STE WILLIAMS

On Wednesday, Ontario Provincial Police (OPP) put out a news release about what they’re calling a “new investigative technique” to help find out the person(s) who recently murdered a hitchhiker.

Namely, they’ve used a court order to get their hands on the phone numbers of every person who was in the vicinity of where 65-year-old Frederick “John” Hatch was last seen alive, near the town of Erin, Ontario, on 17 December 2015.

The plan was to send two text messages to all those numbers on Thursday: one version in English, one in French.

The messages will request that recipients visit a website and voluntarily answer “a few simple questions” to hopefully help the OPP solve the murder.

OPP may call this technique “new,” but it’s old hat for many police departments.

The data demands are called “tower dumps.” It entails mass-slurping data by ordering phone companies to hand over personal information about thousands of mobile phone users.

The slurping is often done a) regardless of whether or not the slurpees are themselves under investigation, b) despite the fact that courts have grappled with its legality, c) regardless of phone companies finding it illegal, and d) without the consent of those the police plan to contact.

Australia’s done it, for one. In July 2014, the Sydney Morning Herald confirmed that both federal and state police were using tower dumps.

Tower dumps can give police the identity, activity and location of any phone that connects to targeted phone towers, generally within 1-2 hours.

However, the OPP says that its own data request didn’t include names or other contact information for registered cellphone owners.

Besides Australia, US police have also widely used this type of large-scale interception of mobile phone data. According to an investigation conducted by USA Today, about 1 in 4 law enforcement agencies had used the tower dump tactic by December 2013.

USA Today also reported at the time that at least 25 police departments owned a stingray: a surveillance device that sends powerful signals to trick cell phones – including those of bystanders – into transmitting their locations and their IDs.

The OPP said in its release that it obtained the phone numbers via a court process called a Production Order. Whoever responds to the text messages will have the option of providing their names and contact information when they answer a few simple questions.

Digital privacy lawyer David Fraser says that the Production Order is similar to a search warrant. It differs in that it orders a third party, such as a telco, to hand over relevant records.

Law enforcement would have had to convince a justice of the peace that they needed the information, similar to a magistrate judge in the US signing off on a warrant, and would have also had to convince the court that public interest in the investigation outweighs privacy concerns.

Fraser also noted that the OPP’s tower dump would have to be done in a manner consistent with guidelines that were drawn up by the court in a case from last year: that of R v Rogers and Telus.

In that case, a tower dump request from the police would have pulled in detailed information on some 43,000 people who had nothing to do with the crime, Fraser wrote at the time.

The judge in that case laid out guidelines that instructed such requests to minimize both privacy intrusions and the number of records requested in future tower dumps.

When speaking with Motherboard, Fraser suggested that there has to be a “a cut-off of severity” for when tower dumps are requested:

Are they going to do this after a bar brawl at a strip club? Imagine you’re sitting on the couch with your lovely spouse and your phone buzzes and your spouse looks and says, ‘Oh, it’s the police wondering if you were at the strip joint and if you saw anything?’

An unsolved murder case such as that of the hitchhiking Mr. Hatch may be one where the balance tips in favor of such a fishing expedition, Fraser told me, but he suggests that the big question will be, where will the police and the courts draw the line when they want to use this technique for other crimes?

Beyond potential for that type of overreach, there’s the problem of getting police to stick to guidelines that limit retention of data.

As it is, police in the US often store records on individual gadgets, such as tablets. Ensuring that data is scrubbed from such a disparate collection of storage devices has proved unwieldy, at best.

The retention rate under Canada’s new guidelines is 6 months. Will police scrub the data as required? Who will be responsible for ensuring that they do?

According to Fraser, we don’t know…

We have no insight into this [whether tower dumps will be used for fishing expeditions], and the police are not saying much.

We also have no insight into how long they plan to keep the data and if they propose to do anything else with it. For example, they may try to match the phone numbers with other cases. Or just put it in a database and use it in subsequent investigations.

The devil, he says, is in the detail.

Follow @NakedSecurity
Follow @LisaVaas

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RcEeOjeAgH0/