Cars have become computers on wheels — and police have easy access to their data


This is Part 2 of a three-part series on automobile privacy that will run through the month of December. Read the previous installment here.

The crime was horrific: In 2019, an Ohio man was accused of shooting his wife, her parents and her aunt in the head, allegedly over mounting tensions with his in-laws about money and financial pressures created by expensive gifts he was buying for his longtime mistress.

Prosecutors relied heavily on testimony from an expert at a little-known vehicle forensics company called the Berla Corporation to make their case. The employee testified that the FBI asked him to extract data from Singh’s car using the company’s technology, which allows law enforcement to hoover up text messages, GPS locations, emails, call histories, pictures, videos, contact lists, social media feeds and information as granular as when a car door opens.

An FBI digital forensic examiner followed him on the stand, saying his analysis of data from the car’s hard drive put Singh’s vehicle at the scene of the crime at 9:09 p.m. Witnesses testified to hearing gunshots at the apartment between 9:15 p.m. and 9:30 p.m.

Although data collected from automobiles doesn’t always paint a perfect picture — the jury in Singh’s case deadlocked, and he is awaiting a retrial next year — the use of Berla’s technology raises controversial questions about how much consumers should trade their privacy to enhance law enforcement’s ability to solve crimes.

Since many citizens don’t know their car data can easily be sucked up by a company working with law enforcement, potentially without a warrant, the practice shines a light on the complex questions embedded in car data privacy.

And the issue is only growing as carmakers incorporate more computers into automobiles that collect and process vast amounts of data.

Car computer systems are “practically mobile phones at this point,” said Sean McKeever, a senior security specialist at cybersecurity firm GRIMM, which has a focus on automotive cyber. “The difference is my phone doesn’t leave my pocket. To get to my data on my phone you have to get to me, whereas my car is more of a stable target that can be towed away and accessed.”

Go-to source for vehicle forensics

Many police departments don’t discuss their investigative tools, but a quick web search for Berla suggests the company’s products are used widely. Law enforcement officials in San Diego, San Antonio and Anne Arundel County, Maryland, for example, have spoken publicly about the value they have derived from Berla’s tools.

While Berla has competitors, none appear to match its capabilities or reach with law enforcement. Its software is not available to the general public.

The Maryland-based company has been in the spotlight before, but it has taken on new relevance in the wake of a Washington State class action data privacy lawsuit highlighting the company’s capabilities and marketing statements in its claims against five automakers whose systems allegedly allow Berla software to access driver text messages and other data. A Seattle-based federal judge ruled last month that the practice did not violate state privacy laws, which require a victim to prove that “his or her business, his or her person, or his or her reputation” has been threatened.

Despite the controversy, Berla CEO Ben LeMere has never been shy about showcasing his product.

“We’ve assisted in pretty much every major terrorism investigation in the last year, from the Paris bombing to the Chattanooga, Tennessee, shooting to San Bernardino,” he told the Armed Forces Communications and Electronics Association International in 2016.

Police can extract cell phone data transferred to a car through its infotainment center. Image: Unsplash/Swansway Motor Group

Berla’s marketing slogan is “Staggering Amounts of Data. Endless Possibilities,” a claim that many in law enforcement appear to agree with. The company’s offerings are extensive and even allow law enforcement to search vehicle profiles from their cell phones. As of March 2022, the most recent data available, Berla’s software worked on 20,752 types of cars.

Police can use Berla’s tools — conceivably without a warrant — to access a car’s navigation system. If a driver has synced their phone with their car’s infotainment center, police can also extract cell phone data transferred to the car while the vehicle is connected.

The Department of Homeland Security began working with Berla in 2013, connecting the company with several state and local police departments. U.S. Customs and Border Protection, a DHS agency, reportedly paid more than $450,000 for five Berla vehicle forensic kits, according to a contract The Intercept reported in 2021. A spokesperson there did not respond to a request for comment, and a DHS spokesperson said it no longer partners with the firm.

A surveillance disclosure statement on the San Diego Police Department’s website says the Berla software it uses takes data stored in the car’s infotainment and telematics system, including vehicle events, location data and data from connected devices.

The document defines vehicle events as, for example, “door openings, ignition activity and seatbelt usage” along with date/time stamps and “the GPS location of the vehicle at the time of the event.”

“There is a chance a vehicle may contain devices connected to the vehicle that are unrelated to the specific criminal case,” the web disclosure says.

For such a powerful investigative tool, Berla’s software is relatively inexpensive, at least for smaller agencies. A San Antonio TV station in 2021 quoted local sheriff Javier Salazar saying the department had paid just $15,000 for a contract with the company across at least two years.

Car searches and the Constitution

Nearly 100 years ago, the U.S. Supreme Court established that there was an automobile exception to the Constitution’s protection against unreasonable searches and seizures. Today, that exception means that police are allowed to “warrantlessly dig into a vehicle’s computer system and extract vast amounts of cell phone data,” according to a paper published earlier this year by a William & Mary Law School professor.

“Just as the police can rip open seats or slash tires to search for drugs under the automobile exception, the police can warrantlessly extract data stored in a vehicle’s infotainment system,” Professor Adam Gershowitz wrote in the article, entitled “The Tesla Meets the Fourth Amendment.”

There is no such exception for cell phones, which police are not allowed to search without a warrant. Gershowitz said the automobile exception precedent dates to the bootlegging era when law enforcement searches only involved illegal physical objects like jugs of alcohol. The mobility of vehicles was used then to justify the warrantless searches, he said.

“That precedent in no way contemplates a world in which the stuff in the car is not tangible things like drugs or bootlegged alcohol or firearms,” Gershowitz said in an interview. “Now we live in a world in which the stuff in the car is an enormous amount of data that runs through the vehicle.”

Gershowitz’s 51-page article cited Berla 74 times, arguing that as sophisticated digital extraction techniques become more commonly used among law enforcement agencies — potentially without obtaining a warrant — there is a need for state and federal legislation to address the practice.

Citing reported court decisions from at least six states showing police downloaded data from vehicles without a warrant, Gershowitz said far more attention to the issue is merited.

“Given that there are nearly 18,000 law enforcement agencies across the country, it is likely that many police departments permit their officers to warrantlessly extract data from vehicles,” Gershowitz said in his article.

Searches of vehicles are wrongly held to comparatively low legal standards, meaning there is no need for a warrant, John Davisson, the director of litigation at the Electronic Privacy Information Center, concurred.

“If the information obtained using Berla appears in a criminal prosecution later on, there would be potential for that evidence to be excluded if law enforcement lacked the requisite reasonable suspicion or probable cause at the time that they exfiltrated the data,” Davisson said. “But there is no judge on the scene when law enforcement is stopping a vehicle so they could, as a practical matter, certainly get that data in the first instance.”

Computers on wheels

Berla declined to comment for this story, but LeMere has been candid when discussing the software in the past, in one case telling podcast interviewers that his team pulled data from 70 phones from the infotainment system in a rented Ford Explorer, capturing call logs, contacts, SMS histories and even Facebook and Twitter posts.

“It’s quite comical when you sit back and read some of the text messages,” he said.

On another podcast, now erased, LeMere was even more explicit, saying that many of the people whose infotainment systems he’s examined “aren’t doing anything wrong, but it’s pretty funny to see the hookers and blow request text messages and answers,” according to NBC News.

A major problem with the scale of the data extraction taking place is how unknown it is to most people.

“I don’t think most people when they use a car to send a text message would be surprised that, yes, their car is handling the data,” said Cody Venzke, senior policy counsel working on surveillance, privacy and technology at the ACLU. “What they are surprised about is the retention of that information.”

Data retention stems from the fact that cars are now effectively computers, according to McKeever.

“Just like any other computer, something that’s stored on it is going to leave a file,” he said of the infotainment center and other systems. “Car computers use the same basic technology as regular computers do — some of them even use the same operating systems.”

McKeever said the data retention is hard to avoid given the way computers work, but he allowed that manufacturers “could make it easier for customers to remove that information.”

He said today’s computerized car features were not built with consumer privacy in mind. It will not be an easy problem to fix either, he said, with privacy enhancements likely to cost millions of dollars and several years’ worth of supply chain changes.

Car manufacturers are all too aware of the troves of data they store and what Berla’s offerings can do, according to previous public statements from LeMere.

He has discussed his close ties to automakers and their suppliers in the past, saying at a 2016 Department of Homeland Security event that he has lent his security expertise to manufacturers to ensure Berla’s customers have easy access to their technology when needed.

He told the audience he only deals with manufacturers of infotainment systems when they agree to give law enforcement access to their products.

“It really is a double-edged sword of when we go out and give presentations, everyone is immediately scared to death and they never want to plug anything in their car again,” LeMere said. “But hopefully you guys aren’t going to murder anybody, so it’ll work out.”


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
