Wednesday, April 6, 2011

Top Computer Scientists Back WikiLeaks Associates in Twitter Case | Threat Level | Wired.com

Top Computer Scientists Back WikiLeaks Associates in Twitter Case

The government should be required to obtain a search warrant to get the IP addresses of Twitter users linked to WikiLeaks, argues a court brief filed Thursday by a group of respected security experts who say the addresses carry a higher expectation of privacy than mere phone numbers.

The amicus brief, filed in the U.S. District Court in Alexandria, Virginia, argues that IP addresses, like cellphone location data, can reveal a lot about a person’s movement, activities and even associations, and therefore should enjoy a higher degree of protection than phone numbers. (.pdf)

The brief was filed by Steve Bellovin, computer science professor at Columbia University; Matt Blaze, computer science professor at the University of Pennsylvania; Peter Neuman, principal scientist at SRI International; Bruce Schneier, chief security technology officer at BT; and others. The experts urge a federal judge to overturn an order requiring Twitter to turn over IP addresses and other information on three WikiLeaks associates.

That order was granted this month under 18 USC 2703(d), a provision of the 1994 Stored Communications Act that governs law enforcement access to non-content records, such as transaction information. Such an order is issued when prosecutors provide “specific and articulable facts” that show the information sought is relevant and material to a criminal investigation — a lower bar than the “probable cause” standard needed for a search warrant.

It’s not disputed that a 2703(d) order can be used to get the phone numbers a target called. But the amicus brief argues that IP addresses are more akin to cellphone location data, and should thus require a search warrant instead.

A user logging in to Twitter from a series of networks in different locations — for example at the Dulles International Airport before a flight, aboard the aircraft enroute to a location and at the destination hotel — would leave a trail of IP addresses that could allow the government to map the user’s journey.

Add to this the date and time of access to Twitter, and authorities could infer relationships between the user and others who might be tracked to the same place at the same time.

“Suppose for example that two individuals logged in to Twitter at exactly the same date and time from a single IP address associated with a Starbucks in Reykjavik, Iceland,” the technologists write in the brief. “That information would be highly suggestive of the fact that the two people were meeting each other.”

The government’s acquisition of such data has serious implications for a person’s expectations of privacy, the technologists write, which should, in turn, “trigger greater judicial scrutiny of Constitutional issues that arise.”

Marvin Miller, an attorney who filed the brief told Threat Level that the idea behind the brief is that the information the government is seeking would yield “more than perhaps they’re entitled to or maybe than they might think they’re seeking.”

Co-counsel Thomas Moore added that when it comes to IP addresses and cell phone data, the courts need to throw out their old concepts about telephone numbers and come up with new principles for dealing with newer technologies that are more intrusive.

“We just want the judge to start from the point of view of getting the technology right,” he said.

The case involves Birgitta Jonsdottir, a member of Iceland’s parliament, as well as WikiLeaks’ U.S. representative Jacob Appelbaum, and Dutch businessman and activist Rop Gonggrijp. Jonsdottir and Gonggrijp helped WikiLeaks prepare the release of a classified U.S. Army video published last April.

The U.S. Justice Department obtained a 2703(d) order to get information from Twitter about their accounts with the site. Among the data sought by the government are the IP addresses used to access the accounts and records of their session times and durations.

The three WikiLeaks associates challenged the government’s right to obtain the data, which they lost last month when a judge ruled that the order could stand. The three filed an appeal last Friday, arguing that the ruling violates a federal statute and the Constitution.

In arguing that IP addresses are comparable to cell phone location data and therefore should require a warrant to obtain them, the technologists are entering a muddy area of law related to cellphone data that is still largely undetermined by the courts.

Last September, a federal appeals court in Pennsylvania found that the government may obtain cell-site information from mobile phone carriers with a 2703(d). But the three-judge panel also found that lower courts could still choose to demand the government show probable cause — the standard required by a search warrant.

The ruling leaves the privacy issue to the whims of district court judges and magistrates, and, in any case, is not binding in Virginia where the Twitter case is being heard.

Image: Jacob Appelbaum speaking on behalf of WikiLeaks at The Next HOPE conference in New York in July 2010. Courtesy Cosmiclint/flickr

See also:

Kim Zetter is a senior reporter at Wired covering cybercrime, privacy, security and civil liberties.
Follow @KimZetter on Twitter.

http://www.wired.com/threatlevel/2011/03/amicus-wikileaks-twitter-case/

Posted via email from Whistleblower

No comments:

Post a Comment