram application onto an electronic device, create an account on the Facebook or Instagram platform and, critically, take no available steps to avoid disclosing his location, before purposefully initiating the activity of live-streaming or uploading a video of a highly public event, in a manner that occurs during the normal course of using Facebook as intended. Defendant has not identified a single instance where Facebook logs information concerning his account activity of posting any photo or video content on the Facebook platform without user action.
That last sentence is key. So is the fact that there’s no judicial precedent that deems Facebook to be an essential part of everyday life, unlike cell phones themselves, which provide communications, internet access, and other key components of modern life.
This suppression denial will likely be appealed. As the court observed, it’s a “novel Fourth Amendment issue.” And, as such, it probably needs a second pass. Whether or not it changes anything, it will at least give the next level of the judiciary system something to contemplate, not just for this case, but for its implications moving forward.
Filed Under: 3rd party doctrine, 4th amendment, data, doj, fbi, matthew bledsoe, social media, warrants
Companies: facebook
Report Shows ICE’s Massive Surveillance Apparatus Is All Up In Americans’ Everything
from the high-tech-thugging dept
Immigration and Customs Enforcement (ICE) has long made its own case for abolishment. Before ICE earned its current reputation as a fake-school running, report-altering, rogue agency interested in ejecting as many non-white people from America as possible, ICE ran interference for entrenched industries.
This led to things like ICE officers raiding small repair shops to prevent people from having their iPhones fixed without Apple’s explicit blessing (and premium fees), or seizing websites en masse without even the slightest nod towards due process.
That was supposedly the “customs” part of its enforcement efforts. Once Donald Trump took office, ICE was given permission to take the gloves off its immigration enforcement efforts. Galvanized by rhetoric that portrayed any brown person as inherently dangerous (and propelled by the enthusiasm of a failed casino owner who has filed for bankruptcy multiple times), ICE went all in on punishing people who didn’t seem white enough to be allowed to live in this country.
Because ICE mainly deals with people it doesn’t consider to be people (alleged scofflaws, undocumented immigrants), it has repeatedly decided things like local laws and/or the US Constitution do not apply to its activities. Sidestepping Supreme Court rulings and long-held constitutional rights, ICE has partnered with private contractors to engage in surveillance very few people would consider to be either lawful or constitutional.
What kind of monster has ICE become? A recent report — sourced from hundreds of public records gathered by several rights organizations — says ICE’s surveillance dragnet is almost unimaginably large. And it definitely surpasses anything its supposed first level of oversight (that’s your Congressional reps, folks!) believes ICE is engaged in.
Let’s just start with the set of bullet points listed in the “American Dragnet” report covering the results of this comprehensive, two-year investigation into ICE’s surveillance activities.
ICE has scanned the driver’s license photos of 1 in 3 adults.
ICE has access to the driver’s license data of 3 in 4 adults.
ICE tracks the movements of drivers in cities home to 3 in 4 adults.
ICE could locate 3 in 4 adults through their utility records.
So. Why does an agency mainly focused on non-Americans have access to so many records pertaining to actual Americans? Well… because it can. For several reasons.
The Third Party Doctrine eliminates the expectation of privacy needed to create a warrant requirement. State and local partnerships with federal agencies allow agencies like ICE to trawl local law enforcement databases. Advancements in tech have increased the number of inputs ICE can access, as well as the productivity of the devices adding those inputs. And hardly anyone in power seems to be interested in directly overseeing ICE, much less pushing back against its dragnet expansion.
Since its formation in 2003, ICE has desired more data and less oversight. Thanks to this combination of contributing factors, it is now sitting dead center in this perfect storm.
After 9/11, ICE paired those programs with much broader initiatives, tapping vast databases held by private data brokers as well as state and local bureaucracies historically uninvolved with law enforcement. Through those initiatives, ICE now uses information streams that are far more expansive and updated far more frequently, including Department of Motor Vehicle (DMV) records and utility customer information, as well as call records, child welfare records, credit headers, employment records, geolocation information, health care records, housing records and social media posts.
Since 2003, ICE has spent $2.8 billion on surveillance and data collection. The ROI has been tremendous. Leveraging law enforcement partnerships and private contractors has turned ICE into a surveillance entity on par with the NSA — and all without attracting too much attention from its Congressional oversight.
ICE trawls driver’s license databases because some states allow immigrants to get licenses before they become citizens. This doesn’t mean every immigrant targeted is here illegally. Driving is essential in America, and immigrants (undocumented or not) need to get to work, buy groceries, visit relatives/friends… all of this requires the driver to possess a valid license. This may be an easy way to find immigrants subject to removal but it also gives ICE agents the ability to surf DMV databases for other reasons, including their own personal amusement.
Some immigrants may not trust the government. But they still need the basics of life, like electricity and running water. ICE is all over this as well. Not only does it harvest records from private utility companies, it leverages the capabilities of other private companies to make sense of this data, as well as make the agency one step further removed from both the process and accountability. This free ride to utility records may be (belatedly) coming to an end thanks to the efforts of Senator Ron Wyden, but for years it was just another way ICE was able to access records belonging to millions of actual Americans.
So, how does ICE end up running a massive surveillance apparatus that has mostly flown under the radar? Well, it doesn’t happen in a vacuum. The reasons listed above — the tech explosion, the support of multiple presidents, the lack of meaningful oversight, the resourcefulness and drive of the agency itself — all contributed to the erection of this massive dragnet.
But it also happens in a vacuum. This one is created by a nearly complete lack of oversight, something that’s likely prompted by ICE’s directives. When an agency is tasked with removing non-Americans, it’s easy to ignore its means and methods since it’s only dealing with people we (both as constituents and representatives) deem are not worthy of the rights the federal government can barely be persuaded to recognize when dealing with natural born citizens.
Most congressional leaders did not learn about ICE face recognition scans of DMV photos until The Washington Post ran an exposé on the practice, reporting on records obtained by the Center on Privacy & Technology. […] ICE’s surveillance initiatives have regularly flown under Congress’ radar. While a few political leaders have pressed ICE in oversight letters and used appropriations riders to end the most aggressive of ICE’s actions, to date there has not been one full congressional hearing or Government Accountability Office (GAO) report focused on ICE surveillance.
The report ends with several recommendations. At the top of the list is the request that Congress actually get back into the oversight business. It also recommends more state-level oversight to ensure local law enforcement agencies aren’t ignoring state laws to provide ICE with access to government databases or private companies’ records. And it says ICE should not be allowed to use utility company records for the purpose of seeking out people to deport.
Thanks to the release of this report, Congressional members will no longer be able to pretend they’re unaware of ICE’s massive surveillance dragnet. This will hopefully prompt fast and direct action that limits what ICE has access to and what it is allowed to do to carry out its deportation efforts. The fact that a majority of US citizens are subject to the same surveillance should hopefully tip the scale towards swift Congressional action.
Filed Under: 3rd party doctrine, 4th amendment, american dragnet, dmv database, drivers licenses, ice, surveillance
Federal Court Awards Immunity To Sheriff Who Searched An Officer’s Private Dropbox Account Without A Warrant
from the wrong-but-apparently-a-new-way-of-being-wrong dept
Law enforcement officers are more used to violating rights than having theirs violated, so this case — brought to us by Courthouse News Service — is something of an anomaly.
But it is a good discussion of some issues that don’t receive a lot of attention. Like, how is “reasonable” defined in terms of searches when both the searcher and the searchee are government employees? And how do company IT policies apply to searches of private accounts when the company is actually the government… and the private account is linked to a government email account?
The plaintiff is a government employee who perhaps got a little bit too carried away helping out the people producing a law enforcement-oriented TV show. From the decision [PDF]:
Plaintiff Steven Bowers was a sergeant for the Taylor County sheriff’s department. In 2017, the department started working with a television show called Cold Justice, a true-crime series that investigates unsolved crimes. The department gave the crew members access to one case file, but Bowers began sharing other case files with them, even though he didn’t have permission to do so. After Bowers admitted what he had done, Sheriff Bruce Daniels directed IT director Melissa Lind (formerly Melissa Seavers) to try to access Bowers’ Dropbox account, where Daniels believed that Bowers had stored the files. Lind was able to do so because the Dropbox account was linked to Bowers’s work email. Lind changed Bowers’s account password, accessed the account, and found the case files.
Bowers sued the IT director and the sheriff, alleging violations of his Fourth Amendment rights via the warrantless search of his private Dropbox account.
The court says a lot of things go into its determination that 1) rights were violated, but 2) immunity still applies, starting with this list:
The general rule is that a warrant is required for searches of private property. But there are more lenient standards involving some searches conducted by government employers. The Dropbox account was Bowers’s personal account, and it wasn’t stored on county servers, factors tending to support Bowers’s contention that a warrant was required. But other factors point the other way, including that Bowers linked the account to his work email and he placed work files taken from a work computer into the account. The account was password protected, but Bowers had shared access with several others.
The court notes the Supreme Court hasn’t exactly produced a wealth of case law that applies to cases like these, where both parties work for the government. Complicating things are choices Bowers made (like sharing documents using the account) that made his account perhaps a bit less private than accounts only accessible by their owners.
The defendants claimed the county’s IT policy gave it the unilateral right to do what they did, given that employees agreed to clauses stating they had no expectation of privacy when using department computer equipment. The court isn’t quite as charitable in its reading of the policy.
The policy states that employees have no expectation of privacy for material “on Taylor County equipment,” but it’s undisputed that Bowers’s Dropbox account was stored on the cloud, not on county servers. Defendants also point to the language that the county may “access any electronic communications at any time.” But Bowers’s Dropbox account wasn’t an electronic communication, so that provision doesn’t apply either.
This leaves the IT policy provision that gives the county the right to “monitor all information technology usage.” Defendants emphasize the word “all,” contending that it extends beyond the county’s own equipment. But that’s not a reasonable interpretation, as it suggests that the county could monitor its employees on any personal electronic device anytime, anywhere, and for any purpose. The more reasonable interpretation is that the policy applies to technology use that is either done while on the job or on a county device.
The fact that Bowers shared files from this Dropbox account also doesn’t weigh against his expectation of privacy… at least not as much as the defendants would like it to.
Linking the account to his work email blurs the boundary between his work and private spaces, but the county’s IT policy says nothing about monitoring private accounts that are linked to work email. In the absence of a clearer notice from the county, Bowers was entitled to assume that a private account was private.
As for sharing the account with the TV crew members and a friend, that doesn’t mean that Bowers was inviting anyone to view his account. By way of comparison, homeowners don’t forfeit a reasonable expectation of privacy against intrusions by the police if they invite friends to stay with them.
That last paragraph takes a pretty big swipe at the Third Party Doctrine, which assumes (nearly) anything shared with private companies to utilize goods and services can be obtained without a warrant. This statement makes it clear this court does not believe people give up any expectation of privacy just because they’ve shared information with others.
The court also discusses the terms of service Dropbox users agree to, which say Dropbox may access files at any time. Again, the court says assumptions made by the defendants about privacy expectations are wrong. And, although the court goes out of its way to point out this part is not a discussion about the Third Party Doctrine, it still seems pretty applicable.
Bowers’s claim is about restricting access to his account, not protecting the particular files at issue or preventing third parties from sharing the files. One can lose a right to keep information private by disclosing it to the public, but that doesn’t mean the government can force entry into someone’s home on the ground that the home contains public documents. As another example, if someone sends an email to a friend, the Fourth Amendment won’t prevent the friend from sharing the contents of the email with the police, but that doesn’t mean the police are entitled to hack an email account because all the emails are being shared with a third party.
This is a very good discussion of issues that are likely to resurface repeatedly as more storage of personal information and files moves to the cloud and away from local drives. But it’s only the beginning of this discussion — one being made without much assistance from precedential decisions. And that means the participants in the Fourth Amendment violations are immunized from this lawsuit.
But whatever the limitations of defendants’ authority, Bowers cannot prevail by showing that defendants have failed to disprove his claim. It is his burden to show that the law was clearly established. And the bottom line is that Bowers hasn’t cited Supreme Court or Seventh Circuit law clearly establishing that he retained a reasonable expectation of privacy against intrusions by the county despite his linking the account to his work email, putting confidential work files from a work computer in the account, and sharing access to the account with others. The precedential authority he relies on provide the general principles that provide the foundation for his claim. But that case law doesn’t show that the contours of the law were so well defined that it would be clear to a reasonable officer in defendants’ position that Bowers had a reasonable expectation in keeping his Dropbox account private from the county. In the absence of such a showing, defendants are entitled to summary judgment on the basis of qualified immunity.
And that means Bowers won’t have any luck suppressing this evidence in his criminal case. He’s charged with misconduct in public office and, presumably, the evidence against him was generated by this search of his Dropbox account. If the defendants can obtain immunity here, the trial court will likely find (if it hasn’t already) that even if the Fourth Amendment was violated, the violation was done in good faith.
That being said, it’s a well-written decision that’s willing to discuss issues that somehow, despite it being 2022, haven’t generated much precedent. And, at least in this court, the Third Party Doctrine isn’t nearly as expansive as the government believes it is, which will make it a handy decision to refer to in future litigation dealing with these issues.
Filed Under: 3rd party doctrine, 4th amendment, bruce daniels, qualified immunity, searches, steven bowers, taylor county, taylor county sheriff's department
Data Broker Looking To Sell Real-Time Vehicle Location Data To Government Agencies, Including The Military
from the come-get-ur-dystopia dept
Location data is the new growth market. Data harvested from apps is sold to data brokers who, in turn, sell this to whoever’s buying. Lately, the buyers have been a number of government agencies, including the CBP, ICE, DEA, Secret Service, IRS, and — a bit more worryingly — the Defense Department.
The mileage varies for purchasers. The location data generally isn’t as accurate as that obtained directly from service providers. On the other hand, putting a couple of middle men between the app data and the purchase of data helps agencies steer clear of Constitutional issues related to the Supreme Court’s Carpenter decision, which introduced a warrant mandate for engaging in proxy tracking of people via cell service providers.
But phones aren’t the only objects that generate a wealth of location data. Cars go almost as many places as phones do, providing data brokers with yet another source of possibly useful location data that government agencies might be interested in obtaining access to. Here’s Joseph Cox of Vice with more details:
A surveillance contractor that has previously sold services to the U.S. military is advertising a product that it says can locate the real-time locations of specific cars in nearly any country on Earth. It says it does this by using data collected and sent by the cars and their components themselves, according to a document obtained by Motherboard.
“Ulysses can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis,” the document, written by contractor The Ulysses Group, reads. “Currently, we can access over 15 billion vehicle locations around the world every month,” the document adds.
Historical data is cool. But what’s even cooler is real-time tracking of vehicle movements. Of course the DoD would be interested in this. It has a drone strike program that’s thirsty for location data and has relied on even more questionable data in the past to make extrajudicial “death from above” decisions.
Phones are reliable snitches. So are cars — a fact that may come as a surprise to car owners who haven’t been paying attention to tech developments over the past several years. Plenty of data is constantly captured by internal “black boxes,” but tends to only be retained when there’s a collision. But the interconnectedness of cars and people’s phones provides new data-gathering opportunities.
Then there are the car manufacturers themselves, which apparently feel driver data is theirs for the taking and are willing to sell it to third parties who are (also apparently) willing to sell all of this to government agencies.
“Vehicle telematics is data transmitted from the vehicle to the automaker or OEM through embedded communications systems in the car,” the Ulysses document continues. “Among the thousands of other data points, vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating.”
This document wasn’t obtained from FOIA requests. It actually couldn’t be — not if Ulysses isn’t currently selling to government agencies. It was actually obtained by Senator Ron Wyden, who shared it with Vice’s tech-related offshoot, Motherboard. As Wyden noted while handing it over, very little is known about these under-the-radar suppliers of location data and their government customers. This company may have no (acknowledged) government customers at this point, but real-time access to vehicle movement is something plenty of government agencies would be willing to pay for.
And Ulysses has inroads with the military. Cox/Motherboard have worked with US Special Operations Command in the past to help it track financial transactions made by entities in foreign nations in hopes of better understanding how our enemies convert “buying local” into a weapon against US interests.
Unfortunately, the documents don’t explain how Ulysses obtains this data or which car manufacturers/OEM distributors are contributing to the real-time location data pool. But it could be dozens of interoperable parts. Manufacturers gather some data. So do the manufacturers of integrated entertainment systems and Bluetooth-compatible devices, including whoever’s combining forces to provide in-car navigation. Then there are services drivers use, like parking garages, which may collect additional data about vehicles in the area. It all adds up to an easy way to track cars. This data may not be able to say for sure who’s driving, but information gathered from connected devices may make it easier to determine identity. All of this adds up to a big pile of data that could easily be wielded to do things like engage in drone strikes.
Even if it’s not being used to kill people, it can be used to track people. It beats automatic license plate readers which only trigger responses when target vehicles pass cameras. It beats third-party app data because it can be used in real time. And it beats protections we’re supposed to have in place following the Supreme Court’s Carpenter decision. A car may not be a person, but it’s pretty damn close. And data only another data broker away can link cars to people and allow government agencies to make plenty of inferences about their day-to-day activities. This is happening now and it’s all under the radar, for the most part. It’s an unregulated market that wields useful tools against their users, subverting their expectations of privacy and making it easier for governments to engage in off-the-constitutional-books tracking.
Filed Under: 3rd party data, 3rd party doctrine, 4th amendment, data brokers, location info, military, realtime location info
Man Sues Hertz For Not Turning Over A Receipt That Would Have Cleared Him Of Murder Charges Until After He Spent Five Years In Jail
from the customer-service-0/5-stars dept
Law enforcement loves loves LOVES third parties. Anyone one step removed from someone they’re investigating generally isn’t covered by the Fourth Amendment, which means no one needs a warrant or probable cause to go fishing for “third party” data.
But when it comes to the accused, what’s easy for law enforcement is seldom simple for regular citizens. Third parties obtain tons of personal data when interacting with customers and users. But when a regular person asks for this information, third parties apparently feel free to blow them off. That’s the case when someone’s trying to do nothing more than dispute something on their credit record. And it’s also the case when someone’s life is literally on the line.
This cavalier approach to record keeping might finally cost a third party some money. A man falsely accused of murder is taking car rental agency Hertz to court for sitting for several years on a receipt that would have cleared him.
A Michigan man was convicted of second-degree murder in 2016, but he didn’t do it. Now, he’s suing the car rental agency that held onto the receipt proving his innocence.
Herbert Alford spent almost five years behind bars for the 2011 shooting death of Michael Adams before his conviction was overturned last year and he was released.
Hertz had the records that would have cleared Alford. But it didn’t hand them over until after he had already served five years for a crime he didn’t commit.
The rental records would have shown that Alford was miles away from the murder scene six minutes before the crime was committed. But Hertz took its time producing the exonerative evidence.
Alford’s lawyers repeatedly insisted that he was nowhere near the area at the time of Adams’ murder and instead was at Capital Region International Airport in Lansing, approximately 20 minutes away, renting a car from the Hertz station six minutes before the fatal shooting.
“If anybody has ever traveled Lansing from Pleasant Grove to the airport you know that is not possible to accomplish,” Alford’s lawyer, Jamie White, told WLNS. “You couldn’t even do it in a helicopter.”
Hertz got the records request in 2015. It took the company three years to produce it. Once it did, Alford was cleared of all charges. This is all Hertz has to say about its inability to keep Alford out of jail.
“While we were unable to find the historic rental record from 2011 when it was requested in 2015, we continued our good faith efforts to locate it,” spokeswoman Lauren Luster told the Associated Press. “With advances in data search in the years following, we were able to locate the rental record in 2018 and promptly provided it.”
Whatever. If it had meant as much to Hertz as it meant to Alford, the records would have been found much earlier. The problem is it didn’t mean much to Hertz. So, it took its time locating records requested by a man facing decades in prison, resulting in him losing a half-decade of his life to the penal system. For Hertz, it’s nothing but a very minor PR black eye — one unlikely to deter renters who have yet to be falsely accused of committing crimes.
But for Hertz renters, records like these matter, even if they have yet to discover how much they matter. A subpoena for records shouldn’t be thrown on the back burner, whether it’s issued by a law enforcement agency or someone they’re trying to prosecute.
But there’s more ugliness to this case if Alford’s allegations are true. It’s more than a missing receipt. It’s the deliberate inducement of false testimony by investigators.
Police said that a police informant, Jessie Bridges, reported that he saw the shooting and identified the gunman as 38-year-old Herbert Alford. Bridges would later recant his statement and claimed that police had offered him $1,500 to falsely implicate Alford.
So, that’s another lawsuit waiting to happen. Maybe this didn’t actually happen, but it’s not so far removed from reality it’s immediately dismissible. Let’s not forget law enforcement thinks criminals who work for them are inherently trustworthy and everyone accused of a crime is inherently dishonest. But sometimes it takes a bit more — shall we call it “legwork” — to get informants to agree with the established narrative. And when some coaxing is required to seal a prosecutorial deal, the “good” criminals tend to be enriched. That’s what happens when the criminal justice system is more concerned with scoring wins than upholding justice.
Filed Under: 3rd party doctrine, herbert alford, law enforcement, receipt, rental car, third party doctrine
Companies: hertz
FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack
from the not-even-a-third-party-record dept
As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.
Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.
A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don’t always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.
If you can’t read/see the tweet, it says:
wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack
The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. “Chaewon.” Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:
On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.
I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).
From there, the FBI was able to track bitcoin transactions, locate Sheppard’s email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect “Chaewon” and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.
No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment’s protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.
Filed Under: 3rd party doctrine, 3rd party information, fbi, hacking, mason sheppard, ogusers, twitter hack, warrant