Ten months ago, Digital Fourth submitted a public records request to Boston’s fusion center, the Boston Regional Intelligence Center. It took two appeals to the Secretary of State to get it, but we finally got a response.
The states operate a network of 78 fusion centers across the nation, which coordinate intelligence-related information between federal agencies and state and local law enforcement, in the name of thwarting terrorist attacks. They have never, to anyone’s knowledge, actually thwarted one, and they have become bywords in Washington for waste and ineffectiveness. Previously, we reported on constitutional violations and the results of a FOIA request at Massachusetts’ “Commonwealth Fusion Center”, operated by the State Police; now it’s the turn of Massachusetts’ other fusion center, headquartered at the Boston PD.
The most interesting document we received is the “2013 Fusion Center Assessment Individual Report: Boston Regional Intelligence Center”. This report was heavily redacted, but luckily the State of Colorado has posted on its website an unredacted 2014 report from Colorado’s fusion center that is absolutely identical in format to the Boston report we received, rendering all of the redactions in the Boston report moot. So if you’d like to understand what the BRIC didn’t want us to see, read on.
Without your knowledge or permission, your smartphone’s calls could be being intercepted right now by your local police department, and your taxes are definitely being misused to pay for unconstitutional police snooping.
We have reported before on “stingrays”, which started being used by local police departments in around 2006. These devices impersonate a cellphone tower and intercept the calls that would otherwise flow to other actual nearby towers. Initially bulky, stingrays can now be laptop-sized or smaller, and the most advanced models are light enough to be carried by drones. Police departments conceal their use of this technology when applying for warrants to conduct surveillance, so judges can’t distinguish between applying for a “regular” interception on an individual phone and a stingray interception which gathers all traffic from nearby cellphone towers. The devices’ main manufacturer, Harris Corporation, even obliges police departments contractually to conceal their use of stingrays. The Obama administration is so keen to preserve the cloak of secrecy around stingrays that they sent in the US Marshals to prevent the ACLU from obtaining documents relating to stingray use by a north Florida police department. The courts are beginning to recognize the intrusive nature of cellphone tower dump data, but have not yet grappled with the fact that using stingrays, law enforcement don’t have to ask a cellphone company for the data; they can just suck it up without permission.
Now there is a new way to rip that cloak. Popular Science quotes the CEO of ESD America, which manufactures the $3,500 “CryptoPhone 500”, eagerly describing how his phones could detect when stingrays were being used in their vicinity. While testing the CryptoPhone 500 in August, users found 17 sites around the country where stingrays appeared to be being used on passersby. They could detect the use of stingrays because stingrays downgrade your connection from 4G to the less secure 2G and then turn off your phone’s encryption. Normal Android smartphones or IPhones are oblivious to this process.
Twitter users have been speculating whether these 17 sites map onto the sites of fusion centers around the country. Since we’re familiar with both stingrays and fusion centers, we can say conclusively that they don’t. Most sites seem to be in commercial areas, not around fusion center or military locations. ESD is not providing the precise site locations, and stingrays’ mobility further complicates the process of detecting them. We think that CryptoPhone users have captured what is likely to be only a small subset of stingray usage not by fusion centers, or by the NSA, but by regular local police departments around the nation. We’re supporting the efforts of researchers like Muckrock who want to get more transparency about stingray use by police departments, and to keep an eye out for proposals in your community to “upgrade” police department technology.
So, do we all have to go out and upgrade to the CryptoPhone 500 in order to feel safe in our communications? Well, no; there’s another, cheaper way to find out whether the government is using stingrays in your community.
On July 22, at 3:30am, in place of the Stars and Stripes that usually fly over the Brooklyn Bridge, bleached-out American flags appeared instead. Despite three surveillance cameras and allegedly round-the-clock police surveillance, four or five people, their identities still unknown, were able to cover up the lights trained on the flags, take them down, and hoist up their own.
What interests us here is not so much the action itself, as the police reaction.
“If they had brought a bomb up there, it would have been over,” said a high-ranking police source. “If they were able to bring something large enough to cover the lights, then they would have been able to bring some kind of explosive up there.” […] A police helicopter on Wednesday made repeated passes around the Brooklyn Bridge. NYPD radio cars patrolled the spans’ roadways, and police boats scoured the span from the water. New security cameras were also installed, and numerous officers – some from the Intelligence Division and Counterterrorism Bureau – were assigned to foot patrols, walking back and forth between Manhattan and Brooklyn. [CBS]
New York police are so determined to catch the vandals who replaced the American flags atop the Brooklyn Bridge that they’re using an investigative technique known as “tower dumping” to examine all of the cell phone calls made near the bridge around the time the flags were replaced. […] The NYPD is also using social media data, video, facial recognition technology and approximately 18,000 license plate pictures in trying to solve the case. [IBT]
Horrified at the exposure of a security lapse, the NYPD turned its immense resources toward finding the people who had embarrassed them. The local press described them as “vandals” and quoted local residents as wanting them to be “punished to the fullest extent of the law.”
Today’s news in Wired that the federal government is willing to send in the US Marshals to prevent disclosure of how local police departments are using stingrays, makes it seem that what they’re hiding is pretty important.
Our friends at public information service Muckrock.com are launching a new research project to find out exactly what police are doing with this kind of data. Shawn Musgrave describes their project below. We strongly encourage supporters of Digital Fourth to help them fund this important work. We don’t know yet whether any police departments in Massachusetts are using this secrecy-laden technology – wouldn’t you like to find out?
The New York Times revealed last week that the National Counterterrorism Center now has access to all data, not minimized for privacy in any way, that was authorized for collection via the Foreign Intelligence Surveillance Act, or FISA. That includes the phone metadata dragnet on all US calls, and much else besides.
Sounds legit? It really isn’t. This is why. NCTC provides an enormous amount of data to the now-80+ “fusion centers” around the country. These spy centers act as clearinghouses where federal and local law enforcement data meet; Massachusetts’ ones are run out of the Massachusetts State Police and the Boston PD. So what does this revelation – again, coming to us courtesy of Edward Snowden & Co. – mean? It means that local police forces across America, without a warrant or subpoena of any kind, are able to access what the NSA has on you – and, as we already know, they’re collecting everything they can on everyone. In consequence, the Fourth Amendment now only exists for you if law enforcement (a) isn’t that interested in you or (b) has everything it wants on you already. That’s not much of a “right” at all. It’s more of a trivially revocable privilege. Imagine: any time you get stopped by the police, for any reason, they can now provably access the last five years of, say, your movements by car and your phone communications.
On February 18, the Massachusetts Supreme Judicial Court declared that here in Massachusetts, state cops actually do have to get a warrant if they want to access your cellphone location data.
This is what an independent judiciary looks like. The Justices of our Supreme Judicial Court have withstood over half a century of New England winters. They have endured the long decades of the Curse of the Bambino. Their knotted muscles are carved from whalers’ scrimshaw.They are not to be messed with. The obsequious servants of the surveillance state on the FISA Court could learn a thing or two from them.
Just before Christmas, Muckrock and the ACLU of Massachusetts brought out excellent articles based on a full year of Muckrock’s investigative reporting into Boston PD’s use of automated license plate recognition technology.
ALPR systems automatically photograph and store in a police database the license plates of any car an ALPR-equipped police vehicle passes. The car may be parked or driving. It could be on the Pike, in a driveway, or anywhere a camera can reach. The question was, what does the Boston PD do with the mountain of data once it has it?
Democratic nominee Katherine Clark and Republican nominee Frank Addivinola spent a substantial portion of their only televised debate sparring over privacy and surveillance. It has been great to see these issues playing such an important role in a Congressional campaign. However, there have been two less good outcomes, independent of who wins. First, it’s still not clear that either the Republican or the Democratic candidate will be skeptical enough about the claims of law enforcement and the intelligence agencies. Second, given that that’s so, it is unfortunate that the debate excluded the voices of the two independent candidates, Jim Aulenti and Jim Hall.
Here’s a transcript of the relevant section of the NECN debate, which is no longer available online. Our comments and fact-checking are in italics, and any significant commitments made by the candidates are in bold.
Boston Police Department bosses want to install GPS monitoring devices in every patrol car, to enable dispatch to more efficiently process 911 calls. But police officers and their union are outraged, saying that the ubiquitous tracking is too invasive of their personal privacy. Tracking the location of officers as they go about their days would reveal incredibly detailed information about their lives, the officers say.
It must be just awful to go about your daily life looking over your shoulder, conscious that your every movement and activity is being recorded and could be used against you. Oh, wait. That’s what the entire American public is already dealing with, in this age of mass electronic surveillance. But the way the police union is hissing’n’flapping about it, it’s almost as if there was something wrong with that. Don’t they know that youhavenothingtofear, ifyouhavenothingtohide?
Police officers are public employees, and they would be monitored during, and only during, the performance of their duties as public officials employees. We require elected officials to disclose their votes publicly, and require secrecy for private individuals at the ballot box, even though that’s inconsistent, because public disclosure of how public business is conducted is vital to maintain democratic accountability. In the same way, close monitoring of law enforcement is vital, to ensure that police don’t abuse the vast and special powers society gives them. When you put cameras on cops, complaints about police misbehavior and brutality drop like a stone. We have the right – affirmed by the federal courts in the First Circuit and across America – to record the police in the commission of their duties. The Fourth Amendment constrains the actions of the government, not the actions of members of the general public.
The Boston police may not like it – last week’s PINAC case shows that they’re willing even to threaten people with felonies to avoid public embarrassment over misconduct – but they are not entitled to a high level of privacy protection in their capacity as police officers. That distinction matters. Doxxing police officers’ personal names and phone numbers and addresses is not cool. But recording them, having them record themselves, and encouraging people to call their office numbers and hold them accountable to the public, is vitally important in order to preserve freedom for the rest of us.
Massachusetts’ Supreme Judicial Court is soliciting amicus briefs from interested parties in two cases highly relevant to electronic privacy.
First up is Commonwealth vs. Shabazz Augustine, where they seek to establish:
“whether there is a warrant requirement for cell phone records collected and held by the phone company, namely historic cell site location information, sought by police to establish a person’s location at various times.”
The case is attracting heavyweight legal attention from the Electronic Frontier Foundation, who have already filed an amicus brief, assisted by local information activist, Harvard legal scholar and all-around side-of-the-angels guy Kit Walsh. It will most likely be argued on October 10.
The question underlying the case is whether we all have a reasonable expectation of privacy in our movements as recorded by a third party. In the context of Fourth Amendment jurisprudence, this depends on whether the person moving can be said to have abandoned all proprietary interest in the record of their movements that is held by their cell phone company. Supreme Court precedents from the 1980s indicate that people have no reasonable expectation of privacy in this kind of telephonic “metadata”, but those rulings look increasingly out of date in a technological context where cellphone metadata can reveal a great deal more about you than the metadata associated with a 1980s landline could. EFF’s amicus brief reports that the lower court ruled that cellphone subscribers cannot be said to have “voluntarily conveyed” their interest in data on their movements to a third party simply because that party holds the data, and asks the SJC to let that part of the lower court ruling stand.
As is the case with the Supreme Court, it is worrying that the Supreme Judicial Court has accepted the case for review. The best outcome for defenders of digital privacy would have been for it to allow the lower court ruling to stand, and their acceptance indicates a significant risk of its being overturned. We urge the Supreme Judicial Court to heed the arguments of EFF’s amicus brief, and to err, if they err, on the side of liberty.