GPS Tracking, USA

Sunday 25 November 2012

The tools once reserved for intelligence operatives have become increasingly cheap and available in recent years, and perhaps no one has benefited from this more than private investigators who make their money by monitoring suspected cheaters. No longer do they have to sit outside a seedy motel for hours, trying to take pictures of a philandering husband and his mistress entering a room together. They need only attach a GPS device to the suspected adulterer’s car, and the client’s suspicions can be confirmed.

In a landmark ruling in January, the US Supreme Court held that law enforcement use of GPS trackers to monitor movements constitutes a “search.” That means the technology falls under the Fourth Amendment’s protections against unreasonable searches and seizures, making it difficult for police to put a tracker on a car without first obtaining a warrant. But for private individuals, laws around the use of GPS trackers remain patchy, differing state to state.

Take California, Texas, Virginia, and Minnesota. These states allow private individuals to use tracking devices where the owner of a vehicle consents to it being monitored. Where there is no consent, it is considered a misdemeanor that can result in a fine and a jail sentence of six to 12 months. If a vehicle is jointly owned — say, by a husband and wife — and one owner wants to secretly track the other, it’s a murky area that’s as ethically dubious as it is legally contentious. However, that isn’t stopping private investigators — some of whom appear willing to track any vehicle regardless of its ownership.

In a bid to find out whether private eyes are adhering to the law, earlier this month I decided to dabble in a bit of undercover investigating of my own. Posing as a suspicious wife and using a fake email address, I wrote to a number of PIs in the states with the strictest laws on the use of GPS surveillance trackers. Those I randomly selected were all advertising a GPS service openly on their websites, and I emailed to request a quote for how much it would cost to “GPS monitor movements of my husband's car” over a two-week period.

Of the 20 investigators I contacted, 16 replied, and only one declined to offer me some sort of GPS tracking, citing legal concerns. The majority of the PIs said they would do it on the condition that my name was on the title of the car, with some offering to provide a DVD of its movements and others offering “real-time” surveillance of the vehicle for me to watch live via cellphone or computer.

Two separate investigators in California I approached expressed no immediate concern for the state’s GPS tracking law, which unequivocally outlaws tracking a car without the consent of its owner. Still using the fake name and email address, I asked whether the investigators would be willing and able to monitor more than one vehicle at a time. “There is another person who I believe is involved with my husband and it would be useful for me to check her car's movements at the same time as my husband's,” I wrote.

The response from Irvine, Calif.-based Hudson Investigations was a straight yes. “I could do it for $1200 including install and removal,” company boss Rick Hudson, a former Orange County police officer, told me. I received a similarly affirmative answer from Western Investigations, a firm headquartered near San Diego that claims on its website to be one of the most experienced PI agencies in California. “You are looking at a total of $1,800 for 2 vehicles for 2 weeks of the tracking,” Western Investigations’ general manager wrote. “We will give you access to monitor it yourself during the entire course of the investigation. And if you would like a location history report at the conclusion of the investigation, we can do so as well.”

When I subsequently contacted Western Investigations under my real name about this story, I asked whether it was aware the service I requested is classified as a misdemeanor under California’s penal code. “If I gave you the wrong impression then I was mistaken,” the GM wrote back in an email, insisting that the company would not install a tracking device without the consent of the registered owner. Western Investigations’ owner Patrick Schneemann then told me in a separate message, “I can assure you that our company policy is that we do not use GPS in our investigations unless we have consent from the owner of the vehicle.”

Rick Hudson at Hudson Investigations said he was sure he had mentioned the legal constraints in his emails (he didn’t) and said that he wouldn’t put a tracker on any vehicle without signing a GPS agreement with the customer that says that they have the authorisation. Hudson added that he gets “so many calls regarding these tracking units that it's crazy.”

Other PI companies were reluctant to directly help me track the vehicles but instead offered to sell or rent me GPS tracking equipment. This would mean any unlawful use of the tracker would be on my shoulders and not those of a PI. In one instance, even after I informed Texas-based LP Dynamics that I was looking to track two vehicles, one of which had no ownership connection to me, I was offered "2 passive GPS units" for $125 each. A company representative emailed: "Just place on a vehicle, remove when you want and download to your computer to see where they have been." When I later contacted the company for this story, CEO Michael Morrison emailed that "we are a licensed private investigation corporation and not an attorney." Morrison rightly stated that LP Dynamics follows Texas law "to the letter" because the penal code covers only the installation of tracking systems but not the sale of the devices. This could be considered something of a legal loophole.

The solitary exception was California-based Orange Investigations, run by former military policeman Ryan Garrahy. Of the 16 that responded to me, Garrahy was the only PI to completely stonewall my request. Orange Investigations has previously provided GPS tracking for its clients, but Garrahy said he has stopped doing so “at this particular time” because of concerns about a possible rise in civil suits linked to the Supreme Court decision in January.

*****

Overall, the impression I got was that it was not difficult to find companies willing to help me track any vehicle, which could potentially result in a misdemeanor being committed. Even the investigators who were more cautious, telling me that they would only track a vehicle I had an “ownership interest” in, were on shaky ground. Though a case in Minnesota last year ruled that it was acceptable to use a GPS tracker on your spouse if you co-own the car, there is far from a legal consensus on the matter in other states.

Austin, Texas-based criminal lawyer Ian Inglis told me he thought that the Texas statute on tracking wasn’t constructed with joint ownership in mind. “Even if there’s no criminal liability, there could be some civil liability, and it might look bad in a divorce, too,” Inglis said. “Whether it’s your husband or wife, it’s a bad idea to track anybody’s car without their permission.”

In California, similarly, it’s a gray area. Hanni Fakhoury, staff attorney at the Electronic Frontier Foundation, said he wasn’t aware of any statutory California law that addressed the joint ownership question. Fakhoury referred to Georgia v. Randolph, a Supreme Court case where it was ruled that there needed to be joint agreement for the lawful search of a jointly owned property. According to Fakhoury, the joint consent deemed necessary in Randolph is consistent with other California law and so could feasibly apply to the use of trackers on a jointly owned vehicle. (Californian wiretap law, for instance, requires both parties to a conversation to consent to having the conversation recorded — unlike federal wiretap law, which only requires one party to consent.)

Contentious legal issues aside, what’s clear is that the use of GPS tracking devices is very far from being under control. While law enforcement agencies are now bound to consider the trackers as covered by the Fourth Amendment, in the private domain there’s a lack of clarity when it comes to the regulation. Where there are laws, in some cases they are being ignored, and where there is any ambiguity, it is being exploited — often by individuals who stand to make a profit.

As is frequently the case in the realm of surveillance, the technology is out of step with the law. High-tech tracking tools that would a decade ago have rarely been used outside police and military circles are available today to anyone with a credit card and access to the Internet. The technology is continuing to advance and is simultaneously becoming cheaper. And that’s not going to change any time soon.

SpyBase, a surveillance gadgets retailer based out of Torrance, Calif., has seen in recent years a rapid increase in sales of GPS trackers, a trend that’s continuing. The store’s owner, who didn’t want to be named, told me GPS trackers were his “best-sellers,” and that a sophisticated $299 real-time tracker called the PTX 5 was his customers’ favorite.

“PIs, police, private citizens,” he said. “It’s a very big market.”

This article first appeared at Slate.

Counter Surveillance

Friday 2 November 2012

Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project — a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it.

After more than two years of preparation, last month the finished product hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications — text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user — a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

Silent Circle began as an idea Janke had after spending 12 years working for the US military and later as a security contractor. When traveling overseas, he realised that there was no easy-to-use, trustworthy encrypted communications provider available to keep in touch with family back home. Cellphone calls, text messages, and emails sent over the likes of Hotmail and Gmail can just be “pulled right out of the air,” according to Janke, and he didn’t think the few commercial services offering encryption — like Skype and Hushmail — were secure enough. He was also made uneasy by reports about increased government snooping on communications. “It offended what I thought were my God-given rights — to be able to have a free conversation,” Janke says. “And so I began on this quest to find something to solve it.”

Janke assembled what he calls an “all-star team”: Phil Zimmermann, a recent inductee to the Internet’s Hall of Fame, who in 1991 invented PGP encryption, still considered the standard for email security. Jon Callas, the man behind Apple’s whole-disk encryption (which is used to secure hard drives in Macs across the world), became Silent Circle’s chief technology officer. Other employees were top engineers and ex-special-forces communications experts based in England, Latvia, and Germany. Together, they designed their own software, created a new encryption protocol called SCimp, registered their company offshore and outside US jurisdiction, then built up their own network in Canada. (They eventually plan to expand to Switzerland and Hong Kong.)

Though many encryption options already exist, they are often difficult to use, which is a barrier for those without the skills, patience, or time to learn. Silent Circle helps remove these hurdles. As a result, organisations that have a real need for secure communications but have maybe not understood how to implement them are coming forward and expressing interest in Silent Circle.

Janke says he’s already sold the technology worldwide to nine news outlets, presumably keen to help protect their journalists’ and sources’ safety through encryption. (ProPublica, for one, confirmed it’s had “preliminary discussions” with Silent Circle.) A major multinational company has already ordered 18,000 subscriptions for its staff, and a couple of A-list actors, including one Oscar winner, have been testing the beta version. The basic secure phone service plan will cost $20 a month per person, though Janke says a number of human rights groups and NGOs will be provided with the service for free.

The company has also attracted attention from 23 special operations units, intelligence agencies, and law enforcement departments in nine countries that are interested in using Silent Circle to protect the communications of their own employees — particularly on the personal devices that they use at home or bring to work. Some of these same agencies, perhaps unsurprisingly, have contacted Janke and his team with concerns about how the technology might be used by bad guys. Because Silent Circle is available to just about anyone, Janke accepts there is a real risk that a minority of users could abuse it for criminal purposes. But he argues you could say the same thing about baseball bats and says if the company is ever made aware someone is using the application for “bad illegal things” — he cites an example of a terrorist plotting a bomb attack — it reserves the right to shut off that person’s service and will do so “in seven seconds.”

The very features that make Silent Circle so valuable from a civil liberties and privacy standpoint make law enforcement nervous. Telecom firms in the United States, for instance, have been handing over huge troves of data to authorities under a blanket of secrecy and with very little oversight. Silent Circle is attempting to counter this culture by limiting the data it retains in the first place. It will store only the email address, 10-digit Silent Circle phone number, username, and password of each customer. It won’t retain metadata (such as times and dates calls are made using Silent Circle). Its IP server logs showing who is visiting the Silent Circle website are currently held for seven days, which Janke says the company plans to reduce to just 24 hours once the system is running smoothly.

Almost every base seems to have been covered. Biannually, the company will publish requests it gets from law enforcement in transparency reports, detailing the country of origin and the number of people the request encompassed. And any payment a person makes to Silent Circle will be processed through third-party provider Stripe, so even if authorities could get access to payment records, Janke says, “that in no way gives them access to the data, voice, and video the customer is sending-receiving ... nor does it tie the two together.” If authorities wanted to intercept the communications of a person using Silent Circle, it is likely they’d have to resort to deploying Trojan-style tools — infecting targeted devices with spyware to covertly record communications before they become encrypted.

Among security geeks and privacy advocates, however, there is still far from a consensus on how secure Silent Circle actually is. Nadim Kobeissi, a Montreal-based security researcher and developer, took to his blog last month to pre-emptively accuse the company of “damaging the state of the cryptography community.” Kobeissi’s criticism was rooted in an assumption that Silent Circle would not be open source, a cornerstone of encrypted communication tools because it allows people to independently audit coding and make their own assessments of its safety (and to check for secret government backdoors). Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

When I asked Janke about this, he said he recognised the importance of the open-source principle. He says the company, contrary to Kobeissi’s assertion, will be using a noncommercial open-source license, which will allow developers to “do their own builds” of Silent Circle. “We will put it all out there for scrutiny, inspection, and audit by anyone and everyone,” he added.

Another factor is that a number of countries are pushing for new surveillance laws that will force many communications providers to build in backdoors for wiretapping. The Silent Circle team has been following these developments closely, and it seems to have played into the decision to register offshore and locate its multimillion-dollar network outside US jurisdiction. Janke says he has consulted with Canada’s privacy commissioners and understands that the new effort to upgrade surveillance capabilities in Canada will not affect the company because its technology is encrypted peer-to-peer (making it technically incapable of facilitating a wiretap request even if it receives one).

But what if, one day down the line, things change and Canada or another country where Silent Circle has servers tries to force them to build in a secret backdoor for spying? Janke has already thought about that — and his answer sums up the maverick ethos of his company.

“We won’t be held hostage,” he says, without a quiver of hesitation. “All of us would rather shut Silent Circle down than ever allow a backdoor or be bullied into an ‘or else’ position.”

In an age of ever-increasing surveillance, it’s a gutsy stance to take. Perhaps Big Brother has finally met its match.

This article first appeared at Slate.