A hack using a forged legal request that exposed consumer data collected by Apple and Meta shed light on the reach of the law
Your digital data is ‘pretty much all available to the government in one form or another,’ says Jennifer Lynch of the Electronic Frontier Foundation. Photograph: Justin Lane/EPA
A brazen hack that exposed consumer data collected by Apple and the Facebook-parent company Meta has raised fresh questions about how secure our data is in the hands of tech companies and how easily law enforcement can get hold of the information big tech collects.
It was revealed last week that hackers obtained the information of some Apple and Meta users by forging an emergency legal request, one of several mechanisms by which law enforcement agencies can request or demand that tech companies hand over data such as location and subscriber information.
Lawmakers and privacy advocates argued the forgery was a warning sign that the system is in need of reform. “No one wants tech companies to refuse legitimate emergency requests,” but the current system has “clear weaknesses”, Senator Ron Wyden said in a statement following the hack.
A review of the myriad ways tech companies share consumer data with law enforcement agencies reveals that it’s often fairly straightforward for such bodies to get their hands on consumer data. “[Your data is] pretty much all available to the government in one form or another,” said Jennifer Lynch, the surveillance litigation director at the digital rights group the Electronic Frontier Foundation.
“One of the real challenges with technology these days is that it is next to impossible to figure out exactly all the data that companies are collecting on us and to exert any kind of control over what happens to that data,” added Lynch.
An emergency legal request, like the one the hackers forged, for instance, doesn’t require a subpoena or warrant, unlike many other legal requests. It’s supposed to be reserved for exceptional situations: Apple considers legal requests an “emergency” if “it relates to circumstance(s) involving imminent and serious threat(s) to: 1) the life/safety of individual(s); 2) the security of a State; 3) the security of critical infrastructure/installation”. But, as the hackers have shown, it can be easily exploited.
Apple and Meta did not respond to a request for comment.
Here are some of the main ways law enforcement can get hold of your data.
Accessing your device
Perhaps the most obvious way law enforcement can get your data is by accessing your physical device. Police can subpoena your device or get a search warrant to go through your phones. If your phone is locked or you only use encrypted messaging apps, police can use mobile device forensic tools to break the encryption or bypass your lock screens if they are armed with a warrant.
In February 2021, a US appeals court ruled that Customs and Border Protection (CBP) can freely search your devices without a warrant at the borders. The move created “a massive loophole to target anyone traveling into or out of the US”, said Albert Fox Cahn, the founder of the privacy advocacy firm Surveillance Technology Oversight Project.
Law enforcement requests
If you scan privacy policies of your most used apps you’ll probably find a clause or two that says something along the lines of “we don’t share your user data ever unless it’s in response to a law enforcement request”. That means police, Immigration and Customs Enforcement (Ice), the FBI and other law enforcement agencies can get your user data directly from tech companies through various forms of legal requests, without having to search your device. Sometimes, they can get it just by asking for it.
Google, for example, received more than 39,000 requests for user information between July and December 2020, according to the company’s most recent transparency report. Google handed over user info in response to more than 80% of those requests, affecting the accounts of more than 89,000 users.
In many cases these requests come with gag orders, meaning the company cannot notify users that their information has been requested for six months or more. Sometimes it will be years before a user finds out their information has been handed over to law enforcement.
There are a handful of different types of law enforcement requests, some more sweeping than others and some carrying more legal weight. Three types of legal requests in particular have recently sparked concern among activists and experts: geofence warrants, keyword search warrants and administrative subpoenas.
A keyword search warrant allows law enforcement to access the information of anyone who searched for certain terms or keywords within a certain time period.
A geofence warrant allows law enforcement agencies to seek the device information of all the users who were at a certain place at a certain time. Google, the only company that currently discloses the number of geofence warrants it receives, said it fielded a little under 3,000 in the last quarter of 2020.
Both types of warrants, privacy experts say, are over-broad and thus violate the constitutional protection against unreasonable searches. While many warrants typically seek the information of a single person or group of people who are suspected of a crime, geofence and keyword search warrants work backwards and cast a wide net hoping to narrow down a list of suspects.
It’s not unlike cell-tower dumps, for which law enforcement agencies ask cellphone companies for the information of all people who were connected to a cell tower in the vicinity of a crime scene at the time the crime was suspected to have occurred.
A federal judge in Virginia recently ruled that local authorities violated the constitution when using a geofence warrant to investigate a 2019 robbery, setting a precedent that attorneys representing people caught up in these types of searches could use to receive remedies for being falsely suspected or accused of a crime.
Administrative subpoenas carry less legal weight than other requests: law enforcement agencies don’t need a judge to sign off on them but they also aren’t self-enforcing. The only way the agencies can force a company to hand over the data demanded in the request is by taking them to court after they refuse to comply. Still, companies will often comply with the request even though it is not a court-ordered subpoena. Some experts have expressed concern of the use of this type of request by Ice, which has requested user data from tech companies like Google, fearing the agency is using them to expand its surveillance on US citizens. An Ice official previously said the agency does not often send administrative subpoenas to tech companies for non-criminal purposes. In a press release, Ice said it “uses statutorily-authorized immigration subpoenas to obtain information as part of investigations regarding potential removable aliens”.
Google did not immediately respond to a request for comment.
There is an entire industry of companies and firms that buy and sell your data for a profit. The shadowy network of data brokers operates fairly under the radar but often provides easy access to user data such as your location and purchase history to other entities, including law enforcement.
Data brokers can collect your personal data from a handful of different sources, such as your social media profiles, public records and other commercial sources or companies. Some data brokers integrate directly into apps to hoover up information like location and purchase history. These brokers, which can include some telecommunications companies and credit reporting agencies, then sell that raw data, or inferences and analysis based on that data,to other companies and government agencies.
It’s not always clear whether a data broker has collected or sold your information. In fact, recently data broker X Mode, whose customers include military contractors, was exposed for buying location data from the Muslim prayer app Muslim Pro without the knowledge of users of the app.
Surveillance tech companies
Law enforcement agencies also contract with surveillance tech companies like Clearview AI and Voyager, which scrape your information from the internet and social media and feed it into their own algorithms.
Consumer tech companies you may interact with on a daily basis also provide services to police. Amazon’s smart doorbell Ring, for instance, gives some police special access to their Neighbors social network and makes it easy for the police to monitor and request Ring footage from consumers.
Contracts between tech companies and law enforcement agencies have become more frequent as the tech industry seeks out new avenues of growth, experts say. Because many of the spaces tech is already in have clear dominant players, law enforcement contracts have become an appealing growth strategy because of the seemingly endless supply of funding for agencies like the Department of Homeland Security and local police.
There’s also quite a bit of inter-agency data sharing happening at the local, state and federal levels of government. While it might seem unsurprising that law enforcement agencies share information, you might be surprised to learn that an entity like the DMV shares information with agencies like Ice.
That data-sharing is made easier by services from companies like Palantir, which creates a centralized network of digital records which include “chronic offenders” and other people deemed of interest that can be easily accessed by the company’s law enforcement partners at all levels – from many local police departments to the FBI.