The New Mexico legislature, which passed the most restrictive asset forfeiture reform bill in the nation, is once again targeting easily-abusable tools of the law enforcement trade. The Tenth Amendment Center reports that the proposed bill targets police use of Stingray devices, as well as other electronic data demands.
The bill would require police to obtain a warrant or wiretap order before deploying a stingray device, unless they have the explicit permission of the owner or authorized possessor of the device, or if the device is lost or stolen. SB61 does provide an exception to the warrant requirement for emergency situations. Even then, police must apply for a warrant within 3 days and destroy any information obtained if the court denies the application.
SB61 would also bar law enforcement agencies from compelling a service provider or any person other than the owner of the device without a warrant or wiretap order. This would include actual communication content such as phone conversations, text messages and email, location information and other metadata such as IP addresses pertaining to a person or device participating in the communication.
The bill does contain a few warrantless exceptions, but they're the expected exceptions (consensual searches, exigent circumstances) and they're limited to those two. Otherwise, deployment of a Stingray device requires a warrant or wiretap order. Law enforcement agencies will no longer be able to hide Stingray use behind pen register orders or wander into providers' offices without any paperwork and ask for historical cell site location info.
The bill also requires that any collected information be destroyed within ninety days. Information unrelated to the device targeted must be destroyed within thirty days. Any extended retention must be approved by a judge after the agency has shown cause for the additional storage and use of collected information.
Additionally, restrictions are placed on the sharing of collected information, limiting access only to those who will comply with the boundaries contained in the court order authorizing the collection. These entities will be subject to the same data destruction periods.
Stingray warrants will also receive additional judicial scrutiny. From the bill:
When issuing a warrant or order for electronic information or upon a petition of the target or recipient of the warrant or order, a court may appoint a special master charged with ensuring that only the information necessary to achieve the objective of the warrant or order is produced or accessed.
Emergency warrant exceptions won't be easy to obtain either. And, even if an exception is obtained, the law enforcement agency is required to notify the target within three days of the information's collection -- whether via a Stingray device or directly from the service provider. Law enforcement will be able to delay notification but this requires running more paperwork past a judge and convincing them that the delayed disclosure is essential to an ongoing investigation. All extension requests -- granted or denied -- will be publicly reported by the Attorney General's office on its website.
The bill also provides for a great deal of mandatory reporting on demands for information sought under the new law. This includes the number of times requests were made, the type of request, and the data/information sought. It applies to all government agencies.There's no wording contained in it that suggests this bill is solely limited to local law enforcement. That means the federal government would have to play by the same rules when deploying Stingrays or demanding information from local service providers -- something that could possibly see the feds intervening if the bill lands on the governor's desk.
The following is only part of the info list contained in the bill -- all of which must be reported to the state's Attorney General. There's a lot in there no agency is going to be in any hurry to hand over.
(b) the number of persons whose information was sought or obtained;
(c) the number of instances in which information sought or obtained did not specify a target natural person;
(d) for demands or requests issued upon a service provider, the number of those demands or requests that were fully complied with, partially complied with and refused;
(e) the number of times notice to targeted persons was delayed and the average length of the delay;
(f) the number of times records were shared with other government entities or any department or agency of the federal government and the government entity, department or agency names with which the records were shared;
(g) for location information, the average period for which location information was obtained or received; and
(h) the number of times electronic information obtained under the Electronic Communications Privacy Act led to a conviction and the number of instances in which electronic information was sought or obtained that were relevant to the criminal proceedings leading to those convictions.
If this passes, New Mexico will be leading the nation in protections of its constitutents' property and civil liberties. Expect lots of resistance as this makes its way through the legislature. And if it does become law, expect the Albuquerque PD to continue doing whatever the hell it wants to.
Reports started coming out this morning that the new Trump Administration had told the EPA that it needed to stop doing anything publicly without first getting approval from the White House (in addition to freezing grants and contracts). According to a memo that was sent around to EPA staff:
Of course, it quickly became clear that this was not just for the EPA. The USDA received similar marching orders. Same with the Department of Health & Human Services and possibly others as well, including the Department of Commerce, being told it can't even publish the basic research it releases for US companies.
It's possible to say that this is just the Trump administration hitting the pause button to figure out what's going on before moving forward again, but many in these agencies are quite worried that they're going to be muzzled for political reasons. Most of the people working in these agencies are civil servants, not political appointees, and their work is not at all political. The press releases and blog posts are generally to release new findings, research and data from taxpayer funded studies. This shouldn't be controversial or reviewed for political motives.
Of course, this kind of thing is hardly unprecedented. For many years, we wrote about the ridiculousness of then Canadian Prime Minister Stephen Harper gagging Canadian scientists from talking about factual research that was politically inconvenient (including a study on fish stock). This kind of gagging on "politically sensitive" but factual science was only lifted last year once Justin Trudeau came into office. Of course, just a few months before that, the UK similarly started muzzling scientists to stop them saying anything the politicians didn't like.
One hopes the Trump administration will not be putting in place similar policies.
Of course, if that is the plan, it should be a huge boon for investigative journalists. And they're already hunting for sources. As the reports on the gag order came out this morning, lots of reporters stepped up on Twitter with notes on how to contact publications with information:
If you work for the government and are now banned from providing basic info to the public, know that journalists will protect your identity.— Matt Pearce (@mattdpearce) January 24, 2017
Reminder for federal workers getting silence orders this week: here's a secure way to reach the Washington Post https://t.co/nHKduDCZ2s— Rebecca Sinderbrand (@sinderbrand) January 24, 2017
Techdirt Podcast Episode 106: An Office In A Bag (Bleeding Edge)
After years of working on the go, Mike has the mobile office down to a science — and wherever he sets it up, nearby gadget geeks have plenty of questions and comments (here's a rundown of his set-up). So this week we're joined by Espree Devora, host of the podcasts Women In Tech and We Are L.A. Tech, for a fun discussion about today's high-tech offices-in-bags.
Also: we're getting ready to record our first exclusive patron-only episode for our supporters on Patreon, which means it's time for those who backed us at a level of $5/month or more to submit questions for the Q&A portion. If you're one of those patrons, you can now find a post calling for questions in our Patreon feed and submit yours in the comments. If you're not, but you want to submit a question or just get access to the episode once it's released, now's the time to support the Techdirt Podcast on Patreon. We've only gotten a couple questions so far, but at least one is rich enough for us to do an entire episode in response — still, we want to give others a chance, so we're likely delaying the release of the episode until early next month. If you want to ask a question, don't wait around!
The British have a number of traditions. Some, such as drinking tea, are famous around the world. Less well-known is a habit of revealing highly-confidential information by carrying pieces of paper in public that photographers using long-focus lenses are able to snap and then magnify to read. The Guardian wrote an entire article on the subject, detailing how numerous embarrassing leaks occurred in the UK because people forgot to put the documents they were holding in some kind of opaque folder. On one occasion, an anti-terror operation had to be brought forward when Britain's most senior counterterrorism officer walked around with top secret documents on display -- a blunder that cost him his job.
This mistake is so common that there are notices by the door of the UK Prime Minister's residence at Number 10 Downing Street reminding people not to walk out with confidential material that is exposed. The fact that there is a photographer with a long-focus lens who hangs around outside No 10 in the hope that they do precisely that shows how often they ignore this warning.
Although the Brits have practically turned this activity into another weird sport alongside cricket, it's not unknown in the US. For example, the following happened at the end of November last year:
Potential Donald Trump cabinet pick Kris Kobach accidentally leaked Department of Homeland Security plans when posing for a press photograph with the president-elect. Using photo editing tools, a zoomed-in view on the documents being carried by Kansas Secretary of State Kris Kobach reveals a plan to put Trump’s hard-line immigration platform into practice.
Aside from the carelessness of the people involved, the problem has arisen because long-focus lenses are now so powerful and commonly-deployed that it is relatively easy to capture a high-quality image of an exposed document so that its contents can be read. That's a problem that will only get worse as camera technology advances, especially combined with digital enhancement techniques. If this story on the BBC's website is to be believed, it's not just documents that are now at risk as a result:
A Japanese researcher says doing the peace sign in a photo could lead to your fingerprints being stolen.
That's clearly a big problem at a time when fingerprints are increasingly being used to unlock digital devices, and to provide access to sensitive data. The British experience shows it's hard enough to shield confidential papers; keeping fingerprints out of high-resolution photos seems like an impossible task.
They might be easy to recreate if your digits are "in focus with strong lighting".
That claim is from Isao Echizen, from the National Institute of Informatics (NIII), who says prints could then be made "widely available".
The CIA has millions of declassified records stashed away in Maryland -- something it claimed was accessible to the public. Actual access, however, resembles something out of Terry Gilliam's "Brazil," rather than what any reasonable person would call "accessible."
This so-called "publicly accessible" database -- known as CREST -- has been the target of MuckRock contributor Mike Best, who kickstarted an effort to liberate records from the vault through the use of manual labor. The records can be accessed by computer, but only certain computers, and only if you know exactly where to find them.
This is the CIA's "publicly available" records system front-end.
And here's how you locate it.
Accessing the information isn't easy. Researchers have to go to the back of the 3rd floor library at the National Archives building in Maryland, which is unfortunately unstaffed for half the day. Tucked away in the library are the only computers that can access the millions of pages of declassified records. If researchers ask the the main "Information" desk, they're answered with confused stares and incorrect directions. Researchers trying to look up on the National Archive's website where to access the computers, won't find it on the page about doing research at that location or on the page for electronic records at that location. That information is tucked away on the page for online databases - despite not being online.
Best's crowdfunding effort sought to free these documents from their four-computer cage. But the only way to do so was to visit in person, print out pages, and rescan them. All of this would be done under multiple forms of surveillance at the National Archive.
To expedite the process, MuckRock turned to litigation. Three years after commencing its FOIA lawsuit against the CIA, MuckRock has emerged victorious. The CIA has released the contents of the CREST vault online at its site, something it repeatedly claimed would take dozens of years and hundreds of thousands of dollars to complete.
The story behind the CIA's forced transparency is amazing. The claims made by the CIA during its opacity efforts are simply astounding. MuckRock has published a long, detailed recounting of its FOIA battle against the agency at its site and I wholeheartedly encourage you to click through and read it. But here are some of the highlights.
First off, everything in the database is in an unsearchable format by choice. The CIA only uses TIFF files, claiming that these are more resistant to alteration. But when faced with litigation, the CIA reversed course on the supposed hardiness of TIFF files.
The declaration... says that CIA cannot release these TIFF files in electronic form because they can be so easily altered by the mere act of a CIA FOIA analyst looking at them, and that the security measures they must take to remove this accidental metadata for an electronic release (involving editing each file separately by hand) would take 28 years and 1,200 CDs.
And there's where the hilarity begins. These are the DOJ's claims as to the difficulty of releasing the database it just released well ahead of its 28-year estimate. Not only is the process supposedly far too onerous to even begin to consider undertaking, but the DOJ claims the documents it just made available to the public at the CIA's website are not of public interest -- this despite being (technically) available to for public viewing at the National Archive for several years now.
In another filing, the CIA admits the 1,200 CDs that would take 28 years to compile have actually already been compiled -- and there are actually 1,450 CDs of records, but it will only consider releasing the quoted 1,200 if forced to. Unless the CIA is still porting these documents over to the CREST system at the National Archive, its claim of "28 years" looks even more ridiculous. From one of MuckRock's filings:
"Moreover, when [CIA] estimates that it would take 28 years just to create copies of the CREST database, it begs the question of how CIA loaded CREST in the first place. The system has only been operational since 2000.”
Then it claimed it would need $108,000 and six months to make copies of the CDs it already had in hand. And it doubled down on its contradictory claims about TIFF files, stating they were so easy to alter because they were so difficult to alter.
This lead to one of the best rebuttals (and lead-offs) in FOIA history:
I file a sur-reply drawing on my extensive experience as a person with a working brain, closing with the following thought:
“Last, CIA claims that ‘the act of a CIA employee opening a document on his or her terminal may cause metadata to embed itself on the image header.’ This is a frivolous statement for two reasons. First, files on PCs are not altered unless they are saved after the alteration. Simply opening a file and then closing it without changing it does not embed metadata on the file. Second, if this were a valid concern, it would apply to every file processed by the CIA FOIA office, not just CREST files. Since it clearly does not (which would paralyze the FOIA office), then the Court should view this claim very skeptically.”
Kel McClanahan -- the author of the post and MuckRock's legal rep for this case -- digs into the DOJ/CIA's repeated assertions about the "burdensomeness" of complying with this FOIA request. By the time he's done, everyone and everything is covered with government bullshit.
In 2000, using cutting edge 2000 technology, CIA populates CREST over a matter of months. For the next 15 years they insist that the only way to protect this system is to videotape people who want to access it. In 2015 they say that, using cutting edge 2015 technology, it will take them 28 years to make CD copies of CREST. Then they say that they already MADE CD copies of CREST in a matter of months if not weeks, meaning that it will only take 6 years to copy THOSE copies.
But they can copy those records to the web in 4 years. Less than a year later, they say that because of the huge public interest in CREST over the last several years (that they expressly disavowed less than 6 months before, did you remember?) they will have all of CREST online within a year because nobody needs to be videotaped any more. Then, less than 2 months later, they put all of CREST online.
The CIA and DOJ insist this stonewalling had nothing to do with the CIA's online release of CREST files. Apparently, it did all of this out of the goodness of its heart, forfeiting a shot at $100,000+ in FOIA fees and chance to do next to nothing for the next 30 years. It's obvious the effort to move these records online increased once it became apparent the government was going to come out on the losing end of these FOIA lawsuits (Jason Smathers was suing the CIA over the same database). Rather than be on the hook for legal fees, the CIA preempted any judicial judgment by releasing them to the public (the same public it said had "no interest" in these files) in bulk before final rulings could be made.