Author: Ashley Jacques

Privacy Blog: Emails Closer to Warrant Protection as Enormously Popular Bill Advances

By: Inhwan Lee (Panel 2)

April 14th, 2016

Article: http://www.usnews.com/news/articles/2016-04-13/emails-closer-to-warrant-protection-as-enormously-popular-bill-advances

A legislation to amend the Stored Communications Act of 1986 was approved by the House Judiciary Committee unanimously and moved forward in the U.S. House of Representatives on April 13. 

According to the article, as for now, law enforcement and civil agencies can ask a service provider to turn over such aged private communications with only a subpoena, which is subject to less judicial oversight than a warrant.  However, the legislation would eliminate the present-day ability of government agents to acquire emails older than 180 days without a warrant.

Although a bill that was introduced previously was defeated last year and it is still uncertain whether the legislation will become law this time, it should be followed carefully whether such extension will bring the privacy protection that was intend to.  Further, as there are still controversy remains on the content of the bill, additional modification which might be occur during the legislative review should be carefully reviewed also.

Topic: Surveillance and the First Amendment

By: Adelaide Dunn, Panel 2

Post: Ryan Calo, “Tech companies may be our best hope for resisting government surveillance” Fusion.net (September 7, 2015)

http://fusion.net/story/193583/tech-companies-may-be-our-best-hope-for-resisting-government-surveillance/

This article is of particular note after the growing dispute between the FBI and Apple regarding encryption (and Apple’s message to its customers about this issue last month – http://www.apple.com/customer-letter/). Ryan Calo offers an alternative to the common accusation that tech giants have no regard for privacy rights, because of their financial dependency on gathering data from users. He argues that technology companies are acting instead as “data custodians” by formulating simpler encryption techniques and making those developments default on devices. This will make effective data protection available to all, rather than a specialized project for the privacy-minded and tech-savvy among us. Such ubiquitous encryption, Calo contends, is currently the most assuring shield against mass surveillance. However, there are still major systemic obstacles that society faces in challenging mass surveillance.

From a democratic perspective, the American population generally displays ambivalence towards the privacy issues raised by surveillance. Even if we elect privacy-conscious politicians, however, the intelligence community is still powerful, enormous and shrouded in secrecy. Political candidates lack access to this entity and do not possess the expertise or incentives to challenge it.

In addition, challenging surveillance on a Constitutional (or other legal) basis requires your knowledge of the specific surveillance in the first place. Those who are able to utilize the Fourth Amendment tend to have already been implicated in a crime. Furthermore, data that is stored online by third party service providers may be reachable by law enforcement agencies without a warrant, depending on what jurisdiction the third party server exists within. These assertions serve as a pragmatic reminder behind the complex discussions around the legality and constitutionality of mass surveillance.

Technological protections are available to encrypt communications and to hide online purchases and browsing behaviour. However, these are often complex to use and not tailored to specific privacy tasks that users attempt to achieve. Because technological protections are niche, their very use can place one on the government’s radar.

Due to these societal, institutional and technological challenges, shifts in tech giants’ policies and inventions regarding encryption remain promising. Perhaps, as the population becomes more educated and aggressive towards surveillance, privacy will become a stronger market force behind the development of communicative consumer products like smartphones, tablets and computers. That way, responses to consumer need by corporations like Google, Apple and Microsoft might be democratically as well as commercially productive.

Parental Eavesdropping: An Exception for “Best Interests”

Information Privacy Blog Post

By: Viviana Puchi

http://bigstory.ap.org/article/0ad56b89ebee4903a4bc53adb3bf7012/new-yorks-top-court-parents-can-legally-eavesdrop-kids

On April 5, 2016, the New York Court of Appeals ruled that parents can legally eavesdrop on a minor child’s phone conversations and record them if they “reasonably believe it would be in the child’s best interest.”[1] This creates an exception to existing New York law prohibiting the recording of conversations without the consent of at least one person on a call. The court adopted the doctrine of vicarious consent, drawing from the federal Wiretap Act, which allows for an exception for the interception of a communication where one of the parties has given prior consent.[2] The court looked to other state and federal courts that have held that a parent or guardian of a minor child can give vicarious consent on behalf of the child to the recording of conversations to which the child is a party, in the good faith protection of the child’s best interests. The court weighed the competing interests at stake and decided that children’s best interests and parents’ duties to protect their children outweighed the invasion of children’s privacy in this context. With this decision, New York joins about a dozen other states that have also recognized vicarious consent.

The eavesdropper in this case was the biological father of a five-year-old boy, who was attempting to contact the boy’s mother. After several unsuccessful phone calls, his call was finally answered but no one spoke to him. He could, however, overhear a conversation during which the boy’s mother and her boyfriend yelled at the child and mentioned beating him while he could be heard crying. The father, claiming concern about his son’s safety, recorded the conversation using the “voice memo” function on his cell phone. Several months later, the child was removed from the mother’s home after a severe beating, and he went to live with his father, who then notified the police about the recorded conversation he had. He did not incur liability for his eavesdropping, as the court ruled that his situation fell under the vicarious consent doctrine.

In explaining the elements of vicarious consent in this context, the court stressed the importance of a “good faith, objectively reasonable” basis to believe that a child’s best interests were at stake, noting specific circumstances such as suspicions of abuse. Mere curiosity about a child’s conversations will not suffice. It also stated that, when analyzing such cases, courts must consider the age and maturity of the child, though a specific age was not listed. Instead, the age and maturity question should turn on “whether the child is capable of formulating well-reasoned judgments of his or her own.” Though seeking to protect children’s best interests, opening up this new exception may create problems going forward, where it may be difficult to determine both good faith in protecting best interests and a child’s maturity level. In this particular case, the facts already raised questions about good faith, where the father did not notify authorities or share the recording until several months later. This raises questions about how carefully courts will examine good faith in the privacy context going forward.

Additionally, the court specified in its holding that a parent can create an audio or video recording under this vicarious consent doctrine, which may create further questions about privacy invasion going forward. One can imagine a future situation in which a parent, with the assistance of surveillance software, claims to suspect that their child is speaking with an abuser and records the child’s video chats, gaining even more private information than audio might provide and raising questions about the distinction between audio and video in privacy law.

This decision provides another example of ways in which surveillance can be excused. It highlights the difficulty of neatly carving out exceptions to privacy law that would not create loopholes subject to misuse or exploitation. As the dissent notes, it is also questionable whether the creation of such exceptions should be done by the courts or left to the legislature. Further, the case hints at the problem of anticipating future developments in technology that may alter our existing ideas about surveillance, an ongoing issue in information privacy law.

[1] See People v. Badalamenti, No. 71, 2016 WL 1306683 (N.Y. Apr. 5, 2016).

[2] 18 U.S.C. §2511(2)(d).

By: Samuel J. Beckerman

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/10/29/warrant-to-search-phone-did-not-allow-opening-folder-unlikely-to-contain-evidence-sought-court-rules/

The United States Supreme Court decided in the case of Riley v. California, that the warrantless search of the digital contents of a cellphone violates the 4^th Amendment, even if the search is incident to arrest, court have continued to push for privacy protections of cell phones.  Following this trend, a few months ago the Supreme Court of Colorado decided the case of People v. Herrera.  There the court decided that even with a valid search warrant, law enforcement officers were not permitted to open a digital folder that was no likely to contain the evidence which the warrant described.  While modern technology can present problems with the well-established particularity requirement of search warrants, this case presents a great example of a court applying traditional 4^th amendment law in the digital search context.

The case is about a young girl who reported to police that the defendant had been text messaging her in order to facilitate sexual interactions.  After a successful sting operation, the police were able to arrest the defendant and retrieved his cell phone.  Because of the restriction on searching the phone incident to this arrest after Riley, the police were able to seize the phone as evidence, but were not yet able to search it.  When the police finally did get a warrant to search the phone, the warrant only authorized them to look for evidence that the cell phone belonged to the defendant and evidence pertaining to illicit messages and photographs sent by him during the aforementioned sting operation (during which he believed he was communicating with another young girl who was actually a police officer).

The particularity requirement of search warrant requires law enforcement officers applying for a search warrant to describe, with as much detail as possible, the evidence they hope to, and expect to, find when executing that warrant.  When the police searched the phone, they found a messaging app, which organized messages by the name of the recipient.  Despite applying for a warrant to search only for the messages pertaining to the sting operation, the police found messages under the name of the original victim and open that file.  While the plain view doctrine indicates that evidence found while conducting a proper search is admissible in court, by the very act of opening the file which police had reason to believe contained evidence not described in the warrant, the search became unlawful according to the Colorado Court.  Unfortunately, this resulted in otherwise probative and damning evidence becoming inadmissible against the defendant.

While the Washington Post article reporting on this case, written by preeminent 4^th amendment and cybercrime scholar Orin Kerr, seems to argue that opening the file was not an issue of the particularity requirement, I think particularity still plays a role here.  A challenge to the particularity requirement, if successful, means that the warrant is invalid and any search conducted under its authority also invalid.  While Kerr claims that the reason the file couldn’t be opened was not the particularity requirement, I think there is another way to look at this issue.  The particularity requirement provides the police officer executing the warrant with a sense of scope as to what he can look for and where he can look for it.  By unreasonably exceeding this scope, the execution of the warrant is improper, thus the particularity requirement informs whether a search is proper or not.  Regarding the plain view doctrine, Kerr indicates that this doctrine is about warrantless seizures.  While this is true in part, the plain view doctrine as applied here, is more about a search which exceeds the scope of the warrant, and requires that the officer is conducting a lawful search while they merely stumble upon evidence, rather than going out of their way just to get that evidence which is not described in the warrant.

Kerr’s point about the evolution of the plain view doctrine in the context of digital searches here is worth noting.  Traditionally, a police officer looking for a car for example, cannot look in a matchbook, because a car “could” not be there.  These kinds of considerations and determinations are much harder to make in the digital context where a car’s worth of data can be stored in an extremely small container.  Thus Kerr points out that the Herrera court seems to be switching the analysis from whether the evidence “could” be in the area searched, to whether the evidence “would” be there.  Here, because the file was labelled with the name of the original victim, the court determined the search was improper because the evidence authorized by the warrant “would” not be there.  While the fact that huge amounts of data can be stored in tiny places might cut towards this analytic shift, the problem might be that this opens the door to evading an otherwise proper search for evidence merely by purposefully mislabeling a digital file.

By: Jeff Mudd

Article: http://blog.norml.org/2016/02/12/legalizing-marijuana-and-your-4th-amendment-protections/

The Fourth Amendment provides protections against unreasonable searches by law enforcement, but in many states where marijuana remains illegal, courts have consistently held that the smell of marijuana is sufficient probable cause to justify a warrantless search by law enforcement, or at least obtain a warrant without anything further. For example, an officer conducting a routine traffic stop may search the center console of the car if he purports to smell the requisite plant. The above article, written by NORML, a nonprofit working to liberalize marijuana-related issues, explores how Fourth Amendment jurisprudence will change when more states legalize marijuana use for medicinal and/or recreational use.

The Article criticizes law enforcement practice of lying about the smell of marijuana to conduct a further search. This raises issues related to profiling and arbitrary searches based on an officer’s often unfounded belief that more serious crime is afoot. The recent media attention given to the origins of the war on drugs corroborates these concerns. See Tom Lobianco, Aide Says Nixon’s war on drugs targeted blacks, hippies, CNN Politics (last visited March 30, 2016), http://www.cnn.com/2016/03/23/politics/john-ehrlichman-richard-nixon-drug-war-blacks-hippie/. The good news is that as more states legalize marijuana, this collateral abuse of Fourth Amendment doctrine will subside.

Jeff Mudd

Privacy Blog Post: Panel 4. By Clay Venetis

Gilford, New Hampshire Proposes Rules for Police Body Cameras, Including an Exemption to State Wiretapping Laws.

http://www.laconiadailysun.com/newsx/local-news/93405-body-camera-legislation-winds-through-state-house

The use of body cameras on police officers is a popular suggestion today for curbing misconduct. Local law enforcement departments like that in Gilford, New Hampshire are currently drawing up rules requiring officers to wear them. Yet such civil liberties-minded requirements may come in conflict with another central civil liberty – public privacy. Federal and state wiretapping laws generally prohibit recording interactions with individuals without consent – and a body camera would record many such interactions throughout the workday. Hence, the proposed rules in Gilford “exempts the use of body cameras from wiretapping laws” to avoid this conflict of laws.

Do we want body camera requirements at the expense of better protection of our communications with the police? How do we balance the interest of police accountability with the privacy of the individuals that officers confront?

It is important to note that at the federal level, there is no likely conflict. The Wiretap Act 18 U.S.C. §§ 2510-2522, which makes intercepting wire, oral or electronic communications unlawful, allows interception when one party consents. § 2511(2)(c).  Thus, the police consenting to record their interactions with the public would suffice to shield them from federal wiretapping violations.

Yet states have their own wiretapping laws. While many also provide an exception to the law when one party consents, twelve states do not have that exception (California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington). That is, twelve states require all parties to consent to the recording. This is why we mentioned above that the police department of Gilford, New Hampshire, needs to exempt body cameras from their wiretapping laws. The people on the street are parties to the interaction, and they will not always consent to the recording.

This conflict has already played out in the opposite scenario: when citizens secretly record police officers. Individuals in Massachusetts have been charged with violating state electronic surveillance laws after bringing forward hidden audio recordings of their interactions with police. See, e.g., Commonwealth v. Hyde, 750 N.E.2d 963 (Mass. 2001). If members of the public are liable for recording police officers while being arrested, the officers could very well be in violation when recording the individuals they are arresting.

Some states that require all parties to consent to the recording do have exceptions for public interactions, in which no party has a reasonable expectation of privacy in their conversations. For example, California’s wiretapping law does not protect “a communication made in a public gathering … or in any other circumstances in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.” Cal. Penal Code § 632(c). Therefore, in such jurisdictions, recording a police officer without interfering is likely lawful.

However, with respect to body cameras, much of the police officer interactions that implicate privacy concerns occur in non-public areas, such as the home, where the public will have a reasonable expectation of privacy. In these instances, the body camera requirements are more likely to conflict with wiretapping restrictions. Assuming an officer is in one’s home lawfully, is it also lawful for the officer to be keeping a detailed audio-visual record of everything inside the home, which can then be filed and referenced in the future? This also points to Constitutional concerns, such as the reasonableness of a search under the Fourth Amendment.

Therefore, in some states, a body camera requirement will have to include a wiretapping exemption, like that in Gilford’s proposed rule. In the body camera debate, we should ask ourselves whether we are comfortable with laws that may negatively implicate privacy interests in exchange for better police accountability. Not all civil liberties are compatible.

Other Sources:

Laws on Recording Conversations in all 50 States:

https://www.mwl-law.com/wp-content/uploads/2013/03/LAWS-ON-RECORDING-CONVERSATIONS-CHART.pdf

Police Body Cameras and Data Protection Standards in Maryland

By: Farzaan Ijaz

A recent article in the Baltimore Sun has brought attention to the substandard data privacy policies put into practice for police body cameras.[1] The recent call to an increase in the number of police body cameras circulated brings with it the issue of how to protect what will be massive amounts of data collected on citizens. Many people already show reluctance to increase the number of police body cameras in use because of concerns about how they made be intrusive to the lives of those people being recorded by the police. This fear becomes more of a reality if the collection of data recorded isn’t properly protected.

Given the massive amount of data, complexity of data protection issues and citizen fears, Maryland Police Training commission’s decision to forego a standardized policy in favor of allowing each agency to create their own set of security policies is a risky policy. Essentially, they have allowed for the creation of substandard cybersecurity policies to be introduced in a variety of different districts. Further, the headache involved with attempting to match protocols between different departments when they work together on one case will further increase the cost while continuing to leave significant cybersecurity risk present.

It would be one course of action if an alternative standard with a good reputation didn’t exist – but that’s where the FBI’s widely accepted and trusted Criminal Justice Information Services Division Security Policy (CJIS) for body camera recordings comes into play. It has the strongest set of security protocols available to protect sensitive law enforcement information. Further, they have an added layer of security by requiring routine audits and background checks for individuals working with this sensitive data.

It is worth noting that this policy Is not set in stone. The Maryland Police Training Commission has said that in regards to the Implementation and Use of Body Cameras by Law Enforcement Officers, they will study and outline best practices for the use of body cameras in Maryland. Given this willingness to change and learn, hopefully the data protection standards for this sensitive data are properly implemented.

[1] http://www.baltimoresun.com/news/opinion/oped/bs-ed-body-cameras-20151026-story.html

The FBI Operated a Child Porn Website for Nearly Two Weeks

By: Peter Steffensen

What are the lengths that the Federal Bureau of Investigation may go to in order to identify moderators and users of a prominent dark web child pornography ring?

That is the novel question arising from the FBI’s investigation into Playpen, a child pornography website that, for a 13-day period in 2015, Motherboard reports, was actually controlled by the FBI and run from FBI servers based in Virginia. The FBI’s actions have resulted in the identification of over 1,300 unique IP addresses and a (still-growing) number of indictments from a single warrant, issued in the Eastern District of Virginia, authorizing the searches related to the investigation.

In seizing Playpen, the FBI effectively converted the website into a “honeypot,” a term used in the computer security field to describe a mechanism for detecting and counteracting cyberthreats. Here, the FBI’s control of Playpen allowed it to deploy a “network investigative technique” (in other words, government-administered malware) onto users’ computers to uncover their real IP addresses, which almost assuredly would have been masked by some sort of anonymized routing technology, such as Tor.

The FBI has been severely criticized by a number of privacy advocates, who have suggested that the use of these techniques amounts to an “unprecedented” expansion of law enforcement surveillance powers. These advocates argue that the use of “powerful hacking tools” by the government to monitor and/or control a target computer system is something that requires both public debate and Congressional action.

Others have accused the FBI of being complicit in the distribution of child pornography during the 13-day period that the federal agency operated Playpen. The suggestion raises a fascinating question about means and ends. Though many, if not most, would categorically applaud a law enforcement agency for taking down a prominent child pornography ring, do the FBI’s steps here go too far?

Other, even murkier questions naturally follow: What type of internal assessments, if any, were conducted to determine the potential impact on victims? Were the “network investigative techniques” affirmatively deployed by the FBI covered under the scope of the authorizing warrant? Do its actions in the Playpen case allow the FBI to similarly operate, for example, the Silk Road in order to uncover the identities of drug traffickers? If so, what length of time, if any, is reasonable to achieve this goal?

Many of these questions are already being raised by defense counsel to several of those indicted in the investigation, and will hopefully be addressed by courts in the ensuing litigation. Importantly, this case may serve as a crucial proving ground for the ability of the FBI—and other law enforcement agencies—to utilize hacking techniques to discover, locate, and monitor potential criminals.

Legislators Continue to Drag Feet on ECPA Reform

By: Alex Schindler (Panel 4)

The way we transmit and store our information by electronic means has changed dramatically since 1986, so why hasn’t the Electronic Communications Privacy Act? As government surveillance powers and the technological means of exploiting them have expanded in three decades, an archaic loophole has remained, allowing law enforcement to subpoena or otherwise access “stored communications” older than 180 days with less than probable cause and a warrant. This remains law on the books even after the Sixth Circuit’s 2010 decision in United States v. Warshak granted email the same privacy protections due physical mail. As some would tell it, law enforcement agencies are to blame for the failure of Congress to fix this statutory oddity despite bipartisan support, popular pressure (at least since the Snowden revelations), and lobbying from civil rights advocates and technological industry leaders alike.

Bipartisan reform proposals have emerged in both the Senate and the House. Senators Patrick Leahy (D-Vermont) and Mike Lee (R-Utah) introduced the Electronic Communications Privacy Act Amendments Act (S. 356), which like its House counterpart the Email Privacy Act (H.R. 699, advocated by Reps. Jared Polis, D-Colorado, and Kevin Yoder, R-Kansas) closes the antiquated 180-day loophole. In December 2015, Slate reported that S. 356 had 25 cosponsors and H.R. 699 had 306—the latter constituting an easy House supermajority. Even the White House has been a voice in favor of increasing privacy protections in our digital ear: former Attorney General Eric Holder supported a warrant requirement for email searches in 2013, and President Obama’s “big data report” called for ECPA reform the following year.

Yet a vote on these ECPA reform bills has been consistently delayed for years. A markup and vote on the House bill is finally scheduled for April 13^th, and the markup will no doubt reflect the concerns of the institutions who have presented the major counterweight to a seemingly popular position: law enforcement agencies. They are also responsible for the many delays.

In September, an SEC director testified before the Senate that its investigations would be hindered if it could not easily access personal content stored by online service providers. Five months earlier, the agency’s chairperson Mary Jo White testified that its investigations would be hindered if it could no longer use its administrative subpoena power to access content information (one which hinges on a “relevance” standard rather than the stricter probable cause requirement envisioned by the reform). And indeed, such has been the pattern for years: despite an unusual confluence of interests between powerful corporations and civil rights advocates, the advocates of robust law enforcement powers have delayed and hobbled ECPA reform.

In two weeks we shall see whether markup of the House bill carves out exceptions for civil agency investigations, as demanded by the SEC. Either way, privacy advocates will continue to oppose ad hoc distinctions in the law regarding expectations of privacy in email and other digital communications, or special exemptions for government agencies.

Information Privacy Post

By: Paul J Mancuso

The Department of Justice recently dropped its case against Apple after the FBI managed to unlock the iPhone of one of the shooters in the San Bernardino terror attacks.  The DOJ had previously obtained a court order that would have required Apple to write software to access the iPhone.  However, the dispute between the technology industry and law enforcement over access to encrypted information is not over.  While the DOJ waged its public fight with Apple over access to the locked iPhone, the government considered how to resolve its separate standoff with Facebook over access to its messaging application, WhatsApp.

The DOJ is currently pursuing a criminal investigation in which a federal judge has approved a wiretap, but investigators are frustrated by WhatsApp’s encryption.  WhatsApp has “end-to-end encryption,” according to which only intended recipients are able to read the messages.  In contrast to the iPhone dispute, as The New York Times reports, the wiretap order and all of the information associated with it are under seal.  As Nate Cardozo comments for the Electronic Frontier Foundation, it appears that the DOJ has not yet asked the court for a follow-on order that would compel WhatsApp to decrypt the messages.  If the DOJ were to do so, it would base its motion on the “technical assistance” provision of the WireTap Act.

As The New York Times reports, “investigators view the WhatsApp issue as even more significant than the one over locked phones because it goes to the heart of the future of wiretapping.” Although for the past fifty years the DOJ has relied on the wiretap as a fundamental tool to investigate and fight crimes, law enforcement officials are nowconcerned that encryption technology renders useless wiretaps in the future.  As a result, it is expected that Senators Richard Burr and Dianne Feinstein of the Senate Intelligence Committee will soon introduce legislation that will expose technology companies to civil penalties for refusing to comply with court orders to help investigators access encrypted data.  Although Reuters reports that the proposal is unlikely to gain traction in the House of Representatives, which supports digital privacy in the wake of the Snowden revelations, Robert Litt, the top U.S. intelligence community lawyer, thinks “momentum on the issue could turn in the event of a terrorist attack or a criminal event where strong encryption can be shown to have hindered law enforcement.”

http://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html?login=email

http://www.reuters.com/article/us-apple-encryption-legislation-idUSKCN0WB2QC?feedType=RSS&feedName=technologyNews

https://www.eff.org/deeplinks/2016/03/next-front-new-crypto-wars-whatsapp

https//news.vice.com/article/fbi-unlocks-san-bernardino-iphone-and-drops-case-against-apple