Carpenter v. United States – What future for digital privacy?

By Jabu Diagana

On November 29th, 2017, the Supreme Court will hear Carpenter v. United States and decide whether the government violates the Fourth Amendment when it accesses a third party’s record of an individual’s cell phone location without a warrant.

Carpenter was a 2011 case where the defendant was convicted of a series of interstate robberies based on his phone location data, also known as cell-site-location information (CSLI). CSLI is maintained by wireless carriers and is a record of the cell towers our phones connect to every time we transmit calls, texts, emails, or any other digital information. It usually includes the precise geolocation of each tower as well as the day and time the phone tried to connect to it. The government obtained CSLI under the Stored Communications Act (SCA), a 1986 federal statute which provides that a “governmental entity may require a provider of electronic communication service or remote computing service to disclose” records using either a warrant, or, as in Carpenter, using a court order issued “if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

Stated differently, the real question is to what extent does the SCA allow the government to obtain CSLI without a warrant? Or to put it more bluntly, is the SCA unconstitutional?

The Sixth Circuit holding in Carpenter turned on the “third-party doctrine.”

The third-party doctrine originated in Smith v. Maryland, a 1979 case in which the Supreme Court found that installing and using a pen register to record a phone user’s dialed numbers was not an illegal search and didn’t merit Fourth Amendment protections. According to the Smith court, although the contents of our phone conversations are protected, information about the sender or receiver is not, since they willingly disclose that information to the phone company every time they place a call. Following this logic, the Sixth Circuit first found that the third-party doctrine also authorizes the government to access CSLI as “business records” directly from a cell phone company without a warrant. Additionally, it found that when a person uses their cell phone, they should be aware that their location data is shared with the service provider and should not have any “reasonable expectation of privacy” with respect to that data.

Although Carpenter is about users’ cell location information, the principle at issue spans other aspects of our digital privacy, given all the data we now share with third parties through the use of smartphones, Wi-Fi hotspots, apps, and cloud-based services. As Justice Sotomayor highlighted in her United States v. Jones concurrence, whatever our current societal expectations of privacy are, our citizenry can “attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.”

Whether Carpenter is affirmed or overruled, the court discourse will likely revolve around the impracticability of the “third-party doctrine” in the digital age. Does sharing with one mean sharing with many? It is tempting to recommend that the court abandon the “third-party” doctrine, but that may be overly simplistic. If the court chooses to modify it, then where should the line be drawn? Should there be a difference between information voluntarily conveyed to a third party and information stored on the cloud? There is also a time component to this issue. How long is continuous tracking too long? All these questions, a priori theoretical, will be fundamental to the future of our privacy.

Are My Emails Beyond the Grasp of the U.S. Government?

By Mackenzie Olson

Companies like Microsoft and Google store a lot of customer data in storage centers overseas. As of July 2016, 2nd Circuit precedent indicated that, due to the foreign location of those centers, the U.S. government could not compel these companies to turn over data, even by issue of a search warrant. The case that rendered this decision was In the Matter of Warrant to Search a Certain E–Mail Account Controlled and Maintained by Microsoft Corporation. (But also take note of the dissent in the denial of en banc review.) As the Southern District of New York adjudicated the Warrant case, the Second Circuit Court of Appeals was its final arbiter. Accordingly, the Court of Appeals’ judgment only controlled as precedent in that jurisdiction. And though its opinion has been persuasive elsewhere, at least one judge, based in the Third Circuit, now disagrees with its outcome.

On February 3, 2017, Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued an opinion and subsequent orders compelling Google to turn over certain data stored in overseas facilities, per the request of two previously issued search warrants.

In his opinion, Judge Rueter explains that “the present dispute centers on the nature and reach of the warrants issued pursuant to section 2703 of the Stored Communications Act, 18 U.S.C. §§ 2701 (“SCA”).”

He frames the relevant issues as follows: “The court must determine whether the [g]overnment may compel Google to produce electronic records relating to user accounts pursuant to search warrants issued under section 2703 of the SCA, or in the alternative, whether Google has provided all records in its possession that the [g]overnment may lawfully compel Google to produce in accordance with the Second Circuit’s ruling.” Rueter ultimately holds that “compelling Google to disclose to the [g]overnment the data that is the subject of the warrants does not constitute an unlawful extraterritorial application of the [SCA].”

In its reporting of the decision, news outlet Reuters particularly emphasizes Judge Rueter’s reasoning that “transferring emails from a foreign server so FBI agents c[an] review them locally as part of a domestic fraud probe d[oes] not qualify as a seizure . . . because there [i]s “no meaningful interference” with the account holder’s “possessory interest” in the data sought . . . [the retrieval] has the potential for an invasion of privacy, [but] the actual infringement of privacy occurs at the time of disclosure in the United States.”

Orin Kerr, law professor at The George Washington University School of Law, notes numerous problems with Judge Rueter’s decision. “The issue in this case is statutory, not constitutional. Even if you accept the (wrong) framing of the issue as being whether the SCA applies outside the United States, the answer has to come from what Congress focused on, not where the constitutional privacy interest may or may not be. Where you place the Fourth Amendment search or seizure strikes me as irrelevant to the extraterritorial focus of the statute.”

Kerr further contends that, “Even accepting the court’s framing, I don’t think it’s right that no seizure occurred abroad. As I see it, copying Fourth Amendment-protected files seizes them under the Fourth Amendment ‘when copying occurs without human observation and interrupts the stream of possession or transmission’. . . . That test is satisfied here when the information was copied. The court suggests that bringing a file back to the United States is not a seizure because Google moves data around all the time and ‘this interference is de minimis and temporary.’ I don’t think that works. Google is a private company not regulated by the Fourth Amendment, so whether it moves around data is irrelevant.”

It will come as no surprise that Google plans to appeal the Third Circuit decision. Likely a slew of other tech and media companies that previously filed amicus curiae briefs in the Microsoft case will file briefs again, such as Apple, Amazon, AT&T, eBay, and Verizon.

Key questions remain, then: what will the Third Circuit decide on review?

Will the court follow the precedent set by the Second Circuit in Warrant?

Will it adopt the reasoning of the dissenters in the denial of Warrant’s en banc review?

Will it follow Judge Rueter’s reasoning in the case at bar?

Or will it render an entirely novel opinion?

And though we can be sure that the losing party will petition the Supreme Court, one also must consider whether a final player will emerge, in the form of Congress directly intervening. After all, the SCA was enacted in 1986, and many consider it not only out of date, but also relatively unworkable for modern technological issues. The time certainly seems ripe for a statutory update.

Game of Drones

By Jessy Nations

Sometime during the past decade or so we started taking the idea of making robots a part of our everyday lives more seriously. Naturally, we went from joking about making machines serve us by doing our menial chores, to teaching them to kill. Once our base needs for violence and subservience were satisfied, we quickly began adapting this technology for the highest, noblest, and most human of all endeavors: bothering our neighbors. Meanwhile, our local legislatures are trying to rein these nuisances in and we have to work with seemingly outdated common law theories until they’re finished.

I’m talking, of course, about small flying robots known as drones. What was once the pinnacle of modern robotics – despite being a glorified RC helicopter with a camera –  is now available from the corner 711 for $30. (No seriously. I’ve almost bought one out of curiosity.)

EU Privacy Litigation: United States Now Filing An Amicus Brief in Facebook Case

By Jason Liu

The United States will be filing an amicus brief in the ongoing EU case between privacy activist Max Schrems and Facebook. Although not filed yet, the brief will provide vital information on the U.S.’ stance on privacy and international data transfers.

The case comes about because the Data Protection Commissioner of Ireland sought a declaratory action in the Irish High Court, alleging that Facebook was illegally transferring EU citizens’ data to the U.S. under EU law.

Past Privacy Actions in Europe

In the related pivotal case invalidating the U.S.-E.U. Safe Harbor agreement, Max Schrems, an Austrian privacy activist and attorney, brought a prior complaint with the Data Protection Commission (in Ireland) that Facebook was illegally transferring EU citizen information to the U.S. Schrems claimed that the personal data he provided to Irish Facebook servers was also transferred to the U.S.

But what is the Safe Harbor in question? EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The prior Safe Harbor agreement allowed U.S. companies to transfer EU citizen data to the U.S. if the U.S. government promised to protect the data.

Schrems claimed that the U.S. failed to provide legal protections against U.S. surveillance of data on U.S. servers. These claims were supported by the Edward Snowden revelations of 2013. The Snowden revelations included the NSA PRISM program that provided the U.S. government access to private industry servers of tech companies such as Google, Facebook, or Apple. Snowden also revealed surveillance of world leaders, XKeyscore (internet activity logging program), and various NSA practices used to overcome encryption and hacking methods.

Ultimately, the European Union Court of Justice (EUCJ) ruled the Safe Harbor agreement invalid due to inadequate protection of EU citizens’ data transferred to the U.S. in light of the Snowden revelations.

What is going on now?

Following the case, the Irish Data Protection Commissioner referred Schrems’ original complaint against Facebook to the Irish High Court and also the EUCJ. The current case is about Standard Contractual Clauses and the ability of tech companies to contract with EU citizens to have their data stored in U.S. servers. U.S. companies have argued the “model clauses” from template agreements provided by the EU Commission let EU member states send personal data to countries lacking “adequate levels” of protection under the 1998 Data Protection Act.

In response, Schrems stated that:

I see no way that the [EUCJ] can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.

What will be the U.S.’ amicus position?

Although unwritten, the U.S.’ amicus brief may contain stances from the U.S.-EU Privacy Shield that was recently ordered by the EU Commission. Notably, the new Privacy Shield will provide:

  • Strong obligations on companies and robust enforcement;
  • Redress options;
  • Clear safeguards and transparency obligations on U.S. government access; and
  • Annual joint review monitoring.

However, because the EU Order providing for the Privacy Shield was EU-centric, it has been difficult to discern which particular points are emphasized by the U.S. Thus, the amicus brief may be a unique opportunity to learn about the most compelling arguments of the U.S. in light of the new Privacy Shield.

Furthermore, although the amicus brief will be directed at international data transfers, it may also prove an important way to gauge how the U.S. views the domestic regulation of data. Through the Cybersecurity National Action Plan, the Obama administration has shown support for protecting privacy rights through the creation of the Federal Privacy Council.

Of course, any further insight into the U.S. treatment of consumer information is always welcome.

Is There Really An App for That?

A Review of Technology That is Intended to Help Protect Against Sexual Assault

By Carlie Bacon

The recent case about Brock Turner sexually assaulting a woman at a Stanford party has caused major outrage and has revived an ongoing public discussion about rape culture, victim blaming, and other important issues.

There’s no doubt that sexual assault is a serious and widespread problem on college campuses and around the world.  The National Sexual Violence Resource Center states that in the U.S., 20 percent of women and about 1.4 percent of men will be raped at some point in their lives, with those numbers skyrocketing when factoring in other forms of sexual violence as well as LGBTQ people.  Incidences are probably much greater in number, as rape is the most under-reported crime.

Over the last few years, app developers and innovators have devised what they believe are ways to help people protect themselves against sexual assault.

Many of the recent designs are fashion-focused. ROAR for Good is a company that has designed and marketed jewelry intended to reduce assaults. The button-sized piece can be worn as a necklace pendant or as a pin. When in need, the wearer presses a panic button that emits a loud alarm and sends distress texts with GPS location to “emergency contacts” (friends and family).

A company out of the Netherlands called Pearltect is designing jewelry that, when activated, produces an odiferous substance to deter sexual activity, and a tracking compound that can link the perpetrator to the crime scene.

Undercover Colors, a start-up comprised of North Carolina State University students, is in the process of bringing to market a nail polish that changes color when it comes into contact with common date rape drugs.  The wearer swirls a coated nail in a drink to determine if such a drug is present.

And let’s not forget the simpler, controversial, but nevertheless innovative, Rape-aXe. The “anti-rape condom” is a barbed, rubber device that women may wear to cut short an assault.

Critics voice concerns about, among other things, the effectiveness of such personal protection devices against the reality of rape: 92 percent of rapes are committed by people familiar to the victim.  Critics also argue against the innovations’ exclusiveness to people who can afford to pay.

In addition to wearable devices, personal safety apps like PanicGuard, MyForce, and OnWatchOnCampus offer various features.

India recently announced its plans to mandate technological crime prevention.  Beginning in 2017, all mobile phones in India must include a panic button.  These new phones will be pre-configured to send a distress signal to family members or the police when the user presses the power button three times in succession.  In 2018, all phones will need to be equipped with GPS.

Despite U.S. law enforcement’s research and implementation of numerous technological innovations in preventing and policing crime, it does not seem that much attention has been devoted to improving ways for the public to communicate with law enforcement.  For instance, text messaging from mobile phones has been available to the public since 1993.  Fast-forward over twenty years, and the Federal Communications Commission reports that “text-to-911” is only available in certain markets where call centers “have elected to accept emergency text messages from the public.”

While apps and gadgets can never solve the underlying issue of sexual violence, they may provide some help in preventing certain instances.  It will be interesting to see how much the public sector includes private sector innovations (even basic stuff like texting) into its crime prevention and policing repertoire.
