Category: Uncategorized

By: David Gold

Should police officers be required to obtain a warrant before searching an arrestee’s cell phone? Under the California Supreme Court’s 2011 opinion in People v. Diaz, the answer, at least under the Fourth Amendment, is no. That court held that the defendant’s cell phone was immediately associated with his person at the time of his arrest and, even without a warrant, was searchable incident to his lawful custodial arrest. In the decision, the court rejected the dissent and defendant’s argument that cell phones should not be searchable without a warrant because of the amount of sensitive personal data contained within the devices.

On March 19, 2013, the ACLU, together with the law firm Pillsbury Winthrop Shaw Pittman LLP, acting as pro bono assistant counsel, filed a complaint against the City and County of San Francisco claiming that a police officer’s warrantless search of the defendant’s cell phone, which was on the defendant’s person at the time of his lawful arrest, violated both the California Constitution and the First Amendment of the US Constitution. Through its complaint, the ACLU’s lawsuit seeks to circumvent the Diaz decision and require police officers to obtain warrants prior to searching the data content on cell phones on grounds other than Fourth Amendment search and seizure. Article 1, Section 1 of the California Constitution explicitly identifies a right to privacy, which, the ACLU argues, makes the state constitution more protective of privacy rights than the US Constitution, since the latter does not explicitly establish privacy rights. Article 1, Section 13 similarly is argued to offer greater protection than the Fourth Amendment against unreasonable searches and seizures. Finally, the ACLU argues that phones contain a great amount of communication, and that allowing for these searches will have a chilling effect on speech, which is not permissible under the First Amendment in this instance, because even though the information on phones is relevant, the search will only be permitted if it furthers a compelling interest.

The ACLU complaint is filled with a detailed factual record of the capacity for cell phones, and particularly smart phones. Not only does it describe in great detail the current ability of phones, but it also notes the expansion of data capacity on the horizon. Additionally, the ACLU argues that there is sensitive personal information of friends, family members, and co-workers contained on an individual’s cell phone, in addition to highly sensitive personal information, such as credit card information. Furthermore, the ACLU challenged that cell phones do not pose a physical threat to police officers and that police officers do not need to search the contents of the phone immediately because no evidence will be destroyed given that officers may use a Faraday Bag, which prevents third parties from accessing and deleting or changing information on the phone.

Since the California Supreme Court has already determined that such phone searches do not violate the Fourth Amendment, if the ACLU loses on these claims, there will be little room to challenge such searches in California, and only a ruling by the US Supreme Court would overrule such a holding. Perhaps, given that cell phones contain information in different applications, there is a workable middle ground approach, that officers may only access information in certain application without a warrant. Or, as the ACLU points out, perhaps Faraday Bags should become commonplace, allowing officers to seize control of an arrestee’s cell phone and prevent any evidence on it from being destroyed, but not search its contents until a warrant is issued. Discussion about these alternatives will only really be relevant if the California Court decides in favor of the ACLU, since a decision for San Francisco will allow officers to search the entire cell phone device of an arrestee without a warrant.

Fun fact from the ACLU complaint: early mobile phones used to weigh almost 90 pounds!

Articles:

http://www.aclu.org/technology-and-liberty/aclu-lawsuit-challenges-warrantless-searches-cell-phones

http://consumerist.com/2013/03/20/aclu-files-suit-to-stop-police-from-searching-cell-phones-without-warrant/

ACLU-Pillsbury Complaint

https://www.aclunc.org/news/press_releases/asset_upload_file321_12297.pdf

People v. Diaz Decision:

http://epic.org/privacy/devicesearch/People_v_Diaz.pdf

By: Josh Baker

Article: http://www.wired.com/threatlevel/2013/04/secret-surveillance-court/

 

Government’s brief: http://www.wired.com/images_blogs/threatlevel/2013/04/fisacourt.pdf

 

The Electric Frontier Foundation (EFF), a digital rights group in San Francisco, brought suit in the District Court for the District of Columbia after the government denied EFF’s Freedom of Information Act (FOIA) request to disclose a ruling of the Foreign Intelligence Surveillance Court (FISC).  FISC opinions are almost never disclosed to the public as a general matter.

 

In this case, the opinion was not revealed, but Sen. Ron Wyden was briefed on the ruling as a member of the Intelligence Committee.  Wyden was authorized to reveal that FISC had found an instance of surveillance that “circumvented the spirit of the law” and failed Fourth Amendment reasonableness scrutiny, violating the FISA Amendments Act.  The declassified statements also noted that “government has remedied these concerns and the FISC has continued to approve []

collection [pursuant to Section 702] as consistent with the statute and reasonable under the Fourth Amendment.”  The public would not have been aware of the ruling in this case were it not for Sen. Wyden’s authorized comments.

 

The Department of Justice (DOJ), in its brief, contends that FOIA exempts this information from disclosure.  It argues that the FISC Rules of Procedure prohibit the disclosure of the FISC opinions and Intelligence Committee briefings.  In the alternative, the DOJ declared that the information sought “necessarily implicates classified intelligence sources and methods” and is therefore exempted from FOIA disclosure.  Finally, the DOJ asserts that disclosure of the information sought by EFF “could result in exceptionally grave and serious damage to the national security,” and that the court should defer to the Department’s finding on this matter.

 

This exemplifies the government’s general rationale for maintaining secrecy as to FISC opinions.  The FISC was designed to have Article III judges rule on information collection/surveillance requests from intelligence agencies, while preserving the secrecy of the government’s investigations that could be jeopardized by public disclosure.  By declassifying certain statements regarding the FISC opinion, the government sought to balance the interest in government transparency with the protection of critical intelligence activities.

By: Ashley Belton

 

National security often comes at odds with privacy interests, as evidenced by the White House’s reaction to the latest cybersecurity bill currently being considered by the House. On April 16^th, the White House threatened to veto a House bill, which would permit private entities to share with the government and other private entities information pertaining to threats to computer networks. Additionally, the bill would grant private companies immunity from lawsuits if they engaged in such information sharing. The bill is a reflection of the fact that national security threats are increasingly taking the form of cyber attacks; and the government is struggling to combat such dangers while taking into account privacy concerns.

 

A spokesman for the National Security Council, Caitlin Hayden, identified the administration’s issue with the bill: under the current version of the bill, private companies are not required to remove irrelevant personal information before sharing such information with the government or with each other. Thus, there is no protection against private companies sharing data that could be used to identify ordinary citizens. This criticism is in line with the principle of minimization, that is, the government should only acquire information which is necessary to effectuate its interests, and it should minimize any interference with citizens’ right to privacy.

 

The House is to vote on the bill later this week. The bill has already faced much criticism from civil liberties groups, such as the American Civil Liberties Union and the Center for Democracy and Technology.

For more information:

Chris Strohm, Obama Threatens Veto of Revised House Cyber Measure, Bloomberg (Apr. 16, 2013, 4:12 PM), http://www.bloomberg.com/news/2013-04-16/obama-threatens-veto-of-revised-house-cyber-measure.html.

 

Somini Sengupta, Civil Liberties Fears Doom House Cybersecurity Bill, NYT (Apr. 16, 2013, 9:23 PM), http://bits.blogs.nytimes.com/2013/04/16/civil-liberties-fears-dooms-house-cybersecurity-bill/.

By: Michal Flombaum

In 2009, the Department of Homeland Security announced that it would assess the Civil Liberties Impact of suspicionless searches of computers and other electronic devices at the border. Initially, DHS said it would release its findings within 120 days of that announcement, but only in February of this year did DHS release any findings. Releasing only the two page executive summary dealing mostly with the possibility of ethnic or racial profiling, DHS writes that applying a reasonable suspicion requirement to searching electronic devices would be “operationally harmful” without any civil rights and civil liberties benefits.

 

I find it interesting that DHS relies on the notion that “courts have not treated searches of electronic devices any differently than searches,” given the cases we discussed in class on Monday. Just as we concluded in class, Wired’s coverage of the release takes care to note that, “electronic devices have become virtual extensions of ourselves housing everything from e-mail to instant-message chats to photos and our personal effects,” emphasizing the extremely invasive nature of these searches.

 

Note that Cotterman was decided just weeks after DHS released the executive summary earlier this year. It will be interesting to follow DHS’s response to Cotterman, and whether DHS will apply the reasonable suspicion standard to all borders or just to those under the jurisdiction of the Ninth Circuit that includes the controversial Arizona and California borders with Mexico

 

The ACLU filed a FOIA request to discover how DHS reached their conclusions because, as they write, “the reality is that allowing government agents to search through all of a traveler’s data without reasonable suspicion is completely incompatible with our fundamental rights: our Fourth Amendment right to privacy—and more specifically the right to be free from unreasonable searches—is implicated when the government can rummage through our computers and cell phones for no reason other than that we happen to have traveled abroad.” Though the ACLU seems to find the reasonable suspicion standard protective enough, the Electronic Frontier Foundation has advocated for a probable cause standard in its Amicus brief.

 

http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20wired%2Findex%20%28Wired%3A%20Top%20Stories%29

 

The full text of the executive summary is available here: http://www.dhs.gov/sites/default/files/publications/crcl-border-search-impact-assessment_01-29-13_1.pdf

 

For the ACLU’s explanation of their FOIA request, please see: http://www.aclu.org/blog/technology-and-liberty-immigrants-rights-national-security/aclu-files-foia-request-unreleased

 

For a more complete discussion on the matter, please see The Electronic Frontier Foundation: https://www.eff.org/deeplinks/2013/03/finally-some-limit-electronic-searches-border

 

By: Tom Gottheil

Last week, in a closed-door meeting, the House Intelligence Panel voted 18-2 to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a controversial proposal to encourage information sharing between private companies and the federal government. It is expected to be brought to a full vote on the floor of the House as soon as Thursday, though President Obama has threatened to veto the bill without changes to its corporate liability rules.

 

The bill’s stated purpose is to investigate and deter cyber attacks against US information infrastructure. In order to facilitate data sharing between technology companies and the government, CISPA broadly limits civil and criminal corporate liability for good-faith compliance with its terms. These limits worry civil liberties groups and activists, who contend that the lack of protection for private information in the bill, combined with its immunity provisions, could result in companies disclosing vast quantities of personal information without legal recourse for those whose data is disclosed.

 

Despite broad corporate support for CISPA, it was defeated in the Senate last year. A slightly modified version will be coming to the floor of the House of Representatives in the coming days. However, with President Obama’s veto threat looming, the future of CISPA is once again uncertain.

By: Jenn Ebling

 

Article link: http://www.slate.com/blogs/future_tense/2013/02/26/fisa_supreme_court_says_americans_don_t_have_standing_to_challenge_surveillance.html

 

The article references a Supreme Court opinion, which can be accessed here: http://www.supremecourt.gov/opinions/12pdf/11-1025_ihdj.pdf

On February 26, 2013, the Supreme Court ruled in Clapper v. Amnesty International USA that American citizens who cannot prove they were subject to government surveillance because the government refuses to divulge details about its surveillance practices lack standing to challenge the constitutionality of the Foreign Intelligence Surveillance Act (FISA).

In 2009, the district court of the Southern District of New York rejected the plaintiffs’ claim that the 2008 amendments to FISA had authorized broad surveillance in violation of their constitutional rights on the grounds that the plaintiffs lacked standing because they could not show a particularized or concrete injury.  In 2011, the 2nd U.S. Circuit Court of Appeals overturned the district court’s opinion and concluded that plaintiffs had standing based on a “reasonable fear of future injury.”  The Supreme Court rejected the circuit court’s rationale on the basis that such fear of future injury is too speculative to support standing.

Though the court was careful to note that a plaintiff could establish standing to challenge the law by proving she had been the subject of surveillance, it is difficult to imagine how a plaintiff could do so in practice given the government’s secrecy about its surveillance practices.

By Nick Harmon

 

This past February,the Supreme Court heard oral argument on the constitutionality of warrantless DNA collection from arrestees. When Maryland v. King is eventually decided, it will form yet another brick in a makeshift wall that the Court has been forced to construct in light of the rapid advances  law enforcement agencies have made in the area of data collection, aggregation, and analysis. When it decided another data case, United States v. Jones, 132 S. Ct. 945 (2012), last year,the Court had to decide whether a difference existed between tailing a suspect in a car, and monitoring his movements remotely for a month using a GPS tracker. The Court decided there was, but had a difficult time agreeing on the reasons why. In this case as in other cases, the status and power of data has troubled the Court, and it seems likely that the questions will only grow tougher going forward.

 

The goal of building newer and better and larger databases has been a goal of government efforts in the law enforcement and defense arena for many years. From Total Information Awareness in the last decade, to NGI today, data aggregation and analysis will be central to the question of where and to what extent the government may collect and store data. TIA, once it became subjected to public scrutiny, met a great deal of hostility from the public and from congress. Publicly, the government renounced its goal of pursuing TIA (at least under that name). The political opposition demonstrates how much the power of data aggregation is accepted by the American public. As NYU Law Professor Helen Nissenbaum noted in her book Privacy in Context: Technology, Policy, and the Integrity of Social Life:

 

Data subjects and third-party harvesters alike are keenly aware of qualitative differences that can occur when bits of data are combined into collages. This is, surely, one of the most alluring transformations yielded by information sciences and technologies. It is anything but the case that an assemblage of bland bits yields a bland assemblage. The isolated bits may not be particularly revealing, but the assemblage may expose people quite profoundly.

 

In September of last year, the Electronic Privacy Information Center (EPIC) requested documents from the Federal Bureau of Investigation (FBI) which might tell us more about a new FBI data aggregation system, known as the Next Generation Identification Program.

 

According to the FBI’s website, NGI “will offer state-of-the-art biometric identification services and provide a flexible framework of core capabilities that will serve as a platform for multimodal functionality.” In short, NGI is a system designed to link a variety of widely-used biometric indicators, including fingerprints and DNA profiles. However, the system goes further than just joining in one place systems already in wide use. The development of NGI will include a mandate to “explore the capability of facial recognition technology.” NGI will thus allow for the linking of otherwise disparate profiles, and the incorporation of facial recognition software to supplement those profiles, a powerful shift at a time when surveillance cameras are becoming increasingly ubiquitous. Moreover, as the National Journal has reported that NGI “enables police officers to use a handheld fingerprint reader to send prints through a squad car’s radio to the FBI’s database and learn almost instantly whether there is a match.”  However, NGI will also incorporate a “Repository for Individuals of Special Concern (RISC)” to “[provide] law enforcement and partnering agencies with rapid/mobile identification services to quickly assess the level of threat that an encountered individual poses.” In short, it will generate meaningful analytical profiles as well. Finally, as the FBI has acknowledged, the program is being developed not solely by the government itself but in collaboration with private companies, a troubling fact from a privacy standpoint.

 

Without public knowledge of government efforts to compile new databases, public oversight is impossible, and the political process justification for courts’ refraining from stepping in becomes more difficult to accept. On April 8, 2013, EPIC filed a lawsuit against the FBI under the Freedom of Information Act (FOIA), challenging its failure to provide information on NGI. (Their complaint can be found here). It states:

 

In 2012, EPIC filed two Freedom of Information Act (FOIA) requests for documents related to the FBI’s NGI system. One request sought technical specifications related to the roll out of the NGI system. The other sought contracts between the FBI and the private entities developing the system. The FBI did not promptly comply with the law’s requirements and has so far failed to give EPIC any responsive documents. After the agency failed to comply with the Freedom of Information Act, EPIC filed a lawsuit in federal district court.

 

The FBI notes that “A full and open competition was used to award the NGI contract to Lockheed Martin Transportation and Security Solutions” to develop this technology, but it remains to be seen whether similar public scrutiny will be possible regarding the operations of the database itself.

 

By: Show Wang

Article link: http://www.ediscoverylaw.com/2013/02/articles/case-summaries/court-considers-the-persnickety-but-persistent-question-of-what-qualifies-as-content-under-the-stored-communications-act/

The article contains a link to a court opinion, which can be seen here: http://www.ediscoverylaw.com/uploads/file/Westlaw_Document_Optiver.doc

 

A recent case expands on the distinction between communications content and non-content/envelope information for emails. Although so far most of the cases we have dealt with in class have involved the government in criminal cases, the SCA applies to non-government persons and entities. The SCA applies here even though this case involves a company seeking the communications content of another company’s emails. The email provider (Google in this case) would only be allowed to share non-content information such as log data and email addresses. At the end of the opinion, the court correctly classifies email subject lines as content before mentioning what non-content metadata Optiver is entitled to from Google. The list of non-content included recipient, sender, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages.  It is troubling that anyone could have access to this data, and it continues the debate over whether some of this information is revealing of people’s inner lives. Furthermore, if all of this falls under non-content, then it also expands what would fall under non-content surveillance by the government for the Pen Register Act.

By: Su Mien Tee

 

On March 19, 2013, the House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing on ECPA reform. The Department of Justice, in its testimony before the Subcommittee, reversed its long-held stance that a warrant should not be required before government officials can obtain stored information, and in a statement made by Elana Tyrangiel, Acting Assistant Attorney General of the Office of Legal Policy), endorsed a crucial point of reform advocated by policy advocates, public interest groups and privacy experts, that the same protection afforded to letters and phone calls (Ex Parte Jackson, 96 U.S. 727 (1877) and United States v. Katz, 389 U.S. 347 (1967)).

 

Title II of the Electronic Communications Privacy Act (ECPA, Pub. L. 99-508, 100 Stat. 1848), the Stored Communications Act (SCA, 18 U.S.C. Chapter 121 s 2701 – 2712) addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records”. Orin Kerr explains the s 2703 regime in terms of an “upside-down pyramid”:

–          A simple subpoena is needed to compel basic subscriber information (s 2703(c)(2)),

–          A s 2703(d) order compels all non-content records (s 2703(c)(1)(B)),

–          A simple subpoena combined with prior notice compels:

• Basic subscriber information (s 2703(c)(2)),
• Any opened emails or other permanently held files (s 2703(b)), and any contents in temporary ‘electronic storage’ such as unretrieved emails in storage for more than 180 days (s 2703(a));

–          A search warrant is needed to compel anything stored in an account (s 2703(a)-(c)) which includes unopened email stored for less than 180 days.

[see Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, (2004) George Washington Law Review, Vol. 72, No. 6]

 

The DOJ stated that “some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications”, and that there is “no principle basis to treat email less than 180 days old differently from email more than 180 days old”. Currently disclosure of the latter can be compelled with a subpoena and prior notice.

 

It went on to reject the distinction between opened and unopened emails, that it does not make sense for the SCA to accord lesser protection to opened emails than it gives to emails that are unopened. It also essentially endorsed the application of the probable cause standard for a warrant to compel disclosure of stored email and all similar stored content information, saying that they “appreciate the appeal of this approach and believe that it has considerable merit”.

 

This warrant standard is also reflected in Google’s official statement (January 28, 2013) on its approach to government requests for user data – requiring a search warrant before handing over users’ emails to law enforcement (which is not required by ECPA currently). The same standard was endorsed by Richard Salgado, Director of Law Enforcement and Information Security of Google Inc, who similarly testified with Tyrangiel before the Subcommittee on March 19, 2013. His written testimony is available here.)

 

The removal of the 180-day rule is also reflected in the Leahy-Lee Bill (introduced on March 19, 2013 by Senator Patrick Leahy and Senator Mike Lee) to reform ECPA, to require government officials to obtain a warrant in order to require ISPs or other online service providers to disclose the private communications of their users, essentially extending the warrant standard in postal letters to email.

(Leahy-Lee Bill accessible at http://www.leahy.senate.gov/download/ecpa-bill-2013.

Read more about the Leahy-Lee Bill and ECPA reform at http://www.slate.com/blogs/future_tense/2013/03/19/patrick_leahy_introduces_legislation_to_update_ancient_electronic_communications.html )

 

This approach is very welcome, given that the 180-day rule appears to have little bearing as to the expectation of privacy that Internet users have about their emails. Whether an email is opened or unopened by the intended recipient has very little bearing as to whether or not the content remains private; whether it has been kept for 179 days or 181 days has even less bearing on the extent of the privacy of the contents. People reasonably expect that the contents of their email communications be kept private and not subject to government search and seizures, especially given the central role that an individual’s email account plays in his or her private life, and contains intimate and private information.

 

Reform of ECPA will have to address the gaps in ECPA that have been opened up by changes in technology, and the Leahy-Lee Bill, if passed, may go a little way in enhancing individuals’ Fourth Amendment rights, which is crucial given the increasingly fine line between content and non-content in today’s world, especially in light of information like URLs and even to and from addresses, which may reveal more than simply addressing information or identity (in the case of email addresses, where email handles may be traced to other similar internet profiles etc).

 

[Note, however, that the DOJ’s new stance has not been received with too much optimism – skeptics have pointed out that the testimony also raises issues which may weaken current privacy protections, including by “making the standard for non-content records technology-neutral, allowing the government to use subpoenas to compel disclosure of addressing information associated with email and other electronic communications. See criticisms by the Center for Democracy and Technology here.]

By: Cindy Hu (Hsin-Yi Hu)

 

Under the U.S. law, the so-called “border search exception” allows government to search the international travelers – including the U.S. citizens – and their luggage and vehicles at any reason when they enter the country. However, this exception might be limited because of the new ruling of the 9th U.S. Circuit Court of Appeals.

On Friday, March 8^th, 2013, the Court of Appeals has ruled that digital devices are granted limited relief from “border search exception.”  Judge M. Margaret McKeown (*.pdf.) stated that “A person’s digital life ought not to be hijacked simply by crossing a border.”  Different from packing traditional luggage which one can decide what to bring and what to leave behind, laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails.

However, several critics and dissenting opinions have risen from this ruling. The San Francisco-based appeals court said that the Court’s view was too extreme. In this court’s opinion,  the Court left rules intact that a “manual review of files on an electronic device” may be undertaken without justification while using “software” to decrypt password protected files or to locate deleted files now requires “reasonable suspicion” that criminal activity is afoot. Additionally, Judge Milan Smith in his dissenting opinion states that the ruling of the majority raises national concern because this ruling opens the nation’s borders “to electronically savvy terrorists and criminals who may hereafter carry their equipment and data across our borders with little fear of detection.”

Furthermore, although the decision made by the Court seems to bolster the digital rights of travelers, but it’s pronouncement of reasonable suspicion requirement, in Michael Price’s opinion (the counsel for the Liberty & National Security Program of the Brennan Center for Justice at New York University), seeks to whittle away at the border search exception.

As the Court noted that no reason was needed to manually inspect the content of a gadget, but a forensic examination required a “reasonable suspicion.”  The Court found enough “reasonable suspicion” based on the mere facts that the defendant was a convicted sex offender and frequently traveled to Mexico, a known destination for sex tourism. What’s more, adding to reasonable suspicion, under what the Court labeled as the “totality of the circumstances,” was the fact that some of the files on one of the laptops were password protected. “We really didn’t think there was any reasonable suspicion for the forensic examination,” Price said.

As stated above, the outcome of this ruling might seem to be a big step for the digital rights of travelers; however, the Court’s analysis on “reasonable suspicion” and the way it differentiates computer software and manual review also raise other questions: Why the use of computer software to analyze a hard drive triggers a reasonable suspicion requirement while a “manual review” of the same hard drive requires no suspicion, is left unexplained. Although technology may serve as a useful proxy for the intrusiveness of a search today, in the future even cursory searches might be more efficiently conducted by the use of such technology.

 

The full content of the article can be found at http://www.wired.com/threatlevel/2013/03/gadget-border-searches/, Appeals Court Curbs Border Agents’ Carte Blanche Power to Search Your Gadgets, BY DAVID KRAVETS, 03.08.13, 5:19 PM