Month: April 2017

  • Meng Wang: Blog Post

    Meng Wang

    Information Privacy Law

    Professor Ira Rubinstein

    April 6, 2016

    Article: Rhys Dipshan, “Short Circuits: 3 Areas Where Tech Law Is Falling Behind”, Legaltech News, February 27, 2017

    http://www.legaltechnews.com/id=1202780021771/Short-Circuits-3-Areas-Where-Tech-Law-Is-Falling-Behind

    Established technology-related laws are outdated and may become anachronistic burdens to those organizations they’re enacted to regulate. The article notes three areas where companies face the most challenges with outdated laws.

    1. Prosecuting Cyberespionage

    Legal resources for fighting cybercrime are often limited to geopolitical jurisdictions, as restitution is a standard penalty that is a part of the federal criminal justice system. When perpetrators of cyberattacks are outside the U.S., or are nation-states themselves, restitution can be difficult to obtain in dealing with foreign actors in countries like China that lack extradition treaties with the United States.

    Companies have had to turn to novel means to go after foreign cyberattackers. For example, in 2016, U.S. Steel successfully petitioned the United States International Trade Commission (ITC) to take up its case against Chinese steel manufacturers that allegedly stole and profited from U.S. Steel’s intellectual property. U.S. Steel relied on Section 337 of the Tariff Act of 1930 but faced headwinds in court. Defendant, represented by Covington & Burling, argued that the ITC pleading standard is on the same level as those in district courts. U.S. Steel announced it had pulled the case from the ITC in February, noting that the decades-old Section 337 law never contemplated the technological advancements over the past 50 years and needed to be reformed.

    2. Disclosing Government Data Access

    Microsoft recently argued that the SCA increasingly places a significant burden on modern technology companies that store growing volumes of their customers’ personal data.

    In a case filed April 2016, Microsoft argues that both §2703 and §2705 of the SCA are unconstitutional on First and Fourth Amendment grounds, as they restrict companies’ right to talk to their customers and constitute unreasonable searches.

    The district court denied a motion to dismiss the case in February 2017, explaining that the First Amendment rights of Microsoft’s customers may outweigh the need for government secrecy in an investigation of a customer. The court dismissed the Fourth Amendment claim because Fourth Amendment rights cannot be defended by anyone other than the person whose rights were infringed. However, the court did add that the government’s indefinite withholding of disclosures means that “some customers may never know that the government has obtained information in which those customers have a reasonable expectation of privacy.”

    3. Fighting Search Warrants for Overseas Cloud Data

    It is not entirely clear what rights §2703 of SCA gives authorities to access data that is stored on overseas “cloud” servers. For example, in February 2017, Google lost its attempt to quash SCA search warrants for data it held outside the United States, while only months earlier, it successfully quashed a similar SCA warrant for its customer’s data as well. Though both rulings agreed that the SCA search warrants do not apply beyond U.S. borders, the latter reasoned that because the company moved data around regardless of a user knowing, the actual search and seizure would take place on U.S. soil.

    Craig Newman, partner at Patterson Belknap Webb & Tyler, noted that the judiciary may be ill-equipped to handle how to interpret data’s location and jurisdiction given that the SCA is over 30 years old.

  • Caitlin Schultz: Blog Post

    Caitlin Schultz

    Information Privacy Law

    Professor Ira Rubinstein

    April 4, 2017

    Title of Blog Post: Turning the Tables: Publishing Congress’s Browser History

    Article: Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    Blog Text:

    President Trump is expected to sign into law a bill that overturns Federal Communications Commission rules requiring broadband providers to obtain consent before collecting citizens’ online data such as browser history.[1] This repeal of privacy rules for private companies has profound implications for government surveillance activities and for freedoms of speech and association. As an example, AT&T has already been profiting from selling customer data to law enforcement.[2] Additionally, studies show that government surveillance has a profound chilling effect on online behavior by ordinary citizens.[3]

    At least four grassroots campaigns to fund the purchase of the browser histories of members of Congress and make them public are gaining media attention.[4] This turning of the tables on federal legislators highlights the speech, association, and surveillance concerns of not only privacy advocates but also ordinary citizens. Societal norms already play a role in Fourth Amendment and surveillance jurisprudence, and state legislatures and courts should step in to increase the role of modern expectations in order to protect citizens. Congress’s hypocrisy of allowing companies to sell citizens’ data—which arguably will lead to government use of that data for surveillance outside of the traditional Fourth Amendment protections because of the “third party doctrine”—is being exposed as the social norm of internet searches being private is withdrawn on members of Congress themselves.

    Of course, the actions of private persons and private companies do not involve state action and, therefore, do not directly implicate government surveillance and the First Amendment. However, in this era of increasing technological development and privatization of government functions, citizens and courts should be wary of privacy and civil and political rights being seriously endangered. To combat this growing problem, courts should analyze the role of private broadband companies and internet service providers in modern life, digital and online notions of personal privacy, and the extent to which government can access information through third parties in a manner in which the government could not access that same information by targeting an individual directly.

    Working backward, the First Amendment embodies the idea that individuals should be free not only to speak about concepts, but also to receive ideas about them. The internet has drastically changed how society learns about information, tests ideas, and spreads ideas. If internet search history is not private, for example, this would create a massive “chilling effect” on what citizens discover and learn about. Taking this one step further, if the information is not only not private but also is available to the government to implicate citizens for crimes, this may drastically chill the spread of ideas and information.

    The relationship between government surveillance and the First Amendment is often debated. The argument that the Fourth Amendment protections against unreasonable and warrantless searches and seizures include First Amendment considerations[5] should be viewed with skepticism. Free speech being chilled as the direct result of government surveillance is a legitimate concern that courts should take into consideration. Normal human behavior online and social norms about to what level internet activity is private or anonymous are important factors for a court to take into account when deciding reasonable expectations of privacy and levels of government intrusion into citizens’ private lives.

    [1] See, e.g., Cecilia Kang, Congress Moves to Overturn Obama-Era Online Privacy Rules, N.Y. Times (Mar. 28, 2017), https://www.nytimes.com/2017/03/28/technology/congress-votes-to-overturn-obama-era-online-privacy-rules.html.

    [2] See, e.g., Nicky Woolf, Documents Show AT&T Secretly Sells Customer Data to Law Enforcement, (Oct. 25, 2016 15:33 EST), https://www.theguardian.com/business/2016/oct/25/att-secretly-sells-customer-data-law-enforcement-hemisphere.

    [3] See, e.g., Karen Gullo, Surveillance Chills Speech—As New Studies Show—And Free Association Suffers, Electronic Frontier Foundation (May 19, 2016), https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-new-studies-show-our-rights-free-association.

    [4] Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    [5] See Laird v. Tatum, 408 U.S. 1 (1972) (holding that government surveillance of individuals’ civil rights activities does not implicate the First Amendment).

  • Hernán Garcés Blog Post

    Hernán Garcés

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 2017

     The highest court of the European Union rules that Member States may not impose a general obligation to retain data on providers of electronic communications services

     Last December, four days before Christmas, the European Court of Justice (“ECJ”) made a present to the European citizens in a major privacy decision declaring that indiscriminate storing of private citizens’ communications data is illegal under EU law.

    In 2015, two cases from Sweden and the United Kingdom were referred to the ECJ on the general obligation imposed on telecommunication service providers to retain data relating to electronic communications. The Court was requested to indicate whether a general obligation to retain data is compatible with EU law (specifically the Directive on privacy and electronic communications and certain provisions of the EU Charter of Fundamental Rights).

    According to the Court, data retention can result in very precise conclusions being drawn concerning the private lives of the persons whose data has been retained. Therefore, the national legislation of the Member States that provides for the retention of traffic and location data must be subject to strict requirements. In the words of the Court: “the fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference”.

    The Court said that exceptions to the protection of personal data should be limited to the absolutely necessary. This applies also to the access of authorities to the stored data. National legislation of the Member States providing for general and indiscriminate data retention, which does not have a link between the data and a threat to public security, goes beyond the limits of the absolutely necessary and cannot be justified in a democratic society. Therefore, the legislation of the Member States that does not comply with these requirements must be abolished or amended accordingly. The Court also states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse.

    According to Camilla Graham Wood from Privacy International the judgment is a “major blow against mass surveillance and an important day for privacy. It makes clear that blanket and indiscriminate retention of our digital histories can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep.”

    Last week, as a consequence of the decision, the Council of Europe, the institution representing the member states’ governments, informed the Member States that it intends, with the European Commission, to provide guidance on bringing national data retention laws into line with the judgment.

    Related documents:

    1. Judgment of the European Court of Justice of 21st December 2016
      http://curia.europa.eu/juris/document/document.jsf?docid=186492&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=747271
    2. Press release of the European Court of Justice
      http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf
    3. Opinion of the Advocate General of the European Union
      http://curia.europa.eu/juris/document/document.jsf?docid=181841&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=747271
    4. Press release of the Advocate General’s Opinion
      http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-07/cp160079en.pdf
    5. Outcome of the Council Meeting of 28th March 2017
      www.consilium.europa.eu/en/meetings/jha/2017/03/st07688_en17_pdf/
    6. The Guardian
      https://www.theguardian.com/law/2016/dec/21/eus-highest-court-delivers-blow-to-uk-snoopers-charter

     

  • Yu-Jean Liu Blog Post

    Yu-Jean Liu

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 20
    Last year, the Second Circuit in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), held that the government cannot compel Internet Service Providers (ISPs) to turn over data that is stored overseas. The court ruled that the government cannot do so even with a warrant.
    In December 2013, Judge Francis of the Southern District of New York issued a warrant under the Stored Communications Act 18 U.S.C. §§ 2701–2712 for the email content associated with a Microsoft Network email address. Microsoft agreed and handed over responsive non-content data that were stored in the United States. However, as for the requested content information that was stored in a Microsoft server which was located in Ireland, Microsoft believed the data in Ireland was not in the jurisdiction of the warrant. Thus, Microsoft refused to hand over the data and moved to quash the warrant.
    The court held that applying the SCA’s warrant provisions extraterritorially was not Congress’s intention. Rather, the intention of those provisions is to protect users’ privacy interests. Therefore, the SCA does not authorize a United States court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.
    This case well indicated the phenomenon that law has failed to keep pace with new technology and the dilemma courts face when applying old laws to modern technology: whether the court should appreciate the unique and novel aspects of technology and manage to adapt legal rules and definitions to modern technology, or just simply follow the old rulings.
    However, it is my opinion that when it comes to new technology, merely applying existing legal rules or guessing the intention of Congress is not enough. It could lead to delaying enactment and implementation of appropriate law regulations for new technology.
    Reference:
    http://law.justia.com/cases/federal/appellate-courts/ca2/14-2985/14-2985-2016-07-14.html
    http://www.minnesotalawreview.org/2017/02/microsoft-corp-v-united-states/
    http://knowledge.freshfields.com/m/Global/r/1623/microsoft_v__united_states__court_s__privacy__ruling_is

  • Qianyao Li Blog Post April 3 2017

    Qianyao Li

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 2017

    Pennsylvania magistrate judge’s ruling requires Google to turn over data stored outside United States to FBI

    On Feb 3, 2017, Pennsylvania Magistrate Judge Thomas J. Rueter granted the Government’s motions to compel Google to comply with search warrants to turn over data stored outside the United States.

    Google has partially complied with the warrants by producing data that it could confirm is stored on its servers located in the United States. However, it has refused to produce other data, relying upon a recent decision by the Second Circuit, where the court determined that enforcing the warrant by directing Microsoft to seize the contents of its customer’s communication stored in Ireland would be an unlawful extraterritorial application of the Stored Communications Act (“SCA”). Microsoft, 829 F.3d 194 (2d Cir. 2016).

    Magistrate Rueter was not troubled by the fact that the information was stored abroad. Instead, he concluded that the warrants are applied within the United States since “the search of electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.” In re Search Warrant No. 16-960-M-01, No. 16-960-M-01, 2017 U.S. Dist. LEXIS 15232 (E.D. Pa. Feb. 3, 2017).

    Magistrate Rueter distinguished this case from Microsoft by the fact that there is no evidence regarding the precise location of the servers which store the electronic data requested by the search warrants, while in Microsoft, all the relevant user data of a presumably Irish citizen was located exclusively in one data center in Ireland and remained stable there for a significant period of time. It seems the Magistrate was saying that the extraterritorial application of the SCA should be determined by the place where the FBI will review the copies, because it is hard to locate the place where electronic data is stored.

    Briefs from Microsoft, Amazon, Cisco Systems, Apple and Yahoo have been filed in the U.S. District Court for the Eastern District of Pennsylvania, allying with Google in its opposition to the Feb. 3 decision. But a final resolution is years away, given the lengthy appellate process.

    Sources:

    http://pennrecord.com/stories/511093025-tech-giants-file-briefs-supporting-google-in-case-of-fbi-subpoena

    https://www.forbes.com/sites/realspin/2017/03/07/digital-privacy-rights-take-a-u-turn-and-congress-needs-to-act/#261f00925cbf

    https://www.justice.gov/opa/blog-entry/file/937001/download

     

  • Jeffrey Bishop Blog Post April 3, 2017

    Jeffrey Bishop
    Information Privacy Law
    Professor Ira Rubinstein
    March 30, 2017

    Ninth Circuit to Address Police Surveillance of Cell Site Location Information
    Do consumers possess a Fourth Amendment “reasonable expectation of privacy” in the location data collected by cell phone service providers, such that police must obtain a warrant supported by probable cause to access this information? This was the chief question before the US Court of Appeals for the Ninth Circuit on March 17 during oral argument in United States v. Gilton. Although the four circuits that have considered the question have concluded (albeit in fractured opinions) that Fourth Amendment protections do not apply, at least two of the three judges on the Ninth Circuit panel indicated a willingness to find otherwise, raising the specter of a circuit split.
    At issue is the historical cell site location information (CSLI) collected as a matter of routine business practice by cell phone service providers like Sprint. In order for a cell phone to function, it must periodically send a radio signal to a nearby cell site to connect to the service provider. Every time a call is made or received on a phone, a record is logged with the service provider based on the cell site information, including the location of a phone relative to the cell site at the beginning and end of a call. With the proliferation of smartphones, these radio signals are sent to cell sites with increasing frequency, as much as “every few minutes,” as phones now send radio signals when automatically checking for emails, streaming videos, and engaging in other forms of data usage. Though the accuracy of the CSLI is dependent on factors such as the density of cell towers in any given area (e.g. dense urban areas make location tracking more precise than a large, rural area with a single tower), by aggregating the CSLI data points over time, one is able to track the movements of a cell phone user throughout her day.
    Under the facts of Gilton, investigators suspected Gilton of criminal activity and ordered Sprint, pursuant to a defective warrant, to deliver 37 days of Gilton’s cell phone records containing 8,790 CSLI data points – an average of “one [location point] every six minutes.” During oral argument and in their briefs, the US Government and the ACLU (as amicus in support of Gilton) sparred over whether the Government’s gathering of CSLI without a valid warrant (and, consequently, without probable cause) constituted a “search” that could fall within the protections of the Fourth Amendment.
    Of particular interest to the parties and the questioning judges was the applicability of the “third-party doctrine” to modern, invasive technology. This doctrine derives from the decades-old Supreme Court holdings in United States v. Miller (1976) and Smith v. Maryland (1979) where the Court held that there was no reasonable expectation of privacy in one’s banking transaction data and phone numbers dialed from a home landline phone because the defendants in each case had voluntarily conveyed that information to a third party – a bank teller or the phone company – and consequently “assumed the risk” of disclosure to state authorities. In such scenarios, government investigators are permitted to obtain information without the ordinary requirements of a warrant and probable cause since, without a reasonable expectation of privacy, there has been no “search” subject to Fourth Amendment protections.
    The Government relied heavily on these “third-party doctrine” precedents in arguing that Gilton’s historical CSLI was voluntarily conveyed to Sprint pursuant to the ordinary business agreement between a phone user and her service provider. Consequently, they argued, there can be no reasonable expectation of privacy in the CSLI, no Fourth Amendment “search,” and no requirement to obtain a valid warrant subject to a probable cause standard.
    Judges Bybee and McKeown expressed their skepticism over the notion that consumers “voluntarily” hand over CSLI to their service providers since a consumer cannot possibly know to which cell site her phone is connecting. Judge McKeown further questioned the strength of the voluntariness theory where CSLI is collected even where a person chooses not to answer an incoming call. Counsel for the Government, however, found voluntariness inherent in the business relationship between a consumer and service provider, stating that “in order to get cellular phone service, you know that you have to connect your phone to the cellular network’s towers and you know that you have to be in range of those towers to get service…to make or receive phone calls.” The Government additionally contended that Sprint’s terms of service and privacy policies notify the user that Sprint “generally know[s] the location of your device.” Nonetheless, Judges Bybee and McKeown appeared concerned that the Government’s position left no limiting principle for warrantless searches in an age where technology is ubiquitous and often requires the sharing of sensitive, detailed information with service providers.
    Echoing these concerns, counsel from the ACLU argued that the third-party doctrine is not a “categorical” rule, but that it only allows for an exception to the warrant requirement where the information is both “voluntarily conveyed” and the information is not particularly “private or sensitive.” Admitting that CSLI does not provide information on the “contents of the phone calls,” the ACLU contended that “this kind of pervasive, long-term location information is closely analogous to content information in the very detailed picture of a person’s life that it paints.” Their brief explains that police can infer from CSLI where one sleeps at night, her demographic information, and even the associational groups she frequents, potentially raising First Amendment concerns. Judge Wallace pressed the ACLU to distinguish CSLI from the numbers dialed from a phone in Smith which could also provide an “awful lot of information” yet is still not subject to the warrant requirement. The ACLU distinguished the cases in that phone numbers dialed are “voluntarily conveyed” to the phone company because they are “necessary to connect that call.” This contrasts with CSLI in which a user has no way to know what location information is being conveyed to the service provider, and the user does not necessarily take affirmative action to send over that information.
    Moreover, the ACLU stressed that the fundamental question is “whether the warrant requirement is going to maintain vitality in the modern digital age.” Concerns over “dragnet” surveillance by police have led the Supreme Court to caution lower courts not to emphasize “pre-digital precedents” when applying them to newer, pervasive technologies. Modern cell phones should carry a stronger expectation of privacy since they are often carried wherever one goes, even into traditionally “constitutionally protected spaces” such as one’s home. Channeling the concerns of privacy advocates, the ACLU argued that it can’t be that the third-party doctrine swallows the warrant requirement of the Fourth Amendment. In an age where a cell phone can be considered a “feature of the human anatomy,” the ACLU maintained that owning one is hardly a choice and “users should [not] be required to disable the core functionality of their phone in order to avoid…warrantless surveillance.”
    The Ninth Circuit panel is expected to release an opinion in United States v. Gilton shortly. Other issues in Gilton – such as the applicability of the “good faith exception” in relying on a defective warrant and the Ninth Circuit’s requirement that a “compelling reason” must exist to create a circuit split – leave open the possibility that the Court may not reach the question of whether one can possess a reasonable expectation of privacy in CSLI. However, the Ninth Circuit is in the unique position of potentially being the first circuit court to find that CSLI is protected by the Fourth Amendment. Information privacy advocates should be following this case intently.
    Additional Sources:
    1. www.brennancenter.org/sites/default/files/Gilton%20Amicus%20Brief.pdf
    2. www.brennancenter.org/legal-work/usa-v-gilton-amicus-brief
    3. www.therecorder.com/id=1202781561237/Ninth-Circuit-Weighs-Privacy-in-Police-Cellphone-Tracking-Case?mcode=0&curindex=0&curpage=ALL
    4. www.washingtonpost.com/news/volokh-conspiracy/wp/2017/03/17/ninth-circuit-oral-argument-on-historical-cell-site-information/?utm_term=.92c7cc481b4c
    5. www.youtube.com/watch?v=SipCIWNsFts