This is a topic that holds a lot of interest for me. As an infosec professional, I have some passing familiarity with Law Enforcement Officers (LEO). The open-source hacker in me resists these interactions by habit, but also usually has to acquiesce because the requests I see are typically legal and rational. My angle in this newsletter is to bring light to technology-adjacent topics, primarily focussing on the unintended consequences, or surprise niche issues, that technology creates in everyday lives. The topic I’ve written about below is a slam dunk for this theme, but I hesitated to write it for a long time. This hesitation is because I am not deaf to the major issues facing police forces in the United States, and specifically, the “defund the police” protests taking place worldwide. For that reason, I’d like to make clear from the outset that what I’ve written about below has nothing to do with the current police issues in the US - I’m not commenting on them, and I am not offering any point of view on them.
The internet has facilitated mass surveillance on a scale that delights law enforcement and terrifies the rest of us who are “in the know.” The sole function of the internet is to route traffic between us and remote internet servers. Those remote internet servers are where the websites and emails and chats and ads are stored, waiting to be shot down the tubes into our eyeballs. In technical circles, we refer to this as convergence. The internet converges traffic from all over the world to specific destinations, just like a highway system converges traffic to little cities dotted all over the countryside. Convergence is the internet’s biggest asset and also the biggest lure for law enforcement.
Some of you may remember PRISM, one of the NSA surveillance programs revealed by Edward Snowden. Essentially, the PRISM program made a copy of all the internet traffic destined for big internet properties like Facebook, Amazon, Microsoft, and others. When PRISM was revealed, the outrage immediately focussed on those sites, asking “how could you spy on us without telling us?”, but a slightly deeper dive into the program revealed that the sites have plausible deniability that it was happening. This may seem hard to believe, but our old friend convergence actually makes these denials credible.
To go back to the highway analogy, let’s check out some simple convergence ideas. If I wanted to get the license plate of every car that was heading into my home town, I could start out on the interstate highway and collect license plate numbers. However, there’s a lot of traffic on the interstate that isn’t headed to my town, so while I would have the numbers of those headed to town, I’d also have a lot of irrelevant numbers from cars that are blowing right by.
So I move in a bit more and I start collecting numbers from the secondary highway that leads from the interstate to my town. Again, I’d end up with the numbers of the cars going to my town. They’d still be buried in a bunch of irrelevant numbers, because that secondary highway goes to many towns, but the ratio would be better.
The best place to collect this data is at a branch of the highway that only goes to my town and nowhere else, such as the exit ramp to my town. This is where the cars converge into my town, and I can be certain that every license plate I see is definitely headed to my town. That is the magic of convergence, and the internet works the same way.
The architects of the PRISM program recognized this and put a traffic-copying device at the internet off-ramp leading to Facebook and other internet giants. This allowed the NSA to literally copy every bit of data sent to Facebook without needing Facebook’s cooperation or knowledge. It is still a highly contested debate whether Facebook and the other companies did, in fact, know about the program, but the point is that their cooperation was not needed, so the eventual outcome of that debate is not relevant from a technical standpoint.
There are other examples of technology convergence that are attractive to law enforcement, such as cellular towers. There are relatively few cellular towers when compared to cell phone users, and therefore many cell phones are connected to any given tower at any given time. This is a form of convergence where mobile phone packets are routed through the air. Each cell phone is identifiable by its SIM card’s IMEI number so that billing and operational data can be associated with a single customer. Law enforcement knows this and will regularly subpoena mobile providers’ tower records to get a list of all the phones that were connected to a particular tower - perhaps near a crime scene - and therefore end up with a list of everyone within earshot of the incident.
The problem with solutions like PRISM and cell tower dumps is that they are dragnets. They capture data on people that have nothing to do with the situation at hand and violate people’s privacy by tracking their movements when there is no legal reason to do so. At face value, it seems there is not a huge issue here because the police presumably discard the irrelevant data once it is known, but that is not the case. Instead, we see law enforcement creating huge databases of innocent people’s movements. There are two main arguments against this wholesale data collection and storage.
First, we have the argument that LEO does not discard irrelevant data. This means that LEO has a historical database of every person who drove into my town for as far back as they care to record it. This allows LEO to go “back in time” and see where Joe’s car was, say, three weeks ago because of the dragnet. While this may seem to be an OK use of that data, the reality is that we do not live in a surveillance state and there’s no reasonable expectation that our movements are being collected and sifted through by the government as we go about our daily lives.
The second argument is the security of this data. This is primarily where my concern lies. LEO is always government, and as such, it is a drudging, bureaucratic mess, with a level of incompetence and fiefdom-building surpassed by none. Governments have proven, repeatedly, that they are incompetent custodians of data, whether by accidental loss, insufficient security measures, or just plain old data theft. (links 1, 2, 3…I could go on…) Some governments elevate their risk of data loss even more by outsourcing the custodianship of their data to companies that are also drudging, bureaucratic messes.
This wholesale dragnet of data harvesting is a problem. It reduces freedom, erodes citizen privacy, and incrementally moves us towards a police state where everyone’s movements are tracked and dutifully stored away forever in some unknown database of human activity. I don’t know of anyone who understands the problem who is in favor of it. The population of people who are in favor of surveillance, or don’t care about it, is wholly populated by people who do not understand how this data is used against them every single time they use an internet-connected device. It’s bad news for us proletarians.
Even though I am against this state of events, and concerned about how much worse it will get over time, I am still unable to come up with a good answer to the question “yeah, but what are the cops supposed to do?”
It’s a hard question to answer because we rely on LEOs to protect us, investigate past crimes to find the perpetrators, and warn us of bad things coming our way. We expect LEO to use every tool at its disposal to perform those duties. If an LEO is investigating an armed robbery at a convenience store and has no leads, we expect her to think about looking at the cell phone tower logs to compile a list of phones that were in the area at the time of the robbery. We expect her to subpoena search results from Google about IP addresses that searched robbery-related information around the day of the robbery. We’d be pissed off if she knowingly ignored these treasure troves of data that could potentially quickly identify a small set of people to investigate, and let a bad guy walk the streets for longer than needed, perhaps forever.
As in many occupations, creativity pays off hugely in law enforcement. The ability to think about novel ways to gather data about an incident is a top-shelf skill that good investigators need. Data collection has friction attached to it; some data is easier to get than others. Video camera footage from neighboring stores has almost zero friction - investigators can just ask the proprietors for it and store owners can surrender it as they see fit. Likewise with Facebook posts, or Tweets - they’re free for the taking. But as we ascend the hill of more valuable data, the friction grows. Cell phone tower dumps and requests for private emails usually need a subpoena, which takes time, but they can provide much better information because users are aware that there is a modicum of protection associated with private communication and are therefore looser with their actions in email and phone calls.
My favorite “creativity” stories are ones like this. Quebec police were cracking down on drivers who texted while driving. They could have requested the cell tower dumps from a few towers along the way, correlated the time between tower jumps and data flow, and drawn up some pretty compelling data on which phones were both driving and texting at the same time, all from the comfort of a desk. But that would take court orders and delays, so instead the officers hopped on a transit bus and looked down into cars as the bus went by to see who was texting. It’s quick, it doesn’t violate anyone’s privacy rights because they’re already in the public space, and it doesn’t drag thousands of irrelevant people into the fray who have nothing to do with it. It’s also very effective because the police officer sees the offense first-hand, so there is no bumbling around in the court about the validity of the data which, quite frankly, I don’t think defense lawyers generally know how to do properly. I can poke reasonable doubt holes in pretty much any chunk of computer data you can throw at me, but that doesn’t seem to happen nearly enough in courts.
I am not a police apologist. I know they have a tough job to do, and I know they have competing demands to protect and punish citizens, which is a conflicting mandate anyone would find difficult. I think police officers are like any other group of people; some are good and some are bad. And while I believe there are a lot of problems with policing in general, I also spend a lot of time wondering what we expect LEO to do when faced with the quick technological solution to an investigation, and also somehow make everyone happy in this impossible role they’ve chosen.