Observations from a criminal defense lawyer teaching other lawyers about digital forensic investigation
Last week, I taught a continuing education class for lawyers about digital forensics and digital investigation, along with an actual digital forensic investigator who works at our office. We’ve taught this course about five times as part of our office’s forensic training unit. When we teach these courses, the lawyers we teach are always really surprised at how much information law enforcement can get about a person and their activities from their phones and computers. They’re also surprised at some of the easy (and not as easy) ways they can prevent this kind of thing.
With that in mind, I thought I’d briefly explore some of the topics we cover at those trainings that would be of interest to lawyers and other non-tech people. This post is about data warehousing and tracking, and I’ve got another in the works about encryption.
Your Own Devices are Warehousing Secret Profiles of You
The criminal defense lawyers I meet at our training sessions all have computers and smartphones, but I find that they haven’t necessarily thought about the effect of using these machines in their work and their lives nearly constantly. Talking about how law enforcement investigates the computers and phones of suspects not only has these lawyers thinking about how to defend people more effectively, it also, as a side effect, leaves them asking questions about what their own phones and computers are doing.
Our phones and our computers are always trying to do a better job giving us what we want as quickly as possible. One of the simple tricks these machines use to do that is to try to learn what we want before we ask for it. They do this by warehousing information about what we’ve done in the past and trying to extrapolate from it.
One very innocent example of this is that, when I access a file through, let’s say, Microsoft Word, then Microsoft Word notes the location of that file on my computer and saves a link to it to reuse next time I want this file. This way, Word can quickly recall the things I use frequently and get them to me seconds (or more likely milliseconds) faster. Again, the benefit of this makes sense, and this is maybe the most innocent example of this kind of data collection and connection-making a computer can do.
We don’t need to look far, though, to find something slightly more nefarious. By default, unless the appropriate settings are turned off, my phone is recording where I go and storing my location in giant lists. It’s also looking for places I visit more frequently and labeling those as my favorite locations. The phone believes (insofar as phones believe anything; it’s maybe more accurate to say “the human at the start of the chain of activities that ends with your phone believes”) that it’s doing me a really big favor by tracking my most-visited locations. It can very quickly pre-load search results near those locations, or keep local map data about those locations at the ready.
I always talk with the criminal defense lawyers after our presentations and show them this “frequent locations” list on their phones (and remind them that I’ve turned this feature off on my phone). Nearly every person I talk to is surprised to see it, even though it’s been quietly humming along ever since they first turned on their phones, and they’ve possibly even benefited from it on many occasions.
Given these benefits, in considering the up-sides and down-sides, some might opt to leave this feature on. But as we explain at our seminars, our clients also don’t consider the down-sides too severe until this location information is used against them in court. This data (and more frequently cell-tower location data, which is a separate subject) can be used to show our clients were in certain places at certain times, but it is sometimes used just to make our clients look bad even if it isn’t actual evidence of something nefarious our clients were doing (to show they frequented the shop that was robbed, to show they habitually visited a seedy bar where drug deals often go down, etc.).
Aside from the obvious law-enforcement implications of this kind of location tracking, there are also more sinister capitalist implications. The phone (and the company who makes it and the service provider and a number of the apps running on the phone) can also, should it desire to, sell you as a person who is usually in a certain area so that the ads you see are targeted at that area. When we use the internet (and especially when we use free apps or free services) we are the product, not the consumer. The phone doing all this stuff is just trying to make us into a more sellable product, and the phones and companies who are best at this are the ones who make the most money off of selling us to third parties. The harms of this are more obtuse, but possibly more widespread, and therefore more nefarious.
Finally, beyond the advertising and evidentiary angles, there’s also the ancillary problem of what can be known about a person with a large enough dataset about them. Using this location history, if someone had an incentive to do it, they could also theoretically determine when I go places that aren’t typical for me, for instance if I go to a particular doctor different from my normal doctor, or a particular shop farther away from my home town. This kind of wholesale data warehousing could theoretically be used to find those people who deviate from some norm and target them for further investigation to see just WHY they deviate from the norm. Some of this is speculative, of course, but it is worth thinking about, because when it’s no longer speculative, it might be too late.
Even If Your Phone Isn’t Profiling You, the Sites you Visit Every Day Are
Even if I don’t use a phone that tracks this kind of thing, and I don’t use apps that actively track this kind of thing, I am still being tracked in a lot of less obvious ways. If I search for things using Google while logged into Google, then unless I’ve actively opted out, I’ve freely consented to Google tracking, collating, and analyzing everything I search and everything I view to try to get me better results when I search for things. Google is banking on the up-side of more targeted search results outweighing the (somewhat hidden) down-side of letting Google create a detailed profile of any given person, including likes, dislikes, interests, any WebMD searches run in the middle of the night, any desires explored, etc.
Like I said, I opt out of this, and you can too. Or you can just not sign in to Google and prevent it doing this. But the bad news is, in general, someone is still trying to do this to us even if we haven’t opted in anywhere.
When I access a page, that page can still have trackers embedded in it that are collating information about me using whatever identifying information they can glean from my browser, my IP address, or any number of things. The trackers are hosted and served from other websites, but they’re tucked into the code that makes up the site I am looking at, quietly observing me while I’m on that page and tagging me (often using cookies) to monitor what I do. These trackers are still creating this detailed profile of me, just without my explicit opt-in consent. And sites I visit every day have these trackers embedded in them, because those sites can charge more for ads if they can also target those ads using the information these trackers provide.
I use a Chrome extension called Privacy Badger to stop this kind of tracking as much as possible (I’ll discuss this more later), and that app has taught me that this practice is pretty common. As an example, an article from Wired about data privacy and data warehousing was, according to Privacy Badger, running almost 30 different bits of code or embedded trackers from other websites on that one page. Maybe not all of them are trackers; sometimes Privacy Badger notes embedded videos or photos hosted on other domains. But a number of them definitely were advertising trackers; some even had the words “advertising” or “ad” in their names.
Notice that little red “28” at the top right? That’s Privacy Badger telling me there are 28 different things from this page that could be trying to track me.
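As an added illustration (not part of the original post, and not Privacy Badger's own code), the sketch below lists the third-party hosts a page pulls in and then finds the ones embedded on more than one site, which is what lets a tracker link separate visits into one profile. The sample pages, the `.example` domains, and the two-label `site_of` shortcut are constructed assumptions.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src attribute makes the browser fetch a resource on page load.
FETCHING_TAGS = {"script", "img", "iframe"}


def site_of(host):
    """Crude 'site' key: last two DNS labels (real tools use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collects the hosts of resources a page loads automatically."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src") if tag in FETCHING_TAGS else None
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no hostname: same site, so ignore them
            self.hosts.add(host)


def third_party_hosts(page_url, html):
    """Hosts loaded by the page that belong to a different site than the page."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = site_of(urlparse(page_url).hostname)
    return {h for h in collector.hosts if site_of(h) != first_party}


def cross_site_observers(pages, min_sites=2):
    """Third-party sites embedded on at least min_sites different first-party sites."""
    seen_on = defaultdict(set)
    for page_url, html in pages.items():
        for host in third_party_hosts(page_url, html):
            seen_on[site_of(host)].add(site_of(urlparse(page_url).hostname))
    return {tp: sorted(fp) for tp, fp in seen_on.items() if len(fp) >= min_sites}


PAGES = {  # constructed sample pages, not real sites
    "https://news.example/story": '<script src="https://cdn.ads-tracker.example/t.js"></script>'
                                  '<img src="/logo.png"><img src="https://static.news.example/a.jpg">',
    "https://shop.example/cart": '<iframe src="https://pixel.ads-tracker.example/f"></iframe>'
                                 '<script src="https://video-host.example/player.js"></script>',
}
```

A third-party host that shows up on only one site (the video player here) is counted on that page but cannot by itself connect visits across sites; the one present on both can.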
So even if we haven’t opted in to have our data collected and profiled, it’s still being done to us. We are still being profiled by systems that think we want to be profiled in exchange for better services from those systems, but also by companies who want to sell us to their advertisers. As I said, the criminal defense lawyers I teach some of this to are always surprised to discover this is happening. And they’re also usually not pleased when I say there is no way to entirely avoid being tracked without abandoning their internet practices as they know them and getting all new phones and computers and operating systems. But at the very least, there are some ways to mitigate this kind of thing.
Some Tips on How to (Try to) Stop This
Whenever I tell our audiences that this kind of tracking and data collection are happening, I try to at least passingly mention that there are ways to opt out or protect yourself. Because I’m teaching about how to defend people from digital forensic evidence, I don’t usually cover in depth how to protect against these things (I’ll sometimes joke in passing that, if you can, make sure your clients know how to turn these kinds of things off before doing… anything…). But here are some brief tips from my own experience on how to limit this tracking without too much wholesale change to your digital life.
The first line of defense for stopping this kind of tracking is to manually turn off every tracker you can on your computer and phone. You’ll have to search around for more detailed tips on how to do this, but there are a number of things to think about. Watch for things that say anything like “advertising tracking” or any other more obvious language. Also watch for things like “location history” and “service logging.” There are a lot of things you cannot opt out of with the more user-friendly (and as a result more popular) phones with preloaded operating systems and applications. Installing other operating systems or jailbreaking phones is generally outside the scope of feasibility when talking with public defenders, but you can learn more by searching those terms.
You can also look for ways to opt out of tracking from any web services you use. Look for “search history” or “browsing history” options in your web accounts (Google has ways to turn these things off). Any time any of your services or apps offer you the option to opt into something to “improve user experience” or “provide data for service improvements” or whatever, think carefully before clicking yes.
I alluded to this above, but a key part of my arsenal is the Privacy Badger extension for Google Chrome. It blocks any code or scripts running on a page from other pages or domains, a pretty tell-tale sign of advertising company data collection. The example of the Wired article above is pretty telling, but I’d also note that even while I am logged in to Facebook, and Facebook is transparently and obviously tracking what I do on their service, there are three other trackers running and providing information about me to three totally separate companies. (Of course if I wanted to be very cautious and exponentially reduce the instances where I’m being tracked, I’d delete my Facebook account. I am always inches away from doing this.)
Worth noting here is that there are so many things your phone or computer are doing in the background to make them work (for instance the “recently used files” thing in Microsoft Word). There isn’t a way to opt out of those things, but they are generally (mercifully) stored locally on your phone or computer. The more commercial operating systems offer you no guarantee that this information is not being grabbed in the background for usage reports or bug reports. But the fact that this kind of stuff is generally localized means it’s also, if you’re being smart, encrypted, and therefore hard to get at. I’ll talk a lot more about that in the next piece in this series.
The best defense against this kind of tracking is to be thinking critically about all of the technologies and services we use. What are we getting from them? What are we giving up? How are we paying for them? Why are they free? Are there alternatives? It’s become a foregone conclusion that our privacy is gone when we use the internet, but if we keep asking these hard questions, we can start to push back, start to get a little more control over our online lives.
Why Everyone (Not Just Criminals and Their Lawyers) Should Be Thinking About This
As I said, I often allude to these kinds of precautions people can take during our training sessions. And a number of people immediately start thinking “why would I opt out of all this stuff if I have nothing to hide?” These lawyers think of themselves as “normal” people, not criminals, so why should they work so hard to counteract this kind of thing?
This question always puzzles me. As public defenders and criminal defense lawyers, we know better than pretty much anybody else that the majority of our clients are also “normal” people, people who got into circumstances that went south on them and are now suffering the consequences of that. Many of our clients don’t set out in the morning hoping to commit a crime. And many of our clients did not even do the things they’re accused of doing. Just like we do, they think of themselves as “normal” people, people with nothing, really, to hide.
So these kinds of remedial measures to protect our privacy aren’t about hiding our nefarious criminal activities. They’re about hiding our totally legal but personal lives from those who would rather expose them, for either investigative or monetary reasons. Especially when talking about encryption, a lot of the remedial actions I suggest are associated with “terrorism” (encrypted messaging apps, for instance). But I always try to remind audiences that I am not a terrorist, and I use these things, because I have never opted out of privacy, and I won’t have it taken from me without at least a little bit of a fight.
When people walk away from these training programs, of course they’re thinking about their clients and cases. But they’re also thinking about their own lives. Because when this kind of tracking and data-warehousing is happening to everyone, not just criminals, we realize the line between “citizen” and “criminal” is perilously thin, and perilously malleable. This fact animates all that I do as a public defender and as a policy attorney. I hope this article has illustrated that truth, and possibly provided some tools for others to join me in thinking about all this.
(Note: I have received a lot of training in digital forensics and the topics I talk about here, but I am always looking to learn more. Please feel free to comment if you have thoughts!)