Congress should close the loophole allowing warrantless digital car searches


Most Americans expect the Fourth Amendment — which protects individuals from illegal searches — to extend to their digital lives.

In general, this expectation matches reality: unless law enforcement comes knocking with a warrant, the government cannot search a person’s phone or computer. However, cars are treated differently, and as “connected cars” become increasingly linked to people’s digital identities, there is a risk that police will use this exception to conduct digital searches without warrants.

Congress should close this loophole.

The Fourth Amendment is the cornerstone of people’s right to privacy and freedom from government intrusion in the United States. It requires the government to get a warrant based on probable cause before conducting a search and seizure of personal property.

The Supreme Court has found these protections important enough to update them for the digital world. For example, the court has extended warrant protections to cell phones and vehicle GPS tracking, and it is currently reviewing whether law enforcement officials should be required to get a warrant to obtain cellphone location information from wireless carriers.

However, there has been a long-standing exception for vehicles in the Fourth Amendment: law enforcement officials can stop and search a vehicle based on probable cause without having to get a warrant from a judge.

For example, police officers can stop a vehicle for a routine traffic violation, and search it on the spot if the officers have probable cause that they will find contraband or the evidence of a crime. This lower standard for government searches makes sense in a physical world, where vehicles can only hold so much information and drivers can easily drive away to dispose of evidence.

But cars are changing, both in term of the amount and sensitivity of the information they can hold. Next-generation vehicles generate gigabytes of data while driving, enabling a host of new applications that enhance convenience, safety, and efficiency for drivers.

When this information can be accessed either through a display interface in the car or programmatically through an on-board computer, law enforcement could gain access to a significant amount of data about drivers without a warrant. For example, police could access in-car apps that contain sensitive information, such as navigation apps that contain travel history, social media apps that store messages and other personal information, and payment apps that contain information about past purchases.

While some of these applications require passwords, many only do so when the driver first logs in. Therefore, they would likely be unlocked when police pull over a driver.

In addition, many drivers may be intimidated into revealing their passwords during a stop, as has happened to travelers forced to unlock their phones at border crossings.

Finally, police could retrieve information stored in an on-board computer which may collect and store a variety of potentially sensitive information about drivers, including their driving behavior. Already, some police use special devices designed to circumvent built-in security measures on citizens’ phones and quickly copy their contents — similar devices could be designed for cars.

Photo: Joseph C. Justice Jr./Getty Images

Despite these potential risks, a car’s ability to collect information is not inherently privacy-invasive. And importantly, the automotive industry has taken pains to protect consumer privacy. For example, automakers made a series of public commitments in 2014 to establish strict privacy standards for data collected from vehicles, promising not to share consumer information with other businesses without affirmative consent — a standard that is higher than those found in other industries.

However, the auto industry cannot change the laws on digital searches. Policymakers should close this loophole to protect both citizens’ rights and support for technological progress. Congress has previously acted to close loopholes created by technological change.

For example, the Electronic Communications Privacy Act (ECPA), which limits how law enforcement can access digital information has different legal standards for obtaining email stored on a PC and email stored in the cloud. As cloud computing adoption has grown, Congress has worked to pass a legislative fix.

Just as Congress has been working to close the loophole for cloud computing, it should close the loophole created by the convergence of digital technology with vehicles. Congress should require law enforcement officials to obtain a warrant before they can access data from a vehicle.

Congress can do this while maintaining the vehicle exception for physical searches and maintaining law enforcement’s access to data held by third parties, such as automakers or wireless providers, through warrants or other lawful processes.

By upholding citizen privacy, Congress can ensure a smooth road ahead for vehicles of the future.

Featured Image: Pgiam/Getty Images

Senator calls on Tinder to fix a security flaw that lets randos snoop through your dates


Oregon Senator Ron Wyden is nervous about Tinder. He may not be swiping on the service this Valentine’s Day, but with a new letter demanding that Tinder resolve some security issues, Wyden is looking out for everyone who is.

Last month, a security report surfaced what it deemed “disturbing vulnerabilities” in the dating app. Wyden’s letter cites the research, demanding a fix for a security loophole that allows would-be attackers to view nearly everything about a user’s Tinder experience via an attack over unsecured wifi.

“Tinder can easily enhance privacy to its users by encrypting all data transmitted between its app and servers, and padding sensitive information to thwart snooping,” Wyden writes.

As the security firm Checkmarx explains:

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).”

The report notes that stolen credentials are unlikely, but the vulnerability is a recipe for blackmail. TechCrunch reached out to Tinder for comment on Sen. Wyden’s letter and its plans to fix its security concerns but the company has not responded.

“Americans expect their personal information to remain private online,” Wyden writes. “To that end, I urge Tinder to address these security lapses, and by doing so, to swipe right on user privacy and security.”

Facebook and Twitter face a short deadline on Russian bot #ReleaseTheMemo reports for Congress


Two leading Democrats in Congress are calling for new disclosures from Facebook and Twitter about Russian disinformation campaigns on their platforms.

In a letter, Rep. Adam Schiff and Sen. Dianne Feinstein, minority leads on the House Intel and Senate Judiciary committees respectively, called for the two tech companies to release any information that have about Russian ties to the recent social media campaign around a controversial memo written by Republican Rep. Devin Nunes. The pair argues that there is evidence that Russian bots promoted Nunes’ political agenda and the public deserves to know about it, citing last week’s Business Insider story “Russia-linked Twitter accounts are working overtime to help Devin Nunes and WikiLeaks.”

The new Russian bot debate surrounds a hashtag known as #releasethememo. #Releasethememo sprung up to call on Congress to declassify the Nunes memo, which is either a damning account of corruption in the investigation into Russia’s efforts to undermine the 2016 election or a craven gesture to create political cover for a doomed president, depending on who you ask.

As Feinstein and Schiff’s letter argues, #releasethememo is tainted by Russian influence:

Specifically, on Thursday, January 18, 2018, the House Permanent Select Committee on Intelligence (HPSCI) Majority voted to allow Members of the U.S. House of Representatives to review a misleading talking points “memo” authored by Republican staff that selectively references and distorts highly classified information.  The rushed decision to make this document available to the full House of Representatives was followed quickly by calls from some quarters to release the document to the public.

Several Twitter hashtags, including #ReleaseTheMemo, calling for release of these talking points attacking the Mueller investigation were born in the hours after the Committee vote. According to the German Marshall Fund’s Alliance for Securing Democracy, this effort gained the immediate attention and assistance of social media accounts linked to Russian influence operations.

Senators Sheldon Whitehouse and Richard Blumenthal also published a similar letter on Tuesday calling on Twitter specifically to answer questions about Russian disinformation campaigns and related political hashtags.

The letter goes on to request that Twitter and Facebook examine these links to “Russian influence operations,” including “the frequency and volume of their postings on this topic” and “how many legitimate Twitter and Facebook account holders have been exposed to this campaign.” With a request for this information by January 26, the members of Congress give the two companies a deadline they’re unlikely to meet, assuming they choose to cooperate. If the companies do conduct an investigation and issue reports on #releasethememo, Feinstein and Schiff’s play could easily backfire. We should know by now that 1) these companies aren’t particularly good at conducting comprehensive internal analyses on foreign disinformation campaigns and 2) tons of fake news and political propaganda is generated domestically too. Still, the more info on this kind of stuff that Congress can wring out of Facebook and Twitter, the better.

Nunes, who serves as the chairman of the House Intel Committee, is a controversial figure. That committee, along with considerably less chaotic Senate counterpart, is investigating Russian interference in the U.S. election. Last year, Nunes created a lot of attention for himself by amplifying misleading claims that the Obama administration had “wiretapped” President Trump (for clarification on this bit, read a little about how a FISA warrant is obtained. Hint: It doesn’t involve the White House). His memo purports to provide evidence, or at least talking points, around the claim that the FBI somehow abused the Foreign Intelligence Surveillance Act (FISA) in its effort to surveil Trump campaign adviser Carter Page.

Given his proven track record of partisanship and pandering to the White House, it’s difficult to take something authored by Nunes that seriously, regardless of what it claims to prove. Still, a broader Republican effort to release the memo suggests that a chunk of Congress thinks (or hopes) it might cause a stir. Oddly enough, many of those same Republican members of Congress just voted overwhelmingly to support Section 702, a portion of FISA that would appear to contradict the position of outrage over recent “wiretapping” claims.

Whatever ends up coming of the potentially Russia-influenced effort to #releasethememo, it’s clear that after dragging Facebook and Twitter over the coals on Russia, some members of Congress are happy to casually knock on tech’s door for evidence that might undermine their political opposition. Whether that’s good (transparency!) or bad (partisanship!), it’s definitely strange, and we can expect tech’s relationship with Congress to get even stranger in 2018.

The full letter is embedded below.

Featured Image: Matt McClain/Getty Images