Author: KStrandburg

Of possible interest from Omer Tene:  Established in 2013, the IAPP Westin Research Center was created to encourage and enable research and scholarship in the field of privacy. Each year, the IAPP welcomes two or more recent graduates to spend 12 months on site with our team, reporting to the VP of Research and Education, and working on a broad array of privacy research projects. The fellowship program, which bears the name of Dr. Alan Westin, serves as a pathway for future leaders who aspire to join the privacy community. The IAPP provides the fellows with ample opportunity to engage with the privacy community, participate and present in major conferences and events, and communicate on a daily basis with leaders of the profession from around the world.  The application process opens on January 1, 2014, and closes on February 28, 2014. Interviews will occur for some applicants in March, with final decisions expected at the end of March. Fellowship terms generally run from September through August of each year.  For additional details about the fellowship and application process see the fellowship website.

Available at:
http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning

In Buffalo, a 25-year-old guy logged in to his neighbor house’s Wi-Fi connection and downloaded child pornography through the wireless signal.

Firstly, the FBI agents suspected the homeowners. They denied and agents tapped away at the homeowner’s desktop computer, eventually taking it with them, along with his and his wife’s iPads and iPhones.

Within three days, investigators determined the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn’t him. About a week later, agents arrested the guy and charged him with distribution of child pornography. The case is pending in federal court.

Experts say the more savvy hackers can go beyond just connecting to the Internet on the host’s dime and monitor Internet activity and steal passwords or other sensitive information.

This case revealed two major issues. One is how to protect privacy of Wi-Fi users and the other is whether internet users are legally responsible to secure their wireless connections to prevent others from illegally downloading data.

Controversy over revelations regarding iPhone and iPad location tracking has been growing quickly. As the New York Times reports, the German, French, and Italian governments have either started or will soon start investigations into whether the tracking violates those countries’ respective privacy laws. In the United States, Senator Al Franken of Minnesota and Congressman Edward Markey of Massachusetts have sent letters asking for further explanation from Apple.

A letter from Apple’s general counsel to Congressman Markey last July suggests that the data is in fact being transmitted to Apple for use in its location-based services. However, the letter indicates that location data is anonymized and only collected when users agree to use location-based services. Last Friday, Google confirmed that it collected similar data from Android users for similar location-based service purposes, again anonymized and with user consent.

Some commentators have questioned the need for retaining the location data on users’ devices, arguing that it leaves them vulnerable to hackers who would be able to learn a user’s day-to-day movements. Others question whether users are fully informed about the extent of location tracking due to the sometimes-vague and difficult-to-understand privacy policies that describe its use.

The New York Times article also reports that the data has been used for law enforcement purposes, raising interesting questions about the applicability of the Stored Communications Act and the 4th Amendment to such data. Though the article doesn’t specify the legal basis upon which law enforcement gathered this data, it seems possible that the SCA would apply. Would a court hold that compelling Apple to produce such data under the SCA but without a warrant violates the 4th amendment, much like the compelled e-mail production in United States v. Warshak? On a related note, the ACLU recently reported that Michigan State Police officers have been using forensic cellphone analyzers to download the contents of smartphones during routine traffic stops. The ACLU has issued a FOIA request for more information on this practice, but the Michigan Police have requested over $500,000 from the ACLU to cover the costs of retrieving and assembling such documents. Given the recent revelations about location tracking on Apple products it seems plausible that such data collection from Apple users could include the location-tracking file, thus possibly giving the police information about the user’s every move for the past few months.

http://legaltimes.typepad.com/blt/2011/04/doj-pitches-gps-surveillance-case-to-supreme-court.html

http://legaltimes.typepad.com/files/doj_gps_cert.pdf

On Friday, the Solicitor General filed a certiorari petition with the Supreme Court to resolve a circuit split on whether a warrant is required for GPS surveillance. The case, United States v. Jones, involves the government’s use of GPS tracking technology to monitor a person’s movements on public roads for an extended period of time.

As part of an investigation into the defendant’s supposed narcotics distribution, the FBI placed a GPS tracking device on defendant Jones’s Jeep, tracking its movements 24 hours a day for 4 weeks. The FBI’s prolonged tracking of Jones without a warrant raised serious 4th Amendment and privacy concerns. On appeal of his conviction in the D.C. Circuit, Jones argued that the Government’s use of a GPS device constituted a violation of his reasonable expectation of privacy and was a breach of his 4th Amendment right. The Government relied on United States v. Knotts for the position that the tracking of a suspect on public roads does not constitute a search. In Knotts a beeper was placed in a container containing chemicals used in the production of methamphetamine to track the suspect’s vehicle from the purchase location to his cabin. The Court of Appeals held that Knotts did not control as it did not address the issue of a prolonged, dragnet type surveillance. The Court reasoned that while the movement of the defendant in Knotts, from one location to another, was readily exposed to the public, the totality of Jones’s movements over the course of a month was not. The aggregation of Jones’s movements for an entire month reveals intimate details that a single trip would not and therefore there was a reasonable expectation of privacy in those movements.

The D.C. Circuit’s adoption of this “mosaic theory” of privacy puts it at odds with the Seventh, Eighth, and Ninth Circuits, all of which permit warrantless GPS surveillance. The Government maintains that the D.C. Circuit’s contrary holding will hamper the ability of law enforcement to collect evidence to establish probable cause at the onset of an investigation. It also makes a slippery slope argument, fearing that wider acceptance of the “mosaic theory” will jeopardize other longstanding investigatory techniques used to collect public information on criminal suspects.

The Jones case presents the Court with the opportunity to revisit its thirty-year-old holding in Knotts and squarely address whether the aggregation of otherwise public information through sophisticated technological means changes the nature of a suspect’s privacy expectations. It remains to be seen whether the Court will, in Jones or a future case, follow the lead of a number of states that have imposed a warrant requirement in these circumstances.

Article Link: http://www.latimes.com/business/la-fi-do-not-track-20110406,0,3461978,full.story
Link to Bill: http://dist27.casen.govoffice.com/index.asp?Type=B_BASIC&SEC={2C530FAF-6F85-4236-BB30-293D33F815E5}

Continuing the groundswell of support for Do-Not-Track across the nation, California State Senator Alan Lowenthal (D-Long Beach) introduced legislation that would force Internet companies doing business in California to allow consumers to opt out of online monitoring. If passed, California would be the first state to have a do-not-track law. Lowenthal is hoping that passage in democratically controlled California could act as a “stimulus to the rest of the nation.”

The proposed bill broadly applies to all connected devices, likely requiring software updates to many existing smart phones, computers, tablets, and Internet TVs. It empowers the state attorney general to issue regulation requiring that websites give users a simple method to block tracking. The bill allows individuals and the state attorney general to target violations with civil suits.
The bill is backed by a number of advocacy groups, including Consumer Watchdog, Privacy Rights Clearing House, Common Sense Media, and the California Consumer Federation. However, the Interactive Advertising Bureau, a digital marketing industry group, criticized that a strict reading of the legislation, SB761, would prevent websites from collecting innocuous information that could hurt the user experience. IAB also believes that the bill could be an unconstitutional restriction on interstate commerce.

Available at: http://online.wsj.com/article_email/SB10001424052748703467304575383522318244234-lMyQjAxMTAxMDAwMzEwNDMyWj.html; Stalkers Exploit Cellphone GPS – Mobile Location Tracking – WSJ.com

In August of 2010, the Wall Street Journal reported that global-positioning-system (GPS) technology offered by cellular carriers is being used by stalkers. Although the technology is intended to rescue lost drivers, locate kidnap victims and enable other noble endeavors, it has had the unintended consequence of allowing stalkers to more easily track their victims. According to the article, cellular GPS technology has become the easiest, and possibly the most common, way for stalkers to locate their targets.

Certain carriers, such as AT&T, offered deals to consumers allowing them to “sign up” for these tracking services. However, although the carrier alerts phone users when tracking functions are activated, such users do not have the right to refuse to be tracked by the account holder. Their only option to avoid detection is to turn off their phone.

Carriers will also agree to deactivate GPS tracking functions if requested to do so by law enforcement officials. As of August 2010, no carriers had been asked to alter their GPS programs.

According to the article, the ease of access to GPS tracking capabilities is, in part, an unintended consequence of federal regulations that require the installation of GPS chips into cellular phones. The intent of these regulations was to allow easier access to emergency services, and the regulations have been largely successful in this area.

Unfortunately, GPS capabilities have also had negative consequences, as tech companies have found other uses for tracking data. For instance, software manufacturers have developed software that can be surreptitiously loaded on someone else’s cellular phone and used to track that person’s movements through the already-existing GPS technology. This allows any third party (i.e. someone other than the cellular carrier) to track someone else’s location. This unintended usage has proven especially problematic for victims of domestic violence, and has even driven certain domestic violence shelters to dismantle the phones of the victims who they house. These systems have also been abused by law enforcement officers who have reportedly used location data for personal reasons. They are able to do so because federal law allows carriers to turn such data over in emergencies without subpoenas, but carriers are unable to verify whether an emergency situation truly exists.

Available at:
http://www.cnn.com/2011/TECH/mobile/03/31/google.face/index.html; Google making app that would identify people’s faces – CNN.com

Google has announced that it is working on a mobile application that would allow users to take pictures of people’s faces in order to access their personal information. The product would include a user’s name, phone number, and e-mail address, but Google has not indicated what other personal data might be available. Indications are that the system could be programmed to obtain publicly available pictures from third-party websites, such as Facebook.

Privacy advocates have expressed concern with this ability, especially in the wake of Google’s recent privacy “missteps.” For example, Google recently settled over grievances relating to its social networking service, Buzz. Google is also in the midst of inquiries by numerous government agencies concerning its Street View program.

Perhaps in response to privacy concerns, Google plans to use an “opt-in” model, whereby people would have to agree to give Google permission to access their personal information via facial recognition. Although this would limit the application’s utility, Google foresees many circumstances in which people would agree to be found.

Google Book Search allows anyone to search a massive library of books that Google has scanned. A few years ago, the Authors Guild sued Google to stop the project and various settlement agreements have subsequently been proposed. Judge Denny Chin recently rejected the latest settlement agreement.^[1] Though he suggested that the opt-out provision, allowing Google to scan any work unless the right holder opts out, was the main reason for rejecting the settlement, Chin also stated that “the privacy concerns are real.”

Chin noted the concern that the settlement agreement does not limit what reader information Google can track, potentially allowing Google to create detailed profiles of its readers. Chin also noted issues as to whether and to what extent Google could share such information with others. Finally, though not in the opinion, some have voiced concern over transparency with what the privacy policies will be and how much control users will have over their privacy settings.^[2]

Despite the privacy concerns, Chin apparently does not believe “they are a basis in themselves to reject the proposed settlement.” In coming to this conclusion, Chin notes Google has obliged itself to follow voluntary safeguards. But while Google has previously offered assurances that the “principles” of its normal privacy policy would apply to Book Search, it has declined to offer specific details. Google has also suggested it cannot develop an adequate privacy policy until it finishes developing Book Search, though few would argue Book Search is currently so undeveloped that it does not require any consideration of privacy.

While privacy issues may not be the deciding factor in the Google Book Search settlement, and Google has certainly sought to downplay them, they will undoubtedly become an important issue once the legal issues are resolved and the practical problems with the project must be dealt with.

1 See http://thepublicindex.org/docs/amended_settlement/opinion.pdf.
2 See http://www.aclunc.org/issues/technology/google_don’t_close_the_book_on_reader_privacy.shtml

The Chinese Government has announced plans to track 1.7 million cellphone users in Beijing through location technology, in order to help city authorities better manage traffic (see http://www.bjjtgl.gov.cn/publish/portal1/tab165/info23222.htm). However, this raises concerns that the government may abuse this technology for surveillance purposes, infringing a variety of human rights.

China maintains a tight grip on the flow of information within and out of the country. It has already blocked sites like Youtube and Twitter, driven Google China out of the mainland and into Hong Kong, and even required telecommunications operators and internet service providers to cooperate with the State in locating leaks of state secrets:

http://www.nytimes.com/2009/07/07/world/asia/07beijing.html

http://au.ibtimes.com/articles/21189/20100428/china-telco-isps-communication-information-control-censorship-google-yahoo-facebook-twitter-internet.htm

With the Chinese government now engaging in such highly comprehensive cellphone tracking, a number of human rights concerns arises, including the possibility of political dissenters being monitored and tracked as the government clamps down on its critics. Apart from its judicial branches of government, Chinese citizens can also make claims, “petitions”, to the highest level of government seated in Beijing. Through its many tactics of getting rid of petitioners, the most heinous is tracking down these individuals, arresting them for social disturbance or throwing them in mental institutions (see http://www.unhcr.org/refworld/docid/4c05091b19.html). Cellphone tracking, although politically neutral on its face, can at best chill free speech and peaceful protests (i.e. Jasmine Rallies), at worst, allow government officials and police to have easier access to dissidents.

Of course, it could be argued that, on a daily basis, individual privacy is hardly interfered with if cellphone tracking is used for its asserted purpose – after all, each person would merely be one of 1.7 million other “trackees” in one of the most densely populated cities in the world. Furthermore, it has been well documented that Beijing has one of the world’s biggest problems with traffic (http://www.bbc.co.uk/news/world-asia-pacific-11062708). Last August, there was a nine-day traffic jam that stretched 100km just outside of Beijing. However, it is questionable what tracking cellphones can really do to aid traffic flow. The main problem is the amount of cars on the road — better solutions should target a reduction of cars, rather than simply band-aid solutions to track individuals.

Further, if tracking were really implemented concerns do arise where “targeted” rather than simply “general” cellphone tracking takes place — a capacity that both the Chinese and all other governments possess, and is highly susceptible to abuse.

For more information:

http://voices.washingtonpost.com/posttech/2011/03/china_said_it_may_begin.html