This Week on What the Hack: Electronic Surveillance and the Fourth Amendment
The ACLU’s Nate Freed Wessler won Carpenter v. United States and changed how the Fourth Amendment applies to your phone. But data brokers found a workaround — and the IRS, the Pentagon, and ICE all bought in.
Episode 252
Ep. 252: Surveillance in America, Pt 4: No Warrant Required
“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander
Beau: The Constitution has made for some truly great entertainment.
Dirty Harry Clip: Where the hell does it say you’ve got a right to kick down doors, torture suspects, deny medical attention and legal counsel? Where have you been? Does Escobedo ring a bell? Miranda? I mean, you must have heard of the Fourth Amendment.
Beau: That’s the prosecutor in “Dirty Harry” talking about the Scorpio killer.
Dirty Harry Clip: Well, I’m all broken up about that man’s rights.
Dirty Harry Clip: You should be. I’ve got news for you, Callahan. As soon as he’s well enough to leave the hospital, he walks.
Dirty Harry Clip: What are you talking about?
Dirty Harry Clip: He’s free.
Beau: And that’s how we’re used to thinking about the Fourth Amendment, illegal search and seizure. We’ve been talking a lot about surveillance, specifically cameras and systems sold by companies with often outdated software, unsecured operating systems or insufficient ones, stuff that anyone with a little technical ability can hack. I don’t even know if you want to call it hacking. And law enforcement, they can use it to track anyone anywhere in the United States without a warrant. But think about it.
The Truman Show: Martin, find him. He’s still in the drawer. Come out, come out, wherever you are.
Beau: “The Truman Show” depicted a controlled environment with cameras everywhere. That movie ends with Truman opting out.
The Truman Show: In case I don’t see you, good afternoon, good evening, and good night.
Beau: Good night indeed. Hooray for Hollywood. Showbiz has always seen things coming way before; they were mostly science fiction, right? Long before it happened. Like literally. The 1927 silent film, like really literally the very beginning of film, “Metropolis,” featured video calls, okay, and AI automation. Now, I wish I could play a clip, but it was– You’re just gonna hear music. “War Games” introduced moviegoers to the emerging threat of hacking in 1983. For reference, The Police, that’s Priestang, Michael Jackson, and “Oh What a Feeling” by Irene Cara held the top slots in the Billboard’s top chart then, right? Deepfakes, those were predicted four decades ago in “The Running Man.”
The Running Man: Tony, this better work, pal, or you’ll be a digital memory.
The Running Man: Take it easy, Damon. Uh, we’re loading Richard’s image onto the database, and when he’s mapped onto the stunt double, you’ll never know the difference.
Beau: Now for a reality check.
404 Media ICE’s Backdoor Into a Nationwide AI Surveillance Network: It’s… Like, once you’re in it, you can query the cameras of other states and municipalities. You can do either a statewide search or you can do a nationwide search. And so in some cases you can… Like, say you’re a local police department, you can say, “Hey, I’m looking for this license plate of a stolen vehicle,” and you’re not just searching the cameras that you have personally bought and, like, paid the subscription fee for. You can search all the ones in your state, all the ones in the country if you want to. So it’s become this massive network of tens of thousands of devices, and you really, like, can’t drive in many major cities and small, even some small towns at this point without driving by one of these things.
Beau: And of course, the current surveillance state was foreseen in so many movies, but I’m guessing that’s because humans are wired for results, and the law, you know, is a hindrance. There’s a story about General George Patton in Sicily. Obviously, it’s in his movie, “Patton,” or not his movie, but the biopic, “Patton.” His column, his soldiers are stuck on a mountain road in Sicily, and they’re behind– they’re all stuck behind this peasant with his two mules, and the mules refuse to go. His soldiers have their shoulder behind the cart. Everyone’s trying to get them to move. Nothing’s working. Patton gets out, shoots both mules, and yells at his men to throw them over the side of the bridge so they can get where they’re going. Now, he didn’t think of himself as doing anything wrong there. There, and I’m not gonna play the clip ’cause I think it’s so sad, but there was a war to win, right, in his mind. People say, “Shoot the donkey,” to this day, especially in business circles when they’re talking about getting rid of stupid impediments. Shoot the donkey. Those people are generally not animal lovers. Today’s for-profit surveillance industry, led by Flock Safety at the moment, is in the process of installing a Truman Show-level of camera coverage across the country on telephone poles and parking lots, outside car dealerships, in private neighborhoods. You know, what they’re doing really is they’re shooting the donkey when it comes to the need for warrants. They’re not owned by the police, and that’s the point. When law enforcement wants your location history, your travel patterns, who you were with and when, they would generally need a warrant for that, but they don’t now. They just ask Flock or whatever company has that data. There are other companies, not just Flock Safety. And they can get it because private companies are just selling data, data that they collected on their machines, and there’s no law against that. It’s kind of crazy, isn’t it? 
Unlike the donkeys in “Patton,” the Fourth Amendment is still here, at least for the time being. Nobody’s shot it… yet, or maybe it’s getting killed by a thousand cuts or a billion cuts or 20 billion cuts a month, as you’ll hear later. Anyway, the basic idea here that matters is the government needs a reason before it gets to know things about you. That’s what the Fourth Amendment says, a real reason, one that a judge signed off on, not a hunch, and not something that you can just look up ’cause you happen to have a subscription paid at the moment. It needs a warrant. This week, we’re talking about all that with Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project. He’s been fighting surveillance overreach in federal courts for over a decade, and in two thousand eighteen, argued a case before the Supreme Court called Carpenter versus United States that changed, maybe permanently, how the Fourth Amendment applies to the digital world.
Carpenter v. United States (16-402) (2017 November 29): Mr. Wessler.
Nate: Thank you Mr. Chief Justice, and may it please the court.
Beau: You heard some of Nate last week. There was a lot more to cover, so here we are again. I’m Beau Friedlander, and this is “What The Hack?,” the podcast that asks, in a world where your data is everywhere, how do you stay safe online? Nate, welcome to the show.
Nate: Thank you so much. Really glad to be here.
Beau: It’s a real honor to have you on the show. You’ve done really important work for privacy and surveillance, for the protection of Americans from unwarranted surveillance. And that’s why we’re talking today. I think I wanna start, if you don’t mind, with Carpenter just to give people a sense of, it wasn’t that long ago. I think it was 2018 it was decided.
Nate: Yeah. So, Timothy Carpenter himself was a man in the Detroit area who was arrested by police, started as Detroit police, and then became a federal prosecution, on suspicion of participating in a series of robberies. Kind of ironically, robberies of cell phone stores. There was an allegation that there was a group of guys who were ripping off smartphones from stores and reselling them. And in the course of the investigation, one of the things the government did was go to his cell phone company and get, without a warrant, with a court order, but on a much lower legal standard, not probable cause you need for a warrant, got an order, went to the phone company and got months’ worth, about seven months’ worth, of his historical cell phone location information. Our cellphones are basically radios, right? In order to make or receive a cell phone call, send or receive a text message or make a data connection, our phones have to talk to a cell tower. And they have to talk actually to a directional antenna coming off of that cell tower. It turns out that every time our phone makes one of those connections, the phone company is recording information about which cell tower, which side of the cell tower, the phone is, and the companies retain that information for their own reasons, for billing purposes, for network diagnostics.
Beau: Your phone is constantly looking for the nearest cell tower. It has to be, otherwise calls wouldn’t come through. And every time it finds one, the phone company logs it. Time, location, what tower, right? All day, every day, without you doing anything. This is very different from GPS data. That’s a global positioning satellite providing pinpoint accuracy to help you know where you are. Turn left, turn right, make a U-turn, send a bomb somewhere, spy on you. And of course, most phones these days have GPS receivers. It’s a problem. But back to those cell towers, that data is different. It lists the nearest cell towers to you twenty-four/seven. Do that a thousand times a day across weeks, months, and years, and you don’t have a footnote, you have a diary. A diary you now have with detailed timestamps, an unbroken record of where you’ve been. It’s worth noting diaries are protected by the Fourth Amendment.
Nate: What law enforcement had figured out, over the course of a day when we’re carrying our phones with us, that just charts out everywhere you’ve been. And it’s a rare investigation where knowing where a suspect was at a time of an alleged crime isn’t useful.
Beau: Forget a witness who might misremember. Forget alibis that are hard to check. If you have someone’s cell phone location data, you can put them in a general vicinity at a particular time. We’ve all been near a crime scene, whether or not we were aware of it. I know it’s kind of creepy, but true. The data also shows who else is in the same area. Your accomplice, for example, or your kid. It’s enough to convict someone of a crime. That is, if they get a warrant to review the data.
Nate: And so police started making huge volumes of requests to the cellphone companies for historical cellphone location data and doing it without getting a search warrant, without getting the kind of warrant that police have always been required to get under the Fourth Amendment to say, search our homes, search our closed containers, search our private areas or private information. They were doing that under the theory that when you do business with a company and they gain your private information through the relationship with you as a consumer, you’ve given up your privacy interest. It’s now the business’s records. It’s not your private data anymore. And so you just have no Fourth Amendment rights in it, and the government can go without a warrant. And that was the central question in the Carpenter case. Does the fact that this is held by a cell phone company mean there’s just no privacy rights? Or do we need to have kind of a re-understanding of how to apply old Fourth Amendment protections in the digital age?
Beau: When I first learned about the Fourth Amendment, it had to do with, I think Brady and the illegal use of a journal. The illegal use of a person’s private journal and the prosecution of someone… is– our phones are kind of like electronic journals, aren’t they?
Nate: Oh, absolutely. Courts love operating by analogy, and phones are, you know, they’re so sensitive and so needing of protection, in part because they’re all the things. They’re a journal, they’re an almanac. They’re a medical file. They’re a family photo album. In fact, they’re the entire shelf worth of family photo albums. They’re your doctor’s file, right? They’re your billing records, right? There’s just a diversity and a variety and a depth of information that’s unprecedented to be saved in a single place. And relevant to the Carpenter decision, they’re also a tracking device, right? They’re a sophisticated computer. But they’re also a GPS location tracker that’s sitting in our pockets. And that, without protections, means an incredible depth of really private information about where we go when we go there, who we spend time with, what we’re doing, is just free for the taking. That’s why the law had to step in.
Beau: The government had been arguing that your location data belonged to the phone company, not you. You waived all rights when you signed up for service. That’s a legal doctrine called third-party rule, and for decades it worked because in the pre-digital world, the only records a phone company had were things like the phone numbers that you dialed, not a rolling diary of where you went. Carpenter changed that. Chief Justice Roberts, a nuanced conservative when it comes to privacy, wrote the majority opinion. He said that when the government gets a comprehensive record of a person’s past movements, that is a search, and you need a warrant.
Carpenter v. United States (16-402) (2017 November 29) Clip: This would be revolutionary to fundamentally change the understanding of the application of the Fourth Amendment to subpoenas. Do you want us to do that?
Clip: Well, I don’t think it’s revolutionary at all. This is, unlike a warrant, and all of this court’s cases on the good faith exception have dealt with warrants based on affidavits from an investigating officer. This is an unsworn application from a prosecutor who we think should know better. Thank you.
Clip: Thank you, counsel. The case is submitted.
Beau: Nate argued that case. He won that case five to four, and now every surveillance company in the land is living with the fallout. Go, Nate.
Nate: Another thing the government does is they’ll go to a cell phone company or another company like Google and say, we wanna know all the phones that were in this geographic area in this timeframe. On the theory that a crime happened there or nearby, and they wanna know who was nearby. But of course, you’re gonna get tons of innocent people then, and then you’ll know that they were in some vicinity, at some time, without any particularized suspicion.
Beau: You’d think that there would be a resistance on the side of a private sector company that would say, you’re gonna have to get a warrant if you want that information. But that is not always how it has worked, is it?
Nate: That’s right. It’s important actually to understand, you know, what Congress has done and when in this area. Because there are some rules, but they’re really old. So the relevant federal statute that governs law enforcement requests to technology companies or communication service providers. So that’s things like the telecoms, cellphone service companies AT&T and Verizon, or the landline companies or entities like Google or Meta or Apple, any of those. They’re governed by the Electronic Communications Privacy Act. Now that’s a law that dates from the 1980s when the internet barely existed, when email was still basically an experiment between university campuses. So in 1986, Congress said, well, at least for certain contents of communications, right? And today that would be contents of your email messages, your text messages, or social media direct messages. Many of those will require a warrant, although there were some loopholes that made maybe some logical sense 40 years ago, don’t make any sense today. And there’s some very basic information called basic subscriber information, name, billing information, network connection times they can get with a subpoena, which is just a piece of paper that a government agent sends. And then everything else in the middle, any other record pertaining to a customer or user, you can get either with a warrant or with one of these court orders on the reasonable grounds standard, which is very easy to meet. It’s a very low threshold.
Beau: But there’s no failure of imagination in 1980, because that’s just unfair. There’s a failure to update laws, it sounds like.
Nate: That’s absolutely right. Congress made some mild, very minor amendments in the mid nineties to that statute, and it’s basically just sat there since then as our lives have moved completely online. And so that’s why we have these questions that Congress just hasn’t revisited. Like, well, what do you do with cellphone location records? They’re not content of communications. So the statute doesn’t say you need a warrant, but the Fourth Amendment says something about it.
Beau: You’re carrying, you’re carrying a vault around with you all the time. You’re carrying, you know, what should be in a safe or a safety deposit box in your pocket constantly. And that’s not something that the law could have foreseen at all. But at the same time, there’s this data that is, it’s off-gassing that the legal system or the courts have not yet recognized as being…that should be protected. That’s what I’m hearing.
Nate: That’s right. I mean, until the Carpenter case, the Supreme Court hadn’t engaged in this question. The court had dealt with a couple other privacy in the digital age cases, and really set some protective rules about searching the contents of cellphones after someone’s arrested. Where the old rule is if you’re under arrest, police can search what’s in your pockets just because you’re under arrest, and the Supreme Court updated that rule for cellphones saying, yeah, maybe that’s true for a cigarette pack or even a wallet, but cellphones, because they contain so much private information and such a diversity of that information, you need a warrant. Police can secure the phone while you’re under arrest. But if they want to go into it, you gotta go to a judge first. But this fundamental question of what you do with data that’s not held on your device itself, not held in your pocket, but it’s held on the servers of a company you’ve interacted with, that was a new one to the Supreme Court.
Beau: It was a new one to consumers too. I don’t think consumers were thinking, oh, I am now, you can find me day or night. You’ll always know where I am or where I have been. If phone records, including where you’ve been are the property of a phone company, which arguably they would be ’cause it’s just data that has happened as a result of someone signing up for their service, can they sell it? Can a law enforcement person who’s finding that a judge is saying, nope. Sorry. Can they just go through a data broker and buy it?
Nate: Yeah, so this is now a really pressing question. So the phone companies themselves are barred by federal law from selling our cellphone location data. There’s a statute called the Federal Communications Act, Telecommunications Act that protects what’s called customer proprietary network information, and particularly, which is the whole category of records about our phone use. But it has special protections actually for location data. So the phone companies aren’t allowed to sell it, and they can’t voluntarily turn it over to the government. So the government has to come with some piece of paper. And now we know from the Supreme Court and Carpenter that that piece of paper has to be a warrant. But there’s a whole other class of companies out there that are not regulated by the Telecommunications Act: the app companies. On a modern smartphone, there are of course a bunch of apps that come preloaded, but then we download apps left and right and a lot of them are free purportedly, right? You’re not paying cash upfront. But these are for-profit entities in a capitalist system trying to make money. So how do they do that? Through advertising and through selling whatever data they can. Federal law just has not caught up to these kinds of commercial data harms that can come from selling, say, a complete record of GPS location points that the app on your phone has collected. There’s a whole gray market now, the data broker market for that data, going to advertiser networks, insurance companies, lots of others, but also now to the government. And there are a number of these data brokers who have realized that there’s a really lucrative business to be made from selling people’s app-derived location data to law enforcement, which lets law enforcement get around the warrant requirement from Carpenter because now they are paying money instead of going to a phone company with a warrant.
Beau: What about the IRS, the Pentagon, the Department of Homeland Security?
Nate: Well, it’s actually happening at all of those. The IRS got caught buying this data. They said they shut it down several years ago, and the Pentagon has also gotten caught buying this data from Americans, from Americans.
Beau: Nate, can you talk about the tech that ICE is using, like Stingrays?
Nate: Yeah, so Stingrays are one of several ways that a government agent, a law enforcement officer, can try to locate a phone or identify somebody. These Stingrays, more generically, they’re called cell-site simulators, are designed by these private surveillance vendors to send out signals that mimic cell phone towers, that trick phones into thinking, oh, I’m talking to a tower. And then the phone identifies itself with its unique serial number and the Stingray can force the phone to keep transmitting that and then really triangulate and zero in on exactly where that phone is; and also, either intentionally or just as a byproduct of this, pinging all the phones in the area, figure out all the phones that are nearby. So even when the government’s looking for a particular suspect, it’s forcing all the phones in the area to talk to the Stingray device. And these devices can be configured to retain that information too, to purposefully download a list of all the phones nearby. The location tracking ability of these devices is really precise. I’ve seen cases where police were able to figure out exactly what, behind which window in a very large apartment building the phone they were looking for was at, because they’re just narrowing in on where that signal’s coming from.
Beau: A lot of this was done, used without warrant– proper warrants. Is that right?
Nate: That’s right. For a long time, the government was not getting warrants. There was a flurry of litigation that the ACLU and Criminal Defense Attorneys brought about a decade ago, maybe 12, 13 years ago. They started turning the tide. And there’s now a small critical mass of court decisions that explain that a warrant is absolutely required for this. There also is federal policy now in both Department of Justice and Department of Homeland Security that dates back about a decade and as far as I know is still in effect. But the problem is that, if you’re walking around with a phone, there’s no reliable way to know, unless you have some pretty sophisticated software on that phone that’s tailor-made for this, no good way to know whether a Stingray is in the area locating you. So, we have to kind of trust that the government’s actually following the policies.
Beau: But there have been stories about ICE using it. Are we guessing or hoping that there are warrants in all, in every instance?
Nate: Yeah, I mean there has been some really troubling reporting suggesting that there are kind of digital fingerprints of Stingray use out on phones nearby some ICE buildings. For example, in Portland, Oregon, there was reporting by a journalist who had some kind of sophisticated tailor-made software on their phone, that was looking for some kind of signal artifacts that might suggest, that are highly suggestive of there being a Stingray.
Beau: Stingrays, data brokers, third-party doctrine, it’s all a lot for the non-expert. What is the Fourth Amendment supposed to protect, and how has it evolved in the digital age? We’ll explore this after the break. Okay, Nate, you’re an expert at this. You work for the ACLU. We keep saying warrants. Warrant, no warrant, wrong warrant, didn’t get a warrant, should’ve gotten a warrant. Why does that word matter to someone who’s never been in a courtroom in their life?
Nate: Yeah, so the Fourth Amendment is the part of our constitution in the Bill of Rights that put some guardrails around searches and seizures by the government. The basic rule is that when the government engages in a search or a seizure, and there’s now a whole body of case law defining what those are, the default rule is it has to get a warrant. Police have to go to a judge, demonstrate probable cause, particularly describe the thing or the place they’re gonna search, and then they have to get judicial authorization to do that. The Supreme Court has given us kind of two legal tests for what is a search. How do you know if the Fourth Amendment applies? One is called the reasonable expectation of privacy test, where the court asked starting the 1960s, whether society reasonably expects that a particular place or thing or item or information is private. And in parallel, the court has also said that when there’s a trespass or a physical imposition on your body or your property or your things for the purpose of gathering information, that’s a search too. And you don’t even have to look at privacy interests. You just look at, did police basically touch your stuff or your person in order to gather information. And if so, that’s a Fourth Amendment search, and they should have gotten a warrant unless some specified exception to the warrant requirement applies.
Beau: And that would include saying like, pull up your sleeve. I wanna see if you have a tattoo.
Nate: Generally, yes. You know, there are some questions about brief stops on the street and what police are allowed to do, but, generally, yeah, if the government is, if they’re putting hands on you and pulling up your sleeve themselves, then that’s a search. We, the ACLU, won a case in the Michigan Supreme Court, just a few years ago about police in a city in Michigan fingerprinting people during brief stops to question them on the street. And the justification purportedly was people who aren’t carrying an ID, we don’t trust that they’re identifying themselves accurately, so we’re gonna fingerprint them. And the ACLU brought this case all the way up to the state Supreme Court, and unanimously, every member of the court said, well, this is easy, of course, it’s a search and a warrant should have been required. Because police are grabbing your finger, pressing it to ink and pressing it to card stock. They’ve now trespassed on your body. They’ve physically imposed on your body in order to gather information, your fingerprint and your identity. That’s a search. And so, yeah, even really minor physical impositions can trigger this requirement.
Beau: Now the Fourth Amendment then serves as a form of outrage, right? A form of like, how dare you, don’t get away.
Nate: Yes, yes.
Beau: And it’s coded in our laws, saying mm-hmm. I don’t live in England anymore. You can’t have my money. And stop pulling out my sleeves to look at my tattoo. None of your business. And we have historically taken this law extremely seriously. We’ve seen heinous criminals, people we were pretty sure did bad things go free because the Fourth Amendment was not observed in all of its complexity. Correct?
Nate: Absolutely right. And, you know, and the important thing about the Fourth Amendment is it’s supposed to protect all of us. You know, the most frequent cases that make it through the courts are criminal cases where someone’s accused of having done an illegal thing. And then they’re saying, well, you’ve actually violated my rights trying to gather that information. And sometimes then courts have to throw out cases if police didn’t get a warrant or otherwise violated the Fourth Amendment. But those cases really serve as like the canary in the coal mine or the restraint that protects all of us. Because without these rules, police could just, you know, they could bust down every door in a neighborhood because they have a hunch that somebody has marijuana inside one of them, right? They could do anything they want. And the whole point, as you’ve said, of the Fourth Amendment, is to check government power. It’s really about abuse of power and checking discretion of law enforcement agents and imposing really an independent decisionmaker, a judge, in between police and the most sensitive searches they might want to conduct.
Beau: Which brings us back to Flock Safety and what we talked about last week, because Flock doesn’t do Dirty Harry. Why kick down a door when you can clock someone’s location 24 hours a day? Thanks to this new growth sector in law enforcement technology stacks, there are cameras on public streets in places where you now have zero reasonable expectation of privacy, but not as a legal thing, just as a matter of fact. These cameras take pictures of your license plate, and then they build a nationwide network of places where your picture can be taken and tell any subscriber at the click of a button everywhere your car has been. No warrant, no judge, no probable cause, just that subscription. Is Flock Safety right now creating a structural workaround for the Fourth Amendment in the United States?
Nate: Yeah, I think it’s tremendously dangerous. Yes, it is.
Beau: Every time your car passes one of these cameras, and there are billions of these reads now, 20 billion a month on Flock Safety’s network alone, that creates a record just like your cellphone pinging a tower. One camera, that’s a data point. Two cameras, that’s a commute. 100 cameras scattered around the city, and some cities have far more than that, and suddenly you have something else entirely. You have a map, pattern of life, where someone sleeps, where they work, where they go to on a Tuesday night, when they do things that they might not wanna tell you about. And it’s, and it’s just not one person, right? It’s everyone, everyone who drove past, all of us, all the time, sitting in their database. Flock Safety is the biggest company in this space, but they’re not alone. I know you keep hearing me say that, and that’s not me being careful. It’s just true. They’re all building different versions of the same thing: a permanent, searchable, nationwide record of where American cars have been and the people inside them. Just sitting there, waiting.
KABB FOX San Antonio: Right now, officials in Illinois are sounding the alarm saying deputies here in Texas misused their license plate cameras. Last week, we received disturbing news that police in Texas illegally accessed data from automatic license plate readers used throughout Illinois. They did so to track down a woman regarding an abortion care-related matter.
Beau: Police in Texas used license plate reader data to track a woman who drove to Illinois to get an abortion. Maybe you’re okay with that. Maybe you think that states should be able to enforce their laws wherever residents go, right? Okay. That’s a position. But sit with that for a second. She didn’t know she was being tracked. There was no warrant. No judge decided her trip was suspicious enough to justify surveillance. There was just a database, a private company’s database, one that also seems to maybe not be super secure according to rigorous reporting by 404 Media, YouTuber Benn Jordan, and others. Her trip was just there. That’s the thing about a system with high walls and no legal oversight. You don’t get to control what it gets used for or who uses it or when. The companies building these networks, their business model is access, not safety. A police department in your city doesn’t just get access to the cameras in your city, by the way. They buy the whole country. Every plate, every timestamp, every state line crossed, all at the click of a button. I know you know me. I hear a story like what happened in Carpenter and I turn my phone off when I go places to mess up the pattern of life that my provider sells. I know how that sounds. But after you consider what we’ve talked about today, I don’t think it’s an extreme position, you know. But while I can turn off my phone, I can’t turn off my license plate. Facial recognition? I can turn my face off with a mask, I guess, but is that where we are now? One of the things that I keep wondering is, you know, I have not yet downloaded an app in California, lately anyway. And, but I’m wondering, you know, to me, I wouldn’t be surprised if while in California I downloaded an app and it said, do you want to turn location services on? 
Instead of it being by default because it’s, that is the kind of tiny little win, which is a huge win, that says that everything that you buy is set to private, not sharing anything by default, and you have to opt in everywhere. And it’s as simple as that. And all of the manufacturers, I don’t care if it’s software, actual devices, they know this. All they have to, they could all just say we’re going to make people safe. You know, the first company to do it, Apple is going to get market share if they advertise it correctly.
Nate: Yep.
Beau: I mean, it was just like that very smart ad that one AI company ran during the Super Bowl towards another AI company that was starting to run ads. It’s a smart thing to say we are different.
Nate: Yeah, I mean, I think there…design changes absolutely can make a huge difference. You know, one of the things I, you know, I think about every day when I’m online is websites now, largely as a result of European privacy regulations, but a little bit because of US regulations, put these like cookie permission screens up, right? Like, do you, are you gonna allow cookies and-
Beau: Some of them are just the necessary ones.
Nate: Right. It’s good that we have choice, but I spend a lot of my time clicking in to turn off cookies. Right, one by one. Forcing websites to account for universal choices where you just toggle in your browser, no, I just want, I don’t wanna be tracked. And the website to actually listen to that would save all of us the effort and means you just have to once per web browser, you set your preferences and those preferences are already in the web browsers. It’s just a question of making the companies that are operating the websites listen to it. What we really need is for lawmakers in Congress, in state legislatures, in city governments to step in and set strong durable rules and to keep them updated to protect all of us.
Beau: Nate Wessler, thank you so much for joining us today. I appreciate you giving us so much time, and hopefully we’ll talk again.
Nate: Such a pleasure to talk, take care.
Beau: The courts are moving slowly, case by case, appeal by appeal, but moving. The Supreme Court said in Carpenter that your cell phone location data is yours. There’s a case in front of them right now about geofence warrants that could extend that protection further. It’s a show for another day. That’s real. Congress has a bill, the Fourth Amendment Is Not for Sale Act. It’s– We’ve already talked to one of its authors, Senator Ron Wyden. I hope to speak to the other author soon. It passed the House, stalled in the Senate, but it could move again. That’s also real. A handful of state legislatures are passing laws with actual teeth. Illinois says you can’t use license plate readers for immigration enforcement, period. Colorado is considering a law that would bar them from abortion enforcement. Small, patchwork, but real. And the tech companies, the ones who receive the subpoenas, who know when ICE comes knocking, who sit in the middle of all of this, some of them are starting to push back, too. Quietly, imperfectly, but it’s happening. So that’s good news, and I don’t want to minimize it because none of that was inevitable, and all of it required people who cared. But here’s the other thing. The cameras don’t come down when a law passes. The database doesn’t get deleted when an administration changes. The network that Flock and Ring and others have spent a decade building, that exists. It’s out there. And whatever rules we eventually write will be written around a surveillance infrastructure that is already everywhere, already collecting, already waiting. You know, not quite clear how that’s all gonna get taken apart, if it’s gonna be taken apart. What gets deleted? Is there such a thing as deleting them? There’s a study I wanted to share with you. Researchers found that in neighborhoods with high levels of surveillance, people were less likely to recognize faces. Now think about that for a second. Not less likely to commit crime, less likely to recognize faces. 
Because when you feel watched all the time, your brain sees every stranger as a potential threat, and that creates hypervigilance fatigue. I didn’t make that up. Look it up. Hypervigilance fatigue. Fun. But I can’t stop thinking about it. When the thing that makes you feel safe is also the thing that makes you trust people less, isn’t that creating a world of Bernard Goetzs- I don’t know, Bernie Goetzs if you listen to Lou Reed. Anyway, if you’re too young to know who that is, Daniel Penny might ring a bell. He’s the guy who got acquitted for murder after killing a former Michael Jackson impersonator fallen on hard times. That man’s name was Jordan Neely, often referred to as a panhandler. Murder victim. That happened in 2023 on a New York subway. And what I mean by this is, aren’t we just creating a paranoid society, a society of potential vigilantes everywhere? The Fourth Amendment was written by people who had just lived through what happens when a government doesn’t respect its peeps, right? They didn’t write it because they trusted the government of their moment, right? They wrote it because they knew that moment was gonna end, that power changes hands, and that the tools built by one administration are inherited by the next. The warrant requirement isn’t a technicality. It’s a question. It’s society asking itself every single time, “Is this search worth what it could allow to happen to all of us at some point in the future? Is privacy worth less than whatever needs to be found?” And now it’s time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline. Your phone company knows where you are from cell tower data. That’s just how cellular works. Your phone is always pinging the nearest tower, so calls and texts can reach you. You can’t make that stop entirely, but you can make the data a lot less useful to them. The simplest thing you can do costs nothing. Turn off your phone sometimes when you’re out. 
Not forever, not always, just when you’re walking around sometimes, running errands, doing things you’d rather keep private, and doing things that you always do. No signal means no location ping. It also means no call, so use your judgment. But the habit of occasionally going dark is one of the easiest privacy moves there is. All these phone companies sell pattern-of-life data. Make it a point to make yours suck. The next step is a VPN, and here’s why it matters for location specifically. Your carrier always knows which towers your phone is hitting, so they know roughly where you are. What they can also see without a VPN is where your internet traffic is going, which apps, which websites at what times, and they combine that location data with that traffic data to build a profile that is worth selling. A VPN breaks that combination. They still know you’re at the corner of 8th and Broadway, but they can’t see that you were on a medical website or looking at a job listing while you were standing there. That’s what they sell, the combination. A VPN makes your location data a lot less valuable, even if it doesn’t erase it. I’m not gonna recommend any particular VPN. Just make sure whichever one you choose, you’re paying for it, because the ones you don’t pay for, I don’t trust them. Now, for the apps on your phone, that’s a separate layer of location tracking, and this you can control completely. On an iPhone, go to Settings, then Privacy & Security, then Location Services. You can hit, you know, 15 seconds back if you need to hear this again. You’ll see every app that has ever asked for your location. Go through the list. For anything that doesn’t genuinely need to know where you are, shopping apps, games, news apps, social media, switch it to Never. For maps or weather, set it to While Using, not Always. Always means the app is tracking you in the background even when you’re not using it. Now, on Android, it’s the same idea. 
Go to Settings, then Location, then App Permissions, same drill. Set everything you can to Only While Using or Deny, and save Always for navigation. That’s it. Now, one last thing, and this one surprises people. This is cool. Buried in your location settings is something called Significant Locations, at least on your iPhone. Go to Privacy, and then Location Services, and then System Services, then Significant Locations. It’s at the very bottom of the list. Imagine that, totally hard to find, of course. Now, delete the record and turn it off. Your phone has been keeping a diary of everywhere you’ve been. Gross, right? I mean, seriously. The goal here isn’t perfection, ’cause that’s impossible, but making your location data thin enough or unreliable even enough that there’s not much left worth selling, or people start complaining about what they’ve bought. That’s it for this week. Stay private out there, stay safe, and I’ll see you next week. This episode of What the Hack was produced by me and Andrew Steven who also did the editing. Our theme music is by Andrew Steven. If you think you heard Benn Jordan’s music in the mix, you’re right. There’s some other stuff, but there’s some Benn Jordan too. Check him out on Bandcamp or wherever you get your stuff. What the Hack is a production of DeleteMe, which was picked by the New York Times’ Wirecutter as the #1 personal information removal service. You should be using it already. If you’re not and you want to, well, you can. Here’s what to do. Go to joindeleteme.com/wth. That’s joindeleteme.com/wth and get 20% off. I kid you not, 20%. 20% off. That’s joindeleteme.com/wth. Now stay safe out there. See you around.



