Category: Uncategorized

  • PRG News Roundup: April 4

    The U.S. District Court for the District of Columbia issued a decision in Sandvig v. Sessions. The case pitted the First Amendment against data privacy concerns, and the decision has garnered interest and some criticism.

    Facebook says it will not apply some GDPR protections to US citizens.

    The Wall Street Journal reported on efforts to incorporate facial recognition technology into surveillance and police body cameras.


  • PRG News Roundup: Jan. 24

    The United States Department of Education issued a letter to Agora Charter Schools telling them that they cannot require parents to use an online service that would require them to waive their rights under FERPA.

    FISA section 702 was extended.

    Times of India reports that the Indian Supreme Court “said apprehensions of profiling of citizens on the basis of Aadhaar data is a serious issue that needs examination”

  • PRG News Roundup 11/15

    Emiliano Falcon and Eli Siems contributed

    A recent op-ed in the New York Times assailed the academic community for being asleep at the wheel on the critical study of algorithms and of technology more broadly. Meanwhile, NYU officially launched the AI Now Institute for the study of the social implications of AI.

    News from the Internet of things: an app-integrated remote control sex toy was secretly recording audio and usage data; the FDA approved digital “Smart Pills.”

    Some Facebook users have noted that the site’s “People You May Know” feature has become strikingly, and sometimes inexplicably, accurate. It seems that the company uses “shadow profiles” that are “built from the inboxes and smartphones of other Facebook users”.

    Rhizome ArtBase is accepting proposals for papers, presentations, and scholarship on the ethics of archiving the web.

    Less than a month after it went on sale, Apple’s Face ID, the newest feature of the iPhone X, got hacked by a Vietnamese security company. They used a 3D printed mask to fool the camera. Apple declined to comment, and some people are skeptical about the threat.

  • PRG News Roundup: April 26


    By Eli Siems


    U.K. Parliament concluded an inquiry into algorithmic decision-making. James Davenport contributed.

    Buzzfeed is building a team of writers to “sell you stuff you didn’t know you wanted,” mainly by producing its familiar lists and slideshows about products and linking to partners such as Amazon.com. The company hopes users will share these ads on social media as they would any other Buzzfeed piece.

    Unroll.Me, a service that unsubscribes users from mailing lists, has been scanning people’s inboxes for items such as Lyft receipts and selling that data to interested parties.

    A new class-action suit alleges that the Bose Connect app secretly gathers a broad swath of user data, which the headphone company then shares with third parties.

    Lambda Legal has filed suit against Puerto Rico and Idaho for policies forbidding transgender people from changing the gender on their birth certificates.

    A German court ordered Facebook to stop mining users’ WhatsApp data because the company had failed to obtain genuine user consent.


  • PRG News Roundup: April 12


    by Caroline Alewaerts

    Research from New York University and Michigan State University reveals that smartphone fingerprint sensors may not be as secure as we think. The researchers managed to digitally create synthetic partial fingerprints (“MasterPrints”) that could match real fingerprints up to 65% of the time. The attack exploits the small size of phone sensors: they capture only a partial print, and a phone typically enrolls several partial impressions of each finger, so a synthetic print need only match any one of them to unlock the device. Although not tested in real-life conditions, the research still raises questions about the security of smartphones that rely on fingerprints.

    Germany is about to introduce a new law designed to regulate hate speech on social media platforms. The draft law will require social media networks such as Facebook and Twitter to remove manifestly illegal content within 24 hours of receiving a notification. Under this new legislation, failure to comply with this obligation will expose the social media company to fines of up to €50 million (about $53 million).

    Burger King launched a controversial TV ad this Wednesday that takes control of your Google Home device. In the commercial, the actor asks “O.K. Google, what is the Whopper burger?”, which automatically activates any Google Home device located near the TV and makes it recite the burger’s ingredients from Wikipedia. Burger King neither contacted Google nor obtained its approval before launching the ad, and it seems that, by Wednesday afternoon, Google Home devices had stopped reacting to it. Some argue that this kind of ‘hijacking’ of smart home speakers may constitute unauthorized access prohibited under the Computer Fraud and Abuse Act.

  • Kartik Prasad Blog Post

    Kartik Prasad

    Information Privacy Law

    Professor Ira Rubinstein

    April 12, 2017

    Transparency Reports and the FREEDOM Act.

    The Snowden revelations showed how Section 215 of the USA PATRIOT Act was used by the NSA for the bulk collection of phone metadata. The FREEDOM Act (the Act) sought to curtail this practice by banning the NSA from collecting the metadata directly. Now its role is limited to approaching service providers with FISC-approved specific selection terms supported by reasonable articulable suspicion, as opposed to simply gathering all the metadata itself. This article uses the latest transparency reports to show how, despite the ban on bulk collection, the same result is still achievable today. This is because the Act only shifts the burden of collection onto the service providers, while the law silently permits the government to obtain the same data from those providers.

    The Act also imposes transparency requirements on the Foreign Intelligence Surveillance Court (FISC), which otherwise has a long (and notorious) history of secrecy. Thanks to the Act, the FISC’s significant opinions must now undergo declassification review and be published, at least in summary form. Interestingly, pursuant to the FREEDOM Act, many data companies have started issuing their own transparency reports. These are published so that such companies can be more transparent with their customers about disclosures made to the government. More pertinently, these transparency reports show a number of subpoenas and national security letters, together with the gag orders that forbid disclosing them.

    There is ample legislation allowing the FBI and other government agencies to issue subpoenas to service providers, requiring them to hand over their users’ information. What is important is that, with regard to phone metadata, old Supreme Court precedent does not accord any Fourth Amendment protection to it. This is because information that is given to third parties, such as phone operators and banks, does not carry a reasonable expectation of privacy (see Smith v. Maryland and U.S. v. Miller). While circuit courts have questioned the applicability of this doctrine in modern times, the fact remains that the Court has not overturned it, and enforcement agencies can continue to use it to their advantage.

    The transparency reports show how these subpoenas can be overbroad, and how they can be used to achieve what the Act sought to ban. Recently, Signal, a messaging app, was served with a grand jury subpoena from the Eastern District of Virginia demanding its records relating to a targeted user of the app. Unsurprisingly, this subpoena came with a gag order. However, Signal keeps no log of its users’ communications; the only records it could produce were the date an account was created and the date it last connected to the service. Signal fought the gag order and had it lifted on account of it being overbroad. Apart from Signal, there seems to be a growing trend of tech giants such as Yahoo and Google disclosing the NSLs they have received, which indicates that they were successful in getting the accompanying gag orders lifted.

    However, there is a larger issue in the facts above. It is clear that passing the burden of collection onto third-party service providers was not done with the intention of preserving privacy. To the contrary, it seems to have been engineered by the government to legitimise its exposed and questionable information-collection tactics. Instead of collecting the information itself, the government may serve the service providers with a subpoena or NSL and gain the information without any prior judicial oversight. This highlights a great inadequacy that the FREEDOM Act failed to address. However, the increasing disclosure of NSLs in transparency reports indicates a growing sentiment that the shroud of secrecy around data gathering by federal agencies can be excessive.

    Sources:

    https://techcrunch.com/2016/12/13/google-national-security-letters/

    https://techcrunch.com/2016/06/01/usa-freedom-act-allows-yahoo-to-disclose-3-national-security-letters/

    https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/

  • Junjie Yan: Blog Post

    Junjie Yan

    Information Privacy Law

    Professor Ira Rubinstein

    April 13, 2017

    Title of Blog Post: Implications of the upcoming repeal of Internet privacy protections

    Article: Brian Fung, The House just voted to wipe away the FCC’s landmark Internet privacy protections Wash. Post (Mar. 28, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/the-house-just-voted-to-wipe-out-the-fccs-landmark-internet-privacy-protections/?tid=a_inl&utm_term=.834762cb113f

    Blog Text:

    Congress sent a joint resolution of congressional disapproval of the FCC’s landmark broadband privacy rules to the White House.[1] The moment President Trump signs the resolution, internet service providers (ISPs) are officially relieved of the FCC privacy compliance burden and may collect, use, and sell the personal information, browsing history, app usage history, and the content of messages, emails and other communications of internet users. Without the online privacy protections promoted by the previous Democratic administration, the balance between the commercial benefit of ISPs and the privacy of internet users leans significantly towards the former.

    The repeal of the broadband privacy rules may not be an entirely unexpected action in this administration. President Trump’s job-creation slogan has indicated that business entities are likely to face fewer regulatory restraints. The White House’s criticism that the FCC departed from the technology-neutral framework for online privacy established by the FTC could be regarded as a precursor of the ISPs’ lobbying success.[2] However, despite the public concern about privacy invasion through foreseeable increases in targeted advertising,[3] there may be more privacy problems for civil liberties groups to worry about from the national security surveillance perspective.

    Ever since the 9/11 tragedy, the FBI’s surveillance power has been substantially expanded by the USA PATRIOT Act. Even before the USA PATRIOT Act came into force, 18 U.S.C. § 2709 of ECPA’s Stored Communications Act already enabled the FBI to compel ISPs to release customer records that were relevant to an authorized foreign counterintelligence investigation. The FBI could obtain such records without a court order by certifying that “there are specific and articulable facts giving reason to believe that the person or entity to whom the information sought pertains is a foreign power or an agent of a foreign power.” However, Section 505 of the USA PATRIOT Act eliminated the “specific and articulable facts” requirement and provided for a gag order forbidding ISPs from disclosing the FBI’s access to the records, making it easier for the FBI to gather information without strict scrutiny.

    Now that the privacy obstacles have been removed, ISPs will naturally build more comprehensive user databases for commercial purposes, which could further expand the FBI’s surveillance scope: much more user information could be revealed through National Security Letters (NSLs). Even though an NSL recipient may seek judicial review after the fact and the Justice Department’s Inspector General audits the FBI’s use of NSLs, the concentration of user data creates increasing risks of privacy violation. First, by issuing NSLs to ISPs, the FBI may be able to build bulk surveillance of online activity on top of the data processing that the repeal of the FCC privacy rules incentivizes, and the public could be kept in the dark about its scale and capacity for a long time. Moreover, the more concentrated our information is, the more damage a leak of it will cause. Leaks are an inherent risk for anyone who retains information and have long been part of the political ecosystem. A richer database can only magnify the damage of a possible leak.

    It is undeniable that most aspects of our daily lives leave traces on the internet. As ISPs’ information-gathering capacity surges, unless national surveillance power is correspondingly limited under the current regulatory scheme, perhaps George Orwell’s fear will become reality.

    [1] https://www.whitehouse.gov/the-press-office/2017/03/28/statement-administration-policy-sjres-34-%E2%80%93-disapproving-federal

    [2] http://www.foxbusiness.com/politics/2017/03/28/house-approves-bill-to-overturn-fcc-privacy-rule.html

    [3] https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/republicans-are-poised-to-roll-back-landmark-fcc-privacy-rules-heres-what-you-need-to-know/?utm_term=.c587684f5232

  • Ambar Bhushan: Blog Post

    Ambar Bhushan

    Information Privacy Law

    Professor Ira Rubinstein

    April 13, 2017

    Lone Wolf 4th Amendment Challenge To NSA Bulk Data Collection Put On Ice

    Tennessee lawyer Elliot Schuchardt’s lawsuit alleging that the NSA was collecting and storing “massive quantities of email and other data created by United States Citizens” has been removed from the District Court’s active docket, The Pennsylvania Record reports.

    On March 16 2017, Judge Cathy Bissoon of the Western District of Pennsylvania issued an administrative closing in the suit, subject to Schuchardt’s next filing with respect to the Government’s motion to dismiss. The case may also be reopened sooner, if either party has reason to so move the District Court.

    Schuchardt’s lawsuit, originally filed in June 2014, named former POTUS Barack Obama, former National Intelligence Director James R. Clapper, FBI Director James B. Comey and NSA Director Michael S. Rogers as defendants.

    On September 30, 2015 Judge Bissoon dismissed the suit for plaintiff’s lack of standing, finding that Schuchardt failed to identify facts indicating that his own communications had been targeted, seized, or stored.

    On October 4, 2016 The Third Circuit vacated Judge Bissoon’s order, finding that Schuchardt’s second amended complaint contained sufficient factual allegations to implicate his 4th Amendment Rights. In coming to this conclusion, the Third Circuit focused on the second amended complaint’s characterization of the NSA’s PRISM program as a “dragnet” that collects “all or substantially all of the e-mail sent by American citizens by means of several large internet service providers.” At oral argument, Schuchardt conceded that his claims regarding the bulk collection of telephonic metadata were moot in light of the USA Freedom Act of 2015. The Third Circuit also made it explicitly clear that it was not concluding that Schuchardt had standing, and that the Government was “free to make a factual jurisdictional challenge to the pleading.”

    Schuchardt’s complaint, which arose in the wake of the Snowden Revelations, was amended again in January 2017. In its latest iteration, the complaint alleges that Executive Order 12333, Section 702 of the FISA Amendments Act of 2008 and Section 215 of the USA PATRIOT Act violate Schuchardt’s 4th Amendment rights.

    The Third Circuit remanding the lawsuit and the subsequent administrative closure, however, should not be taken as indicative of the merits of Schuchardt’s claims, nor color the motives of the Government or the District Court. While some may be excited by the Third Circuit affording Schuchardt an outside chance in his crusade, and tempted to cry foul at the administrative closing, it is important to remember that the re-authorization of Section 702 of FISA is due at the end of 2017.

    It is likely that the administrative closing came in the wake of the House of Representatives’ March 1 hearings on Section 702 of FISA. The current indeterminacy of the law, and therefore, its bearing on Schuchardt’s case are the likely culprit for the case being put on hold, and not some sort of political intrigue.

    While the outcome of the legislative deliberations on Section 702 is uncertain, one thing is clear: Elliot Schuchardt is not quite done amending his complaint just yet.

    Sources:

    http://pennrecord.com/stories/511101834-judge-orders-administrative-closing-of-attorney-s-online-privacy-lawsuit-against-obama-national-intelligence-officials

    http://law.justia.com/cases/federal/district-courts/pennsylvania/pawdce/2:2014cv00705/216897/28/

    http://law.justia.com/cases/federal/appellate-courts/ca3/15-3491/15-3491-2016-10-05.html

    http://schuchardtlaw.com/elliot-schuchardt.html

    http://schuchardtlaw.com/Contact.html

    https://judiciary.house.gov/hearing/section-702-fisa-amendments-act/

    https://arstechnica.com/tech-policy/2014/10/lone-lawyer-sues-obama-alleging-illegality-of-surveillance-programs/

  • Cecilia Coelho Romero: Blog Post

    Cecilia Coelho Romero

    Information Privacy Law

    Professor Ira Rubinstein

    April 12, 2017

    The end of unrestrained bulk metadata collection after Snowden’s revelations

    The USA PATRIOT Act, enacted in response to the 9/11 terrorist attacks, allowed bulk metadata collection through its Section 215, which generated much debate in American society about the proper balance between national security and civil liberties. 50 U.S.C. § 1861, also known as Section 215 of the USA PATRIOT Act, granted U.S. surveillance agencies access to individuals’ records (namely books, papers, documents, tax returns, among others) under relatively low scrutiny, for purposes of international terrorism investigations.

    Although the Title included language providing that investigations must be conducted under guidelines approved by the Attorney General, and required that such examinations not be conducted solely upon the basis of activities protected by the First Amendment when targeting U.S. citizens, its business records provision was broadly interpreted by the National Security Agency (NSA) to include the vast collection of phone records of Americans who were not necessarily under investigation. According to Edward Snowden’s revelations, on May 24, 2006, the Foreign Intelligence Surveillance Court (FISC) approved an FBI application for an order, pursuant to 50 U.S.C. § 1861, requiring Verizon to turn over all telephony metadata to the NSA. The court later approved the same measure for all major US telecommunications service providers, and the collection was renewed by the FISC more than thirty times over the course of seven years. Almost all of the information obtained related to the activities of persons who were not the subjects of any investigation[1].

    This bulk-collection program remained secret until mid-2013, when it came to light through a combination of Edward Snowden’s leaks and Freedom of Information Act litigation launched by the Electronic Frontier Foundation. As a result, more than twenty bills were written in an attempt to restore civil liberties, and in June 2015 the USA FREEDOM Act was enacted. The Act imposes some new limits on the bulk collection of telecommunications metadata about U.S. citizens, including a prohibition on any tangible-things production order unless a specific selection term is used as the basis for the production, which must be associated with a foreign power or an agent of a foreign power engaged in international terrorism or activities in preparation for such terrorism[2]. In short, Americans have not blindly accepted the provisions of the USA PATRIOT Act, and through local and civil liberties organizations have vigorously voiced their opposition to the use of external threats and fear to undercut individual freedom.

    References:

    [1] Bulk Metadata Collection: Statutory and Constitutional Considerations, 37 Harv. J.L. & Pub. Pol’y 757, 767

    [2] H.R.2048 – USA FREEDOM Act of 2015 – Available at: https://www.congress.gov/bill/114th-congress/house-bill/2048

    * LL.M Candidate at NYU School of Law

  • Jian Wu Blog Post

    Jian Wu

    Information Privacy Law

    Professor Ira Rubinstein

    April 11, 2017

    Title of Blog Post: China’s Cybersecurity Law Goes into Effect June 1, 2017

    Article: Katherine W. Keally, China’s Cybersecurity Law Goes into Effect June 1, 2017—Are You Ready?, NACD Online (March 21, 2017), https://blog.nacdonline.org/2017/03/chinas-cybersecurity-law-goes-into-effect-june-1-2017-are-you-ready/

    Blog Text:

    The Cybersecurity Law of China, promulgated by the Standing Committee of the National People’s Congress, will become effective on June 1, 2017. [1] This new Law reflects China’s desire for cyber-sovereignty and requires network service providers in China to participate in the protection of national cybersecurity. [2]

    This Law has a very broad scope and potentially far reaching effect.  Key provisions of this Law that may potentially affect multinational companies doing business in China are summarized as follows.

    1. Data localization

    Article 37 of the Law requires that “Critical Information Infrastructure” (CII) operators store within the territory of China all Personal Information and other important data gathered or produced there. Where it is “truly necessary” for business reasons to transfer such data outside the mainland, Article 37 requires a security assessment conducted under measures set by the national cyberspace authority, in effect a form of prior government approval.

    “CII” is broadly defined under Article 31 as “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security.”  “Personal Information” is defined under Article 76 to cover all kinds of information that, taken alone or together with other information, “is sufficient to identify a natural person’s identity, including but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.”

    Given the broad definitions of CII and Personal Information, it appears that any type of company operating in China that relies on the telecommunications network for its operations or provision of services could fall within the scope of this Law and thus might be barred from transferring data outside China without prior approval. [3]

    2. Support for Chinese security authorities

    Article 28 of the Law provides that “Network Operators shall provide technical support and assistance to the public security authorities and state security authorities” for the purposes of upholding national security and investigating crimes.  “Network Operators” is defined under Article 76 as “network owners, administrators and network service providers.”  The Law does not specify the types of “technical support and assistance” required.

    It is worth noting that the final version of the Law has removed the requirement under an earlier draft for a Network Operator to provide decryption assistance and backdoor access.  However, it is not clear whether in practice the authorities would direct the relevant Network Operator to provide such assistance. [4]

    3. Certified network equipment and products

    Pursuant to Article 23, critical network equipment and specialized network security products must satisfy national standards and mandatory requirements, and be security certified or tested by a qualified body before being sold or provided in China. In other words, foreign hardware and software suppliers, even without a presence in China, may also be subject to China’s certification regime so long as they supply equipment or products to CII operators.

    Besides the above provisions, the Law also contains various provisions devoted to personal data protection.  For instance, Article 43 grants users the right to request the network operators to delete their personal information or to make corrections, which seems to echo the “right to be forgotten” under the European regime.

    Due to the broad applicability of this Law, detailed implementing regulations are expected in the near future. On April 11, 2017, the Cyberspace Administration of China published a consultation draft of the Measures for Security Assessment of Cross-Border Transfer of Personal Information and Important Data to seek opinions and suggestions from the public. [5]

    [1] A full text of this law in Chinese can be found at http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm; its unofficial English translation can be found at http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en.

    [2] See also Sarah Zhao and Stephanie Sun, What’s in China’s New Cybersecurity Law (Apr. 7, 2017), https://www.faegrebd.com/whats-in-chinas-new-cybersecurity-law.

    [3] See also Final Passage of China’s Cybersecurity Law (Nov. 25, 2016), http://www.bakermckenzie.com/en/insight/publications/2016/11/final-passage-of-chinas-cybersecurity-law/.

    [4] Id.

    [5] The Chinese version of the news can be found at http://tech.sina.com.cn/i/2017-04-11/doc-ifyecezv3062359.shtml.