Blog

  • March 27 Panel 06

    Gabriel Gutiérrez

    Documents Say NSA Pretends to be Facebook in Surveillance, from the Wall Street Journal’s Big Data Blog, written by Reed Albergotti and Danny Yadron

    The article “reveals” that the NSA has disguised itself as Facebook to gain access to the computers of targets of investigations. Information on the technique is based on documents leaked by Snowden. The NSA says the accusations are false and Facebook representatives say the technique wouldn’t work anymore because of new security measures implemented by the company.

    I thought the article was amusing because it depicts a company whose own privacy policies often spark criticism being used by the government to spy. Furthermore, the company’s own security measures seem to actually be protecting the privacy of targets. If true, the situation described illustrates that there is always a “bigger bully” and that privacy concerns – especially in the on-line setting – are very closely integrated. The article also touches on how the tactic isn’t directed towards mass data-gathering and instead targets specific individuals, presumably already under the NSA’s scrutiny for some suspicious activity.

     

     

     

    Monica Perrigino

    http://www.broadcastingcable.com/news/washington/ftc-report-gives-props-alcohol-marketing-self-regulation/129967

    http://www.just-drinks.com/news/ftc-backs-industry-self-regulation-on-alcohol-advertising-study_id113187.aspx

    On March 20, 2014, the Federal Trade Commission issued a 49-page report entitled “Self-Regulation in the Alcohol Industry” in which it expressed its support for the continued self-regulation over alcohol marketing in the country, deeming it “more prompt and flexible than government regulation.” This report provides an excellent, current example of industry self-regulation – illuminating the topic we have been studying in class this week by setting it in a real-life context.

    This study is the FTC’s fourth major study on alcohol industry compliance with self-regulatory marketing guidelines, and it found that 93.1% of all measured media ad placements met the industry’s self-regulatory standard (the standard being that 70% or more of the measured audience must be at least 21 years old).

    With respect to privacy interests, the report yielded generally positive results, finding that alcohol industry members “appear[ed] to have considered privacy impacts in the marketing of their products.” While the largest chunk of measured media consists of broadcast and print (nearly 1/3 of drinks companies’ marketing budgets are spent on traditional media, whereas only 8% are dedicated toward digital and online advertising), for the most part alcohol companies nevertheless advise consumers how their information will be used with respect to online registration opportunities. They also require consumers to opt-in to receive marketing information, and consumers can readily opt-out when they want to stop receiving such information. Furthermore, use of cookies and tracking tools on brand websites is limited to those needed to ensure that only consumers who have stated that they are 21 years old or older can re-enter the site.

    Distilled Spirits Council president, Peter Cressy, spoke in regards to the report with pride. He asserted: “The FTC report clearly shows that the spirits industry directs its advertising to adults and is a leader in self-regulation” – further embodying a tone of positivity and optimism in regards to the success of self-regulation in this area.

    Despite this positive feedback, the FTC has nevertheless made a series of recommendations for how to improve the system. Some recommendations for online marketing efforts include forcing consumers to enter their dates of birth, instead of just asking them to confirm that they are at least 21 years old, and encouraging any medium where compliance falls below 90% to target an audience with a higher 21-plus audience so that it will meet the standard when the ad actually appears. Cressy insisted that “DISCUS will give careful consideration to the recommendations in the report.”

    The full text of the report can be found here.

     

     

     

    William Brewer

    Privacy Group Calls for Federal Investigation of Facebook’s $19 Billion WhatsApp Deal

    By Will Oremus

    A DC information privacy think tank, Electronic Privacy Information Center (EPIC), has filed a complaint for the FTC to investigate the recent $19 billion acquisition of the cell phone app “WhatsApp” by Facebook. The crux of the investigation will focus on whether WhatsApp has made privacy policy promises to consumers that it will be unable to keep under new ownership. Due to Facebook’s history of collecting data from acquired companies, EPIC asserts that there is a legitimate fear that it will do so again. The worry, then, is that Facebook, upon acquisition, will extract user data gathered by WhatsApp before the acquisition, while the previous privacy policies were in place. It may be a separate (and additional) question whether there are sufficient safeguards against future privacy policy violations (post-merger) for WhatsApp users (e.g. WhatsApp users with previously held expectations of privacy not being able to opt-out of new Facebook practices). The starkness of privacy policies between WhatsApp and Facebook couldn’t be more pronounced. While Facebook is known for using user data for advertisements, etc., WhatsApp’s policy ensures that “contents of any delivered messages are not kept or retained by WhatsApp,” though it does keep some metadata (phone numbers and time-stamps).

    The author notes that acquisitions like this are rarely halted on privacy grounds, with the FTC relying often instead on competition-based effects for disapproval.

     

     

     

    Ian Ratner

    http://mashable.com/2014/03/21/microsoft-privacy-hotmail/

    In March of 2014, Microsoft came under significant scrutiny after using a loophole in its privacy policy to read through a user’s Hotmail emails and instant messages. In conducting this search, Microsoft was seeking information regarding one former employee’s alleged misappropriation of trade secrets. The search itself was lawful because Microsoft owns Hotmail, the trade secrets were related to Microsoft software, and therefore the search was conducted to protect Microsoft’s own property – which is permissible under the Electronic Communications Privacy Act.

    Despite its legality, the search obviously drew a lot of negative attention. Indeed, a separate article in the New York Times pointed out that many users felt hesitant to continue using Microsoft’s services given the loophole. As a result, Microsoft decided to publicly tweak its privacy policies to mitigate these concerns. This is particularly important with regard to information privacy law because the FTC not only concerns itself with a company’s privacy policy, but also with a company’s public statements and notice.

    Microsoft’s new privacy policy relating to searches of its own users’ email and instant messages is complex. First, Microsoft will employ a legal team separate from its investigation team to assess the risk to Microsoft’s property. Second, if the legal team finds that there is sufficient evidence to warrant the search, then Microsoft will relay the information to a former judge to receive his or her opinion on the matter. These steps are intended to replicate the steps Microsoft would need to conduct if the warrant process were actually applicable. In the same vein, Microsoft proclaims that its legal team will also take steps to make sure that the search is confined to the original risk to its property – i.e., that the search does not invade more of the user’s search than necessary. The last part of Microsoft’s new policy involves transparency: the company will include in its bi-annual reports data regarding the number of these searches that it conducts.

    This new policy is important in the context of the FTC because the new policy would certainly be material to new users, which affects whether the FTC could find deceptive practices. In other words, this new policy will assuredly affect whether users continue to use Microsoft’s products, so it is important that Microsoft adheres to this policy going forward.

     

     

     

    Sharon Steinerman

    http://www.motherjones.com/politics/2014/01/are-fitbit-nike-and-garmin-selling-your-personal-fitness-data

    Wearable technology has become increasingly popular over this past year, as technology companies have looked to market a new type of device to tech-savvy users who already own smart phones and tablet devices. Wearable tech has particularly taken off in the areas of health and fitness, as companies like Fitbit and Nike have begun successfully marketing smart watch-like devices that can serve as pedometers, calorie counters, sleep monitors, and general fitness trackers. Users can even sync up these devices with various apps on their phones and computers to better keep track of their fitness plans.

    However, according to Mother Jones, the FTC has become increasingly concerned about the volume of data that the makers of these devices are collecting and, potentially, selling. In addition to tracking your location, these devices offer the option for users to input sensitive and ostensibly private medical information, such as blood pressure and glucose levels. Most devices also encourage users to input gender, weight, height, age, and other sensitive personal information. Although these companies have privacy policies that outline individual user identity protection, the information may still be collected in the aggregate and potentially sold to advertisers.

    Other concerns stem from the interactions between these devices and other fitness applications. Fitbit, for example, a company that makes a range of fitness trackers that can monitor activity and sleep levels as well as nutritional information, allows and even encourages users to set their devices to interact with third-party applications for calorie counting and weight loss monitoring. These third party applications have their own privacy policies that may offer incredibly limited privacy protection, but the makers of these applications are similarly provided with sensitive health information by users of the wearable fitness technology. This information may then be sold to advertisers, all without users ever being aware of this gaping privacy breach.

     

     

     

    Julie Ann Rosenberg

    http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/21/facebook-says-states-shouldnt-regulate-online-teen-privacy-the-ftc-disagrees/?tid=pm_business_pop

    Facebook and the Federal Trade Commission (hereinafter, “FTC”) currently disagree about the interpretation of a children’s privacy law. The FTC recently filed a brief in the current case, Batman v. Facebook. If adopted, the FTC’s position would hurt Facebook’s argument in this ongoing district court case in California.

    The disputed issue between the FTC and Facebook is whether or not states can enforce their own laws governing teen privacy. Currently, the Children’s Online Privacy and Protection Act (COPPA) only applies to and protects children under the age of 12. Facebook contends that therefore states may not enforce their own state laws regulating teenagers’ privacy (children above 12 years of age).

    The case arose from a 2012 settlement regarding Facebook’s “sponsored stories,” or advertisements that used users’ information.  The users who are challenging the settlement argue that the settlement violates state privacy laws, because it doesn’t require teens to receive permission from their parents before appearing in Facebook advertisements.  Facebook contends that since the COPPA (federal protections) only apply to children up to age 12, older teens’ Internet activities cannot be subject to restrictions, even under state law.  In its filing, the FTC directly disagreed with Facebook, and outright declared Facebook’s position as wrong, and unsupported by the language, structure, and legislative history.

     

     

     

    Kate Englander

    “Pot shops wary of privacy concerns in handling customer information”

    Colorado Amendment 64, which went into effect on January 1, 2014, legalized the sale and personal consumption of marijuana through an amendment to the state’s constitution.  This article addresses the way in which Colorado’s marijuana dispensaries are addressing their customers’ privacy concerns after the passage of Amendment 64.  Because it is still illegal to sell and use marijuana under federal law, and because marijuana use is still largely taboo, many users are concerned about maintaining their privacy.

    While consumers might freely give personal information, such as their name, phone number, and address, at many retail stores, marijuana retailers in Colorado are wary of the fact that their customers may not wish to have their name or personal information associated with marijuana use in any sort of collected database.  On the other hand, marijuana dispensaries must weigh the privacy concerns of their customers against their own objectives.  First, dispensaries have an interest in tracking their customers’ preferences and purchasing habits in order to target advertising and promotions to them.  Furthermore, some dispensary owners are concerned about verifying customers’ identity to protect against credit card fraud.

    The amendment itself does not require dispensaries to collect personal data about customers – they need only verify that the customer is 21 or older under the law.  This requirement stands in contrast to the medical marijuana laws in California, where dispensaries are required to track patients’ personal information.

    Often when we have considered the collection and dissemination of identities aggregated with commercial data, it has been difficult to identify the harm. Are there real quantifiable damages in the dissemination of consumer preferences, when they indicate that a certain customer prefers a certain brand of makeup, or frequently purchases high-end jewelry? Courts have often regarded the potential damages as relatively minimal. However, the collection of personal information in connection with marijuana purchases provides an example of how collection of personal information in association with purchasing data can lead to definite harm to a person’s reputation or perhaps even to criminal liability.

     

     

     

    Abigail Everdell

    “Give Me Back My Online Privacy: Internet Users Tap Tech Tools That Protect Them From Prying Eyes” – Wall Street Journal

    This article outlines a number of programs that have emerged as popular tools for limiting the collection of data on the internet. The article acknowledges that only 8% of internet users make use of such programs, a number the author seems to consider large, but which still strikes me as small in light of the high number of Americans who are concerned about data collection. Nevertheless, the article has a hopeful tone, suggesting that emerging programs are more successful at helping users find a “middle ground” of data collection–one which doesn’t block all collection, but does allow a certain measure of awareness or control regarding when and how data is being collected.

    I thought this article was particularly relevant to our readings this week as it suggests that market self-regulation, while not a complete solution, may be making strides towards addressing the problem of indiscriminate commercial data collection on the internet. Professor Rubinstein, according to his article excerpted in our readings this week, might refer to these kinds of programs as “privacy-friendly PETs [Privacy Enhancing Technologies],” an aspect of “Privacy by Design.” The underlying assumption of the materials we read, however, seems to be that data collection companies must implement PETs on their own, and the financial incentives to do so are not compelling. The proliferation and growing popularity of third-party PETs described in this article, however, suggests that there may be hope for the market to better address consumer preferences in some regard.

     

     

     

    Ann Lucas

    Recent FTC Ruling Could Cloud Data Security Enforcement by John Moore, iHealthBeat Contributing Reporter
    The FTC filed an administrative complaint under Section 5(a)(1) of the FTC Act’s ban on “unfair … acts or practices” in August of 2013 against LabMD, a medical testing lab, for data security breaches involving consumer health data. More specifically, the complaint alleges that a LabMD spreadsheet containing names, social security numbers, dates of birth, and medical treatment codes of more than 9,0000 consumers was found on a peer to peer network in 2008. On Jan 16, 2014, the FTC denied LabMD’s motion to dismiss by a 4-0 unanimous vote. Last week, LabMD filed suit in federal district in Northern Georgia claiming that the August 2013 administrative complaint filed by the FTC against the firm, “is arbitrary, capricious, an abuse of discretion and power, in excess of statutory authority and short of statutory right, and contrary to law and constitutional right.” LabMD alleges that the FTC lacks the jurisdiction under Section 5 of the Federal Trade Commission Act to regulate personal health information security practices. Moreover, the firm claims that HIPAA/OCR takes precedence over the FTC in the realm of data security with respect to health care.

     

    This article highlights the steep costs of an FTC enforcement action. LabMD has ceased operations due to the high costs of its legal battle with the FTC. Additionally, although FTC fines amount to only $16,000 per violation and are lower than HIPAA’s maximum fines, which are capped at $1.5 million, the 20-year privacy audits add to the high cost of such actions. Mac McMillan, the CEO of an IT consulting firm, estimates that the cost of conducting periodic audits could prove more expensive in the long run than a HIPAA fine. “You’ve got the cost of an external monitor for 20 years,” McMillan said, noting that the audits are conducted by a third party. He said, “It’s not just the cost, but being under the microscope for 20 years,” adding, “That is an awfully long time to have the government … reviewing what you are doing.”

     

     

     

    Ilana Broad

    The United States government has been struggling to maintain open honesty under President Obama in recent years. New statistics regarding the amount of time it takes the federal government to respond to a FOIA request and the frequency with which it denies FOIA requests show an increase in both the time it took to get a response and the number of rejections. [1] The study, based on government-released statistics from almost 100 federal agencies over six years, shows a major setback in the government’s response to citizens’ desires for government openness and accountability.

    While FOIA requests were up approximately 8% in the last year, government response to FOIA requests for information went up only 2%, and the documents released were censored more often than ever before. White House spokesman Eric Schultz believes that these statistics are good – they show that the government is responding to FOIA requests more often and more quickly than ever. The problem with his perspective on these statistics, frankly, is that it’s wrong – federal agencies, on average, took longer to respond to FOIA requests than in previous years. Perhaps some of the issue stems from a lack of inter-agency communication in an era when information crosses agency borders very often. In fact, there have been instances where FOIA requests by one agency were answered with very censored documents, while other requests for the same documents from another agency/representative came back with entirely open documents. [2]

    Most importantly, 36% of all FOIA requests (that means including the requests that don’t get responses) are rejected or censored. The reasons cited for refusal to grant a FOIA request speak volumes about this troubling trend. Reliance on the national security exception to FOIA openness has doubled since Obama’s first year in office. The NSA saw a 138% increase in the number of FOIA requests – which may account for some of the increase in reliance on the national security exception – but the NSA denied full access to information requested 98% of the time.

    Reporters have noted how “abysmal” federal openness has been, and even our Congress-people are on notice as to how dissatisfied FOIA applicants have been. Some people blame it on bureaucracy and some find more grim conspiracies to point to. Regardless of the reasons behind this increase in government secrecy, it’s important to remember how necessary government openness and accountability are for a democratic society. The Electronic Frontier Foundation has been on the forefront of keeping the government, specifically the NSA, honest. [3] In the last five years, EFF litigation has been responsible for exposing numerous domestic investigations done without Congressional or court approval, and sketchy attempts at maintaining secrecy and undisclosed information practices. [4]

     

     

     

     

     

     


    [1] Open Government Study: Secrecy Up, Politico, http://www.politico.com/story/2014/03/open-government-study-secrecy-up-104715.html.

    [2] FBI Redacts Letter About Drone Usage That Was Already Published in Full by Sen. Rand Paul, Global Research News, http://www.globalresearch.ca/fbi-redacts-letter-about-drone-usage-that-was-already-published-in-full-by-sen-rand-paul/5371368.

    [3] How EFF’s FOIA Litigation Helped Expose the NSA’s Domestic Spying Program, Electronic Frontier Foundation; Deeplinks Blog, https://www.eff.org/deeplinks/2014/03/sunshine-week-recap-how-effs-foia-litigation-helped-expose-nsas-domestic-spying.

    [4] EFF Victories in 2 FOIA Cases: Government Arguments ‘Clearly Inadequate’ to Support Claims, Personal Liberty Digest, http://personalliberty.com/2014/03/19/eff-victories-in-2-foia-cases-court-rules-governments-arguments-clearly-inadequate-to-support-claims/.

  • 13 March Panel 7

    Jeffrey Ritholtz

    http://washingtonexaminer.com/obama-administration-faces-foia-fire-over-ambassador-picks/article/2545253

    http://washingtonexaminer.com/examiner-editorial-foia-reform-a-step-forward-for-government-transparency/article/2544763

    The Obama administration has come under fire in recent weeks for its failure to publicize the “Certificates of Demonstrated Competence” that the State Department fills out and submits to the Senate Foreign Relations Committee prior to nomination hearings for foreign ambassador candidates. The American Foreign Service Association, a labor union for diplomats, has filed two FOIA requests as of February 28 asking for release of these documents, but the administration has not yet responded. The union is concerned with the recent nomination of ambassadors to Iceland, Argentina, and Norway, each of whom has limited if any experience in diplomacy but has raised a significant amount of money for President Obama’s presidential campaign efforts. The State Department has maintained that it is working within parameters of the FOIA statute, which requires responses to FOIA requests on a first-come, first-served basis. It has noted that more than 18,000 FOIA requests are received by the government each year, requiring a great amount of time and resources to sort through. Not persuaded by the government’s claims, however, AFSA has threatened to sue if the requested documents are not revealed by an imposed deadline. The State Department has refused to disclose when it plans to respond to the outstanding FOIA requests for this documentation.

    This story is particularly important in light of the bill recently passed by the House, which intends to simplify and expedite the FOIA request process. The bill would create a “presumption of disclosure” for all FOIA requests, consistent with a recent executive memorandum from President Obama. Perhaps more importantly, the FOIA Oversight and Implementation Act of 2014 would expand the online platform for FOIA requests and centralize the requests in a single online web portal supervised by the Office of Management and Budget. Essentially, the bill would remove the current hurdles of inter-agency coordination and communication that currently obscure the FOIA process and lead to major lags in response time to FOIA requests. Furthermore, the web portal would permit updated tracking of requests in the system, granting submitters knowledge of where their specific requests stand in the process and greatly increasing the transparency of the system. Finally, the bill would establish an Open Government Advisory Committee that would be responsible for creating an ongoing dialogue about the effectiveness of FOIA and potential reforms to the statute.

    These proposed reforms to the FOIA statute would seemingly prevent situations like the one discussed earlier involving President Obama’s choices for foreign diplomats. Under the new statute, AFSA would no longer have to constantly press the State Department about its requests through the media, but rather it would be able to submit its requests online and track them fully throughout the review process. In addition, the whole system would be sped up by the centralization proposed in the bill, so that AFSA would likely have already received a response to its requests under the new legislation. Because FOIA was originally intended to shed light on some dark areas of the federal government by allowing access to previously undisclosed information, it seems appropriate that the system itself should be transparent enough to permit relatively quick and painless responses to disclosure requests. If the proposed bill should pass through Congress, we will hopefully begin to see the development of such transparency.

     

     

    Jennifer Gautier

     http://www.ibtimes.com/edward-snowden-sxsw-2014-what-whistleblower-said-about-nsa-surveillance-protecting-privacy-online

    This article discusses Edward Snowden’s recent Google Hangout event at SXSW 2014. The former CIA and NSA employee, now infamous for whistleblowing and disclosing thousands of classified documents revealing a global surveillance program run by the NSA and other government agencies, addressed a crowd of more than 7,000 SXSW attendees and countless others via live stream Monday morning. Through a live video feed broadcast from an undisclosed location in Russia (and bounced through many proxies around the world to help maintain location anonymity) Snowden spoke to the audience with Chris Soghoian, the principal technologist at the ACLU, and Ben Wizner, the director of the ACLU’s Speech, Privacy and Technology Program.

    Snowden used this platform as a sort of call to arms to the tech community, calling on them to create solutions to privacy violations that would be accessible by the average Internet user. Snowden and Soghoian stated that many of the tools that currently exist to protect privacy and security online are too difficult for the average person to use; they need an easier way to encrypt their data.  According to Snowden, the out of the box solutions currently available to the average user are not effective at circumventing the NSA’s surveillance programs. In response to a question asking what steps the average Internet user can take today, Snowden suggested that people encrypt their physical hard drives and networks, and use the program Tor to encrypt their web traffic. (For more on Tor, see this article from The Guardian.)

    Ultimately, Snowden believes in order to combat mass surveillance, “we need to think of encryption not as an arcane, dark art, but as a basic protection”. Encryption alone will not defend against a targeted spy attempt against an individual, but the presenters believe it is the best strategy to defend against mass surveillance, as it will make it too expensive to spy on everyone. Snowden believes that by forcing the government to focus not on mass monitoring and data collection, but on the targeted surveillance of suspects, the surveillance programs will pose less of a privacy threat to average citizens and will also be more effective at preventing crimes. Snowden claims that if the NSA focused less on mass surveillance, it might have been able to prevent the Boston Marathon bombings.

    The event also included discussion on data collection by private companies and accountability standards for government organizations. Snowden concluded his presentation by commenting on the motivation behind his decision to leak the NSA documents that led to his worldwide notoriety and exile. “I took an oath to support the Constitution, and I felt the Constitution was violated on a massive scale,” he said. “The interpretation of the Constitution had been changed in secret to ‘no unreasonable search and seizure’ to ‘any seizure is fine, just don’t search it’ and that’s something that the public ought to know.”

     

     

    Cynthia Benin

    Feds Refuse to Release Public Comments on NSA Reform — Citing Privacy

    Article by David Kravets

    The Obama administration’s newly professed commitment to transparency was called into question recently when the Office of the Director of National Intelligence (ODNI) refused to produce documents pursuant to a FOIA request for information about third-party proposals for managing NSA cell-phone metadata.

    The backstory: On January 17th, President Obama announced that he would explore several of the recommendations set forth by an outside review group he assembled to evaluate the NSA’s current practices and identify areas for reform.  One such recommendation would remove vast stores of bulk data from the government’s control and instead enlist third parties or cell phone service providers to store the data and pass on small bits of information to the government in response to specific queries.  Obama expressed skepticism at the feasibility of such arrangement but instructed the intelligence community and the attorney general to develop options and report back.

    In early February, ODNI chief James Clapper put forth a Request For Information (RFI) soliciting information “about existing commercially viable capabilities” for storing telephone metadata.  Twenty-eight proposals were received by the end of the submission period on February 12th. Wired magazine immediately submitted a FOIA request seeking release of these documents. Two weeks later, Wired received the response that the ODNI was withholding the material in its entirety.

    In its denial, the ODNI cited FOIA exemptions (b)(4), which corresponds to trade secrets and confidential commercial data, and (b)(6), which applies to personnel and similar files whose release would cause an “unwarranted invasion of personal privacy.” Wired contests the validity of such exemptions given that the RFI explicitly advised responding companies to “ensure that the submitted material has been approved for public release.” Wired is currently appealing the denial.

     

     

    Ben Notterman

    A February 25th article by Nate James of the National Security Archive examines the FOIA Oversight and Implementation Act, recently passed by the House and presently under review by the Senate Committee on the Judiciary. Despite well-documented frustration with the government’s general approach to issues of privacy, this FOIA reform bill has attracted relatively little media attention. James offers a useful analysis of how the bill in present form would improve FOIA and how, more notably, it would not.

    First, James approves of a provision requiring all agencies to update their FOIA regulations within 180 days of the bill’s passage. Many agencies have exacerbated FOIA’s shortcomings by failing to update regulations to reflect policy changes, including those required by the OPEN Government Act of 2007. The Federal Trade Commission, for instance, last updated its regulations in 1975. Given that society now depends more than ever on the free transmission of information, this sort of administrative inaction should not be taken lightly.

    Section Three of the bill calls for the creation of an online FOIA request system, enabling citizens to issue and track requests for all federal agencies through one “centralized portal.” While this system would almost certainly make FOIA more efficient and user-friendly, James urges Congress to “take the final, logical step and require that agencies join the 21st century” by posting all disclosures online, thereby extending access from a single requestor to the entire public, at no additional expense. (First-party releases would, of course, be excluded).

    James makes a good point. It is difficult to conjure up a legitimate basis for not posting disclosures online for the general public, such that “a release to one is a release to all.” Indeed, FOIA’s mandate for granting disclosures presupposes a right of access to all members of the public, not merely those willing and able to make requests. Online posting would more directly stimulate public debate and render FOIA more transparent, while avoiding redundant disclosures and lowering operating costs. Furthermore, when it comes to keeping the government in check, there is great power in numbers, for the gaze of a thousand voters is more difficult to ignore than the gaze of one. As James insinuates, excluding such a policy from the bill undercuts the administration’s purported commitment to a “new era of openness.”

    The bill does codify a general “presumption of disclosure,” a policy previously articulated in a 2003 DOJ memorandum from former Attorney General John Ashcroft. The presumption’s practical effect is unclear, however, since the burden of nondisclosure already rests with the government. Perhaps it was meant as a symbol of the administration’s renewed commitment to government transparency, to diffuse throughout the 101 agencies subject to FOIA. Of course, achieving government transparency requires more than airy declarations and symbolic gestures; more practical changes would focus on narrowing FOIA’s various exemptions.

    To that end, James targets a few exemptions he believes are particularly in need of reform. The first is provision b(3), covering all information “specifically exempted from disclosure” by other statutes. James points out that no fewer than 170 such statutory exemptions are triggered by b(3), covering a broad range of peculiar subject matter, from “cigarette additive information” to  “obscene matter”  to “information on watermelon growers.” As an alternative to b(3)’s categorical exemptions, James proposes the use of a judicial “harm test,” which would balance the government’s interest in nondisclosure with the public’s interest in learning the requested information. James also calls for revision of exemption b(5), excluding all “inter-agency or intra-agency” communications. To be sure, the sheer volume of information implicated by b(5) is enormous, and there is little to prevent agencies from exploiting this exemption prospectively, by framing documents as “internal” memoranda to provide basis for future nondisclosure.

    On the whole, I agree with James: the FOIA Oversight and Implementation Act is a small, yet significant step in the right direction. To achieve more meaningful reform, Congress must target FOIA’s capacious exemptions.

     

     

    Reagan Lynch

    http://www.politico.com/blogs/media/2014/02/house-unanimously-passes-foia-bill-184049.html

    House Resolution 1211, the FOIA Oversight and Implementation Act of 2014, received unanimous approval in the House of Representatives on February 25, 2014.  The bipartisan bill was co-sponsored by Darrell Issa (R-CA) and Elijah Cummings (D-MD).

    The bill would establish new procedures to increase the speed and efficiency of Freedom of Information Act (FOIA) requests including a centralized portal for filing FOIA requests under the oversight of the Office of Management and Budget (OMB) as well as mandating public disclosure of information when information is released to an individual pursuant to their FOIA request.

    The bill reached the Congressional floor in response to the following Executive Letter issued by President Obama: http://www.whitehouse.gov/the-press-office/freedom-information-act.  In the letter, President Obama advocates for a clear policy position that when in doubt, agencies should disclose requested information rather than maintaining confidentiality.  He obliquely addresses concerns about the retention of embarrassing or otherwise non-confidential material and encourages the Department of Justice (DOJ) and OMB to implement new policies encouraging full and frank disclosure.  For a more in-depth look at these issues, consider the 2011 study completed by the American Civil Liberties Union comparing non-redacted information disclosed by Wikileaks with the same documents obtained by subsequent FOIA requests. https://www.aclu.org/wikileaks-diplomatic-cables-foia-documents.

    In its current form, there may be some concern about the House bill’s centralization of the FOIA process through OMB.  An argument might be made that this centralization could tighten the reins on FOIA disclosures; however, by exposing the request to both OMB and the agency holding the requested information, it is likely that the agency will be more likely to disclose non-confidential materials that may otherwise have been retained in the interest of the particular agency.  Similar concerns might be raised about the provision for full public disclosure in response to a FOIA request.  Where perhaps an agency might have been less circumspect when disclosing to a single individual, disclosure in a public forum may create a presumption against broad disclosure and undercut President Obama’s push for broader disclosure.

    If the bill passes the Senate and is enacted, the merits of these procedural changes may be evaluated.  In combination with increased Executive Branch oversight through the DOJ, the bill will hopefully act to bring greater transparency and efficiency to the FOIA process.

     

     

    Rebecca Shieh

    http://www.bna.com/doctors-wary-cms-n17179882230/

    The Centers for Medicare & Medicaid Services (CMS) is reversing its long-standing policy on the release of Medicare billing data. Under its previous policy, the agency would not disclose physician payment data in response to Freedom of Information Act (FOIA) requests, finding the public interest insufficient. This was largely influenced by the permanent injunction issued in Florida Medical Association, Inc., et al. v. Department of Health, Education, and Welfare, et al. (M.D. Fla. 1979). There, the court reasoned that physicians had a compelling right to privacy that would be violated by the release of such payment information. The injunction was eventually dissolved by the Middle District of Florida on May 31, 2013, after media outlets investigating alleged fraud and abuse by physicians pushed for the release of the data. In light of this, CMS reversed its policy in a January 17, 2014 notice, which goes into effect on March 18. FOIA requests will now be reviewed on a case-by-case basis to determine if “exemption 6” applies. FOIA Exemption 6 protects information about individuals in “personnel and medical files and similar files” when the disclosure of such information “would constitute a clearly unwarranted invasion of personal privacy.” 5 U.S.C. § 552(b)(6).

    This touches upon the common tension between the public interest in disclosure and basic privacy interests. If the dialogue leading up to Sunshine Week (March 16-22) is any indication, physicians may experience further exposure of their coding and billing patterns as efforts to strengthen FOIA gain momentum. Just last month, the FOIA Oversight and Implementation Act passed unanimously in the House. The proposed legislation hopes to address some of the concerns brought up again during the March 11 Government Transparency hearing chaired by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. There, experts testified about a “culture of obfuscation,” extensive backlogs, and increased use of FOIA exemptions to prevent disclosure. A recently released federal agency scorecard by the Center for Effective Government supported this testimony, reporting long delays, inadequate regulations, and lack of user-friendly websites.

    The FOIA Oversight and Implementation Act would make it more difficult for agencies to withhold information and move more FOIA processing online. Changes include a presumption of openness which requires agencies to justify withholding information rather than requiring the public to justify release, a centralized online portal for all information requests, and the publication of documents requested three or more times. If such reforms come to pass, CMS will find it more difficult to deny requests for physician billing information and this previously unavailable data is certain to become more easily accessible.

     

    Robyn Lym

    The Definition of an Adequate Determination under FOIA

    Last April, the U.S. Court of Appeals for the District of Columbia ruled that in order for a government agency to comply with the FOIA deadline for a determination within 20 days, the agency’s response must be meaningful. Under FOIA, the requester must exhaust administrative appeals within the agency before the requester can sue the agency in federal court for not producing documents. If the agency complies with the request by the deadline, the agency has complied with its requirements under the statute and a requester must appeal within the agency to appeal the decision. If the agency does not comply with the request, the exhaustion requirement is satisfied and the requester may sue the agency in federal court. The court considered what constitutes a sufficient determination.

    The FEC and the DOJ argued that it is a sufficient response to inform the requester by the deadline that the agency will be producing nonexempt documents in the future and claiming exemptions. However, the D.C. Circuit held that agencies must state which documents they are producing, which documents they are withholding and why. The article argues that the interpretation of the statute proposed by the government would undermine the purpose of the statute, as allowing agencies to answer requests with vague language does not further the policy objectives of FOIA.

     

     

    Edward Rooker       

    “Freedom of Information Act law ‘terribly, terribly broken,’ expert tells Senate panel”

    Lejla Sarcevic, Washington Examiner

    The Senate Judiciary Committee is currently reviewing the FOIA Oversight and Implementation Act of 2014.  The bill, which passed the House unanimously in February[1], is being strongly advocated for by journalists who believe that the current FOIA law is ineffective. This article highlights the criticisms from the journalism community that were presented to the Senate Judiciary Committee by David Cuillier, the President of the Society of Professional Journalists, as well as from other individuals.

    A majority of the criticisms of the current FOIA system is the backlog of requests that have built up as a result of the lack of oversight.  The Center for Effective Government recently graded the 15 federal agencies that receive the most FOIA requests, placing a large amount of weight on an agency’s ability to process information requests in a timely fashion.[2] This report card resulted in 7 of the 15 federal agencies receiving failing grades.

    In response, the Department of Justice’s Office of Information Privacy, the group tasked with overseeing FOIA compliance within the executive branch, pointed out that of the 99 agencies subject to FOIA, 29 had no backlog at all and 73 have a backlog of one hundred requests or less.  Nevertheless, the backlog of FOIA requests does not seem to be getting any better.  As the article points out, the DOJ’s own backlog has worsened over the past three years.

    Members of the Senate Judiciary Committee also expressed their displeasure with the current system.  Senator Chuck Grassley (R-IA) said there was a “culture of obfuscation” among FOIA officials and Committee Chairman Patrick Leahy (D-VT) pointed out a 41% increase in the federal agencies’ use of FOIA exception 5.[3]  These issues combined with the current climate of public skepticism of government and a weakening of public support for government secrecy, even for issues of national security, seem to set the stage perfectly for Congressional reform of FOIA.

    The amendments proposed by the FOIA Oversight and Implementation Act of 2014 would address the failures of the current FOIA system and the backlog that has been created.  One of the proposed amendments would give increased oversight to the Office of Government Information Services of the administration of FOIA requests.  The bill would also create a presumption of disclosure for all FOIA decisions with an exemption only for a “foreseeable harm from disclosure.”  This change shifts the burden of proof from the requester to the government agency.  The amendments would also require the Office of Management and Budget to create a single website for submitting FOIA requests and checking on the status of such requests. The bill would require the agency to release information publicly once it is released to individual journalists.

    It doesn’t seem like this bill will face any opposition from the President.  The bill itself has been described as a mere codification of President Obama’s executive memorandum issued January 21st, 2009, the President’s first full day in office.[4]  With this in mind and the bill now sitting with the Democratically controlled Senate, it seems that amendments to the current FOIA system are imminent.  Only time will tell if these  amendments will bring the changes in government efficiency and transparency that the journalism community and the American public as a whole are hoping for.


    [1] Hadas Gold, House unanimously passes FOIA bill, Politico (Feb. 26, 2014, 10:45 AM), http://www.politico.com/blogs/media/2014/02/house-unanimously-passes-foia-bill-184049.html

    [2] This factor accounted for fifty percent of the grade.  The other half of the grade was based off of the rules an agency develops to shape its disclosure practices and the user-friendliness of the agency’s website. Center for Effective Government, Making the Grade: Access to Information Scorecard 2014 (March 2014), http://www.foreffectivegov.org/files/info/access-to-information-scorecard-2014.pdf

    [3] Exception 5 allows agencies to withhold information that is protected by legal privilege.  In 2013 this exception was used more than 79,000 times. Lejla Sarcevic, Freedom of Information Act law ‘terribly, terribly broken,’ expert tells Senate panel, The Washington Examiner (Mar. 12, 2014, 3:34PM) (quoting Senator Patrick Leahy), http://washingtonexaminer.com/freedom-of-information-act-law-terribly-terribly-broken-experts-tell-senate-panel/article/2545559

    [4] This memo focused a great deal on the “presumption of disclosure” and the need for new guidelines governing FOIA.  Memorandum from President Barack Obama to Heads of Executive Departments and Agencies, Freedom of Information Act (Jan. 21, 2009), http://www.whitehouse.gov/the-press-office/freedom-information-act

  • February 27 Panel 08

    Fanny Pelpel

    http://threatpost.com/justice-dept-eases-gag-order-on-fisa-national-security-letter-reporting/103903

    This article deals with National Security Letters (NSL) and the gag order that is applied with regards to them in particular. This issue has generated a lot of tensions over the years, especially from a First Amendment perspective, leading some service providers such as Google, Facebook, Yahoo and Microsoft to file lawsuits before the Foreign Intelligence Surveillance Court. That is why in January, a Justice Department ruling was released, aiming to ease this gag order and improve transparency.

    The author of the article explains the two options technology and telecommunications companies have: they will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests, or to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

    These new measures are interesting and debatable for different reasons. Firstly, as the article mentions, reporting on national security orders issued against data collected by new company products and services must be delayed two years. This alleged improvement is thus limited to established companies and does little to help start-ups and recently created ones in a transparency promotion campaign.

    The disclosure mechanism is not exempt from criticism either. Reporting these orders in increments of 1,000 could backfire, in the sense that while the purpose of it was to accurately reveal to what extent companies had to cooperate with intelligence agencies, the restriction from reporting the exact number of requests could mislead users.  However, the second option limits this drawback. But the underlying issue is that the number of requests and NSLs doesn’t necessarily reveal the importance of information disclosed by these companies, and the impact this collection of data could have on consumers’ right to privacy.

    I found this article insightful because it gives a broad view of the stakes of regulating NSLs, the tensions between ensuring the protection of national security, and the companies’ need to maintain trust with their customers for their business’ sakes, through the use of their First Amendment right to free speech.

     

     

    Lisa Lansio

    http://articles.latimes.com/2013/aug/09/news/la-pn-obama-patriot-act-oversight-20130809

    This article discusses President Obama’s news conference on national security and privacy concerns that followed Edward Snowden’s revelations of national surveillance programs. President Obama urged Congress to make changes to the Patriot Act, which would entail greater oversight and the implementation of safeguards for the protection of privacy of individuals. President Obama also recommended that Congress consider the possibility of allowing individuals to appear in court to contest the surveillance measures as applied to them.

    One of the programs that Snowden revealed to the media was an NSA program that allowed the NSA to collect virtually all American telephone calling records. President Obama mentioned this program in his speech and said that he was considering measures to restrict the NSA’s ability to collect this information. A proposal being considered by President Obama would require telecommunications companies to archive calling records themselves, which would then be available to the NSA if it obtained a warrant.

    Among the other proposals being considered by President Obama is a proposal to create a permanent staff of attorneys to advocate for private citizens in cases before the Foreign Intelligence Surveillance Court (FISC). Alternatively, the President is considering allowing outside parties to file amicus briefs to the FISC. This would allow FISC to hear arguments concerning privacy and civil liberties, which may influence the court’s decision-making process.

    While the President is considering supporting changes to the Patriot Act, he has also expressed his view that the Snowden revelations did not reveal abuses of the law and that the dedication to national security should remain a priority. The changes to existing surveillance laws must reflect a balance between national security and the civil liberties and rights of Americans.

     

     

    Courtney Chen

    http://www.nytimes.com/2013/09/14/business/global/china-hems-in-private-sleuths-seeking-fraud.html

    In August of 2013, Peter Humphrey stood before Chinese national television, handcuffed, donning an orange prison smock, and apologized to the masses for his indiscretions.  Mr. Humphrey, a British national, and his wife, Yu Yingzeng, confessed to illegally trafficking personal information via their Hong Kong-based company ChinaWhys, a business marketed towards foreign companies seeking to operate in China. The company claimed that it specialized in advising outside investors on fraud and cheating when dealing with the potentially risky Chinese market. However, investigators contest that the firm violated the law on more than ten occasions, buying and selling information that included details about the hukou personal registrations, automobile and home ownership records, family member names, and cross-border travel. The Humphreys profited from these infringements of the privacy of Chinese citizens.

    While the Humphrey incident is not unique in China, the arrest of Peter Humphrey illustrates the newfound interest that the Chinese government has purportedly taken with regards to data privacy. The country currently boasts a national population exceeding 1.3 billion people, over 40% of which are internet users; in 2012, online sales nearly reached a staggering $200 billion. China is in fact primed to surpass the United States in e-commerce transactions. With the internet becoming a pervasive component of business and society and digital footprints growing larger, officials have naturally become concerned with issues surrounding the ways Chinese companies collect and store information about internet users. The benefits that the internet brings have come at an inevitable cost: the loss of data privacy, making users more susceptible to data breaches and identity fraud. Perhaps more importantly, officials have recognized that protecting consumer privacy can increase international commercial interests. Despite China’s robust e-commerce market, some companies are hesitant about entering a foreign environment with dubious security measures.

    Although an omnibus privacy framework has yet to exist, the Chinese government has responded to concerns with a variety of piecemeal provisions. Notably, in 2013, the National People’s Congress enacted the first national standard on personal information protection, though the actual efficacy of the guideline has yet to be realized. After all, China and its “Great Firewall” is not historically known for embracing privacy with open arms. We will see within the upcoming years if its efforts produce actual results.

     

     

    Christina Schnurr

    https://www.accessnow.org/blog/2014/01/24/structural-changes-to-surveillance-court-offer-hope-for-new-protections-for

    Recall our class lecture and discussion about the privacy protections, or arguably lack thereof, for United States persons and non-United States persons under section 702. We noted that the statutory language limiting the government’s targeting program—for example, the government cannot intentionally target anyone located in the US and cannot intentionally target a non-US person for the purpose of targeting a person reasonably believed to be in the US—is broad and, consequently, cause for concern, particularly in light of the increasing use of ex parte proceedings before the Foreign Intelligence Surveillance Court (FISC).

    Attached is a link to an article by Drew Mitnick and Peter Micek for Access, an international human rights organization, suggesting structural changes to FISC that Mitnick and Micek argue will better protect the privacy of US and non-US persons: incorporating special advocates at FISC deliberations, increasing technical assistance to FISC judges, and changing the appointment procedures. While the recommendations for improving technical knowledge and diversity of viewpoints from the FISC judges are significant to protecting privacy, Mitnick and Micek’s recommendation for special advocates’ involvement is of particular interest to us in light of our in-class discussion about the concern that, currently, no person challenges or demands in-court clarification of FISC’s or the government’s statutory interpretation of “intentionally” or “reasonably believed” in authorizing collection of content under section 702.

    Mitnick and Micek provide a list of special advocate best practices to ensure various goals of reforms such as expertise, fair representation, accountability, and due process. In addition, they note that having a special advocate would ensure transparency through declassifications of certain FISC opinions—a highly desired element of reform, but often seen as too risky to national security because of the sensitive information found in some opinions. Mitnick and Micek also suggest special advocates have full access to join a FISC deliberation voluntarily rather than only by a summoning by a FISC judge. (It might be even more advisable to mandate the presence of a special advocate in all deliberations, but that is not mentioned in the article). The list of best practices, particularly the special advocates’ abilities to declassify certain opinions and join deliberations on their own initiative, are viable remedies to the concern that section 702 does not curtail government abuse because of the broad statutory language that goes largely unchallenged.

    To be sure, calling for a special advocate to challenge the government’s claims in FISC proceedings is not a novel reform idea—both reports by the Privacy and Civil Liberties Oversight Board and President Obama’s Review Group endorsed an independent public advocate—which perhaps indicates the receptivity by intelligence agencies and the practicability in implementation.

     

     

    Adam Mechanic

    Article by Eli Lake, February 17, 2014: Spy Chief: We Should’ve Told You We Track Your Calls.

     

    This article discusses an exclusive interview with James Clapper, Director of National Intelligence. In the interview Clapper admitted that public concern over the collection of their phone records by the government could have been avoided. Clapper is of the opinion that the American people would have been more comfortable with surveillance had the government been open about the necessity of it in the wake of 9/11, clearly explained how the process would work, and what the safeguards were going to be.

     

    Clapper explained that the initial program of surveillance after 9/11 was the origin of the program now codified in section 215, a formerly secret law revealed by Edward Snowden. Although Clapper has subsequently declassified a lot of material relating to 215, admitting that the government should have been more transparent is a dramatic departure for the Director of National Intelligence. The article points out that, in testimony in front of the Senate Select Committee on Intelligence, Clapper openly denied the collection of American citizens’ data. It seems clear that Clapper supported a policy of secrecy at some point, so perhaps the Snowden leaks and subsequent media scrutiny made him realize the error in such a policy.

     

    Would transparency from the outset have helped Americans feel comfortable with surveillance? One should keep in mind that a majority of Americans think that NSA phone tracking is acceptable in the context of fighting terrorism, but this majority is a small one: 56%. Perhaps people’s concern is more about the secrecy of surveillance and less about the actual surveillance itself, which would mean initial transparency would certainly have helped. The problem for the government also seems to be the media frenzy that occurred after the Snowden leaks despite the majority support for certain NSA activities. Overall, it seems that things could not have gone worse for the government than they did after the Snowden leaks, at least from a PR perspective, if they were simply honest with the American people at the beginning.

     

     

    Oren Hoffman

    Surveillance and the Big Tech Companies

    Last year, commentators heavily criticized technology giants such as Google, Yahoo, and LinkedIn for revealing troves of user data to the United States government in response to Foreign Intelligence Surveillance Act (“FISA”) requests and national security letters (“NSLs”).  The Foreign Intelligence Surveillance Court (“FISC”) is charged with overseeing FISA requests for surveillance, and the Court operates largely in secret.  NSLs are issued by FBI officials and typically have nondisclosure provisions.  Until recently, it was entirely unclear the volume and type of information internet companies were revealing to the government in response to these secretive requests.

    Google, Yahoo, Facebook, and LinkedIn sued the Department of Justice last summer.  These companies wanted to publicly reveal more information about the types and content of data requests they receive from the government.  The companies contended that their “businesses are hurt by any perception [that] they are arms of vast government surveillance.”

    The parties reached an agreement last month.  Under this new agreement, companies such as Google can reveal more information about the types and volume of data requests originating from the government.  These companies are also permitted to reveal how many customer accounts are affected by these requests.

    This agreement represents a minor step towards creating a more transparent surveillance system.  For instance, Google can only reveal the kind and volume of information the government is requesting, and how many users are affected.  This agreement did not impact the standard the government must establish for a FISC order or the nondisclosure elements of NSLs.

    Nevertheless, internet users can now begin to understand the breadth and volume of the government’s surveillance.  This new information will both inform the debate as to whether to curtail this type of surveillance and allow internet users to better identify what kinds of data they are potentially sharing with the government when using the web.

     

     

    Geetanjali Visvanathan

    http://www.nytimes.com/2014/02/26/us/justice-dept-informs-inmate-of-pre-arrest-surveillance.html?

    http://www.nytimes.com/2014/01/30/us/warrantless-surveillance-challenged-by-defendant.html

    Yesterday’s NY Times carried the third incident of the government serving a notice informing a US citizen of his pre-arrest warrantless wiretapping under the FISA Amendment Act, 2008 (FAA). Unfortunately, in this case the critical information was given to the defendant much after he had accepted the plea bargain.  This recent change in DOJ’s policy of issuing notices and informing defendants of such warrantless wiretapping is the result of Solicitor General Donald Verrilli Jr.’s statements made before the Supreme Court in Clapper v. Amnesty International USA, where he conceded that prosecutors were obliged to inform the defendants if they faced any such evidence.  Though last year the Supreme Court dismissed this particular constitutional challenge to the FAA on the ground of lack of evidence and standing, this issue is far from over.

    In January this year Mr. Muhtorov, a Colorado resident, who was the first to receive such a notice, filed a motion before the District Court of Colorado challenging the validity of FAA. The surprising part in Mr. Muhtorov’s case was that the FAA notice was given to him 20 months after the initial FISA notice, thus raising a reasonable suspicion that the prosecutors had initially informed the defense only about the evidence collected under a wiretap order and concealed prior evidence collected through warrantless wiretapping.

    Apart from challenging FAA on the ground of violation of the reasonable expectation of privacy, warrantless search and reasonableness standard under the Fourth Amendment, Mr. Muhtorov also argues that FAA’s targeting and minimization requirements permit the government to target any foreigner abroad for surveillance and to acquire and retain any U.S. persons’ international communications with (or about) those foreigners that relate to “the conduct of the foreign affairs of the United States”. Thus, FAA exposes every international communication, including by US citizens at one end, to warrantless surveillance, thus giving unfettered surveillance power to the government. In all probability this issue will again be before the Supreme Court and we can only wait and see how the Supreme Court determines it this time.

     

     

    Brian Wood

    Charlie Savage, “Warrantless Surveillance Challenged by Defendant,” The New York Times (Jan. 29, 2014)

    The Foreign Intelligence Surveillance Act (FISA) has been in the news a lot lately in the aftermath of the Snowden Leaks. The FISA Amendments Act of 2008 permits the targeted domestic surveillance of non-US persons for national security purposes. Up until now NSA has engaged in its FISA surveillance largely in secret, but there has been growing public consciousness and demand for transparency and judicial review of such domestic surveillance.

    Because of the secretive nature of the NSA in its surveillance pursuant to FISA, there are very limited opportunities to look into how FISA powers are being used, and just as few opportunities for the courts to review those powers. Just last month, two different district courts are now in the midst of first-of-their-kind legal actions that could promise future transparency.

    First, an Illinois District Court Judge ordered the government to turn over to a defendant classified information gathered pursuant to FISA surveillance conducted for national security purposes. “No defense lawyer has apparently ever been allowed to see such materials since the Foreign Intelligence Surveillance Act was enacted in 1978.” The court took this first-of-its-kind move over the protests of Attorney General Eric Holder, who in a sworn affidavit argued that such disclosure of confidential FISA material would threaten national security. The court considered Holder’s protest and considered the fact that defense counsel already had security clearance, and wrote that “[w]hile this court is mindful of the fact that no court has ever allowed disclosure of FISA materials to the defense, in this case, the court finds that the disclosure may be necessary….This finding is not made lightly, and follows a thorough and careful review of the FISA application and related materials.”

    Second, and the focus of the New York Times article, the defense in a Colorado District Court criminal case filed a motion to suppress evidence collected from the FISA-related domestic surveillance of the permanent-resident defendant. The motion, which can be found at http://www.documentcloud.org/documents/1010478-muhtorov-defendants-motion-to-suppress.html, argued that the surveillance amounted to a “search” in violation of the Fourth Amendment. “The fruits of the government’s surveillance of Mr. Muhtorov must be suppressed because the statute [the FISA Amendments Act of 2008] that authorized the surveillance is unconstitutional.”

    The defendants in both cases have the same immediate goals for relief: discovery and exclusion of the fruits of FISA materials. Bigger picture, both cases could bring the issue before the Supreme Court of whether surveillance under the FISA Amendments Act of 2008 amounts to a violation of the Fourth Amendment. In the Illinois case, defense counsel are holding off on challenging the constitutionality of FISA, which they may get to eventually in the event they need to argue for a mistrial; at the moment they are more concerned with discovery. On the other hand, defense counsel in the Colorado case are already actively challenging the statute’s constitutionality.

    Both cases are operating in the wake of last year’s Supreme Court decision in Clapper v. Amnesty International to reject a challenge to the 2008 Amendment, although the court did so on procedural grounds, finding that the plaintiffs could not prove that they had been the victims of wiretapping, and therefore lacked standing to challenge the law. The court came to this conclusion after Solicitor General Donald Verrilli “assured the justices that such defendants would receive notice, allowing anyone with proper standing to challenge the 2008 law.” However, as the Snowden leaks would help reveal, at the time when the alleged wiretapping took place in Amnesty International, the government had never put a large class of surveilled defendants on notice that they had been wiretapped.

    Since Amnesty International (and since the Snowden revelations), Solicitor General Donald Verrilli put pressure on the Justice Department to change its policy, which had previously not required giving defendants notice that they had been subject to FISA surveillance when that surveillance was an “earlier link in an investigative chain.” The Justice Department complied, and began going through its case files looking for defendants who had been subjected to early-stage FISA surveillance. The defendants in the Colorado case and the Illinois case are the only two defendants to have been given notice of their surveillance following this investigation, and as such, if either case were to go to the Supreme Court, neither would be knocked down on the same standing issue as Amnesty International, and the court may be forced to finally grapple with the FISA Amendment Act’s constitutionality.

     

     

    Sindhu Kandachar Suresh

    http://www.rightsidenews.com/2014022433911/us/homeland-security/fisa-the-nsa-and-america-s-secret-court-system.html

    This article focuses on the Foreign Intelligence Surveillance Court (FISA Court or FISC) created in 1978 as a result of recommendations of the Church Committee. Even though the primary function of the FISC was to double up as a protective measure against arbitrary activities of the intelligence services by requiring the agency to obtain warrants from the Court before intercepting communications and thereby bringing NSA under the realm of regular judicial supervision, the article looks at how FISC has failed to perform this essential function.

    The article looks at the secretive nature of the FISC which, unlike regular Courts, meets secretively and holds in camera proceedings with select few government representatives, lacking the required ‘due process of law’ with government being the only party to the proceeding. Further, a warrant sought for surveillance from FISC may authorize mass collection of information of millions of people for a long duration, which has been condemned by Judge Leon in Klayman preliminary judgment stating “… no court has ever recognized a special need sufficient to justify continuous, daily searches of virtually every American citizen without any particularized suspicion”. The Court’s role as a check in curbing the agency’s arbitrary surveillance activity is further diminished by the statistics provided in the article. For instance, in the 33,949 applications that were resolved from 1979-2012, only 11 were rejected (0.0324%).

    The overarching powers of FISC have expanded to conducting quasi-constitutional proceedings, allegedly validating the surveillance programs as being within the constitutional powers of the US government. This brings us to ponder on whether a Court which conducts secretive hearings in absence of affected parties and which fails to follow due process of law should be recognized as a Court at all.

     

  • February 20 PANEL 09

    Yael Tzipori

    http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/02/06/no-fourth-amendment-right-in-metadata-embedded-in-posted-photo-court-holds/

    On January 30, 2014, a judge of the Southern District of Texas determined that there is no reasonable expectation of privacy in the metadata embedded in a photograph posted on the Internet. The defendant in the case, United States v. Post, had uploaded child pornography images to a website, and investigators used publicly available software to scan at least one photograph for the precise location of where the photograph was taken. The photograph had been taken with a cell phone. When a cell phone is used to take a photograph while the location services feature is set to “on,” the camera will store the information from the phone’s GPS in the image file. Investigators were able to scan the image and determine the location at which the photograph was taken, and the location led them directly to the defendant.

    The defendant acknowledged that he had no expectation of privacy in the image itself, which had been voluntarily uploaded to the Internet, but argued that he did have a reasonable expectation of privacy in the metadata (the location information) embedded in the image because he had not intended for that information to be made public. The district court judge stated that there was no basis for dividing the image up based on the type of content it contained–when the defendant made the image publicly available, he relinquished his right to privacy in any of the information contained in that image. The judge analogized the situation to one in which a defendant voluntarily leaves his clothing at a crime scene, but does not realize that he has also left DNA evidence on that clothing. Leaving the clothing in a public place causes the defendant to relinquish any privacy interest in information contained on the clothing, “regardless of how he contemplated that clothing could be used.” Such a conclusion, said the judge, was equally applicable to the defendant in Post.

     

     

    Daniela Badiola

    States Address Privacy Concerns

    Post-Snowden revelations, states have taken it into their own hands to increase the privacy protections of citizens and individual residents. The states taking this action, by enacting stronger privacy protection legislation, are mainly addressing two issues: 1) the courts’ hesitancy to adapt fourth amendment jurisprudence to technological advances that create the capability to store & collect unprecedented amounts of data; and 2) the federal government’s inertia in amending privacy protecting legislation to reflect modern technological use & societal norms.

    In this week’s readings we have seen that while some courts recognize that new uses and dependence on technology render law like Smith irrelevant or wholly distinguishable regarding the NSA’s collection of metadata (Klayman v. Obama, 2013), others cling on to strict analogies to letters and telephones which could only be used to make phone calls (ACLU v. Clapper, 2013). As a result, 4th amendment jurisprudence regarding mobile phones, which serve as mini-personal computers rather than simple telephones, is extremely confused. In addition, legislation such as the Electronic Communications Privacy Act (ECPA) is inadequate in today’s context of mass data. As a result, states are fighting back.

    In Arizona and Tennessee state legislators have proposed, and will likely pass, legislation that bars the state from providing material support to the NSA. In addition, data collected without a warrant cannot be used as evidence in state court. The evidence ban creates a bright line test in the face of confused jurisprudence regarding an individual’s right to privacy from the government.

    In New Hampshire, a proposed bill requires that law enforcement obtain a warrant before searching “information in an electronic portable device.” This mirrors the holding in US v. Wurie (2013) which found that evidence found when a cop searched an arrestee’s phone without a warrant violated the 4th amendment. However, on appeal this might be reversed and other courts might disagree. New Hampshire’s law provides clarity. In addition, New Hampshire is also proposing a bill that will protect “expectation of privacy in personal information, including personal identifiers, content, and usage, given or available to third-party providers of information and services, including telephone; electric, water and other utility services; internet service providers; social media providers; banks and financial institutions; insurance companies; and credit card companies.” This is a necessary slap in the face to the third party doctrine – which taken to its extreme in today’s digital world – diminishes the 4th amendment protections to a mere novelty.

    Relying on out-of-date precedent, ignoring the modern reality that communication of information is not truly voluntary if one wants to participate in society, and not acknowledging the unprecedented scope of data collection possible using previously acceptable devices, courts have not adapted 4th amendment jurisprudence to adequately protect the privacy of American citizens. In its current gridlock, Congress cannot be depended on to make sweeping changes either. As a result, the states have stepped up to the plate. Although this is of little condolence to one interacting with a federal court, it is a step in the right direction.

     

     

    Kevin Thomas

    http://www.dotnews.com/2014/sj-court-decision-impacts-04-savin-hill-murder-trial

    A decision by the Massachusetts Supreme Judicial Court has the effect of throwing out “key evidence” against the defendant from a 2011 murder trial. The decision focused on law enforcement access to cell-site location information (CSLI). More specifically, whether the government needed to meet the traditional “probable cause” requirement for obtaining a warrant, or whether a court order for the information could be obtained through the much less demanding “specific and articulable” facts standard.

    Here the majority found that CSLI, as with GPS in Massachusetts, implicates the constitutionally protected interest of a reasonable expectation of privacy in one’s personal movements. It chose not to apply the same third party doctrine used in Smith v. Maryland and United States v. Miller to the acquisition of CSLI. Interestingly, the dissent distinguished the use of “call CSLI” wherein a user’s location is recorded during phone calls and “registration CSLI” in which the phone’s location is transmitted automatically every seven seconds.

    The District Attorney noted that, because of the gray area in the law, police have been obtaining warrants for this kind of information for years. As a result, this ruling will not impact very many criminal cases in Massachusetts.

     

     

    Jessica Heller

    http://www.nytimes.com/2013/09/10/business/the-border-is-a-back-door-for-us-device-searches.html?pagewanted=2&_r=0&hp

    This article discusses the ways in which the government can use border crossings to perform warrantless searches and seizures of electronic devices.

    The article specifically focuses on the case of David House, a former fundraiser for Bradley Manning’s legal defense, and the government documents that were released as part of House’s legal settlement with the Department of Homeland Security.  The government tagged House as a ‘person of interest’ because of his connection with Private Manning.  As a result, when House flew from Mexico to the U.S., immigration officials seized his computer without a warrant and performed a thorough search.  The documents revealed that after searching over 26,000 of House’s files, there was no evidence of any criminal wrongdoing.

    Though the government may lawfully perform warrantless searches and seizures of electronic devices because of the border crossing exception to the Fourth Amendment, in an increasing number of cases like House’s, it is being asserted that the government is abusing its power, and that power should be curtailed.  An A.C.L.U lawyer working on House’s case said that the government had abused its power to execute a search that “no court would have approved.”

    The government’s ability to skirt constitutional protections is particularly concerning given the high volume of searches on electronic devices.  In the last 3 years, Customs and Border Protection has conducted warrantless electronic media searches on an average of 15 people per day.

     

     

    Christine Kuveke

    http://www.nytimes.com/2013/10/02/technology/google-accused-of-wiretapping-in-gmail-scans.html

    This article discusses a lawsuit that has been brought against Google, alleging that it is wiretapping its users in violation of the Electronic Communications Privacy Act (ECPA). The plaintiffs assert that Google has acted illegally in collecting user data in Gmail and Street View. One practice, which is challenged, is the scanning of emails used to provide targeted advertisements.

    Google has argued that its users have consented to its practices by agreeing to its service and privacy policy. Consent is one of the ECPA exceptions that we discussed in class. Google has also argued that non-Gmail users have no reasonable expectation of privacy when they send emails to Gmail users. Another argument is that Google is entitled to protection under ECPA because it is acting in the ordinary course of business. The counterargument, of course, is that creating user profiles and providing targeted ads are not related to Google’s core business of providing email services. Two federal judges have ruled against Google in its motions to dismiss. One of the themes that runs through the article is the argument that ECPA is “stuck in the past and has failed to keep up with new technologies.”

     

     

    Nathan Monroe Yavneh

    http://www.nytimes.com/2013/05/08/us/politics/obama-may-back-fbi-plan-to-wiretap-web-users.html

    This article, by Charlie Savage of the New York Times, describes the policy debate that surrounds efforts to update the Communications Assistance for Law Enforcement Act (CALEA).

    CALEA, which dates to 1994, already requires phone and network carriers to build interception capabilities into their systems. Today, however, more people are choosing to communicate online, using protocols like VoIP. CALEA does not apply to such modern Internet-based methods of communication. This has prompted a concern by law enforcement officials, such as FBI Director Robert S. Mueller, III, that voice communication is “going dark” – that is, moving to media that law enforcement are not able to intercept.

    The FBI has put out two proposals to update CALEA in recent years. The first proposal, in 2010, would have required Internet communications services to build a backdoor into their systems which law enforcement could use for wiretapping. It would also have required those companies to unscramble encrypted data at the request of law enforcement.

    The more recent proposal takes a different tack, strengthening wiretap orders issued by judges. Under the proposal, a company would first receive notice that it may receive a surveillance request in the future. If it has received such notice, and fails to comply, it would be eligible for steep fines. This would have more teeth than the current law, which affords companies “wiggle room” to argue that they cannot surveil for technical reasons.

    There has been criticism of both proposals. Critics argue that it will stifle innovation, potentially driving tech startups overseas to countries where they would not have to comply with wiretap requests. Others worry about security, pointing out that any backdoors built into systems for law enforcement could also be discovered and exploited by hackers or other malicious agents.

    While it remains unclear what form the revisions to CALEA will take, this article indicates that we are at a crossroads with regard to government surveillance of the internet. As technology outpaces a two-decade-old law, some decision must be reached balancing the privacy interests of Internet users and the law enforcement interests of the government. The abandonment of the FBI’s 2010 proposal to require backdoors and decryption of communications seems to indicate that the balance has swung slightly in favor of users’ privacy, but beyond that it is difficult to predict.

     

     

    Siobhan Atkins

    Article: Chanakya Sethi, Do Americans Care About the Privacy of our Metadata?

    Every day, Americans share vast amounts of information with cell phone service providers, credit card companies, and Internet vendors.  The frequency and volume of information shared with third parties in the digital age raises an important question: do Americans truly “voluntarily” give away all such information, thus waiving any Fourth Amendment protections against that information’s collection? Or, given the degree to which citizens must share such data to participate in modern society, do Americans perhaps expect a greater degree of privacy now than ever before?

    This article briefly explores American sentiments towards metadata collection, and ultimately argues that Americans who disclose more information may expect more privacy in the electronic information they share.  The article first discusses findings made by the panel of intelligence experts convened by President Obama in December 2013 to evaluate the NSA telephony metadata program.  The panel argued that Americans’ extensive disclosure in the digital age does not reflect an increasing apathy about the information’s release to the wider world, but rather is a “necessary accommodation to the realities of modern life.”

    The article goes on to discuss a Pew Research poll that indicates that many Americans are increasingly concerned about the information available about them online – even, paradoxically, as they share more of that information with third parties.  Perhaps most interesting was the poll’s finding that those who have taken more steps to remain anonymous online are more likely than others to have posted information about themselves online – an indication that our desire for privacy may grow stronger in the digital age, even as we share more information about ourselves with others.

    The changing nature of disclosure in modern society, as well as shifting public opinions on privacy, may influence whether courts continue to use Smith v. Maryland as a guide in assessing the constitutionality of metadata collection programs. In Klayman v. Obama, Judge Leon cited the changing frequency and nature of phone use – and an Associated Press survey revealing increased concern about data privacy – in support of his argument that Smith is “of little value” in evaluating the Fourth Amendment claims raised by the NSA’s telephony metadata collection program.  In contrast, Judge Pauley argued in ACLU v. Clapper that the ubiquity of cell phones today “does not undermine the Supreme Court’s ruling that a person has no subjective expectation of privacy in telephony metadata.”  It will be interesting to see how – or whether – changing habits and public sentiment influence court rulings in the future.

     

     

    Paul Hanft (submitted 25 February)

    http://www.usatoday.com/story/news/politics/2014/01/20/poll-nsa-surveillance/4638551/

    http://swampland.time.com/2013/12/17/nsa-takes-a-hit-in-fight-for-american-public-opinion/

    These two articles from Time and USA Today discuss the overall public opinion of the American public on the NSA and its collection of metadata. The NSA has been trying to assuage the public that its collection of metadata phone records does not amount to domestic spying; as such, former public affairs officer for the Federal Bureau of Investigation and CBS correspondent John Miller featured NSA head Keith Alexander, who attempted to explain the NSA’s actions to the American public. The segment was heavily criticized for being inaccurate and the current public opinion leans heavily against the NSA with a 53% majority disapproving of the metadata collection program against 40% approving.

    President Obama’s most recent proposals, that a third party rather than the government hold the massive stores of phone metadata and that intelligence analysts would need a court order to search it except in emergencies, were also surveyed, and respondents expressed little confidence in them in protecting privacy. By a 73%-21% margin, those who paid attention to the speech say his proposals won’t make much difference in protecting people’s privacy.

    The article discusses Judge Leon’s recent ruling that the NSA’s broad collection of information from cell-phone records violates the constitution. Particularly bothering both to Judge Leon and likely to the public as a whole is the NSA’s ability to collect data without any particularized suspicion of wrongdoing and the inability of individuals to avoid government collection while simultaneously being integrated into modern life (that is, one generally must have a cell-phone).

  • February 13 PANEL 10

    Angela Lelo

    http://www.msnbc.com/msnbc/how-sotomayor-undermined-obamas-nsa

    This article’s author discusses the influence that Sotomayor’s concurring opinion in U.S. v. Jones has already had on the White House, federal judges, and legal scholars. To recall, Sotomayor asserted in that case that the third party doctrine is no longer tenable in the digital age where individuals routinely convey a vast amount of information about themselves to third parties.

    This article’s author suggests that Sotomayor’s position may have important ramifications for the NSA’s metadata program: Should the NSA’s metadata program ever reach the Supreme Court, “the high court will have to reckon with Sotomayor’s reasoning in Jones.”

    This article raises a number of questions: Faced with challenges from legal scholars and civil liberties groups, is the third party doctrine likely to lose its judicial stronghold? More pointedly, will Sotomayor’s stance evolve into the Supreme Court’s majority position over time?

     

     

    Benjamin Goldberg

    Article by Susan Lahey 5 February 2014: ECPA and A Reasonable Expectation of Privacy in the Digital Age

    Since we just discussed the ECPA in class on Wednesday, I thought it would be a good idea to find an article on ECPA for my blog post. As such a hot-button issue, ECPA seems to always be in the news and there was no shortage of recent articles. I chose an incredibly recent one that I thought also summed up a number of issues we discussed.

    The article, in summarizing a recent panel discussion on ECPA, focuses mainly on the cloud and the inherent privacy risks that the ECPA creates. As the article notes, the ECPA hasn’t been changed in nearly 30 years whereas technology has grown by leaps and bounds. One panelist noted that a computer in 1986 (the year ECPA was enacted) could only store the data equivalent of two digital photographs.

    The article, however, also did a good job noting the panelist who defended ECPA. That panelist questioned whether citizens can really have any privacy in the cloud. Since privacy laws were created to protect what was done in the home, communication done in a public forum arguably has no privacy right. Public activity such as cloud storage, tweets, Facebook posts, and information stored on servers in other countries shouldn’t be protected. The panelist further argued that people who store data in the cloud are trading privacy for convenience. The counter-argument, however, is that there is a difference between making information public and allowing the government to access your information.

    The article also discussed the growing problem of intimidation tactics used by some investigators to access information. As the article notes, “For example, an investigator might say ‘The attorney general isn’t going to be happy with your refusal to cooperate.’ As Robinson said, as an attorney, he knows to respond ‘The attorney general is your boss, not mine’ and require that any requests follow proper channels. A company who doesn’t have a staff attorney might not know to do that.” Furthermore, the investigators often don’t understand the technology and ask the hosting company to conduct the research for them. The panelist supporting ECPA surprisingly supported the idea of charging fees for those kinds of services.

    Finally, the article highlighted a discussion on the panel of what reforms to the law will be necessary going forward. Some ideas: protecting electronic information, limiting the discretion of certain agencies and lawmakers, and closing loopholes in the law.

    All in all, I really thought this article, though it only summarized a panel discussion, did a great job highlighting some of the main criticisms of the ECPA, put forth potential solutions, and also offered a balanced defense of the legislation as well.

     

     

    Andrew Choi

    http://dailycaller.com/2014/01/27/its-time-to-protect-data-in-the-cloud/

    This is an article in the Daily Caller that criticizes Obama for not providing a more clear vision for how he aims to bring more balance to surveillance and data collection activities of the government.  The article specifically proposes that the ECPA be updated and expanded to protect data in the cloud – which the article defines as private data stored on servers on the internet.

    The author, Stephen Titch, observes that cloud computing had not been conceived of at the time of the ECPA’s passage.  Moreover, cloud computing is unique in a number of practical ways that may require special treatment, at least with respect to government or third party access.  Unlike traditional information storage, information on the cloud is continually accessible by the user in a way that does not require location proximate to the storage location.  It is also used for a wide variety of promising practical applications (smart homes, driverless cars, and wearable computers) that are useful in personal everyday day-to-day activity.  Moreover, usage in these personal everyday activities requires the divulging and storage of massive amounts of personal data.  For instance, cloud usage in driverless cars would require constant divulging of one’s GPS location.  Hence, the article notes that “companies involved in cloud technology will require a high degree of trust and goodwill from the marketplace if consumers are going to feel comfortable sharing data.”

    Titch proposes extending ECPA protections to data that is collected in the cloud.  Titch thinks this is important because the United States has already lost a lot of political capital and public trust in the US government’s respect for information privacy.  He notes that a number of foreign companies have become hesitant or refused to store data in the United States.

    An ambiguity that Titch does not address is exactly how the ECPA should be modified to address cloud storage – or if in fact the ECPA needs to be modified to address it. On an obvious reading, cloud storage appears to be clearly covered under the Stored Communications Act. This would be most obvious in cases where the data stored are traditional documents (like .pdf documents, mp3 files and the like). That said, in the case of uses like driverless cars, much of the data may not operate as stored communication so much as transmission. Driverless cars may, for instance, be using the cloud as an intermediary for transmitting data between a GPS satellite, a remote Google computer and the driverless car. On this reading, cloud storage may be covered under the Wiretap Act, as accessing cloud information would essentially involve “intercepting” information passing (through the cloud) from a driverless car to a remote Google computer or GPS satellite. On another reading, cloud storage may be covered under the Pen Register Act, since much of the information stored in the cloud may be purely incidental or irrelevant to any content that a user intends to send (such as GPS location). This is to say, it is not clear if the ECPA needs to be modified to address cloud storage and computing, but it is not exactly clear if cloud storage is a distinct “kind” that needs to be covered by the ECPA. Information seemingly could fit under any of the three Acts, which would make the ECPA sufficient. However, this ambiguity, and the public conception of “the cloud” as a single type of medium, may be a good reason to explicitly designate “the cloud” as a type of medium that needs to be protected.

     

     

    Matthew Weprin

    http://www.forbes.com/sites/jennifergranick/2014/01/24/told-ya-so-nsas-collection-of-metadata-is-screamingly-illegal/

    Forbes recently posted an article titled “Told Ya So: NSA’s Collection of Metadata is Screamingly Illegal.” The article claims that not only does the NSA’s metadata collection violate the constitution (specifically the Fourth Amendment), but that it is also forbidden because no law authorizes it and several laws forbid it. The NSA relies on section 215 of the Patriot Act which allows the FBI to obtain court orders for companies to produce “tangible things” that are “relevant” to an authorized foreign intelligence investigation.

    The Privacy and Civil Liberties Oversight Board (“PCLOB”), a blue-ribbon panel looking into this issue, found that section 215 does not provide an adequate legal basis to support the program because (1) telephone records acquired under it have no connection to a specific FBI investigation, (2) they are collected in bulk and cannot be regarded as “relevant,” (3) it obligates telephone companies to furnish new calling records rather than just turning over records in their possession, and (4) the statute only permits the FBI to obtain items for its investigation rather than the NSA.

    The article argues that not only is the NSA metadata collection not authorized by section 215, but it is also prohibited by the Electronic Communications Privacy Act (“ECPA”). Sections 2702 and 2703 of the ECPA prohibit phone companies from sharing their customer information records with the government except within a specific set of enumerated circumstances that does not include section 215 orders. This article presents a compelling case that the NSA metadata collection is not just unauthorized but actually violates the law. The secrecy of the program and the judicial proceedings related to it make it very difficult for the public to understand that the law is being violated and even harder to fight back against it.

    However, the article is also a bit one-sided and may overstate its case by claiming that this metadata collection is “screamingly illegal.” The article claims that the data collection violates the fourth amendment as if it is a given, but the truth is more complicated. Under some relevant case law, the collection of metadata arguably is not a fourth amendment search because metadata does not constitute the content of the call/message. While there is an argument that the scale of data collection makes this unconstitutional, the article does not address it and just takes the fact that metadata collection is unconstitutional as a given. The article also overstated how obvious it is that the metadata collection violated the law.

    Overall, this is an interesting article that does a good job explaining the laws that we studied in class and how they connect to the NSA metadata collection program in layman’s terms. It also provides a good summary of the findings of the PCLOB. However, by overstating its case, it loses some credibility. The authors would have been better off explaining the complexity of the counterarguments to their article in more detail rather than simply dismissing them as obviously wrong.

     

     

    Sarah Sullivan

    http://www.digitaltrends.com/web/the-digital-self-can-the-4th-amendment-fit-in-140-characters/

    We are living in a time that is completely dominated by social media. Many people maintain a presence on several different social media platforms. We put an unprecedented amount of information out into the public sphere through these services, but most people have probably not considered the implications that third party doctrine could have on these social media communications. This article considers how third party doctrine could affect social media communications, including the potential privacy implications and the possibility for future development in this area of law.

    Third party doctrine developed several decades ago, with the Supreme Court decisions in Smith v. Maryland and United States v. Miller. These cases found that warrantless government access of information individuals had shared with a third party – in Smith the information was shared with a phone company, and in Miller it was shared with a bank – was not a Fourth Amendment violation. The Court in Miller explained, “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” An individual would have no legitimate expectation of privacy in any information shared with a third party, and the government would be free to obtain that information without a warrant.

    Based on the Miller and Smith cases, it seems clear that social media platforms such as Facebook would be considered third parties. This raises the concern that any information shared with them would therefore be available to the government without raising any Fourth Amendment violations. However, there have been significant technological developments since those decisions, and the Court has never ruled on third party doctrine as specifically applied to third parties in the digital age. The article notes that Justice Sotomayor’s recent dissent in United States v. Jones left open the possibility that the law could be changing in light of these concerns. She wrote in her dissent, “all information voluntarily disclosed to some member of the public for a limited purpose” is not necessarily “disentitled to Fourth Amendment protection.”

    The article fleshes out the issue at hand by noting that while email communications have been given Fourth Amendment protection in spite of the third party implications, social media raises different, unique concerns. We do not yet have an answer on whether things like tweets or Facebook status updates are entitled to any Fourth Amendment protection – the article points out that “[c]ourts are still divided” and have “not yet [provided] clear guidance on this issue.”

    The article goes on to raise a number of interesting questions to consider as we wait for courts to address what constitutes search and seizure or reasonableness for purposes of the Fourth Amendment with regard to social media. Although people who use social media have some understanding that their communications there are not completely private, many of these platforms have privacy settings or terms of use that address privacy concerns. In spite of the decision to share this information with the public, many people still strive for privacy and ways to protect their internet and social media communications.

    Is this enough to constitute a reasonable expectation of privacy under the Fourth Amendment? Perhaps not, and the article even suggests that our widespread use of social media could actually be eroding our privacy rights, claiming “the very act of sharing parts of your life online, or agreeing to hand over your data recklessly, potentially weakens the constitutional protections awarded to us all.”

    Whatever implications social media has for our privacy rights, Alan Butler, Appellate Advocacy Counsel for the Electronic Privacy Information Center (EPIC), asserts, “courts will be forced to update their Fourth Amendment analysis to adjust for new technologies.” In the meantime, all we can do is wait for the courts to clarify how third party doctrine will affect social media privacy. This is clearly an area of law that is ripe for further development.

     

     

    Christina Skaliks
    http://bits.blogs.nytimes.com/2013/06/09/intelligence-agencies-and-the-data-deluge/?_php=true&_type=blogs&_r=0

    Given our discussion of the ECPA and the third party doctrine I decided to look for an article discussing the protection, or lack thereof, for cell phone meta data.

    This article raises several issues we identified in our discussions of U.S. v. Jones and the ECPA. Specifically it addresses Obama’s statement regarding the NSA surveillance program that the NSA was not listening to citizens’ phone calls or reading their e-mails. The article rightly states that this distinction between content and non-content is disingenuous. This distinction aims to reassure the American people that their expectation of privacy is not being violated or at the very least minimally invaded. As the author points out, while metadata may not contain what is traditionally thought of as “content”, it can be very revealing. Meta data can provide insight about an individual’s location, political affiliation, social network and location. Further, according to the article and a Nature study cited in the article, “four data points about the location and time of a mobile phone call made it possible to identify the sender 95 percent of the time.” The article also focuses on how metadata is more valuable to the NSA as it cuts down on the traffic the NSA must assess and is easier to organize, and detect patterns.

    Given the value and power of metadata, it is concerning that there are gaps in its protection under current privacy law. Metadata does not appear to be sufficiently protected under the ECPA. The article notes that metadata is the “least protected form of communications information”. The NSA reportedly was gaining access to cellular metadata under the Pen Register Act. This means they gained the metadata upon a showing that the information likely to be obtained was relevant to an ongoing criminal investigation.

    Given the Court’s acceptance of the third party doctrine, even the judicial system could fail to protect one’s expectation of privacy in his or her metadata. This article brought to mind Justice Sotomayor’s discussion of the third party doctrine in her concurrence in US v. Jones.  As Sotomayor noted, the third party doctrine is ill suited to the digital age.  As technology advances, individuals are sharing a wealth of information about themselves without realizing the implications of their actions. An individual may understand that their cellular phone will reveal their location to their service provider, but they may not reasonably suspect that “their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits…”

    Overall, I think this article is useful in understanding the basic objections in the recent NSA surveillance controversy.

     

     

    Dave Hamell

    Verizon Issues First Transparency Report, Revealing Widespread Collection of User Location Data

    In the months following former National Security Agency (NSA) contractor Edward Snowden’s leak of a large number of top secret NSA documents revealing that the agency’s broad surveillance programs were sweeping in the information of millions of domestic electronic communications users, internet giants such as Google and Microsoft, and later, telecom providers including AT&T and Verizon, have petitioned the Justice Department for permission to release information related to government requests they’ve received that seek user information. After negotiations with the government over the content and format of permissible disclosures, certain companies are beginning to publicly report such information. On January 22, 2014, Verizon released its first Transparency Report for the 2013 calendar year. The first report of its kind from Verizon, with significantly more detail than reports previously released by other companies, the Transparency Report adds a significant amount of clarity to our understanding of the type and volume of government requests for caller information – an understanding that has previously been clouded by incomplete data on requests for information relating to the location and identities of targeted callers, which law enforcement officers obtain by subpoena, or by court order under the Pen Register Act (PRA), and certain expansions thereof under the FCC’s interpretation of the Communications Assistance for Law Enforcement Act (CALEA). The report reveals a startling number of information requests, particularly by subpoena, and under the broader and more lenient provisions of CALEA.

    In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), which significantly updated the law governing the ability of law enforcement agencies to intercept oral communications made telephonically or through other electronic media, and access content and user information related to non-oral communications sent and stored electronically. The PRA was passed as Title III of the ECPA, and specifically addressed law enforcement’s capabilities to obtain the telephone numbers dialed from a particular targeted telephone (traditionally obtained in real time through a device known as a pen register), as well as the numbers of incoming calls to that targeted telephone (traditionally obtained in real time through a trap and trace device). A court order to use such devices would be issued upon a showing that the information likely to be obtained through their use would be relevant to an ongoing investigation – an exceedingly low standard, particularly as compared with the requirement supported by a showing of probable cause necessary for a court order to be issued under other provisions of the ECPA. In response to the emergence of new communications technology which created barriers for law enforcement agencies attempting to access information transmitted or stored by communications carriers, in 1994 Congress passed CALEA, which at its core, requires that all telecommunications providers have a means to provide law enforcement agencies with information they have legal authorization to access in the course of an investigation. In a case challenging the surveillance capabilities that were interpreted by the FCC as necessary for telecommunications companies to provide under CALEA, the D.C. Circuit court upheld the requirement that carriers make available the physical location of the antenna towers that mobile phone users connect to throughout a call. 
    Analogizing to the location information typically obtained by accessing phone records gathered from pen registers and trap and trace devices, the court reasoned that providing access to such location information from antenna towers instead, was not an expansion of previous law enforcement capabilities under the PRA, and was thus consistent with CALEA’s legislative mandate. Notably, however, because such information is not obtained under the PRA – because no pen registers or trap and trace devices are used in the collection of location information from antenna towers – the authority for gathering such information falls under CALEA, backstopped only by the 4th Amendment, which does not generally protect such information.

    While the Transparency Report revealed that only approximately 6,300 pen register and trap and trace device orders were received, Verizon disclosed that approximately 35,000 requests to produce location information were received. Among those, 11,000 requests were pursuant to warrants, while 24,000 requests were pursuant to court orders. These numbers show a disturbingly great desire for user location data. For example, Verizon received around 63,000 general orders, half of which it described as requiring “the same types of basic information that could also be released pursuant to a subpoena.” This would include information such as user names, addresses, and a list of phone numbers called, which law enforcement officers can obtain by subpoena, in the course of an investigation without judicial approval. Location data is particularly sensitive to many people, as it reveals not only who we were, but where we go. The fact that less than one third of this information was obtained pursuant to a warrant – only issued upon the requisite showing of probable cause mandated by the 4th Amendment to the U.S. Constitution, which many citizens believe is the standard that must be met before their personal information can be gathered by law enforcement agencies – illustrates the high rate at which such information is being disclosed pursuant to a far lower standard.

    Still more unsettling, is the revelation that 3,200 warrants or orders were for “cell tower dumps.” According to the report, “[i]n such instances, the warrant or court order compelled [Verizon] to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time.” Such requests seem inherently overbroad, and as described by the ACLU, are “ripe for misuse.” For example, in one known instance, police in Michigan requested a cell tower dump to gather information on all cell phones that were congregated in a particular area, because of purported concerns of a possible riot. There was, however, no riot, and it was discovered that the only planned congregation in that area was an organized labor protest. As described by Stephen W. Smith, a federal magistrate in Houston, prosecutors have been using requests for location information as “a surreptitious tracking device,” demonstrating that law enforcement has conceived of methods for using location information that are far more insidious than a mere ex post examination of user data.

    Verizon reports that such requests are up substantially from 2012, and are expected to continue to rise. While Verizon has taken an important first step toward increasing the transparency of law enforcement surveillance practices, other carriers should follow Verizon’s lead and provide statistics that are more disaggregated. Moreover, the Justice Department should recognize the great public interest in increased transparency and enable Verizon and other carriers to issue more comprehensive disclosures with data disaggregation, and report more detailed explanations of the type of information requested, the effect on individual users, and the legal basis for such requests. Absent Congressional action or a change in law enforcement practices, only increased disclosure and transparency can assure the public that surveillance abuses are not taking place.

     

     

    Joanne Luckey

    http://www.technologyreview.com/news/523981/android-app-warns-when-youre-being-watched/

    For all of you Android users, there’s an app for that. The Android app alerts users when their location data is being accessed by apps on their phones. It also identifies which apps are accessing the information. It will be available in Google Play in the next couple of months. There’s also an app available in the Apple Store called ProtectMyPrivacy. Unfortunately for iPhone users, the app requires the users to first jailbreak their phones.

    I included this article because I thought students might find it useful.  The developer of the Android app hoped that it would encourage Google and Android apps to provide more prominent disclosures and collect less personal information.  Ultimately, consumers will decide whether they want to exchange their privacy for Flappy Bird and Facebook, but at least they will know that they are making that choice.

     

  • Agricultural Privacy?

    Here’s the story I mentioned at PRG today about farmers giving their farm data to big agricultural companies for analytic purposes. I think the article calls to mind the lack of focus on non-urban subjects when we talk about surveillance and privacy, something I’ve been thinking about recently since many of my truckers come from rural backgrounds. Taking rural contexts seriously might illuminate some surprising forms of monitoring, like this farm program, that are emerging.

  • iBeacon might be a scary tracking tool. It might also become a Privacy Enhancing Technology

    A recent article in Wired describes iBeacon, a new Apple technology that profoundly increases automatic information sharing capabilities between devices. Based on Bluetooth Low Energy, the technology is already built into new Apple and Android devices, and is spreading rapidly thanks to new products and services that support it.

    At first blush, this looks like a scary new tracking tool, which allows information to seep imperceptibly from our smartphones to myriad other object-imbedded devices. It also enables pinpoint location tracking. Not surprisingly, the first marketing uses of this technology are already beginning to appear in stores like Macy’s. The privacy implications of cheap Bluetooth devices snatching our personal information out of the air are easy to imagine, and are scary.

    So why do I think this might also become a Privacy Enhancing Technology? Simple. By making interactions between electronic devices more closely tied to our physical interactions in real space, it can become easier for people to understand the meaning and context of those interactions. It has been a recurring complaint that electronic data flows have broken down expectations about the ways that physical spaces mediate information flows about people. By bringing the electronic experience closer to the experience of being in a physical environment, people will better understand and accept the context of those digital interactions. For example, I would far rather receive a coupon because I am in a store here and now, than find a coupon in e-mail or Facebook when I am comfortably at home and don’t want to be marketed to.

    So of course, the people behind Bluetooth LE applications will have to solve lots of issues with security, notice, choice, opt-in or opt-out, and secondary uses of information gathered through these devices. Applications using this technology should be designed to respect the physical boundaries they exist in. But if app developers get it right, digital interactions in the real world might, just might, feel a little more natural.

  • IAPP Westin Research Fellowships

    Of possible interest from Omer Tene:  Established in 2013, the IAPP Westin Research Center was created to encourage and enable research and scholarship in the field of privacy. Each year, the IAPP welcomes two or more recent graduates to spend 12 months on site with our team, reporting to the VP of Research and Education, and working on a broad array of privacy research projects. The fellowship program, which bears the name of Dr. Alan Westin, serves as a pathway for future leaders who aspire to join the privacy community. The IAPP provides the fellows with ample opportunity to engage with the privacy community, participate and present in major conferences and events, and communicate on a daily basis with leaders of the profession from around the world.  The application process opens on January 1, 2014, and closes on February 28, 2014. Interviews will occur for some applicants in March, with final decisions expected at the end of March. Fellowship terms generally run from September through August of each year.  For additional details about the fellowship and application process see the fellowship website.

  • Are access and correction tools, opt-out buttons, and privacy dashboards the right solutions to consumer data privacy?

    The past year has seen consumers being given new tools to control the data that advertisers and data brokers collect about them. These developments might point to a new direction in consumer data privacy and are provoking live debate.

     

    Consumer data broker access and correction

    In September 2013, data broker Acxiom announced the launch of a new website, Aboutthedata.com, which allows individuals to view and correct information that Acxiom collects about them, as well as opt out of inclusion in its products for advertisers. The new website marks a first attempt by a large consumer data broker to allow consumers some tools to view and correct data about themselves. Other data brokers have not yet followed suit.

    In a recent panel, FTC Commissioner Julie Brill commended Acxiom’s move, but nonetheless said that data brokers should do more to give consumers better knowledge and control over their data. But the site has major shortcomings. It does not show consumers all the information collected about them, the information is often riddled with errors, and consumers may only opt out of Acxiom’s advertising products, but not out of those used for employee screening and fraud detection. Stories of Acxiom’s poor data quality have also appeared in the Wall Street Journal and Business Insider.

    Meanwhile, in recent months, Julie Brill announced her own initiative –  “reclaim your name”. The initiative will encourage data brokers to voluntarily adopt an industry standard and join an online platform for giving consumers access to data collected about them, allow them to opt out, and give them the opportunity to correct information about themselves. Details remain sketchy, for now.

    Of course, Google has for a while now allowed users to view and alter the demographic data and interests inferred from users’ search history, their clicks on advertisements, and their YouTube viewing records, as well as opt-out of targeted ads. Like Acxiom’s inferences, these too are frequently far off the mark.

     

    Opting-Out of data aggregators

    A number of data brokers besides Google and Acxiom (such as BlueKai and Rapleaf) allow individuals to opt-out of their advertising products. None of the data brokers offer consumers, as yet, the choice not to have information about them collected altogether. In fairness, doing so would be difficult for brokers, since they typically acquire large databases of information from a wide array of sources, and only rarely interact with data subjects directly.

    But that is changing, at least a little.

    Recently, the Digital Advertising Alliance (and its European affiliate, the European Interactive Digital Advertising Alliance (EDAA)) launched Ad Choices and YourOnlineChoice.com, which allow users to opt out of ad networks’ and data brokers’ tracking cookies. The self-regulatory initiative also includes a code of conduct, an information website for consumers about industry practices, and a little icon on banner ads to signal their participation in the initiative.

    Unfortunately, the “opt-out” option in these websites presents users with the paradoxical choice of having to change their browser settings to accept a special “opt-out cookie”, even if they usually block third party advertiser cookies. (EU users can also install the “protect my choices” browser extension to solve this problem). Bewildered users find themselves in a situation where two privacy-enhancing technologies are at odds with each other, and they are left guessing which will protect their privacy better. For now, the Ad Choices website is running in Beta and is still buggy.

    Meanwhile, all this attention to tracking cookies may soon become obsolete, as Google, Microsoft, and Facebook prepare to employ new technologies to track users that bypass cookies altogether, and track users directly through the identifying numbers in their devices.

    Dashboards

    Privacy dashboards, those consolidated lists of privacy options, have been touted as the “right” approach to privacy control (see, e.g. support for privacy dashboards by the FTC and World Economic Forum, to name a few).

    But do privacy dashboards always make controlling privacy easier?

    Google’s privacy dashboard and other privacy tools allow users to access information collected about them (their account activity and web and YouTube viewing history) and to control many privacy settings. But these options are only available to users who sign in under their Google+ account. At the same time, Google’s privacy policy makes clear that it also collects information on users who do not sign in under a Google+ account.  Thus, users again face a paradoxical choice: Sign in to Google’s services and use them in an identified manner, and you are allowed to control your privacy settings. Use those services anonymously, and you might still be tracked, but are given no privacy options at all.

    Or consider Facebook’s recent privacy decisions. In the past year, Facebook took away the option not to be searchable by name. What’s more, since Facebook’s Graph Search was rolled out in January, it became possible to find users in ever more sophisticated ways rather than by name alone. It is now much more complicated to maintain one’s privacy on Facebook. Although users can still control what content others can see, asserting one’s privacy requires many more specific settings for specific kinds of content, and can no longer be achieved with a single privacy option.

     

    Does having more control tools mean better privacy?

    Allowing consumers a chance to access and correct information collected for marketing purposes will test the claims that consumers actually desire more relevant and personal advertising and become less nervous and more accepting of tracking when they are able to see the information and understand how it is used. This narrative comports well with the FIPPs model of privacy, which associates privacy with individual choice and autonomy, and fits in with the modern mantra that privacy policy should regulate data uses, not data collection.

    But critics may chuckle at the suggestions that consumers will benefit from correcting data brokers’ misinformed guesses about them. As some suggest, the entire endeavor is simply a stunt to deflect criticism of the consumer data industry over its unfettered gathering of data by shifting the burden of privacy protection on to the shoulders of consumers themselves.

    Whichever the case, the access and correction trend departs from the “opt-out” view of privacy, which casts privacy as entirely antagonistic to consumer targeting. “Opt-out” is inherently contradictory. On the one hand, consumer data brokers have long argued that aggregated consumer data is the key to giving consumers what they really want – more relevant ads (and the free stuff it pays for). At the same time, they acknowledge that users deserve a right to privacy, which they interpret as opting-out of targeted advertising databases. The result: data brokers begrudgingly give users the opportunity to opt-out, but hope they will not exercise this choice.

    What’s more, companies that offer an “opt-out” option (like its cousin, the “unsubscribe” option in some spam messages), and privacy dashboards insist on retaining the power to control the means and the terms of the opt-out. Thus, paradoxically or not, the provision of opt-out options and dashboards goes hand in hand with the development of ever more powerful gathering abilities that circumvent or make obsolete privacy-enhancing options built into internet browsers, or added on to them.

    But here we should pause and wonder – what would a truly privacy-respecting advertising industry look like?

     

    Some interesting initiatives

    If the state of consumer access and control to data appears unsatisfactory, there are a few interesting initiatives that are thinking of new digital applications that will put more control in the hands of individuals over the data they share with businesses (thanks to Doc Searls for these references):

    Vendor Relations Management (VRM): The idea is to give users digital tools to communicate and maintain their own relationships with the businesses, without being dependent on the marketing and Consumer Relations Management (CRM) platforms of those businesses.

    The UK’s MiData initiative aims to give users better access and tools to understand the data gathered on their use habits by phone, electrical, bank accounts, and credit cards. The motivation is not so much to protect privacy as it is to empower consumers and help them make better choices.

    MesInfos – A French initiative, whereby 300 participants are allowing application developers to access personal information gathered about them by a number of key partner organizations (a bank, mobile provider, Google, the post bank, an insurance company, a retailer, etc.) over a six-month period. The developers will then build innovative applications and services around this data for consumers’ own use, while researchers study the impact of the new applications on the habits and opinions of the participants.

    Any thoughts? Know of any other privacy tools or consumer transparency tools? Please add to the conversation.