Author: Daniel Solove

NSA Metadata Surveillance and the Fourth Amendment

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

The court in Klayman has an interesting view of why Smith v. Maryland is no longer applicable. Essentially, the court argues that the pen register information the government could gather when Smith was decided is much different from the very broad systematic gathering of phone records today.

The Klayman court relies on the U.S. Supreme Court’s fairly recent decision in United States v. Jones, 132 S.Ct. 945 (2012), where five justices in concurrences noted that wide-scale extensive surveillance technologies have different implications than their older, more limited counterparts. Jones involved GPS, and the Court there distinguished an earlier case involving a beeper device that tracked a car. In a concurring opinion, Justice Alito wrote that “relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable. But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy. For such offenses, society’s expectation has been that law enforcement agents and others would not—and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.”

I find much merit to the Klayman court’s analysis. I have long argued that Smith was wrongly decided, and not too long ago, I wrote here about why there are strong privacy interests in metadata.

The NSA’s Santa Surveillance Program

I was able to obtain the latest National Security Agency (NSA) memo leaked by Edward Snowden.  I reprint it in full below.

TOP SECRET AND CLASSIFIED

THE NATIONAL SECURITY AGENCY

SANTA SURVEILLANCE PROGRAM (SSP)

Intelligence reports have indicated an alarming amount of chatter between citizens of the United States and a foreign organization with unknown whereabouts somewhere near the North Pole.  The organization is led by an elderly bearded cleric with the alias, “Santa.”

We have probable cause to believe that this “Santa” organization is providing material support to terrorist cells in the United States.  On numerous occasions, “Santa” has reportedly entered the country illegally by flying across the border in a stealth aircraft.  He delivers contraband to various enemy combatants who request weapons and other military vehicles and aircraft.

For example, the intercepted letter below is from an enemy combatant by the name of “Johnny Smith”:

[Image: NSA Santa 01]

Another letter, written by enemy combatant “Mikey Brown” – an alias for Michael Brown – indicates a desire for a weapon of mass destruction called “the Death Star.”   Mikey is now being questioned at an unidentified secure location.

Santa has an army of followers who call themselves “elves” and who train in Santa’s camp.  We fear that these elves are highly radicalized.

Based upon a recent dramatic increase in chatter between the Santa organization and enemy combatants in the U.S., we will initiate a new surveillance program called the “Santa Surveillance Program” (SSP).

We will monitor all communications by all people everywhere.  For minimization standards, we will limit our surveillance to human beings only and not include other life forms.

The SSP will be ongoing until “Santa” is terminated by a drone attack.

Cross-posted at LinkedIn

In Defense of Law Reviews

Criticizing law reviews has been in fashion for quite a while, and in the New York Times there’s a new article with a similar refrain of attacks on law reviews.  In essence, the criticisms boil down to: (1) law reviews should be peer reviewed and articles not selected by law students; (2) many law review articles aren’t cited; (3) practitioners don’t read law review articles.  We’ve heard all these before, and I’m growing very tired of these stale arguments.

Although law reviews are an odd system for publishing, I think that the model is actually not as crazy as it might seem.

1. Is the grass really greener with peer review?

For all their imperfections, students do a fairly decent job. I don’t think that articles in other academic disciplines in the social sciences are any less obscure or are cited more. Peer review is filled with cronyism and with way too much “I don’t like this article because I disagree with it” or “I don’t like this article because I’m not cited enough.”

Although law review editors can get bogged down in silly footnote citation formalities, for the most part, I’ve been pleased with my editing and have received some really excellent editing that has sometimes been more extensive than the editing I’ve received when publishing with academic book publishers.

2. Do we really want to bother with peer review?  Is it still needed in today’s age where there’s no longer a scarcity in publishing opportunities?

Peer review is a “front end” evaluation (prior to publication).  It is designed to determine which scholarship is worthy of publication.  That made sense when there was a scarcity of publishing opportunities.  We wanted good scholarship to be published because being published was something not anyone could do, and it distributed and publicized scholarship.

Today, there isn’t a scarcity of publishing opportunities.  Anyone can publish.  Most articles make it on Westlaw.  Hardly anyone reads the print journals anymore.

Peer review can readily occur on the “back end,” with professors evaluating articles post-publication.

Of course, professors will use law review placement as a proxy rather than read the article and decide its merits for themselves. But this is laziness that professors should blame themselves for. If we want to make things more fair, then professors can be more fair in how they evaluate scholarship and stop using law review placement as a proxy if it isn’t a good proxy.

One reason why professors use law review placement as a proxy is that despite a number of misplaced articles, law review placement isn’t completely random.  It’s not a perfect proxy, but for the most part, the top law reviews publish more articles that I find to be of quality than lower ranked ones.  Not always, but I don’t need a perfect proxy in today’s age where it is so easy to search for and find scholarship.   It’s a kind of weak proxy that can sometimes be helpful, but it shouldn’t replace making one’s own evaluation.

In the end, if we don’t think law reviews do a good job evaluating scholarship, nothing is stopping us from reading it and deciding for ourselves!

3. Should we be alarmed that so few articles are cited?

The FTC and the New Common Law of Privacy

I recently posted a draft of my new article, The FTC and the New Common Law of Privacy (with Professor Woodrow Hartzog).

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.

In this article, we contend that the FTC’s privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. The article explores the following issues:

  • Why did the FTC, and not contract law, come to dominate the enforcement of privacy policies?
  • Why, despite more than 15 years of FTC enforcement, have there been hardly any resulting judicial decisions?
  • Why has FTC enforcement had such a profound effect on company behavior given the very small penalties?
  • Can FTC jurisprudence evolve into a comprehensive regulatory regime for privacy?

The claims we make in this article include:

  • The common view of FTC jurisprudence as thin — as merely enforcing privacy promises — is misguided. The FTC’s privacy jurisprudence is actually quite thick, and it has come to serve as the functional equivalent to a body of common law.
  • The foundations exist in FTC jurisprudence to develop a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves substantive rules that exist independently from a company’s privacy representations.

You can download the article draft here on SSRN.

New Titles from NYU Press

Here are some recent titles from NYU Press:

Those Damned Immigrants: America’s Hysteria over Undocumented Immigration
by Ediberto Román, with a foreword by Michael A. Olivas

Legal Pluralism and Empires, 1500-1850
Edited by Lauren Benton and Richard J. Ross

Hate Thy Neighbor: Move-In Violence and the Persistence of Racial Segregation in American Housing
by Jeannine Bell

Breaking Women: Gender, Race, and the New Politics of Imprisonment
by Jill A. McCorkel

Ghosts of Jim Crow: Ending Racism in Post-Racial America
by F. Michael Higginbotham

The Embattled Constitution
Edited by Norman Dorsen, with Catharine DeJulio

Disabled Education: A Critical Analysis of the Individuals with Disabilities Education Act
by Ruth Colker

Please check out the above books. You can propose a review of one of these books or another recent title not on the list. We’re aiming for reviews between 500 – 1500 words, ideally about 1000 words. Please email your proposals to me.

What Is Personally Identifiable Information (PII)? Finding Common Ground in the EU and US

This post was co-authored by Professor Paul Schwartz.

We recently released a draft of our new essay, Reconciling Personal Information in the European Union and the United States, and we want to highlight some of its main points here.

The privacy law of the United States (US) and European Union (EU) differs in many fundamental ways, greatly complicating commerce between the US and EU.  At the broadest level, US privacy law focuses on redressing consumer harm and balancing privacy with efficient commercial transactions.  In the EU, privacy is hailed as a fundamental right that trumps other interests.  The result is that EU privacy protections are much more restrictive on the use and transfer of personal data than US privacy law.

Numerous attempts have been made to bridge the gap between US and EU privacy law, but a very large initial hurdle stands in the way.  The two bodies of law can’t even agree on the scope of protection let alone the substance of the protections.  The scope of protection of privacy laws turns on the definition of “personally identifiable information” (PII).  If there is PII, privacy laws apply.  If PII is absent, privacy laws do not apply.

In the US, the law provides multiple definitions of PII, most focusing on whether the information pertains to an identified person.  In contrast, in the EU, there is a single definition of personal data to encompass all information identifiable to a person.  Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to use the data in combination with other information to identify a person, then the data is PII.

In our essay, Reconciling Personal Information in the European Union and the United States, we argue that both the US and EU approaches to defining PII are flawed.  We also contend that a tiered approach to the concept of PII can bridge the differences between the US and EU approaches.

Mug Shot Blackmail?

A recent article from the Associated Press describes a troubling new website that posts people’s mug shots and then charges people to have them taken down:

After more than seven years and a move 2,800 miles across the country, Christopher Jones thought he’d left behind reminders of the arrest that capped a bitter break-up. That was, until he searched the Internet last month and came face-to-face with his 2006 police mug shot.

The information below the photo, one of millions posted on commercial website mugshots.com, did not mention that the apartment Jones was arrested for burglarizing was the one he’d recently moved out of, or that Florida prosecutors decided shortly afterward to drop the case. But, otherwise, the digital media artist’s run-in with the law was there for anyone, anywhere, to see. And if he wanted to erase the evidence, says Jones, now a resident of Livermore, Calif., the site’s operator told him it would cost $399.

The practice seems outrageous, but is there any way the law can address it? The First Amendment protects people in publishing any information they glean from public records. See Cox Broadcasting Corp. v. Cohn, 420 US 469 (1975).

But this practice might run afoul of the blackmail statutes in many states. For example, here’s Kansas’s blackmail statute:

Blackmail is gaining or attempting to gain anything of value or compelling another to act against such person’s will, by threatening to communicate accusations or statements about any person that would subject such person or any other person to public ridicule, contempt or degradation.

There are several interesting issues here.

First, does the practice of this site and others like it violate some blackmail statutes? The statute I quoted above appears to focus on the threat to divulge information, but it is unclear as to whether the information must previously be unknown. The site has already revealed the information; the money is demanded to stop doing so. Blackmail is a relatively rare legal issue these days, and I don’t know offhand how this practice would fit into many blackmail laws. But there definitely seems to be a decent argument that the site’s practices might be quite close to blackmail.

Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy

In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.

I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.

But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud.

The Widespread Hunger for Access

Employers are not the only ones demanding social media passwords – schools are doing so too, especially athletic departments in higher education, many of which engage in extensive monitoring of the online activities of student athletes. Some require students to turn over passwords, install special software and apps, or friend coaches on Facebook and other sites. According to an article in USA Today: “As a condition of participating in sports, the schools require athletes to agree to monitoring software being placed on their social media accounts. This software emails alerts to coaches whenever athletes use a word that could embarrass the student, the university or tarnish their images on services such as Twitter, Facebook, YouTube and MySpace.”

Not only are colleges and universities engaging in the practice, but K-12 schools are doing so as well. An MSNBC article discusses the case of a parent’s outrage over school officials demanding access to a 13-year-old girl’s Facebook account. According to the mother, “The whole family is exposed in this. . . . Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there’s these anonymous people reading through this information.”

In addition to private sector employers and schools, public sector employers such as state government agencies are demanding access to online accounts. According to another MSNBC article: “In Maryland, job seekers applying to the state’s Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through posts, friends, photos and anything else that might be found behind the privacy wall.”

Harvard Law Review Privacy Symposium Issue

The privacy symposium issue of the Harvard Law Review is hot off the presses.  Here are the articles:

SYMPOSIUM
PRIVACY AND TECHNOLOGY
Introduction: Privacy Self-Management and the Consent Dilemmas
Daniel J. Solove

What Privacy is For
Julie E. Cohen

The Dangers of Surveillance
Neil M. Richards

The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures
Paul M. Schwartz

Toward a Positive Theory of Privacy Law
Lior Jacob Strahilevitz

Privacy Self-Management and the Consent Dilemma

I’m pleased to share with you my new article in Harvard Law Review entitled Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013). You can download it for free on SSRN. This is a short piece (24 pages) so you can read it in one sitting.

Here are some key points in the Article:

1. The current regulatory approach for protecting privacy involves what I refer to as “privacy self-management” – the law provides people with a set of rights to enable them to decide how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data. Unfortunately, privacy self-management is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control over personal data.

2. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model.

3. People cannot appropriately self-manage their privacy due to a series of structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. Moreover, many privacy harms are the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses.

4. Privacy self-management addresses privacy in a series of isolated transactions guided by particular individuals. Privacy costs and benefits, however, are more appropriately assessed cumulatively and holistically — not merely at the individual level.

5. In order to advance, privacy law and policy must confront a complex and confounding dilemma with consent. Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution – paternalistic measures – even more directly denies people the freedom to make consensual choices about their data.

6. The way forward involves (1) developing a coherent approach to consent, one that accounts for the social science discoveries about how people make decisions about personal data; (2) recognizing that people can engage in privacy self-management only selectively; (3) adjusting privacy law’s timing to focus on downstream uses; and (4) developing more substantive privacy rules.

The full article is here.

Cross-posted on LinkedIn.