In September 2017, we, along with the Electronic Frontier Foundation, sued the federal government for its warrantless and suspicionless searches of phones and laptops at airports and other U.S. ports of entry.
The government immediately tried to dismiss our case, arguing that the First and Fourth Amendments do not protect against such searches. But the court ruled that our clients — 10 U.S. citizens and one lawful permanent resident whose phones and laptops were searched while returning to the United States — could move forward with their claims.
Since then, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement have had to turn over documents and evidence about why and how they conduct warrantless and suspicionless searches of electronic devices at the border. And their officials have had to sit down with us to explain — under oath — their policies and practices governing such warrantless searches.
What we learned is alarming, and we’re now back in court with this new evidence asking the judge to skip trial altogether and rule for our clients.
The information we uncovered through our lawsuit shows that CBP and ICE are asserting near-unfettered authority to search and seize travelers’ devices at the border, for purposes far afield from the enforcement of immigration and customs laws. The agencies’ policies allow officers to search devices for general law enforcement purposes, such as investigating and enforcing bankruptcy, environmental, and consumer protection laws. The agencies also say that they can search and seize devices for the purpose of compiling “risk assessments” or to advance pre-existing investigations. The policies even allow officers to consider requests from other government agencies to search specific travelers’ devices.
CBP and ICE also say they can search a traveler’s electronic devices to find information about someone else. That means they can search a U.S. citizen’s devices to probe whether that person’s family or friends may be undocumented; the devices of a journalist or scholar with foreign sources who may be of interest to the U.S. government; or the devices of a traveler who is the business partner or colleague of someone under investigation.
Both agencies allow officers to retain information from travelers’ electronic devices and share it with other government entities, including state, local, and foreign law enforcement agencies.
Let’s get one thing clear: The government cannot use the pretext of the “border” to make an end run around the Constitution.
The border is not a lawless place. CBP and ICE are not exempt from the Constitution. And the information on our phones and laptops is no less deserving of constitutional protections than, say, international mail or our homes.
Warrantless and suspicionless searches of our electronic devices at the border violate the Fourth Amendment, which protects us against unreasonable searches and seizures – including at the border. Border officers do have authority to search our belongings for contraband or illegal items, but mobile electronic devices are unlike any other item officers encounter at the border. For instance, they contain far more personal and revealing information than could be gleaned from a thorough search of a person’s home, which requires a warrant.
These searches also violate the First Amendment. People will self-censor and avoid expressing dissent if they know that returning to the United States means that border officers can read and retain what they say privately, or see what topics they searched online. Similarly, journalists will avoid reporting on issues that the U.S. government may have an interest in, or that may place them in contact with sensitive sources.
Our clients’ experiences demonstrate the intrusiveness of device searches at the border and the emotional toll they exact. For instance, Zainab Merchant and Nadia Alasaad both wear headscarves in public for religious reasons, and their smartphones contained photos of themselves without headscarves that they did not want border officers to see. Officers searched the phones nonetheless. On another occasion, a border officer searched Ms. Merchant’s phone even though she repeatedly told the officer that it contained attorney-client privileged communications. After repeated searches of his electronic devices, Isma’il Kushkush, a journalist, felt worried that he was being targeted because of his reporting, and he questioned whether to continue covering issues overseas.
Crossing the U.S. border shouldn’t mean facing the prospect of turning over years of emails, photos, location data, medical and financial information, browsing history, or other personal information on our mobile devices. That’s why we’re asking a federal court to rule that border agencies must do what any other law enforcement agency would have to do in order to search electronic devices: get a warrant.
Blog by Hugh Handeyside, Senior Staff Attorney, ACLU National Security Project; Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project; and Esha Bhandari, Staff Attorney, ACLU Speech, Privacy, and Technology Project.
Date
Tuesday, April 30, 2019 - 2:00pm
Featured image
Show featured image
Hide banner image
Related issues
Privacy and Surveillance
Show related content
Pinned related content
Merchant v. Mayorkas (formerly Alasaad v. Wolf)
Tweet Text
[node:title]
Type
Menu parent dynamic listing
Show PDF in viewer on page
Style
Standard with sidebar
This blog post was written by Emiliano Falcon, Technology for Liberty Program Policy Counsel.
A state judge in Virginia ruled earlier this month that license plate tracking data collected by automatic license plate reader (ALPR) systems are personally identifiable information, outlawing their storage when law enforcement has no good reason to collect and retain them.
The impact of the ruling by Virginia Fairfax County Circuit Court Judge Robert J. Smith is likely to be enormous, as it effectively bans law enforcement in the state from conducting dragnet surveillance.
The lawsuit dates back to 2015. That year, the American Civil Liberties Union of Virginia sued the Fairfax County Police Department on behalf of Harrison Neal. Through a public records request, Neal discovered that the Fairfax police department had collected data on his whereabouts using license plate readers. The police collected and maintained these records on Neal—and millions of other Virginians—even though they never suspected him of involvement in any criminal activity. The ACLU filed suit representing Neal, arguing that the police department’s collection and retention of information on his whereabouts for nearly a year violated Virginia’s Government Data Collection and Dissemination Practices Act, a state law controlling how government agencies in Virginia are allowed to collect, store, and share personal information about residents.
License plate readers are surveillance devices mounted on police vehicles or stationary objects like light poles or bridges. The cameras read and record every license plate that comes into their field of vision—as many as 3,600 plates per minute, or 216,000 an hour. Each time the cameras capture a license plate, they create a file containing an image of the car, the license plate number, and the time, date, and location where the surveillance occurred.
The ACLU has been sounding the alarm about the use of ALPRs all over the country since 2012. While some states have regulated their use, limiting the time police departments can retain non-derogatory information, most police departments use the systems to conduct both active and passive surveillance—that is, to actively search for cars connected to suspected criminal activity, and to collect and retain for long periods information about drivers who are not suspected of any crimes.
In this ACLU lawsuit in Virginia, the key question was whether the collection and storage of Neal’s license plate data without suspicion of any criminal activity was legal under Virginia state law. To determine if the surveillance violated that law, the ACLU had to prove two things. First, the ACLU had to demonstrate that the state data protection law applied to the police department’s collection of license plate reader data—specifically, that the records constituted personal information and that the license plate reader record keeping system was an information system as defined under the state law. Second, provided the law applied, the ACLU had to prove that the police department’s passive surveillance was not exempt from the law and that therefore the creation of the database violated it. To do that, the ACLU argued that this type of surveillance violated the law’s provision requiring a clear and established need to collect information.
The ACLU lost at the circuit court, which held in favor of the police department. But the ACLU appealed, and the Virginia Supreme Court reversed the lower court’s decision, ruling in favor of the ACLU and Neal. Writing for the Court, Justice Powell’s decision hinged on three main questions. First, does ALPR information constitute “personal information” as defined by the statute? Second, is the ALPR database an “information system” protected under the state law? And finally, if the answers to the first two questions are ‘yes,’ is there an exemption from the data protection law that applies to the personal records and information system at issue?
To answer the first question, the Court looked to the nature of the information collected. The Justices used a framework that distinguished license plate numbers per se from ALPR data. While the former is not personal information, the latter is, the Court held. Under Virginia law, information is considered “personal information” when it affords a basis for inferring personal characteristics or the presence of an identified individual. The Court ruled that license plate numbers alone are just a combination of characters, and that whether or not they constitute personal information depends on the context in which they are used. But ALPR data is different, the Court held, because it contains not only the license plate number, but also images of the vehicle, its license plate, its immediate surroundings, and the GPS location, time, and date captured with the image. Taken together, this information allows its holder to infer personal characteristics and show where individuals have been. Consequently, the Justices decided, ALPR records fall under the statutory definition of “personal information.”
Next, the Court examined whether the ALPR system constitutes an “information system” protected under the statute. Unsurprisingly, there is a direct connection between this issue and the previous one: the law defines an information system as a record-keeping process that contains both personal information and identifiers (like names or personal numbers) of particular individuals. Here, the Court ruled that the ALPR information constitutes personal information. But given the information before it, the Court could not discern if there was a sufficient link between the license plate number and Neal to characterize that number as one of the identifiers that would complete the information system equation. Accordingly, the Justices remanded the case to the lower court to decide this issue.
Finally, the Court looked at the scope of the law enforcement exemption in the state law. The exemption excludes from the statute’s protections information systems that relate to investigations and intelligence gathering related to criminal activity. Here, in accordance with the opinion of the Attorney General, issued in 2013, the Court decided that the exemption did not apply to passive surveillance. The 2013 AG opinion concluded that the state police’s passive collection of ALPR data violated state law because there was not a clear “need” for its collection. The AG reasoned that the value of records revealing where people not suspected of criminal activity have traveled to a criminal investigation was “wholly speculative”—a value the data protection statute does not incorporate in any of its exceptions. In other words, the AG and the High Court agreed: There’s no valid need for cops to track the movements of people not suspected of criminal activity.
On remand to the lower court, the only issue left to decide was whether license plate numbers could effectively identify Neal, meaning the ALPR system constituted an information system.
The evidence the lower court heard was very clear: In Virginia, police officers have unlimited access not only to ALPR information but also DMV records and other law enforcement databases—including the National Crime Information Center maintained by the FBI. It’s therefore a trivial matter for a Virigina law enforcement official to connect ALPR data to a person’s name and address. The circle therefore closed. The passive surveillance database was an information system that permitted police to identify people using ALPR data and license plate numbers. Accordingly, its existence was against the law because there was no established need for it to exist.
The Virigina High Court has dealt a major blow to law enforcement surveillance of people not suspected of criminal activity, giving privacy advocates cause to celebrate. Put simply: Despite common claims to the contrary, license plate numbers are not anonymous.
“The spectator makes the picture,” Marcel Duchamp said. It does not matter if police need to toggle between two discrete databases to perform the identification—it’s nonetheless an identification.
Generally, the legality of data collection hinges on the purpose for which it is collected. Privacy cannot protect itself; it requires principles, safeguards, and rules. Only then we can speak about the legitimate collection and storage of information. Government surveillance is not exempt from this rule. Virginia is on the right track. Governments should be required to prove the existence of a valid—real, not speculative—reason for collecting information about residents.
State privacy laws ought to incorporate this bedrock principle and, following Virginia’s lead, start to dismantle passive, dragnet surveillance. Thankfully, according to the Virginia Supreme Court, Virginia’s Government Data Collection and Dissemination Practices Act does the job.
Read more technology news on PrivacySOS.org.
Date
Tuesday, April 30, 2019 - 11:00am
Featured image
Show featured image
Hide banner image
Override default banner image
Related issues
Privacy and Surveillance
Show related content
Tweet Text
[node:title]
Type
Show PDF in viewer on page
Style
Standard with sidebar
Blog by Kade Crockford, director of the Technology for Liberty Program at the ACLU of Massachusetts
In June 2018, the United States Supreme Court issued a landmark digital privacy ruling, holding that police must obtain a warrant before asking our cellphone companies to turn over information showing where we’ve been in the past. In that case, Carpenter v. US, police had obtained—without a warrant—cell site location information revealing Mr. Carpenter’s movements over a period of several months. The ACLU represented Mr. Carpenter, arguing that this surveillance constituted a violation of his Fourth Amendment rights. In his opinion for the majority, Chief Justice John Roberts was careful to note that the Court’s decision was a narrow one, applying only to law enforcement surveillance of historical location information. The facts before the court in Mr. Carpenter’s case did not involve warrantless, real time cell phone location tracking, Roberts wrote, and therefore the constitutionality of that method of digital surveillance would be decided on a different day.
For the people of Massachusetts, that day has arrived.
Today, in a momentous victory for the privacy and liberty interests of people across Massachusetts, the Supreme Judicial Court—the state’s highest—extended warrant protections to real time surveillance of cell phone location information.
There are numerous ways law enforcement can track our physical locations using digital technologies. Today, because most people carry their cellphones with them everywhere they go, and because it’s cheap and easy for law enforcement to track them, cellphone tracking is the most common.
In most states, lawmakers have failed to update the law to require warrants for cellphone location surveillance. Congress likewise hasn’t updated federal privacy law to reflect our new digital reality. So the courts have stepped into that void, and, over the years, have steadily applied warrant protections to 21st century forms of surveillance and tracking.
Ever since June 2018, when the Supreme Court issued its ruling in Carpenter, police nationwide have been required to go to a judge to get a warrant before demanding seven or more days of historical cell site location information. This is data collected and retained by cellphone companies for business purposes—for example, it can help companies determine where to place more cellphone towers. (Thanks to years of ACLU litigation at the state level, starting with the landmark Commonwealth v. Augustine, Massachusetts residents have since 2014 benefitted from a warrant requirement guarding our historical cellphone location information.)
But until today in Massachusetts, there was no law on the books that required police to get a warrant to track our phones in real time. Today’s ruling changes that, clarifying that real time GPS surveillance of a cellphone constitutes a search under the state constitution, the Declaration of Rights.
Real-time GPS tracking: You’re gonna need a warrant for that
In the case at issue, Commonwealth v. Almonor, the government suspected Mr. Almonor of involvement in a homicide. Police obtained Mr. Almonor’s cellphone number, and reached out to the cellphone company, asking them to “ping” the target phone to discover its real time location. The phone company complied, and told police where they could find Mr. Almonor’s phone. Police later found Mr. Almonor, a weapon, and a bulletproof vest in a house in the vicinity of the GPS ping. At trial, Mr. Almonor filed a motion to suppress the evidence police seized from the house, arguing that law enforcement had violated his constitutional rights by demanding the cellphone company snitch on his real time location absent a warrant or a showing of probable cause.
The Supreme Judicial Court held in Mr. Almonor’s favor, explaining that “society reasonably expects that the police will not be able to secretly manipulate our personal cell phones for any purpose, let alone for the purpose of transmitting our personal location data.” Because this “extraordinarily powerful surveillance tool finds no analog in the traditional surveillance methods of law enforcement and therefore grants police unfettered access ‘to a category of information otherwise unknowable,’” the state constitution requires judicial oversight in the form of a warrant.
(The ruling benefits the rest of us, but it actually doesn’t help Mr. Almonor. While the Court agreed with Mr. Almonor that the real time tracking of his cellphone constituted a search, and was therefore protected by article 14 of the Massachusetts Declaration of Rights, it denied his motion to suppress the evidence, holding that the specific facts of the case showed police could have lawfully performed the search without a warrant due to “exigent circumstances.”)
Not so narrow this time: Mass. High court requires warrant for stingray surveillance
Crucially, the ruling takes a different approach from the Supreme Court’s Carpenter decision in one key respect: Instead of confining its mandate to the narrow circumstances of the case before the Court, the ruling extends the warrant protection to other types of real-time cellphone tracking, including where the government uses its own technology rather than requesting the assistance of cellphone companies. In a huge victory for Massachusetts residents, the ruling explicitly specifies that it additionally applies to law enforcement’s use of so-called “stingrays,” also known as cell-site simulators, or devices that police can use to directly track cellphones—enabling police to cut out the cellphone company from the equation entirely.
“We recognize that the government's ability to compel a cell phone to reveal its location is not limited to the pinging that occurred in this case,” the Court held. “For instance, law enforcement in other jurisdictions have used "cell site simulators" to track down persons of interest by "trick[ing] all nearby phones" into revealing their location information…Nor do we doubt that as technology continues to advance, the government will develop new ways to compel an individual's cell phone to reveal its location. The privacy concerns raised by pinging a cell phone apply equally to any circumstance where the cell phone's location information is generated as a direct result of the government's manipulation of an individual's cell phone. [Emphasis mine.]”
The ruling in Almonor today is yet another sign that courts in Massachusetts and across the nation are increasingly aware of how digital technology tips the scales in the balancing test between the government’s authority to investigate crimes and our rights to be free from government interference in our private affairs. Once again, the Massachusetts SJC affirmed that digital is different. Going forward, if police in Massachusetts want to track our cell phones, they’re almost always going to need a warrant to do it—no matter if the surveillance is historical, real time, or involves a police stingray device.
Read more from Kade on PrivacySOS.org.
Date
Tuesday, April 23, 2019 - 4:15pm
Featured image
Show featured image
Hide banner image
Override default banner image
Related issues
Privacy and Surveillance
Show related content
Tweet Text
[node:title]
Type
Menu parent dynamic listing
Show PDF in viewer on page
Style
Standard with sidebar
Pages
