Coalition member GritsForBreakfast.org has been keeping up with the growing list of states that now require a warrant for police to access cell phone location data. This summer, Tennessee’s law went into effect.

Tennessee joins Montana, Virginia, Utah and Maine — states that also passed state legislation to grant citizens this protection. Courts gave the citizens of New Jersey and Massachusetts similar protections.

We expect Senate State Affairs to look closely at the activity in other states as it considers doing the same for Texas. The committee will hear testimony from the public on September 16th. Add your voice!

{ 0 comments }

Dust off your Sunday shoes and come to the Capitol!

by Kathy Mitchell on August 25, 2014

If you don’t want the police, or for that matter anyone else, to be able to find you anywhere, anytime from your cell phone’s tracking data, then we’ve got the event for you.

COMMITTEE:    State Affairs
TIME & DATE:  8:00 AM, Tuesday, September 16, 2014
PLACE:        Texas State Capitol Extension, Rm. E1.012 (Hearing Room)
CHAIR:        Senator Craig Estes

The Senate’s State Affairs Committee – a powerful committee with broad jurisdiction – will take testimony on some of the most important electronic privacy issues of our time: who can track your whereabouts from your phone without a warrant (hint: the government), what data is being collected about you (a lot), who can view that data (just about anyone).

The Committee will produce a report on these topics that is likely to launch a heated debate about Texas EPC’s main proposal (“officer, get a warrant!”) in the coming legislative session.

We expect the Senators will hear from some national experts (possibly Christopher Soghoian) and some locals like Scott Henson of Grits for Breakfast, and then it will be our turn. The committee is taking public testimony, so find a clean shirt, brush the dust off your Sunday shoes, and come tell them you don’t want the government to be able to access your cell phone data without a warrant. You can tell them other stuff too, but please be sure and say that. And keep your comments short and clear. Like kittens, politicians are easily distracted.

{ 0 comments }

The NSA’s various data collection programs have been (finally) subjected to some public scrutiny. No limits have been imposed yet, but at least people understand more about what’s being collected.

There’s been far less discussion about the fact that your local police have many of the same tools and use them. (Map of states like Texas where local police have Stingrays)

Let’s stop for a moment and consider why we should care about that.

The NSA arrests almost no one (as far as we know anyway). Although a handful of cases always garner publicity, the federal government arrests relatively few people. Texas police agencies, however, arrest a lot of people.

In 2010 federal agencies including immigration made almost 180,000 arrests.  That sounds like a lot! But let’s hop over to the TxDPS stats page for 2010, and we find that in 2010 Texas state and local police agencies made 1.14 MILLION arrests. In case we think the drop in crime has changed the picture, Texas was still arresting more than a million people a year as of the most recent data. For those of you who think Texas must just have a lot more criminals than the rest of the world, Texas also ranks first among states in the number of innocent people exonerated as of this year.

The 4th Amendment was created by our founding fathers as a protection against the unreasonable incarceration of masses of people based on cases trumped up from evidence collected through the indiscriminate search of people’s stuff.

In its recent decision in Riley v California, SCOTUS pointed out that we have so much information in our phones, that any diligent investigator could well find something indicating that we’ve committed a crime.

“It would be a particularly inexperienced or unimaginative law enforcement officer who could not come up with several reasons to suppose evidence of just about any crime could be found on a cell phone. Even an individual pulled over for something as basic as speeding might well have locational data dispositive of guilt on his phone. An individual pulled over for reckless driving might have evidence on the phone that shows whether he was texting while driving. The sources of potential pertinent information are virtually unlimited…”

It is pretty creepy to think about the NSA collecting massive amounts of data about our calls and emails, storing it in a giant building in Utah (eventually), and poking around in it at will. But when it comes to the real possibility that government agents can actually take our freedom (arrest us, put us in a cell, and possibly even convict us of a crime we didn’t commit), we need to be most concerned about what our local and state police can do, and what protections we have right here in Texas.

Texas lawmakers can re-establish basic 4th Amendment protections for Texans long before SCOTUS will be able to opine on what the NSA has been doing.  And Texas’ next steps could well become the path for other states. Two years ago, Texas took a giant leap forward, the first state to protect email and other “stored” content. California passed something similar in the fall of that same year. Far away Maine passed protections for cell phone location data, after a historic House vote overriding the Governor’s veto. Its time for Texas to step up again and use what we’ve learned about what law enforcement can now do to set reasonable limits. Other states will surely follow.

{ 0 comments }

It’s hard to believe, but Edward Snowden was NOT a household name when this coalition showed up at the legislature last year with one basic idea: if law enforcement wants to read your email or sweep up your cell phone location data, it should get a warrant. A lot has happened since then. Thanks to Mr. Snowden, we don’t have to spend too much time anymore proving that law enforcement has ready access to data that most of us consider deeply personal.

Last week’s SCOTUS decision, Riley v. California, was a bright spot, and not the only one, as we head into session with a newly energized coalition of Texas based privacy advocates and the ongoing support of unlikely allies like Texans for Accountable Government and the ACLU of Texas. In case you are living under a rock (or perhaps you have better things to do than read SCOTUS decisions on a hot Texas summer day), our nation’s top judges recently agreed 9-0 that police officers can’t just download the contents of your phone if you are arrested. The contents of your phone, the judges opined, are a bit more personal than the contents of your pocket.

Well, yes. Indeed.

And yet, it was not clear we would get this good decision. Why? Because the contents of your phone can be considered “third party” information — owned not by you but by your cell phone carrier or the dozens (perhaps hundreds) of companies that manage your apps and digital services. Longstanding SCOTUS precedent gives law enforcement ready access to information held by third parties.

But that is exactly where this decision got most interesting. The judges never specifically mention the “third party” doctrine, as it has come to be called. Instead, they follow precedents related directly to the application of the 4th amendment to objects in our possession, and found that phone data privacy should be protected whether information is on a phone’s memory card or in the cloud. The judges further opined that internal policies and procedures are not enough to guide law enforcement officers as they troll through data in the cloud.

“the Government proposes that law enforcement agencies “develop protocols to address” concerns raised by cloud computing. Reply Brief in No. 13-212, pp. 14-15. Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.”

While this decision was limited to the search of a suspect’s phone at the time of arrest, it is a big step in the right direction. We expect the courts to take further steps in the coming years as cases involving various federal programs for collecting the “third party” cell phone data of all Americans (not suspected of any crime) come before SCOTUS.  In the meantime, Justice Alito in his concurrence, encouraged state legislatures to step into the breach.

“it would be very unfortunate if privacy protection in the 21st century were left primarily to the federal courts using the blunt instrument of the Fourth Amendment. Legislatures, elected by the people, are in a better position than we are to assess and respond to the changes that have already occurred and those that almost certainly will take place in the future.”

Last session, when this coalition and its various member groups showed up at the Texas Legislature requesting cell-phone privacy protection, law enforcement showed little interest in negotiating bills that would reduce their vast and largely unregulated powers of digital search and seizure. Despite steep and often hysterical opposition from police and prosecutors, Texas lawmakers stepped up to require police to get a warrant if they want to read your email. And 126 Texas House members voted to require warrants to access cell-phone location data. Now its time to come back and pass that warrant requirement for cell phone location data as well as protections for other highly personal information collected and retained by smart phones, apps, phone service providers and tower simulators (stingray tech).

{ 0 comments }

Verizon, the NSA, and Your Privacy

by Kathy Mitchell on June 6, 2013

Wow.
Are you a Verizon phone customer? Then the NSA is right now collecting call data about you under a no-longer-secret order leaked to The Guardian.

The breadth of the order is breathtaking. All Verizon customers, and all calls between people located within the U.S. (including local calls) or between a U.S. location and a foreign location. Only calls exclusively between people outside the U.S. are excluded. The order requires Verizon to give the NSA “comprehensive communications routing information” (numbers called, calls received, length of call, location of call). The file doesn’t include your name and address but does include a unique identifier.

This order was approved by a FISA court under the Patriot Act, but the underlying legal theory giving the government access to “business records” that are “relevant” to an investigation applies to local and state police as well under different statutes (18 USC 2703(d)). Because, you know, customers have no “reasonable expectation of privacy” in records held by our cell phone companies.

This is exactly the problem we’ve asked the Texas Legislature to study during the interim, after HB 1608 failed to pass this session.

If you want to help, take a moment right now and call the Speaker and the Chair of the House and Senate committees and ask for this interim study so next session we can do something here in Texas to protect ourselves.

And, of course, if you’re a Verizon customer you should contact them and let them know you don’t expect them to give up your privacy without a fight!

{ 0 comments }

Help protect geolocation privacy with Texas HB1608

by Gregory Foster on May 8, 2013

TxEPC Action!TxEPC Action!

(Cross-posted from EFF-Austin.)

This Thursday May 9th, the Texas House of Representatives votes on HB1608 to determine whether our state will respect the privacy of your mobile phone geolocation data. Mobile phones are designed to track everywhere they go, and we think law enforcement should have to demonstrate probable cause to a judge before gaining access to such intimate information about one’s whereabouts, associations, and activities.

EFF-Austin, as a founding member of the Texas Electronic Privacy Coalition, has been helping shepherd this legislation forward from its inception. This is a crucial moment in the bill’s progress, and we need you to help remind our State Representatives that they should vote YES on HB1608.

Here’s an online petition to do just that. This will send an email to your state Rep letting them know that you want them to support HB1608. It takes just a few minutes to help ensure the privacy of Texans’ geolocation data.

Thursday is the LAST day for bills to receive a House floor vote for the next two years. We’ll be sitting in the public gallery to observe the show – which could get pretty interesting given the nature of the bill! If you’re interested in joining us, or helping pass out flyers to legislators before the vote, sign up on our volunteer page and we’ll be in touch.

Please send your petition here then let your fellow Texans know! And thank you for your time.

{ 0 comments }

The Texas House protected the privacy of our email today. Full report at Grits for Texas:

Great news! This afternoon, Rep. Jon Stickland successfully attached a version of his HB 3164, requiring police to obtain warrants for emails stored with third parties (think cloud computing) older than 180 days, to legislation by Rep. John Frullo, HB 2268…..

{ 0 comments }

A handful of law enforcement critics have raised concerns about HB 1608 (Hughes, et. al) and its companion SB 786 (Hinojosa) that deserve rebuttal. While most of the specific concerns are addressed in the committee substitute to the House version, here is a rebuttal of the particular criticisms being launched against the bill.

ISSUE: Location data belongs to the cell phone company, not the customer.

RESPONSE: The “third party doctrine” is a court-authored exception to the Fourth Amendment under which the Supreme Court has held that we don’t have a “reasonable expectation of privacy” when we knowingly give information to a third party. Thus, the argument goes, cell-phone customers have no reasonable expectation of privacy regarding historical location data and government should be able to access that information without a warrant. This may be technically true but to most cell-phone users the idea is viscerally offensive, especially in light of the level of detail it reveals about them. In the ‘70s, the Supreme Court ruled bank records weren’t protected by the Fourth Amendment under the third-party doctrine and Congress swiftly acted to legislatively reverse the decision, which is what this bill would do for historic cell-phone tracking.

ISSUE: Historic location data is less accurate and therefore does not violate privacy as much as current or prospective surveillance.

RESPONSE: Historic location data is very accurate and becomes more exact as more cell phone towers or antenna go up to support the smart phone market. The data allows far closer tracking than is publicly portrayed by law enforcement (Google “malte spitz tell-all telephone” for a real-world example from 2009—there are a lot more towers now). Historic data is arguably more problematic as a violation of one’s “reasonable expectation of privacy” because nothing is more personal than where we have been every minute of the day—a retrospective of our lives containing details we ourselves have probably forgotten.

ISSUE: The warrant standard should be reduced from “probable cause” to “reasonable suspicion.”

RESPONSE: Probable cause is the standard set out in the Fourth Amendment for government searches of our “persons, houses, papers, and effects.” Reasonable suspicion, by contrast, is a far lower standard created by the courts to govern brief police interactions with the public like Terry stops (aka, “stop and frisks). That’s not the appropriate standard by which to judge long-term location tracking. The question becomes, in a modern world where “papers and effects” are now largely digitized and held by cell-phone companies and cloud-based data vendors, should the Fourth Amendment still apply? Cell-phone location data is incredibly detailed, documenting everywhere you go and everything you do. It may well include your visits to churches, political rallies, gun shows, or that private visit to a psychiatrist or medical specialist. It includes stops you’ve made that you yourself have probably forgotten. In that sense, your cell-phone company knows more about you than you do and the data creates a diary of your life more detailed than anyone would take the time to write. Courts are slowly concluding that the Fourth amendment should apply to location data, including in two of Texas four federal districts, but that process could take years. In the meantime, Texas should require a probable-cause based warrant by statute.

ISSUE: This bill will dangerously expose police informants and undercover officers.

RESPONSE: The bill requires that information about cell phone location tracking used in an investigation must eventually be made public. However, the author has agreed to amend this section in the committee substitute to allow the identity of informants and undercover officers to be redacted from any documentation that is ever made public.

ISSUE: All cell-phone location tracking already requires a judicial order, so there is already adequate court supervision to prevent abuses.

RESPONSE: The Texas Department of Insurance told the House Criminal Jurisprudence Committee that their law enforcement division used administrative subpoenas to get historic location data. Some law enforcement agencies say they can and do use a federal “18 USC 2703(d) order,” often referred to as a “D order,” or the Texas equivalent in CCP Art. 18.21 section 5. These orders for location data are formally signed by a judge but the standard under which they’re granted – that the judge “shall” issue the order if location data might be “relevant” to the case – is too low, falling far short of Fourth Amendment warrant protections.

The wireless industry receives requests for location information through administrative subpoenas (which have no judicial supervision), court orders (using the “relevant” standard), and sometimes warrants, an attorney for cell-service providers testified at the hearing, but only the latter approach requires showing probable cause. Much of this surveillance activity is carried out in secret. Since there is almost no public information about Texas-based location requests, whether subpoenas, orders or warrants, we have no way to know which methods have been used nor their relative proportions throughout the state. Regardless of prior practices, HB 1608 and SB 786 would require that, going forward, a search warrant must be secured upon a showing of probable cause.

ISSUE: The bill is poorly drafted and overly broad.

RESPONSE: Prosecutors object that the bill is overly broad, but have specified few types of location data that should be exempted from the probable cause warrant requirement. The author has accepted suggestions from prosecutors and law enforcement for narrowly crafted exceptions like finding a felony fugitive. And the bill already contained clear exceptions for life threatening situations or finding a stolen cell phone. Rather than being overly broad, the bill makes clear that a probable-cause warrant will be required for requests to cell-phone carriers for personal location data, simplifying a needlessly byzantine statute that arguably is one of the most confusing and poorly written subsections (CCP 18.21) in Texas law.

ISSUE: The bill will require extra paperwork and locating a judge in cases when time is of the essence.

RESPONSE: The bill includes a clear exception for emergency where time is of the essence. The exception includes “hostage, barricade or other emergency situation” in which a person threatens another with death or exposes them to a “substantial risk of serious bodily injury.” This is a broad exception which gives police significant leeway to determine when a particular situation requires immediate location data from the carriers. Cell phone companies already understand the emergency exception and will respond with immediate location data when requested under such circumstances. Besides, to the extent it’s true that law enforcement already seeks judicial approval on these sorts of orders, as some have claimed (see the prior question) it lessens the impact of requiring them to seek out a judge to get a warrant. They already must find a judge, anyway.

ISSUE: Reporting requirements are too onerous.

RESPONSE: The reporting requirements for cell phone companies involve only aggregated billing data – which agencies they reported location data to and how much they charged them. Given that law enforcement pays for these services, essentially this amounts to an aggregated receipt. The reporting requirements on courts and prosecutors are there because currently it’s impossible to know to what extent information collected about individuals is actually being used in criminal cases. United States Magistrate Stephen Smith in Houston has written that the sparse objective information that does exist on a nationwide level indicates that in too many instances “the government is spending more time chasing the innocent” than the criminal. Without additional reporting, no one can know if that’s true. This legislation requires aggregate reporting about cell-phone location orders that will clarify many of the speculative debates surrounding this legislation, giving us hard data to analyze instead of assurances and promises.

{ 0 comments }

Senator Estes says “Get a warrant!”

by Kathy Mitchell on March 16, 2013

Thank you to Senator Craig Estes (R-Wichita Falls) for filing a different version of the bill to require a warrant for location data off our cell phones. Estes filed SB 1088 in the final week before the deadline. That both Republican and Democratic Texas state senators filed legislation to require a warrant for cell-phone location orders speaks volumes about the developing bipartisan consensus that location privacy deserves protection.

We have to say, we still love this bill even though it doesn’t have the reporting requirements of SB 786 by Sen. Juan “Chuy” Hinojosa (D-McAllen). SB 1088 would extend the 4th Amendment to the surveillance of private citizens by government, but the public would still remain largely in the dark about how much surveillance is going on and by which police agencies.

The reporting requirement in SB 786 (and Rep. Bryan Hughes’ HB 1608) requires the telcos to provide some baseline data about the number of requests they get and from which police agencies. But that will only tell part of the story. The real question is, does all this surveillance actually make us safer? For that, we need data from police agencies and courts.

Police agencies already must report that they have issued a subpoena for cell phone location data to the Texas Department of Public Safety (Code of Criminal Procedure Chapter 18.21 Sec. 15). There is supposed to be enough information there for DPS to assess if police are issuing subpoenas in accordance with written policy. But there’s no annual (or public) reporting of this information and no way to look across all the individualized records to assess the current state of surveillance in Texas. Nor is there any effort to connect surveillance performed with convictions.

The reporting requirement in SB 786 builds on the existing requirement to create a public report that connects what the cell companies know (how many requests they get) and what police report to DPS to the most import piece of the puzzle — whether these surveillance requests are actually resulting in convictions in criminal cases. Most Americans will cut the police some slack if their snooping around ends up putting a violent offender in jail. But if they are just snooping, that’s an entirely different kettle of fish.

In any event, thank you Senator Estes. We support and applaud your bill, which will reinstate the 4th Amendment for the modern era. We hope you will reconsider the need for public reporting, and consider adding even some of that back into your bill before it finally passes, this bill will give Texans both rights and information they can use to better exersize those rights.

{ 0 comments }

Support HB 1608/SB 786: Warrants for location data

by Kathy Mitchell on March 16, 2013

Problem: Using the data transferred from, received by, and stored in your cell phone or smart phone, police are now able to track your every move without leaving their desks. Our antiquated surveillance laws need updating.

  • Cell phones now transmit your location hundreds of times a day, creating a virtual diary of your life.
  • Cell phone companies get so many law enforcement requests (1.3 million last year) that they have hired hundreds of people and created simple fee schedules to manage the volume.
  • The Computer and Communications Industry Association has publicly called for warrant protection for online and mobile content and locational information.
  • Law enforcement requests for locational tracking of Texans are confidential so nothing is or can be known about the scope of surveillance. Locational tracking using a device attached to a car is sealed permanently, and cell tracking requests are confidential under 552.108 according to agencies.
  • A few Texas judges have started to publicly denounce the overuse of cell phone surveillance by police agencies and call for reform. Information compiled by federal Magistrate Judge Stephen Smith in Houston indicates few criminal cases are made despite thousands of requests.

HB 1608/SB 786 fixes these problems by amending Article 18 of the Texas Code of Criminal Procedure to:

  • require a warrant for locational tracking of individuals (regardless of the type of device) except in the case of a life threatening emergency;
  • allow an order for tracking to be sealed only up to 180 days unless a judge finds good cause to extend the seal;
  • require reporting of aggregate information about the amount, type, and outcome of locational tracking by police agencies in Texas.

Legal framework: Texas law – focused on increasingly obsolete technologies like the Pen Register and Trap and Trace device – was crafted before the invention of the “smart” phone. It does not provide adequate guidance for police, carriers or the public around the detailed locational data smart phones transmit.

  • In January of 2012, the Supreme Court in U.S. v. Jones determined that locational data from a tracking device attached to a car constitutes a “search” but did not specify any required procedure.
  • In a case now before the Fifth Circuit (case# NO. 11-20884), the Obama administration argues that historical locational data from a cell phone is not subject to the 4th Amendment because it is held by the cell phone company (it is a “business record”) and that people don’t have a “reasonable expectation” of locational privacy.
  • New technology makes the distinction between “historical” and “real time” data increasingly blurry.
  • It may be years before the U.S. Supreme Court catches up with today’s technology. In the meantime, state law should create a clear and protective privacy standard for Texans

{ 1 comment }