Kojo chats with two reporters who spent the past year following the launch of Ron Brown College Preparatory High School, D.C.'s new school for boys of color. Their stories are now featured in "Raising Kings," a collaboration between NPR and Education Week.
Guest Host: Rebecca Roberts
Can a police officer download information from your cellphone without a warrant? Members of Congress and others were concerned to learn location information is regularly being transmitted by phones, iPods, and other mobile devices. Technology forensic specialists have uncovered location logs in iGizmos, and at least some Android phones. We look at the way data extraction devices are being used by law enforcement are causing concern among those concerned about technology and civil liberties.
- Declan McCullagh Chief Political Correspondent, CNETnews.com
- Kevin Bankston Senior Staff Attorney, Electronic Frontier Foundation
- Mark Rasch Director, Cybersecurity and Privacy Consulting at CSC
MS. REBECCA ROBERTSFrom WAMU 88.5 at American University in Washington welcome to "The Kojo Nnamdi Show," connecting your community with the world. I'm Rebecca Roberts sitting in for Kojo.
MS. REBECCA ROBERTSA smart phone in every pocket, that means you and I and everyone we know are carrying our entire lives with us, even records of where we've been. According to recent reports, Apple, Google and Microsoft have received transmissions from customer's smart phones which tell the companies where you were, or at least which cell towers or Wi-Fi spots you've been near. And law enforcement organizations from local to federal are equipped to use that information.
MS. REBECCA ROBERTSNow, the ACLU of Michigan has questioned the way state police are doing just that and the Department of Homeland Security is controversially reserving the right to scan mobile devices at the border for any reason. With us to discuss the question surrounding personal privacy and the computers we carry everywhere, here in the studio is Mark Rasch, the director of Cybersecurity and Privacy Consulting at CSC, an IT services company. Welcome to the show.
MR. MARK RASCHThank you, Rebecca.
ROBERTSAnd in KQED in San Francisco we have two guests Declan McCullagh is the chief political correspondent for the tech news website CNET and Kevin Bankston is the senior staff attorney for the Electronic Frontier Foundation which is a digital civil liberties group. Declan McCullagh and Kevin Bankston, welcome to you.
MR. DECLAN MCCULLAGHThank you.
MR. KEVIN BANKSTONHi there, thank you.
ROBERTSSo let's start with today's news which was written by you Declan that pretty much everybody, Apple, Google and now Microsoft according to your piece today are collecting the location histories of phones. What exactly are they doing and do they differ from each other, Declan McCullagh?
MCCULLAGHRight, the piece that went up last night on CNET that I wrote yesterday and it says that Microsoft, like Apple and like Google, collects records of the physical locations of customers who use in this case the Windows Phone 7. And so they all collect information from wireless devices. The details differ, but Microsoft does not, unlike the other two, actually store location histories directly on the device. Apple seems to do this with no limit. Google's approach, by contrast, records only the last few dozen locations of where the Android phones are.
MCCULLAGHSo there are some DSR. There are some differences and details and some important differences, but they all do phone home with your location.
ROBERTSAnd Mark Rasch, these companies aren't necessarily saying why they're collecting this data. What's your guess?
RASCHWell, we can only speculate right now as to why they're doing it, but the basic reason that from a technical standpoint is when you have a regular GPS, a handheld GPS, it has to find a satellite's signal and that can take 10, 15, 20 seconds to do that. If you've cached where you thought it was the last time around, then it makes it a lot easier to find a signal from the satellite. That explains why they collect it. It doesn't explain why they have to store it on the phone for days, weeks, months or years.
ROBERTSAnd Kevin Bankston, what do we know about how law enforcement has been using that location data and actually, you know, any smart phone data? And what do you think about how concerned your average smart phone user should be?
BANKSTONWell, traditionally, when the government wants to find out where you were or where you're going based on your cell phone, it would go to your cell phone company and get the information from them about which towers you were closest to or if it's available GPS data. And we at the EFF have been deeply involved in the legal controversy over whether or not the government needs to get a warrant if it wants to do that.
BANKSTONBut we've also seen and been involved in cases where the government searches your cell phone incident to an arrest. Traditionally, the government has been able to search your person and areas near you in order to check for weapons or to preserve any evidence that you might otherwise destroy. Based on that rationale, we've seen several courts now bless the practice of searching your cell phone when you're arrested, whether it be by flipping through the phone at the moment of arrest or taking the phone and searching it offsite later.
BANKSTONSimilarly, we've seen a bunch of U.S. courts of appeal bless the practice of border agents searching your laptop, another mobile computer that includes a great deal of information about you, allowing them to search those at the border or to allow them to take them away from the border for search without any particularized suspicion whatsoever. And so the concern here is that we are all, whether it be our cell phones or our laptops, carrying around mountains of personal data about ourselves in our everyday lives that are now much more vulnerable to government access than ever before.
BANKSTONAnd one of the reasons this is a problem particularly with smart phones is that we lack the tools necessary to secure that data. For example there aren't widespread tools for you to encrypt the data on your cell phone so that the government would actually have to attempt to compel you to disclose a password before they could search your data. And so there's a problem of law here and we at the EFF are fighting to keep the law strong so that the government actually needs suspicion and ideally a warrant to search your phone.
BANKSTONBut there's also a problem of a lack of necessary security technology for users to make use of and finally a lack of adequate and informative user interfaces so that the device manufacturers are adequately informing users about what data is actually being stored on their phones.
ROBERTSWell, let's turn this out to the audience. Has a police officer ever asked you for your phone or a tablet during a traffic stop and did you turn it over? And when do you think law enforcement should have the ability to scan electronic devices, under what circumstances? You can join us by phone 800-433-8850. You can send us e-mail email@example.com and you can get in touch through Facebook or tweet us at kojoshow. Declan McCullagh let me just ask you to clarify something because I see that Steve Jobs, Apple chief, Steve Jobs has actually responded to this information that the Apple iPhone tracks users.
ROBERTSA Mac Rumors reader e-mailed Jobs saying, maybe you could shed some light on this for me before I switch to a Droid. They don't track me and Jobs wrote back, oh, yes, they do. We don't track anyone. The info circulating around is false.
MCCULLAGHRight, this was an exchange that was publicized in the last day or so, or I should say alleged exchange. There's no actual evidence that this was Steve Jobs. It's pretty easy to fake e-mail and I don't know if I want to say I think but I suspect there's a very good chance that that's what happened there. And so until Apple actually confirms this, it could well be a late April Fool's joke.
ROBERTSVery late. And while we're with you, Declan, why don't you bring us up to date on the Michigan ACLU who is concerned about law enforcement's use of data extraction devices. What is a data extraction device? What does it do?
MCCULLAGHRight, this is part of a broad and quickly-growing and not really that well known field called computer forensics. And even though we, the general public, didn't really know what was going on with Google and Apple devices. And it's not just the iPhone. It's also the iPad, by the way, in terms of what location info is being stored. It turns out that law enforcement has known about this for quite a while since at least last year.
MCCULLAGHAnd this idea that you can extract location logs, including nearby cell phone tower coordinates or GPS coordinates from a handheld device has turned out to be a sales pitch for computer forensics software makers to target customers and police, military intelligence agencies and so I can go through a long list of companies that are advertising this, but the point is that they sell the software that can extract the info and that raises some privacy concerns.
MCCULLAGHI mean, the privacy concerns, I suspect even Kevin might agree that they're attenuated when you have a search warrant and probable cause and all this traditional due process that we like to think happens in criminal investigations. But when you can have law enforcement go through and gain access to location histories on gadgets after an arrest where you don't have the 4th Amendment requirement of a search warrant applied in all cases. And the Justice Department under the Obama administration has taken the position that no warrant is necessarily required to search a cell phone or laptop after an arrest and that the border is another case.
MCCULLAGHThe Department of Homeland Security under both Presidents Bush and Obama has said hey we have the right to copy all data from your electronic devices at the border even if there's no suspicion or evidence for illegal activity.
RASCHWell what's going here is people are carrying in their pockets things that contain so much information and so much intimate personal information, not just location data where you are, where you've been, who you've met with, who you've talked to, every communication you've had, every book you're reading and everything that you've purchased. All this intimate data is now being held in a device, either an iPad, an iPhone, or an Android device that you're carrying with you. And I think most businesses don't understand this and most businesses that invade privacy through their business plans don't understand this so we need a new legal regime to deal with that and because we're using analogies.
RASCHIf you're coming across the border with a briefcase full of documents, we expect that the police, the border patrol, the border agents can rummage through those papers. We don't expect that they can figure out what organizations am I a member of? When did I join? Who am I talking to? And that's the stuff we're carrying with us all the time.
RASCHSo at the CSC, we work with companies to try to protect privacy and to secure these kinds of devices.
ROBERTSThat's Mark Rasch, director of Cybersecurity and Privacy Consulting at CSC. We're also joined by Kevin Bankston of the Electronic Frontier Foundation and Declan McCullagh of CNET. You can join us at 800-433-8850 or send us an e-mail at firstname.lastname@example.org I'm Rebecca Roberts and you're listening to "The Kojo Nnamdi Show" more after this quick break.
ROBERTSWelcome back. I'm Rebecca Roberts sitting in on "The Kojo Nnamdi Show." We're talking about what information might be stored in your mobile device including where you actually are physically and what access law enforcement should have to that information. My guests are Mark Rasch director of Cybersecurity and Privacy Consulting at CSC, Kevin Bankston, the senior staff attorney for the Electronic Frontier Foundation and Declan McCullagh, the chief political correspondent for CNET. You can join us at 800-433-8850 or send us an e-mail email@example.com And Kevin Bankston, just before the break Mark Rasch was saying we need actually a new legal regime to understand some of these issues. Do you agree?
BANKSTONAbsolutely, I think that we have a lot of new problems that we need to find new solutions for. In the industrial age, to use a metaphor originated by security expert Bruce Schneider, we have the new problem of industrial pollution. We had all these new things that we could do and new services and whatnot but they generated these new types of destructive pollution. And, I think, that in the information age, we're kind of generating a new type of pollution.
BANKSTONWhen we use these devices, we're generating a whole lot of personal data that we weren't generating before. And just like we had to figure out and are still trying to figure out with industrial pollution, we need new strategies to mitigate the production of this information and to mitigate the damage that can come from it. One of the biggest parts of that is trying to update our electronic communication privacy laws, federal laws that were written back in the 1980s and we've been working with a coalition of civil liberties groups and companies as part of something called the Digital Due Process Coalition.
BANKSTONTo raise the standards of these privacy laws to insure that the data that you store or that is collected about you by your service providers, be it Apple or Google or anyone else, are very strongly protected against government access. And we hope, strongly protected against civil litigant access, as well or disclosure to anyone. We also need, and these are battles we're fighting in court right now, we need stronger protections about -- against government searches of your digital devices.
BANKSTONAs Mark pointed out earlier, there's a real sea change in terms of how much information we're carrying about ourselves on our persons every day. And that -- the law has not caught up to that. And we've been fighting in court to make sure that the law takes account of that. But it may be, particularly, looking at the border search situation, that congress needs to step in and write a protective law because 4th amendment law isn't keeping up.
MCCULLAGHAnd there's a relationship between privacy and security. For example, if the police want to see what's on your phone and let's assume they even have a warrant to do so, you would think they'd have to go to your phone or go to your phone provider, well, they can install remote software that can scan everything on your phone and send it back to them. So we need to -- companies need to be able to secure their data and use these devices. These are great devices and have great utility if we can secure them and protect privacy.
ROBERTSLet's take a call from Ryan in Washington, D.C. Ryan, welcome to the Kojo Nnamdi show.
ROBERTSHi, you're on the air.
RYANWe now know that Google is storing location information on its servers that tie to particular users, mobile devices. My question is, if law enforcement wants to compel Google to hand over that location data, what's the relevant legal standard? Do they -- law enforcement would have to get a search warrant, a D order or a subpoena?
BANKSTONI think that's a very hotly contested question. Just as it is a very hotly contested question when you're talking about similar data in the hands of your cell phone provider. In terms of tracking you overtime prospectively, in real time, there have been a lot of disagreement in the courts. Most courts have found that you need a warrant to do that, a probable cause based search warrant. While others have allowed it on a much easier to meet intermediate standard. The caller referred to a D order, that's a particular type of court order under federal privacy law that only requires a showing of facts demonstrating that the information sought is going to be relevant.
BANKSTONBut, I think, the question, what legal standard is going to be required there? The answer to that is, whatever the compliance lawyers at those companies demand. And then the government needs to decide whether it's going to meet that or it's going to go to court to fight over it. And if they go to court to fight over it, we and I'm sure other organizations will jump in as we have before and press for a warrant standard. But right now, I think, the answer to your question, we don't know the answer.
BANKSTONWe don't know how often the government has gone to these companies, if it has at all for this type of location information. Again, we know they routinely go to the phone companies so it's not quite clear why they would need to go to these companies at this point unless they thought they could get it on a lower standard. But if anything, right now, the biggest concern is, we don't have enough information to answer those types of questions.
BANKSTONOur position, of course, though would be that a warrant should be required.
ROBERTS...and is it clear that we as users through our terms and service agreement have even given those companies the right to collect that information regardless of who they pass it on to?
RASCHWell, I think most people don't even know it's being collected and they don’t know the import of it. But one of the things that Kevin's pointing out here is, what the government's allowed to do and the standard to get it is frequently dependent on how they do it, what the technology is. And what we haven't really done is step back and said, "Do people really have privacy expectations in their location?" And so, for example, if you're driving around Washington, D.C., the police can follow you in their car without a warrant.
RASCHAnd we recognize that. And unfortunately what courts do, is they start with that assumption, "Well, clearly what you're doing outside, you have no privacy expectation." And then the police use that and not just the police but anyone then can use that and say, "All right, now I'm going to follow you with a helicopter, an airplane, a satellite, a tracking device, use your phone data to track you, use laser darts that I'm going to point at your car to track you." All these things are happening.
RASCHAnd now, if you start with the assumption, well, where you're driving to isn't private and that it's somehow public, then they can get all of that stuff without a warrant.
ROBERTSLet's take a call from Michael who's calling from Georgetown University. Michael, welcome to the Kojo Nnamdi show.
MICHAELGlad to be there -- be here. My question isn't about the data that's stored on my device, I'm concerned about how more and more of my personal data is moving to the cloud. So I might be backing up all the information I have on my cell phone to a server that's run by Google or Amazon or Microsoft. What are the rules going to be for that and are companies making clear who gets access to that data when it's in their hands, on their property even though it's my data?
RASCHYeah, well, you know, it's interesting because the cloud both can offend privacy and protect it at the same time. Usually your rights to privacy with respect to data stored over the -- on the cloud is dependent on your contract with the cloud provider and that can be overcome with a court order. So, for example, let's say you're crossing the border and you've got files on your computer that you don't want someone to see, putting aside the -- your ability to encrypt them, one way, if you're traveling across the border, the government's going to say, "Well, we can take them, we can examine them, we can copy them, do anything we want with them."
RASCHSo to protect that, you say, "I'm not even going to travel across the border with the files. The files are going to stay on the cloud, I'm going to travel across the border with an iPad and access the files when I want to. Well, that way, the cloud can protect privacy. Unfortunately, your documents now, are sitting on a cloud provider. And there was a case a couple of years ago involving the guy who invented Enzyte, the male enhancement pills. And he was under investigation by the justice department who subpoena his e-mail from Yahoo.
RASCHAnd from a number of internet service providers. And in that case, the guys name was Steven Warshak, he argued successfully, well partially successfully, that, "Hey, you can't subpoena my e-mail just because it's on the hands of a -- " effectively, " -- cloud provider. You've got to get a search warrant to me." Or to the -- it's like going to a landlord and saying, "I want to examine your tenants files." The landlord can't turn them over, only you can. So the law's in flux.
BANKSTONYeah, this is Kevin at EFF. EFF actually litigated that case. The Warshak case in the 6th circuit and got a great opinion just this past December holding that the 4th Amendment protects the privacy of your e-mail's stored with your e-mail provider. Such that the government does need a warrant. That's a good thing because federal law, at this point, inconsistently requires a warrant, if at all, for data you store in the cloud. And that's actually something that we're trying to get congress to update.
BANKSTONWe think that, the government should have to get a warrant for your data stored in the cloud regardless of what type of data it is or how old it is or what type of service it is. Right now, under federal law, for example, if your e-mail is less than six months old, it requires a warrant but after six months, it can be obtained with only a subpoena, a weird anachronism coming from the fact that this law was written in 1986. But we are trying to make the federal law consistent with the latest rulings on 4th Amendment protections. And the latest ruling coming out of this Warshak case is that the 4th Amendment does protect the data you store in the cloud.
ROBERTSAnd, Kevin Bankston, we have an e-mail from John who says, "Wire lined phone companies are subject to strict rules about how long they can store subscriber information. And these are subject to court order although pen, trap and trace is subject to a reduced relevant standards for dial digits. Why shouldn't these rules simply be applied to location data on handheld devices? Wireless carriers faced similar rules under the communications assistance for law enforcement act and the courts found a middle ground."
BANKSTONWell, they're actually a lot of issues in -- mixed together in that e-mail. First off, I'm not aware of any limits on how long the phone company can keep logs of your calls. The caller may -- the writer made mention of pen register and trap and trace surveillance. That's surveillance of who you're calling and who's calling you. And the Patriot Act extended that law to internet transactional information about who you're e-mailing or instant messaging. And that can be obtained on a very low showing of relevance.
BANKSTONAnd then he also mentioned the communication assistance for law enforcement act or CALEA which mandates that phone networks and since 2005, broadband networks have the capability to conduct interceptions for the government. But amongst all those different issues mushed together, I'm not really quite certain what the question was. So I'm not sure how to answer it.
ROBERTSWell, in general, I think he's probably asking, is there a current standard that could be extended to mobile devices? And sounds like the answer's no.
BANKSTONI mean, we're talking about two different things here. There's the issue of, when the government can search your stuff that you are carrying. And then there's the issue of when the government can access data that is stored about you or stored for you. And under current law, there is no distinction between, say, your wireless provider and your wire line provider in the context of the data they store about you.
RASCHAnd by the way...
BANKSTONThe stand -- go ahead, Mark.
RASCH...it's not just them who have the data. I mean, if you use Facebook, you're telling Facebook where you are. And these are all with some degree of consent. Groupon knows where you are, your Google maps knows where you are. If you're trying to find a local restaurant, you have to tell where you are. Your internet service provider knows where you are. Your phone company knows where you are. So there's, now, dozens or hundreds of companies that know where you are because of the Geo location data in your phone.
ROBERTSLets here from Adam in Washington, D.C. Adam, welcome to the Kojo Nnamdi show.
ADAMThank you so much for having me.
ADAMMy question is -- rather my comment. It's just to clarify the difference between Apple and Google's location data. And what they collect on their devices. Because there's been a lot of recent, sort of, hullabaloo about the way that they handle it and, "Oh, is this file collected." I mean, like, I've been using, developing Apple devices and I've been working on the most recent Android device the last couple of years. What that file is, all it is, is really cache. You know, and what it is, is it's basically allowing a company like Apple who wants to make further end user, like, a really fast, really localized maps experience.
ADAMWhen they use that, it allows it to be really fast because it's using regular locations that they're at all the time. Now, that file itself, their problem with it, was necessarily not that existed, but that it wasn't automatically encrypted (word?). I think that the biggest point about this, is that when you compare a company like Apple to a company like Google, Google is automatically data up in the cloud and Apple is keeping on the device which can be wiped by any user. I think that makes a big difference when we talk about the legal ramifications of collecting this data.
ADAMThe big issue is Google, not Apple.
ROBERTSAdam, thanks for your call.
MCCULLAGHThat -- this is -- Declan. That's actually not entirely right. Now, we've been pressing Apple for details on what they're doing. And Adam is right, that they store the data locally and there are some benign reasons for it. It'd be nice if they actually acknowledge this and let us turn it off. But he's wrong in saying that the information stored only on the device. Apple acknowledged in a letter to congress last year that I'm quoting from now, "Cell tower and WiFi access point information is intermittently collected and transmitted to Apple every 12 hours."
MCCULLAGHI'm now -- so Apple transmits, Google transmits, Microsoft transmits. We have not yet heard details from any of these companies which is a kind of worrisome. And I've been pressing them from, at least a week ago, and I think other journalists have as well. So it's a little odd that they haven't actually said, "Hey, okay, look this is consumer friendly. We're doing this to benefit users, reduce battery life, improve speed, here's what we do." We have Senator Franken scheduling a senate hearing on May 10th. We have the Illinois attorney general asking these companies for a meeting.
MCCULLAGHSo eventually we're going to get details. It'd be nice if we got them sooner than later.
BANKSTONYeah, this is Kevin at EFF. There's an additional point to be made that, assuming that the caller is right and that the intent of this file is that it serves as a cache of your recent locations to better the performance of your phone. Well, let's look at other caches. You have a cache in your web browser and you have settings such that you can say, "Clear my cache, don't keep a cache, only keep a cache that's this big, only keep a cache of where I've been in the past X number of days." There are plenty of options for user control. And those options for user control also educate the user that there is in fact this cache that tracks where they're going online.
BANKSTONIf there's a cache on my phone also tracking where I'm going offline, I should know about that and have control over it. Right now, the user doesn't have that knowledge or that control.
MCCULLAGHIn other words, turn it off even if it means your battery life is a little worse or the phone acts a little slower. Makes sense.
ROBERTSAnd we're about out of time. But Declan, I just want you to clarify a couple of questions from e-mail's. Bill asks, "Can an extraction device read the data my iPhone if it's password protected?" And Sandy asks, "What about my Blackberry, is RIM, the makers of Blackberry smart phones, also doing this?"
MCCULLAGHTwo questions, the first one, first. And the answer is, yes. There are plenty of forensic software applications that are sold by -- one of them is iXAM, another one is Cellebrite, there's a Katana forensics. I interviewed the technical lead for that company and a CNET piece I did last, I think, Thursday. The software's called Lantern 2. Yes, they can bypass the pass code. That's not an obstacle. The second question was, what? I'm not blanking.
ROBERTSWhat day is Blackberry still -- is Blackberry also collecting location device?
MCCULLAGHRight, we've asked, almost a week ago, RIM for a response and have not yet heard back. And I'll let you know as soon as we do.
ROBERTSThat's Declan McCullagh, chief political correspondent for the tech news website, CNET. He joined us from member station KQED in San Francisco. As did Kevin Bankston, the senior staff attorney for the Electronic Frontier Foundation which is a digital civil liberties group. And here in studio in Washington, Mark Rasch, the director of Cybersecurity and Privacy Consulting at CSC which is an IT services company. Gentlemen, thank you all so much for being here.
MCCULLAGHThank you, Rebecca.
ROBERTSComing up next, 21 years of the Hubble space telescope. I'm Rebecca Roberts. You're listening to the Kojo Nnamdi show.
Most Recent Shows
For the first time since 2009, more people are leaving the Washington region than arriving ––including millennials. Kojo sits down with researchers to understand why migration to D.C. has slowed, and how millennials factor into the makeup of the city.
Many gardeners think that cooler weather means an end to gardening, but our roundtable of urban farmers offers tips for maintaining your garden throughout the fall months and preparing it for spring.
As D.C. and jurisdictions around the region put in their pitches for Amazon's second headquarters, we explore what winning that bid would mean for the region, and what it might cost taxpayers.