Newsweek reports: Artificial intelligence has become one of Ukraine's most "effective tools" in identifying potential saboteurs amid the ongoing war with Russia, according to the Ukrainian Ministry of Internal Affairs. The ministry issued a report Wednesday on law enforcement's anti-sabotage activities aimed at stopping people in Ukraine who may compromise the counteroffensive or aid Russia in its assault.

Officers have been using software on tablets to check if a person they view as "suspicious" is already listed in databases, including a police database of about 2 million people suspected of holding positions in paramilitary units from the far-right faction known as the Liberal Democratic Party of Russia (LDPR)... The ministry said that Ukrainian police have been fighting against such saboteurs ever since Russia invaded Ukraine. "More than 123 counter-sabotage groups were set up, and at least 1,500 people were involved," First Deputy Minister of Internal Affairs Yevgeny Yenin said in a statement, according to an English translation. "And the result was not long in coming: More than 800 people suspected of sabotage and intelligence activities were detained and handed over to the SBU (Security Service of Ukraine) for investigation."

The report, citing Yenin, said that the police database on people with suspected ties to the LDPR alone contains a "huge amount" of operational information that law enforcement and partners have compiled. This includes more than 10 billion photos, it said...

Russia has also reportedly contended with sabotage from supporters of Ukraine within its borders.

U.S. law enforcement have announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information -- including Social Security numbers, or SSNs -- of millions of Americans. From a report: The operation was conducted by the FBI, the Internal Revenue Service (IRS), and the Department of Justice (DOJ), with help from the Cyprus Police, to seize four domains hosting the SSNDOB marketplace -- ssndob[dot]ws, ssndob[dot]vip, ssndob[dot]club, and blackjob[dot]biz. SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. Chainalysis, a blockchain analysis company, reports separately that the marketplace has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been active since at least 2013. These figures suggest that some users were buying personally identifiable information from the service in bulk, according to Chainalysis, which also uncovered a connection between SSNDOB and Joker's Stash, a large dark net market focused on stolen credit card information that shut down in January 2021.

IRA Financial Trust, a platform that lets users save for retirement in alternative assets like cryptocurrency, is suing the Gemini cryptocurrency exchange over an alleged failure to protect its customers from a heist that resulted in the theft of $36 million in crypto. The financial platform partners with Gemini, owned by the Winklevoss twins, Cameron and Tyler, to allow customers to trade and store cryptocurrency. From a report: In February, IRA was the victim of a major attack that drained the millions in funds customers had stored with Gemini. The company was reportedly swatted, the act of calling the police to report a fake crime at someone's location, when the cyberattack occurred. Police showed up at IRA's South Dakota headquarters after false reports of a robbery, while bad actors made off with millions in crypto. At the time, a source close to Gemini told CoinDesk it wasn't hacked and that it makes various security controls available to its partners. "Gemini knew about the risks attendant to crypto assets," IRA's complaint states. "In fact, it built its public image around purportedly mitigating those risks. But like so much else in the world of crypto, Gemini's image is just that: an image. In reality, Gemini brushes security aside when there is a chance to earn more revenue."

Several readers have shared the following report: Messaging apps that offer end-to-end encryption can claim that they're protecting their users by saying that they've thrown away the key -- metaphorical and literal -- and can't undo what's been scrambled in transmission. Telegram, however, claims it protects every user whether they use E2EE or not, saying that government data requests have to pass an especially high muster before they would comply and that they have never acceded to such request. Not so, a report claims. Der Spiegel reports from sources that Telegram has fulfilled a number data requests from Germany's Federal Criminal Police Office involving terror and child abuse suspects. Still more data requests for other criminal cases have been more or less ignored. [...] The German government has been pressuring Dubai-based Telegram to cooperate with its investigations into right-wing extremist groups who have been using the messaging platform to spread their cause and coordinate action. Telegram has ramped up its own enforcement actions recently, but its user and group bans have been as comprehensive as lawmakers have been looking for.

An anonymous reader quotes a report from Reuters: Clearview AI is expanding sales of its facial recognition software to companies from mainly serving the police, it told Reuters, inviting scrutiny on how the startup capitalizes on billions of photos it scrapes from social media profiles. [...] Clearview primarily helps police identify people through social media images, but that business is under threat due to regulatory investigations. The settlement with the American Civil Liberties Union bans Clearview from providing the social-media capability to corporate clients.

Instead of online photo comparisons, the new private-sector offering [called "Clearview Consent"] matches people to ID photos and other data that clients collect with subjects' permission. It is meant to verify identities for access to physical or digital spaces. Vaale, a Colombian app-based lending startup, said it was adopting Clearview to match selfies to user-uploaded ID photos. [...] Clearview AI CEO Hoan Ton-That said a U.S. company selling visitor management systems to schools had signed up as well. He said a customer's photo database is stored as long as they wish and not shared with others, nor used to train Clearview's AI. But the face-matching that Clearview is selling to companies was trained on social media photos. It said the diverse collection of public images reduces racial bias and other weaknesses that affect rival systems constrained by smaller datasets. The company outlined their path forward in a press release Wednesday.

"Today, FRT is used to unlock your phone, verify your identity, board an airplane, access a building, and even for payment," Clearview AI CEO Hoan Ton-That said in a statement. "Now, we are offering companies who use facial recognition as part of a consent-based workflow access to Clearview AI's superior, industry-leading FRT algorithm, bringing an increased level of security and protection to the marketplace."

He added: "Using facial recognition as a preventative measure means fewer crimes and fewer victims. Ultimately, Clearview Consent is all about making everyday consumers feel more secure in a world that is rife with crime and fraud."

An anonymous reader shares a report: In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn't require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system. "To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence," Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

An anonymous reader quotes a report from TorrentFreak: The ordeal of three people, who edited major movies down to 10 minutes and then uploaded those summaries to YouTube, is not over yet. After being arrested and found guilty in a criminal court last year, they now face action in the civil courts. A total of 13 companies including Toei, Kadokawa, Nikkatsu, and Fuji, say they are entitled to at least $3.9 million in copyright damages. [...] Clear indications of how seriously the anti-piracy groups and media companies are taking this action were on display after the lawsuit was filed last week. A press conference was held in Tokyo with a representative of CODA and three attorneys present to answer questions on the case.

Those present, including CODA director Takero Goto, highlighted that the three defendants committed criminal acts when they uploaded the movie edits and then profited from advertising revenue. The civil action aims to underline those convictions with a strong message that rightsholders will not allow people to free-ride on creators' content without facing significant financial consequences. The overall message is one of deterrence coupled with the reaffirmation of copyright law, Goto said.

An anonymous reader quotes a report from The Guardian: Dutch police have received dozens of leads after using deepfake technology to virtually bring to life a teenager almost two decades after his murder. Sedar Soares was shot dead in 2003 while throwing snowballs with friends in the parking lot of a Rotterdam metro station. The 13-year-old's murder baffled police for years. Now, with the permission of Sedar's family, they have made a video in which the teen asks the public to help solve the cold-case crime.

In what Dutch police believe could be a world first, an eerily lifelike image of Sedar appears in the video as he greets the camera and picks up a football. Accompanied by stirring music, he walks through a guard of honor on the field, comprising his relatives, former teachers and friends. "Somebody must know who murdered my darling brother. That's why he has been brought back to life for this film," a voice says, before Sedar stops and drops his ball. "Do you know more? Then speak," Sedar and his relatives and friends say, before his image disappears from the field and the video gives the police contact details. Dutch police have posted the deepfake video on YouTube. You can also watch the making of the video in the documentary "Speak! Now!"

Over the past few weeks, Google Messages users in India have been reporting more and more ads showing up through RCS messaging. 9to5Google reports: While many brands -- even in the US and other countries -- have used messaging apps and SMS texts to advertise new products to former customers, these ads going on in India are not necessarily the result of a user's buying activity. Business messaging on RCS, as Google's Jibe website points out, is supposed to be used for things such as sending copies of your travel tickets or sending links for buying additional products based on a past purchase based on a user's request. [...] That is very much not what is happening in India right now.

Brought to our attention by Ishan Argwal on Twitter, RCS ads in Google Messages appear to be coming from "Verified Business" accounts. Google first announced that functionality back in 2020, for the purposes of allowing customers to talk to businesses. Advertising was surely part of the functionality, but it's clearly being abused in India. Android Police says these ads have been going out for almost a year now, citing examples of ads sent by Kotak Mahindra Bank, Bajaj Finserv, Buddy Loan, and PolicyBazaar. From what we can tell from user reports, it appears the frequency of these ads has been picking up over the past few months especially.

These ads are not harmless, either, with many of the examples we've seen being for personal loans, a category that tends to be full of predatory practices. One user reports that they were sent one of these ads on a phone that didn't even have an active SIM card in it. Currently, it seems as though this practice is primarily happening in the Indian market, at least in this quantity. What can be done about these ads in Google Messages? The solutions are all not quite ideal, unfortunately. You can report these businesses and block them from sending future messages [...]. Alternatively, you can turn off RCS features entirely within the Google Messages app.

schwit1 shares a report: The House of Representatives [...] will provide taxpayer-funded Peloton memberships to all of its staff, costing taxpayers roughly $100,000 per month. The move comes one year after the fitness company set up a lobbying shop in Washington. Memberships to the exercise service, which offers workout classes, will be available to House staff in Washington, D.C., and in district offices, as well as to Capitol police officers, Fox Business reported. The number of people eligible for the fully taxpayer-funded memberships totals roughly 12,300.

Under the contract with Peloton, which takes effect May 18, the government will pay the company $10,000 up front and $10 per month for each staffer who chooses to enroll, according to Fox Business. With high participation among House staffers, the monthly cost of the contract for taxpayers could exceed $100,000 per month. [...] In March 2021, Peloton hired an in-house lobbyist and two lobbying firms to influence Congress on issues including "government programming to support health and wellness of Americans."

BeerFartMoron shares a report from Motherboard: For the last five years, driverless car companies have been testing their vehicles on public roads. These vehicles constantly roam neighborhoods while laden with a variety of sensors including video cameras capturing everything going on around them in order to operate safely and analyze instances where they don't. While the companies themselves, such as Alphabet's Waymo and General Motors' Cruise, tout the potential transportation benefits their services may one day offer, they don't publicize another use case, one that is far less hypothetical: Mobile surveillance cameras for police departments.

"Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads," says a San Francisco Police department training document obtained by Motherboard via a public records request. "Investigations has already done this several times."

Privacy advocates say the revelation that police are actively using AV footage is cause for alarm. "This is very concerning," Electronic Frontier Foundation (EFF) senior staff attorney Adam Schwartz told Motherboard. He said cars in general are troves of personal consumer data, but autonomous vehicles will have even more of that data from capturing the details of the world around them. "So when we see any police department identify AVs as a new source of evidence, that's very concerning."

As companies continue to make public roadways their testing grounds for these vehicles, everyone should understand them for what they are -- rolling surveillance devices that expand existing widespread spying technologies," said Chris Gilliard, Visiting Research Fellow at Harvard Kennedy School Shorenstein Center. "Law enforcement agencies already have access to automated license plate readers, geofence warrants, Ring Doorbell footage, as well as the ability to purchase location data. This practice will extend the reach of an already pervasive web of surveillance."

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA. According to this page at the Justice Department website, LEIA "provides federated search capabilities for both EPIC and external database repositories," including data classified as "law enforcement sensitive" and "mission sensitive" to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA's El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community. EPIC and LEIA also have access to the DEA's National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins). The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley. Weaver said it's clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases. "I don't think these [people] realize what they got, how much money the cartels would pay for access to this," Weaver said. "Especially because as a cartel you don't search for yourself you search for your enemies, so that even if it's discovered there is no loss to you of putting things ONTO the DEA's radar."

Facial recognition is making a comeback in the United States as bans to thwart the technology and curb racial bias in policing come under threat amid a surge in crime and increased lobbying from developers. From a report: Virginia in July will eliminate its prohibition on local police use of facial recognition a year after approving it, and California and the city of New Orleans as soon as this month could be next to hit the undo button. Homicide reports in New Orleans rose 67% over the last two years compared with the pair before, and police say they need every possible tool. "Technology is needed to solve these crimes and to hold individuals accountable," police Superintendent Shaun Ferguson told reporters as he called on the city council to repeal a ban that went into effect last year.

Thieves are targeting digital currency investors on the street in a wave of "crypto muggings," police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized. From a report: Anonymised crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital knowhow to part people from their cryptocurrency. One victim reported they had been trying to order an Uber near Londonâ(TM)s Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realised that $6,150-worth of ethereum digital currency was missing from their account with the crypto investing platform Coinbase.

In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account. A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.

An anonymous reader quotes a report from Engadget: Notorious facial recognition company Clearview AI has agreed to permanently halt sales of its massive biometric database to all private companies and individuals in the United States as part of a legal settlement with the American Civil Liberties Union, per court records. Monday's announcement marks the close of a two-year legal dispute brought by the ACLU and privacy advocate groups in May of 2020 against the company over allegations that it had violated BIPA, the 2008 Illinois Biometric Information Privacy Act. This act requires companies to obtain permission before harvesting a person's biometric information -- fingerprints, gait metrics, iris scans and faceprints for example -- and empowers users to sue the companies who do not.

In addition to the nationwide private party sales ban, Clearview will not offer any of its services to Illinois local and state law enforcement agencies (as well as all private parties) for the next five years. "This means that within Illinois, Clearview cannot take advantage of BIPA's exception for government contractors during that time," the ACLU points out, though Federal agencies, state and local law enforcement departments outside of Illinois will be unaffected. That's not all. Clearview must also end its free trial program for police officers, erect and maintain an opt-out page for Illinois residents, and spend $50,000 advertising it online. The settlement must still be approved by a federal judge before it takes effect. "Fourteen years ago, the ACLU of Illinois led the effort to enact BIPA -- a groundbreaking statute to deal with the growing use of sensitive biometric information without any notice and without meaningful consent," Rebecca Glenberg, staff attorney for the ACLU of Illinois, said in a statement. "BIPA was intended to curb exactly the kind of broad-based surveillance that Clearview's app enables. Today's agreement begins to ensure that Clearview complies with the law. This should be a strong signal to other state legislatures to adopt similar statutes."

The Securities and Exchange Commission is vastly expanding its fight against cryptocurrency fraud by hiring more than a dozen new employees to combat cybercrime, the agency said Tuesday. From a report: The additional 20 positions will result in almost a doubling in size of the agency's Cyber Unit, which is also being renamed the Crypto Assets and Cyber Unit to reflect the group's growing mission, the SEC said in a release. The Cyber Unit was first founded within the SEC's enforcement division in 2017. "By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity," SEC Chair Gary Gensler said in a statement.

Telegram appears to be testing another way for the super popular messaging app to start bringing in revenue. From a report: Beta testers for Telegram's iOS app noticed something new in version 8.7.2, as first spotted by Android Police: a new set of stickers and reaction emoji that you can only unlock "by subscribing to Telegram Premium." Telegram Premium, of course, doesn't exist yet. But right now, users with access to Telegram's TestFlight builds and its Test Server are able to send each other exploding-heart and flying-ghost reactions, a sticker in which that cute blobby yellow duck is just unbearably sad, and a few other new things. And it appears that, ultimately, even the recipients of those messages will need Telegram Premium to see them; if you send a non-subscriber a sad duck, they'll get a prompt to sign up.

An anonymous reader quotes a report from The Verge: The EU has agreed on another ambitious piece of legislation to police the online world. Early Saturday morning, after hours of negotiations, the bloc agreed on the broad terms of the Digital Services Act, or DSA, which will force tech companies to take greater responsibility for content that appears on their platforms. New obligations include removing illegal content and goods more quickly, explaining to users and researchers how their algorithms work, and taking stricter action on the spread of misinformation. Companies face fines of up to 6 percent of their annual turnover for noncompliance.

"The DSA will upgrade the ground-rules for all online services in the EU," said European Commission President Ursula von der Leyen in a statement. "It gives practical effect to the principle that what is illegal offline, should be illegal online. The greater the size, the greater the responsibilities of online platforms." [...] Although the legislation only applies to EU citizens, the effect of these laws will certainly be felt in other parts of the world, too. Global tech companies may decide it is more cost-effective to implement a single strategy to police content and take the EU's comparatively stringent regulations as their benchmark. Lawmakers in the US keen to rein in Big Tech with their own regulations have already begun looking to the EU's rules for inspiration.

The final text of the DSA has yet to be released, but the European Parliament and European Commission have detailed a number of obligations it will contain [...]. Although the broad terms of the DSA have now been agreed upon by the member states of the EU, the legal language still needs to be finalized and the act officially voted into law. This last step is seen as a formality at this point, though. The rules will apply to all companies 15 months after the act is voted into law, or from January 1st, 2024, whichever is later. "Large online platforms like Facebook will have to make the working of their recommender algorithms (used for sorting content on the News Feed or suggesting TV shows on Netflix) transparent to users," notes The Verge. "Users should also be offered a recommender system 'not based on profiling.' In the case of Instagram, for example, this would mean a chronological feed (as it introduced recently)."

The tech giants will also be prohibited from using "dark patterns" -- confusing or deceptive UIs designed to steer users into making certain choices. A detailed list of obligations contained in the DSA can be found in the article.

CNN profiles Bellingcat, a Netherlands-based investigative group specializing in "open-source intelligence". And investigator Christo Grozev tells CNN that authoritarian governments make their work easier, because "they love to gather data, comprehensive data, on ... what they consider to be their subjects, and therefore there's a lot of centralized data."

"And second, there's a lot of petty corruption ... within the law enforcement system, and this data market thrives on that." Billions have been spent on creating sophisticated encrypted communications for the military in Russia. But most of that money has been stolen in corrupt kickbacks, and the result is they didn't have that functioning system... It is shocking how incompetent they are. But it was to be expected, because it's a reflection of 23 years of corrupt government.
Interestingly there's apparently less corruption in China — though more whistleblowers. But Bellingcat's first investigation involved the 2014 downing of a Boeing 777 over eastern Ukraine that killed 283 passengers. (The Dutch Safety Board later concluded it was downed by a surface-to-air missile launched from pro-Russian separatist-controlled territory in Ukraine.) "At that time, a lot of public data was available on Russian soldiers, Russian spies, and so on and so forth — because they still hadn't caught up with the times, so they kept a lot of digital traces, social media, posting selfies in front of weapons that shoot down airliners. That's where we kind of perfected the art of reconstructing a crime based on digital breadcrumbs..."

"By 2016, it was no longer possible to find soldiers leaving status selfies on the internet because a new law had been passed in Russia, for example, banning the use of mobile phones by secret services and by soldiers. So we had to develop a new way to get data on government crime. We found our way into this gray market of data in Russia, which is comprised of many, many gigabytes of leaked databases, car registration databases, passport databases. Most of these are available for free, completely freely downloadable from torrent sites or from forums and the internet." And for some of them, they're more current. You actually can buy the data through a broker, so we decided that in cases when we have a strong enough hypothesis that a government has committed the crime, we should probably drop our ethical boundaries from using such data — as long as it is verifiable, as long as it is not coming from one source only but corroborated by at least two or three other sources of data. That's how we develop it. And the first big use case for this approach was the ... poisoning of Sergei and Yulia Skripal in 2018 (in the United Kingdom), when we used this combination of open source and data bought from the gray market in Russia to piece together who exactly the two poisoners were. And that worked tremendously....

It has been what I best describe as a multilevel computer game.... [W]hen we first learned that we can get private data, passport files and residence files on Russian spies who go around killing people, they closed the files on those people. So every spy suddenly had a missing passport file in the central password database. But that opened up a completely new way for us to identify spies, because we were just able to compare older versions of the database to newer versions. So that allowed us to find a bad group of spies that we didn't even know existed before.

The Russian government did realize that that's maybe a bad idea to hide them from us, so they reopened those files but just started poisoning data. They started changing the photographs of some of these people to similar looking, like lookalikes of the people, so that they confused us or embarrass us if we publish a finding but it's for the wrong guy. And then we'll learn how to beat that.
When asked about having dropped some ethical boundaries about data use, Grozev replies "everything changes. Therefore, the rules of journalism should change with the changing times." "And it's not common that journalism was investigating governments conducting government-sanctioned crimes, but now it's happening." With a country's ruler proclaiming perpetual supreme power, "This is not a model that traditional journalism can investigate properly. It's not even a model that traditional law enforcement can investigate properly." I'll give an example. When the British police asked, by international agreement, for cooperation from the Russian government to provide evidence on who exactly these guys were who were hanging around the Skripals' house in 2018, they got completely fraudulent, fake data from the Russian government....

So the only way to counter that as a journalist is to get the data that the Russian government is refusing to hand over. And if this is the only way to get it, and if you can be sure that you can prove that this is valid data and authentic data — I think it is incumbent on journalists to find the truth. And especially when law enforcement refuses to find the truth because of honoring the sovereign system of respecting other governments.
It was Bellingcat that identified the spies who's poisoned Russian opposition leader Alexey Navalny. CNN suggests that for more details on their investigation, and "to understand Vladimir Putin's stranglehold on power in Russia, watch the new film Navalny which premieres Sunday at 9 p.m. ET on CNN."

The movie's tagline? "Poison always leaves a trail."

The nonprofit online news site Virginia Mercury investigated their state police departments' "real-time location warrants," which are "addressed to telephone companies, ordering them to regularly ping a customers' phone for its GPS location and share the results with police." Public records requests submitted to a sampling of 18 police departments around the state found officers used the technique to conduct more than 7,000 days worth of surveillance in 2020. Court records show the tracking efforts spanned cases ranging from high-profile murders to minor larcenies.... Seven departments responded that they did not have any relevant billing records, indicating they don't use the technique. Only one of the departments surveyed, Alexandria, indicated it had an internal policy governing how their officers use cellphone tracking, but a copy of the document provided by the city was entirely redacted....

Drug investigations accounted for more than 60 percent of the search warrants taken out in the two jurisdictions. Larcenies were the second most frequent category. Major crimes like murders, rapes and abductions made up a fraction of the tracking requests, accounting for just under 25 of the nearly 400 warrants filed in the jurisdictions that year.
America's Supreme Court "ruled that warrantless cellphone tracking is unconstitutional back in 2012," the article points out — but in practice those warrants aren't hard to get. "Officers simply have to attest in an affidavit that they have probable cause that the tracking data is 'relevant to a crime that is being committed or has been committed'.... There's been limited public discussion or awareness of the kinds of tracking warrants the judiciary is approving." "I don't think people know that their cell phones can be converted to tracking devices by police with no notice," said Steve Benjamin, a criminal defense lawyer in Richmond who said he's recently noticed an uptick in cases in which officers employed the technique. "And the reality of modern life is everyone has their phone on them during the day and on their nightstand at night. ... It's as if the police tagged them with a chip under their skin, and people have no idea how easily this is accomplished."
The case for these phone-tracking warrants?

• The executive director of the Virginia Association of Chiefs of Police tells the site that physical surveillance ofen requires too many resources — and that cellphone tracking is safer. "It may be considered an intrusive way of gathering data on someone, but it's certainly less dangerous than physical tracking."
• A spokesperson for the Chesterfield County police department [responsible for 64% of the state's tracking] argued that "We exist to preserve human life and protect the vulnerable, and we will use all lawful tools at our disposal to do so." And they added that such "continued robust enforcement efforts" were a part of the reason that the county's still-rising number of fatal drug overdoses had not risen more.

The site also obtained bills from four major US cellphone carriers, and reported how much they were charging police for providing their cellphone-tracking services:

• "T-Mobile charged $30 per day, which comes to $900 per month of tracking."
• "AT&T charged a monthly service fee of $100 and an additional $25 per day the service is utilized, which comes to $850 per 30 days of tracking..."
• "Verizon calls the service 'periodic location updates,' charging $5 per day on top of a monthly service fee of $100, which comes to $200 per 30 days of tracking."
• "Sprint offered the cheapest prices to report locations back to law enforcement, charging a flat fee of $100 per month."

Thanks to Slashdot reader Beerismydad for sharing the article!