Habeas Data Read online

  HABEAS DATA

  Copyright © Cyrus Farivar, 2018

  All rights reserved

  First Melville House Printing: May 2018

  Melville House Publishing

  46 John Street

  Brooklyn, NY 11201

  and

  8 Blackstock Mews

  Islington

  London N4 2BT

  mhpbooks.com

  facebook.com/​mhpbooks

  @melvillehouse

  ISBN: 9781612196466

  Ebook ISBN 9781612196473

  eBook design adapted from printed book design by Euan Monaghan

  A catalog record for this book is available from the Library of Congress

  v5.2

  a

  To Nora and Kas,

  I know you will see the world with your own eyes, and make it better in your own way.

  With love,

  —Papa

  The fantastic advances in the field of electronic communication constitute a great danger to the privacy of the individual; that indiscriminate use of such devices in law enforcement raises grave constitutional questions under the Fourth and Fifth Amendments; and that these considerations impose a heavier responsibility on this Court in its supervision of the fairness of procedures in the federal court system.

  —CHIEF JUSTICE EARL WARREN

  LOPEZ v. UNITED STATES (1963)

  I just hate Fourth Amendment cases.

  —JUSTICE ANTONIN SCALIA (2009)

  CONTENTS

  Cover

  Title Page

  Copyright

  Dedication

  Epigraph

  Introduction

  1. Telephones: How a Fateful Call in 1965 from a Los Angeles Pay Phone Still Rings Out Today

  2. How the Government Cracked an iPhone—Without Apple’s Help

  3. How One Mugger’s Calls Helped Create the NSA’s Post-9/11 Phone Metadata Surveillance Program

  4. When Big Brother Rides in the Back Seat

  5. Can the Police Use Extrasensory Technology to Look into Your House Without a Warrant?

  6. Why (Amazingly) E-mail Providers Won’t Give Up Messages Without a Warrant, Even Though the Supreme Court Has Never Ruled on the Issue

  7. Why the Eighteenth-Century Constitution Protects Against Twenty-First-Century Satellite-Based Tracking

  8. How Your Phone Can Lead the Authorities Right to Your Door

  9. Can Police Search Your Phone When You’re Arrested?

  10. Why Privacy Needs All of Us

  11. Who Watches the Watchers?

  Notes

  Acknowledgments

  INTRODUCTION

  I believe in big data. I believe that large scale aggregation changes our ability—that one plus one plus one can equal 23.

  —PAUL ROSENZWEIG

  DEPUTY ASSISTANT SECRETARY FOR POLICY

  DEPARTMENT OF HOMELAND SECURITY (2005–2009)

  On December 13, 2010, two men ran into a RadioShack on East Jefferson Avenue in Detroit, just blocks away from Chrysler’s headquarters. One drew a gun, and demanded that the staff load up the latest smartphones into a few laundry bags. Within minutes, it was all over, and they’d made off with thousands of dollars worth of iPhones and Samsung handsets. Timothy “Little Tim” Carpenter sat in a nearby car, waiting for his accomplices to return.

  Along with another man named Timothy “Big Tim” Sanders, Little Tim orchestrated a massive robbery ring, hitting T-Mobile and RadioShack stores in Michigan and Ohio. Eventually, some of the other robbers were caught, and they quickly flipped. Among the information that they gave to authorities was Little Tim’s phone number. This proved crucial. With it, authorities quickly got a court order and served it upon Little Tim’s cell phone company, MetroPCS. This court order, known as a d-order, for the portion of the 1980s-era Stored Communications Act, is routine. Companies respond to them all the time.

  Under current law, no warrant is required to simply find out who called whom, when, and from where. Without batting an eye, MetroPCS turned over 127 days’ worth of Carpenter’s cell-site location data—effectively turning his own phone into a snitch. The 12,898 data points showed that yes, he was at the scene of the crime during the robberies. But the data also showed that he was at church many Sunday afternoons, and on occasion, spending the night somewhere that was not his known residence.

  The case was successfully challenged all the way up to the Supreme Court. The question looms: Is it OK for law enforcement to obtain such a vast quantity of personal, intimate data about someone without a warrant?

  On November 29, 2017, the nine justices heard oral arguments in Carpenter v. United States. Carpenter was represented by Nathan Freed Wessler, a thirty-five-year-old attorney with the American Civil Liberties Union (ACLU).

  “At issue in this case is the government’s warrantless collection of 127 days of Petitioner’s cell site location information revealing his locations, movements, and associations over a long period,” Wessler said.

  Before Wessler could even utter his fourth sentence in his opening argument, Justice Anthony Kennedy jumped in.

  “What is the rule that you want us to adopt in this case, assuming that we keep [United States v.] Miller and Smith v. Maryland on the books?”

  Justice Kennedy, most often dubbed the court’s crucial swing vote, was referring to two bedrock cases dating back to the 1970s, which enshrined the third-party doctrine. The idea of the third-party doctrine is that individuals relinquish their “reasonable expectation of privacy” when they transact via a third party, like a phone company. In other words, the data given up by Carpenter—not only what numbers he called, but where he was while doing so—can easily be obtained by the government.

  In one short question, Kennedy was expressing the anguish that many judges have had to grapple with over the last half century: Where is the line between appropriate government action when it comes to the surveillance of its citizens? How much privacy do individuals have against the government’s use of surveillance technologies, ranging from simple microphones, to wiretaps, to thermal imagers, to cell-site simulators, to drones, and beyond?

  In Carpenter’s case, rather than deploy humans to follow him or his fellow suspects, investigators simply went after his data at MetroPCS. Under the third-party doctrine, police did not need, much less try to obtain, a warrant. But to most ordinary citizens, myself included, this notion seems ludicrous. To the government, getting location data without a warrant is effectively the same thing as having a policeman make physical observations from the street. Modern technology has enabled so much data to be generated by all of us that it effectively has given the government superpowers.

  “Although police could have gathered a limited set or span of past locations traditionally by canvassing witnesses, for example, never has the government had this kind of a time machine that allows them to aggregate a long period of people’s movements over time,” Wessler continued a few minutes later.

  In other words, in the absence of a meaningful restraint, government authorities will continue to push as hard as they can.

  Since the eighteenth century, some of the most aggressive law enforcement officers have known precisely where the legal limits were, and gone right up to them. Perhaps the most notable articulation of this idea in the twenty-first century came from General Michael Hayden, who served as both the head of the National Security Agency (NSA) and the Central Intelligence Agency. He has famously said since September 11, as a top intelligence official, he would play aggressively and fairly up to the line, so much so “that there would be chalk dust on my cleats.” While Hayden, as a lifelong Pittsburgh Steelers fan, was referring to the national security state, the same logic often applies for federal and local law enforcement a
s well.

  However, the problem with playing to the edge is that sometimes the judicial system is given an impossible task: serving as a backstop to years of government overreach.

  Where and how one can meaningfully withdraw from the watchful eye of the government in the early twenty-first century remains an open question. A half-century ago, the Supreme Court ruled that if someone steps into a phone booth and closes the door, we have a “reasonable expectation of privacy,” much in the same way that we do at home: in most cases the government needs a warrant first to legally surveil. But since that time, as technology has advanced incredibly quickly, the government has understandably adopted tools to its advantage.

  When I first began as a professional reporter in 2004, I was largely dazzled by the excitement of new technology: Gmail was new. Facebook was just beginning. Ubiquitous Wi-Fi was just starting. Podcasts entered the lexicon. Rarely did I consider what impact all of this whizbang technology would have on society, and in particular, on law enforcement.

  In 2005, I wrote my first story for Wired News about automated license plate readers (LPRs), and how they were being tested by the Los Angeles Sheriff’s Department (LASD). These specialized devices have quietly become pervasive in American law enforcement over the last decade. They rapidly scan, at 60 plates per second, when and where a license plate was seen. That data can be kept indefinitely.

  When I was a young reporter, and didn’t really have the wherewithal to think about what it meant when then commander Sid Heal, of the LASD, told me that LPRs improved spotting stolen cars by “an order of magnitude.”

  “This makes us more efficient than we’ve been in the past,” he said. “We would never check 12,000 license plates the conventional way.”

  That sounded great! Who doesn’t want the police to retrieve more stolen cars? But, what I didn’t fully realize at the time was just like when Gmail made deleting e-mails practically obsolete, LPR data can also be kept forever. Given a large enough sample size, a pattern can easily be discerned.

  I was slowly coming to the same conclusion that many in law enforcement and government circles had come to long ago: that the gathering of all kinds of our data, whatever it might be, was incredibly precious.

  Eventually, I found out that LPR collection began in the city where I live, Oakland, California, way back in 2006. An early police analysis showed that nearly all of the plates collected were not a hit. In April 2008, the department reported to the city council that after using just four LPR units for 16 months, it had read 793,273 plates and had 2,012 hits—a hit rate of 0.2 percent. In other words, nearly all of the data collected by an LPR system concerns people not currently under suspicion of a crime. In late 2014, the Oakland Police Department (OPD) expanded its LPR-enabled fleet from 13 vehicles to 33, rapidly increasing the amount of LPR data collected: currently, 48,000 records are collected every day.

  Our data is valuable to companies that are trying to sell advertisements and other products, and it’s attractive to the government, which is trying to hunt terrorists, miscreants, and scofflaws of all kinds. For the NSA and other federal agencies, that means using the most sophisticated tools against the most vicious of adversaries. For local law enforcement, it means catching car thieves, burglars, and other criminals.

  Between April 2010 and April 2012, I lived and worked as a journalist in Bonn, Germany. From the former capital of West Germany, I was greeted almost immediately by the barrage of news about American tech companies. German public officials were generally not impressed: they were constantly berating American tech companies (usually Google and Facebook) over their practices.

  I learned that in the decades since Nazism and the East German Stasi, Germans largely have been very sensitive to the type of data that the government can collect. As a result, German legal thinking about privacy originated from the central state of Hessen, which created the world’s first data protection law in 1970. That law evolved into a federal version in 1979, a non-binding 1981 version from the Council of Europe, and was last updated in Germany in 2003.

  One of Germany’s most fundamental data protection principles describes practically the opposite of how we typically do things in America: “The collection, processing and use of personal data shall be admissible only if permitted or prescribed by this Act or any other legal provision or if the data subject has consented.”

  In the United States, no one gave Google permission to go down all the roads in America and take pictures of every home. The company just did it. That’s why, when Street View arrived in Germany in 2010, politicians bent over backwards to show how opposed to Google they were. Notably, Guido Westerwelle, then the foreign minister, said, “I will do all I can to prevent it.”

  Google came up with a compromise: it would allow Germans to opt out of the service. To do this, they would have to input their name and address, and Google would blur their home, as it does with faces and cars. In the end, less than 3 percent of people covered did so. But Google gave up Street View in Germany—it hasn’t updated its local photography there since the service’s German debut in 2010. Google has never said explicitly why it stopped updating the images in Germany, but it seems likely that the company did not want to be bogged down in both German courts and the court of public opinion for years on end.

  This background was on my mind when I first began reporting again about LPRs. What law or precedent gives law enforcement the authority to capture this kind of data? How was this surveillance technology acquired? Who governs its use? How long is the data kept? How are abuses mitigated? These were questions I could now internalize in a way that I couldn’t previously.

  In July 2013, I wrote a story about my efforts to learn what the police knew about me: I filed numerous public records requests with law enforcement agencies across California asking for records about my own car over the previous year. I discovered that the OPD scanned my car on May 6, 2013, at 6:38:25 PM at the corner of Mandana Boulevard and Grand Avenue.

  This unremarkable hilly intersection boasts a 7-Eleven and a 76 gas station, although across the street is The Star, a hip Chicago-style pizza joint. It was just blocks away from the apartment that my wife and I had moved out of about a month earlier. It’s a crossroads I drive through fairly frequently even now, and the OPD’s LPR data bears that out.

  I have lived in Oakland since 2005, other than my time abroad in late 2008 until early 2009 and again from 2010 until 2012. I have never been arrested. I have had nothing but positive and extremely brief interactions with police. I’ve been pulled over by the OPD exactly once—for accidentally not making a complete stop while making a right-hand turn at a red light back in 2009. Nevertheless, the OPD’s LPR system captured my license plate 13 times between April 29, 2012, and May 6, 2013, at various points around the city, and it retained that data for years. During this period, my car was neither wanted nor stolen. I paid my state registration fees like everyone else. The OPD had no reason to keep tabs on my movements, and yet, it did. Worse still, there’s no way to know if my license plate has been captured by a privately owned LPR system.

  “Where someone goes can reveal a great deal about how he chooses to live his life,” Catherine Crump, a former ACLU lawyer and current law professor at the University of California, Berkeley, told me in 2015. “Do they park regularly outside the Lighthouse Mosque during times of worship? They’re probably Muslim. Can a car be found outside Beer Revolution a great number of times? May be a craft beer enthusiast—although possibly with a drinking problem.”

  As I continued to report on LPRs, I realized the same questions I had about this technology applied to so much more: telephone metadata, cell-site simulators (aka stingrays), body-worn cameras, drones, facial-recognition technology, autonomous cars, artificial intelligence, and more. There was a torrent of technology that was becoming more ubiquitous and cheaper by the day, with little standing in its way. Legislators have generally seemed unable or unwilling to halt the ever-advancing technological miss
ion creep. Courts seemed to always lag behind—by the time a technology was finally raised at an appellate court or at the US Supreme Court, it was far out of date. Carpenter’s criminal acts were committed in 2010 and 2011. His case didn’t reach the Supreme Court until late 2017. How much better has the smartphone in your pocket gotten during that time?

  Many people say, “Yeah, whatever, I have nothing to hide.” But there’s probably something that you do (or have done), that you wouldn’t want known by anyone outside of a tight circle. Maybe you’re pregnant. Maybe you’re a gun owner. Maybe you ditched work yesterday to go to a baseball game. Whatever it is that you’re doing, what business is it of the government’s to know? With technology that can capture all of this information routinely for private companies and governments, de facto mass surveillance becomes trivial. Today, it’s almost impossible to hide from such data collection without essentially acting like a crazy person: ditching your phone, your car, and turning away from the modern world.

  One of the most fundamental legal notions in the English legal system is encapsulated in the phrase habeas corpus. Roughly translated from medieval Latin, it means: “[We command] that you have the body [in court].” Basically, it is a brief judicial examination as to whether someone’s detention was proper. The goal is to provide a check on the government’s ability to arbitrarily arrest someone. The concept, which dates back centuries, is enshrined in the US Constitution: “The Privilege of the Writ of Habeas Corpus shall not be suspended unless when in Cases of Rebellion or Invasion the public Safety may require it.”

  In the latter half of the twentieth century, largely inspired by German efforts, emerged the concept of habeas data. Like a writ of habeas corpus, a writ of habeas data allows an individual to obtain data from corporations or government agencies for the purpose of verifying it, modifying it, or perhaps even deleting it. In the wake of the authoritarian regimes of the 1980s, the Philippines and numerous Latin American countries codified this concept into law. Habeas data does not really exist in the same way in the United States. In America, we have public records laws both at the state and federal level, but there is no affirmative right to receive such information from corporations. Oftentimes, filing a lawsuit is required to obtain the best results from public agencies. Or, put another way, there is no inherent right to privacy in the United States, and often there’s little way to know exactly what technologies law enforcement, from the FBI down to the county sheriff, is using.