Category: Uncategorized

By: Brian Harris

The Department of Homeland Security has recently released a response to an ACLU challenge about its border patrol policies.

The ACLU challenged the DHS’s policy of conducting suspicionless, warrantless searches of personal electronics within an area 100 miles from the border around the entire United States.  These searches raise concerns about a possible government infringement of our Fourth Amendment rights.

The ACLU refers to this 100 mile stretch of land as the “Constitution-free zone.”   The DHS has insisted that these searches were a necessary function of ensuring national security.  These searches raise increasingly relevant issues of privacy as improvements in technology encourage people to convert more of their lives and personal information into digital media.  What begins as a seemingly simple search of a laptop could actually be an incredibly intrusive collection of personal data.

The DHS takes the position that there is long standing authority to search recently purchased merchandise at the border for incoming and going travelers.  They claim that these searches are an obvious extension of that philosophy.  They also take the position that requiring reasonable cause would directly interfere with the operational effectiveness of border control thereby creating a risk to national security.

More importantly, the 100 mile stretch of land inland from the border encompasses approximately 200 million Americans, which is 2/3 of the population.  According to the Congressional Research Services, border patrol agents must have a “reasonable suspicion” of criminal activity.  They say that a better case for the “Constition-free zone” should be targeted at airport security where they can search your belongings even without any probable cause.
The Supreme Court has not taken a case about the warrantless search of electronics at the border.  It seems as though until that occurs, the government’s position on this issue will remain the same.

http://www.dhs.gov/sites/default/files/publications/crcl-border-search-impact-assessment_01-29-13_1.pdf

http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/

By: Ken Chen

Researchers at MIT and Universite Catholique de Louvain in Belgium have conducted a 15-months analysis of mobile phone data for about 1.5 million users and they successfully identified 95 percent of the users. What it took were just very few pieces of data – that is, trace the activity to a specific anonymous individual.

Locations are determined by the nearest cell tower on basis of the pings from mobile phone whenever the users’ phone checks in with the network as the users receive calls and text messages, or just move around. The location is updated hourly. Roughly a hundred data points were provided each day. The researchers need only four data points to identify the individual. With just two data points, they could identify 50 percent of users.

The researchers wrote in their study published in Scientific Reports, “We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy,” they explain. “Indeed, this uniqueness means that little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset. Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern.”

The controversy over cell location data is growing. Apple officially responded to this growing controversy in 2011, arguing that the iPhone is not logging your location; rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested.

Along with the increase of government requests, it is also heavily debated on the content or non-content nature of location. It is accepted that, although a single piece of information about location seems non-content, the aggregation of locations may become content-based and reveal inner lives of information owners. Government would intend to argue the non-content nature of location information for sake of the easier-to-meet procedural hurdles for non-contents records in the ECPA, instead of having to first obtain a warrant based on probable cause under the Fourth Amendment standard.

This research shows that the location data can be easily used to identify a user based on little more than tracking the pings of a cellphone. We could imagine how easily the government (or any company with such intention and such information) could intrude our inner lives, even with a relatively higher procedural hurdles.

http://www.theverge.com/2013/4/9/4187654/how-carriers-sell-your-location-and-get-away-with-it

http://www.wired.com/threatlevel/2013/03/anonymous-phone-location-data/

http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html

By: Jimmy Matteucci

On March 21, two bills were introduced in the House and the Senate that would prohibit law enforcement and private investigators from utilizing GPS data or cellphone location data without first obtaining a warrant. The Geolocational Privacy and Surveillance Act (“GPS Act”) was introduced in the House by Rep. Jason Chaffetz (R-Utah) and in the Senate by Mark Kirk (R-Illinois) and Ron Wyden (D-Oregon). The cosponsors of the GPS Act say it is a response to the Supreme Court’s holding in U.S. v.Jones, which they say did not go far enough. “Although Jones was a step in the right direction, the Department of Justice is still arguing in court that they do not need a warrant to track someone’s movements using GPS devices or technology. This highlights the need for Congress to step in and provide clear and reasonable guidelines,” said Rep. Chaffetz.

Writing for the majority in U.S. v. Jones, Justice Scalia used trespass doctrine to hold that placing a physical GPS tracking device on an owner’s car was a trespass to private property and therefore a “search” under the Fourth Amendment. Subsequently, law enforcement has argued that merely obtaining GPS information from someone’s phone or built-in car system, such as OnStar, is not such a trespass, and therefore does not require a warrant. The GPS Act would explicitly overrule this argument, making all acquisitions of geolocation information prohibited except pursuant to a warrant.

The text of the proposed GPS Act includes several exceptions to this general prohibition, including when consent is given; when the information is obtained in the normal course of business; when the information is acquired while conducting foreign intelligence surveillance; when the information is acquired in an emergency; when the information is used to locate a person who is unlawfully using the device through theft or fraud; and, when the geolocation information being acquired and used is readily accessible to the general public. Of all of these exceptions, the emergency situation exception has the potential to be read the broadest. The text allows an officer to intercept geolocation information if they, “reasonably determine that an emergency situation exists that involves (i) immediate danger of death or serious physical injury to any person; (ii) conspiratorial activities threatening the national security interest; or (iii) conspiratorial activities characteristic of organized crime.” There are safeguards built in, such as requiring an application for an order approving the interception within 48 hours after it has occurred, however one expects law enforcement to rely heavily on this exception.

To make sure that the prohibitions included in the GPS Act are enforced, the bills include civil and criminal penalties for violators.

The GPS Act has attracted vocal support from the American Civil Liberties Union, Americans for Tax Reform’s DigitalLiberty.net, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and the Computer and Communications Industry Association. If the bills are enacted, the procedural protections surrounding the use of new technologies by law enforcement will be greatly enhanced.

For more articles on the subject:

http://www.wired.com/threatlevel/2013/03/warrantless-gps-tracking/

http://www.pcworld.com/article/2031590/bills-would-require-warrants-for-police-to-use-gps-tracking.html

By Tanata Tantasathien

Social networking sites such as Facebook and Google+ enable people to interact and develop relationships in a whole new way- deviated from traditional face-to-face communications and not envisioned by legislative, judiciary authorities or even scholars in the past. Despite their countless benefits, social networks have brought new threats to privacy. Aggravating the privacy infringement problems, disclosure of users’ information on the sites concerning their ‘everything’, i.e., identity, contacts, family, friends, acquaintances, educational background, work experience as well as all the  ‘likes’, can facilitate criminals, identity thefts and other wrong-doers to abuse the victims. Government can also make use of such disclosure for the purpose of gathering people’s information.

According to the 4^th Amendment, government lacks authority to conduct ‘search and seizure’ absent a specified warrant issued by courts. In practice, however, they sometimes have access to private sector records needless of warrant. Government also takes advantage from “the Third Party Doctrine” which Kerr Orin S. defines as “knowingly revealing information to a third party relinquishes 4^th Amendment protection in that information.” By adopting this doctrine, social network users would have very limit or even no privacy protection because all the information are inevitably disclosed to internet service providers and social network sites in course of the normal use of the sites. The article Facebook and Interpersonal Privacy: Why the Third Party Doctrine Should Not Apply by Monu Bedi, which is available at http://lawdigitalcommons.bc.edu/bclr/vol54/iss1/2 responds to the issue: whether the information posted by users in social media sites still merits the 4^th Amendment protection despite being disclosed to ISPs and some third parties; and suggests alternative protection under the doctrine of Interpersonal Privacy.

First the author points out how scholars have attempted to expand the 4^th Amendment protection, but found the third party doctrine as an impediment. He doubts the efficiency and appropriateness of the doctrine in the context on internet communications; and argues that this context deserves some special consideration when applying the 4^th Amendment reasonable expectation test. In particular, it must “recognize the unique role that internet communication play in creating and maintaining relationships.” Furthermore, the disclosure of information to the ISPs should not vitiate privacy protection because these entities serve no part in users’ relationships.

Then he introduces the “Interpersonal Privacy Doctrine” which courts have applied in cases relating to intimate, marital, and parent-child relationships. This doctrine holds that people have rights to make personal decisions and are entitled to the privacy in their intimate relationships, i.e., abortion, same sex relationship, contraception consumption, without government intrusion. It is grounded in the Due Process, Equal Protection, and the 1^st Amendment. The author cites several ideas from Thomas Crocker, namely, the interplay between liberty interest and privacy in internet communications; the notion that privacy sometimes means undisclosed, but not always. Most importantly, Crocker asserts: “the three qualities—identity, relationship, and community—which are not unique to social networking sites; they are “basic elements of social interaction, offline and on.” Consequently, both the author and Crocker believe that the interpersonal privacy doctrine can be applied to safeguard internet communication, preferably at the same level of face-to-face communication.

Monu Bedi, Facebook and Interpersonal Privacy: Why the Third Party Doctrine Should Not Apply, 54 B.C.L. Rev. 1 (2013), http://lawdigitalcommons.bc.edu/bclr/vol54/iss1/2

By: John Sadlik

Retail-theft databases, which are used by retailers for background checks on potential employees and to track employee thefts, are facing increased scrutiny from private lawyers and federal regulators.

These databases contain information about accusations and admissions of theft from retail employees and are often used to justify passing over applicants for retail positions.

Though legal, the companies which maintain these databases must answer questions about whether or not they run afoul of the Fair Credit Reporting Act. The FCRA is aimed at regulating the collection, dissemination, and use of consumer information.

The databases are used by retailers like Target, CVS, and Family Dollar, and have been the subject of a recent wave of class action lawsuits. LexisNexis, which owned the Esteem database until this year, recently agreed to pay 13.5 million to settle a class-action lawsuit that  alleged violations of consumer protection laws.

The Federal Trade Commission is examining whether it is too difficult for retail employees to correct inaccurate information stored in retail-theft databases. Information which can be the deciding factor in the decision to hire a new employee.

Admissions of theft by retail employees, which are shared by retailers these databases, usually come in the form of written statements that advocates say fail to give notice about their use.

Such admissions can be the product of questionable circumstances, as well. Made in the back of retail stores and under potentially intense pressure from private loss-prevention officers, advocates argue they can be the product of coercion. Often these admissions do not result in criminal charges and are made without a complete understanding of their consequences.

http://www.nytimes.com/2013/04/03/business/retailers-use-databases-to-track-worker-thefts.html?ref=business

By: Adam Shamah

SCOTUSBlog’s “Petition of the day” Tuesday was the cert. petition in Jennings v. Broome, which asks the Supreme Court to answer “Whether e-mails stored by an e-mail provider after delivery are in “electronic storage” under the Stored Communications Act, 18 U.S.C. §§ 2701.”

If the Supreme Court grants cert., it’s decision could majorly impact privacy law. We covered the Act’s protections in class.  They include regulations on disclosure to private parties and the government; prohibition on unauthorized access; and rules governing compelled disclosure by law enforcement. The petition notes the importance of the Stored Communications Act in protecting email privacy, given that the Wiretap Act protects only communications in transit and the Fourth Amendment typically does not apply due to the third party doctrine.

As the petition explains, “The prohibition of unlawful access … and the disclosure regulations … apply to communications that are in “electronic storage,” which is defined as: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication… The scope of the SCA’s disclosure provisions and its protections accordingly turns on exactly what is encompassed by this definition.”

The case arose after a wife and husband separated.  The wife and her daughter-in-law guessed the husband’s email password and printed several of his emails. The husband filed suit under the SCA’s “unauthorized access” provision.  The Court of Common Pleas for

the Fifth Judicial Circuit of South Carolina granted summary judgment for the defendants, holding that e-mails were not “stored communications” because they had already been “transmitted and had reached their final destination” and thus could not be in “temporary, intermediate storage incidental to the electronic transmission.” Further “[b]ecause Yahoo was not storing the e-mails for its own ‘purposes of backup protection,’ the court reasoned that the e-mails failed to satisfy the second prong of the definition of electronic storage.”  The South Carolina Court of Appeals reversed the trial court.  The South Carolina Supreme Court then reversed again, offering three different opinions, each with a different rationale.

The South Carolina Supreme Court thus created a split with the Ninth Circuit on this issue. See Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004).  The petition notes additional lower courts that have taken a variety of views on the matter.  Hopefully, the Supreme Court will grant cert and decide whether billions of emails are protected by the Act or not.

By: Thomas Prieto

The Currency and Foreign Transactions Reporting Act of 1970, better known as the Bank Secrecy Act of 1970, requires banks to create and keep specific records, which the government can search, often in attempts to detect and prevent money laundering. In the past, enforcement of the Bank Secrecy Act has been relatively lax, but there are indications that enforcement is on the rise.

The three major requirements of the Bank Secrecy Act for financial institutions, according to the below linked article, are 1) “implementing an anti-money laundering program, 2) reporting suspicious transactions, 3) conducting due diligence for private banking and correspondent bank accounts involving foreign persons.” The Bank Secrecy Act empowers the Treasury Department to examine all these records it requires.

It should be interesting to see whether the government’s increased enforcement may once again raise the issues in United States v. Miller. In that case was whether the plaintiff’s bank records were seized illegally in violation of the Fourth Amendment. The Court held that Miller had no right to privacy in his bank records. The documents subpoenaed were not ‘private documents.’ Rather, they were the bank’s business records.

http://www.mainjustice.com/2012/12/18/analysis-enforcement-of-the-bank-secrecy-act-is-on-the-rise-is-your-financial-institution-prepared/

By: Wesley Horner

I used to have a remote control helicopter.  OK, I still do.  One of the great things about technology is that as it becomes economical to make and distribute the coolest gadgets and gizmos, they become increasingly accessible, and new uses and creative innovations arise that make our lives better.  Or at least more fun.  Yes, that means that you can operate cool new remote control helicopters from your smart phone.  One startup company is even offering a taco delivering service—you place an order using your smart phone, and a flying robot will deliver the taco to you.  Taco bout convenient!  But we should remember that with great power comes great responsibility.

When technology advances to the point of materially advancing law enforcement capabilities, society should be alert to the increased risks to individual privacy and be prepared to delineate the proper boundaries of police conduct.  Drone technology, in particular, demonstrates the risks accompanying technological progress.  Drones equipped with cameras could drastically reduce costs and drastically increase the effectiveness of search and rescue missions.  Drones could also improve tactical awareness by offering multiple vantage points to aid in the execution of dangerous operations.  Drones offer significantly improved coverage, and unlike manned surveillance, some advanced drones may be able to operate without breaks.  Indeed, the taco delivery service boasts, “Our unmanned delivery agents are fast and work tirelessly.”  But further advances in drone technology could also enable pervasive mass surveillance, raising questions about what Big Brother should be entitled to monitor and record and under what circumstances.

In February of 2012, President Obama signed into law provisions that incorporate drones into US airspace.    As local police have asked for FAA approval to incorporate drones into police operations, local outcry has created surprising opposition.  Although current commercial drone technology consists of small systems often weighing less than 5 lb. and with fly time limited to 15 minutes, technology moves rapidly, and these limits may soon be surpassed.  It’s no wonder that more than 30 states are considering legislation limiting the use of drones.

This past February, Virginia became the first state to pass legislation that would require a moratorium on drone use by law enforcement until 2015.  Last week, however, Governor Bob McDonnell proposed some amendments to allow police to use drones for search and rescue missions.  The Governor has the right idea.  An outright ban on drone use is unnecessarily overinclusive.  Regulations should be tailored to permit uncontroversial uses that could drastically improve public services.  The moratorium exception for search and rescue missions is just one example.  States should also consider permitting drone use upon a judicial finding of probable cause—modeled after the Federal Wiretap Act—side-stepping the constitutional question of whether or not an advanced technology fly-over constitutes a search.  Probable cause has always been considered adequate protection for individual privacy.  There is little reason to believe otherwise, even in the context of advanced surveillance technologies.

By: Cory McAlister

As Benjamin Smith mentioned in a recent post, the question of law enforcement’s use of “stingrays” in criminal investigations is currently being litigated in an Arizona federal court. A judge heard arguments on March 28 on the legal issues surrounding the FBI’s use of a Stingray to monitor Rigmaiden’s location.

Recall that Stingrays are international mobile subscriber identity (“IMSI”) catchers: they spoof the behavior of cell towers in order to trick local phones or other cellular devices into connecting through the Stingray rather than directly to a legitimate tower. Posts on this blog have alerted us to the power of cell site location information (“CSLI”),—the trafficking data collected by cell towers that reveals a caller’s whereabouts—which is permitted by most courts under the third party doctrine. The third party doctrine allows the government to demand records maintained by telecommunications companies necessary to the transmission of calls. A Stingray device allows law enforcement to bypass even the telecom’s (required) cooperation, and to pinpoint location with even greater accuracy than CSLI.

In Mr. Rigmaiden’s case, the FBI did in fact obtain a court order and warrant for mobile location tracking,—it appears to have been intended for obtaining CSLI—which they used to get information from Verizon Wireless about Rigmaiden’s use of an air card. They then tracked the location of his cell network-connected computer by setting up a Stingray to detect that air card’s use.

The defendant argued that the warrant application for the mobile location inadequately described the details of the technology that would eventually be used pursuant to the warrant, i.e. the Stingray. The defendant argued, therefore, that the FBI went beyond the scope of the warrant, and could not use any evidence obtained in excess of its authorization.

The government had originally argued in this case that the Stingray did not require a warrant of any kind, and therefore the details of the warrant application provided to the issuing magistrate had no bearing on its use. However, the government reversed course and subsequently argued that the warrant also authorized the use of the Stingray, and was sufficiently clear about the nature of the technology—that it would involve mobile location tracking—that the warrant could be validly issued.

As a separate matter, the defendant, and privacy advocates who submitted briefs as “friends of the court,” noted that the Stingray collaterally collected data from numerous innocent individuals who were not targets of the investigation. Rigmaiden does not have standing to contest the violations of third parties’ Fourth Amendment rights, but he argued that the warrant as a whole is defective because it did not meet the Fourth Amendment’s particularity requirements. That is, even if the scope of the warrant encompassed the use of the Stingray, that scope would mean so broad a search that it amounts to an invalid general warrant. The government, for its part, countered the defense’s particularity claims by arguing that it purges data on individuals unrelated to the investigation, and thereby allays the particularity concerns.

http://www.wired.com/threatlevel/2013/03/gov-fights-stingray-case/all/