At Black Hat, Jennifer Granick warns against maintaining ‘enticing repositories of information.’
Patching laws is much harder than patching software, especially when the law in question is the Constitution.
Jennifer Granick, surveillance and cybersecurity counsel for the American Civil Liberties Union, came to Black Hat to discuss possible workarounds for a particularly patch-resistant statute: the Fourth Amendment and its protections against “unreasonable searches and seizures” by the government.
Today, exponentially more data about people’s “persons, houses, papers, and effects” both exists and is available to government investigators than people could have imagined when that amendment was ratified in 1791 along with the rest of the Bill of Rights.
But the Fourth Amendment’s 54 words remain unchanged, subject to only the occasional reinterpretation via a court ruling. In the most recent major case, 2018’s Carpenter v. United States, the Supreme Court held that law-enforcement investigators need a warrant to collect historical cell-site location information about a suspect’s whereabouts from a wireless carrier.
“Our attack surface has greatly expanded, and the Fourth Amendment is just hanging out there,” Granick said in opening her 40-minute talk on Thursday. “It hasn’t expanded security protections for all these new kinds of data that are being created.”
Granick identified three vulnerabilities to bulk searches that she finds particularly concerning, challenging audience attendees to explore ways that their own work does not enable Fourth Amendment exploits by government investigators.
