Habeas Data: Privacy Vs. the Rise of Surveillance Tech, With Cyrus Faviar

Habeas Data: Privacy Vs. the Rise of Surveillance Tech, With Cyrus Faviar

NBC News investigative tech reporter Cyrus Farivar and Author of "Habeas Data: Privacy Vs. the Rise of Surveillance Tech. The book explores the tools of surveillance that exist today, how they work, and what the implications are for the future of privacy.

Episode Table of Contents

  • [03:18] The Advantage of License Plate Readers 
  • [10:01] 215 Metadata Program
  • [15:07] Choosing Between Convenience and Privacy
  • [18:44] Keeping Your Imprints
  • [25:37] The U.S. Privacy and Civil Liberties Oversight Board
  • About Our Guest

Habeas Data: Privacy vs. the Rise of Surveillance Tech

Carolyn: Today, we're here talking about privacy with NBC investigative reporter and author, Cyrus Farivar.

Cyrus: Good morning. How are you guys?

Carolyn: We're great.

Carolyn: So, Cyrus, your book, I'm not going to lie, it caused some angst for me as I read it. I would get angry and then.

Eric: Hold on, introduce the book for the listeners Carolyn.

Carolyn: Okay. Let me introduce the book. So, privacy has been an issue really since the founding of our country. And today's tech has made it even more complex. Your book, Habeas Data: Privacy Vs. the Rise of Surveillance Tech takes a look at 50 years of American privacy law and how it's become adequate for today's surveillance technology. So, now, there we go. There's the book. And I'm telling you, Eric, it was a week for me to read this book there was a lot of angst going on and let me just get to why.

Eric: A lot of detail.

Justifying One's Innocence Through License Plate Readers

Carolyn: There's a lot of detail but also, have you ever heard somebody say, "I have nothing to hide, I know my data is being collected, I'm okay with that?" Have you ever heard that?

Eric: Yes. I'm roughly in that category because everybody has things to hide.

Carolyn: Well,  Cyrus immediately addresses this point of view and why maybe we shouldn't be okay with that and what a slippery slope it is. Cyrus, I want to talk about you disclose how much data license plate readers collected on you and it's an impressive amount. For a law-abiding citizen. So, talk about that for a minute Cyrus and why we should care.

Cyrus: Sure. I think it's just something that we all should bear in mind, whether or not you feel like you have something to hide or not with regard to license plate readers. Specifically, I think this is a type of technology that is commonplace. It exists now in America, many cities, big and small, and in between have them. And if you don't know, if you're a county sheriff or your municipality has or your state law enforcement agency has license plate readers, it might be worthwhile to see, to find out, to check with local activist groups, or just simply ask your local police department, "Hey, do you folks have license plate readers?"

The Advantage of License Plate Readers 

Cyrus: And if you do, you might consider asking some questions like how many cars are they mounted on? Are they fixed? Where they mounted in certain points over certain streets in certain areas? How long do you keep that data for? License plate readers are an incredible technology that can capture every single license plate that moves or is not moving, right? On any given street up to 60 plates per second, which is insane. So, wherever you folks are right now. Imagine if a police car was driving down the street. It would be capturing every car parked moving in practically any orientation and would capture that plate and it would compare that plate number against a known database, what police often call a hotlist.

Cyrus: These are cars that are wanted or stolen for some reason. Might be an amber alert, might be something else. But in the overwhelming majority of cases, in every city that I've ever looked at, it's always been under 1% of so-called hits. If you talk to the police and you ask them why this is useful. They say, "Oh, this is great because we get to bring back people stolen cars, who doesn't want that? We get to catch bad guys, who don't want that? We get to do things that help us do our jobs more efficiently." And that all sounds great.

License Plate Readers and Its Downside

Cyrus: But the problem is, is that typically these license plate readers are capturing the overwhelming majority of people, you and me, and presumably everyone who is watching or listening to this, who are just regular boring tax-paying citizens who were doing nothing, who are if you're like me, I'm going to get a beer and I'm going to a baseball game and I'm going to get tacos and that's what I do.

Cyrus: And as I pointed out in the book, right? There are lots of perfectly legal activities that all of us engage in that we may not necessarily want there to be a government record of doing, that could be a religious activity, that could be a political activity, that could be going to a medical facility of some kind, that could be going to an abortion clinic, that could be a whole slew of things that are totally legal and fine. But that you may not necessarily want your local law enforcement agency to have a record of the fact that they saw your car doing that thing.

Eric: Yes. For me, it's about where do you draw the line? Scan my plates 500 times a day, I could care less. Now, if you take that information about where I was and when I was there and you sell it to I don't know Amazon or somebody else, I start to care. And I think for each individual citizen, they've got a different line in a different place. I mean, Carolyn, I'm assuming you'd be very different for me in some ways.

The Consequence of Storing Data

Carolyn: I think I probably would. The unforeseen consequences of the massive amount of data being stored. I was shocked to hear how much they had stored on users. I can't even remember how many, and then it's stored over

Cyrus: I think in the book and in the story that you're looking at it, I think it was dozens of times. I think it was 50 times or something like that if I'm not mistaken.

Cyrus: At that time, the Oakland Police Department, which is what I think you were referring to. At that time, the Oakland Police Department had no formal retention policy. Which effectively meant that they were keeping this data indefinitely and they captured my car in front of my house, they captured it in front of a sushi place, they captured it in various places. And again, by itself, that sounds relatively innocuous but taken as a whole, absent any watchdog from either the city agency itself or other people being mindful of what it means when you collect that volume of data and that type of granular data.

The Smith Case

Cyrus: A lot of us pre-pandemic, we park our cars maybe in front of our homes and we drive to our workplaces or maybe we commute to visit relatives or we have a regular pattern of behavior. And given enough data points, you can very clearly establish where somebody lives or where somebody works or where somebody attends religious services or engages in other regular activities that would illuminate a pattern of behavior in somebody.

Carolyn: Well, and then the legality of collecting that kind of data, the so what? Why does it matter to me was really driven home when you talked about the Smith case and what the Smith case ultimately led to, that one was a shocker. So, can you talk about the Smith case, and then I'll let you reveal what happened because of that?

Cyrus: Sure. So, I believe what you're referring to is a case from the late 1970s that's called Smith vs Maryland. And this is a case that lives with us today because it created a legal phrase, a legal standard that we still live with, that's called the third party doctrine. And basically what that means is that you and I having this conversation. I guess there's three of you. So, in this case, there'd be four parties, right? But just for simplicity, I'm treating both of you guys as a single party.

The Importance of Having a Privacy Policy

Cyrus: I'll be the first party, you folks collectively are the second party. The third party in this conversation is whatever platform. What is this? Remotely.fm is the platform that we're using to mediate this conversation. Pre-video conferencing that would have been whatever phone service that you use, AT&T, Verizon, whatever. But there's the entity that is mediating that conversation is the third party. So, while we are having this conversation, we are disclosing too in this case, remotely.fm, the fact that we are having this conversation.

Cyrus: We are allowing this company, this entity, this third party to absorb. I don't know what remotely.fm's privacy policies are. So, if maybe they're recording this entire thing, I have no idea. But we're at a bare minimum, right? They know that one entity and another entity had a conversation on a particular day at a particular time, right? At a minimum, they know that. And so, when in Smith versus Maryland, this is obviously long before video conferencing. This involves a guy who basically ends up mugging a woman on her doorstep at midnight in Baltimore in the 1970s. And he decides that that is not enough creepy behavior, he decides also to make harassing phone calls to this lady at this time and does so from payphones relatively nearby.

215 Metadata Program

Cyrus: And eventually, the police are able to find him, and eventually they're able to determine that, yes, he made the phone calls to this woman to harass her. And they were able to get the records of the calls. Three days of calls that he made to this woman to show that in fact, he had done this. Ultimately, when it was challenged up to the Supreme court, the Supreme court ultimately found that there was no reasonable expectation of privacy in the fact that he had dialed these numbers. Because of this thing the Supreme Court decided and is called the third party document. He had already disclosed in effect that he had made the calls to the phone company. So, the phone company could share that information.

Cyrus: Exactly. And the practical effects of that decision from decades ago means that according to government lawyers, I mean, we're getting a little bit dated now but this is what enabled what was called the section 215 metadata program that was revealed by Edward Snowden from seven years ago. The government lawyers at the time that basically signed off on that basically said, "Okay. Because the Supreme court has said that nobody that this guy Smith in the 70s doesn't have a privacy interest over three days of phone calls for just him and himself, then it must also be true that nobody has any privacy interest over any calls anywhere ever."

Making Metadata Secure

Cyrus: And so, the NSA said, "Yeah. It's totally fine to capture all of the metadata on all Americans' phone records." So, this is the metadata what number called what number for how long and when for years and years and years and years, that program now still exists. Albeit, in a different form, the government doesn't collect it directly. It resides with the telcos, the phone companies, and the government is able to obtain it with a court order, which is a little bit different than how it used to be before Snowden. So, that is the standard, that's the legal test, if you will, that we still live with today.

Eric: But what you're saying is if I put medical records in Dropbox, Dropbox being the third party, probably Comcast, my cable modem, I'm sharing it over that and I could probably think of a few other things, third-party rural says, "Yeah. They can share it out even though their privacy policy says they would not, technically they could."

Cyrus: Right. I mean, they could and it's important to bear in mind that what I think most mainstream companies do, big companies that you've heard of Google, Dropbox, et cetera, right? They will say, "We will keep your data private. We will do X, Y, and Z for you absent a court order," right? Unless a court compels us to do a thing- This is what we're doing.

Eric: Adhere to our policy.

Privacy by Design: What Is Its Importance?

Cyrus: Right. I'm sure there's this phrase that you've heard of before, which is called privacy by design, right? Where there are products and services that exist in the world. I'm thinking in particular of the encrypted messaging app, Signal, right? So, Signal is an encrypted messaging app that is free to use. It's open-source. Anybody can download it. It's very easy to use. The company that makes Signal is a company called Open Whisper Systems.

Cyrus: And Open Whisper Systems has designed Signal in a very particular way. One, they say that they do not keep hardly any information about their users, right? So, when the government has gone to Open Whisper Systems and says, "Hey, we want to know everything that you have on user X." They say, "Well, we can only tell you whether a given phone number is an actual Signal number, one. And two, we can tell you the last time that that number was used on our network. That's it. That's all that we can tell you. We have no other information."

Eric: Yes. Sergeant Schultz from Hogan's Heroes, I know nothing. And they don't.

The Case of Paul Manafort

Cyrus: And it's true. It's true, right? They have made a deliberate choice to design their product in such a way that they have no information to give. Contrast that for example with WhatsApp, right? Another very popular messaging app. WhatsApp, which is owned by Facebook, has a feature whereby default WhatsApp backup messages to iCloud or another kind of cloud backup service. The idea is that if you are switching phones or you're switching devices, you won't lose your messages, right?

Cyrus: If I go drop my phone in the ocean right now, I will lose all my Signal messages on my phone if I have any that I care about. There's no backup option at all. They have chosen not to have that. Whereas WhatsApp and we learned this, if you guys remember the case of Paul Manafort. Paul Manafort was sending messages all over the place on WhatsApp thinking that he was encrypted but guess what? His phone was backing up to iCloud and the government got his messages.

Eric: He was encrypted though.

Cyrus: Sure. But encrypted only means.

Eric: It didn't matter.

Cyrus: Right. It didn't matter. That's what I'm saying. Yes.

Choosing Between Convenience and Privacy

Eric: And I think being a cybersecurity podcast, the other challenge you have is even if these companies don't disclose the information if they get hacked, your information could be taken.

Cyrus: Yes. That's certainly true. There's obviously a trade-off between convenience and security and privacy as you well know. I often say it's super easy to live a very private life. The way you do that is you throw all your digital devices into the nearest body of water, you move to the most remote mountain cabin you can find and you never talk to anybody ever again.

Eric: And you're safe.

Cyrus: Right. Obviously, that's very hard I think for most of us. Because we like cute cat videos on the internet and we like using our phones for various things. And we like living a normal, modern life. And so, that's really difficult to give up convenience for privacy for a lot of people.

Security vs. Privacy

Eric: So, what do you think Carolyn? What do you think about privacy versus access issues?

Carolyn: Well, you'll like this Eric. So, in the book, Cyrus says, "Security versus privacy, security always wins. When the government, we say security versus mission, mission always wins."

Eric: Yes. I would even say just in business many times.

Carolyn: Yes. Mission always wins, right? They'll find a way around the security and-

Eric: Or they'll skip it because they have to get something done.

Carolyn: Right. And I realized that the reason security is going to win over privacy is because security is the mission, right? It's the cops needing to catch the bad guy. So, they're going to do whatever they need to and if they're violating some privacy laws, well, so what? But also, where the conflict came for me with the book was like the Smith case. He was a creeper. He needed to go to jail. But the precedence of his case is what made it possible for the NSA to collect data on all of us. So, the question is, where do we draw the line?

Knowing When to Care About Your Security

Eric: Exactly. If they're scanning your license plates, do you care? You're clean.

Carolyn: Exactly. And if they're taking my temperature, do I care? Maybe.

Eric: And what if they get your medical records and find something out that you don't want to share?

Eric: That's the line for you but how as a society do we draw the line? I go back to Cyrus. You talk about until the 21st century, most of our activities were relatively private. Let's go back to the 17th, 18th century. You lived in a small village or town. Everybody knew your business. I remember growing up, my grandmother would talk about so-and-so is doing this, so-and-so is doing that. You get back a couple hundred more years and you're just in that small village or town. Everybody knows your business. Are we not going back to that where we've already been? Or now you know my blood type you know I have a disease.

Cyrus: I think that it's a difference of scale, right? If you live in a small town in the 16th century, sure. You live in a small town and maybe 50 people know everything about you.

Keeping Your Imprints

Cyrus: What you've been doing but that's very different than that information being accessible to hundreds or thousands or potentially millions of people at incredibly fast speeds. And that information is in the world that we live in now that information is indelible as anybody who has ever tried to get rid of something from the internet about them, be it an embarrassing photo or whatever. It's almost impossible to do that. And whereas in the 16th century, people's memories fade and people die. The dumb thing that you did when you were 15 in 1683 is long forgotten. But hundreds of years in the future, probably a lot of the dumb things that I've said on Twitter will still exist.

Carolyn: And that's the point, Eric, just wait when we talked about the right to be forgotten, are those things die. Even if it's printed in a newspaper, I mean, finding that newspaper is really hard but now you get big data and you start painting this massive picture.

Changing Your View About Security

Eric: It's simple now. So, Cyrus, what do we do? I mean, privacy law hasn't kept up. How do we figure out when everybody has a different line, a location starting point for that line and it could even change, right? My line for this could change today to I don't want you scanning my license plate, I don't want you to look in my internet search.

Cyrus: Yes. And I get that. It's a really hard and thorny problem is the very short version of that. I would say the thing to remember this phrase that I'm sure you both are familiar with, which is the phrase threat modeling. What are you afraid of? What is it that is the worst-case scenario? If it is known by your local police department that you drive to church every Sunday, does that bother you? If it doesn't, then you're probably not going to do anything. But it might.

Carolyn: Well, maybe.

Cyrus: Maybe it does. 

Carolyn: If you're going to a mosque, that might bother you.

Cyrus: It might.

Carolyn: To have somebody following you.

Monitoring Your Every Move

Cyrus: And so, you have to run through these calculations in your mind of like, "Okay. If it bothers me that I don't want anybody to know that I'm driving to my religious institution, maybe I'm going to ride my bike instead, maybe I'm going to take the subway or the bus or some other. And maybe I'm going to walk."

Eric: But you're talking personal action there. So, let's assume you don't want people to monitor the fact that you're going to the mosque once a week but for every license plate we scan, we're catching one out of a thousand criminals.

Cyrus: I would venture that that's an exaggeration.

Eric: You're probably right. It's probably one out of 50,000 or a hundred. But let's assume there's that trade-off, how do we as a society make that decision because it's everybody has their own lines. How do you coalesce society around a common agreeable spot?

The Oakland Privacy Advisory Commission

Cyrus: Sure. So, I think one of the ways that we deal with this here in Oakland where I live is something that and I don't mean to skip ahead to the ending of my own book but I think that here in Oakland, we have something called the Oakland Privacy Advisory Commission. It's a government body that acts at the city level and the municipal level that acts just like any other city commission. Most cities have planning and building commissions, for example. There's a group of people who are experts in building and construction and they decide is it appropriate for you to add a story onto your house or to remodel your kitchen or whatever the case may be.

Cyrus: They have expertise in building and construction.  These people are experts or try to be experts in privacy. And they require under city law for city government entities that are doing something or acquiring something, license plate readers, for example, that might impinge on people's privacy. And they require that the entity that wants to get that thing, the police department usually but not always. Another example might be the sanitation department wants to acquire surveillance cameras so they can capture or license plate readers so they can capture people who are illegally dumping trash in certain areas.

The Framework and a Rule Book of Policy

Cyrus: I don't know if that's an issue where you live but that's an issue where I live here. People are dumping couches and mattresses and all kinds of stuff that they're not supposed to be doing. So, they go to the commission and they say, "Hey, here's the thing that we want. Here's why we want it. Here's the policy that we're going to develop that says, 'Okay. These 10 people have access under these circumstances and we're keeping the data for this amount of time and we're deleting it after this amount of time and we're sharing it with these other agencies under these circumstances.'" And there's a framework and a rule book for how that works.

Cyrus: Because as far as I know, Oakland is the only city in America that has this, that has a city agency that is upfront and trying to get ahead of, like you were saying that the law doesn't catch up. As far as I know, Oakland is the only city that does this ahead of time. And they require that agencies come back every year essentially and do an audit and say, "Hey, okay. We have 30 license plate readers and we caught a hundred bad guys and that's great. And we captured a bazillion license plates and we deleted them all after two months because we figured out that they were useless. And here's our rule and it's very predictable."

We Need Congressional Oversight

Cyrus: So, I think that is a good solution. I'm sure it has flaws and there may be disagreement in the case of license plate reader specifically over what is an appropriate length of time to keep that data, whether it's one day or one week or one year. And I think reasonable people could disagree over what the appropriate length of time is. But to say, "Well, we're just going to keep it forever and we're not going to have a policy," I think is a recipe or could be a recipe for disaster.

Carolyn: And this goes back to a lot of things that we've talked about, Eric, just transparency, communication, cooperation. But my question for you, Cyrus, is Michael Hayden agrees with you. I agree with Michael Hayden. He says that we need congressional oversight. We need PAC at a national level. We have that but it's under-resourced, it's floundered. Can you talk about the commission that we have in place at a national level and maybe what your thoughts are and how we get it to a PAC level to what Oakland is doing?

The U.S. Privacy and Civil Liberties Oversight Board

Cyrus: Sure. At the national level, we have something called the U.S. Privacy and Civil Liberties Oversight Board, which has the unfortunate acronym of PCLOB. I didn't name it. That's just what it's called. And PCLOB is this entity that is largely concerned with overseeing the federal government's surveillance powers. Famously they issued their first report in January 2014 that examined this NSA metadata program that I mentioned earlier called section 215. And they basically found that it was unconstitutional. And that report is an interesting document in its own right.

Cyrus: But I think we need to also be mindful of things that not only are our federal agencies like the NSA, what they're doing but also what individual police departments, sheriff's departments, state law enforcement agencies, tribal law enforcement agencies are doing. We live in a federalist country. County sheriffs, police departments, state governments have a lot of power that is not necessarily overseen or controlled by the U.S. Department of Justice. The U.S. Department of Justice, I don't believe, I'm not a lawyer, much less a constitutional lawyer, as far as I understand it, the federal government doesn't have the ability to say to each and every individual state or police department, "Okay. You have to do this evaluation ahead of time before you acquire surveillance technology or whatever."

The Consent Decrees: What Is It All About?

Cyrus: They can certainly encourage it. There are ways that the government can encourage cities to do certain things or take certain actions. This has been done for example with regard to systemic racism and racial injustice that has happened in many cities and where cities are doing things improperly. And the department of justice regularly does investigations and oftentimes they come up with what are called consent decrees, basically settlements agreements between the U.S. Department of Justice and the Oakland police department or the Chicago police department or whatever.

Cyrus: I'm not aware of any agreement like that between the federal government and a local police department with regard to surveillance technology. It seems to be in this country a little bit easier for better or worse to regulate what the government is doing that's of course baked into our own constitution. There's an inherent skepticism about what the government itself is doing. But of course, as you mentioned before, there are all kinds of other issues to worry about with regard to what private companies are doing.

Eric: Right. And I think if you look at, like body cameras, I don't think they can federally mandate body cameras everywhere.

The Difference Between Police Brutality and Misconduct

Cyrus: As I understand that the federal government could mandate it for federal agencies but I don't believe that the federal government, my understanding is that the federal government itself does not have the authority to mandate to every city and every county in the country to say, "Okay. You must have body cameras now." You may remember in the Obama administration after things went awry in Ferguson to put it extremely mildly, there was a push by the federal government to encourage body cameras.

Cyrus: And that was something that President Obama talked about at the time. And a number of departments did do that. And still, now, more and more departments are continuing to do that. I think the jury's out as to whether or not that has made a substantive difference in terms of police brutality and misconduct. But nevertheless, I think that that's something that is interesting to continue looking at.

The Importance of Privacy Perspective

Eric: Right. But from a privacy perspective, they can suggest, they can find or they can take back funding but they can't mandate.

Cyrus: That's my understanding.

Eric: Yes. Okay.

Carolyn: Yes. It's such a complex issue. As I said, it gives me angst. But I think it's really good that we're talking about it. Unfortunately, we're going to have to leave it here for today. But I encourage our listeners to read Cyrus' book and to think about these issues and what they mean to you.

Eric: Carolyn, will you be riding the bike to the grocery store or you're driving now?

Carolyn: I walk with a hoodie.

Cyrus: Well, it's funny you say that.

Carolyn: Facial recognition.

Cyrus: Right. There's that too. One of the things that there was a line in Edward Snowden who is still in Russia after how many years has been now? Seven years. He said it in an interview recently that it turns out that in Russia, given that it's cold and then he's constantly wearing hats and scarves and stuff around him. That it's easier just given the clothes that you need to wear to be outside in the wintertime, it's a little bit easier to, and also he's a celebrity to try to stay more anonymous, just given the kind of coverings that you need to wear, which I thought was funny.

Hit the Like Button and Give Us a Review

Carolyn: Thank you, listeners. Go smash that like button and give us a review and we will talk to you next week. Thanks for joining us on the To The Point Cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast. And don't forget to subscribe and leave a review on iTunes or the Google Play Store.

To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers  2019 & 2020  because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast cford@forcepointgov.com

About Our Guest

Cyrus Farivar is an investigative tech reporter at NBC News and the author of The Internet of Elsewhere. He is also a radio producer and has reported for the Canadian Broadcasting Corporation, National Public Radio, Public Radio International, The Economist, Wired, The New York Times, and others.

Listen and subscribe on your favorite platform