Archive for the ‘Privacy (National Security)’ Category

Overturning the Third-Party Doctrine by Statute: Hard and Harder

posted by Robert Gellman

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Read the rest of this post »

  April 29, 2013 at 12:02 pm   Posted in: Criminal Procedure, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   3 Comments

Privacy & Information Monopolies

posted by Frank Pasquale

First Monday recently published an issue on social media monopolies. These lines from the introduction by Korinna Patelis and Pavlos Hatzopolous are particularly provocative:

A large part of existing critical thinking on social media has been obsessed with the concept of privacy. . . . Reading through a number of volumes and texts dedicated to the problematic of privacy in social networking one gets the feeling that if the so called “privacy issues” were resolved social media would be radically democratized. Instead of adopting a static view of the concept . . . of “privacy”, critical thinking needs to investigate how the private/public dichotomy is potentially reconfigured in social media networking, and [the] new forms of collectivity that can emerge . . . .

I can even see a way in which privacy rights do not merely displace, but actively work against, egalitarian objectives. Stipulate a population with Group A, which is relatively prosperous and has the time and money to hire agents to use notice-and-consent privacy provisions to its advantage (i.e., figuring out exactly how to disclose information to put its members in the best light possible). Meanwhile, most of Group B is too busy working several jobs to use contracts, law, or agents to its advantage in that way. We should not be surprised if Group A leverages its mastery of privacy law to enhance its position relative to Group B.

Better regulation would restrict use of data, rather than “empower” users (with vastly different levels of power) to restrict collection of data. As data scientist Cathy O’Neil observes:
Read the rest of this post »

  April 20, 2013 at 1:03 pm   Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (National Security), Social Network Websites, Sociology of Law   Print This Post   2 Comments

New Edition of Solove & Schwartz’s Privacy Law Fundamentals: Must-Read (and Check out the Video)

posted by Danielle Citron

Privacy leading lights Dan Solove and Paul Schwartz have recently released the 2013 edition of Privacy Law Fundamentals, a must-have for privacy practitioners, scholars, students, and really anyone who cares about privacy.

Privacy Law Fundamentals is an essential primer of the state of privacy law, capturing the up-to-date developments in legislation, FTC enforcement actions, and cases here and abroad.  As Chief Privacy Officers like Intel’s David Hoffman and renown privacy practitioners like Hogan’s Chris Wolf and Covington’s Kurt Wimmer agree, Privacy Law Fundamentals is an “essential” and “authoritative guide” on privacy law, compact and incredibly useful.  For those of you who know Dan and Paul, their work is not only incredibly wise and helpful but also dispensed in person with serious humor.  Check out this You Tube video, “Privacy Law in 60 Seconds,” to see what I mean.  I think that Psy may have a run for his money on making us smile.

  March 8, 2013 at 8:42 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   Print This Post   4 Comments

Senator Rand Paul Drones On

posted by Ryan Calo

Concurring Opinions readers might get a kick out of the fact that, at one point in his twelve hour, old school filibuster of John Brennan’s nomination as CIA director this evening, Senator Rand Paul reads aloud from my 2011 online essay in Stanford Law Review on the domestic use of drones.  Video of the clip here.  I suppose it beats a phone book!

  March 7, 2013 at 12:43 am   Posted in: Politics, Privacy (National Security)   Print This Post   5 Comments

More on government access to private sector data

posted by Omer Tene

Last week I blogged here about a comprehensive survey on systematic government access to private sector data, which will be published in the next issue of International Data Privacy Law, an Oxford University Press law journal edited by Christopher Kuner. Several readers have asked whether the results of the survey are available online. Well, now they are – even before publication of the special issue. The project, which was organized by Fred Cate and Jim Dempsey and supported by The Privacy Projects, covered government access laws in Australia, Canada, China, Germany, Israel, Japan, United Kingdom and United States.

Peter Swire’s thought provoking piece on the increased importance of government access to the cloud in an age of encrypted communications appears here. Also see the special issue’s editorial, by Fred, Jim and Ira Rubinstein.

 

  October 2, 2012 at 2:04 am  Tags: cloud computing, data protection, Fourth Amendment, government access, Privacy  Posted in: Constitutional Law, Consumer Protection Law, Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Uncategorized   Print This Post   No Comments

On systematic government access to private sector data

posted by Omer Tene

The Sixth Circuit Court of Appeals has recently decided in United States v. Skinner that police does not need a warrant to obtain GPS location data for mobile phones. The decision, based on the holding of the Supreme Court in US v. Jones, highlights the need for a comprehensive reform of rules on government access to communications non-contents information (“communications data”). Once consisting of only a list of phone numbers dialed by a customer (a “pen register”), communications data have become rife with personal information, including location, clickstream, social contacts and more.

To a non-American, the US v. Jones ruling is truly astounding in its narrow scope. Clearly, the Justices aimed to sidestep the obvious question of expectation of privacy in public spaces. The Court did hold that the attachment of a GPS tracking device to a vehicle and its use to monitor the vehicle’s movements constitutes a Fourth Amendment “search”. But it based its holding not on the persistent surveillance of the suspect’s movements but rather on a “trespass to chattels” inflicted when a government agent ever-so-slightly touched the suspect’s vehicle to attach the tracking device. In the opinion of the Court, it was the clearly insignificant “occupation of property” (touching a car!) rather than the obviously weighty location tracking that triggered constitutional protection.

Suffice it to say, that to an outside observer, the property infringement appears to have been a side issue in both Jones and Skinner. The main issue of course is government power to remotely access information about an individual’s life, which is increasingly stored by third parties in the cloud. In most cases past – and certainly present and future – there is little need to trespass on an individual’s property in order to monitor her every move. Our lives are increasingly mediated by technology. Numerous third parties possess volumes of information about our finances, health, online endeavors, geographical movements, etc. For effective surveillance, the government typically just needs to ask.

This is why an upcoming issue of International Data Privacy Law (IDPL) (an Oxford University Press law journal), which is devoted to systematic government access to private sector data, is so timely and important. The special issue covers rules on government access in multiple jurisdictions, including the US, UK, Germany, Israel, Japan, China, India, Australia and Canada.

Read the rest of this post »

  September 29, 2012 at 4:34 am  Tags: cloud computing, data protection, law enforcement, national security, Privacy  Posted in: Constitutional Law, Consumer Protection Law, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Uncategorized   Print This Post   2 Comments

Why Justice Goldberg Cared So Much About Privacy

posted by Peter Swire

David Stebenne gave a fascinating talk today about how the personal experiences of Justice Goldberg made him very sensitive to privacy, and led to his strong pro-privacy concurrence in the Griswold case that established a right to privacy for use of contraceptives.  David is a legal historian at Ohio State, now has a joint appointment with our law school, and spoke today at a John Marshall Law School conference on the history of privacy from Brandeis to today.

Stebenne has written a biography of Goldberg, and is a master of the historical record. Look at these personal experiences that shaped Justice Goldberg’s views on privacy:

(1) Brandeis and Warren-style press intrusions.  Goldberg was the leading lawyer for the Steelworkers Union and the CIO during the 1950′s.  The unions were subjected to many hostile press articles, often describing (or exaggerating) union corruption.  The sorts of press excesses, at the center of the Brandeis and Warren privacy article, were lived by Goldberg.

(2) Intrusive police surveillance.  The Steelworkers and other unions were pervasively wiretapped in the 1950′s.  In one 1957 board meeting, the leadership reported that there were so many wiretaps on the line that they could barely hear each other talk.

(3) Mistaken FBI files.  The FBI opened a file before World War II about a different person named Arthur Goldberg, who had suspected links to the Communist Party.  Years later, Goldberg found out that a huge file had been accumulated on him based on this original, mistaken report.  He met with the FBI, and had the unusual good fortune to clear the matter up.   But he learned personally how invasive and unreliable FBI files could be.

(4) CIA spy and counter-spy.  During World War II, Goldberg worked for the OSS, the predecessor of the CIA.  For part of that time he was the target of enemy espionage himself.  He knew the CIA kept a close eye on his clients in the labor movement, and thus knew more than most about the nature and scale of domestic surveillance by the government.

In short, Goldberg was not a privileged person who knew he had nothing to hide. Instead, he had direct personal experience with the intrusiveness and mistakes that could result from the media, intelligence agencies, and new technologies.

Insight can come from personal experience.  Among other lessons from this history, it suggests some virtues of having judges and justices with a wide range of personal experience.

  September 27, 2012 at 5:06 pm   Posted in: Constitutional Law, Privacy (Electronic Surveillance), Privacy (National Security)   Print This Post   11 Comments

Laws Regulating PII

posted by Dave Hoffman

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other
states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or
reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

  September 10, 2012 at 9:58 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   Print This Post   3 Comments

Biometric Databases and Quantitative Privacy

posted by Danielle Citron

The new $1 billion Next Generation Identification (NGI) system is now in its roll out phase. NGI–a joint project of federal, state, and local law enforcement and other agencies — is a nationwide network of databases containing images of the body’s characteristics, such as fingerprints, iris, retina, voice, and face.  Here is a little primer on how biometric systems work (see my SoCal Reservoirs of Danger article).  Databases store images of biometric information, either as pictures or mathematical formulas of images called templates.  The biometric system matches an individual’s fingerprint, for instance, with an image or template stored in databases.  Aside from governmental forays into biometric collection and use (which are many), private biometric providers hold templates of millions of individuals.  Elementary schools, airports, gas providers, grocery stores, health clubs, workplaces, and even Disney’s theme parks collect iris scans and fingerprints to secure access to physical plants and/or accounts.  Companies reportedly are creating central clearinghouses of biometric information for commercial use.

According to Assistant Director Tom Bush of the Criminal Justice Information Services Division, NGI  is a “state-of-the-art identification system that will be bigger, faster, and better than IAFIS (Integrated Automated Fingerprint Identification System).”  It is “bigger” because it will increase the capacity of fingerprint storage plus house multimodal biometrics records like palm prints and iris scan and have room to accommodate future biometric technologies (i.e., voice, gait, etc.) as they become available.  It is “faster” because it will speed up response time for high priority criminal ten-print submissions from two hours to about 10 minutes on average. It is “better” because going beyond fingerprints as biometric identifiers will enhance the investigative and identification processes. Adding palm prints makes sense, according to Bush, because latent prints left behind by criminals at crime scenes are often palm prints. NGI is also being developed “to be compatible with other U.S. biometric systems and potentially with those of some foreign partners.”

The FBI’s NGI website proclaims that its many virtues include:

Interstate Photo System Enhancements

Closeup photo of an arm tattoo.  Currently, the IAFIS can accept photographs (mugshots) with criminal ten-print submissions. The Interstate Photo System (IPS) will allow customers to add photographs to previously submitted arrest data, submit photos with civil submissions, and submit photos in bulk formats. The IPS will also allow for easier retrieval of photos, and include the ability to accept and search for photographs of scars, marks, and tattoos. In addition, this initiative will also explore the capability of facial recognition technology.

Multimodal Biometrics

The future of identification systems is currently progressing beyond the dependency of a unimodal (e.g., fingerprint) biometric identifier towards multimodal biometrics (i.e., voice, iris, facial, etc.). The NGI Program will advance the integration strategies and indexing of additional biometric data that will provide the framework for a future multimodal system that will facilitate biometric fusion identification techniques. The framework will be expandable, scalable, and flexible to accommodate new technologies and biometric standards, and will be interoperable with existing systems. Once developed and implemented, the NGI initiatives and multimodal functionality will promote a high level of information sharing, support interoperability, and provide a foundation for using multiple biometrics for positive identification. Read the rest of this post »

  September 8, 2012 at 2:49 pm   Posted in: Criminal Procedure, Cyberlaw, Privacy, Privacy (National Security)   Print This Post   One Comment

United States v. Skinner: Developments in the Surveillance State and a Response

posted by Danielle Citron

It’s not news to CoOp readers that Fourth Amendment law is in a state of confusion over how to deal with ever-expanding capacities of state agents to collect information about our movements and activities using a range of surveillance technologies.  My colleague David Gray and I have spent lots of time thinking and writing about the fog surrounding this issue in light of United States v. Jones.  So we write this post together — Professor David Gray is my brilliant colleague who has been a guest for us in the past.  So here is what is on our minds:

The Supreme Court avoided a four-square engagement with these issues last term in Jones by rehabilitating a long-forgotten, but not lost, property-based test of Fourth Amendment search.  For most of us, however, the real action in the opinion was in the concurrences, which make clear that five justices are ready to hold that we may have a reasonable expectation of privacy in massive aggregates of data, even if not that is not true for the constituent parts.  The focus of the academic debate after Jones, including a really fascinating session at the Privacy Law Scholars Conference in June, has largely focused on the pros and cons of the “mosaic” theory, which would assess Fourth Amendment interests in quantitative privacy on a case-by-case basis by asking whether law enforcement had gathered too much information on their subject in the course of their investigation.  Justice Alito, writing for himself and three others, appeared to endorse the mosaic theory in Jones, and therefore would have held that law enforcement engaged in a Fourth Amendment search by using a GPS-enabled tracking device to monitor Jones’s movements over public streets for 28 days, generating over 2,000 pages of data along the way.

Before the ink was dry in Jones, Orin Kerr was out with a powerful critique.  Orin’s concerns, which Justice Scalia seems to share, are doctrinal and practical.  Christopher Slobogin has since offered a very thoughtful defense of the mosaic theory, which comes complete with a model statute complete with commentary (take notice Chief Justice Roberts!).  Professor Gray and I just posted an article on SSRN arguing that, by focusing on the mosaic theory, much of the conversation about technology and the Fourth Amendment has gone badly wrong after Jones.  The Sixth Circuit’s opinion in United States v. Skinner confirms the worst of our concerns.  Another nod to Orin Kerr for putting a spotlight on this decision over at the Volokh Conspiracy.

The question put to the court in Skinner was whether the “use of the GPS location information emitted from [Skinner’s] cell phone was a warrantless search that violated the Fourth Amendment . . . .”  Writing for himself and Judge Clay, Judge Rogers held that “Skinner did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location” in the same way that “the driver of a getaway car has no expectation of privacy in the particular combination of colors of his car’s paint.”  Because the officers tracking Skinner only did so for three days, Judge Rogers also saw no quantitative privacy interest at stake.

Skinner is confusing in many ways.  The court is not entirely clear on what tracking technology was used, how it was used, which line of Fourth Amendment doctrine it relied upon, or how its holding can be reconciled with Kyllo.  For now, let’s bypass those issues to focus on what we take to be a dangerous implication of Skinner and perhaps the mosaic theory as well.  According to Judge Rogers, none of us has “a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought.”  That is, there is absolutely no Fourth Amendment prohibition on law enforcement’s using the GPS devices installed in our phone, cars, and computers, or trilateration between cellular towers to track any of us at anytime.  Because there are no real practical limitations on the scope of surveillance that these technologies can achieve, Judge Rogers’s holding licenses law enforcement to track us all of the time.  The mosaic theory might step in if the government tracks any one of us for too long, but it preserves the possibility that, at any given time, any of us or all of us may be subject to close government surveillance.

We think that something has gone terribly wrong if the Fourth Amendment is read as giving license to a surveillance state.  As we argue in our article, programs of broad and indiscriminate surveillance have deleterious effects on our individual development and our collective democratic processes.  These concerns are familiar in the information privacy law context, where we have spent nearly fifty years talking about  dataveillance and digital dossiers, but they have clear footing in the Fourth Amendment as well.  More precisely, we argue that a fundamental purpose of the Fourth Amendment is to serve as a bulwark against the rise of a surveillance state.  It should be read as denying law enforcement officers unfettered access to investigative technologies that are capable of facilitating broad programs of indiscriminate surveillance.  GPS-enabled tracking is pretty clearly one of these technologies, and therefore should be subject to the crucible of Fourth Amendment reasonableness—at least on our technology-centered approach to quantitative privacy.

  August 17, 2012 at 2:13 pm   Posted in: Criminal Procedure, Current Events, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   2 Comments

Big Data Brokers as Fiduciaries

posted by Danielle Citron

In a piece entitled “You for Sale,” Sunday’s New York Times raised important concerns about the data broker industry.  Let us add some more perils and seek to reframe the debate about how to regulate Big Data.

Data brokers like Acxiom (and countless others) collect and mine a mind-boggling array of data about us, including Social Security numbers, property records, public-health data, criminal justice sources, car rentals, credit reports, postal and shipping records, utility bills, gaming, insurance claims, divorce records, online musings, browsing habits culled by behavioral advertisers, and the gold mine of drug- and food-store records.  They scrape our social network activity, which with a little mining can reveal our undisclosed sexual preferences, religious affiliations, political views, and other sensitive information.  They may integrate video footage of our offline shopping.  With the help of facial-recognition software, data mining algorithms factor into our dossiers the over-the-counter medicines we pick up, the books we browse, and the pesticides we contemplate buying for our backyards.  Our social media influence scores may make their way into the mix.  Companies, such as Klout, measure our social media influence, usually on a scale from one to 100.  They use variables like the number of our social media followers, frequency of updates, and number of likes, retweets, and shares.  What’s being tracked and analyzed about our online and offline behavior is accelerating – with no sign of slowing down and no assured way to find out.

As the Times piece notes, businesses buy data-broker dossiers to classify those consumers worth pursuing and those worth ignoring (so-called “waste”).  More often those already in an advantaged position get better deals and gifts while the less advantaged get nothing.  The Times piece rightly raised concerns about the growing inequality that such use of Big Data produces.  But far more is at stake.

Government is a major client for data brokers.  More than 70 fusion centers mine data-broker dossiers to detect crimes, “threats,” and “hazards.”  Individuals are routinely flagged as “threats.”  Such classifications make their way into the “information-sharing environment,” with access provided to local, state, and federal agencies as well as private-sector partners.  Troublingly, data-broker dossiers have no quality assurance.  They may include incomplete, misleading, and false data.  Let’s suppose a data broker has amassed a profile on Leslie McCann.  Social media scraped, information compiled, and videos scanned about “Leslie McCann” might include information about jazz artist “Les McCann” as well as information about criminal with a similar name and age.  Inaccurate Big Data has led to individuals’ erroneous inclusion on watch lists, denial of immigration applications, and loss of public benefits.  Read the rest of this post »

  June 19, 2012 at 5:08 pm   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   Print This Post   2 Comments

BRIGHT IDEAS: Q&A with Bruce Schneier about Liars and Outliers

posted by Daniel Solove

Bruce Schneier has recently published a new book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive (Wiley 2012).  Bruce is a renowned security expert, having written several great and influential books including Secrets and Lies and Beyond Fear.

Liars and Outliers is a fantastic book, and a very ambitious one — an attempt to conceptualize trust and security.  The book is filled with great insights, and is a true achievement. And it’s a fun read too.  I recently conducted a brief interview with Bruce about the book:

Q (Solove): What is the key idea of your book?

A (Schneier): Liars and Outliers is about trust in society, and how we induce it. Society requires trust to function; without it, society collapses. In order for people to have that trust, other people must be trustworthy. Basically, they have to conform to the social norms; they have to cooperate. However, within any cooperative system there is an alternative defection strategy, called defection: to be a parasite and take advantage of others’ cooperation.

Too many parasites can kill the cooperative system, so it is vital for society to keep defectors down to a minimum. Society has a variety of mechanisms to do this. It all sounds theoretical, but this model applies to terrorism, the financial crisis of 2008, Internet crime, the Mafia code of silence, market regulation…everything involving people, really.

Understanding the processes by which society induces trust, and how those processes fail, is essential to solving the major social and political problems of today. And that’s what the book is about. If I could tie policymakers to a chair and make them read my book, I would.

Okay, maybe I wouldn’t.

Q: What are a few of the conclusions from Liars and Outliers that you believe are the most important and/or provocative?

A: That 100% cooperation in society is impossible; there will always be defectors. Moreover, that more security isn’t always worth it. There are diminishing returns — spending twice as much on security doesn’t halve the risk — and the more security you have, the more innocents it accidentally ensnares. Also, society needs to trust those we entrust with enforcing trust; and the more power they have, the more easily they can abuse it. No one wants to live in a totalitarian society, even if it means there is no street crime.

More importantly, defectors — those who break social norms — are not always in the wrong. Sometimes they’re morally right, only it takes a generation before people realize it. Defectors are the vanguards of social change, and a society with too much security and too much cooperation is a stagnant one.

Read the rest of this post »

  May 14, 2012 at 2:26 am   Posted in: Book Reviews, Bright Ideas, Privacy, Privacy (Law Enforcement), Privacy (National Security)   Print This Post   One Comment

Cybersecurity Legislation and the Privacy and Civil Liberties Oversight Board

posted by Peter Swire

Along with a lot of other privacy folks, I have a lot of concerns about the cybersecurity legislation moving through Congress.  I had an op-ed in The Hill yesterday going through some of the concerns, notably the problems with the over broad  ”information sharing” provisions.

Writing the op-ed, though, prompted me to highlight one positive step that should happen in the course of the cybersecurity debate.  The Privacy and Civil Liberties Oversight Board was designed in large part to address information sharing.  This past Wednesday, the Senate Judiciary Committee had the hearing to consider the bipartisan slate of five nominees.

Here’s the point.  The debate on CISPA and other cybersecurity legislation has highlighted all the information sharing that is going on already and that may be going on in the near future.  The PCLOB is the institution designed to oversee problems with information sharing.  So let’s confirm the nominees and get the PCLOB up and running as soon as possible.

The quality of the nominees is very high.  David Medine, nominated to be Chair, helped develop the FTC’s privacy approach in the 1990′s and has worked on privacy compliance since, so he knows what should be done and what is doable.  Jim Dempsey has been at the Center of Democracy and Technology for over 15 years, and is a world-class expert on government, privacy, and civil liberties.  Pat Wald is the former Chief Judge of the DC Circuit.  Her remarkably distinguished career includes major experience on international human rights issues.  I don’t have experience with the other two nominees, but the hearing exposed no red flags for any of them.

The debates about cybersecurity legislation show the centrality of information sharing to how government will respond to cyber-threats.  So we should have the institution in place to make sure that the information sharing is done in a lawful and sensible way, to be effective and also to protect privacy and civil liberties.

  April 21, 2012 at 5:02 pm  Tags: CISPA, civil liberties, cybersecurity  Posted in: Administrative Law, Cyber Civil Rights, Cyberlaw, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   One Comment

Pakistan Scrubs the Net

posted by Derek Bambauer

Pakistan, which has long censored the Internet, has decided to upgrade its cybersieves. And, like all good bureaucracies, the government has put the initiative out for bid. According to the New York Times, Pakistan wants to spend $10 million on a system that can block up to 50 million URLs concurrently, with minimal effect on network speed. (That’s a lot of Web pages.) Internet censorship is on the march worldwide (and the U.S. is no exception). There are at least three interesting things about Pakistan’s move:

First, the country’s openness about its censorial goals is admirable. Pakistan is informing its citizens, along with the rest of us, that it wants to bowdlerize the Net. And, it is attempting to do so in a way that is more uniform than under its current system, where filtering varies by ISP. I don’t necessarily agree with Pakistan’s choice, but I do like that the country is straightforward with its citizens, who have begun to respond.

Second, the California-based filtering company Websense announced that it will not bid on the contract. That’s fascinating – a tech firm has decided that the public relations damage from helping Pakistan censor the Net is greater than the $10M in revenue it could gain. (Websense argues, of course, that its decision is a principled one. If you believe that, you are probably a member of the Ryan Braun Clean Competition fan club.)

Finally, the state is somewhat vague about what it will censor: it points to pornography, blasphemy, and material that affects national security. The last part is particularly worrisome: the national security trump card is a potent force after 9/11 and its concomitant fallout in Pakistan’s neighborhood, and censorship based on it tends to be secret. There is also real risk that national security interests = interests of the current government. America has an unpleasant history of censoring political dissent based on security worries, and Pakistan is no different.

I’ll be fascinated to see which companies take up Pakistan’s offer to propose…

Cross-posted at Info/Law.

  March 8, 2012 at 3:03 pm   Posted in: Architecture, Current Events, Cyber Civil Rights, Cyberlaw, Google and Search Engines, Intellectual Property, Politics, Privacy (National Security), Social Network Websites, Technology, Web 2.0   Print This Post   One Comment

Symposium on Configuring the Networked Self: Cohen’s Methodological Contributions

posted by Frank Pasquale

Julie Cohen’s extraordinarily illuminating book Configuring the Networked Self makes fundamental contributions to the field of law and technology. In this post, I’d like to focus on methodology and theory (a central concern of Chapters 1 to 4). In another post, I hope to turn to the question of realizing Cohen’s vision of human flourishing (a topic Chapters 9 and 10 address most directly).

Discussions of rights and utility dominate the intellectual property and privacy literatures.* Cohen argues that their appeal can be more rhetorical than substantive. As she has stated:

[T]he purported advantage of rights theories and economic theories is neither precisely that they are normative nor precisely that they are scientific, but that they do normative work in a scientific way. Their normative heft derives from a small number of formal principles and purports to concern questions that are a step or two removed from the particular question of policy to be decided. . . . These theories manifest a quasi-scientific neutrality as to copyright law that consists precisely in the high degree of abstraction with which they facilitate thinking about processes of cultural transmission.

Cohen notes “copyright scholars’ aversion to the complexities of cultural theory, which persistently violates those principles.” But she feels they should embrace it, given that it offers “account[s] of the nature and development of knowledge that [are] both far more robust and far more nuanced than anything that liberal political philosophy has to offer. . . . [particularly in understanding] how existing knowledge systems have evolved, and how they are encoded and enforced.”

A term like “knowledge system” may itself seem very abstract and formal. But Cohen’s work insists on a capacious view of network-enabled forms of knowing. Rather than naturalizing and accepting as given the limits of copyright and privacy law on the dissemination of knowledge, she can subsume them into a much broader framework of understanding where “knowing” is going. That framework includes cultural practices, norms, economics, and bureaucratic processes, as well as law.
Read the rest of this post »

  March 8, 2012 at 12:26 am   Posted in: Configuring the Networked Self Symposium, Google and Search Engines, Privacy, Privacy (Electronic Surveillance), Privacy (National Security)   Print This Post   No Comments

On the Colloquy: The Fourth Amendment and Airport Screening Issues

posted by Northwestern University Law Review

The online companion to the Northwestern University Law Review is proud to feature companion essays on the Fourth Amendment and newly invasive airport screening methods.

In Revisiting “Special Needs” Theory Via Airport Searches, Professor Alexander Reinert examines the controversy surrounding the Travel Security Administration’s new airport search regime by reference to the Fourth Amendment jurisprudence that developed in response to the first instantiation of mass airport searches in the early 1960s. While the Fourth Amendment approaches developed in the 1970s remain relevant today, Professor Reinert argues, TSA’s new search regime is more difficult to square with traditional Fourth Amendment principles than were the FAA’s initial airport screening procedures; and precisely because of the pressure on courts to adjust Fourth Amendment doctrine to meet the perceived needs of the TSA and the traveling public, it is all the more important that new doctrinal limitations accompany any judicial acceptance of the TSA’s new search regime.

In his companion piece The Bin Laden Exception, Professor Erik Luna complements Professor Reinert’s Essay on the Fourth Amendment and airport safety by providing context on terrorism and the decade of Osama bin Laden. Specifically, Professor Luna argues what is at play in the airport search context is not a previously recognized exception to the Fourth Amendment, but instead an entirely new exemption from otherwise applicable requirements, driven by an abiding fear of al Qaeda and its now-deceased kingpin rather than a reasoned assessment of terrorism-related risks.

Read both pieces online at the Northwestern University Law Review Colloquy.

  February 26, 2012 at 11:07 pm   Posted in: Constitutional Law, Law Rev (Northwestern), Privacy (National Security)   Print This Post   No Comments

Surveillance, Apologize (Sometimes), and Repeat

posted by Danielle Citron

On February 19, 2009, the North Central Texas Fusion Center issued a bulletin to over a hundred law enforcement agencies that urged officers to report activities of pro-Islam groups.  As the bulletin explained, “Middle Eastern Terrorist groups and their supporting organizations have been successful in gaining support for Islamic goals in the United States and providing an environment for terrorist organizations to flourish.”  Groups warranting surveillance and reporting included the Council on American Islamic Relations (CAIR), which “presents itself as a Muslim Civil liberties group yet it was named an unindicted co-conspirator in the Justice Department’s case in Dallas against the Holy Land Foundation, a Hamas-linked Islamic charity.”  So, too, “pushing an aggressive, pro-Islam agenda that’s been increasingly successful in recent years takes on a new light.”  According to the bulletin, while certain activities in isolation may seem innocuous, they may in fact promote Islamic radicalization.”  The bulletin provided the following examples: “Muslim cab drivers in Minneapolis refuse to carry passengers who have alcohol in their possession; The Indianapolis airport in 2007 installed foot baths to accommodate Muslim prayer; Public schools schedule prayer breaks to accommodate Muslim students; Pork is banned in the workplace ; etc..”  Islamic radicalization “marketing schemes have included hip hop fashion boutiques, hip hop bands, use of online social networks, use of video sharing networks, chat forums and blogs.”  (See here for links to the bulletin).

The bulletin was leaked online, and apologies ensued.  At a sub-committee hearing of the House of Representatives Homeland Security Committee entitled “The Future of Fusion Centers: Potential Promise and Dangers,” John Bateman of the Texas Department of Public Safety and Robert Riegle from the US Department of Homeland Security denounced the bulletin.  David Gersten of the U.S. Department of Homeland Security described it as a “demonstration of what not to do.”  Mr. Riegle testified:

We took immediate and aggressive response to the bulletin… we immediately sent a team of civil liberties and civil rights experts down to the state of Texas to work directly with the center.  This included advocates from the Muslim-American community in the United States of America. We also then immediately altered the directors’ meeting at the national conference to emphasize the importance of this and went over this particular oversight error as aggressively as we possibly could.”

Apologies for surveillance of First Amendment activities are so yesterday–at least in New York.  The New York Times recently covered the New York Police Department’s monitoring of websites of Muslim student groups at more than a dozen universities.  Mayor Michael R. Bloomberg defended the efforts as part of the department’s effort to guard against the threat of terrorism.  As the mayor said in an appearance at the Brooklyn Public Library, “The Police Department goes where there are allegations, and they look to see whether those allegations are true.  That’s what you would expect them to do. That’s what you would want them to do.”  Yale University’s president, Richard C. Levin, has this to say in an e-mail to students, faculty, and staff: “I am writing to state, in the strongest possible terms, that police surveillance based on religion, nationality, or peacefully expressed political opinion is antithetical to the values of Yale, the academic community, and the United States.”  These activities resemble the monitoring of protected groups during the COINTELPRO era, which the Church Committee denounced and which Congress sought to prevent in 28 C.F.R. part 23.  If the monitoring spearheaded by the NYPD isn’t included in records that make their way into federal databases, fair information practices required by federal law would not apply.  And New York’s laws may not preclude records of expressive activities, hence the lack of apology.

  February 26, 2012 at 6:00 pm   Posted in: Civil Rights, Privacy, Privacy (National Security), Religion   Print This Post   One Comment

Stanford Law Review Online: The Privacy Paradox 2012 Symposium Issue

posted by Stanford Law Review

Our 2012 Symposium Issue, The Privacy Paradox: Privacy and Its Conflicting Values, is now available online:

Essays

• A Reasonableness Approach to Searches After the Jones GPS Tracking Case by Peter Swire (64 Stan. L. Rev. Online 57);
• Privacy in the Age of Big Data by Omer Tene & Jules Polonetsky (64 Stan. L. Rev. Online 63);
• Yes We Can (Profile You): A Brief Primer on Campaigns and Political Data by Daniel Kreiss (64 Stan. L. Rev. Online 70);
• Paving the Regulatory Road to the “Learning Health Care System” by Deven McGraw (64 Stan. L. Rev. Online 75);
• Famous for Fifteen People: Celebrity, Newsworthiness, and Fraley v. Facebook by Simon J. Frankel, Laura Brookover & Stephen Satterfield (64 Stan. L. Rev. Online 82); and
• The Right to Be Forgotten by Jeffrey Rosen (64 Stan. L. Rev. Online 88).

The text of Chief Judge Alex Kozinski’s keynote is forthcoming.

  February 13, 2012 at 1:04 pm   Posted in: Law Rev (Stanford), Law Rev Contents, Law School, Law School (Scholarship), Media Law, Military Law, Politics, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security), Social Network Websites, Supreme Court, Technology, Tort Law   Print This Post   No Comments

Kennedy and Szoka on U.S. v. Jones

posted by Danielle Citron

Charlie Kennedy and Berin Szoka of TechFreedom have an insightful op-ed in c/net yesterday.  It resonates with some of what my co-blogger Dan Solove said in his post and urges Congress to move on ECPA reform.  Here is the piece:

  January 30, 2012 at 10:37 am   Posted in: Privacy, Privacy (Law Enforcement), Privacy (National Security), Uncategorized   Print This Post   One Comment

The Potentially Profound Implications of United States v. Jones

posted by Daniel Solove

I must respectfully disagree with a recent post by Renee Hutchins on our blog about the recent U.S. Supreme Court case, United States v. Jones.    She concludes:

With full knowledge of this history, the Jones decision should give us pause. It is widely believed that the test the court enunciated nearly a half-century ago better protects the privacy interest of citizens in the face of advancing technology. By reverting to the language of trespass, the court this week took a step back when it could have taken a bold step forward. Moreover, by failing to engage the admittedly “thorny” question of whether the monitoring of the GPS device alone violated Mr. Jones’ constitutional rights, the court missed a momentous opportunity to speak clearly in a brave new world.

Although it is true that the majority opinion is narrow, the concurring opinions indicate five votes for a broader more progressive view of the Fourth Amendment, one which breaks from some of the Court’s antiquated notions of privacy. When I read Jones, I see cause for celebration rather than disappointment.

I have long argued that the Court has failed to understand that aggregated pieces of information can together upend expectations of privacy. See Privacy and Power 1434-35 (2001), The Digital Person 44-47 (2004), Understanding Privacy 117-21 (2008).  I have also critiqued what I call the “secrecy paradigm” where the Court has held that privacy is only invaded by revealing previously concealed information.  See The Digital Person 42-44 (2004), Understanding Privacy 106-12 (2008).  I have argued that privacy can be invaded even by public surveillance.  More recently, in Nothing to Hide 178 (2011), I argued:

The problem with the secrecy paradigm is that we do expect some degree of privacy in public.  We don’t expect total secrecy, but we also don’t expect somebody to be recording everything we do. Most of the time, when we’re out and about, nobody’s paying any special attention to us. We do many private things in public, such as buy medications and hygiene products in drug stores and browse books and magazines in bookstores. We expect a kind of practical obscurity—to be just another face in the crowd.

In Justice Alito’s concurring opinion, he seemingly recognizes both of the concept of aggregation and the fact that the extent of the surveillance matter more than merely whether it occurs in public or private:

Under this approach, relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable.  But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.  For such offenses, society’s expectation has been that law enforcement agents and others would not—and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.

Justice Sotomayor discusses this passage with approval in her concurrence, indicating five votes for this view.  Indeed, she would go even further than Justice Alito.

I see profound implications in Jones for the future direction of the Fourth Amendment and privacy law more generally.  I explain this in detail in a recent essay, United States v. Jones and the Future of Privacy Law: The Potential Far-Reaching Implications of the GPS Surveillance Case, Bloomberg BNA Privacy & Security Law Report (Jan. 30, 2012).  From the essay:

The more contextual and open-ended view of privacy articulated by Justice Alito has five votes on the Court.  This is a sophisticated view of privacy, one that departs from the antiquated notions the Court has often clung to.  If this view works its way through Fourth Amendment law, the implications could be quite profound.  So many of the Court’s rationales under the reasonable expectation of privacy test fail to comprehend how technology changes the dynamic of information gathering, making it ruthlessly efficient and making surveillance pervasive and more penetrating.  We might be seeing the stirrings of a more modern Fourth Amendment jurisprudence, one that no longer seems impervious to technological development.

I continue:

Read the rest of this post »

  January 29, 2012 at 1:18 pm   Posted in: Constitutional Law, Criminal Procedure, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   2 Comments

• « Older Entries