Tag: Information Privacy Law Spring 2013

By: Bio Kim

Following 9/11 the U.S. government went through extensive reforms to improve the communication and coordination between intelligence officials and law enforcement authorities. The recent Boston Marathon bombing provides a small window into the inner workings of agencies involved in national security. Even though Judge Posner criticized the dual nature of the FBI in conducting both domestic intelligence investigations and criminal investigations, the FBI has evolved by assuming a greater role as a domestic-intelligence-gathering agency.

In tandem with the FBI wearing both hats, the FISA walls, which proved to be a great source of confusion before 9/11 in the sharing of information, have been largely dismantled. The agencies involved in national security now have at their disposal an expanded legal and technical resources. This course of development owes to the increased acceptance by the public of heightened government searches and seizures in the face of terrorism.

Nevertheless, there is also a valid concern that the government could be abusing its power at the cost of people’s privacy. Part of this fear comes from the fact that the Foreign Intelligence Surveillance Court’s (FISC) opinions are kept secret. It is worth noting that even though it is also true that the unique nature of FISC dictates that it “operates primarily in secret” to ensure the “proper functioning of the FISA process,” the FISA court has not definitively concluded that FISA meets the Fourth Amendment requirements. In re Sealed Case.

More information available at:

http://www.govexec.com/technology/2013/04/how-government-searches-boston-marathon-bomber/62613/

http://www.wired.com/threatlevel/2013/04/secret-surveillance-court/

By: Caitlyn Hall

Although Congress is currently contemplating revising the twenty-seven year-old Electronic Communications Privacy Act in response to privacy concerns, it is also considering other legislation that could pose significant threats to the privacy of internet users. In April 2012, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The bill, which has prompted widespread criticism from civil liberties groups, would allow private entities to share information relating to potential cyber-threats originating from foreign nations with the NSA and other members of the intelligence community.

CISPA’s proponents argue that it protects American business and intellectual property and ensures that government is adequately equipped to deal with web-based attacks from abroad, and that the bill provides adequate privacy protections, including prohibiting the government from forcing private entities to share information with the government and encouraging firms to minimize the information they share with the government. Critics, however, say that the bill does not contain adequate privacy safeguards, such as requiring service providers to remove irrelevant data before passing information along to the government, and add that CISPA in fact provides legal protections for entities that choose to cooperate with the NSA.

The House Select Committee on Intelligence, which is responsible for the bill, has made a number of amendments in response to concerns from privacy advocates, including adding a provision that limits the private sector’s use of cybersecurity information received to only cybersecurity uses, prohibiting private entities from “counter-hacking,” and removing language that would allow the government to use the data collected for “national security” purposes. But critics respond that the changes made have been mostly cosmetic, and warn that CISPA could permit government surveillance of email communications, and might allow private firms to share geolocation and other user data. The White House has threatened to veto CISPA, citing privacy and civil liberties issues raised by the bill.

http://bits.blogs.nytimes.com/2013/04/16/civil-liberties-fears-dooms-house-cybersecurity-bill/

http://www.cio.com.au/article/458812/critics_cispa_still_government_surveillance_bill/

http://dailycaller.com/2013/04/16/white-house-threatens-to-veto-cyber-bill/

http://www.govtrack.us/congress/bills/113/hr624

By: David Gold

Should police officers be required to obtain a warrant before searching an arrestee’s cell phone? Under the California Supreme Court’s 2011 opinion in People v. Diaz, the answer, at least under the Fourth Amendment, is no. That court held that the defendant’s cell phone was immediately associated with his person at the time of his arrest and, even without a warrant, was searchable incident to his lawful custodial arrest. In the decision, the court rejected the dissent and defendant’s argument that cell phones should not be searchable without a warrant because of the amount of sensitive personal data contained within the devices.

On March 19, 2013, the ACLU, together with the law firm Pillsbury Winthrop Shaw Pittman LLP, acting as pro bono assistant counsel, filed a complaint against the City and County of San Francisco claiming that a police officer’s warrantless search of the defendant’s cell phone, which was on the defendant’s person at the time of his lawful arrest, violated both the California Constitution and the First Amendment of the US Constitution. Through its complaint, the ACLU’s lawsuit seeks to circumvent the Diaz decision and require police officers to obtain warrants prior to searching the data content on cell phones on grounds other than Fourth Amendment search and seizure. Article 1, Section 1 of the California Constitution explicitly identifies a right to privacy, which, the ACLU argues, makes the state constitution more protective of privacy rights than the US Constitution, since the latter does not explicitly establish privacy rights. Article 1, Section 13 similarly is argued to offer greater protection than the Fourth Amendment against unreasonable searches and seizures. Finally, the ACLU argues that phones contain a great amount of communication, and that allowing for these searches will have a chilling effect on speech, which is not permissible under the First Amendment in this instance, because even though the information on phones is relevant, the search will only be permitted if it furthers a compelling interest.

The ACLU complaint is filled with a detailed factual record of the capacity for cell phones, and particularly smart phones. Not only does it describe in great detail the current ability of phones, but it also notes the expansion of data capacity on the horizon. Additionally, the ACLU argues that there is sensitive personal information of friends, family members, and co-workers contained on an individual’s cell phone, in addition to highly sensitive personal information, such as credit card information. Furthermore, the ACLU challenged that cell phones do not pose a physical threat to police officers and that police officers do not need to search the contents of the phone immediately because no evidence will be destroyed given that officers may use a Faraday Bag, which prevents third parties from accessing and deleting or changing information on the phone.

Since the California Supreme Court has already determined that such phone searches do not violate the Fourth Amendment, if the ACLU loses on these claims, there will be little room to challenge such searches in California, and only a ruling by the US Supreme Court would overrule such a holding. Perhaps, given that cell phones contain information in different applications, there is a workable middle ground approach, that officers may only access information in certain application without a warrant. Or, as the ACLU points out, perhaps Faraday Bags should become commonplace, allowing officers to seize control of an arrestee’s cell phone and prevent any evidence on it from being destroyed, but not search its contents until a warrant is issued. Discussion about these alternatives will only really be relevant if the California Court decides in favor of the ACLU, since a decision for San Francisco will allow officers to search the entire cell phone device of an arrestee without a warrant.

Fun fact from the ACLU complaint: early mobile phones used to weigh almost 90 pounds!

Articles:

http://www.aclu.org/technology-and-liberty/aclu-lawsuit-challenges-warrantless-searches-cell-phones

http://consumerist.com/2013/03/20/aclu-files-suit-to-stop-police-from-searching-cell-phones-without-warrant/

ACLU-Pillsbury Complaint

https://www.aclunc.org/news/press_releases/asset_upload_file321_12297.pdf

People v. Diaz Decision:

http://epic.org/privacy/devicesearch/People_v_Diaz.pdf

By: Josh Baker

Article: http://www.wired.com/threatlevel/2013/04/secret-surveillance-court/

Government’s brief: http://www.wired.com/images_blogs/threatlevel/2013/04/fisacourt.pdf

The Electric Frontier Foundation (EFF), a digital rights group in San Francisco, brought suit in the District Court for the District of Columbia after the government denied EFF’s Freedom of Information Act (FOIA) request to disclose a ruling of the Foreign Intelligence Surveillance Court (FISC).  FISC opinions are almost never disclosed to the public as a general matter.

In this case, the opinion was not revealed, but Sen. Ron Wyden was briefed on the ruling as a member of the Intelligence Committee.  Wyden was authorized to reveal that FISC had found an instance of surveillance that “circumvented the spirit of the law” and failed Fourth Amendment reasonableness scrutiny, violating the FISA Amendments Act.  The declassified statements also noted that “government has remedied these concerns and the FISC has continued to approve []

collection [pursuant to Section 702] as consistent with the statute and reasonable under the Fourth Amendment.”  The public would not have been aware of the ruling in this case were it not for Sen. Wyden’s authorized comments.

The Department of Justice (DOJ), in its brief, contends that FOIA exempts this information from disclosure.  It argues that the FISC Rules of Procedure prohibit the disclosure of the FISC opinions and Intelligence Committee briefings.  In the alternative, the DOJ declared that the information sought “necessarily implicates classified intelligence sources and methods” and is therefore exempted from FOIA disclosure.  Finally, the DOJ asserts that disclosure of the information sought by EFF “could result in exceptionally grave and serious damage to the national security,” and that the court should defer to the Department’s finding on this matter.

This exemplifies the government’s general rationale for maintaining secrecy as to FISC opinions.  The FISC was designed to have Article III judges rule on information collection/surveillance requests from intelligence agencies, while preserving the secrecy of the government’s investigations that could be jeopardized by public disclosure.  By declassifying certain statements regarding the FISC opinion, the government sought to balance the interest in government transparency with the protection of critical intelligence activities.

By: Ashley Belton

National security often comes at odds with privacy interests, as evidenced by the White House’s reaction to the latest cybersecurity bill currently being considered by the House. On April 16^th, the White House threatened to veto a House bill, which would permit private entities to share with the government and other private entities information pertaining to threats to computer networks. Additionally, the bill would grant private companies immunity from lawsuits if they engaged in such information sharing. The bill is a reflection of the fact that national security threats are increasingly taking the form of cyber attacks; and the government is struggling to combat such dangers while taking into account privacy concerns.

A spokesman for the National Security Council, Caitlin Hayden, identified the administration’s issue with the bill: under the current version of the bill, private companies are not required to remove irrelevant personal information before sharing such information with the government or with each other. Thus, there is no protection against private companies sharing data that could be used to identify ordinary citizens. This criticism is in line with the principle of minimization, that is, the government should only acquire information which is necessary to effectuate its interests, and it should minimize any interference with citizens’ right to privacy.

The House is to vote on the bill later this week. The bill has already faced much criticism from civil liberties groups, such as the American Civil Liberties Union and the Center for Democracy and Technology.

For more information:

Chris Strohm, Obama Threatens Veto of Revised House Cyber Measure, Bloomberg (Apr. 16, 2013, 4:12 PM), http://www.bloomberg.com/news/2013-04-16/obama-threatens-veto-of-revised-house-cyber-measure.html.

Somini Sengupta, Civil Liberties Fears Doom House Cybersecurity Bill, NYT (Apr. 16, 2013, 9:23 PM), http://bits.blogs.nytimes.com/2013/04/16/civil-liberties-fears-dooms-house-cybersecurity-bill/.

By: Michal Flombaum

In 2009, the Department of Homeland Security announced that it would assess the Civil Liberties Impact of suspicionless searches of computers and other electronic devices at the border. Initially, DHS said it would release its findings within 120 days of that announcement, but only in February of this year did DHS release any findings. Releasing only the two page executive summary dealing mostly with the possibility of ethnic or racial profiling, DHS writes that applying a reasonable suspicion requirement to searching electronic devices would be “operationally harmful” without any civil rights and civil liberties benefits.

I find it interesting that DHS relies on the notion that “courts have not treated searches of electronic devices any differently than searches,” given the cases we discussed in class on Monday. Just as we concluded in class, Wired’s coverage of the release takes care to note that, “electronic devices have become virtual extensions of ourselves housing everything from e-mail to instant-message chats to photos and our personal effects,” emphasizing the extremely invasive nature of these searches.

Note that Cotterman was decided just weeks after DHS released the executive summary earlier this year. It will be interesting to follow DHS’s response to Cotterman, and whether DHS will apply the reasonable suspicion standard to all borders or just to those under the jurisdiction of the Ninth Circuit that includes the controversial Arizona and California borders with Mexico

The ACLU filed a FOIA request to discover how DHS reached their conclusions because, as they write, “the reality is that allowing government agents to search through all of a traveler’s data without reasonable suspicion is completely incompatible with our fundamental rights: our Fourth Amendment right to privacy—and more specifically the right to be free from unreasonable searches—is implicated when the government can rummage through our computers and cell phones for no reason other than that we happen to have traveled abroad.” Though the ACLU seems to find the reasonable suspicion standard protective enough, the Electronic Frontier Foundation has advocated for a probable cause standard in its Amicus brief.

http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20wired%2Findex%20%28Wired%3A%20Top%20Stories%29

The full text of the executive summary is available here: http://www.dhs.gov/sites/default/files/publications/crcl-border-search-impact-assessment_01-29-13_1.pdf

For the ACLU’s explanation of their FOIA request, please see: http://www.aclu.org/blog/technology-and-liberty-immigrants-rights-national-security/aclu-files-foia-request-unreleased

For a more complete discussion on the matter, please see The Electronic Frontier Foundation: https://www.eff.org/deeplinks/2013/03/finally-some-limit-electronic-searches-border

By: Tom Gottheil

Last week, in a closed-door meeting, the House Intelligence Panel voted 18-2 to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a controversial proposal to encourage information sharing between private companies and the federal government. It is expected to be brought to a full vote on the floor of the House as soon as Thursday, though President Obama has threatened to veto the bill without changes to its corporate liability rules.

The bill’s stated purpose is to investigate and deter cyber attacks against US information infrastructure. In order to facilitate data sharing between technology companies and the government, CISPA broadly limits civil and criminal corporate liability for good-faith compliance with its terms. These limits worry civil liberties groups and activists, who contend that the lack of protection for private information in the bill, combined with its immunity provisions, could result in companies disclosing vast quantities of personal information without legal recourse for those whose data is disclosed.

Despite broad corporate support for CISPA, it was defeated in the Senate last year. A slightly modified version will be coming to the floor of the House of Representatives in the coming days. However, with President Obama’s veto threat looming, the future of CISPA is once again uncertain.

By: Jenn Ebling

Article link: http://www.slate.com/blogs/future_tense/2013/02/26/fisa_supreme_court_says_americans_don_t_have_standing_to_challenge_surveillance.html

The article references a Supreme Court opinion, which can be accessed here: http://www.supremecourt.gov/opinions/12pdf/11-1025_ihdj.pdf

On February 26, 2013, the Supreme Court ruled in Clapper v. Amnesty International USA that American citizens who cannot prove they were subject to government surveillance because the government refuses to divulge details about its surveillance practices lack standing to challenge the constitutionality of the Foreign Intelligence Surveillance Act (FISA).

In 2009, the district court of the Southern District of New York rejected the plaintiffs’ claim that the 2008 amendments to FISA had authorized broad surveillance in violation of their constitutional rights on the grounds that the plaintiffs lacked standing because they could not show a particularized or concrete injury.  In 2011, the 2nd U.S. Circuit Court of Appeals overturned the district court’s opinion and concluded that plaintiffs had standing based on a “reasonable fear of future injury.”  The Supreme Court rejected the circuit court’s rationale on the basis that such fear of future injury is too speculative to support standing.

Though the court was careful to note that a plaintiff could establish standing to challenge the law by proving she had been the subject of surveillance, it is difficult to imagine how a plaintiff could do so in practice given the government’s secrecy about its surveillance practices.

By Nick Harmon

This past February,the Supreme Court heard oral argument on the constitutionality of warrantless DNA collection from arrestees. When Maryland v. King is eventually decided, it will form yet another brick in a makeshift wall that the Court has been forced to construct in light of the rapid advances  law enforcement agencies have made in the area of data collection, aggregation, and analysis. When it decided another data case, United States v. Jones, 132 S. Ct. 945 (2012), last year,the Court had to decide whether a difference existed between tailing a suspect in a car, and monitoring his movements remotely for a month using a GPS tracker. The Court decided there was, but had a difficult time agreeing on the reasons why. In this case as in other cases, the status and power of data has troubled the Court, and it seems likely that the questions will only grow tougher going forward.

The goal of building newer and better and larger databases has been a goal of government efforts in the law enforcement and defense arena for many years. From Total Information Awareness in the last decade, to NGI today, data aggregation and analysis will be central to the question of where and to what extent the government may collect and store data. TIA, once it became subjected to public scrutiny, met a great deal of hostility from the public and from congress. Publicly, the government renounced its goal of pursuing TIA (at least under that name). The political opposition demonstrates how much the power of data aggregation is accepted by the American public. As NYU Law Professor Helen Nissenbaum noted in her book Privacy in Context: Technology, Policy, and the Integrity of Social Life:

Data subjects and third-party harvesters alike are keenly aware of qualitative differences that can occur when bits of data are combined into collages. This is, surely, one of the most alluring transformations yielded by information sciences and technologies. It is anything but the case that an assemblage of bland bits yields a bland assemblage. The isolated bits may not be particularly revealing, but the assemblage may expose people quite profoundly.

In September of last year, the Electronic Privacy Information Center (EPIC) requested documents from the Federal Bureau of Investigation (FBI) which might tell us more about a new FBI data aggregation system, known as the Next Generation Identification Program.

According to the FBI’s website, NGI “will offer state-of-the-art biometric identification services and provide a flexible framework of core capabilities that will serve as a platform for multimodal functionality.” In short, NGI is a system designed to link a variety of widely-used biometric indicators, including fingerprints and DNA profiles. However, the system goes further than just joining in one place systems already in wide use. The development of NGI will include a mandate to “explore the capability of facial recognition technology.” NGI will thus allow for the linking of otherwise disparate profiles, and the incorporation of facial recognition software to supplement those profiles, a powerful shift at a time when surveillance cameras are becoming increasingly ubiquitous. Moreover, as the National Journal has reported that NGI “enables police officers to use a handheld fingerprint reader to send prints through a squad car’s radio to the FBI’s database and learn almost instantly whether there is a match.”  However, NGI will also incorporate a “Repository for Individuals of Special Concern (RISC)” to “[provide] law enforcement and partnering agencies with rapid/mobile identification services to quickly assess the level of threat that an encountered individual poses.” In short, it will generate meaningful analytical profiles as well. Finally, as the FBI has acknowledged, the program is being developed not solely by the government itself but in collaboration with private companies, a troubling fact from a privacy standpoint.

Without public knowledge of government efforts to compile new databases, public oversight is impossible, and the political process justification for courts’ refraining from stepping in becomes more difficult to accept. On April 8, 2013, EPIC filed a lawsuit against the FBI under the Freedom of Information Act (FOIA), challenging its failure to provide information on NGI. (Their complaint can be found here). It states:

In 2012, EPIC filed two Freedom of Information Act (FOIA) requests for documents related to the FBI’s NGI system. One request sought technical specifications related to the roll out of the NGI system. The other sought contracts between the FBI and the private entities developing the system. The FBI did not promptly comply with the law’s requirements and has so far failed to give EPIC any responsive documents. After the agency failed to comply with the Freedom of Information Act, EPIC filed a lawsuit in federal district court.

The FBI notes that “A full and open competition was used to award the NGI contract to Lockheed Martin Transportation and Security Solutions” to develop this technology, but it remains to be seen whether similar public scrutiny will be possible regarding the operations of the database itself.

By: Show Wang

Article link: http://www.ediscoverylaw.com/2013/02/articles/case-summaries/court-considers-the-persnickety-but-persistent-question-of-what-qualifies-as-content-under-the-stored-communications-act/

The article contains a link to a court opinion, which can be seen here: http://www.ediscoverylaw.com/uploads/file/Westlaw_Document_Optiver.doc

A recent case expands on the distinction between communications content and non-content/envelope information for emails. Although so far most of the cases we have dealt with in class have involved the government in criminal cases, the SCA applies to non-government persons and entities. The SCA applies here even though this case involves a company seeking the communications content of another company’s emails. The email provider (Google in this case) would only be allowed to share non-content information such as log data and email addresses. At the end of the opinion, the court correctly classifies email subject lines as content before mentioning what non-content metadata Optiver is entitled to from Google. The list of non-content included recipient, sender, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages.  It is troubling that anyone could have access to this data, and it continues the debate over whether some of this information is revealing of people’s inner lives. Furthermore, if all of this falls under non-content, then it also expands what would fall under non-content surveillance by the government for the Pen Register Act.