Tuesday, January 28, 2014

Questions I wished were asked on privacy, liberty, and surveillance

Today, the Minnesota House Civil Law Committee invited various head law enforcement officials to testify about how their agencies do surveillance on Minnesotans with emerging technologies. Two important functions of legislative oversight are to advance accountability and to raise and ask the tough questions of public officials to see what their activities are, particularly on this subject. A number of questions were asked.

These are some of the questions I WISH they would have asked:

- 4th amendment

Do you believe that a broad pattern of governmental surveillance activity - such as monitoring a person's location information on an ongoing basis - invades a reasonable expectation of privacy, and constitutes a search?

Do such things as license plate reader scans (LPR) and the Kingfish infringe on the protections of the First, Fourth, and Fifth amendments in your view?

With more and more of our private information being shared with third parties, should law  enforcement need a search warrant rather than lower thresholds such as "relevant" to an investigation to get the data?

Do you believe that personal data held by a third party has a right to privacy in 2014, even though 30-year-old US Supreme Court decisions say no?

- License Plate Readers (LPR)

Does the federal government offer your department any assistance in enhancing or implementing LPR technology?  If so, what form does that assistance take?

Do you share your LPR data with any federal law enforcement agencies or local/state agencies? If so, what is the scope of the data sharing? What do those agencies use that data for?

In some states that have LPRs, there is a centralized database of all license plate scans collected by law enforcement, and the scans are shared with the federal government through fusion centers. What is Minnesota law enforcement's thinking on this?

LPR data in some states is being shared with a national private company. Are any of you doing this? Should this be prohibited?

- Location data

As you know, location data about where one goes and where one is going can tell a lot about a person and their associations and interests. Because of the ease of technology, you can get it very easily from T-Mobile with a subpoena (a lower threshold) rather than a search warrant. In 2014, do you think that Minnesotans deserve a higher expectation of privacy in their very personal data held by third parties?

- Drones - surveillance

Would your department support the use of small, low-flying drones to serve as platforms for ongoing video surveillance of public areas?

Would your department support the use of those same, small drones to fly at window level in order to observe activities in private homes that might be visible from public areas?

If so, what sorts of regulations would govern the collection and retention of the video feeds that would be gathered?

At what point does your department believe that a warrant is needed to employ video surveillance capabilities in public areas?

Would your department consider the use of high-altitude drones for ongoing video surveillance of public areas?

- Drones - safety regulation

What sort of assurances would your department be able to provide that unmanned aircraft operating in urban areas would be safe?

If your department has considered employing drones, has your municipality considered the civil liability issues posed by unmanned aircraft use?

- Drones - other monitoring

Would your department, in conjunction with your municipality, consider employing drones mounted with cameras and radar guns to measure vehicle speeds, with the intention of using that information as the basis for issuing speeding citations?

- Cell phone location monitoring

Does your department consider tracking or obtaining an individual's cellphone location information to be a search under the Fourth Amendment?

As costs come down, would your department consider installing multiple, networked cell phone location tracking devices in your municipality in order to locate persons of interest?

- FLIR and infrared technology

Does your department believe that the use of Forward Looking Infrared (FLIR) or other infrared technology to detect heat patterns within a private home or residence constitutes a search?

Does your department have any such technology?  If so, how does it employ such technology?

- Surveillance cameras

Does your department share its live video feeds with other law enforcement agencies, and other parties including federal agencies?

Does your agency record video from its live feeds?  For how long?  To what purpose is this data put?

Does your agency plan on integrating facial recognition technology into its surveillance systems?

- Domain awareness/Predictive analytics

Has your department studied, or otherwise contemplated the use of, so-called "domain awareness" technology that integrates video feeds, Twitter feed monitoring, and other data streams with so-called "predictive" crime analysis software? (The City of Oakland is considering installing such technology. Rochester Police Department now has the analytics software from IBM. The City of Minneapolis signed a contract with IBM last year using similar technology.)

Would your department consider such broad-based surveillance schemes to comply with the Fourth Amendment?

Would you live in a municipality in which the government employed such broad-based surveillance activities?

Oversight by the Legislature gives the public a view on important issues; it's not only for the interest of the policymakers.

Oversight hearings on the intersection of surveillance, law enforcement, emerging technologies and our privacy/liberty rights, with tough questions, give the opportunity for insight into what law enforcement agencies are doing and how they implement their actions. The hearing today allowed the public an occasion to see what their elected legislators do, and if their elected officials are doing their jobs.

Today is only the beginning of discussion on the issue of emerging technologies and our civil liberties to be explored by the Minnesota Legislature.  I encourage you to look into the issues and let your opinion be known to your elected officials.

Saturday, January 25, 2014

Star Tribune: Story on LPR more fluff than stuff

The Star Tribune reported today how Ramsey County and other local police are getting license plate readers.  But the article was more fluff and puff than stuff in my view.

The story did not at all deal with the civil liberty and privacy issues that have been discussed with the implementation of the tool.  There is some opaque reference to "local and national debate surrounding police use of surveillance technology."

No discussion of how plate scanners are used other than for stolen cars. No discussion as to whether or not Ramsey County Sheriff, Maplewood, Mounds View, New Brighton, and White Bear Lake Police Departments are going to place all the scans they get in a central database. Are they going to be on fixed objects or on squad cars?

Across the country, license plate scans on innocent people are being placed in central repositories and shared with private companies and the federal government. Here in Minnesota no one knows.

The Minnesota Department of Commerce "sells" the release of public dollars for buying of license plate scanners as a crackdown on stolen vehicles. But it is much more than that. Just read the manuals of the license plate scanners that law enforcement agencies have; secondly, just review what some Minnesota law agencies are using them for... more than just looking for stolen cars.

It is very easy to set up a database with an electronic connection with license plate scanners. The database could be filled up with late paying child supporters, people who have carry permits, the list can go on and on. Remember names are attached to license plates. So when that "buzzer" hits and the cop hears it, you may be stopped or detained depending on what data set it's hooked up to and what the agency's priority is.

Has Minnesota law enforcement mis-sold the license plate reader for only stolen vehicles?

Yes, the Star Tribune story helped them.

Friday, January 24, 2014

"Need permission, not a Legislator" (But I'm a member of the public)

As many of you know, I have been on the tail of the Minnesota Department of Public Safety (DPS) to share with me (public data), for example, the name of the company who they have a contract with for the cellular exploitative (surveillance) devices. I also wanted a copy of the contract (public data). So far I have gotten neither.

The newly revised figure spent on the Kingfish/Stingray is about $600,000 plus, with most of it general funds from the Minnesota taxpayer, per the response sent by Commissioner Dohman of DPS to four Minnesota legislators who sent a letter asking a number of questions. But what intrigued me in the response is that DPS gave the names of the cell spy devices: Kingfish and Stingray 2. I have been asking for that same data since September. So when I saw that legislators got it and I did not, I wanted to know why.

I asked a number of people why.  This is my take and view:

The Department of Public Safety had to ask the "unnamed company" for permission to give data to parties outside DPS.  When I first asked for public data I was given the run around with only limited disclosure.  That disclosure being they had a "cellular exploitative device" and public monies spent was approximately $732,000.

Why were the names of the devices given to legislators, but not me? Because DPS went to the "unnamed" company and asked permission to do so. But why did you not ask permission to give that data to me, knowing that I was interested per my data request? Because you're not a legislator; legislators oversee DPS to see how public dollars are spent and they make policy. But does not the public do the same in interacting with their elected officials? Should there be double standards for access to public data because you are an elected official? No.

But still the question for me is who is the "unnamed" company and will the public or legislators see a copy of the contract which just may have a provision in it being interpreted to not give out "clearly" public data which in my view is contrary to law.

Wednesday, January 8, 2014

Dohman's response about Kingfish sounds like NSA

Today, Commissioner Dohman of the Minnesota Department of Public Safety provided a letter to legislators who had asked her about the Department's cell phone spy equipment. Her response was terse, indirect, and parallels the responses given to Congress regarding the leaked NSA operations.

The Commissioner's letter gave new details to the public, but also raised many questions and issues.

First, what we learned from the Star Tribune copy of the letter is that the Bureau of Criminal Apprehension (BCA) has two cell phone spy devices, the Kingfish, but also a "bigger brother" called Stingray 2. Secondly, the devices were purchased primarily by state general funds, not Homeland Security dollars from the Feds. The Kingfish has been discussed in previous blogs. The Stingray has not.

The Electronic Frontier Foundation (EFF), a national organization on privacy and civil liberty issues, has been in the forefront on a national level with the Stingray. EFF characterizes how the Stingray works as follows:

"The Stingray is a brand name of an IMSI catcher targeted and sold to law enforcement. A Stingray works by masquerading as a cell phone tower—to which your mobile phone sends signals to every 7 to 15 seconds whether you are on a call or not— and tricks your phone into connecting to it. As a result, the government can figure out who, when and to where you are calling, the precise location of every device within the range, and with some devices, even capture the content of your conversations. (Read the Wall Street Journal’s detailed explanation for more.)"

Those capabilities are different than what the Commissioner describes in her response to legislators. In her letter, the Commissioner stresses that content cannot be captured, and that no "specific personal identification" is viewed.

More detail on the Stingray can be found by reading the article, "Meet the machine that steals your phone data." It has a section discussing the Kingfish, Stingray and Stingray 2. It states in part:

"The Stingray can be covertly set up virtually anywhere—in the back of a vehicle, for instance—and can be used over a targeted radius to collect hundreds of unique phone identifying codes, such as the International Mobile Subscriber Number (IMSI) and the Electronic Serial Number (ESM). The authorities can then hone in on specific phones of interest to monitor the location of the user in real time or use the spy tool to log a record of all phones in a targeted area at a particular time."

Legislators had asked Commissioner Dohman about whether her Department obtained warrants before "accessing cell phone data or locations." The Commissioner's response was cryptic and unclear about whether a warrant is required. Her letter stated that a "court order" was required, and she attached a copy of a court order. However, the example document is a court order that requires a low threshold - not a warrant that requires probable cause. The sample order also relies on a more than 25-year-old state law which has not kept up with today's emerging technology. Things such as Stingrays and Kingfishes were never dancing around in legislators' and the public's heads back then.

Another part of the Commissioner's response that caught my attention was her answer to question 7: "Have these devices been used in or near the state Capitol to surveil people on the Capitol grounds?"  In NSA style, she replied  "No, they are not used as surveillance tools."  So my question, then, is what kind of tools are they?  I am sorry to say that they are surveillance tools.

The public discussion that is occurring around these cell phone detection devices is much broader than the devices themselves. It is about emerging technologies that law enforcement is getting and using without the knowledge of policymakers and the public. It is also about how these new tech tools fit in with decades-old law, and how we can make sure that the use of these technologies does not compromise our privacy and liberties.

Personal note:
I wish to thank the four legislators who signed the letter to ask the Department of Public Safety for more information.  What the BCA gave to the officials were answers to questions....not the data itself.  Some of the answers given to the legislators were related to data that I asked for in my data practices request. But I have learned over the decades in tangling with law enforcement if they do NOT want to give out information or have to, they won't unless there is pressure.  This is a prime example.

Tuesday, January 7, 2014

In Rochester, debate on privacy, security, and accountability

Is big brother watching you?

Rochester Issues Forum features Privacy vs Security
January 15, 2014 – 6:30 PM – Rochester Public Library

The national debate on the monitoring of telephone data by security agencies and other electronic surveillance is also present in local police activity. The sheriff is using license plate readers to rapidly scan and identify motor vehicles; the obvious benefits of this technology in locating stolen motor vehicles and drivers wanted by police are challenged by privacy advocates when it is saved in databases containing thousands of innocent owners. Rochester Police are using a powerful database search engine to merge information from several public databases and from police records to compile intelligence on individuals and how they contact others. This is similar to what NSA is doing with phone information, that is, linking individuals in hopes of finding patterns of behavior that may provide information on potential or actual criminal activity. The question again is what is done with information on the vast members of the public that is captured, or collected, who are not actual or potential criminal suspects.

Recent Minnesota events are concerning because law enforcement officials and other authorized users have accessed information on individuals for purposes unrelated to their duties. What protections are in place to limit access to the information contained in the local systems? For example, until a temporary ruling of a state agency the license plate information was public and available to anyone who asked.

The presenters are Sheriff Dave Mueller, Olmsted County, Police Chief Roger Peterson, City of Rochester, Rich Neumeister, privacy and open government advocate, and Don Gemberling, known as the father of Minnesota Public Record Laws. Moderator will be Jay Furst, Editor Rochester Post Bulletin.

This program is believed to be one of the first public debates on many of these issues outside of the Legislature in Minnesota.

Saturday, January 4, 2014

Issues with Data Practices, 25 years later

As many readers of this post know I have "involved" myself at the Minnesota Legislature on issues of privacy, open government, and civil liberties.  This has been since the late seventies.

One of my focuses has been on the Minnesota Government Data Practices Act (MGDPA). A main focus of the Act is to balance the right to privacy/secrecy and the right to know. An amazing part of this law is that all data is presumed public, unless classified as not public by the Legislature. This is why I spent so much time at the Legislature. The Legislature decides rather than the Courts, which is the norm in many states.

Well, I ran across a memo (handwritten) which I sent to Senator Gene Merriam in the fall of 1988, explaining to him my observations about MGDPA issues.  They are the following:

"1) Impedimental and costly legal remedies under the Data Practices Act when persons are denied information by a governmental agency.

2) Lack of leadership and priority given by top administrators to the full implementation and proper enforcement of the Act.

3) Policy directions by units of government relying heavily on public attorney's opinions.

4) Lack of suitable training/orientation for governmental employees about the Act.

5) Abuses and inconsistencies in fees.

6) Delay in responding to an individual's request for information.

7) Lack of on-going evaluation and oversight of state and local agencies.

On the next page are some possible solutions."

That memo was done over a quarter of a century ago, same issues, same problems?  Some solutions were introduced, some failed, others passed.  The "issues" still need to be addressed.

Thursday, January 2, 2014

MNsure raises points about state IT systems

MNsure's website problems have brought lots of attention to the agency. Many millions of your dollars have been spent to set up the agency and web portal. But is it really the problem of MNsure or is it how the State of Minnesota organizes, processes, and builds its information technology systems?

How much does state government spend on providing and setting up computer information services?  My educated guess for a biennium is at least $600 million. My number may be low per a Minnesota House of Representatives Report done in 1996 which stated $200 million a year was spent on information technology.

MNsure is not the only state agency or department having computer technology problems.

One just has to go to the Legislative Auditor's website and with the help of their staff they can direct you to the reports that promised the tech goods for delivery of service, but ended up as being broken promises and cost overruns.

I remember the well known "MAXIS" computer tech failure just over twenty years ago with the Department of Human Services.  MAXIS was characterized as a "computerized megasystem" with a cost overrun of millions and millions of public dollars.

Commissioner Jesson has publicly commented that maybe the wrong vendor or vendors were picked for the market health exchange. But the questions for the public are how were the vendors selected and who selected them? Was it done with the lowest bid or done with the group that is most competent to set up such an adventure? These broad questions are not just for MNsure, but also for the whole info technology process of the state that spends our hard earned tax dollars.

Is the state agency responsible for overall development of IT services to be held blameless for MNsure problems? Do MNsure-type problems happen with other agencies?

I end with a quote from the Washington Post story that I read which gave me the idea for this post. The quote is about the Federal health exchange which had similar problems as MNsure. 

"The episode is all too typical of how government creates IT services," said Tom Lee, director of Sunlight Labs, the research arm of the Sunlight Foundation, which advocates for more government transparency. "The procurement process tends to select for firms that are good at navigating the procurement process, not providing good IT services for the dollar."

Was this the case for MNsure?  How much does the quote characterize Minnesota's information technology contracting/procurement processes?