Tag: Information Privacy Law Spring 2013

  • CISPA and Cyberspace Anonymity

    By: Ross Woessner

    Great controversy surrounds the proposed Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House and is currently in the Senate.  The bill provides for voluntary information sharing between private companies and the government in order to prevent or mitigate cyberattacks.  For example, if the government detects a cyberattack threatening Google or Twitter it could inform those companies of the threat; likewise, Google could notify the government if they detect suspicious activity on their networks.  Part of the bill’s rationale is the increasing number of cyberattacks on American companies emanating from China and Iran.

    This has alarmed civil liberties groups because of the ease with which private communications companies can share users’ information with the government.  CISPA is written broadly enough that such companies could provide someone’s text messages, emails, or cloud-shared files.  The bill authorizes such disclosure “notwithstanding any other law,” which according to the Electronic Frontier Foundation, “essentially means CISPA would override the relevant provisions in all other laws,” and thus creates “a cybersecurity loophole in all existing privacy laws.”

    But as Solove and Schwartz note on page 590, Internet “anonymity is quite fragile, and in some cases illusory.”  Indeed, Business Insider has noted that CISPA merely legalizes already common cybersecurity practices.  The Electronic Privacy Information Center (“EPIC”), through a FOIA request, obtained documents that describe a well-established information sharing program between the Department of Defense, Department of Homeland Security and private companies, including immunity provisions for private companies.  This is particularly worrisome because the Obama administration has publicly threatened to veto CISPA “while privately granting immunity to [private companies] as they collaborate with government agencies to evade wiretapping laws.”  Thus, CISPA’s practical impact would be minimal because the practices it authorizes are already widely used.

    http://www.pcmag.com/article2/0,2817,2417993,00.asp (“What is CISPA, and Why Should You Care?”)

    http://www.businessinsider.com/cispa-legalizes-common-secret-practices-2013-4

  • Domestic Security

    By: Elena D. Lobo

     

    The past two weeks have brought about events that are surely making many government officials and privacy scholars think about our current policies in a new light. In some ways, what occurred in Boston reawakened fears that we felt in the aftermath of the 9/11 attacks in 2001. Additionally, in the same week, mysterious ricin-laden envelopes were sent to the White House. Homeland security is now forced to make decisions with respect to many of the issues we examine in a class like Information Privacy. The Boston bombing turned into a manhunt that upended what was set to be a beautiful, patriotic Monday; and suspects have been apprehended in the mailings incident. The main difference between these events and those that occurred in 2001, however, is that the perpetrators of these incidents (as far as we know, and as far as the news media/government has told us) were American citizens.

     

    The aftermath of the 2001 attacks resulted in an overhaul of our privacy regulations. The Patriot Act was passed with very little opposition. Many were generally ok with it because the people we were being protected against, the terrorists, were “out there;” they were the “other.” Well, it appears that now terrorists can be “one of us.” Once again, privacy laws are being questioned, and similar discussions are taking place about how much privacy we are willing to give up in the name of anti-terrorism and public safety. The information privacy regulations once saved for foreign terrorism suspects are now threateningly able to be used at home. Does the fact that we have more and more American citizens participating in terrorist activities mean our privacy policies will have to expand to include more and more surveillance of Americans?

     

    What is becoming apparent is that the once nebulous idea of “terrorism” that we have generally been so quick to blame for various atrocities we fall victim to as Americans is starting to bump up against a thinning border between “us” and “them.” And our government has to respond. In fact, all governments do. Scott Helfstein argues in an article in Foreign Affairs that security surveillance needs to become more globally cooperative. Of course, this sounds ludicrous. Why would we share our intelligence with say, post-Arab Spring countries, for example? We may be able to help each other….but would it endanger us much more than it would help? That is the fear, but is there a way to get the benefit without compromising our own national security? http://www.foreignaffairs.com/articles/139337/scott-helfstein/intelligence-lessons-from-the-boston-attacks

     

    As far as we know, the channels are already open for increased surveillance. In fact, it is nearly impossible to know how much nonconsensual surveillance is already being conducted. We know that the CIA and the FBI can request access to emails sent 180 days prior without a warrant or judicial review of any kind. We know that FISA allows surveillance of international communications made by Americans. We know that the Department of Homeland Security trolls our Facebook and Twitter accounts for buzz words that may lead to further monitoring. And now we know that the IRS can access our emails without a warrant, in the name of policing tax law criminals. (http://www.washingtonpost.com/blogs/post-politics/wp/2013/04/23/ma-senate-candidates-feud-over-homeland-security/).

     

    Our laws are not adapting quickly enough to our changing environment. It’s a dilemma that can only be fixed by making more laws, and faster. But with that comes the fear of carelessness, and in an area like homeland security, that is something we just can’t afford. Is it crazy to think the next step may be a computer that can draft and adapt laws for us? After all, it would be faster…

     

  • Could Immigration Reform Lead to Biometric ID Cards?

    By: Zach Portnoy

     

    A new proposal has emerged in the ever-controversial debate on immigration, which would affect not only immigrants, but also U.S. citizens.  The proposal, headlined by Senator Chuck Schumer (D-NY), would require all U.S. citizens and legal immigrants who wish to work to obtain biometric, Social-Security ID cards.  While many, if not most, of the details are still being hashed out, the general idea is as follows.  All employers would be required to scan their workers’ biometric ID cards in order to verify their identities.  According to the Senators, “each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information.  The cards would not contain any private information, medical information, or tracking devices.”  The cards would be used in place of the current E-Verify system, which has not been particularly effective, to prevent unauthorized persons from working in the U.S.

     

    These statements raise a number of questions.  First, what type of biometric identification system would be used?  Biometrics refers to information about a person’s body, including anything from height and weight to fingerprints and iris scans.  The Senators propose that the biometric ID cards would not contain any private or medical information.  Yet for the biometric ID cards to work, they necessarily must use a piece of information that is unique, does not change, and is not duplicable.  That would seem to fall in line much better with an identifier such as a fingerprint, something that is most definitely private information.

     

    Moreover, the Senators propose that there would be no central database holding everyone’s information.  But when employers scan these biometric ID cards, won’t they need some way to independently verify the information? However, a central government database storing unique, biometric information would lead to some serious privacy concerns.

     

    There are numerous other concerns with mandating biometric ID cards.  How long would it be before everyone, not just workers, were required to carry such a card?  And if everyone is carrying a national ID card, how long until it must be shown to travel on airplanes, purchase a gun, or to identify yourself to law enforcement?  Each step would seem to be the logical extension of such a program.

     

     

    http://www.huffingtonpost.com/2013/01/31/immigration-reform-biometric-id_n_2594285.html

     

    http://communities.washingtontimes.com/neighborhood/tekknotes/2013/apr/23/tech-tuesday-what-biometric-id-card-and-why-do-we-/

  • Online Voting

    By: Elizabeth Filatova

    Voting in the United States is a huge hassle and after every presidential election there is a discussion on all levels of government on the ways in which voting can be improved. Unlike the United States, Estonia introduced online voting in 2005. Estonians are very happy with the convenience of their system of online voting. The percentage of the population who vote online has risen from 2% to 25% from 2005 to 2011. Estonians are issued a government ID which gives them a unique online identity. After each Estonian has voted, their votes are encrypted to preserve anonymity. Even though the government guarantees secure transactions, the Estonians’ identity is authenticated by a party independent of the government. Furthermore, to ensure that voters are not voting under duress, the system allows them to override a prior electronic vote by voting again online or at a polling site.

    Estonians also use their ID for a variety of purposes like paying online bills or taxes. Inside this ID is a chip that holds information about the card’s owner and two certificates, one of which is used to authenticate identity and the second to render a digital signature. Each person who uses the ID online has a card reader attached to their computer. The ID card is secure because a PIN code is assigned to each chip and it is required every time the card is used. Estonians can also use their cellular phones for identification – which means that they don’t need to get an ID card reader for their computer as the phone acts as both the card and the reader. Over 90% of Estonians have an electronic ID that they use for various ever increasing purposes.

    According to the Estonian President, Toomas Hendrik Ilves, this identification system makes Estonia’s economy stronger and helped lessen the effects of the DDoS attacks of 2007. Furthermore, Estonians have legal ownership of their own data and are thus able to access their financial and medical information online. This makes them more comfortable with their ability to maintain privacy.

    However, computer scientists are not convinced. They say that a system that is able to accurately count votes while keeping the information anonymous has not been invented and that anything short of perfection is not acceptable for the purposes of voting. There is no way to tell that existing systems, like the one in Estonia, are secure because discrepancies are so hard to detect.

    http://www.washingtonpost.com/blogs/wonkblog/wp/2012/11/06/estonians-get-to-vote-online-why-cant-america/

    http://www.nytimes.com/2013/04/12/opinion/global/cybersecurity-a-view-from-the-front.html?pagewanted=all

    http://estonia.eu/about-estonia/economy-a-it/e-estonia.html

    http://www.technologyreview.com/news/506741/why-you-cant-vote-online/

  • The government is attempting to create a de facto ID national database (the struggle over REAL ID and the proposed amendments to E-Verify).

    By: Piotr Semeniuk

    According to the National Conference of State Legislatures, last week the Department of Homeland Security confirmed that six more states – Alabama, Florida, Kansas, Nebraska, Utah and Vermont – comply with the REAL ID Act. The REAL ID Act, enacted with a motivation of enhancing national security after 9/11, sets minimum document criteria for state-issued driver’s licenses and identification cards.

    Pursuant to the REAL ID Act, the non-compliant state IDs will be starkly underprivileged under the federal law. The bottom line is that the non-compliant IDs will not be accepted for the so-called federal “official purposes,” e.g., boarding a commercial plane or entering a federal facility.

    Beloved by some conservative think tanks (such as the Heritage Foundation) and vivaciously questioned by civil rights advocates (such as ACLU), the act triggered some opposition among the states themselves. Last year several states, including Montana’s governor Brian Schweitzer (listen to the governor discussing his opposition to REAL ID here), sent formal statements to Congress in which they underline the exorbitant costs of the REAL ID Act’s implementation as well as privacy concerns.

    The opposition of some states gave rise to a weird legal and political landscape. In this landscape the DHS is regularly setting deadlines for implementation of the REAL ID Act and states have constant troubles meeting the required deadlines (to say the least). As a result, the full implementation is being constantly delayed whereas the states and their citizens don’t face any sanctions. The recent deadline was to lapse on 15 January 2013. However, in December 2012 the DHS announced that after January 15, 2013 “states not found to meet the standards will receive a temporary deferment.” This means that residents of the non-compliant states (still the majority of states) will be allowed to enter federal buildings and use interstate plane connections. So far, the length of the deferment period remains undefined, and the DHS says it will develop a schedule for the phased enforcement of the states’ REAL ID commitments “by early fall 2013.”

    Where is it all going? It seems that the nationwide implementation of the Act is stuck in limbo. My guess is that the federal government would not resort to a sanction of rejecting the cards issued by non-compliant states. Such rejection would cause, with regard to the ban on boarding planes, a paralysis of the movement within the whole country. The DHS even admits its non-readiness to hit the ordinary people with sanctions by announcing that, while developing a schedule for the phased enforcement of the Act, residents of all states “will be treated in a fair manner.” Hence, at least so far, the rebellious states will likely have a final say in relation to the implementation of the REAL ID Act.

    However, those advocates focusing on the REAL ID Act should be cautious not to overlook another legislative effort that comes close to what some people call “a de facto ID national database.” What I have in mind is the so-called E-Verify system. E-Verify is a national, electronic database administered by the Department of Homeland Security (you can access E-Verify here) where employers can check if a person can legally work in the US. So far the system has been voluntary for employers. If they participate in E-Verify, when they hire an employee, they are required to enter information into the system via the web. E-Verify will then determine whether an employee got an approval or not. The system has been criticized for many flaws, including frequent errors leading to mischaracterization of the employees’ status (watch Chris Calabrese from ACLU discussing the downsides of E-Verify here).

    According to the ACLU, last week a group of eight bipartisan senators (the so-called Gang of Eight) proposed a reform to federal immigration laws expanding the scope of E-Verify. If the proposal was passed, E-Verify would come even closer to a de facto ID federal database. First, the proposal calls for the employers’ mandatory participation in E-Verify; second, if passed, it would require states to supply E-Verify with data on state driver’s licenses (including photographs).

    It is up for discussion, whether it is a successful implementation of the Real ID Act or a potential modification to the E-Verify system that will bring the US closer to having a de facto ID national database. One thing is certain. There are forces in DC obstinately pushing for electronic collection of more and more identifying data.

  • Blogger Anonymity in Defamation Lawsuit: Thomas Cooley Law School v. Doe

    By Sisi Wu

    In 2011, Thomas Cooley Law School filed a defamation lawsuit against a former student who criticized the school on his blog, which he called “Thomas M. Cooley Law School Scam.” The blogger, “John Doe,” sought a protective order from the trial court to prevent Cooley from disclosing his real name in court documents. The trial court ruled against Doe, finding that slander per se (which Cooley sufficiently alleged in its complaint) is not protected by the First Amendment.

    On April 4, 2013, the Michigan Court of Appeals reversed. The opinion surveyed various standards in other jurisdictions for determining when a plaintiff has the right to learn the identity of an anonymous defendant. Without adopting a clear standard, the appeals court determined that the trial court had abused its discretion in refusing Doe’s protective order by failing to properly consider Doe’s First Amendment rights.

    Although the decision was lauded by free speech advocates for being protective of anonymous speech, observers (links below) criticized the court for failing to provide a clear standard for future cases and, particularly, for not establishing a notice requirement for subpoenas issued to obtain the identity of anonymous defendants. Without mandatory notice, defendants may not be aware that their personal information is being sought, and thus won’t file motions to quash. This uncertainty could have a chilling effect on anonymous speech.

    More information and commentary:

     

    http://www.citizen.org/litigation/forms/cases/getlinkforcase.cfm?cID=691

     

    http://www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202595256890&Cooley_Law_loses_bid_to_unmask_online_critic_on_appeal&slreturn=20130324223310

     

    http://thefire.org/article/15705.html

     

    http://www.techdirt.com/articles/20130405/15314122604/appeals-court-protects-anonymity-critics-cooley-law-school-could-have-done-more.shtml

  • Medical devices test privacy limits

    By Josh Stager

     

    Medical devices have the potential to significantly improve the quality of patient care, but recent innovations demonstrate that the convergence of health information technology and Big Data is testing the limits of health privacy law. As the Wall Street Journal recently explained, many new devices collect vast amounts of patient data – often without the patient’s knowledge. Medtronic is a leader in this field, as it manufactures many devices that wirelessly collect and transmit data from technology implanted inside patients’ bodies. For example, a defibrillator implant tracks a patient’s heartbeat and provides a shock if the heartbeat stops. It is an important device for people with serious heart conditions, and doctors can use the data collected by the device to provide better treatment. But patients wanting to see data about their own heartbeats are rebuffed.

     

    The pivotal question is: who owns the data collected by such devices? The Health Insurance Portability and Accountability Act of 1996 allows patients to access medical data from hospitals and physicians. However, the data collected by many medical devices is transmitted wirelessly to the device maker. Doctors can only access the data through websites maintained by the device maker – and patients have only been able to access that data from doctors who are willing to share it. Consequently, the data falls outside the scope of HIPAA’s patient access provisions.

     

    While the medical community apparently considers this data to be owned by the companies who develop the technology and store the data, the legal community is less certain. Some argue that HIPAA is too outdated to adequately address the issue, and many patients (and their doctors) have an instinctive sense that the patient must have some ownership rights to the data, given that it is derived from their own bodily functions. Stanford cardiologist Paul Zei articulates the question thusly: “Is the device itself a depository for medical records, or is it part of the patient, and an extension of vital signs that we download into a medical chart?”

     

    While a few enterprising patients have gone to great lengths to access data from their implanted devices (the Wall Street Journal described a man who took a $2,000 training course to learn how to read his device’s data transmissions and persuaded his doctor to copy his data from the manufacturer’s website), patient demand is relatively weak – for now. Few patients actually realize their device is transmitting data until they learn about it through some happenstance disclosure during a checkup. As public awareness increases, patient demand for access to this data will likely grow. Health data analytics is a fast-growing area of smartphone app development, as many people use apps such as Fitbit to track their physical activity or monitor sleep patterns.

     

    Big Data companies also have an interest in the data collected by medical devices. Medtronic has indicated that it is looking into ways to monetize the data by selling it to interested third parties. While existing regulations prevent device makers and other third parties from selling data that is patient-identifiable, it is possible that anonymized data could be sold.

     

    Smartphone apps raise another important question: what happens to medical data collected by apps? Such programs are not subject to FDA approval and fall outside the ambit of HIPAA. Nonetheless, phones are increasingly being used to collect and analyze medical data. In addition to health monitoring applications, phone and texting logs have been used by researchers to predict the onset of depression and stress disorders. In this environment, the definition of “medical data” is unclear. Technological innovation appears to be broadening the understanding of what constitutes medical data, but privacy law is stuck in a 20th Century framework.

     

    Unprotected data from implanted devices, smartphone apps, and other medical technology could ultimately be used against patients. Medtronic envisions a future in which health insurers require those at risk of heart disease to wear monitoring devices or face higher premiums. Harvard research fellow Tolu Odomusu worries that an auto insurance company might buy unprotected medical data to prove that a driver’s sleepiness was to blame for a car accident.

     

    The potential for abuse of medical data is substantial, which is what motivated Congress to enact HIPAA 17 years ago. However, HIPAA is clearly straining to keep up with health information technology, as the advances in medical devices demonstrate. New devices reveal a loophole in privacy laws that device makers, data companies, and app developers have exploited. It seems the only actor not benefitting from outdated laws is the patient. Indeed, the FDA offers little guidance to patients seeking access to their device data, other than telling them to ask their doctors for it. The unsustainability of this situation and the inherent privacy risks should be a call to action for Congress to revise HIPAA for the 21st Century.

     

  • Healthcare Privacy: New Protections in the Law, New Vulnerabilities from Technology

    By Scott Snyder

    Earlier this month, the 11th Circuit Court of Appeals ruled in favor of greater privacy protection for the medical data of deceased nursing home patients.  The issue arose when family members of a deceased patient in Florida sought medical records and were denied access.  According to the Health Insurance Portability and Accountability Act of 1996, a federal law, medical records may be released only to a designated “personal representative.”  This conflicted with a less restrictive Florida state law that required nursing homes to release records of deceased residents to spouses, guardians, surrogates, or attorneys.  According to the 11th Circuit, the more restrictive federal law preempts.

    However, while privacy advocates can celebrate this small victory, they face growing challenges from new technologies that spread medical information across more devices and media.  One such medium is health social networking websites, on which users can share information and connect with individuals with similar afflictions.  This creates a significant privacy concern, especially as users frequently do not understand the privacy settings on these websites.  There is also uncertain accountability for third-parties who may wish to access and use data from the sites.

    In addition, the growing prevalence of Bring Your Own Device policies raises concerns that sensitive medical information could be gleaned from lost or stolen devices.  These policies can cut costs for businesses that would otherwise have to provide electronic accessories to their employees, but they create vulnerabilities even as they reduce expenses.  A Cisco survey of healthcare workers found that 89% of U.S. healthcare workers use their personal smartphones for work purposes.  Another survey of hospitals found that 85% of physicians and staff use personal devices at work; this usage includes reviewing medical records and transferring files, including radiology images and lab results.  These findings juxtapose starkly with a sample White House BYOD policy that would require users to refrain from downloading or transferring sensitive business data to their personal devices.

    While the decision in Florida demonstrates the availability of legal protection for private medical information, gaps clearly remain.  More widespread use of technology is rapidly exacerbating the problem; policymakers will need to work quickly to ensure that the law keeps pace.

  • Troll, Reveal Thyself!

    By Peter Van Valkenburgh

    A bill’s been floated in the Illinois State Senate that seeks to put an end to anonymous commenting on websites and blogs. The full text is here: http://legiscan.com/IL/text/SB1614

    But here’s the juicy part:

    “Section 10. Anonymous internet poster; right to know. A web site administrator upon request shall remove any comments posted on his or her web site by an anonymous poster unless the anonymous poster agrees to attach his or her name to the post and confirms that his or her IP address, legal name, and home address are accurate. All web site administrators shall have a contact number or e-mail address posted for such removal requests clearly visible in any sections where comments are posted.”

    The first thing to note is that the text of this bill is word-for-word identical to a bill floated last year in the NY State Legislature (more here: http://www.wired.com/threatlevel/2012/05/anonymous-online-speech-ban/). Is this just a case of copy-cat legislators or are some enterprising torts lawyers shopping a bill state-by-state? As we’ll see, the passage of such a bill would greatly increase a lawyer’s client-base should they just so happen to specialize in defamation and electronic communications.

    This brings us to why these bills might be repeatedly cropping up. Given the present state of the law those harmed by online comments have absolutely no possibility of legal relief (damages or injunction) should they be unable to determine the identity of their virtual assailant. Section 230 of the Communications Decency Act provides near bullet-proof immunity to the interactive services (read: yelp, facebook, blogs) that solicit and display user-generated content (“UGC”) like blog comments. These sites are not required to remove and can’t themselves be sued for UGC that is defamatory (see Zeran v. AOL, 129 F.3d 327 (4th Cir. 1997)), or in violation of other state laws — like right to personality claims, right to privacy claims, state prohibitions on sexually explicit advertising (see Doe v. AOL, 783 So. 2d 1010, 1013-1017 (Fl. 2001)), false information (see Gentry v. eBay, 99 Cal. App. 4th 816, 830 (2002)), discriminatory housing ads (see Chicago Lawyers’ Committee v. Craigslist 519 F.3d 666 (7th Cir. 2008)), or threats (see Delfino v. Agilent Technologies, 145 Cal. App. 4th 790 (2006)).

    Effectively, CDA 230 immunizes the electronic republishers and distributors of content from all liability stemming from UGC (except liability under federal criminal law (see 47 U.S.C. §§ 230(e)(1)) or federal copyright law (see id. at (e)(2))). So, if you are somehow harmed by UGC and the remedy for that harm would be under state law, your only option is to sue the original author of the content. Trouble is, most of the particularly offensive or damaging UGC out there is, for this very reason, anonymously posted.

    With the full legal picture in mind, it is clear why some lawmakers (or the enterprising young defamation lawyers who probably drafted both of these bills) are trying to force UGC contributors to identify themselves. Moreover, to be clear, this wouldn’t just force the identification of comment trolls on blogs — this would “out” yelp reviewers, social networking posters, wikipedia editors, basically the whole kit-and-kaboodle of web 2.0 contributors. Accordingly, you could finally identify and sue the dissatisfied diner that wrote a scathing Yelp review about your restaurant, or the unhappy couple who claims on Angie’s List that your plumbing company flooded their basement. Moreover, even if your defamation claim isn’t great, you could probably scare them into removing the content or settling by merely raising the spectre of costly litigation.

    I can appreciate arguments that the CDA’s sweeping section 230 immunities need to be revisited in light of the complete inability of genuine UGC victims to legally compel intermediaries to remove truly damaging content. But these proposals don’t touch the CDA; instead, they strike at the core of our First Amendment right to freely speak in the manner we so choose. Your choice to identify or not is a part of the content of your speech (see McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995)). Requiring that all electronic speech include identification is no different than any other sort of content-based restriction on speech. It’s unconstitutional and antithetical to the preservation of a flourishing democracy and a flourishing online marketplace of ideas.

  • BORDERING ON UNCONSTITUTIONAL: DHS IMPACT REPORT ON CIVIL LIBERTIES/CIVIL RIGHTS AT ODDS WITH THE FOURTH AMENDMENT

    By: Amanda Levendowski

    In January, the Department of Homeland Security (DHS) quietly published its long-awaited “Civil Rights/Civil Liberties Impact Assessment” of border searches of electronic devices. The actual impact may be an equally quiet erosion of Fourth Amendment rights.

     

    As of 2009, DHS is lawfully allowed to both search and seize devices like smart phones, laptop computers, and other data storage devices (including disks and flash drives) at the border without reasonable suspicion that the devices were involved in a crime. Then-Secretary Napolitano explained that these searches struck “the balance between respecting the civil liberties of travelers while ensuring DHS can take the lawful actions necessary to secure our borders.”

     

    The Impact Assessment executive summary is three pages long, and its treatment of the Fourth Amendment amounts to fewer than ten lines of text. The summary concludes that “current border policy searches comply with the Fourth Amendment,” and that “imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.” The executive summary points to “longstanding constitutional authority” permitting warrantless, suspicionless searches at the border, that authority being directives issued by Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). While agency directives are persuasive, the summary relies on these directives as if agencies have the power to abridge Fourth Amendment rights.

     

    As American Civil Liberties Union staff attorney Katie Haas explains, the summary “draws the highly questionable conclusion that the border search policy does not violate our Fourth Amendment right to privacy,” but fails to “explain any of the evidence or reasoning its conclusions are based on.”  The ACLU has filed a FOIA request seeking disclosure of the entire assessment, as well as records and data used to compile the report, but no additional information has yet been disclosed.

     

    The DHS executive summary affects many more individuals than just those crossing into Canada or Mexico for holiday. According to 8 CFR § 287.1, the “border” extends 100 miles inland of any external boundary. The government’s definition of a border subjects more than 190 Americans to the possibility of warrantless, suspicionless searches of electronic devices, and more than 6,500 people had their electronic devices searched at the border since 2008.

     

    Just after the DHS executive summary was released, the Ninth Circuit sitting en banc heralded United States v. Cotterman as a “watershed” case. Judge McKeown acknowledged that when American citizens travel now, we carry all manner of electronic devices, from company Blackberries and laptops to personal e-readers and iPhones. Any one of these devices reveals more sensitive, personal information than other items that may have been subject to border searches in the past, and the court noted that a person’s “digital life ought not be hijacked simply by crossing a border.”  Because of the unique nature of electronic devices, the Ninth Circuit determined that “reasonable suspicion” is required for border searches. Cotterman is not the godsend case that many privacy advocates hoped for: the reasonable suspicion standard is only applicable to “forensic examinations,” only invocable along portions of the Mexico-US and US-Canada border, and the facts that established reasonable suspicion were frighteningly thin. Cotterman may be a step in the right direction, but the path towards protecting Fourth Amendment rights at the border remains a long one.