LAS VEGAS–Patching laws is much harder than patching software, especially when the law in question is the Constitution.
Jennifer Granick, surveillance and cybersecurity counsel for the American Civil Liberties Union, came to Black Hat to discuss possible workarounds for a particularly patch-resistant statute: the Fourth Amendment and its protections against “unreasonable searches and seizures” by the government.
Today, exponentially more data about people’s “persons, houses, papers, and effects” both exists and is available to government investigators than people could have imagined when that amendment was ratified in 1791 along with the rest of the Bill of Rights.
But the Fourth Amendment’s 54 words remain unchanged, subject to only the occasional reinterpretation via a court ruling. In the most recent major case, 2018’s Carpenter v. United States, the Supreme Court held that law-enforcement investigators need a warrant to collect historical cell-site location information about a suspect’s whereabouts from a wireless carrier.
“Our attack surface has greatly expanded, and the Fourth Amendment is just hanging out there,” Granick said in opening her 40-minute talk on Thursday. “It hasn’t expanded security protections for all these new kinds of data that are being created.”
Granick identified three vulnerabilities to bulk searches that she finds particularly concerning, challenging attendees to explore ways to ensure that their own work does not enable Fourth Amendment exploits by government investigators.
One is data brokers that assemble and combine vast amounts of information about Americans and sell it off to interested parties that can easily include the government. Even individual experts struggle to escape the scrutiny of data brokers, and bills to rein in their activity have gone nowhere in Congress.
“They’re giving the government information that would be unavailable without a warrant,” Granick said. She added that government transactions with data brokers can evade the Fourth Amendment’s “particularity requirement” that a warrant specify “the place to be searched, and the persons or things to be seized.”
The second is the repurposing of existing government databases for law-enforcement practices, which the Trump administration has greatly stepped up to find undocumented immigrants to detain and deport. Granick cited the Internal Revenue Service’s “unprecedented” move to share more than 7 million tax records with the Department of Homeland Security, a development ProPublica reported in July.
The third is “reverse searches,” in which law-enforcement investigators can leverage the vast amounts of data collected from people’s smartphones to request data not on the location of a particular suspect, but on the identity of every person near a suspected crime.
Suggesting that the authors of the Bill of Rights “would have thought of that as witchcraft,” Granick observed that reverse searches are now “everyday experience in criminal courts.” For example, police investigators used “geofence warrants” to find many Jan. 6 rioters whom President Trump promptly pardoned after his return to the White House.
(Granick noted that anxiety over tech-enabled blanket surveillance “is not a partisan concern.”)
In this last example, Granick could point to concrete action by a tech company that addressed this vulnerability: Google’s decision in late 2023 to move Google Maps location histories from its cloud to individual mobile devices, with the option of end-to-end encrypted online backups that it cannot access. Granick called that “exactly the kind of thing” she would like to see more of from tech firms. She asked: “How can we not have these enticing repositories of information?”
She closed the talk with a series of suggestions for attendees to take back to their employers, most of which would represent a break from business as usual in fields ranging from web design to automobiles:
- Have a plan for when governments request user data that includes notifying customers (assuming that a gag order doesn’t prevent that warning) and fighting those requests in court.
- Give customers options to make their data harder to access.
- “Don’t collect data that you don’t need”—and encrypt as much of it as possible.
- Bring a broader perspective to threat modeling: “Include the government and law enforcement in your risk assessment.”
Granick voiced hope in the ability of tech firms to redeem themselves with more thoughtful choices: “Technology really took our privacy away, but I am optimistic that it can give us back our privacy as well.”
But outside Black Hat’s sessions and exhibits, management at many of the largest tech companies seems more focused on avoiding Trump’s wrath over allegedly “woke” practices and dodging his latest rounds of threatened tariffs.