Latest in Aegis Paper Series
U.S. government access to at least some private market data—and the limiting of foreign access to this same information—is essential for national security.
Can governments purchase user records as an end-run around the warrant requirement imposed by Carpenter v. United States?
What are the legal and policy questions raised by gig surveillance work?
The perils that flow from facial recognition can be mitigated through sensible limits without banning the technology and the risks of facial recognition are less bad than the options police have without its use.
Although law enforcement investigations have always depended on information from private actors, modern technology and big data have transformed an analog collection process into an automated, digital one. This shift has elevated the role that private entities play in the investigative process, mirroring the growth of private influence across the entire criminal system. Many of these private influences have been fiercely criticized.
Policing increasingly relies on the collection of digital data, often of people for whom there is no basis for suspicion. Police seek fewer search warrants and more requests to harvest metadata, they buy data from brokers, they track location and other aspects of our lives. Sometimes police collect the data themselves. More often they gather it from third parties. They do so by purchase, and by court order.
Today, more than ever, law enforcement has access to massive amounts of consumer data that allow police to, essentially, pluck a suspect out of thin air. Internet service providers and third parties collect and aggregate precise location data generated by our devices and their apps, making it possible for law enforcement to easily determine everyone who was in a given area during a given time period.
What are the origins and evolution of the institutional, policy and legal frameworks that have come to define both the defensive and offensive aspects of the U.K. and U.S. models?
Among the most discussed provisions of the Tallinn Manual 2.0 is Rule 4: “Violation of sovereignty.” Rule 4 provides: “A State must not conduct cyber operations that violate the sovereignty of another State.” Considered alone, Rule 4 is banal and unobjectionable, since there are many established sovereignty-based international-law rules that cyber operations might violate.
The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.