This article is making it seem like tracking pixels are illegal and require a search warrant. This is definitively not the case. Search warrants are required only when requesting that information from a third party or against a person's will.
When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
Having an embedded image from a third party server in an email is well within normal usage of email. Logging IP addresses of machines that access content on a web server is also well within the normal usage of that server.
I'm also not sure what the journalist is afraid of in this case. Your IP address reveals almost nothing about you beyond a rough physical location on its own. Considering the Navy sent this email they already know WHO the recipient is. From an editor or authors name I could most likely find what city they live in with no extra help beyond Google.
There absolutely isn't anything illegal or even suspicious about this. If you want to go absolutely crazy mad with paranoia maybe they could collude with another federal agency to tap that network connection... but that is INCREDIBLY unlikely for this.
> The Navy email to Navy Times contained hidden computer coding designed to extract the IP address of the Navy Times computer network and to send that information back to a server located in San Diego. Under U.S. criminal law, authorities normally have to obtain a subpoena or court order to acquire IP addresses or other metadata. Not using one could be a violation of existing privacy laws, including the Electronic Communications Privacy Act.
They lay it out pretty clearly in the article. What you are describing might be true for a private company, but that same behavior from a military branch of our government is very different.
This is a really interesting area of law that I don't think has been settled.
One could argue that attaching this tracking pixel to an email is similar to attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the supreme court ruled that placing a GPS device on violated the 4th amendment.
> "the Government's installation of a GPS device on a target's vehicle, and its use of that device to monitor the vehicle's movements, constitutes a 'search'"
Regardless of whether it was "well within normal usage of email" or not is kind of irrelevant.
It is also very different coming from the government as opposed to a private institution.
It is also very different to be targeting a news outlet (especially one that has been critical of you!).
I would absolutely challenge you on both points - this is ABSOLUTELY suspicious, and as they pointed out in the article, likely illegal – and I haven't gone crazy mad with paranoia.
>One could argue that attaching this tracking pixel to an email is similar to attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the supreme court ruled that placing a GPS device on violated the 4th amendment.
One can't make this arguments based on the Jones ruling because Jones doesn't apply in this situation. The entire reason why the court ruled that physically attaching a GPS tracker to a car is against the fourth amendment is because attaching the device involves physical trespass on a suspect's vehicle which they considered part of his "personal effects." A tracking pixel doesn't have the physical intrusion bit that the court found unconstitutional. In Jones the court only addressed the physical intrusion, not the GPS data itself.
>Also left unanswered was the broader question surrounding the privacy implications of a warrantless use of GPS data absent a physical intrusion – as might occur, for example, with the electronic collection of GPS data from wireless service providers or factory-installed vehicle tracking and navigation services.[27] The Court left this to be decided in some future case, saying, "It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question."[36]
The real problem is that it is acceptable for lawyers to use email for sensitive communications. Many lawyers just don't understand-- and don't want to. The rules that allow them to practice forbid being nefarious.
My take on it is that the real problem is email software not making it clear-as-day to the user that the message they are about to open is in fact a webpage, and that they will be actively connecting to the World Wide Web to load it, and potentially allowing third parties know that they have opened the message.
Regular people won't make the mail <-> WWW connection in their head without being told, nor should they be expected to.
> The entire reason why the court ruled that physically attaching a GPS tracker to a car is against the fourth amendment is because attaching the device involves physical trespass on a suspect's vehicle which they considered part of his "personal effects."
I understand how you're just trying to reason from the other side. Just trying to show how the reverse argument might happen.
As far as I'm aware, one of the reasons "hacking" has been defined to be a crime, is that unauthorised access to someone's machine has also been defined as a kind of trespass. Allowing them to rule that deploying code from one location to another is also trespass against the physical location.
Carpenter is a fascinating case and you're astute to bring it up. If the tracking image were capable of actually tracking the entirety of someone's location (the way CSLI is), then Carpenter would probably apply.
Assuming it is just a normal tracking image, though, it doesn't provide "detailed, encyclopedic, and effortlessly compiled" information about someone's activities - just whether they opened that particular email while displaying remote images, and - if so - their HTTP request. I think it's unlikely this fits the facts under Carpenter.
Also, Carpenter was about a warrantless search. We really have no idea if the prosecutors did this on their own initiative to try to address the violation of the protective order, or if they did it at NCIS's behest after a warrant. It's entirely possible that this is at NCIS's initiative. Still a lot of facts to uncover here.
I've already argued against your first quote in the post. The privacy acts only apply when the government is getting the data from third parties such as from an email provider or ISP. In this case the image is directly communicating back to their servers and no third parties are involved. Communications between two parties are not subject to the privacy laws when you are one of those two parties.
The target is irrelevant in the case of legality. The only additional protections a journalist has is on not revealing their sources. This doesn't impact or interact with other emails so no sources could be compromised via a tracking pixel. Being "shady" isn't illegal and I wouldn't even say a tracking pixel is shady. The closest approximation of what this tracking pixel is doing is as a read receipt for a piece of mail.
If you want to quote "United States v Jones in 2012" against others you should probably be aware of what the presiding judges actually ruled. It was determined that the action was illegal only because physically attaching the device was considered trespass of private property not because the tracking of the vehicle's location required a search warrant.
If you wanted to make a similar argument you would have to instead refer to the Computer Fraud and Abuse Act to cover something similar to digital trespass. A tracking pixel does not violate that law under any circumstance that I'm aware of.
Any action by the government that can be seen to be chilling toward a free press can be interpreted as a violation of the first amendment. It's not as black and white as you make it out to be, and remember new precedents are being set all the time. They're also in the ninth circuit which is historically hugely favorable to these kinds of cases. You get a strong enough case, a lot of money and a creative lawyer, you might be able to make some caselaw here. There's at least a baseline argument for it.
That said, target is not irrelevant for illegality. There's also an issue of ethics in targeting other lawyers; if I was the defense lawyer this is the issue I'd be pushing like crazy with the judge, ethics panels, etc. Right or wrong, they can do something with that, esp. if they can get some discovery that proves there was actually an attempt to target -- that would be huge. (And they're not allowed to delete any documents to that effect since they are the government).
It ups it entirely another level in that it also was received by defense counsel. That really isn't going to look good for them.From the article: "In the judicial part of this equation, tracking devices give the user an unfair advantage in court proceedings. If you know who your opposing counsel is contacting, you can divine how they are building their case and find ways to counter it."
They can also do discovery to find out the intent behind the pixel -- if they find anything about tracking to find the source of the journalist or learn about the defense, they risk having the entire case thrown out.
This could get really, really interesting. If I was the defense lawyer I would push this as far as I possibly could.
Conversely, it’s also like the police offering you a can of soda as they question you and then later swabbing the empty van for DNA evidence. Totally legal if a bit sneaky.
> They lay it out pretty clearly in the article. What you are describing might be true for a private company, but that same behavior from a military branch of our government is very different.
Belated edit: Given that Constitution-based arguments are being used against the Navy, it's interesting to note that the Constitution outlawed private corporations. Unless they had public-interest charters. And that didn't change until the late 1800s.
> If you want to go absolutely crazy mad with paranoia maybe they could collude with another federal agency to tap that network connection... but that is INCREDIBLY unlikely for this.
Sorry for the undeveloped response, but....hahahaha
>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
That’s not the legal standard for searches and seizures under the 4th amendment.
It’s about the reasonable expectation of privacy, and when a defense attorney emails their client the client has a reasonable expectation of privacy. A reasonable person doesn’t think the prosecutor has embedded tracking into emails sent to their attorney which will relay information back to the prosecutor when shared forwarded to the client by the defense attorney.
>>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
>That’s not the legal standard for searches and seizures under the 4th amendment.
Regardless of the location, a conversation is protected from unreasonable search and seizure under the Fourth Amendment if it is made with a "reasonable expectation of privacy".
The law is not and never was:
>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
I have what I consider to be a reasonable expectation of privacy not to have 3rd party tracking pixels embedded in websites I visit via a secure connection on the internet.
Well I’m not so sure that is a reasonable expectation (certainly visiting a website isn’t the same as an attorney client communication), but either way the 4th amendment only applies to searches and seizures by the government not 3rd party websites.
Well as I previously mentioned the 4th amendment only protects from unreasonable searches and seizures by the government...reasonable belief or not the 4th amendment isn’t going to protect you from data collected by non-government actors (unless the government directed them to collect it for them).
>“He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,”
It seems the journalist here believes some tool much more powerful than a tracking pixel may have been used. I've never heard of a "splunk tool" and frankly it seems like BS, but if the journalist believes this then the tone of the article is explained.
From the technical perspective of how emails work and the limited subset of HTML being available inside them. I think this is a case of crying wolf without understanding technical capabilities.
The only way the access described there is even remotely possible is using a vulnerability in a systems image parser or network client stack (using only the URL and server response). Burning an unknown 0-day vulnerability with that level of power wouldn't be wasted on even a high profile military court case.
'It's normal usage' doesn't mean it's okay to a normal person or in any way reasonable. Hence all the privacy debate in recent years. Personally, I'm not okay with tracking pixels and would turn them off if I could.
Gmail will download images and serve them from Google servers to prevent this issue. Perhaps you can setup a similar plugin to automatically upload images to imgur or similar before the client displays them.
An email client fetching images is useful, and shouldn't need to be turned off. If someone sends me an email with a graph embedded, it's a great feature that it will show up where it's supposed to. Using that feature for tracking is an abuse of it, plain and simple. There's no way that was an intended part of the design.
Any reasonable embedding of a graph should be as an attachment that your client receives at the same time as the rest of the email.
> There's no way that was an intended part of the design.
There is certainly a way. And regardless of whether it's intended, it you're dead-set on configuring your system so that it automatically contacts arbitrary 3rd party servers, then you shouldn't be too surprised when that happens. "Bad guys" are known to be opportunistic.
This exact mindset of "here's a feature, I'm sure nobody out there on the Internet would use it maliciously" is what brought us several decades of Microsoft software vulnerabilities.
There are plenty of reasons. Many people use these in their emails to get effectively "read receipts". It's not even clear that this was an official military action or just one officer using a browser extension that embeds these images.
There is very very little information you can get from an individual image being loaded by a user agent.
If they're worried about leaks, it seems much more likely that they're interested in who is talking to who, which they can figure out if the email with the tracking pixel gets forwarded.
When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
Having an embedded image from a third party server in an email is well within normal usage of email. Logging IP addresses of machines that access content on a web server is also well within the normal usage of that server.
I'm also not sure what the journalist is afraid of in this case. Your IP address reveals almost nothing about you beyond a rough physical location on its own. Considering the Navy sent this email they already know WHO the recipient is. From an editor or authors name I could most likely find what city they live in with no extra help beyond Google.
There absolutely isn't anything illegal or even suspicious about this. If you want to go absolutely crazy mad with paranoia maybe they could collude with another federal agency to tap that network connection... but that is INCREDIBLY unlikely for this.