cbp – Techdirt (original) (raw)

Another Federal Court Says Warrants Are Needed For Device Searches At The Border

from the the-4th-amendment-must-mean-something dept

Another anomaly has popped up, which has the chance to create enough of a circuit split that the Supreme Court will need to weigh in on this issue. The good news (albeit undercut a bit by “good faith”) is that another federal court has ruled the Riley warrant requirement applies at the nation’s borders.

Here’s more about the case from the Knight First Amendment Institute, which filed a brief in this case arguing for a warrant requirement.

A federal court has held that the government must obtain a warrant based on probable cause before searching travelers’ electronic devices at the border. The ruling came in a case in which a criminal defendant, Kurbonali Sultanov, moved to suppress evidence obtained from a search of his cellphone when he entered the U.S. at John F. Kennedy Airport in New York. In October 2023, the Knight First Amendment Institute at Columbia University and the Reporters Committee for Freedom of the Press filed an amicus brief in the case, arguing that warrantless searches of travelers’ phones violate the First Amendment’s protection of the freedoms of the press, speech, and association, as well as the Fourth Amendment’s protection against unreasonable searches and seizures. The judge relied heavily on the amicus brief in issuing her ruling.

“As the court recognizes, warrantless searches of electronic devices at the border are an unjustified intrusion into travelers’ private expressions, personal associations, and journalistic endeavors—activities the First and Fourth Amendments were designed to protect,” said Scott Wilkens, senior counsel at the Knight First Amendment Institute. “The ruling makes clear that border agents need a warrant before they can access what the Supreme Court has called ‘a window onto a person’s life.”

This ruling has the opportunity to provide more protection for travelers within this circuit, but it will take this decision being upheld by the Second Circuit Appeals Court before anyone can actually expect a warrant requirement to be established.

And it doesn’t help Sultanov much, because while a warrant requirement might be the end result of the ruling, the CBP and DHS officers involved in the multiple searches were awarded good faith because no precedent has been established.

There’s a lot to like about the ruling, even if it’s of little use to Sultanov other than the suppression of some of the statements he made to federal officers. And there’s a lot to be concerned about as well, as testimony from officers involved in the phone searches made it clear it takes almost nothing to initiate the secondary screening that almost always results in device searches. Worse, it shows the supposedly less-invasive search (i.e., the non-forensic search) is way more invasive than travelers might imagine.

Some very enlightening answers were provided to the court, which are recounted in its ruling [PDF]. We’ve already covered the ridiculousness that is law enforcement’s assertions about “source cities” for drug running (which means basically any city with an interstate connecting it to other cities). Here’s what CBP Officer Marves Pichardo told the court about “source countries,” while being questioned about the search of Sultanov’s phone:

If they’re coming from source countries, so Europe and — anyone from Europe, and they’re — they’re traveling there often or they’ve been away from the United States for a certain amount of time, it kind of draws questions to why were they away, what information are they bringing back with them, what kind of baggage are they bringing back with them. Just things to clarify their reasons for them going abroad and coming back into the United States.

Literally just going to Europe and returning is enough to trigger a “secondary” questioning by border officers. I mean, I don’t want Americans to be subjected to the same sort of abuse, but this alone should be enough for European nations to start treating the US as inherently suspicious: a “source” country for criminals, terrorists, or other people just worth keeping an eye on.

Sultanov had a couple of strikes against him. He was returning from Uzbekistan and had already triggered an alert from TECS (Treasury Enforcement Communication System) asserting that he was a “possible purchaser or possessor of child sexual abuse material.” And, indeed, at least one image fitting that description was found during the first (warrantless) search. That triggered a second search — this one backed by a warrant — and the discovery of more images.

But going back to the first search, which the government likes to portray as cursory or basic and somehow less intrusive. It’s actually extremely intrusive. The same CBP officer said this search is unlimited. Any app that can be opened will be opened. Any communication can be read. All emails can be accessed. Basically, anything that doesn’t require a password to access can be accessed by officers during this screening. All without a warrant.

And if an app does ask for a password, federal officers will simply demand that from the traveler. Much like access to the device itself, this is treated as something the government is owed by travelers. If they refuse to hand over passwords, the government will simply seize the phone. At that point, the traveler may be free to go, but they’ll have to move forward without the essentials of everyday life.

Then there’s this, which shows federal officers will exploit people’s lack of knowledge of the law (along with a language barrier in this case) to demand things they can’t legally demand.

Sultanov’s account of his interaction with Pichardo, as memorialized in an affidavit he submitted in support of his motion to suppress, differs in certain respects from Pichardo’s testimony. Sultanov alleges that he “refused to provide the phone and the phone’s password” to the officers in the secondary inspection area. Once he refused, he was provided with a computer printout that looked like a flyer (presumably the “tear sheet” Pichardo described). Sultanov alleges that he could not understand the printout and asked for clarification. In response, the CBP officers told Sultanov that the “printout states that [he has] to provide them [his] phone’s password and the phone and [he doesn’t] have a choice or right to refuse to provide it.”

When the court says “differs,” it’s showing a bit of deference to the government. The officer’s testimony only differed in the fact that Pichardo either claimed he “couldn’t recall” saying certain things or was extremely vague about the specific things he said to Sultanov during this screening. As for the “tear sheet,” it was in English (not Sultanov’s native language) and contains nothing informing travelers they have the right to refuse to provide passwords and/or hand over devices for “inspection.”

The end result is the warrant requirement, with the court pointing out that it’s simply astounding for the government to argue it should be able to search phones without one simply because that phone happens to have crossed a border. These are arguments that didn’t work in the Riley case and they shouldn’t work here either.

The government takes the remarkable position here that cell phones should not be treated any differently for Fourth Amendment purposes than any other property a traveler carries across a border. It urges this Court to deem such searches “routine” and to hold that no individualized suspicion whatsoever is needed for border officials to search a traveler’s cell phone upon entry into the United States. In essence, the government argues that no practical limits should be placed on cell phone searches at the border whatsoever, as long as they fall into what agents categorize as a “manual” search (i.e., one unaided by extrinsic technology but limited only by the border agents’ time and interest in examining the phone’s contents). However, “the level of intrusion into a person’s privacy is what determines whether a border search is routine.” And the government’s position fails to account for both the substantial privacy intrusions at issue here, as well as the Supreme Court’s Fourth Amendment jurisprudence concerning other advanced technologies that carry with them the potential to reveal vast amounts of the owner’s personal data.

The government still wants to pretend a phone is no different than the contents of a person’s pockets or whatever luggage they might be bringing across the border with them. While there’s a justifiable government interest in preventing physical contraband from crossing the border, the justification falls apart when it’s data, which cannot be stopped at the border — not when it’s available through cloud storage or from websites located outside of the US but easily accessible by US residents and citizens.

That means no “manual” searches without a warrant.

Many courts have found the distinction between manual and forensic searches of electronic devices to have constitutional significance. This Court concludes, however, that the privacy intrusion of a manual search is substantially the same, for Fourth Amendment purposes, as the privacy intrusion of a forensic search, at least as those searches are conducted by CBP at the border. Each involves such a vast intrusion on a traveler’s privacy that, under the Fourth Amendment, both must generally be supported by a warrant.

Good faith saves the search in this case. But there will be no good faith exception to the warrant requirement moving forward. This will undoubtedly be appealed because the US government has zero interest in respecting rights anywhere near a national border or within our multiple international airports. It will soon be in the Second Circuit’s hands. Hopefully, the Appeals Court will do the right thing and apply the Riley warrant requirement to device searches at the border.

Filed Under: 4th amendment, border search exception, border searches, cbp, privacy

$1 Million Awarded To 9-Year-Old US Citizen Held For 34 Hours By CBP

from the ugly-all-the-way-down dept

As has often been said about ICE and CBP, the cruelty is the point. Both agencies have seemingly gone out of their way to harm people, even though their directives don’t demand the often cruel actions they take. Both CBP and ICE have been separating immigrant families for years, even though Trump’s decision to badmouth pretty much every country people are fleeing from as producers of garbage people and criminals meant he took most of the heat for this tactic.

The problem here is discretion: too much of it. Now that both agencies consider themselves to be a part of the national security apparatus (something that often is echoed by courts), they believe they’re justified to do almost anything they want, no matter how horrific. After all, the people hurt the most aren’t actual Americans, so who cares?

That mindset is tough to switch off. And that’s why the American people will be paying out more than a million dollars to the family of a child CBP officers pretty much kidnapped for 34 hours.

Julia Amparo and her brother Oscar Amparo Medina routinely traveled across the border from Mexico into San Ysidro, California to attend school. Their parents and siblings all lived in Tijuana, but Oscar and Julia were US citizens. For years, they had crossed the border without incident. In March 2019, that all changed.

After a CBP officer claimed to have detected a facial “mole” on Julia’s passport that wasn’t present on her face, the siblings were routed to secondary inspection. (This happened despite Julia producing a school ID that did not have the alleged “mole.”) Once they were there, everything went to hell.

Both children were aggressively interrogated by CBP Officer Willmy Lara (who other CBP officers claimed “had a reputation for obtaining confessions”). The siblings were interviewed together and separately. Every time the kids stumbled on an answer, Officer Lara chose to believe this was an indication of guilt.

As Lara stated during his testimony, it is CBP policy to have multiple officers in the room where children are interrogated, supposedly for their own safety. He claimed three other officers were present during the interrogation, but as the court notes in its judgment, there’s no record of any other officer being present and the officers referred to by Lara testified that they were not present during these questioning sessions.

That leads to the first finding the court makes en route to its judgment in favor of the children. From the decision [PDF], coming to us via Courthouse News Service.

Though other officers could see part of the room, no one else was in the room or within clear listening distance and the interview was not audio or video recorded. The Court finds that Officer Lara violated the CBP policy requiring a witness for interviews of children and otherwise failed to record the interview.

These interviews led to a “confession” from Julia, who — while being pressured to make this statement by Officer Lara — claimed to be her cousin, instead of herself. Her brother made a similar “admission.” This led to Oscar being held for 14 hours before being released. Julia’s nightmare lasted much longer: 34 hours. Julia’s wrongful detention only appears to have ended because her family appeared on Mexican television to talk about their missing children and got the Mexican consul involved.

The government continued to claim its assertions were truthful despite the lack of supporting evidence. The court doesn’t find the government credible, especially when represented by Officer Lara.

The United States contends that Julia and Oscar stated that Julia was [her cousin] Melany unprompted and then continued to say that throughout their interviews. The United States does not offer a coherent explanation as to why Julia would falsely confess that she was her cousin Melany. Further, because Officer Lara failed to have a witness present and prepared a report lacking in details, there is no corroboration of either claim.

True, there’s a lack of evidence on the plaintiffs’ side as well, but what there is of it (along with the court’s own observations during this lawsuit) tends to support the plaintiffs’ allegations.

Officer Lara’s report makes no reference as to what prompted Julia to (falsely) confess that she was Melany. Ex. 9. Officer Lara testified “it was just a normal interview” and that he did not remember Julia crying during or after the interview. However, according to Julia, Oscar, and Officer Melendrez, Julia was crying after the interview and Oscar consoled her. Additionally, at trial, Officer Lara testified with a confident and intense manner. Meanwhile, Julia was soft-spoken, easily confused by leading questions, and prone to freezing up and unthinkingly agreeing with the questioner, resulting in contradictory answers.

[…]

Because there were no witnesses or recording of the interview, it is not possible to determine whether Julia was threatened, pressured, or coerced to make a false confession. At the very least though, the Court finds that Officer Lara’s intense manner in questioning a scared 9-year old who was prone to freezing up and automatically agreeing when questioned by authority caused Julia to falsely admit that she was her cousin, Melany.

Discretion means something. And if you want to avail yourself of the benefits of discretionary functions, you need to be far more judicious when you utilize it. This was just an abuse of discretionary power — one that kept a nine-year-old separated from her family for 34 hours.

It was not reasonable to detain a 9-year-old and 14-year-old on suspicion of a false claim of citizenship while their mother and Julia’s godmother were trying to reach them and without doing any further investigating for over 5 hours in the middle of the workday. Officers failed to pursue opportunities to interview Thelma and Cardenas at 9:40 a.m., later in the morning, around noon, around 3:30 p.m., and again around 6 p.m.⸺opportunities created not by CBP but by Thelma and Cardenas looking for the Children. In determining that the actions of the officers were unreasonable, the Court has taken into account the CBP officers’ failures to abide by common sense and CBP directives aimed to protect the children, such as: (1) having a child’s interview witnessed or recorded; (2) providing timely parental notice; and (3) preserving recorded interviews.

There’s no immunity to be had here and Officer Lara is a genuine unicorn: someone who abused his position so fully it has allowed the plaintiffs to not only clear the extremely high “sovereign immunity” bar but secure a monetary judgment from a US federal court.

For these reasons, the Court therefore holds that the duration of the Children’s detention was unreasonable and violated the Fourth Amendment. As a result, the government has not met its burden to show that the discretionary function exception to the FTCA’s waiver of sovereign immunity applies.

The follow-up is quite the kicker:

The Court also need not address whether the discretionary function exception does not apply because CBP violated its own non-discretionary policies.

Here’s how the damages break down: 1.1millionforJulia,becauseshewastheyoungestandheldthelongest.Herbrotherreceives1.1 million for Julia, because she was the youngest and held the longest. Her brother receives 1.1millionforJulia,becauseshewastheyoungestandheldthelongest.Herbrotherreceives175,000. And their mother, Thelma, will receive $250,000. All of this is sure to be appealed, but the judgment is in place. More importantly, the ruling accompanying breaks this whole debacle down in great detail, providing a startling glimpse into the routine inhumanity of the people this country employs to supposedly secure our borders. And if that means locking up a nine-year-old for 34 hours, so be it.

Filed Under: border patrol, cbp, dhs, immigration, lawsuit

CBP’s Top Doctor Tried To Obtain ‘Fentanyl Lollipops’ For ‘Pain Management’ In Case Of A Helicopter Crash

from the failing-upward dept

Man. I have seen some shit since taking up a regular post at this fine website. I have had my mind blown with an alarming frequency. I have been sent into waves of mocking laughter more times than anyone writing for a respected website should admit. I have, in other words, been ruined by the internet.

Despite all of this unaddressed trauma, I continue to write for this site. Why? Well… several reasons. First and foremost, I enjoy writing. This site has an amazing group of regular readers. Some days, the hate is as enjoyable as the love. And, if nothing else, I’m provided constant opportunities to see things I’ve never seen before, even considering my many trips around the internet block. In other words, I need help but still prefer the company of others in my same position.

We’re seeing some amazing stuff right now. Fentanyl does indeed have the power to kill. People unfamiliar with its power are at risk of overdosing.

But fentanyl is, at its base, just another opiate. These have always presented this sort of risk, especially because getting high is almost indistinguishable from getting dead, which tends to result in a higher number of overdoses.

Meanwhile, everyone on one side of the drug experience (the DEA, FBI, and the local media) portrays this drug as capable of killing people who aren’t even ingesting it. Every drug bust is broken down to the minimum lethal level — 2 milligrams — by government spokespersons or journalists willing to push the government’s narrative forward.

While it’s likely true two milligrams can kill someone, that dosage would most likely only be able to end the life of an infant forced to ingest this dosage while having its mouth and nose held shut by DEA agents or entirely-too-credulous reporters.

Then there’s the DEA’s insistence drug cartels are not just seeking to addict children but kill them by offering up multi-colored variations of fentanyl products. While it’s undeniably true the drug trade often involves death, very few drug dealers actually want their customers to die. If kids are uniquely susceptible to a product, it makes little sense to market to them, especially when their funds are limited to allowances and birthday cards.

So, it’s unlikely cartels are marketing to children. But that hasn’t stopped the DEA from claiming otherwise. The real reason for multi-colored pills isn’t to make them attractive to children (who are capable of ending their own lives using any number of OTC and prescription medicines that are also multi-colored). It’s marketing. It’s brand differentiation and an indicator to buyers what product they’re getting and what its potency is.

While the government is busy claiming drug cartels are turning deadly drugs into candy, the government is also seeking to obtain deadly drugs in the form of candy. I am not making this up. Here’s Julia Ainsley with the details for NBC News.

The chief medical officer for Customs and Border Protection pressured his staff to order fentanyl lollipops for him to take to the United Nations General Assembly meeting in New York in September, according to a whistleblower report sent to Congress on Friday.

The whistleblowers said Dr. Alexander Eastman’s staff raised questions about why he would need to order fentanyl lollipops to take with him, and he answered that it was part of his duties to make sure that any injured CBP operators were cared for, making the argument that the lollipops would be necessary for pain management should an emergency occur.

lololololollipop

This sounds like the actions of a person with a drug problem. This sounds exactly like Dr. Eastman wanted a personal stash of fentanyl edibles to get him through the day(s). What this doesn’t sound like is an actual medical need for these products.

Dr. Eastman claimed he was concerned about those flying him to his UN appointment via a Marine helicopter. He also claimed they might be useful in case he or the others on his flight “encountered a patient in need.”

The real reason can only be imagined. But there are some eye-opening things here:

Eastman’s staff initially responded to his request by explaining that Narcan, which can save the lives of those who overdose on fentanyl, has been requested for CBP operations in the past, but not fentanyl itself. The whistleblowers say staff members raised questions about how he would store the lollipops and what he would do with unused fentanyl at the end of the operation, according to the report.

Eastman responded by writing his own policy regarding procurement of Schedule II narcotics, which omitted any mention of how narcotics were to be stored and disposed of, the whistleblowers allege.

Absolutely on the up and up here. Definitely not the actions of an opiate addict. I mean, we all know the saying: a thief will steal your stuff; a junkie will help you look for it.

On top of this, the whistleblowers pointed out the doctor was an uninvited guest. The chief medical officer is rarely, if ever, asked to attend UN general assemblies. But Eastman inserted himself (and his desire for opioid lollipops) into this equation by insisting his presence was necessary because [squints at report] the CBP was assisting the Secret Service with event security. The addition of a doctor with fentanyl lollipops would apparently make this security even more secure.

While it’s nice the whistle was blown, it appears Dr. Nick Eastman still retains his position as the chief medical officer for the CBP. I guess that’s good news for the boys in green, who will be able to indulge their opiate sweet tooth without fear of reprisal. On top of that, we’re now assured it’s safe to bring opioid edibles on board a government aircraft without having to worry about killing everyone on board with these airborne contaminants. Let’s hope Dr. Eastman continues to maintain his position while simultaneously undercutting the federal government’s “every milligram is a killer” narrative. The more he destroys his own reputation, the more he dismantles anti-drug hysteria that makes people stupider, rather than safer.

Filed Under: alexander eastman, cbp, fentanyl, fentanyl lollipops

DHS Releases Previously-Withheld Report Detailing Agencies’ Abuse Of Location Data Purchased From Data Brokers

from the now-that-everyone-knows,-I-guess-we'll-share dept

This report [PDF], obtained by the newly-formed 404 Media, contains a lot of what we know, some of what we don’t know, and confirms a lot of suspicions.

The reliance on data brokers for cell location data very likely predates the Supreme Court’s 2018 Carpenter decision. But it’s safe to assume this market really took off following that decision. Prior to that, law enforcement needed, at best, a subpoena, to obtain a wealth of historical cell location data.

That decision erected some privacy protections for cell site location info. But the finding was limited to large quantities of historical data. And it had nothing to say at all about obtaining this information from third-parties-once-removed: i.e., data brokers collecting location data from apps and selling access to this data to government agencies.

The Carpenter decision dealt explicitly with location data gathered by cell service providers — the sort of data capable of creating a detailed history of a person’s movements. That appears to be the main contributing factor to the increased reliance on data brokers. Unlike service providers, which require cell phone owners to connect with towers for service, location data gathered by apps is not always a requirement to use the app. And denying access to location data gathering may prevent cell phone owners from using certain apps, but it won’t prevent them from using their phones as, well, phones.

For the past few years, report after report has surfaced detailing the federal government’s reliance on data brokers to obtain data that would otherwise require a warrant. DHS component agencies have figured heavily into these reports. The CBP, for example, not only spent hundreds of thousands on data broker access but continued to buy from one data broker even while it was under congressional investigation. ICE also makes use of this data, as does the Secret Service, which is somehow a DHS agency despite it being almost solely focused on protecting key White House residents.

The CBP, for its part, has recently sworn off data broker purchases, at least according to what it has told Senator Ron Wyden. Presumably, this concession was made in hopes that Wyden will drop his legislation that would codify a warrant requirement for obtaining location data from third parties — something that would extend Carpenter’s protections to all location data generated by cell phone users.

This report makes the case the DHS and its agencies can’t be trusted. The Inspector General’s report — originally designated “law enforcement sensitive” and hidden from the general public — shows DHS components helping themselves to location data while violating laws, internal policies, and refusing to engage in even minimal oversight. From the opening of the report:

U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy-sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured. This occurred because the components did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance…

Additionally, the components did not have sufficient policies and procedures to ensure appropriate use of CTD. According to CBP, its CTD rules of behavior were interim policies and procedures until complete policies and procedures were developed. ICE and Secret Service did not develop CTD-specific policies and procedures…

We also noted that the Department does not have a DHS-wide policy governing component use of CTD. Given the number of components using CTD and the significant congressional and public interest in the potential privacy implications with law enforcement use of CTD for investigative purposes, the Department should take a proactive approach to providing DHS-wide guidance.

Deploying before mandated PIAs is just normal day-to-day government business. Why slow the roll towards more surveillance when you can act first and hand in the homework months or years after the fact?

That the use of CTD violated federal law is a bit more concerning, but it will be an unseasonably cold day on the Potomac before any administration actually holds a federal agency involved in national security accountable for violating laws.

While the opening notes what went wrong and hints towards what should be done, nothing else in the report suggests that a few years from now we’ll have anything more than periodic reviews of repeatedly “failures” to implement changes to restore our trust in the DHS and its component agencies.

It sucks but it’s what we’re used to. And DHS may have finally allowed this report to be released, but it also made sure to redact anything it thought might be too “sensitive” to be shared with the general public. There are several paragraphs completely redacted and it’s up to each reader to make a judgment call on what lies behind the black bars. Some of it may be nothing more than boilerplate about “law enforcement means and methods.” But some of it may hide some of the more egregious misuses of this data — data obtained via this process because the thing law enforcement agencies like least is getting a warrant.

Both CBP and ICE told the Inspector General they believed they had up to a year to access CTD without a Privacy Impact Assessment in place. Both agencies believed temporary assessment agreements during trial phases of location data collection nullified this requirement. The IG pointed out both assumptions were wrong. It also noted that thousands of searches (16,000 of them by ICE) were performed without required PIAs in place and without anything approaching actual oversight.

The Secret Service made the same convenient assumption, acquiring 25 licenses to access location data with the mandated privacy assessments in place. When asked about the missing documentation, Secret Service officials blamed it on employee turnover, saying those “responsible” for creating and submitting the required PIAs were “no longer with the component.” That’s like telling OSHA your business didn’t comply with federal safety requirements because your safety team lead quit. That bullshit doesn’t fly in the private sector. And it certainly shouldn’t be humored here, where its millions of Americans at the mercy of agencies that feel they don’t need to have a succession plan in place.

And the DHS can’t blame its component agencies for dropping the paperwork ball. The buck has to stop somewhere, and the DHS is the final backstop.

Based on CBP’s and ICE’s own language, DHS Privacy was aware when it approved the CBP and ICE PTAs that the components had already procured access to CTD without approved PIAs and that they intended to use it operationally.

So, it wasn’t just tacit or implicit approval of privacy violations and lawbreaking. It was explicit approval, handed down by none other than DHS’s supposed “privacy” watchdog.

Then there’s the sort of thing that always tends to happen when you give someone powerful tools with minimal instruction, oversight, or accountability. The IG report portrays this as an isolated incident, but I bet the DHS Director’s salary this is only the tip of the iceberg.

In addition to these oversight gaps, we identified one instance in which, unrelated to an investigation, a CBP employee used CTD inappropriately to track coworkers. The individual told the coworkers they had tracked their location using CTD. According to CBP, the complaint was reported by an ICE employee on August 20, 2020.

This revelation is accompanied by this rather dour note from the Inspector General’s office:

It is unlikely the inappropriate use of CTD would have been discovered due to the lack of policies and procedures governing CTD oversigh requirements.

In other words, other abuses are more than likely, they’re inevitable. And most of those likely will never be discovered via the DHS’s internal auditing and accountability processes because… well, the DHS just doesn’t have any of those.

Since the intent of using third-party data brokers was always to bypass other restrictions on location data-gathering, there was never any hurry to implement policies and processes to limit abuse or introduce accountability. The abuse was the point. Adhering to privacy laws and privacy impact assessment mandates would only prevent these agencies from giving the Fourth Amendment the slip. Worse, it would allow legislators and [gasp!] the general public to start asking questions about this apparent abuse of (constitutional) process. The less anyone knew, the better off these agencies would be. And the less anyone on the inside demanded, the more plausible the shrugs delivered to Inspector General’s office when it finally decided to stick its nose into the DHS’s business.

And while the DHS has at least agreed to many of the IG’s recommendations, it’s important to recognize there’s a whole lot of distance between agreeing to do something and actually doing something. For the DHS and its components, agreeing with recommendations simply means letting the clock run until the next IG investigation into this very specific issue. And, until that happens, DHS, ICE, CBP, and the US Secret Service don’t have to change a thing.

Filed Under: cbp, data brokers, dhs, ice, location data, privacy

Oversight Report Finds Several Federal Agencies Are Still Using Clearview’s Facial Recognition Tech

from the look,-we-honestly-thought-no-one-would-keep-asking-questions dept

Two years ago, the Government Accountability Office (GAO) released its initial review of federal use of facial recognition tech. That report found that at least half of the 20 agencies examined were using Clearview’s controversial facial recognition tech.

A follow-up released two months later found even more bad news. In addition to widespread use of Clearview’s still-unvetted tech, multiple DHS components were bypassing internal restrictions by asking state and local agencies to perform facial recognition searches for them.

On top of that, there was very little oversight of this use at any level. Some agencies, which first claimed they did not use the tech, updated their answer to “more than 1,000 searches” when asked again during the GAO’s follow-up.

While more guidelines have been put in place since this first review, it’s not clear those policies are being followed. What’s more, it appears some federal agencies aren’t ensuring investigators are properly trained before setting them loose on, say, Clearview’s 30+ billion image database.

That’s from the most recent report [PDF] by the GAO, which says there’s still a whole lot of work to be done before US residents can consider the government trustworthy as far as facial recognition tech is concerned.

For instance, here’s the FBI’s lack of responsibility, which gets highlighted on the opening page of the GAO report.

FBI officials told key internal stakeholders that certain staff must take training to use one facial recognition service. However, in practice, FBI has only recommended it as a best practice. GAO found that few of these staff completed the training, and across the FBI, only 10 staff completed facial recognition training of 196 staff that accessed the service.

The FBI told the GAO it “intends” to implement a training requirement. But that’s pretty much what it said it would do more than a year ago. Right now, it apparently has a training program. But that doesn’t mean much when hardly anyone is obligated to go through it.

This audit may not have found much in the way of policies or requirements, but it did find the agencies it surveyed prefer to use the service offered by an industry pariah than spend taxpayers’ money on services less likely to make them throw up in their mouths.

Yep. Six out of seven federal agencies prefer Clearview. The only outlier is Customs and Border Protection, although that doesn’t necessarily mean this DHS component isn’t considering adding itself to a list that already includes (but is not limited to) the FBI, ATF, DEA, US Marshals Service, Homeland Security Investigations, and the US Secret Service.

We also don’t know how often this tech is used. And we don’t know this because these federal agencies don’t know this.

Six agencies with available data reported conducting approximately 63,000 searches using facial recognition services from October 2019 through March 2022 in aggregate—an average of 69 searches per day. We refer to the number of searches as approximately 63,000 because the aggregate number of searches that the six agencies reported is an undercount. Specifically, the FBI could not fully account for searches it conducted using two services, Marinus Analytics and Thorn. Additionally, the seventh agency (CBP) did not have available data on the number of searches it performed using either of two services staff used.

In most cases, neither the agency nor the tech provider tabulated searches. Thorn only tracked the last time a source photo was searched against, not every time that photo had been searched. And, as the GAO notes, its 2021 report found some agencies couldn’t even be bothered to track which facial recognition tech services were being used by employees, much less how often they were accessed.

Most of the (undercounted) 63,000 searches ran through Clearview. Almost every one of these searches was performed without adequate training.

[W]e found that cumulatively, agencies with available data reported conducting about 60,000 searches—nearly all of the roughly 63,000 total searches—without requiring that staff take training on facial recognition technology to use these services.

All of the surveyed agencies have been using facial recognition tech since 2018. And here’s how they’re doing when it comes to handling things like mandated privacy impact assessments and other privacy-focused prerequisites that are supposed to be in place prior to the tech’s deployment. In this case, green means ok [“agency addressed requirement, but not fully”], baby blue means completed fully, and everything else means incomplete.

If there’s any good news to come out of this, it’s that the US Secret Service, DEA, and ATF have all halted use of Clearview. But just because Clearview is the most infamous and most ethically dubious provider of this tech doesn’t mean the other options are so pristine and trustworthy, these agencies should be allowed to continue blowing off their training and privacy impact mandates. These agencies have had two years to get better at this. But it appears they’ve spent most of that time treading water, rather than moving forward.

Filed Under: cbp, dhs, facial recognition, fbi, gao, us government
Companies: clearview, clearview ai

CBP Tells Senator Ron Wyden It Will Stop Buying Location Data From Third Parties

from the definitely-the-most-trustworthy-of-pinkie-swears dept

In 2018, the Supreme Court handed down the Carpenter decision. That decision built on the one declaring phones off limits without a warrant — one delivered four years earlier. The rationale was this: phones are always on, all-knowing, and everywhere all the time.

Given the amount of data generated by everyday smartphone use, the Supreme Court (in these two decisions) decided to expand Fourth Amendment coverage not only to phones, but to the location data they generated continuously in order to provide service to phone owners.

The Carpenter decision said obtaining long-term location data from cell service providers now required a warrant. These records were no longer mere “third party” records. Instead, they were records capable of allowing the government to track a person’s whereabouts (and infer things about those locations). As such, probable cause was needed to obtain these records — ones now removed from the blanket coverage of the Third Party Doctrine.

Faced with this new reality, the government began searching for warrantless alternatives. Brokers hoovering data from unaware phone users (via installed apps that may or may not have warned them location data would be gathered) became the new source for third party records. In fact, this collection of data was one third party removed from the original third party: the app collecting the data.

Given this distance, the government assumed it was constitutional to do the same thing the Carpenter decision prohibited, since it wasn’t gathering location data directly from cell service providers. And by “government,” I mean pretty much all of it. The feds got on top of it, spending tax dollars to provide the DEA, ICE, CBP, Defense Department, and many other federal agencies with location data harvested from phone app users.

Once this new collection became public knowledge, other components of the federal government — namely, certain legislators actually interested in protecting Americans’ rights — got involved. Senator Ron Wyden led the charge to end this warrantless collection of location data determined by the highest court in the land to be protected by the Fourth Amendment (albeit within narrow confines).

Congressional investigations were opened into this new breed of data merchants. That did little to deter federal agencies from purchasing data from brokers currently under investigation. Legislators applied more pressure. But these actions had little result… at least, up until now.

As Joseph Cox reports for the recently-formed 404 Media, the CBP has, at least for the time being, assured Senator Wyden it will no longer purchase location data from opportunistic brokers.

Customs and Border Protection (CBP) has told Sen. Ron Wyden that it plans to stop using commercially sourced smartphone location data at the end of this month, Wyden’s office told 404 Media.

This is good news. But there are caveats, the first of which is the timing. Apparently, the CBP is willing to collect it all until the end of this month, which seems a bit opportunistic for someone promising to kick the data broker habit cold turkey.

Then there’s this, which suggests the CBP has found another source for this data — one that has not, as of yet, been made public.

CBP told 404 Media it determined the agency does not have a current need to buy more access to such data.

No “current need” to “buy more access.” Hmm. I wonder what that means in plain English. It could be that it’s found another source for this data. Or it could mean it’s currently in possession of so much data, it doesn’t feel the need to add more to its current collection. Or it could mean the data harvested by data brokers is less useful than alternatives that may actually require warrants.

The latter might be the most likely explanation, at least according to statements obtained by Cox and 404 Media. Sure, it’s easy to gather location data in bulk from brokers, but the data collected from (likely intermittent) app use is going to be incomplete. And, in cases, where suspects are already difficult to identify, the data may only serve to obscure the intended target, rather than help law enforcement hone in on its prey.

Agencies have not necessarily been successful at tracking individual targets with such data. Senator Wyden’s office previously found that the criminal investigation unit of the IRS tried and failed to track criminal suspects in a year-long Venntel contract.

Of course, the government isn’t adverse to throwing good money at bad intel. That’s how so many government contractors remain lucrative. But when results matter, paying for access to inconsistent data may frustrate federal agents enough they’re willing to give up heavily criticized collection methods and actually act a bit more constitutional when performing investigations.

Whatever the case, it’s probably best federal agencies begin weaning themselves off this particular data teat. A lot of federal agencies are already considered flagrant rights violators. And not just because they routinely violate rights. A Republican cabal with considerable power is seeking to punish the so-called “deep state” by limiting surveillance powers. While the CBP and its foreigner-ousting directives may align with these Republicans’ interests, the overall distrust of federal surveillance efforts might see warrantless collections like these curbed in the future.

And that means Senator Wyden may have unlikely allies willing to push through his legislation that would mandate warrants for collecting location data from sources not specifically covered by the Carpenter decision. Sometimes the best bedfellows Americans can have are the strange ones.

Filed Under: cbp, data, data brokers, dhs, privacy, ron wyden

DHS Continues To Violate Facebook Policies By Allowing CBP, ICE Officers To Create Fake Social Media Profiles

from the fake-people,-real-harms dept

The US government may try to prosecute you for violating sites’ terms of service. But it won’t be handling its own actions the same way.

Instead, the government embraces fakery of all sorts, from fake colleges used to eject immigrants just trying to further their education to setting up fake drug stash houses to entrap people desperate to improve their personal financial situations. And then there’s the FBI’s 20 years of radicalizing people in terrorist stings where the government does all the conspiring and the “terrorists” it creates do all the jail time.

While it’s understood a certain amount of subterfuge is necessary to engage in law enforcement, social media services have made it clear not even the federal government is exempt from policies forbidding the creation of fake profiles. Not that it matters to the government. While it has considered this sort of behavior from mere citizens to be a criminal act, it treats willful violation of site policies as just another day at the office.

More evidence of the government’s unwillingness to play by the rules. The Guardian reports the DHS’s encouragement of fake profile creation by officers working for its many underlying agencies continues unabated, despite having drawn the attention of these services, along with the occasional legislator.

US immigration officials sought to expand their abilities to monitor and surveil social media activity and allowed officers to create and use fake social media profiles in a wide range of operations, including covertly researching the online presence of people seeking immigration benefits, new documents show.

Authorities within several Department of Homeland Security (DHS) immigration agencies, including Customs and Border Protection (CBP) and Immigration and Customs Enforcement (Ice), have repeatedly discussed using “aliases”, or undercover online accounts for investigations, according to records obtained through an open records request by the civil rights non-profit Brennan Center for Justice and shared with the Guardian. Officials have also expressed concern about social media sites’ policies that prohibit the use of fake profiles and discussed bypassing those rules.

Facebook has repeatedly warned government entities that their employees are subject to the same “real name” policies that apply to regular people who wish to use the service. These warnings have been constantly ignored, which is definitely the expected outcome, but one that ensures the federal government can’t pretend it didn’t know it was violating policies if it ever comes to the point where someone within the government is willing to do anything about these routine violations.

The documents discussed here make it clear the government will continue to violate site policies for as long as it believes it’s beneficial to do so. As of now, DHS components are in the constant expansion phase of this scenario.

In August 2019, Ice’s Enforcement and Removal Operations (ERO), which tracks and jails people for deportation, expressed interest in using social media for “fugitive” and “detainee” operations, according to emails between DHS privacy officials.

“I’m mainly concerned with ERO’s authority to create a fake profile and how we would get around the terms of service of certain social media providers,” one DHS privacy officer wrote.

At about the same time, DHS officials wrote that the department’s Homeland Security Investigations (HSI) branch, which conducts criminal inquiries, was planning to soon use “aliases”. And one HSI policy document on social media use, written in 2012, said that “undercover operations” could require investigators to “befriend or become business associates with potential violators”.

There’s no end point in sight. Facebook will continue to remove accounts it determines to be bogus. DHS employees will continue to create fake profiles while ignoring the guidance of the DHS’s own privacy officers, who obviously feel the continued abuse of site policies is likely going to end badly for the agency and its component entities.

Meanwhile, social media surveillance continues uninterrupted. The documents show CBP is still allowed to create fake profiles to passively monitor public Facebook posts. ICE can go a bit further. It has been given explicit permission to create fake accounts to engage in undercover investigations as long as the tactics used online are somewhat analogous to undercover activities carried out in the real world.

I guess that’s the standard the DHS will hold itself to: if it can lie to people in person, it can lie to them online. The difference is in-person surveillance is limited to a small set of targets while online undercover efforts — combined with powerful third-party tools offered by government contractors — make placing thousands of people under surveillance so simple even a government agent can do it.

Filed Under: cbp, dhs, fake social media profiles, ice, immigration, real names, social media
Companies: facebook, meta

CBP Adding To Its Border Surveillance Arsenal With The Help Of The Creator Of The Oculus Rift

from the eyes-everywhere-all-the-time dept

There are plenty of reasons to be concerned about Customs and Border Protection’s (CBP) pretty much unregulated use of surveillance technology. Courts have given considerable leeway to border agencies, reasoning that national security concerns outweigh the countless violations of constitutional rights.

The protections the highest court in the land erects are waved away anywhere CBP operates, which includes international airports located hundreds of miles away from the nation’s physical borders. So does the CBP’s surveillance tech, which can often be found miles inland as well, scooping up US residents in the CBP’s sizable dragnet.

Even when the CBP decides Supreme Court decisions might apply to its surveillance efforts, the agency finds ways to route around this mild inconvenience, utilizing private companies to do its unconstitutional work for it.

Lots of private companies are pitching in to help surveil both sides of the border. The EFF has used information gleaned from public records requests to give researchers (and concerned citizens) some idea of the extent of the CBP’s wall o’ surveillance, which includes at least 290 surveillance towers and 50 automatic license plate readers.

It has compiled a dataset anyone can download, remix and reuse, as well as an interactive map of camera/ALPR locations.

Obviously, the CBP can’t do all of this on its own. So, it’s relying heavily on private sector contractors to help build the surveillance network, as well as make use of everything the CBP collects. The biggest contributor is a company founded by none other than the man who gave us the Oculus Rift, Palmer Luckey. Luckey has long since pivoted from giving people the opportunity to engage in virtual reality. He’s now in the far more lucrative surveillance sector, crafting tech for government agencies that have often shown they can’t be trusted with this much power.

The tower systems are able to automatically detect and track objects up to 7.5 miles away and assist agents in classifying objects 3 miles away, depending on regional requirements. Dozens more towers will be added at the Canadian border. Meanwhile CBP is in the process of installing 200 Autonomous Surveillance Towers (ASTs) from Anduril Industries that are controlled by artificial intelligence software, which will also be part of the IST program. In the short term, CBP has earmarked $204 million for this program in its 2023 and 2024 budgets, which covers the deployment of 74 ASTs by the end of FY 2024 and 100 new towers by the end of FY 2025.

Anduril is Luckey’s company, formed with some former employees of Palantir, the surveillance tech company formed by venture capitalist/free speech enemy Peter Thiel. Anduril stands to make $250 million alone from the creation and installation of the 200 surveillance towers, which can detect people from nearly two miles away.

And the towers aren’t just keeping an eye on the border. The EFF has discovered some rather unusual CBP installations that don’t appear to be border security focused.

The map also includes unusual and novel surveillance towers, such as a new Elbit tower that was installed on the Cochise County Community College campus and a tower installed on the property of Warren Buffet’s son’s ranch, both near Douglas, Ariz. Another Anduril tower was located 30 miles north of the San Diego border, where it watches the Pacific Ocean from the cliffs near the Del Mar dog beach.

Sure, you can make some money offering goods and services to the US citizens. But if you want to make real money, you’re sometimes better off helping fulfill the government’s surveillance state desires. Fortunately, the Freedom of Information Act ensures that not all of this passive, not-exactly-border-targeting surveillance flies under the public’s radar. Sometimes we need to be the ones who watch the watchers, and thanks to the efforts of the EFF and others, we are sometimes given the opportunity to perform this very necessary task.

Filed Under: ast, autonomous surveillance tower, border wall, cbp, dhs, palmer luckey, surveillance
Companies: anduril

Senator Wyden Asks State Dept. To Explain Why It’s Handing Out ‘Unfettered’ Access To Americans’ Passport Data

from the having-fucked-around,-State-Dept.-now-in-process-of-finding-out dept

There are supposed to be limits on what the federal government can do with all the data it forces people to hand over in exchange for government services. But much of the limiting appears to be left up to the discretion of federal agencies. Discretion is the better part of valor, as they say. If these agencies are ever going to become valorous, they’re probably going to have to steal it.

Customs and Border Protection (CBP) has never exhibited much discretion when it comes to respecting rights. Whatever rights haven’t been waived into irrelevance by the “Constitution-free zone” have been routed around by asking third parties for data the CBP can’t legally obtain directly.

In 2018, a blockbuster report detailed the actions of CBP agent Jeffrey Rambo. Rambo apparently took it upon himself to track down whistleblowers and leakers. To do this, he cozied up to a journalist and leveraged the wealth of data on travelers collected by federal agencies in hopes of sniffing out sources.

A few years later, another report delved deeper into the CPB and Rambo’s actions. This reporting — referencing a still-redacted DHS Inspector General’s report — showed the CBP routinely tracked journalists (as well as activists and immigration lawyers) via a national counter-terrorism database. This database was apparently routinely queried for reasons unrelated to national security objectives and the information obtained was used to open investigations targeting journalists.

That report remains redacted nearly a year later. But Senator Ron Wyden is demanding answers from the State Department about its far too cozy relationship with other federal agencies, including the CBP.

The State Department is giving law enforcement and intelligence agencies unrestricted access to the personal data of more than 145 million Americans, through information from passport applications that is shared without legal process or any apparent oversight, according to a letter sent from Sen. Ron Wyden to Secretary of State Antony Blinken and obtained by Yahoo News.

The information was uncovered by Wyden during his ongoing probe into reporting by Yahoo News about Operation Whistle Pig, a wide-ranging leak investigation launched by a Border Patrol agent and his supervisors at the U.S. Customs and Border Protection’s National Targeting Center.

On Wednesday, Wyden sent a letter to Blinken requesting detailed information on which federal agencies are provided access to State Department passport information on U.S. citizens.

The letter [PDF] from Wyden points out that the State Department is giving “unfettered” access to at least 25 federal agencies, including DHS components like the CBP. The OIG report into “Operation Whistle Pig” (the one that remains redacted) details Agent Rambo’s actions. Subsequent briefings by State Department officials provided more details that are cited in Wyden’s letter.

More than 25 agencies, but the State Department has, so far refused to identify them.

_Department officials declined to identify the specific agencies, but said that both law enforcement and intelligenc_e agencies can access the [passport application] database. They further stated that, while the Department is not legally required to provide other agencies with such access, the Department has done so without requiring these other agencies to obtain compulsory legal process, such as a subpoena or court order.

Sharing is caring, the State Department believes. However, it cannot explain why it feels this passport application database should be an open book to whatever government agencies seek access to it. This is unacceptable, says Senator Wyden. Citing the “clear abuses” by CBP personnel detailed in the Inspector General’s report, Wyden is demanding details the State Department has so far refused to provide, like which agencies have access and the number of times these agencies have accessed the Department’s database.

Why? Because rights matter, no matter what the State Department and its beneficiaries might think.

The Department’s mission does include providing dozens of other government agencies with self-service access to 145 million American’s personal data. The Department has voluntarily taken on this role, and in doing so, prioritized the interests of other agencies over those of law-abiding Americans

That’s the anger on behalf of millions expressed by Senator Wyden. There are also demands. Wyden not only wants answers, he wants changes. He has instructed the State Department to put policies in place to ensure the abuses seen in “Operation Whistle Pig” do not reoccur. He also says the Department should notify Americans when their passport application info is accessed or handed over to government agencies. Finally, he instructs the Department to provide annual statistics on outside agency access to the database, so Americans can better understand who’s going after their data.

So, answers and changes, things federal agencies rarely enjoy engaging with. The answers are likely to be long in coming. The requested changes, even more so. But at least this drags the State Department’s dirty laundry out into the daylight, which makes it a bit more difficult for the Department to continue to ignore a problem it hasn’t addressed for more than three years.

Filed Under: cbp, data protection, operation whistle pig, passports, privacy, ron wyden, state department

Defense Department Latest To Be Caught Hoovering Up Internet Data Via Private Contractors

from the haystacks-at-wholesale-prices dept

Everyone’s got a hunger for data. Constitutional rights sometimes prevent those with a hunger from serving themselves. But when they’ve got third parties on top of third parties, all Fourth Amendment bets are off. Data brokers are getting rich selling government agencies the data they want at low, low prices, repackaging information gathered from other third parties into tasty packages that give US government agencies the data they want with the plausible deniability they need.

Relying on the third-party doctrine that mostly ignores the Fourth Amendment and the public claims of data brokers that the massive amount of data being hawked to willing buyers cannot, in and of itself, positively ID anyone, federal agencies are amassing haystacks without having to worry too much about upsetting the probable cause cart.

Who’s grabbing all this data from data brokers? Well, it’s DC’s heaviest hitters, including ICE, CBP, the FBI, IRS, Secret Service, and — according to this report from Joseph Cox for Motherboard — the Department of Defense.

Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.

The report is drawn from the information revealed by Senator Ron Wyden in his letter [PDF] to the Inspectors General of the FBI and DHS, as well as (most relevantly here) the Defense Department’s oversight.

The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service.

As Cox points out, there are non-privacy violating uses for this data. Analysts and security researchers use this treasure trove to track malicious hackers and/or do due diligence for cyberattack attribution.

How the US military utilizes this data is unknown. Much of it appears to be foreign-facing, which means most collections won’t raise constitutional eyebrows. The procurement record shows the Defense Department is particularly interested in accessing data from collection points around the world, including those found in Europe, the Middle East, Africa, and Asia. But the procurement request also notes the data accessed might originate in North America, which is where plenty of US citizens reside.

Even if the Defense Department makes an effort to steer clear of US persons’ data, there’s no way Team Cymru can guarantee the military won’t end up with plenty of local data in its possession. Its (defensive) statements in response to questions from Motherboard suggests that by the time the data is packaged for sale, the company doing the harvesting (either directly or indirectly) doesn’t have much insight into its country of origin.

“Our platform does not provide user or subscriber information, and it doesn’t provide results that show any pattern of life, preventing its ability to be used to target individuals. Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what’s returned,” Team Cymru said in another email.

If the platform truly laundered data into near-obscurity, it would be useless to those seeking it. So, either Team Cymru is relying on things unsaid to imply it isn’t helping federal agencies bypass constitutional protections, or it’s providing a service that asks end users to do all the analytic heavy lifting. It seems unlikely federal agencies (which include the FBI and DHS) would pay good money for access to a bunch of data that can’t be used to observe “patterns of life” or otherwise assist in pulling needles from Augury’s haystacks.

And a *lot* of money has been spent. Wyden’s letter notes the DoD has been evasive when asked direct questions by the senator.

While I have been able to make public important details about government agencies’ purchase of location data, my efforts to probe and shed light on the government’s purchase of internet browsing records have been frustrated by the Pentagon.

[…]

After DOD refused to release this information without restrictions, my staff learned that public contract information had been posted online, showing that multiple DoD agencies purchased data from data brokers that reveal internet browsing history: The Defense Counterintelligence and Security Agency spent more than $2 million purchasing access to netflow data, and the Defense Intelligence Agency purchased Domain Name System data. My office asked DOD to re-review their decision to maintain the CUI restrictions on the written answers DOD had previously provided, in light of these public contracts. DOD yet again refused, on May 25, 2022.

The Defense Department appears very reluctant to discuss its $2 million contract that allows it to hook itself up to Team Cmyru’s firehose. Rest assured, these government dollars are not being misspent. The DoD is definitely getting what it paid for.

Public contracting records confirm that the Augury tool provides access to “petabytes” of network data “from over 550 collection points worldwide” and “is updated with at least 100 billion new records each day.” The contracting records also confirm that Augury provides access to email data (“IMAP/POP/SMTP pcap data”) and data about web browser activity (“cookie usage,” “UserAgent data” and “URLs accessed”).

For those not familiar with the term used by Wyden, “pcap” is all-encompassing when it comes to internet traffic data.

PCAP data is “everything,” Zach Edwards, a cybersecurity researcher who has closely followed the data trade, told Motherboard in an online chat. “It’s everything. There’s nothing else to capture except the smell of electricity.”

Massive amounts of data, only limited by the government’s desire and Team Cmyru’s internal controls, whatever they actually are. That’s a lot of info on internet users’ habits, all of which can be had for a few million dollars a year, unrestrained by constitutional restrictions. As far as the government is concerned, a bunch of data that can be used to identify people and track their internet habits, if not their actual location (thanks to the wealth of location data generated by devices, apps, and on-the-go software) isn’t a Fourth Amendment issue because there are a few degrees of separation (and, possibly, meaningless “anonymization”) separating data generators from the government agencies buying access to this data.

That the Defense Department is unwilling to speak honestly to Wyden about this data haul signals there’s something questionable about its actions. Hopefully, this pressure will persuade the DoD to terminate its contract with Augury/Team Cmyru and find more constitutionally-sound ways to gather data.

Filed Under: cbp, defense department, dhs, fbi, ice, irs, secret service, third party doctrine