Category: Uncategorized

Hannah Bloch-Wehba

US continues to receive wholesale financial data from EU banking org. without a warrant

The Europol Joint Supervisory Body (JSB) recently released a report confirming that the U.S. continues to receive wholesale data from Belgian banking clearinghouse SWIFT under the auspices of what’s known as the “Terrorist Finance Tracking Program.” A little background: after September 11, Treasury began retrieving vast quantities of data from SWIFT’s U.S. servers–without a warrant. SWIFT, an international banking consortium, processes hundreds of millions of transactions a year, creating a rich source of financial data that was ripe for the mining. The program fell directly under the holdings in Smith and Miller that indicated that financial information shared with a third party was “knowingly exposed” and therefore not protected by the Fourth Amendment’s warrant requirement.  When the program came to light in 2006, it triggered a backlash from E.U. and Belgian data protection officials, who deemed it in violation of EU Directive 95/46/EC. To save itself, SWIFT pulled its servers from the U.S. and now stores all its information in Switzerland; to save the program, and the transatlantic relationship, the E.U. and U.S. concluded an agreement under which data could only be transferred to the US under certain conditions and with the JSB’s supervision.

Yesterday’s JSB report indicates that not a single US request for information has been denied, and that the requests have covered a continuous time period–gutting the Program’s requirements that data-sharing be minimized. More to the point, it raises questions about Europol’s ability to oversee the Program at all–and about the commitment, on both sides of the Atlantic, to preserving financial privacy, due process, and accountability.

Patrick McCarthy

 

Supreme Court Ruling Prompts FBI to Turn Off 3,000 Tracking Devices

 

The Federal Bureau of Investigation is scrambling to comply with the Supreme Court’s recent decision in U.S. v. Jones on warrantless GPS tracking.  According to FBI General Counsel Andrew Weissmann, the ruling has caused a “sea change” within the Justice Department, prompting the agency to turn off thousands of tracking devices.  The Bureau is also working to create new guidance for field agents on the use of these devices.  However, the questions left unanswered by the Court have made this task difficult.

 

The implications of Justice Alito’s concurrence are particularly troublesome, says Weissmann.  The Court held in Jones that the attachment and use of GPS vehicle tracking devices constitutes a search within the meaning of the Fourth Amendment.  Unlike the majority, whose reasoning was based on property grounds, Alito focused heavily on the fact that the tracking occurred over the span of almost a month.  This indicates that members of the Court are concerned specifically with long-term surveillance.  Weissmann and others believe this could lead to questions about the constitutionality of other forms of tracking technology in addition to GPS.  Consequently, the Bureau is struggling with how best to advise its agents on compliance with what will likely become a changing area of law.

 

http://abcnews.go.com/blogs/politics/2012/03/supreme-court-ruling-prompts-fbi-to-turn-off-3000-tracking-devices/

 

 

Christian Oronsaye

Privacy Rights Groups Fight FAA on Use of Drones in U.S.

Reports have it that some privacy advocacy groups have petitioned the Federal Aviation Administration (FAA) in connection with the increase in the use of aerial drones in the United States. We understand that more than 30 organizations, including the American Civil Liberties Union (ACLU), the Bill of Rights Defense Committee, and the Electronic Privacy Information Center — which have also served as key opponents to the Transportation Security Administration and the Department of Homeland Security — have demanded that the FAA hold a rulemaking session to consider all the violations to American privacy and safety posed by the proposal.

The ACLU Petition in part states as follows:

Drones greatly increase the capacity for domestic surveillance. Gigapixel cameras used to outfit drones are among the highest definition cameras available, and can “provide real-time video streams at a rate of 10 frames a second.” On some drones, operators can track up to 65 different targets across a distance of 65 square miles. Drones may also carry infrared cameras, heat sensors, GPS, sensors that detect movement, and automated license plate readers. In the near future these cameras may include facial recognition technology that would make it possible to remotely identify individuals in parks, schools, and at political gatherings.

The link to the site is set out below:

http://www.thenewamerican.com/usnews/constitution/11033-privacy-rights-groups-fight-faa-on-use-of-drones-in-us

Christian Oronsaye

Supreme Court Justices say GPS tracker violated privacy rights

The United States Supreme Court on Monday (01/23/2012) unanimously ruled that the police violated the Constitution when they placed a Global Positioning System tracking device on a suspect’s car and tracked its movements for 28 days.

The case concerned Antoine Jones, who was the owner of a Washington nightclub when the police came to suspect him of being part of a cocaine-selling operation. They placed a tracking device on his Jeep Grand Cherokee without a valid warrant, tracked his movement for a month and used the evidence they gathered to convict him of conspiring to sell cocaine. He was sentenced to life in prison.

The United States Court of Appeals for the District of Columbia Circuit overturned his conviction, saying the sheer amount of information that had been collected violated the Fourth Amendment, which bars unreasonable searches.  The court noted that “the government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted.”

The Supreme Court affirmed that decision, but on a different ground. “We hold that the government’s installation of a G.P.S. device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search,’ ” Justice Antonin Scalia wrote for the majority. Chief Justice John G. Roberts Jr. and Justices Anthony M. Kennedy, Clarence Thomas and Sonia Sotomayor joined the majority opinion.

Link: http://www.nytimes.com/2012/01/26/opinion/gps-and-the-right-to-privacy.html

Christopher Poole

 

Private Sector Brushes Up Against EU’s “Right to be Forgotten”

 

In January of this year the European Commission unveiled a series of proposed reforms to the 1995 Data Protection Directive. While the reforms are significant in many respects, one key aspect is the Article 17 ‘right to be forgotten.’ In short, the ‘right’ would require that organizations handling personal data online respond to and fulfill requests by persons to delete such data.[1] As Professor Jeffrey Rosen has stated, “If requested to do so companies such as Facebook and Google would have to remove photos that people post about themselves and later regret, even if the photos have been widely distributed already.”[2]

 

While many have welcomed such a right, some in both academia and the private sector have expressed concern over the far-reaching implications of such a law. Rosen himself has noted that perhaps the most crucial aspect of the proposed regulation may be in that it  “treats takedown requests for truthful information posted by others identically to takedown requests for photos” users have posted themselves, raising questions about freedom of speech and the role of online services as censors.

 

One major player in the privacy game is already finding itself under pressure. Google has publicly expressed concern over what it sees as the broadness of the regulation, arguing that it may not adequately address the “important distinctions that need to be made between services that host content created by people (such as Facebook and YouTube) and services that point people to content that exists elsewhere (for example, search engines such as Google, Bing and Yahoo!).”[3] Facing EU scrutiny over its revamped privacy policy[4], Google is already squaring off against claims of a broad right to be forgotten in the EU. This past week, Spain’s highest court requested the European Court of Justice to decide if Spanish citizens may lawfully require Google to remove data from its search engine and associated services.[5] The formal referral to the ECJ comes after authorities in Madrid have received “over 100” such requests for Google to delete data, including cases such as a “plastic surgeon [who] wants to get rid of archived references to a botched operation.”

 

Cited:

 

[1] Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses, http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&aged=0&language=EN&guiLanguage=en (text of the proposed regulations directly available at Article 17: Right to be forgotten and to erasure, http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf).

 

[2] The Right to be Forgotten, http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten .

 

[3] Our thoughts on the right to be forgotten, http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right-to-be-forgotten.html .

 

[4] EU agencies say Google breaking law: commissioner, http://www.reuters.com/article/2012/03/01/us-google-privacy-eu-idUSTRE82011K20120301 .

 

[5] Spain refers Google privacy complaints to EU’s top court, http://www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 .

 

For more information:

 

Data protection reform: Frequently asked questions,

http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/41&format=HTML&aged=0&language=EN&guiLanguage=fr .

 

Google picks holes in EU’s ‘right to be forgotten’, http://www.zdnet.co.uk/news/regulation/2012/02/17/google-picks-holes-in-eus-right-to-be-forgotten-40095071/

 

EU agencies say Google breaking law: commissioner,

http://www.reuters.com/article/2012/03/01/us-google-privacy-eu-idUSTRE82011K20120301 .

Khan Shing

 

Class Action Over Facebook Sponsored Stories Proceeds

 

Late last year, Facebook rolled out its “Sponsored Story” ad program.  Among the online marketing community, this was probably the most anticipated Facebook product release of the past year.  The gist of it is that anytime you post something about, or Like, a product, brand, event, etc. of a an advertiser, that post might get redisplayed on your outgoing feed as a Sponsored Story, with the advertiser’s brand prominently displayed.  COO Sheryl Sandberg has described this as an important innovation in display ads, since people are far more likely to buy products from brands their friends recommend.  Insiders at Facebook, as well as many outside analysts, also think this will be a critical part of the company’s efforts at increasing its share of the online display ad market.

However, Sponsored Stories also led to class action lawsuits being filed on behalf of Facebook users, alleging various privacy, misappropriation, and unfair business practices claims.  As discussed here, http://goo.gl/hWUJR, a district court in California allowed one of these cases to move forward.  In previous cases, Facebook has made arguments that they have commercial free speech rights in their targeted ad programs and they will likely make similar arguments here.  While Sponsored Stories is certainly a clever way for Facebook to profit from the massive, and to this point largely free, marketing campaigns being waged all over the social network, it is equally clear the ad program has great potential to cause mischief.  Since Facebook does not allow users to opt out of the program, anyone can accidentally become a virtual pitchman for a product based on a post that is taken out of context or, as is often the case, made ironically.  Case in point: http://goo.gl/1qjDL

Felicity Kohn

California has reached an agreement designed to protect the privacy of mobile app users with Amazon.com, Apple, Google, HP, Microsoft, and a company called Research in Motion.  The agreement was sparked by the fact that smartphone apps routinely transmit users’ contacts and other personal data, including location, identity, messages, and photos, without their knowledge.  Both Apple and Google already require app developers to ask users for permission to obtain personal data.  However, users are rarely told which data is being collected or how it will be stored or used.  Moreover, some developers – even makers of very popular apps – have collected and transmitted users’ contact lists without their consent.

 

California’s agreement requires developers of apps for mobile phones to post clearly marked privacy policies explaining what personal information they will collect and how they will use it.  According to the California attorney general’s office, only 5% of mobile apps currently have a privacy policy in place.  In addition to requiring app developers to post privacy policies, California’s agreement also requires app store providers like Apple and Google to provide ways for users to report apps that don’t comply.  In an interesting connection to our conversation about FTC enforcement powers, the California attorney general’s office said that developers who violated their own privacy policies could be prosecuted under California’s Unfair Competition Law and False Advertising Law.

 

California’s agreement also relates to our conversation about the White House’s suggestion for multistakeholder meetings to develop enforceable codes of conduct, in that the statement by California attorney general suggests that this agreement was born of just such a process: “[T]hese companies have to be commended for accepting the invitation to meet around our table, act on it and sign the agreement…”  Perhaps this agreement indicates the willingness of tech companies to engage in that kind of a process.

 

Finally, it’s interesting – and perhaps telling – that California brokered the deal with these major tech companies since it is the state that was on the forefront of requiring notices to consumers regarding breaches of their data, and the casebook notes that most states then followed suit (p. 881-82).  Thus, state regulation may provide yet a third means (other than Congressional action and White House policy) of advancing the cause of consumer privacy.

 

The link to the article is here: http://bits.blogs.nytimes.com/2012/02/22/california-attorney-general-reaches-deal-on-app-privacy/?scp=6&sq=privacy&st=cse