The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Global Privacy Enforcement Authorities Launch Cooperative Network and Website

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws. On September 21, 2010, GPEN unveiled its new website, https://www.privacyenforcement.net/, designed to educate the public about the network. The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for government agencies interested in participating in GPEN. It also sets forth GPEN’s action plan and mission of “sharing information about privacy enforcement issues, trends and experiences; participating in relevant training; cooperating on outreach activities; engaging in dialogue with relevant private sector organizations on privacy enforcement and outreach issues; and facilitating effective cross-border privacy enforcement in specific matters by creating a contact list of privacy enforcement authorities interested in bilateral cooperation in cross-border investigations and enforcement matters.”

In his remarks about the network, which was officially launched in March, FTC Chairman Jon Leibowitz stated that “to protect consumers’ privacy in today’s global economy, all of us who work in law enforcement around the world need to cooperate with each other. We at the FTC are looking forward to working closely with our colleagues overseas to make this happen.”



Parental Control Software Developer to Pay $100,000 for Children’s Privacy Violation

On September 15, 2010, New York State Attorney General Andrew Cuomo announced a $100,000 settlement with EchoMetrix, a developer of parental control software that monitors children’s online activity. The settlement comes one year after the Electronic Privacy Information Center (“EPIC”) alleged in a complaint to the Federal Trade Commission that EchoMetrix was deceptively collecting and marketing children’s information.

EPIC’s 2009 complaint asserted that EchoMetrix engaged in unfair and deceptive trade practices and violated the Children’s Online Privacy Protection Act (“COPPA”) when it launched Pulse, a data-mining service which gathers marketing intelligence by examining the content of children’s instant messages, blog posts and activity on social networking sites. The complaint alleged that EchoMetrix was surreptitiously collecting personal information from children and simultaneously disclosing this information to third parties for marketing purposes. The complaint further alleged that the site’s privacy policy was unclear, inaccessible and did not fully or clearly disclose how information was being collected or shared. EPIC claimed that EchoMetrix violated COPPA by collecting children’s IM chat names, which are linked to unique email addresses, without providing adequate notice or obtaining verifiable parental consent.

Under the settlement, EchoMetrix has agreed to stop analyzing or sharing with third parties any private communications, information, or online activity to which it has access. EchoMetrix also will pay the State of New York a $100,000 penalty.



Recent Third Circuit Court of Appeals Opinion: In the Matter of the Application of the United States of America for an Order Directing a Provider of Electronic Communication Services to Disclose Records to the Government

On September 7, 2010, the Third Circuit Court of Appeals issued an opinion in a narcotics case containing two key holdings regarding the standard by which the government can access records of historical cell site location information (“CSLI”).  The first holding was unsurprising. The Third Circuit held that under the Electronic Communications Privacy Act, 18 U.S.C. § 2703, the government may obtain historical cell site records with an 18 U.S.C. § 2703(d) order based on “specific and articulable facts showing that there are reasonable grounds to believe that the . . . records or other information sought, [are] relevant and material to an ongoing criminal investigation.”  The second holding is more novel, and even somewhat ground-breaking.  The Court determined that it is within the discretion of the magistrate judge to consider the privacy concerns at stake and, even if the government has met the intermediate “specific and articulable facts” standard, to turn down an application for such an order for cell site data and require the government to satisfy the higher “probable cause” standard.

CSLI is data derived from signals sent between cell towers and cellular telephones that can be used to identify the location of a particular telephone.  Each cell tower in a provider’s network is equipped with radio intercepts that receive signals from cellular phones.  Even when cellular phones are not in use they are continually registering their location with the closest cell towers so that the provider’s system can expedite service by sending incoming calls directly to that tower.  This registration information can be stored by cellular phone providers for up to 18 months before it is deleted or anonymized.  While many would consider disclosure of their historical CSLI invasive, the Third Circuit determined that historical CSLI is in fact not protected by the Fourth Amendment and is subject to disclosure without a showing of probable cause.  

In the underlying case, the initial question before the Third Circuit was whether CSLI should be treated as location information derived from a tracking device to which a warrant standard should apply, or as “other subscriber records” or transaction information which may be disclosed in response to a court order issued in accordance with 18 U.S.C. § 2703(d).  The Magistrate Judge’s (“MJ”) opinion, which had been affirmed by the district court, denied the government’s application to obtain historical CSLI because the MJ found that the government must establish probable cause before the data could be disclosed.  MJ Op., 534 F. Supp.2d at 609 (“In the case of movement/location information derived from an electronic device, the traditionally-applied legal standard has been a showing of probable cause; and nothing in the text, structure, purpose or legislative history of the [Stored Communications Act] dictates a departure from that background standard as to either historic or prospective CSLI.”).  The judge held that because of its continual registration with cellular towers, a cell phone generally acts like a tracking device, as it discloses the movement and location of the subscriber.  Therefore, the MJ reasoned, disclosure of CSLI encroaches upon the cellular phone users’ reasonable expectations of privacy relating to physical movements and locations.

The Third Circuit determined that a reasonable expectation of privacy could only be impinged upon if the CSLI would reveal information about activity or location within the confines of a person’s home and that cell phones did not “extend[] to that realm.”  To reach this conclusion, the Third Circuit relied primarily on United States v. Knotts, 460 U.S. 276 (1983) and United States v. Karo, 468 U.S. 705 (1984).  In both cases, law enforcement placed tracking devices on objects that later were moved.  In Knotts, the government used the tracking device to follow the movement of a truck on public highways, and the Supreme Court concluded that no Fourth Amendment interest was violated because individuals have no reasonable expectation of privacy while in plain view of public highways.  In Karo, however, the object with the tracking device was taken into a home and conveyed information to the government that it could not have otherwise obtained without a warrant.  Thus, the Court found that the government’s use of the device constituted an unlawful search and seizure.  Based on this prior precedent, the Third Circuit concluded, “the privacy interests at issue are confined to the interior of the home.”  In so holding, the Third Circuit has established that CSLI can be protected by the Fourth Amendment only to the extent it reveals something about the home. 

The Third Circuit then turned to the second issue of whether the MJ must issue a § 2703(d) order if presented with “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought, are relevant and material to an ongoing criminal investigation.”  The Third Circuit found that it is not a requirement but rather discretionary.  In other words, magistrate judges have the option of issuing the order or concluding that probable cause is required.  The Court compared the statutory language in § 2703(d) concerning the issuance of an order to that in 18 U.S.C. § 3123(a)(1) regarding the issuance of a pen register trap and trace order.  The pen register statute requires a court to issue an order (“a court shall”) if the government meets the relevance showing, whereas § 2703(d) provides a court “may” issue an order “only if” the government makes the required showing of specific and articulable facts.  The Third Circuit interpreted these differences as evidence that the standard for a § 2703(d) order is the minimum showing required of the government to obtain CSLI.  A magistrate judge can require the government to offer further facts to support a higher level showing before issuing an order if a significant privacy interest is at stake.  The Third Circuit cautioned, however, that an MJ does not have “arbitrary” discretion to require the higher evidentiary showing, but must balance the “government’s need (not merely desire) for the information with the privacy interests of cell phone users.”  Slip. Op. at 29.  Further, the Third Circuit stated that an MJ should only “sparingly” require probable cause when considering applications for historical CSLI. 

Finally, at the close of its opinion, the Third Circuit emphasized the need for ECPA reform and expressed its frustration with the inherent contradictions and ambiguities in the Stored Communications Act, stating, “we are stymied by the failure of Congress to make its intention clear.” 

The Third Circuit’s opinion appears to leave key privacy issues unsettled.  The court seems to envision that after receiving an application for historical CSLI, magistrate judges will conduct a preliminary analysis of the constitutionality of CSLI disclosure, balance the privacy interests of cell phone users and the needs of the government, and, on a case-by-case basis, determine which standard to apply.  This could lead to inconsistent results depending on the judge and the forum.