Year: 2016

Privacy Blog Post: Panel 4. By Clay Venetis

Gilford, New Hampshire Proposes Rules for Police Body Cameras, Including an Exemption to State Wiretapping Laws.

http://www.laconiadailysun.com/newsx/local-news/93405-body-camera-legislation-winds-through-state-house

The use of body cameras on police officers is a popular suggestion today for curbing misconduct. Local law enforcement departments like that in Gilford, New Hampshire are currently drawing up rules requiring officers to wear them. Yet such civil liberties-minded requirements may come in conflict with another central civil liberty – public privacy. Federal and state wiretapping laws generally prohibit recording interactions with individuals without consent – and a body camera would record many such interactions throughout the workday. Hence, the proposed rules in Gilford “exempts the use of body cameras from wiretapping laws” to avoid this conflict of laws.

Do we want body camera requirements at the expense of better protection of our communications with the police? How do we balance the interest of police accountability with the privacy of the individuals that officers confront?

It is important to note that at the federal level, there is no likely conflict. The Wiretap Act 18 U.S.C. §§ 2510-2522, which makes intercepting wire, oral or electronic communications unlawful, allows interception when one party consents. § 2511(2)(c).  Thus, the police consenting to record their interactions with the public would suffice to shield them from federal wiretapping violations.

Yet states have their own wiretapping laws. While many also provide an exception to the law when one party consents, twelve states do not have that exception (California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington). That is, twelve states require all parties to consent to the recording. This is why we mentioned above that the police department of Gilford, New Hampshire, needs to exempt body cameras from their wiretapping laws. The people on the street are parties to the interaction, and they will not always consent to the recording.

This conflict has already played out in the opposite scenario: when citizens secretly record police officers. Individuals in Massachusetts have been charged with violating state electronic surveillance laws after bringing forward hidden audio recordings of their interactions with police. See, e.g., Commonwealth v. Hyde, 750 N.E.2d 963 (Mass. 2001). If members of the public are liable for recording police officers while being arrested, the officers could very well be in violation when recording the individuals they are arresting.

Some states that require all parties to consent to the recording do have exceptions for public interactions, in which no party has a reasonable expectation of privacy in their conversations. For example, California’s wiretapping law does not protect “a communication made in a public gathering … or in any other circumstances in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.” Cal. Penal Code § 632(c). Therefore, in such jurisdictions, recording a police officer without interfering is likely lawful.

However, with respect to body cameras, much of the police officer interactions that implicate privacy concerns occur in non-public areas, such as the home, where the public will have a reasonable expectation of privacy. In these instances, the body camera requirements are more likely to conflict with wiretapping restrictions. Assuming an officer is in one’s home lawfully, is it also lawful for the officer to be keeping a detailed audio-visual record of everything inside the home, which can then be filed and referenced in the future? This also points to Constitutional concerns, such as the reasonableness of a search under the Fourth Amendment.

Therefore, in some states, a body camera requirement will have to include a wiretapping exemption, like that in Gilford’s proposed rule. In the body camera debate, we should ask ourselves whether we are comfortable with laws that may negatively implicate privacy interests in exchange for better police accountability. Not all civil liberties are compatible.

Other Sources:

Laws on Recording Conversations in all 50 States:

https://www.mwl-law.com/wp-content/uploads/2013/03/LAWS-ON-RECORDING-CONVERSATIONS-CHART.pdf

Police Body Cameras and Data Protection Standards in Maryland

By: Farzaan Ijaz

A recent article in the Baltimore Sun has brought attention to the substandard data privacy policies put into practice for police body cameras.[1] The recent call to an increase in the number of police body cameras circulated brings with it the issue of how to protect what will be massive amounts of data collected on citizens. Many people already show reluctance to increase the number of police body cameras in use because of concerns about how they made be intrusive to the lives of those people being recorded by the police. This fear becomes more of a reality if the collection of data recorded isn’t properly protected.

Given the massive amount of data, complexity of data protection issues and citizen fears, Maryland Police Training commission’s decision to forego a standardized policy in favor of allowing each agency to create their own set of security policies is a risky policy. Essentially, they have allowed for the creation of substandard cybersecurity policies to be introduced in a variety of different districts. Further, the headache involved with attempting to match protocols between different departments when they work together on one case will further increase the cost while continuing to leave significant cybersecurity risk present.

It would be one course of action if an alternative standard with a good reputation didn’t exist – but that’s where the FBI’s widely accepted and trusted Criminal Justice Information Services Division Security Policy (CJIS) for body camera recordings comes into play. It has the strongest set of security protocols available to protect sensitive law enforcement information. Further, they have an added layer of security by requiring routine audits and background checks for individuals working with this sensitive data.

It is worth noting that this policy Is not set in stone. The Maryland Police Training Commission has said that in regards to the Implementation and Use of Body Cameras by Law Enforcement Officers, they will study and outline best practices for the use of body cameras in Maryland. Given this willingness to change and learn, hopefully the data protection standards for this sensitive data are properly implemented.

[1] http://www.baltimoresun.com/news/opinion/oped/bs-ed-body-cameras-20151026-story.html

The FBI Operated a Child Porn Website for Nearly Two Weeks

By: Peter Steffensen

What are the lengths that the Federal Bureau of Investigation may go to in order to identify moderators and users of a prominent dark web child pornography ring?

That is the novel question arising from the FBI’s investigation into Playpen, a child pornography website that, for a 13-day period in 2015, Motherboard reports, was actually controlled by the FBI and run from FBI servers based in Virginia. The FBI’s actions have resulted in the identification of over 1,300 unique IP addresses and a (still-growing) number of indictments from a single warrant, issued in the Eastern District of Virginia, authorizing the searches related to the investigation.

In seizing Playpen, the FBI effectively converted the website into a “honeypot,” a term used in the computer security field to describe a mechanism for detecting and counteracting cyberthreats. Here, the FBI’s control of Playpen allowed it to deploy a “network investigative technique” (in other words, government-administered malware) onto users’ computers to uncover their real IP addresses, which almost assuredly would have been masked by some sort of anonymized routing technology, such as Tor.

The FBI has been severely criticized by a number of privacy advocates, who have suggested that the use of these techniques amounts to an “unprecedented” expansion of law enforcement surveillance powers. These advocates argue that the use of “powerful hacking tools” by the government to monitor and/or control a target computer system is something that requires both public debate and Congressional action.

Others have accused the FBI of being complicit in the distribution of child pornography during the 13-day period that the federal agency operated Playpen. The suggestion raises a fascinating question about means and ends. Though many, if not most, would categorically applaud a law enforcement agency for taking down a prominent child pornography ring, do the FBI’s steps here go too far?

Other, even murkier questions naturally follow: What type of internal assessments, if any, were conducted to determine the potential impact on victims? Were the “network investigative techniques” affirmatively deployed by the FBI covered under the scope of the authorizing warrant? Do its actions in the Playpen case allow the FBI to similarly operate, for example, the Silk Road in order to uncover the identities of drug traffickers? If so, what length of time, if any, is reasonable to achieve this goal?

Many of these questions are already being raised by defense counsel to several of those indicted in the investigation, and will hopefully be addressed by courts in the ensuing litigation. Importantly, this case may serve as a crucial proving ground for the ability of the FBI—and other law enforcement agencies—to utilize hacking techniques to discover, locate, and monitor potential criminals.

Legislators Continue to Drag Feet on ECPA Reform

By: Alex Schindler (Panel 4)

The way we transmit and store our information by electronic means has changed dramatically since 1986, so why hasn’t the Electronic Communications Privacy Act? As government surveillance powers and the technological means of exploiting them have expanded in three decades, an archaic loophole has remained, allowing law enforcement to subpoena or otherwise access “stored communications” older than 180 days with less than probable cause and a warrant. This remains law on the books even after the Sixth Circuit’s 2010 decision in United States v. Warshak granted email the same privacy protections due physical mail. As some would tell it, law enforcement agencies are to blame for the failure of Congress to fix this statutory oddity despite bipartisan support, popular pressure (at least since the Snowden revelations), and lobbying from civil rights advocates and technological industry leaders alike.

Bipartisan reform proposals have emerged in both the Senate and the House. Senators Patrick Leahy (D-Vermont) and Mike Lee (R-Utah) introduced the Electronic Communications Privacy Act Amendments Act (S. 356), which like its House counterpart the Email Privacy Act (H.R. 699, advocated by Reps. Jared Polis, D-Colorado, and Kevin Yoder, R-Kansas) closes the antiquated 180-day loophole. In December 2015, Slate reported that S. 356 had 25 cosponsors and H.R. 699 had 306—the latter constituting an easy House supermajority. Even the White House has been a voice in favor of increasing privacy protections in our digital ear: former Attorney General Eric Holder supported a warrant requirement for email searches in 2013, and President Obama’s “big data report” called for ECPA reform the following year.

Yet a vote on these ECPA reform bills has been consistently delayed for years. A markup and vote on the House bill is finally scheduled for April 13^th, and the markup will no doubt reflect the concerns of the institutions who have presented the major counterweight to a seemingly popular position: law enforcement agencies. They are also responsible for the many delays.

In September, an SEC director testified before the Senate that its investigations would be hindered if it could not easily access personal content stored by online service providers. Five months earlier, the agency’s chairperson Mary Jo White testified that its investigations would be hindered if it could no longer use its administrative subpoena power to access content information (one which hinges on a “relevance” standard rather than the stricter probable cause requirement envisioned by the reform). And indeed, such has been the pattern for years: despite an unusual confluence of interests between powerful corporations and civil rights advocates, the advocates of robust law enforcement powers have delayed and hobbled ECPA reform.

In two weeks we shall see whether markup of the House bill carves out exceptions for civil agency investigations, as demanded by the SEC. Either way, privacy advocates will continue to oppose ad hoc distinctions in the law regarding expectations of privacy in email and other digital communications, or special exemptions for government agencies.

Information Privacy Post

By: Paul J Mancuso

The Department of Justice recently dropped its case against Apple after the FBI managed to unlock the iPhone of one of the shooters in the San Bernardino terror attacks.  The DOJ had previously obtained a court order that would have required Apple to write software to access the iPhone.  However, the dispute between the technology industry and law enforcement over access to encrypted information is not over.  While the DOJ waged its public fight with Apple over access to the locked iPhone, the government considered how to resolve its separate standoff with Facebook over access to its messaging application, WhatsApp.

The DOJ is currently pursuing a criminal investigation in which a federal judge has approved a wiretap, but investigators are frustrated by WhatsApp’s encryption.  WhatsApp has “end-to-end encryption,” according to which only intended recipients are able to read the messages.  In contrast to the iPhone dispute, as The New York Times reports, the wiretap order and all of the information associated with it are under seal.  As Nate Cardozo comments for the Electronic Frontier Foundation, it appears that the DOJ has not yet asked the court for a follow-on order that would compel WhatsApp to decrypt the messages.  If the DOJ were to do so, it would base its motion on the “technical assistance” provision of the WireTap Act.

As The New York Times reports, “investigators view the WhatsApp issue as even more significant than the one over locked phones because it goes to the heart of the future of wiretapping.” Although for the past fifty years the DOJ has relied on the wiretap as a fundamental tool to investigate and fight crimes, law enforcement officials are nowconcerned that encryption technology renders useless wiretaps in the future.  As a result, it is expected that Senators Richard Burr and Dianne Feinstein of the Senate Intelligence Committee will soon introduce legislation that will expose technology companies to civil penalties for refusing to comply with court orders to help investigators access encrypted data.  Although Reuters reports that the proposal is unlikely to gain traction in the House of Representatives, which supports digital privacy in the wake of the Snowden revelations, Robert Litt, the top U.S. intelligence community lawyer, thinks “momentum on the issue could turn in the event of a terrorist attack or a criminal event where strong encryption can be shown to have hindered law enforcement.”

http://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html?login=email

http://www.reuters.com/article/us-apple-encryption-legislation-idUSKCN0WB2QC?feedType=RSS&feedName=technologyNews

https://www.eff.org/deeplinks/2016/03/next-front-new-crypto-wars-whatsapp

https//news.vice.com/article/fbi-unlocks-san-bernardino-iphone-and-drops-case-against-apple

Maryland Court says Use of IMSI Catchers Violate the Fourth Amendment

By Nicole Kramer

The following blog post was written following an article featured on Fortune’s online platform, and can be found here.

On March 30, 2016, the Maryland Court of Special Appeals issued an opinion written by Judge Leahy that found that the Baltimore police departments’ use of IMSI catchers to track suspects’ phones without search warrants, violated the Fourth Amendment as an unreasonable search.

IMSI catchers such as the Hailstorm at issue in the Maryland case, are eavesdropping devices that intercept mobile phone calls and help determine a users precise location, thereby “transform[ing]” mobile phones into “real-time tracking device[s].”[1] Such devices are increasingly being used by law enforcement agencies without warrant raising significant privacy concerns. In Baltimore alone, it is estimated that the technology has been used in at least 2,000 investigations.[2]

The Baltimore Police Department had relied on an approved application for a pen register/trap & trace order on the suspect’s cell phone to locate and arrest the petitioner in this case. One argument that arose in the lower court arguments was that, unlike with GPS or cell site information, information gathered with IMSI catchers was not generated willingly by the phone, rather the technology “forc[ed] the phone to emit information”[3] and identify itself. The information was not merely available to anyone who wanted to look for it; it was not “readily available and in the public view.”[4] And this fact weighed heavily in the court’s opinion.

In the opinion, Judge Leahy discussed Justice Douglas’s dissenting and concurring opinions in Osborn v. United States, Lewis v. United States and Hoffa v. United States which raised a fear of a society becoming more accustomed to “surveillance at all times.”[5] She sided with the court in Katz, especially Justice Harlan’s concurrence, which offered individuals strong protection against unreasonable searches and seizures in the face of advancing technology. The court ultimately found, in accordance with the Supreme Court rulings in Karo, Kyllo, and Jones, that Justice Harlan’s two-part test should be applied, and that “people have an [objectively] reasonable expectation that their cell phones will not be used as real-time tracking devices by law enforcement,”[6] and therefore that the use of such technology required a search warrant imposing reasonable limitations on the scope and manner of the search.[7] The court further added that the prior case law established that the “use of surveillance technology not in general public use to obtain information about the interior of a home, . . . is a search under the Fourth Amendment.”[8]

However, as the court noted, there are some exceptions to this conclusion. The court first looks to the Third Party Doctrine and United States v. Miller and Smith v. Maryland, but ultimately rejects this exception. The doctrine “provid[es] that an individual forfeits his or her expectation of privacy in information that is turned over to a third party.”[9] The state argued that the petitioner forfeited his expectation of privacy by carrying a cell phone that he knew would be communicating with nearby cell towers. But in these cases and those that followed from it, including Graham, it remained necessary that the user voluntarily convey the information to a third-party.[10] Which did not happen in Andrews.

The Maryland Court ruling was a success for privacy advocates. The state’s attorney general has not stated whether his office will challenge the ruling.

[1] State v. Andrews, 2016 Md. Ct. Spec. App. LEXIS 33, *1 (March 30, 2016).

[2] David Z. Morris, Maryland Court Says Phone Tracking Unconstitutional, Fortune (April 3, 2016, 4:22PM EDT), http://fortune.com/2016/04/03/maryland-court-phone-tracking/.

[3] Andrews at *19.

[4] Id. at *59.

[5] Id. at *28.

[6] Id. at *2.

[7] Id. at *65.

[8] Id. at *50.

[9] Id. at *65.

[10] Id. at *69-70.

Smith v. Maryland, Third Party Doctrine as Applied to Reddit Users

Naadia Chowdhury

This past Friday, Reddit users were concerned about government internet surveillance and the privacy of their data. In its annual report, Reddit typically lists the kinds of requests it gets for its consumer information and for complaints to remove content. Reddit’s latest annual report was missing a paragraph that typically says Reddit did not receive a national security letter to conduct electronic surveillance. This indicated to users that the government may have sent Reddit a national security letter allowing the FBI to conduct surveillance and access user information without a warrant or court order.¹

To become a user on Reddit, you do not need to disclose a lot of information. Potential users create a username and disclose their email addresses. Compared to other social platforms, there is not a lot of directly identifiable information. It can be argued, however, that an email address is enough information to track down an individual.

Even if the FBI was not working under the national security exception to the requirement of getting a warrant or court order to complete surveillance, it seems unlikely that Reddit users could successfully argue they have privacy rights against the government from accessing their information. Based on Smith v. Maryland, Reddit users do not have a legitimate expectation of privacy regarding their information because they disclose their email addresses and activities on Reddit to Reddit employees and the company. Any information a Reddit user discloses is information he or she voluntarily conveys to the company and therefore, assumes the risk of having their information revealed to a government official.

In United States v. Forrester, the Ninth Circuit Court of Appeals determined internet users have no legitimate privacy expectations in the IP addresses of the websites they visit. The information Reddit users disclose seem analogous to this case and so, users have weak legal protections in their information.

It is still not clear if privacy policies that companies have will alter the analysis courts undertake to determine whether there is a legitimate expectation in privacy. It would be logical that the assumption of the risk a user undertakes when registering on a website with a privacy policy guaranteeing to keep the user’s information safe would be altered and be a more limited assumption. If Reddit provides a privacy policy, perhaps an argument can be made, but as of 2008, protections against government electronic surveillance are fairly weak under the Smith test.

From Apple to Lavabit: The ECPA and the Legal Struggles Surrounding Encryption

By: Debra Slutsky

Although the FBI dropped its lawsuit to compel Apple to assist it in unlocking one of the San Bernardino shooter’s iPhones, the case provides insight into how the Justice Department grapples with modern digital communications using existing law. According to Kim Zetter’s article in Wired, Long Before the Apple-FBI Battle, Lavabit Sounded a Warning, such a struggle between the Justice Department and tech companies, specifically those that offer encrypted communication services, is not new. Zetter writes that Lavabit “made a surprising cameo this month in a brief filed by US attorneys in that case. The attorneys invoked the Lavabit case in a footnote as part of a threat to Apple…” However, as the Lavabit and Apple cases demonstrate, the channels available to the government for accessing such communications are largely legally untested and dependent on law that contemplated a much more primitive technological landscape.

In the Apple case, attention was brought to the government’s use of the All Writs Act, a 227-year-old-law that grants judges the authority to issue writs, or orders, to compel parties to perform acts within the bounds of law. Through the All Writs Act, The FBI sought to force Apple to build a backdoor into its iOS operating system in order to access encrypted iMessages. The case has also brought spotlight to the Pen Register Act. The Pen Register Act is a component of the Electronic Communications Privacy Act (ECPA) of 1986. While originally intended to record outgoing telephone numbers dialed, the Pen Register Act was expanded by the Patriot Act to include IP addresses and email headers. In 1979, the significant case Smith v. Maryland affirmed that the use of a pen register by a telephone company does not violate the 4^th Amendment. This metadata permissibly collected, however, provides deeper insight than just the frequency and duration of phone numbers. This was noted in Smith v. Maryland by Justice Stewart in his dissent, where he wrote that telephone metadata, “although certainly more prosaic than the conversation itself – [is] not without ‘content’…I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have dialed. This is not because such a list might in some sense be incriminating, but because it easily could reveal…the most intimate details of a person’s life.”

Similarly, in 2013, the FBI obtained and served an order pursuant to the Pen Register Act upon Lavabit founder Ladar Levison. The order permitted the FBI to obtain information sent to and from the target’s email account, Edward Snowden. Since Lavabit employed SSL encryption to protect transmitted data, the order further required Levison to provide the SSL keys to access Snowden’s emails. Lavabit’s roughly 400,000 subscribers would be placed at risk of having their emails vulnerable, since the company used only five SSL key-pairs. Levison planned to challenge the order, but lacking financial resources, he was forced to represent himself pro se during initial proceedings. He was held to be in contempt of court after refusing to comply with the order to hand over Lavabit’s encryption keys. On appeal, the contempt order was affirmed, and the appellate judge never addressed Levison’s challenge to the underlying legality of the Government’s use of the Pen Register Act to obtain SSL keys since he did not properly object to that issue during the earlier proceedings.

In its case against Apple, the Justice Department cited to the Lavabit case for the proposition that its pen register order to produce SSL encryption keys was affirmed on appeal. Levison took to Facebook to publicly state that the Government’s language was “incredibly misleading” as to the appellate court’s actual ruling. The statement is accurate. As the law stands, the Government has wide ranging authority to obtain pen register orders to access digital communications. The bounds of Government authority to obtain digital communications and the lengths it may go to compel third parties to assist in such measures is, however, ripe for review. The Lavabit and Apple cases both concluded before ever reaching a definitive ruling. With encryption becoming the standard for digital communications, a case is bound to arise in the near future that will definitively rule on the issue.

Sources:

• http://www.wired.com/2016/03/lavabit-apple-fbi/
• Smith v. Maryland, 442 U.S. 735 (1979)
• In re Under Seal, 749 F.3d 276, 281-83 (4th Cir. 2014)
• http://www.smithsonianmag.com/smart-news/what-all-writs-act-1789-has-do-iphone-180958188/?no-ist