• Tag Archives 4th Amendment

  • It’s Time for Answers on Yahoo’s Email Scanning

    Posted on by Azrael Comment

    You should know if the government thinks it can deputize your email provider to scan through your messages.

    Like most people, we were shocked at reports earlier this month that Yahoo scanned its hundreds of millions of users’ emails looking for a digital signature on behalf of the government. We join millions of Yahoo users in wanting to know how this happened.

    Together with a host of other civil liberties groups – including the Center for Democracy and Technology, the ACLU, and the Sunlight Foundation – we sent a letter today asking Director of National Intelligence James Clapper to release information about the scanning, how the U.S. government justified such a privacy-invasive search, and whether the government has conducted similar searches.

    The letter warns that Yahoo’s “massive scan of the emails of millions of people, particularly if it involves the scanning of email content, could violate the [Foreign Intelligence Surveillance Act], the Fourth Amendment, and international human rights law, and has grave implications for privacy.”

    Although the letter calls on the government to release additional details about the Yahoo scanning order, a recent law passed by Congress requires its declassification and release, or, alternatively, that the government produce a declassified summary.

    It’s crucial that Clapper follow through on his pledge for transparency and release information about how the U.S. government justified the email scanning under FISA, as has been reported. We need to know whether the Foreign Intelligence Surveillance Court has interpreted FISA – which authorizes targeted surveillance of certain foreigners’ (such as spies or terrorists) communications  – to mean that the government can conscript Yahoo into mass surveillance of all of its users’ emails.

    The letter also calls on Clapper to acknowledge whether the scan also involved scanning the content of the emails, disclose the kinds of search terms used in this surveillance, and to identify when this kind of surveillance first started and the total numbers of times an order like this has been used.



    📂This entry was posted in News and Politics 📎and tagged

  • Why the Warrant to Hack in the Playpen Case Was an Unconstitutional General Warrant

    Posted on by Azrael Comment

    Should the government be able to get a warrant to search a potentially unlimited number of computers belonging to unknown people located anywhere in the world? That’s the question posed by the Playpen case, involving the FBI’s use of malware against over a thousand visitors to a site hosting child pornography. The prosecutions resulting from this mass hacking operation are unprecedented in many ways, but the scope of the single warrant that purportedly authorized the FBI’s actions represents perhaps the biggest departure from traditional criminal procedure.

    The Need for Particularity

    Warrants are often considered the basic building block of the Fourth Amendment. Whenever the government seeks to engage in a search or seizure, it must first get a warrant, unless a narrow exception applies. In a previous post, we explained the significance of the Fourth Amendment “events”—several searches and seizures—that occurred each time the government employed its malware against visitors to Playpen.

    But simply calling something a warrant doesn’t make it a constitutionally valid warrant. In fact, the “immediate evils” that motivated the drafters of the Bill of Rights were “general warrants,” also known as “writs of assistance,” which gave British officials broad discretion to search nearly everyone and everything for evidence of customs violations. In the words of colonial lawyer James Otis, general warrants “annihilate” the “freedom of one’s house” and place “the liberty of every man in the hands of every petty officer.”

    As a result, the Fourth Amendment says exactly what a warrant has to look like in order to be constitutional: “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    These requirements—the demonstration of probable cause and the particular description—accomplish separate objectives, but both ultimately work to narrow the authority given to officers executing a warrant, ensuring they won’t go on fishing expeditions and will instead conduct only searches authorized by a neutral and detached magistrate. Probable cause is a notoriously nebulous concept, but it generally ensures that the government has significant evidence supporting its application for a search warrant. Meanwhile, the particularity requirement works to limit the scope of the warrant: law enforcement must tie the specific evidence they have to specific persons or places they want to search. But, critically, bothelements must be satisfied for the warrant to be valid.

    As with other unconstitutional searches, courts deter the government from obtaining insufficiently particular search warrants by throwing out or “suppressing” evidence that results from searches under these warrants.

    Was the Playpen Warrant Constitutional?

    No. The warrant [.pdf] that the FBI obtained to install malware on computers visiting Playpen was astonishingly broad: it allowed the FBI to deploy the malware against any “activating computer,” defined as any computer logging into the site. The warrant and its attachments say nothing about whose computers these are or where they are located. Court documents reveal that the site had as many as 150,000 users, and that in the two weeks that the FBI operated the site and deployed its malware, the number of visitors subject to search was in the thousands. And when the FBI identified the visitors, they were located all over the country and indeed all over the world.

    The argument—advanced by EFF in amicus briefs in several Playpen cases—is that this warrant fails the Fourth Amendment’s particularity requirement:

    The Warrant here did not identify any particular person to search or seize. Nor did it identify any specific user of the targeted website. It did not even attempt to describe any series or group of particular users. Similarly, the Warrant failed to identify any particular device to be searched, or even a particular type of device. . . . Compounding matters, the Warrant failed to provide any specificity about the place to be searched—the location of the “activating computers.”

    As the Ninth Circuit Court of Appeals has explained, “Search warrants . . . are fundamentally offensive to the underlying principles of the Fourth Amendment when they are so bountiful and expansive in their language that they constitute a virtual, all-encompassing dragnet[.]” A warrant that authorizes the FBI to search a potentially unbounded number of users without specifying their locations or otherwise limiting the search is far closer to a “virtual, all-encompassing dragnet” than a specific, particularized warrant that satisfies the Fourth Amendment.

    Uncharted Territory

    The nature of the technology the FBI used in investigating Playpen puts the warrant in uncharted territory. As the noted professor of constitutional law and computer crime Orin Kerrwrites, it’s a “serious question” whether searches conducted using the government’s malware pursuant to the Playpen warrant can be properly analogized to searches in the physical world.

    Even when compared to extreme examples of warrants that seem to push against the boundaries of the particularity requirement, the Playpen warrant is vastly less specific in its description. For example, some courts have authorized “all persons warrants,” which allow officers to search everyone in a specific place, in scenarios where simply being on the premises provides probable cause that the person is committing a crime. But these searches are tied to a physical location and thus provide spatial limitations on both the area to be searched and the number of people who can be present. No court we’re aware of has ever upheld an all persons warrant authorizing the search of even 100 people, let alone thousands. Similar limitations are involved in a “roving wiretap,” a type of warrant that authorizes electronic surveillance of specific individuals who may move from place to place. Roving wiretaps allow the government to follow these people as they use burner phones, for example, but the warrant must specify who will be subject to such a wiretap. No court would authorize a roving wiretap on unspecified persons because such a wiretap would be indistinguishable from a general warrant.

    Defenders of the Playpen warrant have described it as “anticipatory,” based on probable cause to believe that at some future time evidence of a crime will be found at a specific place. But anticipatory warrants require the government to demonstrate a likelihood that a “triggering condition” will occur in order to render the search valid. The Supreme Court has made clear that the government can’t get an anticipatory warrant to search every house in the country on the condition that a package containing contraband is delivered to the house; it has to demonstrate the likelihood that a specific house will receive such a package. The Playpen warrant does not demonstrate the likelihood of a specific user logging into the site, instead defining the activating condition as any user logging in. The result is a general search that can be executed on unknown computers in unknown places.

    Finally, it’s worth noting that the particularity requirement doesn’t mean the FBI is helpless to investigate serious crime occurring on hidden sites like Playpen and committed by users who take steps to hide their locations. As we described in an earlier post, the FBI took over the site’s server, enabling it to serve visitors with malware. But that also meant that the FBI had access to the server logs and a wealth of information about individual users (though the use of Tor would of course have obscured their public IP addresses). As a result, the FBI could have sought warrants to go after these individual users, describing their illegal activity on the site in a particularized way. This is more than just requiring the government to jump through hoops—it’s what stands between a constitutional, particularized search and precisely the type of generalized warrant the Fourth Amendment was designed to prevent.

    Source: Why the Warrant to Hack in the Playpen Case Was an Unconstitutional General Warrant | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • A Digital Rumor Should Never Lead to a Police Raid 

    Posted on by Azrael Comment

    Law Enforcement, Courts Need to Better Understand IP Addresses, Stop Misuse

    If police raided a home based only on an anonymous phone call claiming residents broke the law, it would be clearly unconstitutional.

    Yet EFF has found that police and courts are regularly conducting and approving raids based on the similar type of unreliable digital evidence: Internet Protocol (IP) address information.

    In a whitepaper released today, EFF challenges law enforcement and courts’ reliance on IP addresses, without more, to identify the location of crimes and the individuals responsible. While IP addresses can be a useful piece of an investigation, authorities need to properly evaluate the information, and more importantly, corroborate it, before IP address information can be used to support police raids, arrests, and other dangerous police operations.

    IP address information was designed to route traffic on the Internet, not serve as an identifier for other purposes. As the paper explains, IP addresses information isn’t the same as physical addresses or license plates that can pinpoint an exact location or identify a particular person. Put simply: there is no uniform way to systematically map physical locations based on IP addresses or create a phone book to lookup users of particular IP addresses.

    Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits.

    Recent events demonstrate the problem: A story in Fusion documents how residents of a farm in the geographic center of America are subjected to countless police raids and criminal suspicion, even though they’ve done nothing wrong. A story in Seattle’s newspaper The Stranger described how police raided the home and computers of a Seattle privacy activist operating a Tor exit relay because they mistakenly believed the home contained child pornography. And these are just two stories that found their way into the media.

    These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.

    The whitepaper calls on police and courts to recalibrate their assumptions about IP address information, especially when it is used to identify a particular location to be searched or individual to be arrested. EFF suggests that IP address information be treated, in the words of the Supreme Court, as more like “casual rumor circulating in the underworld,” or an unreliable informant. The Constitution requires further investigation and corroboration of rumors and anonymous tips before police can rely upon them to establish probable cause authorizing warrants to search homes or arrest individuals. The same should be true of IP address information.

    The paper also explains why the technology’s limitations can make it unreliable and how the Supreme Court’s rules around unreliable information provided by anonymous informants should apply to IP address information in warrant applications. The paper concludes with two lists of questions to ask and concrete steps to take: one for police and one for judges.  The goal is to better protect the public so that the misuse of IP address information doesn’t lead to a miscarriage of justice.

    We hope the whitepaper can serve as a resource for law enforcement and courts while also triggering a broader conversation about IP address information’s use in criminal investigations. In the coming months, EFF hopes to discuss these concerns with law enforcement and courts with the goal of preventing unwarranted privacy invasions and violations of the Fourth Amendment. We also hope that our discussions will result in better law enforcement investigations that do not waste scarce police resources. If you are a law enforcement agency or court interested in this issue, please contact info@eff.org.

    Source: A Digital Rumor Should Never Lead to a Police Raid | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged