06:06 AM
Pablo Valerio
Pablo Valerio
Connect Directly

Electronic Warrantless Surveillance: What IT Should Know

Today, in the name of public safety, federal and local government agencies are piling up advanced technologies to monitor people, with little regard for the basic principles of privacy. Here's what businesses and individuals need to know.

14 Security Fails That Cost Executives Their Jobs
14 Security Fails That Cost Executives Their Jobs
(Click image for larger view and slideshow.)

In 1972, the US Supreme Court ruled that an individual's right to privacy could only be breached by a court order, not at the discretion of law enforcement agencies. The majority in the case wrote: "The Fourth Amendment contemplates a prior judicial judgment, not the risk that executive discretion may be reasonably exercised."

A lot has happened in the 40-plus years since that decision.

Recently, San Jose city leaders approved a study of a plan to place license-plate readers on garbage trucks. Since garbage trucks go around every street of the city at least once a week, the trucks can be used to locate parked vehicles in places where police cruisers usually don't go. Garbage truck drivers wouldn't see the information collected.

The ALPR (Automatic License Plate Recognition) device would send its data directly to the police, who could then build a massive database of cars parked on the street. San Jose already has six ALPR systems mounted on police cars and has set aside $68,400 for more units next year.

This is just one example of law enforcement agencies' ongoing desire to deploy technologies to monitor people's location and movements without obtaining a warrant.

Automatic License (or Number) Plate Recognition has been around for several years.

[Is your car watching you? See With Great IoT Comes Great Insecurity.]

In the United Kingdom, a CCTV network -- with more than 15,000 cameras in the London area alone -- can be used to track vehicle movements in real time. The data is stored for five years and can be analyzed by intelligence services and used as evidence in a criminal case. When the system became operational in 2006, the ANPR center in north London was already able to store 50 million plate reads per day.

In the United States, many cities and towns have been purchasing ALPR systems for local police with grants from the US Department of Transportation.

(Image: stnazkul/iStockphoto)

(Image: stnazkul/iStockphoto)

At the same time, organizations such as the American Civil Liberties Union (ACLU) are working hard to raise awareness about the potential threat to citizens' privacy.

But the device with the most power to track people is the very cellphone that we carry around all day.

Keeping Track Of You

Even before the explosion of smartphones, and especially after Apple's introduction of the iPhone, carriers were already tracking people's phones using cellular location technology.

In 2010, Malte Spitz, a German Green Party politician, went to court to find out how much location data his provider, T-Mobile (Deutsche Telecom), was collecting and retaining through tracking his cellphone. The results astonished him: From September 2009 to February 2010, T-Mobile had stored his location more than 35,000 times, including on train rides.

Spitz decided to publish the data to show the public what kind of surveillance cellphone users are subject to every minute. "I want to show the political message that this kind of data retention is really, really big, and you can really look into the life of people for six months and see what they are doing where they are," Spitz said in 2011.

The ease in accessing tracking data makes some people believe there is no harm in it.

However, location-tracking and movement data is very sensitive information. It can be used for profiling and reveal relationships: It would be very easy for organizations with access to the information to track the people we meet, cross-reference databases with the location of our contacts, and check our location when we update our Facebook status, send/receive email, or just text messages.

Last year in Barcelona, during a policy workshop of the EU funded project RESPECT (Rules, Expectations Security through Privacy-Enhanced Convenient Technologies), Ian Readhead, chief executive of the UK Association of Chief Police Officers, declared that police forces in the UK were extremely happy that "everyone is always carrying a cellphone in their pockets."

One disturbing technology is the so-called "Dirtbox" (whose name comes from Digital Receiver Technology, a subsidiary of Boeing).

The Dirtbox and Stingray are both types of "IMSI catchers" (named for the system used by networks to identify individual cellphones), which act as fake cellphone towers and get phones in the area to link to them. Those devices, installed on small planes and unmarked vehicles, are being used to scan data from the cellphones of thousands of Americans who are not targets of any investigation.

Recently, the US Justice Department announced that it would start disclosing more about the use of those cellphone-tracking devices. Agencies such as the FBI, which for years didn't bother to get warrants to track suspects using those technologies, have begun requesting them from judges.

Continued on the next page.

However new, cheaper, passive technologies, based on WiFi and IMSI, are now in the police surveillance device market.

Jugular, PocketHound, and Wolfhound are trade names of a few handheld units that can be carried by officers and used to track cellphones in a limited area.

Those devices are not engaging the phones, they just "listen" to radio chatter when phones communicate with a cell tower and capture their unique IDs. At the same time, their manufacturers claim that "passive" listening doesn't require a warrant. It is like the ALPR technology but applied to anyone carrying a phone in his/her pocket.

Why IT Should Pay Attention

The rise of electronic surveillance creates serious problems for corporations, too.

More and more executives carry large amounts of information in mobile devices and connect to corporate servers through cellular mobile data. If data transmitted is not properly encrypted and secured it can end up in databases unknown to the company. Is there anything we can do to protect corporate data?

There are some steps CIOs can take to minimize the risk, although not completely eliminate it. First, ensure that any access to sensitive information is only allowed via secure VPN, with strong encryption and two-factor authentication.

Second, if possible, fully encrypt the mobile devices carrying corporate data. Both the iOS and Android operating systems permit full encryption of the devices, with keys known only to the owner, something that some law-enforcement agencies are trying to stop.

Many companies also use mobile device management solutions, such as one from AirWatch. This allows them to easily set up security policies, limit access to certain data and services, and remotely wipe data from stolen or compromised devices.

For some people who need maximum protection, solutions such as the one from Silent Circle can protect their devices against attacks from IMSI catchers, WiFi snoopers, and other forms of electronic surveillance.

[It may not be surprising, but learn Why AT&T's 'Willingness' To Help NSA Is Alarming.]

A few years ago Judge Lisa Pupo Lenihan, of the US District Court for Western Pennsylvania, wrote an opinion about a law enforcement request to access location records held by a cellphone carrier. She said, "permitting surreptitious conversion of a cellphone into a tracking device without probable cause raises serious Fourth Amendment concerns, especially when the phone is monitored in the home or other places where privacy is reasonably expected."

Lenihan added, "Law enforcement's investigative intrusions on our private lives, in the interests of social order and safety, should not be unduly hindered, but must be balanced by appropriate degrees of accountability and judicial review."

If you are really concerned about electronic surveillance and how cellular carriers, government agencies, and Internet companies are tracking you, use public transportation, pay everything in cash, and, most importantly, leave your phone at home.

Pablo Valerio has been in the IT industry for 25+ years, mostly working for American companies in Europe. Over the years he has developed channels, established operations, and served as European general manager for several companies. While primarily based in Spain, he has ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service