UK Attacks End-to-End Encryption, ICE Surveillance Increases, Searches of FISA Data Decision, the Private Search Doctrine & More
Vol. 6, Issue 3

March 3, 2025
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Jerome Greco explains the effects of the secret order served on Apple by the British government. Diane Akerman discusses increasing surveillance by ICE. Shane Ferro discusses the recent ruling on the legality of searching American data incidentally collected under section 702 of FISA. Finally, our guest columnist, Benjamin Burger, analyzes the application of the private search doctrine in the digital age.
The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal Defense, Juvenile Rights, and Civil Practices of The Legal Aid Society.
In the News
Governments Hate this One Weird Trick
Jerome D. Greco, Digital Forensics Director
Despite the intentionally clickbaity title, recent news from the United Kingdom has once again confirmed that end-to-end encryption is the enemy of overreaching government authority. On February 7th, The Washington Post broke the story that a secret order from the U.K. government threatened privacy for Apple iCloud users across the globe.
Almost a decade ago, seemingly still jealous of its former colonies’ passing of the PATRIOT Act years earlier, the U.K. passed the Investigatory Powers Act 2016, dubbed the Snoopers’ Charter by critics. The Snoopers’ Charter granted designated British authorities extensive surveillance powers and created additional requirements for communication service providers to help effectuate the invasions of privacy.
Six years later, Apple announced a series of new security features, including the optional Advanced Data Protection (ADP). Enabling ADP significantly expands the categories of data that are encrypted end-to-end. Without ADP, iCloud data is encrypted in transit and on Apple’s server, but Apple holds the keys to decrypt it. This means that Apple can still provide the unencrypted data to law enforcement or intelligence agencies throughout the world, pursuant to search warrants, court orders, or various differing laws. However, for data that is protected by ADP, i.e. encrypted end-to-end, Apple states that “[n]o one else can access [it] — not even Apple — and this data remains secure even in the case of a data breach in the cloud.” Apple had previously sought to implement end-to-end encrypted backups in 2018, but withdrew those plans after complaints from the FBI.
This past January, the British government served Apple a technical capability notice, essentially ordering the company to create a back door in its end-to-end encryption, which would have allowed security officials to obtain all iCloud content and significantly diminished ADP’s security benefits. The order was not targeted to a specific account or limited to British subjects. If Apple had complied, it would have affected all iCloud users that had enabled ADP. Two weeks after the notice became public, Apple announced that it would stop offering ADP for new U.K. users and that ADP would eventually be disabled for current British users, rather than make its own product less secure as the U.K. had demanded. Additionally, the company declared “we have never built a backdoor or master key to any of our products or services and we never will.”
The move by British authorities was reminiscent of when the FBI tried to force Apple to build a backdoor into its iPhone encryption in 2016 under the All Writs Act. Law enforcement was attempting to access the data of an iPhone used by one of the two shooters involved in the 2015 San Bernardino attack. Apple fought back and ultimately won because the FBI withdrew its demand before the federal court could rule on the issue. A third party had found a way to access the data on the device without requiring Apple to create a backdoor. At the time, many speculated that it was Cellebrite that had figured out how to access the locked phone, but five years later it was revealed that a small Australian firm, Azimuth Security, had discovered the solution.
Since the current administration appears to encourage angering our allies, maybe we can use that for good for once. Flip off the U.K. and enable Advanced Data Protection for your iCloud; it’s the American way. Do it before the U.S. follows Britain’s lead. Make encryption an American value.
Immigration, Customs, and (Thought) Enforcement
Diane Akerman, Digital Forensics Staff Attorney
The history of surveillance of immigrant communities is well-documented, and ICE, like most law enforcement, invests heavily in privacy-invading technology in the name of safety and enforcement. Immigrants can still be subject to warrantless border searches, ankle monitoring, and collection of biometric data. Data brokers happily share their information with even the lowest bidder, and politicians bargain their lives. Law enforcement agencies have even considered using facial recognition technology to track children as they age.
The surveillance goes beyond those targeted for immigration enforcement to anyone who might be critical of the agency or their actions. Though ICE already has extensive social media surveillance capabilities, they are seeking to expand. ICE has requested proposals for “internet based threat risk mitigation and monitoring services statement of objectives.”
The solicitation requests “proactive threat monitoring,” identification of individuals or organizations who may pose a threat to ICE or have “a proclivity for violence.” ICE expects the contractor to use “psychological profiles” to determine those proclivities, use facial recognition to conduct further investigation, and collect significant PII on individuals.
This monitoring is in no way limited to those defined as posing an actual threat, nor is it limited to targets of immigration enforcement, or even just immigrants. It’s clear that ICE is amassing a database of dissenters, requesting “‘monitoring and analysis of behavioral and social media sentiment (i.e. positive, neutral, and negative).’ This includes regular updates on the ‘total number of negative references to ICE found in social media’ from week to week.”
ICE is not worried about winning popularity contests – high profile raids, public presence of ICE agents, and a crackdown on critical speech are all part of attempts to sow fear and panic. While social media monitoring by the US Government is nothing new, each new administration redefines what rhetoric they see as a threat and thereby, what thoughts must be policed. With this ICE request coming three weeks into the new administration, it’s clear that immigrant activists will be increasingly targeted.
In the Courts

After the Seizure Comes the Search: The Case of Agron Hasbajrami
Shane Ferro, Digital Forensics Staff Attorney
In January, Agron Hasbajrami saw justice after over a decade of litigation asserting his Fourth Amendment rights as an American permanent resident. On a long-awaited remand decision from the Second Circuit, EDNY judge LaShann DeArcy Hall held the government needs a warrant to search for an American’s communications in a database of “foreign” communications warrantlessly intercepted under section 702 of the Foreign Intelligence Surveillance Act (FISA).
In the DOJ’s original press release after sentencing in 2015, it describes Hasbajrami as an “Albanian citizen” (he was a legal permanent resident living in Brooklyn). His material support for terrorism included: wiring “over $1000” to Pakistan, some emailed statements about wanting to engage in jihad, and attempting to board a flight to Turkey with “a tent, boots, and cold weather gear.” He was arrested at JFK airport in 2011. With the caveat that I have not read the trial transcript, the government presumably relied heavily on his emails about wanting to engage in jihad to give his wired $1000 the heft needed to prove “material” support for terrorism.
The Assistant Director in Charge of the FBI New York Field Office, Diego Rodriguez, was quoted in the press release saying that Hasbajrami, “used technology to propagate terrorist messages and create a plan to attack U.S. interests.”
Then-Acting U.S. Attorney Kelly Currie gave a quote about how “lawful surveillance” can allow the government to neutralize terrorists, and the sentence (16 years in prison) “leaves no question as to the defendant’s role in a very serious offense.” How much could serious terrorism cost, Kelly? $1000?
It was not until after Hasbajrami’s conviction that the government informed his lawyers that some of the communications obtained in the case were the result of law enforcement querying a database of communications hoovered up under Section 702. (For more of the history, see the EFF page about the case.)
The Second Circuit’s ruling in Hasbajrami’s appeal on this issue is confusing but important: Section 702 allows the government to collect vast troves of communications from outside the United States, and the Second Circuit upheld this massive data collection because the targets are foreign persons. If communications of Americans are “incidentally” collected because they are communicating with foreigners, that’s not unconstitutional. However, the court bifurcated the analysis between 1) government collection of the data and 2) a government search of the resulting database.
The Second Circuit held, essentially, that the collection of the incidental data is fine—but they were skeptical that the government can then search that database for the communications of an American. They sent the case back to EDNY to answer that second part, while noting specifically that “we may assume that a United States person ordinarily has a reasonable expectation in the privacy of his e-mails sufficient to trigger a Fourth Amendment reasonableness inquiry…” United States v. Hasbajrami, 945 F.3d 641, 645 (2d Cir. 2019).
Finally, half a decade later, EDNY held that it was a Fourth Amendment search to query the 702 database specifically for communications from Hasbajrami, who is an American.
This is a partial win against section 702, which was just reauthorized in Congress last summer, but it also has spillover effects for those of us who practice in state courts, and especially in large cities like New York. Public defenders here know the city has massive databases of information on its citizens, particularly those who interact with government benefits. The NYPD typically has more or less unfettered access to a lot of those databases. Consider the automated license plate reader database, which is ostensibly for tolling but can be and frequently is used by law enforcement to track people’s movements across the city and the state.
Together, Hasbajrami’s Second Circuit and EDNY decisions make a strong case that just because a government agency has access to a database of information for one purpose does not mean that information can be warrantlessly searched by law enforcement for a different purpose. In an age where we can’t escape the cameras or the trackers or digital payments, this is one brief glimmer of hope that some shred of due process and Fourth Amendment protection might remain.
Expert Opinions
We’ve invited specialists in digital forensics, surveillance, and technology to share their thoughts on current trends and legal issues. Our guest columnist this month is Benjamin Burger, a Senior Staff Attorney at the Perlmutter Center for Legal Justice at Cardozo Law.
On What Terms Do You Have a Reasonable Expectation of Privacy?
You’ve probably never read a website’s terms of service. And you’re not alone. No one wants to read the fine print before you’re allowed to access social media or begin messaging your friends. What are we missing when we scroll through the terms of service and immediately click the “accept” button? More importantly, how do terms of service affect our conceptions of privacy, especially when we don’t know what they contain?
Courts have struggled to clarify privacy expectations in the digital age, particularly in the context of the Fourth Amendment. In Katz v. United States, 389 U.S. 347 (1968), the Supreme Court expanded the scope of the Fourth Amendment in determining that people have an expectation of privacy even if the Government does not physically trespass into a seemingly private area, like a telephone booth. However, an individual’s reasonable expectation of privacy can be extinguished when they make something public. These concepts developed before the rise of the internet and social media.
Last year, the United States Court of Appeals for the Second Circuit tackled this issue in United States v. Maher, 120 F.4th 297 (2d Cir. 2024). In Maher, the defendant uploaded child sexual abuse material (“CSAM”) to his Google email account. Using a hashing algorithm, Google determined that the hash value of the uploaded file matched the hash value of known CSAM. Although no Google employee looked at the uploaded file, Google sent a report to the National Center for Missing and Exploited Children (NCMEC). Similarly, no one at NCMEC looked at the file. Instead, it was forwarded to the New York State Police, where an investigator opened the file uploaded by the defendant, observed that it was CSAM, and applied for a search warrant based on the observation.
The defendant moved to suppress the search warrant, arguing that the government’s search extended beyond the “private search” conducted by Google. In response, the government argued that the defendant did not have a reasonable expectation of privacy in the contents of the uploaded file because Google’s Terms of Service stated that Google “may” review content that is illegal or violates their policies. See Maher, 120 F.4th at 307. The Second Circuit, noting the novelty of the argument, rejected it, reasoning that just because a third party can access the contents of a communication, it does not mean that an individual relinquishes their expectation of privacy. Id. at 307-08. The Court further opined that even if Google had used unqualified language – that it would review and share illegal content – it may still not extinguish a reasonable expectation of privacy, as the Supreme Court had shown a previous reticence to craft per se rules based on private contractual language. Id. at 309. In particular, in the context of rental car agreements, the Supreme Court has held that the terms of those agreements do not prevent a non-authorized driver from having an expectation of privacy in the car. See Byrd v. United States, 584 U.S. 395 (2018).
The Maher Court observed that there was still an open question as to whether an individual has a reasonable expectation of privacy in electronic communications. To that end, the Court unequivocally held, for the first time, that “a United States person ordinarily has a reasonable expectation in the privacy of his e-mails sufficient to trigger a Fourth Amendment reasonableness inquiry.” Id. at 307 (citing United States v. Hasbajrami, 945 F.3d 647, 666 (2d Cir. 2019)). To a non-lawyer, it would be surprising to learn that in 2024, a prominent federal appellate court decided that the Fourth Amendment applies to a communication technology first developed in 1971. While the decision is correct, it highlights the struggle courts have with new technology. Social media is even more difficult to figure out than email. Some parts of an account are public, some are private, and based on privacy controls, those categories can intertwine with one another. Our state and federal courts have struggled to comprehend these distinctions. As we enter a period where government abuse of technology is a present danger, courts will need to quickly determine where the Fourth Amendment draws the line. We can’t wait 54 years for courts to answer the question.
Benjamin Burger is a Senior Staff Attorney at the Perlmutter Center for Legal Justice at Cardozo Law and a former member of the Legal Aid Society’s Digital Forensics Unit. Benjamin co-teaches the Freedom Clinic, which investigates the use of “junk” science in the criminal legal system. He also litigates wrongful conviction and resentencing cases.
Upcoming Events
March 6, 2025
A Retrospective on Ferguson: Reflecting on 10 Years of Body Cameras (NYU School of Law Student Groups: EPIC, RLSC, BLSA, APALSA, LALSA, PILSA, NLG, & OUTLAW) (New York, NY)
March 17-19, 2025
Magnet User Summit (Magnet Forensics) (Nashville, TN)
March 20, 2025
AI Rising: Integrating and Fighting the Use of Artificial Intelligence (NACDL) (Virtual)
March 20-21, 2025
Privacy and Emerging Technology National Institute (ABA) (Washington, DC)
March 21, 2025
The Ethics of AI in Litigation (NYS Academy of Trial Lawyers) (Virtual)
March 22-30, 2025
NYC Open Data Week (New York, NY)
March 24-27, 2025
Legalweek New York (ALM) (New York, NY)
March 29, 2025
NYC School of Data (BetaNYC) (Long Island City, NY)
March 31-April 3, 2025
Cellebrite Case-to-Closure (C2C) User Summit (Cellebrite) (Washington, D.C.)
April 2, 2025
Challenging Software- and AI-Generated Evidence (NYSDA) (Virtual)
April 24-26, 2025
2025 Forensic Science & Technology Seminar (NACDL) (Las Vegas, NV)
April 28-May 2, 2025
IACIS Collecting and Admitting Digital Evidence at Trial (IACIS) (Orlando, FL)
May 20, 2025
Decrypting a Defense IV Conference (Legal Aid Society’s Digital Forensics Unit) (New York, NY) (Registration link coming soon!)
June 2, 2025
Amped Connect US 2025 (Amped Software) (Wilmington, NC)
June 3-5, 2025
Techno Security & Digital Forensics Conference (Wilmington, NC)
August 7-10, 2025
DEF CON 33 (Las Vegas, NV)
August 15-17, 2025
HOPE 16 (Queens, NY)
Small Bytes
The Irony—AI Expert’s Testimony Collapses Over Fake AI Citations (Forbes)
Inside the Bust That Took Down Pavel Durov—and Upended Telegram (Wired)
Digital Security In Uncertain Times (String Literal)
Cook County’s web of surveillance for electronic monitoring (Chicago Reader)
Google Messages preps deleting sent RCS messages ‘for everyone’ (9to5Google)
One Tech Tip: How to block your phone from tracking your location (Associated Press)
NYPD ordered to disclose contracts, costs for surveillance, facial recognition tech (NY Daily News)
The Carceral System Enters Its Smartwatch Era (The Nation)
Ahead of Council hearing, NYPD releases trove of info on surveillance tech (Politico)
Bosses Don’t Need a ‘What Did You Do’ Email. They’re Already Tracking You. (The Wall Street Journal)
Your boss is watching (MIT Technology Review)
Even the NYPD Thought the Knightscope K5 Was a Joke (Hell Gate)
Can Tech Help Protect Government from Growing Political Ire? (GovTech)