Posts

60 Minutes Comey Refutes 60 Minutes Comey

Jim ComeyToday, Jim Comey will give what will surely be an aggressively moderated (by Ben Wittes!) talk at Brookings, arguing that Apple should not offer its customers basic privacy tools (congratulations to NYT’s Michael Schmidt for beating the rush of publishing credulous reports on this speech).

Mr. Comey will say that encryption technologies used on these devices, like the new iPhone, have become so sophisticated that crimes will go unsolved because law enforcement officers will not be able to get information from them, according to a senior F.B.I. official who provided a preview of the speech.

Never mind the numbers, which I laid out here. While Apple doesn’t break out its device requests last year, it says the vast majority of the 3,431 device requests it responded to last year were in response to a lost or stolen phone request, not law enforcement seeking data on the holder. Given that iPhones represent the better part of the estimated 3.1 million phones that will be stolen this year, that’s a modest claim. Moreover, given that Apple only provided content off the cloud to law enforcement 155 times last year, it’s unlikely we’re talking a common law enforcement practice.

At least not with warrants. Warrantless fishing expeditions are another issue.

As far back as 2010, CBP was conducting 4,600 device searches at the border. Given that 20% of the country will be carrying iPhones this year, and a much higher number of the Americans who cross international borders will be carrying one, a reasonable guess would be that CBP searches 1,000 iPhones a year (and it could be several times that). Cops used to be able to do the same at traffic stops until this year’s Riley v, California decision; I’ve not seen numbers on how many searches they did, but given that most of those were (like the border searches) fishing expeditions, it’s not clear how many will be able to continue, because law enforcement won’t have probable cause to get a warrant.

So the claims law enforcement is making about needing to get content stored on and only on iPhones with a warrant doesn’t hold up, except for very narrow exceptions (cops may lose access to iMessage conversations if all users in question know not to store those conversations on iCloud, which is otherwise the default).

But that’s not the best argument I’ve seen for why Comey should back off this campaign.

As a number of people (including the credulous Schmidt) point out, Comey repeated his attack on Apple on the 60 Minutes show Sunday.

James Comey: The notion that we would market devices that would allow someone to place themselves beyond the law, troubles me a lot. As a country, I don’t know why we would want to put people beyond the law. That is, sell cars with trunks that couldn’t ever be opened by law enforcement with a court order, or sell an apartment that could never be entered even by law enforcement. Would you want to live in that neighborhood? This is a similar concern. The notion that people have devices, again, that with court orders, based on a showing of probable cause in a case involving kidnapping or child exploitation or terrorism, we could never open that phone? My sense is that we’ve gone too far when we’ve gone there

What no one I’ve seen points out is there was an equally charismatic FBI Director named Jim Comey on 60 Minutes a week ago Sunday (these are actually the same interview, or at least use the same clip to marvel that Comey is 6’8″, which raises interesting questions about why both these clips weren’t on the same show).

That Jim Comey made a really compelling argument about how most people don’t understand how vulnerable they are now that they live their lives online.

James Comey: I don’t think so. I think there’s something about sitting in front of your own computer working on your own banking, your own health care, your own social life that makes it hard to understand the danger. I mean, the Internet is the most dangerous parking lot imaginable. But if you were crossing a mall parking lot late at night, your entire sense of danger would be heightened. You would stand straight. You’d walk quickly. You’d know where you were going. You would look for light. Folks are wandering around that proverbial parking lot of the Internet all day long, without giving it a thought to whose attachments they’re opening, what sites they’re visiting. And that makes it easy for the bad guys.

Scott Pelley: So tell folks at home what they need to know.

James Comey: When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life, where everything you care about is.

That Jim Comey — the guy worried about victims of computer crime — laid out the horrible things that can happen when criminals access all the data you’ve got on devices.

Scott Pelley: And what might that attachment do?

James Comey: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.

Now, victim-concerned Jim Comey seems to think we can avoid such vulnerability by educating people not to click on any attachment they might have. But of course, for the millions who have their cell phones stolen, they don’t even need to click on an attachment. The crooks will have all their victims’ data available in their hand.

Unless, of course, users have made that data inaccessible. One easy way to do that is by making easy encryption the default.

Victim-concerned Jim Comey might offer 60 Minute viewers two pieces of advice: be careful of what you click on, and encrypt those devices that you carry with you — at risk of being lost or stolen — all the time.

Of course, that would set off a pretty intense fight with fear-monger Comey, the guy showing up to Brookings today to argue Apple’s customers shouldn’t have this common sense protection.

That would be a debate I’d enjoy Ben Wittes trying to debate.

Sonia Sotomayor, John Roberts, and the Riley Decision

In a piece just published at Salon, I look at John Roberts’ citation in his Riley v. California decision of Sonia Sotomayor’s concurrence in US v. Jones, the opinion every privacy argument has invoked since she wrote it two years ago. I argue Roberts uses it to adopt her argument that digital searches are different.

A different part of Sotomayor’s concurrence, arguing that the existing precedent holding that you don’t have a privacy interest in data you’ve given to a third party “is ill suited to the digital age,” has been invoked repeatedly in privacy debates since she wrote it. That’s especially true since the beginning of Edward Snowden’s leaks. Lawsuits against the phone dragnet often cite that passage, arguing that the phone dragnet is precisely the kind of intrusion that far exceeds the intent of old precedent. And the courts have – with the exception of one decision finding the phone dragnet unconstitutional – ruled that until a majority on the Supreme Court endorses this notion, the old precedents hold.

Roberts cited from a different part of Sotomayor’s opinion, discussing how much GPS data on our movements reveals about our personal lives. That appears amid a discussion in which he cites things that make cellphones different: the multiple functions they serve, the different kinds of data we store in the same place, our Web search terms, location and apps that might betray political affiliation, health data or religion. That is, in an opinion joined by all his colleagues, the chief justice repeats Sotomayor’s argument that the sheer volume of this information makes it different.

Roberts’ argument here goes beyond both Antonin Scalia’s property-based opinion and Sam Alito’s persistence-based opinion in US v. Jones.

Which seems to fulfill what I predicted in my original analysis of US v. Jones — that the rest of the Court might come around to Sotomayor’s thinking in her concurrence (which, at the time, no one joined).

Sotomayor, IMO, is the only one ready to articulate where all this is heading. She makes it clear that she sides with those that see a problem with electronic surveillance too.

I would take these attributes of GPS monitoring into account when considering the existence of a reasonable societal expectation of privacy in the sum of one’s public movements. I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.

[snip]

I would also consider the appropriateness of entrusting to the, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent“a too permeating police surveillance,”

And in a footnote, makes a broader claim about the current expectation of privacy than Alito makes.

Owners of GPS-equipped cars and smartphones do not contemplate that these devices will be used to enable covert surveillance of their movements.

Ultimately, the other Justices have not tipped their hand where they’ll come down on more generalized issues of cell phone based surveillance. Sotomayor’s opinion actually doesn’t go much further than Scalia claims to when he says they can return to Katz on such issues–but obviously none of the other Republicans joined her opinion. And all those who joined Alito’s opinion seem to be hiding behind the squishy definitions that will allow them to flip flop when the Administration invokes national security.

Sotomayor’s importance to this decision likely goes beyond laying this groundwork two years ago.

There’s evidence that Sotomayor had a more immediate impact on this case. In a recent speech — as reported by Adam Serwer, who recalled this comment after yesterday’s opinion — Sotomayor suggested she had to walk her colleagues through specific aspects of the case they didn’t have the life experience to understand.

The Supreme Court has yet to issue opinions on many of its biggest cases this term, and Sotomayor offered few hints about how the high court might rule. She did use an example of a recent exchange from oral argument in a case involving whether or not police can search the cell phones of arrestees without a warrant to explain the importance of personal experience in shaping legal judgments.
“One of my colleagues asked, ‘who owns two cell phones, why would anybody?’ In a room full of government lawyers, each one of them has two cell phones,” Sotomayor said to knowing laughter from the audience. “My point is that issue was remedied very quickly okay, that misimpression was.”
The colleague was Chief Justice John Roberts, who along with Justice Antonin Scalia,seemed skeptical during oral arguments in Wurie v. United States that anyone but a drug dealer would need two cell phones.

“That’s why it’s important to have people with different life experiences,” Sotomayor said. ”Especially on a court like the Supreme Court, because we have to correct each other from misimpressions.”

In my Salon piece, I suggest that some years from today, some Court observer (I had Jeffrey Toobin in mind) will do a profile of how Sotomayor has slowly brought her colleagues around on what the Fourth Amendment needs to look like in the digital age.

I come away from this opinion with two strong hunches. First, that years from now, some esteemed court watcher will describe how Sonia Sotomayor has gradually been persuading her colleagues that they need to revisit privacy, because only she would have written this opinion two years ago.

Of course, it likely took Roberts writing the opinion to convince colleagues like Sam Alito. Roberts wrapped it up in nice originalist language, basically channeling James Madison with a smart phone. That’s something that surely required Roberts’ stature and conservatism to pull off.

But if this does serve as a renewed Fourth Amendment, with all the heft that invoking the Founders gives it, I’ll take it.

Riley Meets the Dragnet: Does “Inspection” amount to “Rummaging”?

It’s clear today’s decision in Riley v. California will be important in the criminal justice context. What’s less clear is its impact for national security dragnets.

To answer the question, though, we should remember that question really amounts to several. Does it affect the existing phone dragnet, which aspires to collect the phone records of every person in the US? Does it affect the government’s process of collecting massive amounts of data from which to cull an individual’s data to make up a “fingerprint” that can be used for targeting and other purposes? Will it affect the program the government plans to implement under USA Freedumber, in which the telecoms perform connection-based chaining for the NSA, and then return Call Detail Records as results? Does it affect Section 702? I think the answer may be different for each of these, though I think John Roberts’ language is dangerous for all of this.

In any case, Roberts wants it to be unclear. This footnote, especially, claims this opinion does not implicate cases — governed by the Third Party doctrine — where the collection of data is not considered a search.

1Because the United States and California agree that these cases involve searches incident to arrest, these cases do not implicate the question whether the collection or inspection of aggregated digital information amounts to a search under other circumstances.

Orin Kerr reads this as addressing the mosaic theory directly — which holds that a Fourth Amendment review must consider the entirety of the government collection — (and he is the expert, after all). Though I’m not impressed with his claim that the analogue language Roberts uses directly addresses the mosaic theory; Kerr seems to be arguing that because Roberts finds another argument unwieldy, he must be addressing the theory that Kerr himself finds unwieldy. Moreover, in addition to  this section, which Kerr says supports the Mosaic theory,

An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a stand-ard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building. See United States v. Jones, 565 U. S. ___, ___ (2012) (SOTOMAYOR, J., concurring) (slip op., at 3) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”).

I think the paragraph below it also supports the Mosaic theory — particularly its reference to a “revealing montage of the user’s life.”

Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in each of the two major app stores; the phrase “there’s an app for that” is now part of the popular lexicon. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.

I’d argue that the opinion as a whole endorses the notion that you need to assess the totality of the surveillance in question. But then the footnote adopts the awkward phrase, “collection or inspection of aggregated digital information,” to suggest there may be some arrangement under which the conduct of such analysis might not constitute a search requiring a higher standard. (And all that still leaves the likely possibility that the government would scream “special need” and get an exception to get the data anyway; as they surely will do to justify ongoing border searches of computers.)

Of crucial importance, then, Roberts seems to be saying that it might be okay to conduct mosaic analysis, depending on where you get the data and/or whether you actually obtain or instead simply inspect the data.

That’s crucial, of course, because the government is, as we speak, replacing a phone dragnet in which it collects all the data from everyone and analyzes it (or rather, claims to only access only a minuscule portion of it, claiming to do so only through phone-based contacts) with one where it will go to “inspect” the data at telecoms.

So Roberts seems to have left himself an out (or included language designed to placate even Democrats like Stephen Breyer, to say nothing of Clarence Thomas, to achieve unanimity) that happens to line up nicely with where the phone dragnet, at least, is heading.

All that said, Robert’s caveat may not be broad enough to cover the new-and-improved phone dragnet as the government plans to implement it. After all, the “connection” based analysis the government intends to do may only survive via some kind of argument that letting telecoms serve as surrogate spooks makes this kosher under the Fourth Amendment. Because we have every reason to expect that the NSA intends to — at least — tie multiple online and telecom identities together to chain on all of them, and use cell location to track who you meet. And they may well (likely, if not now, then eventually) intend to use things like calendars and address books that Roberts argues makes cell phones not cell phones, but minicomputers that serve as “cameras,video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.” Every single one of those minicomputer functions is a potential “connection” based chain.

So while the new-and-improved phone dragnet may fall under Roberts’ “inspect” language, it involves far more yoking of the many functions of cell phones that Roberts finds to be problematic.

Then there’s this passage, that Roberts used to deny the government the ability to “just” get call logs.

We also reject the United States’ final suggestion that officers should always be able to search a phone’s call log,as they did in Wurie’s case. The Government relies on Smith v. Maryland, 442 U. S. 735 (1979), which held that no warrant was required to use a pen register at telephone company premises to identify numbers dialed by a particular caller. The Court in that case, however, concluded that the use of a pen register was not a “search” at all under the Fourth Amendment. See id., at 745–746. There is no dispute here that the officers engaged in a search of Wurie’s cell phone. Moreover, call logs typically contain more than just phone numbers; they include any identifying information that an individual might add, such as the label “my house” in Wurie’s case. [my emphasis]

The first part of this passage makes a similar kind of distinction as you see in that footnote (and may support my suspicion that Roberts is trying to carve out space for the new-and-improved phone dragnet). Using a pen register at a telecom is not a search, because it doesn’t involve seizing the phone itself.

But the second part of this passage — which distinguishes between pen registers and call logs — seems to be the most direct assault on the Third Party doctrine in this opinion, because it suggests that data that has been enhanced by a user — phone numbers that are not just phone numbers — may not fall squarely under Smith v. Maryland.

And that’s important because the government intends to get far more data than phone numbers while at the telecoms under the new-and-improved phone dragnet. It surely at least aspires to get logs just like the one Roberts says the cops couldn’t get from Wurie.

Think, too, of how this should limit all the US person data the government collects overseas that the government then aggregates to make fingerprints, claiming incidentally collected data does not require any legal process. That data is seized not from telecoms but rather stolen off cables — does that count as public collection or seizure?

Perhaps the language that presents the most sweeping danger to the dragnet, however, is the line that both Kerr and I like best from the opinion.

Alternatively, the Government proposes that law enforcement agencies “develop protocols to address” concerns raised by cloud computing. Reply Brief in No. 13–212, pp. 14–15. Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.

Admittedly, Roberts is addressing a specific issue, the government’s proposal of how to protect personal data stored on a cloud that might be accessed from a phone (as if the government gives a shit about such things!).

But the underlying principle is critical. For every single dragnet program the government conducts at NSA, it dismisses obvious Fourth Amendment concerns by pointing to minimization procedures.

The FISC allowed the government to conduct the phone dragnet because it had purportedly strict minimization procedures (which the government ignored); it allowed the government to conduct an Internet dragnet for the same reason; John Bates permitted the government to address domestic content collection he deemed a violation of the Fourth Amendment with new minimization procedures; and the 2008 FISCR opinion approving the Protect America Act (which FISCR and the government say covers FAA as well) relied on targeting and minimization procedures to judge it compliant with the Fourth Amendment. FISC is also increasingly using minimization procedures to deem other Section 215 collections compliant with the law, though we know almost nothing about what they’re collecting (though it’s almost certain they involve Mosaic collection).

Everything, everything, ev-er-y-thing the NSA does these days complies with the Fourth Amendment only under the theory that minimization procedures — “government agency protocols” — provide adequate protection under the Fourth Amendment.

It will take a lot of work, in cases in which the government will likely deny anyone has standing, with SCOTUS’ help, to make this argument. But John Roberts said today that the government agency protocols that have become the sole guardians of the Fourth Amendment are not actually what our Founders were thinking of.

Ultimately, though, this passage may be Roberts’ strongest condemnation — whether he means it or not — of the current dragnet.

Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.

Roberts elsewhere says that cell searches are more intrusive than home searches. And by stealing and aggregating that data that originates on our cell phones, the government is indeed rummaging in unrestrained searches for evidence of criminal activity or dissidence. Roberts likely doesn’t imagine this language applies to the NSA (in part because NSA has downplayed what it is doing). But if anyone ever gets an opportunity to demonstrate all that NSA does to the Court, it will have to invent some hoops to deem it anything but digital rummaging.

I strongly suspect Roberts believes the government “inspects” rather than “rummages,” and so believes his opinion won’t affect the government’s ability to rummage, at least at the telecoms.  But a great deal of the language in this opinion raises big problems with the dragnets.

Unanimous: Cops Need a Warrant to Access Your Phone Data

SCOTUS just unanimously held that cops generally need a warrant to access your cell phone data. Chief Justice Roberts wrote the opinion. The opinion is here.

I’m reading now to figure out what it means. Will update accordingly.

This passage is getting widely cited:

These cases require us to decide how the search incident to arrest doctrine applies to modern cell phones, which are now such a pervasive and insistent part of daily life that  the proverbial visitor from Mars might conclude they were an important feature of human anatomy. A smart phone of the sort taken from Riley was unheard of ten years ago; a significant majority of American adults now own such  phones.

I’m amused by the way Roberts deals with the government’s belated encryption argument.

Encryption isa security feature that some modern cell phones use in addition to password protection. When such phones lock, data becomes protected by sophisticated encryption that  the password. Brief for United States as Amicus Curiae in No. 13–132, p. 11.

[snip]

And data encryption is even further afield. There, the Government focuses on the ordinary operation of a phone’s security features,apart from any active attempt by a defendant or his associates to conceal or destroy evidence upon arrest.

We have also been given little reason to believe that either problem is prevalent.

[snip]

Similarly, the opportunities for officers to search a password-protected phone before data becomes encrypted are quite limited. Law enforcement officers are very unlikely to come upon such a phone in an unlocked state because most phones lock at the touch of a button or, as a default, after some very short period of inactivity. See, e.g., iPhone User Guide for iOS 7.1 Software 10 (2014) (default lock after about one minute). This may explain why the encryption argument was not made until the merits stage in this Court, and has never been considered by the Courts of Appeals

Read more