News – Hawk Toolbox by LeadsOnline

Geofence Warrant Decision Exposes Hole in Fourth Amendment Law

July 12, 2024/in News /by Samantha Roussel

July 12, 2024 | By Cassandre Coyer & Tonya Riley | Bloomberg Law |

Split Fourth Circuit ruling leaves ‘lurking issue’ on scope
Case attempts to fill gaps left by Supreme Court’s Carpenter

A split appeals court opinion clearing the government’s acquisition of users’ mobile-device location data from Google of constitutional scrutiny will likely spark more friction between emerging technologies and the scope of law enforcement searches, attorneys warned.

The US Court of Appeals for the Fourth Circuit’s ruling in US v. Chatrie concluded, over a dissent, that the use of such geofencing doesn’t constitute a search under the Fourth Amendment.

It comes six years after the Supreme Court’s landmark decision in Carpenter v. United States, which held the government has to obtain a search warrant to access historical cell site location records covering a period of more than seven days. In that time, courts have continued to struggle with questions of digital surveillance and the scope of Fourth Amendment protections in the age of mobile devices.

The Fourth Circuit’s July 9 opinion, determining that a warrant isn’t needed for limited digital dragnets of location data collected by third-parties, opens the floodgates for police surveillance, some lawyers said.

“The ruling essentially says you can look at someone’s location in the past at any time, as long as you don’t do it too much,” said Matthew Tokson, a law professor at the University of Utah focusing on the Fourth Amendment’s application to new technologies. “But that subjects our whole lives to potential police surveillance.”

Location Data
Okello Chatrie pleaded guilty in May 2022 to robbing a bank after a district court judge refused to suppress evidence on his location obtained from Google. His appeal marked the first instance of a criminal defendant challenging a conviction that was based in part on evidence from a geofence warrant, which seek information for all users within a geographic area during a particular period in time.

Circuit Judge Julius N. Richardson’s majority opinion affirmed the lower court’s decision but used different reasoning. Judge M. Hannah Lauck of the US District Court for the Eastern District of Virginia had found the warrant to violate the Fourth Amendment but allowed the evidence into the record because the officers thought in good faith they were executing a valid warrant. Richardson’s opinion, however, concluded that Chatrie, who had voluntarily opted into Google’s location data collection, didn’t have a reasonable expectation of privacy and his constitutional rights weren’t implicated by the geofence.

Shortly after the December oral argument in the case, Google announced it would begin to limit its own access to users’ location information, making it inaccessible to law enforcement. But even with Google’s move to cut itself and police off, other companies collect similar data and could nevertheless turn it over to investigators, said Jake Laperruque, deputy director of the Center for Democracy and Technology’s security and surveillance project.

“It’s very likely that other companies that collect location data get these kinds of orders as well,” Laperruque said.

The ruling also opens the door for unchecked use of other dragnet technologies that can place individuals in a given location, such as facial recognition and license plate readers, Laperruque said.

Richardson’s analysis in Chatrie also may have ramifications for other types of information beyond location data, such as in cases where police are looking to identify suspects through reverse search warrants or are using pole cameras to surveil an area.

“The technique of dipping into a large pool of data to find a suspect out of thin air is something that’s going to continue to be an issue,” said Brett Max Kaufman, senior staff attorney at the American Civil Liberties Union’s Center for Democracy. “And so that’s why, even though geofence warrants—maybe for the moment, at least through Google—might be on the decline, the principles being litigated in this case are really important going forward for the Fourth Amendment.”

The Chatrie opinion suggests that unless a court finds an excessive amount of information was taken, it won’t conclude the Fourth Amendment applies, lawyers said. But Richardson didn’t delineate exactly how much data collection would trigger Fourth Amendment scrutiny.

The opinion “adopted this idea that there’s a distinction between a little bit of surveillance and a lot of surveillance,” said University of California Berkeley School of Law professor Orin Kerr, who focuses on Fourth Amendment and criminal procedure. “And if you take that view as correct, you have to figure out, where is that line? That’s a big lurking issue.”

Filling a Void
The ruling is reflective of the questions unanswered by the Supreme Court since the Carpenter decision, leaving circuit courts to decide how to interpret the Fourth Amendment as it applies to new technologies.

However, “a lot of the federal circuit courts are cautious about innovating at all in the Fourth Amendment space,” said Tokson.

Until now, most courts have shied away from deciding whether the collection of location records qualifies as a search, Kerr said, focusing instead on debating the appropriate scope of warrants.

“It’s a reminder that Carpenter didn’t make all location data queries a search,” Kerr added, noting that many courts have yet to grapple with that threshold question.

Chatrie is not the end of the road, he said, because the ruling brings new questions for courts about how to apply Carpenter to warrants involving other emerging technologies. Meanwhile, he and others noted, the Supreme Court hasn’t been eager to weigh in on privacy and Fourth Amendment issues.

“The Supreme Court’s refusal to take up future location privacy questions—or any Fourth Amendment cases on new technologies and surveillance in the six years since Carpenter—has left a void and opened the door to this type of regressive ruling,” said Laperruque.

Next Steps
Though Chatrie’s attorneys from the Federal Public Defender’s Office and the national Association of Criminal Defense Lawyers haven’t signaled their next move, they have multiple options—including seeking a rehearing by the panel or the full Fourth Circuit or petitioning the Supreme Court to take up the case.

If he seeks a rehearing, the appeals court’s precedents indicate it may rule differently than the three-judge panel’s majority. The Fourth Circuit ruled en banc in 2021 that a warrantless aerial surveillance program in Baltimore violated the Fourth Amendment, reversing a panel decision.

Tokson said an en banc rehearing could also explore an idea in Circuit Judge James Andrew Wynn’s Chatrie dissent, which called for a more rigorous standard for searches based on Carpenter. Tokson has called for such a standard in his scholarship, arguing it could include establishing a multifactor test involving the amounts of data collected, how revealing that data is, and whether the third-party disclosure was in fact voluntary.

The debate around warrants’ scope is ultimately a longstanding one, Kerr noted, and the Chatrie ruling brings a “new angle” to the story—especially amid fast-evolving Big Tech developments.

“The big question will be when the next technology comes along that is not something you have to opt into: How broadly can warrants extend in those cases?” Kerr said. “So switch to another technology that is more clearly covered by Carpenter as a search, the scope of the warrant then becomes big in those cases.”

The case is US v. Chatrie, 4th Cir., No. 22-4489.

Read the original article HERE.

Automatic license plate reader data suppressed

June 17, 2024/in News /by Samantha Roussel

June 10, 2024 | By Nick Hurston | Virginia Lawyers Weekly |

A trial court found that Norfolk’s newly installed automatic license plate reader, or ALPR, camera system constituted a Fourth Amendment search and granted a defendant’s motion to suppress evidence and poisonous fruit gathered from the warrantless search.

Citing U.S. Supreme Court precedent, the commonwealth argued that “what a person knowingly exposes to the public … is not subject of Fourth Amendment protection.”

Judge Jamilah D. LeCruise, however, said a person doesn’t surrender all Fourth Amendment protection by venturing into the public sphere.

“Prolonged tracking of public movements with surveillance serves to invade the reasonable expectation citizens possess in their entire movements and thus requires a warrant,” the Norfolk Circuit Court judge wrote.

Since the commonwealth didn’t obtain a warrant in this case, LeCruise suppressed evidence the police gathered via ALPR in Commonwealth v. Bell (VLW 024-8-039).

FLOCK system
Last year, the Norfolk police installed a FLOCK system of 172 ALPRs that could track the location of vehicles by license number and physical description. Stored for 30 days, the data is available for any Norfolk officer to access and is shared with other police departments.

The Norfolk FLOCK system discovered a “hit” on a vehicle described by witnesses as being involved with a robbery in Chesapeake, leading to their arrest of Jayvon Bell.

Bell moved to suppress photographs of the vehicle he was driving, as well as an incriminating statement he made as fruit of the poisonous tree, because the police didn’t seek a warrant to obtain the license plate information from FLOCK.

Privacy expectation
LeCruise found “the collection and storage of license plate and location information by the FLOCK system constitutes a search within the meaning of the Fourth Amendment and should require a warrant.”

She also agreed with Bell that, in the current technology age, vehicles are akin to cellular telephones as they reveal the continued location of civilians.

“Courts have already determined that the government’s acquisition of a defendant’s historical cell-site location information (CLSI) from wireless carriers is a search under the Fourth Amendment,” the judge said, looking to Carpenter v. United States.

Absent exigent circumstances, the Carpenter court found a warrant was required to obtain CLSI.

“Furthermore, the Court found that an individual maintains a legitimate expectation of privacy in the record of his or her physical movements as captured through cell-site information,” LeCruise pointed out.

She rejected the commonwealth’s position that Bell didn’t have a reasonable expectation of privacy in his vehicles while a public sphere.

“‘[A] person does not surrender all Fourth Amendment protection by venturing into the public sphere,’” LeCruise wrote. “‘To the contrary, what one seeks to preserve as private, even in an area accessible to the public may be constitutionally protected. Individuals have a reasonable expectation of privacy in the whole of their physical movements.’”

The judge found the FLOCK system collected and recorded a vehicle’s movements similarly to CLSI or installation of a global positioning system device on a vehicle, both of which are searches requiring a warrant.

Thus, she held that “the breadth of FLOCK cameras covering the entire City of Norfolk and the storage component is also akin to a GPS device and requires a warrant.”

Also, in Leaders of a Beautiful Struggle v. Baltimore Police Department, the 4th U.S. Circuit Court of Appeals found that aerial surveillance with data storage was an unconstitutional warrantless search because it permitted law enforcement to deduce from the whole individual’s movements.

“Like the aerial surveillance in Baltimore, the highway surveillance program in Norfolk must comply with the warrant requirement,” LeCruise said.

Foundational issue
LeCruise couldn’t overlook the “foundational issue” systems like FLOCK presented to courts that regularly hear testimony from custodians of records for 911 calls and related event chronologies, cell phone data, social media and red-light cameras.

“In each of those instances, the Defendant himself or herself or counsel may cross examine and challenge these witnesses in accordance with court procedural rules that safeguard the reliability of admitted evidence,” the judge said.

She emphasized that her concern about warrantless use of the FLOCK system “about which the courts of the Commonwealth know so little is due in part to the many ways in which it could be abused.”

With modern technology enabling governments to acquire information about the population at an “unprecedent scale,” the Supreme Court of Virginia noted in Neal v. Fairfax County Police Department that governments could use that information “for a variety of administrative purposes and to help apprehend dangerous criminals.”

“But knowledge is power, and power can be abused,” the Neal court acknowledged.

Unconstitutional search
Here, Norfolk didn’t require training in the FLOCK system. The city also provided all officers with “unfettered” access to FLOCK data stored for 30 days and shared it with neighboring jurisdictions.

“It would not be difficult for mistakes to be made tying law-abiding citizens to crime due to the nature of the FLOCK system and in the event a law enforcement officer would seek to create a suspect where one did not otherwise exist, it would be a simple task and no custodian of record would be presented to the court for testimony or cross examination,” LeCruise wrote. “The court cannot ignore the possibility of a potential hacking incident either.”

Opining that Norfolk’s citizens may be concerned to learn the extent to which police were tracking and maintaining a database of their every movement for 30 days, the judge agreed with Bell’s argument that FLOCK created a “dragnet over the entire city.”

LeCruise observed that times have “undoubtedly changed since Katz [v. United States] and advances in technology will only continue to provide law enforcement with more avenues to combat crime.”

“However, courts must not neglect the underpinning of the Katz decision that ‘Wherever a man may be, he is entitled to know that he will remain free from unreasonable searches and seizures,’” she pointed out.

Undecided law
Assistant public defender Christopher Bettis, who represented Bell, said the Supreme Court has clearly voiced concerns about the Fourth Amendment privacy implications of 24-hour surveillance and storage of that data.

“Despite that, the Norfolk police installed these FLOCK cameras without any oversight, with very little public discussion, and did so before the General Assembly had passed any law authorizing this sort of thing,” he told Virginia Lawyers Weekly.

Bettis said this decision in no way limited the police’s power to use the FLOCK system while on the lookout for a vehicle that was stolen or involved in an active crime.

Ramin Fatehi, Norfolk’s commonwealth attorney, said he was surprised no defendant had challenged the FLOCK system earlier. He respectfully disagreed with LeCruise’s decision and cautioned against heavy restrictions on using ALPR data.

“If we put unreasonable restrictions on this technology, it will effectively become unusable,” he told Virginia Lawyers Weekly. “Then what we’re going to get is poor people in communities of color being over policed with as many pretextual stops as the law will allow — or, God forbid, back to stop and frisk.”

Noting that LeCruise’s decision isn’t binding authority, Fatehi expressed confidence that another circuit or appellate court will reach a different conclusion.

“We will see a ruling which demonstrates that use of this technology is constitutionally sound,” he said.

Lauren Whitley, executive director of the Virginia Association of Criminal Defense Lawyers, called this a complicated and undecided area of law.

“I think the judge rightly noted the inability to cross-examine or challenge the authenticity and foundation of a recording,” she noted.

Whitley also found it problematic that FLOCK cameras hold data for 30 days.

“The concern from our perspective is abuse, as well as about private entities and public partnerships where we don’t know where this is data going,” she said.

VLW 024-8-039

Read the original article HERE.

T-Mobile to Acquire UScellular Wireless Operations and Deliver Exceptional Value, a Superior 5G Experience and Unparalleled Benefits to Millions of Customers

May 28, 2024/in News /by Samantha Roussel

May 28, 2024 | T-Mobile Newsroom |

Un-carrier Will Give UScellular and T-Mobile Customers More Value and Better Experiences, and Spur Growth and Competition that Offers More Choice for Wireless Consumers

Bellevue, Wash. – May 28, 2024 – T-Mobile (NASDAQ: TMUS) and UScellular (NYSE: USM) today announced that T-Mobile has agreed to acquire substantially all of UScellular’s wireless operations. This includes UScellular’s wireless customers and stores, as well as certain specified spectrum assets.

Upon closing, T-Mobile’s leading 5G network will expand to provide millions of UScellular customers, particularly those in underserved rural areas, a superior connectivity experience, moving from a roaming experience outside of the UScellular coverage area to full nationwide access on the country’s largest and fastest 5G network. Additionally, UScellular customers will have the ability to fully participate in the Un-carrier’s industry-leading value-packed plans filled with benefits and perks, and best-in-class customer support with the opportunity to save UScellular customers hundreds of millions of dollars. T-Mobile customers will also get access to UScellular’s network in areas that previously had limited coverage and the benefit of enhanced performance throughout UScellular’s footprint from the addition of the acquired UScellular spectrum to T-Mobile’s network. And wireless consumers across the country will benefit from the enhanced choice and competition that this proposed transaction will create.

“With this deal T-Mobile can extend the superior Un-carrier value and experiences that we’re famous for to millions of UScellular customers and deliver them lower-priced, value-packed plans and better connectivity on our best-in-class nationwide 5G network,” said Mike Sievert, CEO of T-Mobile. “As customers from both companies will get more coverage and more capacity from our combined footprint, our competitors will be forced to keep up – and even more consumers will benefit. The Un-carrier is all about shaking up wireless for the good of consumers and this deal is another way for us to continue doing even more of that.”

“T-Mobile’s purchase and integration of UScellular’s wireless operations will provide best-in-class connectivity to rural Americans through enhanced nationwide coverage and service offerings at more compelling price points,” said Laurent Therivel, CEO of UScellular. “The transaction provides our customers access to better coverage and speeds, as well as unlimited texting in more than 215 countries, content offers, device upgrades and other T-Mobile benefits.”

Best-in-Class Network Experience
The combination of both companies’ spectrum and assets will provide UScellular customers a superior connected experience on T-Mobile’s industry-leading nationwide 5G network that offers best-in-class performance, coverage, and speed. Customers of both companies, particularly those in underserved rural areas, will receive access to faster and more reliable 5G service they would not otherwise have.

Value-Packed Plans
UScellular customers will have the option to stay on their current plans or move to an unlimited T-Mobile plan of their choosing with no switching costs, which include beloved Un-carrier benefits such as streaming and free international data roaming. If UScellular customers choose to switch to T-Mobile, they could save hundreds of millions of dollars combined annually. Some will also have access to plans with increased savings previously not available to them, including T-Mobile’s 5G Unlimited 55+ plans. All customers will be able to take advantage of T-Mobile’s award-winning customer service team, and have better, more accessible in-person and digital retail support.

More Choice and Increased Competition
This transaction will create a much-needed choice for wireless in areas with expensive and limited plans from AT&T and Verizon, and for those that have been limited to one or no options for home broadband connectivity. By tapping into the additional capacity and coverage created through the combined spectrum and wireless assets, T-Mobile will spur competition and expand its fast-growing home broadband offering and fixed wireless products to communities without competitive broadband options, further bridging the digital divide for hundreds of thousands of customers in UScellular’s footprint.

Proven Un-carrier Playbook
T-Mobile has a proven industry-leading track record of bringing companies together in the name of enhanced connectivity, choice, and value for consumers. The integrations of MetroPCS in 2013 and Sprint in 2020 have been noted as two of the most successful merger combinations in wireless history that resulted in competition-enhancing shifts benefiting millions of consumers. Leveraging its tried-and-true playbook for successful integrations, T-Mobile will continue to deliver exceptional value and experiences to more people across the country, while forcing others to follow suit, for the good of customers.

Transaction Details and Financial Profile
T-Mobile will pay approximately $4.4 billion for the assets being acquired from UScellular in the transaction in a combination of cash and up to $2.0 billion of debt to be assumed by T-Mobile through an exchange offer to be made to certain UScellular debtholders prior to closing. To the extent any debtholders do not participate in the exchange, their bonds will continue as obligations of UScellular and the cash portion of the purchase price will be correspondingly increased. Following the closing of the transaction, UScellular will retain ownership of its other spectrum as well as its towers, with T-Mobile entering into a long-term arrangement to lease space on at least 2,100 additional towers being retained. T-Mobile does not expect the transaction to impact the company’s 2024 guidance or 2024 authorized shareholder return program. T-Mobile expects this transaction will yield approximately $1.0 billion in effective total opex and capex annual run rate cost synergies upon integration, with total cost to achieve the integration currently estimated at between $2.2 billion to $2.6 billion. The company plans to reinvest a portion of synergies toward enhancing consumer choice, quality and competition in the wireless industry.

The transaction, which is subject to the satisfaction of customary closing conditions and receipt of certain regulatory approvals, is expected to close in mid-2025.

Read the original article HERE.

Why Your Wi-Fi Router Doubles as an Apple AirTag

May 22, 2024/in News /by Samantha Roussel

May 21, 2024 | By Brian Krebs | Krebs on Security |

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

Apple did not respond to requests for comment. But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Read the original article (with infographics) HERE.

Cars & Consumer Data: On Unlawful Collection & Use

May 20, 2024/in News /by Samantha Roussel

May 14, 2024 | By Staff in the Office of Technology and The Division of Privacy and Identity Protection | Federal Trad Commission |

Some say the car a person drives can say a lot about them. As cars get “connected,” this turns out to be truer than many people might have realized. While connectivity can let drivers do things like play their favorite internet radio stations or unlock their car with an app, connected cars can also collect a lot of data about people. This data could be sensitive—such as biometric information or location—and its collection, use, and disclosure can threaten consumers’ privacy and financial welfare.

Connected cars have been on the FTC’s radar for years. The FTC highlighted concerns related to connected cars as part of an “Internet of Things” workshop held in 2013, followed by a 2015 report. In 2018, the FTC hosted a connected cars workshop highlighting issues ranging from unexpected secondary uses of data to security risks. The agency has also published guidance to consumers reminding them to wipe the data on their cars before selling them—much as anyone would when trying to resell a computer or smart phone.

Over the years, privacy advocates have raised concerns about the vast amount of data that could be collected from cars, such as biometric, telematic, geolocation, video, and other personal information. News reports have also suggested that data from connected cars could be used to stalk people or affect their insurance rates. Many have noted that when any company collects a large amount of sensitive data, it can pose national security issues if that data is shared with foreign actors.

Car manufacturers—and all businesses—should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data. Recent enforcement actions illustrate this point:

– Geolocation data is sensitive and subject to enhanced protections under the FTC Act. Cars are much like mobile phones when it comes to revealing consumers’ persistent, precise location. In a series of seminal cases in recent years, the Commission has established that the collection, use, and disclosure of location can be an unfair practice. In X-Mode, the FTC alleged that the data could be used to track people’s visits to sensitive locations like medical or reproductive health clinics, places of worship, or domestic abuse shelters. Similarly, in InMarket, the Commission alleged that the company’s internal use of sensitive data to group consumers into highly sensitive categories for advertising purposes was unlawful. The orders resolving these matters prohibit these companies from selling sensitive location information.
– Surreptitious disclosure of sensitive information can be an unfair practice. Companies that have legitimate access to consumers’ sensitive information must ensure that the data is used only for the reasons they collected that information. For example, the Commission recently alleged that BetterHelp, which offers online counseling services—including those marketed to specific groups like Christians, teens, and the LGBTQ+ community—revealed consumers’ email addresses and health questionnaire information to third parties for advertising purposes. Similarly, the Commission took action against mental telehealth provider Cerebral for, among other things, the company’s unfair privacy and security practices. The FTC obtained settlements requiring BetterHelp and Cerebral to pay millions of dollars so that affected consumers could receive partial refunds, and the Cerebral settlement bans the company from using or disclosing consumers’ personal information for advertising purposes.
– Using sensitive data for automated decisions can also be unlawful. Companies that feed consumer data into algorithms may be liable for harmful automated decisions. The FTC recently took action against Rite Aid, saying in a complaint that the company enrolled people into a facial recognition program that alerted employees when suspected matches entered their stores. The complaint includes allegations that Rite Aid failed to take reasonable steps to prevent low-quality images from being used with the program, increasing the likelihood of false-positive match alerts. In some cases, false alerts came with recommended actions, such as removing people from the store or calling the police, and employees followed through on those recommendations. As a result of the FTC’s action, Rite Aid agreed to a 5-year ban on the use of facial recognition technology.

These cases underscore the significant potential liability associated with the collection, use, and disclosure of sensitive data, such as biometrics and location data. As the FTC has stated, firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service, and firms shouldn’t let business model incentives outweigh the need for meaningful privacy safeguards.

The easiest way that companies can avoid harming consumers from the collection, use, and sharing of sensitive information is by simply not collecting it in the first place. When they are motivated to, all businesses—including auto manufacturers—are capable of building products with safeguards that protect consumers.

Read the original article HERE.