Keeping Tabs

by | July 18, 2019

Imagine you’ve committed a crime. You’re going to court. Maybe you’re being accused of murder, or getting involved in a few burglaries. You’re guilty, but you’re desperate to walk free. You’re organising your case with your lawyer, and at a certain point in proceedings you have to present all the evidence you plan to use to the prosecutors, and they have to do the same. You’re making your way through their evidence when you get caught on this abbreviation, CSLI: cell site location information. It becomes clear what the prosecutors are doing. You realise that the police have contacted your cell-service provider (EE, 3, O2, etc.) and requested CSLI for this case. The information details which cell towers your phone connected to when searching for service. It links you very accurately, in location and timeframe, to the crimes.

This was the predicament in which US defendants Aaron Graham and Eric Jordan found themselves: on trial in a Maryland District Court in 2016, arguing that the acquisition of the CSLI was a violation of the Fourth Amendment (which prohibits unreasonable searches and seizures, and sets requirements for issuing warrants). Graham and Jordan were being charged with a series of armed robberies. Law enforcement had confiscated their phones and, without a warrant, contacted Sprint (their cell-service provider) for CSLI to place them near the robberies. Sure enough, Sprint provided the evidence linking Graham and Jordan to the time and location of four separate robberies. Their lawyers contested the evidence, claiming that it allowed the government “to paint an intimate picture of the defendants’ whereabouts over an extensive period of time,” but the court denied the request, prosecuted them, and they were sent to prison.

Until recently, the acquisition of CSLI without a warrant had been perfectly legal in the US. The US justice system works on precedent, as it does the UK, meaning that previous cases are cited to add validity to certain claims. United States v. Graham is just one of a host of cases that helped establish the government’s ability to access the location of any defendant without a warrant – until recently. In 2017, this discussion was thrust into the mainstream all across the US by one of the most significant privacy cases in history: Carpenter v. United States. A Michigan District Court jury had convicted Timothy Carpenter of armed robbery, and after a number of appeals from Carpenter to re-evaluate the case, it was eventually reviewed by the Supreme Court, the highest court in the United States. As in US v. Graham, government prosecutors were able to determine that Carpenter’s cellphone communicated with certain cell towers at certain times, and had used CSLI to link him to four robberies. All investigations were completed without a search warrant.

The legal specifics of the case are complicated. Like in US v. Graham, the dispute involves discussion of numerous different aspects of criminal justice procedure: the difference between court orders for disclosure and search warrants, the 1986 Stored Communications Act which  governs the privacy of stored Internet communications, and the ‘third-party’ doctrine, which determines whether citizens can expect privacy when disclosing information to a third-party (in this case, cell-service providers). To the average person, the legal justifications don’t seem important, but the June 2018 Supreme Court ruling was monumental; in a five-to-four majority decision, the court ruled that the government, when it accesses historical CSLI without a warrant, is in violation of the Fourth Amendment. In a seminal departure from precedent established by cases like Graham, the Court found that the proliferation of cell-phones in the modern world meant that the rules had changed. The Opinion of the Court neatly sums it up as follows:

[S]eismic shifts in digital technology […] made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years. Sprint Corporation and its competitors are not your typical witnesses. Unlike the nosy neighbor who keeps an eye on comings and goings, they are ever alert, and their memory is nearly infallible. There is a world of difference between the limited types of personal information addressed in Smith and Miller [landmark privacy cases from the 1970s] and the exhaustive chronicle of location information casually collected by wireless carriers today.

Cases like Graham and Carpenter provide insulated environments in which lawyers and judges can conceptually address data privacy, one of the most pressing issues of the modern world. It’s easy to feel distanced from the issue; after all, we aren’t criminals, are we? But the Supreme Court conspicuously mentions “everyone else”; that’s us. Unless people around the world acknowledge that the implications of conclusions around CSLI and location data ripple out far beyond the courtroom, Carpenter v. United States will have been for nothing. Criminals and defendants aren’t the only people affected by the concerns surrounding location data, and it doesn’t take much imagination to realise that location tracking can and does affect the regular consumer, in numerous ways, on a day-to-day basis.

You know when you’re talking about something with a friend, and then a minute later you check your phone and see an ad for the exact thing that you were talking about? Facebook and Instagram (who are usually the culprits) aren’t actually listening in; they’re exploiting your location data. In an episode of the tech podcast Reply All, hosts Alex Goldman and PJ Vogt debunked this urban myth. With the help of ex-Facebook employee Antonio Martinez, they demonstrated that location tracking (using CSLI) and the Facebook ‘check-in’ feature created a pretty accurate map of your surroundings, and that that, rather than sound recording, was one of the biggest factors in targeted ads. If you’ve been to Caffè Nero, Facebook knows you’ve been, and if you’ve been eight times in a week, Facebook knows you love Caffè Nero. In the all-too-common occurrence of feeling like your conversations are being listened in on, the likelihood is that Facebook knows that you and your friend are together, and bases your advertising profile on the recent consumer interactions of both parties. From patterns of movement, companies are able to weaponise your location data against you and tailor your advertising profile accordingly.

Even when location data is anonymised, it can be reliably traced back to you. Last December, The New York Times ran a piece on their website using forty-six-year-old maths teacher Lisa Magrin as an example: the data they accessed, which had been sold without her knowledge, traced her to her home, the school she taught at, her ex-boyfriend’s house, and even her weightwatchers class. Connecting the dots, you could pretty easily correlate her location data with her identity. Nine out of ten times, you could do the same with anyone; researchers at MIT and the Université Catholique de Louvain in Belgium found that it took very few pieces of data to uniquely identify ninety-five percent of users. Could someone identify you if they were just looking at a map with your footprints on it? Statistics suggest they could.

Even more concerning are examples of government agencies tracking the location of their citizens. This year, leaked government documents revealed that the Trump administration systematically identifies and monitors many journalists, attorneys, and even protestors who work on immigration and civil rights. In a secret database accessible to the Department of Homeland Security, suspects’ names, dates of birth, and passports are available, alongside suspected links to ‘migrant caravans,’ immigration journalism, anti-NRA protests, and immigration protests. The Western consciousness often relegates this kind of surveillance to China or North Korea, but it happens right under our noses. What if the Trump administration had obtained warrantless location data, too? Suddenly, the Carpenter ruling takes on the significance of protecting dissenting journalists and upholding the right to criticise government policy. If it hadn’t been for the landmark privacy case, location data would’ve made the database even more invasive, and even more troubling.

To make things more complicated, CSLI isn’t even the only way your location can be tracked. Whilst governments might not be able to access CSLI without a warrant, there’s plenty of other ways to obtain location profiles. Have you used Uber in the past year? If so, you’ve created a locational profile for yourself through their app, based on your rides. Up until 2017, Uber could track you even when you weren’t in the car; this controversial, since-removed feature, which they say was used to optimise pickups and dropoffs, was likely used to build locational profiles of users and establish how long the average user might walk before and after a journey. What about a fitness app? You’ll meet the same problems. In fact, running/cycling app Strava’s location services were so used by so many people that they unintentionally gave away the location of multiple secret US military bases. The company released a global heatmap visualisation of running routes as a way for users to see popular trails, but analysts quickly noticed that military personnel, who’d been using the app to keep in shape, had created accurate heatmap representations of operating bases in locations such as Afghanistan, Djibouti, and Syria. Whilst the average consumer doesn’t have the same considerations as the US military, it’s a stark reminder of just how intrusive running apps can be. Apple Pay, WiFi connections, Google searches from your IP address: all of them can be correlated to create an accurate map of your location through your phone. If you’re not worried, you should be, and if you don’t believe me, search up “meet jack ACLU” on YouTube. No spoilers.

In the UK, we haven’t had our Carpenter v. United States yet. If you Google “CSLI US” you’ll find hundreds of results about privacy, with news outlets reporting the monumental Supreme Court case, Youtube videos explaining how cell towers work, and article upon article celebrating the landmark ruling or looking forward to the future. Do the same with “CSLI UK”, and all that’s there is maths textbooks, computational linguistics analysis, and an NGO called the Lazarus Union whose website looks like it was made in 2002. In 2016, the British government released an appendix to its Codes of Practice and Conduct, put together by the inspiringly-titled Forensic Science Regulator. It’s pretty difficult to find, but the title reads “Appendix: Digital Forensics – Cell site analysis.” It’s 23 pages long (bear in mind that the pdf. of Carpenter v. US is an enormous 119-page document). Nowhere in the directives are the implications of the technique mentioned. The word ‘privacy’ doesn’t appear once. It’s interesting, if concerning, that the same discussions around the justifications and objections to CSLI and location tracking raised in the US just don’t seem to be happening in mainstream UK discourse.

The world over, we need to assess the way we think about location data. Some might use the word ‘reassess’, but in many ways this is the first time location data has been addressed at all; if the Supreme Court of the US is acknowledging the speed of technological development, we certainly need to as well. We need to think about it at an institutional level; there’s a very limited amount any given consumer can do to protect their location privacy. Google can track you in numerous ways even if you do turn off location history, and without a significant amount of time and effort, a regular user can’t reliably stop that. We’re relying on institutions like the Supreme Court and the government to take action, and that won’t happen without advocacy. We need to get started. 

 

Words by Mack Willett. Artwork by Alice Yang.