Tag Archives: privacy

Recap: MN Civil Law Committee Hearing on Surveillance and Privacy

Here’s my edited dump of notes from today’s meeting (apologies if any of it is misattributed or incorrect):

Today the State of MN Civil Law Committee convened to hear testimony regarding state and local government use of surveillance technologies.  At issue was how these technologies impact an individual’s right to privacy, and what legislative steps can be taken to allow law enforcement’s use of these technologies while protecting constitutional rights.

The first person to testify was the ACLU’s Catherine Crump.  She prefaced her comments by mentioning that while many privacy issues have surfaced due to the NSA, problems can also arise at the state and local level.  The ACLU is not opposed to surveillance technologies, but recognizes that oversight is required to prevent powerful technologies from being abused.

(While I would prefer that modern technologies not be used to surveil in the first place, this is a perfectly sane position to take.  Being “opposed” to technology is a pretty difficult proposition, since it’s the actual use of technology that can be problematic – it would be like opposing streaming video technology because you watched a bad movie.)

Crump’s testimony was focused on four areas: GPS tracking of vehicles, cell phone location tracking, automated license plate readers, and surveillance drones.  Crump also noted that extended surveillance often leads to the discovery of very private information about an individual, and that 28 days of GPS surveillance was considered a “search” by the Supreme Court (United States v. Jones).  Previously, surveillance like this was limited by what it cost to carry out; now that GPS trackers are cheap, the state has to impose legal restraints in place of the practical ones that used to exist.

Crump also touched on some topics related to cell phone tracking.  The first is that all carriers store historical location data for at least one year, and that carriers are willing to share this data with law enforcement.  This historical data is often much more sensitive than current location, since it can be used to identify patterns of activity.

Current cell phone location data is obviously very useful in the event of an immediate threat or crime being committed, and I do not believe anyone is opposed to police using this data.  Law enforcement can also work with carriers to receive what’s called a “tower dump”, which is a list of every cell phone that connected to a particular tower during a given time window, whether or not its owner is a suspect.  Both of these uses of technology require oversight into how often these tools are used, who they are used against, and how they are deployed.

In closing, Crump stated that legislation which adds oversight to the use of technology needs to address where future technology is headed.  For example, surveillance drones will likely soon become a part of our landscape, so it’s important to come up with legislation regarding acceptable drone use before they become widely deployed.

Next, Commissioner of Public Safety Ramona Dohman answered a few questions from the committee.  Most interesting to me was that Kingfish/Stingray devices (cell-site simulators that impersonate a carrier’s tower in order to locate and identify nearby phones) have been deployed in Minnesota since 2005 – almost 10 years!  Other interesting points made by Dohman (or her assistants – my notes are terrible) were that data collected by Kingfish is not kept, but that it could be – the claim is that this data would not be very useful.  Also, in response to a question, the identities of the specific officers that access the data are not available to the public.

Next up was Minneapolis PD Chief Janee Harteau, who stated that MPD does not have any cell phone exploitation technology and does not have any plans to obtain it.  When MPD has such a need, they get a warrant and make a request to the BCA, which handles the technology aspect.  When asked why MPD does not contact the Hennepin County Sheriff’s Office (which also has a Kingfish), she could not give an answer – personally, I get the feeling that MPD and the Hennepin County Sheriff’s Office don’t always see eye-to-eye.  Harteau also stated that MPD does not own any drones and has no plans to purchase any.  Harteau was also questioned over her department’s policy of keeping license plate reader (LPR) data for 90 days (a time period I consider somewhat reasonable).

St Paul Police Chief Tom Smith was more forthcoming about the benefits of consumer location technology, noting that OnStar could find him if he were in an accident in northern MN, and also touting some of the features of Apple’s iOS 7.  He noted that St Paul does not use Triggerfish or Kingfish, and that like Minneapolis, when they need to use that technology, they get a warrant and contact the BCA.  Smith also stated that he and Harteau were both members of the International Association of Chiefs of Police, and that the organization might be able to help draft some model legislation.

After some additional testimony from Olmsted County Sheriff Dave Mueller and MN Sheriffs’ Association Executive Director Jim Franklin, things got a little more interesting.  Don Gemberling of the Minnesota Coalition on Government Information raised the possibility of a privacy and civil liberties board in Minnesota (after keenly pointing out that at one point, George Orwell himself was a cop).  He also cited Justice Brandeis’ dissent in Olmstead v. United States (“if the government becomes a lawbreaker, it breeds contempt for law”) as one reason this board might need to be established, and said that it’s not only the bad guys you have to worry about, but also the good guys who lose control.

Rich Neumeister gave some additional comments, stating that law enforcement has been increasingly trending toward secrecy, and that this trend has been going on a long time.  He noted that even the LPR data took 4 years before it was made public knowledge, and that police in the late 80s used handheld scanners to attempt to listen to phone calls transmitted by cordless phones.  He has also been unable to obtain even the names of the companies that BCA has contracts with.

Last, Deputy Secretary of State Beth Fraser spoke.  She talked briefly about the Safe at Home program, which helps shield victims of domestic abuse from their abusers.  She stated her concern about what happens when an abuser is a member of the law enforcement community, and would like a way to delete data that has no legitimate use.

Overall, the meeting was about what I expected.  Not a whole lot that was accomplished today, but I am grateful for Rep. John Lesch keeping important privacy issues at the forefront of discussion.  As always, feel free to contact me via email or leave a note in the comments.

Nice Ride and user privacy – crossing the line

I’m a really big fan of Nice Ride, the bike-sharing program we have here in the Twin Cities. It’s a great way to encourage cycling (especially for beginners) and exploration of the cities – there are so many little wonderful things you miss when you’re in a car or riding the bus. That’s why I was disappointed when Nice Ride disclosed rider data to the public without removing a field which can be used to individually identify riders.

Privacy has been in the Minnesota news recently, when it was discovered that the Minneapolis police department was scanning license plates and using that information to compile a database of driver activity (such as where and when a car was spotted). The mere existence of such a database is disturbing, but is unfortunately not news to those of us who follow the advancing deployment of technology. What was disturbing was that this data was semi-public: anyone could request the locations where a particular license plate was observed, and the police would provide that data. Since this story broke, efforts have been made to shorten how long the data is retained and to monitor and/or restrict public access to it.

Nice Ride, on the other hand, apparently has no qualms about publishing their entire database, complete with a unique subscriber ID. This unique subscriber ID allows anyone with a copy of the database to track an individual user’s activity throughout the Nice Ride system. This is useful information for Nice Ride employees who are using this data to figure out how individual riders are using the bikes, allowing Nice Ride to better serve their customers. But releasing this data to the public means that a subscriber ID can be easily linked with an actual person, exposing an individual’s entire ride history. There are many conclusions one can draw about individual Nice Ride users by analyzing this data (and combining it with other data), so let’s take a look!

I’d like to start out by describing the easiest ways to correlate a subscriber ID and an actual user, but I don’t really have the heart to publish a thorough methodology – that’s one of the things I’m deeply opposed to, and is my main grievance with the irresponsible publication of this data. I did not personally use Nice Ride this year, so I don’t even have a subscriber ID in the system. But if you’re a user/consumer of social media, can you remember tweeting or updating your Facebook status when you rode on a Nice Ride? Remember someone else who did? Know of any ways that you can find this info again, as well as the date/time it was published? Well, that’s one way to start. (Again, I apologize for not writing more on this but I’m trying not to go too in-depth. Simple observation is the other obvious way – you saw that cute girl get on a Nice Ride at a certain date/place/time, and while you don’t have her name, now Nice Ride has told you everywhere she has ridden a shared bike)

Once you match a single person to a subscriber ID, the floodgates are open. You get every single individual ride’s start time/date, as well as location, and the same for the destination (time, date, location). It’s also trivial to glance at any person’s data and see if any other user has checked out a bike from the same location within the same timeframe, potentially gaining the subscriber ID of a known acquaintance, spouse, etc.

Or, to take an example from the Minneapolis Bike Love forum:

Let’s say I take a bike out every morning near my house and ride it to work. My ex-wife knows I do this. She uses this information to figure out my subscriber ID because I am the only one who daily takes that bike from there and rides to the location near my work. Using my ID she looks at my other activity. She sees that I am riding places in the middle of the day. She sees that I am riding places when I told her I was out of town. She sees that I am riding around when I told her I was too sick to take the kids. She sees that I am riding to a place where I spent Saturday night and ride away the next morning. I just do not want her knowing that shit and I did not pay NiceRide to tell her.
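To make the linkage concrete, here is an added example (my own code, not anything Nice Ride publishes or runs) that carries out the attacks described above against a small constructed trip table modeled on the scenario in that forum post: matching a single sighting at a station to candidate IDs, matching a daily commute to one ID, pulling that ID’s full ride history, finding riders who repeatedly leave the same station at the same time as the target, and finally showing that the same rows with the subscriber ID stripped still support the aggregate per-station analysis that other cities publish. Station names, subscriber IDs, timestamps and the matching windows are all invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (export timestamps are local time)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample rows in the shape of a bike-share trip export:
# (subscriber_id, start_time, start_station, end_time, end_station).
# Station names and IDs are made up; none of this is real Nice Ride data.
TRIPS = [
    # S1001: the forum poster. Weekday commute Home -> Work, plus the trips
    # he would rather nobody could tie to him.
    ("S1001", parse_ts("2012-06-04 07:52"), "Home", parse_ts("2012-06-04 08:11"), "Work"),
    ("S1001", parse_ts("2012-06-05 07:49"), "Home", parse_ts("2012-06-05 08:09"), "Work"),
    ("S1001", parse_ts("2012-06-06 07:55"), "Home", parse_ts("2012-06-06 08:14"), "Work"),
    ("S1001", parse_ts("2012-06-06 12:20"), "Work", parse_ts("2012-06-06 12:35"), "Clinic"),
    ("S1001", parse_ts("2012-06-09 22:40"), "Home", parse_ts("2012-06-09 22:58"), "Uptown"),
    ("S1001", parse_ts("2012-06-10 09:05"), "Uptown", parse_ts("2012-06-10 09:25"), "Home"),
    # S3003: checks out a bike at the same station a few minutes after S1001 most mornings.
    ("S3003", parse_ts("2012-06-04 07:55"), "Home", parse_ts("2012-06-04 08:20"), "Campus"),
    ("S3003", parse_ts("2012-06-05 07:53"), "Home", parse_ts("2012-06-05 08:18"), "Campus"),
    ("S3003", parse_ts("2012-06-06 07:58"), "Home", parse_ts("2012-06-06 08:22"), "Campus"),
    # S2002: rode the same route once; not a pattern.
    ("S2002", parse_ts("2012-06-05 07:51"), "Home", parse_ts("2012-06-05 08:15"), "Work"),
    # S4004: unrelated rider.
    ("S4004", parse_ts("2012-06-04 17:30"), "Work", parse_ts("2012-06-04 17:50"), "Lake"),
]


def candidates_for_sighting(trips, station, when, window_minutes=10):
    """IDs with a trip starting at `station` within +/- window of one sighting:
    the 'you saw her check out a bike at that time and place' attack."""
    window = timedelta(minutes=window_minutes)
    return sorted({sid for sid, start, s_st, _, _ in trips
                   if s_st == station and abs(start - when) <= window})


def identify_by_routine(trips, start_station, end_station, min_days=3):
    """IDs that rode start->end on at least `min_days` distinct days; a daily
    commute known to an acquaintance usually narrows this to one ID."""
    days = defaultdict(set)
    for sid, start, s_st, _, e_st in trips:
        if s_st == start_station and e_st == end_station:
            days[sid].add(start.date())
    return sorted(sid for sid, d in days.items() if len(d) >= min_days)


def ride_history(trips, sid):
    """Every trip tied to one ID: what a persistent subscriber ID exposes."""
    return sorted((start, s_st, end, e_st)
                  for s, start, s_st, end, e_st in trips if s == sid)


def corider_candidates(trips, sid, window_minutes=10):
    """Other IDs that start at the same station within a few minutes of `sid`,
    ranked by how often it happens (spouse, roommate, colleague)."""
    window = timedelta(minutes=window_minutes)
    mine = [(start, s_st) for s, start, s_st, _, _ in trips if s == sid]
    hits = Counter()
    for other, start, s_st, _, _ in trips:
        if other != sid and any(st == s_st and abs(start - ts) <= window
                                for ts, st in mine):
            hits[other] += 1
    return hits.most_common()


def strip_subscriber_id(trips):
    """What other bike-share programs publish: the same rows minus the ID."""
    return [(start, s_st, end, e_st) for _, start, s_st, end, e_st in trips]


def trips_per_station(rows):
    """Aggregate use (departures per station) that needs no subscriber ID."""
    return Counter(s_st for _, s_st, _, _ in rows)


if __name__ == "__main__":
    sighting = parse_ts("2012-06-05 07:50")
    print("seen at Home around 07:50:", candidates_for_sighting(TRIPS, "Home", sighting))
    (target,) = identify_by_routine(TRIPS, "Home", "Work")
    print("daily Home->Work commuter:", target)
    for trip in ride_history(TRIPS, target):
        print("  ", *trip)
    print("likely co-riders:", corider_candidates(TRIPS, target))
    print("departures per station without IDs:",
          dict(trips_per_station(strip_subscriber_id(TRIPS))))
```

A single sighting returns several candidates even in this tiny table, and a real export with thousands of riders returns more; the point is that a repeated pattern (the same route on several days) collapses the candidate set to one ID almost immediately, and from then on every other row with that ID comes for free. The stripped rows still answer the questions a planner cares about, which is why removing the one field costs Nice Ride nothing analytically.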

The bottom line is that publishing this data is irresponsible and potentially dangerous. Bike-share programs in other cities also publish the exact same data (in addition to cool charts), but without the subscriber ID. I support the great things that Nice Ride does in order to make biking more accessible to beginners and those who prefer to avoid the hassle of bike maintenance. But they seriously need to remove just one field before publishing their data.

Update as of 12/8/2012:

Of course there’s one more thing that I neglected to mention in the above post. If you go to Nice Ride’s sign-up page, you’re presented with the user agreement at the bottom. About 2/3 of the way through that document, the section on “Confidential Information” (which is the only aspect of the user agreement related to privacy, as far as I can tell) refers the user to the Privacy Policy on the website.

Now, most modern websites have some sort of Privacy Policy which governs data that is submitted or stored via the website, so pointing the user agreement at it is kind of sloppy: subscriber IDs, check-out times, station locations, etc. are obviously not submitted via the website. And ignoring that oversight, most of the Privacy Policy is relatively standard boilerplate, even the section that reads:

We may share aggregated demographic information (data that cannot identify any individual person) with our partners and sponsors.

The data they have published is not aggregated data (and can potentially be used to identify individuals), and they are not providing it strictly to partners and sponsors, but to the public. There are good reasons for this (so other data nerds can make maps and track behavior). Even if Nice Ride removed the subscriber ID, they would still not be in technical compliance with their policy (because of the aggregation claim), but they would remove the possibility of identification of users, which is all I really care about.

And finally, Nice Ride published a similar dataset in 2011, but included Date of Birth, Gender, and ZIP Code – making it very easy to identify people. That triple is the textbook example of a quasi-identifier: Latanya Sweeney showed years ago that date of birth, sex and ZIP code together single out most of the US population, which is exactly why de-identification guidance treats those fields as identifying even without a name. It doesn’t appear that they did much about this oversight (other than properly redacting this data in 2012), as Minneapolis Mayor RT Rybak’s subscriber ID appears to be in use in both the 2011 and 2012 data sets (though either he stopped using Nice Ride in May 2012, or was assigned a new subscriber ID – this doesn’t surprise me considering he’s an avid cyclist and probably prefers his own bike). It would have been a smart idea to re-assign subscriber IDs after that inadvertent disclosure.
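Here is a second added example (again my own code, not Nice Ride’s) on a constructed rider table, illustrating both halves of that paragraph: it counts how many riders are unique on the date-of-birth/gender/ZIP triple (the smallest group size is the dataset’s k-anonymity, and k = 1 means someone is unique), shows that generalizing the fields to birth decade and three-digit ZIP raises k, and shows why reusing the 2011 subscriber IDs in 2012 carries the 2011 identification forward onto every 2012 trip. Every name, ID and demographic value below is invented.

```python
from collections import defaultdict

# The fields that made the 2011-style release identifying: the classic
# quasi-identifier triple.
QI = ("dob", "gender", "zip")

# Constructed 2011-style subscriber rows; invented people, not real data.
RIDERS_2011 = [
    {"sid": "A1", "dob": "1955-11-07", "gender": "M", "zip": "55405"},
    {"sid": "A2", "dob": "1988-03-21", "gender": "F", "zip": "55408"},
    {"sid": "A3", "dob": "1988-03-21", "gender": "F", "zip": "55408"},  # same QI values as A2
    {"sid": "A4", "dob": "1958-08-02", "gender": "M", "zip": "55414"},
    {"sid": "A5", "dob": "1985-01-15", "gender": "F", "zip": "55414"},
]

# Subscriber IDs appearing in a constructed 2012-style trip export, which
# carries no demographics but reuses the 2011 IDs.
SIDS_2012 = ["A1", "A3", "B7", "B8"]


def equivalence_classes(records, keys=QI):
    """Group subscriber IDs by their quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[k] for k in keys)].append(r["sid"])
    return dict(classes)


def k_anonymity(records, keys=QI):
    """Smallest group size; k == 1 means at least one rider is unique."""
    return min(len(sids) for sids in equivalence_classes(records, keys).values())


def unique_sids(records, keys=QI):
    """IDs that are the only rider with their quasi-identifier values."""
    return sorted(sids[0] for sids in equivalence_classes(records, keys).values()
                  if len(sids) == 1)


def generalize(record):
    """Coarsen DOB to birth decade and ZIP to its first three digits."""
    return {**record, "dob": record["dob"][:3] + "0s", "zip": record["zip"][:3]}


def carried_over(records_2011, sids_2012):
    """IDs identifiable from the 2011 demographics that the 2012 export reuses,
    so the 2011 identification applies to every 2012 trip as well."""
    return sorted(set(unique_sids(records_2011)) & set(sids_2012))


def report(records_2011=RIDERS_2011, sids_2012=SIDS_2012):
    """Summarize uniqueness before and after generalization, plus ID reuse."""
    gen = [generalize(r) for r in records_2011]
    return {
        "k_raw": k_anonymity(records_2011),
        "unique_raw": unique_sids(records_2011),
        "k_generalized": k_anonymity(gen),
        "unique_generalized": unique_sids(gen),
        "carried_over": carried_over(records_2011, sids_2012),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed table three of five riders are unique on the raw triple, nobody is unique once the fields are generalized, and A1 (unique in 2011 and still active under the same ID in 2012) is the Rybak case: the 2012 file says nothing about A1 demographically, but anyone who kept the 2011 file already knows who A1 is. Rotating the IDs between releases breaks that join; publishing no ID at all breaks it and the intra-year linkage too.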

And if you’re wondering, I did email the Director of IT for Nice Ride prior to publishing this, and he was unconcerned about the privacy implications of publishing the data. I didn’t tell him specifically about the privacy policy violations mentioned in this update, because I thought of that angle after he stopped replying to my email. The EFF sent me a form letter telling me to contact my local bar association, and a reporter from the Star Tribune couldn’t come up with an angle which was appealing enough to readers.

If anyone has any ideas on how to get this resolved (either updating their policy to state that they will share ride data about users, or to stop publishing the subscriber ID field), please let me know and share the link to this post. Thanks!