DECRYPTING A DEFENSE NEWSLETTER
Vol. 2, Issue 6
June 7, 2021
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, we examine a previously unknown surveillance program run by the United States Postal Service and privacy issues regarding the Citizen app. Benjamin Burger reviews a recent court decision that addressed Per Call Measurement Data. In the Ask an Attorney feature, Jerome D. Greco explains how the NYPD uses facial recognition technology. Finally, additional links to news stories that involve technology, surveillance, or digital forensics can be found in Small Bytes.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal justice system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
United States Post Office Delivers Social Media Surveillance
The United States Postal Service has employed sophisticated intelligence and facial recognition tools to surveil social media and monitor protests. The Internet Covert Operations Program (iCOP) was first uncovered by Yahoo! news. The program uses facial recognition software created by Clearview AI, which scrapes publicly available images from a variety of social media websites. Clearview AI has been embroiled in controversy since its software was first revealed. iCOP also uses Zignal Lab’s Inspection Service, which allows users to run keyword searches on social media event pages, and Nfusion, a software program that allows the creation of anonymous email and social media accounts.
iCOP is used to monitor mass demonstrations and protestors’ social media accounts. Ostensibly, the purpose of the program is to protect USPS employees from violence, however, it is unclear how widespread social media monitoring would further this goal. Last year, after the death of George Floyd, the program was used to monitor racial justice protests. Later, after supporters of Donald Trump rioted in the United States Capitol, the program began to focus on right-wing social media accounts. The information generated by iCOP is shared with other law enforcement agencies. Some of these reports are even shared with agencies that, by law, may not be able to collect this information. It is also unclear whether the USPS has the authority to acquire this information in order to protect postal employees.
Social media is increasingly used to organize political protests and spur political conversations. The federal government has responded by increasing its monitoring of social media and political activists. As demonstrated by iCOP, sometimes these surveillance programs are divorced from the mission of their agencies. One of the missions of the Digital Forensics Unit is to educate the public about the increasing use of surveillance technology and provide advice on how to securely, and privately, use social media.
Citizen App Expands Into Bounties and Private Security
The Citizen App, which provides real-time crowd-sourced crime and emergency information, appears to be further expanding its business into rewards and private security. Last week, Citizen offered a $30,000 bounty for the arrest of a California man wanted for arson. It was later determined that the man had no connection to the brush fire caused by the arson and another individual was eventually arrested. Citizen shared the man’s name and image in a alert that was sent to more than 861,000 users. According to a statement to the Guardian, the reward was offered “without formal coordination” with law enforcement agencies.
Citizen is also taking steps to enter the private security business. As seen in the above photo, private security vehicles branded with the Citizen logo were recently observed in Los Angeles. According to Citizen, they plan to offer a security response, outsourced to Securitas, to their users. An app user could request security assistance and the Citizen app would dispatch a car to the person, focusing on a quick reaction time. This may be part of Citizen’s “Protect” product, which is described as a digital bodyguard. Protect users can send their location and livestreamed video directly to a Citizen employee for “protection.”
Privacy advocates are concerned that Citizen infringes on privacy and reinforces existing problems with racism on many crowd-sourced crime apps. The app was originally known as “Vigilante” before it was pulled from Apple’s App Store. After the app renamed itself as Citizen, it returned to mobile phones and refocused on crime reporting. Its most well known feature, user reporting of crimes and emergencies, is also its most controversial. The company actively recruits people to monitor police scanners and other sources of crime information. However, there are concerns about the data collected by the app - including location information and video metadata - and how that data is being used by advertisers and law enforcement. Additionally, Citizen suffers from the same racial paranoia prevalent on social media. Citizen is an example of how social media and technology can be used to exacerbate long-standing criminal system issues while also creating new opportunities to exploit their user’s privacy.
In the Courts
Trial Court Misunderstands Cell Phone Data & Denies Frye Hearing
Trial courts, defense attorneys, and prosecutors have grown increasingly comfortable with using historical cell site location information (“CSLI”) at hearings and trials. Historical CSLI, with certain limitations, can provide a general location of a cellular phone based on the specific cell sites, or towers, that the phone is connected to during a phone call or when sending a text message. Courts have admitted the analyses of these records into evidence, provided the proper foundation was laid and appropriate expert witnesses were called. See People v. Littlejohn, 974 N.Y.S.2d 77, 82 (2nd Dep’t., 2013); People v. Ortiz, 168 A.D.3d 482, 483 (1st Dep’t. 2019) (“Testimony on how cell phone towers operate must be offered by an expert witness because an analysis of the possible ranges of cell phone towers and how they operate is beyond a juror's day-to-day experience and knowledge.”) (internal quotations omitted).
However, historical CSLI is only one type of location data maintained by the three major wireless network providers. Each provider also tracks “ranging data” for engineering and network optimization, called “specialized location data” or “precision location data.” All three carriers call their specialized location data by different names: Network Event Location System (NELOS) (AT&T), Round Trip Time (RTT) (Verizon), and TrueCall/PCMD (T-Mobile/Sprint). On a basic level, specialized location data measures the amount of time required for a signal to travel from a cell site to a mobile phone and then back to the cell site. Unlike historical CSLI, which can provide the location of the cell site that a mobile phone connected to during usage, specialized location data can show the relative location of the phone itself. However, this simplistic explanation does not fully explain the limitations of specialized location data. First, and most importantly, specialized location data and the corresponding location of the mobile phone is the wireless carrier’s best estimate of the mobile phone. For example, AT&T’s NELOS records can include estimated error radii that can range from 25 to 25,000 meters (82 feet to 15.5 miles). Furthermore, the wireless carriers will not corroborate the accuracy of their specialized location data. AT&T includes a warning in their NELOS records that the location results may be “less than exact.” Second, specialized location records may be drawn from various databases, some which are not controlled or owned by the wireless carriers. The accuracy of these third-party databases are unknown and not verifiable. As such, it appears that prosecutors in New York have been reluctant to use specialized location data at trial.
However, a recent case out of Nassau County, People v. Owen, Ind. No. 236N-20 (Sup. Ct., February 8, 2021), denied a defense motion to preclude admission of specialized location data data or, in the alternative, hold a Frye hearing. The Court noted that no other New York court had ruled on whether a Frye hearing was necessary to determine whether specialized location data was generally accepted in the relevant scientific community. Without discussing the notable differences between historical CSLI and specialized location data, or the accuracy limitations involved with the latter, the Court concluded that specialized location data should be treated the same way as CSLI and denied a Frye hearing. Notably, the Court cited People v. Ortiz, the First Department case that concluded that an expert witnesses like a radio engineer was necessary to make deductions from CSLI. It is unclear what kind of witness the prosecution would call, pursuant to Ortiz, when introducing specialized location data. As the wireless carriers themselves have highlighted the accuracy issues surrounding this data, it would seem that a company representative would be incapable of laying the proper foundation for admission of this evidence. In fact, AT&T has stated that they will not provide an expert witness for the purposes of introducing NELOS data.
Attorneys should contact the Digital Forensics Unit if their adversaries seeks to use specialized location data at hearing and trial. We can assist you in litigating the admission of this evidence, including moving for a Frye hearing.
Ask an Attorney
Q. How does the NYPD use facial recognition technology?
- J.Q.P.
A. There are multiple ways that the NYPD uses facial recognition technology, but I will limit my answer to the method we most frequently encounter. Typically, a case detective will create a still image of an unknown suspect from a surveillance video. The still is then sent for identification to the NYPD’s Facial Identification Section (FIS). An FIS detective may then edit or “enhance” the still, including changing lighting, adding lips, and adding eyes, among other alterations. The FIS detective runs an automated comparison of the edited picture, referred to as a probe photo, against the NYPD’s facial recognition database, which consists of arrest photos from cases resulting in conviction or that remain open. It also may include images from other sources. Despite the NYPD’s denials, there is evidence that the other sources include social media photos and sealed photos. The system returns 200+ potential matches, called a candidate list, ranked in order that the system thinks is most similar to the person in the probe photo. The FIS detective reviews the possible matches and decides which he believes is the person in the original still image.
The FIS detective then sends the case detective a copy of the “matching” photo with the information on the person depicted (name, DOB, crime of conviction, etc.). The possible match notification, or lead form, will include a warning that the possible match is not enough for probable cause, however, it will not make any mention of the other 200+ candidates. The case detective will then usually generate and conduct a photo array, with the possible match photo included. If the witness identifies the person selected by FIS, the case detective will issue a probable cause I-Card for the person’s arrest. If someone else is identified or no one is identified, the detective will continue the investigation, usually with the goal of trying to gather evidence that the person chosen by the facial recognition system is the perpetrator of the alleged crime.
Patrol Guide section 212-129 and Detective Guide section 504-01 govern the NYPD’s use of facial recognition technology. Both are insufficient, fail to address the many issues with the use of facial recognition technology, and contain significant exceptions. There are numerous articles and studies about the flaws in facial recognition technology, particularly about the racial and gender biases in these systems. Garbage In, Garbage Out by Clare Garvie takes a deep look at the NYPD specifically, using materials created by and obtained from the NYPD.
- Jerome D. Greco
Small Bytes
The Instagram ads Facebook won’t show you (Signal)
Your Car Is Spying On You, And A CPB Contract Shows The Risks (The Intercept)
Police Departments Adopting Facial Recognition Tech Amid Allegations Of Wrongful Arrests (60 Minutes/CBS News)
Camera Registry Helps Agencies Close Cases Faster (Evidence Technology Magazine)
AirTags Can Be Used To Figure Out When a House Is Empty, Researcher Warns (Vice)
CPD launched secret drone program with off-the-books cash (Chicago Sun Times)
Blue Bailout: Covid-19 Cash Is Militarizing Cops Across the Country (Rolling Stone)
Crash Course: Data for Black Lives (Data For Black Lives/YouTube)
This facial recognition website can turn anyone into a cop - or a stalker (Washington Post)