Categories
Privacy

Cell site records privacy comes to the Supreme Court

This fall the Supreme Court will decide whether to hear an appeal that addresses the privacy each of us has in information our cellphones exchange with the network that reveals our movements over time.

The matter comes to the Court in an appeal by Quartavious Davis, an Alabama man who was convicted in 2011 of a string of seven armed robberies in Miami, Florida that netted him a sentence of 162 years in prison. Federal prosecutors tied Davis to the heists—which included robbing a pharmacy, an auto parts store, a beauty salon, and a fast food restaurant—in part from transmissions between his cellphone and the towers it transmitted to as he moved about town.

Prosecutors obtained the cell site data pursuant to an order from a federal magistrate judge that authorized them to review Davis’ phone location for a period of 67 days in September and October of 2010 that straddled the heists.

According to court papers, the records, which prosecutors obtained from MetroPCS, Davis’ service provider, revealed 11,606 points of information about his whereabouts, including calls he allegedly placed to and received from co-conspirators.

At trial, Davis moved to exclude the location information, asserting that prosecutors obtained it without a search warrant. Prosecutors relied instead on the Stored Communications Act, a federal law that authorizes law enforcement to obtain records a magistrate deems relevant to an ongoing criminal investigation.

The problem, Davis asserts, is that the government’s obtaining the location data constituted a search within the meaning of the Fourth Amendment. That required prosecutors to obtain a warrant supported by probable cause, which means prosecutors would have had to demonstrate to a judge a reasonable basis for believing a crime had been committed.

The distinction matters to Davis, who was sentenced at age 22 and faces the rest of his life in prison, but also to anyone who uses a cellphone, which is to say nearly all of us. Ninety-two percent of American adults own a cellphone or smartphone, according to a study published in August by the Pew Research Center. And 90 percent of cellphone owners say they frequently carry their phone with them.

Cell site information reveals an abundance of information about us. As Justice Sotomayor wrote in 2012 in a case that found the government’s attaching a GPS device to a vehicle for 28 days to be a search within the meaning of the Fourth Amendment, “I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.”

Davis’ appeal presents the Court with an opportunity to revisit the so-called third-party doctrine, which holds that you lack a reasonable expectation of privacy in information you disclose voluntarily to third parties. The approach, which traditionally applied to things like a suspect’s bank records, makes less sense in an age in which, as Justice Sotomayor noted in the concurrence cited above, “people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The Court has recognized as much. Last year the justices ruled unanimously that police may not, without a warrant, search information on a cellphone from someone who has been arrested. Writing for the Court, Justice Roberts noted:

“Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cellphone, with all that it contains, who is the exception. According to one poll, nearly three-quarters of smart phone users report being within five feet of their phones most of the time, with 12% admitting that they even use their phones in the shower.”

In Davis’ case, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit ruled that the government violated his rights under the Fourth Amendment by obtaining the cell site location records without a warrant. Still, the panel sided with the trial judge and upheld the conviction because prosecutors relied in good faith on the magistrate’s order.

By a vote of 6 to 5, the entire Eleventh Circuit later reversed the panel, holding that the government did not violate the Fourth Amendment when it obtained the location data because Davis had no reasonable expectation of privacy in records held by his service provider.

The ruling set up a split among federal appeals courts. The U.S. Court of Appeals for the 4th Circuit ruled in August that the government’s accessing cell site data constitutes a search under the Fourth Amendment. That makes the case ripe for review by the Supreme Court, Davis contends. According to the Electronic Frontier Foundation, which filed a friend-of-the-court brief urging the Court to decide the case:

“Given the prevalence of cellphones and smartphones, and the increasing number of law enforcement requests for this sensitive information, this case thus presents a question of compelling national importance. The number of Americans promised that [cell site location information] remains private and accessible to law enforcement only with the protections of a search warrant is increasing. Yet, this legal protection is not uniform, and the federal courts in particular have issued conflicting opinions on the topic, leaving the public and law enforcement in limbo.”

The number of requests by law enforcement for location data is rising. According to figures cited by EFF, AT&T projects it will receive nearly 76,000 requests for cell site location information this year from law enforcement, up 19% from a year earlier and just under the number of such requests received in 2012. Verizon is projecting a 55% increase in the number of so-called cell tower dumps, a majority of which, EFF observes, occur without a warrant.

Note that Davis’ appeal ties to historical location data. Several states already require police to obtain a warrant before tracking a cellphone in real time. This chart from 2011 will give you a sense of how long your cellular provider retains a record of towers used by your phone.

For the Court to take up Davis’ case, at least four justices will have to vote to hear the appeal. In addition to an opportunity to unify the circuits, the justices could use the appeal to clarify the standard for assessing the government’s conduct. Orin Kerr, a professor of law at George Washington University, says the Eleventh Circuit’s reasoning also may make the case worthy of review. As Kerr wrote in The Washington Post following the appeals court decision:

“Instead of the… rule of a warrant, the court begins with general balancing. It’s important to catch criminals, the court reasons, and the statute has some good protections given that this wasn’t such an invasive practice. So on the whole the government’s conduct based on reasonable suspicion seems reasonable and therefore constitutional.

This alternative holding is a major development, I think. It’s at odds with the usual rule that a criminal search requires a warrant, and instead replaces it with a totality of the circumstances inquiry into whether the criminal search was the kind of thing that we would generally say is good or would generally say is bad. There’s not only no warrant requirement, there’s no probable cause requirement: It’s just a free-floating reasonableness inquiry.”

According to the Reporters Committee for Freedom of the Press, allowing warrantless access to cell site data also undermines freedoms guaranteed by the First Amendment. “In part because location data can be so revelatory, journalists frequently go to great lengths to ensure that the locations where they meet their sources are kept private, and that their communications are confidential,” the group writes in a friend-of-the-court brief.

From precedent, we know the justices are paying attention to the privacy implications of technology. In that regard, they seem likely to read a concurrence by Judge Robin Rosenbaum, a member of the Eleventh Circuit who, despite finding the search of Davis’ location data reasonable under the Stored Communications Act, expressed concern.

“In our time, unless a person is willing to live ‘off the grid,’ it is nearly impossible to avoid disclosing the most personal of information to third-party service providers on a constant basis, just to navigate daily life,” Rosenbaum wrote. “And the thought that the government should be able to access such information without the basic protection that a warrant offers is nothing less than chilling.”

Spokeo presents the Supreme Court with an opportunity to validate privacy protections for a digital age

The U.S. Supreme Court is slated to hear an appeal this November that deals with a technical question concerning the right to sue but promises to affect significantly our ability to influence the accuracy of information about us that appears online.

The case involves a lawsuit against Spokeo, a people-finder site that aggregates information from social networks, real estate listings and other public sources. The dispute began five years ago when Thomas Robins, a Virginia resident, sued the Pasadena, Calif.-based company for allegedly violating the Fair Credit Reporting Act (FCRA).

According to Robins, Spokeo’s search results showed he held a graduate degree, was affluent, and married with children. None of that was true, he charges. In reality, Robins, then in his mid-50s, was unemployed, single and searching for a job.

Robins asserts that companies use Spokeo’s results to size up applicants for employment. That, Robins claims, undermined his search by presenting him as more educated and wealthier than he happened to be, which, according to Robins, dissuaded employers from considering him for certain jobs and contributed to his remaining unemployed as well as to anxiety, stress and worry about his allegedly diminished prospects.

Robins, who Spokeo says did not claim he asked the company to remove the listing or correct the results (you can for your listing, via this form), also charged the company with knowing about shortcomings in the way it gathered information and its failure to follow the FCRA’s mandate that consumer reporting agencies ensure the maximum possible accuracy of reports they generate. That, alleges Robins, entitles him to damages of up to $1,000 for each violation, as provided by the FCRA.

A trial judge in Los Angeles dismissed the case, ruling that Robins failed to allege an injury concrete enough to establish a right to sue—a prerequisite for suing someone in federal court—and that any harms he asserted were insufficiently traceable to Spokeo’s alleged violations.

Robins appealed to the U.S. Court of Appeals for the 9th Circuit, which reversed the trial court and sided with Robins after determining that the violation of the FCRA he charged itself satisfied the injury-in-fact requirement. Spokeo then appealed to the Supreme Court, which last spring agreed to hear the case.

At one level, the appeal presents the justices with a question about the jurisdiction of the federal courts, which the Constitution limits to deciding legal questions that arise out of an actual dispute between real parties. To determine whether such a dispute exists, federal courts apply a three-part test, pursuant to which a plaintiff must be able to show concrete injury, a causal connection between the injury and the challenged actions of the defendant, and a likelihood that the injury will be set right, or redressed, by a favorable decision.

Spokeo, which describes itself as an Internet search engine rather than a consumer reporting agency—a distinction that matters for purposes of determining whether it has obligations under the FCRA—argues on appeal that Congress can give private parties a right to sue for alleged violations of a statute but that right, by itself, does not relieve those parties of the need to show actual injury in order to proceed.

According to Spokeo, the appeals court did not base its decision on an allegation by Robins that he suffered a specific financial loss or missed out on being hired for a particular job. Instead, argues Spokeo, the panel looked no further than the alleged violation of the FCRA. “The Ninth Circuit recognized that its analysis had the practical effect of turning the three-part test for… standing into a single-factor inquiry that was satisfied by the availability of a statutory remedy,” Spokeo asserts in a brief filed in July with the Supreme Court.

The requirement that a plaintiff demonstrate concrete harm “is necessary to prevent the erosion of the Constitution’s fundamental structure,” writes Spokeo, which says the stipulation ensures that courts remain within their role of preventing “actual or imminently threatened injury.” Standing also prevents Congress from “impermissibly delegating” to private parties the duty of the executive branch to enforce the law and protects “individual liberty” from plaintiffs who, in essence, charge violations of the law out of self-interest, the company argues.

Of course, Spokeo has another concern. According to the company, a class action in this case could expose it to “billions of dollars” in damages, based on Robins’ assertion that millions of people who could claim to have been on the receiving end of FCRA violations may be eligible to join the lawsuit.

Robins counters that the alleged violation of the statute means that, by definition, he also has suffered pecuniary harm. He “and Spokeo have a legal dispute over a fixed sum of money that turns on whether Spokeo violated Robins’s legal interest under the FCRA,” he writes in a brief filed Aug. 31. “This right to statutory damages is not a ‘bounty’ Robins ‘will receive if the suit is successful.’ (citation omitted). His right to statutory damages arose as soon as Spokeo violated his rights, and the monetary claim is his alone.”

According to Robins, the Supreme Court need look no further than Spokeo’s alleged violation, which is sufficient to establish standing in this case. In short, Congress conferred standing when it gave private parties the right to sue for violations of the FCRA, Robins asserts.

He also notes that three years ago Spokeo agreed to pay $800,000 to settle charges that over a period of two years ending in 2010 it marketed search results to recruiters without adhering to safeguards for credit reporting.

The Obama administration has sided with Robins. “FCRA confers upon [Robins] a legal right to avoid the dissemination of inaccurate personal information about himself under the circumstances presented here,” writes Solicitor General Donald B. Verrilli Jr. in a friend-of-the-court brief filed Sept. 8. “Under this Court’s precedents, a violation of that legal right is an injury sufficient to satisfy Article III requirements, whether or not respondent can identify further consequential harms resulting from the violation.”

But there’s much more at stake than standing, say privacy and civil liberties groups. In revising the FCRA in 1969, Congress specifically expressed concern that computerization of personal data could lead inaccurate credit reports—which by their very nature are derived from data supplied by creditors whose own records may contain errors—to be published widely while leaving consumers without recourse to correct the information or to hold companies that furnish or report such data accountable.

“We are now in a digital era in which data brokers routinely acquire, access, compile, analyze, and sell vast data stores of consumers’ personal information, transactions, and behaviors,” write the Center for Democracy & Technology (CDT), the Electronic Frontier Foundation (EFF), and the New America foundation (New America) in a friend-of-the-court brief filed Sept. 8. “This activity occurs with little regulation or market incentive to ensure that information is accurate, timely, and used in a manner compliant with existing law.”

Robins alleges that unlike a search engine such as Google or Yahoo, Spokeo, in its search results, “draws conclusions, makes predictions, and otherwise makes factual assertions” about the data that tie to a consumer’s financial well being or lifestyle “that do not appear in the public or private data that defendant’s search result draws from.” According to the CDT, EFF and New America:

“While Spokeo’s inaccuracies might initially appear to favor Mr. Robins, they may have in fact damaged his ability to find employment by creating the erroneous impression that he was overqualified for the work he was seeking, that he might be unwilling to relocate for a job due to family commitments, or that his salary demands would exceed what prospective employers were prepared to offer him. The FCRA’s private right of action is the only way Mr. Robins can enforce his rights under the law and redress these inaccuracies. If the FCRA’s requirements are effectively unenforceable, data brokers such as Spokeo have little incentive to follow the law.”

Not surprisingly, a host of companies have weighed in on behalf of Spokeo. They include Facebook, Google, Twitter, eBay, Netflix and other tech firms, which in a brief filed July 9 say they fear liability from class actions alleging “technical statutory violations that are not alleged to ‘have affected the plaintiff’ or harmed anyone.” (citation omitted) Credit reporting agencies, banks, home builders, media companies, and other businesses have raised similar arguments.

The chorus from companies sparked a reply from Patricia Moore, a professor at St. Thomas University School of Law, who wrote recently that “literally hundreds of state and federal statutes create private rights of action to encourage compliance with laws meant to protect consumers, workers, and the environment.”

According to Moore, Spokeo and the companies that are weighing in on its behalf “have conceived a new way to neutralize any statute anywhere that authorizes statutory damages. That is: tar the private right of action… and claim that violation of the statute is ‘technical,’… so not good enough for standing.”

A group of 15 information privacy scholars have sounded a similar point. In a friend-of-the-court brief filed Sept. 4, the group argues that “a broad ruling” in favor of Spokeo would “disrupt established privacy law well beyond the boundaries of the FCRA.”

The scholars cite the Video Privacy Protection Act, a federal law that bars disclosure of the movies someone has rented without his or her consent, and the Wiretap Act, as examples of laws that allow private parties to sue for violations and, in the case of the Wiretap Act, specify statutory damages as an alternative to actual damages, much like the FCRA. According to the scholars, whether in those laws or the FCRA:

“Congress did not ‘create’ injury in any of these statutes. Rather, in each case, it simply recognized privacy injuries-in-fact occurring in new technological contexts, delineated corresponding legal violations, and created private civil rights of action as legal remedies. This it was constitutionally empowered to do. The Court should not second-guess considered legislative judgments about the desirability of affording such remedies.”

Of course, it’s hard to predict whether a majority of the Court will embrace that argument or insist on a showing by Robins of injury beyond the statutory violation, as Spokeo suggests. Or accept the distinction drawn by Spokeo between technical violations and violations generally. It may be, as Moore suggests, a distinction without a difference and calculated solely to allow companies to evade liability.

Or the Court could look to see who was harmed here. Did Robins have more difficulty finding a job thanks to Spokeo’s practices, assuming, that is, the company acted as a consumer reporting agency? What about the anxiety and stress he alleges? If so, what might Robins’ recourse be, if not a lawsuit like the one at issue in this case? And how might the Court feel about people-searches that disseminate inaccuracies? Some of the justices are listed in Spokeo, too.

Microsoft warrant case goes before appeals panel

Microsoft and the Department of Justice will square off today before a federal appeals panel in Manhattan in a case that has implications for digital privacy and the flow of data across borders.

The appeal marks a return to court of a dispute that began nearly two years ago when DOJ obtained a search warrant to seize emails belonging to a suspect in a narcotics trafficking investigation.

Microsoft objected to the warrant, asserting it sought emails from a data center owned by the company in Dublin, where, the company argues, the U.S. has no jurisdiction to seize records. Two lower courts backed DOJ, ruling the warrant was valid because Microsoft controls the data from the U.S. regardless of where the emails happen to be stored.

The appeal comes amid lingering tensions between the U.S. and European Union over digital privacy in the wake of revelations about the extent of spying by the National Security Agency and raises a question of how much control over information a nation has within its borders.

Microsoft argues that neither the Fourth Amendment nor the Stored Communications Act, a federal law that limits the ability of the government to force email providers to turn over customer communications absent a court order, applies outside the U.S.

“If the government prevails here, the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft’s offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country,” the company wrote in court papers.

But the warrant simply demands production of records by Microsoft, a company subject to U.S. jurisdiction, counters the government. “Under long settled precedent, the power of compelled disclosure reaches records stored abroad so long as there is personal jurisdiction over the custodian and the custodian has control over the records,” DOJ argues.

According to the government, a warrant issued pursuant to the Stored Communications Act operates like a subpoena, in that it obligates the provider to turn over the records and does not require a law enforcement officer to search the premises.

Tech companies and civil liberties groups that have weighed in on behalf of Microsoft reject the analogy. “The Fourth Amendment requires the government obtain emails with a search warrant,” wrote the Electronic Frontier Foundation, the ACLU, the Brennan Center, and The Constitution Project in a friend-of-the-court brief. “Although the government did obtain a warrant here, extending the warrant’s reach to emails stored abroad should not rest on an inaccurate analogy to subpoenas.”

A ruling in the government’s favor could spur other countries to serve warrants on tech companies for the private messages of Americans that are stored in U.S. data centers owned by companies based abroad, experts say.

A win for the government also could encourage more tech companies to encrypt messages in ways that make them impossible to read unless the recipient decodes them. Apple recently refused to turn over iMessages sought by the government, saying it couldn’t get access to the messages because they are encrypted. The dustup highlights an ongoing debate over the use of encryption and the government’s ability to unlock data when the needs of law enforcement and national security demand.

Apple stance on privacy may slow artificial intelligence push: report

Those of us who use iPhones may have more to welcome this week than Apple’s event to unveil the latest devices.

The computer maker’s stance on guarding customer privacy may be slowing its push to stay ahead of rivals in the race to develop digital assistants, Reuters reports. If correct, that means the company is upholding its pledge to respect customers’ personal privacy, but more on that in a minute.

At issue is a race by Apple, Google and other tech companies to recruit experts in machine learning, a branch of artificial intelligence that allows computers to anticipate what users want without being explicitly programmed.

The larger the set of data that software can analyze, the more precise those predictions can become. But with a self-imposed privacy policy that causes iPhones and other devices to refresh every 15 minutes, Apple forgoes the opportunity to send the data to the cloud, where the information could be combined with other data, analyzed and, possibly, sold to advertisers.

That benefits users by protecting their personal privacy but can slow the evolution of services such as Siri to anticipate users’ needs. “They want to make a phone that responds to you very quickly without knowledge of the rest of the world,” Joseph Gonzalez, co-founder of Dato, a machine learning startup, told Reuters, referring to Apple. “It’s harder to do that.”

Or not. If any company can reconcile the imperatives of privacy and technological progress in a way that advances both it may be Apple.

The next generation of Apple’s services will depend heavily on artificial intelligence, AppleInsider reports. At the same time, digital assistants developed by Google and Microsoft reportedly are getting better at learning users’ routines.
Apple currently aims to recruit at least 86 more experts in machine learning, according to an analysis by Reuters of the computer maker’s jobs postings.

Apple CEO Tim Cook said in June that his company won’t be a party to the exchange that defines the relationship of many tech companies and their customers, in which customers accept free services in return for companies’ selling information about consumers’ searches, shopping, health and more to advertisers.

“They’re gobbling up everything they can learn about you and trying to monetize it,” Cook told a gathering in Washington sponsored by privacy advocates. “We think that’s wrong.”

Edward Snowden, the former government subcontractor who revealed the magnitude of the National Security Agency’s spying on Americans in the wake of the 9/11 attacks, said Apple’s stance deserved consumers’ support.

“Regardless of whether it’s honest or dishonest, for the moment, now, that’s something we should… incentivize, and it’s actually something we should emulate,” Snowden told an audience in Spain about two weeks after Cook outlined the company’s policy.

Apple is slated to introduce enhancements to Siri this Wednesday as part of the rollout of iOS 9, the latest version of the company’s operating system for the iPhone and iPad.

In shift, Justice Department requires warrants for using stingrays to spy on cellphones

The Justice Department has tightened restrictions for tracking cellphone signals in a move that officials say will improve transparency and protect the public from unwarranted invasions of privacy.

Henceforth the FBI and federal law-enforcement agencies will need a warrant supported by probable cause before using a so-called cell-site simulator, which can impersonate a cellphone tower by sending out signals that induce phones to respond with identifying information.

The move represents a win for privacy even though the warrant requirement doesn’t apply to state and local governments, which also use cell-site simulators to track suspects.

The devices, which are known variously as stingrays, dirtboxes or IMSI catchers (for International Mobile Subscriber Identity), are used widely for surveillance but have proved to be controversial because of their sweep and the secrecy that shrouds their use. Agents deploy the devices from cars and planes, which enable scanning across larger areas.

“Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” Deputy Attorney General Sally Quillan Yates said Thursday in a statement announcing the change. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.”

The pivot by DOJ represents a departure from past practice, when law enforcement personnel had to certify merely that use of a cell-site simulator was relevant to an ongoing criminal investigation.

Under the revised guidelines, agents may not configure simulators to collect the contents of communications, including emails and text messages. Agents also must inform judges when applying for warrants that use of the device will capture information from cellphones in the vicinity that are not subject to the investigation, and that the simulator may disrupt service temporarily for all cellphones within reach of its signal. Officials also must detail to the court how they plan to delete data not associated with the device being targeted.

As is the case under the Fourth Amendment generally, federal officials can use a simulator without first obtaining a warrant in the event of so-called exigent circumstances or when the law does not require a warrant, in which instance agents must first obtain the OK of officials within DOJ.

The Guardian reported Friday that public defenders in Baltimore are examining more than 2,000 cases in which police used stingrays to gather evidence on suspects secretly. Prosecutors are obligated to disclose evidence against criminal defendants in the discovery phase of a criminal trial.

Shutterfly lawsuit highlights concerns with the use of facial recognition and the problem with a ‘Shazam’ for faces

A lawsuit pending in a federal court in Chicago may answer whether tagging and storing photos of someone without that person’s permission violates a state law that regulates the collection and use of biometric information.

That’s the hope of Brian Norberg, a Chicago resident, who in June sued Shutterfly, an online business that lets customers turn photos into books, stationery, cards and calendars. The class action represents the latest in a series of challenges to the use of facial recognition and other technologies that record our unique physical attributes.

Norberg, who claims never to have used Shutterfly, charges that between February and June, someone else uploaded at least one photo of him to Shutterfly and 10 more to the company’s ThisLife storage service. According to Norberg, the company created and stored a template for each photo based on such biological identifiers as the distance between his eyes and ears. The service allegedly prompted the person who uploaded the images to also tag them with Norberg’s first and last names—all without Norberg’s permission.

That, charges Norberg, contravened the state’s Biometric Information Privacy Act (BIPA), a law enacted seven years ago that bars businesses from collecting a scan of someone’s “hand or face geometry,” a scan of their retina or iris, or a fingerprint or voiceprint, without their consent. The law authorizes anyone whose biometrics are used illegally to sue for as much as $5,000 per violation.

In July, Shutterfly asked U.S. District Judge Charles Norgle Sr. to dismiss the lawsuit. According to the company, the BIPA specifically excludes photographs and information derived from them. And, even if the law were unclear, says Shutterfly, the legislature intended it to apply to the use of biometrics to facilitate financial transactions and consumer purchases, not to photo-sharing.

“Scanning photos to allow users to organize their own photos is a far cry from the biometric-facilitated financial transactions and security screenings BIPA is aimed at—such as the use of finger-scanning technology at grocery stores, gas stations, or school cafeterias,” the company asserted in court papers.

In a rejoinder filed last Friday, Norberg says that creating templates based on scans of facial features, not the photos themselves, violates the BIPA. “The resulting face templates—not the innocuous photographs from which they were derived, but the resulting highly detailed digital maps of geometric points and measurements—are ‘scans of face geometry’ and thus fall within the BIPA’s definition of ‘biometric identifiers,’” he wrote.

“By [Shutterfly’s] logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the data base were derived from photographs,” Norberg added. “And indeed, that appears to be exactly what they are doing.”

Of course, facial recognition technology is used widely already. As Ben Sobel, a researcher at the Center on Privacy & Technology at Georgetown Law, explained recently in The Washington Post:

“Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged. Facebook calls this ‘Tag Suggestions’ and explains it as follows: ‘We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features… This template is based on your profile pictures and photos you’ve been tagged in on Facebook.’ Once it has built this template, Tag Suggestions analyzes photos uploaded by your friends to see if your face appears in them. If its algorithm detects your face, Facebook can encourage the uploader to tag you.”

Facebook also is defending a class action filed last spring that charges the company’s use of facial-recognition software to identify users violates the BIPA. Facebook users have uploaded at least 250 billion photos to the social networking site and continue to do so at a rate of 350 million images a day, reports Sobel, who adds that Facebook’s tagging occurs by default, whereas Google’s requires you to opt in to it.

According to the Federal Trade Commission, companies that use facial recognition technologies should simplify choices for consumers and increase the transparency of their practices. Social networks should provide users with “a clear notice—outside of a privacy policy—about how the feature works, what data it collects and how it will use the data,” the agency wrote in a report published in October 2012. Significantly, social networks should give users an easy way to opt out of having their biometric data collected and the ability to turn off the collection at any time, the agency advised.

Still, that may not cover someone like Norberg, who says he never used Shutterfly. Or prevent an app akin to a Shazam for faces that would allow users to discover someone’s identity (and possibly more, such as their address) by photographing someone regardless of whether the subject knows or consents. Situations like those would require the company to obtain the subject’s express affirmative consent—meaning that consumers would have to affirmatively choose to participate in such a system—the FTC noted.

And those are commercial users of biometrics. The photos of at least 120 million people sit in databases—many built from images uploaded from applications for driver’s licenses and passports—that can be searched by the police and law enforcement. Use of biometrics by the government raises additional concerns, including a need to ensure that a suspect has been detained lawfully before police can photograph the person or swab for DNA.

At a hearing in October 2010 that examined use of facial-recognition technology, Senator Al Franken of Minnesota, the senior Democrat on the Judiciary Subcommittee on Privacy, Technology and the Law, noted that in the era of J. Edgar Hoover, the FBI used wiretaps sweepingly with little regard for privacy.

Congress later passed the Wiretap Act, which requires police to obtain a warrant before they get a wiretap and limits use of wiretaps to investigations of serious crimes. “I think that we need to ask ourselves whether Congress is in a similar position today as it was 50 or 60 years ago—before passage of the Wiretap Act,” Franken said.

Categories
Law

Why the clerk in Kentucky who refuses to license same-sex marriages doesn’t have the law on her side

A county clerk in Kentucky who is slated to appear in a federal courtroom Thursday after refusing to license same-sex marriages may have sincerely held beliefs but she doesn’t have the law on her side.

Kim Davis, a self-described Apostolic Christian who in January was elected clerk of Rowan County, a precinct that lies about 135 miles east of Louisville, has been directed by U.S. District Judge David Bunning to explain her actions, which place her at risk of fines or jail time.

In addition to its consequences for same-sex couples who would assert their legal right to marry in Rowan County, the standoff represents two decades of advocacy that aims to advance a conservative agenda under the pretext of religious freedom.

In Kentucky the dustup began anew Tuesday after Davis declined to issue licenses to two same-sex couples a day after the U.S. Supreme Court let stand a ruling by Bunning that directs Davis to authorize legal marriages presented to her. Davis stopped licensing all marriages following a ruling by the Supreme Court in June that upheld the constitutional right of same-sex couples to marry. Bluegrass State law requires marriage licenses to be signed by a county clerk.

Davis, who also has refused to step down, issued a statement Tuesday in which she described her actions as compelled by faith. “To issue a marriage license which conflicts with God’s definition of marriage, with my name affixed to the certificate, would violate my conscience,” Davis wrote. “It is not a light issue for me. It is a Heaven or Hell decision. For me it is a decision of obedience. I have no animosity toward anyone and harbor no ill will.”

Of course, as an elected official, Davis can resign if her beliefs prevent her from discharging duties she swore an oath to uphold. There’s no evidence the state is requiring Davis to hold a particular belief as a condition of public employment.

“The Court must again point out that the act of issuing a marriage license to a same-sex couple merely signifies that the couple has met the legal requirements to marry,” Bunning ruled Aug. 12 when he directed Davis to comply with a directive by Governor Steve Beshear that clerks throughout the state license all legal marriages presented to them. “It is not a sign of moral or religious approval.”

Nor is this a case of the government’s compelling speech in violation of the First Amendment. As Bunning noted, the only speech the state seeks to compel is speech by Davis in the performance of her official duties, which the state can do. Remember, too, that Davis embodies the state when she acts in her capacity as clerk.

A similar problem arises for Davis’ claims to being a conscientious objector. As Jonathan Adler, a professor of constitutional law at Case Western Reserve University, explained Wednesday in The Washington Post, referring to Davis:

“Someone who objects to war due to his religious conscience has a right to be a conscientious objector and not serve in the military, even were there to be a draft. But he does not have the right to serve as a military officer, draw a paycheck from the military and then substitute his own personal views of when war is justified for that of the government. The same applies here.”

Finally, Davis seeks the protection of Kentucky’s version of the Religious Freedom Restoration Act, a federal law enacted in 1993 that provides an exemption from legal requirements for religious objectors unless the government can show it has a compelling interest that requires the person to comply with the law.

Despite its co-optation by conservatives, the law represented a bipartisan rejoinder to a ruling by the Supreme Court three years earlier that upheld the authority of the State of Oregon to criminalize possession of peyote without providing an exemption for Native Americans who use the drug for religious purposes.

Since then, as Professor Wendy Brown of UC Berkeley observed in a lecture last July at the London School of Economics, states have adopted their versions of the religious freedom law so that businesses can discriminate against those whom they think are engaged in acts of sin. Think of a bakery whose owners refuse to bake a wedding cake for a same-sex couple.

In a more radical turn, the Supreme Court extended that religious freedom exemption to corporations, when it ruled last year in Burwell v. Hobby Lobby Stores that a for-profit corporation need not comply with a legal mandate that employer-sponsored health plans cover the cost of contraceptives if the corporation’s—yes, the corporation’s—religious beliefs dictate otherwise.

The ruling, which Davis cited at least nine times in her application to the Supreme Court for a stay of Bunning’s order, represents a line of advocacy based on what Brown terms “a jurisprudence of aggrieved power [in which] the assertion of conscience is central in… producing the claimant as a beleaguered minority, requiring protection from the state and from a popular majority.”

Davis has yet to show how her actions, which, after all, represent state action, qualify her for an exemption under Kentucky’s religious freedom law. Bakers who decline to bake wedding cakes for same-sex couples have not taken an oath to uphold the law of the land.

That’s not to suggest Davis is not free to argue that the religious freedom law allows her to avoid issuing licenses to same-sex couples. She can do that on appeal while discharging her duties in the meantime.

No matter what transpires, the incident shows the reach of the jurisprudence of religious freedom. “Somehow the separation of church and state has come to mean blocking the state from protecting the civil rights of citizens and forcing it to support—and pay for—sectarianism, bigotry, superstition and bullying,” Katha Pollitt wrote last year in The Nation. “I really doubt this is what Thomas Jefferson had in mind.”

Categories
cybersecurity

Jailbroken iPhones infected by malware

Nearly a quarter of a million owners of Apple’s iPhone may be at risk of having their iTunes accounts hijacked or their devices held hostage by intruders.

That’s because hackers have distributed malware that allows users to steal log-in credentials and purchase apps and media from both the App and iTunes stores, according to a report published Sunday by Palo Alto Networks, a digital security firm.

The attack is thought to be the largest known theft of data from Apple accounts caused by malware, the firm said.

The malware, known as KeyRaider, affects iPhones whose users have jailbroken the operating system on their devices, disabling its restrictions, to allow installation of third-party apps. As of Sunday, thieves had used KeyRaider to steal nearly 226,000 valid Apple accounts, along with certificates, private keys and other security features, the firm said.

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Claud Xiao, a security researcher at Palo Alto Networks, wrote in a blog post.

As of Sunday, about 20,000 people had downloaded the malware, suggesting at least that many people are misapplying credentials stolen from iTunes accounts. The malware, which also allows intruders to hold phones hostage in return for ransom, has appeared in 18 countries, including the U.S., China and U.K.

Palo Alto Networks traced the malware after members of Weiphone, a community of iPhone fans based in China, discovered unauthorized charges in their iTunes accounts.

The malware offers a reminder that jailbreaking carries risks. “Most security experts discourage the practice unless it’s done by highly experienced people who know exactly what code they’re using to circumvent Apple engineers’ safeguards and, once that’s done, what alternative apps they’re installing,” Dan Goodin wrote Monday at Ars Technica.