Police departments nationwide are using a controversial high-tech surveillance tool called a geofence warrant that allows them to capture the location data of anyone and everyone near a crime scene as a possible suspect.
A number of law enforcement agencies, including the Federal Bureau of Investigation (FBI) use such warrants, which glean data from tracking tools, such as the satellite based navigation system GPS, Bluetooth, Wi-FI, mobile connections, email and video apps. In the absence of a person’s legal objection filed in court, a service provider can release an individual’s personal data to law enforcement just for the asking.
For years, technology companies have complied with court orders to produce information on demand. But geofence warrants take it a step farther, looking for suspects in the absence of leads, casting a wide net without clues, and pursuing a person they don’t already suspect. In other words, police are able to round up data on people who may have nothing to do with the crime, often without their knowledge. In some cases, it has resulted in jail time for innocent people. In some cases, however, it has served as a tool without which law enforcement could not or may not have solved a crime in the absence of viable leads.
to take it a step farther, what if the government requests location information on a managed service provider’s (MSP) or managed security service provider’s (MSSPs) customers? How should an MSP or MSSP react considering tracking tools such as remote monitoring and management, backup and security are deployed as a matter of course? Should the service provider protect its customers’ privacy or comply with law enforcement’s demands?
There’s no denying the impact of an innocent ensnared in a geofence warrant, someone stuck in the wrong place at the wrong time. And, there’s no overstating the thin line between privacy and security danced on and around by law enforcement and privacy advocates. For instance, a recent police dragnet in Gainesville, Florida nabbed Zachary McCoy, a local resident, as a suspect in a robbery, as recounted in an NBC News report. The New York Times last year chronicled a similar case. In the McCoy incident, Gainesville police had identified him, an avid cyclist, riding his bicycle past the victim’s house a number of times. McCoy was simply exercising and tracking his miles on a Google app which the police ultimately tapped to locate him. The warrant and police suspicion turned McCoy’s life upside down until he was able to extricate himself with the assistance of an attorney months later.
The privacy/security/law enforcement access issues–as complicated by personal data sweeps–are here to say. Recently, Apple and Facebook remained resolute in their vow not to build back doors into their products for law enforcement to potentially view the private communications of billions of users, despite pressure from Senate Judiciary Committee legislators and the U.S. Attorney General. Senators and the tech giants continue a high profile squabble over security, privacy and national safety, with Apple and Facebook waving off accusations of harboring criminals in their refusals to back down.
Both Apple and Facebook have repeatedly said they support law enforcement’s efforts to safeguard the nation. Still, involuble user security and privacy is of paramount importance, both from a privacy and a corporate culture standpoint, not only for each company but also for the tech industry writ large. Nevertheless there are extenuating circumstances, the government argues, that transcend the security and privacy of individual users.
At this point, the tech industry hasn’t found a way to grant law enforcement access without intentionally creating a vulnerability that could imperil users through infiltration by hackers or government overreach or corporate spying. At some point, MSPs and MSSPs will likely be compelled to make similar decisions regarding requests from law enforcement for personal data of their customers on a larger scale than just one-offs. That will mean policies and procedures will have to be clarified and formalized.