Year: 2013

  • CIA and NSA May Soon Gain Access to FinCEN

    By Kenneth Alan Agee

    Soon US spy agencies may have access to a large database of financial data, which includes a vast amount of US citizens’ financial data.  Earlier this month, Reuters was able to see a Treasury Department document that revealed that the Obama administration is planning on giving US spy agencies full access to Treasury’s Financial Crimes Enforcement Network (FinCEN).[1] FinCEN is a “massive database that contains financial data on American citizens and others who bank in the country.”[2] The database is used to fight terrorism and fraud. “Any transaction above $10,000 in value is documented, and over 25,000 financial institutions currently file reports to the network.”[3] Banks are also required to report “suspected incidents of money laundering, loan fraud, computer hacking or counterfeiting.”[4]

    Currently, the FBI has full access to the database, but spy agencies like the CIA and NSA only have access to data on a case-by-case basis upon request. The proposal would give them full access to the database, which would allow them to use this data for data mining: combining this financial data with other information they have collected and running it through complex algorithms in order to try to identify individuals whose information creates a suspicion of terrorism or other illegal activity.

    This proposal carries with it some serious privacy concerns. First, there is the problem that arises anytime one uses computer-based analysis over human analysis: the possibility of being wrong. A false positive can potentially be of great inconvenience to the accused. Second, as it has become easier to obtain large amounts of data, it has also become easy to store such data. This means it is unknown how long these agencies might have access to this data. Who knows what these agencies might be able to glean from this data in the future? Lastly, there is the concern over who else might be able to gain access to this information. The Internal Revenue Service? Other government agencies? Private actors hired by these spy agencies?

    Nevertheless, maybe these concerns are worth the possibility for increased security. The US faces great national security threats, and it could be argued that these concerns are minimal compared to the increased safety citizens obtain by relinquishing this data. Regardless, this will likely make many people queasy. Although if you’ve survived the FBI going through your bank accounts so far, could the CIA really make things any worse?

     



    [1] http://in.reuters.com/article/2013/03/13/usa-banks-spying-idINDEE92C0EH20130313

    [2] Id.

    [3] http://www.zdnet.com/spy-agencies-to-be-granted-access-to-us-citizen-finances-7000012612/

    [4] http://in.reuters.com/article/2013/03/13/usa-banks-spying-idINDEE92C0EH20130313

  • A critical case to balance Privacy and Law Enforcement Activities

    By Lina Enriquez

     

    Under the umbrella of the Privacy Act (1974), a provision expressed in 42 USC § 14135(a) allows agencies of the U.S. that arrest or detain or supervise individuals facing charges to collect DNA samples from them, even without their consent. The personal information, once collected, is stored and processed in the Combined DNA Index System (“CODIS”), which is a system of records as defined by the Privacy Act.

     

    The broad terms used in 42 USC § 14135(a) have served as grounds for many state laws allowing for DNA testing of arrestees. One of those laws, enacted in Maryland in 2010, as applied to the case of an arrestee who was subject to a warrantless DNA collection, is currently under analysis by the Supreme Court in Maryland v. King, a very significant case for defining the scope of privacy interests against the law enforcement purposes that government pursues through different systems of records such as CODIS. In November 2012, the Supreme Court decided to hear Maryland v. King to decide whether Maryland’s DNA Act is unconstitutional under the Fourth Amendment as applied to individuals arrested, but not convicted.

     

    The State of Maryland argued in its brief that DNA collection is just another mechanism of identification, like fingerprint collection, that it serves law enforcement purposes, and that the degree of intrusion upon the privacy of an arrestee is minimal because only the individual’s identity is compromised and arrestees “have a reduced expectation of privacy generally, and when it comes to identity specifically, no legitimate expectation of privacy.”

    http://www.americanbar.org/content/dam/aba/publications/supreme_court_preview/briefs-v2/12-207_pet.authcheckdam.pdf

     

    Arguing in favor of privacy rights, the Electronic Privacy Information Center (EPIC), a public interest research center, has filed a brief to warn that the collection of a DNA sample from an individual “raises a profound and far-reaching privacy concern. Genetic traits can identify family members and reveal predispositions to disease and mental illness. … DNA testing can also result in social stigma, discrimination in employment, barriers to health insurance, and other problems. As the Combined DNA Indexing System (CODIS) system has expanded, so too has the collection of this particularly sensitive personal information. Even after analyzing the sample to extract a CODIS profile, the government does not destroy it. … States indefinitely retain entire DNA samples after CODIS analysis is complete. Further, the dramatic expansion of CODIS underscores the likelihood that an increasing number of individuals will be subject to the collection of their DNA sample and its maintenance within the criminal justice system.”

    http://epic.org/amicus/dna-act/maryland/EPIC-Amicus-Brief.pdf

     

    This case, described by Justice Alito as “perhaps the most important criminal procedure case that this Court has heard in decades” (http://www.genomicslawreport.com/index.php/2013/02/27/all-eyes-on-maryland-v-king-recapping-the-supreme-court-oral-argument/), will doubtless be a cornerstone in defining whether government agencies are allowed to collect personal identification data for general law enforcement purposes and keep it stored to use it “within the scope of an authorized law enforcement activity” (See Becker v. Internal Revenue Service, 7th Cir. 1994), or whether enforcement agencies are not allowed to collect personal information without reasonable suspicion just because it can prove to be useful at some later stage.

     

  • Federal Court Strikes Down National Security Letter Statute

    By: Matt Zimmerman

    On Friday, the federal district court for the Northern District of California released a 24-page opinion in which it struck down a national security letter (NSL) statute — 18 U.S.C. § 2709 — that authorizes the FBI to obtain customer records from telecommunications companies and to gag those recipients from publicly disclosing that an NSL had been received.  In 2011, the Electronic Frontier Foundation (full disclosure:  I’m lead counsel on the case at EFF) filed a petition on behalf of an unnamed telecommunications provider to set aside both the NSL it received as well as the statute itself.  In our petition, EFF challenged both provisions of the NSL statute on First Amendment and separation of powers grounds.  The court granted our petition, agreeing that the statute amounted to a prior restraint without the necessary procedural safeguards required by the First Amendment.  Moreover, because it found that the statute was not severable, the court ordered that the entire statute must be struck down and that the FBI issue no further NSLs.

    This is a big deal.  While NSL statutes were first created in the mid-80s as a counter-intelligence tool to help ferret out spies, their scope was dramatically expanded by the PATRIOT Act to allow the FBI to obtain subscriber information about anyone so long as a field-level Special Agent in Charge certified that the information sought was “relevant” to a national security investigation.  NSL use has skyrocketed since the PATRIOT Act was passed, with the FBI issuing nearly 300,000 NSLs.

    While EFF’s petition challenged both NSL powers, the court’s order fundamentally rests on the procedural problems with the gag provision.  As written, the statute authorizes the FBI to gag an NSL recipient, indefinitely and without the need for any court oversight.  As the court found, this violates the Supreme Court’s First Amendment procedural requirements demanded where the government seeks to impose a prior restraint.  Under the Supreme Court’s 1965 Freedman vs. Maryland decision, a case evaluating a Maryland licensing scheme that required films to be evaluated by a government ratings board prior to public showings, a statute must be designed to ensure that any person who is gagged gets a quick, fair opportunity to challenge that decision, specifically:

    1. the burden must fall on the government to go to court to obtain approval for any gag

    2. the pre-review gag must be strictly limited in time, and

    3. the time in which a reviewing court must make its determination must be set to a “short fixed period compatible with sound judicial resolution.”

    The court found that the NSL statute plainly fails the Freedman test: the FBI can gag an NSL recipient on its own and without any judicial review, the statute does not force the government to initiate the review in the event that a recipient objects, and there are no requirements that a challenge be promptly heard or evaluated.  Just as in the Freedman case, the court here noted that the FBI was institutionally inclined to gag NSL recipients, and the statute improperly stacked the deck against NSL recipients if they chose to challenge the gag.

    The unconstitutionality of the nondisclosure provision proved fatal to the statute:  the court further determined that as the statute was not severable (i.e., that Congress did not intend that either provision could survive independently), the entire statute must be struck down, including the FBI’s ability to demand customer records.  Statistics cited by the court backed the court’s severability conclusion:  97% of all NSLs are delivered with a gag provision.

    While the court’s order was sweeping, little will change for the moment.  The court stayed its order for a 90-day period in which the government will likely file an appeal and seek a further stay until the Court of Appeals issues its own ruling.  For the moment, however, Judge Illston has given enormous support to critics of all stripes who have long argued that such an invasive, unchecked grant of power to the FBI was not justified and had to go.

  • Court Challenge to Scope of FTC Authority to Regulate Data Security

    By: Jenna Small

     

    In what is being called “unprecedented litigation,” the FTC has sued Wyndham Worldwide Corporation in federal court, alleging violations of Section 5 of the FTC Act for unfair and deceptive practices regarding Wyndham’s data security measures.  The FTC accused Wyndham of misrepresenting their information security policies and failing to provide sufficient security safeguards, which allegedly resulted in three major network breaches, the exposure of 600,000 credit card accounts and $10.6 million in fraudulent charges.

     

    Wyndham has moved to dismiss the complaint, arguing that the FTC lacks authority to regulate data security standards for all industries under the unfairness prong of Section 5.  Wyndham contends that this is a “classic example of agency overreaching” and the FTC’s authority to regulate data security is limited to those areas where Congress has given the FTC specific rule-making authority (e.g., FCRA, GLBA, COPPA, and HIPAA).  Wyndham also asserts that the theft of credit card data does not constitute “substantial injury” as envisioned by Section 5 because federal law restricts consumer liability for unauthorized payments.

     

    In its opposition to Wyndham’s motion to dismiss, the FTC maintains that Congress deliberately chose not to enumerate specific prohibited practices under Section 5, and thus the agency was delegated broad authority to prohibit unfair practices (citing other established uses of this power absent explicit statutory grants).  They further argue that this sort of systemic injury, a small harm to a large number of consumers, was the type of “substantial injury” contemplated by Congress in enacting the FTC Act.

     

    In the 41 data security enforcement actions to date, the defendants have signed consent decrees with the FTC.  Since this is the first judicial test of the scope of FTC regulatory authority under the unfairness prong, the case may have significant ramifications for the agency’s regulations of data security standards and may ultimately necessitate legislative intervention.

     

    For an article summarizing the complaint and subsequent motions (with links to the briefing), please refer to the following link:

    http://www.lexology.com/library/detail.aspx?g=511af563-4502-4477-b79c-025c61276ef3

     

  • Identity Theft During Tax Season

    By: Erin Harper

    A Consumer Sentinel Network report found that the country’s fastest growing crime involves using Social Security numbers to steal tax refunds. The website GoBankingRates.com estimates that $5.2 billion in tax refunds has already been stolen this year.

    IRS Commissioner Steven Miller has said that the agency has increased its efforts to pursue and prevent identity theft-related tax fraud. As part of an IRS crackdown, a nationwide campaign led to more than 700 enforcement actions in January. The IRS has also added additional computer screening filters in an effort to combat fraud and has assigned more than 3,000 employees to engage in identity theft-related work.

    According to Steven Toporoff, a Federal Trade Commission attorney, tax refund theft occurs in various ways. In some instances, the thief uses the taxpayer’s name and Social Security number to steal the person’s refund. In others, the thief uses the taxpayer’s Social Security number but his own or a fake name. Typically, taxpayers discover that they are victims of refund fraud when they attempt to file electronically and receive a rejection notice. Unfortunately, each tax identity theft case takes approximately 180 days to resolve. The IRS, however, is working to reduce the time it takes to get refunds to taxpayers victimized by this crime.

    http://www.cbsnews.com/8301-505144_162-57572789/tax-refund-theft-is-nations-fastest-growing-fraud/

    http://www.usatoday.com/story/money/business/2013/02/07/irs-identity-theft-enforcement/1899059/

  • Javelin Strategy & Research’s 2012 Identity Theft Report

    By: Hiroyuki Tanaka

    http://www.foxbusiness.com/personal-finance/2013/02/20/one-new-identity-theft-victim-every-3-seconds-in-2012/

    This article is about the results of “Javelin Strategy & Research’s 2012 Identity Theft Report.”

    https://www.javelinstrategy.com/brochure/239

    According to the article, there were 12.6 million victims of identity theft in 2012.

    It is generally alleged that regularly monitoring financial transactions and receiving alerts about irregular transactions is a good way to prevent identity theft.  However, if personal information is used to open new accounts, consumers cannot monitor or receive alerts about identity theft.  As this article shows, more than half of victims were not only monitoring their accounts, but also using “financial alerts, credit monitoring or identity protection services.”  So the traditional way of preventing identity theft is not working effectively.

    So what can be done to prevent identity theft?  One way to go is leaving it to consumers’ choices.  According to the article, 15% of identity theft victims “decide to change their behaviors and avoid smaller online merchants.”  This shows that most consumers keep on using the same service even after the identity theft.  As there is no clear standard by which consumers can tell which service is paying more attention to identity theft, it is difficult for consumers to change behaviors.  It can be said that consumers tend not to change their behaviors if they are satisfied with aspects of the service other than privacy protection, such as quality or price.  So, leaving it to consumers’ choices does not seem to be a good idea.  Another way to go is imposing higher liability, such as strict liability, on service providers and strengthening government regulation, including its enforcement.  As this will result in a huge increase in costs for service providers, it will be difficult to form a consensus.  But, as the number of victims of identity theft is increasing year by year, it is necessary to find common ground to balance the profits of companies and consumer protection.

  • Government IMSI Catchers Operate on the Fringes of Fourth Amendment Privacy

    By Benjamin Smith

     

    The Supreme Court’s 2012 decision in US v. Jones failed to resolve many open questions in Fourth Amendment privacy protection, including the particularly shadowy domain of International Mobile Subscriber Identity (“IMSI”) catchers. IMSI catchers, colloquially called “stingrays”, are devices used by law enforcement agencies to monitor cell phone conversations, for which ordinary wiretaps are not feasible, without going through telecommunications providers. An IMSI catcher works by fooling a cell phone into thinking the catcher is a local cell tower. The catcher can then force the cell phone to use insecure channels even if the phone is otherwise set to encrypt its conversations. Once the IMSI catcher has routed the cell phone onto an insecure channel, any conversation may be easily monitored and recorded.

     

    There are two major Fourth Amendment concerns with IMSI catchers. First, it is unclear whether the use of an IMSI catcher qualifies as a search. Some might have hoped a case like US v. Jones would come close to resolving the question, but it did not. It seems unlikely that use of an IMSI catcher would not be ruled a search, but IMSI catchers are currently routinely used without a warrant. Judges have begun to push back against the warrantless use of IMSI catchers, including in the ongoing US v. Rigmaiden case in the District of Arizona, but such resistance is only in its earliest days.

    In addition, when an IMSI catcher is activated, it does not target a specific cell phone but instead draws in all cell phones operating nearby. If an IMSI catcher records all conversations, conversations will be recorded equally from innocents as from suspects. Thus, even if law enforcement is using an IMSI catcher only under a warrant and with court approval, unintended intrusions without a warrant are bound to occur. The security of such data collected from innocents is unclear.

     

    As the technology becomes cheaper and more widely available to law enforcement agencies, privacy questions about IMSI catchers will have to be resolved. In the meantime, remember it as an emerging technology with unusual privacy implications.

     

    Additional information on IMSI catchers is available below:

     

    http://www.slate.com/blogs/future_tense/2013/02/15/stingray_imsi_catcher_fbi_files_unlock_history_behind_cellphone_tracking.html

    http://blogs.wsj.com/digits/2012/10/22/judge-questions-tools-that-grab-cellphone-data-on-innocent-people/

    http://online.wsj.com/article/SB10001424052970204621904577014363024341028.html

    http://gritsforbreakfast.blogspot.com/2013/03/bypassing-telecoms-stingrays-allow.html

  • Even Our Children Aren’t Safe

    By Kamilah Alexander

     

    Parents now have one more thing to protect their children from: identity theft.  In a development that should surprise no one, identity thieves are now targeting kids.  The enticement is simple: unlike an adult with an existing identity that needs to be altered, a child’s identity is an empty canvas upon which thieves can create any picture they desire.  Moreover, because children generally have no need of their own credit for a long period of time, the theft of a child’s identity can go undetected for numerous years.  It’s likely not until the child eventually applies for (and is denied) his or her first credit card or loan (car, college), that the identity theft will be discovered, long after the child’s credit has been ruined.

     

    A local news station in Jacksonville, Florida reports that, in an effort to combat the identity theft of children, Florida lawmakers have recently introduced a bill that would let parents create a credit profile for their children and then freeze that credit profile.  An ability to freeze a child’s credit would certainly help parents. They wouldn’t have to continuously monitor their children’s credit profiles, something adults find challenging enough to do for themselves.

     

    http://www.wokv.com/news/news/local/your-child-risk-identity-theft/nWjbH/

  • Privacy Act and Freedom of Information Act

    By Glenn Velazquez-Morales

     

    In another example of the recurring discussion about the relationship between the Privacy Act of 1974 and the Freedom of Information Act (FOIA), the National Pork Producers Council denounced the Environmental Protection Agency (EPA) for releasing personal and “business-confidential” data of U.S. hog farmers to various interest groups in the United States.

     

    The Pork Producers alleged that, in early February, the EPA disclosed information including home addresses, phone numbers, e-mail addresses, and information related to business operation of several hog and other poultry farmers to various environmental groups, including the Natural Resources Defense Council, Earth Justice and the Pew Charitable Trusts. The Council complained that the information was gathered from several state water agencies in order to create a national database as part of a proposed rule known as the Concentrated Animal Feeding Operations. Later, after harsh criticism from many farmers and agriculture interest groups, the proposed rule was tabled. However, several environmental interest groups who supported the rule have publicly requested that the information be released and formally asked the EPA to do so under several provisions of FOIA.

     

    On the other hand, the EPA reacted to this allegation through a short statement in which it said that the release of information was legitimate and required by law under the Freedom of Information Act. In addition, the EPA announced that the information will be publicly available throughout the US.

     

    This controversy has the potential of being actively litigated if some of the farmers allege actual damages under Section 552a(g)(4) of the Privacy Act. Moreover, because this was a disclosure of a national database of hundreds of dozens of farmers across the US, it may be possible to foresee a class action suit against the EPA. However, as has been expressed by several courts and legal experts, the interaction between the Privacy Act and FOIA is complicated because of the legitimate goals and values that these two statutes seem to protect. In this case, the legitimate privacy claim of the farmers will have to be weighed against the promotion of public transparency of the EPA throughout its rule-making process.

     

    Here is the link to a report from the Des Moines Register regarding this controversy and the EPA response:

     

    http://blogs.desmoinesregister.com/dmr/index.php/2013/02/20/pork-producers-troubled-by-release-of-data-to-activist-groups

     

     

    Here is the link to the press release issued by the National Pork Producers Council:

     

    http://www.nppc.org/2013/02/epa-releases-confidential-farm-data/

     

  • 369,132 cases of identity theft were reported to FTC in 2012

    By Hung-Yi Hsiao

     

    According to the Consumer Sentinel Network Data Book 2012, released by the FTC in February 2013, there were 369,132 identity theft complaints received by the FTC in 2012, nearly 90,000 more than in 2011.

    Identity theft was the number one complaint category, with 18% of the overall complaints. Among identity theft cases, tax- or wage-related fraud (43.4%) was the most common, followed by credit card fraud (13%), phone or utilities fraud (10%), bank fraud (6%), employment-related fraud (5%) and loan fraud (2%). Tax- or wage-related fraud was also the fastest-growing category in the past few years, growing from 15.6% in 2010 and 24.3% in 2011 to 43.4% in 2012.

    54% of the identity theft victims notified a police department and a report was taken, while 6% of victims also notified the police but no report was taken, and another 8% notified police and did not indicate whether a report was taken. 32% of the victims did not choose to notify police departments.

    Among the victims of identity theft, 16,133 (6%) were under 19, 57,491 (21%) were aged 20-29, 52,704 (19%) 30-39, 49,403 (18%) 40-49, 45,483 (17%) 50-59, 30,583 (11%) 60-69 and 22,027 (8%) 70 and over. By comparison, in the 2010 data there were 18,334 (8%) under 19, 56,635 (24%) aged 20-29, 49,375 (21%) 30-39, 3,877 (19%) 40-49, 35,314 (15%) 50-59, 19,923 (8%) 60-69 and 12,984 (5%) 70 and over. It seems that identity theft criminals have found more and more middle-aged and older victims in recent years.

    http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf

     

    Meanwhile, other research suggests that the number in the FTC report is way lower than the real number. A report by a private marketing research agency indicates that there were more than 12.6 million identity theft victims in 2012, which equals 5.25% of U.S. adults, or 1 victim every 3 seconds. Almost 1 in 4 consumers that received a data breach letter became a victim of identity fraud. $21 billion was stolen in identity theft incidents. The data for the research was gathered by a survey of a representative sample of 5,249 U.S. adults.

     

    https://www.javelinstrategy.com/news/1387/92/More-Than-12-Million-Identity-Fraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail