Blog

  • Kartik Prasad Blog Post

    Kartik Prasad

    Information Privacy Law

    Professor Ira Rubinstein

    April 12, 2017

    Transparency Reports and the FREEDOM Act.

    The Snowden revelations showcased how Sections 215 and 702 were abused by the NSA in bulk collection of phone metadata. The FREEDOM Act (the Act) sought to curtail this practice by banning the NSA from directly collecting the metadata. Now, its role is limited to approaching service providers using Reasonable Articulable Suspicion approved selectors, as opposed to simply gathering all the metadata itself. This article, through the emergence of the latest transparency reports, will showcase how despite the banning of bulk collection, the same is still achievable today. This is because the Act only shifts the burden of collection onto the service providers, while the law silently permits the government to collect the same from such providers.

    The Act also imposes transparency requirements on the Foreign Intelligence Surveillance Court, which otherwise has a long (and notorious) history of secrecy. The FISC is now required to start publishing its decisions thanks to the Act. Interestingly, pursuant to the FREEDOM Act, many data companies have started issuing their own transparency reports.  These are published for such companies to be more transparent with their customers about disclosures made to the government. More pertinently, these transparency reports show a number of subpoenas and gag orders relating to the disclosure of these subpoenas.

    There is ample legislation allowing the FBI and other government agencies to issue subpoenas to service providers, requiring them to hand over their information. What is important is that with regard to phone metadata, old precedent of the Supreme Court does not accord any 4th Amendment protection to it. This is because information that is given to third parties, such as phone operators and banks, does not entail a reasonable expectation of privacy (see Smith v. Maryland and U.S. v. Miller). While circuit courts have questioned the applicability of such a doctrine in modern times, the fact remains that the Court has not overturned it, and enforcement agencies can continue to use it to their advantage.

    The transparency reports showcase how these subpoenas can be overbroad, and can be used to achieve what was sought to be banned through the passage of the Act. Recently, Signal, a messaging app, was served a subpoena to hand over its records relating to a targeted customer of its app by the FBI. Unsurprisingly, this subpoena came with a gag order. However, Signal does not have a log of the data it collects of the communications by its customers and could not provide them with what they were looking for. However, they fought the gag order and had it successfully lifted on account of it being overbroad. Apart from Signal, there seems to be a growing trend of tech giants such as Yahoo and Google disclosing such NSLs. This only indicates that they were successful in getting these lifted.

    However, there is a larger issue from the facts above. It is clear that passing the burden of collection onto third-party service providers does not seem to have been done with an intention of preserving privacy. To the contrary, it seems to have been engineered by the government to legitimise its exposed and questionable information collection tactics. Instead of collecting the information themselves, the government may serve the service providers with a subpoena and gain the information without any judicial oversight. This highlights a great inadequacy, which the FREEDOM Act failed to address. However, the increasing disclosure of the NSLs in transparency reports indicates the growing sentiment that the shroud of secrecy around data gathering by federal agencies can be excessive.

    Sources:

    https://techcrunch.com/2016/12/13/google-national-security-letters/

    https://techcrunch.com/2016/06/01/usa-freedom-act-allows-yahoo-to-disclose-3-national-security-letters/

    https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/

  • Junjie Yan: Blog Post

    Junjie Yan

    Information Privacy Law

    Professor Ira Rubinstein

    April 13, 2017

    Title of Blog Post: Implications of the upcoming repeal of Internet privacy protections

    Article: Brian Fung, The House just voted to wipe away the FCC’s landmark Internet privacy protections, Wash. Post (Mar. 28, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/the-house-just-voted-to-wipe-out-the-fccs-landmark-internet-privacy-protections/?tid=a_inl&utm_term=.834762cb113f

    Blog Text:

    Congress sent a proposed joint resolution of congressional disapproval of the FCC’s landmark broadband privacy rules to the White House.[1] The moment President Trump signs the bill, internet service providers (ISPs) officially get rid of the FCC privacy compliance burden to collect, use, and sell personal information, browsing history, app usage history or the content of messages, emails and other communications of internet users. Without the online privacy protections promoted by the previous Democrat administration, the scale of commercial benefit of ISPs and privacy of internet users significantly leans towards the former.

    The repeal of broadband privacy rules may not be an entirely unexpected action in this administration. The job-creating slogan of President Trump has indicated that business entities are likely to have fewer regulatory restraints. The White House’s criticism that the FCC departs from the technology-neutral framework for online privacy established by the FTC could be regarded as a precursor of the lobbying success of ISPs.[2] However, despite the public concern on privacy invasion by foreseeable increases of target-advertising,[3] there might be more privacy problems for civil liberty groups to worry about from a national security surveillance perspective.

    Ever since the 9/11 tragedy, the FBI’s surveillance power has been substantially expanded by the USA Patriot Act. Before the USA Patriot Act came into force, 18 U.S.C. § 2709 of ECPA’s Stored Communication Act had already enabled the FBI to compel ISPs to release customer records that were relevant to an authorized foreign counterintelligence investigation. The FBI can obtain such authority through certifying that “there are specific and articulable facts giving reason to believe that the person or entity to whom the information sought pertains is a foreign power or an agent of a foreign power” even without a court order. However, Section 505 of the USA Patriot Act eliminated the “specific and articulable facts” requirement and provides a gag order forbidding ISPs to disclose the FBI’s access to the records, making it easier for the FBI to gather information without strict scrutiny.

    Now that the privacy obstacles have been removed, naturally for commercial purposes ISPs will establish more comprehensive user databases in the future, which potentially further expands the FBI’s surveillance scope: much more user information could be revealed through National Security Letters (NSLs). Even though NSLs are subject to judicial review and limited Inspector General audit, there are increasing risks of privacy violation as a result of concentration of user data. First, by issuing NSLs to ISPs, the FBI may be able to build bulk online activity surveillance based on ISPs’ data processing development incentivized by the repeal of FCC privacy protection rules, about the scale and capacity of which the public could be kept in the dark for a long time. Moreover, the more concentrated our information is, the more damage the leaks of it will create. Leak of information is an inherent risk of any information retainers and has long been a part of the political ecosystem. A richer database can only magnify the damage of a possible leak.

    It is undeniable that most aspects of our daily life have left traces on the internet. As ISPs’ information gathering capacity surges, without relatively limiting the national surveillance power under the current regulatory scheme, perhaps the fear of George Orwell may become reality.

    [1] https://www.whitehouse.gov/the-press-office/2017/03/28/statement-administration-policy-sjres-34-%E2%80%93-disapproving-federal

    [2] http://www.foxbusiness.com/politics/2017/03/28/house-approves-bill-to-overturn-fcc-privacy-rule.html

    [3] https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/republicans-are-poised-to-roll-back-landmark-fcc-privacy-rules-heres-what-you-need-to-know/?utm_term=.c587684f5232

  • Ambar Bhushan: Blog Post

    Ambar Bhushan

    Information Privacy Law

    Professor Ira Rubinstein

    April 13, 2017

    Lone Wolf 4th Amendment Challenge To NSA Bulk Data Collection Put On Ice

    Tennessee lawyer Elliot Schuchardt’s lawsuit alleging that the NSA was collecting and storing “massive quantities of email and other data created by United States Citizens” has been removed from the District Court’s active docket, The Pennsylvania Record reports.

    On March 16, 2017, Judge Cathy Bissoon of the Western District of Pennsylvania issued an administrative closing in the suit, subject to Schuchardt’s next filing with respect to the Government’s motion to dismiss. The case may also be reopened sooner, if either party has reason to so move the District Court.

    Schuchardt’s lawsuit, originally filed in June 2014, named former POTUS Barack Obama, former National Intelligence Director James R. Clapper, FBI Director James B. Comey and NSA Director Michael S. Rogers as defendants.

    On September 30, 2015, Judge Bissoon dismissed the suit for plaintiff’s lack of standing, finding that Schuchardt failed to identify facts indicating that his own communications had been targeted, seized, or stored.

    On October 4, 2016, the Third Circuit vacated Judge Bissoon’s order, finding that Schuchardt’s second amended complaint contained sufficient factual allegations to implicate his 4th Amendment Rights. In coming to this conclusion, the Third Circuit focused on the second amended complaint’s characterization of the NSA’s PRISM program as a “dragnet” that collects “all or substantially all of the e-mail sent by American citizens by means of several large internet service providers.” At oral argument, Schuchardt conceded that his claims regarding the bulk collection of telephonic metadata were moot in light of the USA Freedom Act of 2015. The Third Circuit also made it explicitly clear that it was not concluding that Schuchardt had standing, and that the Government was “free to make a factual jurisdictional challenge to the pleading.”

    Schuchardt’s complaint, which arose in the wake of the Snowden Revelations, was amended again in January 2017. In its latest iteration, the complaint alleges that Executive Order 12333, Section 702 of the FISA Amendments Act of 2008 and Section 215 of the USA PATRIOT Act violate Schuchardt’s 4th Amendment rights.

    The Third Circuit remanding the lawsuit and the subsequent administrative closure, however, should not be taken as indicative of the merits of Schuchardt’s claims, nor color the motives of the Government or the District Court. While some may be excited by the Third Circuit affording Schuchardt an outside chance in his crusade, and tempted to cry foul at the administrative closing, it is important to remember that the re-authorization of Section 702 of FISA is due at the end of 2017.

    It is likely that the administrative closing came in the wake of the House of Representatives’ March 1 hearings on Section 702 of FISA. The current indeterminacy of the law, and therefore, its bearing on Schuchardt’s case are the likely culprit for the case being put on hold, and not some sort of political intrigue.

    While the outcome of the legislative deliberations on Section 702 is uncertain, one thing is clear: Elliot Schuchardt is not quite done amending his complaint just yet.

    Sources:

    http://pennrecord.com/stories/511101834-judge-orders-administrative-closing-of-attorney-s-online-privacy-lawsuit-against-obama-national-intelligence-officials

    http://law.justia.com/cases/federal/district-courts/pennsylvania/pawdce/2:2014cv00705/216897/28/

    http://law.justia.com/cases/federal/appellate-courts/ca3/15-3491/15-3491-2016-10-05.html

    http://schuchardtlaw.com/elliot-schuchardt.html

    http://schuchardtlaw.com/Contact.html

    https://judiciary.house.gov/hearing/section-702-fisa-amendments-act/

    https://arstechnica.com/tech-policy/2014/10/lone-lawyer-sues-obama-alleging-illegality-of-surveillance-programs/

  • Cecilia Coelho Romero: Blog Post

    Cecilia Coelho Romero

    Information Privacy Law

    Professor Ira Rubinstein

    April 12, 2017

    The end of unrestrained bulk metadata collection after Snowden’s revelations

    The USA Patriot Act, enacted in response to the 9/11 terrorist attacks, allowed through its Section 215 the bulk metadata collection, which generated much debate in American society about the proper balance between national security and civil liberties. Title 50 U.S. Code § 1861, also known as Section 215 of the USA Patriot Act, granted access by U.S. surveillance agencies to individuals’ records (namely books, papers, documents, tax returns, among others) under a relatively low scrutiny, for purposes of international terrorism investigations.

    Although the Title included language providing that investigations must be conducted under the guidelines approved by the Attorney General, and required that such examinations not be conducted solely upon the basis of activities protected by the first amendment — when targeting U.S. citizens — its business records provision was broadly interpreted by the National Security Agency (NSA) to include the vast collection of phone records of Americans who were not necessarily under investigation. According to Edward Snowden’s revelation, on May 24, 2006, the Foreign Intelligence Surveillance Court (FISC) approved an FBI application for an order, pursuant to 50 U.S.C. § 1861, requiring Verizon to turn over all telephony metadata to the NSA. The court later approved the same measure for all major US telecommunications service providers and such collection of data was extended by FISC, more than thirty times, in the course of seven years. Almost all of the information obtained related to the activities of persons who were not the subjects of any investigation[1].

    This bulk-collection program remained secret until mid-2013, and came to light by a combination of leaks by Edward Snowden and the Freedom of Information Act litigation, launched by the Electronic Frontier Foundation. As a result, more than twenty bills have been written in an attempt to restore civil liberties, and in June 2015 the USA Freedom Act was enacted. The Act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens, including the prohibition for a tangible thing production order unless a specific selection term is used as the basis for the production, which must be associated with a foreign power or an agent of a foreign power engaged in international terrorism or activities in preparation for such terrorism[2]. In short, Americans have not blindly accepted the provisions of the USA Patriot Act, and through local and civil liberties organizations, have vigorously stated their opinions against the use of external threat and fear to undercut individuals’ freedom.

    References:

    [1] ARTICLE: BULK METADATA COLLECTION: STATUTORY AND CONSTITUTIONAL CONSIDERATIONS, 37 Harv. J.L. & Pub. Pol’y 757, 767

    [2] H.R.2048 – USA FREEDOM Act of 2015 – Available at: https://www.congress.gov/bill/114th-congress/house-bill/2048

    * LL.M Candidate at NYU School of Law

  • Jian Wu Blog Post

    Jian Wu

    Information Privacy Law

    Professor Ira Rubinstein

    April 11, 2017

    Title of Blog Post: China’s Cybersecurity Law Goes into Effect June 1, 2017

    Article: Katherine W. Keally, China’s Cybersecurity Law Goes into Effect June 1, 2017—Are You Ready?, NACD Online (March 21, 2017), https://blog.nacdonline.org/2017/03/chinas-cybersecurity-law-goes-into-effect-june-1-2017-are-you-ready/

    Blog Text:

    The Cybersecurity Law of China, promulgated by the National Congress Standing Committee of China, will become effective on June 1, 2017. [1] This new Law reflects China’s desire for cyber-sovereignty and requires the network service providers in China to participate in protection of the national cybersecurity. [2]

    This Law has a very broad scope and potentially far reaching effect.  Key provisions of this Law that may potentially affect multinational companies doing business in China are summarized as follows.

    1. Data localization

    Article 37 of the Law requires that “Critical Information Infrastructure” (CII) operators shall store all Personal Information and other important data gathered or produced within the territory of China.  Prior government approval will be required where it is “truly necessary” for CII operators to transfer data outside the mainland for business reasons.

    “CII” is broadly defined under Article 31 as “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security.”  “Personal Information” is defined under Article 76 to cover all kinds of information that, taken alone or together with other information, “is sufficient to identify a natural person’s identity, including but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.”

    Given the broad definitions of CII and Personal Information, it appears that any type of company operating in China that is reliant on the telecommunications network for its operations or provision of services would fall into the regulation of this Law and thus might be prohibited from transferring data outside China without prior approval. [3]

    2. Support for Chinese security authorities

    Article 28 of the Law provides that “Network Operators shall provide technical support and assistance to the public security authorities and state security authorities” for the purposes of upholding national security and investigating crimes.  “Network Operators” is defined under Article 76 as “network owners, administrators and network service providers.”  The Law does not specify the types of “technical support and assistance” required.

    It is worth noting that the final version of the Law has removed the requirement under an earlier draft for a Network Operator to provide decryption assistance and backdoor access.  However, it is not clear whether in practice the authorities would direct the relevant Network Operator to provide such assistance. [4]

    3. Certified network equipment and products

    Pursuant to Article 23, critical network equipment and specialized network security products must satisfy the national standards and mandatory requirements, and be safety certified before being sold or provided in China.  In other words, foreign hardware and software suppliers, although not having a presence in China, may also be subject to China’s certification regimes so long as they provide equipment/products to CII operators.

    Besides the above provisions, the Law also contains various provisions devoted to personal data protection.  For instance, Article 43 grants users the right to request the network operators to delete their personal information or to make corrections, which seems to echo the “right to be forgotten” under the European regime.

    Due to the broad applicability of this Law, it is envisaged that detailed implementation regulations will be issued in the near future.  On April 11, 2017, the Cyberspace Administration of China published the consultation draft of Measures for Safety Valuation on Overseas Transfer of Personal Information and Important Data to seek opinions and suggestions from the public.  [5]

    [1] A full text of this law in Chinese can be found at http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm; its unofficial English translation can be found at http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en.

    [2] See also Sarah Zhao and Stephanie Sun, What’s in China’s New Cybersecurity Law (Apr. 7, 2017), https://www.faegrebd.com/whats-in-chinas-new-cybersecurity-law.

    [3] See also Final Passage of China’s Cybersecurity Law (Nov. 25, 2016), http://www.bakermckenzie.com/en/insight/publications/2016/11/final-passage-of-chinas-cybersecurity-law/.

    [4] Id.

    [5] The Chinese version of the news can be found at http://tech.sina.com.cn/i/2017-04-11/doc-ifyecezv3062359.shtml.

  • Caroline Alewaerts Blog Post

    Caroline Alewaerts
    Information Privacy Law
    Professor Ira Rubinstein

    April 10, 2017

    Uncertain Future of the Privacy and Civil Liberties Oversight Board

    Reduced to only one member since the beginning of the year, many news reports warn that the Privacy and Civil Liberties Oversight Board (PCLOB) may have become a dead shell, and will remain so unless decisions are made to replenish it.

    The PCLOB is a bipartisan independent agency within the Executive branch, created under the recommendations of the 9/11 Commission. [i] Although it was originally created in 2006, and redesigned in 2007, it only became effective in 2013 with the appointment of its last member. Its primary role is to review and oversee the actions of the Executive branch to ensure that their actions adequately protect privacy and civil liberties. Its missions however also include ensuring that privacy and civil liberties are appropriately considered in the development and implementation of regulations and policies related to national security. Part of its tasks involves submitting semi-annual reports to the Congress and the President on its activities and findings.

    The PCLOB played a significant role in the review of the NSA surveillance programs revealed by Edward Snowden. In a 2014 report regarding Section 215 of the Patriot Act, the PCLOB declared that the NSA bulk telephone metadata collection program was illegal and should be shut down.[ii] Its recommendations have reportedly been influential in the reform that led to the adoption of the USA Freedom Act. It is worth noting, however, that although the recommendations were endorsed by all members of the PCLOB, two of them dissented on the finding of illegality of the program.

    The PCLOB is composed of five members – one full time chairman and four part-time members – appointed by the President and confirmed by the Senate. It requires a quorum of 3 members to operate. Over the last year, however, four of the five members have left the Board (David Medine, former chairman, resigned last summer, Patricia Wald retired at the end of January, and both James Dempsey and Rachel Brand left after their term ended respectively in January and February), leaving Elisabeth Collins the last remaining member of the PCLOB. [iii]

    Worth noting is that Collins was one of the two members that dissented to the finding of illegality of the NSA surveillance program. This, however, may not have much importance in the current circumstances since, without the required quorum, it is now impossible for the PCLOB to carry out its missions. While it may continue working on its ongoing investigations, it can no longer issue its semi-annual reports, organize meetings, or initiate new advice or oversight projects.

    The absence of an operational PCLOB may also have an impact on an international scale. Although EU officials have criticized its limited authority, they have described the PCLOB and its role in overseeing the surveillance practices of the Executive branch as an essential element of the US-EU Privacy Shield agreement. Predictably, the EU has raised concerns over the sustainability of the US-EU Privacy Shield now that the PCLOB is reduced to one member, and effectively no longer operational. [iv]

    The PCLOB plays a significant role in ensuring that national security interests are adequately balanced with the need to protect privacy and civil liberties. It cannot, however, operate with only one member, and it is therefore crucial that the empty seats be filled as soon as possible. It is however uncertain that this will be a priority of the new Trump administration, which already expressed its interest in reducing the number of agencies and administrations that it deems “unnecessary”.

    [i] See Privacy and Civil Liberties Oversight Board website, About the Board, available at https://www.pclob.gov/about-us.html

    [ii] See Charlie Savage, New York Times, Watchdog Report Says N.S.A. Program Is Illegal and Should End (January 23, 2014), available at https://www.nytimes.com/2014/01/23/us/politics/watchdog-report-says-nsa-program-is-illegal-and-should-end.html; Dia Kayyali, Electronic Frontier Foundation, Privacy and Civil Liberties Oversight Board to NSA: Why is Bulk Collection of Telephone Records Still Happening? (February 4, 2015), available at https://www.eff.org/deeplinks/2015/02/privacy-and-civil-liberties-oversight-board-nsa-why-bulk-collection-telephone

    [iii] See Privacy and Civil Liberties Board website, Board Member Bibliographies, available at https://www/pclob.gov/about-us/board.html; Jenna McLaughlin, The Intercept, The U.S. Government’s Privacy Watchdog is Basically Dead, Emails Reveal (March 3, 2017), available at https://theintercept.com/2017/03/03/the-governments-privacy-watchdog-is-basically-dead-emails-reveal/; Carrie Cordero, Lawfare, An easy Win: Replenishing the Privacy and Civil Liberties Oversight Board (PCLOB) (February 2, 2017), available at https://www.lawfareblog.com/easy-win-replenishing-privacy-and-civil-liberties-oversight-board-pclob#

    [iv] See Human Rights Watch and ACLU, Joint Letter to Commissioner Jourova Re: Privacy Shield (February 28, 2017), available at http://www.wuroparl.eu/news/en/news-room/20170329IPR69067/data-privacy-shield-meps-alarmed-at-undermining-of-privacy-safeguards-in-the-us

  • Alessandro Cocco Blog Post

    Alessandro Cocco

    Information Privacy Law

    Professor Ira Rubinstein

    April 8, 2017

    The Foreign Intelligence Surveillance Act of 1978 (“FISA”) governs foreign intelligence, and introduces a legal regime different from the Electronic Communications Privacy Act (“ECPA”, the statute governing surveillance for domestic law enforcement purposes). Requests for FISA Orders are heard by a specialized court, composed of federal judges: the Foreign Intelligence Surveillance Court.[1] The test for a court authorizing surveillance under FISA is whether there is probable cause that the party to be monitored is a “foreign power” or “an agent of a foreign power”.

    In some cases, surveillance can be conducted under FISA without requiring a court order: the President of the United States, through the Attorney General, may authorize electronic surveillance without a court order to acquire foreign intelligence information for periods of up to one year, if the Attorney General certifies in writing under oath that the electronic surveillance is solely directed at the acquisition of the contents of communications exclusively between foreign powers, or the acquisition of technical intelligence, other than the spoken communications of individuals, from premises under the exclusive control of a foreign power. An additional requirement is that there must be no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party. FISA also requires “minimization procedures” to be followed. These are procedures reasonably designed to minimize the acquisition and retention, and prohibit the dissemination, of non-publicly available information concerning unconsenting United States persons.[2]

    These rules have become the subject of media attention due to the controversy over incidental collection of conversations of US Citizens in the context of a potential involvement of Russian intelligence in the US Presidential election. The New York Times article cited below clarifies the distinction between the FISA rules, which relate primarily to the collection of communications on US soil between non-US citizens; and Executive Order 12333, which relates to collecting information outside of the US. Privacy protections under Order 12333 are less stringent than under FISA.  According to the article, the criticism aimed at the Obama administration is misplaced, because the activities that resulted in the accidental collection of communications of US citizens occurred on US soil and under FISA, rather than under Executive Order 12333. The drafters of FISA anticipated that some communications of US citizens may be picked up in the US, and included a requirement for “minimization procedures” to be put in place, to minimize the acquisition, retention and dissemination of non-publicly available information about US citizens.

    Reference:

    https://www.nytimes.com/2017/03/24/us/politics/primer-on-surveillance-practices-and-privacy.html

    [1] 50 U.S.C.S. § 1803.

    [2] 50 U.S.C.S. § 1802.

     

  • PRG News Roundup: April 5

    by Eli Siems

    • The NY Times reports on an ongoing struggle between banks and tech companies over the fate of your financial data.
    • On Monday, Amazon.com launched its new Amazon Cash service, allowing customers to add paper cash to an Amazon account at a physical retail location.
    • The Massachusetts Attorney General announced a settlement with a digital advertising firm barring the firm’s practice of geo-fencing women near abortion clinics in order to target them with anti-abortion messages.
    • The Wall Street Journal reports on a Florida Court of Appeals ruling that searches of “black box” data from within a smart car require a warrant.
    • The manufacturer of a garage door opener remotely blocked a customer’s access to his garage after the customer posted a negative review of the product.
    • A Reuters poll revealed that most Americans would be unwilling to allow their individual personal data to be monitored even if it would help prevent terrorist attacks. Americans remain evenly split on the question when it is posed in regard to collective mass surveillance.
    • Senator Ron Wyden introduced a bill in response to the Trump administration’s asserted extreme vetting procedure requiring everyone entering the U.S. to give over reams of personal digital information by handing over devices at the border. The bill seeks to shield American citizens from such searches but does not seek to protect non-citizens from the invasive practice.
  • Meng Wang: Blog Post

    Meng Wang

    Information Privacy Law

    Professor Ira Rubinstein

    April 6, 2016

    Article: Rhys Dipshan, “Short Circuits: 3 Areas Where Tech Law Is Falling Behind”, Legaltech News, February 27, 2017

    http://www.legaltechnews.com/id=1202780021771/Short-Circuits-3-Areas-Where-Tech-Law-Is-Falling-Behind

    Established technology-related laws are outdated and may become anachronistic burdens to those organizations they’re enacted to regulate. The article notes three areas where companies face the most challenges with outdated laws.

    1. Prosecuting Cyberespionage

    Legal resources for fighting cybercrime are often limited to geopolitical jurisdictions, as restitution is a standard penalty that is a part of the federal criminal justice system. When perpetrators of cyberattacks are outside the U.S., or are nation-states themselves, restitution can be difficult to obtain in dealing with foreign actors in countries like China that lack extradition treaties with the United States.

    Companies have had to turn to novel means to go after foreign cyberattackers. For example, in 2016, U.S. Steel successfully petitioned the United States International Trade Commission (ITC) to take up its case against Chinese steel manufacturers that allegedly stole and profited from U.S. Steel’s intellectual property. U.S. Steel relied on Section 337 of the Tariff Act of 1930 but faced headwinds in court. Defendant, represented by Covington & Burling, argued that the ITC pleading standard is on the same level as those in district courts. U.S. Steel announced it had pulled the case from the ITC in February, noting that the decades-old Section 337 law never contemplated the technological advancements over the past 50 years and needed to be reformed.

    2. Disclosing Government Data Access

    Microsoft recently argued that the SCA increasingly places a significant burden on modern technology companies that store growing volumes of their customers’ personal data.

    In a case filed April 2016, Microsoft argues that both §2703 and §2705 of the SCA are unconstitutional on First and Fourth Amendment grounds, as they restrict companies’ right to talk to their customers and constitute unreasonable searches.

    The district court denied a motion to dismiss the case in February 2017, explaining that the First Amendment rights of Microsoft’s customers may outweigh the need for government secrecy in an investigation of a customer. The court dismissed the Fourth Amendment claim because Fourth Amendment rights cannot be defended by anyone other than the person whose rights were infringed. However, the court did add that the government’s indefinite withholding of disclosures means that “some customers may never know that the government has obtained information in which those customers have a reasonable expectation of privacy.”

    3. Fighting Search Warrants for Overseas Cloud Data

    It is not entirely clear what rights §2703 of the SCA gives authorities to access data that is stored on overseas “cloud” servers. For example, in February 2017, Google lost its attempt to quash SCA search warrants for data it held outside the United States, while only months earlier, it successfully quashed a similar SCA warrant for its customer’s data as well. Though both rulings agreed that the SCA search warrants do not apply beyond U.S. borders, the latter reasoned that because the company moved data around regardless of a user knowing, the actual search and seizure would take place on U.S. soil.

    Craig Newman, partner at Patterson Belknap Webb & Tyler, noted that the judiciary may be ill-equipped to handle how to interpret data’s location and jurisdiction given that the SCA is over 30 years old.

  • Caitlin Schultz: Blog Post

    Caitlin Schultz

    Information Privacy Law

    Professor Ira Rubinstein

    April 4, 2017

    Title of Blog Post: Turning the Tables: Publishing Congress’s Browser History

    Article: Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    Blog Text:

    President Trump is expected to sign into law a bill that overturns Federal Communications Commission rules requiring broadband providers to obtain consent before collecting citizens’ online data such as browser history.[1] This repeal of privacy rules for private companies has profound implications for government surveillance activities and for freedoms of speech and association. As an example, AT&T has already been profiting from selling customer data to law enforcement.[2] Additionally, studies show that government surveillance has a profound chilling effect on online behavior by ordinary citizens.[3]

    At least four grassroots campaigns to fund the purchase of the browser history of members of Congress and make it public are gaining media attention.[4] This turning of the tables on federal legislators highlights the speech, association, and surveillance concerns of not only privacy advocates but also ordinary citizens. Societal norms already play a role in Fourth Amendment and surveillance jurisprudence, and state legislatures and courts should step in to increase the role of modern expectations in order to protect citizens. Congress’s hypocrisy of allowing companies to sell citizens’ data—which arguably will lead to government use of that data for surveillance outside of the traditional Fourth Amendment protections because of the “third party doctrine”—is being exposed as the social norm of internet searches being private is withdrawn on members of Congress themselves.

    Of course, the actions of private persons and private companies do not involve state action and, therefore, do not directly implicate government surveillance and the First Amendment. However, in this era of increasing technological development and privatization of government functions, citizens and courts should be wary of privacy and civil and political rights being seriously endangered. To combat this growing problem, courts should analyze the role of private broadband companies and internet service providers in modern life, digital and online notions of personal privacy, and the extent to which government can access information through third parties in a manner in which the government could not access that same information by targeting an individual directly.

    Working backward, the First Amendment embodies the idea that individuals should be free not only to speak about concepts, but also to receive ideas about them. The internet has drastically changed how society learns about information, tests ideas, and spreads ideas. If internet search history is not private, for example, this would create a massive “chilling effect” on what citizens discover and learn about. Taking this one step further, if the information is not only not private but also is available to the government to implicate citizens for crimes, this may drastically chill the spread of ideas and information.

    The relationship between government surveillance and the First Amendment is often debated. The argument that the Fourth Amendment protections against unreasonable and warrantless searches and seizures include First Amendment considerations[5] should be viewed with skepticism. Free speech being chilled as the direct result of government surveillance is a legitimate concern that courts should take into consideration. Normal human behavior online and social norms about to what level internet activity is private or anonymous are important factors for a court to take into account when deciding reasonable expectations of privacy and levels of government intrusion into citizens’ private lives.

    [1] See, e.g., Cecilia Kang, Congress Moves to Overturn Obama-Era Online Privacy Rules, N.Y. Times (Mar. 28, 2017), https://www.nytimes.com/2017/03/28/technology/congress-votes-to-overturn-obama-era-online-privacy-rules.html.

    [2] See, e.g., Nicky Woolf, Documents Show AT&T Secretly Sells Customer Data to Law Enforcement, The Guardian (Oct. 25, 2016 15:33 EST), https://www.theguardian.com/business/2016/oct/25/att-secretly-sells-customer-data-law-enforcement-hemisphere.

    [3] See, e.g., Karen Gullo, Surveillance Chills Speech—As New Studies Show—And Free Association Suffers, Electronic Frontier Foundation (May 19, 2016), https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-new-studies-show-our-rights-free-association.

    [4] Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    [5] See Laird v. Tatum, 408 U.S. 1 (1972) (holding that government surveillance of individuals’ civil rights activities does not implicate the First Amendment).