Category: Privacy (Law Enforcement)

4

In Honor of Alan Westin: Privacy Trailblazer, Seer, and Changemaker

Privacy leading light Alan Westin passed away this week.  Almost fifty years ago, Westin started his trailblazing work helping us understand the dangers of surveillance technologies.  Building on the work that Warren and Brandeis started in “The Right to Privacy” in 1898, Westin published Privacy and Freedom in 1967.  A year later, he took his normative case for privacy to the trenches.  As Director of the National Academy of Science’s Computer Science and Engineering Board, he and a team of researchers studied governmental, commercial, and private organizations using databases to amass, use, and share personal information.  Westin’s team interviewed 55 organizations, from local law enforcement, federal agencies like the Social Security Administration, and direct-mail companies like R.L. Polk (a predecessor to our behavioral advertising industry).

The 1972 report, Databanks in a Free Society: Computers, Record-Keeping, and Privacy, is a masterpiece.  With 14 case studies, the report made clear the extent to which public and private entities had been building substantial computerized dossiers of people’s activities and the risks to economic livelihood, reputation, and self-determination.  It demonstrated the unrestrained nature of data collection and sharing, with driver’s license bureaus selling personal information to direct-mail companies and law enforcement sharing arrest records with local and state agencies for employment and licensing matters.  Surely influenced by Westin’s earlier work, some data collectors, like the Kansas City Police Department, talked to the team about privacy protections, suggesting the need for verification of source documents, audit logs, passwords, and discipline for improper use of data. Westin’s report called for data collectors to adopt ethical procedures for data collection and sharing, including procedural protections such as notice and chance to correct inaccurate or incomplete information, data minimization requirements, and sharing limits.

Westin’s work shaped the debate about the right to privacy at the dawn of our surveillance era. His changing making agenda was front and center of  the Privacy Act of 1974.  In the early 1970s, nearly fifty congressional hearings and reports investigated a range of data privacy issues, including the use of census records, access to criminal history records, employers’ use of lie detector tests, and the military and law enforcement’s monitoring of political dissidents. State and federal executives spearheaded investigations of surveillance technologies including a proposed National Databank Center.

Just as public discourse was consumed with the “data-bank problem,” the courts began to pay attention. In Whalen v. Roe, a 1977 case involving New York’s mandatory collection of prescription drug records, the Supreme Court strongly suggested that the Constitution contains a right to information privacy based on substantive due process. Although it held that the state prescription drug database did not violate the constitutional right to information privacy because it was adequately secured, the Court recognized an individual’s interest in avoiding disclosure of certain kinds of personal information. Writing for the Court, Justice Stevens noted the “threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.”  In a concurring opinion, Justice Brennan warned that the “central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.”

What Westin underscored so long ago, and what Whalen v. Roe signaled, technologies used for broad, indiscriminate, and intrusive public surveillance threaten liberty interests.  Last term, in United States v. Jones, the Supreme Court signaled that these concerns have Fourth Amendment salience. Concurring opinions indicate that at least five justices have serious Fourth Amendment concerns about law enforcement’s growing surveillance capabilities. Those justices insisted that citizens have reasonable expectations of privacy in substantial quantities of personal information.  In our article “The Right to Quantitative Privacy,” David Gray and I are seeking to carry forward Westin’s insights (and those of Brandeis and Warren before him) into the Fourth Amendment arena as the five concurring justices in Jones suggested.  More on that to come, but for now, let’s thank Alan Westin for his extraordinary work on the “computerized databanks” problem.

 

0

Video Voyeurism

Recall that during the spring, a jury convicted Dahrun Ravi of criminal invasion of privacy along with a bias intimidation charge for surreptitiously using his webcam to live stream his roommate’s sexual encounter and for attempting to do so a second time.  Here comes word of another criminal invasion of privacy case, this time in Maryland.  Apparently, a Howard County man broke into the apartments of two young women, installing a video camera in their bathrooms and bedrooms.  The man has been charged with burglary and video surveillance “with a prurient interest.”  The man apparently knew the women, allowing him to steal and copy their apartment keys.  According to news reports, the suspect filmed himself installing the cameras.  Apparently, Maryland law aims to punish and deter sexualized privacy invasions by requiring proof of prurient interest.  Besides the Ravi case, another criminal matter that comes to mind is the Erin Andrews stalking case.  Much like the criminal case against Ms. Andrews’s stalker, prosecutors might also have charged the defendant with criminal harassment, that is, repeated conduct designed to cause victim substantial emotional distress with intent to cause substantial emotional distress.  On the civil side of things, the women can surely sue their harasser for tort privacy’s intrusion on seclusion, which protects against invasions of someone’s solitude or her “private affairs or concerns” that would be “highly offensive to the reasonable person.”  As I head off to speak at the Harvard Law Review’s symposium on Privacy and Technology where I will be commenting on Neil Richards’s excellent essay “The Dangers of Surveillance” (and as I write my book Hate 3.0: The Rise of Cyber Harassment and How to Stop It, forthcoming in Harvard University Press), this case could not be more timely.  You can check out David Gray’s and my response to Neil’s paper, a draft of which is posted on the HLR website.

15

Harvard Law Review Symposium on Privacy & Technology

This Friday, November 9th, I will be introducing and participating in the Harvard Law Review’s symposium on privacy and technology.  The symposium is open to the public, and is from 8:30 AM to 4:30 PM at Harvard Law School (Langdell South).

I have posted a draft of my symposium essay on SSRN, where it can be downloaded for free.  The essay will be published in the Harvard Law Review in 2013.  My essay is entitled Privacy Self-Management and the Consent Paradox, and I discuss what I call the “privacy self-management model,” which is the current regulatory approach for protecting privacy — the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their data. I demonstrate how this model fails to serve as adequate protection of privacy, and I argue that privacy law and policy must confront a confounding paradox with consent.  Currently, consent to the collection, use, and disclosure of personal data is often not meaningful, but the most apparent solution — paternalistic measures — even more directly denies people the freedom to make consensual choices about their data.

I welcome your comments on the draft, which will undergo considerable revision in the months to come.  In future posts, I plan to discuss a few points that I raise my essay, so I welcome your comments in these discussions as well.

The line up of the symposium is as follows:

Symposium 2012:
Privacy & Technology

Daniel J. Solove
George Washinton University
“Introduction: Privacy Self-Management and the Consent Paradox”

Jonathan Zittrain
Harvard Law School

Paul Schwartz
Berkeley Law School
“The E.U.-U.S. Privacy Collision”

Lior Strahilevitz
University of Chicago
“A Positive Theory of Privacy”

Julie Cohen
Georgetown University
“What Privacy is For”

Neil Richards
Washington University
“The Harms of Surveillance”

Danielle Citron
University of Maryland

Anita Allen
University of Pennsylvania

Orin Kerr
George Washington University

Alessandro Acquisti
Carnegie Mellon University

Latanya Sweeney
Harvard University

Joel Reidenberg
Fordham University

Paul Ohm
University of Colorado

Tim Wu
Columbia University

Thomas Crocker
University of South Carolina

Danny Weitzner
MIT

0

More on government access to private sector data

Last week I blogged here about a comprehensive survey on systematic government access to private sector data, which will be published in the next issue of International Data Privacy Law, an Oxford University Press law journal edited by Christopher Kuner. Several readers have asked whether the results of the survey are available online. Well, now they are – even before publication of the special issue. The project, which was organized by Fred Cate and Jim Dempsey and supported by The Privacy Projects, covered government access laws in AustraliaCanadaChinaGermanyIsraelJapanUnited Kingdom and United States.

Peter Swire’s thought provoking piece on the increased importance of government access to the cloud in an age of encrypted communications appears here. Also see the special issue’s editorial, by Fred, Jim and Ira Rubinstein.

 

2

On systematic government access to private sector data

The Sixth Circuit Court of Appeals has recently decided in United States v. Skinner that police does not need a warrant to obtain GPS location data for mobile phones. The decision, based on the holding of the Supreme Court in US v. Jones, highlights the need for a comprehensive reform of rules on government access to communications non-contents information (“communications data”). Once consisting of only a list of phone numbers dialed by a customer (a “pen register”), communications data have become rife with personal information, including location, clickstream, social contacts and more.

To a non-American, the US v. Jones ruling is truly astounding in its narrow scope. Clearly, the Justices aimed to sidestep the obvious question of expectation of privacy in public spaces. The Court did hold that the attachment of a GPS tracking device to a vehicle and its use to monitor the vehicle’s movements constitutes a Fourth Amendment “search”. But it based its holding not on the persistent surveillance of the suspect’s movements but rather on a “trespass to chattels” inflicted when a government agent ever-so-slightly touched the suspect’s vehicle to attach the tracking device. In the opinion of the Court, it was the clearly insignificant “occupation of property” (touching a car!) rather than the obviously weighty location tracking that triggered constitutional protection.

Suffice it to say, that to an outside observer, the property infringement appears to have been a side issue in both Jones and Skinner. The main issue of course is government power to remotely access information about an individual’s life, which is increasingly stored by third parties in the cloud. In most cases past – and certainly present and future – there is little need to trespass on an individual’s property in order to monitor her every move. Our lives are increasingly mediated by technology. Numerous third parties possess volumes of information about our finances, health, online endeavors, geographical movements, etc. For effective surveillance, the government typically just needs to ask.

This is why an upcoming issue of International Data Privacy Law (IDPL) (an Oxford University Press law journal), which is devoted to systematic government access to private sector data, is so timely and important. The special issue covers rules on government access in multiple jurisdictions, including the US, UK, Germany, Israel, Japan, China, India, Australia and Canada.

Read More

3

Laws Regulating PII

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other
states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or
reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

0

Privacy, Masks and Religion

Basking & masking. In China, where sun tan is negatively stigmatized, beach goers wear masks.

One of the most significant developments for privacy law over the past few years has been the rapid erosion of privacy in public. As recently as a decade ago, we benefitted from a fair degree of de facto privacy when walking the streets of a city or navigating a shopping mall. To be sure, we were in plain sight; someone could have seen and followed us; and we would certainly be noticed if we took off our clothes. After all, a public space was always less private than a home. Yet with the notable exception of celebrities, we would have generally benefitted from a fair degree of anonymity or obscurity. A great deal of effort, such as surveillance by a private investigator or team of FBI agents, was required to reverse that. [This, by the way, isn’t a post about US v. Jones, which I will write about later].

 

Now, with mobile tracking devices always on in our pockets; with GPS enabled cars; surveillance cameras linked to facial recognition technologies; smart signage (billboards that target passersby based on their gender, age, or eventually identity); and devices with embedded RFID chips – privacy in public is becoming a remnant of the past.

 

Location tracking is already a powerful tool in the hands of both law enforcement and private businesses, offering a wide array of localized services from restaurant recommendations to traffic reports. Ambient social location apps, such as Glancee and Banjo, are increasingly popular, creating social contexts based on users’ location and enabling users to meet and interact.

 

Facial recognition is becoming more prevalent. This technology too can be used by law enforcement for surveillance or by businesses to analyze certain characteristics of their customers, such as their age, gender or mood (facial detection) or downright identify them (facial recognition). One such service, which was recently tested, allows individuals to check-in to a location on Facebook through facial scanning.

 

Essentially, our face is becoming equivalent to a cookie, the ubiquitous online tracking device. Yet unlike cookies, faces are difficult to erase. And while cellular phones could in theory be left at home, we very rarely travel without them. How will individuals react to a world in which all traces of privacy in public are lost?

Read More

2

United States v. Skinner: Developments in the Surveillance State and a Response

It’s not news to CoOp readers that Fourth Amendment law is in a state of confusion over how to deal with ever-expanding capacities of state agents to collect information about our movements and activities using a range of surveillance technologies.  My colleague David Gray and I have spent lots of time thinking and writing about the fog surrounding this issue in light of United States v. Jones.  So we write this post together — Professor David Gray is my brilliant colleague who has been a guest for us in the past.  So here is what is on our minds:

The Supreme Court avoided a four-square engagement with these issues last term in Jones by rehabilitating a long-forgotten, but not lost, property-based test of Fourth Amendment search.  For most of us, however, the real action in the opinion was in the concurrences, which make clear that five justices are ready to hold that we may have a reasonable expectation of privacy in massive aggregates of data, even if not that is not true for the constituent parts.  The focus of the academic debate after Jones, including a really fascinating session at the Privacy Law Scholars Conference in June, has largely focused on the pros and cons of the “mosaic” theory, which would assess Fourth Amendment interests in quantitative privacy on a case-by-case basis by asking whether law enforcement had gathered too much information on their subject in the course of their investigation.  Justice Alito, writing for himself and three others, appeared to endorse the mosaic theory in Jones, and therefore would have held that law enforcement engaged in a Fourth Amendment search by using a GPS-enabled tracking device to monitor Jones’s movements over public streets for 28 days, generating over 2,000 pages of data along the way.

Before the ink was dry in Jones, Orin Kerr was out with a powerful critique.  Orin’s concerns, which Justice Scalia seems to share, are doctrinal and practical.  Christopher Slobogin has since offered a very thoughtful defense of the mosaic theory, which comes complete with a model statute complete with commentary (take notice Chief Justice Roberts!).  Professor Gray and I just posted an article on SSRN arguing that, by focusing on the mosaic theory, much of the conversation about technology and the Fourth Amendment has gone badly wrong after Jones.  The Sixth Circuit’s opinion in United States v. Skinner confirms the worst of our concerns.  Another nod to Orin Kerr for putting a spotlight on this decision over at the Volokh Conspiracy.

The question put to the court in Skinner was whether the “use of the GPS location information emitted from [Skinner’s] cell phone was a warrantless search that violated the Fourth Amendment . . . .”  Writing for himself and Judge Clay, Judge Rogers held that “Skinner did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location” in the same way that “the driver of a getaway car has no expectation of privacy in the particular combination of colors of his car’s paint.”  Because the officers tracking Skinner only did so for three days, Judge Rogers also saw no quantitative privacy interest at stake.

Skinner is confusing in many ways.  The court is not entirely clear on what tracking technology was used, how it was used, which line of Fourth Amendment doctrine it relied upon, or how its holding can be reconciled with Kyllo.  For now, let’s bypass those issues to focus on what we take to be a dangerous implication of Skinner and perhaps the mosaic theory as well.  According to Judge Rogers, none of us has “a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought.”  That is, there is absolutely no Fourth Amendment prohibition on law enforcement’s using the GPS devices installed in our phone, cars, and computers, or trilateration between cellular towers to track any of us at anytime.  Because there are no real practical limitations on the scope of surveillance that these technologies can achieve, Judge Rogers’s holding licenses law enforcement to track us all of the time.  The mosaic theory might step in if the government tracks any one of us for too long, but it preserves the possibility that, at any given time, any of us or all of us may be subject to close government surveillance.

We think that something has gone terribly wrong if the Fourth Amendment is read as giving license to a surveillance state.  As we argue in our article, programs of broad and indiscriminate surveillance have deleterious effects on our individual development and our collective democratic processes.  These concerns are familiar in the information privacy law context, where we have spent nearly fifty years talking about  dataveillance and digital dossiers, but they have clear footing in the Fourth Amendment as well.  More precisely, we argue that a fundamental purpose of the Fourth Amendment is to serve as a bulwark against the rise of a surveillance state.  It should be read as denying law enforcement officers unfettered access to investigative technologies that are capable of facilitating broad programs of indiscriminate surveillance.  GPS-enabled tracking is pretty clearly one of these technologies, and therefore should be subject to the crucible of Fourth Amendment reasonableness—at least on our technology-centered approach to quantitative privacy.

3

Social Media and Chat Monitoring

Suppose a system could help alert people to online sexual predators? Many might like that. But suppose that same system could allow people to look for gun purchasers, government critics, activists of any sort; what would we say then? The tension between these possibilities is before us. Mashable reports that Facebook and other platforms are now monitoring chats to see whether criminal activity is suspected. The article focuses on the child predator use case. Words are scanned for danger signals. Then “The software pays more attention to chats between users who don’t already have a well-established connection on the site and whose profile data indicate something may be wrong, such as a wide age gap. The scanning program is also ‘smart’ — it’s taught to keep an eye out for certain phrases found in the previously obtained chat records from criminals including sexual predators.” After a flag is raised a person decides whether to notify police. The other uses of such a system are not discussed in the article. Yet again, we smash our heads against the speech, security, privacy walls. I expect some protests and some support for the move. Blood may spill on old battlegrounds. Nonetheless, I think that the problems the practice creates merit the fight. The privacy harms and the speech harms mean that even if there are small “false positives” in the sexual predator realm, why a company gets to decide to notify police, how the system might be co-opted for other uses, and the affect on people’s ability to talk online should be sorted as social platforms start to implement monitoring systems.

0

Lend me your ears, no really. I need them to ID you.

Researcher Mark Nixon at the University of Southampton “believes that using photos of individual ears matched against a comparative database could be as distinctive a form of identification as fingerprints.”

According to the University’s news site the claim is that: “Using ears for identification has clear advantages over other kinds of biometric identification, as, once developed, the ear changes little throughout a person’s life. This provides a cradle-to-grave method of identification.”

Ok so they are not taking ears. The method involves cameras, scans, and techniques you may know about from facial recognition. This article has a little more detail. As an A.I. system it probably is pretty cool. Still, it sounds so odd that I wonder whether this work has considered the whole piercing, large gauge trend. I can imagine security that now requires removing ear decorations regardless of what they are made of. Also if really used for less invasive ID, will wearing earmuffs be cause to think someone is hiding or should we remember that folks get cold. For the sci-fi inclined, bet that a movie will entail cutting off an ear for identification just like past films have involved cutting off fingers and hands to fake an identity.