Blog

  • PRG News Roundup: April 5

    by Eli Siems

    • The NY Times reports on an ongoing struggle between banks and tech companies over the fate of your financial data.
    • On Monday, Amazon.com launched its new Amazon Cash service, allowing customers to add paper cash to an Amazon account at a physical retail location.
    • The Massachusetts Attorney General announced a settlement with a digital advertising firm barring the firm’s practice of geo-fencing women near abortion clinics in order to target them with anti-abortion messages.
    • The Wall Street Journal reports on a Florida Court of Appeals ruling that searches of “black box” data from within a smart car require a warrant.
    • The manufacturer of a garage door opener remotely blocked a customer’s access to his garage after the customer posted a negative review of the product.
    • A Reuters poll revealed that most Americans would be unwilling to allow their individual personal data to be monitored even if it would help prevent terrorist attacks. Americans remain evenly split on the question when it is posed in regard to collective mass surveillance.
    • Senator Ron Wyden introduced a bill in response to the Trump administration’s asserted extreme vetting procedure requiring everyone entering the U.S. to give over reams of personal digital information by handing over devices at the border. The bill seeks to shield American citizens from such searches but does not seek to protect non-citizens from the invasive practice.
  • Meng Wang: Blog Post

    Meng Wang

    Information Privacy Law

    Professor Ira Rubinstein

    April 6, 2016

    Article: Rhys Dipshan, “Short Circuits: 3 Areas Where Tech Law Is Falling Behind”, Legaltech News, February 27, 2017

    http://www.legaltechnews.com/id=1202780021771/Short-Circuits-3-Areas-Where-Tech-Law-Is-Falling-Behind

    Established technology-related laws are outdated and may become anachronistic burdens to those organizations they’re enacted to regulate. The article notes three areas where companies face the most challenges with outdated laws.

    1. Prosecuting Cyberespionage

    Legal resources for fighting cybercrime are often limited to geopolitical jurisdictions, as restitution is a standard penalty that is a part of the federal criminal justice system. When perpetrators of cyberattacks are outside the U.S., or are nation-states themselves, restitution can be difficult to obtain in dealing with foreign actors in countries like China that lack extradition treaties with the United States.

    Companies have had to turn to novel means to go after foreign cyberattackers. For example, in 2016, U.S. Steel successfully petitioned the United States International Trade Commission (ITC) to take up its case against Chinese steel manufacturers that allegedly stole and profited from U.S. Steel’s intellectual property. U.S. Steel relied on Section 337 of the Tariff Act of 1930 but faced headwinds in court. The defendant, represented by Covington & Burling, argued that the ITC pleading standard is on the same level as those in district courts. U.S. Steel announced it had pulled the case from the ITC in February, noting that the decades-old Section 337 law never contemplated the technological advancements over the past 50 years and needed to be reformed.

    2. Disclosing Government Data Access

    Microsoft recently argued that the SCA increasingly places a significant burden on modern technology companies that store growing volumes of their customers’ personal data.

    In a case filed April 2016, Microsoft argues that both §2703 and §2705 of the SCA are unconstitutional on First and Fourth Amendment grounds, as they restrict companies’ right to talk to their customers and constitute unreasonable searches.

    The district court denied a motion to dismiss the case in February 2017, explaining that the First Amendment rights of Microsoft’s customers may outweigh the need for government secrecy in an investigation of a customer. The court dismissed the Fourth Amendment claim because Fourth Amendment rights cannot be defended by anyone other than the person whose rights were infringed. However, the court did add that the government’s indefinite withholding of disclosures means that “some customers may never know that the government has obtained information in which those customers have a reasonable expectation of privacy.”

    3. Fighting Search Warrants for Overseas Cloud Data

    It is not entirely clear what rights §2703 of SCA gives authorities to access data that is stored on overseas “cloud” servers. For example, in February 2017, Google lost its attempt to quash SCA search warrants for data it held outside the United States, while only months earlier, it successfully quashed a similar SCA warrant for its customer’s data as well. Though both rulings agreed that the SCA search warrants do not apply beyond U.S. borders, the latter reasoned that because the company moved data around regardless of a user knowing, the actual search and seizure would take place on U.S. soil.

    Craig Newman, partner at Patterson Belknap Webb & Tyler, noted that the judiciary may be ill-equipped to handle how to interpret data’s location and jurisdiction given that the SCA is over 30 years old.

  • Caitlin Schultz: Blog Post

    Caitlin Schultz

    Information Privacy Law

    Professor Ira Rubinstein

    April 4, 2017

    Title of Blog Post: Turning the Tables: Publishing Congress’s Browser History

    Article: Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    Blog Text:

    President Trump is expected to sign into law a bill that overturns Federal Communications Commission rules requiring broadband providers to obtain consent before collecting citizens’ online data such as browser history.[1] This repeal of privacy rules for private companies has profound implications for government surveillance activities and for freedoms of speech and association. As an example, AT&T has already been profiting from selling customer data to law enforcement.[2] Additionally, studies show that government surveillance has a profound chilling effect on online behavior by ordinary citizens.[3]

    At least four grassroots campaigns to fund the purchase of the browser history of members of Congress and make it public are gaining media attention.[4] This turning of the tables on federal legislators highlights the speech, association, and surveillance concerns of not only privacy advocates but also ordinary citizens. Societal norms already play a role in Fourth Amendment and surveillance jurisprudence, and state legislatures and courts should step in to increase the role of modern expectations in order to protect citizens. Congress’s hypocrisy of allowing companies to sell citizens’ data—which arguably will lead to government use of that data for surveillance outside of the traditional Fourth Amendment protections because of the “third party doctrine”—is being exposed as the social norm of internet searches being private is withdrawn on members of Congress themselves.

    Of course, the actions of private persons and private companies do not involve state action and, therefore, do not directly implicate government surveillance and the First Amendment. However, in this era of increasing technological development and privatization of government functions, citizens and courts should be wary of privacy and civil and political rights being seriously endangered. To combat this growing problem, courts should analyze the role of private broadband companies and internet service providers in modern life, digital and online notions of personal privacy, and the extent to which government can access information through third parties in a manner in which the government could not access that same information by targeting an individual directly.

    Working backward, the First Amendment embodies the idea that individuals should be free not only to speak about concepts, but also to receive ideas about them. The internet has drastically changed how society learns about information, tests ideas, and spreads ideas. If internet search history is not private, for example, this would create a massive “chilling effect” on what citizens discover and learn about. Taking this one step further, if the information is not only not private but also is available to the government to implicate citizens for crimes, this may drastically chill the spread of ideas and information.

    The relationship between government surveillance and the First Amendment is often debated. The argument that the Fourth Amendment protections against unreasonable and warrantless searches and seizures include First Amendment considerations[5] should be viewed with skepticism. Free speech being chilled as the direct result of government surveillance is a legitimate concern that courts should take into consideration. Normal human behavior online and social norms about to what level internet activity is private or anonymous are important factors for a court to take into account when deciding reasonable expectations of privacy and levels of government intrusion into citizens’ private lives.

    [1] See, e.g., Cecilia Kang, Congress Moves to Overturn Obama-Era Online Privacy Rules, N.Y. Times (Mar. 28, 2017), https://www.nytimes.com/2017/03/28/technology/congress-votes-to-overturn-obama-era-online-privacy-rules.html.

    [2] See, e.g., Nicky Woolf, Documents Show AT&T Secretly Sells Customer Data to Law Enforcement, (Oct. 25, 2016 15:33 EST), https://www.theguardian.com/business/2016/oct/25/att-secretly-sells-customer-data-law-enforcement-hemisphere.

    [3] See, e.g., Karen Gullo, Surveillance Chills Speech—As New Studies Show—And Free Association Suffers, Electronic Frontier Foundation (May 19, 2016), https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-new-studies-show-our-rights-free-association.

    [4] Travis M. Andrews, Protesters Raise More than $200,000 to Buy Congress’s Browsing Histories, Wash. Post (Mar. 30, 2017), https://www.washingtonpost.com/news/morning-mix/wp/2017/03/30/protesters-raise-more-than-200000-to-buy-congresss-web-histories-theyre-likely-in-for-a-surprise.

    [5] See Laird v. Tatum, 408 U.S. 1 (1972) (holding that government surveillance of individuals’ civil rights activities does not implicate the First Amendment).

  • Hernán Garcés Blog Post

    Hernán Garcés

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 2017

     The highest court of the European Union rules that Member States may not impose a general obligation to retain data on providers of electronic communications services

     Last December, four days before Christmas, the European Court of Justice (“ECJ”) made a present to the European citizens in a major privacy decision declaring that indiscriminate storing of private citizens’ communications data is illegal under EU law.

     In 2015, two cases from Sweden and the United Kingdom were referred to the ECJ on the general obligation imposed on telecommunication service providers to retain data relating to electronic communications. The Court was requested to indicate whether a general obligation to retain data is compatible with EU law (specifically the Directive on privacy and electronic communications and certain provisions of the EU Charter of Fundamental Rights).

    According to the Court, data retention can allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. Therefore, the national legislation of the Member States that provides for the retention of traffic and location data must be subject to strict requirements. In the words of the Court: “the fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference”.

    The Court said that exceptions to the protection of personal data should be limited to the absolutely necessary. This applies also to the access of authorities to the stored data. National legislation of the Member States providing for general and indiscriminate data retention, with no link between the data and a threat to public security, goes beyond the limits of the absolutely necessary and cannot be justified in a democratic society. Therefore, the legislation of the Member States that does not comply with these requirements must be abolished or amended accordingly. The Court also states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse.

    According to Camilla Graham Wood from Privacy International the judgment is a “major blow against mass surveillance and an important day for privacy. It makes clear that blanket and indiscriminate retention of our digital histories can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep.”

    Last week, as a consequence of the decision, the Council of Europe, the institution representing the member states’ governments, informed the Member States that it intends, with the European Commission, to provide guidance on bringing national data retention laws into line with the judgment.

    Related documents:

    1. Judgment of the European Court of Justice of 21st December 2016
      http://curia.europa.eu/juris/document/document.jsf?docid=186492&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=747271
    2. Press release of the European Court of Justice
      http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf
    3. Opinion of the Advocate General of the European Union
      http://curia.europa.eu/juris/document/document.jsf?docid=181841&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=747271
    4. Press release of the Advocate General’s Opinion
      http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-07/cp160079en.pdf
    5. Outcome of the Council Meeting of 28th March 2017
      www.consilium.europa.eu/en/meetings/jha/2017/03/st07688_en17_pdf/
    6. The Guardian
      https://www.theguardian.com/law/2016/dec/21/eus-highest-court-delivers-blow-to-uk-snoopers-charter

     

  • Yu-Jean Liu Blog Post

    Yu-Jean Liu

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 20
    Last year, the Second Circuit in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), held that the government cannot compel Internet Service Providers (ISPs) to turn over data that is stored overseas. The court ruled that the government cannot do so even with a warrant.
    In December 2013, Judge Francis of the Southern District of New York issued a warrant under the Stored Communications Act 18 U.S.C. §§ 2701–2712 for the email content associated with a Microsoft Network email address. Microsoft agreed and handed over responsive non-content data that were stored in the United States. However, as for the requested content information that was stored in a Microsoft server which was located in Ireland, Microsoft believed the data in Ireland was not in the jurisdiction of the warrant. Thus, Microsoft refused to hand over the data and moved to quash the warrant.
    The court held that applying the SCA’s warrant provisions extraterritorially was not Congress’s intention. Rather, the intention of those provisions is to protect users’ privacy interests. Therefore, the SCA does not authorize a United States court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.
    This case clearly illustrates the phenomenon that law has failed to keep pace with new technology, and the dilemma courts face when applying old laws to modern technology: whether a court should appreciate the unique and novel aspects of technology and adapt legal rules and definitions to modern technology, or simply follow the old rulings.
    However, it is my opinion that when it comes to new technology, merely applying existing legal rules or guessing the intention of Congress is not enough. It could delay the enactment and implementation of appropriate legal regulations for new technology.
    Reference:
    http://law.justia.com/cases/federal/appellate-courts/ca2/14-2985/14-2985-2016-07-14.html
    http://www.minnesotalawreview.org/2017/02/microsoft-corp-v-united-states/
    http://knowledge.freshfields.com/m/Global/r/1623/microsoft_v__united_states__court_s__privacy__ruling_is

  • Qianyao Li Blog Post April 3 2017

    Qianyao Li

    Information Privacy Law

    Professor Ira Rubinstein

    April 3, 2017

    Pennsylvania magistrate judge’s ruling requires Google to turn over data stored outside the United States to FBI

    On Feb 3, 2017, Pennsylvania Magistrate Judge Thomas J. Rueter granted the Government’s motions to compel Google to comply with search warrants to turn over data stored outside the United States.

    Google has partially complied with the warrants by producing data that it could confirm is stored on its servers located in the United States. However, it has refused to produce other data, relying upon a recent decision by the Second Circuit, where the court determined that enforcing the warrant by directing Microsoft to seize the contents of its customer’s communications stored in Ireland would be an unlawful extraterritorial application of the Stored Communications Act (“SCA”). Microsoft, 829 F.3d 194 (2d Cir. 2016).

    Magistrate Rueter was not troubled by the fact that the information was stored abroad. Instead, he concluded that the warrants are applied within the United States since “the search of electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.” In re Search Warrant No. 16-960-M-01, No. 16-960-M-01, 2017 U.S. Dist. LEXIS 15232 (E.D. Pa. Feb. 3, 2017).

    Magistrate Rueter distinguished this case from Microsoft by the fact that there is no evidence regarding the precise location of the servers which store the electronic data requested by the search warrants, while in Microsoft, all the relevant user data of a presumably Irish citizen was located exclusively in one data center in Ireland and remained stable there for a significant period of time. It seems the Magistrate was saying that the extraterritorial application of the SCA should be determined by the place where the FBI will review the copies, because it is hard to locate the place where electronic data is stored.

    Briefs from Microsoft, Amazon, Cisco Systems, Apple and Yahoo have been filed in the U.S. District Court for the Eastern District of Pennsylvania, allying with Google in its opposition to the Feb. 3 decision. But a final resolution is years away, given the lengthy appellate process.

    Sources:

    http://pennrecord.com/stories/511093025-tech-giants-file-briefs-supporting-google-in-case-of-fbi-subpoena

    https://www.forbes.com/sites/realspin/2017/03/07/digital-privacy-rights-take-a-u-turn-and-congress-needs-to-act/#261f00925cbf

    https://www.justice.gov/opa/blog-entry/file/937001/download

     

  • Jeffrey Bishop Blog Post April 3, 2017

    Jeffrey Bishop
    Information Privacy Law
    Professor Ira Rubinstein
    March 30, 2017

    Ninth Circuit to Address Police Surveillance of Cell Site Location Information
    Do consumers possess a Fourth Amendment “reasonable expectation of privacy” in the location data collected by cell phone service providers, such that police must obtain a warrant supported by probable cause to access this information? This was the chief question before the US Court of Appeals for the Ninth Circuit on March 17 during oral argument in United States v. Gilton. Although the four circuits that have considered the question have concluded (albeit in fractured opinions) that Fourth Amendment protections do not apply, at least two of the three judges on the Ninth Circuit panel indicated a willingness to find otherwise, raising the specter of a circuit split.
    At issue is the historical cell site location information (CSLI) collected as a matter of routine business practice by cell phone service providers like Sprint. In order for a cell phone to function, it must periodically send a radio signal to a nearby cell site to connect to the service provider. Every time a call is made or received on a phone, a record is logged with the service provider based on the cell site information, including the location of a phone relative to the cell site at the beginning and end of a call. With the proliferation of smartphones, these radio signals are sent to cell sites with increasing frequency, as much as “every few minutes,” as phones now send radio signals when automatically checking for emails, streaming videos, and engaging in other forms of data usage. Though the accuracy of the CSLI is dependent on factors such as the density of cell towers in any given area (e.g. dense urban areas make location tracking more precise than a large, rural area with a single tower), by aggregating the CSLI data points over time, one is able to track the movements of a cell phone user throughout her day.
    Under the facts of Gilton, investigators suspected Gilton of criminal activity and ordered Sprint, pursuant to a defective warrant, to deliver 37 days of Gilton’s cell phone records containing 8,790 CSLI data points – an average of “one [location point] every six minutes.” During oral argument and in their briefs, the US Government and the ACLU (as amicus in support of Gilton) sparred over whether the Government’s gathering of CSLI without a valid warrant (and, consequently, without probable cause) constituted a “search” that could fall within the protections of the Fourth Amendment.
    Of particular interest to the parties and the questioning judges was the applicability of the “third-party doctrine” to modern, invasive technology. This doctrine derives from the decades-old Supreme Court holdings in United States v. Miller (1976) and Smith v. Maryland (1979) where the Court held that there was no reasonable expectation of privacy in one’s banking transaction data and phone numbers dialed from a home landline phone because the defendants in each case had voluntarily conveyed that information to a third party – a bank teller or the phone company – and consequently “assumed the risk” of disclosure to state authorities. In such scenarios, government investigators are permitted to obtain information without the ordinary requirements of a warrant and probable cause since, without a reasonable expectation of privacy, there has been no “search” subject to Fourth Amendment protections.
    The Government relied heavily on these “third-party doctrine” precedents in arguing that Gilton’s historical CSLI was voluntarily conveyed to Sprint pursuant to the ordinary business agreement between a phone user and her service provider. Consequently, they argued, there can be no reasonable expectation of privacy in the CSLI, no Fourth Amendment “search,” and no requirement to obtain a valid warrant subject to a probable cause standard.
    Judges Bybee and McKeown expressed their skepticism over the notion that consumers “voluntarily” hand over CSLI to their service providers since a consumer cannot possibly know to which cell site her phone is connecting. Judge McKeown further questioned the strength of the voluntariness theory where CSLI is collected even where a person chooses not to answer an incoming call. Counsel for the Government, however, found voluntariness inherent in the business relationship between a consumer and service provider, stating that “in order to get cellular phone service, you know that you have to connect your phone to the cellular network’s towers and you know that you have to be in range of those towers to get service…to make or receive phone calls.” The Government additionally contended that Sprint’s terms of service and privacy policies notify the user that Sprint “generally know[s] the location of your device.” Nonetheless, Judges Bybee and McKeown appeared concerned that the Government’s position left no limiting principle for warrantless searches in an age where technology is ubiquitous and often requires the sharing of sensitive, detailed information with service providers.
    Echoing these concerns, counsel from the ACLU argued that the third-party doctrine is not a “categorical” rule, but that it only allows for an exception to the warrant requirement where the information is both “voluntarily conveyed” and the information is not particularly “private or sensitive.” Admitting that CSLI does not provide information on the “contents of the phone calls,” the ACLU contended that “this kind of pervasive, long-term location information is closely analogous to content information in the very detailed picture of a person’s life that it paints.” Their brief explains that police can infer from CSLI where one sleeps at night, her demographic information, and even the associational groups she frequents, potentially raising First Amendment concerns. Judge Wallace pressed the ACLU to distinguish CSLI from the numbers dialed from a phone in Smith which could also provide an “awful lot of information” yet is still not subject to the warrant requirement. The ACLU distinguished the cases in that phone numbers dialed are “voluntarily conveyed” to the phone company because they are “necessary to connect that call.” This contrasts with CSLI in which a user has no way to know what location information is being conveyed to the service provider, and the user does not necessarily take affirmative action to send over that information.
    Moreover, the ACLU stressed that the fundamental question is “whether the warrant requirement is going to maintain vitality in the modern digital age.” Concerns over “dragnet” surveillance by police have led the Supreme Court to caution lower courts not to emphasize “pre-digital precedents” when applying them to newer, pervasive technologies. Modern cell phones should carry a stronger expectation of privacy since they are often carried wherever one goes, even into traditionally “constitutionally protected spaces” such as one’s home. Channeling the concerns of privacy advocates, the ACLU argued that it can’t be that the third-party doctrine swallows the warrant requirement of the Fourth Amendment. In an age where a cell phone can be considered a “feature of the human anatomy,” the ACLU maintained that owning one is hardly a choice and “users should [not] be required to disable the core functionality of their phone in order to avoid…warrantless surveillance.”
    The Ninth Circuit panel is expected to release an opinion in United States v. Gilton shortly. Other issues in Gilton – such as the applicability of the “good faith exception” in relying on a defective warrant and the Ninth Circuit’s requirement that a “compelling reason” must exist to create a circuit split – leave open the possibility that the Court may not reach the question of whether one can possess a reasonable expectation of privacy in CSLI. However, the Ninth Circuit is in the unique position of potentially being the first circuit court to find that CSLI is protected by the Fourth Amendment. Information privacy advocates should be following this case intently.
    Additional Sources:
    1. www.brennancenter.org/sites/default/files/Gilton%20Amicus%20Brief.pdf
    2. www.brennancenter.org/legal-work/usa-v-gilton-amicus-brief
    3. www.therecorder.com/id=1202781561237/Ninth-Circuit-Weighs-Privacy-in-Police-Cellphone-Tracking-Case?mcode=0&curindex=0&curpage=ALL
    4. www.washingtonpost.com/news/volokh-conspiracy/wp/2017/03/17/ninth-circuit-oral-argument-on-historical-cell-site-information/?utm_term=.92c7cc481b4c
    5. www.youtube.com/watch?v=SipCIWNsFts

  • PRG News Roundup: March 29

    By Alexia Ramirez

    Congress overturned the FCC regulations created by the Obama Administration which would have required broadband providers to receive permission before collecting data on a user’s online activities.  Former Chairman of the FCC, Tom Wheeler, wrote an op-ed addressing the troubling ramifications of the repeal.

    The European Commission announced it will propose new measures in June to make it easier for police to access data on encrypted apps such as WhatsApp. Law enforcement’s access to encrypted messaging app data has been a renewed subject of discussion in the wake of the London terrorist attack.

    Google Maps will release a new feature which allows individuals to share their location with others.

    Today the Supreme Court held in Expressions Hair Design v. Schneiderman that restrictions on how a seller describes legal transactions are speech restrictions. The Court remanded the case back to the lower court to determine whether the speech restriction was actually unconstitutional under the court’s commercial speech doctrine. Depending on how the court decides, the decision could affect how providers must convey information to users.

     

  • Ying Cai Blog Post

    Ying Cai

    Information Privacy Law

    Professor Ira Rubinstein

    March 29, 2017

    Following the passage by the Senate last week of the resolution overturning an Obama-era FCC rule that required internet providers to get consumers’ permission before sharing their browsing history with other companies, the House of Representatives passed the same resolution in a 215-205 vote on March 28. Internet providers now only need a signature from President Trump before they’re free to take, share, and sell people’s web browsing history without prior permission.

    It is reported that no Democrats in the House voted for the resolution, and 15 Republicans opposed it. A similar version squeaked through the Senate last Thursday on a party-line vote of 50-48. In view of the new political environment, it appears unlikely that there will be any new consumer privacy legislation in this vastly more pro-business Congress. And the FCC won’t be able to pass privacy restrictions protecting all web browsing history again under the Congressional Review Act. In this regard, people may start to question the future of consumer protection and privacy enforcement under the federal government.

    Stacey Gray at Future of Privacy Forum believes that we are likely to see state legislatures and Attorneys General step in if no new consumer privacy legislation is to be generated or the ability of regulatory bodies to protect consumer privacy is limited. She says several states that have strong consumer privacy laws, such as California, may seek to fill the void and regulate digital marketing. She also expects there could be more private litigation seeking to protect and enforce consumer privacy.

    In addition to resorting to public protection, consumers may need to seek self-protection. For instance, consumers may use computer software such as “Tor” to enable anonymous communication. “Tor” can direct Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user’s location and usage. However, the problems of using “Tor” include technical complexity and slower internet speed because service providers have been downgrading traffic they can’t sell adverts around.

    Virtual Private Networks (VPNs) that set up a secure connection that runs traffic through their own servers may be another option. However, Jeremy Gillula, senior staff technologist at the Electronic Frontier Foundation, suggest avoiding free VPNs because it’s just passing the trust issue to another company. Additionally, VPNs have to work under the rules of their home country, and therefore it is not clear whether your data collected by the VPNs is subject for sale under the relevant law.

    On the other side, the majority of the industry is applauding the congressional action to repeal the FCC rule. The Internet & Television Association and CTIA, formerly the Cellular Telecommunications and Internet Association, an advocacy group for the industry, issued statements after the vote, claiming that they would continue to follow ‘privacy-by-design’ principles and honor the FTC’s successful consumer protection framework. However, not all ISPs want to abolish the rule. Some small providers believe that such a resolution is harmful to the industry in the long run given that one of the cornerstones of the business is respecting the privacy of the customers. And some small providers have said publicly that they won’t collect, store or sell their users’ data, in order to gain power in competition. Hopefully the market could eventually shake down the best solutions for people.

    http://www.nbcnews.com/tech/security/house-set-vote-whether-isps-can-sell-your-data-without-n739166

    https://martechtoday.com/changes-consumer-privacy-law-might-impact-marketers-martech-196664

    http://www.vox.com/new-money/2017/3/28/15089396/house-republican-privacy-bill

    https://www.theguardian.com/technology/2017/mar/28/internet-service-providers-sell-browsing-history-house-vote

    https://www.theregister.co.uk/2017/03/28/so_my_isp_can_now_sell_my_browsing_history_what_can_i_do/

    http://www.usatoday.com/story/tech/news/2017/03/28/wait-theres-no-rules-protecting-my-online-privacy/99754182/

    http://www.cnbc.com/2017/03/28/congress-clears-way-for-isps-to-sell-browsing-history.html

  • Soo Hyun Chin Blog Post

    Soo Hyun Chin

    Information Privacy Law

    Professor Ira Rubinstein

    March 29, 2017

    WhatsApp and Metadata Overlooked

    On the website of the most popular mobile messenger, WhatsApp, the company states that “privacy and security is in our DNA, which is why we have end-to-end encryption in the latest versions of our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.  . . . WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp.”

    This encryption keeps the content of the user’s messages private as mentioned above, but not metadata like date, time, duration of communications, or location and contact information. Unlike the Signal messaging application that does not store metadata, WhatsApp retains metadata. Thus, WhatsApp needs to take more measures to protect the users’ privacy.

    Most people do not think about metadata much and overlook the importance of metadata. Nevertheless, the role that metadata can play in the privacy area is not smaller than that of the content of the communications itself.

    For example, the court can order WhatsApp to install a pen register device to help the ongoing investigation. This kind of order is not rare. In May 2006, an Ohio court ordered WhatsApp 1) to track numbers calling and messaging, 2) to record the date, time and duration of communications, and 3) to provide details on any SMS text messaging WhatsApp had access to.

    Those data do not include the content of the messages, but as Neema Singh Guliani, legislative counsel with the American Civil Liberties Union, mentioned in the article, “metadata is often enough to draw an informative map of a target’s life.” We already saw this in Smith v. Md., 442 U.S. 735, 99 S. Ct. 2577 (1979), where the police used the number dialed from the target’s telephone and other evidence to reveal that the target was the criminal. Metadata itself has great importance. And with the combination of other evidence obtained, metadata can have even more power.

    Unlike Facebook, which is the parent company of WhatsApp, WhatsApp’s responses to the police requests were veiled in secrecy. Facebook has a transparency report which provides information about its response to law enforcement requests and has made public a law enforcement guideline outlining how and when users’ information can be retrieved. However, we cannot find that information for WhatsApp in the transparency report, guideline or other materials.

    Given the importance of metadata and growing attention to privacy, WhatsApp might want to consider a stance like Google’s active response to the Guardian’s news on the Prism program, which tried to keep the users’ trust by publishing relevant information in the company’s transparency report.

    https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/#462793711030

     

    (About Google’s response to Prism news:

    https://googleblog.blogspot.com/2013/06/asking-us-government-to-allow-google-to.html)