2017-01-30 Patrick Walsh
Originally published at blog.ironcorelabs.com.
How the 4th Amendment Is Bypassed
The U.S. Constitution doesn’t pull any punches. The Government does not have the right to sift through the communications or property of citizens unless it has a specific reason to believe a targeted search would yield evidence of wrongdoing. And then there must be a court-approved warrant. Here’s the Fourth Amendment (emphasis ours):
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
In other words, the U.S. Government needs a warrant, a particular target, and specific cause before snooping on a citizen.
Except, there’s a loophole.
If you voluntarily give your information to a third party, such as a corporation, then you forfeit your “reasonable expectation of privacy.” That standard was first set in a 1967 Supreme Court ruling and is referred to as the “third-party doctrine.” Since then, the standard has been refined in other court cases and clarified in legislation like the Wiretap Act and the Electronic Communications Privacy Act.
This interpretation continues to have new implications as technology progresses. Here are some of the places where a targeted warrant is not required to seize and search property or to eavesdrop on communications.
Today, nearly all internet traffic goes through servers run by corporations, and much of that traffic is captured by the NSA through its PRISM program. PRISM captures both domestic and international traffic.
In other words, the Government is spying on everyone’s Internet documents, history, and communications, without specific targets or probable cause.
Until recently, we could at least say that the data was being used for national security purposes only, but that it wasn’t available in raw form to law enforcement. This is no longer the case. The outgoing Obama administration gave 16 law enforcement agencies the right to search the raw NSA databases without warrants.
The Department of Homeland Security asserts that border patrol agents have sweeping rights to search and seize property anywhere within 100 miles of the U.S. border, without reasonable suspicion, and without a warrant. It does not matter if the subject of the search is a citizen or not.
The FBI bugged the outside of two California courthouses without a warrant, and last year a federal court ruled that this was legal. The ruling makes the warrantless bugging of any public place perfectly legal. The ruling essentially says that there is no expectation of privacy in public places anymore because video surveillance and smartphones are prevalent. Here is an excerpt from the judgment:
it is equally unrealistic for anyone to believe that open public behavior including conversations can be private given that there are video cameras on many street corners, storefronts and front porches, and in the hand of nearly every person who owns a smartphone
If being in a place where you know smartphones or cameras reside erodes the expectation of privacy, then what happens when you have smartphones in your house? What about always-on microphones, like Alexa or Google Home? Those microphones stream voice data over the Internet, which is already intercepted and likely decrypted by the NSA and other spy agencies.
That raises the question: does having an always-on microphone or even a smartphone in your house remove your expectation of privacy? It seems we are very close to that being reality, and we are very far from the Fourth Amendment right to be secure against unreasonable searches and seizures in our homes.
The U.S. Government already conducts mass surveillance that certainly includes the interception of digital papers and effects written and accessed from inside the borders of our homes. The right to privacy is eroded almost to the point of meaninglessness.
So if a warrant isn’t necessarily needed to gain access to data freely given to third-party companies, and if third-party companies control our communications and document storage infrastructure, how can one maintain privacy?
The answer is strong encryption. Not just HTTPS in your browser (that may be secure from your average coffee shop hacker, but likely isn’t against a sophisticated adversary), but strong encryption where you keep the key and your service providers have only the scrambled data.
Does this mean that law enforcement can’t do their job? No.
Law enforcement would need to go back to the days of crime fighting pre-dating mass surveillance and always-on GPS location trackers. That means building cases around informants, stings, and through the use of warrants with probable cause.
Encryption systems are not magic. They’re locked boxes, and someone has the key. A warrant should be enough to gain access to a key and therefore to the contents of the secure boxes. But this means law enforcement would have to serve that warrant directly on a suspect, rather than asking third-party corporations for the data.
Individual privacy is not the only issue here. Corporate privacy matters as well. Chinese hackers have stolen billions of dollars’ worth of intellectual property from U.S. companies. And when companies come under investigation for whatever reason, they want to know it and to defend themselves. This is hard when all of their data is stored in the cloud and secured only by transparent encryption, which protects against stolen hard drives, but little else. Transparent encryption is sufficient to be compliant with regulations like HIPAA and PCI, but woefully inadequate to defend against hackers and overly broad Government data fishing expeditions.
Customer-controlled keys are the linchpin for companies and individuals reclaiming their privacy and taking control over their digital data. For now, only a few cloud software providers offer this level of control, but we believe this is changing. In the coming years, any software application that doesn’t provide this level of control will find itself at a severe disadvantage competing against those that do.
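The difference between transparent encryption and customer-controlled keys, as an added example that is not from the original post: Node.js code showing what a provider can hand over under each model. The classes TransparentProvider and BlobProvider, the helpers seal and unseal, and the sample document are all hypothetical and constructed for illustration.

```javascript
// Added example (constructed): provider-held key vs. customer-held key.
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers; a fresh random 12-byte nonce is stored with each ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Hypothetical provider with transparent (at-rest) encryption: it holds the key.
class TransparentProvider {
  constructor() { this.key = nodeCrypto.randomBytes(32); this.rows = new Map(); }
  put(id, plaintext) { this.rows.set(id, seal(this.key, plaintext)); }
  rawDisk(id) { return this.rows.get(id).ct; }           // what a stolen drive holds
  discloseToThirdParty(id) { return unseal(this.key, this.rows.get(id)); }
}

// Hypothetical provider that stores customer-encrypted blobs and has no key.
class BlobProvider {
  constructor() { this.rows = new Map(); }
  put(id, sealed) { this.rows.set(id, sealed); }
  discloseToThirdParty(id) { return this.rows.get(id); } // ciphertext is all it has
}

function demo() {
  const doc = "Q3 acquisition target: Example Corp";     // constructed sample data
  const t = new TransparentProvider();
  t.put("doc1", doc);
  const customerKey = nodeCrypto.randomBytes(32);        // never sent to the provider
  const b = new BlobProvider();
  b.put("doc1", seal(customerKey, doc));
  const handedOver = b.discloseToThirdParty("doc1");
  let wrongKeyFails = false;
  try { unseal(nodeCrypto.randomBytes(32), handedOver); } catch { wrongKeyFails = true; }
  return {
    diskIsCiphertext: !t.rawDisk("doc1").includes(Buffer.from(doc)),
    transparentDisclosure: t.discloseToThirdParty("doc1"),
    blobContainsPlaintext: handedOver.ct.includes(Buffer.from(doc)),
    wrongKeyFails,
    customerCanRead: unseal(customerKey, handedOver) === doc,
  };
}
```

In both models the bytes on disk are ciphertext; the difference is who can turn them back into the document when asked.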
Help us to make this happen: push for customer-controlled keys and strong end-to-end encryption from every software vendor you know. The more who do, the faster we’ll transform to a more secure foundation.