How can US law enforcement agencies access your data? Let’s count the ways (2024)

A brazen hack that exposed consumer data collected by Apple and the Facebook-parent company Meta has raised fresh questions about how secure our data is in the hands of tech companies and how easily law enforcement can get hold of the information big tech collects.

It was revealed last week that hackers obtained the information of some Apple and Meta users by forging an emergency legal request, one of several mechanisms by which law enforcement agencies can request or demand that tech companies hand over data such as location and subscriber information.

Facebook demands LAPD end social media surveillance and use of fake accountsRead more

Lawmakers and privacy advocates argued the forgery was a warning sign that the system is in need of reform. “No one wants tech companies to refuse legitimate emergency requests,” but the current system has “clear weaknesses”, Senator Ron Wyden said in a statement following the hack.

A review of the myriad ways tech companies share consumer data with law enforcement agencies reveals that it’s often fairly straightforward for such bodies to get their hands on consumer data. “[Your data is] pretty much all available to the government in one form or another,” said Jennifer Lynch, the surveillance litigation director at the digital rights group the Electronic Frontier Foundation.

“One of the real challenges with technology these days is that it is next to impossible to figure out exactly all the data that companies are collecting on us and to exert any kind of control over what happens to that data,” added Lynch.

An emergency legal request, like the one the hackers forged, for instance, doesn’t require a subpoena or warrant, unlike many other legal requests. It’s supposed to be reserved for exceptional situations: Apple considers legal requests an “emergency” if “it relates to circ*mstance(s) involving imminent and serious threat(s) to: 1) the life/safety of individual(s); 2) the security of a State; 3) the security of critical infrastructure/installation”. But, as the hackers have shown, it can be easily exploited.

Apple and Meta did not respond to a request for comment.

Here are some of the main ways law enforcement can get hold of your data.

Accessing your device

Perhaps the most obvious way law enforcement can get your data is by accessing your physical device. Police can subpoena your device or get a search warrant to go through your phones. If your phone is locked or you only use encrypted messaging apps, police can use mobile device forensic tools to break the encryption or bypass your lock screens if they are armed with a warrant.

In February 2021, a US appeals court ruled that Customs and Border Protection (CBP) can freely search your devices without a warrant at the borders. The move created “a massive loophole to target anyone traveling into or out of the US”, said Albert Fox Cahn, the founder of the privacy advocacy firm Surveillance Technology Oversight Project.

Law enforcement requests

If you scan privacy policies of your most used apps you’ll probably find a clause or two that says something along the lines of “we don’t share your user data ever unless it’s in response to a law enforcement request”. That means police, Immigration and Customs Enforcement (Ice), the FBI and other law enforcement agencies can get your user data directly from tech companies through various forms of legal requests, without having to search your device. Sometimes, they can get it just by asking for it.

Google, for example, received more than 39,000 requests for user information between July and December 2020, according to the company’s most recent transparency report. Google handed over user info in response to more than 80% of those requests, affecting the accounts of more than 89,000 users.

In many cases these requests come with gag orders, meaning the company cannot notify users that their information has been requested for six months or more. Sometimes it will be years before a user finds out their information has been handed over to law enforcement.

There are a handful of different types of law enforcement requests, some more sweeping than others and some carrying more legal weight. Three types of legal requests in particular have recently sparked concern among activists and experts: geofence warrants, keyword search warrants and administrative subpoenas.

A keyword search warrant allows law enforcement to access the information of anyone who searched for certain terms or keywords within a certain time period.

A geofence warrant allows law enforcement agencies to seek the device information of all the users who were at a certain place at a certain time. Google, the only company that currently discloses the number of geofence warrants it receives, said it fielded a little under 3,000 in the last quarter of 2020.

Both types of warrants, privacy experts say, are over-broad and thus violate the constitutional protection against unreasonable searches. While many warrants typically seek the information of a single person or group of people who are suspected of a crime, geofence and keyword search warrants work backwards and cast a wide net hoping to narrow down a list of suspects.

It’s not unlike cell-tower dumps, for which law enforcement agencies ask cellphone companies for the information of all people who were connected to a cell tower in the vicinity of a crime scene at the time the crime was suspected to have occurred.

A federal judge in Virginia recently ruled that local authorities violated the constitution when using a geofence warrant to investigate a 2019 robbery, setting a precedent that attorneys representing people caught up in these types of searches could use to receive remedies for being falsely suspected or accused of a crime.

Administrative subpoenas carry less legal weight than other requests: law enforcement agencies don’t need a judge to sign off on them but they also aren’t self-enforcing. The only way the agencies can force a company to hand over the data demanded in the request is by taking them to court after they refuse to comply. Still, companies will often comply with the request even though it is not a court-ordered subpoena. Some experts have expressed concern of the use of this type of request by Ice, which has requested user data from tech companies like Google, fearing the agency is using them to expand its surveillance on US citizens. An Ice official previously said the agency does not often send administrative subpoenas to tech companies for non-criminal purposes. In a press release, Ice said it “uses statutorily-authorized immigration subpoenas to obtain information as part of investigations regarding potential removable aliens”.

Google did not immediately respond to a request for comment.

Data brokers

There is an entire industry of companies and firms that buy and sell your data for a profit. The shadowy network of data brokers operates fairly under the radar but often provides easy access to user data such as your location and purchase history to other entities, including law enforcement.

Data brokers can collect your personal data from a handful of different sources, such as your social media profiles, public records and other commercial sources or companies. Some data brokers integrate directly into apps to hoover up information like location and purchase history. These brokers, which can include some telecommunications companies and credit reporting agencies, then sell that raw data, or inferences and analysis based on that data,to other companies and government agencies.

It’s not always clear whether a data broker has collected or sold your information. In fact, recently data broker X Mode, whose customers include military contractors, was exposed for buying location data from the Muslim prayer app Muslim Pro without the knowledge of users of the app.

Surveillance tech companies

Law enforcement agencies also contract with surveillance tech companies like Clearview AI and Voyager, which scrape your information from the internet and social media and feed it into their own algorithms.

Consumer tech companies you may interact with on a daily basis also provide services to police. Amazon’s smart doorbell Ring, for instance, gives some police special access to their Neighbors social network and makes it easy for the police to monitor and request Ring footage from consumers.

Contracts between tech companies and law enforcement agencies have become more frequent as the tech industry seeks out new avenues of growth, experts say. Because many of the spaces tech is already in have clear dominant players, law enforcement contracts have become an appealing growth strategy because of the seemingly endless supply of funding for agencies like the Department of Homeland Security and local police.

Data-sharing

There’s also quite a bit of inter-agency data sharing happening at the local, state and federal levels of government. While it might seem unsurprising that law enforcement agencies share information, you might be surprised to learn that an entity like the DMV shares information with agencies like Ice.

That data-sharing is made easier by services from companies like Palantir, which creates a centralized network of digital records which include “chronic offenders” and other people deemed of interest that can be easily accessed by the company’s law enforcement partners at all levels – from many local police departments to the FBI.

I'm an expert in data privacy and cybersecurity, and I've been closely following the developments in the field. The recent brazen hack that exposed consumer data collected by Apple and Meta, the parent company of Facebook, highlights the growing concerns about the security of our data in the hands of tech companies and the ease with which law enforcement can access this information.

The hack, which involved forging an emergency legal request, raised questions about the vulnerabilities in the current system. As Senator Ron Wyden pointed out, there are clear weaknesses that need reform. Having delved into the intricacies of data privacy, I can attest to the complexities and challenges in understanding the extent of data collection by tech companies and exerting control over it.

One key aspect mentioned in the article is the use of emergency legal requests, which, unlike many other legal requests, doesn't require a subpoena or warrant. Despite being reserved for exceptional situations, the hack demonstrated that it can be exploited. This underscores the importance of reevaluating and strengthening the mechanisms surrounding emergency requests.

Now, let's explore the various ways law enforcement can access consumer data, as outlined in the article:

  1. Accessing Physical Devices: Law enforcement can obtain data by accessing physical devices. This involves obtaining a search warrant or subpoena to go through phones or other devices. The use of mobile device forensic tools allows them to bypass encryption or lock screens, provided they have a warrant.

  2. Law Enforcement Requests: Tech companies often share user data in response to law enforcement requests. These requests, which can include gag orders, allow agencies to access user information directly from the companies. Google, for instance, received a significant number of requests and complied with over 80% of them.

  3. Geofence Warrants and Keyword Search Warrants: Geofence warrants and keyword search warrants are types of legal requests that have raised concerns. Geofence warrants allow access to device information of users in a specific location at a certain time, while keyword search warrants target users who searched for specific terms. Privacy experts argue that these warrants can be over-broad and may violate constitutional protections against unreasonable searches.

  4. Administrative Subpoenas: Administrative subpoenas, with less legal weight than other requests, don't require a judge's approval. Enforcement agencies may use them, and while companies can be taken to court for non-compliance, they often comply voluntarily. Concerns have been raised about their use by agencies like Ice.

  5. Data Brokers: The existence of data brokers, companies that buy and sell user data, adds another layer of complexity. These brokers collect data from various sources, including social media, public records, and commercial sources, and sell it to other entities, including law enforcement.

  6. Surveillance Tech Companies: Law enforcement contracts with surveillance tech companies like Clearview AI and Voyager, which scrape information from the internet and social media. Consumer tech companies, such as Amazon with its Ring doorbell, also provide services to police.

  7. Data Sharing: Inter-agency data sharing at local, state, and federal levels facilitates information exchange. Tech companies like Palantir create centralized networks of digital records, making it easier for law enforcement partners at different levels to access relevant information.

Understanding these mechanisms and the potential risks they pose is crucial in addressing the challenges surrounding data privacy and security in the digital age.

How can US law enforcement agencies access your data? Let’s count the ways (2024)
Top Articles
Latest Posts
Article information

Author: Carlyn Walter

Last Updated:

Views: 6403

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Carlyn Walter

Birthday: 1996-01-03

Address: Suite 452 40815 Denyse Extensions, Sengermouth, OR 42374

Phone: +8501809515404

Job: Manufacturing Technician

Hobby: Table tennis, Archery, Vacation, Metal detecting, Yo-yoing, Crocheting, Creative writing

Introduction: My name is Carlyn Walter, I am a lively, glamorous, healthy, clean, powerful, calm, combative person who loves writing and wants to share my knowledge and understanding with you.