Virginia Police Have Been Secretively Stockpiling Private Phone Records
By G.W. Schulz, Center for Investigative Reporting
While revelations from Edward Snowden about the National
Security Agency’s massive database of phone records have sparked a national
debate about its constitutionality, another secretive database has gone largely
unnoticed and without scrutiny.
The database, which affects unknown numbers of people,
contains phone records that at least five police agencies in southeast Virginia
have been collecting since 2012 and sharing with one another with little
oversight. Some of the data appears to have been obtained by police from
telecoms using only a subpoena, rather than a court order or probable-cause
warrant. Other information in the database comes from mobile phones seized from
suspects during an arrest.
The five cities participating in the program, known as the
Hampton Roads Telephone Analysis Sharing Network, are Hampton, Newport News,
Norfolk, Chesapeake and Suffolk, according to the memorandum of understanding
that established the database. The effort is being led in part by the Peninsula
Narcotics Enforcement Task Force, which is responsible for a “telephone
analysis room” in the city of Hampton, where the database is maintained.
The unusual and secretive database contains telecom customer
subscriber information; records about individual phone calls, such as the
numbers dialed, the time the calls were made and their duration; as well as the
contents of seized mobile devices. The information is collected and shared
among police agencies to enhance analysis and law enforcement intelligence.
The legality of the database is in question, however, and at
least one law enforcement agency has declined to participate in the program due
to legal concerns.
“My initial reaction is that it’s very disturbing and
illegal under Virginia law,” said Rob Poggenklass, a staff attorney at the
American Civil Liberties Union of Virginia, which was previously unaware of the
database.
The system was set up with virtually no public debate or
concern expressed by elected officials, who approved resolutions authorizing
the database. Hardly anyone outside of the five participating police agencies
knows about the sharing network, though its creation was not kept secret.
All over the U.S., local police agencies are collecting vast
stockpiles of private information from people—some of it from people who have
not been convicted of crimes but were merely stopped by police.
As an example of the amount of data being collected, in the
first-ever transparency reports released by major telecoms earlier this year,
AT&T revealed that between January and June, it received nearly 80,000
criminal subpoenas for customer records from federal, state and local law
enforcement agencies, while Verizon disclosed that it had received over 72,000
subpoenas from law enforcement during the same period.
The Virginia system is yet another example of this creeping
expansion of local law enforcement surveillance throughout the country.
Minimal public information about the sharing network exists,
but it first made an appearance on the agendas of local government meetings,
where it met no resistance. Elected city council members in Newport News and
Chesapeake, for instance, passed resolutions approving the telephone
data-sharing agreement without objection.
According to the memo establishing the information-sharing
network, each participating city agrees to “share telephone intelligence
information derived from any source with the (task force) including: subpoenaed
telephone call detail records, subpoenaed telephone subscriber information, and
seized mobile devices.” Participating agencies can query the system by phone or
email. If a city chooses to withdraw from the agreement, any records it
supplied to the database remain, according to the memo.
Details about the data collected from mobile phones and
stored in the database are uncertain, but the data could be wide-ranging, since
mobile users browse the Internet, exchange text messages and share contact
lists, and technology available to police can extract much of this information
from mobile devices, even if it’s hidden, deleted or password-protected.
Police departments involved in the sharing network are
tight-lipped about the database’s contents, refusing to say whether the
contents of seized phones includes contact lists and text messages.
Questions sent to each of the five cities contributing to
the database were met with brief statements, when responses were provided at
all. Sgt. Jason Price of the Hampton Police Division said his agency “gathers,
shares and retains information in accordance with local, state and federal
law.” More specific answers “could jeopardize on-going and future
investigations,” he wrote in an email.
It’s unclear whether the data that’s collected stays with
the task force or is further shared with agencies beyond, perhaps with
so-called intelligence fusion centers that exist in every state except Wyoming
to facilitate information sharing and coordination among local and state
police, the FBI, the Department of Homeland Security and other agencies.
The ACLU’s Poggenklass said the database runs afoul of a
privacy law in Virginia known as the Government Data Collection and Dissemination
Practices Act, designed to curb the overcollection and misuse of digital
personal information by state and local agencies.
He points to an interpretation of that law issued last year
by Virginia’s attorney general in reference to controversial automated
license-plate readers that police departments nationwide have adopted
enthusiastically in recent years.
While law enforcers enjoy some exemptions from privacy laws
during the course of an investigation, according to the opinion, those
exemptions don’t apply when collected data “is of unknown relevance and not
intended for prompt evaluation and potential use.” In other words, there must
be a clear law enforcement need. Without it, Poggenklass said, police should
not be permitted to collect and retain records indefinitely in a database for
future queries.
Asked about the legal issues around the phone records
database, Hampton City Attorney Vanessa Valldejuli said that due to recent
court rulings, data in the system is gathered “only via search warrant or court
order consistent with law.” Court orders, as well as subpoenas, have a lower
legal standard than warrants, which require investigators to articulate
probable cause of a crime to an impartial judge. Valldejuli did not elaborate
on which rulings she was referencing, what records those rulings affected or
what steps were taken to minimize the impact on people not accused of a crime.
She also wouldn’t say whether policies were different before and after the
unspecified rulings.
Not everyone in Virginia seems comfortable with the
database. The Virginia State Police said through a spokeswoman that it opted
not to join the phone record sharing network, even though it’s a member of the
drug task force that helps oversee the database. It cited the state’s data practices
act as the reason.
The attorney general’s finding isn’t the only legal
interpretation of relevance for the database. In a surprisingly tech-savvy
ruling (.pdf) in June, the U.S. Supreme Court ruled unanimously that because
mobile phones contain highly personal records of nearly every aspect of our
lives, police must obtain a warrant before downloading the contents of a mobile
phone when they arrest someone.
Courts around the country are struggling to issue timely
decisions telling police when and how they can use the rich amount of personal
information now contained in smart phones. Federal appeals judges in Atlanta
(.pdf) and New Orleans (.pdf), for instance, recently have issued contrasting
opinions on whether police must meet the same standard to acquire historic
cellphone records that would reveal a person’s movements. That creates
continuing uncertainty for law enforcement investigators about what they can
and cannot pursue short of a warrant.
Additionally, the practice of obtaining cell tower dumps
without a warrant, in which police seek records for every cellphone that has
connected with a tower over a specific period of time, is problematic. A
federal magistrate judge in New York this summer found that no warrant was
necessary for tower dumps, but he did instruct police to determine how they
could better handle the private information of innocent people.
In the case of the Virginia database, it’s unclear whether
content from seized cellphones—such as text messages— is included in the
database or if it just contains so-called metadata describing the phone numbers
called, the calls received and their date and duration. But even if only
metadata is collected there is still a privacy concern, as the Snowden
revelations over the last 18 months have made clear.
Christopher Soghoian, principal technologist and senior
policy analyst with the ACLU in Washington, said metadata is useful for
assembling portraits of people’s lives over a period of time.
“Metadata is structured. That’s the whole point of metadata,”
Soghoian said. “ … Structured metadata enables really, really powerful
analysis. If you have call records saying someone called a suicide hotline at 2
in the morning and was on the phone for an hour, you don’t need to know what
they said. You know what they’re doing.”
Since the Snowden leaks, the White House has responded with
promises to curtail the indiscriminate gathering of bulk records and to require
the Foreign Intelligence Surveillance Court to give specific approval for more
narrowly targeted requests.
Intelligence officials have at times argued that bulk
records about individual communications didn’t threaten privacy when the actual
contents of what was said weren’t included. But former NSA head Michael Hayden
conceded during an April debate that metadata is revealing enough about one’s
lifestyle and identity to target terrorism suspects abroad for attack.
“We kill people,” Hayden said at the debate, “based on
metadata.”
This story was produced by The Center for Investigative
Reporting, an independent, nonprofit newsroom based in the San Francisco Bay
Area. For more, visit cironline.org. Schulz can be reached
gwschulz@cironline.org. Follow him on Twitter: @GWSchulzCIR.
Subscribe to:
Posts (Atom)