Know where your iPhone has been? Apple does

Published Saturday, 23 April 2011 3:16PM CST by in Privacy


Earlier this week Alasdair Allan and Pete Warden announced their discovery (re-discovery, actually; this one has already gone around the block at least once, but few noticed) that iPhones and iPads with 3G radios running iOS 4.0 or later regularly record the location of the device in a hidden file. The file is restored across backups and migrations.

The information has always been collected; it was just stored in a different, less accessible place on the device (h-cells.plist in the Library folder).

This is, of course, a privacy and security issue. To make matters worse, Allan and Warden report that the file is stored in an unencrypted and unprotected format and resides on any machine with which you’ve synched your iOS device. Apparently the only information available is the physical location of your device, stored as not-always-accurate latitude-longitude coordinates and a timestamp. Allan and Warden figure that the location coordinates are determined by cell-tower triangulation with a widely varying frequency of recording updates.

Let’s not get carried away—the mobile phone companies have always had this information (although it usually takes a court order to access it). You may find it creepy—I’m sure many folks really, honestly do—I’m pretty fanatical about personal privacy and I just assumed a mobile phone with a GPS radio that seemed to almost continually ask me if it could use my location is storing this data somewhere. What’s really creepy is that unencrypted file sitting on every machine you’ve synched your iPhone with is tempting bait for law enforcement wanting location information without a court order.

As it turns out, as Brian X. Chen, writing for Wired reports, Apple explained its location information collection policy (.pdf; 540KB) almost a year ago. The explanation came on the heels of a request from US Representatives Joe Barton (R-Texas) and Edward Markey (D-Massachusetts). The location information for a given device is transmitted to Apple only if the user turns on the Location Services option. Any information transmitted to Apple is anonymized. Apple claims this is used to provide faster and more accurate location services. But the original data file remains unnecessarily stored, unprotected, on the iOS device (and any synched computers).

Why would Apple (and Google, which is collecting location information from its Android users, including a unique phone identifier) want this information? Julia Angwin and Jennifer Valentino-Devries, writing for the Wall Street Journal, follow the money and find it’s “part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the US$2.9 billion market for location-based services—expected to rise to US$8.3 billion in 2014, according to research firm Gartner Inc.”

This is getting so much attention this round because Allan and Warden built an application that plots your device’s location data on a map.

Best advice? If this information stored on your device bothers you, encrypt your backups in iTunes.

As Tim O’Reilly, founder of O’Reilly Media, told Nick Bilton, writing for the New York Times, “It is more symbolic than anything else. It is one more sign of how devices are collecting data about us and potentially sharing it with others. This is the future. We have to figure out how to deal with it.”

Becoming the surveillance state

Published Thursday, 30 December 2010 4:24PM CST by in Privacy


In the latest installment of its Top Secret America investigation, Washington Post reporters Dana Priest and William M. Arkin recently filed “Monitoring America.” Priest and Arkin report that the US continues to assemble a “vast domestic intelligence apparatus to collect information about Americans, using the FBI, local police, state homeland security offices and military criminal investigators.” This surveillance apparatus—one in which the goal is to have law enforcement agencies in every locality and every state feed information to the FBI—is used to collect, store, and analyze information about US citizens, many of whom have not been charged with any crime.

The FBI is amassing a colossal database containing personal information on US citizens “whom a police officer or fellow citizen believed to be acting suspiciously.” All under the guise of the need to prevent violent attacks within the country. Priest and Arkin report that the US Department of Homeland Security “has given US$31 billion in grants since 2003 to state and local governments for homeland security and to improve their ability to find and protect against terrorists, including US$3.8 billion in 2010.”

As a result, 890 state and local law enforcement agencies have filed 7,197 reports in the past two years. Reports include individuals taking cellphone pictures of ferries, government buildings, and the like. According to Priest and Arkin, 103 of those reports have evolved into full investigations, resulting in at least five arrests.

Privacy and civil liberties activists, among others, have grave concerns about the scope of the FBI database and potential for misuse of it. According to Priest and Arkin, FBI officials respond to such concerns by saying “anyone with access has been trained in privacy rules and the penalties for breaking them.”

ACLU, others challenge suspicionless border searches of electronic devices

The American Civil Liberties Union (ACLU), the New York Civil Liberties Union (NYCLU), and the National Association of Criminal Defense Lawyers (NACDL) have brought a federal lawsuit (.pdf; 868KB) against an Obama administration policy allowing suspicionless search and seizure of electronic devices—laptops, smart phones, digital cameras, etc.—by US border officials. The lawsuit claims the Department of Homeland Security’s (DHS) policy permitting border agents to search, copy, and confiscate electronic devices is unconstitutional.

The lawsuit was filed on behalf of the NACDL, the National Press Photographers Association (NPPA), and Pascal Abidor, a 26-year-old Islamic Studies PhD student with dual French-American citizenship whose laptop was searched and confiscated at the Canadian border.

Abidor was travelling from Montreal to New York on Amtrak when he was questioned, handcuffed, taken off the train, and kept in a holding cell before being released without charge several hours later. His laptop, the password for which he was forced to enter, was confiscated and when it was returned 11 days later, there was evidence that his personal files had been searched.

“As an American, I’ve always been taught that the Constitution protects me against unreasonable searches and seizures. But having my laptop searched and then confiscated for no reason at all made me question how much privacy we actually have,” said Abidor in an ACLU media release. “This has had an extreme chilling effect on my work, studies and private life – now I will have to go to untenable lengths to assure that my academic sources remain confidential and my personal dignity is maintained when I travel.”

Obama wants your email

Published Wednesday, 14 April 2010 11:08PM CST by in Privacy


A federal magistrate judge in Colorado has ordered Yahoo to disclose—without probable cause or a warrant—email less than six months old to law enforcement officials. Yahoo has declined, citing the Stored Communications Act that requires probable cause and a warrant for disclosure of email to or from US citizens.

That six months old bit is more important than it appears. Disclosure of unopened email, less than 180 days old, requires probable cause and a warrant. After 180 days, disclosure of email—opened or unopened—does not require a warrant.

The Obama administration is claiming that email less than 180 days old that has been read by the recipient can be obtained without probable cause or a warrant—and never mind about the Fourth Amendment to the Constitution. Think of it as Obama’s warrantless email wiretapping. Kevin Bankston, Electronic Frontier Foundation (EFF) senior staff attorney, disagrees. “The government is trying to evade federal privacy law and the Constitution,” said Bankston in an EFF media release. “The Fourth Amendment protects these stored emails, just like it does our private papers. We all have a reasonable expectation of privacy in the contents of our email accounts, and the government should have to make a showing of probable cause to a judge before it rifles through our private communications.”

Warrantless wiretapping found to be illegal. Again.

Published Thursday, 1 April 2010 11:52PM CST by in Privacy


Judge Vaughn R. Walker, chief of the Federal District Court in San Francisco, ruled Wednesday that George W. Bush’s warrantless wiretapping program, first disclosed by the New York Times in December 2005, was illegal. Walker, in his 45-page decision (.pdf; 116KB), ruled that the National Security Agency violated a 1978 federal statute—the Foreign Intelligence Surveillance Act (FISA)—requiring warrants for domestic surveillance.

Bush argued vehemently that the president’s wartime powers allowed him to override FISA. Both Bush and President Obama have strenuously argued that the case should be dismissed for fear of revealing state secrets. Walker ruled that such use of the state-secrets privilege was “unfettered executive-branch discretion” that carried “obvious potential for governmental abuse and overreaching” and that Congress had passed FISA “specifically to rein in and create a judicial check for executive-branch abuses of surveillance authority.” Nonetheless, as emptywheel argues on Firedoglake, Walker’s ruling mostly leaves the state-secrets privilege intact.

In 2008, Congress modified FISA to legalize most of what the Bush administration had been doing in secret. Obama, then a senator, voted in favor of the modifications. Even with the modifications, however, FISA requires a warrant for surveillance of a US citizen or US-based organization.

Writing for the New York Times, Charlie Savage and James Risen point out this is the second time a federal court has found Bush’s warrantless wiretapping program to be illegal. “But a 2006 decision by a federal judge in Detroit, Anna Diggs Taylor, was reversed on the grounds that those plaintiffs could not prove that they had been wiretapped and so lacked legal standing to sue.” In this case the government accidentally disclosed a classified document—the document was later declared a state secret—that clearly showed the plaintiff, defunct Oregon-based Islamic charity Al Haramain and its lawyers, had been surveilled without warrants. While Al Haramain was prohibited from using the classified document, other public information (.pdf; 1.6MB) confirmed that the charity and its lawyers had been wiretapped without warrants.

Kevin Bankston, writing for the Electronic Frontier Foundation (EFF), notes that since ACLU v. NSA was overturned in 2007, “the focus of the government’s litigation strategy since then has been to avoid having any court rule on the merits of the issue.”

The penalty for violating FISA is five years in prison and a US$10,000 fine for each offense. Why isn’t anyone in jail? Salon’s Glenn Greenwald may have a piece of the answer.
