If you’ve ever read a privacy policy, you may have noticed a section that says something about how your data will be shared with law enforcement, which means if the police demand it and have the necessary paperwork, they’ll likely get it. But maybe, like most American adults, you don’t read privacy policies very carefully if at all. In that case, you might be surprised to learn how much of your data is in the hands of third parties, how much access law enforcement has to it, how it might be used against you, or what your rights are — if any — to prevent it.

Many of the Capitol insurrectionists might be discovering this now, as cases against them are built with evidence taken from internet services like Facebook and Google. While they left a trail of digital evidence for investigators (and internet detectives) to follow, not all of that data was publicly available. If you read through cases of people charged with crimes relating to the events in Washington on January 6, you’ll find the FBI also obtained internal records from various social media platforms and mobile phone carriers.

But you don’t have to be an alleged insurrectionist for law enforcement to get data about you from another company. In fact, you don’t have to be suspected of a crime at all. The police are increasingly using tactics like reverse search warrants to grab the data of many people in the hope of finding their suspect among them. You might get swept up in one just because you were in the wrong place at the wrong time or looked up the wrong search term. And you might never know that you got caught in the dragnet.

“Investigators are going to these providers without a suspect and asking for a broad set of information that is not targeted in order to basically identify suspects that they didn’t already have in mind,” Jennifer Granick, surveillance and cybersecurity counsel for the ACLU’s speech, privacy, and technology project, told Recode. “These more mass surveillance techniques are increasingly common.”

Basically, if a company collects and stores your data, then the police can probably get their hands on it. And when it comes to your digital life, there’s a lot of your data held by third parties out there to obtain. Here’s how they get it.

How law enforcement buys your data, no warrant needed

The good news is there are some privacy laws that govern if and how the government can get your data: The Electronic Communications Privacy Act (ECPA), first enacted in 1986, established these rules.

But the law is several decades old. While it has been updated since 1986, many of its tenets don’t really reflect how we use the internet today, or how much of our data stays in the hands of the companies that provide those services to us.

That means there are gray areas and loopholes, and for some things, the government doesn’t have to go through any legal processes at all. Law enforcement can and does purchase location data from data brokers, for instance. And while location data companies claim that their data has been de-identified, experts say it’s often possible to re-identify individuals.

“The notion is that if it’s available for sale, then it’s okay,” said Kurt Opsahl, deputy executive director and general counsel for the Electronic Frontier Foundation (EFF). “Of course, one of the problems is that a lot of these data brokers are getting information without going through the consent process that you might want.”

And it’s not just location data. Facial recognition company Clearview AI’s entire business model is to sell law enforcement agencies access to its facial recognition database, much of which was culled from publicly available photos Clearview scraped from the internet. Unless you live in a city or state that has outlawed facial recognition, it’s currently legal for the police to pay for your face data, regardless of how flawed the technology behind it may be.

This could change if something like the Fourth Amendment Is Not for Sale Act, which bans law enforcement from purchasing commercially available data, were to become law. But for now, the loophole is open.

“One of the challenges with any technology law is technology evolves faster than the law,” Opsahl said. “It is always a challenge to apply these laws to a modern setting, but [ECPA] still has, all these many decades later, provided a solid privacy protection. There definitely could be improvements, but it’s still doing good work today.”

What law enforcement can get through the courts

If you’re suspected of a crime and police are looking for evidence in your digital life, then ECPA says they must have a subpoena, court order, or warrant before a company is allowed to provide the data they’re requesting. That is to say, the company can’t just hand it over voluntarily. There are a few exceptions — for instance, if there’s reason to believe there’s imminent danger or a crime is in progress. But in the case of criminal investigations, those exceptions don’t apply.

Broadly, the legal process that investigators have to use depends on what data they’re looking for:

  • Subpoena: This gives investigators what’s known as subscriber information, such as your name, address, length of service (how long you’ve had your Facebook profile, for example), log information (when you’ve made phone calls or logged into and out of your Facebook account), and credit card information.
  • Court order, or “D” order: The D refers to 18 US Code § 2703(d), which says a court may order internet service providers to give law enforcement any records about the subscriber other than the content of their communications. So that could include who emailed you and when, but not the contents of the actual email.
  • Search warrant: This gives law enforcement access to content itself, specifically stored content, which includes emails, photos, videos, posts, direct messages, and location information. While the ECPA says that emails stored for over 180 days can be obtained with just a subpoena, that rule dates back to before people routinely kept their emails on another company’s server (how far back does your Gmail inbox go?) or used it as a backup. At this point, several courts have ruled that a warrant is necessary for email content regardless of how old the emails are, and service providers generally demand a warrant before they’ll agree to hand them over.

If you want to get an idea of how often the government requests data from these companies, some of them do release transparency reports that give basic details about how many requests they get, what type, and how many of those requests they fulfill. They also show how much those requests have increased over the years. Here’s Facebook’s transparency report, here’s Google’s, and here’s Apple’s. The EFF also put out a guide in 2017 showing how several tech companies respond to government requests.

You don’t have to be a suspect or involved in a crime for law enforcement to get your data

So, let’s say you’ve decided that you will never commit a crime so law enforcement obtaining your data will never be an issue for you. You’re wrong.

As mentioned above, your data could be included in a purchase from a data broker. Or it may be scooped up in a digital dragnet, also known as a reverse search warrant, where police request data about a large group of people in the hope of finding their suspect within them.

“These are novel techniques to discover things that never could have been discovered in the past, and which have the capacity to rope in innocent people,” Granick, of the ACLU, said.

Two examples of this: where you went and what you searched for. In a geofence warrant, law enforcement gets information about all the devices that were in a certain area at a certain time — say, where a crime occurred — then narrows them down and gets account information for the device(s) they think belong to their suspect(s). For keyword warrants, police may ask a browser for all the IP addresses that searched for a certain term related to their case and then identify a possible suspect from that group.

These situations still represent a legal gray area. While some judges have called them a Fourth Amendment violation and refused the government’s requests for warrants, others have allowed them. And we’ve seen at least one instance where reverse search warrants have led to the arrest of an innocent person.

You may not be told for years that your data was obtained — if you’re told at all

Another troubling aspect to this is that, depending on what’s being requested and why, you may never know if police requested your data from a company or if that company gave it to them. If you’re charged with a crime and that data is used as evidence against you, then you’ll know. But if your data is obtained through purchase from a data broker or as part of a bulk request, you might not. If a company tells you that law enforcement wants your data and gives you advance notice, then you can try to fight their request yourself. But investigators can get gag orders that prevent companies from telling users anything, at which point you’re left to hope that the company fights for you.

According to their transparency reports, Google, Apple, and Facebook do appear to fight or push back sometimes — for example, if they think a request is overly broad or burdensome — so not every request is successful. But that’s them. It’s not necessarily true of everyone.

“Not every provider is a Google or a Facebook that has a deep-bench legal department with serious expertise in federal surveillance law,” Granick said “Some providers, we don’t know what they do. Maybe they don’t do anything. That’s a real issue.”

The majority of government requests even to the biggest companies in the world result in the disclosure of at least some user data, and we’ve seen cases where someone’s data was given to the government and that person didn’t know for years. For instance, the Department of Justice obtained Democratic Reps. Adam Schiff’s and Eric Swalwell’s subscriber records (and that of their family members) from Apple through a grand jury subpoena. This occurred in 2017 and 2018, but the Congress members only found out about it in June 2021, when the gag order expired.

If your information is swept up in something like a reverse search warrant but you’re never identified as a suspect or charged, you may never know about it at all if the company that provided it doesn’t tell you. Opsahl, of the EFF, said that most of the major tech companies post transparency reports and it’s considered an industry best practice to do so. That doesn’t mean they all follow it, nor do they have to.

How you can prevent this

When it comes to your data held by third parties, you don’t have much control or say over if and what they’ll disclose. You’re relying on laws written before the modern internet existed, a judge’s interpretation of them (assuming it goes before a judge, which subpoenas may not), and the companies that have your data to fight them. If you’re notified about a pending order, you might be able to fight it yourself. That’s no guarantee you’ll win.

The best way to protect your data is to use services that don’t get it in the first place. Privacy concerns, including the ability to communicate free from government surveillance, have made encrypted messaging apps like Signal and private browsers like DuckDuckGo popular in recent years. They minimize the data they collect from users, which means they don’t have much to give if investigators try to collect it. You can also ask services to delete your data from their servers or not upload it to them in the first place (assuming those are options). The FBI can’t get much from Apple’s iCloud if you haven’t uploaded anything to it.

At that point, investigators will have to try to get the data they want from your device … which is a whole other can of legal worms.

Source