Police Abuse of Social Media, ICE Uses Private Data Brokers, Internet Scraping, Thumbnail Images & More
Vol. 3, Issue 5
May 2, 2022
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Jerome Greco discusses law enforcement abuse of social media, and Diane Akerman explores how Immigration and Customs Enforcement skirts sanctuary city laws. Shane Ferro reviews a recent Ninth Circuit decision involving internet scraping. Finally, Allison Young answers a question about thumbnail images on a phone.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In the News
Police Abuse of Social Media
Jerome D. Greco, Digital Forensics Supervising Attorney
Despite negative views of social media in the United States and its slowed growth last year, its overall use continues to rise. This continual upward trend has little variation when users are divided by race, gender, or income. The most significant difference is based on age, followed by education. However, notwithstanding the similar social media habits across diverse groups, police have expanded their unlawful targeting of Black people into the online world.
Not content with the incredible ease with which they can obtain search warrants for social media accounts, police have also resorted to using fake profiles to gain access to information about individuals and groups. Earlier this year, Business Insider reported on police being trained to create fake social media accounts using AI-generated images, including the encouraged use of the This Person Does Not Exist tool. Last week, the Minnesota Department of Human Rights released a 72-page report on their Investigation into the City of Minneapolis and the Minneapolis Police Department [PDF], which had been commissioned after the murder of George Floyd by then police officer Derek Chauvin. Among other abuses, the Dept. of Human Rights found that the Minneapolis Police Department used “covert social media to target Black leaders, Black organizations, and elected officials without a public safety objective.” The report only gave a few specific examples, but they confirm online surveillance is not devoid of the racism that infects its offline counterpart: “MPD officers used language to further racial stereotypes associated with Black people, especially Black women…In one case, an MPD officer used an MPD covert account to pose as a Black community member to send a message to a local branch of the NAACP criticizing the group.”
While the monitoring of social media by police is not new, most law enforcement agencies still appear to lack any restrictions on officer use. Even when a department has policies, they are often insufficient or encourage invasive surveillance. This past September, records obtained by the Brennan Center for Justice revealed that the Los Angeles Police Department was using social media monitoring tools, and the Department’s Social Media User Guide [PDF] allowed for officers to create a “Fictitious Online Persona.” Three months later the Brennan Center published additional documents from the LAPD, which showed the Department collected tweets from millions of users and that they disproportionally targeted activity related to protests.
The New York City Police Department has an entire unit in their Real Time Crime Center dedicated to social media monitoring, The Social Media Analysis & Research Team (S.M.A.R.T.). In April 2021, the NYPD released its Internet Attribution Management Infrastructure [PDF] and Social Network Analysis Tools [PDF] Impact and Use Policies, pursuant to the newly passed Public Oversight of Surveillance Technology (POST) Act. In combination with these policies, the NYPD Detective Guide [PDF] permits the use of an “online alias,” and states “no prior authorization is ever required for information contained on publicly available internet sources.”
All of the abuses of social media by law enforcement are too numerous to cover in this short article (e.g. 1, 2, 3, and 4), but it is clear that, just like in other contexts, the police are not capable of setting their own boundaries and our legislatures need to step in.
How ICE Finds Ways Around Sanctuary Laws
Diane Akerman, Digital Forensics Staff Attorney
A recent report detailed how U.S. Immigration and Customs Enforcement (ICE) contracts with private data brokers to circumvent state and city sanctuary laws. The report [PDF], released by a coalition of immigrant rights organizations led by Mijente, focused on Colorado, but it affects any jurisdiction with similar sanctuary laws restricting cooperation between local law enforcement or corrections and ICE.
ICE relies heavily on the use of detainers and assistance from local authorities to hold individuals for transfer to ICE custody. Sanctuary laws prohibit cooperation with ICE detainers, and prohibit local law enforcement from sharing certain crucial data with ICE, such as release dates, or parole information. Lack of access to that information has forced ICE to get creative and backdoor a solution.
This is where private data brokers come in. As the report details, ICE contracts with LexisNexis for use of its Accurint Virtual Crime Center, and an add-on service known as Justice Intelligence, run by Appriss Solutions. Appriss Solutions is most widely known for VINE, a service which provides information about an individual’s release date to crime victims. Colorado, and many other states and municipalities, share local jail management information with Appriss for the sole purpose of notifying victims through VINE.
If you didn’t follow that: local law enforcement shares information with VINE for a limited purpose, VINE is owned by Appriss, Appriss repackages that data for sale as Justice Intelligence, which Lexis then offers to customers of Accurint Virtual Crime Center.
Similar revelations in Cook County, Illinois, prompted a resolution requesting a public hearing this month to investigate ICE’s relationship with data brokers. The resolution noted that, “it is estimated that ICE has purchased extensive personal information on over 283 million ‘consumer identities’ from more than 10,000 government and commercial sources.”
These revelations expose a two-fold problem: the lack of regulation around data brokering more generally, and a patchwork series of sanctuary laws that often don’t address these back-channel alternative sources of information.
In the Courts
Ninth Circuit Holds (Again) that Scraping Publicly Available Information Does Not Violate the CFAA
Shane Ferro, Digital Forensics Staff Attorney
This month, the Ninth Circuit held (again) that web scraping of publicly available information is likely not a violation of the Computer Fraud and Abuse Act (CFAA) in the case HiQ Labs v. LinkedIn Corp [PDF].* If this sounds familiar, it’s because the Ninth Circuit previously made more or less the same ruling against LinkedIn in this case, which LinkedIn appealed to the Supreme Court (938 F.3d 985 (9th Cir. 2019)). SCOTUS remanded the case in light of their 2021 decision in Van Buren v. United States, 593 U.S. ___ (2021) [PDF], but the Ninth Circuit was not moved, concluding that “the reasoning of Van Buren reinforced its interpretation of the CFAA.”
While this case involves a private company scraping information from the website of another private company, web scraping is also often done by journalists, academics, and other researchers compiling data for analysis in the public interest, and a ruling in LinkedIn’s favor would have severely limited access to public information. The Electronic Frontier Foundation (EFF) explains that, “So-called good bots allow researchers to investigate racial discrimination on Airbnb, journalists to reveal price disparities on Amazon, and companies like DuckDuckGo and Google to use bots to make search engines return useful results.”
This case concerns 18 U.S.C. § 1030(a)(2), which says someone who “intentionally accesses a computer without authorization” is in violation of the CFAA and can be subject to criminal punishment. In this case, HiQ is a data analytics company that was scraping LinkedIn for publicly available information that did not require a login to access. LinkedIn knew about the scraping and sent HiQ a cease and desist. Continued scraping would violate LinkedIn’s terms of service. LinkedIn argues that that violation constitutes “intentionally accessing a computer without authorization,” and therefore is a CFAA violation.
The caselaw in the Ninth Circuit prior to this decision was not great, as the court had previously held in United States v. Nosal (Nosal II), 844 F.3d 1024, 1050 (9th Cir. 2016), that there was a CFAA violation in a similar situation where the obtained information required some sort of login (and was therefore “private” information). But here, the court draws a line between information that requires some sort of prior authorization, even if that is as simple as a login and password, and public information that any person can obtain on the internet without logging in.
The court spends some time discussing the original purpose of the CFAA, which was to prevent and criminalize hacking, and thankfully draws a clear distinction between an automated version of collecting public information, the conduct at issue here, and hacking into someone else’s private information. As the EFF explained in its analysis of the original 2019 decision, the court rightly determined that “using automated scripts to access publicly available data is not the sort of ‘breaking and entering’ into computers that the Computer Fraud and Abuse Act is intended to police.”
The Supreme Court’s Van Buren decision, which caused the Ninth Circuit to have to take another look at the HiQ case, also limited the scope of the CFAA. In that case, a police officer used his valid credentials to access a law enforcement computer in order to look up license plate numbers for money. While that was a violation of his department rules, that alone did not make it criminal conduct under the CFAA, SCOTUS held. Essentially, the decision stands for the proposition that breaking the rules at work is not the same as breaking into an office without a key.
In light of that and its prior decision in this case, the Ninth Circuit concluded that it “favor[s] a narrow interpretation of the CFAA’s ‘without authorization’ provision so as not to turn a criminal hacking statute into a ‘sweeping Internet-policing mandate.’”
* The conclusions here about the scope of the CFAA are only “likely,” rather than definite, because the case has yet to move from the preliminary injunction stage.
Ask an Analyst
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.
Q. I've been provided with photos from my client's phone that appear to have been created on a particular date, but my client says that they did not take the photos. Some of them are also too small to make out what's being shown in the photo. What would explain these pictures?
A. Not all photos saved on a cell phone are captured from the phone’s camera. Pictures are received from text messages, cached from the internet, or downloaded as resources for games and applications. There are hundreds of pictures saved to cell phones from other sources. These include “thumbnails,” which are smaller preview images that have their own timestamp information independent from the source image. Thumbnails can be cached, or temporarily saved, from application or internet use without the intent or knowledge of the device user and are insufficient on their own in interpreting the relevance of an image on a device.
Thumbnails are created by the phone’s default gallery or photo viewer application to fit photos into a grid view, as well as by other applications that provide previews of full-size documents or images. A thumbnail is only meant to preview the contents of a photo and can be optimized to take up less storage space than the original, so the original photo’s source, capture date, and other metadata are not typically included in the thumbnail file.
A thumbnail may be cropped, where only the center or another area of the image is displayed as a preview. It may also only represent a single frame preview of a video file – without its source, you would literally miss the “whole picture!”
Thumbnail images may provide valuable insight into user activity on a phone or computer, but thorough analysis is needed to determine how, when, and why they were saved to a device.
- Allison Young, Digital Forensics Analyst
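The answer above notes that thumbnails are small and usually lack the original photo's embedded metadata. As an added illustration (not part of the newsletter or the Unit's tooling), the Python sketch below reads a JPEG's header segments to report its pixel dimensions and whether an Exif block is present; the 512-pixel cut-off, the label names, and the header-only sample bytes are assumptions constructed for this example.

```python
import struct

def jpeg_summary(data: bytes) -> dict:
    """Walk JPEG header segments: frame size and whether an Exif block exists."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    info = {"width": None, "height": None, "has_exif": False}
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):              # EOI / start of scan: headers done
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            info["has_exif"] = True             # APP1 Exif: capture date, device model
        # SOFn markers (not DHT 0xC4, JPG 0xC8, DAC 0xCC) hold height then width
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC) and len(body) >= 5:
            info["height"], info["width"] = struct.unpack(">HH", body[1:5])
        pos += 2 + length
    return info

def triage(data: bytes, max_thumb_side: int = 512) -> str:
    """Heuristic label; max_thumb_side is an assumed cut-off, not a standard."""
    s = jpeg_summary(data)
    small = s["width"] is not None and max(s["width"], s["height"]) <= max_thumb_side
    if small and not s["has_exif"]:
        return "probable-thumbnail"             # locate the source image before relying on it
    if small:
        return "small-with-exif"
    return "full-size-with-exif" if s["has_exif"] else "full-size-no-exif"

# --- constructed, header-only sample files (not viewable pictures) ---
def seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

def sof(width: int, height: int) -> bytes:
    return seg(0xC0, b"\x08" + struct.pack(">HH", height, width) + b"\x03"
               + b"\x01\x11\x00\x02\x11\x01\x03\x11\x01")

EXIF = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00"
JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CAMERA = b"\xff\xd8" + seg(0xE1, EXIF) + sof(4032, 3024) + b"\xff\xd9"
THUMB = b"\xff\xd8" + seg(0xE0, JFIF) + sof(160, 120) + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("camera.jpg", CAMERA), ("thumb.jpg", THUMB)):
        print(name, jpeg_summary(blob), triage(blob))
```

A missing Exif block is not proof of a thumbnail, since messaging and social media applications commonly strip metadata from full-size images; the label only flags files whose storage path and parent application should be examined next.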
Upcoming Events
May 9-12, 2022
Techno Security & Digital Forensics Conference (Myrtle Beach, SC)
May 12, 2022
Forensic algorithms: The future of technology in the US legal system (Brookings) (Virtual)
May 16-17, 2022
Unlocking the Black Box (NACDL & Samuelson Clinic Seminar) (Chicago, IL)
June 6-10, 2022
RightsCon (Virtual)
July 22-24, 2022
A New HOPE (Hackers on Planet Earth) (Queens, NY)
August 11-14, 2022
DEF CON 30 (Las Vegas, NV)
September 7, 2022
Intro To Artificial Intelligence (AI) Part 2: AI As A Litigation Tool (NYSBA) (Virtual)
October 10-12, 2022
Techno Security & Digital Forensics Conference (San Diego, CA)
Small Bytes
Police Records Show Women Are Being Stalked With Apple AirTags Across the Country (vice.com)
Europe Is Building a Huge International Facial Recognition System (Wired)
Trial by File Formats: Exploring Public Defenders' Challenges Working with Novel Surveillance Data (Proceedings of the ACM on Human-Computer Interaction)
Police surveillance and facial recognition: Why data privacy is imperative for communities of color (Brookings)
Class-Action Lawsuit Targets Company that Harvests Location Data from 50 Million Cars (vice.com)
How Democracies Spy on Their Citizens (The New Yorker)
NYC Councilwoman wants top NYPD official investigated for possible perjury after Muslim surveillance comments (New York Daily News)
American Phone-Tracking Firm Demo’d Surveillance Powers by Spying on CIA and NSA (The Intercept)
When Police Do Marketing for Surveillance Tech Companies (vice.com)