Drone use by police agencies in the US is set to drastically escalate in the coming months and years, yet we have very little information on how they plan on using them. Given the plethora of privacy dangers that drones pose to American citizens, the Drone Census gives everyone a way to bring some transparency to the process. In recent weeks, responses have started to pour in, so we wanted to share our preliminary results.
It’s important to point out that user participation is vital to our success, as the vast majority of the requests were filed on behalf of citizens concerned about their local police agency. MuckRock and EFF owe those who have participated a big thank you. If you haven’t filled out your own request, please go here to help out.
Here is a summary of what we’ve found. Of the 202 requests filed so far:
89 are awaiting response.
74 agencies have indicated that they have no responsive documents (and ostensibly no interest in drones). However, 8 of these agency leads came from the FAA's list of COA applicants. We're following up with these agencies, as they clearly have expressed interest in drones at some point.
19 have sent responsive documents.
7 agencies rejected the request on a variety of grounds.
14 require some other fix (redirect, rewording, payment, etc.).
California Bay Area
The Alameda County Sheriff’s Office, which serves the Bay Area, made waves when they announced two weeks ago they were “considering” getting a drone. The sheriff told NBC News they would use the drone mainly for “emergencies,” but documents obtained through our Drone Census and released last week show they’re past “considering” and are already seeking funding from the federal government.
Furthermore, in the interview with NBC, the sheriff also suggested the drone could be used to find marijuana growers—far from an emergency—but disturbing language in the new documents also says they could use it for spying on “suspicious persons” and “large crowd control disturbances”—exactly the type of general surveillance we’re concerned about.
Also, in EFF’s backyard, the San Francisco Police Department wanted to apply for a $100,000 grant of Homeland Security money for the purchase of a drone through the Bay Area Urban Area Security Initiative Program, according to documents obtained through our Drone Census. (This request and the Alameda request were sent out on behalf of a concerned user.)
The SF drone, which would’ve been equipped with video and infrared sensing capabilities, would have been used for “risk assessment for high-rise buildings or high-voltage power lines, monitoring large events and traffic and conducting search operations.” In other words, they would have used it for far more than just emergency situations, and could potentially have used it to spy on protests, track speeders, or conduct general surveillance.
The plan was ultimately rescinded, and it’s unclear if San Francisco is still pursuing grant money for a drone.
The documents we received from Seattle Police Department are perhaps the most troubling so far. Earlier this year, we reported how the Seattle City Council found out about the Seattle Police Department’s two drones only after Seattle’s name showed up on the FAA list released as part of EFF’s Freedom of Information Act lawsuit. When the police department went before the city council to apologize, they also pledged to work with the local ACLU affiliate to draw up privacy guidelines.
As MuckRock described, in July, Seattle Police Department issued departmental drone guidelines which, “limited UAS use to specific circumstances, underscoring that drones were not to be used ‘to provide random surveillance.’” But less than a month later, the policy was inexplicably eliminated: “A directive dated August 15, 2012 rescinded the drone deployment guidelines, without indicating any replacement guidelines or explaining the reasoning behind the move.”
While the department has rescinded the limitations, they also plan to expand their drone program and purchase two new units, despite the fact that the two drones they’ve already purchased sit unused. Given that the documents also suggest that “the FAA will significantly expand the area where [SPD] can operate [drones] in 2012” it is imperative that the City Council holds the police department to implementing binding privacy guidelines to protect its citizens.
Sadly, police agency interest in drones extends far beyond the Pacific Northwest. MuckRock has documents that show the Austin Police Department in Texas is aggressively pursuing drone funding, including an email from a police officer exclaiming “Wooo Hooo!” when the agency was initially accepted into a drone evaluation program of a drone manufacturer. We’ve also gotten more documents from Miami-Dade County to add to the documents EFF received earlier this year.
While we’ve seen results so far, Drone Census isn’t even close to over; in fact, it’s just beginning. You can go here to fill out MuckRock’s simple form that allows you to submit and track a public records request to your own local police station (or any police agency in your state). More than 200 agencies is a lot, but there are at least 18,000 law enforcement agencies in the country, so we need your help.
On Friday, EFF and the ACLU submitted an amicus brief in United States v. Rigmaiden, a closely-followed case that has enormous consequences for individuals' Fourth Amendment rights in their home and on their cell phone. As the Wall Street Journal explained today, the technology at the heart of the case invades the privacy of countless innocent people that have never even been suspected of a crime.
Rigmaiden centers around a secretive device that federal law enforcement and local police have been using with increased frequency: an International Mobile Subscriber Identity locator, or “IMSI catcher.” These devices allow the government to electronically search large areas for a particular cell phone's signal—sucking down data on potentially thousands of innocent people along the way—while attempting to avoid many of the traditional limitations set forth in the Constitution.
How Stingrays Work
The Stingray is a brand name of an IMSI catcher targeted and sold to law enforcement. A Stingray works by masquerading as a cell phone tower—to which your mobile phone sends signals every 7 to 15 seconds, whether you are on a call or not—and tricks your phone into connecting to it. As a result, the government can figure out whom you are calling, when, and to where, the precise location of every device within range, and with some devices, even capture the content of your conversations. (Read the Wall Street Journal’s detailed explanation for more.)
In Rigmaiden, the government asked a federal judge in Northern California to order Verizon to assist in locating the defendant, who was a suspect in a tax fraud scheme. But after it received an order telling Verizon to provide the location information of an Aircard it thought to be the defendant’s, the government took matters into its own hands: it claimed this authorization somehow permitted its own use of a Stingray.
Not only did the Stingray find the suspect, Rigmaiden, but it also got the records of every other innocent cell phone user nearby.
The government now concedes that the use of the device was a “search” under the Fourth Amendment and claims it had a warrant, despite the fact that, as we explain in our brief, “the Order directs Verizon to provide the government with information and assistance, but nowhere authorizes the government to search or seize anything.”
In fact, the government's application made no mention of an IMSI catcher or a Stingray, and only has a brief sentence about its plans buried at the end of an 18-page declaration: “the mobile tracking equipment ultimately generate[s] a signal that fixes the geographic position of the Target Broadband Access Card/Cellular Telephone.”
A judge initially signed off on this order, but clearly, the government did not accurately and adequately explain what it was really up to.
General Warrants: Unconstitutional, All You Can Eat Data Buffets
Beyond the government's conduct in this specific case, there is an even broader danger in law enforcement using these devices to locate suspects regardless of whether they explain the technology to judges: these devices allow the government to conduct broad searches amounting to “general warrants,” the exact type of search the Fourth Amendment was written to prevent.
A Stingray—which could potentially be beamed into all the houses in one neighborhood looking for a particular signal—is the digital version of the pre-Revolutionary war practice of British soldiers going door-to-door, searching Americans’ homes without rationale or suspicion, let alone judicial approval. The Fourth Amendment was enacted to prevent these general fishing expeditions. As the Supreme Court has explained, a warrant requires probable cause for all places searched, and is supposed to detail the scope of the search to ensure “nothing is left to the discretion of the officer executing the warrant”.
But if uninformed courts approve the unregulated use of Stingrays, they are essentially allowing the government to enter into the home via a cellular signal at law enforcement’s discretion and rummage at will without any supervision. The government can’t simply use technology to upend centuries of Constitutional law to conduct a search they would be prevented from doing physically.
Stingrays Collect Data on Hundreds of Innocent People
And when police use a Stingray, it’s not just the suspect’s phone information the device sucks up, but that of all the innocent people around the suspect as well. Some devices have a range of “several kilometers,” meaning potentially thousands of people could have their privacy violated despite not being suspected of any crime. This is another fact the government didn’t fully explain to the magistrate judge in Rigmaiden.
The government now claims it protected privacy by deleting all third-party data on its own after it collected it. But the government’s unilateral decision to binge and purge comes with its own consequences. Now there’s no way to know what exactly the government obtained when it used the device.
Had the government told the court what it really was planning on doing and the amount of information it would obtain, the court may have exercised its constitutional role of ensuring the government narrowed its search. After all, it was for the court, not the government, to decide how best to balance the government’s need for information with third-party privacy, and any suspect’s future interest in access to potentially exculpatory information.
The French Data Protection Authority (CNIL), known to be one of the most assiduous data protection authorities in Europe, was designated by an EU committee to lead the investigation. The timing of the letter is significant: Next week, data protection commissioners from across the globe will congregate in Punta del Este, Uruguay for an annual convention on international privacy standards and emerging issues in the field of data protection.
The group of 27 data protection authorities, who submitted the letter under the banner of the Article 29 Data Protection Working Party, asked Google to revise its privacy practices in two key areas. They called for more transparency on the collection and use of individuals’ personal data, and changes to the newly implemented policy of combining user data across a range of Google services. On the transparency front, the EU data protection authorities are asking Google to provide clearer and more comprehensive information about what data it is collecting and how that information is being used. The commissioners suggest using “interactive presentations” to help get the message across.
The authorities also charged that Google failed to give European users control over the combination of data from across its numerous platforms, such as web searches, Blogger, YouTube or Gmail. To remedy this, the authorities are asking Google to give users the opportunity to choose when their data will be combined, and to “reinforce users’ consent” to have data about them rolled together from multiple accounts. The commissioners also asked Google to simplify users’ right to opt out of having data about them combined across multiple services.
But not everyone interprets the letter the same way. Privacy expert Simon Davies, writing in a blog post analyzing the EU move, characterized it as a first step toward litigation rather than a mere request:
“The reality is that the letter is an iron fist in a velvet glove. Although camouflaged with words such as “challenge” and “request” the letter clearly opens the litigation terrain to national regulators who will be doing more than “requesting”. Article 29 has created an evidence-based foundation for all regulators to commence legal proceedings.”
While there are a range of opinions on Google’s policy change, it’s clear to us that Google should not create European-specific products apart from their global services. Right now, the strong privacy laws in Europe benefit people all over the world because international companies (like Google) are striving to reach the tough European standards. We see an example of this with data portability, in which companies like Twitter and Google are increasingly providing users with simple ways to access the entire user dossier the company has compiled on them. This concept, which stems in part from data access rights under European privacy law, is increasingly being made available both to users in Europe and, in ripple effect, to people around the world.
So while we encourage the European regulators and Google to continue moving forward in productive conversations, we also remind both Google and European regulators that resolving this disagreement by balkanizing Google’s services won’t benefit users or innovation.
Today is Ada Lovelace Day, when EFF and technology users around the Internet celebrate women in science, technology, engineering, and math. What better excuse to revisit how some issues core to EFF's mission particularly impact women?
We often talk about just how dangerous the flawed U.S. patent system is for innovation. Our primary gripes surround software patents, but many misguided patent laws in other subject matter areas negatively affect our society, too. Case in point: ongoing litigation surrounding patents covering naturally occurring human genes that, when present, signal an increased likelihood of developing breast cancer.
The case, Association for Molecular Pathology v. Myriad, has been bouncing through the courts for some time now. The ACLU and the Public Patent Foundation filed the lawsuit in May 2009, representing 150,000 geneticists, pathologists, laboratory professionals, and individual breast cancer patients. The plaintiffs argued that the patents covered nothing more than laws of nature and asked that they be invalidated. The district court agreed, but the Federal Circuit reversed, holding that the isolated genes contained molecules that were "markedly different" than those that occur in nature. The parties challenging the patents asked the Supreme Court to review the case. While their petition was pending, the Supreme Court issued its ruling in Mayo v. Prometheus. Mayo invalidated a patent covering diagnostic testing and stated unequivocally that laws of nature could not somehow become patentable merely because an applicant included "well-understood, routine, conventional activity previously engaged in by researchers in [the] field."
This background is important. After the Supreme Court issued its unanimous opinion, it also sent the Myriad case back to the Federal Circuit, asking the judges to reconsider their ruling in light of Mayo. In August 2012, the Federal Circuit issued another opinion, again upholding Myriad's patents covering the "breast cancer genes" and claiming that the ruling in Mayo shouldn't apply because of the types of claims at issue. (The Federal Circuit has recently had some internal disagreement about just how to apply Mayo—we think it's easy: simply apply the rule to all § 101 inquiries. Period.)
It's safe to say that this case is not going away anytime soon. The patents' challengers will likely ask the Supreme Court to weigh in, and if the justices believe the Federal Circuit failed to properly apply the Mayo ruling (as we do), there is a decent chance the Supremes could take the case.
The ACLU and the Public Patent Foundation have brought an important fight, one that highlights some of the most pernicious effects of improvidently granted patents. Because Myriad owned the patents, testing on these two genes could only take place in Myriad's own labs, meaning that others could not develop tests on those genes, depriving women of alternative (and cheaper) tests. The patent system is supposed to incentivize and spread innovation, not cut people—women, men, or children—off from its benefits.
This international meeting brings together commissioners working on privacy regulation and personal data protection with experts, nongovernmental organizations, and academics focused on these crucial issues. The conference is held to foster exchanges and promote knowledge sharing. Discussions will cover data protection and e-Government, the role of technology in open government, issues surrounding geo-location, security of health records, online behavioral advertising, biometrics and more.
Speakers will include leading academics, representatives from civil society organizations, representatives from tech companies, and government officials who work on issues concerning privacy and technology.
With increased collaboration between governments and corporate vendors of surveillance technologies, widespread use of CCTV cameras and biometric databases, and national legislative proposals under consideration to grant law enforcement agencies broader access to online communications, the time is surely ripe for an international check-in on policies designed to uphold the right to privacy around the world.
When this event was held in 2009, experts from more than 100 nongovernmental organizations representing 40 countries collectively drafted the Madrid Privacy Declaration, an expansive statement reaffirming privacy as a fundamental human right and calling upon countries to bolster national and international frameworks on privacy protection.
Have individuals been given stronger safeguards against the collection and use of their personal information since the recommendations and objectives of the Madrid Privacy Declaration were issued?
On the one hand, one only needs to scan the headlines to find horror stories – remember the LinkedIn data breach? Target’s use of behavioral advertising to figure out a teen was pregnant before her parents did, which became obvious when she began receiving ads for maternity needs? Or the FBI's growing use of facial recognition technology? Anecdotes like these illustrate that there is much work to be done before privacy is adequately safeguarded, particularly in the United States.
At the same time, there have been developments on privacy standards in the U.S. and at the international level. Two separate policy instruments created by intergovernmental organizations in the early 1980s, the Organisation for Economic Cooperation and Development (OECD) privacy guidelines and the Council of Europe Convention 108 privacy treaty, respectively, have come up for review. Civil society organizations such as EFF are weighing in on how these standards can be strengthened to better protect privacy, free speech and human rights, but it's still too soon to say how the policy discussions will play out.
Data protection agencies have also taken steps to enhance privacy in the commercial realm. For example, Facebook recently disabled its automatic facial recognition software in Europe following an investigation by the Irish Data Protection Commission. When it comes to governmental surveillance practices and law enforcement use of technology to intercept communications or gather personal information, there remains a critical need for strong due process standards and legal safeguards for government access to citizens' data.
Here in the United States, both the Federal Trade Commission and the Obama Administration (in conjunction with the Department of Commerce) have issued reports calling for stronger consumer privacy protections at the national level. A proposed consumer privacy framework known as the Consumer Privacy Bill of Rights, outlined in an Obama Administration white paper, is based upon the widely accepted Fair Information Practices – a set of privacy principles that are explicitly endorsed and supported by the Madrid Privacy Declaration. As EFF has noted before, the success of this initiative will ultimately depend upon how it is implemented and whether it is ultimately committed to formal legislation.
EFF looks forward to participating in this global meeting with prominent advocates on these issues, and we’re committed in the long run to enhancing privacy standards in the U.S. and around the world.
EFF's NSA Spying design is back by popular demand. This spot-on graphic depicts the National Security Agency's glowering red-eyed eagle using his talons to illegally plug into Americans' telecommunications system with the help of telecom giant AT&T. Show your support for EFF's fight against warrantless surveillance with the new NSA Spying zip-up hooded sweatshirt! Get your hoodie as a free gift when you become a Titanium level member or for a limited time at EFF's online shop.
Defending rights online means more than just standing up for abstract principles. It means supporting the users and developers who want to make technology better. And needless to say, women are an essential part of that project.
That's why we're excited to participate in Ada Lovelace Day, an international celebration of the accomplishments of women in technology and technology policy. Who is Ada and why should you care? Ada Lovelace is believed to have written the first algorithm read by a machine, making her one of the first computer programmers.
Originally organized by Suw Charman-Anderson in 2009, Ada Lovelace Day inspires thousands of people to write blogs in support of women in science, technology, engineering and math fields. We're proud to have had our fearless leaders Shari Steele and Cindy Cohn featured by Ada Lovelace Day participants Adafruit and BoingBoing in the past.
Here's a round-up of some of our favorite posts in celebration of Ada Lovelace Day 2012 (and we'll keep updating this list throughout the day):
Women, Tech and OER by Cathy Casserly of Creative Commons: [We've] formed a task force to determine how open educational resources (OER) can support the success of girls and women in STEM fields. As I said in that announcement, the challenges of the future will require bright, ambitious, well-educated people of both genders.
Ada Lovelace Day San Francisco: Join Wikimedia, Mozilla and the Ada Initiative, Tues. October 16th for mingling, a short talk about Ada Lovelace, light snacks and drinks. People of all genders and interests are welcome to attend!
Feminist blogger Clarisse Thorn released her newest book, Violation: Rape in Gaming, an anthology about consent and online communities with tech journalist Julian Dibbell. She timed the release to be in conjunction with Ada Lovelace Day and the authors are donating 10% of the proceeds from ebook sales to the EFF. Thanks Clarisse!
Renata Avila of Global Voices has published an inspiring article about the women doing pioneering work in technology and free expression around the world.
EFF looked back at our past Pioneer Award winners and did a roundup of the 12 women we honored for their contributions to technology and tech policy.
The people who make design decisions and write company policies are more aware than ever of marginal use cases that primarily affect women. We've been fighting to defend the use of pseudonyms on social networks and keep control over gender identity in the hands of social network users. Organizations that track Internet censorship are highlighting the damage done to family planning and reproductive rights websites when censorship is carried out based on sexual language. And social networks are facilitating online collective action around controversial issues that could not be discussed on the street. But these victories did not happen by themselves. It took activists, technologists, lawyers, and policy makers who understood the problems to speak out.
Please join us — it's easy! Just blog, tweet #findingada, post on Google+, and tell your friends. You can write about women in technology that have inspired or influenced you, or you can write about technology issues that particularly affect women. If you do, we'd love to add your article to our list. Email firstname.lastname@example.org.
Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.
The Dutch Council referred the question of legality to the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.
The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation (read here and here) compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.
The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.
The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court.
We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible.
A government proposal to this effect is currently before the Dutch House of Representatives.
The Dutch Council's concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was prompted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.
Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.
The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable.
The German court outlined in detail the technical limitations of biometric passports, arguing that (paraphrased):
a biometric passport is not an appropriate measure because of the rate of mistakes which are made at border controls. Another problem is the durability of the RFID chips inside the passports, and their susceptibility to being read by people who have no legal authority to read them. … If the goal of the measure is to prevent terrorist attacks, then these biometric passports are suitable only to a very limited degree. The primary problem is the security risk that arises from the use of real passports that incorporate a fraudulently obtained identity.
In 2008, the European Court of Human Rights issued a landmark judgment on biometric privacy. In S. and Marper v. the United Kingdom, the Court held that the long-term retention of both fingerprints and DNA samples interfered with an individual’s right to privacy and, consequently, found a breach of Article 8 of the ECHR. The fingerprints and DNA samples were collected following the arrest of the complainants and retained even after their release, even though the complainants had asked for the destruction of the samples.
European countries are increasingly collecting and storing citizens’ biometric data. Throughout the world, countries are beginning to implement contactless 'RFID' chips in passports or mandatory national biometric ID cards. Other countries, such as the Netherlands, have implemented database storage. Last year, an alliance of more than 80 civil society organizations including EFF requested the Council of Europe's (CoE) Secretary General to start an in-depth investigation on the collection and storage of biometric data by Member States.
Based on Article 52 of the ECHR, the COE's Secretary General has a personal investigatory power to request an explanation from Member States as to how their internal law ensures the effective implementation of any of the provisions of the ECHR, including the right to privacy. This is why the alliance has requested that the COE's Secretary General ask its Member States to explain how their national biometrics laws comply with the ECHR and the rulings of the European Court of Human Rights. As of now, the Council of Europe has refused to carry out such an in-depth investigation. In light of the recent Dutch decision, EFF reminded the COE's Secretariat General of the need to carry out such an investigation.
EFF will continue to fight against the collection and storage of mandatory ID biometrics by governments, especially in view of its inherent unreliability and the new threats to privacy and security posed by such technology.