Who’s watching the watchers?

Recently, two changes were made to US Government policy on protecting US citizens’ right to privacy.


While these changes may each seem huge, and a “win” for citizens’ rights activists, I think in reality, things are no better.

Let’s look at both of these changes.

  1. The Justice Dept has decided that fake cell tower equipment, known as “stingrays”, can no longer be used by Federal employees without a warrant. Also, they must immediately delete any data that isn’t covered in the warrant, instead of archiving everything forever. So, the FBI or DHS can’t set up fake cell towers anywhere they like anymore, anytime they like, collect as much data as they like, then go home and see what they can learn about each of us, just to see if anything interesting is going on. They need to get a warrant, specifying what they are looking for, and why.
  2. The NSA has been instructed to stop collecting (forever) all US cell phone call information, text messages and locations in federal data centers. So, all the law enforcement agencies in the country can’t spy on local citizens, or do big data analysis of everyone’s activity, just to “see what’s up.”

<paranoid rant>

Given just these headlines, they sound like huge wins for privacy advocates. But in reality, I feel the risk for abuse has not changed all that much. Things might, in fact, be a little worse.

In the first case, the DHS has authorized or issued stingrays to thousands of local police departments all across the country. My hometown has at least one. The new law only covers federal employees, so guess what, no fewer warrantless stingray deployments will occur. It’ll just be the local boys the feddies hit up when they want a neighborhood or special event monitored, “just in case”.

The REAL problem with warrantless stingray deployments is all the secrecy surrounding the stingray. The FBI has been absolutely demonic in its efforts to suppress any and all information about the “stingray” devices themselves, including what services and features they actually offer. If they aren’t doing anything wrong with these devices, why are they trying to make their very existence a secret, much less when, where, how and why they are using them? I wouldn’t mind the FBI monitoring cell phones when they have a stated purpose, and an independent judge has reviewed the info and signed off, and they stick to the rules. That way, someone is watching the watchers. Sure, you still have to deal with corruption between agencies and judges and how do you ensure they are following the law? What features of the devices can be used to audit their use to ensure compliance?

In the second case, the new law states the PHONE companies must retain all that info (mobile phone locations, texts, and call info) on the feddies’ behalf, and when a warrant is presented, they will pull out all the data the feds want.

The real problem with any agency collecting warrantless privacy data about mobile phones (e.g. location) is the same problem. Who’s watching the watchers? When the NSA is collecting that data, the answer is clearly nobody. The NSA was making access to all kinds of data available to just about anybody with a badge or donut belly. They had no independent judicial review, because all their court proceedings are held in secret (for “our protection”), and all orders had gag orders on them, so none of the businesses or government employees could comment on them to anyone.

Of course, now that the phone companies will be storing the data, and warrants are required for government access to the data, that means any corruption in the federal realm is reduced to the same as the previous example. But what about the fact that your phone company, a business, is collecting privacy related data about all its paying customers, ON BEHALF of the federal government, just in case they decide they need access to it? What about corruption in phone company employees? That doesn’t change at all, in fact, it makes it easier for phone company employees (and anyone who hacks in) to access that data, because instead of just forwarding it to the feds, now they have to store and protect it. We all know how historically lousy phone companies have been at network security.

I think phone data collection needs to return to the way it used to be, where nobody is allowed to track anybody’s location, until and unless the police get a warrant and ask for it, then start and stop tracking them when the warrant specifies. Because really, changing who collects and who stores your privacy data does little to prevent abuse of said data.

I’m quickly becoming convinced that simply quitting Facebook for paranoid reasons has little value, unless you also quit mobile phones, which would be much harder. My next phone may have to be one with a removable battery, which would mean leaving Apple (horrors!). Might be easier to just quit cell phones altogether, than to try and find a phone that works that isn’t monitoring everything you do.

Normally, I would scoff at paranoid rumors about government agencies developing methods to secretly infect phones via apps and software updates, but I know that in fact it’s technically possible for everything they claim to have occurred. I cannot, in all honesty, say that I know my phone doesn’t have some spyware installed on it. There are SO MANY bad players out there these days, you just can’t know for sure.

</paranoid rant>