The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



California Veto of Electronic Communication Bill Makes Case for Federal Action

This past weekend, California Gov. Jerry Brown vetoed legislation (SB 467) which would have required California law enforcement officials to get a warrant to access online communications. The current Federal statute governing the search and seizure of these records is the Electronic Communications Privacy Act, known as ECPA for short. ECPA was enacted in 1986, and many commentators believe that portions of it have outlived their usefulness and that the law must be changed; that was the goal of SB 467.

ECPA consists of three main parts: Title III which outlaws unauthorized wiretaps while establishing procedures for law enforcement; the Stored Communications Act which deals with government access to stored electronic communications; and procedures governing the installation and use of pen registers. It is the Stored Communications Act portion that has become the focus of reform attempts. Written at a time when only a fraction of the population was using computer networks to communicate, it permits law enforcement to obtain the contents of electronic communications without a warrant so long as they are at least 180 days old and stored on a third party computer. With the advent of remote servers, cloud computing, and other realities of the internet age, advocates have been hoping for a broad rewrite of this seemingly arcane standard.

Efforts to reform the Stored Communications Act had a fair bit of momentum in the Senate prior to the 2012 election but stalled before Congress adjourned. In March of this year, Judiciary Chairman Sen. Patrick Leahy (D-Vt) and Sen. Mike Lee (R-Ut) again introduced ECPA reform legislation to create a search warrant requirement for electronic communications stored on third party computers. The bill also requires a notice to the individual whose communications have been seized within ten days of the warrant’s execution. Similar legislation has been introduced in the House. Both chambers seemed poised to act, but like so many other issues in the current Congress, efforts have become stalled over budget and fiscal issues.

The proposed California law paralleled the proposed Senate legislation in many ways, but departed significantly in its notice requirement. SB 467 would have mandated that individuals receive notice of the warrant within three days, a time frame that is more compressed than the 10 days outlined in Chairman Leahy’s bill. This requirement brought out opposition within California’s law enforcement community, with police and prosecutors expressing their doubts.

In his veto statement, Gov. Brown gave voice to those concerns, saying, “The bill, however, imposes new requirements that go beyond those required by federal law and could impede ongoing criminal investigations.”

With this veto the focus will again (once Congress solves/punts its fiscal fights) come back to the efforts of Sens. Lee and Leahy to move ECPA reform out of the Senate. With strong bipartisan backing, the question is more of when, not if, this happens.



Amendments to CalOPPA Allow Minors to “Erase” Information from the Internet and Also Restrict Advertising Practices to Minors

On September 23, 2013, California Governor Jerry Brown signed SB568 into law, which adds new provisions to the California Online Privacy Protection Act. Officially called “Privacy Rights for California Minors in the Digital World,” the bill has already garnered the nickname of the “Internet Eraser Law,” because it affords California minors the ability to remove content or information previously posted on a Web site. The bill also imposes restrictions on advertising to California minors.

California Minors’ Right to Remove Online Content

Effective January 1, 2015, the bill requires online operators to provide a means by which California minors may remove online information posted by that minor. Online operators can elect to allow a minor to directly remove such information or can alternatively remove such information at a minor’s request. The bill further requires that online operators notify California minors of the right to remove previously-posted information.

Online operators do not need to allow removal of information in certain circumstances, including where (1) the content or information was posted by a third party; (2) state or federal law requires the operator or third party to retain such content or information; or (3) the operator anonymizes the content or information. The bill further clarifies that online operators need only remove the information from public view; the bill does not require wholesale deletion of the information from the online operator’s servers.

New Restrictions on Advertising to California Minors

Also effective January 1, 2015, the bill places new restrictions on advertising to California minors. The bill prohibits online services directed to minors from advertising certain products, including alcohol, firearms, tobacco, and tanning services. It further prohibits online operators from allowing third parties (e.g. advertising networks or plug-ins) to advertise certain products to minors. And where an advertising service is notified that a particular site is directed to minors, the bill restricts the types of products that can be advertised by that advertising service to minors.

Implications

Given the sheer number of California minors, these amendments to CalOPPA will likely have vast implications for online service providers. First, the bill extends not just to Web sites, but also to mobile apps, which is consistent with a general trend of governmental scrutiny of mobile apps. Online service providers should expect regulation of mobile apps to increase, as both California and the Federal Trade Commission have issued publications indicating concerns over mobile app privacy. Second, the bill also reflects an increased focus on privacy of children and minors. Developers should consider these privacy issues when designing Web sites and mobile apps, and design such products with the flexibility needed to adapt to changing legislation. Thus, any business involved in the online space should carefully review these amendments and ensure compliance before the January 1, 2015 deadline.




Online Privacy Is Getting Interestinger and Interestinger!

In case you haven’t heard, online privacy is getting very complicated and Internet users are worried.  It’s no wonder given all the activity in the industry, with daily stories on stolen identities and data breaches, companies you’ve never even heard of collecting information about you and even mobile game applications knowing about your physical whereabouts. (Let’s not even get into the recent NSA PRISM disclosures!)  So different than in the 1990s when online privacy was pretty much an “Opt-in” or “Opt Out” proposition or people didn’t even know to worry about it.   Today, things are much more complex.  Pew Research Center’s recently published survey, Anonymity, Privacy, and Security Online, confirms that not only do most users want control over their online personal information but fear that this is no longer possible. 

It isn’t just government surveillance that people are worried about; in fact, users are more intent on masking their personal information–things like email and download content, contacts and their online presence–from hackers and advertisers to even friends and family members.  How hard are they trying to hide?  Well, the study reports that 64 percent of users clear their browser history or disable cookies while 14 percent have resorted to setting up anonymous browsing capabilities.  And, 13 percent actively misidentify themselves in their efforts to “hide.”  It’s not that individuals want to be completely hidden online, they just want to decide when they are unseen based on what kind of data is at issue, who might be watching, and what they think might happen if they don’t hide.  Not surprisingly, the younger and more sophisticated users are more likely to “bounce” back and forth between disclosing who they are and remaining anonymous depending on what they are doing online.

 

Personal photos top the list of key pieces of personal information users know are available online.  Next come birthdates, phone numbers (both cell and home), home addresses and group affiliations.  Over one third of online users avoid websites that ask for their name, and 41 percent have deleted or modified a prior posting.

Perhaps users are more aware of what information about them is floating around out there in cyberspace because cybersecurity is having a hard time keeping up with the sophisticated methods of hackers. 21% of online adults report having had an email or social media account hijacked and 11% having had vital information like Social Security numbers, bank account data, or credit cards stolen. With all this complexity and increasing numbers of identity theft, it is not surprising then that 68% of those surveyed do not believe current laws are sufficient to protect individual online privacy. So what’s to be done? Industry groups are racing to pull together self-regulatory measures and codes of conduct in an effort to avert what they fear could be cumbersome and over-reaching legislation and regulations in both the security and privacy spheres; whether or not they succeed in time remains to be seen. And, of course, the government is keeping a careful watch over the whole issue (pun intended)!

 



Amicus Briefs filed asking Court to determine if warrantless searches of cell phone data are permissible under the Fourth Amendment

Two recent petitions for certiorari were filed regarding whether the Fourth Amendment permits police officers to search all or some digital contents of an arrestee’s cell phone incident to arrest. Federal courts of appeal and state courts of last resort are divided on this issue. On July 30, 2013, a petition for certiorari was filed asking the Supreme Court to review a California Court of Appeal, Fourth District case, Riley v. California. On August 19, 2013 the U.S. Solicitor General submitted an amicus brief asking the Supreme Court to reverse the First Circuit Court of Appeal’s decision in U.S. v. Wurie. These cases are noteworthy since they touch on arrestees’ rights to their cell phone data and since the Fourth Amendment is a bedrock for privacy law in the United States.

In U.S. v. Wurie, the police confiscated the arrestee’s Verizon LG flip-phone and retrieved the phone number of an incoming call labeled “my house.” The police used that phone number to determine the arrestee’s residence and gather further evidence. In Riley v. California, the police searched the arrestee’s smartphone, made an extensive search of its digital contents, and were able to gather evidence linking the arrestee to more serious crimes. In both instances, the police made the searches without a warrant pursuant to the search-incident-to-arrest exception to the Fourth Amendment that allows police officers to perform a class of searches that have been deemed potentially necessary to preserve destructible evidence or protect police officers.

The question of whether the search of cell phone data could ever be justified under the search-incident-to-arrest exception has come up in federal and state courts in the past, some finding that warrantless cell phone data searches are categorically lawful, others upholding a limited search.  In Riley v. U.S., the California Court of Appeal held that because the cell phone was immediately associated with the arrestee’s person at the time of his arrest, the warrantless search was valid.  The First Circuit joined at least two other state courts of last resort in creating a bright-line rule rejecting all warrantless cell phone data searches and declined to create a rule based on particular instances.  In its amicus brief, the Solicitor General argued that even if cell phone data searches do not fall under the search-incident-to-arrest exception, the First Circuit erred in imposing a blanket prohibition.

Cell phone data searches struck the First Circuit as “a convenient way for the police to obtain information related to a defendant’s crime of arrest—or other, as yet undiscovered crimes—without having to secure a warrant.”  In rendering its opinion, the court found that data contained on cell phones, such as photographs, videos, written and audio messages, contacts, calendar appointments, web search and browsing history, purchases, and financial and medical records is highly personal in nature, would previously have been stored in one’s home, and reflects private thoughts and activities.  Additionally, the court noted that certain applications, if installed on modern cell phones, provide direct access to the home by remotely connecting to a home computer’s webcam.  Given the highly personal nature of the data and the scope of the search, potentially a home search, the court found that cell phone data is categorically different from otherwise allowable categories of searches incident to arrest. 

The First Circuit rejected the government’s argument that the cell phone data search was necessary to prevent evidence from being destroyed by remote wiping before a warrant issued.  The First Circuit noted that the police have evidence preservation methods, such as removing the phone’s battery, turning off the phone, placing the phone in a device that blocks external electromagnetic radiation, or by making a mirror copy of the phone’s entire contents.  Unlike other circuits, the First Circuit viewed the “slight and truly theoretical risk of evidence destruction,” a risk that was “‘remote’ indeed,” as insufficient when weighed against the “significant privacy implications inherent in cell phone data searches.”  In its amicus brief, the Solicitor General argued that cell phone searches are more critical to preserving extractable evidence than previously allowed searches since co-conspirators could remove data remotely. 

The First Circuit also rejected the government’s argument that searches of items carried on one’s person are justified since the arrestee had a reduced expectation of privacy caused by the arrest.  This was the basis for the California Court of Appeal’s decision in Riley.  The Solicitor General tried to revive this argument in its amicus brief.  The First Circuit rejected this argument since at the time of the precedent cited, the court “could not have envisioned a world in which the vast majority of arrestees would be carrying on their person an item containing not physical evidence but a vast storage of intangible data—data that is not immediately destructible and poses no threat to the arresting officers.”   Allowing police to search such data at the time of arrest would create, in the court’s view, “a serious and recurring threat to the privacy of countless individuals.” 

In making its categorical ban on warrantless cell phone data searches under the search-incident-to-arrest exception, the First Circuit noted that the exigent circumstances exception to the Fourth Amendment warrant requirement might apply where the police have probable cause to believe that the phone contains evidence of a crime, as well as a compelling need to act quickly, that makes it impractical for them to obtain a warrant. 

 

 



New York Senator Asks FTC to Allow Consumers to Opt Out of Store Tracking Programs

Senator Charles Schumer (D-NY) held a press conference last Sunday in Manhattan and called on the Federal Trade Commission (FTC) to allow consumers to opt out of being tracked while visiting retail stores.

Senator Schumer suggested that the FTC should require retailers to inform consumers about their opt-out option by sending an electronic notice to their smartphones before starting to track them.

Senator Schumer also sent a letter to Edith Ramirez, the FTC chairwoman, asking the FTC to investigate this practice which he called unfair and deceptive.

Indeed, The New York Times reported this month that some brick-and-mortar stores track shoppers during store visits. The article explained how Nordstrom had tested a new technology which allowed the retailer to use Wi-Fi signals to track customers’ shopping habits.

Nordstrom stopped the experiment following customers’ complaints, but the department store is not the only retailer interested in these new tracking technologies. American Apparel and Benetton are among retailers tracking their customers inside their stores.

CBS reported that Nordstrom used a company named Euclid for its tracking experiment. The Euclid web site explains how retailers may track consumers. Its system senses consumers’ smartphones when they come into a store and records the “ping” sent to the store’s Wi-Fi systems. The system scrambles the MAC address of each phone by using one-way hashing algorithms, and then data is processed, analyzed, and stored in the cloud, although it is unclear how long. Euclid calls this data “anonymous foot-traffic” and states on its privacy page that “[n]o personally identifiable data is ever collected or used.”

But privacy advocates know that rendering data anonymous may not be a fool-proof way to safeguard the privacy of data subjects. Therefore, it is welcome that Euclid is one of the companies which will participate in a Future of Privacy Forum group to develop best practices for companies in the business of retail location analytics.
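Why a one-way hash of a MAC address may fall short of anonymity can be shown in a few lines. The following is an added example, not Euclid's code or anything from the original post: it assumes SHA-256 as the "one-way hashing algorithm" (the post does not name one), uses constructed MAC addresses, and all function names are hypothetical. It contrasts an unkeyed hash with a keyed hash whose secret changes daily.

```python
import hashlib
import hmac
import secrets

def normalize(mac: str) -> bytes:
    """Canonical 6-byte form, so 'AA-BB-..' and 'aa:bb:..' hash identically."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def plain_token(mac: str) -> str:
    """Weak form: unkeyed hash. Anyone can recompute it from a known MAC."""
    return hashlib.sha256(normalize(mac)).hexdigest()

def keyed_token(mac: str, day_key: bytes) -> str:
    """Stronger form: HMAC under a secret per-day key, truncated to 64 bits.
    Whoever holds the key can still recompute tokens, so the key must be
    kept secret and destroyed when the day's counts are final."""
    return hmac.new(day_key, normalize(mac), hashlib.sha256).hexdigest()[:16]

# Constructed sample data (locally administered addresses, not real devices).
VISITORS = ["02:00:5e:10:00:01", "02:00:5e:10:00:02", "02:00:5e:10:00:03"]
KNOWN_MAC = "02-00-5E-10-00-02"   # a MAC that some outside party already knows

def demo() -> dict:
    # Day 1 sees all three phones, day 2 sees the first two again.
    plain_day1 = {plain_token(m) for m in VISITORS}
    plain_day2 = {plain_token(m) for m in VISITORS[:2]}

    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)
    keyed_day1 = {keyed_token(m, key1) for m in VISITORS}
    keyed_day2 = {keyed_token(m, key2) for m in VISITORS[:2]}

    # An outsider without the day key can only try a key of their own.
    outsider_key = secrets.token_bytes(32)
    return {
        # Unkeyed: the known MAC is confirmed present in the "anonymous" data.
        "plain_confirmable": plain_token(KNOWN_MAC) in plain_day1,
        # Unkeyed: the same phone carries the same token every day.
        "plain_linked_across_days": len(plain_day1 & plain_day2),
        # Keyed: presence cannot be confirmed without the secret.
        "keyed_confirmable": keyed_token(KNOWN_MAC, outsider_key) in keyed_day1,
        # Keyed with rotation: tokens from different days do not match.
        "keyed_linked_across_days": len(keyed_day1 & keyed_day2),
        # Foot-traffic counts within a day are still available.
        "keyed_distinct_visitors": len(keyed_day1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed token is a stable pseudonym for the device; the keyed, rotating token still supports daily visitor counts while removing the cross-day link.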

Jules Polonetsky, Director of the Future of Privacy Forum, is quoted saying that “[c]ompanies need to ensure they have data protection standards in place to de-identify data, to provide consumers with effective choices to not be tracked and to explain to consumers the purposes for which data is being used.”

It remains to be seen if the issue will be tackled by a set of best practices, regulation, or both.



The FTC Publishes a Staff Report on Mobile Apps for Children and Privacy

The Federal Trade Commission (FTC) just released a Staff Report (the Report) titled ‘Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.’

 

Mobile Applications (Apps) are getting increasingly popular among children and teenagers, even very young ones. Indeed, the Report found that 11% of the apps sold by Apple have toddlers as their intended audience (Report p. 6). Apps geared to children are often either free or inexpensive, which makes them easy to purchase, even on a pocket-money budget (Report p. 7-8).

As such, according to the Report, these apps seem to be intended for children’s use, and some may even be “directed to children” within the meaning of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s implementing Rule (the Rule). The Rule defines what is a “[w]ebsite or online service directed to children” at 16 C.F.R. § 312.2. Under COPPA and the Rule, operators of online services directed to children under 13 years of age must provide notice and obtain parental consent before collecting children’s personal information. This includes apps. Yet, the FTC staff was unable, in most instances, to find out whether an app collected any data, or, if it did, the type of data collected, the purpose for collecting it, and who collected or obtained access to such data (Report p. 10).

 

‘The mobile app market place is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development’ (Report p.3)

 

Downloading an app on a smart phone may have an impact on children’s privacy, as apps are able to gather personal information such as the geolocation of the user, her phone number or a list of contacts, all without her parent’s knowledge. Indeed, while app stores and operating systems provide rating systems and controls which allow parents to restrict access to mobile content and features, and even to limit data collection, they do not provide information about which data is collected and whether it is shared. (Report, p. 15)

 

The Report concludes by recommending that app stores, app developers, and third parties providing services within apps, increase their efforts to provide parents with “clear, concise and timely information” about apps downloaded by children. Parents would then be able to know, before downloading an app, what data will be collected, how it will be used, and who will obtain access to this data (Report p. 17). This should be done by using “simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device.” (Report p. 3)

 

One remembers that United States of America v. W3 Innovations, LLC, in August 2011, was the first FTC case involving mobile applications.

 



Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy concerns? The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This is after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including the General Services Administration and the Department of Health and Human Services.
 
In contrast to the hype surrounding the cloud, NIST recently published draft Guidelines on Security and Privacy for government use that provide detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared multi-function environment; and internet exposure that increases vulnerability to internet attacks such as botnets. Notably, NIST reported that although the city of Los Angeles made news in 2009 when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems – hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine to show that “cloud first” may not result in dramatic cost savings?
 
Perhaps most troubling is the loss of control over data: According to the draft NIST report “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the clouds means that often organizations (including the US government) won’t know and/or have any control over where that data is stored or transferred, despite state and federal laws prohibiting transfer of data overseas. Enabling third party service providers to dictate where data flows may not be worth whatever cost-savings may be generated by the new “cloud first” policies.