Privacy protection is a contentious topic in the United States. Following the terrorist attacks of Sept. 11, 2001, the U.S. government aggressively pursued invasive measures in the name of “national security.” Many years later it is highly debatable as to whether the government had American citizens’ safety in mind when passing laws like the Patriot Act. Especially in light of Edward Snowden’s whistleblowing on the NSA’s PRISM program and WikiLeaks’ Vault 7 leaks, law enforcement agencies have shown little regard for privacy or cybersecurity protections via mass surveillance and installation of backdoors in mobile devices.
InfoSec professionals have a dog in this fight as much of the data that the government illegally collects can put citizens at high risk should it fall into the wrong hands (an argument used by Apple when they fought the FBI on the agency’s desire for a master key for iPhone decryption). It is this point that should be kept in mind with the news of the recent Supreme Court ruling on access to phone location data.
The 5-4 ruling was for the case Carpenter v. United States, which sought to appeal a 100-year conviction due to what was perceived to be overreach by the FBI. Timothy Carpenter received the conviction because cell phone location data placed him near a string of robberies that he was accused of masterminding. The data was obtained via court order instead of a warrant, which Carpenter contended should have been necessary as he viewed cell phone location data as having the same protections as actual stored data on a phone.
The Supreme Court narrowly agreed, with Chief Justice John Roberts having this to say:
Although such records are generated for commercial purposes, that distinction does not negate Carpenter’s anticipation of privacy in his physical location. Mapping a cell phone’s location over the course of 127 days provides an all-encompassing record of the holder’s whereabouts. As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’... And like GPS monitoring, cell phone tracking is remarkably easy, cheap, and efficient compared to traditional investigative tools. With just the click of a button, the Government can access each carrier’s deep repository of historical location information at practically no expense.
The privacy protection implications are massive in this case, for although the ruling does allow exceptions in “extreme circumstances,” data protection overall has been given a boost with this ruling. The more data that the government can collect, the more that is available to malicious entities (I’d honestly place the government in this category as well) that can utilize said data in cyberattacks. Data is vital in the reconnaissance phase of a hacker’s attack and the more data of any kind they have access to can improve the success of their infiltration of networks, mobile devices, and other high-priority targets.
The less private data that exists stored away in some sought-after location (like servers in the Pentagon) the better. Cyberterrorists, nation-states, black hats, and malicious domestic governmental entities can leverage this data to their liking at any time and if that repository is taken away, the safer citizens will be from cyberattacks. There is always the possibility that the NSA, FBI, and CIA will try (as they have in the past) to circumnavigate this ruling, but at the very least there is a legal precedent set to blow the whistle if necessary.
Data and privacy protection must always be a high priority for the InfoSec world, and for this reason, this ruling is important. It isn’t a magic solution, but it is a step in the right direction.
Featured image: Flickr / Matt Wade