Categories
Privacy

Microsoft warrant case goes before appeals panel

Microsoft and the Department of Justice will square off today before a federal appeals panel in Manhattan in a case that has implications for digital privacy and the flow of data across borders.

The appeal marks a return to court of a dispute that began nearly two years ago when DOJ obtained a search warrant to seize emails belonging to a suspect in a narcotics trafficking investigation.

Microsoft objected to the warrant, asserting it sought emails from a data center owned by the company in Dublin, where, the company argues, the U.S. has no jurisdiction to seize records. Two lower courts backed DOJ, ruling the warrant was valid because Microsoft controls the data from the U.S. regardless where the emails happen to be stored.

The appeal comes amid lingering tensions between the U.S. and European Union over digital privacy in the wake of revelations about the extent of spying by the National Security Agency and raises a question of how much control over information a nation has within its borders.

Microsoft argues that neither the Fourth Amendment nor the Stored Communications Act, a federal law that limits the ability of the government to force email providers to turn over customer communications absent a court order, apply outside the U.S.

“If the government prevails here, the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft’s offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country,” the company wrote in court papers.

But the warrant simply demands production of records by Microsoft, a company subject to U.S. jurisdiction, counters the government. “Under long settled precedent, the power of compelled disclosure reaches records stored abroad so long as there is personal jurisdiction over the custodian and the custodian has control over the records,” DOJ argues.

According to the government, a warrant issued pursuant to the Stored Communications Act operates like a subpoena, in that it obligates the provider to turn over the records and does not require a law enforcement officer to search the premises.

Tech companies and civil liberties groups that have weighed in on behalf of Microsoft reject the analogy. “The Fourth Amendment requires the government obtain emails with a search warrant,” wrote the Electronic Frontier Foundation, the ACLU, the Brennan Center, and The Constitution Project in a friend-of-the-court brief. “Although the government did obtain a warrant here, extending the warrant’s reach to emails stored abroad should not rest on an inaccurate analogy to subpoenas.”

A ruling in the government’s favor could spur other countries to serve warrants on tech companies for the private messages of Americans that are stored in U.S. data centers owned by companies based abroad, experts say.

A win for the government also could encourage more tech companies to encrypt messages in ways that make them impossible to read unless the recipient decodes them. Apple recently refused to turn over iMessages sought by the government, saying it couldn’t get access to the messages because they are encrypted. The dustup highlights an ongoing debate over the use of encryption and the government’s ability to unlock data when the needs of law enforcement and national security demand.

Categories
Privacy

Apple stance on privacy may slow artificial intelligence push: report

Those of us who use iPhones may have more to welcome this week than Apple’s event to unveil the latest devices.

The computer maker’s stance on guarding customer privacy may be slowing its push to stay ahead of rivals in the race to to develop digital assistants, Reuters reports. If correct, that means the company is upholding its pledge to respect customers’ personal privacy, but more on that in a minute.

At issue is a race by Apple, Google and other tech companies to recruit experts in machine learning, a branch of artificial intelligence that allows computers to anticipate what users want without being explicitly programmed.

The larger the set of data that software can analyze, the more precise those predictions can become. But with a self-imposed privacy policy that causes iPhones and other devices to refresh every 15 minutes, Apple forgoes the opportunity to send the data to the cloud, where the information could be combined with other data, analyzed and, possibly, sold to advertisers.

That benefits users by protecting their personal privacy but can slow the evolution of services such as Siri to anticipate users’ needs. “They want to make a phone that responds to you very quickly without knowledge of the rest of the world,” Joseph Gonzalez, co-founder of Dato, a machine learning startup, told Reuters, referring to Apple. “It’s harder to do that.”

Or not. If any company can reconcile the imperatives of privacy and technological progress in a way that advances both it may be Apple.

The next generation of Apple’s services will depend heavily on artificial intelligence, AppleInsider reports. At the same time, digital assistants developed by Google and Microsoft reportedly are getting better at learning users’ routines.
Apple currently aims to recruit at least 86 more experts in machine learning, according to an analysis by Reuters of the computer maker’s jobs postings.

Apple CEO Tim Cook said in June that his company won’t be a party to the exchange that defines the relationship of many tech companies and their customers, in which customers accept free services in return for companies’ selling information about consumer’ searches, shopping, health and more to advertisers.

“They’re gobbling up everything they can learn about you and trying to monetize it,” Cook told a gathering in Washington sponsored by privacy advocates. “We think that’s wrong.”

Edward Snowden, the former government subcontractor who revealed the magnitude of the National Security Agency’s spying on Americans in the wake of the 9/11 attacks, said Apple’s stance deserved consumers’ support.

“Regardless of whether it’s honest or dishonest, for the moment, now, that’s something we should… incentivize, and it’s actually something we should emulate,” Snowden told an audience in Spain about two weeks after Cook outlined the company’s policy.

Apple is slated to introduce enhancements to Siri this Wednesday as part of the rollout of iOS 9, the latest version of the company’s operating system for the iPhone and iPad.

Categories
Privacy

In shift, Justice Department requires warrants for using stingrays to spy on cellphones

The Justice Department has tightened restrictions for tracking cellphone signals in a move that officials say will improve transparency and protect the public from unwarranted invasions of privacy.

Henceforth the FBI and federal law-enforcement agencies will need a warrant supported by probable cause before using a so-called cell-site simulator, which can impersonate a cellphone tower by sending out signals that induce phones to respond with identifying information.

The move represents a win for privacy even though the warrant requirement doesn’t apply to state and local governments, which also use cell-site simulators to track suspects.

The devices, which are known variously as stingrays, dirtboxes or IMSI catchers (for International Mobile Subscriber Identity), are used widely for surveillance but have proved to be controversial because of their sweep and the secrecy that shrouds their use. Agents deploy the devices from cars and planes, which enable scanning across larger areas.

“Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” Deputy Attorney General Sally Quillan Yates said Thursday in a statement announcing the change. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.”

The pivot by DOJ represents a departure from past practice, when law enforcement personnel had to certify merely that use of a cell-site simulator was relevant to an ongoing criminal investigation.

Under the revised guidelines, agents may not configure simulators to collect the contents of communications, including emails and text messages. Agents also must inform judges when applying for warrants that use of the device will capture information from cellphones in the vicinity that are not subject to the investigation, and that the simulator may disrupt service temporarily for all cellphones within reach of its signal. Officials also must detail to the court how they plan to delete data not associated with the device being targeted.

As is the case under the Fourth Amendment generally, federal officials can use a simulator without first obtaining a warrant in the event of so-called exigent circumstances or when the law does not require a warrant, in which instance agents must first obtain the OK of officials within DOJ.

The Guardian reported Friday that public defenders in Baltimore are examining more than 2,000 cases in which police used stingrays to gather evidence on suspects secretly. Prosecutors are obligated to disclose evidence against criminal defendants in the discovery phase of a criminal trial.

Categories
Privacy

Shutterfly lawsuit highlights concerns with the use of facial recognition and the problem with a ‘Shazam’ for faces

A lawsuit pending in a federal court in Chicago may answer whether tagging and storing photos of someone without that person’s permission violates a state law that regulates the collection and use of biometric information.

That’s the hope of Brian Norberg, a Chicago resident, who in June sued Shutterfly, an online business that lets customers turn photos into books, stationery, cards and calendars. The class action represents the latest in a series of challenges to the use of facial recognition and other technologies that record our unique physical attributes.

Norberg, who claims never to have used Shutterfly, charges that between February and June, someone else uploaded at least one photo of him to Shutterfly and 10 more to the company’s ThisLife storage service. According to Norberg, the company created and stored a template for each photo based on such biological identifiers as the distance between his eyes and ears. The service allegedly prompted the person who uploaded the images to also tag them with Norberg’s first and last names—all without Norberg’s permission.

That, charges Norberg, contravened the state’s Biometric Information Privacy Act (BIPA), a law enacted seven years ago that bars businesses from collecting a scan of someone’s “hand or face geometry,” a scan of their retina or iris, or a fingerprint or voiceprint, without their consent. The law authorizes anyone whose biometrics are used illegally to sue for as much as $5,000 per violation.

In July, Shutterfly asked U.S. District Judge Charles Norgle Sr. to dismiss the lawsuit. According to the company, the BIPA specifically excludes photographs and information derived from them. And, even if the law were unclear, says Shutterfly, the legislature intended it to apply to the use of biometrics to facilitate financial transactions and consumer purchases, not to photo-sharing.

“Scanning photos to allow users to organize their own photos is a far cry from the biometric-facilitated financial transactions and security screenings BIPA is aimed at—such as the use of finger-scanning technology at grocery stores, gas stations, or school cafeterias,” the company asserted in court papers.

In a rejoinder filed last Friday, Norberg says that creating templates based on scans of facial features, not the photos themselves, violates the BIPA. “The resulting face templates—not the innocuous photographs from which they were derived, but the resulting highly detailed digital maps of geometric points and measurements—are ‘scans of face geometry’ and thus fall within the BIPA’s definition of ‘biometric identifiers,’” he wrote.

“By [Shutterfly’s] logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the data base were derived from photographs,” Norberg added. “And indeed, that appears to be exactly what they are doing.”

Of course, facial recognition technology is used widely already. As Ben Sobel, a researcher at the Center on Privacy & Technology at Georgetown Law, explained recently in The Washington Post:

“Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged. Facebook calls this ‘Tag Suggestions’ and explains it as follows: ‘We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features… This template is based on your profile pictures and photos you’ve been tagged in on Facebook.’ Once it has built this template, Tag Suggestions analyzes photos uploaded by your friends to see if your face appears in them. If its algorithm detects your face, Facebook can encourage the uploader to tag you.”

Facebook also is defending a class action filed last spring that charges the company’s use of facial-recognition software to identify users violates the BIPA. Facebook users have uploaded at least 250 billion photos to the social networking site and continue to do so at a rate of 350 million images a day, reports Sobel, who adds that Facebook’s tagging occurs by default, whereas Google’s requires you to opt in to it.

According to the Federal Trade Commission, companies that use facial recognition technologies should simplify choices for consumers and increase the transparency of their practices. Social networks should provide users with “a clear notice—outside of a privacy policy—about how the feature works, what data it collects and how it will use the data,” the agency wrote in a report published in October 2012. Significantly, social networks should give users an easy way to opt out of having their biometric data collected and the ability to turn off the collection at any time, the agency advised.

Still, that may not cover someone like Norberg, who says he never used Shutterfly. Or prevent an app akin to a Shazam for faces that would allow users to discover someone’s identity (and possibly more, such as their address) by photographing someone regardless whether the subject knows or consents. Situations like those would require the company to obtain the subject’s express affirmative consent—meaning that consumers would have to affirmatively choose to participate in such a system—the FTC noted.

And those are commercial users of biometrics. The photos of at least 120 million people sit in databases—many built from images uploaded from applications for driver’s licenses and passports—that can be searched by the police and law enforcement. Use of biometrics by the government raises additional concerns, including a need to ensure that a suspect has been detained lawfully before police can photograph the person or swab for DNA.

At a hearing in October 2010 that examined use of facial-recognition technology, Senator Al Franken of Minnesota, the senior Democrat on the Judiciary Subcommittee on Privacy, Technology and the Law, noted that in the era of J. Edgar Hoover, the FBI used wiretaps sweepingly with little regard for privacy.

Congress later passed the Wiretap Act, which requires police to obtain a warrant before they get a wiretap and limits use of wiretaps to investigations of serious crimes. “I think that we need to ask ourselves whether Congress is in a similar position today as it was 50 or 60 years ago—before passage of the Wiretap Act,” Franken said

Categories
Law

Why the clerk in Kentucky who refuses to license same-sex marriages doesn’t have the law on her side

A county clerk in Kentucky who is slated to appear in a federal courtroom Thursday after refusing to license same-sex marriages may have sincerely held beliefs but she doesn’t have the law on her side.

Kim Davis, a self-described Apostolic Christian who in January was elected clerk of Rowan County, a precinct that lies about 135 miles east of Louisville, has been directed by U.S. District Judge David Bunning to explain her actions, which place her at risk of fines or jail time.

In addition to its consequences for same-sex couples who would assert their legal right to marry in Rowan Country, the standoff represents two decades of advocacy that aims to advance a conservative agenda under the pretext of religious freedom.

In Kentucky the dustup began anew Tuesday after Davis declined to issue licenses to two same-sex couples a day after the U.S. Supreme Court let stand a ruling by Bunning that directs Davis to authorize legal marriages presented to her. Davis stopped licensing all marriages following a ruling by the Supreme Court in June that upheld the constitutional right of same-sex couples to marry. Bluegrass State law requires marriage licenses to be signed by a county clerk.

Davis, who also has refused to step down, issued a statement Tuesday in which she described her actions as compelled by faith. “To issue a marriage license which conflicts with God’s definition of marriage, with my name affixed to the certificate, would violate my conscience,” Davis wrote. “It is not a light issue for me. It is a Heaven or Hell decision. For me it is a decision of obedience. I have no animosity toward anyone and harbor no ill will.”

Of course, as an elected official, Davis can resign if her beliefs prevent her from discharging duties she swore an oath to uphold. There’s no evidence the state is requiring Davis to hold a particular belief as a condition of public employment.

“The Court must again point out that the act of issuing a marriage license to a same-sex couple merely signifies that the couple has met the legal requirements to marry,” Bunning ruled Aug. 12 when he directed Davis to comply with a directive by Governor Steve Beshear that clerks throughout the state license all legal marriages presented to them. “It is not a sign of moral or religious approval.”

Nor is this a case of the government’s compelling speech in violation of the First Amendment. As Bunning noted, the only speech the state seeks to compel is speech by Davis in the performance of her official duties, which the state can do. Remember, too, that Davis embodies the state when she acts in her capacity as clerk.

A similar problem arises for Davis’ claims to being a conscientious objector. As Jonathan Adler, a professor of constitutional law at Case Western Reserve University explained Wednesday in The Washington Post, referring to Davis:

“Someone who objects to war due to his religious conscience has a right to be a conscientious objector and not serve in the military, even were there to be a draft. But he does not have the right to serve as a military officer, draw a paycheck from the military and then substitute his own personal views of when war is justified for that of the government. The same applies here.”

Finally, Davis seeks the protection of Kentucky’s version of the Religious Freedom Restoration Act, a federal law enacted in 1993 that provides an exemption from legal requirements for religious objectors unless the government can show it has a compelling interest that requires the person to comply with the law.

Despite its co-optation by conservatives, the law represented a bipartisan rejoinder to a ruling by the Supreme Court three years earlier that upheld the authority of the State of Oregon to criminalize possession of peyote without providing an exemption for Native Americans who use the drug for religious purposes.

Since then, as Professor Wendy Brown of UC Berkeley observed in a lecture last July at the London School of Economics, states have adopted their versions of the religious freedom law so that businesses can discriminate against those whom they think are engaged in acts of sin. Think of a bakery whose owners refuse to bake a wedding cake for a same-sex couple.

In a more radical turn, the Supreme Court extended that religious freedom exemption to corporations, when it ruled last year in Burwell v. Hobby Lobby Stores that a for-profit corporation need not comply with a legal mandate that employer-sponsored health plans cover the cost of contraceptives if the corporation’s—yes, the corporation’s—religious beliefs dictate otherwise.

The ruling, which Davis cited at least nine times in her application to the Supreme Court for a stay of Bunning’s order, represents a line of advocacy based on what Brown terms “a jurisprudence of aggrieved power [in which] the assertion of conscience is central in… producing the claimant as a beleaguered minority, requiring protection from the state and from a popular majority.”

Davis has yet to show how her actions, which, after all, represent state action, qualify her for an exemption under Kentucky’s religious freedom law. Bakers who decline to bake wedding cakes for same-sex couples have not taken an oath to uphold the law of the land.

That’s not to suggest Davis is not free to argue that the religious freedom law allows her to avoid issuing licenses to same-sex couples. She can do that on appeal while discharging her duties in the meantime.

No matter what transpires, the incident shows the reach of the jurisprudence of religious freedom. “Somehow the separation of church and state has come to mean blocking the state from protecting the civil rights of citizens and forcing it to support—and pay for—sectarianism, bigotry, superstition and bullying,” Katha Pollitt wrote last year in The Nation. “I really doubt this is what Thomas Jefferson had in mind.”

Categories
cybersecurity

Jailbroken iPhones infected by malware

Nearly a quarter of a million owners of Apple’s iPhone may be at risk of having their iTunes accounts hijacked or their devices held hostage by intruders.

That’s because hackers have distributed malware that allows users to steal log-in credentials and purchase apps and media from both the App and iTunes stores, according to a report published Sunday by Palo Alto Networks, a digital security firm.

The attack is thought to be the largest known theft of data from Apple accounts caused by malware, the firm said.

The malware, known as KeyRaider, affects iPhones whose users have disabled, or jailbroke, the operating system on their devices to allow installation of third-party apps. As of Sunday, thieves had used KeyRaider to steal nearly 226,000 valid Apple accounts, along with certificates, private keys and other security features, the firm said.

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Claud Xiao, a security researcher at Palo Alto Networks, wrote in a blog post.

As of Sunday, about 20,000 people had downloaded the malware, suggesting at least that many people are misapplying credentials stolen from iTunes accounts. The malware, which also allows intruders to hold phones hostage in return for ransom, has appeared in 18 countries, including the U.S., China and U.K.

Palo Alto Networks traced the malware after members of Weiphone, a community of iPhone fans based in China, discovered unauthorized charges in their iTunes accounts.

The malware offers a reminder that jailbreaking carries risks. “Most security experts discourage the practice unless it’s done by highly experienced people who know exactly what code they’re using to circumvent Apple engineers’ safeguards and, once that’s done, what alternative apps they’re installing,” Dan Goodin wrote Monday at Ars Technica.

Categories
News

FTC ends probe of data breach at Morgan Stanley, offers guidance to businesses

If they haven’t already, companies that handle customers’ personal information should read a letter released recently by the Federal Trade Commission that concludes an investigation by the agency into data security practices at Morgan Stanley.

The probe by the FTC followed Morgan Stanley’s firing in January of a financial adviser who downloaded and took home with him details for the accounts of 350,000 of the firm’s roughly 3.5 million wealth-management clients. Morgan Stanley later discovered some of the information on Pastebin, a file-sharing site.

Though the information reportedly included account names and numbers, account values and states of residence, the bank said that no clients incurred financial harm as a result of the breach. Law-enforcement officials later investigated whether hackers obtained the information from the adviser’s computer and posted the details online.

Two factors influenced the FTC’s decision to end its investigation without charging Morgan Stanley with failing to secure the information in violation of federal law, which prohibits unfair or deceptive acts or practices by businesses.

First, the FTC found that Morgan Stanley maintained “comprehensive policies designed to protect against insider theft of personal information.” According to the agency, the firm limits access by employees to data for which they have a business need, monitors data transfers by employees, prohibits use of USB flash drives and other devices that can be used to remove data, and blocks access by employees to websites the firm regard as high-risk.

Second, although the adviser was able to obtain a “narrow set of reports” for which Morgan Stanley had configured controls improperly, the company fixed the problem quickly after the breach came to its attention.

“We continue to emphasize that data security is an ongoing process,” the FTC wrote. “As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. As employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risks of broad access to such resources on work devices.”

Categories
Life

Rest in peace, Oliver Sacks, physician, writer, swimmer

Oliver Sacks, neurologist and writer, died Sunday at age 82. I did not know Dr. Sacks but had the privilege of swimming in an adjacent lane many mornings several years ago in Chelsea.

Tonight I read for the first time an essay he wrote about swimming that was published in The New Yorker, May 26, 1997. In it, Dr. Sacks recalls how he learned to swim by imitating his father’s strokes. Another parallel: My father swims still, at age 84.

Here’s how the essay concludes:

“There is an essential rightness about swimming, as about all such flowing and, so to speak, musical activities. And then there is the wonder of buoyancy, of being suspended in this thick, transparent medium that supports and embraces us. One can move in water, play with it, in a way that has no analogue in the air. One can explore its dynamics, its flow, this way and that; one can move one’s hands like propellers or direct them like little rudders; one can become a little hydroplane or submarine, investigating the physics of flow with one’s own body.

And beyond this, there is all the symbolism of swimming—it’s imaginative resonances, its mythic potentials.

My father called swimming ‘the elixir of life,’ and certainly it seemed to be so for him: he swam daily, slowing down only slightly with time, until the grand age of ninety-four. I hope I can follow him, and swim till I die.”

Categories
Law

Kentucky clerk’s appeal of same-sex marriage ruling highlights the reach of Hobby Lobby

The signature of Barbara Fiala appears on my driver’s license. But I have no idea what she thinks of my fitness to operate a motor vehicle in New York State. And who is Barbara Fiala anyway?

As it happens, Ms. Fiala is the former state commissioner of motor vehicles. I Googled her upon reading about an application filed Saturday by Kim Davis with the U.S. Supreme Court. Davis is asking the justices to stay a court order that directs her to issue licenses sought by four couples, including two of the same sex, to marry in Rowan County, Kentucky, where Davis holds the office of clerk, an elected post.

The litigation has its origins in the events of June 26, when, within hours of a ruling by the court that upheld the right of same-sex couples to marry, Governor Steve Beshear directed clerks of counties throughout the Bluegrass State to license the marriages of same-sex couples.

The directive did not sit well with Davis, an Apostolic Christian who believes that marriage represents a union between one man and one woman. Kentucky requires that marriage licenses be signed by a county clerk, an act that Davis charges would violate her faith in applications by same-sex couples.

Davis improvised a way around the directive: She would refrain from issuing any marriage licenses. The betrothed sued, citing the governor’s decree. Judge David Bunning of the U.S. district court in Ashland sided with the couples but postponed the effective data of his ruling until this Monday to give Davis time to appeal. On Wednesday, the U.S. Court of Appeals for the 6th Circuit denied Davis’ request for a stay.

The requirement that clerks affix their names to marriage licenses would constitute a “searing act of personal validation [that] would forever, and irreversibly, echo in her conscience—and, if it happened, there is no absolution or correction that any earthly court can provide to rectify it,” Davis charged in papers filed with Justice Kagan, who oversees emergency appeals from Kentucky.

“A stay of the injunction will halt the irreversible implications on Davis’ conscience while this case undergoes appellate review, especially since multiple less restrictive alternatives are available that do not substantially burden Davis (or the Plaintiffs),” Davis added.

The application characterizes the need for relief as arising from a conflict between the constitutional right of same-sex couples to marry and the free exercise of religion enshrined in the First Amendment. Davis has two choices, she says: affix her name to marriage licenses for same-sex couples, or resign.

Of course, it’s unlikely the governor’s directive or the requirement that clerks in Kentucky affix their names to marriage licenses aim to interfere with religion. A law that punishes conduct just because it is religious is invalid. For example, a municipal ordinance may not prohibit ritual slaughter of chickens while otherwise allowing the slaughter of chickens.

The problem for Davis may be that it’s hard to find such intent behind the implementation of same-sex marriage in Kentucky. State law requires, among other things, that a marriage license bear the name of the county clerk pursuant to whose authority the license was issued. But by its terms the requirement seems to reflect simply that Kentucky has authorized the marriage rather than the beliefs of the clerk whose name happens to appear on the license.

In support of her application, Davis cites the Court’s ruling last year in Burwell v. Hobby Lobby Stores, which found the Affordable Care Act’s mandate that employer-sponsored health plans include coverage for contraceptives to be unlawful because it burdened the exercise of religion by a closely held corporation.

Davis leans on the Hobby Lobby majority’s finding that the health care law’s requirement that employers cover the cost of birth control did not constitute the least restrictive means of serving a compelling government interest, which is a test the court applies to claims the government has engaged in religious discrimination.

As Davis sees it, the state could assure the issuance of marriage licenses to same-sex couples in Rowan County by, among other things, allowing county officials to recuse themselves from issuing licenses based on a sincerely held religious objection, deputizing a clerk from a nearby county to issue marriage licenses to same-sex couples, or revising the form the state uses for marriage licenses to remove the clerk’s name.

“All of the foregoing options, and others, are available to avoid substantially burdening Davis’ personal religious freedom in the wake of the redefinition of marriage in Obergefell,” she writes.

No matter which way the Court rules—the justices can choose not to act and allow Davis to appeal in the normal course, or they can invite a response from the couples who sued—the application highlights one way Hobby Lobby reverberates.

In addition, by framing the problem as an issue of religious conscience rather than one of equal protection of the laws for same-sex couples, Davis advances a line of argument that, as Professor Wendy Brown of UC Berkeley observed in a lecture in July at the London School of Economics, finds its endorsement in the Hobby Lobby ruling.

Categories
Privacy Tech

The Internet of Things marks an anniversary for privacy

This September marks two years since the Federal Trade Commission ordered TRENDnet, a California-based maker of surveillance cameras and networking devices, to refrain from misrepresenting the security of its devices after feeds from hundreds of consumers’ cameras became public on the Internet.

According to the FTC, the company failed to use reasonable security to design and test software for its SecurView cameras. The omission allowed hackers to obtain feeds for roughly 700 cameras that showed babies asleep in their cribs, children playing, and adults coming and going.

The case, which TRENDnet settled by agreeing to strengthen digital security in its products and to implement a program that reduces risks to privacy, represented the first enforcement action by the FTC involving a consumer device that sends and receives data over the Internet, also known as the Internet of Things (IoT).

From mattresses that measure whether we toss and turn at night, to refrigerators that tell the grocer when it’s time to restock, to fitness trackers that encircle our wrists, the IoT represents a networking of everyday devices to improve—in theory, at least—how we live and work. The IoT includes meters that allow electric utilities to measure usage, monitors that give doctors access to our health data 24/7, and carpets and walls that detect when someone has fallen.

Though estimates vary, there are roughly 4.9 billion connected devices in the world, up 30% from 2014, according to Gartner, which projects 25 billion such devices by 2020. Data from mobile devices alone reached 2.5 exabytes per month (that’s one billion gigabytes) last year, up 69 percent from a year earlier, and is expected to exceed 24.3 exabytes per month by 2019, according to Cisco.

Or, as a character on the HBO series “Silicon Valley” exclaims: “Ninety-two percent of the world’s data has been created in the last two years alone!”

Devices can be difficult to secure. Seventy percent of the most common ones that constitute the IoT contain serious vulnerabilities, a study last year by Hewlett-Packard found. But what matters as much if not more is safeguarding the flood of data itself and ensuring that consumers know the terms of the exchange. Dominique Guinard, co-founder and and chief technical officer of Evrythng, a maker of platforms that tie devices together, observed recently in AdvertisingAge:

“In the data-driven world of IoT, the data that gets shared is more personal and intimate than in the current digital economy. For example, consumers have the ability to trade protected data such as health and medical information through their bathroom scale, perhaps for a better health insurance premium. But what happens if a consumer is supposed to lose weight, and ends up gaining it instead? What control can consumers exert over access to their data, and what are the consequences?”

Guinard envisions contracts between consumers and manufacturers that adjust over time and address what happens when data becomes unfavorable to the consumer. The FTC has discussed similar approaches. In a report published last January, the agency presented results of a workshop at which participants examined security for the IoT as measured by Fair Information Practices, a code established in 1973 by the U.S. Department of Health, Education and Welfare and later adopted by the Organization for Economic Cooperation and Development that has provided a framework for thinking about privacy since.

At the workshop the FTC and participants focused on the application of four practices as they pertain to the IoT: security, data minimization, notice, and choice. Participants stressed the benefit of so-called security by design, which holds that companies build security into devices at the outset rather than as an afterthought. Minimization refers to companies imposing reasonable limits on collection and retention of data. Less is more, you might say.

Notice refers to how a company describes its privacy practices, including what information the company collects from consumers. Choice addresses the ability of consumers to specify how such information may be used, disclosed and shared.

The meaningfulness of both notice and choice turn in part on consumers’ expectations. Among scenarios posited by the FTC:

“Suppose a consumer buys a smart oven from ABC Vending, which is connected to an ABC Vending app that allows the consumer to remotely turn the oven on to the setting, ‘Bake at 400 degrees for one hour.’ If ABC Vending decides to use the consumer’s oven-usage information to improve the sensitivity of its temperature sensor or to recommend another of its products to the consumer, it need not offer the consumer a choice for these uses, which are consistent with its relationship with the consumer. On the other hand, if the oven manufacturer shares a consumer’s personal data with, for example, a data broker or an ad network, such sharing would be inconsistent with the context of the consumer’s relationship with the manufacturer, and the company should give the consumer a choice.”

Technology may help. The Future of Privacy Forum, a Washington-based think tank that advocates for responsible data practices, suggested in comments to the FTC that companies tag data with permissible uses so that software can identity and flag unauthorized uses. Microsoft envisioned a manufacturer that offers more than one device using a consumer’s preference for one to determine a default preference for others.

As the proposals suggest, notice and choice can be a challenge to achieve when our appliances collect data while we go about our lives. But as the FTC observed, “giving consumers information and choices about their data… continues to be the most viable [approach] for the IoT in the foreseeable future.”