Categories
Privacy

FTC probing whether Facebook violated consent decree, report

In Nov. 2011, Facebook settled charges by the Federal Trade Commission that it deceived consumers by advising them they could keep their information on the social network private and then allowing it to be shared and made public.

In the wake of the revelations about Cambridge Analytica, the FTC reportedly is examining whether Facebook violated the terms of the settlement.

Cambridge Analytica, a voter-profiling firm, derived data from more than 50 million Facebook profiles that it accessed via a third-party app. A data scientist at Cambridge University harvested the data starting in June 2014.

That may have contravened the 2011 settlement. Among the charges by the FTC that led to the settlement:

Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.

The FTC further charged:

Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.

The settlement barred Facebook from misrepresenting the privacy or security of users’ personal information.

Categories
Law Privacy

New York ruling that lets police follow cellphone locations without a warrant highlights significance of Supreme Court review in Carpenter case

New Yorkers have no constitutionally protected right to privacy in information about our whereabouts that can be deduced from the data emitted by our cellphones, an appeals court in Rochester has ruled in a case that underscores the significance of a ruling expected this spring from the U.S. Supreme Court.

Sharhad Jiles was sentenced to 25 years to life in prison after being found guilty in the shooting death of Sheldon Hepburn during a 2011 robbery. At trial, prosecutors used records obtained from the company that provided Jiles’ cellphone service to place him in the location of the murder.

Jiles asked the judge to exclude the records, which revealed his location over a period of four days beginning on the date of the robbery, information that Jiles contended prosecutors needed a warrant to obtain.

Prosecutors had acquired the records, which track every time our cellphones register with the nearest tower, via a subpoena issued to the provider pursuant to the federal Stored Communications Act, which allows the government to obtain such data without a showing of probable cause of a crime. The trial judge sided with prosecutors and Jiles appealed.

On appeal, Jiles argued that so-called cell site location information is protected by the Fourth Amendment under two rulings of the Supreme Court: a 2012 decision that overturned the conviction of a Maryland man based on evidence obtained from a GPS device that police, acting without a warrant, affixed for 28 days to the underside of his automobile; and a 2014 ruling by the court that police may not, without a warrant, search the contents of a cellphone obtained from someone who has been arrested.

The New York court disagreed, citing a series of rulings by federal courts that suspects have no constitutionally protected privacy in records they voluntarily supply to a third party, such as checks, deposit slips and other records filed with banks, or telephone numbers they dial.

“We remain bound by the third-party doctrine when interpreting the Fourth Amendment [until] a majority of justices on the [Supreme] Court instructs us otherwise,” Justice Gerald Whalen wrote on behalf of the court in a Dec. 22 ruling.

The instruction should arrive this spring, when the Supreme Court is expected to rule in an appeal from Timothy Carpenter, who was convicted and sentenced to 116 years in prison for a series of robberies in Ohio and Michigan.

At trial, prosecutors introduced evidence of Carpenter’s location they gleaned from records obtained from his cellphone provider that revealed his movements over a period of 127 days.

Like Jiles, Carpenter contended that the government should have obtained a warrant for the records, but both the trial judge and the 6th U.S. Circuit Court of Appeals disagreed.

The Supreme Court heard arguments in the appeal on Nov. 29. Nathan Wessler, an attorney with the American Civil Liberties Union who argued on behalf of Carpenter, distinguished business records such as those filed with a bank from the location data collected by the towers that carry calls from our cellphones.

“The information in bank records can be quite sensitive, but what it cannot do is chart a minute-by-minute account of a person’s locations and movements and associations over a long period regardless of what the person is doing at any given moment,” Wessler said in response to a question by Justice Alito.

Such data gives the government “a categorically new power that is made possible by these perfect tracking devices that 95 percent of Americans carry in their pockets,” he said later in response to a question from Justice Kennedy.

Arguing for the government, Deputy Solicitor General Michael Dreeben dismissed the distinction. By obtaining records that reveal a suspect’s historical location, the government “is doing the same thing” it did in the case of bank records, he told the justices. “It is asking a business to provide information about the business’s own transactions with a customer. And under the third-party doctrine, that does not implicate the Fourth Amendment rights of the customers,” Dreeben added.

As Amy Howe at Scotusblog noted, the challenge for the justices may be where to draw the line between information that is entitled to protection of the Fourth Amendment and that which the government can obtain with a subpoena.

“This is highly personal information,” Justice Breyer remarked, referring to location data that can be gleaned from cell towers.

Justice Sotomayor took note of the erosion of privacy that can accompany developments in technology. “Right now, we’re only talking about the cell sites records, but as I understand it, a cell phone can be pinged in your bedroom,” she said. “It can be pinged at your doctor’s office. It can ping you in the most intimate details of your life. Presumably at some point even in a dressing room as you’re undressing. So I am not beyond the belief that someday a provider could turn on my cell phone and listen to my conversations.”

Justice Alito pushed back, challenging Wessler to distinguish cell site location data from bank records or telephone numbers called. Cellphone service contracts advise subscribers that the company can disclose location information to the government pursuant to a court order.

Wessler replied that the Stored Communications Act provides two ways the government can obtain records: either by a court order or a warrant. That, he argued, suggests that anyone looking at the law “would be quite reasonable and right to assume that the reason there’s a warrant prong is to deal with records like these in which there’s a strong privacy interest.”

Some experts say the march of technology means it’s time for the court to discard the third-party doctrine entirely. Writing recently in The Washington Post, Bruce Schneier, a technologist and lecturer at Harvard’s Kennedy School, noted that we store most of our data on computers that belong to other people.

“It’s our email, text messages, photos, Google docs, and more — all in the cloud,” Schneier wrote. “All this data will be collected and saved by third parties, sometimes for years. The result is a detailed dossier of your activities more complete than any private investigator — or police officer — could possibly collect by following you around.”

Police should be able to draw on the data to help solve crimes, Schneier said. But they first should be required to have probable cause and obtain a warrant.

“It’s long past time the Supreme Court recognized that… my emails and other personal data deserve the same protections, whether they’re on my laptop or on Google’s servers,” he noted.

Categories
Privacy

How the government uses social media to monitor protestors

The death of Freddie Gray in April 2015 while in the custody of Baltimore police touched off a wave of protests in that city about civil rights and the department’s treatment of African-Americans. Days later, as protests mounted, police monitoring social media noticed that kids from a local high school planned to skip class to join a protest at a nearby mall. The department deployed officers to intercept and turn back the students.

The summary of the surveillance comes courtesy of Geofeedia, a Chicago company that sells software that allows users, including police departments across the U.S., to track the whereabouts of people based on searches of data posted to Twitter, Facebook, Instagram and other social networks. According to marketing materials posted by Geofeedia on its website, location-based monitoring of social media activity allowed police in Baltimore “to stay one step ahead of the rioters” and, by running social media photos through facial recognition software, “discover rioters with outstanding warrants and arrest them directly from the crowd.”

We know of the monitoring thanks to the American Civil Liberties Union, which obtained the information via records requests to law enforcement agencies in California. A report released Oct. 11 by the group documents how social media companies provided data about users to Geofeedia that comes directly from their servers.

Though both Facebook and Instagram later cut off the feeds, both companies provided police access to data that allowed Geofeedia to sort by specific topics, hashtag or location. Twitter, which also has since ended the practice, provided searchable access to its database of tweets.

As the ACLU noted, the social networks that supplied data for use in monitoring all have expressed publicly their support for activism and free speech.

“Mark Zuckerberg endorsed Black Lives Matter and expressed sympathy after Philando Castile’s killing, which was broadcast on Facebook Live,” Matt Cagle, an attorney for the ACLU who authored the report, wrote in a blog post. “Twitter’s CEO Jack Dorsey went to Ferguson. Above all, the companies articulate their role as a home for free speech about important social or political issues.”

“Social media monitoring is spreading fast and is a powerful example of surveillance technology that can disproportionately impact communities of color,” Cagle added.

For its part, Geofeedia says it has protections in place to ensure that its technology is not used to infringe civil rights.

Data feeds from the companies have legitimate applications – investors, for example, use data sets from the companies to learn early of problems that can affect stocks, e.g., someone tweets about his friend becoming ill after eating at Chipotle. The data also can help in finding missing persons. But giving it to the government for use in surveillance can chill the exercise of basic freedoms.

The ACLU is calling on social networks to adhere to guidelines that include a prohibition on supplying data access to developers who are providing software for government surveillance. The networks also should develop clear and open policies that bar use of data feeds for surveillance, and should monitor developers to spot violations, the ACLU says.

Categories
Privacy

The US and EU have three months to come to terms on trans-Atlantic data transfers

The United States and Europe have three months to work out a procedure for the transfer of personal data to the US from the EU, representatives of an independent advisory body that brings together data protection regulators from the EU’s member states announced on Saturday.

The announcement, by the EU’s Article 29 Working Party, gives guidance to businesses and other organizations that send data ranging from posts on social media to personnel records across the Atlantic following a ruling in October by the European Court of Justice (ECJ) invalidating a so-called safe harbor that had governed such transfers since 2000.

The ruling by the ECJ highlighted the cross-border flow of data and raised anew questions about the protections for privacy in a digital economy. It also upended the expectations of more than 4,000 companies, including tech giants such as Facebook, Amazon, and Google, that had certified compliance with the safe harbor to relay data from Europe to the US.

The statement by the Article 29 Working Party aims to allay fears by companies that the ECJ’s ruling might spur regulators in Europe to bring enforcement actions against companies for mishandling data transfers. In the meantime, companies can use contracts to assure privacy safeguards or adopt rules that protect the privacy of data transfers among corporate subsidiaries.

Officials on both sides of the Atlantic also say they will continue negotiations on a pact that can replace the safe harbor. If the sides cannot agree by the end of January, regulators in each of the EU’s member states will “take all necessary and appropriate action, including coordinated enforcement actions,” the Working Party said in its statement.

“Transfers of personal data are an essential element of the transatlantic relationship,” the group added. “The EU and the US are each other’s most important trading partners, and data transfers, increasingly, form an integral part of their commercial exchanges.”

The safe harbor reconciled differences in privacy protection between the US and EU, which holds that citizens have a fundamental right to privacy with respect to the processing of their data. The US regulates privacy by sector but lacks a national scheme.

The ECJ nullified the safe harbor as part of its resolution of a referral from Ireland’s high court, which had referred the matter to the ECJ following a ruling by the republic’s data protection commission (DPC) that the safe harbor preempted investigation of a claim of an alleged violation.

The case began in June 2013, when Max Schrems, then a law student at the University of Vienna, filed a complaint with the DPC charging that Facebook, which maintains its European headquarters in Dublin, sent at least some of the information he and his fellow citizens of the EU posted on the site to servers the company operates in the United States.

Schrems premised his complaint on leaks by Edward Snowden, who documented how the National Security Agency obtained information about users from Facebook, Google, and other tech firms. The surveillance, Schrems asserted, contravened the EU’s protections for personal data.

The ECJ agreed. According to the court, the National Security Agency’s ability to compel tech firms to hand over electronic communications provided by their users “must be regarded as compromising the essence of the fundamental right to respect for private life.”

In January 2014, the Obama administration and tech companies announced a deal that allows the companies to disclose information about data they are required to share with the government

Categories
Privacy

Cell site records privacy comes to the Supreme Court

This fall the Supreme Court will decide whether to hear an appeal that addresses the privacy each of us has in information our cellphones exchange with the network that reveals our movements over time.

The matter comes to the Court in an appeal by Quartavious Davis, an Alabama man who was convicted in 2011 of a string of seven armed robberies in Miami, Florida that netted him a sentence of 162 years in prison. Federal prosecutors tied Davis to the heists—which included robbing a pharmacy, an auto parts store, a beauty salon, and a fast food restaurant—in part from transmissions between his cellphone and the towers it transmitted to as he moved about town.

Prosecutors obtained the cell site data pursuant to an order from a federal magistrate judge that authorized them to review Davis’ phone location for a period of 67 days in September and October of 2010 that straddled the heists.

According to court papers, the records, which prosecutors obtained from MetroPCS, Davis’ service provider, revealed 11,606 points of information about his whereabouts, including calls he allegedly placed to and received from co-conspirators.

At trial, Davis moved to exclude the location information, asserting that prosecutors obtained it without a search warrant. Prosecutors relied instead on the Stored Communications Act, a federal law that authorizes law enforcement to obtain records a magistrate deems relevant to an ongoing criminal investigation.

The problem, Davis asserts, is that the government’s obtaining the location data constituted a search within the meaning of the Fourth Amendment. That required prosecutors to obtain a warrant supported by probable cause, which means prosecutors would have had to demonstrate to a judge a reasonable basis for believing a crime had been committed.

The distinction matters to Davis, who was sentenced at age 22 and faces the rest of his life in prison, but also to anyone who uses a cellphone, which is to say nearly all of us. Ninety-two percent of American adults own a cellphone or smartphone, according to a study published in August by the Pew Research Center. And 90 percent of cellphone owners say they frequently carry their phone with them.

Cell site information reveals an abundance of information about us. As Justice Sotomayor wrote in 2012 in a case that found the government’s attaching a GPS device to a vehicle for 28 days to be a search within the meaning of the Fourth Amendment, “I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.”

Davis’ appeal presents the Court with an opportunity to revisit the so-called third-party doctrine, which holds that you lack a reasonable expectation of privacy in information you disclose voluntarily to third parties. The approach, which traditionally applied to things like a suspect’s bank records, makes less sense in an age in which, as Justice Sotomayor noted in the concurrence cited above, “people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The Court has recognized as much. Last year the justices ruled unanimously that police may not, without a warrant, search information on a cellphone from someone who has been arrested. Writing for the Court, Justice Roberts noted:

“Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cellphone, with all that it contains, who is the exception. According to one poll, nearly three-quarters of smart phone users report being within five feet of their phones most of the time, with 12% admitting that they even use their phones in the shower.”

In Davis’ case, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit ruled that the government violated his rights under the Fourth Amendment by obtaining the cell site location records without a warrant. Still, the panel sided with the trial judge and upheld the conviction because prosecutors relied in good faith on the magistrate’s order.

By a vote of 6 to 5, the entire Eleventh Circuit later reversed the panel, holding that the government did not violate the Fourth Amendment when it obtained the location data because Davis had no reasonable expectation of privacy in records held by his service provider.

The ruling set up a split among federal appeals courts. The U.S. Court of Appeals for the 4th Circuit ruled in August that the government’s accessing cell site data constitutes a search under the Fourth Amendment. That makes the case ripe for review by the Supreme Court, Davis contends. According to the Electronic Frontier Foundation, which filed a friend-of-the-court brief urging the Court to decide the case:

“Given the prevalence of cellphones and smartphones, and the increasing number of law enforcement requests for this sensitive information, this case thus presents a question of compelling national importance. The number of Americans promised that [cell site location information] remains private and accessible to law enforcement only with the protections of a search warrant is increasing. Yet, this legal protection is not uniform, and the federal courts in particular have issued conflicting opinions on the topic, leaving the public and law enforcement in limbo.”

The number of requests by law enforcement for location data is rising. According to figures cited by EFF, AT&T projects it will receive nearly 76,000 requests for cell site location information this year from law enforcement, up 19% from a year earlier and just under the number of such requests received in 2012. Verizon is projecting a 55% increase in the number of so-called cell tower dumps, a majority of which, EFF observes, occur without a warrant.

Note that Davis’ appeal ties to historical location data. Several states already require police to obtain a warrant before tracking a cellphone in real time. This chart from 2011 will give you a sense of how long your cellular provider retains a record of towers used by your phone.

For the Court to take up Davis’ case, at least four justices will have to vote to hear the appeal. In addition to an opportunity to unify the circuits, the justices could use the appeal to clarify the standard for assessing the government’s conduct. Orin Kerr, a professor of law at George Washington University, says the Eleventh Circuit’s reasoning also may make the case worthy of review. As Kerr wrote in The Washington Post following the appeals court decision:

“Instead of the… rule of a warrant, the court begins with general balancing. It’s important to catch criminals, the court reasons, and the statute has some good protections given that this wasn’t such an invasive practice. So on the whole the government’s conduct based on reasonable suspicion seems reasonable and therefore constitutional.

This alternative holding is a major development, I think. It’s at odds with the usual rule that a criminal search requires a warrant, and instead replaces it with a totality of the circumstances inquiry into whether the criminal search was the kind of thing that we would generally say is good or would generally say is bad. There’s not only no warrant requirement, there’s no probable cause requirement: It’s just a free-floating reasonableness inquiry.”

According to the Reporters Committee for Freedom of the Press, allowing warrantless access to cell site data also undermines freedoms guaranteed by the First Amendment. “In part because location data can be so revelatory, journalists frequently go to great lengths to ensure that the locations where they meet their sources are kept private, and that their communications are confidential,” the group writes in a friend-of-the-court brief.

From precedent, we know the justices are paying attention to the privacy implications of technology. In that regard, they seem likely to read a concurrence by Judge Robin Rosenbaum, a member of the Eleventh Circuit who, despite finding the search of Davis’ location data reasonable under the Stored Communications Act, expressed concern.

“In our time, unless a person is willing to live ‘off the grid,’ it is nearly impossible to avoid disclosing the most personal of information to third-party service providers on a constant basis, just to navigate daily life,” Rosenbaum wrote. “And the thought that the government should be able to access such information without the basic protection that a warrant offers is nothing less than chilling.”

Categories
Privacy

Spokeo presents the Supreme Court with an opportunity to validate privacy protections for a digital age

The U.S. Supreme Court is slated to hear an appeal this November that deals with a technical question concerning the right to sue but promises to affect significantly our ability to influence the accuracy of information about us that appears online.

The case involves a lawsuit against Spokeo, a people-finder site that aggregates information from social networks, real estate listings and other public sources. The dispute began five years ago when Thomas Robins, a Virginia resident, sued the Pasadena, Calif.-based company for allegedly violating the Fair Credit Reporting Act (FCRA).

According to Robins, Spokeo’s search results showed he held a graduate degree, was affluent, and married with children. None of that was true, he charges. In reality, Robins, then in his mid-50s, was unemployed, single and searching for a job.

Robins asserts that companies use Spokeo’s results to size up applicants for employment. That, Robins claims, undermined his search by presenting him as more educated and wealthier than he happened to be, which, according to Robins, dissuaded employers from considering him for certain jobs and contributed to his remaining unemployed as well as to anxiety, stress and worry about his allegedly diminished prospects.

Robins, who Spokeo says did not claim he asked the company to remove the listing or correct the results (you can for your listing, via this form), also charged the company with knowing about shortcomings in the way it gathered information and with failing to follow the FCRA’s mandate that consumer reporting agencies ensure the maximum possible accuracy of reports they generate. That, alleges Robins, entitles him to damages of up to $1,000 for each violation, as provided by the FCRA.

A trial judge in Los Angeles dismissed the case, ruling that Robins failed to allege an injury concrete enough to establish a right to sue—a prerequisite for suing someone in federal court—and that any harms he asserted were insufficiently traceable to Spokeo’s alleged violations.

Robins appealed to the U.S. Court of Appeals for the 9th Circuit, which reversed the trial court and sided with Robins after determining that the violation of the FCRA he charged itself satisfied the injury-in-fact requirement. Spokeo then appealed to the Supreme Court, which last spring agreed to hear the case.

At one level, the appeal presents the justices with a question about the jurisdiction of the federal courts, which the Constitution limits to deciding legal questions that arise out of an actual dispute between real parties. To determine whether such a dispute exists, federal courts apply a three-part test, pursuant to which a plaintiff must be able to show concrete injury, a causal connection between the injury and the challenged actions of the defendant, and a likelihood that the injury will be set right, or redressed, by a favorable decision.

Spokeo, which describes itself as an Internet search engine rather than a consumer reporting agency—a distinction that matters for purposes of determining whether it has obligations under the FCRA—argues on appeal that Congress can give private parties a right to sue for alleged violations of a statute but that right, by itself, does not relieve those parties of the need to show actual injury in order to proceed.

According to Spokeo, the appeals court did not base its decision on an allegation by Robins that he suffered a specific financial loss or missed out on being hired for a particular job. Instead, argues Spokeo, the panel looked no further than the alleged violation of the FCRA. “The Ninth Circuit recognized that its analysis had the practical effect of turning the three-part test for… standing into a single-factor inquiry that was satisfied by the availability of a statutory remedy,” Spokeo asserts in a brief filed in July with the Supreme Court.

The requirement that a plaintiff demonstrate concrete harm “is necessary to prevent the erosion of the Constitution’s fundamental structure,” writes Spokeo, which says the stipulation ensures that courts remain within their role of preventing “actual or imminently threatened injury.” Standing also prevents Congress from “impermissibly delegating” to private parties the duty of the executive branch to enforce the law and protects “individual liberty” from plaintiffs who, in essence, charge violations of the law out of self-interest, the company argues.

Of course, Spokeo has another concern. According to the company, a class action in this case could expose it to “billions of dollars” in damages, based on Robins’ assertion that millions of people who could claim to have been on the receiving end of FCRA violations may be eligible to join the lawsuit.

Robins counters that the alleged violation of the statute means that, by definition, he also has suffered pecuniary harm. He “and Spokeo have a legal dispute over a fixed sum of money that turns on whether Spokeo violated Robins’s legal interest under the FCRA,” he writes in a brief filed Aug. 31. “This right to statutory damages is not a ‘bounty’ Robins ‘will receive if the suit is successful.’ (citation omitted). His right to statutory damages arose as soon as Spokeo violated his rights, and the monetary claim is his alone.”

According to Robins, the Supreme Court need look no further than Spokeo’s alleged violation, which is sufficient to establish standing in this case. In short, Congress conferred standing when it gave private parties the right to sue for violations of the FCRA, Robins asserts.

He also notes that three years ago Spokeo agreed to pay $800,000 to settle charges that over a period of two years ending in 2010 it marketed search results to recruiters without adhering to safeguards for credit reporting.

The Obama administration has sided with Robins. “FCRA confers upon [Robins] a legal right to avoid the dissemination of inaccurate personal information about himself under the circumstances presented here,” writes Solicitor General Donald B. Verrilli Jr. in a friend-of-the-court brief filed Sept. 8. “Under this Court’s precedents, a violation of that legal right is an injury sufficient to satisfy Article III requirements, whether or not respondent can identify further consequential harms resulting from the violation.”

But there’s much more at stake than standing, say privacy and civil liberties groups. In revising the FCRA in 1969, Congress specifically expressed concern that computerization of personal data could lead to inaccurate credit reports—which by their very nature are derived from data supplied by creditors whose own records may contain errors—being published widely while leaving consumers without recourse to correct the information or to hold companies that furnish or report such data accountable.

“We are now in a digital era in which data brokers routinely acquire, access, compile, analyze, and sell vast data stores of consumers’ personal information, transactions, and behaviors,” write the Center for Democracy & Technology (CDT), the Electronic Frontier Foundation (EFF), and the New America foundation (New America) in a friend-of-the-court brief filed Sept. 8. “This activity occurs with little regulation or market incentive to ensure that information is accurate, timely, and used in a manner compliant with existing law.”

Robins alleges that unlike a search engine such as Google or Yahoo, Spokeo, in its search results, “draws conclusions, makes predictions, and otherwise makes factual assertions” about the data that tie to a consumer’s financial well being or lifestyle “that do not appear in the public or private data that defendant’s search result draws from.” According to the CDT, EFF and New America:

“While Spokeo’s inaccuracies might initially appear to favor Mr. Robins, they may have in fact damaged his ability to find employment by creating the erroneous impression that he was overqualified for the work he was seeking, that he might be unwilling to relocate for a job due to family commitments, or that his salary demands would exceed what prospective employers were prepared to offer him. The FCRA’s private right of action is the only way Mr. Robins can enforce his rights under the law and redress these inaccuracies. If the FCRA’s requirements are effectively unenforceable, data brokers such as Spokeo have little incentive to follow the law.”

Not surprisingly, a host of companies have weighed in on behalf of Spokeo. Among them are Facebook, Google, Twitter, eBay, Netflix and other tech firms that, according to a brief they filed July 9, fear liability from class actions alleging “technical statutory violations that are not alleged to ‘have affected the plaintiff’ or harmed anyone.” (citation omitted) Credit reporting agencies, banks, home builders, media companies, and other businesses have raised similar arguments.

The chorus from companies sparked a reply from Patricia Moore, a professor at St. Thomas University School of Law, who wrote recently that “literally hundreds of state and federal statutes create private rights of action to encourage compliance with laws meant to protect consumers, workers, and the environment.”

According to Moore, Spokeo and the companies that are weighing in on its behalf “have conceived a new way to neutralize any statute anywhere that authorizes statutory damages. That is: tar the private right of action… and claim that violation of the statute is ‘technical,’… so not good enough for standing.”

A group of 15 information privacy scholars has made a similar point. In a friend-of-the-court brief filed Sept. 4, the group argues that “a broad ruling” in favor of Spokeo would “disrupt established privacy law well beyond the boundaries of the FCRA.”

The scholars cite the Video Privacy Protection Act, a federal law that bars disclosure of the movies someone has rented without his or her consent, and the Wiretap Act, as examples of laws that allow private parties to sue for violations and, in the case of the Wiretap Act, specify statutory damages as an alternative to actual damages, much like the FCRA. According to the scholars, whether in those laws or the FCRA:

“Congress did not ‘create’ injury in any of these statutes. Rather, in each case, it simply recognized privacy injuries-in-fact occurring in new technological contexts, delineated corresponding legal violations, and created private civil rights of action as legal remedies. This it was constitutionally empowered to do. The Court should not second-guess considered legislative judgments about the desirability of affording such remedies.”

Of course, it’s hard to predict whether a majority of the Court will embrace that argument or insist on a showing by Robins of injury beyond the statutory violation, as Spokeo suggests. Or accept the distinction drawn by Spokeo between technical violations and violations generally. It may be, as Moore suggests, a distinction without a difference and calculated solely to allow companies to evade liability.

Or the Court could look to see who was harmed here. Did Robins have more difficulty finding a job thanks to Spokeo’s practices, assuming, that is, the company acted as a consumer reporting agency? What about the anxiety and stress he alleges? If so, what might Robins’ recourse be, if not a lawsuit like the one at issue in this case? And how might the Court feel about people-searches that disseminate inaccuracies? Some of the justices are listed in Spokeo, too.


Microsoft warrant case goes before appeals panel

Microsoft and the Department of Justice will square off today before a federal appeals panel in Manhattan in a case that has implications for digital privacy and the flow of data across borders.

The appeal marks a return to court of a dispute that began nearly two years ago when DOJ obtained a search warrant to seize emails belonging to a suspect in a narcotics trafficking investigation.

Microsoft objected to the warrant, asserting it sought emails from a data center owned by the company in Dublin, where, the company argues, the U.S. has no jurisdiction to seize records. Two lower courts backed DOJ, ruling the warrant was valid because Microsoft controls the data from the U.S. regardless of where the emails happen to be stored.

The appeal comes amid lingering tensions between the U.S. and European Union over digital privacy in the wake of revelations about the extent of spying by the National Security Agency and raises a question of how much control over information a nation has within its borders.

Microsoft argues that neither the Fourth Amendment nor the Stored Communications Act, a federal law that limits the ability of the government to force email providers to turn over customer communications absent a court order, applies outside the U.S.

“If the government prevails here, the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft’s offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country,” the company wrote in court papers.

But the warrant simply demands production of records by Microsoft, a company subject to U.S. jurisdiction, counters the government. “Under long settled precedent, the power of compelled disclosure reaches records stored abroad so long as there is personal jurisdiction over the custodian and the custodian has control over the records,” DOJ argues.

According to the government, a warrant issued pursuant to the Stored Communications Act operates like a subpoena, in that it obligates the provider to turn over the records and does not require a law enforcement officer to search the premises.

Tech companies and civil liberties groups that have weighed in on behalf of Microsoft reject the analogy. “The Fourth Amendment requires the government obtain emails with a search warrant,” wrote the Electronic Frontier Foundation, the ACLU, the Brennan Center, and The Constitution Project in a friend-of-the-court brief. “Although the government did obtain a warrant here, extending the warrant’s reach to emails stored abroad should not rest on an inaccurate analogy to subpoenas.”

A ruling in the government’s favor could spur other countries to serve warrants on tech companies for the private messages of Americans that are stored in U.S. data centers owned by companies based abroad, experts say.

A win for the government also could encourage more tech companies to encrypt messages in ways that make them impossible to read unless the recipient decodes them. Apple recently refused to turn over iMessages sought by the government, saying it couldn’t get access to the messages because they are encrypted. The dustup highlights an ongoing debate over the use of encryption and the government’s ability to unlock data when the needs of law enforcement and national security demand.


Apple stance on privacy may slow artificial intelligence push: report

Those of us who use iPhones may have more to welcome this week than Apple’s event to unveil the latest devices.

The computer maker’s stance on guarding customer privacy may be slowing its push to stay ahead of rivals in the race to develop digital assistants, Reuters reports. If correct, that means the company is upholding its pledge to respect customers’ personal privacy, but more on that in a minute.

At issue is a race by Apple, Google and other tech companies to recruit experts in machine learning, a branch of artificial intelligence that allows computers to anticipate what users want without being explicitly programmed.

The larger the set of data that software can analyze, the more precise those predictions can become. But with a self-imposed privacy policy that causes iPhones and other devices to refresh every 15 minutes, Apple forgoes the opportunity to send the data to the cloud, where the information could be combined with other data, analyzed and, possibly, sold to advertisers.

That benefits users by protecting their personal privacy but can slow the evolution of services such as Siri to anticipate users’ needs. “They want to make a phone that responds to you very quickly without knowledge of the rest of the world,” Joseph Gonzalez, co-founder of Dato, a machine learning startup, told Reuters, referring to Apple. “It’s harder to do that.”

Or not. If any company can reconcile the imperatives of privacy and technological progress in a way that advances both, it may be Apple.

The next generation of Apple’s services will depend heavily on artificial intelligence, AppleInsider reports. At the same time, digital assistants developed by Google and Microsoft reportedly are getting better at learning users’ routines.

Apple currently aims to recruit at least 86 more experts in machine learning, according to an analysis by Reuters of the computer maker’s jobs postings.

Apple CEO Tim Cook said in June that his company won’t be a party to the exchange that defines the relationship of many tech companies and their customers, in which customers accept free services in return for companies’ selling information about consumers’ searches, shopping, health and more to advertisers.

“They’re gobbling up everything they can learn about you and trying to monetize it,” Cook told a gathering in Washington sponsored by privacy advocates. “We think that’s wrong.”

Edward Snowden, the former government subcontractor who revealed the magnitude of the National Security Agency’s spying on Americans in the wake of the 9/11 attacks, said Apple’s stance deserved consumers’ support.

“Regardless of whether it’s honest or dishonest, for the moment, now, that’s something we should… incentivize, and it’s actually something we should emulate,” Snowden told an audience in Spain about two weeks after Cook outlined the company’s policy.

Apple is slated to introduce enhancements to Siri this Wednesday as part of the rollout of iOS 9, the latest version of the company’s operating system for the iPhone and iPad.


In shift, Justice Department requires warrants for using stingrays to spy on cellphones

The Justice Department has tightened restrictions for tracking cellphone signals in a move that officials say will improve transparency and protect the public from unwarranted invasions of privacy.

Henceforth the FBI and federal law-enforcement agencies will need a warrant supported by probable cause before using a so-called cell-site simulator, which can impersonate a cellphone tower by sending out signals that induce phones to respond with identifying information.

The move represents a win for privacy even though the warrant requirement doesn’t apply to state and local governments, which also use cell-site simulators to track suspects.

The devices, which are known variously as stingrays, dirtboxes or IMSI catchers (for International Mobile Subscriber Identity), are used widely for surveillance but have proved to be controversial because of their sweep and the secrecy that shrouds their use. Agents deploy the devices from cars and planes, which enable scanning across larger areas.

“Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” Deputy Attorney General Sally Quillan Yates said Thursday in a statement announcing the change. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.”

The pivot by DOJ represents a departure from past practice, when law enforcement personnel had to certify merely that use of a cell-site simulator was relevant to an ongoing criminal investigation.

Under the revised guidelines, agents may not configure simulators to collect the contents of communications, including emails and text messages. Agents also must inform judges when applying for warrants that use of the device will capture information from cellphones in the vicinity that are not subject to the investigation, and that the simulator may disrupt service temporarily for all cellphones within reach of its signal. Officials also must detail to the court how they plan to delete data not associated with the device being targeted.

As is the case under the Fourth Amendment generally, federal officials can use a simulator without first obtaining a warrant in the event of so-called exigent circumstances or when the law does not require a warrant, in which instance agents must first obtain the OK of officials within DOJ.

The Guardian reported Friday that public defenders in Baltimore are examining more than 2,000 cases in which police used stingrays to gather evidence on suspects secretly. Prosecutors are obligated to disclose evidence against criminal defendants in the discovery phase of a criminal trial.


Shutterfly lawsuit highlights concerns with the use of facial recognition and the problem with a ‘Shazam’ for faces

A lawsuit pending in a federal court in Chicago may answer whether tagging and storing photos of someone without that person’s permission violates a state law that regulates the collection and use of biometric information.

That’s the hope of Brian Norberg, a Chicago resident, who in June sued Shutterfly, an online business that lets customers turn photos into books, stationery, cards and calendars. The class action represents the latest in a series of challenges to the use of facial recognition and other technologies that record our unique physical attributes.

Norberg, who claims never to have used Shutterfly, charges that between February and June, someone else uploaded at least one photo of him to Shutterfly and 10 more to the company’s ThisLife storage service. According to Norberg, the company created and stored a template for each photo based on such biological identifiers as the distance between his eyes and ears. The service allegedly prompted the person who uploaded the images to also tag them with Norberg’s first and last names—all without Norberg’s permission.

That, charges Norberg, contravened the state’s Biometric Information Privacy Act (BIPA), a law enacted seven years ago that bars businesses from collecting a scan of someone’s “hand or face geometry,” a scan of their retina or iris, or a fingerprint or voiceprint, without their consent. The law authorizes anyone whose biometrics are used illegally to sue for as much as $5,000 per violation.

In July, Shutterfly asked U.S. District Judge Charles Norgle Sr. to dismiss the lawsuit. According to the company, the BIPA specifically excludes photographs and information derived from them. And, even if the law were unclear, says Shutterfly, the legislature intended it to apply to the use of biometrics to facilitate financial transactions and consumer purchases, not to photo-sharing.

“Scanning photos to allow users to organize their own photos is a far cry from the biometric-facilitated financial transactions and security screenings BIPA is aimed at—such as the use of finger-scanning technology at grocery stores, gas stations, or school cafeterias,” the company asserted in court papers.

In a rejoinder filed last Friday, Norberg says that creating templates based on scans of facial features, not the photos themselves, violates the BIPA. “The resulting face templates—not the innocuous photographs from which they were derived, but the resulting highly detailed digital maps of geometric points and measurements—are ‘scans of face geometry’ and thus fall within the BIPA’s definition of ‘biometric identifiers,’” he wrote.

“By [Shutterfly’s] logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the data base were derived from photographs,” Norberg added. “And indeed, that appears to be exactly what they are doing.”

Of course, facial recognition technology is used widely already. As Ben Sobel, a researcher at the Center on Privacy & Technology at Georgetown Law, explained recently in The Washington Post:

“Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged. Facebook calls this ‘Tag Suggestions’ and explains it as follows: ‘We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features… This template is based on your profile pictures and photos you’ve been tagged in on Facebook.’ Once it has built this template, Tag Suggestions analyzes photos uploaded by your friends to see if your face appears in them. If its algorithm detects your face, Facebook can encourage the uploader to tag you.”

Facebook also is defending a class action filed last spring that charges the company’s use of facial-recognition software to identify users violates the BIPA. Facebook users have uploaded at least 250 billion photos to the social networking site and continue to do so at a rate of 350 million images a day, reports Sobel, who adds that Facebook’s tagging occurs by default, whereas Google’s requires you to opt in to it.

According to the Federal Trade Commission, companies that use facial recognition technologies should simplify choices for consumers and increase the transparency of their practices. Social networks should provide users with “a clear notice—outside of a privacy policy—about how the feature works, what data it collects and how it will use the data,” the agency wrote in a report published in October 2012. Significantly, social networks should give users an easy way to opt out of having their biometric data collected and the ability to turn off the collection at any time, the agency advised.

Still, that may not cover someone like Norberg, who says he never used Shutterfly. Or prevent an app akin to a Shazam for faces that would allow users to discover someone’s identity (and possibly more, such as their address) by photographing someone regardless of whether the subject knows or consents. Situations like those would require the company to obtain the subject’s express affirmative consent—meaning that consumers would have to affirmatively choose to participate in such a system—the FTC noted.

And those are commercial users of biometrics. The photos of at least 120 million people sit in databases—many built from images uploaded from applications for driver’s licenses and passports—that can be searched by the police and law enforcement. Use of biometrics by the government raises additional concerns, including a need to ensure that a suspect has been detained lawfully before police can photograph the person or swab for DNA.

At a hearing in October 2010 that examined use of facial-recognition technology, Senator Al Franken of Minnesota, the senior Democrat on the Judiciary Subcommittee on Privacy, Technology and the Law, noted that in the era of J. Edgar Hoover, the FBI used wiretaps sweepingly with little regard for privacy.

Congress later passed the Wiretap Act, which requires police to obtain a warrant before they get a wiretap and limits use of wiretaps to investigations of serious crimes. “I think that we need to ask ourselves whether Congress is in a similar position today as it was 50 or 60 years ago—before passage of the Wiretap Act,” Franken said.