gps – Techdirt (original) (raw)
EU’s ‘Going Dark’ Expert Group Publishes 42-Point Surveillance Plan For Access To All Devices And Data At All Times
from the they-never-give-up dept
Techdirt has been covering the disgraceful attempts by the EU to break end-to-end encryption — supposedly in order to “protect the children” — for two years now. An important vote that could have seen EU nations back the proposal was due to take place recently. The vote was cancelled — not because politicians finally came to their senses, but the opposite. Those backing the new law were worried the latest draft might not be approved, and so removed it from the agenda, to allow a little more backroom persuasion to be applied to holdouts.
Although this “chat control” law has been the main focus of the EU’s push for more surveillance of innocent citizens, it is by no means the end of it. As the German digital rights site Netzpolitik reports, work is already underway on further measures, this time to address the non-existent “going dark” threat to law enforcement:
The group of high-level experts had been meeting since last year to tackle the so-called „going dark“ problem. The High-Level Group set up by the EU was characterized by a bias right from the start: The committee is primarily made up of representatives of security authorities and therefore represents their perspective on the issue.
Given the background and bias of the expert group, it’s no surprise that its report, “Recommendations from the High-Level Group on Access to Data for Effective Law Enforcement”, is a wish-list of just about every surveillance method. The Pirate Party Member of the European Parliament Patrick Breyer has a good summary of what the “going dark” group wants:
according to the 42-point surveillance plan, manufacturers are to be legally obliged to make digital devices such as smartphones, smart homes, IoT devices, and cars monitorable at all times (“access by design”). Messenger services that were previously securely encrypted are to be forced to allow for interception. Data retention, which was overturned by the EU Court of Justice, is to be reenacted and extended to OTT internet communications services such as messenger services. “At the very least”, IP connection data retention is to be required to be able to track all internet activities. The secure encryption of metadata and subscriber data is to be prohibited. Where requested by the police, GPS location tracking should be activated by service providers (“tracking switch”). Uncooperative providers are to be threatened with prison sentences.
It’s an astonishing list, not least for the re-appearance of data retention, which was thrown out by the EU’s highest court in 2014. It’s a useful reminder that even when bad laws are overturned, constant vigilance is required to ensure that they don’t come back at a later date.
Follow me @glynmoody on Mastodon and on Bluesky.
Filed Under: cars, chat control, children, cjeu, data retention, encryption, eu, european parliament, going dark, gps, iot, location tracking, messenger services, netzpolitik, ott, patrick breyer, pirate party, smart homes
Can Google Be Held Liable For Man Who Died Following Google Maps Over A Collapsed Bridge?
from the tragic-story dept
There’s a pretty well known scene from The Office, when Michael Scott (played by Steve Carrell) follows his GPS device’s instructions (incorrectly, obviously) and drives into a lake:
The writer of that scene says the inspiration was a number of stories of people doing exactly that. In fact, in the earlier days of Techdirt, we wrote about a number of such stories. And not just once. But many times. Many, many times. Many, many, many times. When it happened on The Office, it was funny. In some of the links here, when no one got hurt, it was also kind of funny. But… when someone ends up dying because of it, it’s not funny at all.
Tragically, though, it happened again last year, where Philip Paxson followed his GPS to a bridge that had collapsed a decade ago and was effectively non-existent, and had not been repaired. And now Paxson’s wife is suing. The story is making headlines because beyond suing the private property owners who own the property where the bridge had been, they’re suing Google, because Google Maps recommended Philip drive over the bridge.
The horrifying bit, to me, is the simple fact that there were allegedly no barriers or other warning signs telling people that the bridge was out (and had been for years). I could see that simple fact (if accurate), leading to serious problems for the property owners (the bridge was over private property, and apparently it was not the local government’s responsibility).
The Google part… however… seems like a long shot, legally speaking. The complaint is designed to tug at your heart strings, and everything about the situation seems unfortunate and tragic. But can Google be held liable? That’s a tougher argument to make, though the lawyers here try valiantly to do so.
Normally, though, all liability falls on the driver to be aware of their own surroundings and the road ahead of them. While the complaint, repeatedly, notes that he drove down this road late at night, when there was no external lighting and it was “pitch black” out, his car must have had headlights, which can be pretty bright. And if he was paying attention to the road in front of him, it seems like he should have noticed that a large section of the bridge was missing.
That said, the part that makes this slightly trickier, is that the complaint has clear evidence that Google was informed of the broken bridge, as a nearby resident had alerted the company to the issue using Google Maps’ “Suggest an Edit” feature, and the complaint shows an acknowledgement from Google to that resident that it had received her “suggested edit” (nearly two years before the accident.)
The complaint also shows another “suggested edit” after the accident, telling Google that someone had died there while following Google Maps. As the complaint notes, when the lawyers checked again in April of this year (nearly half a year after the accident), Google Maps still listed the non-existent bridge as drivable.
Yikes?
That’s pretty bad, no matter how you look at it, but I’m still not sure that it’s so bad that Google will be found liable. Google Maps tries to map the entire world, and it likely receives a very large number of edit requests on a regular basis, and not all of them are legit. Indeed, people have written about how sneaky competitors might use “suggest an edit” to harm a business. Which means that Google can’t just rely on the submitted data as accurate, and will likely often have to send someone out to check on these things. It seems likely that not everything gets checked, and the backlog may take a while. Also, the first “notification” in the complaint came in the midst of the COVID pandemic lockdowns, which makes me wonder if Google Maps checkers were less able to check on these things as well at the time.
On top of that, another photo in the complaint itself shows the bridge in daylight, which seems to suggest that while there may not have been barriers blocking the bridge, there did appear to be trees growing across the road. From the images in the complaint, the car ended up against the far wall in the image below. And you can see what appear to be trees, or very large weeds of some kind growing there, which he would have had to drive through to reach the hole if he was driving from that side. If, instead, he was somehow driving from the foreground side, the fact that his car ended up wedged against that far wall, might also suggest he was going quite fast for such a road.
Still, every bit of this story is tragic and unfortunate. The bridge should have been blocked off and clearly marked as non-existent. Google should have been better about responding to user requests to update the map to avoid showing that as a legitimate road.
But… it’s unclear to me that this raises to the level of negligence required for the case to succeed against Google.
Filed Under: bridge, google maps, gps, liability, philip paxson
Companies: google
Parole Violator Who Raided Senate Building Sold Out By The GPS Unit Attached To Him For Previous Parole Violations
from the GOP-might-not-be-attracting-the-best-and-brightest dept
Here’s the latest stupid way pro-Trump rioters are getting arrested for their participation in the Little Insurrection That Couldn’t. Surprisingly, the inauguration went off without a hitch, but no one could have seen that coming a couple of weeks ago, when Trump fans raided the Senate building in an attempt to prevent election results from being certified.
Opsec was the last thing on many invaders’ minds. Providing great content for Parler followers or whatever seemed to be more important. The fierce opposition to wearing masks for health reasons carried over to a reluctance to wear masks for “committing federal crimes” reasons. Plenty of public posts to various social media services have made it exceedingly easy for investigators to track down perpetrators without having to leave their desks.
I hesitate to call this the peak of January 6th related stupidity. There’s always a chance this will be topped. But this is just gobsmackingly idiotic. As we’re all painfully aware, cellphones generate a ton of useful (to investigators) location data that can track movements and tie people to criminal activities.
It’s one thing to forget your cellphone is an omnipresent snitch. It’s quite another to forget you’re wearing a device specifically designed to deliver your current location data to law enforcement. May I introduce to this fucking guy:
Bryan Betancur is one of dozens of people that have been arrested in the wake of the insurrection at the Capitol. He was arrested on Sunday, and is expected to make his first court appearance in D.C. on Monday afternoon.
A screenshot of Betancur’s Instagram account allegedly shows him outside the U.S. Capitol on Jan. 6 flashing a sign linked to white supremacist groups.
Screenshots are good. Precise location data is better. And Betancur delivered that to investigators in a way few others involved in the half-assed insurrection have. Behold this galaxy brain at work.
Investigators say their case relies in part on location data produced by the GPS unit that the man was wearing for a prior offense.
Someone who committed some crimes and committed another crime by violating his parole decided to commit more crimes — all while wearing something that was supposed to encourage him to commit fewer crimes by informing law enforcement of his whereabouts at all times.
And, while Betancur originally admitted he had been in the Capitol and was on the receiving end of tear gas dispensed by Capitol police, he walked some of those statements back when questioned further. Unfortunately, he couldn’t walk back his previous footsteps inside the Capitol building, which means he too will likely be facing charges beyond (yet another) parole violation.
Filed Under: bryan betancur, capitol, gps, insurrection, parole violator
Law Enforcement Also Using 'Reverse' Warrants To Obtain Google Searches
from the no-suspects,-just-search-terms dept
Hunting down suspects these days doesn’t require canvassing the area of a crime scene for witnesses and suspects. All it takes is a warrant. But these are not your regular warrants. To start with, there’s no suspect to target and no property of theirs to search. These “reverse” warrants work the way you’d expect them to: backwards. Law enforcement agencies approach companies like Google with demands for the information on everyone in areas near crime scenes and work backwards from the data dump to find suspects.
It doesn’t always work. Sometimes they get the wrong person. Other times, investigators are shot down by judges who recognize it’s impossible to generate probable cause for the search of everyone in a certain area at a certain time. Reverse warrants for location data and devices turn everyone into a suspect when investigators seek this information.
But reverse warrants aren’t just for location data, as c|net reports. A warrant first spotted by Robert Snell of the Detroit News sought something else: everyone who performed a Google search for a certain home address.
In August, police arrested Michael Williams, an associate of singer and accused sex offender R. Kelly, for allegedly setting fire to a witness’ car in Florida. Investigators linked Williams to the arson, as well as witness tampering, after sending a search warrant to Google that requested information on “users who had searched the address of the residence close in time to the arson.”
This warrant appeared to have worked, at least in terms of locating a suspect. The original warrant is still sealed, but the response returned by Google contained only a single search, immediately narrowing the suspect list down to a single person. Further investigation showed the device that performed this search traveled from Georgia to the address in Florida and then back to Georgia after the vehicle torching took place.
Obviously, this raises another set of Constitutional questions a court will have to address. The attorney for Michael Williams plans to challenge this search as a Fourth Amendment violation. That’s where the probable cause factor for search warrants comes into play. There are plenty of innocuous reasons for someone to search for a particular address. In this case, only one person did and phone records obtained following this initial “reverse” search established a pretty suspicious travel record.
But is there probable cause to believe a search for an address is evidence of a crime? That’s a questionable assertion and it has the possibility to turn plenty of innocent people into suspects if their Google search histories can be obtained through keyword searches by law enforcement. Many people have an interest in crime. But a much smaller subset actually commit crimes. Searches for terms related to criminal activity will turn curiosity into possible criminal intent. Just because there’s a warrant involved doesn’t mean it’s Constitutional. Slurping up people’s Google searches en masse aligns these reverse warrants with the general warrants of this nation’s colonial days.
Of course, the downside to pushing back against these warrants is the possibility of creating precedent that says law enforcement doesn’t even need a warrant to obtain this info. It’s almost impossible for anyone to claim they didn’t knowingly and voluntarily share their searches with their search engine provider. That might nudge courts towards finding Google searches to be third-party records, obtainable with only a subpoena.
Filed Under: 4th amendment, general warrants, gps, michael williams, privacy, r. kelly, reverse warrants, search terms, surveillance
Companies: google
Days After FCC Commissioner Mike O'Rielly Suggests Trump's Section 230 Exec Order Is Unconstitutional… His Renomination To The FCC Is Withdrawn
from the petty-shit dept
Earlier today we wrote about how Ajit Pai was pushing ahead with the Commerce Department’s silly FCC petition regarding a re-interpretation of Section 230 of the Communications Decency Act. We noted that it wouldn’t actually be that hard to just say that the whole thing is unconstitutional and outside of the FCC’s authority (which it is). Some people have pushed back on us saying that if Pai didn’t do this, Trump would fire him and promote some Trump stan to push through whatever unconstitutional nonsense is wanted.
Well, now at least there’s some evidence to suggest that Trump also views the FCC — a supposedly “independent” agency — as his personal speech police. Of the Republican Commissioners, Brendan Carr has been quite vocal in his Trump boot-licking, especially with regards to Section 230. He’s been almost gleeful in his pronouncements about how evil “big tech” is for “censoring conservatives,” and how much he wants to chip away at Section 230. Pai has been pretty much silent on the issue until the announcement today. But the other Republican Commissioner, Mike O’Rielly, has at least suggested that he recognizes the Trump executive order is garbage. Six weeks ago he said he hadn’t done his homework yet, but suggested he didn’t think Congress had given the FCC any authority on this matter (he’s right).
Just last week, during a speech, he made it pretty clear where he stood on this issue. While first saying he wasn’t necessarily referencing the Trump executive order, he said the following:
Today, I would like to address a particularly ominous development in this space. To be clear, the following critique is not in any way directed toward President Trump or those in the White House, who are fully within their rights to call for the review of any federal statute’s application, the result of which would be subject to applicable statutory and constitutional guardrails. Rather, I am very troubled by certain opportunists elsewhere who claim to be the First Amendment?s biggest heroes but only come to its defense when convenient and constantly shift its meaning to fit their current political objectives. The inconsistencies and contradictions presented by such false prophets would make James Madison?s head spin, were he alive to witness them.
The First Amendment protects us from limits on speech imposed by the government?not private actors?and we should all reject demands, in the name of the First Amendment, for private actors to curate or publish speech in a certain way. Like it or not, the First Amendment?s protections apply to corporate entities, especially when they engage in editorial decision making. I shudder to think of a day in which the Fairness Doctrine could be reincarnated for the Internet, especially at the ironic behest of so-called free speech ?defenders.? It is time to stop allowing purveyors of First Amendment gibberish to claim they support more speech, when their actions make clear that they would actually curtail it through government action. These individuals demean and denigrate the values of our Constitution and must be held accountable for their doublespeak and dishonesty. This institution and its members have long been unwavering in defending the First Amendment, and it is the duty of each of us to continue to uphold this precious protection.
To be clear: I agree 100% with that statement, and am glad that O’Rielly was willing to stand up on principle to defend it.
And then, today, it was announced that the White House is pulling his renomination to the FCC. In other words, the White House is being a petty asshole, again, and firing anyone for not being in lockstep with the President’s ridiculous unconstitutional whims.
There was some talk last week about how Senator James Inhofe’s office was blocking O’Rielly’s renomination over a different issue: the approval of L-Band spectrum for use by Ligado (formerly LightSquared). A variety of government organizations had opposed the use of this spectrum, fearing that it might interfere with GPS systems. However, the Ligado deal was unanimously approved by all five commissioners, so it’s difficult to see why O’Rielly would be singled out, other than his nomination was up. The Inhofe/Ligado thing feels like a smokescreen for the 230 issue.
The question now is whether or not O’Rielly will serve out his term, or if he’ll leave now that his renomination is not being considered. One hopes that he’ll at least stick it out long enough to vote down the Petition on 230. Even if he did leave, it’s unclear if a new Commissioner would get through any confirmation process prior to the election. Either way, at least it’s nice to see one Republican Commissioner willing to stand up to Trump. We’ve criticized O’Rielly plenty of times in the past, but at least he’s not taking the path of Carr (and even Pai) in dealing with this nonsense.
Filed Under: 5g, donald trump, fcc, free speech, gps, james inhofe, mike o'rielly, networks, renomination, section 230, speech police
Companies: ligado
Everyone Agrees That Contact Tracing Apps Are Key To Bringing COVID-19 Under Control; Iceland Has Tried Them, And Isn't So Sure
from the solution-or-solutionism? dept
Given the massive impact that the coronavirus is having on life and the economy around the world, it’s no wonder that governments are desperately searching for ways to bring the disease under control. One popular option is to use Bluetooth-based contact tracing apps on smartphones to find out who might be at risk from people nearby who are already infected. Dozens of countries are taking this route. Such is the evident utility of this approach, that even rivals like Apple and Google are willing to work together on a contact tracing app framework to help the battle against the disease. Although it’s great to see all this public-spirited activity in the tech world, there’s a slight problem with this approach: nobody knows whether it will actually help.
That makes the early experience of Iceland in using contact tracing apps invaluable. An article in the MIT Technology Review notes that Iceland released its Rakning C-19 app in early April, and persuaded 38% of Iceland’s population of 364,000 population to download it. Here’s what this nation found in its pioneering use of a tracing app:
despite this early deployment and widespread use, one senior figure in the country’s covid-19 response says the real impact of Rakning C-19 has been small, compared with manual tracing techniques like phone calls.
“The technology is more or less ? I wouldn?t say useless,” says Gestur Pàlmason, a detective inspector with the Icelandic Police Service who is overseeing contact tracing efforts. “But it’s the integration of the two that gives you results. I would say it [Rakning] has proven useful in a few cases, but it wasn?t a game changer for us.”
It’s only one data point, of course, but it’s an important one. Iceland was not only early in tackling the coronavirus, it has done so with great success. And yet it seems that the contact tracing app played a relatively small part in that. Manual tracing techniques, by contrast, were absolutely key.
That’s not to say other countries may not have more success with their apps. It’s interesting to note, for example, that Iceland’s Rakning C-19 tracks users’ GPS data in order to establish where they have been, and who they met with. It’s generally agreed that GPS information is too coarse for this, and that a Bluetooth approach should, in theory, provide better insights. It will be interesting to hear how apps based on Bluetooth interactions work in practice. Maybe they will provide the hoped-for means to bring the COVID-19 virus under control. Let’s hope so, and that the eager embrace by governments of contact tracing apps is not just another example of “solutionism” — the idea that any problem can be solved simply by throwing technology at it.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: contact tracing, covid-19, gps, iceland, rakning
Feds Used A 'Reverse' Warrant To Try To Track Down Bank Robbers In Wisconsin
from the doesn't-appear-to-have-worked dept
Reverse warrants are the new tech-related toy law enforcement is experimenting with. Oddly, a lot of what’s come to light so far originates in the Midwest, an area not exactly known for early adoption. Outside of the NYPD and feds confirming they use warrants to seek a list of possible suspects (rather than targeting any specific suspect), most reporting has covered deployments by law enforcement agencies in Minnesota.
We can add Wisconsin to the list of areas where cops are working backwards to suspects by using the copious amount of GPS data hoovered up by Google and others. Russell Brandom of The Verge has more details:
[P]olice and federal agents have struggled to track down the bank robbers. Local media sent out pictures from the bank’s security cameras, but it produced no leads. Finally, police hit on a more aggressive strategy: ask Google to track down the bank robbers’ phones.
In November, agents served Google with a search warrant, asking for data that would identify any Google user who had been within 100 feet of the bank during a half-hour block of time around the robbery. They were looking for the two men who had gone into the bank, as well as the driver who dropped off and picked up the crew, and would potentially be caught up in the same dragnet. It was an aggressive technique, scooping up every Android phone in the area and trusting police to find the right suspects in the mess of resulting data. But the court found it entirely legal, and it was returned as executed shortly after.
The warrant [PDF] was requested by a federal agent. This doesn’t rule out the use of reverse warrants by local law enforcement, but this request originated at the federal level. The feds are involved in almost every bank robbery, so the appearance of federal officers here isn’t a surprise.
Nor is the use of the reverse dragnet. In this case, the submitted geofence was far more constrained than some we’ve seen in other cases. But considering how many people go into (or near) banks for completely innocent reasons, the GPS data/phone info of hundreds of non-bank robbers ended up in the hands of the feds. It’s up to investigators to sort through the data for possible suspects and they can make mistakes. The more data investigators get, the less likely it is they’ll find who they’re looking for and the more likely it is they’ll mistake innocent people in heavily-trafficked areas for criminals.
Right now, it’s just another tool for law enforcement to use. But it’s one that inverts the normal expectations of warrant procurement. Instead of targeting an individual or place, the warrants allow cops to search Google’s data stores for information about anyone who wandered into a targeted area during a certain time period. This shouldn’t be acceptable but there’s no record of any court rejecting these broad demands for data about thousands of people no one suspects of committing crimes. Until a court steps up to shut these down, their use will continue to escalate. The problems already seen in limited use will escalate right along with them. That’s bad news for cell phone users, which at this point is pretty much everybody.
Filed Under: 4th amendment, gps, location data, reverse warrant, surveillance, wisconsin
Companies: google
EFF Sues CBP, ICE Over Refusal To Hand Over Its GPS Tracking Device Policies
from the Garmins-in-boxes-marked-'CLASSIFIED' dept
Roughly a year ago, the government attempted to argue the border search exception applied to GPS tracking devices it surreptitiously attached to a truck crossing the border from Canada and tracked for the next 48 hours, following it from its arrival point in Michigan to its destination in California.
The court disagreed with the government’s interpretation of the border search exception. While it may have covered the original warrantless placement of the tracking device, it did not cover the next two days of tracking while the truck traveled far inland.
The government lost its evidence and, eventually, its case. Stuck with evidence solely derived from an unconstitutional search, the government dismissed the charges and the two arrested Canadians were free to return to their home country.
During this case, the government claimed these apparently illegal searches were within policy. Specifically, affidavits filed by the DOJ stated ICE and CBP both had policies that permitted the warrantless, suspicionless installation of tracking devices on vehicles at border crossings.
If these policies exist, no one has seen them. The EFF would like to. It filed FOIA requests with both ICE and CBP, asking the agencies to produce the policies referred to in court. To date, it has received nothing from either agency.
According to the EFF’s FOIA lawsuit [PDF], both agencies have violated the law with their continued refusal to produce the requested documents. ICE received the EFF’s request last November. Four months later, it said it had found three responsive pages, but that all three pages would be withheld, citing Exemption 7(E). This exemption protects “law enforcement sensitive information” that might give bad guys the jump on the feds if they knew the feds might try to sneak tracking devices onto their vehicles at border crossings.
It would seem the case above — the one cited in the EFF’s lawsuit — kind of exposed ICE’s GPS device subterfuge. The only thing surprising about the use of GPS devices was the government’s assertion that the border search exception applies everywhere in the United States, not just at or near its borders.
The EFF’s appeal of ICE’s decision also pointed out that the Supreme Court’s 2012 decision on tracking devices made it pretty clear this super-secret law enforcement technique was actually well-known and understood pretty thoroughly by cops and criminals alike. Upon receipt of this appeal, ICE apparently decided it would no longer discuss its ridiculous exemption deployment.
The CBP, on the other hand, has refused to do anything at all. It too received the EFF’s FOIA request last November, but apparently can’t even be bothered to look for documents, much less pretend discussion of GPS tracking devices would undermine its covert operations.
The lawsuit seeks the full disclosure of the documents as well as any legal fees incurred by the government’s refusal to comply with FOIA law. Should this finally dislodge the documents, we’ll all know just a little more about the apparently minimal standards border agencies apply to their use of tracking devices.
Filed Under: cbp, foia, gps, ice, policies, public records, tracking, transparency
Companies: eff
Federal Court Says Warrants Are Needed To Grab GPS Data From Third-Party Tracking Services
from the seems-like-an-obvious-extension-of-Carpenter dept
In 2012, the Supreme Court decided that GPS tracking devices require warrants. Notably, this wasn’t because the GPS data was deserving of Fourth Amendment protections but because officers had to trespass on private property (a car parked in a driveway) to attach the device.
That left law enforcement with a lot a gray area in which to operate. Since there was no distinct finding that GPS data was protected, it could theoretically be harvested from third-party devices without a warrant. The Supreme Court’s decision in the Carpenter case, however, appeared to extend protections to the records themselves. It declared the acquisition of cell site location info requires the use of the warrant, extending Fourth Amendment protections to third party records of people’s movements. It could be argued this decision covers GPS data pulled from third party services, since it’s basically the same thing: gathering records of a person’s movements.
In a recent federal case [PDF], both of these Supreme Court decisions are in play. It appears law enforcement thought it had found a way to route around the Jones decision. Investigating a robbery, detectives approached the dealership that had sold the vehicle spotted at the scene of the crime. The dealership had installed a tracking device to make the car easier to find in case of a repo. This was the data detectives obtained without a warrant.
On March 29, 2017, Hinsdale detectives issued an alert “on multiple databases” seeking information about the Lexus. Id. at 3. On April 4, 2017, a Headers employee told one of the detectives that the Lexus was equipped with a GPS tracking device serviced by Air Assault Asset Track GPS Systems. The Headers employee gave the detective her login credentials for Air Assault’s website and authorized him to access “all the GPS records associated with the Devinn Adams/Lexus RX account.” The GPS records included historical data tracking the Lexus’s “movement and global position.”
Without first obtaining a warrant, the detective downloaded a spreadsheet containing GPS data for the period from March 1, 2017 through April 4, 2017. The spreadsheet sets forth time-stamped entries giving the Lexus’s approximate street address (usually at the block level, such as “5701-5799 S Campbell Ave, Chicago, IL, 60629”) each time it was turned on, approximately every five minutes while it was being driven, and each time it was parked. According to the detective, “[g]reater detail” beyond those approximate street addresses “c[ould] be extracted from the map points” using “the software program that manages the GPS data,” which allowed the detective to “narrow[]” each recorded location “to specific latitude and longitude way points.”
Tobias Diggs, the alleged driver, moved to suppress the evidence, stating that both the Jones and Carpenter decisions prohibited this information being obtained without a warrant. The government argued that neither decision mattered.
The government responds that acquiring the data was not a Fourth Amendment search because: (1) unlike in Jones, the police made no physical intrusion on the Lexus, Doc. 55 at 10-12; and (2) under the third-party doctrine, Diggs lacked a reasonable expectation of privacy in the data because he voluntarily provided it to the third party (Headers) from which the police obtained it, id. at 5-10.
Wrong, says the court. This is exactly what’s covered by these two decisions.
The GPS data at issue here fits squarely within the scope of the reasonable expectation of privacy identified by the Jones concurrences and reaffirmed in Carpenter. The GPS data provide “a precise, comprehensive record of [Diggs’s] public movements” over the course of a month.
It goes on to point out the data collected here is pretty much indistinguishable from the data at the heart of the Carpenter decision.
Applying the third-party doctrine to the GPS data here would require essentially the same extension of the doctrine that the Court rejected in Carpenter. Carpenter understood CSLI to present “many of the qualities of the GPS monitoring … considered in Jones”—both are “detailed, encyclopedic, and effortlessly compiled”; both “provide[] an intimate window into a person’s life”; and, in the context of historical information, both provide a “tracking capacity [that] runs against everyone” without any need for the police to “know in advance whether they want to follow a particular individual, or when.” Indeed, at the time of the search in Carpenter, CSLI was still “less precise than GPS information.” Accordingly, Carpenter compels the conclusion that, given the privacy concerns implicated by the “detailed and comprehensive record of [Diggs’s] movements” captured by the Lexus’s GPS tracker, “the fact that the [police] obtained the information from a third party does not overcome [Diggs’s] claim to Fourth Amendment protection.”
The government also tried to get the good faith exception applied. Given that this search occurred prior to the Carpenter decision, the government says the detectives had no reason to believe a warrant was needed. The court disagrees. The government can point to no prior cases specifically authorizing this sort of warrantless search. But more importantly, it reiterates that the Carpenter decision can — and should — be applied retroactively.
The Supreme Court could have described what it was doing in Carpenter, not as declining to extend the third-party doctrine to a context not addressed in Smith and Miller, but as partially scaling back the once-categorical doctrine to account for “the seismic shifts in digital technology” that gave rise to widespread, long-term location tracking. 138 S. Ct. at 2219. Had it done so, the Davis good-faith exception might very well have applied here. […] But instead, the Court said that the third-party doctrine was never broad enough to encompass technology-enabled long-term location tracking in the first place.
[…]
Carpenter thus teaches that general statements of the third-party doctrine uttered in pre-Carpenter decisions not only do not cover CSLI, but never did. And as noted above, what Carpenter said about the third-party doctrine as to CSLI applies with full force to GPS data. It follows that for the Davis good-faith exception to apply to the GPS search here, the government needs more than general statements of the third-party doctrine in a binding appellate decision issued before the search; rather, the government must point to binding appellate precedent applying the doctrine to long-term historical GPS data or its equivalent.
The government loses the GPS data evidence. And it may lose even more than that if any of its other evidence was derived from this unlawful acquisition of data, which possibly includes DNA samples and social media records.
Not every court has read the Carpenter decision as retroactive, but this court’s opinion makes really good points about why it should be read that way in all instances. The Third Party Doctrine was altered significantly by this decision, even if it only dealt with cell site location info. It has changed the contours of what can be considered a “reasonable” search of records held by third parties. Location info is only the beginning. The court’s extension of this protection to third-party GPS records sends a message to law enforcement that the stuff they did for the last 40 years (thanks to Smith v. Maryland) may no longer survive a suppression challenge.
Filed Under: 4th amendment, carpenter, gps, jones, supreme court, third party doctrine, warrants
GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown
from the I'm-sorry-I-can't-do-that,-Dave dept
Wed, May 1st 2019 06:21am - Karl Bode
We’ve highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space is opening the door to all kinds of problems, from historically-massive DDOS attacks to your refrigerator leaking your Gmail login data. And while your your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the “smart” automobile space, where a compromised system could prove decidedly more, oh, fatal.
Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They’ve similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive–if they arrive at all.
Granted it’s not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:
“The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines.”
The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of…”123456.” Worse perhaps, because these systems are so closely tied to a vehicle’s network and computers, the hacker found he could actually disable some vehicle systems (since that’s a function already embedded in these services app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.
The researcher who discovered the problem noted it wouldn’t be hard to use such vulnerabilities to create some notable urban headaches:
“On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices…?My target was the company, not the customers. Customers are at risk because of the company,? L&M told Motherboard in an online chat. ?They need to make money, and don’t want to secure their customers.”
Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports have indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever so wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale — something security experts like Bruce Schneier have been warning about for some time.
Filed Under: cars, gps, remote vehicle shutdown, security, vulnerability