August 2, 2021
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, we discuss the worldwide hacking scandal involving Pegasus spyware designed by the NSO Group and the myth of “anonymized” mobile device location information. We also review a recent Fourth Circuit decision holding aerial surveillance as violative of the Fourth Amendment. Finally, Benjamin Burger answers a question about ShotSpotter gunshot detection and location technology.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal justice system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
Pegasus Spyware Hacks Phones Across Globe
In a blockbuster series of reports, a consortium of news agencies, titled the Pegasus Project, revealed how an Israeli company, NSO Group, licensed spyware to governments that is capable of hacking smartphones through “no-click” attacks. The Pegasus Project confirmed that 37 smartphones belonging to journalists, activists, and business leaders were hacked. The 37 phones were part of a larger list of 50,000 phone numbers that are concentrated in countries that spy on their own citizens and are clients of NSO. Most prominently, the spyware was found on two phones belonging to women close to murdered Saudi journalist Jamal Khashoggi. In addition to the two women, the spyware was used to hack the phones of Hungarian and Indian journalists and activists, and even a runaway princess from Dubai. NSO denied that its technology had been used inappropriately and released a statement claiming that the Pegasus Project story had no factual basis.
Spyware is malicious software that collects data from a digital device. It can collect almost anything on a device, including emails, messages in encrypted apps, call logs, and social media posts. Some spyware can even activate cameras and microphones on devices to record the phone user. Most spyware operates silently and without warning. Most device users will have no awareness that spyware has infected their phone. Furthermore, end-to-end encryption, which is used by messaging services like Signal and WhatsApp, does not protect against spyware because its focused on the interception of messages in transit, not the messages that reside on the end user’s mobile device. In fact, WhatsApp is suing NSO in federal court, alleging that the company illegally helped governments hack mobile phones.
The best way to protect a mobile device from spyware is to update the device’s software. Developers like Apple continuously update their operating systems to address malicious software. Users should also create and use complex passwords for devices and websites and enable two-factor authentication. You should also not click on links or attachments from unknown senders. Finally, and most importantly, users should understand that no device is ever completely secure and that anything that exists on a mobile device can be searched and seized by hackers or law enforcement.
The Myth of “Anonymous” Mobile Device Location Data
Early in the pandemic, the data company Tectonix released an animation showing the nationwide movements of Florida spring break attendees and how a lack of social distancing could spread coronavirus.
Tectonix was using so-called “anonymous” location data from mobile devices. Privacy advocates have repeatedly explained that this data can be de-anonymized. For instance, after the Capitol insurrection on January 6, 2021, the New York Times was able to identify individuals from anonymous location data. In the article, the reporters explained that they were able to match 2,000 “anonymous devices . . . with email addresses, birthdays, ethnicities, ages and more.” Location data companies act as brokers, selling location information to customers without any regulation. There are no legal requirements preventing the customers from de-anonymizing the data. Essentially, the idea that location data can be anonymous is a fantasy.
Further evidence for this can be seen in the recent outing and subsequent resignation of a Catholic priest. The Pillar, a Catholic news site, obtained commercial location data sold by a data vendor. Although the location data was “anonymous,” the site was able to determine that the location information, corresponded to the priest’s location on numerous occasions, including his home, place of business, and vacations. Further, the location data was generated through Grindr, a dating and “social networking app for gay, bi, trans, and queer people.” Although the Pillar violated no laws, many reporters and privacy advocates have used the story to highlight the lack of privacy associated with supposedly anonymous data. Until governments choose to regulate the flood of data sold to companies, de-anonymization of data will continue to undermine individual privacy.
In the Courts
Fourth Circuit Rules Aerial Surveillance Program Violates Fourth Amendment
Last month, the United States Court of Appeals for the Fourth Circuit, sitting en banc, reversed a three-judge panel and held that Baltimore’s warrantless aerial surveillance program violated the Fourth Amendment because it “enables police to deduce from the whole of individuals’ movements[.]” See Leaders of a Beautiful Struggle v. Baltimore Police Dep't, 2 F.4th 330, 346 (4th Cir. 2021). The program at issue, the Aerial Investigation Research program (AIR), began in December 2019 and involved the use of aerial photography to track individual movements throughout the city. Planes above Baltimore flew 40 hours per week and collected imagery of 90% of the city each day. The system allowed for individual people and cars to be visible, although only as a blurred dots. Using the program, Baltimore police were still able to track individuals for up to 12 hours each day, and potentially longer.
The program was challenged in federal court as violating the Fourth Amendment. An initial three-judge panel upheld the program in November 2020. However, the entire appeals court later decided to hear the case. In the meantime, Baltimore ended the AIR program and argued that any appeal was moot.
The Fourth Circuit initially determined that the matter was not moot, as Baltimore had retained some of the data generated by the AIR program. Leaders of a Beautiful Struggle, 2 F.4th at 339. Next, the court determined that the holding in Carpenter v. United States, 138 S.Ct. 2206 (2018), which requires law enforcement to procure a warrant before seizing historical cell-site location information, also applied to the aerial surveillance program. Id. at 341. As Chief Judge Roger Gregory explained “because the AIR program opens ‘an intimate window’ into a person’s associations and activities, it violates the reasonable expectation of privacy individuals have in the whole of their movements.” Id. at 342. The Court also observed that the long-term nature of the surveillance combined with the ability of law enforcement to use other sources of data to de-anonymize individuals meant that the program “transcend[ed] mere augmentation of ordinary police capabilities.” Id. at 345. The Court concluded by admonishing that program was like a “general search, enabling the police to collect all movements, both innocent and suspected, without any burden to articulate an adequate reason to search for specific items related to specific crimes.” Id. at 348.
Aerial surveillance, a technology developed by the military for battlefield use, can easily be exploited to track individuals and degrade privacy. The application of the Fourth Amendment to new technologies is one of the most important modern legal issues confronting civil libertarians and privacy advocates.
Ask an Attorney
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter.
Q: I think ShotSpotter was involved in my case. How do I know if it was used and what documents should I be looking for?
A: ShotSpotter, Inc. (“SST”) is a publicly traded company that sells policing and security related products to law enforcement and private entities. The company’s flagship product is ShotSpotter Respond (“ShotSpotter”), an acoustic gunshot detection and location system that is sold to law enforcement agencies. The system uses both hardware and software to analyze sounds of potential gunfire and locate the source of those sounds. It also makes determinations about certain characteristics of the gunfire, such as the number and timing of the gunshots. According to SST, ShotSpotter Respond has been installed in over 100 cities, including over 74 square miles of New York City as of August 2020.
ShotSpotter evidence will typically exist in cases involving the alleged discharge of a firearm. Generally, attorneys will learn about a ShotSpotter activation through discussions with the prosecution or in references to ShotSpotter alerts in the discovery. ShotSpotter activations can be found in both the standard discovery in most criminal cases and in ShotSpotter specific documents that are produced by SST.
In New York, ShotSpotter alerts are tied into NYPD’s Real Time Crime Center and accompanying data systems, like department issued cell phones and the Intergraph Computer Aided Dispatch System (I/CAD or ICAD) system. Attorneys will often see references to ShotSpotter alerts in these documents. For example, ShotSpotter alerts may be seen in arrest and complaint reports, I/CAD reports, and other police reports. ShotSpotter activations in standard discovery should inform attorneys that ShotSpotter was involved in their case and that there should be additional ShotSpotter specific discovery.
There are two different reports commonly created by SST when a ShotSpotter activation occurs. The first document, the Investigative Lead Summary (“ILS”) should exist in every case with a ShotSpotter activation. The second document, the Detailed Forensic Report (“DFR”) will only be present in cases where the prosecution has ordered the report from ShotSpotter and intends to call an expert witness at hearing and trial.
ShotSpotter has been challenged in multiple courts throughout the United States as unscientific and inaccurate. If the prosecution intends to introduce ShotSpotter evidence, attorneys should strongly consider filing a Frye or Daubert challenge and consulting with an expert. Legal Aid Society attorneys should contact the Digital Forensics Unit for strategic advice and litigation support.
- Benjamin Burger, Digital Forensics Staff Attorney
Small Bytes
How Does The Secret Service Track Fugitives? One Romance Scammer Hunt Started With A Simple Text (Forbes)
This Manual for a Popular Facial Recognition Tool Shows Just How Much the Software Tracks People (The Markup)
Section 230 Continues To Not Mean Whatever You Want It To (Techdirt)
Inside the Industry That Unmasks People At Scale (Vice)
A Facebook engineer abused access to user data to track down a woman who had left their hotel room after they fought on vacation, new book says (Insider)
It’s time to end the trade secret evidentiary privilege among forensic algorithm vendors (Brookings)
Study Suggests Digital Forensic Experts are Prone to Bias (Forensic)
Black teen kicked out of skating rink after facial recognition camera misidentified her (FOX 2 Detroit)
I, Obscura - Illuminating deceptive design patterns in the wild (UCLA Center for Critical Internet Inquiry on Issuu)
Judge forces US Capitol rioter to unlock laptop seized by FBI (CNN)
The FBI Is Locating Cars By Spying On Their WiFi (Forbes)
What Should Happen to Our Data When We Die? (New York Times)
Citizen pays New Yorkers $25 an hour to livestream crimes scenes (New York Post)
Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI (Vice)