Carpenter v. United States – What future for digital privacy?

By Jabu Diagana

On November 29th, 2017, the Supreme Court will hear Carpenter v. United States and decide whether the government violates the Fourth Amendment when it accesses a third party’s record of an individual’s cell phone location without a warrant.

Carpenter was a 2011 case where the defendant was convicted of a series of interstate robberies based on his phone location data, also known as cell-site-location information (CSLI). CSLI is maintained by wireless carriers and is a record of the cell towers our phones connect to every time we transmit calls, texts, emails, or any other digital information. It usually includes the precise geolocation of each tower as well as the day and time the phone tried to connect to it. The government obtained CSLI under the Stored Communications Act (SCA), a 1986 federal statute which provides that a “governmental entity may require a provider of electronic communication service or remote computing service to disclose” records using either a warrant, or, as in Carpenter, using a court order issued “if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

Stated differently, the real question is to what extent does the SCA allow the government to obtain CSLI without a warrant? Or to put it more bluntly, is the SCA unconstitutional?

The Sixth Circuit holding in Carpenter turned on the “third-party doctrine.”

The third-party doctrine originated in Smith v. Maryland, a 1979 case in which the Supreme Court found that installing and using a pen register to record a phone user’s dialed numbers was not an illegal search and didn’t merit Fourth Amendment protections. According to the Smith court, although the contents of our phone conversations are protected, information about the sender or receiver is not, since they willingly disclose that information to the phone company every time they place a call. Following this logic, the Sixth Circuit first found that the third-party doctrine also authorizes the government to access CSLI as “business records” directly from a cell phone company without a warrant. Additionally, it found that when a person uses their cell phone, they should be aware that their location data is shared with the service provider and should not have any “reasonable expectation of privacy” with respect to that data.

Although Carpenter is about users’ cell location information, the principle at issue spans other aspects of our digital privacy, given all the data we now share with third parties through the use of smartphones, wifi hotspots, apps, and cloud-based services. As Justice Sotomayor highlighted in her United States v. Jones concurrence, whatever our current societal expectations of privacy are, our citizenry can “attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.”

Whether Carpenter is affirmed or overruled, the court discourse will likely revolve around the impracticability of the “third-party doctrine” in the digital age. Does sharing with one mean sharing with many? It is tempting to recommend that the court abandon the “third party” doctrine, but that may be oversimplistic. If the court chooses to modify it, then where should the line be drawn? Should there be a difference between information voluntarily conveyed to a third party and information stored on the cloud? There is also a time component to this issue. How long is continuous tracking too long? All these questions, a priori theoretical, will be fundamental to the future of our privacy.

What To Do About Russian Facebook Trolls?

By Hugo Fraga

Once again, Facebook is being prodded by state officials—this time from across the pond. Just one month after revealing to Congress that Russian-linked accounts purchased $150,000 worth of political ads during the US election, Facebook is being asked to provide British lawmakers with information on ads purchased by Russian-linked Facebook accounts during last year’s Brexit referendum and during this year’s general election.

Lawmakers in both the United States and Britain worry that the social media giant is providing a platform for foreign governments to interfere with the democratic process. Up until now, Facebook has not provided enough information to Congress to assuage this worry. For that reason, Congress—and from the looks of it, Parliament as well—is considering a bill that would require political advertisements on social media platforms to disclose who is paying for the advertisement.

This kind of regulation—at least in the U.S.—isn’t new. The Federal Election Commission is charged with ensuring that political advertisements on television and radio reveal the source of their funds and has a similar regulation for radio and television ads. But as it stands now, political advertisers on social media platforms, like Facebook, escape the FEC’s requirement to disclose the source of their funds because such advertisements are considered merely “small items,” and thus are in the same group as, say, buttons and bumper stickers.

However, Congress has introduced a bill entitled “The Honest Ads Act” that could change that. The Honest Ads Act would require social media companies with more than 50 million monthly users to make public detailed information about any political advertiser who spends over $500 on their platforms. Furthermore, it would require social media platforms to take “reasonable efforts” to ensure that any political advertisements or content they display were not purchased by a foreign national.

But some argue that this isn’t enough. Brendan Fischer, director of the Federal Election Commission reform at the Campaign Legal Center, told Wired Magazine that the kinds of advertisements purchased by Russian-linked accounts wouldn’t fall under campaign finance law because none of them included “expressed advocacy”—i.e., a prompt to vote for this or that candidate. And even if Congress expanded the meaning of a bill to include the kind of ads purchased by Russian-linked accounts, there would still be ways around it, like forming a “fake news” website and then posting the ad as an article instead.

Nonetheless, Congress likely realizes that a single bill won’t fix this problem and that there will be ways around any proposed solutions. However, many members of Congress see this bill more as an attempt to regulate what has seemed impossible to regulate: Facebook. And the advantage of that is that people won’t have to rely on Facebook’s internal efforts to solve the problem. After all, when have a company’s self-legislated efforts ever been in favor of the people?

Sharing Is Not Always Easy – An Analysis of Sharing Data Between the Public and Private Sectors

By Isaac Prevost

Traffic data plays an important role for public agencies concerned with traffic management and infrastructure. We’re seeing private companies collect more and more of this data, occasionally resulting in partnerships between governments and those private companies. However, whether these partnerships will stave off an increased interest in regulatory requirements of private data disclosure remains to be seen.

Federal, state, and local governments collect significant data about traffic patterns and use of the roadway system. The collection methods used by governmental entities range from interconnected sensors along the road to government employees manually tallying vehicle occupancies. This information is then used to analyze infrastructure needs, improve public transportation routes, and provide real-time traffic information to the public. In recent years, however, there has also been a substantial uptick in the amount of traffic data collected by private companies. This is occurring with the prevalence of ride-sharing companies, increasingly-automated cars, and mapping applications such as Google Maps.

So, just how are public transportation agencies utilizing these new sources of data? Waze, a GPS navigation software owned by Google, launched the Connected Citizens Program in 2014 that shares traffic and road information with public entities for free. Agencies that partner with them participate in a two-way exchange of traffic data, giving Waze information on road closures and incidents. This private data supplements the government’s data, providing better information on functions such as the timing of traffic signals or the dispatch of emergency vehicles.

An alternative example of these partnerships can be found between Strava Metro and public agencies, where the agency pays for access to the data. Strava, a popular application for runners and cyclists, gives the public entities access to their users’ running and cycling routes. The Oregon Department of Transportation pays $20,000 per year for access to the data. Information from Strava Metro was a factor in the decision to restrict cars from Portland’s Tilikum Crossing bridge. These types of collaborations are just a small sample of how private data is increasingly being used in public planning.

However, even though the voluntary sharing of private data with public entities has become more common, it has not happened without its hurdles. While governments may be eager to use the data that companies like Waze or Strava are willing to share or sell, tensions have arisen when a company like Uber is reluctant to turn over data or withholds certain customer information. A partnership between Uber and the City of Boston in 2015 produced underwhelming results because Uber only disclosed the zip codes for the start and end location of an Uber user’s ride. A city official explained that the location information was not specific enough to be useful for urban planning.

Instead of pursuing partnerships, some cities have required data from ridesharing companies in exchange for their license to operate in the area. In January 2017, the New York City Taxi and Limousine Commission requested all passenger pick-up and drop-off information from ride-sharing companies such as Uber and Lyft. Uber publicly objected to the proposal, citing the privacy of their drivers, but the Commission kept the requirement. The City expressed interest in the value of Uber’s data for traffic planning and analysis, as well as a tool for preventing drivers from working beyond their permitted total of work.

Possibly in an effort to appease regulators, Uber launched Uber Movement this year, which aggregates and anonymizes Uber’s ride data to show the traffic flows of various cities. In their FAQs section, Uber Movement states that the launch of the site was partially due to feedback from government agencies that “aggregated data will inform decisions about how to adapt existing infrastructure and invest in future solutions to make our cities more efficient.” One of their pilot reports tracked how a metro shutdown in Washington D.C. affected travel times in the city. The New York Times labeled this website “an olive branch to local governments.”

Uber Movement formally launched in August. As it gains more and more data on various cities, it could provide an interesting case study: what amount and type of private traffic data are governmental entities hoping to access? Will the availability of this data stave off further local and state regulations? Partnerships between governments and private companies are becoming more and more common, but the success or failure of Uber Movement may provide some insight into what lies ahead for these types of partnerships.

 


Regulatory Landscape Remains Unclear for Mobile Health App Developers

By Mariko Kageyama

The digital health field has been growing exponentially and is now expanding rapidly into emerging markets. As a result, mobile health apps, or “mHealth apps,” have exploded in popularity. If you search for “health” on online app stores such as Apple’s App Store or Google Play, you will have no problem finding countless apps with various health-related purposes. One survey reports that nearly 260,000 mHealth apps were available worldwide by 2016.

However, what mHealth app developers and consumers may not realize is that these new technologies are becoming the target of increasingly tight regulations by both federal and state laws in the United States.

At the federal level, mobile health apps may be scrutinized under the following federal agency laws:

  • Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act – These acts regulate data privacy and security of health information. They are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC);
  • Food, Drug, and Cosmetic Act (FDCA) – This act allows the Food and Drug Administration (FDA) to regulate the safety and effectiveness of “medical devices;” and
  • Federal Trade Commission Act (FTC Act) – This act both creates the FTC and allows it to enforce and penalize deceptive or unfair business practices including false or misleading claims about apps’ performance.

Among these major agency players, the FDA has struggled the most with trying to adapt its existing regulatory framework to include and regulate mHealth apps.

For instance, the FDA can regulate “medical devices,” but what qualifies as a “medical device” under FDA law? According to its 2015 Guidance, the FDA does not want to regulate every single smartphone app that tangentially relates to fitness or wellness. Instead, the FDA only wants to keep an eye on a small subset of apps called “mobile medical apps” that may pose moderate to high risks to a patient’s safety if the apps fail to work as intended. “Mobile medical apps” can either be those connected to existing medical devices already regulated by the FDA, or those that “transform” mobile platforms into an FDA-regulated device.

The FDA explains that a mobile app “transforms” into a medical device when it uses attachments, display screens, or sensors, or when it uses a mobile platform’s built-in features such as light, vibrations, and camera to create functionalities similar to those of currently regulated devices. But the exact actions that constitute a “transformation” are not yet known and remain open to significant agency discretion.

Therefore, if you were to create a new mHealth app that “transforms” a mobile device, you may need to seek FDA approval for a specific medical device classification based on the level of safety risks it poses. The classes are ranked I, II, or III and any class of device can be subject to what is known as Premarket Notification 510(k).

In anticipation of ambiguities in this field, multiple federal agencies collaborated in 2016 to create the Mobile Health Apps Interactive Tool. What is unique about this user-friendly educational website is that it is clearly intended for IT developers, not healthcare professionals or general consumers.

State laws have also come into play. Earlier in 2017, the New York Attorney General settled with three mHealth app developers for state law violations over their misleading marketing and privacy practices. Those mHealth apps are: My Baby’s Beat–Prenatal Listener; Heart Rate Monitor & Pulse Tracker; and Cardiio-Heart Rate Monitor + 7 Minute Workout. As illustrated in the settlement documents, these apps do not look any more sophisticated than other similar apps, but the New York AG maintained that these cardiac rate monitors probably fall under FDA Class II medical devices. Such a classification means that these are higher risk devices than Class I and thus subject to greater regulatory controls. Although the investigation did not go further, these state cases show that mHealth app developers and manufacturers can be exposing themselves to large amounts of liability at the state level as well as the federal level.

Despite this heightened oversight, the current FDA Guidance is clearly nothing more than a temporary fix when much more is needed to address these issues in such a rapidly growing and changing field. Because Congress has a less-than-great track record of quickly enacting laws, the FDA and other relevant agencies should act swiftly to reevaluate these regulations in order to ensure consumer health and safety while simultaneously fostering innovation in this massively beneficial field.


Virtual Trespass: Not in My Backyard

By Yonah Reback

Who could have predicted that last summer’s biggest fad would be the reemergence of a Japanese video game whose cultural relevance peaked fifteen years ago? If you had known that Pokémon Go would immediately sweep the nation’s interest upon its release in July 2016, call me—I want your stock tips for this summer. For the rest of us mortals, the game was a surprise hit, quickly drawing the attention of not just kids and gamers, but anyone tuned in to pop culture.

Twitter Fights Back in the ‘Trump Era’ to Protect ‘Rogue’ Government Accounts


By Jeff Bess

During the early days of Donald Trump’s presidency, Twitter accounts purporting to represent unofficial “resistance” factions of federal agencies emerged and proliferated alternative perspectives on the inner workings of the Trump administration and its policies. These accounts claim to represent holdover factions from the Obama administration and career officials in agencies and government organizations such as the National Parks Service and the Federal Bureau of Investigation. The accounts issued frequent tweets critiquing the Trump administration’s policies across a variety of issues. Agencies “represented” by “alternative” Twitter accounts run the gamut from the Department of Justice to NASA to the National Weather Service.


$5.3 Million Settlement over “Find Friends” iOS Feature

By Kiran Jassal

Eight companies (Foodspotting, Foursquare, Gowalla, Instagram, Kik, Path, Twitter, and Yelp) have agreed to a proposed settlement of $5.3 million in a case surrounding the “Find Friends” feature in iOS apps. As the name suggests, “Find Friends” allows consumers to quickly discover if any of their contacts are also using an app. Interestingly, both Apple and LinkedIn are among the companies named in the lawsuit; however, they are continuing to fight the case while the aforementioned entities have decided to settle.

Public Records in the Age of Trump

By Jeff Bess

It is more than cliché to observe that the advent and evolution of the internet has deeply transformed modern society in many ways, both micro and macro. Indeed, not a clearer example exists than the role social media played in the 2016 presidential election. With over twenty million followers on Twitter and nearly 35,000 tweets, Donald Trump leaned into this direct line to the masses to set a new high water mark for social media ubiquity in pursuit of the White House.

Though derided by many as misguided or un-presidential, it is undeniable that Trump’s avid use of Twitter has been and continues to be effective. Indeed his prolific social media presence was a key source of the estimated $2 billion in earned media that greatly contributed to his success. And now that he is president, do his characteristic early morning, sometimes scattershot flurries of 140-character missives count as official government records? In other words, are they subject to federal document retention laws?


They Are Listening and It CAN Come Back to Haunt You

Amazon Echo

By Tyler Quillin

 

How many smart devices with voice-activation capabilities surround you at any given moment? How many times have you thought about whether they are listening to everything you’re saying, just waiting for the word “Alexa” to wake them up from their idle eavesdropping? Well, some of your concerns may soon be answered by a court in Arkansas.

In late 2016, the Bentonville Police Department of Arkansas obtained a search warrant for the recordings produced through Amazon’s “Echo” device pertaining to a bathtub murder. Echo is aptly described as an “always on” device. It continuously listens, waiting to hear the term “Alexa,” which “wakes” it up. Once awoken, Alexa will perform various tasks upon verbal request. She does everything from checking the weather or traffic, to answering trivia, to playing music through a Bluetooth connection.


A Tale of Two Cameras

By Daniel Healow

Depending on your views about privacy and police accountability, it may be the best of times or the worst of times. Either way, it is clear that sensors, specifically cameras, have taken center stage as communities seek to objectively reconstruct confrontations between law enforcement and the public.

In what many call the “fastest technology upgrade in policing history”, body-worn cameras (BWCs) are quickly being deployed by police forces throughout the nation, inspiring widespread public support. Although a recent New York Times profile on the rollout of BWCs in Seattle highlighted the growing pains of rapidly deploying new technology, a summer survey found that 70% of Americans support BWCs becoming standard issue throughout all law enforcement. As an added bonus, the cameras appear to be increasing public accountability as well. Studies show public complaints of police misconduct down a whopping 93% in municipalities that have deployed the cameras. So the more cameras the better, right?
