 Hi everyone, thank you for coming So we're gonna be talking to you about how the law doesn't protect you. I'm Allison Young I'm a digital forensics analyst at the Legal Aid Society of New York It's the oldest public defender in the United States and the largest provider of indigent criminal defense services in New York And I'm Diane Ackerman. I am a public defender at the Legal Aid Society for the last 10 years and I work in our digital forensics unit So yeah, the laws don't protect you. We're gonna talk about how if the government wants your data, they can pretty much get it This is definitely of more concern as we have more criminalization of bodily autonomy most notably for our talk You know pregnancy outcome cases Diane's gonna talk about the laws and I'm gonna talk about what that data looks like when you pull it off of you know phones Or the cloud a couple of disclaimers to start we are not your attorneys. We are not giving you legal advice We are also not telling you how to protect yourself like how to configure your phones or your computers or your op-sec You can certainly use the examples that I'm going to show you today to sort of make informed decisions But really our point is it's kind of hard to protect yourself There are some vulnerabilities in the law and the legal system that make it nearly impossible. It's sort of like a backdoor Another thing to note is that the data we're going to show you some of it is real client data That's been redacted for the privacy of our clients Some of it is test data that I generated just to sort of demonstrate some things and a couple of items that I'll call out are actually from my own personal digital data footprint So working on the criminal defense side We see all of the ways that people's data is used against them in the criminal legal system and the depth and the breath of governmental invasion into people's privacy in the name of criminal investigations is enormous The amount of data that's collected in search for every single crime from the pettiest of theft To the most heinous of homicides is really invasive and very rarely justified So while a lot of the headlines now post-dobs are about period and health apps on your phone or Facebook messages that are being used Against people to pick to prosecute pregnancy outcomes the methods are not new and Perhaps more importantly The criminalization of abortions or pregnancy outcomes is not new at all people have been prosecuted for their pregnancy Outcomes for their abortions for many many years So in a post-dobs world all we're going to see is an extension of the existing tactics used to prosecute Existing crimes all this does is just expand the world of who the government can more easily label a criminal Increased criminalization will always help the government justify invasions of privacy because once you are declared a criminal by the legal System and I don't mean convicted. I mean Suspected of being a criminal you cease to have any privacy at all We're going to focus today particularly on fitness and health data because that's what is we believe likely to be used to prosecute pregnancy outcomes and I'm sure there are a lot of people sitting here thinking about all these other laws that might exist to protect this data So what about HIPAA particularly? We're thinking about health information or what about the stored communications act Which prohibits disclosure of electronic communications or what about some FTC protections consumer protections a Lot of those laws do exist to protect disclosure of your data to certain parties a Lot of whether or not that material sorry those laws actually protect the material we're talking about is a gray area Whether or not HIPAA applies to any of this stuff is a gray area But ultimately every single one of these laws has an exception for the government to get a search warrant When investigating a crime The power of the government in their law enforcement capacity is unmatched and as long as they can keep expanding the Definition of what a crime is and who can be labeled a criminal they're going to keep expanding their ability to invade people's privacy and collect data So typically we're going to do a criminal procedure one-on-one today in a way that's going to annoy every other lawyer in this room Typically to get this data the government needs a warrant the warrant process is a complete mystery to people who don't deal with them Every single day so I'm hoping to lay out the process in broad strokes the requirements for what the government needs to get a warrant Show you some examples of what it actually looks like in practice and talk about the failures of the application of the fourth amendment to digital data And later we'll touch on a couple of remedies that we think would help here The data we're focusing on today that Allison has tested and is going to show you later comes from one of two sources It either comes from directly from a cell phone a mobile device or it is coming from the cloud It's going to be app data that is stored in the cloud that is also available on the phone There are reasons that law enforcement might pursue Getting the data from one place versus another I've laid some of those out here for reference, but either way they do need a warrant So what is a warrant? The fourth amendment requires the government to get a warrant to search anywhere where you have a reasonable expectation of privacy So the idea is basically the cops cannot bust down your door Without having some sort of proof some sort of oversight some sort of process to that The way it actually works is a cop or a prosecutor will write out an affidavit of facts They will then take those facts and draft an order that lists what they intend to search They will go to a judge. They will go to court and when they go to court, they're not doing this open and public on the record Sometimes there is a court reporter taking down some minutes, but this stuff is done in private There's nothing on the record about it It's done in private in secret. They get the warrant and order signed by the judge Theoretically the judge has reviewed the warrant to make sure it actually lives up to the requirements of the fourth amendment And then they go out and execute that warrant within a certain period of time The legal requirements for a warrant Are up there and the first thing they have to do is actually connect the thing that they want to search to the crime So they have to connect the phone to the crime They have to be really specific about what they want to search and where they want to search And they have to justify every single one of the places that they want to search The warrant can't authorize searching more than what they have justified So what this looks like for a house using the example I think that we that most people are like can understand is usually they're going to search a house for drugs We're talking about like long-term drug investigations So a there will usually be a couple of months long investigation that will be laid out in a warrant factually It will say I officer so-and-so Have been involved in a three month long investigation of X individual We made three controlled buys using a confidential informant and an undercover officer One of the ten of those buys who knows however many it is took place inside of this particular house And when I was in that house I watched X suspect walk into the second room on the left and he came out of that room with drugs and then I Exchanged us currency for drugs. That's how they lay out the specific facts of what they're going to search when it's a drug case So that's how it works for a house and most of our fourth amendment law grew out of the idea of How we think it's appropriate for the government to actually search your house But unfortunately using that analogy in court when they've tried to apply this to digital data has had some very severe limitations So mainly I think understanding how limited the law is in the digital realm You really have to understand how slow the law moves and I think Probably everybody here understands that the law moves a lot slower than technology But I think it moves even slower than you could possibly imagine in 2014 Less than ten years ago. The courts were still debating whether or not you had a constitutional right to privacy in your cell phone in 2014 we had the iPhone 6 you could unlock the iPhone 6 with but with a biometric Fingerprint and we were still trying to decide whether or not you had a right to privacy in that device So in 2014 there were still places in the US where cops and prosecutors were just searching people's phones without warrants without any Judicial oversight just because the person had a phone on them when they were arrested It took until 2014 for that issue to get all the way up to the Supreme Court So that they could say something that probably feels really glaringly obvious Which is you have a fourth amendment right to privacy in your phone and That right to privacy has still not been applied to a lot of digital data In 2023 the courts are still debating whether or not you have that constitutional right to privacy in data that exists on the cloud Okay, so there are problems with warrants Full stop a lot of those problems have become more glaring as we see more warrants for digital data The first one I'm going to focus on is that kind of allows all of the other problems to exist is the complete lack of Any sort of real oversight or scrutiny of warrants? I'm sure there you know You've heard the saying a prosecutor can indict a ham sandwich a prosecutor can also get any warrants signed by any judge Any time they want pretty much so Let's see how this plays out in practice. These are all examples of of real warrants that I'm going to show you like real warrants that were executed where people's data Was obtained the first thing they have to do is connect the thing to the crime They have to connect to the phone to the crime the phone has to actually be involved in the crime somehow So This is what we were seeing for a long time and what we actually still see This is boilerplate language that is part of every single cell phone warrant in New York City So like the facts that were attached to this warrant was essentially there was a robbery We investigated a robbery we arrested somebody for that robbery and when we arrested them they had a phone on them and This is why they said it was okay for them to search the phone because phones commonly do stuff and have information on them So for at least the last decade the connection to the crime in every single phone is this same language That really amounts to phones do stuff and I want the stuff that's on the phone. There's nothing specific to the case There's nothing specific to the crime. They don't even bother to make it specific to the device that they have seized in the case It just says target device in every case that could at least take the minute to change it to say Android or iPhone and make something more specific But that's it Here's a better warrant In this case, they found a phone on the ground where crime was committed They do not know who the phone belongs to they do not know how the phone is related to the crime It was just there on the floor And if you read through this it's they want to search it because they know that people use cell phones to take selfies People use smartphones to communicate with other people and it may provide evidence of electronic communications. I mean This is circular reasoning It's them saying I have probable cause to get into the phone Because there might be information on the phone and then I'll let you know what I found on there that actually makes out probable cause This is an example of a really troubling thing that I a more troubling thing I see in the digital Context which is there's a really basic concept in criminal law that you can't interpret something that is innocent or innocuous as being Criminal or nefarious without there being some sort of additional facts So a screwdriver is a screwdriver Until you have a reason to believe that that person is be using the screwdriver as burglar's tools So if I have a screwdriver, and I'm just walking down the street I'm probably going to work if I am stopping in front of every door and like fiddling with the screwdriver in front of a bunch of Doors, I don't have the lock tube that might be additional facts that might turn the screwdriver into a burglar's tool That has never been applied in digital warrants in any real way There's so many warrants that have this language about people involved in criminal activity frequently have Conversations regarding their criminal activities on various social networking sites If you are a person who actually does this please stop so They're not supposed to do this They're supposed to have a particular reason to go into the phone This is the equivalent if we use the house analogy of saying I know that people involved in crimes live in houses And so I should get to search the house But phones really easily go from being an innocuous item to being an instrument of a crime When is it in the hands of somebody the government has labeled a criminal? Sometimes the warrants get a little bit better Sometimes cops claim things like they can see the glow of a cellular device on a pixelated video from public housing in the middle of the night Sometimes those same cops don't bother to put the phone in airplane mode or into a Faraday box a bag while They're sitting around in the station even though they all know perfectly well that there are protocols in place for proper evidence collection So they're not doing a great job connecting the device to the crime How are they doing at limiting the search the second thing? So the really the very simple house analogy again is if I'm going into a house because I think you stole 56 inch TV I cannot open a drawer the TV can't fit in a drawer. You can't open the drawer So this warrant these are I'm not cherry picking these warrants if there were more facts in this warrant I would have shared them. This is it for the connection of the phone to the crime So taking as true That what the officer saw on the video was the defendant holding up a cell phone in a manner consistent with taking a video or photograph Then yes conceivably they would say it's okay to search the phone to look for images or videos That might be related to the crime But they then add this little piece about how they're going to go ahead and also find some stuff about the defendants motive Those three sentences authorized this search And if you look at this list and it appears to you as though it is a bullet pointed list because it is limited It is not it is the whole phone. It's a really Sort of pretty way to pretend. They're not searching the whole phone It specifically authorizes Searches of things that have no relation to the two things they mentioned which was photos and videos and motive It's just a list of everything on the phone and again. This is also boilerplate This is the same language attached to every single warrant. So it is not specific. It is not Specific to that crime or to that investigation. This is the language attached to every warrant So in every warrant for every crime they are asking for the calendar entries of everybody's phone Another interesting thing that happens with digital warrants for digital data is That they kind of tend to leave a lot of information out So here they want to look at the entire contents of a Facebook account Because somebody told them their stolen phone had been sold on Facebook I am hoping that in the course of this investigation an officer actually opened up Facebook and saw it or that this Person showed it to the cops, which means the cops know exactly where on Facebook that thing was posted They know if it was posted on that person's timeline. They know if it was posted in Marketplace But they don't include any of that the way this typically plays out is they'll say I was investigating a crime and the person Involved showed me some messages communications that were sent from one person to another And they'll say that I therefore should get to search the entire phone's communications If the cop looked at the phone Then they know that those messages were sent using WhatsApp or Instagram or the native messaging app Or iMessage they know they don't put it in the warrant because then they would have to be limited to searching that area instead They leave these things purposefully broad Sometimes they don't bother pretending they're limiting their search at all And all of these examples these aren't like it isn't like this is an old one and they've gotten better This one is just as recent as any of the other ones Just going to search all the data Every single example you just saw was signed by a judge Every single one every single one was executed Every single one had somebody's entire facebook or entire phone extracted in the hands of a prosecutor So we're going back to the problem. So let's talk about the second problem, which is After they go to a judge and a judge signs it which is secret There's not Anything you can do to challenge it There is actually no legal mechanism for you to stop a search before it happens Um asterisk there's really very limited limited situations where you can challenge it So even if you knew it was happening, they don't have to tell you they're getting a warrant for your stuff There's nothing you can do So if you have ever been on the receiving end of one of these nice emails from facebook or google that says The government has served us with a warrant. We're about to give them your information. You have 10 days to object It's nice that they think you have an ability to object. You do not you have there's nothing you can do Now i'm going to let allison show you what it looks like. All right, so I have my legal request My judge has signed my warrant. I'm the law enforcement or the government official I have to get the data off the phone first So what they do is they have mobile device forensics tools You've probably seen them in the news before but basically this map is trying to show you that Most agencies in the u.s. Have access to these tools that can copy data and analyze data from devices If they don't have access to the tools they can cooperate with another agency who does so they might work with a computer forensic You know a regional lab or they might work with the fbi or someone you know from another police department and get the data off And these tools we have access to them too at legal aid You know we have our own digital forensics lab, which is great for our clients But I will say we don't get access to all of the tools There are certain Features like advanced unlocking capabilities like if we have a phone where our client doesn't call their passcode Where we aren't allowed to purchase that tool We also might not have access to You know getting more files off of an iphone like a full file system from an iphone That's not eligible currently for any you know main jail breaks These are things that are sold to law enforcement and government agencies that public defenders don't have access to And you're probably thinking like okay. Well, it's a phone hacking tool They probably want to make sure that it's handled responsibly, right? Well while we seem embargoed from purchasing it's internal cyber security can purchase it Private businesses that offer digital forensics can sometimes purchase these tools. It's really just us And um digital forensics has bias like any other field it's subject to you know Things not being 100 accurate because you have to form an expert opinion about what you're looking at And research a couple years ago showed that when you provide investigators with background information about a case They can form different conclusions about that digital evidence. It's not just zeros and ones You know, it's not just this yes or no binary data People are forming their opinions based on their background info of the case And so it's really important for public defense to have access to these tools And what these tools do is they just copy the phone So they get a phone extraction, which is just whatever they can get based on the scope of the warrant or technical specifications on the phone So the phone operating system can influence this security settings on the device And basically these tools will you know, maybe cause the phone to do a backup or they might side load an app Or they might use a bootloader to get files from the device They use a variety of these different methods Sometimes in combination like a Hail Mary to get the data off and prepare it for court And you're probably thinking now well my data is secure. I use a passcode. I make sure I keep everything locked down I Install all my security updates. That's great. But when you get arrested and they seize your phone They're not immediately trying to pull the data off What they should do is secure it like Diane mentioned put it in airplane mode Put it in a Faraday bag just to like prevent anything from getting tampered with or over written But a lot of times these phones aren't getting looked at until they've been kind of stowed away for a few months without getting security updates So that leaves them even more vulnerable to whatever these tool vendors can provide to break into them And another thing to point out is that there's a social engineering aspect to interacting with law enforcement in the government If one of our clients is brought in they it might be insinuated to them That if they cooperate and they give access to their phone and their pin code It might look a little better for their case They probably don't have the understanding of how much data that law enforcement can get because as we're going to see shortly It's more than just what you can see on your phone sometimes And in addition to that i'm sure we're all familiar with that trope of like you get arrested you get your one phone call Well now it's kind of like unlimited phone calls depending on which police department you get sent to Because they are sometimes being trained to give you your phone back So you'll unlock it so you can make your phone call and then once the phone's been unlocked after restarting They have access to more data without necessarily even needing to know the pass code And so these extraction types these are the different names of them They go anywhere from just having to take pictures of the phone if they can't get access to it They might be able to see notifications on the screen All the way to maybe getting a physical copy of the data now The physical data is not as usable these days because of encryption on phones So most often we see a full file system copy or a partial file system copy that You know, it's not just getting text messages. It's also getting some background databases and log files And so when we hook up a phone to our tool, um, this is what it might look like I have a couple of tools up there. We'll change some settings on the phone. So it's not fully forensic We have to document this And then we attach it to our tool and it'll sometimes auto detect the phone and say yeah We can do an adb style backup of this phone, you know, use the debugging capabilities to break into it Maybe there's an Exynos chip vulnerability We can throw some stuff at either phone and break into it that way And we just sort of set it and forget it get this beautiful log file and a tar and zip of user data iPhones actually have a really large amount of data you can get from them just from doing an encrypted iTunes backup So a lot of the tools basically just do that And maybe add a couple more things in there We also have a screenshot here of a tool that I really like that we use that does Like a side-loaded app full file system extraction for iPhones that go up to nearly the latest version You know, it's not the most up-to-date version of iOS But they do frequently update it and you can get things that are you know sensitive from the phones And this brings me to a sort of dirty phrase in our industry called push button forensics You might see if you follow any digital forensics people They talk about this and it's a bad term because it's insinuating that The government police investigators are script kiddies They're just throwing stuff at the phone and not understanding how it works And that can be a problem because they might not know how to properly interpret the data or they might be missing something Or you know in the case of warrants if you do happen to have a specific legal request Maybe they're not fully executing it correctly As I mentioned there's bias. That's an issue. So if you don't know how the tool works You're even more susceptible to maybe not looking for the esculpatory data I mean these tools are software. They have bugs in them I myself over the years of doing digital forensics have had to report bugs where I say Hey, there are like a bunch of emails that are definitely in the data that I looked at the raw data and they're there But your tool isn't interpreting it even though it claims it does So if you don't know what you're doing you might say, oh, there were zero emails on the phone or something like that I will say push button tools are great because they do help with backlog of digital devices And they save me a ton of time. We're gonna look at them. They look so pretty with their GUI But those are concerns to have So we take the data off the phone and we load it in and here's what it might look like This is one of the tools we use. It'll break the data up into the categories it understands So you can get anything from communications Location data even passwords, which is really scary And I do want to point out that the number that you see here next to the artifacts You know the types of data that it found is very low because this is test data This isn't a phone that I had on me all the time I was only testing it for a couple of months. A lot of times these numbers are a lot higher Here's another tool we have that interpreted some data and so in case we forgot we're talking about pregnancy outcome cases This is something that might be interesting if you're doing an investigation as the government This is a cached video file from tiktok. So as this user was scrolling in tiktok. They looked at some videos about How a medication abortion went and this tool easily pulled that out Has a date that could be associated with when the user watched it when it was downloaded to the phone Says it's from tiktok and shows you these wonderful little screen grabs of what the video consists of The same tool also can parse ios snapshots They're these ktx files that when you're trying to change apps on your phone You know you get that kind of carousel of little screenshots So those get saved on the phone and they can reveal basically the last open screen of your app And so from this I have a search term in tiktok for abortion medical pill I also have two open screens of messaging applications So it's not all the messages from these two messaging applications But it is the last open conversation that you can review Apple health data from the phone. There's another tool that parses this really well It's basically anything the user entered to try to track their own health in addition to some activities data like steps heart rate things like that And interestingly enough this tool already parses Dates of menstrual cycles as well as sexual activity So we have some dates that the user logged where they used protection They engaged in a sexual activity and we also have information from the flow app So this was apple health data because the flow app Was communicating with apple health. There's a second copy of it there And i'm not just picking on these tools. I'm actually going to show you sort of the source data That's usually the next step when you're a digital analyst if you're doing your job right is you validate the tool You say all right, I've got this very pretty report and it shows me these dates of menstrual cycles I should make sure this data is right and so then what we do is we go into the source data That was copied from the phone and look into usually just a bunch of sequel light and realm databases And here I've got the apple health data and it shows that same information the body mass The period cycle length things like that and i'm not just picking on iphone The data highlighted in red was not interpreted by our tool But when I looked at the source data, I found samsung health data as well that showed this sensitive reproductive data So from here, we're going to start just looking at source data because these tools aren't understanding Like menstrual lifestyle tracking apps out of the box right now And I did do kind of a survey of some of these apps So if you're a person who has a menstrual cycle, you might use one of these apps to You know manage your health for many reasons and one of the popular ones is flow So I installed flow on an iphone and android and from both of them. I was able to get access to databases that show Dates of menstrual cycles as well as moods that the the user logged and this is something we never want to see as public defenders The mood feeling guilty logged and the date of that I mean we all get anxiety. This could be something that's totally innocent But this is something that's shown in the database We also have an activity of travel and that was in the flow databases on the phones This is from the samsung. I installed the clue period tracker and calendar and the database there also had Dates of menstrual cycles with some additional information Something really interesting there is that it used crash logging. So the last open session is Written to a log and it describes what the user did there And you know if the app crashes it's going to send that off for improving the application But what this particular log said is that the user changed their tracking mode from pregnancy to period Now i'm going to be upfront and say that was a user error while I was making test data I accidentally hit the wrong button But if you're looking at that without that content text that looks kind of incriminating the pregnancy to period tracking We also have again sexual activity logged here withdrawal method unprotected sex and The fact that this user was planning to conceive The cycles period cycle or period app tracker Has a passcode feature. So you open up your phone. You have a passcode for that You also have to enter a passcode to get into this data But when you copy it from the phone that passcode is a non-issue. It's just in the database It's really just sort of a gooey pretty password like a diary lock And here again, I have dates of menstrual cycles that I was able to get by querying the SQLite database just plain as day in the Z menstruation log table Period tracker period calendar has a passcode on it as well same thing where it's in the database This one does have a neat feature where if you enter the wrong passcode, it shows fake period data So like if you're being Interrogated by the police or a partner you can enter a fake passcode And show fake data But if the police were actually to get a copy of this phone, it's written in fake dot db So they'd probably just look at the correct database and get dates and times of menstrual cycles As well as we have a positive pregnancy test logged here and some notes the user made about their health It says get you know medication and it also says that they looked into travel and that they logged this pregnancy The uki app also has a passcode and when I copied that data I was able to get a appointment that I had logged there with a doctor as well as a time stamp for that appointment So you can read the summary slide on your own basically If the data is on your phone, then you can get it off when you copy the phone So Um security is great But like once you get the passcode or once you break into the passcode if you have one of these password tracking tools The government can get access to this data. I'm going to close with this last piece of artifact Which is a p-list that I got from one of the phones That shows search terms entered into tiktok for planned parenthood And you're probably also thinking like well wait dummy. It's not on the phone. It's in the cloud Yeah, there's a lot of data in the cloud. There's a lot of data on the phone Some data is copied to both locations or not at all I'm going to show you some technical examples of the cloud data But dianne's going to talk about how the law gets a little bit tricky here as well so The second place that um law enforcement can get the data they're looking for is from the cloud It presents some complications um and whether Not only in what the government can actually get with or without a warrant But what you can actually do to challenge it So why does this matter? I mentioned earlier that you can't challenge a warrant before it's issued You can't stop it from happening. So when you do challenge them as you challenge them after once the case is in court Once the data is being presented or is going to be presented against you in court That's when you have the opportunity to engage in the actual adversarial process and challenge that data from being used Except for when it comes to cloud data So when the government gets a warrant for your cloud data They are typically doing so because they are required to by the stored communications act Which prohibits disclosure of content By an electronic communication provider So there's two different concepts here There is the constitutional right that the supreme court has to say you have a constitutional right to something And then there is the government getting a warrant because a different law told them to So the government here is not getting a warrant for your cloud data because the constitution said so They're doing it because the stored communications act said so The stored communications act also doesn't require a warrant for all electronic data. Just content So non content can be obtained without a warrant. This is a non exhaustive list, but this is essentially content versus non content um, so again Just to kind of show you what they can actually get with content versus non content This is an example of a warrant that was made public last year This is from the case in nebraska where the mother and daughter were being prosecuted for the daughter's medication abortion The law enforcement there got a warrant to go into the facebook account because they had been shown relevant facebook messages And they limited their warrant limited in quotes to these five categories, which is the entire facebook account And if you actually look at this closely Category a basic subscriber information. So that's when you sign up and you write your name your email address your phone number, etc The government does not actually need a warrant to get any of that Um, I can get it with a subpoena. It's not protected by the stored communications act They also do not need a warrant to get the ip logs Which is particularly troubling to me because ip logs do provide location information Which is something the law has recognized as being private, but at this point court after court has said It's fine. They can get your ip logs So if you can't challenge the search before it happens, you have to challenge it after In order to even challenge a search you need to have the constitutional right to privacy in the thing so If you don't have a constitutional right to privacy in the cloud, you can't challenge it Why do you not potentially have a right to privacy in the cloud? It is because of a very old 1976 legal doctrine Called the third party doctrine which was literally from a case about the phone numbers you dialed into a rotary phone And that theory was basically if you give your information to a third party You no longer have a right to privacy in it. This is actually the problem That was dealt with a few years ago when the government was getting warrants for people's cell site location The idea was well, you don't have a right to privacy in that because you're giving that information to a third party That went to the supreme court and they said no just because you gave this to a third party Does not diminish your right to privacy in it. We have not gotten there yet for the cloud What is particularly ironic with the cloud is that the stored communications act in 1986 Which was really ahead of its time was passed to give that stuff a fourth amendment protection But because it hasn't been recognized constitutionally You potentially cannot even challenge that data being used against you So the stored communications act forces the government to get a warrant for the data And then the third party doctrine deprives you of the ability to actually challenge the use of that data And that's again, that's again a jurisdictional problem because the supreme court has not spoken on it Depending on where you are charged where you are being prosecuted will change whether or not a judge will actually hear your challenge to the warrant so This problem always becomes very funny in new york city because I can Challenge a warrant in Manhattan and have a judge say That's fine. Of course you can challenge this warrant Of course your client has a right to privacy in their cloud data I can go across A bridge to queens and a judge in queens will tell me that my client does not have a right to privacy In their cloud data and deny listening to the motion at all So where you are actually being charged will often define whether or not you have Any rights and what those rights might be And the last thing i'll say about that is It's interesting because the data we're talking about is the same data So it came off your phone. You can challenge it, but if it came from the cloud you can't challenge it It's it's really nonsense Allison mentioned earlier a little bit about we can't buy certain things or companies won't sell us certain things But they will sell them to other people There's an interesting twist on this that came out of you know, the stored communications act existence Which is the major online service providers are not interested in really running a fowl of that law And they're very interested in keeping their friends in law enforcement happy So they want to make it as easy as possible for law enforcement to get them warrants and then to provide them with The data in exchange for the warrant. So they have created these nice law enforcement online request portals If I had a Dot nypd dot nyc email address I could just upload a warrant there and facebook would say great. Thank you so much and give give overall the data but I An attorney practicing in new york if I try to get this data for facebook There's no fancy portal for me if I serve them at their headquarters not headquarters. I'm sorry They're off gigantic office in new york city. They will say i'm sorry. You have to serve this to us physically in california which To very quickly explain is if you are not barred to practice law in a state It is really difficult to serve process on somebody in another state And then I wish that that actually got us to getting the data from facebook Even if we managed to go through the very burdensome expensive Lengthy process of serving in another state facebook will drag us to court over and over and over and over again It refused to turn over the data anyway So if your liberty is at stake you cannot get the information But if you want they want to prosecute you facebook gives them a really easy way to do it I picked on facebook on purpose All right, we are running short. So i'm going to zip through this but um The cloud data it's very similar to what you get off the phone Except actually it's a little bit easier to read a lot of the times because the providers make a beautiful little report for The law enforcement investigators So these are actually more like dramatic reenactments of what that would look like These are from like my own personal data download requests of you know test data and my data So we can see again menstrual cycle data sexual activities from requesting data from cycles Alexa transcripts and recordings voicemails where I have one where a health care provider identified themselves to me Searches and social media and on google and then a couple of interesting google tidbits So some of you might remember last year when google was talking about how they were going to scrub sensitive locations From their location history because of this whole dobs situation Well, I I did go to a gynecologist this year and I looked at my location history and they were there Now I don't think they provide Terminations of pregnancy, but I do know they offer emergency contraceptives and some pregnancy counseling So I was kind of surprised to see that there Sort of part of the whole timeline of the alleged crime if you think about it Another unexpected thing that was fun was my autofill data in google I had filled out a form for this doctor and where it says redacted I'd actually put like a whole little conversation I wanted to have with them about you know blood work medication all the things you talk about with your doctor And it got saved because it was entered into a form with the exact time that I submitted the form And that was in my autofill data in my cloud data Diane had mentioned the whole like not even needing a warrant for some data This could be concerning if you're using a lifestyle tracking app And maybe they're getting ip logs from you because you might use that menstrual tracking app A certain number of times a month and only on specific dates And so if you get ip addresses or ip addresses and dates and times that that's sort of indicative of something But if you want to investigate that you can look into any privacy policy and see what they might return if the government asks them for your data Another dramatic reenactment are ip addresses that you can see in your own accounts So in this case my google email and my facebook showing what device I used my location when I logged in My ip address you know really sensitive information honestly if you're doing an investigation And here's some actual client data. So this is a subpoena return Where it's showing the information about a facebook and instagram subscriber Along with dates and times of these logins So in summary it's in the cloud and arguably maybe even easier to get Um, and then we do have some recommendations of what to do So I think two really easy things that can be done to fix this problem is One there's no reason that these applications have to be done in secret anymore And there's no reason you shouldn't be able to challenge them before they happen So because this the analogy to the house is they used to not give you a heads up They were going to come search your house because you'd flush the drugs down the toilet That's not true about digital data Usually what has happened is you have been arrested your phone has been taken and your phone is sitting in a locked In a drawer somewhere nothing's happening to it the data is not going anywhere There's no reason that there cannot be some sort of actual litigation some sort of adversarial process For you to stop the government from even getting into your phone There's no reason We can do away with the third party doctrine because frankly the To not give your information away to a third party at this point would just require you to opt out of modern society And that's just an unreasonable. That's an unreasonable way to claim that you have that what you need to do that to have a constitutional right to privacy From a technical standpoint if you are an investigator for the government You know these tools do offer ways to narrow your search or narrow your extraction Some of them don't work well or consistently or in ways that you would expect So hopefully those tools will get better But an easier thing to do is to start to you know Have taint teams have a team that is not biased that is not you know directly investigating the accused person Get a specific set of information to look for you know dates and times of events or Communications with this particular individual you know not just go on a big fact finding mission in a giant hump of Hunk of sensitive raw data So in conclusion, I mean this data is on your phone if you use a phone if you use the internet There's going to be data that can show that you've committed a crime Whether or not you've committed one or not or whether or not you respect the crime you're being accused of There's flawed security and technology Phones are almost always going to be vulnerable to these exploits that these software vendors provide And there's also flawed security in the law Diane mentioned the fact that there are these loopholes where it's like Yeah, you can do all the great technical things to Keep your data safe, but your device is compromised when it's in the custody of law enforcement Legal privacy protections are lacking especially when you're being tough on crime So it's something to keep in mind because it's easy for us to all kind of side with the accused criminal When we're talking about someone with a pregnancy outcome and we're you know of that political sphere But these same Overbroad searches and violations of privacy are being applied when they're hunting down murderers or burglars or accused shoplifters or assault or anything where you know that person does have You know an expectation of privacy and they also are innocent until proven guilty But they're still getting completely looked over and having all their sensitive information turned over to the government So ultimately all dobs has really done is extended the government's ability to invade more people's data because they have More people that they can label criminals So every time you think it's okay for the government to have an exception so that they can go get a search warrant Think about how they could just keep extending the definition of what a crime is and who a criminal is And how quickly that could end up being all of your data in the hands of the government We have some references if our slides are on the media server. There's a lot of reading material on this Yeah, we even have references for our references just like inspired things that we didn't necessarily pull on and we're also here to talk So thank you