Sunday, January 12, 2014

Cost of surveillance and the 4th amendment

The 4th amendment protects against unreasonable searches.  Of course, the government gets an exception by seeking a warrant.  The problem is that in many cases the government claims they can't be bothered to get a warrant to track someone's otherwise public movements.  A warrant is generally not required to follow someone in public, while it would be required to search the same person's home.  I'm no lawyer, but I'll figure that's reasonable.  After all, a warrant requires the court to agree that there is probable cause for the search.  Law enforcement has to convince the court, and the court acts to protect the interests of the citizen. 

The legal system seems to focus a lot of energy on defining a search.  It used to be that tracking of public movements by a suspect did not constitute a search.  However, when law enforcement placed a GPS tracking device on a suspect's car without a warrant and tracked him for 28 days, the Supreme Court ruled that this was a search and did require a warrant.  They stopped short of saying when precisely it became a search (kicking the can so to speak) but did say that 28 days was too long.  The real issue here is that technology is providing law enforcement with an information asymmetry against the average citizen.  With sufficient technology and authorization, the average citizen can no longer shield his activities from view. 

Some legal scholars wrote this phenomenal article explaining what they think should require a warrant.  They think that any method that provides law enforcement with a reduction in surveillance costs by an order of magnitude or more over manual techniques should require a warrant.  I think this has huge implications in information security.  With recent revelations about NSA digital surveillance, what are the costs to use this data?  Supposedly none of that can be used without a warrant, but we already know about the DEA's program for "evidence reconstruction."  So what evidence is used to start an investigation is difficult, if not impossible, to know.

One item not addressed in the article, though, is the concept of using digital endpoints for surveillance.  It is hard to quantify the cost to install covert software on a phone or laptop and then use the nearby wireless access points for location data, as Tim Tomes illustrated last year with HoneyBadger.  Presumably this would constitute a search, so hopefully the courts have this on their radar.  A scarier proposition is using data from access points not owned by the suspect to track their movements.  This was demonstrated last year at Black Hat.  Would this require a warrant?  This is a question I certainly hope the courts are pondering now.

For now, I'll break and just note that security is great.  For me... and law enforcement.


  1. Not only do you have to define what constitutes a search, but what is an "unreasonable search" as defined in the Constitution. When an officer pulls a car over for a traffic violation and smells marijuana, he or she has the right to perform a search of the vehicle. What if the officer pulls someone over that he or she has arrested on previous drug charges? Absent the indication of drugs (smell or sight), the officer cannot search the vehicle without permission.

    Another thing that caught my attention, although I admit I didn't read the Court's full opinions, was that nothing was said about verifying the intended target was the one actually driving the vehicle. If you only have GPS evidence without documented visuals, how could that be admissible in court? I guess those who have passed the bar will have that burden.

    1. Craig, you have an excellent point about the GPS surveillance actually tracking the right target. I expect that we will have the same challenges as law enforcement moves to endpoint exploitation for tracking targets. I know of no cases where this is currently happening, but it only makes sense as a logical step.

