The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Tributes and a Call to Action – Remembering Aaron Swartz

A year ago, on January 11, 2012, 26-year-old internet activist Aaron Swartz committed suicide while facing up to 35 years in prison and up to $1 million in fines. Charges against him included violations of the Computer Fraud and Abuse Act (CFAA) as a result of “unauthorized access” for downloading millions of academic articles while on MIT’s network. On this first anniversary of his death, a reinvigorated call to action is taking place. The Electronic Frontier Foundation (EFF) has launched a “Remembering Aaron” campaign and is reactivating efforts to reform the CFAA, activists are invoking his name for an upcoming day of action against NSA surveillance, “The Day We Fight Back” to be held on February 11, lawmakers are demanding answers from the Justice Department treatment of Swartz, and a host of articles and other tributes are appearing across the internet.

The EFF’s Remembering Aaron campaign includes a tribute to Swartz’s legacy and kicks off a month of action against censorship and surveillance, toward open access. The EFF is reinvigorating efforts to reform the CFAA, encouraging supporters to send a letter to their legislative representatives that criticizes the law for its “vague language” and “heavy-handed penalties,” and its disregard for demonstrating whether an act was done to further the public good. The letter calls for: “three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way — which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.”

In addition to calls to change the CFAA, activists are also calling a protest against laws and systems that enable government surveillance to run unchecked. Specifically, a mass movement against government surveillance is being organized by a heavy-hitting group of organizations including  EFF; the organization Swartz co-founded, Demand Progress; Fight for the Future; Reddit; and Mozilla. Organized for February 11, 2014, “The Day We Fight Back Against Mass Surveillance” invokes Swartz’s legacy in its call for a day of mass protest against government surveillance: “If Aaron were alive, he’d be on the front lines, fighting against a world in which governments observe, collect, and analyze our every digital action.” In a show of support for the planned protest, on the day before the year anniversary of Swartz’s death, Anonymous defaced MIT’s SSL-enabled Cogeneration Project page, displaying a page that called viewers to “Remember the day we fight back.”

In addition to reinvigorating the fight against laws that are abusive and can be easily abused, the key players in Swartz’s prosecution are also coming under scrutiny: the DOJ and MIT. On Friday January 10, a bipartisan group of eight lawmakers, Sens. John Cornyn, R-Texas; Ron Wyden, D-Ore.; Jeff Flake, R-Ariz.; and Reps. Darrell Issa, R-Calif.; James Sensenbrenner, R-Wis.; Alan Grayson, D-Fla.; Zoe Lofgren, D-Calif.; and Jared Polis, D-Colo, sent Attorney General Eric Holder a letter calling out inconsistencies between the DOJ’s and MIT’s reports and the DOJ’s lack of forthrightness and transparency. Additionally, the letter issues this demand: “In March, you testified that Mr. Swartz’s case was ‘a good use of prosecutorial discretion.’  We respectfully disagree. We hope your response to this letter is fulsome, which would help re-build confidence about the willingness of the Department to examine itself where prosecutorial conduct is concerned.” In Boston Magazine’s Losing Aaron, Bob Swartz, Aaron’s father, voices his deep disappointment in MIT and articulates specific ways in which he believes the institution was complicit in the DOJ’s draconian prosecution contributing to Aaron’s suicide.

Additional tributes to Swartz this month include a documentary by Brian Knappenberger, The Internet’s Own Boy: The Story of Aaron Swartz, which will play at the Sundance Film Festival beginning this week. In Wired Magazine’s article, One Year Later, Web Legends Honor Aaron Swartz, author Angela Watercutter notes “Swartz’s fight for rights online has only been brought more intensely into focus in the year since his death, largely due to NSA whistleblower Edward Snowden. To see him talk about government spying in [Knappenberger’s] documentary at a time before the Snowden leaks is especially chilling now.”  Further, in Knappenberger’s forthcoming documentary  web visionaries, including founders of the World Wide Web and Creative Commons, speak of Swartz’s work and legacy:

“I think Aaron was trying to make the world work – he was trying to fix it…  he was a bit ahead of his time.” – Tim Berners-Lee.

“He was just doing what he thought was right to produce a world that was better.” – Lawrence Lessig



Before Liftoff, Drones Must Maneuver Through Privacy Laws

Unmanned aerial vehicles, better known as drones, are expected to revolutionize the way companies deliver packages to their customers.  Some also imagine these small aircrafts delivering pizzas to a customer’s home or nachos to a fan at a ballgame.  Researchers are even investigating the possibility of using drones to assist farmers with monitoring their crops.  Before drone technology takes flight, however, it will have to maneuver through privacy laws.

The Federal Aviation Administration (FAA) is the agency charged with developing rules, including privacy rules, for private individuals and companies to operate drones in national airspace.  While the precise breadth of FAA rules is not entirely clear, a framework is beginning to develop.  When the FAA recently announced test sites for drones, it also noted that test site operators must: (1) comply with existing federal and state privacy laws, (2) have publicly available privacy policies and a written plan for data use and retention, and (3) conduct a review of privacy practices that allows for public comment.  When soliciting the public for comment on these test site-privacy rules, the FAA received a wide spectrum of feedback.  This feedback ranged from suggestions that the agency must articulate precise elements of what constitutes a privacy violation, to the federal agency was not equipped (and therefore should not attempt) to regulate privacy at all.  It appears that the FAA settled on a middle ground of requiring drones to comply with existing privacy law, which is largely regulated by individual states.

Accordingly, state privacy laws are likely to be the critical privacy hurdle to commercial drone use.  It appears that only four states have thus far expressly addressed the use of private drones (as distinguished from drones used by public agencies, such as law enforcement).  Idaho and Texas generally prohibit civilians from using a drone to take photographs of private property.  They also restrict photography of any individual – even in public view – by such a drone.  And Oregon prevents drones from flying less than 400 feet above a property of a person who makes such a request.  The fourth state, Illinois, restricts use of drones that interfere with hunting and fishing activities.

As for the other states, they may be simply getting up to speed on the technology.  On the other hand, many of these states have considered or enacted laws restricting use of drones by the police.  Because these laws are silent on the use of private drones, one could argue that these states intentionally chose not to regulate private drones (and accordingly, existing laws regarding use of aircrafts or other public cameras, govern use of private drones).

Even though a state has passed a drone-related privacy law, it may very well be challenged on constitutional or other grounds.  For instance – to the extent they prohibit photography of public areas or objects and people in plain view – the Idaho and Texas laws may raise First Amendment questions.  As described in Hurley v. Irish-American, photographers generally receive First Amendment protection when taking public photos if he or she “possessed a message to be communicated” and “an audience to receive that message, regardless of the medium in which the message is to be expressed.”  Under this test, in Porat v. Lincoln Towers Community Association, a photo hobbyist taking pictures for aesthetic and recreational purposes was denied First Amendment protection.  In contrast, in Pomykacz v. Borough of West Wildwood, a “citizen activist” – whose pictures were taken out of concern about an affair between a town’s mayor and a police officer – was found to have First Amendment protection.  To be sure, however, the Supreme Court has acknowledged that “even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech, provided the restriction are justified without reference to the content of the regulated speech, that they are narrowly tailored to serve a significant governmental interest, and that they leave open ample alternative channels for communication of the information.”  For example, under this premise, some courts have upheld restrictions on public access to crime and accident scenes.  All told, we may see drone users assert First Amendment protection for photographs taken of public areas.

Another future legal challenge may involve the question of who owns the airspace above private property.  In United States v. Causby, the Supreme Court appeared to reject the idea of private ownership of airspace.  More specifically, it held that government aircrafts flying over private land do not amount to a government “taking”, or seizure of private property, unless the aircrafts are so low and frequent that they constitute an immediate interference with enjoyment of the land.  In other words, under Causby, the landowner owns the airspace necessary to use and enjoy the land.  But the Court declined to draw a specific line.  At the moment, it is unclear whether Oregon’s law – restricting drones within 400 feet of a home – is consistent with principle.

Lastly, we may see a legal challenge asserting that certain state privacy laws (such as the Idaho or Texas law or others that disallow drone use altogether) are preempted, or trumped.  Congress’s intent to impliedly preempt state law may be inferred (1) from a pervasive scheme of federal regulation that Congress left no room for the states to supplement, or (2) where Congress’s actions touch a field in which the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on that subject.  Applied here, one could argue that Congress has entrusted the FAA with sole authority for creating a scheme for regulating the the narrow field of national airspace, and drones in particular.  Additionally, the argument goes, the federal government has a dominant interest in regulating national airspace as demonstrated by the creation of the FAA and numerous other aircraft regulations.  Under the preemption line of reasoning, state privacy laws may be better focused on regulating data gathered by the drone rather than the space where the drone may fly or actions the drone may take while in the space (e.g. taking pictures).

All told, before official drone liftoff, companies employing drones will have to wait for final FAA rules on privacy.  Whether these final rules track the test site rules discussed above is not for certain.  Likely, the final rules will depend on the public comments received by the drone test sites.  Assuming the final rules track the test site rules, companies using commercial drones should focus on compliance with the various state privacy laws.  But, as noted above, we may see a constitutional challenge to these laws along the way.  Stay tuned.

Leave a comment

5th Circuit: SCA Orders Compelling Disclosure of Historical Cell Site Information Constitutional

The 5th Circuit held yesterday that Stored Communications Act (SCA) orders to obtain historical cell site information are not categorically unconstitutional. The case is In Re: Application of the U.S. for Historical Cell Site Data, number 11-20884.

Facts of the Case

The U.S. filed three applications in 2010 under 18 U.S.C. §2703(d) to compel cell phone providers to produce sixty days of historical cell site data and subscriber information.

Under 18 U.S.C. §2703(d), “[a] court order for disclosure… may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

A magistrate judge granted the requests for subscriber information, but denied the request for historical cell site data, and found that compelling the disclosure of this information would violate the Fourth Amendment.

The U.S. filed an ex parte application objecting to the ruling with the Southern District of Texas. The district judge ruled against the U.S., noting that “[t]he standard under the Stored Communications Act is below that required by the Constitution.” The U.S appealed.

Specific and Articulable facts Standard, or Probable Cause ?

According to the District Court, the SCA violates the Fourth Amendment as it allows the government to obtain a record merely on showing “specific and articulable facts,” not probable cause, and thus the Government can only acquire historical cell site data under a warrant issued on probable cause.

But the 5th Circuit interpreted §2703(d) that “shall” direct courts to issue such orders if the Government meets the “specific and articulable facts” standard.

Privacy of Location Information

The ACLU had filed an amicus curiae brief, arguing that individuals have a reasonable expectation of privacy in their location information, if they are tracked in a place traditionally protected against intrusions, such as a home, or if they are tracked for a longer period of time and in greater detail than society would expect. Indeed, in U.S. v. Jones, the Supreme Court concluded in 2012 that extended monitoring of a vehicle using a GPS system is a search under the Fourth Amendment.

But the 5th Circuit reasoned that, as the Fourth Amendment only protects the privacy of individuals against government intrusion, and does not give individuals the right to be left alone by other people, the Government indeed has the right to require information collected by third parties. Here, it was the the cell phone providers which had collected and stored information in the first place, not the Government. The Court concluded that if “a third party collects information in the first instance for its own purposes, the Government … can obtain this information later with a § 2703(d) order, just as it can subpoena other records of a private entity.”

The Fifth Circuit also noted that historical cell data are not private papers, but rather have been created to memorialize business transactions with the cell phones users, not to record its observation of transactions between individuals. Therefore,“cell site information is clearly a business record.”

The Fifth Circuit was not convinced by the ACLU’s argument that cell phone users do not relinquish their information voluntary to a third party, which indeed would then prevent them to claim a right to privacy in the information thus shared.

Instead, the Fifth Circuit agreed with the Government which argued that cell phone users know that they share information with cell phone providers when making calls, and that they voluntarily continue to make calls, and that using a phone “is entirely voluntary.”

Judge Dennis wrote a dissent, noting the “Supreme Court‘s conscientious avoidance of similar questions regarding the Fourth Amendment implications of modern telecommunications technologies,” such as in the Quon case.


Leave a comment

Google Faces International Lawsuit Over Privacy Breach Caused by Buzz Tool

In early January 2011, Canadian consumers brought a class action against Google regarding a privacy breach caused by Google’s Buzz social networking and messaging tool. The lawsuit, filed in the Manitoba Court of Queen’s Bench alleged that Google breached consumers’ privacy because the Buzz tool’s default settings allowed users to view private profile information about other users without consent. Under Canadian privacy law, consumers may collect up to $5,000 per consumer in damages for each privacy breach.

A number of privacy advocates and consumers have expressed concerns over Google’s Buzz tool since its launch in early 2010. In February 2010, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission (“FTC”), urging an FTC investigation and alleging that Google’s Buzz “violated user expectations, diminished user privacy, contradicted Google’s privacy policy, and may have violated federal wiretap laws.” Further, in November 2010, Google settled a U.S. class action relating to privacy protections for $8.5 million. Finally, a number of countries’ privacy commissioners and data protection authorities, including Canada, France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain, and the United Kingdom, sent a letter to Google in April 2010, expressing concern over the Buzz tool and directing Google and other international corporations to respect individuals’ privacy rights.

Leave a comment

Court of Appeals Determines E-Mail Deserves Fourth Amendment Privacy Protection

On December 14, 2010, the Court of Appeals for the Sixth Circuit determined that the Department of Justice should have obtained a search warrant before seizing and searching e-mails from a service provider, holding that e-mails are analogous to letters or telephone calls and deserve Fourth Amendment protection.

In U.S. v. Warshak, the Department of Justice issued a subpoena ordering the defendant’s e-mail provider (NuVox) to prospectively preserve copies of Warshak’s future e-mails. Subsequently, the government obtained Warshak’s stored e-mails from NuVox, basing its actions on the Stored Communications Act, which the government argued allows it to obtain e-mails already in storage with an e-mail provider without a search warrant in many situations (e.g., the law affords different levels of privacy protection to e-mails depending on where they are stored and how long they have been in storage). Despite the provisions in the Stored Communications Act, the Sixth Circuit determined that e-mails, like letters or telephone calls, deserve Fourth Amendment protection. Accordingly, the Department of Justice should have obtained a search warrant based on probable cause before seizing Warshak’s e-mails from his service provider.

The Sixth Circuit’s decision in U.S. v. Warshak is available here.

Leave a comment

Recent Third Circuit Court of Appeals Opinion: In the Matter of the Application of the United States of America for an Order Directing a Provider of Electronic Communication Services to Disclose Records to the Government




/* Style Definitions */
{mso-style-name:”Table Normal”;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-fareast-font-family:”Times New Roman”;
mso-bidi-font-family:”Times New Roman”;

On September 7, 2010, the Third Circuit Court of Appeals issued an opinion in a narcotics case containing two key holdings regarding the standard by which the government can access records of historical cell site location information (“CSLI”).  The first holding was unsurprising. The Third Circuit held that under the Electronic Communications Privacy Act, 18 U.S.C. § 2703, the government may obtain historical cell site records with an 18 U.S.C. § 2703(d) order based on “specific and articulable facts showing that there are reasonable grounds to believe that the . . . records or other information sought, [are] relevant and material to an ongoing criminal investigation.”  The second holding is more novel, and even somewhat ground-breaking.  The Court determined that it is within the discretion of the magistrate judge to consider the privacy concerns at stake and turn down an application for such an order for cell site data even if the government has met the intermediate “specific and articulable facts” standard and require the government to satisfy the higher “probable cause” standard.

CSLI is data derived from signals sent between cell towers and cellular telephones that can be used to identify the location of a particular telephone.  Each cell tower in a provider’s network is equipped with radio intercepts that receive signals from cellular phones.  Even when cellular phones are not in use they are continually registering their location with the closest cell towers so that the provider’s system can expedite service by sending incoming calls directly to that tower.  This registration information can be stored by cellular phone providers for up to 18 months before it is deleted or anonymized.  While many would consider disclosure of their historical CSLI invasive, the Third Circuit determined that historical CSLI is in fact not protected by the Fourth Amendment and is subject to disclosure without a showing of probable cause.  

In the underlying case, the initial question before the Third Circuit was whether CSLI should be treated as location information derived from a tracking device to which a warrant standard should apply, or as “other subscriber records” or transaction information which may be disclosed in response to a court order issued in accordance with 18 U.S.C. § 2703(d).  The Magistrate Judge’s (“MJ”) opinion, which had been affirmed by the district court, denied the government’s application to obtain historical CSLI because the MJ found that the government must establish probable cause before the data could be disclosed.  MJ Op., 534 F. Supp.2d at 609 (“In the case of movement/location information derived from an electronic device, the traditionally-applied legal standard has been a showing of probable cause; and nothing in the text, structure, purpose or legislative history of the [Stored Communications Act] dictates a departure from that background standard as to either historic or prospective CSLI.”).  The judge held that because of its continual registration with cellular towers, a cell phone generally acts like a tracking device, as it discloses the movement and location of the subscriber.  Therefore, the MJ reasoned, disclosure of CSLI encroaches upon the cellular phone users’ reasonable expectations of privacy relating to physical movements and locations.

The Third Circuit determined that a reasonable expectation of privacy could only be impinged upon if the CSLI would reveal information about activity or location within the confines of a person’s home and that cell phones did not “extend[] to that realm.”  To reach this conclusion, the Third Circuit relied primarily on United States v. Knotts, 460 U.S. 276 (1983) and United States v. Karo, 468 U.S. 705 (1984).  In both cases, law enforcement placed tracking devices on objects that later were moved.  In Knotts, the government used the tracking device to follow the movement of a truck on public highways, and the Supreme Court concluded that no Fourth Amendment interest was violated because individuals have no reasonable expectation of privacy while in plain view of public highways.  In Karo, however, the object with the tracking device was taken into a home and conveyed information to the government that it could not have otherwise obtained without a warrant.  Thus, the Court found that the government’s use of the device constituted an unlawful search and seizure.  Based on this prior precedent, the Third Circuit concluded, “the privacy interests at issue are confined to the interior of the home.”  In so holding, the Third Circuit has established that CSLI can be protected by the Fourth Amendment only to the extent it reveals something about the home. 

The Third Circuit then turned to the second issue of whether the MJ must issue a § 2703(d) order if presented with “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought, are relevant and material to an ongoing criminal investigation.”  The Third Circuit found that it is not a requirement but rather discretionary.  In other words, magistrate judges have the option of issuing the order or concluding that probable cause is required.  The Court compared the the statutory language in § 2703(d) concerning the issuance of an order to that in 18 U.S.C. § 3123(a)(1) regarding the issuance of a pen register trap and trace order.  The pen register statute requires a court to issue an order (“a court shall”) if the government meets the relevance showing, whereas § 2703(d) provides a court “may” issue an order “only if” the government makes the required showing of specific and articulable facts.  The Third Circuit interpreted these differences as evidence that the standard for a § 2703(d) order is the minimum showing required of the government to obtain CSLI.  A magistrate judge can require the government to offer further facts to support a higher level showing before issuing an order if a significant privacy interest is at stake.  The Third Circuit cautioned, however, that an MJ does not have “arbitrary” discretion to require the higher evidentiary showing, but must balance the “government’s need (not merely desire) for the information with the privacy interests of cell phone users.”  Slip. Op. at 29.  Further, the Third Circuit stated that an MJ should only “sparingly” require probable cause when considering applications for historical CSLI. 

Finally, at the close of its opinion, the Third Circuit emphasized the need for ECPA reform and expressed its frustration with the inherent contradictions and ambiguities in the Stored Communications Act, stating, “we are stymied by the failure of Congress to make its intention clear.” 

The Third Circuit’s opinion appears to leave key privacy issues unsettled.  The court seems to envision that after receiving an application for historical CSLI, magistrate judges will conduct a preliminary analysis of the constitutionality of CSLI disclosure, balance the privacy interests of cell phone users and the needs of the government and on a case-by-case basis determine which standard to apply.  This could lead to inconsistent results depending on the judge and the forum.

Leave a comment

Supreme Court Addresses Privacy of Personal Text Messages on Pager Supplied by Employer

The Supreme Court recently addressed the challenges created by workplace privacy for public employees in the electronic era.  The Court’s decision in City of Ontario v. Quon sidestepped the critical question of whether a government employee has a reasonable expectation of privacy in text messages transmitted on an employer-issued pager, leaving the proper test for a Fourth Amendment violation in this context unsettled.  But every member of the Court easily agreed that even assuming that a public employee has a reasonable expectation of privacy in such text messages, the City’s search in this instance did not violate the Fourth Amendment.

Continue reading

Leave a comment

House Subcommittees Hold Hearing to Address Potential Privacy Legislation

On November 19, 2009, the House Subcommittee on Commerce, Trade, and Consumer Protection and the House Subcommittee on Communications, Technology, and the Internet conducted a hearing entitled "Exploring the Offline and Online Collection and Use of Consumer Information."  The hearing focused primarily on the collection, dissemination, and use of personal information from both online and offline sources, as well exploring privacy issues that should be addressed by future legislation.  Highlights of the hearing included:
  • Subcommittee members and witnesses discussed many facets of personal information use for marketing purposes, such as how consumer data is collected, the types of data that businesses collect, consumers’ ability to access his or her personal information held by marketers, and consumer education concerning privacy matters.
  • Participants discussed elements that could be addressed in future legislation included increasing transparency and choice, consumer education, and providing consumers with a clear statement of their rights–such as the ability to "opt in" and/or "opt out" of having personal data collected.  Witnesses, such as Chris Hoofnagle with the University of California, Berkley – School of Law, encouraged consumer education measures, noting that most consumers are unaware of their obligation to object to data collection practices with which they do not agree, and that many consumers assume that personal information collected by companies is secure–which may not always be the case. 
  • Many of the witnesses advocated privacy protection through a self-regulatory scheme, but Subcommittee members countered that self-regulation is ineffective at stopping "bad actors" and comprehensive legislation is necessary to protect consumers from unscrupulous businesses.
  • Finally, almost all of the witnesses stressed that legislation should be tailored to meet the needs of different types of businesses and industries, as well as creating different standards to regulate the offline versus online collection and use of personal information. 
In a separate interview, Chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, Bobby Rush (D-IL), indicated that a draft privacy bill would not be circulated before the end of the year. 

Leave a comment

Actress Sues Individuals Over Craigslist Job Posting Allegedly In Her Name

Unlike many plaintiffs in other Web site posting cases, this one is suing the users who actually posted the content as opposed to the service provider (Craigslist). The causes of action are fraudulent impersonation, appropriation invasion of privacy, false light invasion of privacy, conspiracy to invade privacy, and conspiracy to commit criminal conduct. No separate claim for violation of the right of publicity is stated, although it might be included in appropriation invasion of privacy.

Leave a comment

Facebook’s new privacy features

The Washington Post reports that Facebook is announcing new privacy features that would allow users to distinguish between friends, family and coworkers, for instance, and set different access levels for different groups. Now that the Facebook generation is entering the workforce, this should help them recognize that those drunken photos they had no problem sharing with college buddies probably shouldn’t be available to coworkers and managers. On the other hand, Facebook is also providing a feature that lets friends of friends view profiles. And since only 25% of their users even make use of their existing privacy controls, I don’t think we’ll see reports of firings based on those drunken photos diminish any time soon.

One thing the article doesn’t discuss . . . and what seems to supply a never-ending source of gossip blog fodder, is the ability to access even privacy-controlled elements if you’ve got the URL link directly to that item. Just requires one friend to sell you out.

Also, with Beacon and behavioral targeting beefing up on the site, will the contents of chats be a source of targeting information?