The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

U.S. Supreme Court Recognizes Privacy Right in Residents’ Motor Vehicle Records

On June 17, 2013, the U.S. Supreme Court issued its opinion in Maracich v. Spears, No. 12-25, 570 U.S. ___ (2013), to limit the disclosure of personal information covered by the federal Driver’s Privacy Protection Act of 1994 (“DPPA”). See 18 U.S.C. §§ 2721-2725. The case involved class action attorneys who submitted several state Freedom of Information Act (FOIA) requests to the South Carolina DMV to obtain personal information on thousands of car buyers, including buyers’ names, addresses, phone numbers, and car purchase information. The attorneys then used this information to identify potential class action plaintiffs and to send “solicitations” to join several lawsuits against South Carolina car dealerships for alleged violations of state law. The attorneys mailed 34,000 such solicitations under the heading, “ADVERTISING MATERIAL” and asked that recipients return an enclosed reply card if they wanted to participate in the case.

South Carolina residents brought suit against the attorneys for violating the DPPA by obtaining, disclosing, and using their personal information from motor vehicle records for solicitation without their express consent. The issue before the High Court was whether the use of DMV records to solicit clients for an incipient lawsuit fell into the “litigation exception” of the DPPA. This exception allows for the disclosure of DMV-held personal information “in connection with” litigation and for “investigation in anticipation of litigation.”

The majority (written by Justice Kennedy, joined by Chief Justice Roberts and Justices Thomas, Breyer, and Alito) declined to find the litigation exception applicable. The majority’s holding turned on the distinction between an attorney’s solicitation of new clients and his or her conduct on behalf of an existing client or the court. As to the former, the Court held that an attorney’s solicitation of prospective clients was neither a use “in connection with” litigation nor “investigation in anticipation of litigation.”

The High Court noted this reading of the litigation exception of the DPPA was consistent with various provisions of the DPPA that protect an individual’s right to privacy in his or her motor vehicle records. It found the use of purchasers’ highly personal information in solicitations without their express consent was “so substantial an intrusion on privacy it must not be assumed, without language more clear and explicit, that Congress intended to exempt attorneys from DPPA liability in this regard.” Indeed, the Court held “Congress chose to protect individual privacy by requiring a state DMV to obtain the license holder’s ex¬press consent before permitting the disclosure, acquisition, and use of personal information for bulk solicitation.”

The case addressed a narrow issue of statutory construction involving the scope of the litigation exception of the DPPA. Though there was no indication that the attorneys had misused in any way the personal information of consumers lawfully obtained from the state DMV, the majority opinion admonishes private attorneys that engage in fishing expeditions to gain access to this information for the purpose of expanding their client base.

Leave a comment

U.S. Supreme Court Holds that Government’s Use of Trained Police Dogs to Investigate Front Porch is a “Search” within the Meaning of the Fourth Amendment

On March 26, 2013, the U.S. Supreme Court affirmed the decision by the Florida Supreme Court that suppressed evidence obtained following a trained police dog’s positive alert for narcotics from the defendant’s front porch. See Florida v. Jardines, 569 U.S. ____ (2013).   Writing for the majority in a 5-4 opinion, Justice Scalia focused on the government’s physical intrusion into the constitutionally protected area immediately surrounding the home and declined to consider whether the search violated the defendant’s reasonable expectation of privacy. 

Law enforcement had received an unverified tip that marijuana was being grown in the home of respondent/defendant Joelis Jardines.  Agents arrived at Jardines’ home with a drug-sniffing police dog and stood on the porch while the dog was given 6 feet of slack to sniff for narcotics.  The dog signaled an airborne odor that was emanating from base of the front door.  Based on the alert, the officers obtained a search warrant, found marijuana plants inside the home, and charged Jardines with trafficking in cannabis.  The trial court suppressed the evidence as the product of an unreasonable search under the Fourth Amendment, which ultimately was upheld by the Florida Supreme Court.

The majority (Justice Scalia, joined by Justices Thomas, Ginsburg, Sotomayor, and Kagan) affirmed, holding that law enforcement’s use of trained police dogs to investigate the home and its immediate surroundings constituted a “search” within the meaning of the Fourth Amendment.  The constitutional violation was based on what the Court characterized as “the traditional property-based understanding of the Fourth Amendment.”  Otherwise put, the act of “march[ing] a bloodhound” to “trawl for evidence” was a physical intrusion on constitutionally protected areas that defied the Fourth Amendment’s “very core” of “the right of a man to retreat into his home and there be free from unreasonable governmental intrusion.” 

A concurring opinion from Justice Kagan (with Justices Ginsburg and Sotomayor) went one step further, calling the police action both a constitutional trespass and an invasion of privacy, as defined in Kyllo v United States, 533 U.S. 27 (2001) (finding a constitutional privacy violation for the government’s use of a thermal imaging device that was “not in general public use”).  Justice Kagan classified drug-detection dogs as specialized law enforcement tools for discovering objects not in plain view and likened their use to “super-high-powered” binoculars.   

In a scathing dissent, Justice Alito (joined by Chief Justice Roberts and Justices Kennedy and Breyer) wrote the conduct of the police officer neither constituted a trespass nor violated Jardines’ reasonable expectation of privacy.  The officer did not exceed the scope the implied license under Fourth Amendment jurisprudence to approach the front door, the license being limited to the amount of time it would customarily take to approach the door, pause long enough to see if someone is home and (if not expressly invited to stay longer), leave.  On the contrary, the officer adhered to the customary path, did not approach in the middle of the night, and remained at the front door for less than a minute.  Justice Alito likened this action to the standard “knock and talk” that has been deemed permissible police activity under the Fourth Amendment, and stated that residents do not have a reasonable expectation of privacy in odors that emanate from the dwelling and reach spots where members of the public may lawfully stand.  Finding no difference between odors that can be smelled by humans and those that are detectible only by dogs, Justice Alito rejected the analogy of the use of a drug-sniffing dog to the use of a thermal imaging device or other forms of technology, as advanced in Justice Kagan’s concurrence.

This sharply divided opinion presages more complicated constitutional privacy cases to come.  Had the canine detected the smell from a public sidewalk and not the curtilage of private property, the case would have been outside the scope of the majority’s property-focused holding.  And if law enforcement’s use of a police dog does not qualify as a “specialized law enforcement tool” to violate reasonable expectations of privacy, as suggested by Justice Alito, the question remains how “specialized” or “high-tech” a police device must be to constitute an unreasonable search under the Fourth Amendment.  

Leave a comment

White House Administration Issues Highly Anticipated Cybersecurity Executive Order

As announced in his State of the Union address on February 12, 2013, President Obama issued an executive order directing federal departments and agencies to use their existing authorities to strengthen cybersecurity defenses. This follows months of congressional stalemate over cybersecurity legislation and recommendations from a number of politicians, including Senate Intelligence Chairwoman Dianne Feinstein, that the President circumvent Congress altogether to protect the country’s critical infrastructure.

Among its numerous provisions, the executive order directs the National Institute of Standards and Technology (NIST) to coordinate the development of a cybersecurity framework that includes a set of standards and procedures to address cyber risks. The order requires that voluntary consensus standards and industry best practices be incorporated to the extent possible. The White House anticipates the framework to be technology neutral and allow for critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards developed to address cyber risks.

Further, the order requires that the Department of Homeland Security (DHS) establish a voluntary critical infrastructure program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure. It tasks DHS, the Department of Treasury, and the Commerce Department to make recommendations separately to the White House Administration on incentives that could be provided to owners and operators of critical infrastructure under existing laws and authorities, and a cost-benefit analysis on incentives that would require new legislation.

To accomplish these objectives, the executive order establishes the following deadlines:

DHS has 150 days to identify critical infrastructure at the greatest cyber risk. The order makes clear that commercial IT products cannot be designated as critical infrastructure at the greatest risk, which is an exception that industry members had sought in legislation.

NIST will have 240 days to publish a preliminary version of the cybersecurity framework and one year to publish a final version. In coordinating the development of the final cybersecurity framework, the order requires that NIST conduct an open public review and comment process and consult relevant federal agencies, owners and operators of critical infrastructure, and other stakeholders.

Within 90 days of the publication of the preliminary framework, designated federal agencies shall submit a report to the Administration that determines whether or not they have clear authority under current law to implement the framework in a way that would sufficiently address cyber risk, and whether additional authority would be required. If current regulatory requirements are deemed insufficient, the agencies shall propose further action to mitigate cyber risk.

In addition to this directive, President Obama underscored the urgency of comprehensive cybersecurity legislation in his State of the Union address:

“Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy . . . [n]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”