
EFF: Technology Can Help in Absence of Privacy Laws

If you're a developer and you're worried about digital privacy issues, the Electronic Frontier Foundation has a job for you.

On Wednesday, EFF Civil Liberties Director Jennifer Granick put out a call for new technology.

"We need technology. Citizens need technology to protect themselves because the law is not doing it," she said in an address to privacy experts at the Privacy Enhancing Technologies Symposium held at the University of Washington in Seattle.

She described several scenarios created by modern technology where legal privacy protections are absent because laws have not kept up. She's hopeful that developers will build tools that people can use to protect themselves from undue invasion of privacy by the government.

Perhaps the most worrisome issue she described is the use by law enforcement of GPS tracking technologies. GPS radios have become so cheap and small that agents are using blow darts to attach them to cars, she said.

"There's no statute that controls [GPS monitoring], so if the Fourth Amendment doesn't protect you, you're out of luck," she said. The Fourth Amendment, which protects people in the U.S. from unreasonable search and seizure, will only protect people from GPS tracking in their homes. So law enforcement can use GPS to track people in other places, where legal precedent says people don't have a reasonable expectation of privacy, she said.

A couple of states, including Washington and New York, have laws that require law enforcement to get a warrant before using GPS to track people.

The bigger issue is the potential for law enforcement to engage in mass surveillance. Granick imagines a point at which every car, for example, is required to have GPS so that agents can track people's movements. That issue has not been examined in court.

Another scenario that she finds troublesome is the right of agents to search computers and phones of people crossing borders. In the U.S., the borders are considered an exception to the Fourth Amendment, so agents are not required to get warrants to search essentially anything a person has. "The idea is that a sovereign has the right to protect the border. And I can see why it's important to protect the border," she said.

The EFF has argued in court that laptop searches are invasive because computers contain special and personal information, but it has lost using that argument. It has also tried to use the First Amendment, arguing that people have the right to protect information about who they talk to and about what, but the court disagreed.

It's not yet clear whether using simple passwords to restrict access to data on computers or phones can protect people from searches at the border. Granick said she's had lengthy debates with her colleagues on the issue, which has yet to be tried in court. One case in Connecticut approached the issue but had unique characteristics, so the outcome should not set a precedent, she said.

So far, the border authority has declined to reveal its policy for handling situations where people refuse to give up their passwords, she said. "I think they haven't had to confront it because they're so good at making people talk," she said. Agents may convince people to reveal their passwords by suggesting that they'll be detained until they do.

"There have to be ways that normal people can avoid search and seizure and maybe some way to avoid the password problem," Granick said. People should have an easy enough way to come into the U.S. with trade secrets or confidential client information and be able to keep that data private, she said.

Another issue she finds troublesome is the lack of privacy laws around e-mail and other data that people store online. "We are in a very fundamental debate with the government now in a variety of cases about what level of protection the Electronic Communications Privacy Act provides," she said. That law, set in 1986, provides "extremely low protection" for some information like subscriber details, she said.

The EFF argues that as with a letter or a phone call, the content of an e-mail should be protected. "The government argues different," she said. The government believes that if you've opened an e-mail and left it on the server, they can access it without a warrant. In addition, if a user leaves an e-mail on a server for more than 180 days, officials don't need a warrant to retrieve it.

But the reasoning behind that policy, set in the 1986 act, is antiquated, she said. "The theory is, in 1986 if you left something lying around that long it was like garbage, it wasn't important to you. Now we know that with Gmail and cheap storage it's quite the opposite. You keep stuff that's important to you and throw away what's not," she said.

Until new laws are set to deal with modern developments, technology can help, she said. "We civil libertarians are doing what we can to make the law better, but we have a really long way to go. We have huge gaps and we need technology to fill that void. We need good, secure technology that works but is simple enough for normal people to use," Granick said.
