How can US law enforcement access your data? Let’s count the paths | Apple

A cheeky hack that exposed consumer data collected by Apple and Facebook’s parent company Meta has raised new questions about how safe our data is in the hands of tech companies and how easily law enforcement can obtain information collected by big tech.

It was revealed last week that hackers had obtained the information of certain Apple and Meta users by forging an emergency legal request, one of several mechanisms by which law enforcement can request or demand that technology companies hand over data such as location and subscriber information.

Lawmakers and privacy advocates argued that the tampering was a warning sign that the system needed reform. “Nobody wants tech companies to refuse legitimate emergency requests”, but the current system has “obvious weaknesses”, Senator Ron Wyden said in a statement after the hack.

A review of the myriad ways tech companies share consumer data with law enforcement reveals that it’s often quite straightforward for these agencies to get their hands on consumer data. “[Your data is] pretty much all available to the government in one form or another,” said Jennifer Lynch, director of surveillance litigation at digital rights advocacy group the Electronic Frontier Foundation.

“One of the real challenges with technology these days is that it’s nearly impossible to understand exactly all the data companies collect about us and to exercise any control over what happens to that data,” Lynch added.

An emergency legal request, like the one the hackers forged, does not require a subpoena or warrant, unlike many other legal requests. It’s supposed to be reserved for exceptional situations: Apple considers a request an “emergency” if “it relates to circumstances involving imminent and serious threat(s) to: 1) the life/safety of the person(s); 2) State security; 3) security of critical infrastructure/facilities”. But, as hackers have shown, it can be easily exploited.

Apple and Meta did not respond to a request for comment.

Here are some of the main ways law enforcement can get your data.

Access your device

Perhaps the most obvious way for law enforcement to get your data is to gain access to your physical device. The police can subpoena your device or get a search warrant to search your phones. If your phone is locked or you only use encrypted messaging apps, the police can use forensic tools for mobile devices to crack the encryption or bypass your lock screens if they’re armed with a warrant.

In February 2021, a US Court of Appeals ruled that Customs and Border Protection (CBP) can freely search your devices at the border without a warrant. The move created “a massive loophole to target anyone traveling to or from the United States,” said Albert Fox Cahn, the founder of privacy firm Surveillance Technology Oversight Project.

Law Enforcement Requests

If you scan the privacy policies of your most used apps, you’ll probably find a clause or two that says something like “we never share your user data unless it’s in response to a law enforcement request or order”. This means that the police, Immigration and Customs Enforcement (Ice), FBI and other law enforcement agencies may obtain your user data directly from technology companies through various forms of legal demands, without having to search your device. Sometimes they can get it just by asking.

Google, for example, received more than 39,000 requests for user information between July and December 2020, according to the company’s latest transparency report. Google passed on user information in response to more than 80% of these requests, affecting the accounts of more than 89,000 users.

In many cases, these requests come with gags, meaning the company can’t notify users that their information has been requested for six months or more. Sometimes it will be years before a user finds out that their information has been passed on to law enforcement.

There are a handful of different types of law enforcement requests, some more drastic than others and some with more legal weight. Three types of legal requests in particular have recently raised concern among activists and experts: geofencing warrants, keyword search warrants and administrative subpoenas.

A keyword search warrant gives law enforcement access to the information of anyone who has searched for certain terms or keywords within a certain time frame.

A geofence warrant allows law enforcement to search the device information of all users who were in a certain location at a certain time. Google, the only company that currently discloses the number of geofence warrants it receives, said it received just under 3,000 in the last quarter of 2020.

Both kinds of warrants, say privacy experts, are too broad and therefore violate the constitutional protection against unreasonable searches. While many warrants typically seek the information of a single person or group of people suspected of a crime, geofencing and keyword search warrants work in reverse and cast a wide net in the dark, hoping to narrow down a list of suspects.

It’s no different from cell tower dumps, for which law enforcement asks cellphone companies for information about everyone who was connected to a cellphone tower near a crime scene at the time the crime was suspected to have occurred.

A federal judge in Virginia recently ruled that local authorities violated the constitution when using a geofencing warrant to investigate a 2019 robbery, setting a precedent that lawyers representing those caught up in such searches could use to receive remedies in case of wrongful suspicion or accusation of a crime.

Administrative subpoenas carry less legal weight than other requests: law enforcement does not need a judge to approve them, but they are also not self-executing. The only way an agency can force a company to hand over the requested data is to sue the company after it refuses to comply. Yet companies will often comply with the request despite it not being a court-ordered subpoena. Some experts have expressed concern about Ice’s use of this type of request to seek user data from tech companies like Google, fearing the agency could use it to extend its surveillance to US citizens. An Ice official previously said the agency does not often send administrative subpoenas to tech companies for non-criminal purposes. In a press release, Ice said it “uses legally authorized immigration subpoenas to obtain information in connection with investigations of possible removable aliens.”

Google did not immediately respond to a request for comment.

Data brokers

There is a whole industry of companies that buy and sell your data for profit. This dark network of data brokers operates fairly under the radar, but often provides easy access to user data such as your location and purchase history to other entities, including law enforcement.

Data brokers may collect your personal data from a handful of different sources, such as your social media profiles, public records, and other commercial sources or companies. Some data brokers integrate directly into apps to retrieve information such as location and purchase history. These brokers, which may include certain telecommunications companies and credit reporting agencies, then sell this raw data, or inferences and analyses based on this data, to other companies and government agencies.

It is not always clear whether a data broker has collected or sold your information. In fact, data broker X Mode, whose clients include military contractors, was recently exposed for purchasing location data from the Muslim prayer app Muslim Pro without the knowledge of the app’s users.

Surveillance technology companies

Law enforcement also contracts with surveillance technology companies such as Clearview AI and Voyager, which harvest your information from the internet and social media and feed it into their own algorithms.

Consumer technology companies that you may interact with on a daily basis also provide services to the police. Amazon’s smart doorbell, for example, gives select police officers special access to its Neighbors social network and allows police to easily monitor and request Ring images from consumers.

Contracts between tech companies and law enforcement have become more common as the tech industry seeks new avenues for growth, experts say. Given that many of the spaces tech is already in have clearly dominant players, law enforcement contracts have become an attractive growth strategy due to the seemingly endless supply of funding for agencies like the Department of Homeland Security and local police.

Data sharing

There is also a lot of interagency data sharing at the local, state, and federal levels of government. While it might not come as a surprise that law enforcement would share information, you might be surprised to learn that an entity like the DMV shares information with agencies like Ice.

This data sharing is facilitated by services from companies like Palantir, which creates a centralized network of digital records comprising “chronic offenders” and others deemed to be of interest, readily accessible by the company’s law enforcement partners at all levels, from local police departments to the FBI.
