When a criminal duo labeled the “High Country Bandits” robbed a series of Arizona and Colorado banks in 2009 and 2010, FBI investigators turned to the owners of local cell phone towers.
A federal judge signed a court order authorizing a “tower dump” of call metadata from towers nearby the robbery sites. (Such court orders have a lighter burden of proof than a warrant, which requires probable cause.) The metadata received by investigators contained 150,000 numbers in plain text. Only two phone numbers were present at every crime scene. Investigators traced these back to their owners, the bank robbers, who were arrested and later convicted.
In 2012, investigators—many of them local police departments—made over 9,000 such requests for cell tower data. Many were granted without a warrant, at the discretion of a judge. The NSA program known as CO-TRAVELER, which was exposed by the Snowden documents, collects similar data, tapping mobile phone networks with a purported intent of identifying associates of known intelligence targets. “Incidentally,” NSA documents say, the program can capture up to 5 billion mobile phone location records per day.
In the High Country Bandits case, such techniques obviously proved to be an effective law enforcement strategy. They are also a significant privacy infringement, containing the mobile phone records and potentially GPS data and network history of individuals en masse.
Yale computer scientists Aaron Segal, Bryan Ford, and Joan Feigenbaum may have a solution. In a paper presented at an August 18 conference on open communication, the researchers paint an idyllic picture of a potential surveillance environment that’s heavy on reach and light on breach. The paper, “Catching Bandits and Only Bandits: Privacy-Preserving Intersection Warrants for Lawful Surveillance,” proposes combining a system of checks and balances with cryptographic techniques to let investigators identify records of interest without exposing anyone else’s data.
Here’s how it works:
When the FBI received the tower dump data from the High Country Bandits case, they tracked down the bank robbers by finding the intersection of all data sets—in other words, the only phone numbers that made calls near each cell phone tower in question. The key to the Yale researchers’ protocol is a well-established cryptographic method known as “privacy-preserving” set intersection. “Privacy-preserving” means that the operation works on encrypted information and doesn’t reveal anything about the data except the intersecting elements. If the FBI had done things this way, they could have still found the criminals but avoided compromising 150,000 people’s information.
NSA surveillance programs like CO-TRAVELER are suspicious because they happen in a private, unchecked sphere. As the Yale researchers write:
“In short, the public must simply ‘trust’ the U.S. government’s evidence-free assertions that its mass ingestion and secret processing of privacy-sensitive data are (secretly) lawful and subject to adequate (secret) privacy protections and effective (secret) oversight.”
Checks on domestic agencies are more extensive. Most tower dumps require a court order and not a warrant, like the High Country Bandits case. If a judge deems a request too expansive, they might demand that the time window be narrowed or that a policy for handling extraneous personal data be specified.
The Yale protocol imposes stronger checks that work by distributing the actual encryption of the data. Once an agency like the FBI receives the data, it’s been encrypted three times over: once by a key held by the court that authorized the dump, once by a key held by the FBI themselves, and once by a key held by a legislative organization that oversees all requests for surveillance data. As long as the keys stay secure, it’s impossible for any single branch to operate on the data without the cooperation of the other two.
The protocol is a step up from the status quo, according to Christopher Soghoia, chief technologist for the American Civil Liberties Union. But under certain conditions, the metadata still wouldn’t be totally impermeable, he says. What’s more, law enforcement agencies might be slow to adopt the new technique due to red tape.
Some privacy advocates oppose any large-scale culling of personal metadata. In a string of critical tweets, security consultant Eleanor Saitta said the paper essentially endorsed over-surveillance. Rather than trying to limit surveillance with clever cryptography, which could eventually be compromised, the government should instead seek to limit its access outright.
That argument ignores the fact that big data is here to stay in one form or another, says Bryan Ford, one of the paper’s authors. Denying that, he says, is merely ”living in a fantasy land.”