Is your Digital Shadow Exempt from the 4th and 5th Amendment Rights?

Introduction

George Orwell wrote in 1984: “Big Brother is Watching You”, and while there is little evidence of large-scale government surveillance within the UK, there are increased opportunities for governments around the world to snoop and gather evidence on citizens. Luckily we have acts such as the DPA (Data Protection Act), which protects us from those who aim to gain access to data held within protected infrastructures, but the ease of access to this data increases the opportunities for spying. The flip side of the DPA is RIPA (Regulation of Investigatory Powers Act), a law which allows law enforcement agencies access to data on citizens for their Internet records. In the US the PRISM program provides an easier mechanism to access cloud-based records, especially as it has now gained access to the nine major Internet companies, including Microsoft, Google, Facebook and Apple.

With the growth of the Cloud, social media and mobile devices, we are all leaving traces of our activities, whether it be Twitter posts, Facebook activity, mobile phone records, and so on, and these form a digital shadow which is difficult to erase. Figure 1 outlines some of the traces that we leave, and many of these data sources are open source.

Figure 1: Big Data traces

Law Enforcement Requests

Last week it was revealed that, in 2007, Yahoo refused a demand from the NSA for bulk email metadata, but subsequently lost its fight both in the Foreign Intelligence Surveillance Court (FISC) and in an appeal to the Foreign Intelligence Court of Review. Yahoo then, in 2008, finally ended its resistance to the NSA’s PRISM program when it faced a $250,000 a day fine if it didn’t comply. In fact it was one of the first of nine major Internet companies that were forced to comply with these requests, a group which includes Microsoft, Google, Facebook, YouTube, Skype, AOL and Apple.

Yahoo have since fought to unseal the case documents in order to provide some transparency around the data collection programs, and around the fact that the FISA Court has approved nearly every data request. Several companies such as Yahoo have been criticised for allowing data to be released, but the newly released records show that they doggedly tried to fight against it.

Yahoo fought back on the grounds of the Fourth Amendment, which prohibits unreasonable searches and seizures, and requires that searches be sanctioned by a judicial warrant and supported by probable cause. In the PRISM requests, Yahoo felt that the requests were too broad in their scope, and thus violated the Constitution.

Working across borders

One of the greatest challenges for investigators is working across national boundaries, and UK law enforcement often struggles to gain access to digital information which is held within US-based Cloud infrastructures. Government departments in the US seem, though, to have a much stronger ability to get Microsoft to release information held within its Dublin-based Cloud infrastructure.

In the UK, RIPA defines that law enforcement agencies can gain access to digital information on citizens, with the support of a warrant, whereas, in the USA, the PATRIOT Act has a much wider coverage for law enforcement agencies to obtain information on individuals, if relevant to counter-terrorism or counter-intelligence investigations. At the most extreme end, Section 215 of the USA PATRIOT Act allows the FBI to gain information from the Foreign Intelligence Surveillance Court related to international terrorism or espionage. This allows the US authorities access to personal data stored within the EU by US-based companies, completely disregarding UK and EU legislation on data protection. These requests are known as National Security Letters (NSL), and are requests from the FBI to organisations, and should not relate to ordinary criminal, civil or administrative matters.

In 2013, Google published in its transparency report that it received 53,356 requests for data affecting 85,148 accounts [2]. Table 1 outlines the requests within the USA, and the percentages of these that were accepted, along with the number of accounts affected. It can be seen that the rate of acceptance of the requests ranges from 75% to 100%. For 2013, Microsoft received a total of 35,083 requests related to 58,676 user accounts, which resulted in a rejection rate of 3.4% [1] (although 17.85% of the requests resulted in no data being found). It can thus be seen that the majority of requests are accepted, and go forward to a disclosure to the requester.

Table 1: Google requests for personal information (2013, USA)

Type                    Requests   Requests accepted   User accounts affected
Other Court Orders      689        75%                 1,588
Search Warrant          2,537      81%                 4,180
Emergency Disclosures   153        78%                 217
Subpoena                7,044      84%                 11,999
Pen Register Order      140        90%                 259
Wiretap Order           11         100%                11

Protecting data

Users should always encrypt sensitive data before placing it into cloud infrastructures, but they must be able to hand over their encryption key when required. This was highlighted in 2014 when Christopher Wilson, from Tyne and Wear, was jailed when he refused to hand over encrypted passwords related to investigations into an attack on the Northumbria Police and the Serious Organised Crime Agency’s websites. He handed over 50 encrypted passwords, but none of these worked, so a judge ordered him to provide the correct one, but after failing to do this, he received a jail sentence of six months.

In 2012, Syed Hussain and three other men were jailed for discussing an attack on a TA headquarters using a home-made bomb mounted on a remotely controlled toy car. Syed, who admitted having terrorist sympathies, was jailed for an additional four months for failing to hand over a password for a USB stick.

In the UK, citizens have the right to silence (a Fifth Amendment Right in the US – related to the right against self-incrimination), but there is an exception to this for encryption keys, which is covered by Section 49 of RIPA, and the failure to reveal encryption keys can often be seen as a sign that someone has something to hide.

Who protects you?

As the Big Nine Internet companies finally gave in to the PRISM Act, there is a general worry about the scope of the PATRIOT Act in the US. Thus the EFF (Electronic Frontier Foundation) have awarded gold stars to organisations for the following [3]:

Star 1: Requires a warrant for content.
Star 2: Tells users about government data requests.
Star 3: Publishes transparency reports.
Star 4: Publishes law enforcement guidelines.
Star 5: Fights for user privacy rights in courts.
Star 6: Fights for user privacy rights in Congress.

The six star companies include Dropbox, Google, Microsoft, Twitter, and Yahoo, while Amazon gains two stars (stars 1 and 5), along with AT&T (stars 3 and 4).

Getting rid of your digital shadow

Our digital footprint on the Internet is being traced on a continual basis. Some of it is logged from the information we readily provide to the Internet, but there is also a whole lot of information that is logged without us having control of it. Within the Google Cloud, there is information on our locations, our Web history and the Apps we install, all of which can be used to build up a picture of our activities.

Figure 2 shows an example of where I travelled from Edinburgh to Aberdeen for a Xmas Schools Cyber lecture. It shows the complete journey archived from location tracking from an Android phone. You can see it also contains a timeline, so that the speed over various parts of the journey can be calculated. Both Apple and Android phones, by default, gather this information and store it within cloud-based systems, giving a mine of information for investigators.
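To show how little is needed to turn an archived timeline into a record of movement, the following is an added example (not part of the original post, and not Google's export format) that computes distance and average speed for each leg of a journey from timestamped fixes. The coordinates are approximate, the timestamps are constructed, and the function names are illustrative.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0  # mean Earth radius

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def segment_speeds(fixes):
    """Return (start_time, km, km/h) for each consecutive pair of fixes.

    fixes: iterable of (iso_timestamp, lat, lon). Fixes are sorted by time;
    pairs with no time gap are skipped rather than divided by zero.
    """
    parsed = sorted((datetime.fromisoformat(t), lat, lon) for t, lat, lon in fixes)
    out = []
    for (t1, la1, lo1), (t2, la2, lo2) in zip(parsed, parsed[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        if hours <= 0:
            continue
        km = haversine_km(la1, lo1, la2, lo2)
        out.append((t1.isoformat(), round(km, 1), round(km / hours, 1)))
    return out

# Constructed sample: approximate coordinates, invented timestamps.
SAMPLE_FIXES = [
    ("2013-12-10T07:30:00", 55.953, -3.188),  # Edinburgh
    ("2013-12-10T08:20:00", 56.462, -2.971),  # Dundee
    ("2013-12-10T08:50:00", 56.462, -2.971),  # stationary for 30 minutes
    ("2013-12-10T10:05:00", 57.149, -2.094),  # Aberdeen
]

if __name__ == "__main__":
    for start, km, kmh in segment_speeds(SAMPLE_FIXES):
        print(f"{start}  {km:6.1f} km  {kmh:6.1f} km/h")
```

Straight-line distances understate the road distance, so the speeds are lower bounds; the stationary leg still shows up as a stop of known place and duration.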

With the increasing usage of cloud infrastructures, it is extremely difficult to actually remove the full traces of a digital footprint, especially with back-up systems storing deleted files and with disk systems still containing fragments of files even though the files have been deleted. In fact, a disk can contain a fragment of a file for years after it was deleted.

Figure 2: Example location information in Google Cloud

Conclusions

We are increasingly creating a long digital shadow in the Cloud, and this information is typically stored within the cloud infrastructures created by US-based companies, such as Google, Microsoft and Apple. It has been seen that these companies often must comply with the PATRIOT Act, even when it overrules European data protection laws. Law enforcement agencies in the UK often struggle to gain access to US-based information, thus agencies within the US have an advantage over their UK-based equivalents.

In terms of spying on citizens, there are increasing opportunities for this to happen, but our citizens should be protected by data protection acts. The major change happens around criminal investigations, where RIPA allows law enforcement to gather cloud-based data, typically held with ISPs (as these tend to be UK-based). They have a much greater challenge in gaining access to information held by US-based companies.

In terms of protecting information in Cloud-based systems, encryption is the best solution, but there is no guarantee that a law enforcement agency will not come along and demand the keys to decrypt the information. For many, with so many passwords, this might be difficult to comply with, and innocent citizens could be imprisoned for just forgetting their password, or not knowing the place they have kept their secret keys.

For Yahoo, from being criticised for being one of the first Internet companies to comply with requests related to PRISM, they have now been shown to actually have fought against the request. They have fought to release the documents around the fine, in order that there is some transparency around it. For the major Internet companies, such as Microsoft, Google, Facebook and Apple, there is a strong focus on user trust, and they are keen to make sure that they can build trust with the user, in that the companies will fight on their behalf against PRISM requests.

References

[1] http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
[2] http://www.google.com/transparencyreport/userdatarequests/
[3] https://www.eff.org/who-has-your-back-2014
