The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



5th Circuit: SCA Orders Compelling Disclosure of Historical Cell Site Information Constitutional

The 5th Circuit held yesterday that Stored Communications Act (SCA) orders to obtain historical cell site information are not categorically unconstitutional. The case is In Re: Application of the U.S. for Historical Cell Site Data, number 11-20884.

Facts of the Case

The U.S. filed three applications in 2010 under 18 U.S.C. §2703(d) to compel cell phone providers to produce sixty days of historical cell site data and subscriber information.

Under 18 U.S.C. §2703(d), “[a] court order for disclosure… may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

A magistrate judge granted the requests for subscriber information, but denied the request for historical cell site data, and found that compelling the disclosure of this information would violate the Fourth Amendment.

The U.S. filed an ex parte application objecting to the ruling with the Southern District of Texas. The district judge ruled against the U.S., noting that “[t]he standard under the Stored Communications Act is below that required by the Constitution.” The U.S. appealed.

Specific and Articulable Facts Standard, or Probable Cause?

According to the District Court, the SCA violates the Fourth Amendment as it allows the government to obtain a record merely on showing “specific and articulable facts,” not probable cause, and thus the Government can only acquire historical cell site data under a warrant issued on probable cause.

But the 5th Circuit interpreted the word “shall” in §2703(d) as directing courts to issue such orders if the Government meets the “specific and articulable facts” standard.

Privacy of Location Information

The ACLU had filed an amicus curiae brief, arguing that individuals have a reasonable expectation of privacy in their location information, if they are tracked in a place traditionally protected against intrusions, such as a home, or if they are tracked for a longer period of time and in greater detail than society would expect. Indeed, in U.S. v. Jones, the Supreme Court concluded in 2012 that extended monitoring of a vehicle using a GPS system is a search under the Fourth Amendment.

But the 5th Circuit reasoned that, as the Fourth Amendment only protects the privacy of individuals against government intrusion, and does not give individuals the right to be left alone by other people, the Government indeed has the right to require information collected by third parties. Here, it was the cell phone providers which had collected and stored information in the first place, not the Government. The Court concluded that if “a third party collects information in the first instance for its own purposes, the Government … can obtain this information later with a § 2703(d) order, just as it can subpoena other records of a private entity.”

The Fifth Circuit also noted that historical cell data are not private papers, but rather have been created by the provider to memorialize its business transactions with cell phone users, not to record its observation of transactions between individuals. Therefore, “cell site information is clearly a business record.”

The Fifth Circuit was not convinced by the ACLU’s argument that cell phone users do not relinquish their information voluntarily to a third party, a relinquishment which would indeed prevent them from claiming a right to privacy in the information thus shared.

Instead, the Fifth Circuit agreed with the Government which argued that cell phone users know that they share information with cell phone providers when making calls, and that they voluntarily continue to make calls, and that using a phone “is entirely voluntary.”

Judge Dennis wrote a dissent, noting the “Supreme Court’s conscientious avoidance of similar questions regarding the Fourth Amendment implications of modern telecommunications technologies,” such as in the Quon case.

 



New York Senator Asks FTC to Allow Consumers to Opt Out of Store Tracking Programs

Senator Charles Schumer (D-NY) held a press conference last Sunday in Manhattan and called on the Federal Trade Commission (FTC) to allow consumers to opt out of being tracked while visiting retail stores.

Senator Schumer suggested that the FTC should require retailers to inform consumers about their opt-out option by sending an electronic notice to their smartphones before starting to track them.

Senator Schumer also sent a letter to Edith Ramirez, the FTC chairwoman, asking the FTC to investigate this practice which he called unfair and deceptive.

Indeed, The New York Times reported this month that some brick-and-mortar stores track shoppers during store visits. The article explained how Nordstrom had tested a new technology which allowed the retailer to use Wi-Fi signals to track customers’ shopping habits.

Nordstrom stopped the experiment following customers’ complaints, but the department store is not the only retailer interested in these new tracking technologies. American Apparel and Benetton are among retailers tracking their customers inside their stores.

CBS reported that Nordstrom used a company named Euclid for its tracking experiment. The Euclid web site explains how retailers may track consumers. Its system senses consumers’ smartphones when they come into a store and records the “ping” sent to the store’s Wi-Fi systems. The system scrambles the MAC address of each phone by using one-way hashing algorithms, and then data is processed, analyzed, and stored in the cloud, although it is unclear how long. Euclid calls this data “anonymous foot-traffic” and states on its privacy page that “[n]o personally identifiable data is ever collected or used.”

But privacy advocates know that rendering data anonymous may not be a fool-proof way to safeguard the privacy of data subjects. Therefore, it is welcome that Euclid is one of the companies which will participate in a Future of Privacy Forum group to develop best practices for companies in the business of retail location analytics.
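Why a one-way hash of a MAC address is a stable pseudonym rather than anonymity can be shown in a few lines. The following is an added example, not Euclid's code: the page does not say which algorithm or keys the vendor uses, so SHA-256, HMAC, the store keys, the dates and the MAC addresses below are all constructed assumptions. It contrasts an unkeyed hash with a hash keyed per store and per day.

```python
import hashlib
import hmac


def normalize_mac(mac: str) -> bytes:
    """Canonicalise a textual MAC address to its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def bare_token(mac: str) -> str:
    """Unkeyed one-way hash: one phone maps to one token, in every store, forever."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def keyed_token(mac: str, store_key: bytes, day: str) -> str:
    """Keyed hash: a per-store secret derives a per-day key, which keys the token."""
    day_key = hmac.new(store_key, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, normalize_mac(mac), hashlib.sha256).hexdigest()


def shared_tokens(log_a, log_b) -> set:
    """Tokens present in both logs, i.e. devices that can be linked across them."""
    return set(log_a) & set(log_b)


# Constructed sample data (locally administered MAC addresses, made-up keys).
PHONE_1, PHONE_2, PHONE_3 = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02", "02:00:00:aa:bb:03"
STORE_A_KEY = b"constructed-secret-store-A"
STORE_B_KEY = b"constructed-secret-store-B"
SIGHTINGS_A = [PHONE_1, PHONE_2, "02-00-00-AA-BB-02"]  # store A, 2013-07-01
SIGHTINGS_B = [PHONE_2, PHONE_3]                        # store B, 2013-07-02


def compare_schemes() -> dict:
    """Count devices linkable across the two stores under each scheme."""
    bare_a = [bare_token(m) for m in SIGHTINGS_A]
    bare_b = [bare_token(m) for m in SIGHTINGS_B]
    keyed_a = [keyed_token(m, STORE_A_KEY, "2013-07-01") for m in SIGHTINGS_A]
    keyed_b = [keyed_token(m, STORE_B_KEY, "2013-07-02") for m in SIGHTINGS_B]
    return {
        # Unkeyed: PHONE_2 carries the same token in both stores on both days.
        "bare_linked_across_stores": len(shared_tokens(bare_a, bare_b)),
        # Keyed: no token survives a change of store key or day.
        "keyed_linked_across_stores": len(shared_tokens(keyed_a, keyed_b)),
        # Foot-traffic counting still works inside one store on one day.
        "keyed_unique_visitors_store_a": len(set(keyed_a)),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With the keyed scheme, deleting a day's key also makes that day's tokens impossible to recompute from a known MAC address, which the unkeyed hash can never offer.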

Jules Polonetsky, Director of the Future of Privacy Forum, is quoted saying that “[c]ompanies need to ensure they have data protection standards in place to de-identify data, to provide consumers with effective choices to not be tracked and to explain to consumers the purposes for which data is being used.”

It remains to be seen if the issue will be tackled by a set of best practices, regulation, or both.



A Ballot Initiative Seeks to Add a Right to Privacy in PII to the California Constitution

The California Office of the Attorney General received on July 19 a ballot initiative request, the “California Personal Privacy Initiative.” Under California law, every California elector has the right to submit a ballot initiative. The two proponents of the initiative are Steve Peace, a former California State Senator, and Michael Thorsnes, an attorney.

The initiative proposes to add an article XXXVI, Right to Privacy in Personally Identifying Information, to the California Constitution:

SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed to be confidential.

SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.

SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest.

Section 1: PII Collection

Under the language of this section, personally identifying information (PII) provided by a data subject to either a private entity or to the government would be presumed to be confidential. In other words, PII would be confidential by default and entities wanting to process PII would have to first secure the consent of the data subject. The initiative, if enacted, would make opt-in the only legal option for choice and consent in California.

The initiative defines PII broadly as “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” Under that definition, even information rendered anonymous but which could be re-identified would be protected.

Section 2: Harm

Harm would be presumed if the PII has been disclosed without the data subject’s authorization, and that would be very protective of consumers’ interests, as proving harm is notoriously difficult for victims of data breaches or improper data collection. However, in Krottner v. Starbucks, the 9th Circuit found in 2010 that plaintiff faced a credible threat of harm and thus met the injury-in-fact requirement for standing under Article III because of the theft of a laptop containing unencrypted personal data.

But in a recent California case, Yunker v. Pandora Media, the plaintiff had argued that Pandora’s alleged conduct had diminished the value of his PII, decreased the memory space on his mobile device, that disclosure of his PII had put him at risk of future harm, and that Pandora had invaded his constitutional right to privacy when allegedly disseminating his PII to third parties.

The Northern District Court of California found that the facts were not sufficient to prove decreasing memory space and diminished value of PII, and that the mere possibility of future harm was insufficient to establish standing. However, the court found that plaintiff had standing with respect to Pandora’s alleged violations of the constitutional right to privacy.

Under the initiative, plaintiff would no longer have to prove he suffered harm: the defendant would have to prove plaintiff suffered no harm.

Section 3: Countervailing Compelling Interest

The right to the privacy in one’s PII would not be absolute and would have to bend to countervailing interests. For instance, law enforcement would nevertheless have access to PII in order to protect public safety. Would the threat to public safety have to be immediate, or would a general mission of protecting safety be enough to override privacy interests? In the wake of the PRISM scandal, this question is particularly salient.

Another countervailing interest cited by the initiative is non-commercial free speech. One remembers that the Supreme Court held in 2010 in IMS Health, Inc. v. Sorrell that a Vermont prescription privacy law barring disclosure of prescription data for marketing purposes was unconstitutional as it violated the free speech rights of data brokers. Under a new article XXXVI, commercial free speech would not be considered a compelling interest, and thus data brokers would not be able to invoke a free speech defense.

What’s next? Under California law, Election Code § 9001, the Attorney General must now prepare a circulating title and a summary of the initiative within 15 days of the receipt. An initiative petition must then be presented to the Secretary of State and be certified by local election officials to have been signed by a specified number of qualified registered voters.

But the broad scope of the initiative may be its nemesis, as it may trigger intense lobbying against it. Even if enacted, companies may choose to block access to many of their services or products unless the data subject provides a general and broad opt-in consent, to the detriment of a more granular consent.



House Hearing Focuses on Potential Federal Data Breach Notification Legislation

This week, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade held an oversight hearing entitled “Reporting Data Breaches:  Is Federal Legislation Needed to Protect Consumers?”  The hearing, which included testimony from members of the technology industry and academia, focused on whether there is a need for a federal law to either supplement or replace the current patchwork of more than 48 state data breach notification laws. 

Tech industry representatives from associations including TechAmerica, CompTIA, and CTIA described the burden facing companies after they suffer a data breach and then must quickly assess their obligations based upon the states’ differing definitions of personal information, various event triggers, and numerous notification timeframes. In addition, they stressed that any new federal law should preempt existing state laws rather than simply establish a minimum standard on which state laws would be based. The hearing also included discussion on technical questions relating to a possible federal law, including how to define a data breach, how quickly breaches should be reported, and what obligations companies have to consumers whose information has been breached.

During the hearing, Subcommittee Chairman Lee Terry (R-NE) expressed an interest in pursuing new legislation on this matter.  Notably, during the 111th Congress, Subcommittee member Rep. Bobby Rush (D-Ill) reintroduced the Data Accountability and Trust Act (“DATA”) that would have replaced the various state regimes with a uniform federal notification standard and charged the FTC with enforcement.  The bill passed the House, but no action was taken in the Senate.



Call for New Contributors to The Secure Times

The Secure Times is looking for additional bloggers to join our schedule of contributors starting in August.  Bloggers are generally assigned a week every 2-3 months.  We look for insights on current events or issues in the wide-ranging legal privacy and information security field.  Blogging is a great way to expand your profile and meet others in the field.  The blog is managed by the Privacy and Information Security Committee of the ABA Antitrust Section, though you do NOT need to be a member of the ABA to be a contributor to the blog.

Please contact Bridget Calhoun at bcalhoun@crowell.com if you are interested in joining our blog team.

Earlier this week the Senate Commerce Committee subcommittee with responsibility for consumer protection issues held a hearing to discuss the impact of unwanted robocalls on consumers. Topics discussed included the consumer harm associated with fraudulent robocalls; the effectiveness of regulations and law enforcement in stopping them; and the feasibility of technological solutions to the challenges posed by unauthorized robocalls. The hearing was held not long after the 10th anniversary of the Do Not Call Registry – in the words of humorist Dave Barry “the most popular federal concept since the Elvis stamp.”   The hearing heard testimony from two panels: witnesses on the first panel represented the FTC and FCC, and witnesses on the second panel represented the telecom and ancillary industries.

Two overall themes emerged from the testimony: first, the challenges faced both by regulators and legitimate industry in keeping up with fast-paced technological changes in the robocall industry, and second, the increasingly global nature of unauthorized robocalls.

The FTC testimony spoke to the agency’s law enforcement efforts, initiatives to spur technological solutions, and its broad consumer and business outreach in the robocall arena. In the decade since the Telemarketing Sales Rule (TSR) was amended to create the Do Not Call Registry, the agency has brought over 105 enforcement actions, resulting in $126 million in civil penalties and $741 million in redress or disgorgement. Despite these actions, the number of unauthorized robocalls continues to balloon, from 63,000 consumer complaints per month in 2009, to 200,000 complaints per month in 2012.  These numbers were consistent with those presented by the FCC witness who testified that the number of consumer complaints to that agency had doubled in the past two years.

Much of the growth in robocalling is enabled by new technologies such as Voice Over Internet Protocol (VoIP) technology which enables blasting of prerecorded messages over the Internet. VoIP technology not only makes it cheaper to place robocalls when compared to the time and money needed to place a call on the traditional copper wire, but it also makes identifying the robocall perpetrator more challenging. In the highly regulated copper wire world, the regulated entities are well-known and cannot easily conceal their identities. In contrast, VoIP technology allows businesses to place cheap calls wherever they find an Internet connection, both at home and abroad. For example, one 2012 FTC enforcement action involved billions of calls placed by phone numbers registered to companies with overseas offices in the Northern Mariana Islands, Hong Kong, and the Netherlands.

In October 2012, the Commission hosted a workshop – the Robocall Summit – to explore technological solutions to keep up with the Internet-enabled growth in robocalls (or as then-Chairman Leibowitz described it, “voice blasting technology [] at bargain basement prices”). The FTC announced a public contest or “Robocall Challenge” with a $50,000 prize for the individual or small team that could propose a technological solution to help consumers block robocalls on their landlines and mobile phones. In April this year, the agency announced three winning solutions which, if successfully developed, could result in “positive results for American consumers.”

Urging caution, a representative from the USTelecom trade association counseled that technological solutions that “seek to make phone service providers the arbiter of whether a call should – or should not – be permitted to proceed skirt dangerously close to violating the privacy obligations imposed on us by law.”  The witness cited the Wiretap Act provisions protecting the transmission of calls and limiting the rights of universal service providers to intercept them. The witness was not optimistic that a “silver bullet” technological solution to the robocall challenge could be found, and counseled further that “today’s solution could very well turn into tomorrow’s Maginot Line, and could have unintended adverse consequences.”



U.S. Supreme Court Recognizes Privacy Right in Residents’ Motor Vehicle Records

On June 17, 2013, the U.S. Supreme Court issued its opinion in Maracich v. Spears, No. 12-25, 570 U.S. ___ (2013), to limit the disclosure of personal information covered by the federal Driver’s Privacy Protection Act of 1994 (“DPPA”). See 18 U.S.C. §§ 2721-2725. The case involved class action attorneys who submitted several state Freedom of Information Act (FOIA) requests to the South Carolina DMV to obtain personal information on thousands of car buyers, including buyers’ names, addresses, phone numbers, and car purchase information. The attorneys then used this information to identify potential class action plaintiffs and to send “solicitations” to join several lawsuits against South Carolina car dealerships for alleged violations of state law. The attorneys mailed 34,000 such solicitations under the heading, “ADVERTISING MATERIAL” and asked that recipients return an enclosed reply card if they wanted to participate in the case.

South Carolina residents brought suit against the attorneys for violating the DPPA by obtaining, disclosing, and using their personal information from motor vehicle records for solicitation without their express consent. The issue before the High Court was whether the use of DMV records to solicit clients for an incipient lawsuit fell into the “litigation exception” of the DPPA. This exception allows for the disclosure of DMV-held personal information “in connection with” litigation and for “investigation in anticipation of litigation.”

The majority (written by Justice Kennedy, joined by Chief Justice Roberts and Justices Thomas, Breyer, and Alito) declined to find the litigation exception applicable. The majority’s holding turned on the distinction between an attorney’s solicitation of new clients and his or her conduct on behalf of an existing client or the court. As to the former, the Court held that an attorney’s solicitation of prospective clients was neither a use “in connection with” litigation nor “investigation in anticipation of litigation.”

The High Court noted this reading of the litigation exception of the DPPA was consistent with various provisions of the DPPA that protect an individual’s right to privacy in his or her motor vehicle records. It found the use of purchasers’ highly personal information in solicitations without their express consent was “so substantial an intrusion on privacy it must not be assumed, without language more clear and explicit, that Congress intended to exempt attorneys from DPPA liability in this regard.” Indeed, the Court held “Congress chose to protect individual privacy by requiring a state DMV to obtain the license holder’s express consent before permitting the disclosure, acquisition, and use of personal information for bulk solicitation.”

The case addressed a narrow issue of statutory construction involving the scope of the litigation exception of the DPPA. Though there was no indication that the attorneys had misused in any way the personal information of consumers lawfully obtained from the state DMV, the majority opinion admonishes private attorneys that engage in fishing expeditions to gain access to this information for the purpose of expanding their client base.