Thursday, February 4, 2016

Electronic Communications and Cell Phone Surveillance

As a society we are increasingly dependent on electronic communications. We can call each other from the grocery store, telecommute into work, or instant message (IM) our colleagues when we need to collaborate. I’ve even been known to IM coworkers sitting on the other side of a desk from me (nice because it doesn’t break their workflow). By communicating with these tools we hand all kinds of information to third parties, and in doing so we give up some of our constitutional protections. Pretty much everyone carries a cell phone at all times, and even while idle the phone keeps a connection to the nearest cell towers, which gives the carrier a rough picture of where it is at all times. Recently this situation has been discussed frequently as citizens become increasingly concerned with protecting their privacy.

Legal Background

There are several kinds of requests that the US Government can issue to a content provider regarding electronic communications. Most are covered by the Electronic Communications Privacy Act (ECPA) and the Wiretap Act. These include: subpoenas, court orders, search warrants, pen registers, and wiretap orders. The first three all pertain to existing records and do not allow law enforcement to request information in real time. Pen registers and wiretap orders allow information to be requested in real time. Only subpoenas and pen registers can be issued without consulting a judge. More details can be found here. While the Fourth Amendment protects citizens from unreasonable searches and seizures, in the 1970s the Supreme Court found in United States v. Miller and Smith v. Maryland that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”. This “third party doctrine” has been used as a standard in many subsequent cases, notably in United States v. Graham (2012), which ruled that cell phone location information is voluntarily turned over and thus covered by the doctrine.

The third party doctrine has been vocally criticized in recent years, especially when the NSA’s program requesting bulk telephony information of citizens came to light. Critics point out that we live in a world increasingly dominated by electronic communications, and that surrendering data to third parties is unavoidable. In response to increasingly privacy-minded consumers, cell phone manufacturers have started to create devices with privacy protections in place.

Metadata

Most of the options to request information protected under the ECPA only allow access to metadata. Metadata is all the information pertaining to a communication that isn’t the communication itself. Some examples of metadata are: the location of each of the participants, the duration of the communication, and the time the communication took place. 

While it is incredibly difficult to protect metadata from a technical standpoint, some options exist. Since cell networks collect so much information and are already well equipped to hand over subscriber information, any option that avoids the cell phone network helps protect communications. The only way to hide both metadata and content is to route the communication through a trusted third party that acts as an intermediary (known as a proxy).

Case study: Apple

In response to growing demands for consumer data, Apple began to implement software and hardware to protect their consumers’ privacy. Recent iOS devices (Apple’s phones, iPods, and tablets) feature a “secure enclave”, a separate piece of hardware with a built-in unique key. The hardware is built in such a fashion that no software could ever extract the key (this has been claimed by Apple and verified by third party researchers hacking the device, but it is possible a backdoor exists). This hardware key, coupled with the device’s unlock passcode, is used to encrypt all of the user’s files. Because the key is irrecoverable from the device, any cracking attempt requires that specific phone’s physical hardware. This slows down any attempt to recover the information stored on the device (making it take years to crack the encryption and removing the possibility that custom hardware could be built to decrypt the device faster).
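The paragraph above describes why tying the file encryption key to a hardware secret matters. The following is an added illustration of that design, written for this post; it is not Apple's code and the "UID", work factor and toy key-wrap are constructed assumptions. The point it demonstrates is that a storage image on its own is not enough to check a passcode guess: the derivation needs the device-bound UID, so every guess has to go through the device itself.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for the passcode derivation (illustrative value).
ITERATIONS = 100_000


def tangle(uid: bytes, passcode: str, iterations: int = ITERATIONS) -> bytes:
    """Derive a key-encryption key from the passcode, keyed by the device UID.

    The UID acts as the PBKDF2 salt.  Without it the output cannot be
    recomputed, so passcode guesses can only be checked on the device.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations)


def wrap(kek: bytes, file_key: bytes) -> bytes:
    """Toy key wrap: XOR with a KEK-derived pad plus an HMAC tag.

    This is a teaching construction, not a production key-wrap.
    """
    pad = hashlib.sha256(b"pad" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(file_key, pad))
    tag = hmac.new(kek, ct, "sha256").digest()
    return ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the file key, or None if the KEK is wrong (tag mismatch)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        return None
    pad = hashlib.sha256(b"pad" + kek).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class Device:
    """Model of a phone whose enclave holds a UID that is never exported."""

    def __init__(self, passcode: str) -> None:
        self._uid = secrets.token_bytes(32)        # constructed; stays inside the "enclave"
        self._file_key = secrets.token_bytes(32)   # key protecting the user's files
        self._wrapped = wrap(tangle(self._uid, passcode), self._file_key)
        self.failed_attempts = 0

    def unlock(self, passcode: str) -> Optional[bytes]:
        """The only path that can test a passcode: it runs on the device."""
        key = unwrap(tangle(self._uid, passcode), self._wrapped)
        if key is None:
            self.failed_attempts += 1   # where a device would start escalating delays
            return None
        self.failed_attempts = 0
        return key

    def export_storage_image(self) -> bytes:
        """What someone holding only the flash chips obtains: the wrapped key."""
        return self._wrapped


def check_passcode_offline(image: bytes, passcode: str, guessed_uid: bytes) -> bool:
    """Attempt to validate a passcode against an image without the real UID."""
    return unwrap(tangle(guessed_uid, passcode), image) is not None


if __name__ == "__main__":
    dev = Device("1234")
    print("on-device unlock with correct passcode:", dev.unlock("1234") is not None)
    print("on-device unlock with wrong passcode:  ", dev.unlock("0000") is not None)
    image = dev.export_storage_image()
    print("offline check, correct passcode, no UID:",
          check_passcode_offline(image, "1234", bytes(32)))
```

`check_passcode_offline` returns False even for the correct passcode, which is the whole effect of the hardware-bound key: the search space for anyone without the UID is the 256-bit UID, not the short passcode, so rate limiting on the device is what governs attack speed.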

In addition to hardware protections, Apple is applying software protections as well. Public statements from Apple indicate that all FaceTime and iMessage communications (this includes audio-video, audio only, and text communications) are end-to-end encrypted. This means that only the parties involved in the conversation can decode it. Third parties could still recover some or all of the metadata. This technology only works between two Apple devices, and, while iMessage is enabled by default whenever two iPhones text each other, phone calls still use traditional cellphone voice communications unless the caller specifically requests otherwise.
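The Metadata section and the paragraph above make one combined point: end-to-end encryption hides the content from the provider relaying the message, but not who talked to whom, when, or how much. The following added example, written for this post and not Apple's protocol, models a relay server that forwards encrypted envelopes and keeps only metadata. It assumes Alice and Bob already share a 32-byte session key (the key exchange is outside the example), and the cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, chosen so the block runs with the standard library only; it is not a production cipher.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag also covers the header."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, header: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, header + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or altered envelope")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def header(sender: str, recipient: str, ts: int) -> bytes:
    # Binding sender/recipient/time into the tag means a relay cannot
    # silently re-address an envelope without the recipient noticing.
    return f"{sender}|{recipient}|{ts}".encode()


class Relay:
    """The provider's server: it forwards envelopes and records only metadata."""

    def __init__(self) -> None:
        self.log = []                      # what a records request would obtain
        self.inbox = defaultdict(list)     # queued envelopes per recipient

    def send(self, sender: str, recipient: str, ts: int, blob: bytes) -> None:
        # Note that the ciphertext length leaks the plaintext length.
        self.log.append({"from": sender, "to": recipient, "ts": ts, "bytes": len(blob)})
        self.inbox[recipient].append((sender, ts, blob))


def send_message(relay: Relay, key: bytes, sender: str, recipient: str, text: str, ts: int) -> None:
    relay.send(sender, recipient, ts, encrypt(key, header(sender, recipient, ts), text.encode()))


def read_inbox(relay: Relay, key: bytes, user: str) -> list:
    return [decrypt(key, header(sender, user, ts), blob).decode()
            for sender, ts, blob in relay.inbox[user]]


def summarize_metadata(log: list) -> dict:
    """What the relay operator can reconstruct without any key: a contact graph
    with message counts, volumes and the time span of each conversation."""
    summary = defaultdict(lambda: {"messages": 0, "bytes": 0, "first": None, "last": None})
    for rec in log:
        s = summary[(rec["from"], rec["to"])]
        s["messages"] += 1
        s["bytes"] += rec["bytes"]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(summary)


def demo():
    """Constructed exchange: three messages between two users via one relay."""
    key = secrets.token_bytes(32)   # assumed pre-shared session key
    relay = Relay()
    send_message(relay, key, "alice", "bob", "meet at 6?", 1000)
    send_message(relay, key, "bob", "alice", "yes", 1010)
    send_message(relay, key, "alice", "bob", "great, see you", 1020)
    return relay, key


if __name__ == "__main__":
    relay, key = demo()
    print("bob reads:", read_inbox(relay, key, "bob"))
    print("relay sees:", summarize_metadata(relay.log))
```

Running `demo()` and then `summarize_metadata(relay.log)` yields a contact graph with timings and sizes but no text, which is exactly the information the pen-register and subpoena categories above are about.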

Manufacturers other than Apple have implemented some of the above protections for their devices although certain Android devices have come under fire for not sufficiently protecting user data. Many third party developers are creating secure messaging applications with varying degrees of success. This is clearly an issue that is square in the public’s attention right now and I think that we will be hearing a lot more about it in years to come. 

Open Source

In light of the flaws found in many secure messaging implementations, free software proponents advocate open protocols. One of the basic precepts of encrypted communication (Kerckhoffs’s principle) is that the cryptosystem should remain secure even if all of the algorithms are publicly available, meaning that the only part of the system that should be secret is the encryption key. This is important so that we can discuss algorithms and prove security without weakening them. It is also important so that reverse engineering an implementation will not help an attacker break communications protected by it. All modern encryption algorithms satisfy this requirement. In light of these facts, Apple’s iMessage (and most other secure communication apps) have come under fire for not submitting themselves to scrutiny. Researchers contend that iMessage’s protections could be subverted by an attack by Apple (namely a man-in-the-middle attack on the key exchange). Open source software is software whose code is publicly accessible. Such software can be vetted by professionals and the community and is generally considered to be the safest option for privacy-minded individuals.
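The key-exchange concern in the paragraph above has a standard defensive answer: the parties compare a fingerprint of each other's public key through a channel the provider does not control, so a substituted key is detected before any secret is derived. The following added example, written for this post and not iMessage's mechanism, models a key directory that clients do not trust and the verification check a client performs. It uses a toy Diffie-Hellman group (the 127-bit Mersenne prime, far too small for real use) so that it runs with the standard library only; the directory, user names and "operator key" are all constructed.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumption: a tiny group for illustration, not for real use).
P = 2**127 - 1
G = 5


def gen_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short, human-comparable digest of a public key (hypothetical format)."""
    return hashlib.sha256(b"pub:" + pub.to_bytes(16, "big")).hexdigest()[:16]


class KeyDirectory:
    """The provider's key server.  Clients treat it as untrusted."""

    def __init__(self) -> None:
        self.keys = {}

    def publish(self, user: str, pub: int) -> None:
        self.keys[user] = pub

    def lookup(self, user: str) -> int:
        return self.keys[user]


class KeyMismatch(Exception):
    pass


def fetch_verified_key(directory: KeyDirectory, user: str, expected_fp: str) -> int:
    """Fetch a key from the directory and refuse it unless its fingerprint
    matches the one obtained out of band (in person, by phone, by QR scan)."""
    pub = directory.lookup(user)
    if not hmac.compare_digest(fingerprint(pub), expected_fp):
        raise KeyMismatch(f"directory key for {user!r} does not match verified fingerprint")
    return pub


def run_scenario(directory_substitutes_key: bool) -> dict:
    """Alice wants Bob's key.  Returns whether tampering was detected and
    whether both sides ended up with the same shared secret."""
    directory = KeyDirectory()
    alice_priv, alice_pub = gen_keypair()
    bob_priv, bob_pub = gen_keypair()
    directory.publish("alice", alice_pub)
    directory.publish("bob", bob_pub)

    # Out of band: Bob shows Alice his fingerprint directly.
    bob_fp_out_of_band = fingerprint(bob_pub)

    if directory_substitutes_key:
        # Constructed misbehaviour: the operator replaces Bob's entry with its own key.
        _, operator_pub = gen_keypair()
        directory.publish("bob", operator_pub)

    try:
        bob_pub_seen = fetch_verified_key(directory, "bob", bob_fp_out_of_band)
    except KeyMismatch:
        return {"detected": True, "secrets_match": False}

    alice_secret = shared_secret(alice_priv, bob_pub_seen)
    bob_secret = shared_secret(bob_priv, directory.lookup("alice"))
    return {"detected": False, "secrets_match": alice_secret == bob_secret}


if __name__ == "__main__":
    print("honest directory:   ", run_scenario(False))
    print("substituted key:    ", run_scenario(True))
```

Without the fingerprint comparison the substituted key would be accepted silently, which is why messengers that expose "safety numbers" or key fingerprints let users do this check; a closed design that offers no such check is what the researchers' criticism above is about.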

Author's thoughts

Electronic communications are a complicated and integral part of modern life. To solve the problems this technology presents we need to improve both the public and private sectors. Our legal code should be updated to correctly protect 21st century communications, creating or modifying laws to appropriately support both privacy and law enforcement. Private corporations should use well-vetted protocols to ensure that their customers are afforded the degree of protection they desire. They should publish enough documentation of their practices to make it possible for security researchers to vet their software, while not revealing their corporate secrets.

11 comments:

  1. I agree with Sheyne's thoughts. Cell phones, computers, and the Internet are all essential parts of daily life and it is nearly impossible to avoid using electronic communication altogether. While I'm not familiar enough with computers to suggest ways to protect data to ensure privacy, I do think that privacy policies for cell phone companies should be widely accessible to the public as well as understood by the public. I agree that privacy laws and data protection practices should make sure information is safe and limit who has access (I suggest the information stays private unless the owner of the records releases the information or it is subpoenaed, although this brings up the issue of who owns what records). I also think it is equally important the public understands privacy law regarding cell phone surveillance along with other electronic communication info. It is far more difficult to take advantage of an informed population than an ignorant one and knowledge of privacy law is as important as putting the law into place so people do not forfeit the protection given to them.

  2. This comment has been removed by the author.

  3. I agree with both Sheyne and Tara. As times change, laws should change with them. I don't believe the Third Party laws are applicable anymore. Everything we do online is being moderated by a third party. If you do your banking online, there is a third party involved; if you use a chatroom, it is hosted by a third party; if you purchase something online or view items to purchase, you are using a third party; etc. I think this information should not be readily available to the government just because it is being moderated by some entity. I think they should have to obtain search warrants to view this information, like in the example here of cellphone metadata. Although it is not technically "private" information, I think it should be legally viewed as such.

  4. When it comes to the third party doctrine, I find myself agreeing with Justice Sotomayor that we need to rethink what kind of privacy people expect with the digital age. She says: "...it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks..." I believe that the fourth amendment should ensure wider protection regarding information that passes through third parties. In our reading "What You Need to Know About the Third-Party Doctrine" it talked about the idea presented by Kerr. He suggested that the Third-Party Doctrine should only apply in cases where the third party is the recipient of the information rather than the conduit. While I think this could be a potential compromise regarding the use of the Third-Party Doctrine, I'm not totally satisfied by it. I think that we need more protection for our everyday interactions and transactions and that information should only be accessed when law enforcement has gone through the proper avenue of getting a warrant, subpoena, court order, pen register, or wiretap order.

  5. The third party doctrine made sense when most forms of communication took place over systems where disclosure to a third party was not the norm. Today, almost every new form of communication requires disclosing the content of your message (let alone metadata), as most people just can't be bothered with end to end encryption. I'm not quite sure I even agree with the United States v. Miller decision to allow the government warrantless access to bank records. That decision obviously is easier to swallow than the possibility of having my communications intercepted without warrant, but I still think that decision seems like an overreach. I don't actually have much of a problem with metadata (barring things like location tagging), as much as I do with the mass collection aspect. I don't like the concept of bulk surveillance in general, as it seems a little too close to a social panopticon, as mentioned in one of the first videos we watched.

  6. In our class Professor Dryer brought up the fact that it is unrealistic to expect certain privacy protection from sites such as Facebook because it is a free service. Cell phones are not a free service; I paid for my cell phone and I pay for my service. I agree that in the case of cell phones it is impossible not to have the information go through a third party because of the way cell phones work, but I think that the Katz test is still applicable in this situation. If I am in my room talking on my cell phone in my house with the door shut I think I have a reasonable expectation of privacy and any agency that wants information from that phone call needs to have a search warrant. That includes information about who I am calling, where I am calling and how long I am talking.

  7. I too agree that the laws should be amended to reflect the changes in technology. It is nearly impossible to function in today’s society without using traceable technology (cell phones, computers, the internet, etc). The ability to trace a cell phone is intrinsic to the device: the phone uses cell towers which give at least a general location. With smart phones, the exact location is even easier to be found. Given that GPS units can’t be attached to cars (US v. Jones, 2012) without a court order, GPS location of phones should also be protected. The first privacy tort is intrusion upon solitude. If I’m alone in my apartment reading on my computer, I assume that no one is looking over my shoulder – I have a reasonable expectation of privacy and seclusion. However, if my metadata is being examined, someone is “looking over my shoulder”, seeing what I am reading. There should be protections for electronic communications.

  8. Electronic communication has become at least as ubiquitous as old-school face-to-face interaction in the United States today. So for me it follows that there needs to be legal protections concerning the privacy of such communication. I also agree that there should be protections against tracking a phone's location, if that is logistically possible. Another point that I believe to be important is public transparency behind the services in common use. Third parties need to be very clear about how any software or service transmits, uses, encrypts, protects, etc. one's data and information. For example, I did not know the details of many of the protections surrounding messaging and like services discussed by Sheyne. This needs to be readily available public knowledge, so that even if sufficient privacy regulations are not in place, individuals are cognizant of standing policies. The extent to which electronic communication has become pervasive in our lives, however, creates justification to say that one can have a reasonable expectation of privacy. Otherwise significant amounts of everyday interaction have no protection, which is unacceptable.

  9. This comment has been removed by the author.

  10. Like everyone else, I agree that the current laws that we have in place are antiquated and don't apply well in the highly digital age that we live in today. I feel like with the third party rule, it makes it hard for us to trust third party resources. WhatsApp, one of the most popular messaging platforms in the world, is owned by Facebook and that has a scary implication. All the information that is sent through WhatsApp can potentially be used by Facebook to set up or add to the profile that they already have on us. We know that the NSA has backdoors to services like Google, Microsoft, and Facebook through PRISM and all this third party data is available to them.

  11. I think some aspects of this topic are unavoidable, like how it is mentioned that our cell signal going to and from a cell tower gives a general idea of our location. This is one example of privacy rights we are begrudgingly forced to give up in order to enjoy the marvels of modern technology. I agree with what has been said that in a lot of cases, the current legal framework we have for privacy issues on issues like this is too antiquated to accurately reflect the society we live in. It's very difficult to apply laws to situations that were almost unimaginable when they were created. Times are changing, and it is unfair to try to hold the 21st century, in all aspects, to standards set in the 20th century. I agree with Junkang's point about services like WhatsApp. It is used globally, and it's entirely possible due to the third party doctrine that much of this information is being collected and used with its users none the wiser.
