Mobile Surveillance, Body-worn Camera Audit Logs, Facial Rec. Source Code, & Threads Data

Vol. 4, Issue 7

Jul 10, 2023

A picture of Who is Watching? painted on a wall — Photo by Claudio Schwarz on Unsplash

July 10, 2023

Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. In this issue, Benjamin Burger explains how your car became a surveillance tool. Shane Ferro discusses a recent victory in Queens that held that body worn cameras audit trails are discoverable. Jerome Greco summarizes a recent win in New Jersey regarding facial recognition technology source code. Finally, Allison Young answers your questions about the Threads app.

The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.

In the News

A vintage print advertisement that says "Volkswagen's electronic brain. It's smarter than a carburetor."

Mobile Surveillance

Benjamin Burger, Digital Forensics Staff Attorney

Modern cars and trucks are more than internal combustion engines and synthetic rubber tires. In 1968, Volkswagen produced the first car with a standard computer controlled fuel injection system. Today, all cars contain computer components, and vehicles that aspire for autonomous driving contain cutting-edge technology and hardware. However, like other contemporary consumer products, the upside of convenience comes with the downside of a lack of privacy.

Bloomberg News reported that law enforcement officials are increasingly using search warrants to seize video footage from autonomous or self-driving cars. Companies like Waymo and Cruise deploy autonomous taxis in cities like San Francisco and Los Angeles. Autonomous vehicles use a suite of sensors - including video cameras - to safely travel on roadways. Police officers realized that these vehicles are mobile surveillance systems, which record and retain data that can be accessed with a court order or warrant. As the Bloomberg article explained, the police have used autonomous vehicle footage in homicides, hit-and-runs, and other felony cases. Judicial oversight seems minimal, if it exists at all. The use of autonomous vehicle video echoes other consumer products that have become surveillance tools for law enforcement. To the extent there was a discussion about the benefits of deploying autonomous vehicles in urban areas, it did not include the significant privacy loss created by a mobile fleet of surveillance cameras.

Unfortunately, the United States has no national privacy laws that regulate the data acquired, stored, and sold by private companies. Instead, individual states and foreign entities have passed laws that regulate data privacy in an attempt to protect consumers. National legislation that regulates what data can be collected and how it can be used is desperately needed. Otherwise, the conveniences of modern technology - when it works - will be offset by a loss of privacy and the potential for law enforcement abuses. And sometimes, the solution is more complex than simply using a traffic cone.

In the Courts

Supreme Court of the United States building — Photo by Claire Anderson on Unsplash

Finally A Judge Understands BWC Audit Logs

Shane Ferro, Digital Forensics Staff Attorney

In Criminal Court in Queens this June, Legal Aid got a great decision holding that body-worn camera audit logs are discoverable under New York CPL 245.20(1)(e), (k), and (u). It’s People v. Torres, 79 Misc 3d 1204(A) (Queens County Crim. Ct. 2023).

The decision is lengthy, and goes into 1) what audit logs are, and 2) the many parts of these documents that make them discoverable under Article 245. It also includes hit after hit of quotable dicta about the ways in which the prosecution fails to grasp the point of the new discovery statute and often acts as if their version of the case is the only one that could possibly exist.

“Our criminal legal system is not an inquisitorial one. The People do not unilaterally determine that a person is guilty. The People do not choose what the accused's defense will be.”

There have been a handful of decisions going both ways on the discoverability of body-worn camera audit logs in the past few years. However, this is the first time a judge really seems to understand (and explain) what audit logs are and why they might be important for the defense to see.

Audit logs trace everything that happens with body-worn cameras (BWC). The program that the NYPD uses to upload, store, and track their body cams creates six different kinds of audit logs, but the ones most important to receive in discovery are the device log and the evidence log.

The device log will say everything that happened to the camera itself. The exact date and time a button was pressed, what the battery level was, whether the device malfunctioned for a certain reason. This is an especially important document for the defense to have if there is any sort of issue or question with the timing of when a BWC video stops or starts.

There is also an evidence audit log, which tracks everything that happens to the video itself. It starts with the button press to record, but goes on to detail everything that happens to a BWC video after it is uploaded. This includes every time someone watches the video (including supervisors or other officers unrelated to the case), as well as tags and categories that the officer adds to the video. The evidence audit log contains the officer’s subjective opinions about what happens in that BWC video. It can contain notes of the officers. It can tell you if an officer watched a video 17 times or only once, if the officer’s supervisor watched the video, or if another unrelated officer watched the video.

In her opinion, Judge Licitra recognizes both the relevance and the importance of these logs to the case. She holds that not only are they discoverable under the most general subsection, electronically created information (245.20(1)(u)), but are also discoverable as police writings since there are tags and notes involved (245.20(1)(e)), and as potential impeachment material (245.20(1)(k)). The logs have records of when the cameras were started and stopped, officers put their subjective opinions about what happened into these logs by tagging and categorizing them, and potentially identify the footage as related to other videos. The decision is explicit that these are fair topics for cross examination, so the defense should have access to that information.

Licitra also recognizes and underlines the presumption of openness that is baked into Article 245, and pushes back against the general unwillingness of prosecutors in New York City to hand over information they have easy access to simply because it is not expressly spelled out in the statute. She writes:

Automatic discovery is not a game whereby defense attorneys are tasked with guessing what the People or police have sitting on their computer accounts. Under the law, it is the People who are tasked with exercising due diligence to ascertain the existence of discoverable information in the first instance. (C.P.L. § 245.50[1]) … [T]he People should disclose evidence any time there is a 'colorable legal argument' that it does fall within the statute. The discovery statute requires the People to engage in information sharing, not information suppression. And they are to build mechanisms to support the free flow of information, not construct arbitrary walls that block access.

Hopefully, this decision will help educate other judges on what these documents actually are and why they are important for the defense to see in every case.

The logo of the NYPD’s Facial Identification Section (FIS)

New Jersey Appellate Court Finds Facial Recognition Technology’s Source Code Discoverable

Jerome D. Greco, Digital Forensics Supervising Attorney

Congratulations to our friends in the New Jersey Office of the Public Defender for another big win on source code discoverability. The New Jersey Appellate Court, building upon its decision in State v. Pickett, 466 N.J. Super. 270 (App. Div. 2021) [PDF], recently ruled that the defendant was entitled to a copy of the source code of the facial recognition technology (FRT) used to identify him as a possible suspect.

In State v. Arteaga, A-3078-21, 2023 WL 3859579 (N.J. Super. Ct. App. Div. June 7, 2023) [PDF], the defendant was accused of robbery in the first degree, among other charges, related to the robbery of a store at gun point. Detectives collected surveillance video from the store and a nearby property, and then sent still images from the videos to the New Jersey Regional Operations Intelligence Center (NJROIC) for facial recognition analysis. The NJROIC was unable to produce a match. The Detectives then sent the surveillance video to the NYPD’s Facial Identification Section (FIS) in the Real Time Crime Center (RTCC). An FIS detective generated a still image from the video. Then, using the NYPD’s own flawed facial recognition process, determined Francisco Arteaga as a possible match. Arteaga was arrested after the complainant and another potential witness identified him as the perpetrator, each in separate photo arrays.

In Pickett, the NJ Appellate Division found that the defendant articulated a particularized need for the source code of TrueAllele, a mixture DNA software, to challenge the scientific reliable of the DNA evidence in a Frye hearing. Here in Arteaga, the Court similarly found that the defendant was entitled to the source code of the FRT used in his case, along with other related records demanded by the defense. While acknowledging that, unlike Pickett, the purpose of the source code in Arteaga was not for a Frye or Daubert challenge, the Court still found it was discoverable. Writing the decision for the Court, Judge Hany A. Mawla found “[t]he evidence sought here is directly tied to the defense's ability to test the reliability of the FRT. As such, it is vital to impeach the witnesses’ identification, challenge the State’s investigation, create reasonable doubt, and demonstrate third-party guilt.” Arteaga at *9. Elaborating further, he stated:

The reliability of the technology bears direct relevance to the quality and thoroughness of the broader criminal investigation, and whether the potential matches the software returned yielded any other viable alternative suspects to establish third-party guilt. Defendant's request for the identity, design, specifications, and operation of the program or programs used for analysis, and the database or databases used for comparison are relevant to FRT's reliability.

Id. at *11.

While it is always nice to see our friends across the Hudson succeed on behalf of their clients, we should not have to rely on New Jersey to solve the problems with the NYPD’s FRT. We have plenty of courts capable of doing that right here in New York City. Maybe Arteaga can be a wake-up call to NYC courts: New Jersey is ahead of you, again, and this time it relates to your own police department. I hope that the courts in New York and around the country find the reasoning in Arteaga persuasive and pen similar decisions.

Ask an Analyst

Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.

Threads is a new text-based social media that Meta (AKA Facebook and Instagram) released this month as another competitor to Twitter (and by extension, Mastodon and Bluesky, two other text-based platforms similar to Twitter). If you haven’t heard yet, Twitter is currently perceived as an app on the verge of complete destruction with news of security issues, locking popular features behind a paywall, and doomscroll limitations. This may account for the rapid growth of Threads, which “was the most downloaded non-game app on a launch day in the past decade” and had over 30 million sign-ups overnight.

This month, I decided to prepare answers to questions about Threads that you may have started to consider, as social media frequently comes up in investigations. Threads may still incorporate additional features or adapt to support data privacy pressures both in the US and internationally; these answers are subject to change depending on how the app advances.

Example thread on Threads. — Example of a thread on Threads.

Q: How do I get Threads data from the cloud and what kind of data comes back?

A: Threads data is currently tied (pun unintended) to Instagram data. There is a separate “Threads” category of data that can be returned when you make a user request to download data from an account. The data download request is made through Instagram. For this article, I confirmed that the following steps on an iPhone would produce a zip file containing Threads data:

Open Threads
Go to “Settings” --> “Account” --> “Download your information.”
This step will open the Instagram app.
Click “Request a download” --> (Select Instagram account) --> “Complete copy” (or “Select types of information” --> “Threads”)
Click “Submit Request”

Cropped preview of the last screen shown in the Instagram app when submitting a data download request. — Currently, Threads account data is available for a user to request and download from within the linked Instagram account settings.

Once the data download request is ready, you should receive reports containing Threads activity, such as who a user follows, what posts they’ve liked, and posts they’ve made on the platform.

Screenshot showing files returned for the "Threads" Instagram data category. — Files provided from Meta/Instagram in a download request for Threads data.

Screenshot (content altered) of "threads_and_replies.html" report provided through the data download request. — The content in the above screenshot was altered but shows how Threads posts will appear when returned from an account data download request.

Q: Can I get deleted data from a Threads account?

A: Deleted threads/posts currently do not appear recoverable. Some deleted content may still be available in backups of phones and screenshots made prior to deletion.

However, it appears that deleted data may be recoverable with a preservation request and/or warrant, as the Threads Terms of Use states:

“deletion of your Threads Content from Threads Servers may not occur within 90 days where . . . deletion would restrict our ability to . . . comply with a request of a judicial or administrative authority, law enforcement, or a government agency.”

Speaking of complying with the law and legal requests, Meta is under scrutiny for collecting lots and lots of additional data from Threads users (compared to similar social platforms). Meta complies with a majority of the requests it receives from the government, as disclosed by their transparency reports. We may see sensitive data about Threads users included in future warrant returns.

Q: Can I just get Threads data from the phone?

A: Initial testing on an iPhone showed Threads data of interest in the folder “mobile/Containers/Data/Application/[{uuid} or com.burbn.barcelona]” (“Burbn” being the original name of the Instagram app and Barcelona the name used by Threads while it was still in development).

Data identified included:

Snapshot images of a previous app state (KTX files in folder mobile/Containers/Data/Application/{uuid}/Library/SplashBoard),
Traces of Threads post content (one post was available in a plist file in folder mobile/Containers/Data/Application/{uuid}/Library/Application Support/Barcelona/PostCreation/[redacted]/Store.Small but was unavailable after a second collection of the phone),
Traces of accounts viewed (mobile/Containers/Data/Application/{uuid}/all_users_generic_cache.plist),
Cached images/video of content that may have been viewed by a user, and
Time-in-app statistics (mobile/Containers/Data/Application/[{uuid} or com.burbn.barcelona]/Documents/time_in_app_[redacted].db)

From this first pass of analysis, only the time-in-app statistics appeared to be available in a standard Advanced Logical/iTunes Backup style preservation of the phone. The other data of interest was located in files acquired through a file system backup, which requires a phone to have vulnerable hardware or software. In other words, it may be difficult to access this data on newer iPhones that are kept up to date with the latest operating system. Tools that are provided to Law Enforcement/Government Agencies (and not to public defender labs) may have additional device support.

These findings have not yet been validated and Threads is not yet supported by leading forensic tools, but you may want to look out for Threads artifact issues in any limited reports or cases you receive in the coming months.