 feel free to interrupt me if you have questions as I go I'm going to review sort of the basics of mobility law I realize everybody's not a lawyer here so some of the definitions can get a little labyrinthine and difficult slow me down if I'm talking in too many acronyms and ask me to explain I'm used to more of a legal audience than I am a lay audience so forgive me for being a lawyer less than a and not a public speaker for a wider audience I try but I don't always succeed Chris's paranoia is well founded I have to say I love Boston I got a ride from the airport last night with a cab driver who asked me what I was doing here and I said I was coming to speak to the Berkman Center about mobility and location law and he said you know that's really interesting but I don't know why anybody cares about that because I know we all have chips implanted when we're born and everybody's tracking this anyway so just so you know you can be a cab driver after this job and probably make more money at it too right yeah well you know when he put the foil hat on I really knew he was absolutely serious I'm gonna cover a couple of topics because we don't have a lot of time to get get really too deep into the weeds here but I'm gonna focus mostly on location technology but it does overlap more with surveillance law in general and some constitutional law fourth amendment issues I'm gonna try to level set us on the technology so we have a common lexicon when we talk about mobility and location information give you a little bit of background on the history and how we got to where we are in the current debate and then give you some perspective on the future at least as I see it on on where law is going with location I have a sort of a unique perch I started representing macaw cellular in the early 90s one of the very first cell phone providers and there's an old adage in baseball if you're fond of field of dreams it's in Craig Macaw was fond of quoting this if you build it they will come and the surprise was the they wasn't the customer it was the criminal so the first customers they had were the people who were stealing service and in some markets it was as much as 70% of the carriage was due to fraud and this is the old analog world where cell phones had no security built in where you could easily with a bear cat scanner and Timson software you know somebody shaking their head because they have this on their laptop right now you could just scan that information yeah not as useful and you could reprogram a phone and you could clone it basically and pretend to be somebody else and a lot of our early efforts at the company were were dedicated towards combating that kind of fraud so we would go out and we would look for call cell operations which basically was somebody standing on a corner who had cloned a phone and was selling service to make long distance calls to foreign countries for five bucks a minute to some poor guy who wanted to walk up and didn't didn't have a phone of their own and that was huge business and it was obviously huge revenue loss and so we developed tools to find them we drive around lower Manhattan with a cell site analyzer on top of a van and look for these operations triangulate the signals and pull up call the police and have them arrested the second day that would show up once they understood the capabilities we had were all the three letter agencies who wanted to learn the same techniques and indeed employed those same techniques so if all of you remember who Kevin Mitnick is famous hacker he was actually caught through location aware technology he had a wireless modem he was using to hack into carrier switches and make his long distance phone calls and internet access and do his hacking through that wireless modem he was tracked with the cooperation of a carrier in the FBI to to the place where he ultimately was arrested using a trigger fish device which is a device that measures the assist in measuring the various signals from multiple points in a cellular network and much like a dividing rod looking for water you can zero in on where the signal is coming from from the handset or wireless modem and so all of this was really the the infancy of location aware technology for surveillance in in the nineteen nineties well those capabilities coupled with the migration in the cellular networks from analog to digital put law enforcement at a real disadvantage they didn't have the capabilities we did they wanted them we said no because it costs too much money to build in that kind of capability so in nineteen ninety four they went to Congress and demanded that Congress pass a law it actually was nineteen ninety three was the first attempt but in nineteen ninety four they succeeded in passing the communications assistance for law enforcement at which for the first time ever required carriers not just wireless but all carriers to bake in to their equipment surveillance capable technology so that no longer would you need a pair of alligator clips in the line outside the targets home to climb up the telephone pole and hook those alligator clips up or to go down into the basement of the building in the tried and true method that is far back is is the phone was invented law enforcement used you could now do it all out of the central office of a carrier with the flip of a switch so you send an order in and say we need to wiretap individual x and you will automatically provide us the content of that communication and the call identifying information about that particular call in those debates one of the serious privacy issues raised in the testimony before congress was whether or not the government sought to have tracking capability for wireless phones included an FBI director Lewis free submitted his written statements saying in in no way shape or form does the government want tracking it is a privacy red herring being you know promulgated by a bunch of paranoid zealots looking at Chris and the statutory structure at the time in the compromises made by law enforcement in getting the legislation passed seem to support that conclusion first in Calia we separated basic subscriber information that the government could get on a mere subpoena your name your address how long you had the service and the types of service you had from other network information like location information which tower was serving your call we put them into two different buckets and for the first one the basic stuff we said all law enforcement had to do is come to you with a grand jury subpoena which you know you know it's like ordering a ham sandwich at a lunch bar you simply walk in ask the clerk for a subpoena and you go out and you serve it no judicial review and instead for this other category which included location we said you need an independent judge to review that that information is needed and the standard the judge will go by is a higher standard than a mere pen register the standard will be specific and articulable facts that the information is relevant to an ongoing investigation judge has to make an independent determination based on an affidavit from the requesting officer and then in the second part of Calia we said that location information will not be available solely on a pen register order and that word solely is important in the statute a pen register is the dialing and signaling of you making a phone call so when I dial your phone number each one of those pulses can be captured with a pen register in real time automatically on a standard that is very that is really low a magistrate must a magistrate shall issue a pen register order when the requesting officer shows its material to an investigation arguably no discretion the judge simply issues the order tells the carrier put the pen register up so coming out of Calia there was a general sense that location information was not covered prospectively for real time surveillance now all of that is interesting language and sort of loaded I have a lot of terms in there so I want to break it down into kind of the network information when I talk about location information and network there are a number of various sources for that information every time you put your phone on right now if your cell phone is on it's registering on a tower and that tower is in the carrier's back end authenticating you as a user it's saying you're a legitimate customer who can use my system and I know where you are in order to route and deliver the phone call that's recorded automatically now you're not making a call I just know and record your availability on a particular cell tower that information generally is ephemeral it's only stored for a short period of time in the carrier's home location register now I make a phone call is because of the history of how carrier networks were created and licenses granted the location information the tower handling your call was automatically recorded at the beginning and end of that call why because it not that I'm dating myself here but in the early days of cell phones when they were bricks you only had local service and you were roaming in other carriers networks in there was compensation paid in order to be carried and so to figure that out they registered you on a particular tower and looked at that information to determine who paid who what so historically as part of the call record of every call you made we kept location information in the system so that's still there and it's still recorded what's more because systems for billing are subject to disaster and diff and problems and either a local level or or a national disaster carriers back up their switches every day and so the raw data which includes the registration information on the tower is stored for whatever the disaster recovery plan is for the carrier some it's shorter some it could be indefinite now that you mean the information of every phone that's on simply the towers awareness that that phone is there and can potentially route traffic to the call details information so when a call is made location associated with the call so that information stays historically there's a second component outside what I'll just they'll call that network information and that's the information carriers have developed for purposes of 911 service many carriers have GPS capability built into their systems that GPS is not part of their network infrastructure and as a result of GPS being built into phones everybody know what GPS is right there we could pretty good sense of it as a result of that being built into phones now third-party providers have come along and leverage that information to make location-based services aware if you're a Google Maps user you can just call up the map and it tells you where you are that's because when you downloaded that and you inquired for a map the coordinates of where you were located is captured by Google along with a cell ID that's serving you so Google makes a database of all of that information this is all well described in in how mobility works at Google Maps you can just read this if you care to know more technical detail so now I have a third party who has all of this his this historical information and of course Google is not retaining logs of that but nothing prevents a third party application provider from doing that so there is a historical collection of location information that's available from various resources within carriers and third party application providers then there's a second set of data that I would describe as real-time data and that simply is the fact that I know you're on your present I know what tower is serving you and even if you're not making a call I can initiate a ping to your phone if I'm a carrier or a third party application provider and know where you are precisely so a one time method of determining your present and where you are and then there's a third category that I would describe as prospective and that is is the the aggregate mapping of your movements and you see this many department of transportation's are experimenting with this to determine speed and direction on highways using cell phones as probes so I can map where you are and where you're going over a period of time so three categories now back to Kalea Kalea only dealt arguably with the historical aspect of that Louis Free said no tracking not what we're interested in but the historical record arguably was something that could be gotten as transactional information under the modification of the Electronic Communications Privacy Act that I described for lawyers that's 18 USC 2703 is the section so what do we do about prospective and real time out of Kalea carriers had to develop a standardized means of delivering the surveillance information Congress said you can collectively as an industry get together and develop how you're going to deliver location and other information for surveillance and if you comply with that the government can't sue you for failing to meet Kalea's requirements so industry convened a would turn out to be a four-year standards development process where all of the manufacturers and carriers got together with law enforcement to create a standard for delivery and it's important for law enforcement because they had to buy collection equipment to receive all of that incoming stuff and so you want what's sending and receiving obviously to talk to each other location information was a major debate in that process for four years we sat there we had law enforcement and what one occasion I'll never forget pull out a weapon slam it on the desk and said you're aiding terrorists if you don't give us this prospectively and we said you're entitled to it retrospectively you're not entitled to it prospectively we didn't view Kalea is requiring us to track in fact we thought that's what the FBI said you didn't need or you didn't want ultimately that just case the standard was challenged both by law enforcement and by privacy groups and in 2000 the court determined that the way the industry handled location was proper although it didn't articulate what standard was necessary to obtain location so what do I mean by that here's what we did in the compromise in the standard setting process we agreed that location would be given at the beginning and end of a call as a conditional parameter in the message set for surveillance sent to law enforcement on a pen register provided the government met the proper legal standard so if they came to us with the right type of order you would flip a switch and outward go location information as part of the pen register at the beginning and end of a call nothing else not registration not prospective tracking only location when the person was making a call at the beginning and end of that call notice I said not in between because if a person is talking and they go through multiple cell sites and stuff we weren't going to give them a map a tracking map either the court said that's fine that's the appropriate standard that the signaling information obviously under the way Kalea was written was intended to be provided to them as part of that calling information but the court punted on what the appropriate legal standard was thank you we know where you are who you are and if you don't I'll just flip the switch so we can listen to the call it is being reported it's in it's in your bag all right so where do we end up we end up with a system of delivering location baked into the wireless carriers network but uncertainty about what legal standard is required to force its disclosure we immediately started receiving orders from federal agencies as part of the pen register request and for those of you haven't seen an order it's it's nothing magical it basically says carriers providing service to this customer shall provide a pen register and then they'll list other information in the order it's it's as I said nothing magical it's a form yep yes pause me the standard that you would give location at the beginning end of the call is that interpretation of the text in Kalea or something else yes so it is language in Kalea that points towards this if not explicitly my question is how explicit was Kalea about so the standard was to be developed by industry to meet the assistance capabilities of Kalea the assistance capabilities really are two-fold they're really four but only two really matter here the ability to intercept the content of the communication and at the same time we're immediately thereafter the call identifying information that explains the incoming outgoing direction and redirection of a call so essentially the routing of a call that set of language those four elements were greatly disputed in terms of what they mean and in terms of attributes for an engineer to put into a message set it was call start message origination the number it was coming from the number it was going to if it was interrupted for a reason like a hang up if it was routed and forwarded to another call station call forwarding call termination in these various elements the location piece of that was not articulated very clearly in the statute but the compromise developed by the engineers and law enforcement after four years of fighting was essentially will include it as conditional in the standard so lots of fight about that and lots of hard feelings about that as you might imagine in the room the court ultimately upheld that and actually I think it's the right answer this what identifies a call and it's beginning and end includes the network node handling that call and I think that's a fair interpretation and nobody was willing to go to the Supreme Court on that issue okay so immediately after the passage of the standard law enforcement started coming to carriers with pen register orders and carriers started saying well there was this other provision in calia that said you may not get location solely on a pen register and so the pen register orders were rejected by the carriers and law enforcement went to the Department of Justice and ultimately they concluded that that's right there needed to be an additional authorization some other statutory provision that permitted it and so they looked in the stored communications act if you remember the second part of calia I mentioned is that the stored communications act was divided into two buckets basic subscriber and then the other information which included cell site information and law enforcement said well there there it is that's where our statutory grant comes from so we'll include the magic words of section 20703 in the pen register order so it won't be solely pursuant to a pen register it will be pursuant to these two provisions in the law the only problem is that provision is about stored records things that already exist that are historical as opposed to that we would be creating in the future and reporting in real time the structure of the law says if you have a unit if you follow a court's order you have immunity as a provider the providers were really not willing to take law enforcement on over that formulation so orders routinely would come in saying 2703 plus pen register statute equals prospective location information and it wasn't really until two years ago almost three years ago that a federal magistrate in New York finally looked at these orders and said I have a real problem with this I don't understand this prospective cell site stuff you're putting in here and it looks to me like this is really a fourth amendment search and seizure probable cause issue if you want to know where somebody's going I just don't see the authority at a statute for that how are you getting there and that opinion started a magistrates revolt across the country magistrate after magistrate has analyzed this issue now and the government's only one two of these cases and about 30 have gone against them and and here's the reasoning and I I hesitate to get too legally technical about this but I have to say on both sides of this equation it is an ipsy Dixit outcome both sides have figured out where they wanted to go both the privacy and and the law enforcement community and the fashioned arguments around statutes that personally I don't think were ever intended to cover the prospective acquisition of location information the magistrates that wanted to quash these requests for prospective information analyzed it this way they said in 1986 when Congress passed the electronic communications privacy act they amended the definition of an electronic communication to exclude information collected from a mobile tracking device now why was that why would we have a separate statute that required probable cause or the then what existed in the ordinary course was to get a probable cause warrant to track a bug that you'd attached to a car or to a box where you wanted to trace somebody going down a public highway and I'm not going to go into the case history of that but everybody is familiar with the notion of putting a bug on something and following it through GPS that's how they traditionally did it and thought about it in 1986 by excluding that from the definition of an electronic communication we did what for law enforcement we avoided them having to get a wiretap order to obtain the electronic communication because they can't intercept an electronic communication without going through very severe hoops they're very difficult to do and besides we're tracing something in the public car driving down the highway what privacy expectation can you have in the public and that was the thinking that went into this language to exclude from signaling location information derived from a mobile tracking device so the magistrates looked at that and said gee under Kalea I can't imagine how you would be able to treat tracking information as a record of an electronic communication because it's specifically outside the definition of it and so consequently 2703 doesn't apply and that's not the other authority Congress had in mind when they said you couldn't get it solely pursuant to a pen register they must have had something else in mind and what I think they had in mind was rule 41 of the criminal rules of procedure which says get a probable cause warrant if you want to track something and that's what we think you should do so those magistrates now are the vast majority of decisions the government forum shops they look for a magistrate they know is leaning their way when they want it because one magistrates decision is not binding on another magistrates decision in the in the district how do I know that well apart from case authority which says that I know that first hand because when Judge Smith in the district court in Texas issued his famous decision on this which really was the first thorough articulation of the magistrates revolt the magistrates sitting in the room next to him issued a prospective tracking order which we objected to and moved to quash and the judge in very simple terms and I won't give the name of the judge said this hearing will be short do you wish to go to jail or do you wish to implement the order easy answer I'm sitting here today and the order was implemented so you see one magistrates decision doesn't find another and we have inconsistent application of this now across the country add to that the state authorities the states likewise do surveillance Korea and the electronic communications privacy act is the floor and they can't have standards less than that but what happens when one magistrate in one state says one thing and another magistrate says another and the state disagrees with the one that is in favorable to its law enforcement which magistrate do you follow for state requests well the answer is the same whichever judge is going to put you in jail you follow their order and that's really where we are on on state law so this debate continues to rage we don't know what the outcome will be other than the fact that everybody needs certainty and so we know looking forward that legislation is on its way the Department of Justice wants to change and get a clear standard guess which standard they want they want the lower standard specific and articulable facts and at least that's independent judicial review right I mean at least that is a judge looking at the basic facts and making a decision whether it's relevant carriers privacy groups on the other side of course believe anything prospective should require a probable cost standard now it's very difficult for law enforcement to obtain this information on a probable cost standard because of the delays that are inherent in the process of getting a warrant issued and oftentimes this is critical in their investigations to get it very quickly and I appreciate that but nonetheless the privacy implications are huge and let me explain a couple of examples of where it comes in the types of orders we see on a routine basis are all individuals registered on a cell site during a 10-minute period if I'm looking for witnesses who observed a particular drug transaction or a murder or something else I ask for all of those individuals on a cell site and under today's standard it appears they can easily get that information even what is a historical record is subject to some dispute over when you can get location information because if I'm only storing it as soon as it hits the server how long does it have to be stored before it can be obtained on a lower standard and it's a cosmic equivalent of when life begins is how long storage must be and that's a really open question now what if I asked for that stored stuff every five minutes we used to call this the poor man's pen register because I go ask for call records every five minutes and and determine when those calls were made and it's the poor man's pen register same for location so do we need a standard that's a higher standard looking at historical records now when I ask and this is I won't say a common occurrence but it is an occurrence when law enforcement asks for the historical records on 15 individuals and then compares and maps those individuals on the location basis to determine their proximity to each other during a particular event you really start to develop a map if you will of of your life this way now for third party providers who are not communications providers at all what standard applies to them if they are an electronic communication service to the public they're not covered by any of this and so is that a mere subpoena for information in their hands like Google Maps now many of you may have seen last week that Google like looped a social networking application for mobility declared that when one user just determines to send their location to another user so they know where they are they treat that as content not location information a communication I'm here here I am come and find me and they will only respond to a search warrant or or a title three request in real time for that for a wiretap so service providers are pushing back on a privacy perspective and they are not generally logging this information now for civil purposes for their applications and other uses in location based services nothing prevents them from doing it and there may well be services where you'd want to know family finder for your child if you want to know they're in school and you want a record of where they've been and you as the parent decides to do that and you decide to keep the record now all of a sudden we develop a location history and then what standard do we get that under the legislation has to address that how about transparency future future legislation should articulate how many such requests are being made in my personal experience it's about a hundred a week at the major carriers a hundred a week so thousands a year requesting location there is no report on that like we get for wiretaps where we know how many wiretaps have been requested that's right and that request can include multiple individuals as well so it could be ten phones a hundred phones so the volume of requests is enormous how long must that order be implemented typically because if law enforcement's hybrid theory of the stored communications act and the pen register act combined many of them have them run the same duration so a pen register can be 60 days so location location tracking for 60 days but there is no statute that sends that says that so how long are we willing to track them at what periodicity it's one thing to say at the beginning and end of a call only but what about intermittently how about every ten minutes you know I have a great anecdote in with two minutes left I'll tell you because you can disclose location on an emergency basis when life or limb as at risk without legal process it shouldn't be surprising that law enforcement has gained that system and they know in emergency cases that if they call up and say someone's at risk somebody's going to die no carrier is going to withhold that information we do it all the time and it's the right thing to do because carriers are not in the position of second-guessing but if we had reporting on those requests and oversight of those requests we'd know which ones were and were not legitimate an incoming request for location on a missing child a teenager a teenage girl and they demand that the phone be paying every 15 minutes that takes a person to sit there and manually ping a phone every 15 minutes that request went on for 24 hours that's a lot of pings when the carrier complained about that the law enforcement agent did the typical thing and this was a state agency you're going to jail if you're not doing it we say the phone is off when the phone comes back on will tell you no ping it every 15 minutes it turns out as we found out after complaining about this it was the sheriff's daughter who didn't come home from a date how subject to abuse is this right and without any oversight without any reporting without any sunshine we have absolutely no way as a public of knowing whether or not these requests are legitimate now for every one of those there are 20 legitimate requests so obviously in kidnappings in child lost children everybody remembers probably the family that died in in Oregon in the mountains the husband survived with his cell phone as he was climbing out but the family died in their car and in a snowstorm and couldn't get out you know to be able to save at least one life it's a it's obviously a great service that carriers provide but it is also subject to abuse without appropriate safeguards and lastly there's a target versus associate problem that has to be solved it's one thing to say I have an interest in you as the target the subject of surveillance to know where you are but what about all the people that that target talks to it's very current today to get the community of interest records of everybody the target talks to and that may be an appropriate step for investigation to understand who's involved but now they routinely include location requests as well so that's a very burdensome thing to do and it's questionable how you could ever know even on the specific and articulables fact standard that somebody in the future that somebody might call is relevant to an investigation so the standard doesn't quite meet the practice today that needs to be fixed in any legislation and lastly I'll just say two things that apply both in criminal and civil if the service provider is offering these location based services can civil parties track somebody who's using the service now I had an order recently from a state court you'll you'll love it it's a hilarious case where the you can be a private attorney general in essence when you're looking for counterfeit goods the statutes permit you to go after somebody and exercise much of the same authority that law enforcement can have in making a requesting information on an expedited basis and the creative lawyer asked us because a cell phone was found on the on the premises of a seized cargo container that contained yes counterfeit condoms which I suppose could be a public emergency to track that phone and all the phone numbers that were obtained related to who called it now we refuse because we still think that's tracking electronic surveillance that would only the government could do but we don't have a law that precisely states that so who's taken up that bail bondsman we get requests all the time for bail bondsman to track individuals guess what family law court it's very kind my husband stole my kid didn't have the kid back on time whereas where are they now I want the sheriff to go get them in some states are looking for mandatory disclosure of location information and emergency situations which may well include a child who wasn't brought back on time from a shared parental oversight so you know the risk is enormous that location information will be abused misused both in civil and in business and in criminal cases and as far from clear what Congress will do with this hot potato when it lands in their lap but we do know it's coming and it is going to be there the courts the development of this law through the courts is very inefficient and and it makes very little sense for one user in a state to have their privacy safeguarded at a higher standard and another user not and indeed the same user perhaps subject to two inconsistent standards depending on which magistrate signed which order and so your location may be provided on a lower standard on one wiretap and higher standard on another so with with that I'd like to open it up to questions and explain anything I've said I know that's a lot of information at a short period of time but I hope it made some sense questions yes in the difference between sort of specific individual information which you were talking about here and aggregate information so you mentioned in passing departments of transportation for instance wanting essentially a wide swath of information so they can essentially determine the flow of traffic what are the sort of privacy implications associated with that if a telco for instance is doing a high degree of anonymizing what are the concerns there and are there parties other than government parties who could request access for that information how would how would you want to see that handle yeah great question and for wireless carriers we drafted and published last spring a set of location based services guidelines you can find them on CTIA's website which explains the standards that wireless carriers all signed up to for third parties to get access to individualized and aggregate location information basically carriers want the customer's consent to disclose location and you know that raises an interesting question because who's the customer many people buy five phones for their family and there's one customer and five users can the parent consent to track their child sure can the husband provide the service to their wife and watch where she's going surreptitiously interesting unclear but the customer must consent to it for aggregate information the carriers historically because of the telecommunications act actually treats location information derived from a telephone call to be something called CP&I or customer proprietary network information under 47 USC 222 it requires the express consent of the user to disclose except if you wish to make it into aggregate information you may do so without that consent so carriers develop security procedures to anonymize that information and then make it available to service providers like departments of transportation or third-party aggregators to develop application so a mobile advertising application could be based on all individuals registered on a particular cell tower at a time where you wouldn't know who those individuals were but you could broadcast an amber alert for example to everybody that would be the use of also that get information because non-carriers are not covered by that same prohibition in section 222 there are no standards that apply to them for the creation of aggregate information or the use of individualized information so the Google Maps location server could be licensed to third parties for their applications now all of those providers like Google recognize the extreme privacy sensitivity of it and therefore want consent and clear guidelines on the use of that information that's a self-regulatory imposed regime should it be a legal standard very good question because the profiles created by these services ultimately are extremely revealing and in sensitive because we are getting close to the degree of accuracy that is much more granular than a particular cell tower survey you which can cover seven miles in some rural areas we're talking about for 9-1-1 services and x y z x s what floor in the building are you on so if we're going to be that close and we'll be able to put you on the steps of an age treatment center or a mosque we probably wish should have a better standard on the use of that kind of granular information yes I guess sort of a follow-up the CP and I right now is a little couple about this yesterday with Verizon it defaults to the user gives permission and this is even though I'm sure the carriers are following the letter of the law nobody knows about that it's buried on the page you have to know what you're looking for they send out a little legalistic form it's a default it's a it's a default that is rarely going to be what do you think about that shouldn't we flip that yeah a poor journalism is what I think about it the the rules are actually much more restrictive than the article explained or or people understood the opt-out notice to cover so essentially for basic CP and I your calling records the carrier can use it for its own marketing purposes its own marketing purposes but in order to share it with the third party it requires opt-in consent of the user the opt-out consent that you get is is for their use of it for their own marketing purposes to tell you about their latest new feature or phone not to give it to an airline to market frequent flyer services to you or to give it to an advertising company for their purposes legal definition of since they can share it with their parent or affiliates what's the legal definition of affiliate here how protected are we from them saying that some offender is affiliate that that's correct so they can share it in the family so Verizon could give it to long distance and it's it's whoever you own or control and of course telcos don't own or control marketing companies for example or billing companies at least currently so within the family of companies all the and I don't represent Verizon just as a disclaimer here within the family of companies a carrier can share information for marketing and you have the option to opt out of receiving a notice from Verizon long distance or their file service or broadband service for example but they can't give it to an independent contractor and they can't for marketing purposes or a vendor for that purpose and in CP and I has a higher standard for location so in any event that notice does not cover location which requires your express opt-in to use I'm sorry I'm sorry I just want to just because this is incredibly good opportunity and so I want to push the language at least the language that is given to me or end users is it's for parent companies or affiliates what is is there a legal definition of affiliate what is sure the federal communications commissions rules contain a definition of affiliate that is a entity which you own or control an ownership or control is a you know a legal concept of you know 51% ownership or stock control and it's kind of a historical definition so it's within the family of companies that are commonly owned or controlled so that would exclude independent contractors vendors third parties that are not within the family of ownership and you know Verizon obviously would do better to say all of the Verizon companies instead of to use the legal term and those companies because carriers are independently incorporated in individualized states that's what they're getting at so Verizon of New Mexico could obtain and use the CP and I from Verizon wireless to offer you local service to offer you local broadband service that would be permitted. Thank you. Makes sense. Yep. You too, ladies. Some of the technical aspects and also the privacy laws. So I think you mentioned if I'm not mistaken that a consortium was put together a while back of technical individuals from some of the companies to help develop the standards because this area technically is constantly evolving is there that consortium of technical advisors has that remained current and is it still actively advising? Yeah, great question. So the industry standard was developed under TIA, the Telecommunications Industry Association, and they produce joint standard 25, which was the basic core cellular and wireline standard. They had to meet again to do joint standard 25 a which added what we described as the punch list features after the court in 2000 determined law enforcement was entitled to a couple more things. We put those in. We reconvened to do joint standard 25 B to address packet boat communications when the FCC extended Kalea to broadband internet access. So it isn't a standing committee in the sense that they meet regularly to look at network evolution, but rather based on new legal requirements that come out, they do meet and address those. The packet mode communications standard had a particularly sorted history. That standard has been challenged by law enforcement as insufficient to meet their needs and currently is pending before the FCC for decision. It's been there for three years. So presently we have no packet mode interception standard in place. Essentially the carriers wanted to only provide information about the user at the beginning and end of a session. Law enforcement wanted everything in between. So that's the gulf that separates the industry and law enforcement today. The downside of that is nothing prevents law enforcement in the meantime from bringing their equipment into the premises to do their interception work. And that's the problem for many carriers. Federal regulations are the California regulations and it's kind of a growing area where people are advising as well. Have you been involved in that and do you have any comments? On mass privacy laws? Yeah, Massachusetts. Oh, yeah, the data. Yeah, I love I love how one state basically ratchets up, you know, but but obviously it only applies if you have Massachusetts residents in your database, right? So do companies. Although it's so difficult to know if you have Massachusetts representatives in your databases that it's been found that for all practical purposes, it can almost apply to everybody in the United States. And also because of ways you interpret where that data is stored and who owns it. It may not be mass residents, but if you're using EMC storage devices that might be located in Holliston, are you covered by mass data privacy laws? It can be interpreted to almost mean everyone in the world. Yeah, and and of course, it's not limited to a telco or service provider is limited to anybody. It's not limited to anybody that stores the data on a mass resident. You know, it's a lot like the European privacy directive. One can pronounce all they want. But if they don't have jurisdiction over you at the end of the day, if you're not doing business in that state, if they don't have enforcement over you, then it's an interesting pronouncement that in practice will be compartmentalized and routed around as opposed to implement it. I think that there's a lot of reaction to it, which is why it keeps getting delayed time and again, and revised time and again. The principles of it are pretty good, right? I mean, if we had better security and encryption standards and the like, we'd all have more privacy. But I seriously doubt that Massachusetts will be the rule at the end of the day, unlike California, which really set the standard for security breach notice that now is in, you know, 44 states. And, you know, the base basis of discussion for federal law on it. Yes. You can say something about how the how user perceptions of privacy might affect this in the future. So for example, as more and more people elect to have their location, you know, recognized by by Google or looped or any of these other location aware social systems, those their perceptions of or rather their expectations of privacy, of course, are different at their as a personally disclosing this stuff. And I think about something like, you know, Gmail that where somehow it's okay that that that that Google would sort of parse our our content. And as you say, location is content, which I think is very interesting, that Google would parse our content and then deliver us advertising. Well, of course, that's a business model for things like latitude and loop eventually that sort of minority report model of of the world that that back, you know, our location will determine how we're being advertised to so so at what point does and I know that those are third parties, but at what point do those expectations now interact with what you're talking about? Yeah, it's a great question. And have a personal view and then in a legal view as well. In a case called US V warship, W. A. R. S. C. H. A. K. That is in the fifth, sixth circuit Court of Appeals. The government argued that the Fourth Amendment doesn't apply to users who've agreed in the terms and conditions and privacy policy of online sites to the review, access and use of their personal information for advertising and other purposes. And so if there is no reasonable expectation of privacy and what everybody else is looking at. And if I give it to Gmail or somebody else to insert advertising, then what the heck? How can you complain that it and say that the Constitution protects me when I'm letting a machine or some other person look at it? The judge dismissed that notion in the District Court opinion and said, this doesn't apply to mechanical insertion of ads review mechanically for spam and viruses. But you know, intellectually, it's really hard to make that argument, I think. So where the Fourth Amendment might not apply, and you may lose a reasonable expectation of privacy because you are the equivalent of a digital skin flint and think everything belongs on Facebook, or anyone can look at stuff to give you that free service and return for serving ads to you. That doesn't mean as a matter of policy that the law should have a lower standard. And the Stored Communications Act and the Electronic Communications Act are intended to fill voids in the Fourth Amendment and to produce a policy decision on what standard the government should follow to get access. So even though I'm willing to let you look at it, or I have like, you know, my son 800 friends on Facebook, that doesn't mean I'm willing to let the government look at it, or I should be able to let them have access to it on a mere subpoena without judicial oversight. Should it be probable cause is the question. And that's the question I think that will consume Congress in the coming session for all of these sorts of network social networks. As everything moves wireless, we've added mobility as an attribute that is much more revealing even than the content itself. And we have yet to address from a legal standpoint, I think holistically, which standard should apply to that. And I go back to what I said at the outset, I think there are really three categories here. The historical, although even that is subject to privacy and intrusiveness and concerns. The real time, where am I right now? And then the prospective, which is, you know, where am I going over a period of time? And it may turn out that there are three different standards that are appropriate for those circumstances. But as I said, you know, the government is very good at heuristics. They look at the historical record and determine where you're going from that next time. Who else is good at heuristics? Insurance companies. If I know the route you take every day, going to work in your car, maybe I give you a cheaper rate. Do we want redlining based on your location profile? Do we want the insurance company to require you to disclose your location in order to make determinations on what rate is appropriate to you? We have a whole raft of these issues ahead of us that we've only just now started to really think through. And I'm not sure where we're going to end up with that one. I just want to get the simplest pieces of this clear in my mind. So a pen register is a record of the numbers I dialed. In real time, dialing or signaling in real time. And that's easy to get if somebody just asks, we want the pen register of what this guy dialed. It turns out to be easier. And then in terms of locating, if somebody wants to know exactly where this is, do they triangulate it from three cell towers or is it a GPS? How do they know I'm a 23 Everett Street? There are multiple ways and it depends on the carrier. Some carriers have built tools to ping a phone based solely on triangulation within their network, because this is a radio. It's just sending out a signal and it's registering on every tower. The tower picks the strongest signal to carry the call, but all the towers still know where you are. So by simply analyzing the time of delivery of the signal, I can triangulate your precise performance. Some carriers have built that in. Others have not and can only tell law enforcement where the tower is and which face of the tower it's on. So I can look at a quarter of a circle and know you're in that direction. GPS is very different and as long as I have a clear signal, I can triangulate because GPS is based on the same concept. Three satellites visible at any time, measuring the time of delivery of the signal between the three. So there also is a hybrid called Network Assisted GPS where I take both the GPS signal and the network signal and mash them up to come out with. So that's how they determine it. So there are two different ways to do triangulation. Satellite triangulation and cell tower triangulation. And this has to have a GPS enabled before they can do the former. Correct. I'm a big fan of the wire and I know that maybe some other people in this room are fan at our show. I don't follow the advice of the drug dealers in that show, but I'm intrigued by the use of what we would, I guess, call operational security by these very intelligent drug dealers. And one of the techniques that the characters in the show use is what they call burners, which are prepaid cell phones that they don't actually ever refill. They buy a $30 phone at 711, use it for a couple of days and then throw it away. And I'm wondering if you can speak just for a couple minutes on how this shift to essentially disposable phones purchased in cash has changed what normally would be the status quo, maybe made life easier or maybe made life more difficult. And particularly I guess one thing I want to focus in on is the fact that, you know, no matter if you change your phone every week, if you're still calling your mom on her fixed line phone, you're linkable. That's the community of interest. So long as they know you're calling your mom and are able to get a wire tap up quickly. Remember, you may not know this, but the wire tap law has something called a roving wire tap, which allows the government to dispense with the ordinary procedures when they know the individual is trying to evade surveillance. So it used to be set up for purposes of phone booths where you could rapidly go and get an order on a new phone booth and the carrier would have to put it up. Now it's being used for disposable cell phones because, you know, obviously they walk in by a new one and then you need the number. The UK has just prosecuted or intended to prosecute, as I understand it, somebody who failed to register their prepaid cell phone. So in the UK they have a requirement that if you buy prepaid you still have to register that phone so they know who you are. You know, there are probably a million Mickey mouses in the UK right now using that registration service. Not too hard to have a fake ID to do that besides, but anyway it's its law enforcement's attempt to solve a problem, which is a very serious problem for them. But prepaid does not mean non-wire tapable. There still is a vendor. That vendor still has a platform. That platform still records the dialing and signaling in order to complete the call. So if I have the information someplace I can get that information. A wireless phone still must register on a network. That network still must be paid for that call. And so there is a means to debit that prepaid account. So the only issue is whether it's rapid enough to capture it in real time and get the carriers assistance to do it. And actually prepaid has not been as big a problem as wired in 24 and some of those other shows would lead you to believe. Which is good because we want the criminals to think that they're more secure. It's the good guys we don't want to. So that's actually where my question is going to go and it's going to take you out of your comfort zone because my work is mostly with human rights activists and repressive nations. So it's routine for me to go into a meeting with someone in Cairo and we will all then disassemble our cell phones and depending on your level of paranoia that can be the SIM card in the battery or I've seen people go even further than that. My question is basically this. When we had the debate in the U.S. of a clipper all these years ago one of the more compelling arguments I thought came from Patrick Ball, a major human rights and technology advocate who said I don't care how much we trust the U.S. government I don't care how many safeguards we have in place we're going to build these backdoors into telecoms equipment that equipment is going to get exported around the world and it's going to go to governments where we know those safeguards aren't in place. And so even if we have a really terrific functional kiosk ecosystem you bring it into Zimbabwe and that's just not going to happen it's simply the backdoor that lets us in. Is that getting discussed at all at the standards level associated with this? When we're building these standards we have a tendency to export them whether we wish to or not. We're exporting them into extremely different legal environments. What are the implications of that and is that being discussed at all at the standard setting? Yeah I mean the standards are developed by manufacturers who distribute their equipment to multiple markets and the standards comply with whatever the local law demands are. They try not to build for 270 countries they would prefer to build for one country one nation one globe but inevitably there are additional requirements that are baked in for depending on you know whether you're selling into China or whether you're selling into someplace else but but you know also don't forget repressive regimes control the access points and so I don't really need the manufacturer to do anything if everything going in and out of a country floats through the pipe that I own and you know of course that's how we deal with places you know that's how you know China and other places deal with with those problems as well so you know I think you could have standards all you want on it the access ports are the big issue and that's not really true I mean it's particularly untrue in the China case right I mean if you actually were to monitor all internet traffic coming in and out of China there's simply no equipment that's capable of doing it at that point the great firewall based on the research we've been doing for five years here is now mostly at a provider level which is to say either at the ISP level or even more than that at the publishing platform level so the actual technology has enormous implications and what that ISP for instance is capable of doing has enormous implications yeah I don't agree with you there I think that that you're you're right that the path of least resistance is often followed by the service provider wishing to enter that market in order to get permission to enter they will sometimes block IP addresses have takedown requirements but look that's the criminal law of that country if I can't say anything bad about the the head of India's government or the head of Turkey's government and if I do say something bad I'm going to go to jail and if I host that I'm going to go to jail well service providers aren't going to host the illegal thing even if it's Nazi memorabilia right so so you end up with compromises made by service providers but the ultimate firewall is the access port at the end of the day because I could simply turn it off and everything in between is a compromise which lets something in or something out and it's really not the standards that are getting there I will say this however and and I think inevitably the internet from a technological point of view is breaking down based on volume and and the quality control means of solving that problem are manufacturers building in quality of service capabilities to their equipment which has the effect of doing what you know regulating traffic ports applications just follow the Comcast issue with regulating peer-to-peer communications and and you'll see so even though those standards are not intended for surveillance they have the practical application of being able to identify and isolate on a protocol level certain communications and so by default I'm creating a system for the internet which is going to make surveillance and or firewalling a lot easier yes you thought where are we on a global government on commerce which will address all of this because it all is interconnected and right now enforceable global court the international criminal court and the discussions are happening quietly but I don't see the talcum stepping into this today and I haven't heard you address consequences for government police any security authority that might be implemented for misuse so the criminal let me do it in reverse order the criminal law is the criminal law whether a agent improperly wiretaps or a civilian improperly wiretaps all of you may have enjoyed the private investigator to the stars calicano going to jail for illegally wiretapping he had an accomplice in a inside of companies that helped him illegally wiretap who likewise goes to jail the same applies to law enforcement agents there was a a sheriff recently that was sentenced to two years in prison for illegally wiretapping we've had DEA agents two in particular in new york sent to federal prison for illegally using subpoenas to get call records I'll say this absolutely about while the government investigators are zealots and want to solve their case they are very sensitive to following the law I've regularly had them say to me I don't want that because I'm not authorized to get it and not all carriers or ISPs are particularly educated about what they can and can't do there are 3,500 cell phone companies no I mean you don't realize that but there's tons of them there are the equivalent number of ISPs in this country they don't have a skilled staff in dealing with this or for legal review the inspector general's report for national securities letters revealed that some ISPs were giving content out on administrative subpoenas they were giving email out when all they were asking for were the subscribers name and address so you know over collection can occur but but generally speaking investigators are very good at following the law and I don't think we have a lot of effort on their part to go around it now you can argue that's different for the warrantless surveillance program and all of that issue we could have a whole second debate about that one here but I think you know generally speaking of the enforcement and following the law pretty good and and approving wiretaps by the way you know we only do about under 2000 authorized wiretaps a year in this country compare that to Italy I have a friend there who once laughed that his third divorce occurred because somebody wiretapped him as the chief of police in Rome and his wife found out about it 360 000 a year so compare us to Italy to Germany hundreds of thousands I mean the U.S. is actually punctilious about approving wiretaps and I commend the Department of Justice for the process they follow there on a global basis however all of the discussion is about something different than wiretapping because state security is carved out of international treaties we don't turn our investigative needs over to global institutions we do however work with countries on cross-border evidence gathering and have and this is where a very interesting debate is occurring globally right now we have the convention on cyber crime which requires those signatory countries to cooperate to deal with cross-border evidence gathering in computers and databases stored in the U.S. now if I provide gmail services or a social networking platform that's accessible by users in greece this is a little bit to your massachusetts example and I have 20 million users in greece and the greek government says you know there are or better still the brazilian government where this is is is absolutely true most of your users are pedophiles and skinheads so we want that information and all of their email that goes with it but my database is in the U.S. and under the stored communications act I can't disclose content to foreign law enforcement I can give it to my government if they come to me but now being a skinhead in brazil is not a crime in the U.S. so I don't have a predicate in order to disclose that information in emergency cases like the Mumbai bombing our government works with their government to get emergency disclosure of content and call identifying and communications identifying information they work collaboratively in emergencies like that to address those issues but for the routine criminal activity in a foreign country we don't have a very good mechanism and so what do they do they arrest the executives in the country you know they beat on them to attempt to get the company to disclose it and the companies are always walking a very fine line on how to do that we have mutual legal assistance treaties which we refer them to and we get assistance from the Department of Justice to work with the local law enforcement to do it but you know the best thing in the world for the future political career of a district attorney in an area in brazil is to do what prosecute google you know take take up the cudgels of of the rights of the people and you know this is around the world and in it's every service provider that has a globally accessible business and that's a big issue on the horizon we don't have a good answer to right now we have time for one more question and i'm gonna give that to my boss rob good choice good choice Chris thanks um i i haven't thought in such stark terms of the difference before today of asking for the record of an individual versus asking for the record of all the individuals in a given area there was a uh a recent uh example i can see the food riots in egypt where it was the disclosure recently the vodafone had turned over the information on on who was present here what are the legal standards uh for asking for information on people who are attending an event versus uh getting getting information on an individual are there are they pretty well the bind where they up in the air and up for grabs this just seems to be an area very very vulnerable to abuse i had a police chief in a small community in michigan uh say that there was a protest that the expected was going to be violent and he wanted the location on all of the phones so that they could prepare to defend against the inevitable riot with the civil rights march uh you know obviously the abuse is enormous uh what's the standard uh your guess is as good as mine because it's not clear let me give you a couple of very specific examples um the the law separates uh remote computing services into what there's a category called the remote computing service and so if i store my documents online put my photos online then the government can get access to that under certain conditions now they're actually very low standards to do that but they can get access to that for me as a subscriber to that service but what is uh youtube is it a remote computing service i mean vis-a-vis the person that posted it certainly what about vis-a-vis the person that watched it if i get a request for every person that viewed a particular video that happened to be an arabic that happened to have an al-qaeda symbol in the background which many do which senator lee bimmerin took umbridge at uh what's the standard to get that all persons registered on a cell site what's the standard to get that all persons that viewed a particular website the content of it when somebody asked uh when law enforcement asked in a case in wisconsin for all of the people who bought a particular book amazon.com moved to quash that and on first amendment grounds the district court agreed that that would reveal too much in order for them to go fish essentially in order to develop witnesses for their defrauding scheme that they were looking for relative to that particular book uh the standards are absolutely unclear and we as a people now rely on service providers to make those objections in the first instance because it's not even clear you would have standing to object to that request in many states the individual um record holder doesn't have standing to object to a third party subpoena new jersey for example so who can object well the carrier objects on what grounds it burdens something and that's really basically where we are today if not for the service providers and that information would go and i i have to say that most service providers are very concerned because their business rests on your comfort level with their protection of your privacy you won't use it if you're not safe and so most of them stand up like google did to the department of justice subpoena for search and i think that's a great thing but not it's not uniform and it's not a uniform reaction in the standards just are not clear uh they should be