The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Senate ‘Malvertising’ Hearing

The Permanent Subcommittee of the Senate Committee on Homeland Security & Governmental Affairs held a hearing last week on the findings of its ‘Online Advertising and Hidden Hazards to Consumer Security and Data Privacy’ report.
In his introductory remark, Senator John McCain (R-AZ) noted that online advertising is now more profitable than broadcast television advertising. Indeed online advertising revenue was $42.8 billion in 2013, almost $3 billion more than television advertising.

At the same time, ‘malvertising’ increased over 200 % in 2013 to over 209,000 incidents generating over 12.4 billion malicious ad impressions (Testimony of Craig D. Spiezle Executive Director & Founder of Online Trust Alliance).

Online advertisements may be used as a vehicle to install malicious software on users’ computers. The software then steal personal information or attack other computers, most of the time without the user even knowing that his computer has been infected.

Online advertisements is a serious security threat for consumers, yet most consumers are not aware of this issue. During the questions sessions, Mr. Spiezle noted that that issue has been kept quiet from several years. Senator McCaskill (D-MI) reminded panelists that online advertising is the backbone of the Internet economy, yet consumers have not been sufficiently informed that their data is what fuels this economy. Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, stated that the FTC informs consumers about online privacy on its OnGuard online site.

Who is Responsible?

What should be the responsibility of online advertising companies such as Google and Yahoo! ? Senator McCain believes that they “have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver.” They do not directly control the advertisements however, and as many as five or six companies can be involved in the process of publishing an ad, which makes finding which companies are responsible for having let the malware being installed quite difficult.

Also, Senator McCain noted that “commercial actors have limited incentives to develop and institute security measures for fear of becoming the liable party if something goes wrong.” However, the representatives of Google and Yahoo! emphasized that their companies have an incentive to fight malvertising in order to retain their customers’ trust.
Senator McCain asked Alex Stamos, Chief Information Security Officer at Yahoo!, if the site was responsible for malware, to which Mr. Stamos answered that Yahoo! takes responsibility for its users’ safety. Pushing further, Senator McCain then asked Mr. Stamos if Yahoo! would reimburse a user whose bank account has been depleted through a malware encountered on a Yahoo! site, but Mr. Stamos did not believe that Yahoo! has such responsibility.

Possible Solutions

George F. Salem, Senior Product Manager at Google, testified that his company has a two-pronged approach to fighting malware: preventing users from even visiting sites invested with malware and disabling ads which have malware. He also noted that consumers should be careful about downloads, always use the latest version of their browser and also install up-to-date antivirus software, a view shared by Ms. Mithal.

Senator Mc Cain also noted that “another problem in the current online advertising industry is the lack of meaningful standards for security” and expressed frustration that Google and Yahoo!, similar companies as they are, could not have the same best practice standards and implement them the same way, as they face the same problems.

Senator Mc Cain asked Ms. Mithal what could be the solutions to malvertising. She answered that increasing consumer education, having more robust industry self-regulations and also more enforcement would be key. Indeed, the FTC has already brought some enforcement actions against companies involved in online advertising for deceptive practices. Ms. Mithal stressed that there should be enforcement against the purveyor of malware but also against third parties which let the purveyor go by.

What’s Next?

Several online advertising companies, including Google and Yahoo, announced a new initiative called Trust in Ads that has as its goal the protection of consumers from malicious online advertisements and deceptive practices.

New legislation may be ahead. Senator Mc Cain asked Ms. Mithal if the FTC would need additional tools to protect consumer’s online privacy and Ms. Mithal mentioned that the FTC has advocated in the past to be given the authority to fine companies that do not maintain reasonable security practices. In her written testimony, Ms. Mithal wrote that the FTC “continues to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law.”

Leave a comment

Google ‘Glasstiquette’ and Other Google Glass Issues

I was sitting at an airport café a few weeks ago, and witnessed a group of friends having fun, speaking and laughing together around a table. Next to them was a middle-aged business man wearing Google Glass.

One of the members of the group spotted the glasses, and started a conversation with their wearer. The business man obliged, saying he liked them very much, and then said: Oh, and by the way, I just took a picture of you!

The mood of the group subtly changed. They politely ended the conversation and then, very slowly, as not to be rude, all turned their back to the business man.

I had just witnessed a Google Glass breach of etiquette, and for what is worth, it did not seem that the culprit was unaware of it.

Etiquette for a Wearable Computers World

Do we need new rules to live in a society where the person next from us on line at the supermarket counter, or worse, behind us at the pharmacy while we pick up drugs, may be able to take a photograph of us, or to film us, without us even noticing it?

Google itself seems to believe we do,  as it recently released a guide for ‘Google Glass Explorers,’ people who have been given the opportunity to test Google Glass, which are still not available for sale.

Well, it seems that the business man I witnessed at the airport broke one of the Do’s of the guide: ‘Ask for permission.’ While this seems just common sense if one if taking a photograph, how could we possibly ask for permission to film a crowd? Should we ask every single person for permission?

Google Glass and Law Enforcement

Knowing the answer to this question may be a matter of personal safety. A woman claimed this week that she was attacked and robbed in a bar at San Francisco while wearing Google Glass, and, according to her, it was because she was wearing Google Glass.

It seems that she was later able to retrieve her Google Glass. Interestingly, its camera had apparently recorded the incident, showing a man ripping the glasses off her face. Could the recoding be used as evidence?

Indeed, Google Glass may be used by law enforcement officials in the near future. New York’s finest, the NY Police Department, is experimenting with two pairs of Google Glass, to find out whether they could be used for police work. That could raise some interesting fourth amendment issues.

On the other hand, Google Glass may become the pet peeve of police officers in charge of enforcing road security.

A woman got a ticket in San Diego last October, for speeding, but also for wearing Google Glass, as 27602(a) of the California Vehicle Code forbids driving a motor vehicle if “a television receiver, a video monitor, or a television or video screen, or any other similar means of visually displaying a television broadcast or video signal that produces entertainment or business applications, is operating and is located in the motor vehicle at a point forward of the back of the driver’s seat, or is operating and the monitor, screen, or display is visible to the driver while driving the motor vehicle.”

The case was later dismissed, as the judge did not find enough evidence to prove beyond a reasonable doubt that Google Glass was switched on while its wearer was driving.

Is it safe for car drivers to wear Google Glass while driving? It may be banned soon by legislators, just as texting and using a telephone while driving is forbidden in most states. Some states, such as Illinois, have already introduced bills to that effect. It remains to be seen if they will be enacted; Reuters reported this week that Google is lobbying to stop these bills from becoming law.

Facial Recognition and Google Glass

Even though Google has not (yet) developed a facial recognition app for Google Glass, another company, NameTag has done so. It would allow Google Glass wearers to pick a suitable date among a crowd of strangers, by scanning social media information of people around them. That triggered concerns from Senator Al Franken (D-Minnesota), who sent a letter on February 5th to the President of NameTag, expressing his “deep concerns” about the new app  and urging him to delay its launch “until best practices for facial recognition technology are established.”

It is not the first time legislators are expressing concerns over the privacy issues involved in Google Glass, and it probably won’t be the last.  

Leave a comment

Washington State May Soon Regulate Personal Information Collection by Drones

Two Washington State bills are addressing the issue of government surveillance using drones, and the potential negative impact this could have on privacy.

The first bill, HB 1771, is a bi-partisan bill sponsored by Rep. David Taylor, R-Moxee, which was   introduced last year. It calls drones a “public unmanned aircraft system.”

HB 2789, is also sponsored by Rep. David Taylor. It calls drones “extraordinary sensing devices” and its Section 3(1) would have government use of drones “conducted in a transparent manner that is open to public scrutiny.”

Calling drones “devices” instead of “aircraft” has significance for a State famous for its aeronautic industry.  Indeed, while HB 1771 passed the House last week, HB 2789 stills lingers in Committee.

A Very Broad Definition of Personal Information

HB 2789 and HB 1771 both define what is “personal information” quite broadly, as it would not only encompass a social security or an I.D. number, but also “medical history, ancestry, religion, political ideology, or criminal or employment record.

Interestingly, it would also encompass information that can be “a basis for inferring personal characteristics” such as “the record of the person’s presence, registration, or membership in an organization or activity, or admission to an institution” or even, “things done by or to such person,” a definition that is so broad that it may encompass just about anything that ever happens to an individual. This definition recognizes that drone surveillance allows for a 24/7 surveillance society.

Personal information also means IP and trade secret information.

Illegal Collection of Data by Drones Must be “Minimized”

Under section 4 of HB 2789, disclosure of personal information acquired by a drone must be conducted in a way that minimizes unauthorized collection and disclosure of personal information. It reprises the words of Section 5 of HB 1771, only replacing ‘public unmanned aircraft by ‘extraordinary sensing device.’

I am not sure that I interpreted section 4 correctly, so here is the full text:

All operations of an extraordinary sensing device or disclosure of personal information about any person acquired through the operation of an extraordinary sensing device must be conducted in such a way as to minimize the collection and disclosure of personal information not authorized under this chapter.

So the standard it not complete avoidance of unauthorized collection of personal information, but instead minimization of illegal collection. The wording may reflect the understanding of the legislature that, because of the amazing volume of data that may potentially be collected by drones, including “things done by or to such person,” it would be unrealistic to set a standard of complete avoidance of data collection.

Maybe this ”minimizing” standard set by HB 1771 and HB 2789 is a glimpse of the standards for future data protection law…

Warrant Needed to Collect Personal Information by Drones

Under Section 5 of HB 2789, a drone could to collect personal information pursuant to a search warrant, which could not exceed a period of ten days.

The standard to obtain a warrant under Section5 (3)(c) of HB 2789 and Section 6 (2) (c ) of HB 1771would be “specific and articulable facts demonstrating probable cause to believe that there has been, is, or will be criminal activity

Under Section 5 (3)(d) of HB 2789, a petition for a search warrant would also have to include a statement that “other methods of data collection have been investigated and found to be either cost prohibitive or pose an unacceptable safety risk to a law enforcement officer or to the public. ”

So drones should be, at least for now, still considered an extraordinary method to be used in criminal investigations.  Such statement would not be necessary though under HB 1771.

Warrant could not exceed ten days under Section 5(5) of HB 2789, but could not exceed 48 hours under section 6(4)HB 1771, and thus HB 1771 would be much more protective for civil liberties. However, as we saw, it is unlikely that HB 1771 will ever be enacted into law.

Warrant Not Needed in Case of an Emergency

Both bills would authorize some warrantless use of drones.

However, under Section 7 of HB 2789 a warrant would not be needed if a law enforcement officer “reasonably determines that an emergency situation exists [involving] criminal activity and presents immediate danger of death or serious physical injury to any person,” and that the use of a drone is thus necessary.

Under Section 8 of HB 1771, it would only be necessary for the law enforcement officer to “reasonably determine that an emergency situation exists that involves immediate danger of death or serious physical injury to any person” which would require the use of drone, without requiring a pre-determination of criminal activity.

But even if an emergency situation does not involve criminal activity, section 8 of HB 2789 allows for the use of drones without a warrant if there is “immediate danger of death or serious physical injury to any person,” which would require the use of drones in order “to reduce the danger of death or serious physical injury.”

However, such use would only be authorized if it could be reasonably determined that such use of drones “does not intend to collect personal information and is unlikely to accidentally collect personal information,” and also that such use is not done “for purposes of regulatory enforcement.“

Both bills require that an application for a warrant be made within 48 hours after the warrantless use of a drone.

Fruits of the Poisonous Drone

Under section 10 of HB 2789 and section 10 of HB 1771, no personal information acquired illegally by a drone nor any evidence derived from it could be used as evidence in a court of law or by state authorities.

Handling Personal Information Lawfully Collected

Even if personal information has been lawfully collected by drones, such information may not be copied or disclosed for any other purpose than the one for which it has been collected, “unless there is probable cause that the personal information is evidence of criminal activity.”

If there is no such evidence, the information must be deleted within 30 days if the information was collected pursuant to a warrant and 10 days if was incidentally collected under section 11 of HB 2789, but would have to be deleted within 24 hours under section 11 of HB 1771.

Drone regulation is a new legal issue, but Washington  would not be the first State to regulate it. Many other States have introduced similar proposals, often not successfully however. But Florida, Idaho, Illinois, Montana, Oregon, Tennessee, Texas and Virginia have all enacted laws regulating the use of drones for surveillance purposes and North Carolina has enacted a two-year moratorium. It remains to be seen if and when federal legislation will be enacted.

1 Comment

Warrant Needed In Massachusetts to Obtain Cell Phone Records

The Massachusetts Supreme Judicial Court ruled 5-2 on February 18 in Commonwealth v. Augustine that the government must first obtain a warrant supported by probable cause before obtaining two weeks worth of historical cell site location information (CSLI).

Defendant had been indicted for the 2004 murder of his former girlfriend. During the investigation, the prosecution filed for an order to obtain CSLI from the suspect’s cellular service provider, but the order was filed under 18 U.S.C. § 2703(d) of the Stored Communications Act (SCA). Under that law, the government does not need to show probable cause, but only needs to show specific and articulable facts showing “that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

The order was granted by the Superior Court in September 2004. Defendant was indicted by a grand jury in 2011, and filed a motion to suppress evidence associated with his cell phone in November 2012.

A judge from the Superior Court granted his motion to suppress, reasoning that this was a search under article 14 of the Massachusetts Declaration of Rights – which is similar to the Fourth Amendment to the U.S. Constitution – and thus a search warrant was required.

The Commonwealth of Massachusetts appealed, arguing that the CSLI was a business record, held by a third party, and that the defendant had no expectation of privacy in this information as he had voluntarily revealed it to a third party.

This argument did not convince the Massachusetts Supreme Judicial Court, ruling instead that defendant had an expectation of privacy in the CSLI and that the prosecution therefore needed to obtain a warrant based on probable cause to obtain this information.

The Third Party Doctrine

Why did the court find that the defendant had an expectation of privacy in his CSLI, even though this information was known by a third party, his cell phone service provider?

Under the U.S. Supreme Court third party doctrine, as stated in the U.S. v. Miller 1976 case and in the 1979 Smith v. Maryland case, a defendant has no reasonable expectation of privacy in information revealed to third parties.

In Miller, the Supreme Court found that defendant has no expectation of privacy in his bank records, as they were “business records of the banks.” Similarly, in Smith v. Maryland, the Supreme Court held that installing and using a telephone pen register was not a “search” under the Fourth Amendment, and thus no warrant was required, because the defendant had no expectation of privacy in the phone numbers he had dialed.

First, the Massachusetts Supreme Judicial Court recognized article 14 of the Massachusetts Declaration of Rights affords more protection than the Fourth Amendment to the U.S. Constitution.


Then, the Supreme Judicial Court distinguished Miller and Smith from the case, finding “significant difference” between these two cases and the case at stake. The Court noted that “the digital age has altered dramatically the societal landscape from the 1970’s.

In Smith, the defendant had taken an affirmative step when dialing the numbers which had been communicated to the prosecution by the telephone company. He had to do it in order to be able to use his telephone service. As such, Smith had “identified] a discrete item of information…like a telephone number (or a check or deposit slip as in Miller) and then transmit it to the provider.”

But cell phone users do not transmit their data to their cell phone company in order to use the service. Instead, “CSLI is purely a function and product of cellular telephone technology, created by the provider’s system network.”

The court also noted that, while using a landline may only indicate that a particular party is at home, CSLI provides a detailed report of an individual’s whereabouts. The Massachusetts court quoted the State v. Earls case from the New Jersey Supreme Court, which stated that using a cell phone to determine the location of its owner “is akin to using a tracking device and can function as a substitute for 24/7 surveillance.”

As CSLI is business information “substantively different from the types of information and records contemplated by Smith and Miller,” the court concluded that it “would be inappropriate to apply the third-party doctrine to CSLI.” However, the court added that they saw “no reason to change [their] view thatthe third-party doctrine applies to traditional telephone records.”

Obtaining CSLI from a Cell Phone Provider is a Search and Thus Requires a Warrant

The court then proceeded to answer the question of whether the government needed a warrant to access the CSLI.

As CSLI informs law enforcement about the whereabouts of an individual, the Massachusetts Supreme Judicial Court compared it to electronic monitoring devices such as a GPS. It noted that “it is only when such tracking takes place over extended periods of time that the cumulative nature of the information collected implicates a privacy interest on the part of the individual who is the target of the tracking,” quoting the Supreme Court U.S. v. Jones case, where Justice Sotomayor and Justice Alito both noted in their concurring opinions that the length of a GPS surveillance is relevant to determine whether or not the individual monitored has or does not have an expectation of privacy.

The Massachusetts Supreme Judicial Court found relevant the duration of the period of time for which historical CSLI was sought by the government. The government may only obtain historical CSLI, meeting the SCA standard of specific and articulable facts, if the time period is “too brief to implicate the person’s reasonable privacy interest,” but the two-week period covered in this case exceeds it.

The court’s ruling was about article 14 of the Massachusetts Declaration of Rights. The Supreme Court has not yet considered the issue of whether obtaining CSLI is a search under the Fourth Amendment. Since courts are split on this issue, it is likely that the Supreme Court will answer the question of whether a warrant is required to obtain cell phone location records quite soon. 

Leave a comment

More International Reactions to the US Massive Intelligence Collection

The revelation of the large-scale US intelligence collection program continues to bring about international reactions.  

United Nations

The Third Committee of the United Nations (Social, Humanitarian and Cultural) approved on November 26 a draft resolution on “The right to privacy in the digital age.” The draft will now advance to General Assembly voting.

 The General Assembly would call upon Member States to respect the right to privacy and to take measures to prevent its violation. They also would have to “review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.

The General Assembly would also request the United Nations High Commissioner for Human Rights to write a report on the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.

European Union Commission

In the European Union, the EU Commission published today a communication on “Rebuilding Trust in EU-US Data Flows.” The Commission noted that “the standard of protection of personal data must be addressed in its proper context, without affecting other dimensions of EU-US relations.”

This is why data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership (TTIP).

The Commission noted in the introduction that trust in the US/EU “has been negatively affected and needs to be restored” and that “[m]ass surveillance of private communication, be it of citizens, enterprises or political leaders, is unacceptable.”

The communication identified six steps which should be taken to restore trust in transatlantic data transfers:

Implement the EU Data Protection Reform

The proposed regulation has a wide territorial scope since companies not established in the EU would have to apply it if they offer goods and services to European consumers or monitor their behavior.

The regulation would also provide” clear rules on the obligations and liabilities of data processors such as cloud providers.” Surveillance programs affect data stored in the cloud, and companies providing cloud services asked to provide personal data to foreign authorities would not be able “to escape their responsibility” by arguing that they are mere data processors, not data controllers.

Making the Safe Harbor Safe

The Safe Harbor scheme has several weaknesses and that leads to some competitive disadvantages. For instance, some self-certified Safe Harbor members do not comply with its principles in practice. Also, some countries may decide to cease altogether data transfer on the basis of Safe Harbor.

Therefore,” the current implementation of Safe Harbor cannot be maintained.”However, it should be strengthened, not canceled.

The scheme would be more effective if certified companies would have more transparent privacy policies  and also if affordable dispute resolution mechanisms would be available to EU citizens.

Strengthening Data Protection Safeguards in the Law Enforcement Area

The current negotiations between the US and the EU on an “umbrella agreement” for transfers and processing of data in the context of police and judicial cooperation must be concluded quickly.

Using the existing Mutual Legal Assistance and Sectoral Agreements to Obtain Data

The Commission expressed hope that the US would commit that personal data held by private companies located in the EU will not be directly accessed and transferred to US law enforcement authorities outside of formal channels of cooperation, such as the Passenger Name Records Agreement and Terrorist Financing Tracking Program.

Addressing European Concerns in the On-Going U.S. Reform Process

President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens by providing an opportunity to address the EU concerns about US intelligence collection programs.

Safeguards available to US citizens should be extended to EU citizens not resident in the US, and transparency should be increased and there should be better and stronger oversight.

Promoting Privacy Standards Internationally

The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the “Convention 108”, which is open to countries which are not member of the Council of Europe. The US has already acceded to the 2001 Convention on Cybercrime.

The press release about this communication is available here.

Leave a comment

ACS Panel: is it Possible for the Constitution to Keep Pace with New Technologies?

On November 21, the American Constitution Society (ACS) presented a panel on ‘The Constitution and Privacy in a Time of Innovation.’ The participants were Stephen Vladeck of American University, Chris Calabrese of the ACLU, James Grimmelman of the University of Maryland, and Orin Kerr of The George Washington University, and the moderator was Dahlia Lithwick of Slate. The video of the panel is here.

The ACS asked the question: is it possible for the Constitution to keep pace with new technologies? The question could not have been more topical, as the panel took place just a day after it was revealed that the government has been collecting Internet metadata for many years.

Orin Kerr started by reminding the audience that the Fourth Amendment was originally applied to breaking into homes, arresting people and seizing in the physical world. However, the Fourth Amendment also addressed new issues over the years.

Professor Kerr noted that “every age is an age of innovation.” In the 20’s, the issue was how the Fourth Amendment would apply to automobiles and telephones, in the 60’s, how it would apply to phone booths, and in the 80’s, how it would apply to aerial surveillance. Today, the issues are DNA, email and GPS devices. Professor Kerr believes that we’ll see more cases similar to the 2012 U.S. v. Jones GPS case in the future.

Chris Calabrese regretted that the Supreme Court has dodged the issue of the records about each of us, not the content of our messages, but the metadata. This is “envelope information” such as who we call and when. Mr. Calebrese gave the example of an individual calling a suicide hot line:  this would be a very sensitive piece of information. However, the Supreme Court  still follows the third party doctrine, as  stated in Smith v. Maryland:  if you share info with a third party, it is no longer protected by the Fourth Amendment.

U.S. v. Jones is the first case where the Supreme Court addressed a form of metadata, location information. Mr. Calabrese stated that as “we live in a world of records,” where we constantly create records, it is thus essential to know who owns these records and how they are accessed. These are issues that both the Supreme Court and Congress must address. 

James Grimmelman reminded the audience that some third parties holding our information now actively engage in information gathering, unlike telephone companies which play a somewhat passive role. He gave Facebook as an example of a company actively trying to maximize information to gain advertising revenue and fuel activities on its site. To do so, it gives incentives to users to share information.

Professor Grimmelman pointed out that Facebook is aware that users are concerned about how their information is being shared with the government, which may chill their willingness to share information on Facebook. Mr. Calabrese later said that, according to a survey, the public dislikes corporate collection of data even more than government collection of data, as they perceive the government as giving them at least something  back.

Professor Grimmelman also believes that surveillance by drones in public places will be an important issue, as the government will know and aggregate the whereabouts of individuals on a massive scale.  Mr. Calabrese noted that we appear in public, sure, but in “an impermanent way” and that would no longer be the case if our public presence is constantly recorded and analyzed. This is a pervasive intrusion on our private lives.

Stephen Vladeck addressed the issue of whether the Fourth Amendment is affected by NSA surveillance. He reminded the audience that the FISA Act functioned in a space unoccupied by the Supreme Court. FISA was extended in 2001 and in 2008, and gave the government authority to implement programs such as PRISM. What is the role of the Fourth Amendment in these surveillance issues?

Professor Kerr does not believe the Fourth Amendment has a role to play there, under the third party doctrine, but Professor Vladeck proposed to differentiate between records that we individually share with third parties, from the fairly new ability for the government to aggregate that data.

For Professor Vladeck, the Fourth Amendment can regulate surveillance, as only the government is capable of such massive surveillance. However, Professor Kerr does not believe that the Fourth Amendment protects metadata against searches, as it only protects against government invasion into one’s private space. Metadata searches should be regulated by a law, but this is not the role of the Fourth Amendment. When reading the Jones concurrence, it seems however, that the Supreme Court may soon introduce a new category of search. It could possibly cover metadata.

That may happen this term, as Professor Kerr believes the Supreme Court will tackle this term the issue of whether the police may search a cell phone incident to an arrest, and, if they can, how far they can search. That would be an opportunity for the Supreme Court to discuss once again the issue of new technologies and the Fourth Amendment.

Leave a comment

Big Data and Privacy: Some Recent Developments

For those of you tracking the relationship between big data and privacy, some recent developments will be of interest.

Last June, Commissioner Julie Brill from the Federal Trade Commission gave a speech about Reclaim Your Name, focusing on data brokers.

Since then, as reported in The New York Times, data broker Axciom has launched a web portal, Aboutthe, which would enable consumers to access data held by Axciom and even correct it.

However, Axciom is still ironing out the wrinkles in its portal, as it seems that some users have not been able to log in.

In the meantime, Commissioner Brill will give a lecture on the issue at NYU Poly/Sloan Institute in Brooklyn on October 23. Attendance to this event will be free, and the details can be found here.

Leave a comment

California Soon to Have RFID Driver Licenses

A California bill, S.B. 397, would allow the Department of Motor Vehicles (DMV) to issue enhanced driver’s licenses (EDLs) and identification cards, that is, licenses and IDs containing radio frequency identification (RFID) technology.

Such EDLs would include a machine readable zone or barcode that could be electronically read from a distance. These cards would transmit an encrypted randomly assigned number, but would not contain any other personal data, biometric information, or number. They would only contain the information required by the federal Western Hemisphere Travel Initiative (WHTI) established by the Department of State and Department of Homeland Security.

Pro: Convenience and Speediness

The WHTI requires U.S. and Canadian travelers to present a passport or other document proving their identity and citizenship when entering the U.S.

Carrying an EDL would allow travelers to use the Ready Lanes already available at some port of entry, which make the process of entering the U.S. faster and easier. A summary of the bill made this month by the Assembly’s Appropriations Committee describes the process as “convenient and time-saving.” Four U.S. states, Michigan, New York, Vermont, and Washington are already issuing EDLs.

Con: Privacy and Security Risks

What may be the risks for privacy? The web site of the Department of Homeland Security (DHS) states that “[n]o personally identifiable information is stored on the card’s RFID chip or can be transmitted electronically by the card. The card uses a unique identification number that links to information contained in a secure Department of Homeland Security database. This number does not contain any personally identifiable information.”

S.B. 397 contains provisions addressing the security issues that the use of such cards may raise. It states that the DMV would include in the EDLs “reasonable security measures, including tamper-resistant features to prevent unauthorized duplication or cloning and to protect against unauthorized disclosure of personal information regarding the person who is the subject of the license, permit, or card.”

The American Civil Liberties Union of Northern California opposes the bill, and states that DHS has admitted that the personal information encoded on the RFID chip could be read from up to 30 feet away. Also, the EDLs do not include technological protections to prevent the personal information from being read without the individual’s knowledge or consent.

The ACLU mentions a scientific report which studied the security of the Washington EDLs. The authors of this report stated that RFID contained in such cards only have limited security features and, as such, could be surreptitiously scanned and reproduced.

A note from the ACLU of Washington, published that the time Washington state proposed to have EDLs, had noted that such cards do not have built-in security, and thus the Department of Licensing would had to provide users with a security sleeve designed to block the RFID transmission. Such sleeve indeed prevents a card to be scanned without authorization, but, as the EDL does not have an on/off switch, the card can broadcast information to compatible readers within its range if taken out of the protective sleeve by accident.

The site of the Washington State Department of Licensing informs users that the “[e]nhancements included in the EDLs… are industry best practices for security”, that is, “secure and isolated-dedicated (optic fiber) network connectivity; encryption of personal identifying information between Washington State and the Border Officer during transmission; closed and secure network design, including firewalls and limited and controlled access to the network, network equipment, and data centers.”

Big Data at the Borders

However, there is no clear information on whether data about travel is retained, and, if it is, for how long. As travel data is of particular interest to governments, there may be a temptation to store and analyze it. For example, the Australian Customs and Border Protection Service recently put in place a program using Big Data to analyze passenger information.  There is no such program yet in the U.S., and the EDLs cannot be used for air travel, but we should keep in mind that these cards may be used as intelligence/surveillance tools.

The California bill has been approved by the Senate, and is now under consideration in the Assembly. It is expected to pass. A Committee hearing is scheduled for next Friday, August 30th.

Leave a comment

New European Union Regulation about Notification of Personal Data Breaches Enters into Force

A new European Union Regulation applicable to the notification of personal data breaches entered into force on Sunday, August 25.

The Regulation is part of the effort to address the issue identified in article 35 of the Digital Agenda for Europe, to give guidance for implementing a new Telecoms Framework to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/22/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for publicly available electronic communications service providers (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4 of the modified ePrivacy Directive, ECPs must notify individuals of the breach “without undue delay” if it is “likely to adversely affect [their] personal data or privacy,” unless the ECP affected by the breach can demonstrate to its national authority that it has implemented ”appropriate technological protection measures.”

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly enforceable in the 28 Member States, but, instead, sets the goals to be achieved and leaves Member States the choice on how to implement these goals in their national systems. Therefore, there is always a risk that the 28 different ways to implement a particular Directive lead to some inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission published a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same in all the Member States.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as notification by ECPs of personal data breaches. Annex 1 of the Regulation details the content of what must be notified to the national authority, divided in two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved):

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means to notify them about personal data breaches, which should be in a common format, such as XML, an online format, across the EU.

However, if some of this information is not available, an ECP can make an initial notification to the competent national authority within 24 hours, including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and in the latest within three days after the initial notification” providing then the information described in section 2.  

This precise time frame is welcome as the phrasing “undue delay in the modified ePrivacy Directive was vague. However, a 24-hour delay for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3.3 of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” As ECPs must provide a copy of this notification when notifying their national authorities of a breach, such notification has to be made, at the latest, 24 hours after the occurrence of the breach, again, a rather short delay.

A Safe Harbor: Implementation of Technological Security Measures  

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they were able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach.

Such measures must render data unintelligible. Article 4.2(a) and 4.2(b) details when data will be considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.

So far, only ECPs have a duty to report personal data breaches in the EU. However, the new data protection Regulation currently debated in the European Parliament would provide an obligation for all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subject affected by the breach (article 32).

The entering into force of the June 24, 2013 Regulation may provide an insight on how well ECPs are prepared to meet their obligations, and will also likely give clues on whether it will indeed be feasible for data controllers to meet their obligations under the new data protection Regulation, likely to enter into force next year.

Leave a comment

5th Circuit: SCA Orders Compelling Disclosure of Historical Cell Site Information Constitutional

The 5th Circuit held yesterday that Stored Communications Act (SCA) orders to obtain historical cell site information are not categorically unconstitutional. The case is In Re: Application of the U.S. for Historical Cell Site Data, number 11-20884.

Facts of the Case

The U.S. filed three applications in 2010 under 18 U.S.C. §2703(d) to compel cell phone providers to produce sixty days of historical cell site data and subscriber information.

Under 18 U.S.C. §2703(d), “[a] court order for disclosure… may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

A magistrate judge granted the requests for subscriber information, but denied the request for historical cell site data, and found that compelling the disclosure of this information would violate the Fourth Amendment.

The U.S. filed an ex parte application objecting to the ruling with the Southern District of Texas. The district judge ruled against the U.S., noting that “[t]he standard under the Stored Communications Act is below that required by the Constitution.” The U.S appealed.

Specific and Articulable facts Standard, or Probable Cause ?

According to the District Court, the SCA violates the Fourth Amendment as it allows the government to obtain a record merely on showing “specific and articulable facts,” not probable cause, and thus the Government can only acquire historical cell site data under a warrant issued on probable cause.

But the 5th Circuit interpreted §2703(d) that “shall” direct courts to issue such orders if the Government meets the “specific and articulable facts” standard.

Privacy of Location Information

The ACLU had filed an amicus curiae brief, arguing that individuals have a reasonable expectation of privacy in their location information, if they are tracked in a place traditionally protected against intrusions, such as a home, or if they are tracked for a longer period of time and in greater detail than society would expect. Indeed, in U.S. v. Jones, the Supreme Court concluded in 2012 that extended monitoring of a vehicle using a GPS system is a search under the Fourth Amendment.

But the 5th Circuit reasoned that, as the Fourth Amendment only protects the privacy of individuals against government intrusion, and does not give individuals the right to be left alone by other people, the Government indeed has the right to require information collected by third parties. Here, it was the the cell phone providers which had collected and stored information in the first place, not the Government. The Court concluded that if “a third party collects information in the first instance for its own purposes, the Government … can obtain this information later with a § 2703(d) order, just as it can subpoena other records of a private entity.”

The Fifth Circuit also noted that historical cell data are not private papers, but rather have been created to memorialize business transactions with the cell phones users, not to record its observation of transactions between individuals. Therefore,“cell site information is clearly a business record.”

The Fifth Circuit was not convinced by the ACLU’s argument that cell phone users do not relinquish their information voluntary to a third party, which indeed would then prevent them to claim a right to privacy in the information thus shared.

Instead, the Fifth Circuit agreed with the Government which argued that cell phone users know that they share information with cell phone providers when making calls, and that they voluntarily continue to make calls, and that using a phone “is entirely voluntary.”

Judge Dennis wrote a dissent, noting the “Supreme Court‘s conscientious avoidance of similar questions regarding the Fourth Amendment implications of modern telecommunications technologies,” such as in the Quon case.