Private Until Presumed Guilty

Presented at DEF CON 31 (2023), Aug. 11, 2023, 1:30 p.m. (45 minutes)

Dobbs has significantly heightened the fear that everyday private data can be leveraged by law enforcement to prosecute pregnancy outcomes. However, this data is already being used in investigating other criminalized activities. In this talk, we will show you examples of information that can easily be extracted from many phones to surveil personal reproductive decisions. We will also show you how the government obtains your not-so-private thoughts using forensic extraction and reporting tools, with a focus on health and lifestyle apps. This will include a review of the output of common forensic tools, demonstrating both the practical ease of reviewing sensitive data and the technical limitations of interpreting their meaning. Warning: you may find this peek into digital investigations disturbing. We will discuss the different laws that do, or do not, protect your private health data, but will focus primarily on the limitations of the 4th Amendment in the digital world. The talk will provide a brief overview of traditional warrant practice and the "reasonable expectation of privacy" in digital data. But because the law has no bearing on reality, we'll look at excerpts from search warrants for digital devices and cloud data that illustrate the flawed nature of warrant practice in general, the limitations of the practice in the digital context, and the ease with which the government can obtain your data without any real oversight. Bibliography & References: - United States v. Jones, 565 U.S. 400 (2012) - Riley v. California, 573 U.S. 373 (2014) - Carpenter v. United States, 138 S. Ct. 2206 - United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) - Stored Communications Act 18 U.S. Code § 2703 - Aziz Z. Huq & Rebecca Wexler, Digital Privacy for Reproductive Choice in the Post-Roe Era, 98 NYUL Rev 555 [2023] - Congressional Research Service, "Abortion, Data Privacy, and Law Enforcement Access: A Legal Overview", (July 8, 2022 Update), Available at: https://crsreports.congress.gov/product/pdf/LSB/LSB10786 - Conti-Cook, Cynthia, "Surveilling the Digital Abortion Diary" (October 28th, 2020). University of Baltimore Law Review: Vol. 50: Iss. 1, Article 2. Available at: https://scholarworks.law.ubalt.edu/ublr/vol50/iss1/2 - Downing, Andrea, "Health Advertising on Facebook: Privacy and Policy Considerations," (August 15th, 2022). Patterns. Available at https://doi.org/10.1016/j.patter.2022.100561 - Fowler, Leah R. and Ulrich, Michael R., Femtechnodystopia (May 3, 2022). Stanford Law Review, Forthcoming, Available at SSRN: https://ssrn.com/abstract=4099764 or http://dx.doi.org/10.2139/ssrn.4099764 - Gallagher, William, "What Apple surrenders to law enforcement when issued a subpoena," (January 21st, 2020). Apple Insider. Available at: https://appleinsider.com/articles/20/01/21/what-apple-surrenders-to-law-enforcement-when-issued-a-subpoena - Huss et. al, "Self-Care Criminalized: August 2022 Preliminary Findings," If/When/How. Available at https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/ - Koepke, Logan and Emma Weil, Urmila Janardan, Tinuola Dada, Harlan Yu, "Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones" (October 20th, 2020). Upturn. Available at https://www.upturn.org/work/mass-extraction/ - Paltrow LM, Flavin J. "Arrests of and forced interventions on pregnant women in the United States, 1973-2005: implications for women's legal status and public health." J Health Polit Policy Law. 2013 Apr;38(2):299-343. doi: 10.1215/03616878-1966324. Epub 2013 Jan 15. PMID: 23262772. - "Pregnancy Justice, Arrests and Prosecutions of Pregnant People, 1973-2020." Available at https://www.pregnancyjusticeus.org/arrests-and-prosecutions-of-pregnant-women-1973-2020/ - Rajesh, Ananya Mariam and Jeffrey Dastin, "Google to delete location history of visits to abortion clinics," (July 1st, 2022). Reuters. Available at https://www.reuters.com/world/us/google-delete-location-history-visits-abortion-clinics-2022-07-01/ - Sunde, Nina and Itiel E. Dror, "A hierarchy of expert performance (HEP) applied to digital forensics: Reliability and biasability in digital forensics decision making," Forensic Science International: Digital Investigation, Volume 37, 2021, 301175, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2021.301175. (Accessed from https://www.sciencedirect.com/science/article/pii/S2666281721000834 on July 2nd, 2023) - Wexler, Rebecca, "Privacy As Privilege: The Stored Communications Act and Internet Evidence" (August 13, 2020). 134 Harv. L. Rev. 2721 (2021). Available at SSRN: https://ssrn.com/abstract=3673403 - Cole, Samantha, "Apple Health Data Is Being Used as Evidence in a Rape and Murder Investigation," (January 11th, 2018). Vice Media Group. Available at: https://www.vice.com/en/article/43q7qq/apple-health-data-is-being-used-as-evidence-in-a-rape-and-murder-investigation-germany - Cuthbertson, Anthony. "Amazon ordered to give Alexa evidence in double murder case," (November 14th, 2018). The Independent. Available at: https://www.independent.co.uk/tech/amazon-echo-alexa-evidence-murder-case-a8633551.html - Feathers, et. Al. "Facebook Is Receiving Sensitive Medical Information from Hospital Websites," (June 16th, 2022). The Markup. Available at https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites - Federal Trade Commission, "FTC Finalizes Order with Flo Health, a Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others," (June 22, 2021). Available at: https://www.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google - Federal Trade Commission: In the Matter of Flo, Inc., Case Summary and Timeline, available at: https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc - Germain, Thomas, "FTC Fines GoodRx $1.5M for Sending Your Medication Data to Facebook and Google for Ads," (February 9th, 2021). Gizmodo. Available at https://gizmodo.com/ftc-fines-goodrx-prescription-data-facebook-google-1850059096. - Guide to Abortion Privacy, available at https://digitaldefensefund.org/ddf-guides/abortion-privacy - "How to turn on Advanced Data Protection for iCloud," (January 19th, 2023). Apple Support. Available at: https://support.apple.com/en-us/HT212520 - Joyce, Stephen, "Court Allows Use of Facebook Live, Internet Searches as Evidence," (December 20th, 2022). Bloomberg Industry Group, Inc. Available at: https://news.bloomberglaw.com/us-law-week/court-allows-use-of-facebook-live-internet-searches-as-evidence - Peterson, M., "Apple Health data used to convict man in wife's death," (February 9th, 2021), AppleInsider. Available at: https://appleinsider.com/articles/21/02/09/apple-health-data-used-to-convict-man-in-wifes-death - Pratt, Mark. "Google searches to be key in prosecuting Brian Walshe’s murder trial, experts say" (January 27th, 2023). CBS News. Available at: https://www.cbsnews.com/boston/news/ana-walshe-murder-case-brian-walshe-google-internet-searches-cohasset-massachusetts/

Presenters:

• Diane Akerman - Digital Forensics Attorney at The Legal Aid Society
  Diane Akerman is a public defender working in the Legal Aid Society's Digital Forensics Unit (DFU). The Digital Forensics Unit is dedicated to fighting the unregulated and unfettered use of surveillance technology primarily by the NYPD. Her work involves investigating and uncovering the purchase and use of technologies, developing litigation strategies in criminal cases, and advocating for policy changes. She has litigated the full array of electronic surveillance technologies employed by the NYPD and local law enforcement, including cell phone tracking, GPS, ShotSpotter and facial recognition technology. She knows what it's like to get that email from Facebook informing you that they are about to give the federal government all your data, and to have her cell phone a mere Judge's signature away from a Cellebrite machine.
• Allison Young - Digital Forensics Analyst at The Legal Aid Society
  Allison Young is an Analyst in the Digital Forensics Unit of the Legal Aid Society. Allison has expertise in computer, mobile, and cloud account preservation and analysis. She is a current Cellebrite Certified Mobile Examiner and holds a Master's degree in Digital Forensics from the University of Central Florida. She has examined hundreds of computers and cell phones during her career and has a love-hate relationship with data Allison has used her knowledge of "how computers think" to help attorneys understand the importance of their digital evidence so they can better serve their clients, sometimes resulting in reduced, settled, or dismissed outcomes in legal cases. She likes to bridge the gap between what the database says and what may have happened IRL - or point out when crossing that bridge won't necessarily bring us to the truth.

Links:

• https://forum.defcon.org/node/246113

Similar Presentations:

• DEF CON 29 (2021) / The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities In The Global Food Supply Chain.
• DEF CON 31 (2023) / Legend of Zelda: Use After Free (TASBot glitches the future into OoT)
• DEF CON 31 (2023) / Abortion Access in the Age of Surveillance