DECRYPTING A DEFENSE NEWSLETTER
Vol. 2, Issue 5
May 3, 2021
Welcome to the newly updated Decrypting A Defense Newsletter. In order to open the newsletter to subscribers outside of the Legal Aid Society, we have moved to Substack. The newsletter will still be published on the first Monday of every month (excluding holidays) and continue to explore the intersection of technology and criminal justice.
In this month’s issue, we discuss Long Range Acoustic Devices (LRADs) and new limitations placed on NYPD in deploying this technology. We also explore the NYPD’s use of the controversial facial recognition service Clearview AI. The extent of which was discovered through a Freedom of Information Law request filed by the Digital Forensics Unit. Finally, Digital Forensics Staff Attorney Diane Akerman explains what data attorneys can acquire from social media and other internet-based companies through subpoenas.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal justice system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
New Restrictions on NYPD’s Use of Sound Cannons
The NYPD has long used Long Range Acoustic Devices (LRADs) against protestors and other massed groups of people. LRADs were developed in response to the bombing of the USS Cole. These devices are designed to be used as both megaphones and as sonic weapons that can force attackers away from a ship. After the NYPD purchased these devices, they began using them to disperse protestors.
LRADs are equipped with an “area denial” feature, which creates sonic “shrieks” above the decibel level safe for humans. People who have been exposed to the sound from the area denial feature have suffered from prolonged migraines, sinus pain, dizziness, facial pressure and ringing in their ears. As shown in the YouTube video, the NYPD used LRADs to disperse protestors during the 2014 Eric Garner demonstrations. Protestors sued New York City and the NYPD alleging that the use of LRADs constituted excessive force. This month, the city settled the lawsuit and agreed that NYPD would cease using the “area denial” feature. The City also agreed that the police will add new rules on the use of LRADs and require officers to “make reasonable efforts to maintain minimum safe distances between the LRAD and all persons within its cone of sound.” The attorneys for the protestors (Gideon Oliver, Elena Cohen, and Michael Decker) have made many of the settlement agreement documents public.
The use of LRADs by law enforcement agencies is a reminder of the continued militarization of domestic police departments. Technology such as LRADs were designed for military deployment and were never intended to be used on the general public. As the NYPD continues to adopt militaristic technology and practices, attorneys, advocates, and the public will need to vigilantly protect our civil liberties.
NYPD Used Clearview AI’s Facial Recognition Software
This month, the Digital Forensics Unit released documents showing the extent of the NYPD’s use of the controversial facial recognition software Clearview AI. The documents were obtained pursuant to a Freedom of Information Law request filed by Digital Forensics Supervising Attorney Jerome Greco and a subsequent lawsuit litigated by Digital Forensics Staff Attorney Jonathan McCoy. Among other points of interest, the records showed that NYPD officers had access to Clearview AI’s software on their personal mobile phones and were using the technology on active cases. This contradicts NYPD’s previous claims that they had no formal or informal relationship with Clearview AI. One officer remarked that she was collecting “success stories” involving the use of the software. NYPD’s Internal Affairs Bureau even used Clearview AI to identify officers accused of violating Department rules.
Clearview AI is significantly different than the NYPD’s in-house facial recognition technology, which is controlled by the Facial Identification Section (FIS). Clearview AI “scrapes” photographs from internet websites and social media platforms, like Facebook, without permission. These photos are deposited in a massive unregulated database and includes personally identifying private information. According to Buzzfeed News, over 1,800 entities have used Clearview AI to run facial recognition searches. Additionally, the founder of Clearview AI has allowed numerous individuals to access the database for non-law enforcement purposes. Clearview AI has also faced scrutiny for its connections with former NYPD officials and right-wing internet trolls.
Currently, we are unaware of how many criminal cases involved the use of Clearview AI facial recognition technology. Legal Aid attorneys should contact the Digital Forensics Unit if they believe any facial recognition occurred in their cases, whether through formal NYPD channels like FIS, or informally through Clearview AI.
In The Courts
Historical cell-site location information (CSLI) is used by law enforcement and criminal defense attorneys to try to establish the prior location of a cellular phone, based on its past connection to different cell-sites (or towers). By establishing the general location of a cell phone, analysts may help confirm a client’s alibi or establish that they were in the vicinity of a crime scene. Despite the seeming simplicity in making cell phone calls today, the science behind cell phones is complicated and generally misunderstood by the public. Although courts have allowed cell-site evidence, and the accompanying mapping (known as cell-site analysis) into evidence at trials, some courts are tightening the standards for its admission.
CSLI evidence and testimony can be divided into two distinct categories. The first type of evidence and testimony concerns the actual functioning of wireless networks and the underlying science that allows a mobile phone to connect to a specific cell-site. This testimony will focus on how wireless networks operate, the range of cell towers, and the process by which a cell phone will connect to the tower with the strongest signal (not necessarily the closest tower). Both federal and state courts have recognized that this type of evidence will require an expert witness, like a radio engineer. See United States v. Natal, 849 F.3d 530, 533 (2d Cir. 2017) (holding “that testimony on how cell phone towers operate constitutes expert testimony and may not be introduced through a lay witness”). In People v. Ortiz, the Appellate Division adopted the holding from Natal and further opined that “the possible ranges of cell phone towers and how they operate,” must be offered by an expert witness. See 168 A.D.3d 482, 483 (1st Dept., 2019). Thus, if any attorney or prosecutor seeks to elicit testimony about how wireless networks function, they should be prepared to call an expert witness with sufficient educational background and professional experience.
The second type of evidence that occurs in a case involving CSLI is cell-site mapping or analysis. This evidence consists of maps of cell towers. The data for these maps is drawn from Call Detail Records (CDRs) from the wireless company. Cell-site mapping can be performed by hand or with specialized software. CDRs contain data about the cell tower and sector that a mobile phone connected to and the directionality of the antenna. In the map above, you can see the results of cell-site mapping. While cell-site mapping requires some training, it does not require the analyst to have a engineering background or work for a wireless company. Based on the holdings in Natal and Ortiz, with proper limitations, cell-site maps should be admissible without the testimony of an expert witness. For example, the analyst may not be allowed to testify as to how a phone connected to a specific tower, or the range of that tower. Instead, the testimony may only elicit the basic information shown in the map, that the phone connected to this specific tower, at a specific time, and was in most likely located in a general area within the towers range. Although this testimony will not precisely locate a phone, it can still serve the purpose of confirming a client’s location.
Recently, in the Southern District of New York, Judge Jed Rakoff granted a defense motion to exclude testimony on cell towers presented by a prosecution witness. The Court noted that the witness “was not able to give a detailed account of the scientific methodology underlying his opinion that the interaction with certain cell towers of two cellphones . . .” United States v. Nieves, 19-cr-354 (SDNY, April 18, 2021). However, recognizing that a direct challenge to the scientific reliability of cell-site analysis was not before the Court, the decision further stated that if the witness’s proposed testimony was “more relevant” to the case, it may have allowed the evidence “subject to requiring that it be qualified by various statements that would reveal its limitations.” Id. The Court ultimately excluded the testimony under Federal Rule of Evidence 403, because its probative value was substantially outweighed by unfair prejudice and confusion of the issues.
Cell-site location information and the accompanying analysis still has flaws as an analytical tool in the criminal justice system. Attorneys should be wary of prosecution attempts to make unequivocal statements based on these records. At the same time, the defense bar should plan to call the necessary expert witnesses when CSLI evidence is helpful to a client’s case.
Ask An Attorney
I'm trying to get records that prove that my client was arrested in an Airbnb. I would also like to get the name and contact information of the person who was renting the apartment so I can reach out to them.
- Joseph Frumin
A: While the Digital Forensics Unit most frequently deals with social media websites like Facebook and Instagram, we also get numerous requests about obtaining information from websites like Airbnb, Cash App, and even Pornhub. Under the Stored Communications Act (SCA), non-law enforcement entities like public defenders have limited subpoena power when it comes to obtaining electronically stored data from electronic communication services and remote computing services. Very simply, most courts have interpreted the SCA to mean that these services can only provide “non-content” via subpoena, but can provide “content” pursuant to a lawful warrant. This puts defendants in criminal cases at a severe disadvantage. Defense attorneys are challenging the long-held belief that content can only be obtained via a warrant, but so far with limited success. Please reach out to the Digital Forensics Unit if you would like to mount such a challenge in one of your cases.
While currently limited by the SCA, there is still helpful information that can be obtained through a subpoena. The first step to figuring out what information you may be able to obtain is to read through the company’s legal compliance page. While these pages are often directed at law enforcement, they provide information about how and where to serve a subpoena, and oftentimes more detailed information about what data exists, and whether they will provide it in response to an order.
The information a company collects and retains, and for how long, will be detailed in their privacy policy and data retention policy. Reading through these pages will provide you with information about what data is and is not collected, how long data is stored, and whether and how long information is stored after an account is deactivated. These policies can quickly answer whether the information you need is even available, and even provide some ideas on other helpful information that may be stored that you had not considered. The simplest way to find these pages, rather than trying to navigate the complicated maze of some of these websites, is to simply google “legal compliance” and the company’s name.
Taking Airbnb as an example. Airbnb’s legal resources page, while focused entirely on law enforcement, describes what information must be included in a subpoena in order for them to identify and provide the data you are seeking. Their Account Security page describes their data retention policies. Both pages refers to their Privacy Policy, which details both what information users provide to Airbnb and what information Airbnb automatically collects. With a website like Airbnb, a subpoena should get you contact information, account, and profile information, such as a name, phone number, postal address, email address, and potentially a list of bookings and payment information. An example of something that might be considered “content” that cannot be disclosed pursuant to a subpoena, would be messages exchanged between users when booking a stay or the actual content of a posted ad.
As always, if you are seeking to obtain information from an app or website, please contact the Digital Forensics Unit.