Privacy Advocates Say Kelsey Smith Act Gives Police Too Much Power

This bill making its way through Congress would allow law enforcement to more easily uncover location data for cell phones from mobile carriers in an emergency.

The delicate balancing act between security and privacy is once again being tested. A bill making its way through Congress seeks to allow law enforcement to more easily uncover location data for cell phones from mobile carriers.

The Kelsey Smith Act (H.R. 5983 and S. 2973) would allow police and other agencies to compel an AT&T or Verizon to reveal the location of a person’s device in a streamlined way, if they have probable reason to believe that person is in danger.

This scenario has played out many times in television shows and movies – a character calls 911 and tells the operator that she’s in danger – but hangs up amidst unsettling background noise before being able to say where they are. No problem, in TV-land – the good guys simply use cell tower triangulation to figure it out and will be there in a few minutes.

In the real world, you would need a warrant for that if the carrier demands it. Under existing laws, telecom providers can use their discretion to decide whether to comply with a location information request immediately or to demand a warrant or subpoena. The problem is that in at least one very real-world instance, things went terribly wrong thanks to this oversight provision.

The eponym for the Act, 17-year-old Kelsey Smith, was kidnapped in 2007 in Kansas. After Smith had been reported missing, police asked Verizon to disclose the location of her cell phone. But Verizon wouldn’t comply with that request without a subpoena – and by the time that was granted four days later, it was too late. The police eventually discovered that Smith was killed the same day she was kidnapped. Also, once the request was granted, her body was found a mere 45 minutes later, meaning that she likely could have been rescued.

In an effort to prevent these kinds of tragedies, the bill seeks to give police the power to force providers to disclose the location of a device without a subpoena or warrant, by either demonstrating that the device was used in the last 48 hours to call 911; or if  they can show with “reasonable suspicion that the device is in the possession of an individual who is involved in an emergency situation that involves the risk of death or serious physical harm.”

A state version of this was signed into law in Kansas in 2009, and 21 states followed suit. Now, the Kelsey Smith Act seeks to implement a national version.

U.S. Senators Jerry Moran and Pat Roberts and House Representative Kevin Yoder, all of Kansas, introduced the bill in May, but it hasn’t been met with universal support. The Electronic Frontier Foundation this week has lodged its opposition to the measure on the grounds that the definition of “emergency” is far too broad – and that it leaves the data subject in question with little control if an officer or agent uses the expanded powers for ill purpose.

“On its face, [the point of the bill is] not unreasonable,” said EFF’s David Ruiz, in a posting this week. “But if the police make a mistake—or abuse their power—the bill offers almost no legal recourse for someone whose location privacy was wrongfully invaded.”

The use of a 48-hour window for having called 911 is the first problem, Ruiz noted.

“Emergencies are of-the-moment crises, requiring immediate responses,” he said. “If you call 911 today to request emergency assistance, law enforcement shouldn’t be able to get your location information 48 hours later without showing that the call relates to a current emergency.”

He added that there are multiple cases where local police or the FBI have claimed emergency circumstances fraudulently in order to uncover location information for other purposes.

“In a 2010 report, the Department of Justice’s Inspector General found that emergency requests were used … in three media leak investigations,” Ruiz noted, “one of which resulted in the collection of telephone records from Washington Post and New York Times reporters.”

There are other examples as well.

“Police in Anderson, Calif., coerced a person seeking a restraining order into saying she had been held against her will for six hours, and then sent a false emergency request for location information to the purported kidnapper’s cellular service provider,” wrote ACLU attorney Nathan Wessler in 2016 testimony before a Congressional committee regarding an earlier version of the Kelsey Smith Act (it has been introduced into the House three times now). He added, “Police in Rochester, N.Y., obtained location information about a suspect’s cell phone when they already knew the suspect’s location, but wanted to build a better case by obtaining information from the phone.”

Further, there is little oversight and no consequences stipulated in the language covering law enforcement’s use of the would-be law.

“To make this bill more reasonable for the protection of privacy there must be important changes made. Some changes being that you could only gain access to location information in the event that there is ‘probable cause’ during an emergency, and that it is required there be judicial review within two days after the initial emergency generated the location search,” said FreedomWorks, in a posting in June on the Act.

It added, “To hold law enforcement accountable there should be consequences to obtaining an individual’s coordinates illicitly or without cause and a required notification to the individual that their location information has been acquired.”

This is just the latest test of law enforcement’s limits in tracking cell phones. In 2011, without getting a probable cause warrant, the government obtained from cell service companies months’ worth of phone location records for suspects in a robbery investigation in Detroit. For one suspect, Timothy Carpenter, the records covered 127 days and revealed 12,898 separate points of location data. This lead to a Supreme Court case, Carpenter vs. U.S., which ultimately found that this violated Carpenter’s Fourth Amendment rights.

The majority opinion in the case from Chief Justice John Roberts noted that these kinds of records are “an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations. These location records hold for many Americans the ‘privacies of life.'”

As such, it’s unlikely that this latest version of the Kelsey Smith Act will pass easily. The EFF, FreedomWorks and the ACLU are all aligned against it, though they acknowledge the good intentions behind the effort.

“On its face, [the purpose of the bill is] not unreasonable,” Ruiz said. “But if the police make a mistake—or abuse their power—the bill offers almost no legal recourse for someone whose location privacy was wrongfully invaded.” He added, “While EFF sympathizes with the bill’s intended purpose, creating an overly broad route for law enforcement to demand people’s personal information is not the answer.”

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.