U.S. Internet Giants (Probably) Hit Hard By European Safe Harbor Privacy Ruling

By Brooks Lindsay

The European Court of Justice ruled on October 6 to scuttle a 15-year data-transfer pact with the United States. This pact provided a “safe harbor” to over 4,000 transatlantic U.S. companies that claimed to satisfy “adequate” data-protection standards under European law. The “safe harbor” principles allowed U.S. companies operating in Europe, like Facebook and Google, to gather the private information of European citizens and transfer that data to U.S.-based servers, so long as those companies self-certified that they complied with the E.U.’s “adequacy” standards for privacy protection. The European court decided that these principles violated Europeans’ rights to privacy because they allowed American government authorities to gain easy access to Europeans’ online information through U.S.-located databases.

The Court’s ruling is in many ways a reaction to revelations over the past few years of U.S. government mass-surveillance programs, highlighted most poignantly by Edward Snowden’s leak in 2013. The Court’s ruling is based in large part on the premise that the U.S. government and U.S. companies can no longer credibly certify that they are protecting Europeans’ privacy and meeting Europe’s baseline data-protection standards.

New StingRay Policies for both Washington State and the Department of Justice

By Matthew McCoy

Both the State of Washington and the United States Department of Justice (DOJ) have recently issued new policies regarding law enforcement’s use of cell site simulators. Colloquially known as StingRays, cell site simulators spoof cell towers and trick mobile devices in close proximity to the simulator into connecting with it and revealing their unique location information. While it is possible to initiate more sophisticated attacks, such as deception and logging of message contents, the DOJ asserts in its new policy that its StingRays are not configured with such capabilities, in accordance with the pen register and trap and trace definitions in 18 U.S.C. §3127(3).

Research by privacy advocates into previous use of StingRays shows that federal, state, and local law enforcement entities have previously been approved to use them under traditional pen register/trap and trace orders. While the DOJ argues that obtaining authorization pursuant to the Pen Register Statute is appropriate for these devices, critics say pen registers, which record the numbers dialed to and from a phone, are different from cell site simulator technology, which records a phone’s location and manipulates how a phone connects with its cellular network.

A New (Old) Sheriff: The FTC’s Authority on Cybersecurity Affirmed

By Julie Liu

As we know well from news coverage of hacks and leaked information, consumers and employees take a gamble whenever they give their personal information to a company. Consciously or not, these individuals count on the company’s technological savvy in combination with its data security policies to keep the information safe. While this status has not changed much since businesses first became digitized, regulations are gradually catching up. For the Federal Trade Commission (FTC), cybersecurity has been a top priority in recent years, and it will likely tighten its grip on businesses with inadequate security measures.

Late last month, the U.S. Court of Appeals for the Third Circuit issued its long-awaited ruling in FTC v. Wyndham Worldwide Corporation, a case which reevaluated the FTC’s authority to regulate cybersecurity. Litigation began in 2012 when the FTC sued Wyndham Worldwide, a hotel chain company, for unfair business practices. The FTC alleged that Wyndham’s inadequate data security led to three data breaches at Wyndham hotels in two years. According to the complaint, these breaches compromised more than 619,000 payment card accounts and caused over $10.6 million in fraud loss. Wyndham responded with a motion to dismiss the complaint, arguing that the FTC did not have the authority to bring the suit in the first place. The district court denied the motion last year, and the Third Circuit has now affirmed this order on interlocutory appeal.

The Continuing Saga of Cell Phone Tracking

By Kelsey O’Neal

We count on our cell phones to be fast. We hate waiting for a call or a text. Our cell phones constantly emit signals to the closest cell tower. These fast signals instantly gratify us. But as you carry your phone, it creates a mass of data called cell site location information (CSLI). You don’t even have to use your phone; just having it on creates the cell site location information. U.S. federal law is divided on whether the government needs a warrant to get this information. On July 29th, 2015, U.S. District Court Judge Lucy Koh issued an opinion which requires that a government agency get a warrant before it requests 60 days of cell site location information.

Judge Koh wrote that tracking cell phones with historical cell site location information is particularly dangerous because law enforcement can use the cell site information to look into people’s homes and learn detailed information about an individual’s personal life. Judge Koh ruled that the government must obtain a search warrant to access these personal details because: (1) people expect privacy from government intervention when they are at home; (2) people have a higher expectation of privacy when it comes to long-term surveillance; and (3) cell phone location data can reveal a great deal about an individual because everyone turns on their cell phone and carries it with them. Twelve states agree with Judge Koh; six states already have a law that requires the police to get a warrant, and six are trying to get one.

However, not all states or courts agree with Judge Koh. Early this year, an 11th Circuit panel held that the police do NOT have to get a warrant to look at CSLI. Additionally, a 6th Circuit panel in Cincinnati held that you do not have a reasonable expectation of privacy if you accidentally butt-dial, ahem, pocket-dial, somebody. Why? The court compared it to leaving your curtains open; while there is still a privacy interest, it’s not nearly as strong because you are letting people look in your home. It would be simple to protect your privacy by shutting your curtains or by password-protecting your phone.

It looks like this particular fight could head toward the Supreme Court, and the result could impact all cell phone users. Until that time, you should probably put your phone in airplane mode the next time you rob a bank.

Image source: http://thesceneisdead.com/2013/04/08/edc-vegas-protip-75-do-not-expect-cell-phone-service/.

China Poised to Tighten Grip on Cybersecurity with New Law

By Andrew H. Fuller

As cybersecurity becomes a prominent global issue for nation states, governments consider options to curb their nation’s digital vulnerability. On July 6th, China, an undisputed major player on the global digital frontier, released the Cyber Security Law of the People’s Republic of China (“CSL”) for public comments. The CSL will, among other things, encourage education and training in cybersecurity-related fields, establish new protections and rights for personal and sensitive data, and create government-set standards for information technology hardware and software. Once adopted, the CSL will be the first Chinese law that exclusively focuses on cybersecurity.