
  • February 20 PANEL 09

    Yael Tzipori

    http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/02/06/no-fourth-amendment-right-in-metadata-embedded-in-posted-photo-court-holds/

    On January 30, 2014, a judge of the Southern District of Texas determined that there is no reasonable expectation of privacy in the metadata embedded in a photograph posted on the Internet. The defendant in the case, United States v. Post, had uploaded child pornography images to a website, and investigators used publicly available software to scan at least one photograph for the precise location of where the photograph was taken. The photograph had been taken with a cell phone. When a cell phone is used to take a photograph while the location services feature is set to “on,” the camera will store the information from the phone’s GPS in the image file. Investigators were able to scan the image and determine the location at which the photograph was taken, and the location led them directly to the defendant.

    The defendant acknowledged that he had no expectation of privacy in the image itself, which had been voluntarily uploaded to the Internet, but argued that he did have a reasonable expectation of privacy in the metadata (the location information) embedded in the image because he had not intended for that information to be made public. The district court judge stated that there was no basis for dividing the image up based on the type of content it contained–when the defendant made the image publicly available, he relinquished his right to privacy in any of the information contained in that image. The judge analogized the situation to one in which a defendant voluntarily leaves his clothing at a crime scene, but does not realize that he has also left DNA evidence on that clothing. Leaving the clothing in a public place causes the defendant to relinquish any privacy interest in information contained on the clothing, “regardless of how he contemplated that clothing could be used.” Such a conclusion, said the judge, was equally applicable to the defendant in Post.

     

     

    Daniela Badiola

    States Address Privacy Concerns

    Post-Snowden revelations, states have taken it into their own hands to increase the privacy protections of citizens and individual residents. The states taking this action, by enacting stronger privacy protection legislation, are mainly addressing two issues: 1) the courts’ hesitancy to adapt fourth amendment jurisprudence to technological advances that create the capability to store & collect unprecedented amounts of data; and 2) the federal government’s inertia in amending privacy protecting legislation to reflect modern technological use & societal norms.

    In this week’s readings we have seen that while some courts recognize that new uses and dependence on technology render law like Smith to be irrelevant or wholly distinguishable regarding the NSA’s collection of metadata (Klayman v. Obama, 2013), others cling on to strict analogies to letters and telephones which could only be used to make phone calls (ACLU v. Clapper, 2013). As a result, 4th amendment jurisprudence regarding mobile phones, which serve as mini personal computers rather than simple telephones, is extremely confused. In addition, legislation such as the Electronic Communications Privacy Act (ECPA) is inadequate in today’s context of mass data. As a result, states are fighting back.

    In Arizona and Tennessee, state legislators have proposed, and will likely pass, legislation that bars the state from providing material support to the NSA. In addition, data collected without a warrant cannot be used as evidence in state court. The evidence ban creates a bright line test in the face of confused jurisprudence regarding an individual’s right to privacy from the government.

    In New Hampshire, a proposed bill requires that law enforcement obtain a warrant before searching “information in an electronic portable device.” This mirrors the holding in US v. Wurie (2013) which found that evidence found when a cop searched an arrestee’s phone without a warrant violated the 4th amendment. However, on appeal this might be reversed and other courts might disagree. New Hampshire’s law provides clarity. In addition, New Hampshire is also proposing a bill that will protect “expectation of privacy in personal information, including personal identifiers, content, and usage, given or available to third-party providers of information and services, including telephone; electric, water and other utility services; internet service providers; social media providers; banks and financial institutions; insurance companies; and credit card companies.” This is a necessary slap in the face to the third party doctrine – which taken to its extreme in today’s digital world – diminishes the 4th amendment protections to a mere novelty.

    Relying on out-of-date precedent, ignoring the modern reality that communication of information is not truly voluntary if one wants to participate in society, and not acknowledging the unprecedented scope of data collection possible using previously acceptable devices, courts have not adapted 4th amendment jurisprudence to adequately protect the privacy of American citizens. In its current gridlock, Congress cannot be depended upon to make sweeping changes either. As a result, the states have stepped up to the plate. Although this is of little condolence to one interacting with a federal court, it is a step in the right direction.

     

     

    Kevin Thomas

    http://www.dotnews.com/2014/sj-court-decision-impacts-04-savin-hill-murder-trial

    A decision by the Massachusetts Supreme Judicial Court has the effect of throwing out “key evidence” against the defendant from a 2011 murder trial. The decision focused on law enforcement access to cell-site location information (CSLI). More specifically, whether the government needed to meet the traditional “probable cause” requirement for obtaining a warrant, or whether a court order for the information could be obtained through the much less demanding “specific and articulable” facts standard.

    Here the majority found that CSLI, as with GPS in Massachusetts, implicates the constitutionally protected interest of a reasonable expectation of privacy in one’s personal movements. It chose not to apply the same third party doctrine used in Smith v. Maryland and United States v. Miller to the acquisition of CSLI. Interestingly, the dissent distinguished the use of “call CSLI” wherein a user’s location is recorded during phone calls and “registration CSLI” in which the phone’s location is transmitted automatically every seven seconds.

    The District Attorney noted that, because of the gray area in the law, police have been obtaining warrants for this kind of information for years. As a result, this ruling will not impact very many criminal cases in Massachusetts.

     

     

    Jessica Heller

    http://www.nytimes.com/2013/09/10/business/the-border-is-a-back-door-for-us-device-searches.html?pagewanted=2&_r=0&hp

    This article discusses the ways in which the government can use border crossings to perform warrantless searches and seizures of electronic devices.

    The article specifically focuses on the case of David House, a former fundraiser for Bradley Manning’s legal defense, and the government documents that were released as part of House’s legal settlement with the Department of Homeland Security.  The government tagged House as a ‘person of interest’ because of his connection with Private Manning.  As a result, when House flew from Mexico to the U.S., immigration officials seized his computer without a warrant and performed a thorough search.  The documents revealed that after searching over 26,000 of House’s files, there was no evidence of any criminal wrongdoing.

    Though the government may lawfully perform warrantless searches and seizures of electronic devices because of the border crossing exception to the Fourth Amendment, in an increasing number of cases like House’s, it is being asserted that the government is abusing its power, and that power should be curtailed. An A.C.L.U. lawyer working on House’s case said that the government had abused its power to execute a search that “no court would have approved.”

    The government’s ability to skirt constitutional protections is particularly concerning given the high volume of searches on electronic devices.  In the last 3 years, Customs and Border Protection has conducted warrantless electronic media searches on an average of 15 people per day.

     

     

    Christine Kuveke

    http://www.nytimes.com/2013/10/02/technology/google-accused-of-wiretapping-in-gmail-scans.html

    This article discusses a lawsuit that has been brought against Google, alleging that it is wiretapping its users in violation of the Electronic Communications Privacy Act (ECPA). The plaintiffs assert that Google has acted illegally in collecting user data in Gmail and Street View. One practice, which is challenged, is the scanning of emails used to provide targeted advertisements.

    Google has argued that its users have consented to its practices by agreeing to its service and privacy policy. Consent is one of the ECPA exceptions that we discussed in class. Google has also argued that non-Gmail users have no reasonable expectation of privacy when they send emails to Gmail users. Another argument is that Google is entitled to protection under ECPA because it is acting in the ordinary course of business. The counterargument, of course, is that creating user profiles and providing targeted ads are not related to Google’s core business of providing email services. Two federal judges have ruled against Google in its motions to dismiss. One of the themes that runs through the article is the argument that ECPA is “stuck in the past and has failed to keep up with new technologies.”

     

     

    Nathan Monroe Yavneh

    http://www.nytimes.com/2013/05/08/us/politics/obama-may-back-fbi-plan-to-wiretap-web-users.html

    This article, by Charlie Savage of the New York Times, describes the policy debate that surrounds efforts to update the Communications Assistance for Law Enforcement Act (CALEA).

    CALEA, which dates to 1994, already requires phone and network carriers to build interception capabilities into their systems. Today, however, more people are choosing to communicate online, using protocols like VoIP. CALEA does not apply to such modern Internet-based methods of communication. This has prompted a concern by law enforcement officials, such as FBI Director Robert S. Mueller, III, that voice communication is “going dark” – that is, moving to media that law enforcement are not able to intercept.

    The FBI has put out two proposals to update CALEA in recent years. The first proposal, in 2010, would have required Internet communications services to build a backdoor into their systems which law enforcement could use for wiretapping. It would also have required those companies to unscramble encrypted data at the request of law enforcement.

    The more recent proposal takes a different tack, strengthening wiretap orders issued by judges. Under the proposal, a company would first receive notice that it may receive a surveillance request in the future. If it has received such notice, and fails to comply, it would be eligible for steep fines. This would have more teeth than the current law, which affords companies “wiggle room” to argue that they cannot surveil for technical reasons.

    There has been criticism of both proposals. Critics argue that it will stifle innovation, potentially driving tech startups overseas to countries where they would not have to comply with wiretap requests. Others worry about security, pointing out that any backdoors built into systems for law enforcement could also be discovered and exploited by hackers or other malicious agents.

    While it remains unclear what form the revisions to CALEA will take, this article indicates that we are at a crossroads with regard to government surveillance of the internet. As technology outpaces a two-decade-old law, some decision must be reached balancing the privacy interests of Internet users and the law enforcement interests of the government. The abandonment of the FBI’s 2010 proposal to require backdoors and decryption of communications seems to indicate that the balance has swung slightly in favor of users’ privacy, but beyond that it is difficult to predict.

     

     

    Siobhan Atkins

    Article: Chanakya Sethi, Do Americans Care About the Privacy of our Metadata?

    Every day, Americans share vast amounts of information with cell phone service providers, credit card companies, and Internet vendors.  The frequency and volume of information shared with third parties in the digital age raises an important question: do Americans truly “voluntarily” give away all such information, thus waiving any Fourth Amendment protections against that information’s collection? Or, given the degree to which citizens must share such data to participate in modern society, do Americans perhaps expect a greater degree of privacy now than ever before?

    This article briefly explores American sentiments towards metadata collection, and ultimately argues that Americans who disclose more information may expect more privacy in the electronic information they share.  The article first discusses findings made by the panel of intelligence experts convened by President Obama in December 2013 to evaluate the NSA telephony metadata program.  The panel argued that Americans’ extensive disclosure in the digital age does not reflect an increasing apathy about the information’s release to the wider world, but rather is a “necessary accommodation to the realities of modern life.”

    The article goes on to discuss a Pew Research poll that indicates that many Americans are increasingly concerned about the information available about them online – even, paradoxically, as they share more of that information with third parties.  Perhaps most interesting was the poll’s finding that those who have taken more steps to remain anonymous online are more likely than others to have posted information about themselves online – an indication that our desire for privacy may grow stronger in the digital age, even as we share more information about ourselves with others.

    The changing nature of disclosure in modern society, as well as shifting public opinions on privacy, may influence whether courts continue to use Smith v. Maryland as a guide in assessing the constitutionality of metadata collection programs. In Klayman v. Obama, Judge Leon cited the changing frequency and nature of phone use – and an Associated Press survey revealing increased concern about data privacy – in support of his argument that Smith is “of little value” in evaluating the Fourth Amendment claims raised by the NSA’s telephony metadata collection program.  In contrast, Judge Pauley argued in ACLU v. Clapper that the ubiquity of cell phones today “does not undermine the Supreme Court’s ruling that a person has no subjective expectation of privacy in telephony metadata.”  It will be interesting to see how – or whether – changing habits and public sentiment influence court rulings in the future.

     

     

    Paul Hanft (submitted 25 February)

    http://www.usatoday.com/story/news/politics/2014/01/20/poll-nsa-surveillance/4638551/

    http://swampland.time.com/2013/12/17/nsa-takes-a-hit-in-fight-for-american-public-opinion/

    These two articles from Time and USA Today discuss the overall public opinion of the American public on the NSA and its collection of metadata. The NSA has been trying to assuage the public that its collection of metadata phone records does not amount to domestic spying. As such, former public affairs officer for the Federal Bureau of Investigation and CBS correspondent John Miller featured NSA head Keith Alexander, who attempted to explain the NSA’s actions to the American public. The segment was heavily criticized for being inaccurate, and the current public opinion leans heavily against the NSA, with a 53% majority disapproving of the metadata collection program against 40% approving.

    President Obama’s most recent proposals, that a third party rather than the government hold the massive stores of phone metadata and that intelligence analysts would need a court order to search it except in emergencies, were also surveyed, and respondents expressed little confidence in them in protecting privacy. By a 73%-21% margin, those who paid attention to the speech say his proposals won’t make much difference in protecting people’s privacy.

    The article discusses Judge Leon’s recent ruling that the NSA’s broad collection of information from cell-phone records violates the Constitution. Particularly bothering both to Judge Leon and likely to the public as a whole is the NSA’s ability to collect data without any particularized suspicion of wrongdoing and the inability of individuals to avoid government collection while simultaneously being integrated into modern life (that is, one generally must have a cell phone).

  • February 13 PANEL 10

    Angela Lelo

    http://www.msnbc.com/msnbc/how-sotomayor-undermined-obamas-nsa

    This article’s author discusses the influence that Sotomayor’s concurring opinion in U.S. v. Jones has already had on the White House, federal judges, and legal scholars. To recall, Sotomayor asserted in that case that the third party doctrine is no longer tenable in the digital age where individuals routinely convey a vast amount of information about themselves to third parties.

    This article’s author suggests that Sotomayor’s position may have important ramifications for the NSA’s metadata program: Should the NSA’s metadata program ever reach the Supreme Court, “the high court will have to reckon with Sotomayor’s reasoning in Jones.”

    This article raises a number of questions: Faced with challenges from legal scholars and civil liberties groups, is the third party doctrine likely to lose its judicial stronghold? More pointedly, will Sotomayor’s stance evolve into the Supreme Court’s majority position over time?

     

     

    Benjamin Goldberg

    Article by Susan Lahey 5 February 2014: ECPA and A Reasonable Expectation of Privacy in the Digital Age

    Since we just discussed the ECPA in class on Wednesday, I thought it would be a good idea to find an article on ECPA for my blog post. As such a hot-button issue, ECPA seems to always be in the news and there was no shortage of recent articles. I chose an incredibly recent one that I thought also summed up a number of issues we discussed.

    The article, in summarizing a recent panel discussion on ECPA, focuses mainly on the cloud and the inherent privacy risks that the ECPA creates. As the article notes, the ECPA hasn’t been changed in nearly 30 years whereas technology has grown by leaps and bounds. One panelist noted that a computer in 1986 (the year ECPA was enacted) could only store the data equivalent of two digital photographs.

    The article, however, also did a good job noting the panelist who defended ECPA. That panelist questioned whether citizens can really have any privacy in the cloud. Since privacy laws were created to protect what was done in the home, communication done in a public forum arguably has no privacy right. Public activity such as cloud storage, tweets, Facebook posts, and information stored on servers in other countries shouldn’t be protected. The panelist further argued that people who store data in the cloud are trading privacy for convenience. The counter-argument, however, is that there is a difference between making information public and allowing the government to access your information.

    The article also discussed the growing problem of intimidation tactics used by some investigators to access information. As the article notes, “For example, an investigator might say ‘The attorney general isn’t going to be happy with your refusal to cooperate.’ As Robinson said, as an attorney, he knows to respond ‘The attorney general is your boss, not mine’ and require that any requests follow proper channels. A company who doesn’t have a staff attorney might not know to do that.” Furthermore, the investigators often don’t understand the technology and ask the hosting company to conduct the research for them. The panelist supporting ECPA surprisingly supported the idea of charging fees for those kinds of services.

    Finally, the article highlighted a discussion on the panel of what reforms to the law will be necessary going forward. Some ideas: protecting electronic information, limiting the discretion of certain agencies and lawmakers, and closing loopholes in the law.

    All in all, I really thought this article, though it only summarized a panel discussion, did a great job highlighting some of the main criticisms of the ECPA, put forth potential solutions, and also offered a balanced defense of the legislation as well.

     

     

    Andrew Choi

    http://dailycaller.com/2014/01/27/its-time-to-protect-data-in-the-cloud/

    This is an article in the Daily Caller that criticizes Obama for not providing a more clear vision for how he aims to bring more balance to surveillance and data collection activities of the government.  The article specifically proposes that the ECPA be updated and expanded to protect data in the cloud – which the article defines as private data stored on servers on the internet.

    The author, Stephen Titch, observes that cloud computing had not been conceived of at the time of the ECPA’s passage.  Moreover, cloud computing is unique in a number of practical ways that may require special treatment, at least with respect to government or third party access.  Unlike traditional information storage, information on the cloud is continually accessible by the user in a way that does not require location proximate to the storage location.  It is also used for a wide variety of promising practical applications (smart homes, driverless cars, and wearable computers) that are useful in personal everyday day-to-day activity.  Moreover, usage in these personal everyday activities requires the divulging and storage of massive amounts of personal data.  For instance, cloud usage in driverless cars would require constant divulging of one’s GPS location.  Hence, the article notes that “companies involved in cloud technology will require a high degree of trust and goodwill from the marketplace if consumers are going to feel comfortable sharing data.”

    Titch proposes extending ECPA protections to data that is collected in the cloud.  Titch thinks this is important because the United States has already lost a lot of political capital and public trust in the US government’s respect for information privacy.  He notes that a number of foreign companies have become hesitant or refused to store data in the United States.

    An ambiguity that Titch does not address is exactly how the ECPA should be modified to address cloud storage – or if in fact the ECPA needs to be modified to address it. On an obvious reading, cloud storage appears to be clearly covered under the Stored Communications Act. This would be most obvious in cases where the data stored are traditional documents (like .pdf documents, mp3 files and the like). That said, in the case of uses like driverless cars, much of the data may not operate as stored communication so much as transmission. Driverless cars may, for instance, be using the cloud as an intermediary for transmitting data between a GPS satellite, a remote Google computer and the driverless car. On this reading, cloud storage may be covered under the Wiretap Act, as accessing cloud information would essentially involve “intercepting” information passing (through the cloud) from a driverless car to a remote Google computer or GPS satellite. On another reading, cloud storage may be covered under the Pen Register Act, since much of the information stored in the cloud may be purely incidental or irrelevant to any content that a user intends to send (such as GPS location). This is to say, it is not clear if the ECPA needs to be modified to address cloud storage and computing, but it is not exactly clear if cloud storage is a distinct “kind” that needs to be covered by the ECPA. Information seemingly could fit under any of the three Acts, which would make the ECPA sufficient. However, this ambiguity and the public conception of “the cloud” as a single type of medium, may be a good reason to explicitly designate “the cloud” as a type of medium that needs to be protected.

     

     

    Matthew Weprin

    http://www.forbes.com/sites/jennifergranick/2014/01/24/told-ya-so-nsas-collection-of-metadata-is-screamingly-illegal/

    Forbes recently posted an article titled “Told Ya So: NSA’s Collection of Metadata is Screamingly Illegal.” The article claims that not only does the NSA’s metadata collection violate the constitution (specifically the Fourth Amendment), but that it is also forbidden because no law authorizes it and several laws forbid it. The NSA relies on section 215 of the Patriot Act which allows the FBI to obtain court orders for companies to produce “tangible things” that are “relevant” to an authorized foreign intelligence investigation.

    The Privacy and Civil Liberties Oversight Board (“PCLOB”), a blue-ribbon panel looking into this issue, found that section 215 does not provide an adequate legal basis to support the program because (1) telephone records acquired under it have no connection to a specific FBI investigation, (2) they are collected in bulk and cannot be regarded as “relevant,” (3) it obligates telephone companies to furnish new calling records rather than just turning over records in their possession, and (4) the statute only permits the FBI to obtain items for its investigation rather than the NSA.

    The article argues that not only is the NSA metadata collection not authorized by section 215, but it is also prohibited by the Electronic Communications Privacy Act (“ECPA”). Sections 2702 and 2703 of the ECPA prohibit phone companies from sharing their customer information records with the government except within a specific set of enumerated circumstances that does not include section 215 orders. This article presents a compelling case that the NSA metadata collection is not just unauthorized but actually violates the law. The secrecy of the program and the judicial proceedings related to it make it very difficult for the public to understand that the law is being violated and even harder to fight back against it.

    However, the article is also a bit one-sided and may overstate its case by claiming that this metadata collection is “screamingly illegal.” The article claims that the data collection violates the fourth amendment as if it is a given, but the truth is more complicated. Under some relevant case law, the collection of metadata arguably is not a fourth amendment search because metadata does not constitute the content of the call/message. While there is an argument that the scale of data collection makes this unconstitutional, the article does not address it and just takes the fact that metadata collection is unconstitutional as a given. The article also overstated how obvious it is that the metadata collection violated the law.

    Overall, this is an interesting article that does a good job explaining the laws that we studied in class and how they connect to the NSA metadata collection program in layman’s terms. It also provides a good summary of the findings of the PCLOB. However, by overstating its case, it loses some credibility. The authors would have been better off explaining the complexity of the counterarguments to their article in more detail rather than simply dismissing them as obviously wrong.

     

     

    Sarah Sullivan

    http://www.digitaltrends.com/web/the-digital-self-can-the-4th-amendment-fit-in-140-characters/

    We are living in a time that is completely dominated by social media. Many people maintain a presence on several different social media platforms. We put an unprecedented amount of information out into the public sphere through these services, but most people have probably not considered the implications that third party doctrine could have on these social media communications. This article considers how third party doctrine could affect social media communications, including the potential privacy implications and the possibility for future development in this area of law.

    Third party doctrine developed several decades ago, with the Supreme Court decisions in Smith v. Maryland and United States v. Miller. These cases found that warrantless government access of information individuals had shared with a third party – in Smith the information was shared with a phone company, and in Miller it was shared with a bank – was not a Fourth Amendment violation. The Court in Miller explained, “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” An individual would have no legitimate expectation of privacy in any information shared with a third party, and the government would be free to obtain that information without a warrant.

    Based on the Miller and Smith cases, it seems clear that social media platforms such as Facebook would be considered third parties. This raises the concern that any information shared with them would therefore be available to the government without raising any Fourth Amendment violations. However, there have been significant technological developments since those decisions, and the Court has never ruled on third party doctrine as specifically applied to third parties in the digital age. The article notes that Justice Sotomayor’s recent dissent in United States v. Jones left open the possibility that the law could be changing in light of these concerns. She wrote in her dissent, “all information voluntarily disclosed to some member of the public for a limited purpose” is not necessarily “disentitled to Fourth Amendment protection.”

    The article fleshes out the issue at hand by noting that while email communications have been given Fourth Amendment protection in spite of the third party implications, social media raises different, unique concerns. We do not yet have an answer on whether things like tweets or Facebook status updates are entitled to any Fourth Amendment protection – the article points out that “[c]ourts are still divided” and have “not yet [provided] clear guidance on this issue.”

    The article goes on to raise a number of interesting questions to consider as we wait for courts to address what constitutes search and seizure or reasonableness for purposes of the Fourth Amendment with regard to social media. Although people who use social media have some understanding that their communications there are not completely private, many of these platforms have privacy settings or terms of use that address privacy concerns. In spite of the decision to share this information with the public, many people still strive for privacy and ways to protect their internet and social media communications.

    Is this enough to constitute a reasonable expectation of privacy under the Fourth Amendment? Perhaps not, and the article even suggests that our widespread use of social media could actually be eroding our privacy rights, claiming “the very act of sharing parts of your life online, or agreeing to hand over your data recklessly, potentially weakens the constitutional protections awarded to us all.”

    Whatever implications social media has for our privacy rights, Alan Butler, Appellate Advocacy Counsel for the Electronic Privacy Information Center (EPIC), asserts, “courts will be forced to update their Fourth Amendment analysis to adjust for new technologies.” In the meantime, all we can do is wait for the courts to clarify how third party doctrine will affect social media privacy. This is clearly an area of law that is ripe for further development.

     

     

    Christina Skaliks
    http://bits.blogs.nytimes.com/2013/06/09/intelligence-agencies-and-the-data-deluge/?_php=true&_type=blogs&_r=0

    Given our discussion of the ECPA and the third party doctrine, I decided to look for an article discussing the protection, or lack thereof, for cell phone metadata.

    This article raises several issues we identified in our discussions of U.S. v. Jones and the ECPA. Specifically, it addresses Obama’s statement regarding the NSA surveillance program that the NSA was not listening to citizens’ phone calls or reading their e-mails. The article rightly states that this distinction between content and non-content is disingenuous. This distinction aims to reassure the American people that their expectation of privacy is not being violated or, at the very least, is only minimally invaded. As the author points out, while metadata may not contain what is traditionally thought of as “content,” it can be very revealing. Metadata can provide insight about an individual’s location, political affiliation and social network. Further, according to the article and a Nature study cited in the article, “four data points about the location and time of a mobile phone call made it possible to identify the sender 95 percent of the time.” The article also focuses on how metadata is more valuable to the NSA, as it cuts down on the traffic the NSA must assess and is easier to organize and to detect patterns in.

    Given the value and power of metadata, it is concerning that there are gaps in its protection under current privacy law. Metadata does not appear to be sufficiently protected under the ECPA. The article notes that metadata is the “least protected form of communications information.” The NSA reportedly was gaining access to cellular metadata under the Pen Register Act. This means they gained the metadata upon a showing that the information likely to be obtained was relevant to an ongoing criminal investigation.

    Given the Court’s acceptance of the third party doctrine, even the judicial system could fail to protect one’s expectation of privacy in his or her metadata. This article brought to mind Justice Sotomayor’s discussion of the third party doctrine in her concurrence in US v. Jones.  As Sotomayor noted, the third party doctrine is ill suited to the digital age.  As technology advances, individuals are sharing a wealth of information about themselves without realizing the implications of their actions. An individual may understand that their cellular phone will reveal their location to their service provider, but they may not reasonably suspect that “their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits…”

    Overall, I think this article is useful in understanding the basic objections in the recent NSA surveillance controversy.

     

     

    Dave Hamell

    Verizon Issues First Transparency Report, Revealing Widespread Collection of User Location Data

    In the months following former National Security Agency (NSA) contractor Edward Snowden’s leak of a large number of top secret NSA documents revealing that the agency’s broad surveillance programs were sweeping in the information of millions of domestic electronic communications users, internet giants such as Google and Microsoft, and later, telecom providers including AT&T and Verizon, have petitioned the Justice Department for permission to release information related to government requests they’ve received that seek user information. After negotiations with the government over the content and format of permissible disclosures, certain companies are beginning to publicly report such information. On January 22, 2014, Verizon released its first Transparency Report for the 2013 calendar year. The first report of its kind from Verizon, with significantly more detail than reports previously released by other companies, the Transparency Report adds a significant amount of clarity to our understanding of the type and volume of government requests for caller information – an understanding that has previously been clouded by incomplete data on requests for information relating to the location and identities of targeted callers, which law enforcement officers obtain by subpoena, or by court order under the Pen Register Act (PRA), and certain expansions thereof under the FCC’s interpretation of the Communications Assistance for Law Enforcement Act (CALEA). The report reveals a startling number of information requests, particularly by subpoena, and under the broader and more lenient provisions of CALEA.

    In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), which significantly updated the law governing the ability of law enforcement agencies to intercept oral communications made telephonically or through other electronic media, and access content and user information related to non-oral communications sent and stored electronically. The PRA was passed as Title III of the ECPA, and specifically addressed law enforcement’s capabilities to obtain the telephone numbers dialed from a particular targeted telephone (traditionally obtained in real time through a device known as a pen register), as well as the numbers of incoming calls to that targeted telephone (traditionally obtained in real time through a trap and trace device). A court order to use such devices would be issued upon a showing that the information likely to be obtained through their use would be relevant to an ongoing investigation – an exceedingly low standard, particularly as compared with the requirement supported by a showing of probable cause necessary for a court order to be issued under other provisions of the ECPA. In response to the emergence of new communications technology which created barriers for law enforcement agencies attempting to access information transmitted or stored by communications carriers, in 1994 Congress passed CALEA, which at its core, requires that all telecommunications providers have a means to provide law enforcement agencies with information they have legal authorization to access in the course of an investigation. In a case challenging the surveillance capabilities that were interpreted by the FCC as necessary for telecommunications companies to provide under CALEA, the D.C. Circuit court upheld the requirement that carriers make available the physical location of the antenna towers that mobile phone users connect to throughout a call. 
    Analogizing to the location information typically obtained by accessing phone records gathered from pen registers and trap and trace devices, the court reasoned that providing access to such location information from antenna towers instead, was not an expansion of previous law enforcement capabilities under the PRA, and was thus consistent with CALEA’s legislative mandate. Notably, however, because such information is not obtained under the PRA – because no pen registers or trap and trace devices are used in the collection of location information from antenna towers – the authority for gathering such information falls under CALEA, backstopped only by the 4th Amendment, which does not generally protect such information.

    While the Transparency Report revealed that only approximately 6,300 pen register and trap and trace device orders were received, Verizon disclosed that approximately 35,000 requests to produce location information were received. Among those, 11,000 requests were pursuant to warrants, while 24,000 requests were pursuant to court orders. These numbers show a disturbingly great desire for user location data. For example, Verizon received around 63,000 general orders, half of which it described as requiring “the same types of basic information that could also be released pursuant to a subpoena.” This would include information such as user names, addresses, and a list of phone numbers called, which law enforcement officers can obtain by subpoena, in the course of an investigation without judicial approval. Location data is particularly sensitive to many people, as it reveals not only who we were, but where we go. The fact that less than one third of this information was obtained pursuant to a warrant – only issued upon the requisite showing of probable cause mandated by the 4th Amendment to the U.S. Constitution, which many citizens believe is the standard that must be met before their personal information can be gathered by law enforcement agencies – illustrates the high rate at which such information is being disclosed pursuant to a far lower standard.

    Still more unsettling, is the revelation that 3,200 warrants or orders were for “cell tower dumps.” According to the report, “[i]n such instances, the warrant or court order compelled [Verizon] to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time.” Such requests seem inherently overbroad, and as described by the ACLU, are “ripe for misuse.” For example, in one known instance, police in Michigan requested a cell tower dump to gather information on all cell phones that were congregated in a particular area, because of purported concerns of a possible riot. There was, however, no riot, and it was discovered that the only planned congregation in that area was an organized labor protest. As described by Stephen W. Smith, a federal magistrate in Houston, prosecutors have been using requests for location information as “a surreptitious tracking device,” demonstrating that law enforcement has conceived of methods for using location information that are far more insidious than a mere ex post examination of user data.

    Verizon reports that such requests are up substantially from 2012, and are expected to continue to rise. While Verizon has taken an important first step toward increasing the transparency of law enforcement surveillance practices, other carriers should follow Verizon’s lead and provide statistics that are more disaggregated. Moreover, the Justice Department should recognize the great public interest in increased transparency and enable Verizon and other carriers to issue more comprehensive disclosures with data disaggregation, and report more detailed explanations of the type of information requested, the effect on individual users, and the legal basis for such requests. Absent Congressional action or a change in law enforcement practices, only increased disclosure and transparency can assure the public that surveillance abuses are not taking place.

     

     

    Joanne Luckey

    http://www.technologyreview.com/news/523981/android-app-warns-when-youre-being-watched/

    For all of you Android users, there’s an app for that. The Android app alerts users when their location data is being accessed by apps on their phones. It also identifies which apps are accessing the information. It will be available in Google Play in the next couple of months. There’s also an app available in the Apple Store called ProtectMyPrivacy. Unfortunately for iPhone users, the app requires the users to first jailbreak their phones.

    I included this article because I thought students might find it useful.  The developer of the Android app hoped that it would encourage Google and Android apps to provide more prominent disclosures and collect less personal information.  Ultimately, consumers will decide whether they want to exchange their privacy for Flappy Bird and Facebook, but at least they will know that they are making that choice.

     

  • Agricultural Privacy?

    Here’s the story I mentioned at PRG today about farmers giving their farm data to big agricultural companies for analytic purposes. I think the article calls to mind the lack of focus on non-urban subjects when we talk about surveillance and privacy, something I’ve been thinking about recently since many of my truckers come from rural backgrounds. Taking rural contexts seriously might illuminate some surprising forms of monitoring, like this farm program, that are emerging.

  • IAPP Westin Research Fellowships

    Of possible interest from Omer Tene:  Established in 2013, the IAPP Westin Research Center was created to encourage and enable research and scholarship in the field of privacy. Each year, the IAPP welcomes two or more recent graduates to spend 12 months on site with our team, reporting to the VP of Research and Education, and working on a broad array of privacy research projects. The fellowship program, which bears the name of Dr. Alan Westin, serves as a pathway for future leaders who aspire to join the privacy community. The IAPP provides the fellows with ample opportunity to engage with the privacy community, participate and present in major conferences and events, and communicate on a daily basis with leaders of the profession from around the world.  The application process opens on January 1, 2014, and closes on February 28, 2014. Interviews will occur for some applicants in March, with final decisions expected at the end of March. Fellowship terms generally run from September through August of each year.  For additional details about the fellowship and application process see the fellowship website.

  • Sloan Cybersecurity Lecture at NYU-Poly

    As part of the FTC’s “Reclaim Your Name” initiative, FTC Commissioner Julie Brill delivered the Sloan Cybersecurity Lecture at NYU-Poly. Her talk focused on the rise of big data as a social force, the historical role of the FTC in privacy protection, and the roles that different parties (i.e. engineers, lawyers, policymakers, and advertising industry members) can play in ensuring both privacy and utility in the era of big data.

    The lecture was followed by a lively and enlightening panel discussion, chaired by Katherine Strandburg (NYU). The panel members were Julie Brill (FTC), Jennifer Barrett Glasgow (Acxiom), Julia Angwin (WSJ), and Daniel Weitzner (MIT). The discussion centered on issues attending big data, with panelists discussing transparency, accountability, anonymity, and potential harm or discrimination that large-scale machine learning can facilitate. Finally, the panelists presented their views on the potential for privacy protection via legal or industry directives.

    To find out more, read the lecture notes or the panel notes.

  • Extra-PRG Meeting on the Technical Implications of the NSA and GCHQ Revelations

    On the 27th of September, we organized an extra Privacy Research Group (PRG) meeting on the technical implications of the NSA and GCHQ surveillance programs as revealed by Edward Snowden and The Guardian. Specifically, given what we know from media reports and discussions among the security community, the meeting provided us with an opportunity to explore answers to the following three questions:

     

    1. What are the technical surveillance capabilities of the NSA and GCHQ?
    2. What are some implications of these surveillance capabilities for technical communities (e.g., cryptographers, technical standards makers, and developers), their practices, and the tools that they develop and deploy?
    3. What are some necessary and desirable technical and policy measures in response to the global, intrusive and secretive mass-surveillance programs of the NSA and GCHQ?

     

    At this meeting, in addition to the regular PRGs, we were lucky to welcome our guest Arvind Narayanan (http://randomwalker.info), who is currently an Assistant Professor at Computer Science and CITP at Princeton University. Arvind helped us kick off the meeting with an impromptu lecture on symmetric, asymmetric, and elliptic curve cryptography, as well as an introduction to Public Key Infrastructures (PKIs) based on Certification Authorities. He also explained the role of these cryptographic building blocks and infrastructures in helping computers do authentication and initial cryptographic handshakes on the Internet – both important steps for establishing secure communications.

     

    In the discussion that followed, we turned to what we exactly should imagine as “backdoors” implemented by these intelligence agencies. This led to the following interpretation of backdoors with some examples:

    –  crypto backdoors: e.g., attacks on elliptic curve cryptography that are developed by researchers working for the NSA and concealed from the rest of the world.

    –  software (and crypto implementation) backdoors: e.g., Man in The Middle (MITM) attacks using implementation weaknesses in the Secure Sockets Layer (SSL).

    –  hardware backdoors: e.g., embedding into consumer devices processors that have weak(ened) pseudo random number generators, which are used in deriving cryptographic keys. Note that the example is a mix of hardware and crypto backdoors.

    –  infrastructure backdoors: e.g., obtaining rogue certificates from Certification Authorities (CAs). This could or could not be combined with a legal backdoor.

    –  organizational backdoors: e.g., embedding NSA personnel in companies, or vice versa.

    –  legal backdoors: e.g., asking companies to hand over cryptographic keys and putting the company employees under a gag order.

    –  user backdoors: e.g., crunching passwords or running black operations to steal keys or hijack operating systems.

    – standards backdoors: e.g., using influence in technical standards bodies to recommend weak(ened) cryptographic building blocks and protocols, or sabotaging the progress of cryptographic standards for standards that would constrain NSA surveillance activities.

    Next, we turned our focus to the different reactions from various communities in response to the revelations about the use of backdoors in the NSA/GCHQ surveillance programs. For example, in response to crypto backdoors, cryptographers have taken to intensively re-evaluating those cryptographic primitives and protocols that are secure against crypto backdoors and that may provide better protection against mass surveillance. We all had heard of claims that, given knowns and unknowns about NSA’s cryptanalytic capabilities, symmetric crypto is assumed to be more secure than asymmetric crypto. This is surprising given the differences in the construction of the two cryptographic primitives. In a nutshell, symmetric cryptography is based on creating an elaborate design that scrambles clear text into an encrypted text such that the design cannot be attacked in any way other than a brute force (i.e., trying out all possible secret keys one by one) that is too costly to succeed in a reasonable amount of time. Asymmetric crypto on the other hand relies on fundamental mathematical principles, i.e., number theory and the complexity of certain computations. But, how is it that an approach that “scrambles” text into encrypted information, as is the case in symmetric cryptography, is seen to be more reliable than an approach which relies upon mathematical principles, as is the case in asymmetric crypto?

     

    The logic of this unintuitive reasoning builds on some of the assumptions that underlie these cryptographic primitives. Asymmetric cryptographic algorithms depend on the fact that, given the inputs, some functions are easy to calculate, but, given the output, it is difficult to calculate the inputs — such functions are also known as one-way functions. For example, it is easy to identify two large prime numbers and to take their product, but it is difficult to identify those original prime numbers given their product only. This property makes it possible to announce the product of the prime numbers to the world, also called the public key. The public key can then be used to encrypt messages. The person who knows the prime factors, that is, the secret key, is then the only one that can decrypt these encrypted messages. This setup of public and private key pairs works if the person picks large enough prime numbers to generate the keys such that it would be impractically long for somebody else to calculate the associated prime factors, given what is currently known about number theory. The hook is in that last bit: it is not known whether NSA mathematicians know more than the general public about number theory, and specifically about prime factorization. If so, it could be that mathematicians at NSA are able to factor larger numbers than is currently assumed feasible, and hence would be able to decrypt communications that rely on smaller keys. Given historical evidence that NSA researchers were at times years ahead of their colleagues in the civilian world, e.g., in the development of elliptic curve cryptography, it has been commonplace in discussions about the NSA revelations to extrapolate on NSA’s current capabilities.
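    The dependence on key size described above can be seen at toy scale. The following is an added example, not part of the original post or the meeting's material: it builds a textbook RSA key from two primes, then shows that anyone able to factor the public modulus rebuilds the private exponent and reads the message. All function names are illustrative, the key sizes are deliberately tiny, and Pollard's rho (a publicly known factoring method) stands in for "whoever can factor n".

```python
"""Toy RSA: the public modulus is a product of two primes; factoring it yields the private key."""
import math
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the small sizes used here."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set, so it has exactly `bits` bits."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate


def make_key(modulus_bits, rng, e=65537):
    """Return ((n, e), (p, q, d)). Seeded RNG for reproducibility only:
    real keys use a CSPRNG and moduli of 2048 bits or more."""
    while True:
        p = random_prime(modulus_bits // 2, rng)
        q = random_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p, q, pow(e, -1, phi))


def encrypt(m, public_key):
    """Textbook (unpadded) RSA encryption, for illustration only."""
    n, e = public_key
    return pow(m, e, n)


def factor_semiprime(n, rng):
    """Pollard's rho with Floyd cycle detection. Returns (p, q, steps)."""
    steps = 0
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
            steps += 1
        if g != n:  # g == n means this starting point failed; retry with a new one
            return g, n // g, steps


def private_exponent(e, p, q):
    """Knowing the prime factors is enough to rebuild the private exponent."""
    return pow(e, -1, (p - 1) * (q - 1))


def break_toy_key(modulus_bits, seed=2013, message=0xC0FFEE):
    """Generate a key, encrypt, then recover the message from public data alone."""
    rng = random.Random(seed)
    public_key, _ = make_key(modulus_bits, rng)
    n, e = public_key
    ciphertext = encrypt(message, public_key)
    p, q, steps = factor_semiprime(n, rng)  # uses only the public modulus
    recovered = pow(ciphertext, private_exponent(e, p, q), n)
    return {"bits": n.bit_length(), "steps": steps, "recovered": recovered}


if __name__ == "__main__":
    for bits in (32, 48, 64):
        r = break_toy_key(bits)
        print(f"{r['bits']:>3}-bit modulus: factored in {r['steps']} rho steps, "
              f"message recovered: {r['recovered'] == 0xC0FFEE}")
```

    The expected work for this method grows roughly with the square root of the smaller prime, which is why the margin between deployed key sizes and the best factoring capability, public or not, is the quantity that matters.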

     

    In our discussions, the opacity of what researchers at NSA may know led to some remarks about mathematics and how it is currently practiced. There is an imbalance between the “open” science culture that most mathematicians and cryptographers are avid participants of, and the closed scientific culture that NSA is cultivating. The parallel “closed” world that NSA researchers inhabit has access to the “open” research results but the reverse does not hold. While the NSA may regard their opacity as “necessary” to keeping ahead in the national security game, it creates divides among mathematicians and cryptographers. The distrust this divide creates may have negative consequences for keeping alive the open research culture most of these researchers adhere to and that relies on the ideals of achieving “open” participation, collegial respect and collective knowledge creation with the objective of guaranteeing secure communications for everyone.

     

    One of our participants went a step further and put it into words as follows: “It is probably the case that you can trust the math, but you should not trust the math”. This remark pointed out the necessity to take with a grain of salt some of the claims of mathematicians and NSA people, especially given that, at times, mathematics can also function as a communal belief system, and some of these beliefs may change with time.

     

    Our discussion also took a short detour on a possible meta story that the NSA is “managing” the revelations to strategically debunk popular belief in cryptography, break up the crypto community, or dismiss aspirations to use technology to circumvent government surveillance. We agreed that it would be important for the communities that are most affected by the conspiracies surrounding the revelations to take measures to address some of these matters and to avoid greater damage to the community through conspiracy thinking.

     

    Another interesting line of inquiry was in the comparison of the different backdoors, their advantages and disadvantages to NSA as well as the society at large. Members of the information security and cryptography communities have repeatedly spoken against weakening security for the sake of surveillance, as this would provide backdoors not only to the NSA, but also to other parties with sufficient incentives. While one PRG participant argued that, for example, some of the cryptographic backdoors that were revealed would only make communications susceptible towards NSA surveillance and not towards others, this was seen to rely on the assumption that NSA’s backdoors would remain secret, hard to discover and hence secure. However, past cases indicated that this might not always hold true. In the case of DigiNotar, the Certificate Authority based in the Netherlands, it was speculated that the hackers had perhaps been exploiting a pre-existing NSA backdoor. The question was then, whether, given the risks associated with the hijacking of cryptographic, software and hardware backdoors by unintended others, it would be “less risky” for society in general if the NSA would predominantly use legal backdoors, e.g., asking for data followed by gag orders, as their modus operandi. Even if the latter were preferable from a security point of view, most of us agreed that the current legal and organizational set up provides the NSA with disproportionate powers. The accumulation of such powers in the hands of the NSA is unacceptable given its negative consequences for society in general, be it in the US or elsewhere. We also observed that the feasibility of designing and deploying technology to provide reasonable protections from mass surveillance programs and to guarantee secure communications to society in general can be jeopardized, even if the NSA and GCHQ mainly relied on intrusive use of legal backdoors.

     

    We covered many more topics that ranged from the role of standards organizations like NIST, the manipulation and sabotaging of standard setting procedures, to the lack of transparency and accountability in the functioning of the FISA courts. An interesting one of these was the relationship between the Going Dark program of the FBI and the NSA’s surveillance programs.

    The Going Dark program is an initiative to increase the FBI’s authority in response to problems the FBI says it is having in implementing wiretapping measures in the context of new technologies. Juxtaposed with the current Snowden revelations, we briefly discussed whether the Going Dark initiative was a public facing project to legalize the already existing surveillance programs of NSA.

     

    In terms of moving forward, we briefly considered the development of technologies based on encryption and principles of technical and organizational decentralization, i.e., avoiding large information collections as held by Google, Facebook or Microsoft. Some people in the room were confident that, if we were to deploy such technologies and design principles, we would be able to achieve greater protections against surveillance programs like that of the NSA and the GCHQ. Others voiced skepticism towards such long-standing proposals, which have only rarely come to materialize successfully, require a good dedicated community to keep secure, and often do not scale to the masses. However, this is a greater subject worthy of another session, and for the curious who want to go deeper into the subject in the meantime, below are some links to articles on the topic from Arvind Narayanan and some of the PRGs.

     

    We thank all participants of the meeting and look forward to the next round of NSA revelations.

     

     

    A Critical Look at Decentralized Personal Data Architectures

    http://randomwalker.info/publications/critical-look-at-decentralization-v1.pdf

     

    What Happened to the Crypto Dream?

    http://randomwalker.info/publications/crypto-dream-part1.pdf

    http://randomwalker.info/publications/crypto-dream-part2.pdf

     

    Unlikely Outcomes?

    http://randomwalker.info/publications/unlike-us.pdf

  • Slides for “The Emotional Context of Information Privacy”

    Hi all – if anyone’s interested, the (perhaps too cryptic) slides which accompanied my talk last week are available below. Many thanks for everyone’s feedback – more is certainly welcome!

    PRGPresentation

  • Is freedom from cross-border surveillance a human right?

    Among the revelations about NSA surveillance this summer was the news that the United States engaged in massive surveillance of foreign governments and citizens, including embassies, delegations, and politicians of its allies and trading partners, and the offices of the European Union and the United Nations.

    These revelations raise questions about the status of electronic surveillance under international law. In the United States, the Foreign Intelligence Surveillance Act authorizes the government to intercept the communications of foreign targets (any “non-United States Person”) without a court order, at the authorization of the Attorney General. Other countries have no legal restrictions at all on electronic surveillance outside their own borders, or have adopted extraterritorial legal frameworks to permit their governments to engage in foreign communications surveillance of other countries.

    Recently, however, there is a trend to see communications surveillance as a matter of human rights. Under this view, might cross-border espionage by a state be considered to be a violation of international human rights law?

    Conventional wisdom viewed international espionage in peacetime as unregulated by international law. To be sure, countries that conduct espionage on foreign soil violate the domestic laws of those countries, and acts of espionage are viewed as “unfriendly acts” among nations. However, there are currently no international customary norms or treaties forbidding such actions. It is argued that the very clandestine nature of espionage places it beyond the power of international law to regulate.

    However, earlier this year, the UN Human Rights Council received the “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue”.  The report ties the practice of communications surveillance, including foreign intelligence surveillance, to the human rights of privacy and freedom of opinion and expression. Recently, a coalition of non-governmental organizations issued a declaration of “International Principles on the Application of Human Rights to Communications Surveillance”, which ties surveillance to human dignity, the freedoms of expression and associations, and the right to privacy, but treats all surveillance activities equally and does not draw a distinction between foreign and domestic surveillance.

    It is hard to predict what effect, if any, the trend to regard unlawful electronic surveillance as a matter of human rights will have on foreign intelligence gathering under international law. Neither the report of the HRC Special Rapporteur nor the International Principles suggests any international measures against foreign surveillance; both confine their recommendations to countries’ domestic laws. Nevertheless, viewing mass electronic surveillance across borders as a violation of international human rights law might add weight to the diplomatic calls on the United States and its intelligence-sharing allies to limit their dragnet sweep of the world’s communications.

     

    References:

     

    Information on US surveillance activities against foreign countries:

    http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/17/the-nsas-global-spying-operation-in-one-map/

    http://www.theguardian.com/world/2013/jun/08/nsa-boundless-informant-global-datamining

    http://www.spiegel.de/international/world/secret-nsa-documents-show-how-the-us-spies-on-europe-and-the-un-a-918625.html

    On the international law of espionage:

    A. John Radsan, The Unresolved Equation of Espionage and International Law, 28 Mich. J. Int’l L. 595 (2006-2007).

    Geoffrey B. Demarest, Espionage in International Law, 24 Denv. J. Int’l L. & Pol’y 321 (1995).

     

    Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue

    http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf

     

    International Principles on the Application of Human Rights to Communications Surveillance.

    https://en.necessaryandproportionate.org/text

  • New York’s E-ZPass: We’re watching you (Salon.com)

    Courtesy of Salon’s Andrew Leonard:

    “Let’s file this one under the category of things we were reasonably sure were happening already, but are still greatly annoyed to have confirmed. New York City, reports Kashmir Hill in Forbes, has been tracking the movements of cars equipped with E-ZPass RFID tags all over the city — not just at the toll booths for which New York drivers presumably purchased their E-ZPasses to get through.

    The surveillance was uncovered when an electronics tinkerer who styles himself “Puking Monkey” hacked his E-ZPass to, no joke, go “moo cow” each time it was pinged by a reader.”

    Click through for the grisly details.