Can the DEA Buy Your Search History to Bust You for Cannabis?
Nugg Team | May 10, 2017
Perhaps it’s a myopic view, but the first concern I considered when hearing that our internet search histories just went up for grabs to the highest bidder was that the DEA might very much like to see mine.
Of course, they’d be sorely disappointed considering that I’m a part-time copywriter and much of what I Google is “top 10 gardening tools you just have to have” or “how to stop my dog from clawing my couch.” And I don’t even have a dog.
But what about those sites connected to activities that are completely legal on the state level, but not so much on the federal? What about our Weedmaps searches? Or other sites connected to legal cannabis products and activities?
It’s not like privacy for marijuana consumers isn’t an issue. It is. So much so that Oregon Governor Kate Brown just signed a bill preventing marijuana retailers from keeping customer data for more than four days.
Senate Bill 863 requires that all retailers eliminate their consumer data within the month and, quite frankly, most retailers are relieved since record keeping requirements slow down business. It’s a complete 180 from California’s laws which require patient and sales records to be kept for years, at an enormous fine per record if they’re lost.
[See Prop. 64 full text, Sec. 26160(f): If a licensee, or an agent or employee of a licensee, fails to maintain or provide the records required pursuant to this section, the licensee shall be subject to a citation and fine of up to thirty thousand dollars ($30,000) per individual violation.]
But how much does it matter that sales information is private if the DEA can just go to your ISP, see what you Googled, and go straight to your retailer?
Okay, that’s an extreme example. It’s not like they’re going to come after all pot consumers based on their internet search histories. But there are certain websites that could tip the DEA’s eye toward you in a very unpleasant way. If you think it’s not a concern, think again.
Last year an article by Americans for Tax Reform, an advocacy group for taxpayers, showed how the DEA “consistently searches through American travel records to seize millions of dollars using civil asset forfeiture.” And now Congress has given that dog another bone.
This is old news at this point (a few weeks at least). Congress passed this little monster that lifts the FCC’s restrictions on internet service providers’ ability to tap and sell our private (so we thought) internet search data. This data doesn’t just include what we look for, it includes where we are.
Think the DEA might find that useful in certain situations?
Guess what? They could already do this, and they have been for years. Law enforcement can already access an uncomfortable amount of information with nothing more than a subpoena.
- Our IP address: via the Electronic Communications Privacy Act investigators can access the IP addresses we visit; a subpoena can be obtained without a judge’s approval.
- Our online activities: using a court order, law enforcement can access other online activities that don’t include emails, files or browser histories.
- The rest: once the police can convince a judge that your browser history may contain evidence of criminal activity, they can obtain a warrant that gives them the key to absolutely everything.
Stephanie Lacambra, a criminal defense attorney for the Electronic Frontier Foundation, has pointed out that this data collection method is sometimes used for murder, domestic violence, and child pornography cases, “but there is nothing stopping police from applying for warrants in drug cases.”
With these search warrants, law enforcement can even go straight to providers like Google and request all of your user data. If you think that Google fights to protect the privacy of its users, think again. In 2015, they honored 85% of these requests for broad search history information.
Worse, police can just nab your phone and pull up the entire browsing history using software called Cellebrite. Literally EVERYTHING that’s left in the forgotten remains of your browser history is up for grabs. EVERYTHING. Now you have a good reason to delete it every single day.
This is enough to make Anthony Weiner sweat bullets.
If they couldn’t physically nab our cell phones or laptops, then the DEA would have had to convince a competent judge that our search history was worth having before the bill was passed.
How has this changed?
Not a whole lot, according to our interview with Karen Gullo at the Electronic Frontier Foundation.
“Last year the FCC passed a set of rules for how ISPs deal with their customers’ data. The commonsense rules updated longstanding federal protections for Internet users. Under the rules, ISPs would be required to protect your data and wouldn’t be allowed to do a host of creepy things, including sell your Internet browsing records without your consent. The resolution repealed those FCC privacy rules, which opens the door for ISPs to do a host of things, which we explain here… As I understand it, based on what our experts said, DEA isn’t affected by the resolution. Whatever they had been doing they can continue to do.”
Yes, this includes all of the activities listed above. But we don’t have to necessarily worry about the DEA going on an outright fishing expedition based on purchased search histories…yet.
Still, it’s nice to know that most internet service providers are also governed by their own privacy policies. Basically, this is a contract with their customers. Most have strict provisions that prohibit selling individual identifying information, meaning that if Google were to sell President Trump’s private browsing data to a private citizen, it would most likely cause a lawsuit of epic proportions.
Of course, this means all of those who’ve started Kickstarter funds to buy Congresspersons’ private browsing data (some of them are already in the six figures) are probably pissing in the wind; they can no more approach Yahoo and buy the President’s history than he can buy theirs.
But what does that matter when the police can already obtain everything we search for online with nothing more than a flimsy warrant that’s extremely easy to obtain according to Google’s own statistics?
The good news is that several states are already proposing their own legislation to keep ISPs from selling your user data/search history without consent. These include Connecticut, Illinois, Kansas, Maryland, Massachusetts, Minnesota, Montana, New York, Washington and Wisconsin.
Unfortunately, California is not one of these states.
But it can be. Contact your local representatives and tell them you support internet privacy protections in your upcoming statewide legislation. In the meantime, there are more immediate concerns, considering that your information has been up for free for years now.
The immediate steps that we need to take to protect our search history and privacy involve a bit more technical know-how.
First, always force your browser to use HTTPS. Your ISP can still see where you go, but it really can’t see much of what you’re doing there. If you’re on Google Chrome (the devil we know) you can install an extension that makes your browser use HTTPS whenever possible.
Second, consider using a Virtual Private Network (VPN). It may be less convenient, but it hides your IP. Don’t think that you can do anything you want behind it; believe me, if law enforcement really wants your browsing data, they can get past it. Worse, some VPN services have received warrants regarding individual browsing data and they’ve honored them. The only thing that a VPN protects you from is random data mining.
Third, consider using a Tor browser. This masks your identity further by bouncing your searches all over the world before landing at your destination. It’ll definitely slow your browsing down, but will add an extra layer of privacy.
Despite these precautions, at the end of the day cookies and snooping software rule. Your computer probably already has spyware, some of it even from law enforcement. So, the old adage wins: “Just because you’re paranoid, doesn’t mean they’re not out to get you.”
Assume everything you do online is being tracked, because it is. The only difference is that we’re one step closer to having our browsing data available to the highest bidder. We’re not quite there yet, but we might as well resign ourselves to the fact that we’re living in the Orwellian world of 1984. Ever so slowly we slip one step closer to the fabled Panopticon.