Category: Privacy (Electronic Surveillance)

4

Cyberstalking, Still Ignored (Really)

Since Friday, the news has been abuzz about the resignation of General Patraeus and the FBI investigation of alleged cyber stalking that led to the exposure of his affair and potential security risk — blackmail — that such an affair raises.  According to today’s New York Times and other media coverage, the FBI agent who spearheaded the cyber stalking investigation was not really seeking to enforce the federal Interstate Stalking law.  Instead, the agent thought, “This is serious” because the e-mail sender “seem[ed] to know the comings and goings of a couple of generals.’”  The FBI agent supposedly worried that might suggest the Generals were being stalked in ways that could compromise national security.  The Times explains that the agent “doggedly pursued Ms. Kelley’s cyberstalking complaint,” despite being admonished by supervisors who thought he was trying to improperly insert himself into the investigation.  What’s clear: the agent pursued a criminal investigation of Ms. Broadwell for allegedly stalking Ms. Kelley (though it’s clear that is not the stalking that worried the FBI), which served as the basis for the warrant obtained by the FBI to retrieve Broadwell’s e-mails and ultimately obtain the e-mails of General Patraeus.  This investigation used cyber stalking of Ms. Kelley as a pretext to obtain Ms. Broadwell’s e-mails and hence to better understand what the agent thought was the sexual nature of the relationship between Ms. Broadwell and the General.

On first hearing about the investigation, I never kidded myself that the FBI was taking cyber stalking seriously.  That is not to say that they never do, but the typical response to cyber stalking complaints is to advise victims to turn off their computers, to return to the precinct when their stalkers confront them offline, to pursue their harassers with civil suits, and/or to ignore their attackers who will eventually get bored.  Or as cyber stalking victims have told me, law enforcement agents, both federal and state, incorrectly tell them that criminal law provides little help to cyber stalking victims.  (Federal and state law often does punish repeated online conduct directed at private individuals for no legitimate reason that is designed to cause substantial emotional distress that does in fact cause substantial emotional distress, 18 U.S.C. 2261A(2)(A)).  Indeed, little has changed since the Department of Justice reported in 2001 that the majority of law enforcement agencies refused to investigate cyber stalking cases because they lacked training to understand the seriousness of the attacks and the potential legal responses.  Part of the problem may be attributable to officers’ poor response to stalking generally.  According to the 2009 National Crime Victimization Survey, stalking continues to be frequently overlooked and often misunderstood.  Half of those surveyed explained  that officers took a report and did nothing else.  Almost 19% reported that officers did nothing at all.  They attributed police inaction to a lack of interest in getting involved, a sense that no legal authority existed, and incompetence.  Lack of training and troubling social attitudes are to blame for criminal law’s under-enforcement.

15

Harvard Law Review Symposium on Privacy & Technology

This Friday, November 9th, I will be introducing and participating in the Harvard Law Review’s symposium on privacy and technology.  The symposium is open to the public, and is from 8:30 AM to 4:30 PM at Harvard Law School (Langdell South).

I have posted a draft of my symposium essay on SSRN, where it can be downloaded for free.  The essay will be published in the Harvard Law Review in 2013.  My essay is entitled Privacy Self-Management and the Consent Paradox, and I discuss what I call the “privacy self-management model,” which is the current regulatory approach for protecting privacy — the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their data. I demonstrate how this model fails to serve as adequate protection of privacy, and I argue that privacy law and policy must confront a confounding paradox with consent.  Currently, consent to the collection, use, and disclosure of personal data is often not meaningful, but the most apparent solution — paternalistic measures — even more directly denies people the freedom to make consensual choices about their data.

I welcome your comments on the draft, which will undergo considerable revision in the months to come.  In future posts, I plan to discuss a few points that I raise my essay, so I welcome your comments in these discussions as well.

The line up of the symposium is as follows:

Symposium 2012:
Privacy & Technology

Daniel J. Solove
George Washinton University
“Introduction: Privacy Self-Management and the Consent Paradox”

Jonathan Zittrain
Harvard Law School

Paul Schwartz
Berkeley Law School
“The E.U.-U.S. Privacy Collision”

Lior Strahilevitz
University of Chicago
“A Positive Theory of Privacy”

Julie Cohen
Georgetown University
“What Privacy is For”

Neil Richards
Washington University
“The Harms of Surveillance”

Danielle Citron
University of Maryland

Anita Allen
University of Pennsylvania

Orin Kerr
George Washington University

Alessandro Acquisti
Carnegie Mellon University

Latanya Sweeney
Harvard University

Joel Reidenberg
Fordham University

Paul Ohm
University of Colorado

Tim Wu
Columbia University

Thomas Crocker
University of South Carolina

Danny Weitzner
MIT

6

PETs, Law and Surveillance

In Europe, privacy is considered a fundamental human right. Section 8 of the European Convention of Human Rights (ECHR) limits the power of the state to interfere in citizens’ privacy, ”except such as is in accordance with the law and is necessary in a democratic society”. Privacy is also granted constitutional protection in the Fourth Amendment to the United States Constitution. Both the ECHR and the US Constitution establish the right to privacy as freedom from government surveillance (I’ll call this “constitutional privacy”). Over the past 40 years, a specific framework has emerged to protect informational privacy (see here and here and here and here); yet this framework (“information privacy”) provides little protection against surveillance by either government or private sector organizations. Indeed, the information privacy framework presumes that a data controller (i.e., a government or business organization collecting, storing and using personal data) is a trusted party, essentially acting as a steward of individual rights. In doing so, it overlooks the fact that organizations often have strong incentives to subject individuals to persistent surveillance; to monetize individuals’ data; and to maximize information collection, storage and use.

Read More

0

More on government access to private sector data

Last week I blogged here about a comprehensive survey on systematic government access to private sector data, which will be published in the next issue of International Data Privacy Law, an Oxford University Press law journal edited by Christopher Kuner. Several readers have asked whether the results of the survey are available online. Well, now they are – even before publication of the special issue. The project, which was organized by Fred Cate and Jim Dempsey and supported by The Privacy Projects, covered government access laws in AustraliaCanadaChinaGermanyIsraelJapanUnited Kingdom and United States.

Peter Swire’s thought provoking piece on the increased importance of government access to the cloud in an age of encrypted communications appears here. Also see the special issue’s editorial, by Fred, Jim and Ira Rubinstein.

 

2

On systematic government access to private sector data

The Sixth Circuit Court of Appeals has recently decided in United States v. Skinner that police does not need a warrant to obtain GPS location data for mobile phones. The decision, based on the holding of the Supreme Court in US v. Jones, highlights the need for a comprehensive reform of rules on government access to communications non-contents information (“communications data”). Once consisting of only a list of phone numbers dialed by a customer (a “pen register”), communications data have become rife with personal information, including location, clickstream, social contacts and more.

To a non-American, the US v. Jones ruling is truly astounding in its narrow scope. Clearly, the Justices aimed to sidestep the obvious question of expectation of privacy in public spaces. The Court did hold that the attachment of a GPS tracking device to a vehicle and its use to monitor the vehicle’s movements constitutes a Fourth Amendment “search”. But it based its holding not on the persistent surveillance of the suspect’s movements but rather on a “trespass to chattels” inflicted when a government agent ever-so-slightly touched the suspect’s vehicle to attach the tracking device. In the opinion of the Court, it was the clearly insignificant “occupation of property” (touching a car!) rather than the obviously weighty location tracking that triggered constitutional protection.

Suffice it to say, that to an outside observer, the property infringement appears to have been a side issue in both Jones and Skinner. The main issue of course is government power to remotely access information about an individual’s life, which is increasingly stored by third parties in the cloud. In most cases past – and certainly present and future – there is little need to trespass on an individual’s property in order to monitor her every move. Our lives are increasingly mediated by technology. Numerous third parties possess volumes of information about our finances, health, online endeavors, geographical movements, etc. For effective surveillance, the government typically just needs to ask.

This is why an upcoming issue of International Data Privacy Law (IDPL) (an Oxford University Press law journal), which is devoted to systematic government access to private sector data, is so timely and important. The special issue covers rules on government access in multiple jurisdictions, including the US, UK, Germany, Israel, Japan, China, India, Australia and Canada.

Read More

11

Why Justice Goldberg Cared So Much About Privacy

David Stebenne gave a fascinating talk today about how the personal experiences of Justice Goldberg made him very sensitive to privacy, and led to his strong pro-privacy concurrence in the Griswold case that established a right to privacy for use of contraceptives.  David is a legal historian at Ohio State, now has a joint appointment with our law school, and spoke today at a John Marshall Law School conference on the history of privacy from Brandeis to today.

Stebenne has written a biography of Goldberg, and is a master of the historical record. Look at these personal experiences that shaped Justice Goldberg’s views on privacy:

(1) Brandeis and Warren-style press intrusions.  Goldberg was the leading lawyer for the Steelworkers Union and the CIO during the 1950’s.  The unions were subjected to many hostile press articles, often describing (or exaggerating) union corruption.  The sorts of press excesses, at the center of the Brandeis and Warren privacy article, were lived by Goldberg.

(2) Intrusive police surveillance.  The Steelworkers and other unions were pervasively wiretapped in the 1950’s.  In one 1957 board meeting, the leadership reported that there were so many wiretaps on the line that they could barely hear each other talk.

(3) Mistaken FBI files.  The FBI opened a file before World War II about a different person named Arthur Goldberg, who had suspected links to the Communist Party.  Years later, Goldberg found out that a huge file had been accumulated on him based on this original, mistaken report.  He met with the FBI, and had the unusual good fortune to clear the matter up.   But he learned personally how invasive and unreliable FBI files could be.

(4) CIA spy and counter-spy.  During World War II, Goldberg worked for the OSS, the predecessor of the CIA.  For part of that time he was the target of enemy espionage himself.  He knew the CIA kept a close eye on his clients in the labor movement, and thus knew more than most about the nature and scale of domestic surveillance by the government.

In short, Goldberg was not a privileged person who knew he had nothing to hide. Instead, he had direct personal experience with the intrusiveness and mistakes that could result from the media, intelligence agencies, and new technologies.

Insight can come from personal experience.  Among other lessons from this history, it suggests some virtues of having judges and justices with a wide range of personal experience.

3

Laws Regulating PII

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other
states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or
reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

4

Brin’s “Existence,” the Fermi Paradox, and the Future of Privacy

I just finished David Brin’s “Existence,” his biggest new novel in years.  Brin, as some readers know, has won multiple Hugo and Nebula awards for best science fiction writing.  He also wrote the 1999 non-fiction book “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?”.  More about that in a bit.

Existence is full of big ideas.  A main focus is on the Fermi Paradox, which observes that we would expect to find other forms of life out there among the hundreds of billions of suns, but we haven’t seen evidence of that life yet.  If you haven’t ever thought through the Fermi Paradox, I think it is a Genuine Big Question, and well worth contemplating.  Fortunately for those who like their science mixed with fiction, Brin weaves fifty or so possible answers to the Fermi Paradox into his 550-page novel.  Does climate change kill off other races?  Nuclear annihilation?  Do aliens upload themselves into computers once they get sophisticated (the “singularity”), so we never detect them across the void?  And a lot, lot more.

It took me a little while to get into the book, but I read the last few hundred pages in a rush.  I’ve had the pleasure to know Brin for a bunch of years, and find him personally and intellectually engaging.  I was pleased to read this, because I think it will intrigue curious minds for a long time as our telescopic views of other planets deepen our puzzlement about the Fermi Paradox.

As for privacy, my own view is that the privacy academics didn’t take his 1999 book seriously enough as an intellectual event.  One way to describe Brin’s insight is to say that surveillance in public becomes cheaper and more pervasive over time.  For Brin, having “control” over your face, eye blinks, location, etc., etc. becomes futile and often counter-productive once cameras and other sensors are pervasive and searchable.  Brin picked up on these themes in his earlier novel, “Earth,” when elderly people used video cameras to film would-be muggers, deterring the attacks.  In the new novel, the pervasive use of the 2060 version of Google Glasses means that each person is empowered to see data overlays for any person they meet.  (This part is similar to the novel “Rainbow’s End” by Brin’s friend Vernor Vinge.)

Surveillance in public is a big topic these days.  I’ve worked with CDT and EFF on USvJones.com, which asked law academics to propose doctrine for surveillance in public.  Facial recognition and drones are two of the hot privacy topics of the year, and each are significant steps towards the pervasive sensor world that Brin contemplated in his 1999 book.

So, if you like thinking about Big Ideas in novel form, buy Existence.  And, if you would like to retain the Fair Information Principles in a near future of surveillance in public, consider Brin more carefully  when you imagine how life will and should be in the coming decades.

2

United States v. Skinner: Developments in the Surveillance State and a Response

It’s not news to CoOp readers that Fourth Amendment law is in a state of confusion over how to deal with ever-expanding capacities of state agents to collect information about our movements and activities using a range of surveillance technologies.  My colleague David Gray and I have spent lots of time thinking and writing about the fog surrounding this issue in light of United States v. Jones.  So we write this post together — Professor David Gray is my brilliant colleague who has been a guest for us in the past.  So here is what is on our minds:

The Supreme Court avoided a four-square engagement with these issues last term in Jones by rehabilitating a long-forgotten, but not lost, property-based test of Fourth Amendment search.  For most of us, however, the real action in the opinion was in the concurrences, which make clear that five justices are ready to hold that we may have a reasonable expectation of privacy in massive aggregates of data, even if not that is not true for the constituent parts.  The focus of the academic debate after Jones, including a really fascinating session at the Privacy Law Scholars Conference in June, has largely focused on the pros and cons of the “mosaic” theory, which would assess Fourth Amendment interests in quantitative privacy on a case-by-case basis by asking whether law enforcement had gathered too much information on their subject in the course of their investigation.  Justice Alito, writing for himself and three others, appeared to endorse the mosaic theory in Jones, and therefore would have held that law enforcement engaged in a Fourth Amendment search by using a GPS-enabled tracking device to monitor Jones’s movements over public streets for 28 days, generating over 2,000 pages of data along the way.

Before the ink was dry in Jones, Orin Kerr was out with a powerful critique.  Orin’s concerns, which Justice Scalia seems to share, are doctrinal and practical.  Christopher Slobogin has since offered a very thoughtful defense of the mosaic theory, which comes complete with a model statute complete with commentary (take notice Chief Justice Roberts!).  Professor Gray and I just posted an article on SSRN arguing that, by focusing on the mosaic theory, much of the conversation about technology and the Fourth Amendment has gone badly wrong after Jones.  The Sixth Circuit’s opinion in United States v. Skinner confirms the worst of our concerns.  Another nod to Orin Kerr for putting a spotlight on this decision over at the Volokh Conspiracy.

The question put to the court in Skinner was whether the “use of the GPS location information emitted from [Skinner’s] cell phone was a warrantless search that violated the Fourth Amendment . . . .”  Writing for himself and Judge Clay, Judge Rogers held that “Skinner did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location” in the same way that “the driver of a getaway car has no expectation of privacy in the particular combination of colors of his car’s paint.”  Because the officers tracking Skinner only did so for three days, Judge Rogers also saw no quantitative privacy interest at stake.

Skinner is confusing in many ways.  The court is not entirely clear on what tracking technology was used, how it was used, which line of Fourth Amendment doctrine it relied upon, or how its holding can be reconciled with Kyllo.  For now, let’s bypass those issues to focus on what we take to be a dangerous implication of Skinner and perhaps the mosaic theory as well.  According to Judge Rogers, none of us has “a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought.”  That is, there is absolutely no Fourth Amendment prohibition on law enforcement’s using the GPS devices installed in our phone, cars, and computers, or trilateration between cellular towers to track any of us at anytime.  Because there are no real practical limitations on the scope of surveillance that these technologies can achieve, Judge Rogers’s holding licenses law enforcement to track us all of the time.  The mosaic theory might step in if the government tracks any one of us for too long, but it preserves the possibility that, at any given time, any of us or all of us may be subject to close government surveillance.

We think that something has gone terribly wrong if the Fourth Amendment is read as giving license to a surveillance state.  As we argue in our article, programs of broad and indiscriminate surveillance have deleterious effects on our individual development and our collective democratic processes.  These concerns are familiar in the information privacy law context, where we have spent nearly fifty years talking about  dataveillance and digital dossiers, but they have clear footing in the Fourth Amendment as well.  More precisely, we argue that a fundamental purpose of the Fourth Amendment is to serve as a bulwark against the rise of a surveillance state.  It should be read as denying law enforcement officers unfettered access to investigative technologies that are capable of facilitating broad programs of indiscriminate surveillance.  GPS-enabled tracking is pretty clearly one of these technologies, and therefore should be subject to the crucible of Fourth Amendment reasonableness—at least on our technology-centered approach to quantitative privacy.

3

There is no new thing under the sun

Photo: Like it’s namesake, the European Data Protection Directive (“DPD”), this Mercedes is old, German-designed, clunky and noisy – yet effective. [Photo: Omer Tene]

 

Old habits die hard. Policymakers on both sides of the Atlantic are engaged in a Herculean effort to reform their respective privacy frameworks. While progress has been and will continue to be made for the next year or so, there is cause for concern that at the end of the day, in the words of the prophet, “there is no new thing under the sun” (Ecclesiastes 1:9).

The United States: Self Regulation

The United States legal framework has traditionally been a quiltwork of legislative patches covering specific sectors, such as health, financial, and children’s data. Significantly, information about individuals’ shopping habits and, more importantly, online and mobile browsing, location and social activities, has remained largely unregulated (see overview in my article with Jules Polonetsky, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising). While increasingly crafty and proactive in its role as a privacy enforcer, the FTC has had to rely on the slimmest of legislative mandates, Section 5 of the FTC Act, which prohibits ‘‘unfair or deceptive acts or practices”.

 

To be sure, the FTC has had impressive achievements; reaching consent decrees with Google and Facebook, both of which include 20-year privacy audits; launching a serious discussion of a “do-not-track” mechanism; establishing a global network of enforcement agencies; and more. However, there is a limit as to the mileage that the FTC can squeeze out of its opaque legislative mandate. Protecting consumers against “deceptive acts or practices” does not amount to protecting privacy: companies remain at liberty to explicitly state they will do anything and everything with individuals’ data (and thus do not “deceive” anyone when they act on their promise). And prohibiting ‘‘unfair acts or practices” is as vague a legal standard as can be; in fact, in some legal systems it might be considered anathema to fundamental principles of jurisprudence (nullum crimen sine lege). While some have heralded an emerging “common law of FTC consent decrees”, such “common law” leaves much to be desired as it is based on non-transparent negotiations behind closed doors, resulting in short, terse orders.

 

This is why legislating the fundamental privacy principles, better known as the FIPPs (fair information practice principles), remains crucial. Without them, the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous. Indeed, in its March 2012 “blueprint” for privacy protection, the White House called for legislation codifying the FIPPs (referred to by the White House as a “consumer privacy bill of rights”). Yet Washington insiders warn that the prospects of the FIPPs becoming law are slim, not only in an election year, but also after the elections, without major personnel changes in Congress.

Read More