Category: Uncategorized

EU’s Article 29 Working Party adopted opinion regarding mobile geolocation services and required e.g. a prior informed consent from users. Yet The European Commission’s proposed reform of the EU’s 1995 data protection rules includes nearly nothing about geolocation.

By: Anne Aaltonen

On May 16, 2011, EU’s Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.

According to the opinion: “A smart mobile device is very intimately linked to a specific individual. Most people tend to keep their mobile devices very close to themselves, from their pocket or bag to the night table next to their bed. It seldom happens that a person lends such a device to another person. Most people are aware that their mobile device contains a range of highly intimate information, ranging from e-mail to private pictures, from browsing history to for example a contact list. This allows the providers of geolocation based services to gain an intimate overview of habits and patterns of the owner of such a device and build extensive profiles. From a pattern of inactivity at night, the sleeping place can be deduced, and from a regular travel pattern in the morning, the location of an employer may be deduced. The pattern may also include data derived from the movement patterns of friends, based on the so-called social graph. A behavioral pattern may also include special categories of data, if it for example reveals visits to hospitals and religious places, presence at political demonstrations or presence at other specific locations revealing data about for example sex life. These profiles can be used to take decisions that significantly affect the owner.”

Read more here:

http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/mobile-location-privacy-opinion-adopted-by-europes-wp29/

 

The European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy on 25 January 2012. It is strange that this reform talks very little about geolocation data.

 

Read more here:

 

http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

Senator Franken’s Comment to NTIA Focuses on Location Privacy

 

Page Hubben

On April 2, Senator Al Franken, Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, wrote a letter to the National Telecommunications and Information Administration, an agency of the U.S. Department of Commerce, to comment on the Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct. One of Senator Franken’s primary focuses in the letter is location privacy, and he argues that the Location Privacy Protection Act he introduced last year provides an answer to some of the major issues.

 

Senator Franken’s main concern with location privacy is the lack of federal law governing commercial use of this data. He points out that because the Fourth Amendment does not apply to corporations, federal law allows companies to collect location information from customers and give the information to third parties. He notes that the Cable Act and the Communications Act prohibit cable and telephone service companies from disclosing customer location, but the Electronic Communications Privacy Act lets smartphone and app companies share the same information without obtaining consent.

 

The letter aligns the location privacy bill with President Obama’s recently released Consumer Privacy Bill of Rights. The President’s proposal calls for transparency, individual control, and respect for context. Senator Franken asserts that transparency is not satisfied by disclosures in a privacy policy. Accordingly, his bill requires companies to tell consumers what information will be collected and to whom it will be disclosed. To implement individual control, companies must obtain express authorization prior to collecting or disclosing location information. In Senator Franken’s view, the combination of these requirements preserves contextual integrity, because consumers can ensure that their information is used only within a specific context.

 

The letter enumerates recent events that triggered concerns over consumer privacy, such as the Carrier IQ software running secretly in mobile phones to collect location data and keystrokes. Such stories show that consumers appreciate the sensitive nature of location data, but the transition in technology has happened so rapidly that many people are unsure of when information is collected and by whom.

 

The Future of Privacy Forum, a think tank, sees these events diminishing consumer confidence and is working with industry and government agencies to create responsible privacy practices. Part of the issue in their view is that policy makers know there is a problem, but may not have a clear understanding of what is going on.

 

Nevertheless, regulation may be on the horizon. In addition to Senator Franken’s bill, Congressman Ed Markey released a draft of the Mobile Device Privacy Act earlier this year, which would require user permission to operate monitoring software on a mobile device. The Federal Trade Commission also specifically mentioned mobile data as a key area for privacy discussions, encouraging industry groups to regulate themselves.

 

Many feel that self-regulation can address consumer concerns more effectively than the government. The Future of Privacy Forum calls for app developers to create solutions, and NetChoice, an e-commerce trade group, ranked the location bill as one of the worst for companies operating online because they believe it would require a pop-up notice every time an app collects location information. Senator Franken addresses this concern directly in his letter: “[A]s I explained when I spoke on the floor of the Senate to introduce the legislation, my bill will not flood consumers with pop-up consent screens: a one-time consent screen will suffice.”

 

Criticism from business groups may be enough stall this bill, but given the growth of mobile technology and consumer unease when location data is improperly shared, this is an issue likely to stay on everyone’s radar.

Several recent NY Times articles reflect growing concerns over increasing government access to  and retention of communications and other data here in the U.S.:

 

Police Are Using Phone Tracking as a Routine Tool

By ERIC LICHTBLAU

Published: March 31, 2012

Law enforcement tracking of cellphones is a convenient surveillance tool in many situations, but it is unclear if using such technology without a warrant violates the Constitution.

 

U.S. Relaxes Limits on Use of Data in Terror Analysis

By CHARLIE SAVAGE

Published: March 22, 2012

Attorney General Eric H. Holder Jr. signed new guidelines on how analysts may access, store and search information gathered by government agencies about Americans.

 

And in the UK:

 

Britons Protest Proposal to Widen Surveillance

By ALAN COWELL

Published: April 2, 2012

Reported government plans to give intelligence services the ability to monitor the electronic communications of every person in the country drew fire on Monday.

 

Katherine J. Strandburg

 

Does your level of Fourth Amendment protection vary inversely with the convenience of your digital life?

Matthew Smith

Today, Ars Technica published an excellent rundown of the various approaches that policymakers have taken, or are taking, to attempt to secure the privacy of smartphone users.

The article ties in with another recent Ars piece, which pointed out that Apple has the “master keys” to the encryption of its iCloud service – and so, in theory, could give those keys to the police, if asked.

This situation exemplifies a truism that may well come to define the digital age: your level of privacy varies inversely with the convenience of your digital life. Here’s how it plays out.

Everyone has data that’s important to them – and the convenience of their digital life depends, in large part, on how easily they can organize, access, and play around with their data. Data can be anything from an address book and e-mails to a digital movie collection.

In the 1990s, the PalmPilot – arguably, the forerunner of modern smartphones – was successful, in large part, because it offered users easy, convenient access to their data. Of course, the PalmPilot posed no threat to privacy, as long as the user was able to hold onto it: the data never left the user’s possession. The drawback to this ecosystem was, as any PalmPilot user will remember, the need to “sync” the device whenever the user wished to update its data.

The game changer in this realm was the creation of mobile access to the Internet and the rise of “The Cloud.” Once the devices we carried with us gained access to the Internet, putting our data on the Internet was an obvious next step: keep the master copy of everything in the Cloud, and, any time there is a change, all of the user’s devices can be updated over their Internet connections, in real-time. Everything is always up-to-date, and always at hand.

But, of course, this convenience comes at a price. The user puts the privacy of their data at risk by entrusting it to a third party. The extent to which data given over to a third party is protected by the Fourth Amendment or other laws is still being worked out – largely because Cloud services are so new that laws regulating them have yet to develop – see the Ars Technica posts linked above. If Apple (or another company) possesses the keys to a user’s data, Apple (or the other company) can control who accesses that data. And frequently, the police look to access a user’s private data when they suspect the user of criminal activity.

As the Ars Technica rundown of smartphone privacy approaches above indicates, the law here is unsettled – but it is clear that, absent a strong stand in favor of privacy, users who store their personal data in Cloud services may well be trading off legal privacy protections by doing so.

So, what’s a tech-savvy citizen who values privacy and convenience to do?

One clue may come from the so-called Maker Manifesto: “if you can’t open it, you don’t own it.” Unless a user is personally responsible for the storage and security of their data – perhaps by purchasing or building a dedicated private web server to be set up in the home or setting up an always-connected PC at home for remote access to its hard drive – it is impossible to be certain of the security and privacy of the user’s data.

When a user personally controls access to their data, the level of government intrusion on that user’s privacy required to access that data is much greater. In the instance of a server set up in a private home, the government would be required to make entry into the home itself to access the data on the server. And traditionally, the home is the most-protected sphere under the Fourth Amendment.

Of course, this is costly – and, because software systems for remote data access are frequently built around the assumption that the user will be connecting to a third-party service (Apple iCloud, Google, Box.net, Dropbox) to access their data – many of the convenient features of data storage in the Cloud may be unavailable to a user setting up their own system.

Because of this cost – in terms of finance and convenience – the desirability of strong legal protections for users’ data stored with third parties is manifest. It remains to be seen whether (and how) Congress (and courts) will act to respond to this need.

Kevin Frick

“Can You Track Me Now?…Good.” Do Police Need a Warrant for Cell Phone Location Data?

Last week, the question of whether law enforcement officials required to get a warrant for cell-phone location took a step toward Supreme Court review, as the government appealed a magistrate judge’s denial of an order for such data absent probable cause to the Fifth Circuit. Many privacy organizations, including the ACLU and the Electronic Frontier Foundation, and the National Association of Criminal Defense Lawyers joined in submitting an amicus brief.

Cell phone tracking data as an issue is heating up for a variety of reasons. First and foremost, the prevalence of cell phone use makes the issue palpable for almost every citizen. However, there are some lesser known legal reasons that make the issue a timely one. These include the following:

• Law enforcement increasingly seek such data; judges are increasingly denying access: The first published decision on the issue emerged from Brooklyn in 2005, when Magistrate Judge Orenstein made public his denial of law enforcement’s request of cell phone location data. Since then, many judges have followed his lead.
• It implicates the important “third-party doctrine”: Under the third-party doctrine, information that has been volunteered to a third-party no longer receives Fourth Amendment protection. However, the third-party doctrine has been developed in quite different contexts, like whether police can search garbage put out for collection. Justice Sotomayor has called “ill-suited to the digital age.”
• The effect of the recent U.S. v. Jones on the issue isn’t clear: The majority opinion in Jones decided the case—concerning the installation of a GPS device on a suspect’s car—primarily on the principle of physical trespass, despite a concurrence by Justice Sotomayor recognizing that “physical intrusion is now unnecessary to many forms of surveillance.”

For these reasons and more, the issue of law enforcement collection of cell phone location data is likely that moves quickly and publicly toward Supreme Court review.

 

Update 4/2/12: Monday, the New York Times highlighted the issue, noting how many local police departments use location tracking data for routine investigations.

Mu-Chia Kao

9^th Circuit: ECPA protects domestic communications of non-US citizens

 

In Suzlon Energy Ltd. v. Microsoft Corp., the U.S. Court of Appeals for the Ninth Circuit uphold a trial court’s quashing of a subpoena and concluded that even foreign citizens are entitled to the protection of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510-2522.

In this case, the plaintiff, Suzlon Energy Ltd. (“Suzlon”) has demanded that the defendant, Microsoft Corp. (“Microsoft”) produce documents from its Hotmail email account of Rajagopalan Sridhar, an Indian citizen imprisoned abroad. Microsoft objected to the production and argued that production of the emails would violate the ECPA. The district court agreed and held that the plain terms of the statute applied the ECPA to all persons, and granted the motion to quash.

The relevant provision of the ECPA states that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” 18 U.S.C.§ 2702(a)(1) and it defines a “user” as “any person or entity who — (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use.” 18 U.S.C. § 2510(13) The question at issue is whether the protections of the ECPA extend to the contents of communications of foreign citizens.

According to the Court, just like the Freedom of Information Act, “the ECPA does not facially restrict its applicability to U.S. citizens.” The Court also recognized in O’Rourke that “Congress knows how to explicitly limit a statute to U.S. citizens when it intends to do so.” (O’Rourke v. U.S. Dept. of Justice, 684 F.Supp. 716 (D.D.C. 1988) Therefore, it affirms the district court’s finding that “the plain text of the ECPA applies its terms to ‘any person,’ without qualification, including foreign citizens.” 18 U.S.C. § 2510(13)

Moreover, considering legislative history, the Court noted that “in order to fully protect American citizens, it might be necessary to extend the ECPA to all domestic communications, regardless of who sent them.” The Court also said, “Suzlon’s restrictive reading of the ECPA would put email service providers in an untenable position. By limiting the ECPA only to those people entitled to Fourth Amendment protection, as urged by Suzlon, an email service provider would need to assess whether a particular account holder was at all times a U.S. citizen, or later became a citizen, or was a resident alien with some Fourth Amendment protection, or if there were other reasons to provide Fourth Amendment rights. This would be a costly, fact-intensive, and difficult determination.” In sum, this ruling indicates that the ECPA at least applies whenever the requested documents are stored in the United States. But the Court specifically noted that it does not address whether the ECPA applies to documents stored or acts occurring outside of the United States.

Although this case is a civil litigation involving discovery request, as the Court rejects the argument that the ECPA only applies to government law enforcement, we may reasonably concludes that this ruling applies to cases involving law enforcement issues as well. And since almost all major email servers are located in U.S., this ruling may impose a significant impact on email users all over the world for gaining protections from the ECPA.

 

Full context of the court’s opinion: http://www.ca9.uscourts.gov/datastore/opinions/2011/10/03/10-35793.pdf