Online Privacy, Vehicle Surveillance, 5th Cir. Geofence Search Decision, CSAM Deepfakes, & More
Vol. 5, Issue 9
September 9, 2024
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month Brandon Reim discusses online privacy in relation to hacks and leaks. Diane Akerman reviews the growing problem of vehicle surveillance. Joel Schmidt analyzes a new geofence warrant decision from the 5th Circuit, creating a split among the federal appellate courts. Finally, our guest columnist, Marc Canellas, explains the issues with CSAM and deepfakes.
The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of The Legal Aid Society.
In the News
Online Privacy and Control
Brandon Reim, Senior Digital Forensics Analyst
Bloomberg reported in the beginning of August that three billion people had their data stolen in a massive cyber hack. However, 3 billion might be a bit misleading, as reported on by Troy Hunt. A lot of the records have multiple entries for one person. The actual number is something closer to millions of affected people, rather than billions. The seriousness of the attack should not be underestimated, though, because sensitive data you might have provided for a background check, including social security numbers, past three addresses, and more, were all reportedly stolen and put online for sale.
Data leaks and hacks can lead to you receiving spam texts, emails, and calls or even losing large sums of money. Given the current landscape, it may seem inevitable that this will happen, but are there ways that we can defend ourselves against these attacks or keep life more private online?
Consumer Reports recently released a report highlighting some of the ways you can remove yourself from search engines online through both paid and free options that help reduce information people might find out about you with a simple Google search. You can hire companies like DeleteMe and Optery to try to monitor your public online footprint and try to automatically remove results for you. However, some research suggests just doing this yourself can lead to better or similar results to the paid services, with a little more time investment. Incogni, one of the paid services, has a nice summary blog post of how to do some of this for free (with a plug for their service mixed in). Yael Grauer, one of the authors of the report, also maintains the Big Ass Data Broker Opt-Out List, which is an extensive list of data brokers and how to opt-out of their sites.
These tools can all assist you with removing unwanted information online, but they won’t necessarily help when your info has been stolen. Mozilla and Google both also offer monitoring services to see if any of your information has been leaked on the dark web. Google provides a more in-depth service for customers through their “Google One” platform but also offers a free service if you have a Google account.
When we give our information to a third party, we assume a level of trust with any given platform. However, increasingly it seems like we need to give a piece of significantly personal information over to a stranger or unfamiliar company just to accomplish mundane tasks, like ordering a pizza. If you are wary of giving your email out to an unknown entity, you can always try something like Apple’s Hide My Email or Firefox Relay. This will give you some level of anonymity and give you an idea who might be selling your info when you start receiving spam emails at that specific address. In addition to obfuscating email, you also want to be wary of others obfuscating the emails they send you. Scammers with access to information about your online habits may mimic businesses or services you already expect messages from. Think twice and don’t give out your password to shipping updates or “Password Reset” emails that you didn’t initiate. If you are ever unsure of an email’s authenticity, you can always go to the site that it claims to come from and log in from there instead of typing sensitive information into a link sent to your email.
At present, it’s almost impossible to not have anything about you online. Most of us probably have had some piece of personal information stolen. Being vigilant and wary of what information we give over is a step in the right direction to make sure our online privacy is protected.
Tesla, Toyota, General Motors, Spy
Diane Akerman, Digital Forensics Staff Attorney
Increasingly, convenience comes at the expense of privacy. We love that Google Maps remembers our most frequent locations, that our cell phone can store our credit cards and act as a payment device, that we can have our face scanned at the airport instead of just . . . having the person standing right there look at your ID. (Note: please decline these scans). Modern updates to cars are no different - adding increased conveniences and features for drivers can undermine even the limited amount of privacy one has in their vehicle. Not only does it allow private actors to collect data about drivers, but it makes the data available and easily accessible to law enforcement.
General Motors is currently facing a lawsuit from the Texas Attorney General for illegally collecting, recording, analyzing, and transmitting “highly detailed driving data about each time a driver used their vehicle,” including selling that information to insurance companies. Last year, Gizmodo reported that Tesla employees were spying on Tesla vehicle owners by viewing and sharing private videos. Now, law enforcement is taking advantage of the fact that Teslas are giant rolling surveillance devices and going so far as to get warrants allowing them to tow the vehicles and access the data. Rental companies can track the location of their vehicles in real time, but what about loaner vehicles given to owners while their own cars are being repaired? Should the owner of a personal vehicle find themselves the subject of real-time location tracking by the DEA while their car is in the shop?
The move to digitize some of the regulatory aspects of the vehicle industry - for example, license plates, or the move to mobile driver’s licenses - is also embraced for its convenience. But these solutions not only threaten our privacy but in some cases make us less safe. Take, for example, a bill to introduce GPS-enabled license plates. Not only has the company supplying the digital plates already been the target of a security breach, but the information can easily be obtained and used by bad actors to harm other individuals - including by abusive partners, or to criminalize abortion seekers.
The move to digital licenses is especially tempting, particularly where most of us have replaced our wallets with phones that can do everything. What this looks like in practice though, is handing an officer your phone, unlocked, during the course of what might be a tense interaction. Your driver's license very easily can become a license to search your phone [PDF] and all its contents.
We've long accepted a high level of oversight and fewer privacy rights in our vehicles in exchange for regulating safety, but do these high tech solutions actually make our roads safer? Maybe instead of encouraging drivers to let their insurance companies track their every movement in exchange for a discount, we address the scourge of placard abuse plaguing our fine city.
In the Courts
Fifth Circuit Holds Geofence Data is Protected by the Fourth Amendment and Cannot be Obtained Even with a Search Warrant
Joel Schmidt, Digital Forensics Staff Attorney
Last month this column reported on a ruling from a three judge panel of the United States Court of Appeals for the Fourth Circuit, holding that the police do not need a search warrant to obtain geofence data – information about which cellphones were in a given area at a given time – from tech companies such as Google. The majority held there was no reasonable expectation of privacy in the data, which removes it from the protections of the Fourth Amendment. But not all judges were in agreement, with one judge penning a 70-page dissent, providing a plethora of reasons for why we do indeed have an expectation of privacy in such data. The column ended with a hope that an “en banc” review by the full Fourth Circuit results in a reversal of the panel court’s decision.
A mere four days after the column was published, a legal ruling placing geofence data firmly under the protections of the Fourth Amendment came from a most unexpected source, a three judge panel of the United States Court of Appeals for the Fifth Circuit. “With great respect to our colleagues on the Fourth Circuit, we disagree.”
The Fifth Circuit reasoned that geofence data is no different than historical cell site location information (HCSLI) that the Supreme Court has already determined is subject to the protections of the Fourth Amendment. Carrying a cellphone “is essentially a prerequisite to participation in modern society” and, just as with HCSLI, allowing the police unfettered access to geofence data would allow the government to engage in unconstitutional monitoring of the population in violation of the Fourth Amendment. “Perhaps the most alarming aspect of geofences is the potential for permeating police surveillance.” In fact, the court held that probability is greater with geofence data because it “provides more precise location data than either CSLI or GPS.” So much so that “[w]ith just the click of a button the government can search the pinpoint locations of over half a billion people with Location History enabled.”
The court was unimpressed with the Fourth Circuit’s argument that there is no expectation of privacy with geofence data because the user affirmatively opts in to share that data with Google, with the court noting that “users are bombarded multiple times with requests to opt in across multiple apps” and few people realize what they’re opting into since the requests “typically innocuously promise app optimization” without revealing “that users' locations will be comprehensively stored in a ‘Sensorvault,’ providing Google the means to access this data and share it with the government.”
Once opted in, it is hard to opt out. “Even Google's own employees have indicated that deactivating Location History data based on Google's limited and partially hidden warnings is difficult enough that people won't figure it out.”
But the Fifth Circuit didn’t just hold that geofence data is subject to the protections of the Fourth Amendment, they also held that, unlike with HCSLI, geofence data cannot be obtained with a search warrant because such warrants “allow law enforcement to rummage through troves of location data from hundreds of millions of Google users without any description of the particular suspect or suspects to be found” and thus do not meet the stringent warrant requirements of the Fourth Amendment. “This court ‘cannot forgive the requirements of the Fourth Amendment in the name of law enforcement.’”
Although Google has recently made changes to Location History that would make it difficult, if not impossible, to release geofence data going forward, this Fifth Circuit decision is still important because it can apply to location data held by other tech companies, it can potentially apply to other reverse searches such as reverse keyword searches, and because nothing stops Google from ever reinstating their previous policy.
Hopefully the panel decision stands up to an en banc review by the full Fifth Circuit and ultimately by the United States Supreme Court, should either court choose to grant review of the matter.
Expert Opinions
We’ve invited specialists in digital forensics, surveillance, and technology to share their thoughts on current trends and legal issues. Our guest columnist this month is Marc Canellas, an assistant public defender in the Forensics Division of the Maryland Office of the Public Defender.
Realistic But Not Real: The Deep Challenges of Deepfakes
“We are engaged in a race against time to protect the children of our country from the dangers of AI. Indeed, the proverbial walls of the city have already been breached. Now is the time to act.” These urgent words from a 2023 letter from 54 attorneys general highlight one of the most challenging issues that our society faces today: AI-generated sexually exploitative images (here referred to as deepfakes for the lack of a better term). Society will have to grapple with the line-drawing problem of criminalizing deepfakes. But in the interim, the courts are left with a far more pragmatic challenge of how to apply current laws to deepfakes – a challenge, I argue, that the law is not prepared for.
The U.S. Supreme Court has outlined the criminalization of possession of child sexual abuse material (CSAM) in multiple cases including New York v. Ferber, 458 U.S. 747 (1982), Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002), and U.S. v. Williams, 553 U.S. 285 (2008). Collectively, they held that CSAM can only be criminalized if the material depicts a real, identifiable person, or the “speaker believes or intends the listener to believe . . . [the image] depicts real” people (Williams, 553 U.S. at 303). The Supreme Court explains that this criminalization of the possession and distribution of CSAM (including innocent pictures “morphed” into sexualized ones) does not violate the First Amendment’s Free Speech Clause because there is a need to stop the continued reputational and emotional harm to the real, identifiable subjects of these images which document harm.
This question of real, identifiable people and documentary harm, combined with the rise of easily generated AI images has put our criminal legal system and the Constitution on a collision course. Today, creating AI-generated (or “synthetic”) media of any kind requires neither expertise nor time, significantly lowering the barrier to entry from past methods like Photoshop or physical cut-and-paste (called “morphing”). As Bellingcat has documented, beyond the general text-to-image methods like Stable Diffusion, DALL-E, and MidJourney, there are numerous “deepnudify” programs designed to produce deepfakes.
In May 2024, the U.S. Department of Justice put this standard to the test. In U.S. v. Anderegg, they charged a Wisconsin man for allegedly using AI “to create thousands of explicit images of children.” This marked what is likely the first federal charge of creating child sexual abuse material (CSAM) entirely through AI (with another recent state-level case in Florida). As Deputy Attorney General Lisa Monaco stated, “CSAM generated by AI is still CSAM, and we will hold accountable those who exploit AI to create obscene, abusive, and increasingly photorealistic images of children.” Two months later, the U.S. Senate Commerce Committee, with bipartisan support, unanimously passed the TAKE IT DOWN Act criminalizing the publication of deepfakes, including AI-generated ones.
Courts and juries will soon grapple with the ultimate questions: Can the prosecution prove beyond a reasonable doubt that an image is a real, identifiable person? Or, if the image is AI-generated, did the creator intend the viewer to believe it is a real, identifiable person? From a technical perspective, the answer is often no.
The goal of these image generation models is to create incredibly realistic but not real images. Companies rely on and advertise this distinction for both creative and copyright reasons. The diffusion models [PDF] that underlie common image generation software do not create images by copying or cut and paste. Instead, they start from noise (like a TV screen with a bad signal) and move colors and lines around until they approximate what the software was instructed or “prompted” to create. For example, some software is specifically marketed as creating images of people who do not exist (for example, https://thispersondoesnotexist.com/) even if the generated images can bear a striking resemblance to a real person. Alternatively, a user could directly prompt the AI to generate “an image that looks realistic but not real.”
Because of the diffusion models’ ability to generate realistic but not real images out of noise, there are three main challenges:
Authentication (Is this an original image documenting harm?) – This is the traditional realm of criminalizing sexually exploitative images. However, synthetic images are increasingly indistinguishable from real images. Synthetic media detectors struggle with accuracy and face an “arms race between detection methods and evasion methods.” There are some attempts to determine whether an image is “camera original” but those methods are not yet fully proven, as evidenced by the biggest tech companies’ continued struggles with detection.
Tracing (Was the image generated from source material that documented harm?) – This question comes when the images cannot be authenticated, like the Anderegg case above. The problem is that tracing back and identifying the specific images used to generate a specific synthetic image is likely impossible. Prosecutors may argue that a real, identifiable person is depicted if a model was trained on an image of a real person. However, diffusion models do not have training images in the traditional sense, making it difficult to trace back to any specific image. An argument that the model’s dataset merely contains CSAM material may have limited value, too, as many popular datasets already contain child sex abuse material. The most that can be said right now is whether a synthetic image is similar to an image in the dataset. But even then many dataset images themselves may be AI-generated – a phenomenon called “model collapse.”
Intent (Did the user intend to generate this specific image by leveraging material that documented harm?) – The publicly-stated goal of these models is to create realistic but not real images. Users relying on that perspective may have no idea that the image is leveraging material that documents harm, instead believing it is merely very realistic. Furthermore, users cannot explicitly control the specific outputs as these models rely on a mixture of randomness and training data. AI often produces different, unreasonable, weird, inaccurate results for the same text prompts. These are often called “hallucinations” but the more accurate term is “bullshit” as these models are “designed to produce [media] that looks truth-apt without any actual concern for truth.” This lack of control over AI outputs was highlighted in 2023 when the U.S. Copyright Office denied an artist copyright protections for AI-generated images because the artist did not control the “unpredictable” [PDF] AI outputs. In sum, even if the generated image is shown to be a copy of a real image despite being output by an AI image generator, that is insufficient to show that this was the intent of the user.
Deepfakes pose one of the most challenging technological and legal issues in our society. However, the challenges are likely even deeper than the public, politicians, or courts appreciate. We must properly confront these challenges and not simply ignore their complexity. For as Justice Souter explained in his dissent in Williams, 553 U.S. at 319, 321: “there must be a line between what the Government may suppress and what it may not,” and criminalizing speech without concerns for whether an expression is real, relates to something real, or even intended to be expressed at all, is an “end-run [around] that line” with an “unsettling significance well beyond the subject of [deepfakes].”
Marc Canellas (he/him) is an assistant public defender in the Maryland Public Defender's Forensic Division where he supports litigation of every type of forensic evidence from geofence warrants to DNA software. Marc has a Ph.D. in aerospace engineering from Georgia Tech and before coming to Maryland, he was a public defender in Arlington, Virginia, chair of the IEEE-USA AI Policy Committee, and a legislative assistant in the U.S. House of Representatives.
Upcoming Events
September 16-18, 2024
Techno Security West 2024 (Pasadena, CA)
September 25-27, 2024
7th Annual Berkeley Law AI Institute (Berkeley, CA and Virtual)
September 27, 2024
All the Way Up: How to Take Your Digital Evidence Litigation to the Next Level (NYSDA) (Albany, NY)
October 7-8, 2024
Artificial Justice: AI, Tech and Criminal Defense (NACDL) (Washington, DC)
October 14-15, 2024
Artificial Intelligence & Robotics National Institute (ABA) (Santa Clara, CA)
October 15-18, 2024
2024 International User Summit (Oxygen Forensics) (Alexandria, VA)
October 17, 2024
EFF Livestream Series: How to Protest with Privacy in Mind (Virtual)
October 19, 2024
BSidesNYC (New York, NY)
November 18, 2024
The Color of Surveillance: Surveillance/Resistance (Georgetown Law Center on Privacy and Technology) (Washington, DC)
November 18-20, 2024
D4BL III (Data for Black Lives) (Miami, FL)
April 24-26, 2025
2025 Forensic Science & Technology Seminar (NACDL) (Las Vegas, NV)
Small Bytes
Data breach exposes US Spyware maker behind Windows, Mac, Android and Chromebook malware (TechCrunch)
Child Online Safety Law Clears the US Senate, But Faces Uncertainty in the House (Tech Policy Press)
Internal Atlanta Police Records Reveal Monitoring of 'Cop City' Opponents' Political Activity (Brennan Center for Justice)
Bumble and Hinge allowed stalkers to pinpoint users' locations down to 2 meters, researchers say (TechCrunch)
Watch How a Hacker's Infrared Laser Can Spy on Your Laptop's Keystrokes (Wired)
The 'Unsettling', Nearly Normalized Surveillance Tech Monitoring the U.S.-Mexico Border (The Markup)
The US wants to use facial recognition to identify migrant children as they age (MIT Technology Review)
Some Cities are Ditching ShotSpotter, but Police Tech Firms are Just Getting Started (The Appeal)
Hacker Breaks Into GPS Tracker Tool, Looks Up User Locations (404 Media)
Social Media Subpoenas (National Litigation Support Blog)