Seattle Privacy Coalition

Seattle’s operating surveillance ordinance still needs fixing

In January 2013, the West Seattle Blog reported on the surveillance cameras being installed along Alki Beach. Their continued coverage of the cameras and wireless mesh radios is well worth a read for a detailed background on this post.

I recently noted that one of the wireless mesh nodes was transmitting, in contradiction of the City’s repeated assurances that the network was “turned off,” while I was attending a protest outside the King County courthouse in City Hall Park near 3rd Ave and Yesler Way. My post to Twitter caught the attention of the Seattle Police Department, who promptly shut off the node and posted a blog entry and tweeted about it. The following tweets appeared on Twitter that day, with much more commentary on the original post (which you can see if you click on the date stamp below.)

#SEAspy #MeshNet node is transmitting on “3rd&Yesler” and “TEST-WAP” SSIDs. @SeattlePrivacy @SeattlePD #rootsup2014 pic.twitter.com/Z0gHtp8Rrp

— lee⭐c (@sleepylemur) July 11, 2014

What we know about our node. http://t.co/PgeQFRqpkS #nodecomment

— Seattle Police Dept. (@SeattlePD) July 12, 2014

Seattle Police officer Sean Whitcomb’s reply on the SPD blotter makes a misleading claim, that “The rogue node, while producing a visible signal, was not being operated.” This isn’t only misleading because radio waves are invisible. They’re also not visible because the Service Set IDentifier (SSID or “network name”) of these mesh nodes gives no indication that they’re operated by the police department. It’s not the sort of thing that a nontechnical person would notice, even if they saw it listed on a computer or mobile device when they were trying to find a wireless network. It’s also misleading to claim that the node was “not being operated”.

The device may not have been switched on intentionally, it may not have seen any active traffic from SPD vehicles or those of other city departments while it was powered on and transmitting, but a claim that it wasn’t operating is the same category of the “non-operational” SPD cameras installed throughout the city. The glowing blue light indicates that power is applied to the cameras, just as the blinking orange and green lights indicate that mesh network nodes have power and some sort of activity. According to the Seattle Police’s definition of “operating”, these networked surveillance cameras aren’t “in use” because the digital video recording system to which they’re attached isn’t capturing any of their video feeds.

@sleepylemur @SeattleCouncil @SeattlePrivacy Lee, consider this “confirmed”. The cameras are not in use. sw — Seattle Police Dept. (@SeattlePD) September 11, 2013

However, as Mayor Murray opined in an interview on the matter, the cameras and their mesh network could be switched on if the City decided they were needed for some sort of emergency (the Boston Marathon bombing was mentioned, but any emergency could do). Now, this mayor may have no intention of using these cameras and Seattle’s current police force might not intend to use their mesh network to monitor the movements of every active WiFi and Bluetooth device in the city (see The Stranger’s article You Are A Rogue Device), but we’re a country of laws, not of men.

Seattle should revise its ordinance regarding the installation and use of surveillance equipment. We made recommendations to the city council regarding Ordinance 124142 in March and this matter still needs to be addressed.

The sort of thing we are curious about…

As Seattle Privacy discusses the need for privacy oversight in City Hall, we are interested in both the big policy and governance questions and in the technical details of privacy-sensitive technology. Here is an example of the latter, drawn from city paperwork involving Cascade Networks, Inc., the contractor that installed the police surveillance cameras and mesh radio network in 2012-2013. The radios that make up the mesh network are basically tricked-out, weather-proofed versions of normal Wi-Fi access points. Before the city “turned off” the radios last year, each of them was broadcasting a network ID that you could have seen on your laptop or cell phone alongside Starbucks or the name of your home wireless router.  The specs for the project included requirements about network access and logging:

In bland technical language, we learn that the network has the following capabilities.

• It can limit logins to a list of approved users stored in a database.
• It can identify potential users based on username/password or hardware device IDs.
• It will keep detailed logs (time, duration, identity, etc.) of client connections.

However, these details raise questions that still have not been answered by the Seattle Police Department or any other city office.

• What happens if a random passerby with a laptop or cell phone attempts to “associate” with a city access point? The answer to this could have privacy and security implications for both parties.
• Wi-Fi devices broadcast uniquely identifiable radio beacons; does the city equipment record these beacons, or can it be configured to do so? Authorities in Chicago are planning just such a capability in a potentially intrusive Big Data collection scheme.
• How long will logs be kept, and who will have access to them? Will they be subject to public records requests?

These are questions that should have been asked and publicly debated at early stages of the planning process. They also quickly become issues of general policy: If data is collected, it will be used by any legal or illegal branch of government whose agents can pick up a phone. To protect privacy, don’t collect sensitive information in the first place.

Below is a link to the source documents, courtesy of Tacoma-based Infowars reporter Mikael Thalen, who discovered them on the Seattle.gov Web site:

http://www.scribd.com/doc/183600279/Port-Security-Video-Surveillance-System-with-Wireless-Mesh-Network-Seattle

Or download the document.

Shelved Seattle Police drones highlight transparency problems with surveillance equipment

As the results of a public records request recently revealed, Seattle Police Department never quite got around to sending back those drones we were all talking about back in early 2013.

Brief refresher: In early 2012, three days after then-mayoral-hopeful Bruce Harrell of Seattle City Council introduced a bill to regulate the use of drones by Seattle Police Department, then-mayor Mike McGinn one-upped his opponent by abruptly announcing an end to the drone program. McGinn also declared that the devices would be sent back to the vendor from which they were purchased.

This was a win for the public–we never asked our police to purchase flying surveillance cameras in the first place–and we celebrated it as such. But to those who were paying close enough attention, McGinn’s decree looked like political posturing.

Surveillance technology advances rapidly. The fact that SPD’s 2010-era drones, with their 15-minute battery life and inability to fly in the rain, are sitting on a shelf here in Seattle gathering dust doesn’t worry us.

We are more concerned about the continued lack of transparency in how surveillance equipment is acquired and deployed (and disabled, or not disabled), and the lack of meaningful oversight of the police department, and about the fact that our police continue to use U.S. Department Homeland Security money to purchase equipment the public doesn’t trust them to use in a constitutional manner.

Our Mayor and City Council need advice from technologists and privacy advocates to fend off the ever-encroaching surveillance state at the local level. Until we formalize a system for providing elected officials with the information they need to make good decisions, they will continue to be blind-sided by SPD’s use of their homeland security slush fund for purchases of equipment used to treat everyone as a potential suspect.

Other coverage:

The Seattle Police Dept Said It Would Get Rid of Its Drones. It Hasn’t.
by Shawn Musgrave
March 25, 2014

Seattle Police Secretly Keep Drones Despite Promise
by Mikael Thalen
March 26, 2014

Seattle Police Still Have Drones
by Ansel Hertz
March 26, 2014

Video: City Council authorize federal funding for facial recognition and fusion center

By Phil Mocek

At the 2:00 p.m. March 10, 2014, Seattle City Council meeting of the full council (agenda), public comment was received from five people regarding Council Bill 118043, which authorized federal funding for facial recognition software and the Washington State fusion center. Each person spoke in opposition to passage of the bill. Because public comment was, as is typical at City Council meetings, limited to 20 minutes, some people who wished to speak were not allowed to do so. After public comment, council members discussed the bill, then voted 7-1 to pass the bill, with Kshama Sawant casting the lone vote in opposition.

A complete video archive of the meeting is available from Seattle Channel for streaming and download. In attendance at the meeting were (in order from left to right as visible in the video) council members Sally Bagshaw, Bruce Harrell, Sally Clark, Tom Rasmussen, Tim Burgess, Jean Godden, Mike O’Brien, and Kshama Sawant.

Council Bill 118043 authorizes acceptance of a financial grant from U.S. Department of Homeland Security under the Urban Areas Security Initiative program, including about $1.2 million for Seattle Police Department, and ratifies and confirms any act made pursuant to the authority of the ordinance taken prior to the effective date of the ordinance. Intended uses of the DHS funding that have been disclosed to the public include purchase of facial recognition software for use by Seattle Police Department staff and further funding of the regional fusion center.

We are unaware of any way to link directly to a point in time in a video hosted by Seattle Channel, so we cached a portion of the video archive of yesterday’s meeting elsewhere.

Following is an index to relevant portions of that video:

• 06:42 Public comment: Scott Shock
• 08:41 Public comment: Lee Colleton
• 14:27 Public comment: Christopher Sheats
• 17:11 Public comment: David Robinson
• 19:19 Public comment: Phil Mocek
• 23:19 Introduction of item #1: Council Bill 118043
• 24:06 Councilmember Harrell
• 29:47 Councilmember Bagshaw
• 31:15 Councilmember Sawant
• 34:28 Councilmember Harrell
• 36:40 Councilmember Clark
• 40:55 Councilmember O’Brien
• 42:12 Councilmember Burgess
• 42:23 Rollcall vote

How to fix Seattle’s operating surveillance ordinance

by Phil Mocek, Jacob Appelbaum, Jan Bultmann, Allegra Searle-LeBel, and Lee Colleton

We call on City Council to make the following improvements to Ordinance 124142, also known as “the operating surveillance equipment” ordinance, before the end of calendar year 2014.

• All protocols for use of surveillance equipment must be public.
• Any and all aspects–even secret ones–of surveillance performed by or commissioned by government agencies in Seattle must include automatic sunset provisions.
• All property used for communications interception wire rooms or other surveillance (e.g., rentals of houses, vans, etc.) must be accounted for in a budget. When properties are no longer used for such purpose, their addresses must be disclosed. Similarly, the surveillance-related purpose of other expenses must be disclosed after the necessarily-secret nature of their use concludes.
• The ongoing budget and expenses for surveillance activity funded by City of Seattle must be public during this entire time so that we, the people, can review these expenses and recognize if such activity has spiraled out of control relative to other city priorities.  The public must have the ability to determine if a general area has been under surveillance.

• All non-SPD contact (eg: FBI, TSA, ICE, SS, any part of DHS, etc) that request assistance, clearance, or notification of surveillance should be logged. Thus, if the FBI is performing a raid of say, your house, the local police don’t accidentally think it is a (different kind of) crime in progress. This already happens, the key is that the log should be audited and not just a matter of coordination.A requirement that any surveillance operations within Seattle must be logged with the Seattle police – thus, the FBI would be required to notify the SPD, even if only for their spying activity.
• All legal statutes must be cited *during* collection as to why the collection was undertaken in the first place.
• All electronic surveillance must be logged, including location, equipment type, legal justification and information on the officer(s) involved.
• All surveillance requests involving any non-SPD agency, company or private individual must be logged. For example, if SPD asks Google for data on Yoga Arts, that request must be logged.
• The ordinance should specify that all surveillance data or metadata is only for use with the SPD and is not for data sharing with WSIN, the State of Washington, any Federal agency or any other agency, company, or person without a specific court order.
• A log of all contact made with those under surveillance – that is – each time a person is under surveillance and the collection ends, the person should be notified and it should be logged. A lack of notification should also be logged. This information should become public record automatically and absolutely handed over during a Privacy Act Request (PAR) by the target of surveillance.
• If there was a sneak-and-peak warrantless search (eg: PATRIOT Act, Section 215) or a search conducted with a sealed warrant, this must be logged specifically as such. It should be logged with a third party that is not the SPD. We’re open to suggestions as to which party is a good one. It seems that the Mayor’s office is probably a reasonable first choice.
• If during the course of a surveillance operation, a person is in harm’s way and disclosure *could* expose the surveillance operation, the surveillance team has a *duty* to put public safety before secrecy of the specific operation. This is already the case with good Samaritan laws in most states – when we see a person in trouble, we are required by law to help. For better or worse, it should apply to law enforcement and intelligence agencies, even if it would otherwise harm the secrecy of the operation.

Enforcement

• Ordinance 124142 must be enforced, and penalties for violation must be specified.