Wednesday, September 02, 2015

How the Law Impersonates You, and Your Friends

Here's How Law Enforcement Agencies Impersonate Your Friends

by Sonia Roubini - ACLU Speech, Privacy, and Technology Project

We recently received a handbook from the DEA, in response to a Freedom of Information Act request, seeking information about the use of impersonation as an investigative technique. While the 1999 handbook, titled Online Investigative Principles for Federal Law Enforcement Agents, was almost identical to a version of the handbook that is available online, there is one notable difference: the version that the DEA sent us includes a copy of the DEA’s Consent to Assume Online Identity: Adult Consent form.

The DEA apparently used this fifteen-year-old form to obtain consent from individuals to impersonate their online identities. It states: “I ____ hereby voluntarily provide consent to the Drug Enforcement Administration or other Federal, State or Local Task Force officers to assume my Internet online identity. My Internet screen name(s), nick name(s), and/or e-mail addresses are as follows.” It goes on to state: 

I understand that these law enforcement officers will changes [sic] the password(s) to this account so that I will no longer have access to these accounts. My Internet online identity may be used by these law enforcement officers for any official purpose relating to an official investigation, including sending and receiving e-mail, making direct communications on systems such as ICQ or AOL instant messaging, and any other electronic communications. I have been advised of my right to refuse to allow the assumption of my identity. I give this consent freely and voluntarily.

We filed this FOIA request because the impersonation of actual individuals and organizations by law enforcement agencies has the unique ability to erode our trust in each other’s identities. If government agencies impersonate Senate staffers, Internet repair technicians, newspapers, and individual citizens at will — as they appear to have done in the past — or others in our lives, it will erode a form of trust that is critical for relationships in a free society: our ability to trust stated identities.

Unfortunately, the documents released to us so far raise more questions than they answer. This consent form in particular raises some thorny ones, including: 

  • Under what circumstances can law enforcement agencies ask for consent to impersonate actual individuals?
  • If the individual does not consent, can law enforcement get a warrant to impersonate someone?
  • Once a law enforcement agency is impersonating someone, what is it allowed to do? Can it communicate with the individuals’ Facebook friends? Can it respond to emails from their family members?
  • What factors do law-enforcement agencies consider in deciding whether the extraordinary risks of impersonation are worth the possible reward?

Without this information, it is difficult to assess the lawfulness or wisdom of the DEA’s impersonation of actual individuals — a practice which raises serious constitutional questions. The Fourth Amendment prohibits “unreasonable searches and seizures,” and while courts have generally approved of the government’s use of deception (for example, undercover officers), few have ruled upon the constitutionality of the impersonation of actual individuals.

A recent decision in a Las Vegas District Court involved evidence collected by members of the FBI who impersonated Internet repair technicians to gain physical access to suspects’ hotel rooms. During their investigation of an online gambling ring, FBI agents disconnected the Internet in three rooms of a Las Vegas hotel and impersonated technicians to enter the rooms without suspicion and to collect evidence later used against the suspects in court. The judge eventually tossed the evidence out on the grounds that it was “fruit of a poisonous tree” — legal jargon indicating that the evidence was obtained using an unlawful search.

In another case, the DEA created a fake Facebook profile for a real individual, Sondra Prince, who was arrested on drug charges in 2010, in order to investigate an alleged New York drug ring. The DEA agent who arrested Prince seized her cell phone and mined it for photographs. These were then used to create the fraudulent Facebook profile which was used by the agents as a critical part of their investigation into the drug ring. These photographs notably included ones of Prince in a bathing suit, and photos of her two young children. Prince ultimately sued the DEA over its impersonation of her profile. The Justice Department eventually paid $134,000 to settle the case, which drew the public’s attention to potential privacy violations at play in government agencies’ impersonation of individuals (not to mention the potential dangers involved).

The consent form also raises tricky questions about the scope of consent. Does the form allow the agents, for example, to answer incoming messages from the mother of the consenter? What about a romantic partner or close friends? The form does nothing to clarify these questions. Nor does it address the fact that asking people to turn over their passwords so that law enforcement can then log in to their accounts violates the terms of service of Facebook and a number of other major service providers, which all prohibit password sharing. The government itself has argued in other cases that such password sharing may be a crime under the Computer Fraud and Abuse Act.

Finally, the date of the form — 1999 — raises an obvious but unanswered question: what is the DEA’s current practice? 
Technology and social media have transformed our society in the last sixteen years. Have the DEA’s practices changed since then? Do they impersonate individuals routinely now? What are the rules that now govern that impersonation? We just don’t know, and that’s a problem. 

No comments: