Student Surveillance, Location Tracking, Cell Phone Discovery Orders, Messaging & More
Vol. 3, Issue 9
September 12, 2022
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. In this issue, Diane Akerman discusses the proliferation of school surveillance. Benjamin Burger looks at the recent reporting around Fog Reveal and law enforcement’s use of geolocation data. Jerome Greco reviews two recent cases about discretionary discovery orders. Finally, Allison Young discusses alternative methods for acquiring messaging data when a phone is in police custody.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
Surveillance and Privacy Violations: School Edition
Diane Akerman, Digital Forensics Staff Attorney
With school beginning again this week, and with it the continued proliferation [PDF] of surveillance of students. The justification for the surveillance takes many forms, some claiming to protect safety, others touted as anti-bullying measures, and some implemented as anti-cheating mechanisms.
Anti-cheating surveillance became more prevalent during the shift to remote learning, and students are forced to put up with certain privacy invasions in order to take tests at home. Some schools record students as they take the test, others use software that actually scans the room a student is in. Recently, in response to challenge brought by a student at Cleveland State University, a Judge found the practice of remote scanning unconstitutional - a violation of the student’s Fourth Amendment rights. Recognizing the danger of such practices, the judge cited the “slippery slope” argument – finding that although these scans could be considered “relatively harmless” they represented the “silent approach and slight deviation from legal modes of procedure” that give “illegitimate and unconstitutional practices” their “first footing.”
In the wake of yet another school shooting, schools have taken more extreme measures, installing gun-detecting AI scanners under the guise of safety. The companies that sell the technology boast accuracy and efficiency, but they fail to deliver either.
Weapon detecting AI scanners have misidentified a broom as a gun, and cannot tell the difference between a Chromebook, or three-ring binder and a handgun. In one test, a Glock pistol made it through the scanners undetected. Many of these technologies, much like facial recognition, also rely on a mixture of AI and human intervention, and are riddled with the same racial biases.
Evolv, one of the major providers of the software, has conceded that these kinds of scanners do not prevent mass shootings. In most cases, guns were more frequently found on campus through more traditional means. The scanners have also created “chaos” – with students waiting on long lines to enter the building because of the frequent misidentifications.
Much like removing our shoes at the airport, these initiatives are nothing more than security theater, providing no real benefit and instead causing significant harm to students. The detrimental effect both physically and psychologically of such intense surveillance on students, in a place that should be a safe haven, cannot be overstated.
Mass Surveillance on a Budget
Benjamin S. Burger, Digital Forensics Staff Attorney
Documents obtained by the Electronic Frontier Foundation (EFF) and the AP show that law enforcement agencies across the country have accessed the geolocation data of millions of Americans without a warrant. The data is accessed through a cellphone tracking tool named “Fog Reveal.” The tool is used to search billions of records and create “patterns of life” that can reveal the identity and intimate details of a person’s life. The data contained in these records are generated by smartphone apps, compiled by data brokers, and sold to third parties. Fog Data Science, creator of Fog Reveal, purchases billions of records from data brokers and then makes the data available to law enforcement through a subscription fee.
Law enforcement agencies use Fog Reveal, and the underlying app data, to identify cell phones and their users in the proximity of a crime scene. Although the data is allegedly “anonymized,” the geolocation data can easily be used to locate and identify individuals through the use of advertising IDs. For example, if the unique advertising ID associated with your phone leaves the same address every morning and returns to that address in the evening, its easy to deanonymize the ID and identify you as the phone user.
By using Fog Reveal and privately collected data, police departments can bypass the Fourth Amendment and acquire location data without resorting to a geofence warrant. These types of warrants, which use location data collected by companies like Google, requires a warrant and a level of cooperation from the tech company. Geofence warrants have been under increasing scrutiny from the court system. However, Fog Reveal allows the police to create a geofence without involving a tech company and appears to allow unfettered searching of location data. After the EFF and AP published their reports, Vice uploaded the Fog Reveal user manual to their site. The manual confirms that Fog Reveal can be used to search geolocation records for millions of people and how easy it would be to reveal the identity behind each advertising ID.
At this point, the extent to which Fog Reveal has been used by law enforcement is unknown. Although some police agencies admitted using the tool to track people, the AP notes many agencies refuse to say whether they have paid for a subscription. According to publicly available city records, the New York City Police Department has contracted with Fog Data Science, but this usage was not reported by the NYPD pursuant to the POST Act. The lack of any meaningful regulation on the collection and sale of app data is both a consumer and privacy crisis. Both federal and state governments need to develop policies that will protect consumer data. Courts need to examine whether the principles underlying the Fourth Amendment are violated when state actors purchase data and use it to identify and track the general public.
In the Courts
Testing the Limits of New York State’s Discovery Law
Jerome D. Greco, Digital Forensics Supervising Attorney
New York State’s current discovery law, which went into effect in 2020, requires the prosecution to provide substantially more materials to the defense than the previous statute. One section of the statute that has not received as much attention as the rest is the “discretionary discovery order” part. CPL 245.30(3) grants the courts discretion to order:
“the prosecution, or any individual, agency or other entity subject to the jurisdiction of the court, to make available for disclosure to the defendant any material or information which relates to the subject matter of the case and is reasonably likely to be material” upon a showing by “the defendant that the request is reasonable and that the defendant is unable without undue hardship to obtain the substantial equivalent by other means.”
Typically, discovery is thought to only apply to parties to the case. However, New York’s broad discretionary statute leaves open the opportunity to include orders for non-parties. Two recent trial level decisions have interpreted the discretionary discovery order statute, as it relates to cell phone data from a third party. In People v. Dominicci, a Bronx Supreme Court determined that it had jurisdiction over the witness, despite the fact that she was not a party to the case. The Court also found that the standard for a discretionary discovery order for non-party cell phone content is “probable cause to believe it ‘relates to the subject matter of the case’ and ‘is reasonably likely to be material’ to the defense.” Ultimately, the Court denied the defense’s motion, finding that the defendant had failed to meet his burden that he was “unable without undue hardship to obtain the substantial equivalent by other means” because the prosecution had already extracted the requested data from the witness’ phone and agreed to turn it over to the defense. In People v. Mongan, an Orange County Court ordered the complainant to provide the prosecution access to her cell phone “for the purpose of making copies of text message exchanges” which “regard[ed] the subject matter of the incident” during a three-day period of time. Mongan does not include the same level of interpretation as Dominicci, but it is still informative.
Neither case discusses in sufficient depth some of the other issues that may arise under these circumstances. For example, does a court overstep its bounds to order the prosecution to search a non-party’s phone, when a search warrant would otherwise be required? If the court orders the witness or complainant to turn the device over to the defense, can the court also order the device to be unlocked? Lingering questions aside, the ability of the defense to use discretionary orders to obtain discovery from non-parties has opened a world of possibilities.
Ask an Analyst
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.
Q. My client has a conversation on their phone relevant to their case, but the phone was seized by the police. How could we get a copy of these messages?
A. The Digital Forensics Unit is often asked to copy text messages from cellphones, and while our preferred method is to copy them from the phone itself, we are not always “out of luck” when the phone is unavailable.
If messages were sent within a group chat, you can request to preserve them from the phones of other members of the chat.
Text message content will not be available from a request for call detail records to a cell phone carrier (like T-Mobile or Verizon). While some carriers can provide content for law enforcement requests, that data is only available for a matter of days after the message is sent. A phone user may take advantage of text message backup services offered by carriers like AT&T or mobile device providers like Samsung. We have rarely seen users pay for these services, especially if they use Apple iMessage.
In addition to traditional text messages, billions of cell phone users communicate with third-party messaging applications like WhatsApp, (Facebook) Messenger from Meta, Telegram, Signal, and WeChat. There may be another copy of these messages on another phone, computer, tablet, or in the cloud. These services operate in different ways, but the main characteristics they share are that the messages are usually sent over internet data, like emails, and that they are often used to replace or supplement traditional text messaging. They may include additional content you might not associate with text messaging, such as chats that “self-destruct” and voice messages.
You are entitled to your client’s cell phone extraction if one was performed by the DA. This extraction would include any messages that were copied by the forensic software used by the prosecution’s digital forensics resources. Keep in mind: there may be messages missing if you receive a report of messages instead of the original forensic preservation. The report can be manually limited to the scope of a warrant, or it can miss messages not understood by the forensic software. You are also entitled to inspect your client’s phone while it is in law enforcement custody, but there may be reasons you do not want to do that.
Some third-party messaging apps use encryption, where an additional passcode or key is required to access message content. If you receive an extraction report where the key was not found or entered by the person who prepared it, those messages will not be included. Missing messages may be made available for review by another digital forensic expert’s analysis.
We recommend that regardless of whether you have access to the client’s device for preservation, you determine which method was used to send text messages. Message content can be time sensitive (as is the case with “self-destructing” chats), so be sure to prepare requests and arrange to preserve available devices or backup accounts as soon as possible to avoid losing data.
Allison Young, Digital Forensics Analyst
Upcoming Events
September 15, 2022
Accident Reconstruction Part 3: Event Data Recorders (NYSACDL) (Virtual)
September 20, 2022
Lawyers, Cloud and Mobile Computing Ethics (NYC BAR) (Virtual)
September 22, 2022
Public Benefits Tech Advocacy Hub: An Introduction (Upturn/Legal Aid of Arkansas/the National Health Law Program) (Virtual)
September 30, 2022
Emoticons, Emojis, Smileys & Stickers, Oh My (NYCLA) (Virtual)
October 10-12, 2022
Techno Security & Digital Forensics Conference (San Diego, CA)
October 18, 2022
The Metaverse, Crypto and Web3 (NYCLA) (Virtual)
November 21, 2022
The Role and Influence of Artificial Intelligence in the Workplace (NYC Bar) (Virtual)
April 27-29, 2023
16th Annual Forensic Science & Law Seminar (NACDL) (Las Vegas, NV)
Small Bytes
Cops Turn To Google Location Data To Pursue A Death Penalty For 2015 Murder (Forbes)
These Companies Know You’re Pregnant-And They’re Not Keeping It Secret (Gizmodo)
The Most Surveilled Place in America (The Verge)
Amazon Buys Roomba Company, Will Now Map Inside of Your House (Vice)
How a Third-Party SMS Service Was Used to Take Over Signal Accounts (Vice)
A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. (The New York Times)
Most top mobile carriers retain geolocation data for two years on average, FCC findings show (CyberScoop)
The US May Soon Learn What a ‘Kid-Friendly’ Internet Looks Like (Wired)