This is Bloomberg Law with June Brusso from Bloomberg Radio. Beautiful, beautiful, unethical, dangerous. You've turned every cell phone in Gotham into a microphone. This is wrong. I've got to find this man, Lucius. At what cost? This is an audious He talks with a range of any phone in the city. You can triangulate his position. I'll help you this one time. In the dark night Batman uses an unexplained technology to convert cell phones into a citywide tracking system to find the joker.
That technology may have seemed like science fiction when the movie was released more than a decade ago, but now it's real and today. Geo fence warrants allowed law enforcement to search Google sensor vault database to get location records for all mobile phones within a virtual perimeter at specified times, raising privacy and Fourth Amendment issues. A robbery case in Virginia will be a high stakes legal test for the dramatic spike and police use of geo fence warrants to
identify suspects. The first Fourth Amendment challenge to a geo fence warrant in a federal court. Here to explain the legal challenges, Ari Ezra Waldman, a professor at Northeastern University Law School. Are new figures from Google show a tenfold increase in the use of these geo fence warrants in
the last three years. Explain what they are. Geo fence warrants are tools that government uses to take advantage of the data that private companies gather about us, like where we are, where we use our phone, where we use Apple pay, where we buy products, that can essentially just like track individuals wherever they are. Think about it as kind of a suped up version of getting self site data.
You know, when you drive down the New Jersey Turnpike or you drive down a highway, your cell phone connects to different towers and you can identify where a car has been or where it's going. A warrant to get ge offense data is essentially here a company, where you have gathered all this information about what we normally do every minute of the day. Give us that information so we can track where a potential suspect is. But a judge has authorized the warrant based on a finding of
probable cause. Yeah, police get a warrant when an independent judge feels that there is probable cause to that some criminal activity is happening. It's often relatively easy to get a warrant, But the idea is that at least the police have to justify to an independent arbiter like a judge, that this information is necessary. But the fact that someone
got a warrant, that's okay. But you have to ask yourself, did individual in giving over this information to private parties right and using tools like Google or an iPhone or so forth, and using tools where we may expect or know that information is being given to private parties, did we expect that such information would be so easily obtained by government authorities? And I think that's a very different question.
So in this case, a man accused of a bank robbery is challenging the use of data from a GEO warrant as evidence in his indictment. And it's the first such federal court challenge. So it's the first case that I'm aware of. It's not the first case where location data is part of an indictment. I'm very important. Supreme Court case Carpenter of the United States, which happened just a couple of years ago, was based on historical sell
site location. So police have been using location information from cell service companies, from Internet companies for some time, and Google said, I think it was last month that geo fence warrants now make up something like one quarter of all demands of information from the US government to these companies. And what that means is, it's not that the government
is newly using location data in criminal prosecution. It's just that the technology that we have is so much better, better in the sense that these companies know exactly where we are and have the ability to track us in real time. So of course the government is going to want to use it when trying to arrest suspects or crashed down on crime. What is the defendant's basic argument
about the constitutionality of the warrant? So the argument is that the quantity and quality of their multiple arguments, but one of the arguments is that the quantity and quality of the information that can be provided through geo fence warrant is just way too significant, way too much. Normally, when you get a warrant, the police will go I need a warrant to search your home. I have a
warrant to search your office. Right there is a finite amount of information that's there if police get a warrant to search your office and there's a computer in there, Normally you have to get a separate warrant to search
the computer. But a geofense warrant really is it's almost like a seven dragnet about a person that allows law enforcement to not just see the papers that are in the death, it allows them to see pretty much everywhere you go, everything you do for however long the warrant lasts,
and sometimes you can get a significant warrant. And in the case the United States Carpenter, the Supreme Court was very skeptical of that, very skeptical of these seven dragnet surveillance tools, not just because there wasn't warrant, there wasn't a warrant, but because of the quantity and the quality of the information. So in defending the GEO warrant in this case, the Justice Department argues that Google users give up their expectation of privacy when they let the company
collect data on their phone. Do you agree with that, Well, that's what the government argued. But as I was saying earlier, it's a very big difference first between giving information to a private company in order to gain some benefits like be able to find your way in a new city through Google Maps and having the government be able to
have access to that information. So that's one of the differences. Second, I think it's just plain wrong, even if the government were not involved in the story, it's just plain wrong to say that we give up our privacy rights the moment we share information with a third party. If that were true, then the moment we walked out of our houses, we would lose our privacy rights. The moment we spoke
to another person, we would lose our privacy rights. Now, of course, the US government, Facebook, Google, large tech companies make that exact argument in court all the time. Our users have no privacy rights. Individuals have no privacy rights because they voluntarily shared information. It's a cynical loy that is based on American laws tradition of seeing privacy in terms of control. It's a longstanding discourse of what privacy means.
That is, privacy is the ability to control the dissemination of information about you. That definition undergird so much of privacy law, whether it's privacy we have against another private party like a tech company or another person or the government. But the implication of that is that if privacy is about controlling the dissemination of your information. Once you share that information with a third party, you lost control of it.
So it's a weak form of privacy that the government and tech companies have been taking advantage of for so long. That's why we feel like we have no privacy, despite all these companies saying we care about your privacy and these privacy wizards and these cookie banners. At its heart, the law itself is undermining our ability to TechEd our
privacy because of this individuated control based definition. So in another case, concerning a search for suspects in ten fires in the Chicago area, a federal judge approved a government request for location data from Google. What kind of a test did that judge use? Normally, warrants are given where there's probable cause that criminal activities occur. So on any given case, you know, a judge will get evidence before when the when the proper party applies for a warrant,
and they'll see, Okay, here's the information. This is the data that law enforcement wants in order to rest or find more information. And therefore, okay, let me determine if there's probable cause based on the information before me. So that's a one off decision, right, Judges when when determining warrants, don't make decisions about how one particular case or one particular motion in front of them affects the wider system or implicates the wider system of surveillance. So it's a
one off. The nature of a one off decision is that it is made in a vacuum. It doesn't notice or doesn't know that, or doesn't care really that the quality and the quantity of information that a geofense warrant or another database more warrant for data um will gather so significant of information that the entire for that the person's everything about the person, not just about their criminal activity. Potential criminal activity is subject to be known by the police.
So it's very easy to approve one of these warrants considering that the surveillance context in which it sits is not really part of the judges determined determination. What's really part of the judges determination is just is there a probable cause here and does this warrant make sense? And it's a lot easier to make that choice than it is to say, well, this is part of a larger system of surveillance that is uh problematic for the fourth amend?
Do you have any reason to think that the judge in this case is going to rule that the warrant was invalid? Well, I can hope. Um. There's a forthcoming paper in the Harvard Law Review by professor at the University of Utah named Matthew Tocsin, and he's done a really great job of taking every single post Carpenter case and analyzing how court lower courts, tel courts, disrecord, state courts,
how they've interpreted Carpenter. And this is going to be another one of those data points, because here the judge has the opportunity to look at this surveillance, look at what the police asked for and what they did, and see has this surveillance gathered so much information the so called aggregation theory of surveillance or mosaic theory of surveillance,
such that it provided no privacy whatsoever. When more surveillance over and above what would be necessary or what would be expected as would be necessary for this particular criminal investigation, Now it's kimely possible that the court will you take Professor Toxsin's advice and do a nuanced analysis, But more often than not, the federal courts, which definitely have a conservative tilt, more often than not side with law enforcements. So maybe that's just my cynicism, but I don't really
expect much of this federal bench. But the appellate courts of the Supreme Court, you know, when it comes to these issues, they don't always fall down traditional ideological lines. So it's an open question what might happen as more courts start to interpret or think about the constitutionality of these types of warms. Are legal experts in the privacy area paying attention to this case? Sure, I mean, these kind of cases are always come before, we always come
us our death. We're whether we're teaching about it or um talking about it or using them as example of
in our research. The interesting thing about geo fence warrants is that it implicates both It's interesting for scholars who scholars of the Fourth Amendment, so government access to information, but also people like me, who I mean I do I focus much more on the relationships between individuals and private companies because this source of the source of all this data is not the government gathering the information on
its own. It implicates our expectations about what a private company like Google will do with our data or what goes on when we make decisions about the tools that we use, the apps that we use, and so forth. That really has nothing to do with the government. But yet our system allows the government great access to that. So I would expect not just Professor Tompson, but I would expect that a lot of law professors and a lot of legal advocates and pol privacy advocates. I think
me about this. Albert fox Cohn, who's a privacy advocate, runs a nonprofit in New York City. He's written several um poignant and uh cojen op eds about g f N S Warren's showing how dangerous they are. So this is a hot topic right now, and hopefully judges are taking note. You've written a book, Industry Unbound, the inside story of privacy, data and corporate power. So let me ask you, what can the average person do to protect their privacy? Because using Google Maps as an example, it
makes it so easy to get around anywhere in the world. Basically, it's hard to give that up for the concept of privacy. Yeah, I get this question a lot, and you're right. I mean, I barely know how to get from place A to B. So I use Google Maps all the time. But I'll play a little bit of a law professor game here
and say that is the wrong question. In fact, what can the individual will do is exactly the question that companies want us to be asking ourselves, because it implies that protecting privacy is something that we can do in the world in informational capitalism, in the world that privacy law and the law has set up, almost nothing an individual can do can protect their privacy. I'm sorry to say,
but there is nothing that we as individuals can do. Sure, you can use a VPN, a virtual private network, You can use Firefox instead of Google Chrome, you can say no to all personalization cookies. All of that is great. Anyone can do that. If you want to go through the work of doing all those toggles, your Internet experience is not going to change very much, and some of
your privacy will be protected. But all of that is marginal because even if you do all those things, these companies are still collecting terabytes of data about you passively. Even if you don't accept cookies, you're on their website. They know where are, they know what hardware you're using, they know where your cursor is they know your purchase histories because companies can buy it from data brokers. So it's the wrong question to ask what we need to do.
The only way that individuals will ever be empowered to protect their privacy is when the current political economy of big tech in the data economy is overturned, or is rejected, or is completely reformed such that we actually do have
those tools. So, although that's very cynical, what we really should be asking ourselves is what can we do to ensure structural reform, whether that means voting for the right political leaders who will actually pass honest reform versus people who only talk about big tech for conservative political gain, whether it's not just a political leaders that we vote for, but what happens in our own schools, Like are we okay with our employers, how having a contract with Google
to allow us to Google docs while also feeling data in the process, or would we be more well served with a similar product that doesn't include rampant data collection like Google Docs. So those are the kind of things that we really need to be thinking of, and we also need to create a larger ground. So will a larger movement for privacy reform because without that, politicians are just going to take more big tech money and maintain the status quo with some changes around the edges. The
book is based on four years of research. Tell us what you did during those four years, who you talk to, how you've got access? Sure, So the book Industry on Bound is based on nearly four years of field work.
And it's not four years five days a year, but it's a It's based on interviews with current and four UMER employees and current and firmer employees of big tech companies, and that include engineers, UM, privacy professionals, product managers, lawyers, as well as interviews with law firm partners and associates and UM as well, in addition reviews of confidential documents
that have been redacted. I also had the opportunity to be embedded for a couple of days around a week er and so in one case inside UM several medium size and small tech companies just to see how they run their meetings and UH interview some of their people talk about how they do privacy law on the ground. Getting access was really hard. I had a lot of
companies just say no, we're not interested in this. So I had to find other routes, including snowball sampling, finding social network that gives me access to people who formerly worked as a company. In fact, Facebook just refused to apply. Google insisted that if I talked to anyone, it has
to be on deep background. I can't quote anyone, And in fact Facebook UM eventually replied to multiple emails later several years down the line and said that if we talk to you, we have to get We require approval of all quotes from Facebook employees, as well as approval of the manuscript. And whereas that might be that kind of access might be helpful for some researchers, that violates
research ethics. So I ended up having to do a lot more work to get access from the back end, like through former employees or through current employees at conferences UM something we call interface ethnography, where companies have open um events where they talk about their products, where you're
able to ask questions. Those kind of tools, those kind of methods really helps paint a picture UM that maybe sometimes the company, an official tour by the company would not have so correct me if I'm wrong, But you contend that the systems the tech companies have to comply with privacy laws are designed to intentionally undermine our privacy. That's exactly right, there's there's. The argument is broader than that.
The argument is that the systems in place coops both privacy law and people who are who see themselves as privacy advocates that are working on the inside on on
these on these compliance on compliance elements are on design. Essentially, the organizational structures inside companies take engineers, privacy professionals, salespeople, designers, advocate, um executives, and whomever, whatever they're reasons for coming to the company, and even if they care so much about privacy, going in the systems inside the company, there their control over discourse, their control over the definitions of privacy, their
control over how people do their work, their control over how design functions, and the relationships between designers and lawyers and designers and privacy professionals, and the organizational barriers that companies put in front of privacy professionals, and the way they habituate privacy workers into doing into thinking about privacy and narrow ways all of these things, it almost doesn't
matter if someone is a privacy advocate. It channels all work into data extracted ends and when a system of law like we have privacy law like the gdp R in Europe and all of the proposals that have been
introduced as the US Congress and the state. When a system of law is based on third party compliance, when it's based on internal structures to fill out forms, to keep records, to fill out to complete privacy impact assessments, a system that co opts those, uh, those people and those tools is a system that does not protect privacy at all. So in that sense, yes, the systems that these companies have created are built to purposely undermine our privacy.
Al Right, Often we get alerts from Google and other sites saying we value your privacy, go through these steps to help protect your information. I mean, should we bother with that? Yeah? Well, part of what that does is it create, it maintains or or maintains this myth that protecting your privacy is something that is your individual responsibility. It's like you have to do the work. You you
have to click these buttons. Setting aside the fact that a lot of these companies don't even provide you with the options of doing that. When Google sends you an email, it sends you an email and says we value your privacy. It's mostly just to notify you have changes the Private to their privacy policy that you really have no option to opt out. Right, It's just here's the deal, and
this is what's happening. But as an aside, I mean, that's part of a larger campaign, a larger purpose is to make you think the privacy is something that we control. That these toggle buttons. Every time you go onto your iPhone and toggle the button you green to gray or great to green, you're turning on something, you're turning off something, you're protecting where that information goes. Even though that is
more of a performance that performance. This this just the action of clicking, okay, the action of toggling these buttons. It habituates us into thinking that privacy is something that we're on, we're in control of, that we're we're in charge of when it's back. The options that they give us are so minimal, or they're so complex and so
difficult to actually run through. Imagine trying to manage all of your privacy, all the privacy toggles on every app on your phone right now, or on every website that you've ever visited. That's impossible to do. Yet the company frames it in this empowering language. We're putting you in control.
That kind of control is anything but control. Every time the government is going to enforce privacy, let's say the settlement agreements they've made with Facebook, Facebook still violates privacy rights and then makes another settlement agreement with the FTC. Is anyone monitoring what these companies do? Yeah, so the FTC, You're absolutely right to note that Facebook is a serial violator of not only our privacy, but supposed consent decree,
but consent increase from the SEC. It's serial violation of It just goes to show you how much FTC and agreements have been just slaps on the risk. The FEC is a weak agency when it comes down to it. It's a weak agency. It has better appointees now under the Biden administration who hope to empower it, but it's a weak agency that for the last thirty years, most of the people who sat on the FTC have seen
their role. It seen part of their role as not not to protect privacy, but to protect privacy only so much as it doesn't harm innovation. A lot of FTC commissioners to said part of their job is to maintain innovation, to tell to listen to companies and say and listen to them when they say that, oh no, we can't do this or don't require us to do this because
of a harm innovation. And that goes a law that goes very far to and I quote some of these FEC commissioners and lobbyists and so forth in the book, it goes very far to show why the SEC has been so so weak. UM and these consent a crees allow the company to get off scott free because it's basically a settlement. There's no order, there's no UM, there's no requirements other than complete this audit or fill out
this document. But one of the things that I found during my research also UM Megan Gray, who used to be at Stanford Center for Internet and Society, also found this when she reviewed these audits. What I found were that a lot of these audit reports that were going to the SEC were just based on executive attestation, which means someone comes in that the company hires and they say and they asked, have you complied with section three
point five of the SEC consent decree? And the answer is, according to executives at attestation as attended in Exhibit I, the company is in compliance with deception. And then when you go to Exhibit I, all it is it's just the executive signing a letter thing. We're in compliance. So that system of audits of documents, which is what Julie Cohen has called tools on the periphery of the regulatory state, those aren't holding these companies speeds of the fire at all.
It's performative. It's privacy lost theater, and companies have a strong interest in maintaining that theater. I'm making it look as good as they can and co opting and ensuring that their workers think that it's real stuff, but in fact it's really just a show for us and for regulators. So finally, what do you hope that readers will get from your book? I want readers to realize that the system is stacked against them even more than they think.
I want privacy professionals to be more introspective about how their work inside tech companies is actually perpetuating data extraction. I want designers to realize that their employers are manipulating them into not caring about privacy. And I want politicians to realize that this whole system depends on companies and their lobby is influencing them to think about privacy and narrow ways. If there's one thing that I'd like to see, it's a change in discourse. I want us to stop thinking.
I want us to all stop thinking about privacy as anything about control, individual control, or anything about choice. That's the fodder, that's the red meat for these tech companies. It's much better for us to think about privacy in terms of civil rights, in terms of equality and justice,
in terms of um the the obligations of trust. As my colleagues Woody Hertzog and Neil Richards have argued, these more robust concepts, the more so show concepts of seeing ourselves as part of a larger group, as opposed to thinking that privacy is something we do against others or
against the world. So as soon as we start, as soon as we stopped talking about privacy in terms of control and choice, and as soon as that discourse gains prominence, it's almost like this house of cards that I talked about in the book is going to start falling apart, and then we can start passing better laws, and then we can have a then we can have Are these laws not depend on the completely captured industry of most privacy professionals. Thanks. Sorry. That's Ari Ezra Waldman of Northeastern
University Law School. His new book, Industry Unbound, The inside story of privacy, data and corporate power. I'm June Grass, and you're listening to Bloomberg