Tag: Information Privacy Law Spring 2013

By: Su Mien Tee

 

On March 19, 2013, the House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing on ECPA reform. The Department of Justice, in its testimony before the Subcommittee, reversed its long-held stance that a warrant should not be required before government officials can obtain stored information, and in a statement made by Elana Tyrangiel, Acting Assistant Attorney General of the Office of Legal Policy), endorsed a crucial point of reform advocated by policy advocates, public interest groups and privacy experts, that the same protection afforded to letters and phone calls (Ex Parte Jackson, 96 U.S. 727 (1877) and United States v. Katz, 389 U.S. 347 (1967)).

 

Title II of the Electronic Communications Privacy Act (ECPA, Pub. L. 99-508, 100 Stat. 1848), the Stored Communications Act (SCA, 18 U.S.C. Chapter 121 s 2701 – 2712) addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records”. Orin Kerr explains the s 2703 regime in terms of an “upside-down pyramid”:

–          A simple subpoena is needed to compel basic subscriber information (s 2703(c)(2)),

–          A s 2703(d) order compels all non-content records (s 2703(c)(1)(B)),

–          A simple subpoena combined with prior notice compels:

• Basic subscriber information (s 2703(c)(2)),
• Any opened emails or other permanently held files (s 2703(b)), and any contents in temporary ‘electronic storage’ such as unretrieved emails in storage for more than 180 days (s 2703(a));

–          A search warrant is needed to compel anything stored in an account (s 2703(a)-(c)) which includes unopened email stored for less than 180 days.

[see Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, (2004) George Washington Law Review, Vol. 72, No. 6]

 

The DOJ stated that “some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications”, and that there is “no principle basis to treat email less than 180 days old differently from email more than 180 days old”. Currently disclosure of the latter can be compelled with a subpoena and prior notice.

 

It went on to reject the distinction between opened and unopened emails, that it does not make sense for the SCA to accord lesser protection to opened emails than it gives to emails that are unopened. It also essentially endorsed the application of the probable cause standard for a warrant to compel disclosure of stored email and all similar stored content information, saying that they “appreciate the appeal of this approach and believe that it has considerable merit”.

 

This warrant standard is also reflected in Google’s official statement (January 28, 2013) on its approach to government requests for user data – requiring a search warrant before handing over users’ emails to law enforcement (which is not required by ECPA currently). The same standard was endorsed by Richard Salgado, Director of Law Enforcement and Information Security of Google Inc, who similarly testified with Tyrangiel before the Subcommittee on March 19, 2013. His written testimony is available here.)

 

The removal of the 180-day rule is also reflected in the Leahy-Lee Bill (introduced on March 19, 2013 by Senator Patrick Leahy and Senator Mike Lee) to reform ECPA, to require government officials to obtain a warrant in order to require ISPs or other online service providers to disclose the private communications of their users, essentially extending the warrant standard in postal letters to email.

(Leahy-Lee Bill accessible at http://www.leahy.senate.gov/download/ecpa-bill-2013.

Read more about the Leahy-Lee Bill and ECPA reform at http://www.slate.com/blogs/future_tense/2013/03/19/patrick_leahy_introduces_legislation_to_update_ancient_electronic_communications.html )

 

This approach is very welcome, given that the 180-day rule appears to have little bearing as to the expectation of privacy that Internet users have about their emails. Whether an email is opened or unopened by the intended recipient has very little bearing as to whether or not the content remains private; whether it has been kept for 179 days or 181 days has even less bearing on the extent of the privacy of the contents. People reasonably expect that the contents of their email communications be kept private and not subject to government search and seizures, especially given the central role that an individual’s email account plays in his or her private life, and contains intimate and private information.

 

Reform of ECPA will have to address the gaps in ECPA that have been opened up by changes in technology, and the Leahy-Lee Bill, if passed, may go a little way in enhancing individuals’ Fourth Amendment rights, which is crucial given the increasingly fine line between content and non-content in today’s world, especially in light of information like URLs and even to and from addresses, which may reveal more than simply addressing information or identity (in the case of email addresses, where email handles may be traced to other similar internet profiles etc).

 

[Note, however, that the DOJ’s new stance has not been received with too much optimism – skeptics have pointed out that the testimony also raises issues which may weaken current privacy protections, including by “making the standard for non-content records technology-neutral, allowing the government to use subpoenas to compel disclosure of addressing information associated with email and other electronic communications. See criticisms by the Center for Democracy and Technology here.]

By: Cindy Hu (Hsin-Yi Hu)

 

Under the U.S. law, the so-called “border search exception” allows government to search the international travelers – including the U.S. citizens – and their luggage and vehicles at any reason when they enter the country. However, this exception might be limited because of the new ruling of the 9th U.S. Circuit Court of Appeals.

On Friday, March 8^th, 2013, the Court of Appeals has ruled that digital devices are granted limited relief from “border search exception.”  Judge M. Margaret McKeown (*.pdf.) stated that “A person’s digital life ought not to be hijacked simply by crossing a border.”  Different from packing traditional luggage which one can decide what to bring and what to leave behind, laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails.

However, several critics and dissenting opinions have risen from this ruling. The San Francisco-based appeals court said that the Court’s view was too extreme. In this court’s opinion,  the Court left rules intact that a “manual review of files on an electronic device” may be undertaken without justification while using “software” to decrypt password protected files or to locate deleted files now requires “reasonable suspicion” that criminal activity is afoot. Additionally, Judge Milan Smith in his dissenting opinion states that the ruling of the majority raises national concern because this ruling opens the nation’s borders “to electronically savvy terrorists and criminals who may hereafter carry their equipment and data across our borders with little fear of detection.”

Furthermore, although the decision made by the Court seems to bolster the digital rights of travelers, but it’s pronouncement of reasonable suspicion requirement, in Michael Price’s opinion (the counsel for the Liberty & National Security Program of the Brennan Center for Justice at New York University), seeks to whittle away at the border search exception.

As the Court noted that no reason was needed to manually inspect the content of a gadget, but a forensic examination required a “reasonable suspicion.”  The Court found enough “reasonable suspicion” based on the mere facts that the defendant was a convicted sex offender and frequently traveled to Mexico, a known destination for sex tourism. What’s more, adding to reasonable suspicion, under what the Court labeled as the “totality of the circumstances,” was the fact that some of the files on one of the laptops were password protected. “We really didn’t think there was any reasonable suspicion for the forensic examination,” Price said.

As stated above, the outcome of this ruling might seem to be a big step for the digital rights of travelers; however, the Court’s analysis on “reasonable suspicion” and the way it differentiates computer software and manual review also raise other questions: Why the use of computer software to analyze a hard drive triggers a reasonable suspicion requirement while a “manual review” of the same hard drive requires no suspicion, is left unexplained. Although technology may serve as a useful proxy for the intrusiveness of a search today, in the future even cursory searches might be more efficiently conducted by the use of such technology.

 

The full content of the article can be found at http://www.wired.com/threatlevel/2013/03/gadget-border-searches/, Appeals Court Curbs Border Agents’ Carte Blanche Power to Search Your Gadgets, BY DAVID KRAVETS, 03.08.13, 5:19 PM

By: Brian Harris

The Department of Homeland Security has recently released a response to an ACLU challenge about its border patrol policies.

 

The ACLU challenged the DHS’s policy of conducting suspicionless, warrantless searches of personal electronics within an area 100 miles from the border around the entire United States.  These searches raise concerns about a possible government infringement of our Fourth Amendment rights.

 

The ACLU refers to this 100 mile stretch of land as the “Constitution-free zone.”   The DHS has insisted that these searches were a necessary function of ensuring national security.  These searches raise increasingly relevant issues of privacy as improvements in technology encourage people to convert more of their lives and personal information into digital media.  What begins as a seemingly simple search of a laptop could actually be an incredibly intrusive collection of personal data.

 

The DHS takes the position that there is long standing authority to search recently purchased merchandise at the border for incoming and going travelers.  They claim that these searches are an obvious extension of that philosophy.  They also take the position that requiring reasonable cause would directly interfere with the operational effectiveness of border control thereby creating a risk to national security.

 

More importantly, the 100 mile stretch of land inland from the border encompasses approximately 200 million Americans, which is 2/3 of the population.  According to the Congressional Research Services, border patrol agents must have a “reasonable suspicion” of criminal activity.  They say that a better case for the “Constition-free zone” should be targeted at airport security where they can search your belongings even without any probable cause.
The Supreme Court has not taken a case about the warrantless search of electronics at the border.  It seems as though until that occurs, the government’s position on this issue will remain the same.

 

http://www.dhs.gov/sites/default/files/publications/crcl-border-search-impact-assessment_01-29-13_1.pdf

 

http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/

By: Ken Chen

 

Researchers at MIT and Universite Catholique de Louvain in Belgium have conducted a 15-months analysis of mobile phone data for about 1.5 million users and they successfully identified 95 percent of the users. What it took were just very few pieces of data – that is, trace the activity to a specific anonymous individual.

 

Locations are determined by the nearest cell tower on basis of the pings from mobile phone whenever the users’ phone checks in with the network as the users receive calls and text messages, or just move around. The location is updated hourly. Roughly a hundred data points were provided each day. The researchers need only four data points to identify the individual. With just two data points, they could identify 50 percent of users.

 

The researchers wrote in their study published in Scientific Reports, “We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy,” they explain. “Indeed, this uniqueness means that little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset. Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern.”

 

The controversy over cell location data is growing. Apple officially responded to this growing controversy in 2011, arguing that the iPhone is not logging your location; rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested.

 

Along with the increase of government requests, it is also heavily debated on the content or non-content nature of location. It is accepted that, although a single piece of information about location seems non-content, the aggregation of locations may become content-based and reveal inner lives of information owners. Government would intend to argue the non-content nature of location information for sake of the easier-to-meet procedural hurdles for non-contents records in the ECPA, instead of having to first obtain a warrant based on probable cause under the Fourth Amendment standard.

 

This research shows that the location data can be easily used to identify a user based on little more than tracking the pings of a cellphone. We could imagine how easily the government (or any company with such intention and such information) could intrude our inner lives, even with a relatively higher procedural hurdles.

 

http://www.theverge.com/2013/4/9/4187654/how-carriers-sell-your-location-and-get-away-with-it

http://www.wired.com/threatlevel/2013/03/anonymous-phone-location-data/

http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html

By: Jimmy Matteucci

 

On March 21, two bills were introduced in the House and the Senate that would prohibit law enforcement and private investigators from utilizing GPS data or cellphone location data without first obtaining a warrant. The Geolocational Privacy and Surveillance Act (“GPS Act”) was introduced in the House by Rep. Jason Chaffetz (R-Utah) and in the Senate by Mark Kirk (R-Illinois) and Ron Wyden (D-Oregon). The cosponsors of the GPS Act say it is a response to the Supreme Court’s holding in U.S. v.Jones, which they say did not go far enough. “Although Jones was a step in the right direction, the Department of Justice is still arguing in court that they do not need a warrant to track someone’s movements using GPS devices or technology. This highlights the need for Congress to step in and provide clear and reasonable guidelines,” said Rep. Chaffetz.

 

Writing for the majority in U.S. v. Jones, Justice Scalia used trespass doctrine to hold that placing a physical GPS tracking device on an owner’s car was a trespass to private property and therefore a “search” under the Fourth Amendment. Subsequently, law enforcement has argued that merely obtaining GPS information from someone’s phone or built-in car system, such as OnStar, is not such a trespass, and therefore does not require a warrant. The GPS Act would explicitly overrule this argument, making all acquisitions of geolocation information prohibited except pursuant to a warrant.

 

The text of the proposed GPS Act includes several exceptions to this general prohibition, including when consent is given; when the information is obtained in the normal course of business; when the information is acquired while conducting foreign intelligence surveillance; when the information is acquired in an emergency; when the information is used to locate a person who is unlawfully using the device through theft or fraud; and, when the geolocation information being acquired and used is readily accessible to the general public. Of all of these exceptions, the emergency situation exception has the potential to be read the broadest. The text allows an officer to intercept geolocation information if they, “reasonably determine that an emergency situation exists that involves (i) immediate danger of death or serious physical injury to any person; (ii) conspiratorial activities threatening the national security interest; or (iii) conspiratorial activities characteristic of organized crime.” There are safeguards built in, such as requiring an application for an order approving the interception within 48 hours after it has occurred, however one expects law enforcement to rely heavily on this exception.

 

To make sure that the prohibitions included in the GPS Act are enforced, the bills include civil and criminal penalties for violators.

 

The GPS Act has attracted vocal support from the American Civil Liberties Union, Americans for Tax Reform’s DigitalLiberty.net, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and the Computer and Communications Industry Association. If the bills are enacted, the procedural protections surrounding the use of new technologies by law enforcement will be greatly enhanced.

 

For more articles on the subject:

 

http://www.wired.com/threatlevel/2013/03/warrantless-gps-tracking/

http://www.pcworld.com/article/2031590/bills-would-require-warrants-for-police-to-use-gps-tracking.html

By Tanata Tantasathien

Social networking sites such as Facebook and Google+ enable people to interact and develop relationships in a whole new way- deviated from traditional face-to-face communications and not envisioned by legislative, judiciary authorities or even scholars in the past. Despite their countless benefits, social networks have brought new threats to privacy. Aggravating the privacy infringement problems, disclosure of users’ information on the sites concerning their ‘everything’, i.e., identity, contacts, family, friends, acquaintances, educational background, work experience as well as all the  ‘likes’, can facilitate criminals, identity thefts and other wrong-doers to abuse the victims. Government can also make use of such disclosure for the purpose of gathering people’s information.

According to the 4^th Amendment, government lacks authority to conduct ‘search and seizure’ absent a specified warrant issued by courts. In practice, however, they sometimes have access to private sector records needless of warrant. Government also takes advantage from “the Third Party Doctrine” which Kerr Orin S. defines as “knowingly revealing information to a third party relinquishes 4^th Amendment protection in that information.” By adopting this doctrine, social network users would have very limit or even no privacy protection because all the information are inevitably disclosed to internet service providers and social network sites in course of the normal use of the sites. The article Facebook and Interpersonal Privacy: Why the Third Party Doctrine Should Not Apply by Monu Bedi, which is available at http://lawdigitalcommons.bc.edu/bclr/vol54/iss1/2 responds to the issue: whether the information posted by users in social media sites still merits the 4^th Amendment protection despite being disclosed to ISPs and some third parties; and suggests alternative protection under the doctrine of Interpersonal Privacy.

First the author points out how scholars have attempted to expand the 4^th Amendment protection, but found the third party doctrine as an impediment. He doubts the efficiency and appropriateness of the doctrine in the context on internet communications; and argues that this context deserves some special consideration when applying the 4^th Amendment reasonable expectation test. In particular, it must “recognize the unique role that internet communication play in creating and maintaining relationships.” Furthermore, the disclosure of information to the ISPs should not vitiate privacy protection because these entities serve no part in users’ relationships.

Then he introduces the “Interpersonal Privacy Doctrine” which courts have applied in cases relating to intimate, marital, and parent-child relationships. This doctrine holds that people have rights to make personal decisions and are entitled to the privacy in their intimate relationships, i.e., abortion, same sex relationship, contraception consumption, without government intrusion. It is grounded in the Due Process, Equal Protection, and the 1^st Amendment. The author cites several ideas from Thomas Crocker, namely, the interplay between liberty interest and privacy in internet communications; the notion that privacy sometimes means undisclosed, but not always. Most importantly, Crocker asserts: “the three qualities—identity, relationship, and community—which are not unique to social networking sites; they are “basic elements of social interaction, offline and on.” Consequently, both the author and Crocker believe that the interpersonal privacy doctrine can be applied to safeguard internet communication, preferably at the same level of face-to-face communication.

 

Monu Bedi, Facebook and Interpersonal Privacy: Why the Third Party Doctrine Should Not Apply, 54 B.C.L. Rev. 1 (2013), http://lawdigitalcommons.bc.edu/bclr/vol54/iss1/2

By: John Sadlik

Retail-theft databases, which are used by retailers for background checks on potential employees and to track employee thefts, are facing increased scrutiny from private lawyers and federal regulators.

These databases contain information about accusations and admissions of theft from retail employees and are often used to justify passing over applicants for retail positions.

Though legal, the companies which maintain these databases must answer questions about whether or not they run afoul of the Fair Credit Reporting Act. The FCRA is aimed at regulating the collection, dissemination, and use of consumer information.

The databases are used by retailers like Target, CVS, and Family Dollar, and have been the subject of a recent wave of class action lawsuits. LexisNexis, which owned the Esteem database until this year, recently agreed to pay 13.5 million to settle a class-action lawsuit that  alleged violations of consumer protection laws.

The Federal Trade Commission is examining whether it is too difficult for retail employees to correct inaccurate information stored in retail-theft databases. Information which can be the deciding factor in the decision to hire a new employee.

Admissions of theft by retail employees, which are shared by retailers these databases, usually come in the form of written statements that advocates say fail to give notice about their use.

Such admissions can be the product of questionable circumstances, as well. Made in the back of retail stores and under potentially intense pressure from private loss-prevention officers, advocates argue they can be the product of coercion. Often these admissions do not result in criminal charges and are made without a complete understanding of their consequences.

http://www.nytimes.com/2013/04/03/business/retailers-use-databases-to-track-worker-thefts.html?ref=business

By: Adam Shamah

SCOTUSBlog’s “Petition of the day” Tuesday was the cert. petition in Jennings v. Broome, which asks the Supreme Court to answer “Whether e-mails stored by an e-mail provider after delivery are in “electronic storage” under the Stored Communications Act, 18 U.S.C. §§ 2701.”

 

If the Supreme Court grants cert., it’s decision could majorly impact privacy law. We covered the Act’s protections in class.  They include regulations on disclosure to private parties and the government; prohibition on unauthorized access; and rules governing compelled disclosure by law enforcement. The petition notes the importance of the Stored Communications Act in protecting email privacy, given that the Wiretap Act protects only communications in transit and the Fourth Amendment typically does not apply due to the third party doctrine.

 

As the petition explains, “The prohibition of unlawful access … and the disclosure regulations … apply to communications that are in “electronic storage,” which is defined as: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication… The scope of the SCA’s disclosure provisions and its protections accordingly turns on exactly what is encompassed by this definition.”

 

The case arose after a wife and husband separated.  The wife and her daughter-in-law guessed the husband’s email password and printed several of his emails. The husband filed suit under the SCA’s “unauthorized access” provision.  The Court of Common Pleas for

the Fifth Judicial Circuit of South Carolina granted summary judgment for the defendants, holding that e-mails were not “stored communications” because they had already been “transmitted and had reached their final destination” and thus could not be in “temporary, intermediate storage incidental to the electronic transmission.” Further “[b]ecause Yahoo was not storing the e-mails for its own ‘purposes of backup protection,’ the court reasoned that the e-mails failed to satisfy the second prong of the definition of electronic storage.”  The South Carolina Court of Appeals reversed the trial court.  The South Carolina Supreme Court then reversed again, offering three different opinions, each with a different rationale.

 

The South Carolina Supreme Court thus created a split with the Ninth Circuit on this issue. See Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004).  The petition notes additional lower courts that have taken a variety of views on the matter.  Hopefully, the Supreme Court will grant cert and decide whether billions of emails are protected by the Act or not.

 

By: Thomas Prieto

The Currency and Foreign Transactions Reporting Act of 1970, better known as the Bank Secrecy Act of 1970, requires banks to create and keep specific records, which the government can search, often in attempts to detect and prevent money laundering. In the past, enforcement of the Bank Secrecy Act has been relatively lax, but there are indications that enforcement is on the rise.

 

The three major requirements of the Bank Secrecy Act for financial institutions, according to the below linked article, are 1) “implementing an anti-money laundering program, 2) reporting suspicious transactions, 3) conducting due diligence for private banking and correspondent bank accounts involving foreign persons.” The Bank Secrecy Act empowers the Treasury Department to examine all these records it requires.

 

It should be interesting to see whether the government’s increased enforcement may once again raise the issues in United States v. Miller. In that case was whether the plaintiff’s bank records were seized illegally in violation of the Fourth Amendment. The Court held that Miller had no right to privacy in his bank records. The documents subpoenaed were not ‘private documents.’ Rather, they were the bank’s business records.

http://www.mainjustice.com/2012/12/18/analysis-enforcement-of-the-bank-secrecy-act-is-on-the-rise-is-your-financial-institution-prepared/

By: Wesley Horner

I used to have a remote control helicopter.  OK, I still do.  One of the great things about technology is that as it becomes economical to make and distribute the coolest gadgets and gizmos, they become increasingly accessible, and new uses and creative innovations arise that make our lives better.  Or at least more fun.  Yes, that means that you can operate cool new remote control helicopters from your smart phone.  One startup company is even offering a taco delivering service—you place an order using your smart phone, and a flying robot will deliver the taco to you.  Taco bout convenient!  But we should remember that with great power comes great responsibility.

When technology advances to the point of materially advancing law enforcement capabilities, society should be alert to the increased risks to individual privacy and be prepared to delineate the proper boundaries of police conduct.  Drone technology, in particular, demonstrates the risks accompanying technological progress.  Drones equipped with cameras could drastically reduce costs and drastically increase the effectiveness of search and rescue missions.  Drones could also improve tactical awareness by offering multiple vantage points to aid in the execution of dangerous operations.  Drones offer significantly improved coverage, and unlike manned surveillance, some advanced drones may be able to operate without breaks.  Indeed, the taco delivery service boasts, “Our unmanned delivery agents are fast and work tirelessly.”  But further advances in drone technology could also enable pervasive mass surveillance, raising questions about what Big Brother should be entitled to monitor and record and under what circumstances.

In February of 2012, President Obama signed into law provisions that incorporate drones into US airspace.    As local police have asked for FAA approval to incorporate drones into police operations, local outcry has created surprising opposition.  Although current commercial drone technology consists of small systems often weighing less than 5 lb. and with fly time limited to 15 minutes, technology moves rapidly, and these limits may soon be surpassed.  It’s no wonder that more than 30 states are considering legislation limiting the use of drones.

This past February, Virginia became the first state to pass legislation that would require a moratorium on drone use by law enforcement until 2015.  Last week, however, Governor Bob McDonnell proposed some amendments to allow police to use drones for search and rescue missions.  The Governor has the right idea.  An outright ban on drone use is unnecessarily overinclusive.  Regulations should be tailored to permit uncontroversial uses that could drastically improve public services.  The moratorium exception for search and rescue missions is just one example.  States should also consider permitting drone use upon a judicial finding of probable cause—modeled after the Federal Wiretap Act—side-stepping the constitutional question of whether or not an advanced technology fly-over constitutes a search.  Probable cause has always been considered adequate protection for individual privacy.  There is little reason to believe otherwise, even in the context of advanced surveillance technologies.