
How “cell tower dumps” caught the High Country Bandits, and why it matters - shawndumas
http://arstechnica.com/tech-policy/2013/08/how-cell-tower-dumps-caught-the-high-country-bandits-and-why-it-matters/
======
phurley
I have a real issue with the current NSA practices and with much of the
government surveillance attitude; that said, this generally sounds like a case
of doing it right.

I like that there was a court order for specific cell towers near the
robberies, it would be better if the order specifically requested the intersection
of the towers or in some way restricted further use of the information to
prevent long-term and/or continued use of collected data for unrelated cases,
but I do not find this to be egregious.

This was a case of law enforcement using reasonable tools to do their job and
a judge was in the loop -- I think there should be a requirement to show
probable cause, but I think that a judge should be able to see that in this
case there was probable cause to believe that anyone who had been at X number
of the banks at the time of the robberies was a probable suspect and the
collection of the data would be warranted.

My issue is when law enforcement (or other 3 letter agencies) collect (and
retain) all of this data (and email, and license plates, and security
cameras...) for non-specific uses. This is a significant infringement on our
personal privacy and a threat to our democracy.

~~~
nkrumm
Exactly. The phrase "probable cause" can (and should) be directly related to
the probability of a false positive; in the context of virtually unlimited
'data dumps', this paradigm must be adapted to reflect the probability of a
false positive in a multiple-testing situation.

The FBI in this case was successful because they had 4 (or 3) towers; with
only two it is likely they would not have been able to hone in on the
criminals as quickly as they did. It's perhaps even possible to calculate what
the chance of success is, and establish guidelines for release of data based
on this (e.g., minimum 4 towers). Also, probability would have to be taught in
law schools.

~~~
rayiner
> Also, probability would have to be taught in law schools.

The first couple of weeks of my Evidence class was a crash course in
probability and Bayes' rule. Our final exam had an entire section on it. I'd
imagine you can still get through law school without learning probability, but
it's getting increasingly harder as Evidence is reformulated on probabilistic
grounds, just as Torts was reformulated on economics grounds in the
1960-1970's. Today you probably can't get through a Torts class without
learning about Pareto efficiency or Coase theorem, etc. Also, empiricism is a
dominant academic trend right now in legal academia, and it heavily relies on
statistical approaches.

~~~
nkrumm
Very interesting, thanks for that. I admit I had no idea if statistics was
part of the law curriculum or not. Glad to hear it is!

------
rayiner
It's kind of annoying that Ars, which is a publication I usually respect, only
talks about one side of the legal argument around cell tower information.

"In addition, in its well-known Jones decision of 2012, the Supreme Court
ruled that warrantless GPS tracking of a suspect was not allowed, and in
response the FBI switched off 3,000 tracking devices. Cell tower dumps might
well qualify as warrantless 'tracking' under this standard."

Jones was based on the fact that the police had to physically invade the
suspect's property (car) to place the GPS trackers. Physical invasions of
property are a clear-cut situation where the 4th amendment requires a warrant.

Trying to extend Jones to cell phone tracking doesn't work. The police didn't
place a tracking device on anyone's person. These guys bought tracking devices
which uploaded their location in real time to third parties that came under a
court's subpoena power. The guys tracked themselves and handed the data to a
third party that the police could subpoena for evidence. Third party doctrine
says that this doesn't require a warrant:
[http://www.forbes.com/sites/kashmirhill/2012/01/23/a-supreme...](http://www.forbes.com/sites/kashmirhill/2012/01/23/a-supreme-court-justices-radical-proposal-regarding-the-privacy-of-your-google-searches-facebook-account-phone-records).

The basic problem is that connected technology and the 4th amendment aren't
friends. Connected technology spills private data everywhere like a sieve, and
the 4th amendment, as it's currently interpreted, doesn't really extend to
information you "make un-private" by sharing it with your thousand closest
friends at AT&T. One or the other will have to change, and it's a much more
uphill battle than Ars is making it out to be.

Also, note that this isn't 1970. We have a conservative Supreme Court and a
conservative judiciary (that is reeling from decades of criticism from both
the left and the right for being "activist judges"). I'd be shocked to see an
expansive judicial reinterpretation of the 4th amendment while the composition
of the Court remains the way it is today. The Court today is looking for tight
legal arguments. I haven't seen one that justifies an expansive view of the
4th amendment in the digital context. What I've seen are the kind of nebulous,
policy-based arguments warning about social harm that might have flown in
1970, but are unlikely to do so in 2013.

~~~
superuser2
I've never understood this. Why can't the fourth amendment follow contracts?
Why can't I trust my location data to AT&T _and no one else_?

Third parties are necessary for most communication. It's ridiculous that
sharing something with a contracted service provider for a specific purpose is
legally identical to publishing it on the open internet.

~~~
arjunnarayan
No tight philosophical reason. It's just that historically, the court has held
that there is no expectation of privacy once you share it with a third party
(as long as they get it via subpoena from the third party).

Is this a good idea? Personally, I don't think so. But US law works on
precedent, and the 4th amendment was written when there was no concept of
privacy that wasn't spatially determined. That is why it says you have a right
"to be secure in their [your] persons, houses, papers, and effects".

Yet another example where the constitution is woefully outdated and obsolete,
but if you say that you get skinned alive because it was immaculately
conceived by gods, and we are unfit to alter or improve the work of our
ancestral giants.

~~~
superuser2
Why are emails and text messages not considered papers? Did SCOTUS decide that
"papers" can only mean ink on dead trees?

~~~
rayiner
No, electronic documents are widely considered to be "papers" within the
meaning of the 4th amendment. Your e-mails, sitting on your laptop, are
definitely covered by the 4th amendment. The problem comes in when you send
that e-mail in clear text over the internet, where a bunch of people at your
ISP can see it, where a bunch of people at Google can see it, where a bunch of
people at the recipient's ISP can see it, etc. You don't have an expectation
of privacy when you take your private information and put it in the hands of
others.

Whether it's an e-mail or ink on dead trees is irrelevant. If I printed out my
e-mails and shipped them to Google, the government would be able to subpoena
them without a warrant.

~~~
superuser2
>and shipped them to Google

USPS is a third party. Why are physical letters protected?

At an organization like Google which is bound to have some internal controls,
wouldn't an employee opening your email be analogous to the USPS opening an
envelope?

~~~
coryrc
Because there are explicit laws covering the protection of letters sent
through USPS. We could make such laws covering ISPs, if our representatives
wanted to.

------
josephlord
To me this is OK. Specific crimes, specific limited locations, filter for the
repeating phones and then get a warrant on them and no longer use the
general ones. The thought that goes into targeting is important and I hope
subscriber information was only looked up on those that did match multiple
crime locations.

On the other hand the NSA/GCHQ etc. scoop everything and that is not OK
and is too easy to abuse.

Edit: I do think that the phone companies should have the maximum retention
period limited by law rather than the minimum. It would also be better if the
full tower warrants only provided unique references (hashes?) rather than
phone numbers themselves until the follow up specific requests.

~~~
MichaelGG
IMEI, phone numbers (and credit cards) are such a small space that hashing
them is not effective.

~~~
spuz
It would be simple enough for each phone company to maintain a lookup table of
phone number to random guid (for which the keyspace is sufficiently large) and
hand the FBI only these guids.
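
The exchange above, as an added example that is not part of the thread or the article: an unsalted hash of a phone number is recovered by enumerating the numbering plan, while random tokens from a carrier-held table still allow the cross-tower match and reveal a number only on a follow-up request. The tower names, the fictional 555-01xx numbers and every function and class name are constructed for illustration.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample data: fictional 555-01xx numbers at four hypothetical towers.
DUMPS = {
    "tower_A": {"+19285550101", "+19285550117", "+19285550142"},
    "tower_B": {"+19285550117", "+19285550163", "+19285550188"},
    "tower_C": {"+19285550117", "+19285550142", "+19285550199"},
    "tower_D": {"+19285550105", "+19285550117"},
}


def sha256_hex(number: str) -> str:
    """Unsalted hash of a phone number, as a naive 'unique reference'."""
    return hashlib.sha256(number.encode()).hexdigest()


def recover_number(digest: str, prefix: str, digits: int) -> Optional[str]:
    """Enumerate every number under a known prefix until the hash matches.

    Only 10**digits candidates exist, so the hash hides nothing from anyone
    who knows the numbering plan.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if sha256_hex(candidate) == digest:
            return candidate
    return None


class TokenTable:
    """Carrier-held lookup table mapping each number to a random 128-bit token."""

    def __init__(self) -> None:
        self._token_by_number = {}
        self._number_by_token = {}

    def token_for(self, number: str) -> str:
        if number not in self._token_by_number:
            token = secrets.token_hex(16)  # independent of the number itself
            self._token_by_number[number] = token
            self._number_by_token[token] = number
        return self._token_by_number[number]

    def resolve(self, token: str) -> str:
        """Follow-up request: the carrier reveals the number behind one token."""
        return self._number_by_token[token]


def pseudonymize(dumps: dict, table: TokenTable) -> dict:
    """What the carrier would hand over: tokens per tower, no phone numbers."""
    return {tower: {table.token_for(n) for n in nums} for tower, nums in dumps.items()}


def seen_at(dumps: dict, min_towers: int) -> set:
    """Identifiers that appear in at least min_towers of the dumps."""
    counts = {}
    for ids in dumps.values():
        for ident in ids:
            counts[ident] = counts.get(ident, 0) + 1
    return {ident for ident, c in counts.items() if c >= min_towers}
```

The tokens carry no information about the numbers, so the protection rests entirely on who can call `resolve` and how long the table is retained.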

------
btilly
Before having a knee-jerk response, let me describe something that undoubtedly
someone will provide within 5-10 years, and which I'm sure the NSA can already
do.

Pick a time period and a geographic location. Scoop up all pictures on
Facebook (or some other social media) that match this. Run image recognition
algorithms to pull back all pictures that might include a particular person.
Then manually go through that list.

Sample use case, "So what did you _really_ do at SXSW?" (I name this example
because I was surprised at what I saw when I went there a few years ago, but
plenty of other conferences have reputations as well.)

Given current trends, universal surveillance is a technological inevitability.
Coming soon to a spouse near you. When it becomes commonplace, are we really
going to say that it isn't available to law enforcement?

See
[http://www.davidbrin.com/transparency.html](http://www.davidbrin.com/transparency.html)
for more meditations on this theme.

~~~
jamesaguilar
Entropy leaks, and pirates aren't the only beneficiaries. It's just a
fundamental fact when sieving that entropy is cheap that life will be less
private.

------
bradleysmith
The fact that these guys used their own names and carried their phones says a
lot about the crimes. Hard to believe the bit about the run-in (They called
911!) with cops in Telluride, and no way to link these guys to the banks:

 _In February 2010, three days after they had robbed a bank in Park City,
Utah, police received a 911 call from Capito. He was in the mountains outside
of Telluride, Colorado, and when the cops arrived they found him carrying a
Glock handgun and standing next to a silver Toyota Avalon with blood in the
front seat and signs of struggle in the snow.

Capito told them that he and Glore had argued and that he had punched Glore in
the nose, after which Glore ran off into the woods. After several hours, Glore
had not returned and Capito was worried. The police eventually found Glore
"hypothermic and bloody," and they charged Capito was carrying a concealed
weapon and with disorderly conduct. But they gave Capito's $4,029 wad of cash
to Glore, who promptly used it to bail Capito out of jail. (The Glock had
likely just been used in the robbery and the money had probably come from the
Park City heist.)_

Also, I was in Prescott Valley on Glassford Hill when that October robbery of
Country Bank occurred. Still remember seeing that asshole buzz off on an ATV.
Made me late for class! Sweet justice is served.

------
rlpb
What if the court order prevented the government from obtaining all the data
in the first place? The court could order the cellphone companies to do the
correlation (for a reasonable fee), and then report back. If they report back
that they have a tiny set of numbers that correlate, then _that_ would provide
probable cause, but only for those numbers.

Is there a reason why all the information must be handed over?

~~~
larrik
I'm pretty sure it has something to do with the chain of custody of evidence.
The methods and results of the search are 100% the FBI's responsibility, and
they simply can't trust Verizon to do it right. It's the sort of thing that an
appeals court would tear apart in an instant.

~~~
rlpb
Can this be fixed in statute? If not, why not? The method and results should
be well defined and reproducible, right? It could even be possible for the FBI to
have some level of oversight without actually having access to the data.

------
tehwalrus
I have almost no problem with police using cell phone data this way - it
allows them to catch specific bad guys they know are somewhere, and they can
only get access to the data for a specific time, in a specific location, with
approval from a judge.

It would be nice if they were required to delete all but the "evidential"
records afterwards, but that's a minor point, frankly, since we know they
actually used it to find people for a specific crime they were investigating.
If they later trawled it speculatively for random minor crimes, that would be
bad, but you can't get _that_ much data out of these things (the prime
evidence against these idiots[1] was that they confessed, the cell tower data
was just used to find them at all.)

[1] anyone who uses their regular cell phone while committing an armed robbery
is foolish in the extreme - especially several armed robberies in different
towns all with the same darned phone! I won't go on a rant about how one
_should_ go about committing felonies, because reasons, but the stupidity of
these two hits me right in the brain.

~~~
JshWright
I'd prefer if it required the 'probable cause' standard, but I agree, this
seems like a very reasonable compromise...

------
khawkins
This sort of search doesn't bother me all that much. There are only a rare set
of circumstances where being close to a particular cell tower is
incriminating. Furthermore, since moving from cell tower to cell tower
requires moving in public, this information could be gathered just as easily
by security cameras/license plate scanners, which seem to me to be more
invasive, but legal.

------
rarw
I love a good old does-the-4th-Amendment-cover-cell-phone-data debate.
However, there's a lot of misinformation going on about the current state of
ECPA (the Electronic Communications Privacy Act), what it covers and what it
does not. Some brief points.

(1) A number of courts have outright rejected the argument that location
information is covered by the pen register act simply because it's shared with
a third party service. This section of ECPA followed in the wake of Smith
which found that since there was no expectation of privacy in your phone
number (because after all it was listed in the phone book) there was no
violation if your number, and the number you were calling were recorded. Where
you are at any given moment involves a very different set of data. Many courts
recognize this.

(2) In many cases the basic reasonable expectation of privacy analysis does
not apply in these data oriented situations. ECPA's application is further
complicated by the fact that how information is treated depends on whether it
is retrieved from storage or captured while it is being transmitted. The 7th
circuit recently addressed this issue and determined that it should not matter
how you get someone's digital information. However, that is not the law all
over the country. In many cases whether this "dump" was received as a result
of a file containing location data or recorded live as it came off the tower
matters.

For those of you more interested on this subject I wrote a paper on this back
when I was in law school
[http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1988546](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1988546)
and would be happy to discuss further.

------
Uhhrrr
150,000 sounds really high. Pinetop AZ only has 4000 people total, and if the
other towns were similar in size, every person in those towns would have to
make 10 calls during the collected period. Does this include multiple database
entries for individual calls or internet access?

~~~
pwf
You don't have to make a call to register with the tower. I would imagine that
sitting directly between two towers would cause lots of renegotiations as one
signal gets stronger or weaker.

~~~
chiph
Hwy 260 runs through the area. It's a four-lane road so probably gets a decent
amount of traffic.

------
DanI-S
Rather than catching two criminals by invading public privacy, I'd prefer to
pay for the social safety net that would prevent unemployed middle aged men
from having to rob banks to make ends meet.

Privacy should not be spent like money. You can earn more money, but privacy
is finite.

------
bluedino
Sort of amazes me that serial bank robbers wouldn't use burn phones. In that
case they probably would have just gotten caught by buying a cart full of
TracFones at a Walmart somewhere or frequenting a flea market to buy them, but
still.

~~~
wmeredith
The smart criminal is an imaginary figment of pop-culture
fiction/dramatization. They do exist, but they are by far the exception, not
the rule. These guys were knocking off rural banks for a few grand between
fist fights. Ballsy? Yes. Masterminds, they were not.

------
lucaspiller
> Should we have any concerns with the government getting that sort of mass
> tracking information on so many Americans without a warrant?

It's a pretty interesting article, but as a Brit I just don't get why
Americans are so concerned about privacy. In England, there is basically no
'right to privacy' in law. As such the police (and anyone else really) are
free to track me like this, on CCTV, whatever. If I am innocent, and have
nothing to hide, I don't really see what the issue is in this.

~~~
coldtea
> _It's a pretty interesting article, but as a Brit I just don't get why
> Americans are so concerned about privacy. In England, there is basically no
> 'right to privacy' in law._

It's because they value individual freedom and had a revolution. A population
saluting their monarchs in street parades wouldn't necessarily understand.

> _If I am innocent, and have nothing to hide, I don't really see what the
> issue is in this._

That's total BS.

For one, a lot of stuff that moves society forward, is done by people that
have a lot to hide (from the backwards regime that is). From reporting on
government wrongdoing, to breaking DVD encryption to investigating drug lords,
etc. Especially since current governments are so aggressive to penalize even
tame and civil protests and activism.

Some examples: you think Veronica Guerin had nothing to hide? How would you
like if the names of her sources were made known, and they were killed too?

Did Alan Turing have something to hide? Don't think of such a case as something
that only belongs in the past, and it's a solved problem now. How much of BS
stuff that's now considered illegal would be OK in the future?

Second, that's not even true for the ordinary boring citizen. How many people
have done stuff like going to a brothel, driving while drunk sometimes, taking
e in clubs when they are young, fighting with their spouse, etc? Would you
want your browsing history to be made public to potential employees?

~~~
eksith
Thank you!

It's quite frustrating to watch people completely ignore the fact that if a
power and capability exists, it will be abused (accidentally or knowingly) for
dubious ends. And those with power and capability seldom relinquish it
willingly.

It's quite something for an individual who has never experienced the
discomfort of being watched _because that's the way it's always been_.
Once you taste time away from an unblinking eye, you never quite feel the same
under its gaze... whether that gaze is obvious and plain to see or not.

------
eruditely
I am pretty disappointed for such implicit apologism for state tactics, this
is not the appropriate political climate right now, there _are_ legitimate
sources of state usage of "cell tower dumps" few will argue this, however it
has clearly gotten out of hand, and the fact that ars would publish this shows
a lack of taste.

------
casca
"...the FBI dumped all the numbers into a Microsoft Access database and ran a
query..."

~~~
xionon
It seems like you're calling this out as if it's a negative. MS Access is
perfect for a situation like that - available, disposable, and easy for semi-
technical people to use. When the community talks about "everyone learning to
program," this is what it would look like.

They don't have the authority or budget to set up something permanent just to
catch a couple dudes, and frankly they probably don't need something
permanent. They just got it done quickly and with the tools on-hand.

~~~
hga
Indeed; wouldn't we be ... concerned if they'd used a multi-user database?

For 150,000 records, Access for them, perhaps a Perl or whatever script for
us, and then you abandon everything but the very small number of specific
hits.

This legitimate use is unfortunately the justification for the NSA's Hoovering
of telephone metadata, e.g. you can't tell a judge ahead of time the specific
numbers you're looking for until you've correlated them against your initial
lead.

------
itsallbs
What idiots...bringing their personal cell phones to crime scenes.

------
Demiurge
<Demiurge> modern investigative work really makes for boring movies

<brandan> zoom

<brandan> enhance

<brandan> isolate

<brandan> is he holding a pocket knife?

<brandan> send in swat

<brandan> sniper1, you are clear to take the shot

<brandan> roll credits

~~~
Demiurge
lol, i love the way modding works on this site. " I DO NOT FIND THIIS FUNNY OR
STRICTLY INFORMATIVE, -1"

