GeoLoc Privacy: Gov't Workarounds

CraginS · ‎01-23-2021

Your phone knows where it is, and thus most of the time, where you are. And your phone tells your phone company all of the time. Mobile phone companies know where your cell phone is all the time it is turned on. They have to, because they monitor which cell towers it uses. And they keep records of your phone's geographic location (geoloc). Who else knows?

The history of your phone locations is considered sensitive privacy data, and in many jurisdictions a law enforcement or intelligence activity must have a warrant or court order to obtain those records from the phone company. That sounds nice, but do not for a moment think your location privacy is protected from government surveillance by these legal requirements. Your geoloc history is on the market for purchase, and governments are buying.

Every smart phone is delivered with a batch of apps already installed, and almost every new owner adds more games and productivity apps in short order. They also very rarely read and understand the permissions they grant to those apps when they click the ACCEPT button to install each app. And a surprising number of apps ask for permission to know your location. Why in the world would a flashlight app or a picture-mapping app need to know where it is being used? Because those app companies build their own geoloc files for your phone, independent of the phone company's records. Then they sell that data to data brokers. And the data brokers aggregate that data from multiple app vendors to esll to other customers. Who buys from these data brokers? We can assume companies that want to do marketing analysis are primary buyers. However, another buyer category has come to light: government agencies.

See the Jan 22, 2021, Verge article US Defense Intelligence Agency admits to buying citizens’ location data. The title tells the core story: while the US Supreme Court Carpenter ruling said the government must have a warrant to obtain geoloc data from phone companies, both the DIA and law enforcement agencies assert that ruling does not restrict them from buying geoloc data from commercial data brokers, without any judicial approval in advance. You can read for yourself what the DIA said in their memo to Senator Wyden explaining their testimony in a recent Senate committee hearing. Basically, DIA says it is OK for them to have this data, and as long as they are not looking at it, they have not "collected location data on US persons.

Hmmm, that sounds a lot like the testimony years ago by a NSA Director that they had not "collected" the cell phone data being stored in their massive Utah data enter, because they had not looked at that data.

=-=-=-=

“When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.’
’The question is,’ said Alice, ‘whether you can make words mean so many different things.’
’The question is,’ said Humpty Dumpty, ‘which is to be master — that’s all.”

Lewis Carroll, Through the Looking Glass

=-=-=-=

The above article originally appeared in my Randomness Blog.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

AppDefects · ‎01-23-2021

Where do we go next given that the Supreme Court upheld in its 2018 Carpenter v. United States ruling that the government needs an actual search warrant to collect an individual's cell-site location data?

CISOScott · ‎01-25-2021

Yes but is collecting it versus buying it, the same in legal circles? I would think they would need a court order (warrant) to collect (through surveillance) or ask that it be given to them (turned over involuntarily by the providers), but purchasing it wouldn't require it.

CraginS · ‎01-26-2021

@CISOScott wrote:
Yes but is collecting it versus buying it, the same in legal circles? I would think they would need a court order (warrant) to collect (through surveillance) or ask that it be given to them (turned over involuntarily by the providers), but purchasing it wouldn't require it.

[Emphasis added]

That is pretty much the argument DIA made. They do not need a court order to buy merchandise on the open market.

However, there are strict laws against US intelligence organizations collecting information on US persons without specific legal approvals in advance. Even though they bought the data instead of using surveillance or other means, a common man wold likely say they have collected the data on US Persons. Thus, in this case the DIA has fallen back on the same argument made by NSA on their storing terabytes of telephone metadata in their server farm in Utah. They are claiming that they have not "collected" the data until they actually look at it for analysis.

I suppose if i buy a can of soup and put it in my basement, I have not "collected" it until I open the can and eat the soup.

Yeah, that makes sense, eh?

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

CISOScott · ‎01-27-2021

@CraginS wrote:
@CISOScott wrote:
Yes but is collecting it versus buying it, the same in legal circles? I would think they would need a court order (warrant) to collect (through surveillance) or ask that it be given to them (turned over involuntarily by the providers), but purchasing it wouldn't require it.
[Emphasis added]
However, there are strict laws against US intelligence organizations collecting information on US persons without specific legal approvals in advance. Even though they bought the data instead of using surveillance or other means, a common man would likely say they have collected the data on US Persons. Thus, in this case the DIA has fallen back on the same argument made by NSA on their storing terabytes of telephone metadata in their server farm in Utah. They are claiming that they have not "collected" the data until they actually look at it for analysis.

Craig

But what if they were just accessing the data stored on one of the networks they have access to that another "company" bought? They did not "collect" it, but they have access to it. They are smart enough to figure a way around it. There are reasons some Intelligence Community (IC) members do not trust other IC members with their data.