Archive for the ‘Privacy (Electronic Surveillance)’ Category

Overturning the Third-Party Doctrine by Statute: Hard and Harder

posted by Robert Gellman

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Read the rest of this post »

  April 29, 2013 at 12:02 pm   Posted in: Criminal Procedure, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   3 Comments

Privacy & Information Monopolies

posted by Frank Pasquale

First Monday recently published an issue on social media monopolies. These lines from the introduction by Korinna Patelis and Pavlos Hatzopolous are particularly provocative:

A large part of existing critical thinking on social media has been obsessed with the concept of privacy. . . . Reading through a number of volumes and texts dedicated to the problematic of privacy in social networking one gets the feeling that if the so called “privacy issues” were resolved social media would be radically democratized. Instead of adopting a static view of the concept . . . of “privacy”, critical thinking needs to investigate how the private/public dichotomy is potentially reconfigured in social media networking, and [the] new forms of collectivity that can emerge . . . .

I can even see a way in which privacy rights do not merely displace, but actively work against, egalitarian objectives. Stipulate a population with Group A, which is relatively prosperous and has the time and money to hire agents to use notice-and-consent privacy provisions to its advantage (i.e., figuring out exactly how to disclose information to put its members in the best light possible). Meanwhile, most of Group B is too busy working several jobs to use contracts, law, or agents to its advantage in that way. We should not be surprised if Group A leverages its mastery of privacy law to enhance its position relative to Group B.

Better regulation would restrict use of data, rather than “empower” users (with vastly different levels of power) to restrict collection of data. As data scientist Cathy O’Neil observes:
Read the rest of this post »

  April 20, 2013 at 1:03 pm   Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (National Security), Social Network Websites, Sociology of Law   Print This Post   2 Comments

“Brain Spyware”

posted by Ryan Calo

As if we don’t have enough to worry about, now there’s spyware for your brain.  Or, there could be.  Researchers at Oxford, Geneva, and Berkeley have created a proof of concept for using commercially available brain-computer interfaces to discover private facts about today’s gamers. Read the rest of this post »

  April 14, 2013 at 12:57 am   Posted in: Bioethics, Civil Rights, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Technology, Uncategorized   Print This Post   One Comment

Bartelt’s Dog and the Continuing Vitality of the Supreme Court’s Tacit Distinction between Sense Enhancement and Sense Creation

posted by Albert Wong

Last Term, in an amicus brief in United States v. Jones, 565 U.S. __, several colleagues and I highlighted the Supreme Court’s long, albeit not always clearly stated, history of distinguishing between sense-enhancing and sense-creating technologies for Fourth Amendment purposes.  As a practical matter, the Court has consistently subjected technologies in the latter category to closer scrutiny than technologies that merely bolster natural human senses.  Thus, the use of searchlights, field glasses, and (to some extent) beepers and airplane-mounted cameras was not found to implicate the Fourth Amendment.  As the Court explained, “[n]othing in the Fourth Amendment prohibit[s] the police from augmenting the sensory faculties bestowed upon them at birth with such enhancement as science and technology” may afford.  460 U.S. at 282 (emphasis added).  In contrast, the Court has held that technologies that create a new capacity altogether, including movie projectors, wiretaps, ultrasound devices, radar flashlights, directional microphones, thermal imagers, and (as of Jones) GPS tracking devices, do trigger the Fourth Amendment.  To hold otherwise, as the Court has stated, would “shrink the realm of guaranteed privacy,” leaving citizens “at the mercy of advancing technology.”  533 U.S. at 34-36.

In fact, of the landmark cases involving technology and the Fourth Amendment during the past 85 years (from United States v. Lee, 274 U.S. 559, in 1927 to Jones in 2012), only in one instance did the Supreme Court appear to deviate from this distinction between sense enhancement and sense creation.  In that case, United States v. Place, 462 U.S. 696, and its successors, City of Indianapolis v. Edmond, 531 U.S. 32, and Illinois v. Caballes, 543 U.S. 405, the Court held that the use of trained narcotics-detection dogs (more apparently similar to using a new capacity than merely enhancing a natural human sense) did not implicate the Fourth Amendment.  In our amicus brief in Jones, we rationalized Place, Edmond, and Caballes by arguing that dogs were unique, being natural biological creatures that had long been used by the police, even in the time of the Framers.  Further, we argued, a canine sniff, unlike the use of, say, a wiretap or a thermal imager, “discloses only the presence or absence of narcotics, a contraband item.”  462 U.S. at 707 (emphasis added).  Still, the apparent ‘dog exception’ was rankling. Read the rest of this post »

  March 31, 2013 at 11:35 am   Posted in: Anonymity, Constitutional Law, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Supreme Court, Technology, Uncategorized   Print This Post   14 Comments

Some Thoughts On Florida v. Jardines

posted by Ryan Calo

Amidst all of the discussion of gay marriage at One First Street NW today, you may have missed that the Supreme Court decided Florida v. Jardines.  In a five-four opinion by Justice Scalia, the Court held that bringing a police dog within the curtilage (in this case, the front porch) of the home to sniff for drugs constitutes a search for purposes of the Fourth Amendment.  As Orin Kerr predicted, the opinion turned on the lack of implied consent to approach with a dog, which converted the detectives’ action into a trespass.  Justices Thomas, Ginsburg, Sotomayor, and Kagan joined Justice Scalia’s opinion.  Justice Alito wrote for the dissent, joined by Justices Kennedy, Breyer, and the Chief Justice.  Justice Kagan, joined by Justices Ginsburg and Sotomayor, wrote separately to note that they “could just as happily have decided [the case] by looking to Jardines’ privacy interests.” Read the rest of this post »

  March 26, 2013 at 1:21 pm   Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Supreme Court, Uncategorized   Print This Post   2 Comments

“The Future of Drones in America” Hearing

posted by Ryan Calo

I got the chance to testify at a hearing of the full Senate Judiciary Committee about the domestic use of drones yesterday. The New York Times has this coverage and, for aficionados of torts, I talk about intrusion upon seclusion with Senator Dick Durbin in this clip from NBC News. Should you get a chance to watch the hearing in full, Senator Al Franken’s thoughts at the end were particularly vivid. My written and oral comments were similar to those outlined in my previous post: privacy law places few limits on the use of drones for surveillance, but we should be very careful in crafting any drone-specific legislative response.  It happens that, about when I was testifying, my students were taking a final where one of the questions involved a drone filming a private party.  I feel they had fair notice that this might be on the exam.

  March 21, 2013 at 7:42 pm  Tags: Robotics  Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Technology, Tort Law   Print This Post   No Comments

New Edition of Solove & Schwartz’s Privacy Law Fundamentals: Must-Read (and Check out the Video)

posted by Danielle Citron

Privacy leading lights Dan Solove and Paul Schwartz have recently released the 2013 edition of Privacy Law Fundamentals, a must-have for privacy practitioners, scholars, students, and really anyone who cares about privacy.

Privacy Law Fundamentals is an essential primer of the state of privacy law, capturing the up-to-date developments in legislation, FTC enforcement actions, and cases here and abroad.  As Chief Privacy Officers like Intel’s David Hoffman and renown privacy practitioners like Hogan’s Chris Wolf and Covington’s Kurt Wimmer agree, Privacy Law Fundamentals is an “essential” and “authoritative guide” on privacy law, compact and incredibly useful.  For those of you who know Dan and Paul, their work is not only incredibly wise and helpful but also dispensed in person with serious humor.  Check out this You Tube video, “Privacy Law in 60 Seconds,” to see what I mean.  I think that Psy may have a run for his money on making us smile.

  March 8, 2013 at 8:42 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   Print This Post   4 Comments

In Honor of Alan Westin: Privacy Trailblazer, Seer, and Changemaker

posted by Danielle Citron

Privacy leading light Alan Westin passed away this week.  Almost fifty years ago, Westin started his trailblazing work helping us understand the dangers of surveillance technologies.  Building on the work that Warren and Brandeis started in “The Right to Privacy” in 1898, Westin published Privacy and Freedom in 1967.  A year later, he took his normative case for privacy to the trenches.  As Director of the National Academy of Science’s Computer Science and Engineering Board, he and a team of researchers studied governmental, commercial, and private organizations using databases to amass, use, and share personal information.  Westin’s team interviewed 55 organizations, from local law enforcement, federal agencies like the Social Security Administration, and direct-mail companies like R.L. Polk (a predecessor to our behavioral advertising industry).

The 1972 report, Databanks in a Free Society: Computers, Record-Keeping, and Privacy, is a masterpiece.  With 14 case studies, the report made clear the extent to which public and private entities had been building substantial computerized dossiers of people’s activities and the risks to economic livelihood, reputation, and self-determination.  It demonstrated the unrestrained nature of data collection and sharing, with driver’s license bureaus selling personal information to direct-mail companies and law enforcement sharing arrest records with local and state agencies for employment and licensing matters.  Surely influenced by Westin’s earlier work, some data collectors, like the Kansas City Police Department, talked to the team about privacy protections, suggesting the need for verification of source documents, audit logs, passwords, and discipline for improper use of data. Westin’s report called for data collectors to adopt ethical procedures for data collection and sharing, including procedural protections such as notice and chance to correct inaccurate or incomplete information, data minimization requirements, and sharing limits.

Westin’s work shaped the debate about the right to privacy at the dawn of our surveillance era. His changing making agenda was front and center of  the Privacy Act of 1974.  In the early 1970s, nearly fifty congressional hearings and reports investigated a range of data privacy issues, including the use of census records, access to criminal history records, employers’ use of lie detector tests, and the military and law enforcement’s monitoring of political dissidents. State and federal executives spearheaded investigations of surveillance technologies including a proposed National Databank Center.

Just as public discourse was consumed with the “data-bank problem,” the courts began to pay attention. In Whalen v. Roe, a 1977 case involving New York’s mandatory collection of prescription drug records, the Supreme Court strongly suggested that the Constitution contains a right to information privacy based on substantive due process. Although it held that the state prescription drug database did not violate the constitutional right to information privacy because it was adequately secured, the Court recognized an individual’s interest in avoiding disclosure of certain kinds of personal information. Writing for the Court, Justice Stevens noted the “threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.”  In a concurring opinion, Justice Brennan warned that the “central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.”

What Westin underscored so long ago, and what Whalen v. Roe signaled, technologies used for broad, indiscriminate, and intrusive public surveillance threaten liberty interests.  Last term, in United States v. Jones, the Supreme Court signaled that these concerns have Fourth Amendment salience. Concurring opinions indicate that at least five justices have serious Fourth Amendment concerns about law enforcement’s growing surveillance capabilities. Those justices insisted that citizens have reasonable expectations of privacy in substantial quantities of personal information.  In our article “The Right to Quantitative Privacy,” David Gray and I are seeking to carry forward Westin’s insights (and those of Brandeis and Warren before him) into the Fourth Amendment arena as the five concurring justices in Jones suggested.  More on that to come, but for now, let’s thank Alan Westin for his extraordinary work on the “computerized databanks” problem.

  February 24, 2013 at 10:18 am   Posted in: Criminal Procedure, Current Events, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement)   Print This Post   4 Comments

“Kicking the Tires” is not “Looking Under the Hood”

posted by Frank Pasquale

Celebrated in the tech press only a week ago, the FTC inaction (and non-explanation of its inaction) with respect to search bias concerns is already starting to curdle. The FT ran a front page headline titled “Europe Takes Tough Stance on Google.” Another story included this striking comment from the EU’s competition chief:

Almunia insists that the Federal Trade Commission decision will be “neither an obstacle [for the European Commission] nor an advantage [for Google]. You can also think, well, this European authority, the commission, has received a gift from the American authorities, given that now every result they will get will be much better than the conclusions of the FTC,” he said with playful confidence. “Google people know very well that they need to provide results and real remedies, not arguments or comparisons with what happened on the other side [of the Atlantic].”

In response to allegations of search bias, Google has essentially said, “Trust us.” And at the end of its investigation into the potential bias, the FTC has essentially said the same. One public interest group has already put in a FOIA request for communications between Google and the FTC. Consumer Watchdog has requested a staff report that was reported to have recommended more robust action. Will Google, an advocate of openness in government and the internet generally, hold firm to its professed principles and commend those requests?
Read the rest of this post »

  January 11, 2013 at 10:28 am   Posted in: Antitrust, Cyberlaw, Google & Search Engines, Government Secrecy, Political Economy, Privacy (Electronic Surveillance), Technology   Print This Post   2 Comments

Cyberstalking, Still Ignored (Really)

posted by Danielle Citron

Since Friday, the news has been abuzz about the resignation of General Patraeus and the FBI investigation of alleged cyber stalking that led to the exposure of his affair and potential security risk — blackmail — that such an affair raises.  According to today’s New York Times and other media coverage, the FBI agent who spearheaded the cyber stalking investigation was not really seeking to enforce the federal Interstate Stalking law.  Instead, the agent thought, “This is serious” because the e-mail sender “seem[ed] to know the comings and goings of a couple of generals.’”  The FBI agent supposedly worried that might suggest the Generals were being stalked in ways that could compromise national security.  The Times explains that the agent “doggedly pursued Ms. Kelley’s cyberstalking complaint,” despite being admonished by supervisors who thought he was trying to improperly insert himself into the investigation.  What’s clear: the agent pursued a criminal investigation of Ms. Broadwell for allegedly stalking Ms. Kelley (though it’s clear that is not the stalking that worried the FBI), which served as the basis for the warrant obtained by the FBI to retrieve Broadwell’s e-mails and ultimately obtain the e-mails of General Patraeus.  This investigation used cyber stalking of Ms. Kelley as a pretext to obtain Ms. Broadwell’s e-mails and hence to better understand what the agent thought was the sexual nature of the relationship between Ms. Broadwell and the General.

On first hearing about the investigation, I never kidded myself that the FBI was taking cyber stalking seriously.  That is not to say that they never do, but the typical response to cyber stalking complaints is to advise victims to turn off their computers, to return to the precinct when their stalkers confront them offline, to pursue their harassers with civil suits, and/or to ignore their attackers who will eventually get bored.  Or as cyber stalking victims have told me, law enforcement agents, both federal and state, incorrectly tell them that criminal law provides little help to cyber stalking victims.  (Federal and state law often does punish repeated online conduct directed at private individuals for no legitimate reason that is designed to cause substantial emotional distress that does in fact cause substantial emotional distress, 18 U.S.C. 2261A(2)(A)).  Indeed, little has changed since the Department of Justice reported in 2001 that the majority of law enforcement agencies refused to investigate cyber stalking cases because they lacked training to understand the seriousness of the attacks and the potential legal responses.  Part of the problem may be attributable to officers’ poor response to stalking generally.  According to the 2009 National Crime Victimization Survey, stalking continues to be frequently overlooked and often misunderstood.  Half of those surveyed explained  that officers took a report and did nothing else.  Almost 19% reported that officers did nothing at all.  They attributed police inaction to a lack of interest in getting involved, a sense that no legal authority existed, and incompetence.  Lack of training and troubling social attitudes are to blame for criminal law’s under-enforcement.

  November 15, 2012 at 11:42 am   Posted in: Culture, Current Events, Cyber Civil Rights, Privacy, Privacy (Electronic Surveillance)   Print This Post   4 Comments

Harvard Law Review Symposium on Privacy & Technology

posted by Daniel Solove

  November 5, 2012 at 3:43 pm   Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Technology   Print This Post   15 Comments

PETs, Law and Surveillance

posted by Omer Tene

In Europe, privacy is considered a fundamental human right. Section 8 of the European Convention of Human Rights (ECHR) limits the power of the state to interfere in citizens’ privacy, ”except such as is in accordance with the law and is necessary in a democratic society”. Privacy is also granted constitutional protection in the Fourth Amendment to the United States Constitution. Both the ECHR and the US Constitution establish the right to privacy as freedom from government surveillance (I’ll call this “constitutional privacy”). Over the past 40 years, a specific framework has emerged to protect informational privacy (see here and here and here and here); yet this framework (“information privacy”) provides little protection against surveillance by either government or private sector organizations. Indeed, the information privacy framework presumes that a data controller (i.e., a government or business organization collecting, storing and using personal data) is a trusted party, essentially acting as a steward of individual rights. In doing so, it overlooks the fact that organizations often have strong incentives to subject individuals to persistent surveillance; to monetize individuals’ data; and to maximize information collection, storage and use.

Read the rest of this post »

  October 8, 2012 at 2:36 am  Tags: data protection, PETs, Privacy, surveillance, third party doctrine  Posted in: Consumer Protection Law, Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Technology, Uncategorized   Print This Post   6 Comments

More on government access to private sector data

posted by Omer Tene

Last week I blogged here about a comprehensive survey on systematic government access to private sector data, which will be published in the next issue of International Data Privacy Law, an Oxford University Press law journal edited by Christopher Kuner. Several readers have asked whether the results of the survey are available online. Well, now they are – even before publication of the special issue. The project, which was organized by Fred Cate and Jim Dempsey and supported by The Privacy Projects, covered government access laws in Australia, Canada, China, Germany, Israel, Japan, United Kingdom and United States.

Peter Swire’s thought provoking piece on the increased importance of government access to the cloud in an age of encrypted communications appears here. Also see the special issue’s editorial, by Fred, Jim and Ira Rubinstein.

 

  October 2, 2012 at 2:04 am  Tags: cloud computing, data protection, Fourth Amendment, government access, Privacy  Posted in: Constitutional Law, Consumer Protection Law, Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Uncategorized   Print This Post   No Comments

On systematic government access to private sector data

posted by Omer Tene

The Sixth Circuit Court of Appeals has recently decided in United States v. Skinner that police does not need a warrant to obtain GPS location data for mobile phones. The decision, based on the holding of the Supreme Court in US v. Jones, highlights the need for a comprehensive reform of rules on government access to communications non-contents information (“communications data”). Once consisting of only a list of phone numbers dialed by a customer (a “pen register”), communications data have become rife with personal information, including location, clickstream, social contacts and more.

To a non-American, the US v. Jones ruling is truly astounding in its narrow scope. Clearly, the Justices aimed to sidestep the obvious question of expectation of privacy in public spaces. The Court did hold that the attachment of a GPS tracking device to a vehicle and its use to monitor the vehicle’s movements constitutes a Fourth Amendment “search”. But it based its holding not on the persistent surveillance of the suspect’s movements but rather on a “trespass to chattels” inflicted when a government agent ever-so-slightly touched the suspect’s vehicle to attach the tracking device. In the opinion of the Court, it was the clearly insignificant “occupation of property” (touching a car!) rather than the obviously weighty location tracking that triggered constitutional protection.

Suffice it to say, that to an outside observer, the property infringement appears to have been a side issue in both Jones and Skinner. The main issue of course is government power to remotely access information about an individual’s life, which is increasingly stored by third parties in the cloud. In most cases past – and certainly present and future – there is little need to trespass on an individual’s property in order to monitor her every move. Our lives are increasingly mediated by technology. Numerous third parties possess volumes of information about our finances, health, online endeavors, geographical movements, etc. For effective surveillance, the government typically just needs to ask.

This is why an upcoming issue of International Data Privacy Law (IDPL) (an Oxford University Press law journal), which is devoted to systematic government access to private sector data, is so timely and important. The special issue covers rules on government access in multiple jurisdictions, including the US, UK, Germany, Israel, Japan, China, India, Australia and Canada.

Read the rest of this post »

  September 29, 2012 at 4:34 am  Tags: cloud computing, data protection, law enforcement, national security, Privacy  Posted in: Constitutional Law, Consumer Protection Law, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Uncategorized   Print This Post   2 Comments

Why Justice Goldberg Cared So Much About Privacy

posted by Peter Swire

David Stebenne gave a fascinating talk today about how the personal experiences of Justice Goldberg made him very sensitive to privacy, and led to his strong pro-privacy concurrence in the Griswold case that established a right to privacy for use of contraceptives.  David is a legal historian at Ohio State, now has a joint appointment with our law school, and spoke today at a John Marshall Law School conference on the history of privacy from Brandeis to today.

Stebenne has written a biography of Goldberg, and is a master of the historical record. Look at these personal experiences that shaped Justice Goldberg’s views on privacy:

(1) Brandeis and Warren-style press intrusions.  Goldberg was the leading lawyer for the Steelworkers Union and the CIO during the 1950′s.  The unions were subjected to many hostile press articles, often describing (or exaggerating) union corruption.  The sorts of press excesses, at the center of the Brandeis and Warren privacy article, were lived by Goldberg.

(2) Intrusive police surveillance.  The Steelworkers and other unions were pervasively wiretapped in the 1950′s.  In one 1957 board meeting, the leadership reported that there were so many wiretaps on the line that they could barely hear each other talk.

(3) Mistaken FBI files.  The FBI opened a file before World War II about a different person named Arthur Goldberg, who had suspected links to the Communist Party.  Years later, Goldberg found out that a huge file had been accumulated on him based on this original, mistaken report.  He met with the FBI, and had the unusual good fortune to clear the matter up.   But he learned personally how invasive and unreliable FBI files could be.

(4) CIA spy and counter-spy.  During World War II, Goldberg worked for the OSS, the predecessor of the CIA.  For part of that time he was the target of enemy espionage himself.  He knew the CIA kept a close eye on his clients in the labor movement, and thus knew more than most about the nature and scale of domestic surveillance by the government.

In short, Goldberg was not a privileged person who knew he had nothing to hide. Instead, he had direct personal experience with the intrusiveness and mistakes that could result from the media, intelligence agencies, and new technologies.

Insight can come from personal experience.  Among other lessons from this history, it suggests some virtues of having judges and justices with a wide range of personal experience.

  September 27, 2012 at 5:06 pm   Posted in: Constitutional Law, Privacy (Electronic Surveillance), Privacy (National Security)   Print This Post   11 Comments

Laws Regulating PII

posted by Dave Hoffman

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other
states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or
reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

  September 10, 2012 at 9:58 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   Print This Post   3 Comments

Brin’s “Existence,” the Fermi Paradox, and the Future of Privacy

posted by Peter Swire

I just finished David Brin’s “Existence,” his biggest new novel in years.  Brin, as some readers know, has won multiple Hugo and Nebula awards for best science fiction writing.  He also wrote the 1999 non-fiction book “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?”.  More about that in a bit.

Existence is full of big ideas.  A main focus is on the Fermi Paradox, which observes that we would expect to find other forms of life out there among the hundreds of billions of suns, but we haven’t seen evidence of that life yet.  If you haven’t ever thought through the Fermi Paradox, I think it is a Genuine Big Question, and well worth contemplating.  Fortunately for those who like their science mixed with fiction, Brin weaves fifty or so possible answers to the Fermi Paradox into his 550-page novel.  Does climate change kill off other races?  Nuclear annihilation?  Do aliens upload themselves into computers once they get sophisticated (the “singularity”), so we never detect them across the void?  And a lot, lot more.

It took me a little while to get into the book, but I read the last few hundred pages in a rush.  I’ve had the pleasure to know Brin for a bunch of years, and find him personally and intellectually engaging.  I was pleased to read this, because I think it will intrigue curious minds for a long time as our telescopic views of other planets deepen our puzzlement about the Fermi Paradox.

As for privacy, my own view is that the privacy academics didn’t take his 1999 book seriously enough as an intellectual event.  One way to describe Brin’s insight is to say that surveillance in public becomes cheaper and more pervasive over time.  For Brin, having “control” over your face, eye blinks, location, etc., etc. becomes futile and often counter-productive once cameras and other sensors are pervasive and searchable.  Brin picked up on these themes in his earlier novel, “Earth,” when elderly people used video cameras to film would-be muggers, deterring the attacks.  In the new novel, the pervasive use of the 2060 version of Google Glasses means that each person is empowered to see data overlays for any person they meet.  (This part is similar to the novel “Rainbow’s End” by Brin’s friend Vernor Vinge.)

Surveillance in public is a big topic these days.  I’ve worked with CDT and EFF on USvJones.com, which asked law academics to propose doctrine for surveillance in public.  Facial recognition and drones are two of the hot privacy topics of the year, and each are significant steps towards the pervasive sensor world that Brin contemplated in his 1999 book.

So, if you like thinking about Big Ideas in novel form, buy Existence.  And, if you would like to retain the Fair Information Principles in a near future of surveillance in public, consider Brin more carefully  when you imagine how life will and should be in the coming decades.

  August 17, 2012 at 6:46 pm   Posted in: Anonymity, Articles and Books, Book Reviews, Privacy, Privacy (Electronic Surveillance), Science Fiction, Uncategorized   Print This Post   4 Comments

United States v. Skinner: Developments in the Surveillance State and a Response

posted by Danielle Citron

It’s not news to CoOp readers that Fourth Amendment law is in a state of confusion over how to deal with ever-expanding capacities of state agents to collect information about our movements and activities using a range of surveillance technologies.  My colleague David Gray and I have spent lots of time thinking and writing about the fog surrounding this issue in light of United States v. Jones.  So we write this post together — Professor David Gray is my brilliant colleague who has been a guest for us in the past.  So here is what is on our minds:

The Supreme Court avoided a four-square engagement with these issues last term in Jones by rehabilitating a long-forgotten, but not lost, property-based test of Fourth Amendment search.  For most of us, however, the real action in the opinion was in the concurrences, which make clear that five justices are ready to hold that we may have a reasonable expectation of privacy in massive aggregates of data, even if not that is not true for the constituent parts.  The focus of the academic debate after Jones, including a really fascinating session at the Privacy Law Scholars Conference in June, has largely focused on the pros and cons of the “mosaic” theory, which would assess Fourth Amendment interests in quantitative privacy on a case-by-case basis by asking whether law enforcement had gathered too much information on their subject in the course of their investigation.  Justice Alito, writing for himself and three others, appeared to endorse the mosaic theory in Jones, and therefore would have held that law enforcement engaged in a Fourth Amendment search by using a GPS-enabled tracking device to monitor Jones’s movements over public streets for 28 days, generating over 2,000 pages of data along the way.

Before the ink was dry in Jones, Orin Kerr was out with a powerful critique.  Orin’s concerns, which Justice Scalia seems to share, are doctrinal and practical.  Christopher Slobogin has since offered a very thoughtful defense of the mosaic theory, which comes complete with a model statute complete with commentary (take notice Chief Justice Roberts!).  Professor Gray and I just posted an article on SSRN arguing that, by focusing on the mosaic theory, much of the conversation about technology and the Fourth Amendment has gone badly wrong after Jones.  The Sixth Circuit’s opinion in United States v. Skinner confirms the worst of our concerns.  Another nod to Orin Kerr for putting a spotlight on this decision over at the Volokh Conspiracy.

The question put to the court in Skinner was whether the “use of the GPS location information emitted from [Skinner’s] cell phone was a warrantless search that violated the Fourth Amendment . . . .”  Writing for himself and Judge Clay, Judge Rogers held that “Skinner did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location” in the same way that “the driver of a getaway car has no expectation of privacy in the particular combination of colors of his car’s paint.”  Because the officers tracking Skinner only did so for three days, Judge Rogers also saw no quantitative privacy interest at stake.

Skinner is confusing in many ways.  The court is not entirely clear on what tracking technology was used, how it was used, which line of Fourth Amendment doctrine it relied upon, or how its holding can be reconciled with Kyllo.  For now, let’s bypass those issues to focus on what we take to be a dangerous implication of Skinner and perhaps the mosaic theory as well.  According to Judge Rogers, none of us has “a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought.”  That is, there is absolutely no Fourth Amendment prohibition on law enforcement’s using the GPS devices installed in our phone, cars, and computers, or trilateration between cellular towers to track any of us at anytime.  Because there are no real practical limitations on the scope of surveillance that these technologies can achieve, Judge Rogers’s holding licenses law enforcement to track us all of the time.  The mosaic theory might step in if the government tracks any one of us for too long, but it preserves the possibility that, at any given time, any of us or all of us may be subject to close government surveillance.

We think that something has gone terribly wrong if the Fourth Amendment is read as giving license to a surveillance state.  As we argue in our article, programs of broad and indiscriminate surveillance have deleterious effects on our individual development and our collective democratic processes.  These concerns are familiar in the information privacy law context, where we have spent nearly fifty years talking about  dataveillance and digital dossiers, but they have clear footing in the Fourth Amendment as well.  More precisely, we argue that a fundamental purpose of the Fourth Amendment is to serve as a bulwark against the rise of a surveillance state.  It should be read as denying law enforcement officers unfettered access to investigative technologies that are capable of facilitating broad programs of indiscriminate surveillance.  GPS-enabled tracking is pretty clearly one of these technologies, and therefore should be subject to the crucible of Fourth Amendment reasonableness—at least on our technology-centered approach to quantitative privacy.

  August 17, 2012 at 2:13 pm   Posted in: Criminal Procedure, Current Events, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   2 Comments

There is no new thing under the sun

posted by Omer Tene

Photo: Like it’s namesake, the European Data Protection Directive (“DPD”), this Mercedes is old, German-designed, clunky and noisy – yet effective. [Photo: Omer Tene]

 

Old habits die hard. Policymakers on both sides of the Atlantic are engaged in a Herculean effort to reform their respective privacy frameworks. While progress has been and will continue to be made for the next year or so, there is cause for concern that at the end of the day, in the words of the prophet, “there is no new thing under the sun” (Ecclesiastes 1:9).

The United States: Self Regulation

The United States legal framework has traditionally been a quiltwork of legislative patches covering specific sectors, such as health, financial, and children’s data. Significantly, information about individuals’ shopping habits and, more importantly, online and mobile browsing, location and social activities, has remained largely unregulated (see overview in my article with Jules Polonetsky, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising). While increasingly crafty and proactive in its role as a privacy enforcer, the FTC has had to rely on the slimmest of legislative mandates, Section 5 of the FTC Act, which prohibits ‘‘unfair or deceptive acts or practices”.

 

To be sure, the FTC has had impressive achievements; reaching consent decrees with Google and Facebook, both of which include 20-year privacy audits; launching a serious discussion of a “do-not-track” mechanism; establishing a global network of enforcement agencies; and more. However, there is a limit as to the mileage that the FTC can squeeze out of its opaque legislative mandate. Protecting consumers against “deceptive acts or practices” does not amount to protecting privacy: companies remain at liberty to explicitly state they will do anything and everything with individuals’ data (and thus do not “deceive” anyone when they act on their promise). And prohibiting ‘‘unfair acts or practices” is as vague a legal standard as can be; in fact, in some legal systems it might be considered anathema to fundamental principles of jurisprudence (nullum crimen sine lege). While some have heralded an emerging “common law of FTC consent decrees”, such “common law” leaves much to be desired as it is based on non-transparent negotiations behind closed doors, resulting in short, terse orders.

 

This is why legislating the fundamental privacy principles, better known as the FIPPs (fair information practice principles), remains crucial. Without them, the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous. Indeed, in its March 2012 “blueprint” for privacy protection, the White House called for legislation codifying the FIPPs (referred to by the White House as a “consumer privacy bill of rights”). Yet Washington insiders warn that the prospects of the FIPPs becoming law are slim, not only in an election year, but also after the elections, without major personnel changes in Congress.

Read the rest of this post »

  July 30, 2012 at 7:47 pm  Tags: co-regulation, data protection, multistakeholder, Privacy, right to be forgotten, self regulation, w3c  Posted in: Cyber Civil Rights, Cyberlaw, International & Comparative Law, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Uncategorized   Print This Post   3 Comments

The Vanishing Distinction Between Real-time and Historical Location Data

posted by Susan Freiwald

A congressional inquiry, which recently revealed that cell phone carriers disclose a huge amount of subscriber information to the government, has increased the concern that Big Brother tracks our cell phones. The New York Times reported that, in 2011, carriers responded to 1.3 million law enforcement demands for cell phone subscriber information, including text messages and location information. Because each request can acquire information on multiple people, law enforcement agencies have clearly obtained such information about many more of us than could possibly be worthy of suspicion. Representative Markey, who spearheaded the inquiry, has followed up with a thorough letter to Attorney General Holder that asks how the Justice Department could possibly protect privacy and civil liberties while acquiring such a massive amount of information.

Among many important questions, Representative Markey’s letter asks whether the DOJ continues to legally differentiate between historical (those produced from carrier records) and real-time (those produced after an order is issued) cell site location information and what legal standard the DOJ meets for each (or both). Traditionally, courts have accorded less protection to historical location data, which I have criticized as a matter of Fourth Amendment law in my amicus briefs and in my scholarship. The government’s applications for historical data in the Fifth Circuit case, which is currently considering whether agents seeking historical location data must obtain a warrant, provide additional evidence that the distinction between real-time and historical location data makes no sense.

Some background. Under the current legal rules for location acquisition by law enforcement, which are complex, confusing, and contested, law enforcement agents have generally been permitted to acquire historical location data without establishing probable cause and obtaining a warrant. Instead, they have had to demonstrate that the records are relevant to a law enforcement investigation, which can dramatically widen the scope of an inquiry beyond those actually suspected of criminal activity and yield the large number of disclosures that the recent congressional inquiry revealed. Generally, prospective (real-time) location information has required a higher standard, often a warrant based on probable cause, which has made it more burdensome to acquire and therefore more protected against excessive disclosure.

Some commentators and judges have questioned whether historical location data should be available on an easier to satisfy standard, positing the hypothetical that law enforcement agents could wait just a short amount of time for real-time information to become a record, and then request it under the lower standard. Doing so would clearly be an end run around both the applicable statute (ECPA) and the Fourth Amendment, which arguably accord less protection to historical information because it is stored as an ordinary business record and not because of the fortuity that it is stored for a short period of time.

It turns out that this hypothetical is more than just the product of concerned people’s imagination. The three applications in the Fifth Circuit case requested that stored records be created on an ongoing basis. For example, just after a paragraph that requests “historical cell-site information… for the sixty (60) days prior” to the order, one application requests “For the Target Device, after receipt and storage, records of other information… provided to the United States on a continuous basis contemporaneous with” the start or end of a call, or during a call if that information is available. The other two applications clarify that “after receipt and storage” is “intended to ensure that the information” requested “is first captured and recorded by the provider before being sent.” In other words, the government is asking the carrier to create stored records and then send them on as soon as they are stored.

To be clear, only one of the three applications applied for only a relevance-based court order to obtain the continuously-created stored data. That court order, used for historical data, has never been deemed sufficient for forward-looking data (as the continuously-created data would surely be as it would be generated after the order). The other two applications used a standard less than probable cause but more than just a relevance order. It is not clear if the request for forward-looking data under the historical standard was an inadvertent mistake or an attempt to mislead. But applications in other cases have much more clearly asked for forward-looking prospective data, and didn’t require that data to be momentarily stored. Why would the applications in this case request temporary storage if not at least to encourage the judge considering the application to grant it on a lower standard?

I am optimistic that the DOJ’s response to Representative Markey’s letter will yield important information about current DOJ practices and will further spur reform. In the meantime, the government’s current practice of using this intrusive tool to gather too much information about too many people cries out for formal legal restraint. Congress should enact a law requiring a warrant based on probable cause for all location data. It should not codify a meaningless distinction between historical and real-time data that further confuses judges and encourages manipulative behavior by the government.

  July 17, 2012 at 4:50 pm  Tags: cell site location data, DOJ, ECPA, Fourth Amendment, location data, Markey, Privacy, surveillance  Posted in: Constitutional Law, Criminal Procedure, Current Events, Cyberlaw, Privacy (Electronic Surveillance), Technology   Print This Post   2 Comments

• « Older Entries