Categories
Law Privacy

Senate pushes cybersecurity bill to September

The U.S. Senate Wednesday agreed to postpone until September debate on a bill to bolster cybersecurity.

The legislation, known as the Cybersecurity Information Sharing Act, would direct the federal government to share cyber threats with businesses and shield companies that exchange information and best practices about cybersecurity from antitrust liability.

The deal addresses concerns expressed by senators who charged that the measure as it stands would fail to prevent cyberattacks or to protect privacy sufficiently.

The agreement means that Democratic Senators Ron Wyden (Ore.), Patrick Leahy (Vt.) and Al Franken (Minn.), along with Republican Senators Rand Paul (Ky.) and Dean Heller (Nev.), all will be able to offer amendments they say strengthen civil liberties and improve the bill.

“We’ve got to debate some real things like cybersecurity, and have real amendments, not pretend amendments,” Leahy told National Journal.

Categories
Law Privacy

Senate to take up cybersecurity bill as concerns about privacy continue

The U.S. Senate is slated this week to take up legislation that aims to bolster cybersecurity by spurring businesses and the federal government to share information about digital threats and best practices with one another.

The measure, known as the Cybersecurity Information Sharing Act, would direct the federal government to develop ways to share information with the private sector while taking steps to protect privacy and civil liberties. The bill also aims to address antitrust concerns by shielding businesses that share information from enforcement of laws that otherwise might dissuade those businesses from cooperating. The House passed a similar measure in April.

The push represents the third time in as many years that Congress has tried to pass legislation that would encourage sharing of cyber threats. Recent cyberattacks on the Office of Personnel Management, Sony Pictures Entertainment and other targets have prompted legislators to try again. Cybercrime costs the global economy more than $400 billion annually, according to a study released jointly last summer by McAfee and the Center for Strategic and International Studies.

Though the measure passed the Senate Intelligence Committee in March, maneuvering underway since then has centered on a tension between defending digital networks and protecting the privacy of Americans whose information is stored in those systems.

Among the concerns: the measure could result in companies handing over personally identifiable information to the National Security Agency. Such information might include, for example, the browsing history of someone who happens to have visited a website that becomes the subject of a cyberattack.

On Monday, Senator Al Franken, Democrat of Minnesota, released a letter from the Department of Homeland Security (DHS), which cautioned against allowing companies to share information with intelligence agencies without first channeling the information through DHS. “The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” wrote Alejandro Mayorkas, the deputy secretary of homeland security.

“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” Mayorkas added.

Though Senators Richard Burr, Republican of North Carolina and chairman of the intelligence panel, and Dianne Feinstein, the committee’s top Democrat, have circulated an amendment that aims to address concerns over the legislation’s impact on privacy, some civil liberties groups say the fixes don’t go far enough. According to the Center for Democracy and Technology, the bill as modified still would authorize the government to use information about cyber threats to investigate and prosecute crimes of espionage, identity theft and trade secrets violations, regardless of whether those infractions tie to cybersecurity.

The White House backs passage of cybersecurity legislation but has called on Congress to strengthen protections for privacy and to narrow an exemption from liability for companies that fail to secure their networks after receiving threat information.

That leaves the question of whether the measures actually would cause businesses and the government to exchange more information about cyber threats. While the measure aims to ease companies’ fears of legal liability, the Department of Justice and the Federal Trade Commission already have advised companies “that properly designed sharing of cyber threat information should not raise antitrust concerns.”

And as N. Eric Weiss of the Congressional Research Service observed in June, sharing of cyber threats happens currently. Industries ranging from retail to financial services participate in so-called information sharing and analysis centers (ISACs) that serve as clearinghouses for information about cyber threats.

“The ‘bottom line’ is how likely nonfederal entities—particularly businesses—value the benefits from sharing information against the cost of sharing,” wrote Weiss, who notes that neither bill would address the cost of membership in ISACs, which can run anywhere from $10,000 to $100,000 and thus might exceed what small and medium-sized businesses can afford.

Still, the wave of cyberattacks—and the fallout from them—might cause businesses to think anew about the advantages of sharing. “Although most data breaches have not been expensive compared with the revenues and profits earned,” noted Weiss, “recent events may change the attitude of boards of directors and senior management: the chief executive officers at Target and Sony Entertainment were forced to resign.”

Categories
Law Privacy

FCC to address Internet privacy

The chairman of the Federal Communications Commission announced in June that the agency plans this fall to address privacy in the context of consumers’ use of the Internet.

The spur for putting privacy on the agenda is the decision last winter by the FCC to enshrine the principle of an Internet open to all providers of content—a concept better known as net neutrality—within the agency’s authority to regulate common carriers pursuant to Title II of the Communications Act.

The decision included a determination that providers of broadband Internet service, including broadband delivered via mobile devices, will be subject to a section of the law that governs so-called customer proprietary network information (CPNI), which includes such things as the frequency, duration and timing of calls. In short, CPNI is the information that telecommunications companies learn by virtue of providing service to customers.

Except for billing, emergencies and other exceptions provided by law, carriers cannot use CPNI without the approval of customers. But until the FCC’s net-neutrality ruling, the rules that govern use of CPNI applied only to services such as Voice over Internet Protocol—think Skype—that tie to the telephone network.

That seems likely to change. As the FCC noted in its net-neutrality ruling, the rules that govern use of CPNI by telephone companies would not be “well suited” to broadband Internet service. The reason: the FCC revised those rules in recent years while broadband Internet service was still classified as a so-called information service, a classification that exempted Internet service providers (ISPs) from common carrier status and that later led a federal appeals court to order the FCC to revise its approach.

In addition, “the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet services is likely to have access, such as (to cite just one example) customers’ web browsing history,” the FCC explained.

Until it can adopt rules that address the use of CPNI by broadband Internet providers specifically, the FCC says it “intends to focus on whether providers are taking reasonable, good-faith steps to comply” with restrictions on the use of CPNI set forth in the Communications Act. Note that CPNI does not include customers’ names, addresses and other personal information, the handling of which is governed by laws such as the Cable Television Privacy Act and the privacy notices that cable and phone companies deliver to subscribers.

So what protections for privacy should apply to broadband networks? In July, nine Democratic senators, including Elizabeth Warren and White House hopeful Bernie Sanders, wrote to FCC Chairman Tom Wheeler with some suggestions. The proposals include ensuring the definition of CPNI includes data pertaining to Internet usage, online activity and payments; directing ISPs to collect data transparently; requiring ISPs to obtain consumers’ express consent before sharing information; ordering ISPs to safeguard customers’ information and to notify customers in the event of a data breach; and giving consumers a clear process for resolving complaints.

“We call on the Commission to adopt a comprehensive definition of CPNI as it pertains to broadband,” the senators wrote. “Every click consumers make online paints a detailed picture of their personal and professional lives.”

Categories
Law Privacy

Pocket-dial calls are not private, court rules

Someone whom you pocket-dial can listen to your call with impunity, a federal appeals court has ruled.

That’s because you know, or should know, that using a cellphone might result in your calling someone inadvertently, according to the U.S. Court of Appeals for the Sixth Circuit, which held recently that an assistant to the CEO of Cincinnati/Northern Kentucky International Airport who overheard comments about her boss by the airport’s chairman after he pocket-dialed the assistant is not liable for unlawfully intercepting a private conversation.

The assistant, Carol Spaw, listened continuously on Oct. 24, 2013 while James Huff, the chairman of the airport board, discussed Candace McGraw, the CEO, with Larry Savage, the airport’s vice-chairman, and later with Huff’s wife, Bertha. The men had stepped onto an outdoor balcony at their hotel in Bologna, Italy, where they discussed airport personnel matters, including the possibility of replacing McGraw as CEO.

Both Huff and his wife, with whom Huff continued discussing McGraw after returning to their room, later sued Spaw for intentionally intercepting their private conversations. A trial court ruled in favor of Spaw after concluding that because Huff placed the call, the Huffs lacked a reasonable expectation that their conversation would not be intercepted.

The appeals court agreed with respect to James but not with regard to Bertha. Writing for a three-judge panel, Judge Danny Boggs noted that “a number of simple and well-known measures can prevent pocket-dials from occurring.” But James Huff did not employ any of those measures, Boggs noted, adding, “He is no different from the person who exposes in-home activities by leaving drapes open or a webcam on and therefore has not exhibited an expectation of privacy.”

At issue was a series of steps that led to Spaw’s overhearing a conversation the participants thought to be private. After stepping onto the balcony, Huff tried to call Spaw using his iPhone to ask her to make a dinner reservation for him and Savage. When the call failed to connect, Savage called Spaw, who agreed to make reservations.

Thereafter, while Huff and Savage discussed personnel matters, the iPhone, which Huff had placed in the breast pocket of his jacket, called Spaw’s office phone, which she answered. After saying “hello” several times without a response, Spaw placed her phone on speaker mode and said “hello” a few more times. Within the first two minutes, Spaw realized that Huff and Savage were discussing McGraw, which prompted Spaw to take handwritten notes of the conversation and to instruct her colleague Nancy Hill, who also could hear the men talking, to do the same.

Spaw listened continuously to the call, which lasted 91 minutes. During that time, Huff finished his conversation with Savage and returned to his room, where he relayed to Bertha the substance of his conversation with Savage. Spaw, who used an iPhone to record part of the call, claimed that she felt obliged to do so after hearing the men discuss what Spaw described as an intention to discriminate against McGraw unlawfully.

The court noted that whether someone intercepts a phone call in violation of the law that authorized Spaw’s lawsuit turns on two questions: First, whether a person whose call is intercepted exhibits an expectation of privacy and, second, whether that expectation is reasonable.

“James Huff lacked a reasonable expectation of privacy in his statements only to the extent that a third-party gained access to those statements through a pocket-dialed call that he placed,” wrote Boggs (emphasis in original). “In sum, a person who knowingly operates a device that is capable of inadvertently exposing his conversations to third-party listeners and failed to take simple precautions to prevent such exposure does not have a reasonable expectation of privacy with respect to statements that are exposed to an outsider by the inadvertent operation of that device.”

Unlike her husband, however, Bertha Huff had an expectation that the contents of her conversation would remain private, at least until the final two minutes of the call, when her husband realized what had happened and told her his phone was on.

Though Bertha Huff knew her husband owned a cellphone and that cellphones can pocket-dial, “speaking to a person who may carry a device capable of intercepting one’s statements does not constitute a waiver of the expectation of privacy in those statements,” Boggs wrote.

Bertha Huff might have a claim against Spaw, provided she can show that Spaw’s actions constituted an intentional use of a device to intercept her communications, the court ruled.

The decision reminds us that anyone we pocket-dial can eavesdrop. “Having a private cause of action against someone who records your call after a pocket dial may be small consolation if the contents of the call are sufficiently embarrassing,” writes Jonathan Adler, a professor at Case Western Reserve University School of Law, in The Washington Post. “So this is a good reminder to lock your phone before putting it in your pocket.”

Categories
Law News Privacy

Gawker fills in a gap between publishing and privacy

Last Thursday, Gawker, an online site that touts “today’s gossip” as “tomorrow’s news,” published an item about a married male executive at a major media company who planned to hook up with a male escort in a Chicago hotel room.

As detailed in the post, the executive, who serves as chief financial officer of Condé Nast, called off the rendezvous after the escort, who realized the executive happens to be the brother of a former Treasury secretary, sent his would-be date documents tied to housing discrimination the escort claims to be facing in Texas.

The post drew a firestorm of criticism from readers, including from journalists. Critics condemned Gawker for outing the executive and for detailing an attempt by the escort, whom the piece identified using a pseudonym, to pressure the executive to hit up his brother for help.

A day after the post went up, Gawker took it down. The move marked “the first time we have removed a significant news story for any reason other than factual error or legal settlement,” Nick Denton, the site’s CEO, wrote in a statement. According to Denton:

“The story involves extortion, illegality and reckless behavior, sufficient justification at least in tabloid news terms. The account was true and well-reported. It concerns a senior business executive at one of the most powerful media companies on the planet… In the early days of the Internet that would have been enough… But the media environment has changed, our readers have changed, and I have changed… I believe this public mood reflects a growing recognition that we all have secrets, and they are not all equally worthy of exposure.”

The decision to remove the post prompted the resignation of both Gawker’s executive editor and the site’s editor-in-chief. Removing the post breached the firewall between the editorial and business sides of the house in a way that, in their view, undermined their responsibility to safeguard the site’s editorial integrity.

As Denton noted, the turnabout marked a departure for Gawker, which made its mark with pieces that sparked the downfall or discomfort of a series of public figures. In 2010, the site published an anonymous account of the author’s one-night stand with Christine O’Donnell, then the Republican nominee for the U.S. Senate from Delaware. (Though O’Donnell was a public figure, critics in and out of the media slammed Gawker for invading her privacy. Denton defended the post by pointing out that O’Donnell campaigned as a paragon of chasteness.) In 2011, then-U.S. Rep. Chris Lee resigned after Gawker published an email exchange he had with a woman he met on Craigslist.

Hulk Hogan sued Gawker in 2012 for $100 million after Denton posted excerpts from a tape of the wrestler having sex with the wife of a friend. (The case is pending in a Florida court.) More recently, Gawker investigated whether Katie Holmes moved into a Manhattan apartment three years ago that linked via a secret entrance to a Whole Foods Market on the first floor. (She did, it seems.)

To its credit, the site punches up. In 2010, Gizmodo, a Gawker site devoted to tech news, revealed a lapse in Apple’s legendary secrecy by reporting on a prototype of the iPhone 4 that the editors bought from someone who found it in a bar, where an engineer from Apple had left it by accident. Last winter, Gawker took the lead in publishing a trove of emails from the hack of Sony.

At its best, Gawker knows how to “make fun of people and media sites without being overtly cruel,” Sarah Grieco wrote last year in the Columbia Journalism Review. At its worst, Gawker has a tendency to bully, according to Grieco, who cites Gawker’s claims that Shepard Smith, a Fox News anchor, is gay despite a dearth of evidence.

In defense of the discretion that Gawker demonstrates when it wants to, Denton has cited the decision not to publish nude photos of Jennifer Lawrence and other celebrities that leaked last year. The images may have been accurate, but they exposed no lie, Denton told Capital New York recently.

The piece about the CFO seems to be akin to the case of Hogan but with one difference. Hogan charges Gawker with invading his privacy. The video showed Hogan having sex but the act was private and recorded without his knowledge, he alleges. Gawker counters that the material is newsworthy, a position in line with the law, which generally protects reporters who ferret out facts that are not commonly known so long as they’re news.

Still, compared with Hogan, a celebrity who has boasted about his sexual prowess, the CFO of Condé Nast is an unknown. Sure, he works for a company that publishes The New Yorker, Vogue and other titles. But the person in charge of overseeing preparation of financial statements, managing Condé Nast’s financial strength or presenting the company’s creditworthiness has little to do with the content of its magazines.

At many news outlets, the executive suite tends to be a well-paid wing of the back office. And by most accounts, the current CFO of Condé Nast is about as far from the limelight as one can be. It’s also difficult to find a contradiction between his private behavior and public persona. He has no public persona.

Though Denton seems to have concluded as much, the realization came too late to prevent the piece from going up in the first place. In a memo Monday to Gawker’s staff, he noted that the CFO story was legal but did not merit the discretion that the editors who signed off on its publication had exercised in its favor. Writes Denton:

“We need a codification of editorial standards beyond putting truths on the Internet. [italics in original] Stories need to be true and interesting. I believe we will have to make our peace with the idea that to be published, those truths should be worthwhile. And some humane guidelines are needed — in writing — on the calculus of cruelty and benefit in running a story. Everybody has a private life, even a C-level executive, at least unless they blab about it. We do not seek to expose every personal secret — only those that reveal something interesting. And the more vulnerable the person hurt, the more important the story had better be.”

Time will tell if that’s a standard Gawker can uphold. Some members of Gawker’s editorial staff dispute both the viability of the criterion and Denton’s role in publishing the Condé Nast piece, which some in the newsroom say he could have killed up front had he found it as reprehensible as he contends.

Whatever the outcome, the test that Denton has articulated further defines the boundaries of publishing and privacy in a digital age. Highlight the disparities between the statements and actions of public figures. Clear the air of spin. Cover the news. And remember that stories are about people, too.

Categories
Law Privacy

Neiman Marcus customers can sue over data breach

The hassle of straightening out unauthorized charges and the cost of protecting oneself against identity theft give consumers whose personal information is swiped in a data breach standing to sue a company that controlled the information, a federal appeals court in Chicago ruled Monday.

Customers who shopped at Neiman Marcus over roughly three months in 2013 during which hackers used malware to steal payment card information from the retailer’s terminals suffered injuries concrete enough to support their claims, according to the U.S. Court of Appeals for the 7th Circuit.

The customers, who include people who discovered fraudulent charges on their credit or debit cards after using the cards at Neiman Marcus stores in New York and California two years ago, filed a class-action lawsuit in March 2014 charging the luxury chain with failing to maintain security sufficient to protect their personal information and waiting six months from the start of the breach to notify customers their information had been compromised.

The plaintiffs alleged that the breach exposed 350,000 cards, of which 9,200 were known to have been used fraudulently. In all, the breach may have exposed as many as 1.1 million payment cards.

The trial court tossed the lawsuit, finding the plaintiffs’ claims of financial harm they might experience in the future insufficient to support standing. Judge Diane Wood, writing for a three-judge panel of the appeals court, disagreed:

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal customers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

The court distinguished the data breach before it from a 2013 ruling by the Supreme Court that found human rights organizations lacked standing to challenge the Foreign Intelligence Surveillance Act because they could not show that the government actually intercepted their communications with suspected terrorists.

“This is a really consequential decision” notes Alison Frankel of Reuters. “It’s the first time a federal appeals court has looked at a data breach class action that was dismissed because the trial judge said it fell short of [the Supreme Court’s] standing requirements.”

The customers of Neiman Marcus “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” wrote Wood, citing the Court’s ruling from two years ago.

According to Wood, an offer by Neiman Marcus to pay the cost of a credit-monitoring service that costs $4.95 for the first month and $19.95 a month thereafter reflects the type of injury the plaintiffs suffered. She added:

“It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”

That some lenders will not hold customers responsible for unauthorized charges neither eliminates injury to the cardholders nor shows that their injury cannot be redressed by a decision in their favor, the court found.

According to the court, the fact that the plaintiffs’ injuries might be traced to a data breach at Target or another of the retailers whose systems hackers infiltrated around the same time also does not rule out a lawsuit against Neiman Marcus.

If it happens that more than one company may be responsible for exposing the plaintiffs’ personal information to hackers, the companies themselves will have an opportunity to prove that they were not the cause of the injury, the court said.

Categories
Law Privacy

Search of seized hard drives highlights questions of privacy in a digital age

A federal appeals court in New York has agreed to hear anew an appeal that explores the contours of privacy in a digital age.

At the urging of one of their colleagues, a majority of judges on the 2nd Circuit U.S. Court of Appeals voted on June 29 to rehear an appeal filed by Stavros Ganias, an accountant from Wallingford, Connecticut who was convicted in 2011 of two counts of tax evasion and sentenced to 24 months in prison.

The ruling reopens an appeal decided in June 2014 by three judges of the court, who in a divided ruling vacated Ganias’ conviction after concluding that the government violated his Fourth Amendment rights when it retained files from his lawfully searched computers for more than two-and-a-half years and then searched them again when it later developed probable cause.

The case highlights a difference between searches of books or papers and searches of computers and other electronics, which can hold files that range from the professional to the personal and may encompass far more information about someone from whom the government seizes such devices than the warrant itself authorizes.

In deciding to review the ruling, the majority asked the parties and their allies to address two questions that the court will consider when it convenes for oral argument on Sept. 30.

“(1) Whether the Fourth Amendment was violated when, pursuant to a warrant, the government seized and cloned three computer hard drives containing both responsive and non-responsive files, retained the cloned hard drives for some two-and-half years, and then searched the non-responsive files pursuant to a subsequently issued warrant; and

(2) Considering all relevant factors, whether the government agents in this case acted reasonably and in good faith such that the files obtained from the cloned hard drives should not be suppressed.”

At issue is a prosecution that stemmed from Ganias’ work on behalf of a company that had been hired by the U.S. Army to provide security and maintenance services at a vacant facility in Stratford, Connecticut.

Based on a tip from a confidential source that the contractors had stolen copper wire and other equipment from the facility, in Nov. 2003 investigators from the Army obtained warrants to search several premises, including the offices that housed Ganias’ accounting firm.

There, pursuant to the warrant, the agents made identical copies of the hard drives of Ganias’ computers. Though the imaging also copied Ganias’ personal files—contained in programs such as QuickBooks and TurboTax—the agents assured Ganias they were looking only for materials that tied to the investigation. The following spring, after discovering suspicious payments by the contractor to a business owned by someone who had not reported any income from that business, the Army invited the IRS to join the investigation. Investigators from the Army gave the IRS copies of Ganias’ hard drives so that agents from the IRS could review the evidence.

By December, the agents from both the Army and IRS had extracted the files that tied to their investigation of the contractor. They knew the warrant did not authorize them to review other records retrieved from the hard drives. Still, they retained the files that had nothing to do with the investigation.

For its part, the IRS started to suspect that Ganias had failed to report the contractor’s income properly. In July 2005—about 20 months following the seizure of the hard drives—the IRS broadened its investigation to include possible tax fraud by Ganias. The agent in charge of the investigation did not review Ganias’ personal financial records, which she knew to be beyond the scope of the warrant.

The following February, the government asked Ganias and his attorney for permission to review Ganias’ personal files that had been copied from the hard drives. After Ganias did not respond, the IRS obtained a warrant to search the images of Ganias’ financial records seized in 2003. Because Ganias had revised the original files shortly after the Army copied the drives in 2003, the original records would not have existed absent the government’s retaining the images.

At trial, Ganias sought to suppress the computer files that became the subject of his appeal. Judge Alvin Thompson of the U.S. District Court in Hartford denied the motion, explaining:

“Here… where the searches and seizures were authorized by a magistrate judge, where government agents scrupulously avoided reviewing files that they were not entitled to review, and where the defendant had an alternative remedy pursuant to [a motion to return property] to avoid the complained of injury, i.e. that the government held his data for too long without returning or destroying it, the defendant has not shown that his Fourth Amendment rights were violated.”

On appeal, the court noted that the framers of the Constitution sought to end the practice of the British of searching the premises of opponents and seizing their papers, books and records indiscriminately pursuant to so-called general warrants. Consequently, the court noted, the Fourth Amendment requires that warrants will be available to the government only on a showing of probable cause and a description of the places to be searched and the items to be seized. According to Judge Denny Chin:

“These Fourth Amendment protections apply to modern computer files. Like 18th Century “papers,” computer files may contain intimate details regarding an individual’s thoughts, beliefs, and lifestyle, and they should be similarly guarded against unwarranted Government intrusion. If anything, even greater protection is warranted.”

The court observed that investigators who carry out a warrant may do so by making mirror images of the information stored on hard drives that the investigators can later review off-site. According to the court, the government must review the material within a reasonable period—there’s no one-size-fits-all rule—and that material is subject to exclusion from evidence when the government seizes items outside the scope of the warrant (a practice that starts to resemble a general warrant) and fails to act in good faith.

In the case of Ganias, the court concluded that the government had overstepped its authority. According to Chin, the government’s retaining Ganias’ records for two-and-a-half years interfered with his rights in those files.

“Without some independent basis for its retention of those documents in the interim, the government clearly violated Ganias’ Fourth Amendment rights by retaining the files for a prolonged period of time and then using them in a future criminal investigation,” wrote Chin, who rejected the government’s contention that it obtained a second warrant to search Ganias’ files.

“If the Government could seize and retain non-responsive electronic records indefinitely, so it could search them whenever it later developed probable cause, every warrant to search for particular electronic data would become, in essence, a general warrant,” he added.

The ruling, which vacated Ganias’ conviction, surfaces a tension between the reasonableness of a search—in this case the length of time the government retains records swept up in a search—and the need for the government to establish that it has not altered evidence in its custody. As the Harvard Law Review noted in December:

“Although the court properly found that Ganias’ Fourth Amendment rights had been violated, the decision failed to appreciate the importance of authentication requirements for electronic evidence. As a result, Ganias may unnecessarily complicate prosecutions by potentially creating a perceived ‘right to deletion’—a prescription that federal prosecutors must delete files nonresponsive to a warrant sooner rather than later. The court could have avoided any potentially burdensome effects of this prescription on the evidentiary authentication process had it issued a more narrow ruling merely suppressing the evidence.”

The decision to reexamine the ruling also may tie to a question posed by Orin Kerr, a professor of criminal law and procedure at George Washington University who has commented on the case. “Is the real problem here that the government has over-seized and is taking unfair advantage of having extra stuff available to it, or is the real problem only that too much time has elapsed before the government is taking that advantage?” Kerr wrote in The Washington Post following Chin’s ruling.

Kerr imagines a case with the same facts as Ganias, except that the government developed probable cause for the second crime days after carrying out the first warrant. “Should that case come out differently?” he asks. “And if it could come out differently, is that because we intuit that the information for the second warrant likely is still… available on the original hard drive or because we think that the government’s seizure did not go on for so long as to become unreasonable?”

The first briefs are due by July 29.

Categories
News Privacy

Sorting out the cyberattacks

This post has been updated as of Nov. 11.

The cyberattack announced in June on a system that stores information about millions of current and former federal workers and contractors highlights yet again the vulnerabilities of the computer networks that connect us.

The breaches resulted in raids on files containing names, Social Security numbers, fingerprints and other personal information for nearly 26 million people, according to the Office of Personnel Management (OPM), the agency that was hacked. Investigators say the attack came from China, which has denied responsibility.

The attack on OPM spurred me to sift through a series of cyberattacks on the government, companies and others since 2013. The list, which appears below, is almost certainly incomplete. It also doesn’t include breaches of unsecured protected health information that by law are reported to the U.S. Department of Health and Human Services, which has logged 34 such intrusions this summer alone.

Though the attacks summarized below have been reported widely, the roster suggests the sweep and frequency of intrusions, which are likely to increase according to a survey fielded last fall by the Pew Research Center. I will update this post periodically. Please tweet additions, corrections or comments to @bbrowdie.

2015 (attacks listed in reverse chronological order by date of disclosure)

Scottrade (Oct.)—Between late 2013 and early 2014, thieves stole the names and street addresses of roughly 4.6 million clients, according to the retail brokerage firm, which said it had no evidence that trading platforms or clients’ funds were compromised.

E-Trade (Oct.)—The financial firm notified 31,000 customers that hackers may have accessed their names, email addresses, and street addresses. The intrusion reportedly occurred in 2013, but at the time the company did not think that customer information had been compromised.

Dow Jones (Oct.)—The publisher of The Wall Street Journal said in a statement that intruders who gained access to its systems may have swiped payment card and contact information for roughly 3,500 customers.

Experian (Oct.)—Hackers stole personal information for roughly 15 million Americans, the consumer data company said in a statement. The data included names, dates of birth and Social Security numbers for people who applied for service with T-Mobile over a period of two years starting in September 2013. In a statement, T-Mobile CEO John Legere said he is “incredibly angry about this data breach” and pledged to “institute a thorough review” of the company’s relationship with Experian.

CVS (Sept.)—The pharmacy chain, which in July revealed a possible breach of its online photo service, confirmed that personal information may have been swiped by hackers. The data included names, credit card numbers, phone numbers, email addresses, usernames and passwords. The company declined to say how many customers were affected.

Business Wire/PR Newswire Association (Aug.)—Federal officials charged a group of hackers and inside traders with stealing nonpublic information from servers belonging to two of the largest services that companies use to distribute news releases and using the information to profit illegally over a period of roughly five years.

Carphone Warehouse (Aug.)—The UK-based mobile phone retailer said that a “sophisticated cyberattack” resulted in the theft of names, addresses, dates of birth and bank details for as many as 2.4 million customers. The intrusion also may have resulted in the theft of encrypted payment card information for as many as 90,000 customers, the company said.

Sabre/American Airlines (Aug.)—Sabre, a company that processes reservations for hundreds of airlines and thousands of hotels, “recently learned of a cybersecurity incident” but could not say what data was stolen or who might be responsible, Bloomberg reported. American Airlines reportedly was investigating whether the intruders moved to its computers from Sabre’s systems.

U.S. Dept. of Defense (Aug.)—An unclassified system that supports email for about 4,000 military and civilian personnel who work for the Joint Chiefs of Staff returned to operation roughly two weeks after an intrusion by hackers thought to be from Russia. Officials said that no classified information was swiped or compromised during the attack.

United Airlines (July)—Hackers based in China allegedly stole manifests in May or early June that detail passengers and their travel origins and destinations, Bloomberg reported. Investigators reportedly have linked the hackers to the group that stole information from both Anthem Inc. and the Office of Personnel Management.

Fiat Chrysler (July)—The automaker updated software that tethers its vehicles to a series of information and navigation services after two security researchers demonstrated they could take control of a Jeep Cherokee remotely and force it into a ditch.

Ashley Madison (July)—The online service that offers casual sexual encounters for married people said that hackers obtained information about some of its 37 million users, as well as financial information and other data that belongs to Avid Life Media, the company that owns Ashley Madison. The hackers, who go by the name “Impact Team,” threatened to release all of the company’s information, including nude photos and members’ private postings, if management did not take Ashley Madison’s sites offline. A month later Impact Team made good on that threat. On Aug. 18, the group released postal and email addresses, descriptions of users (including height and weight), encrypted passwords, partial payment card numbers and details of transactions. Two days later, the hackers leaked a trove of data twice as large that appeared to include additional files from the company.

Hershey Resorts (July)—The theme park operator is investigating a series of fraudulent charges that appeared in payment card accounts of customers who visited its attractions in Pennsylvania between mid-March and late May.

Hacking Team (July)—Emails and records that hackers stole from the Italian maker of software that itself allows governments to hack into computers showed that the company counts Russia, Saudi Arabia, and other nations with questionable human-rights records as clients.

Trump Hotel Collection (July)—The chain of 12 luxury hotels owned by Donald Trump said in a statement it was investigating “suspicious credit card activity” stemming from a breach that may date to February.

Houston Astros (June)—Federal law enforcement officials reportedly are investigating whether the St. Louis Cardinals stole scouting reports and information about players and prospects from a database belonging to the Astros. If true, the intrusion represents the first known example of a professional sports team breaking into the network of another team.

LastPass (June)—The service, which lets customers store their passwords online and access them with master logins, disclosed that an intruder or intruders swiped email addresses, password reminders, authentication codes and more. The breach did not include customer accounts, LastPass said.

Negotiations with Iran (June)—An unnamed state—thought to be Israel—used malware to spy on negotiations between Iran and a group of nations that aim to prevent Iran from obtaining a nuclear weapon. According to Kaspersky Lab, whoever sought the information unleashed the malware, known as Duqu 2.0, on computers at hotels where the negotiations took place.

U.S. Army (June)—The U.S. Army’s website went offline following what appears to have been a distributed denial of service attack. The Syrian Electronic Army, a group of hackers who back President Bashar al-Assad, claimed credit.

Eataly (June)—The marketplace in Manhattan for foods from Italy warned that “unauthorized individuals” set up malware designed to harvest information from credit and debit cards in the company’s payment-processing system. The intruders may have obtained names and account numbers, as well as expiration dates and security codes for cards that customers swiped at Eataly in the first three months of this year.

Office of Personnel Management (June)—The attacks, which OPM discovered in April, resulted in the theft of personal information belonging to 4.2 million current and former federal workers, as well as another 21.5 million applicants for security clearances and their spouses or partners. In a letter dated June 11, the president of the American Federation of Government Employees—the largest federal employees’ union—charged that hackers stole information for every federal worker and retiree, and that the Social Security numbers the hackers obtained were unencrypted. The union has filed a class action lawsuit that charges OPM’s director and chief information officer with negligence in failing to protect information entrusted to them. On Sept. 23, OPM increased its count of the number of people whose fingerprints were stolen to roughly 5.6 million, from approximately 1.1 million previously. Though OPM termed the potential for misusing the fingerprint data “limited,” the agency noted “this probably could change over time as technology evolves.”

CareFirst BlueCross BlueShield (May)—Hackers suspected of operating from China obtained access to names, email addresses and dates of birth for roughly 1.1 million customers of this health insurer based in Maryland and D.C.

Internal Revenue Service (May)—Hackers thought to be operating from Russia stole tax forms containing Social Security numbers, dates of birth, home addresses and other information for as many as 334,000 people.

Sally Beauty Supply (May)—The Denton, Texas-based retailer of beauty supplies said that intruders had breached its payment system, though the company did not speculate on the scope of the breach. The cyberattack constituted the second on Sally Beauty in as many years.

Tesla (April)—Hackers took over the automaker’s Twitter feed and defaced the company’s website.

US HealthWorks (April)—Hackers allegedly pilfered personal and health-related data for an unknown number of members of this California-based insurer. The thieves reportedly breached US HealthWorks’ systems via a laptop stolen from a vehicle belonging to one of the company’s employees.

Mandarin Oriental Hotel Group (March)—The upscale lodging chain said that intruders used malware to swipe payment-card information from some of the company’s hotels in the U.S. and Europe.

Premera Blue Cross (March)—Hackers thought to be operating from China allegedly stole names, dates of birth, email addresses, Social Security numbers, information about bank accounts and more from as many as 11 million members of this health insurer based in Washington state.

Anthem Blue Cross (Feb.)—Hackers said to be operating from China allegedly obtained names, dates of birth, Social Security numbers, and information about bank accounts and medical conditions for as many as 78 million people insured by this Indianapolis-based company, which does business in 14 states.

Banks in Russia, Japan, Europe and the U.S. (Feb.)—A band of thieves that reportedly included Russians, Chinese and European hackers orchestrated an attack on more than 100 banks worldwide, making off with as much as $900 million.

Park ‘N Fly (Jan.)—The Atlanta-based airport parking service confirmed that intruders stole numbers, names and addresses, expiration dates and verification codes for credit cards stored in its reservations website. The company did not say how many cards might have been affected.

2014

Korea Hydro and Nuclear Power Co. Ltd. (Dec.)—A cyberattack reportedly erased some data at the state-owned company that runs the country’s 23 atomic reactors. South Korea later blamed North Korea for the intrusion.

Chick-fil-A (Dec.)—The fast-food chain said it was investigating reports of unauthorized activity concerning credit and debit cards used at some of its restaurants. Chick-fil-A later said the investigation revealed “no evidence” of its systems being hacked or payment cards stolen.

Bebe (Dec.)—The women’s clothing chain disclosed that hackers obtained names, account numbers, expiration dates and verification codes for payment cards swiped between Nov. 8 and Nov. 26 at its stores in the U.S., Puerto Rico, and the U.S. Virgin Islands.

Sony Pictures Entertainment (Nov.)—Cyber intruders obtained names, home addresses, and Social Security numbers, as well as information about bank accounts, payment cards, compensation and more for as many as 47,000 employees. According to the U.S. government, the hackers operated from North Korea, although some experts have doubted the charge. The thieves also swiped more than 173,000 emails and nearly 31,000 documents from the studio.

JPMorgan Chase (Oct.)—Hackers obtained names, home and email addresses, phone numbers and internal bank information about 83 million customers, including 76 million households.

Apple (Oct.)—Cyberattackers reportedly sought to intercept user IDs, passwords and other information from the company’s iCloud service in China. The Chinese government denied responsibility for the attack.

Staples (Oct.)—The office-supply chain confirmed it was investigating a potential theft of payment-card data. Two months later, Staples said that hackers swiped information for roughly 1.16 million credit and debit cards after installing malware at 115 of the company’s 1,400 stores in the U.S.

NATO, Ukraine, Poland and the European Union (Oct.)—Hackers working on behalf of the Russian government allegedly used a flaw in Windows to swipe documents and other files from government and university offices, as well as energy and telecommunications companies.

Kmart (Oct.)—The retailer disclosed that someone had installed malware on payment systems at its stores but that no email addresses, PINs or Social Security numbers were swiped. Still, the information that thieves grabbed may have allowed them to counterfeit stolen cards.

Home Depot (Sept.)—Cyber thieves allegedly used an account belonging to a refrigeration contractor in Pennsylvania to steal 56 million credit and debit cards, as well as 53 million email addresses.

Jimmy John’s (Sept.)—An intruder or intruders used log-in credentials to pilfer numbers for credit and debit cards swiped at 216 of the sandwich chain’s more than 1,900 stores, along with cardholders’ names, verification codes and expiration dates.

Viator (Sept.)—The tour-booking unit of TripAdvisor notified customers that an intruder or intruders may have made off with payment information for as many as 880,000 customers, along with email addresses and encrypted passwords for another 560,000.

AB Acquisition (Aug.)—The parent of the Albertsons, ACME, Jewel-Osco, Shaw’s and Star Markets chains warned customers of a breach that may have resulted in the theft of credit and debit card information from some of its stores. About six weeks later, the company disclosed a second breach in which thieves used “different malware” than that used in the incident announced in August.

Community Health Systems (Aug.)—Hackers allegedly operating from China stole names, addresses, Social Security numbers, birth dates and telephone numbers belonging to 4.5 million patients of the chain, which operates 199 hospitals in 29 states. The attackers did not swipe payment data or clinical information, the company said.

AT&T (June)—The company said that three employees of one of its vendors accessed records—including Social Security numbers and information about calls—for some customers.

State of Montana Dept. of Public Health and Human Services (June)—Someone who broke into the state’s systems allegedly made off with addresses, birth dates, Social Security numbers and medical records for as many as 1.3 million people.

Domino’s Pizza (June)—The company disclosed that hackers swiped customers’ names, email addresses and even favorite pizza toppings for roughly 650,000 customers in France and Belgium.

P.F. Chang’s China Bistro (June)—Cyber thieves allegedly stole more than 7 million credit and debit cards, including numbers, cardholders’ names and expiration dates, from 33 of the chain’s restaurants.

Feedly (June)—Websites for this service, which delivers RSS feeds to roughly 15 million users, went down as the result of a distributed denial of service attack.

eBay (May)—Intruders allegedly stole customers’ names, encrypted passwords, email and home addresses, phone records and dates of birth for as many as 233 million users of the auction site. Three months earlier, the Syrian Electronic Army defaced websites belonging to both eBay and its PayPal subsidiary.

Sally Beauty Supply (March)—The beauty supply chain said that hackers accessed its network and stole information for roughly 25,000 credit and debit cards.

University of Maryland (Feb.)—An attacker or attackers infiltrated a database that contained names, Social Security numbers, dates of birth and university IDs for roughly 288,000 students, faculty and staff. The hack reflected the work of someone or some group of people who knew the university’s systems well, the university’s chief information officer told The Washington Post.

Neiman Marcus Group (Jan.)—Hackers used malware to steal roughly 1.1 million credit and debit cards from the Dallas-based retailer.

Michaels Stores (Jan.)—The retailer reported that it was looking into a potential security breach. Three months later the company said that thieves broke into its payment system and made off with credit and debit card information for 3 million customers.

Snapchat (Jan.)—Hackers said they published phone numbers and handles, swiped in a New Year’s Eve raid, for roughly 4.6 million users of the video-message service.

2013

Target (Dec.)—Cyber thieves suspected of operating from Russia stole credit and debit card information for roughly 40 million customers along with names, mailing addresses, phone numbers or email addresses for as many as 70 million people.

Adobe Systems (Oct.)—A cyberattack on the software maker exposed names, IDs, passwords, and payment card information for nearly 3 million customers.

Experian (Oct.)—A subsidiary of the credit bureau sold personal and financial information about millions of Americans to a Vietnamese man who later pleaded guilty to running an identity theft service. The company said its credit files were not breached.

South Korean banks (March)—A cyberattack, alleged to have originated in North Korea, suspended online banking and paralyzed systems at Shinhan Bank, Nonghyup Bank and Cheju Bank.

LivingSocial (March)—The online marketplace asked customers to change their passwords after a cyberattack on the company’s systems exposed names, email addresses, passwords and dates of birth for more than 50 million people worldwide.

Evernote (March)—The note-taking service directed 50 million users to reset their passwords after hackers gained access to user IDs, email addresses and passwords tied to accounts.

U.S. financial institutions (March)—Distributed denial of service attacks slowed websites at a series of banks. A hacktivist group that called itself the al-Qassam Cyber Fighters claimed responsibility for some of the slowdowns.