Categories: Life, Privacy, Tech

Facebook loses appeal over search warrants

Facebook cannot challenge the constitutionality of a search warrant on its users’ behalf prior to the government’s executing the warrant, an appeals court in New York has ruled in a decision that delineates a boundary for Internet privacy.

The ruling follows a lawsuit by Facebook to void 381 search warrants the company received two years ago from the Manhattan district attorney’s office, which obtained them in connection with an investigation into Social Security disability claims by a group of retired firefighters and police officers whom the DA suspected of feigning illnesses they attributed to the aftermath of the 9/11 attacks.

Upon receiving the warrants, which sought information derived from the users’ accounts, Facebook asked the DA to withdraw the warrants or to strike a provision that directed the company to refrain from disclosing their existence to users whose postings were to be searched. The DA’s office asserted the confidentiality requirement was needed to prevent the suspects being investigated from destroying evidence or fleeing the jurisdiction if they knew they were being investigated.

After the DA declined to withdraw the warrants, Facebook sued to either quash them or compel the DA to remove the non-disclosure provision. The trial court sided with the DA and Facebook appealed.

The appeals court affirmed that the legality of the searches could be determined only after the searches themselves were conducted. “There is no constitutional or statutory right to challenge an alleged defective warrant before it is executed,” Judge Dianne Renwick wrote for a unanimous panel of the court’s appellate division in a ruling released July 21. “We see no basis for providing Facebook a greater right than its customers are afforded.”

The constitutional requirement that a warrant can issue only upon a showing of probable cause as determined by a judicial officer helps to ensure the government does not exceed its authority when requesting a search warrant and eliminates the need for a suspect to make a motion to void the warrant before it can be served, the court noted. “Indeed… the sole remedy for challenging the legality of a warrant is by a pretrial suppression motion which, if successful, will grant that relief,” Renwick explained.

According to Facebook, which was joined in the appeal by Google, Twitter, Microsoft and other tech industry firms, the federal Stored Communications Act also gave the company the right to challenge the warrants. But that law, which protects the privacy of email and other communications stored on servers belonging to ISPs, authorizes ISPs to challenge subpoenas and court orders but not warrants obtained from a judicial officer based on a showing of probable cause, the court noted.

Despite its ruling, the court agreed with Facebook that the DA’s serving 381 warrants swept broadly and suggested the users themselves may have grounds for suppression. “Facebook users share more intimate personal information through their Facebook accounts than may be revealed through rummaging about one’s home,” wrote Renwick. “These bulk warrants demanded ‘all’ communications in 24 broad categories from the 381 targeted accounts. Yet, of the 381 targeted Facebook users accounts only 62 were actually charged with any crime.”

Though civil liberties groups hoped the appeal might bolster protections for Internet privacy, experts said the ruling makes sense as a matter of law. As Orin Kerr, a professor of criminal procedure at George Washington University Law School who has written extensively about privacy and the Internet, wrote in The Washington Post:

“Think about how this plays out in an old-fashioned home search. If the cops show up at your door with a warrant to search your house, you have to let them search. You can’t stop them if you have legal concerns about the warrant. And if a target who is handed a warrant can’t bring a pre-enforcement challenge, then why should Facebook have greater rights to bring such a challenge on behalf of the targets, at least absent legislation giving them that right?”

Still, “that doesn’t mean the warrants were valid,” added Kerr, who noted that the defendants themselves seem likely to challenge the sweep of the material seized from their Facebook accounts if they haven’t already.

For its part, Facebook disagreed with the ruling but said the company had not decided whether to appeal. “We continue to believe that overly broad search warrants—granting the government the ability to keep hundreds of people’s account information indefinitely—are unconstitutional and raise important concerns about the privacy of people’s online information,” Jay Nancarrow, a spokesman for the company, told the Times.

The DA’s office noted that the investigation led to the indictment of 134 people and alleged hundreds of millions of dollars in fraud. “In many cases, evidence on [the suspects’] Facebook accounts directly contradicted the lies the defendants told to the Social Security Administration,” Joan Vollero, a spokeswoman for the district attorney’s office, said in a statement.

Categories: Law, Privacy

Sony must face breach lawsuit, court rules

Sony Pictures must continue to defend a lawsuit filed by nine former employees whose personal information was stolen from the studio during a cyberattack last fall, a federal court has ruled.

The former employees sued Sony in March, charging the company with negligence, breach of contract and violation of confidentiality laws in failing to safeguard medical, financial and other personally identifiable information that the attackers later posted online and traded via the Internet. The plaintiffs charge they have had to subscribe to identity-protection and credit-monitoring services, obtain credit reports and incur costs resulting from freezes to their credit.

Sony asked the U.S. District Court in Los Angeles to dismiss the suit, alleging that the former employees failed to show injury sufficiently concrete to establish standing.

The court disagreed. “Here, plaintiffs have alleged that PII was stolen and posted on file-sharing websites for identity thieves to download,” wrote Judge Gary Klausner in a ruling released June 15. “Plaintiffs also allege that the information has been used to send emails threatening physical harm to employees and their families. These allegations alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.”

According to the court, the costs incurred by the former employees also satisfy the requirement for injury on which a claim of negligence depends, although Klausner sided with Sony and dismissed part of the lawsuit that charged the company with failing to notify the former employees of the breach in a timely fashion.

The plaintiffs also established that a so-called special relationship exists between a company and its employees that allows the employees to later hold the employer responsible for negligence and breach of contract. According to the plaintiffs, Sony failed to shore up systems that stored records for human resources despite experiencing data breaches in the past.

Klausner agreed, noting that “to receive such compensation and other benefits, Sony required plaintiffs to provide their PII, including names, addresses, Social Security number, medical information, and other personal information.”

Sony’s alleged failure to defend its systems against a cyberattack also allows the former employees to charge the company with violating a California law that obligates employers to safeguard employees’ medical information, the court ruled.

Categories: cybersecurity, Law

EU readies rules to bolster cybersecurity, require notice of data breaches

The European Union is readying an approach to cybersecurity that may subject services such as Google and Facebook to breach notification requirements that mirror those for banks and health-care providers.

The Network and Information Security Directive, a proposal under consideration by the European Commission, would require companies in industries deemed critical to strengthen digital safeguards and report breaches to national authorities.

The directive represents one of the first attempts to legislate a rule for security breaches that crosses borders. That stands in contrast to the U.S., which has yet to adopt a national notification law and leaves companies to comply with a series of notification requirements set by states.

Members of the European Parliament who have been negotiating the rules have agreed to extend the reach of the directive to social networks, cloud computing platforms, commerce sites and other digital platforms, according to a report Friday by Reuters.

Under the terms of the directive, which was proposed in 2013, companies that operate so-called critical infrastructure in any of the 28 countries that constitute the EU will be required to report “significant security incidents” as well as adopt measures to lessen the risk of cyber threats.

In addition to Internet companies, the directive would require companies in the financial, energy, health and transportation industries to report incidents “having a significant impact on the security of core services.” The EU currently requires telecommunications companies to report such incidents.

Members of the commission are expected to start work this September on a final version of the rule.

Ninety percent of large corporations and 74% of small businesses in the U.K. experienced a security breach in the past year, according to a survey published recently by PwC.

Categories: Law, Privacy

Phone companies should not be required to store call data, privacy advocates say

A federal rule that orders phone companies to retain records of calls for a year-and-a-half disregards the privacy of millions of Americans, according to a coalition of civil liberties groups that is asking the Federal Communications Commission to rescind the requirement.

As currently configured, the mandate that carriers hold for 18 months the name, address and telephone number of callers, along with the numbers called and the date, time and length of each call, exposes consumers to data breaches, thwarts innovation and does little to aid law enforcement, according to a petition filed Tuesday with the FCC by the Electronic Privacy Information Center (EPIC) on behalf of itself and 28 organizations.

The retention requirement makes little sense in an age when phone companies bill customers for unlimited or non-measured calling, compared with a time when companies itemized calls, according to EPIC, which contends that requiring companies to keep such records in bulk results in retention of information about nearly all American adults regardless of whether the government suspects them of wrongdoing.

“These telephone records not only show who consumers call and when, but can also reveal intimate details about consumers’ daily lives,” wrote Marc Rotenberg, EPIC’s president. “These records reveal close contacts and associates, and confidential relationships between individuals and their attorneys, doctors, or elected representatives.”

According to EPIC, the FCC proposed 30 years ago to eliminate the record keeping entirely before the Department of Justice asked the FCC to extend the retention period to 18 from six months, contending that retaining phone records aided investigation and prosecution of criminal conspiracies. But the value of the records has eroded as billing has changed, charges EPIC, which notes that DOJ conceded as much in comments filed with the FCC in 2006. Further, law enforcement agencies still could request that records be retained in connection with investigations, said EPIC.

Retaining calling records also amplifies the risk of data breaches, such as the one recently at the Office of Personnel Management, according to EPIC. “The best strategy to reduce the risk of an attack and to minimize the harm when such attacks do occur is to collect less sensitive information at the outset,” the petition notes.

Discontinuing the requirement that carriers retain call records for 18 months would lower the cost of record keeping and allow phone companies to compete for customers on the basis of privacy, “which many believe is the market-based solution to the enormous privacy challenge confronting the nation today,” Rotenberg added.

The FCC declined to comment on the petition.

Revisions last spring to post-9/11 surveillance laws ended bulk collection of phone call metadata by the government. Under the terms of the USA Freedom Act, the National Security Agency can obtain such information from phone companies if authorized by the Foreign Intelligence Surveillance Court. But the act does not require phone companies to collect or store metadata.

Categories: Law, Privacy

Senate pushes cybersecurity bill to September

The U.S. Senate Wednesday agreed to postpone until September debate on a bill to bolster cybersecurity.

The legislation, known as the Cybersecurity Information Sharing Act, would direct the federal government to share cyber threats with businesses and shield companies that exchange information and best practices about cybersecurity from antitrust liability.

The deal addresses concerns expressed by senators who charged that the measure as it stands will fail to prevent cyberattacks or protect privacy sufficiently.

The agreement means that Democratic Senators Ron Wyden (Ore.), Patrick Leahy (Vt.) and Al Franken (Minn.), along with Republican Senators Rand Paul (Ky.) and Dean Heller (Nev.), all will be able to offer amendments they say strengthen civil liberties and improve the bill.

“We’ve got to debate some real things like cybersecurity, and have real amendments, not pretend amendments,” Leahy told National Journal.

Categories: Law, Privacy

Senate to take up cybersecurity bill as concerns about privacy continue

The U.S. Senate is slated this week to take up legislation that aims to bolster cybersecurity by spurring businesses and the federal government to share information about digital threats and best practices with one another.

The measure, known as the Cybersecurity Information Sharing Act, would direct the federal government to develop ways to share information with the private sector while taking steps to protect privacy and civil liberties. The bill also aims to address antitrust concerns by shielding businesses that share information from enforcement of laws that otherwise might dissuade those businesses from cooperating. The House passed a similar measure in April.

The push represents the third time in as many years that Congress has tried to pass legislation that would encourage sharing of cyber threats. Recent cyberattacks on the Office of Personnel Management, Sony Pictures Entertainment and other targets have prompted legislators to try again. Cybercrime costs the global economy more than $400 billion annually, according to a study released jointly last summer by McAfee and the Center for Strategic and International Studies.

Though the measure passed the Senate Intelligence Committee in March, maneuvering underway since then has centered on a tension between defending digital networks and protecting the privacy of Americans whose information is stored in those systems.

Among the concerns: the measure could result in companies handing over personally identifiable information to the National Security Agency. Such information might include, for example, the browsing history of someone who happens to have visited a website that becomes the subject of a cyberattack.

On Monday, Senator Al Franken, Democrat of Minnesota, released a letter from the Department of Homeland Security (DHS), which cautioned against allowing companies to share information with intelligence agencies without first channeling the information through DHS. “The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” wrote Alejandro Mayorkas, the deputy secretary of homeland security.

“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” Mayorkas added.

Though Senators Richard Burr, Republican of North Carolina and chairman of the intelligence panel, and Dianne Feinstein, the committee’s top Democrat, have circulated an amendment that aims to address concerns over the legislation’s impact on privacy, some civil liberties groups say the fixes don’t go far enough. According to the Center for Democracy and Technology, the bill as modified still would authorize the government to use information about cyber threats to investigate and prosecute crimes of espionage, identity theft and trade secrets violations, regardless of whether those infractions tie to cybersecurity.

The White House backs passage of cybersecurity legislation but has called on Congress to strengthen protections for privacy and to narrow an exemption from liability for companies that fail to secure their networks after receiving threat information.

That leaves the question of whether the measures actually would cause businesses and the government to exchange more information about cyber threats. While the measure aims to ease companies’ fears of legal liability, the Department of Justice and the Federal Trade Commission already have advised companies “that properly designed sharing of cyber threat information should not raise antitrust concerns.”

And as N. Eric Weiss of the Congressional Research Service observed in June, sharing of cyber threats happens currently. Industries ranging from retail to financial services participate in so-called information sharing and analysis centers (ISACs) that serve as clearinghouses for information about cyber threats.

“The ‘bottom line’ is how likely nonfederal entities—particularly businesses—value the benefits from sharing information against the cost of sharing,” wrote Weiss, who notes that neither bill would address the cost of membership in ISACs, which can cost anywhere from $10,000 to $100,000 to join, a sum that small and medium-sized businesses might not be able to afford.

Still, the wave of cyberattacks—and the fallout from them—might cause businesses to think anew about the advantages of sharing. “Although most data breaches have not been expensive compared with the revenues and profits earned,” noted Weiss, “recent events may change the attitude of boards of directors and senior management: the chief executive officers at Target and Sony Entertainment were forced to resign.”

Categories: Law, Privacy

FCC to address Internet privacy

The chairman of the Federal Communications Commission announced in June that the agency plans this fall to address privacy in the context of consumers’ use of the Internet.

The spur for putting privacy on the agenda is the decision last winter by the FCC to enshrine the principle of an Internet open to all providers of content—a concept better known as net neutrality—within the agency’s authority to regulate common carriers pursuant to Title II of the Communications Act.

The decision included a determination that providers of broadband Internet service, including broadband delivered via mobile devices, will be subject to a section of the law that governs so-called customer proprietary network information (CPNI), which includes such things as the frequency, duration and timing of calls; in short, the information that telecommunications companies learn from providing service to customers.

Except for billing, emergencies and other exceptions provided by law, carriers cannot use CPNI without the approval of customers. But until the FCC’s net-neutrality ruling, the rules that govern use of CPNI applied only to services such as Voice over Internet Protocol—think Skype—that tie to the telephone network.

That seems likely to change. As the FCC noted in its net-neutrality ruling, the rules that govern use of CPNI by telephone companies would not be “well suited” to broadband Internet service. The reason: In recent years the FCC has revised the rules that govern CPNI after initially classifying broadband Internet service as a so-called information service, which exempted Internet service providers (ISPs) from common carrier status and later led a federal appeals court to order the FCC to revise its approach.

In addition, “the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet services is likely to have access, such as (to cite just one example) customers’ web browsing history,” the FCC explained.

Until it can adopt rules that address the use of CPNI by broadband Internet providers specifically, the FCC says it “intends to focus on whether providers are taking reasonable, good-faith steps to comply” with restrictions on the use of CPNI set forth in the Communications Act. Note that CPNI does not include customers’ names, addresses and other personal information, the handling of which is governed by laws such as the Cable Television Privacy Act and the privacy notices that cable and phone companies deliver to subscribers.

So what protections for privacy should apply to broadband networks? In July, nine Democratic senators, including Elizabeth Warren and White House hopeful Bernie Sanders, wrote to FCC Chairman Tom Wheeler with some suggestions. The proposals include ensuring the definition of CPNI includes data pertaining to Internet usage, online activity and payments; directing ISPs to collect data transparently; requiring ISPs to obtain consumers’ express consent before sharing information; ordering ISPs to safeguard customers’ information and to notify customers in the event of a data breach; and giving consumers a clear process for resolving complaints.

“We call on the Commission to adopt a comprehensive definition of CPNI as it pertains to broadband,” the senators wrote. “Every click consumers make online paints a detailed picture of their personal and professional lives.”