Court Rules Homeland Security has the Right to Search through Electronics

The Ninth Circuit Court of Appeals has ruled, in United States v. Cotterman, that Homeland Security’s border agents may conduct a forensic examination of mobile phones, laptops, memory cards in cameras, and many other electronics, as long as the border agents have the “reasonable suspicion” to do so. In Cotterman, Howard Cotterman and his wife were driving home to the U.S. from a vacation in Mexico, eventually reaching Lukeville, Arizona, Port of Entry. During the primary inspection, the border agents found a hit on Howard, which indicated that he was a sex offender - he was previously convicted: on two counts of use of a minor in sexual conduct; two counts of lewd and lascivious conduct upon a child; and three counts of child molestation.

Based on Howard's history and the fact that he was potentially involved in child sex tourism, the border agents performed a secondary inspection on him and his wife, and they were told to exit their car, subsequently leaving their belongings behind. The agents searched the vehicle and retrieved two laptops and three digital cameras; upon reviewing these items, it appeared that these devices only contained family and other personal photos, along with other password-protected files. The agents retained the two labtops and one camera for forensic reviews, where a computer program would be used to copy the hard drives of the electronic devices and extract information that was deleted. Upon inspecting the two laptops, the inspector found about hundreds of images of child pornography, stories, and videos depicting children. Based on this evidence, the grand jury indicted Howard Cotterman for various offenses related to child pornography. In his defense, Cotterman argued that the evidence should not have been admitted because it violated his Fourth Amendment protection from warrantless searches.

Before examining the details of the case, the Ninth Circuit Court of Appeals noted that case law in this field is ambiguous, noting that the Supreme Court “has never defined the precise dimensions of a reasonable border search, instead pointing to the necessity of a case-by-case analysis.” In fact, the court in Cotterman cited to U.S. v. Duncan in explaining that "reasonableness, when used in the context of a border search, is incapable of comprehensive definition or of mechanical application.” As a result, the court noted that it must evaluate the totality of the case, rather to the specifics. The court found that although Cotterman’s previous convictions do not support the reasonable suspicion to conduct an extensive forensic search, the border agents’ understanding of the objective facts became the baseline for determining reasonable suspicion. The court determined that it was reasonable for the border agents to have acted the way they did given the fact that Mexico is a country associated with sex tourism and that Cotterman was previously convicted as a sex offender.

It appears that the Ninth Circuit Court of Appeals made its decision in a punative, yet politically and publically popular way; it did not want to let a sex offender go unpunished in light of the amount of child pornography that was found in his possession. Although the court made well rationalized decisions as to why the search was reasonable, the idea that courts should look to the totality of the circumstances for example, it appears that there is still a violation of one’s Fourth Amendment right from warrantless searches. Because the law in this field is vague and fairly new, we should expect more litigation in this area soon and it shouldn’t be a surprise if decisions vary in their outcome and reasoning.

Twitter Answers U.S. Government's Request for User Data 69% of the Time

As technology advances and social media websites continue to develop into a hub for global communication, governments have started to seek user information from these sites. Whether this is unreasonable government surveillance or effective resource management is debatable. Either way, it is inevitable that the government will request information from social media users and it is foreseeable, provided the correct documentation, that social media sites will disclose the information.

Twitter has created a transparency report that unveils to the public and its users the number of times the government is requesting information in order to maintain transparency between its users and the company. Twitter’s second transparency report provided that in the beginning of 2013 they received 1,009 requests for user account information from the government between July to December 2012 and 1858 requests for all of 2012. These numbers convey a sixteen percent increase from the first half of the year to the second half of the year. With eighty-one percent of the requests coming from the United States, there is reason to establish awareness. Approximately sixty percent of the data requested by the U.S. government was via subpoenas versus warrants. Since January 1, 2012 there have also been forty-eight removal requests that the government deemed illegal and 6,646 copyright violations found by the government.

Although governments are continually requesting user information, it is not always granted. Of the 1,009 requests, accounting for 1,433 user’s accounts, Twitter released user information sixty-nine percent of the time. Japan requested the second most, sixty-two times regarding seventy-five users, however Twitter only complied five percent of the time. The U.S. government requested information in three primary forms; subpoenas - sixty percent of the time, court orders - eleven percent of the time, and warrants - nineteen percent of the time. Twitter disclosed that the majority of the subpoenas requested basic subscriber information, such as e-mail address associated to the account and IP logs. Search warrants are typically requesting more detailed disclosure, including tweets and direct messages.

As social media continues to grow, Twitter finds it imperative that it is transparent to users about the government’s requests to attain user information. As the number of inquires continue to grow, it is vital users are cognitive of the government’s actions and aware of the information they are disclosing to internet services in order to act accordingly and properly protect themselves. Although information is being disclosed by Twitter, the transparency report displays that the social media site is clearly doing its due diligence regarding the process. Additionally, it is important that social media users understand that Twitter, as well as other social media websites, have a responsibility to provide its user’s information when presented with official documentation like subpoenas and court orders. As a citizen of the United States, we are fortunate to live in a democracy where we maintain a freedom of speech and expectation of privacy, however if you are participating in suspicious activity take note that social media websites like Twitter and the government will work together in order to establish justice.

Rethinking the Cost and Benefits of Behavioral Targeting

Online behavioral targeting, also known as behavioral advertisement, involves tracking an individual’s online activities for the purpose of delivering tailored services or advertisement to a user. During the 2012 elections, it was revealed that even politicians used behavioral targeting in their campaigns. Online behavioral tracking has been proven to be extremely valuable because not only does it allow interested parties to align their advertisement with what the individual is likely to purchase, it also enables useful features to Internet users such as saving customized personal preferences and settings on the web.

Behavioral targeting has generated a form of service providers called network advertisers, companies that compile and classify expensive consumer profiles and deliver appropriate advertisements to participating websites across their network. Companies generally use “cookies”, amongst other tracking methods, to track consumer activities by associating those activities with a particular computer or electronic device.

Despite the Federal Trade Commission's efforts in setting self-regulatory principles, there is currently no law in the U.S that expressly addresses behavioral targeting. Typically, data that network advertisers collect does not fall under any existing privacy regulations because it does not include any personal identifying information, such as the user’s real name or other identifying information that can tie the user to his/her real identity.

Those who oppose to such act of data collection argue that behavioral targeting constitutes a breach of privacy because it implicates some form of personal information and more importantly, it invades an individual’s “inner identity”. A complete consumer data profile is, in a way, an attempt to replicate the individual’s personality in order to create customized advertisements. Such exploration can be more private and valuable than some aspects of external identity. For instance, the delivery of advertisements may reveal private browsing history such as religious beliefs or sexual orientation to other users of the same electronic device because cookies track the online activities of a device, not of a particular person. In other words, behavioral targeting may lead to not only identify thefts, but also embarrassment, inconvenience, and unfairness.

While many consumers in the U.S remain unaware that their online activities are being tracked, the European Union has heavily promoted Internet privacy awareness. Amongst other regulations, the e-Privacy Directive requires each member of the European Union to legislate the collection, use, and disclosure of personal information. Furthermore, the Directive requires all Internet firms and any other business that process data to obtain informed consent from data protection authority, as well as individuals, before commencing any data collection and processing.

There is an urgent need for the Legislature to find a way to balance data utility and privacy. Don’t you think it is about time that pair of shoes you checked out last week stops following you everywhere?

The Science of Constitutional Rights

Eroding the third trimester standard established in Roe v. Wade in 1973, the Idaho legislature passed the “Pain-Capable Unborn Child Protection Act” in 2011, prohibiting abortions based on neuroscientific findings that pain sentience in fetuses may occur before viability. Roe v. Wade insisted on viability as the critical point where the fetus’s life might outweigh the mother’s right to privacy, but Idaho, along with several other state legislatures, is fighting against the Supreme Court’s standard.

As the basis for the stricter abortion standard, Idaho’s “Pain-Capable Unborn Child Protection Act” cites findings that pain receptors are present throughout “the unborn child’s body no later than sixteen (16) weeks after fertilization” and that “the unborn child reacts to touch” by eight weeks after fertilization. Anti-abortion proponents support the pain-capable fetus protection acts, and former Presidential candidate Mitt Romney has voiced his agreement with such measures: “I will advocate for and support a Pain-Capable Unborn Child Protection Act to protect unborn children who are capable of feeling pain from abortion.”

Unsurprisingly, not everyone is on board with the contraction of abortion rights. In defending an Idaho woman who was arrested for inducing her own abortion and a related suit involving the Pain-Capable Unborn Child Protection Act, attorney Rick Hearn, M.D., questions the government’s use of science to circumscribe the constitutional right to privacy and thus abortion. William Egginton, a philosophy professor and guest columnist for the New York Times, attempts to discern the relationship of pain sentience to personhood for abortion purposes in an entry for the NY Times’s Opinionator blog. Egginton opines that scientific findings are facts that can inform thinking but mere data can neither provide an absolute definition of personhood nor generate an airtight argument for a particular variation of constitutional rights.

Frankly, the Pain-Capable Unborn Child Protection Acts are inconsistent with the standard established by Roe v. Wade. These statutes prioritize the possibility of the fetus’s pain over that of the mother’s right to privacy, a framework the 1973 Supreme Court rejected in favor of valuing the mother’s freedom to choose until viability. Pain sentience is simply not the standard set forth by Roe v. Wade, and the use of pain as a guideline for limits on abortion would greatly limit women’s life choices.

Call Me Maybe? – The Use of Cell Phone Records as an Investigative Technique to Locate and Track Suspects

In 2008, the FBI utilized a novel and innovative way to track a band of bank robbers in Texas – they obtained phone records. These records not only documented over 20 calls made between two of the robbers around the time that the heists occurred, but also revealed the identities of the two men, thus allowing police to make an arrest. The two men were charged with robbery and possession of deadly weapons charges and were eventually convicted.

This case marked the beginning of a trend in the investigative method of cell phone tracking. The ambiguity of many longstanding federal privacy laws allows for debate over whether or not such a method is, in fact, constitutional. The Obama administration has taken the stance that because most Americans have no reasonable expectation of privacy when it comes to their cell phone records, their Fourth Amendment rights are not violated when a phone company subsequently turns over records to police.

On the other hand, many civil liberties groups such as the American Civil Liberties Union argue that allowing warrantless searches of an individual’s cell phone records could open a so-called “Pandora’s Box” regarding privacy limitations (or lack thereof). If cell phones can be tracked without a warrant, can online history, automobile GPS and even social media be trailed by the government as well sans justification?

And for proponents of this novel investigative technique – how far should investigators be allowed to go? Should warrantless searches be limited to retrospective data such as from where and to whom calls have already been placed? Or should law enforcement be privileged to attain up-to-date live information documenting where a cell phone is at any given moment and receive notification when such a device is used? Questions like these are not readily answered in current privacy statutes and have found themselves at the onus of much litigation regarding the issue.

Four years after the Texas case, this issue finds itself before the federal courts yet again, this time in New Orleans. Again the Obama administration is arguing that warrantless tracking of cell phones is entirely constitutional and does not violate any privacy expectations. In fact, federal prosecutors are maintaining that law enforcement should be able to obtain minute-by-minute movements of such devices for up to 60 days at a time as part of an investigative proceeding. Information to be gleaned by such close monitoring, they argue, involves medical treatments, political associations, religious convictions and even potential indiscretions such as adultery.

Advocates of warrantless searches argue that requiring police to obtain a warrant prior to tracking would only serve to hinder law enforcement’s ability to obtain valuable and crucial information relating to investigations of serious crimes. They state that because a cell phone provider stores and records information regarding cell phone location and usage, and because customers voluntarily convey information to their wireless provider by using their cell phone, that customer, upon signing a cell phone contract, has no reasonable expectation of privacy regarding their mobile device. They maintain that as long as law enforcement is able to demonstrate that the cell phone records are relevant and material to an ongoing investigation, no constitutional rights are violated.

On the other hand, individuals who oppose warrantless searches suggest that while tracking for a period of a few weeks might be constitutional, carrying out the period for over two months violates any expectation of privacy cell phone users may have.

While there is much debate in the Senate regarding this issue, with Democrats vetoing required warrants and Republicans introducing pro-warrant legislation, it does not appear as if the issue is soon to reach a resolution. In an age where an individual’s every movement and conversation can sometimes be traced using technology, whether that be through cell phone records, Facebook, Twitter, or otherwise, it seems as if some limits should be placed on the government’s ability to scrutinize every move of the American public. It is hard to believe that an unsuspecting customer using his or her cell phone or updating a status online impliedly renounces the right to privacy, and essentially acquiesces to having every move subject to the investigative techniques of law enforcement.

Court Approves Warrantless Police Surveillance Cameras

Judge William Griesbach ruled that the Drug Enforcement Administration (DEA) was legally permitted to install hidden cameras on rural private property without a warrant. The DEA’s purpose for installing the multiple cameras was to obtain evidence in a large-scale marijuana growing operation. Five Marinette County residents were charged last July with violating federal drugs laws after more 1,000 marijuana plants were discovered. Council for the defendants attempted to have video surveillance excluded from evidence under the Fourth Amendment prohibition of unfair governmental searches and seizures. But the defense’s argument did little to convince Judge Griesbach to not admit the tapes.

The charges were the result of an extensive two-month drug investigation, which culminated in a bust last summer involving over 200 federal and state police. While things are not looking too good for the defendants, one wonders what effects Judge Griesbach’s ruling will have on future criminal investigation and litigation. U.S. Magistrate Judge William Callahan admitted the video evidence on grounds that, “The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.” Judge Callahan cited a 1984 Supreme Court case, Oliver v. United States, in which the court ruled the government’s intrusion on an open area constituted trespass at common law, but did was not “search” protected by the fourth amendment. 466 U.S. 170, 184 (1984).

However, Judge Griesbach’s ruling was contrary to the Supreme Court’s decision last January. In the previous case, the Supreme Court held that installing GPS tracking devices without a warrant violated the Fourth Amendment. The Supreme Court has yet to rule on warrantless cell phone tracking devices but the hot-button issue is currently before the Court. While Judge Griesbach’s ruling will likely not influence the Supreme Court’s upcoming decision, it may have a significant impact on future evidentiary hearings regarding police surveillance.

As stated previously, the use of covert digital surveillance cameras without a warrant is just one of many technological surveillance innovations garnering attention in the courts. Police monitoring evokes legitimate concerns for Fourth Amendment rights but the increasing police surveillance is also a violation of ordinary citizens’ privacy rights. The objectives of the police may be to ensure public well being, but those objectives must be cautious not to strip the public of fundamental rights in the process. As technology advances, the capabilities of police surveillance will expand and the degree of privacy invasion we allow in exchange for peacekeeping purposes remains to be seen.

More Web Surveillance for Government Officials – Where Do We Draw the Line?

The FBI is renewing its request to update and broaden the Communications Assistance for Law Enforcement Act (CALEA), a law initially intended for surveillance of digital telephone networks. The FBI wishes to make the Internet more conducive to wiretapping. If passed, this could lead to less privacy and less security for users.

CALEA was first passed by Congress in 1994, forcing phone companies to rearrange their network architectures to make wiretapping easier. Then in 2005, the FCC announced an expansion of CALEA to include Internet broadband providers and certain VoIP providers.

According to CNET, in May, the FBI requested expansion of this law to include built-in “back doors” for various Internet services, such as e-mail, instant messaging, and social media sites for government surveillance. The FBI also asked that Internet companies not oppose such an amendment. However, the FBI has not been specific in stating how government surveillance is made more difficult by not having easier access to wireless connections, encryption, or social networks.

The Electronic Frontier Foundation (EFF) , a group that opposes this proposed expansion of CALEA, suggests that law enforcement agencies can already access information on the Internet. Also, by having the existing ability to tap cell phones, law enforcement officials already have access to digital data such as e-mails, and locations based off of cell phone signals. Furthermore, Internet companies are already cooperative with law enforcement officials. So why does the FBI wish to make such surveillance even easier?

Doing so would put many values and rights at risk. In looking to amend CALEA, Congress needs to make sure that this expansion would not infringe upon the Fourth Amendment or due process rights of individuals. Furthermore, granting the government easier access to personal data on the Internet would likely provide easier access to hackers and identity thieves. Also, according to the EFF, this type of expansion could lead to limited creativity among programmers and Internet companies who would have to always keep government surveillance at the forefront of their minds.

Furthermore, the EFF makes a great point that CALEA was never intended to provide such surveillance over Internet data. Phone networks are closed systems, whereas the Internet is a wide, open global network. The FCC’s expansion to broadband networks should be enough. This is where we should draw the line in maintaining as much privacy as possible on the Internet.

Facebook finding new ways to Track its Users

The Electronic Privacy Information Center has (EPIC) recently questioned Facebook’s relationship with data marketer, Datalogix. Facebook requested the aid of Datalogix to bolster their advertising strategy. EPIC, however, believes that the U.S. Federal Trade Commission (FTC) should open an investigation on whether the relationship between Facebook and Datalogix complies with the terms of an agreement between Facebook and the FTC made in November 2011.

In the November 2011 settlement with the FTC, Facebook agreed to obtain consent from users before sharing any of their information that would go beyond the scope of what was already established in its privacy policy. This past August, Facebook further agreed that it would get consumer approval before it changes how it shares data, and submit regular audits of its privacy practices for the next 20 years.

The recent partnership with Datalogix, however, has raised concern over whether Facebook will abide by its commitment. Datalogix is linked to Facebook through loyalty cards, which allow it to track user purchases and target advertising campaigns according to the purchases. In addition, the loyalty cards are linked to Facebook accounts, which share information such as email addresses.

Through their relationship, Datalogix will be able to give Facebook and its advertisers information on which ads drove in-store sales. Moreover, the information will provide an indication of which ads Facebook users see and may determine if an item was purchased offline. Although the information provided by Datalogix is based on what ads Facebook users are drawn to, it has also been their practice to share users' personal information to allow advertisers to get a better picture of the potential customer. This data sharing has Facebook users concerned, and may find such tracking as a violation of their privacy.

Facebook has been repeatedly charged by the FTC for sharing information that users believe to be kept private. Although it is not readily apparent whether the relationship with Datalogix will violate the agreement with the FTC, Facebook seems to continually find loopholes to potentially compromise the privacy of its users.

Dis-“Like”-ing the Proposed Revisions to Child Privacy Laws

Mark Zuckerberg’s “liked” pages at the moment probably don’t include the Federal Trade Commission. Recently, Facebook sent a twenty-page letter to the Federal Trade Commission objecting to proposed revisions of the Children’s Online Privacy Protection Act (COPPA), applicable to children under 13 years of age. Facebook asserts that it has no control over sites that incorporate social plug-ins, such as a “like” button, and should not be held liable under the child privacy law.

In her letter, Facebook Chief Privacy Officer of Policy Erin M. Egan argues that Facebook cannot be held liable for the sites using social plug-ins because the “like” button is an “off-the-shelf” product over which Facebook no longer has control. Egan also posits that Facebook’s age verification at sign-up should be sufficient as actual knowledge, pursuant to the Administrative Procedure Act, and holding Facebook liable for failure to check a user’s age when a “like” button is clicked from a third-party website is inconsistent with the Act. In support of her argument, Egan points to Congress’s intent in passing COPPA: “to limit COPPA’s obligations to situations in which ‘personal information [is] collected from a child.’” Furthermore, Egan attacks the proposals to COPPA as a First Amendment violation because social plug-ins such as the “like” button constitute free speech.

Facebook’s latest disagreement with COPPA is merely a part of the ongoing dispute over child privacy laws. As mentioned in the letter, Facebook adamantly insists that the Internet is a valuable learning tool for children, and COPPA can only serve to inhibit that benefit. As Facebook argues, these stricter regulations would certainly raise issues for Facebook and the third-party websites using its social plug-ins by adding a burden of age verification procedures for the plug-ins, perhaps chilling such use of the plug-ins.

Facebook’s constitutional argument is interesting to consider. While the current Supreme Court tends to take an expansive view of First Amendment rights, COPPA as it currently stands has not been ruled unconstitutional. The proposed regulations still allow for the free speech of children under 13 years of age as long as certain procedural requirements are met, and minors have long had First Amendment rights somewhat less than those of a full-fledged adult, so at first blush, it does not seem that the Court would find these proposed revisions to COPPA unconstitutional.

Where You At?: Privacy Concerns with Automated License Plate Readers

Two months have passed since the ACLU and its associates sent a letter under the Freedom of Information Act to the DOJ, DOT, and DHS requesting the government’s automated license plate readers’ (ALPR) records. After little to no response the ACLU of Massachusetts was obligated to file suit against the DOJ and the DHS in federal court on September 25th.

The ACLU’s main concern is focused on why and how the government is using these records in regards to ordinary citizens.

On July 30, the ACLU filed an open-records request, also referred to as a Freedom of Information Act request, asking the government to provide records and information in regards to the ALPR’s uses since January 1, 2006. The demands were by no means “light lifting”; the letter was roughly six pages in length. Yet, most American citizens would have found it justified, especially since the government’s use of ALPRs continues to expand leading to a further invasion of ordinary citizens’ privacy rights.

The ALPRs are small radio sized boxes and are adhered to police cars or other static objects along the roadways. A reader can snap over 1,000 pictures of license plates per minute, while also noting the time, date and location of the vehicle. Once a license plate number is obtained the reader is able to search criminal databases. The device is beneficial for tracking stolen cars, wanted criminals and those with expired registrations, but also records mass amounts ordinary citizens’ information. Thus, the ACLU is alarmed with the amount of information obtained by the readers and how it is being protected and used. The federal agencies' failure to respond to the ACLU’s requests raised even greater concerns and forced the ACLU to seek legal action.

The ALPRs are unfortunately just another form of government surveillance being disputed in the courts. A Wall Street Journal analysis states that the government records information about an ordinary American citizen in 20 different manners a day. But unlike cell phones and online tracking, license plates do not have an off button and chances are if you're driving around or even parked at Kwiki Mart, the federal government knows this and has your daily activities on file. Clearly this raises Fourteenth Amendment privacy concerns specifically in regards to ordinary citizens whose privacy freedoms are not diminished by a criminal record.

Furthermore, the expense of surveillance technology, including the ALPRs has diminished throughout the years, to the extent that even private entities have invested in the devices. Many are also concerned as whether or not the current databases are safe from hackers. Considering the massive amount of information ALPRs record on daily basis what would happen if they were hacked or information was leaked? Forget the government watching your every move. What about criminals, stalkers or your mom?!

The underlying focus of the ACLU is to learn what the federal government is doing with all this information. It is easy to assume that the ALPRs can or soon will be combined with speed detectors and other video surveillance. Could this mean traffic tickets will soon be sent and received in the mail? The influx on most district or traffic courts would be astronomical, as if these courts are not already busy enough.

Lastly, could this information be used as evidence in trial cases, and if so, how accurate is the information? Most of photographs are only of the license plate and do not include the passengers, car make, or model. Hopefully, the ACLU’s recent legal actions will soon shed some light on ALPRs and how they may be infringing on our privacy rights.

Latest Regulatory Filings Reveal Mixed Results in Addressing Cyber Threats

Photo entitled "Cyber AttacK" by Marsmet501 on Flickr

Companies submitted their first 10-Q quarterly filings since the SEC issued guidance on reporting cyber issues. A Reuters review of over 2,000 filings revealed varying degrees of effort to follow the SEC’s guidance.

Issued in October, the Division of Corporate Finance’s CF Disclosure Guidance emphasized the importance of disclosing information about the risks and impacts of cyber incidents, considering among other things, the history of attacks as well as future threats and costs. Investor perception and materiality played important roles within the guidelines for public companies making the determination to release cyber threat information.

Most companies addressed cyber risks in a general sense using boilerplate language but others, including known hacking victims, did not address the issue at all. Among the notable companies to not even report cyber risks as generic threats to business were major defense contractors including Lockheed Martin Corp., Mantech International Corp., and CACI International Corp. All three corporations have been targeted in sophisticated cyber attacks.

Yet other companies were more transparent and disclosed details of cyber incidents and related threats. Internet security provider VeriSign Inc. and credit card and debit card transaction processor VeriFone Systems Inc., submitted threat details after suffering major breaches in 2010. While some companies made good faith efforts to address the SEC’s cyber concerns these attempts were by no means indicative of all public filings for the most recent quarter.

Upon initial review, most companies made some attempt to follow the SEC’s October guidelines. However, using standard terminology to address generic cyber threats is probably not what the SEC would consider ideal compliance. Such attempts do not improve corporate transparency nor do they aid investors and business partners in making thorough investment decisions.

Some experts anticipate that public companies will make better efforts to address cyber threats in their upcoming annual filings and disclose more information regarding successful hacking attempts. Others feel the guidance does not contain enough specificity and plan to watch the SEC closely as it responds to this most recent round of filings. However, most experts agree that while the disclosure is not a new concern, companies are slowly moving toward increasing transparency and acknowledge that the process will take time to develop.

Facebook and the State of Washington Join Forces in Fighting Online Spam

Photo titled "Dislike" by Charlotte Road on Flickr

For the first time since the enactment of the federal CAN-SPAM Act, a state government and a private company joined forces in protecting consumers from spammers/scammers. On January 26, 2012, Facebook and the State of Washington filed two separate lawsuits against internet marketing company Adscend Media, alleging violations of the anti-spam law. Specifically, they claimed that Adscend Media tricked Facebook users into clicking deceptive links that appeared as recommendations from their friends. These deceptive links led users to disclose their personal information, direct them to advertising sites, and continued the cycle of spreading spam to their friends.

The CAN-SPAM Act was enacted by Congress in 2003, aiming to protect consumers from unsolicited commercial email. It requires that all commercial electronic mail must clearly and conspicuously identify the message as an ad in the subject line, clearly and conspicuously disclose to the recipient an opt-out right to not receive future emails in the text body, and cease transmission of commercial emails within 10 days of recipient of the opt-out request. The Act also establishes tough penalties of up to $16,000 for each separate email, it also grants the government and private parties the right to bring civil and criminal action against violators.

The Act covers all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Courts have interpreted “electronic mail message” broadly, reasoning that such a broad interpretation is consistent with Congress’ intent to curtail the number of misleading commercial messages that overburden the infrastructure of the internet. In Myspace v. Wallace and Myspace v. the Globe.com, Inc., the Central District Court of California defined an electronic mail message as a message deliverable to a unique electronic mail address. An electronic mail address is a form of electronic communications, including a traditional email address, inbox, and other alternative forms. A message posted on a Facebook wall, news feed, or home page is an electronic mail message.

The Act grants a limited right to a private party (namely internet access service providers) to bring a civil action against alleged offenders in federal court. In order to have standing to bring such action, an internet access service provider must show an adverse effect by the violation of the Act. “An adverse effect” can be a very high standard in some jurisdictions, requiring an actual harm from specific messages, rather than a general harm from receiving messages. Despite the limited private right and high standard of proving an adverse effect, more and more private entities enjoy the success against spammers. For example, Facebook has been awarded millions of dollars in judgments under the CAN-SPAM Act since 2008, including a $873.3 million judgment against a Canadian-based site for illegally using Facebook user’s log-in information to distribute spam, and a $711 million judgment against “spam king” Sanford Wallace for fraudulently gaining access to Facebook accounts and using them to send spam throughout the Facebook network.

States have the right to bring a civil action on behalf of their residents if they reasonably believe that the interests of their residents has been or is threatened or adversely affected by commercial email senders. States can either seek to enjoin future violations, or recover monetary damage. The bar for the later is much higher than the former. A state must prove that an alleged offender had actual or implied knowledge for the alleged unlawful conduct in order to recover monetary damage which is not required in an enjoinment action.

In the current joint action against Adscend Media, it is likely that both Facebook and the State of Washington have a good chance of winning. Under the broad interpretations promulgated by the courts, messages Adscend Media sent to Facebook users were electronic messages because they reached destinations receivable by Facebook users. These messages were fraudulent, as they were not recommended by Facebook users’ friends as their outward appearance would suggest. The messages were deceptive and intended to direct unsuspecting Facebook users to third party commercial sites so as to obtain the user’s personal information. Facebook suffered damages because its rights were violated. The interests of citizens of Washington State were compromised because they were tricked into disclosing personal information and pay for unwanted subscription services through spam. Adscend Media’s alleged unlawful conduct is not likely unintentional, if their actual or implied knowledge can be proven. It is not only likely to pay damages to Facebook, but also to Facebook’s users in the Washington.

IP Kidnapping

Photo titled: "Obama propone penas de cárcel obligatorias con un mínimo de tres años para los hackers" by jediadame on Flickr

On February 6th, 2012, CNET.com confirmed that the Internet security giant Symantec offered to pay a hacker or hacker group $50,000 for a promise to not release its valuable security code on the Internet. Specifically, CNET reports that beginning in early January of this year, a hacker known as “Yamatough” reached out to Symantec in an extortion attempt. Yamatough claimed to be part of the “Anoymous” hacker group that has attracted headlines in recent months, both for their attack on local, state, and federal government websites and its support of the Occupy Movement.

The object at issue is Symantec’s source code. Source code is the text written using the format and syntax of the programming language (computer language) that is specifically designed to facilitate the specific program it supports. Source code is significant because it is useful to a user, programmer, or system administrator to better understand how a program works, or more importantly, modify the program. Symantec identified the source code as that for Symantex Endpoint and Symantec Antivirus 10.2. Evidence at the time suggests that the hacker(s) may have obtained the code after breaking into servers run by Indian military intelligence.

Although Symantec publicly stated that its customers have no significant security threats due to this situation, a rational person would of course be worried. Although Symantec can and most likely has adapted its programs to this security threat, there is great reason for alarm. The source code obtained by the hackers can give them extra knowledge of Symantec projects and procedures, along with the ability to manipulate the code to best serve their interests. In addition, and perhaps most important, the threat to expose the source code to the Internet as a whole exponentially increases this risk because there will likely be no way to track the source code once it is released.

In fact, as of approximately 9:00 p.m. on February 6th, 2012, a 1.2 GB filed labeled “Symantec’s pcAnywhere Leaked Source Code” has appeared on The Pirate Bay, a large bit-torrent file sharing site. Symantec has not yet confirmed whether this is the source code at issue. What does this mean for your average attorney? Basically, its time to add another area of concern for attorneys, along with issues such as conflicts of interests, fiduciary duties, and professional responsibilities. If an Internet security giant is breached in this manner, then it may be time for attorneys, who are entrusted with confidential and sensitive personal and professional information, to be even more careful with this type of data. As technology becomes a more crucial part of an attorney’s arsenal of tools, events like this remind the profession why some times, having a simple lock and key safe may be the better bet in protecting a client’s information.

Google’s New Master Privacy Policy

Photo titled: "Scary Google with Sauron Eyes" by dullhunk on flickr

Google, Inc. announced their new “master privacy policy” earlier this week, which will take effect on March 1, 2012. The new policy will replace 60 different privacy policies currently in place. Google’s goal of implementing the new policy is as follows; “Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.”

One of the major changes stemming from the new policy is the relationship of the user to all of Google’s products. A user will be treated as a single user. Now information will be shared across Google products, including YouTube, Picasa, Calendar, and Gmail. Under the current policy, information is maintained by each individual Google produce, rather than consolidated. By sharing information across multiple products, Google has the ability to offer more innovative features for users, customize ads, and compete with Facebook.

Eight House lawmakers already reacted to Google’s updated policy by writing a letter to Google Chief Executive, Larry Page, requesting a response by mid-February. The lawmakers, which consist of 5 Democrats and 3 Republicans, requested more information about the policy mainly regarding the collection and storage of information. Their main concern stems from a user’s ability to opt out of data collection. The lawmaker’s wrote, “Google's announcement raises questions about whether consumers can opt-out of the new data sharing system either globally or on a product-by-product basis."

Betsy Masiello, the company policy manager, responded to the letter on a blog post. She said, the company looks “forward to answering those questions, and clearing up some of the misconceptions about our privacy policies.”

A lot of the criticism stems from a lack of understanding of what information Google is currently able to obtain, and what they are going to be obtaining in the future. The information Google can access has not changed, however their process for handling the information has. In Google’s 2005 privacy policy, the company states, “We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience, and to improve the quality of our services.”

Users should be aware of the new effective privacy policy to understand what type of data Google is capturing. Check out the new privacy policy below:

Google Privacy Policy, available at https://www.google.com/policies/privacy/preview

Carrier IQ – Has someone violated the Electronic Communications Privacy Act?

Photo Titled "Completely Taped" by Byung Kyu Park available on Flickr

141 Million handsets have a software program deployed on them which purports to only collect network diagnostic information for mobile phone service carriers. However, this software program is secretly running because is not easy for an average mobile phone user to see the program running on their phone because it does not appear as a “running application” on the applications list. Nor is there a clear disclosure of what data is being collected by the application, or a way to easily opt out of the application running on the mobile device. Nor is there any easy way to stop it from running on the Android phones. On November 28, 2011 Trevor Eckhart uploaded a seventeen minute video (shown above) exposing the extent of the data being captured by Carrier IQ, an application that mobile phone providers and/or carriers install on mobile phones. The video shows an Android developer searching his phone for privacy policy disclosures, and not finding any privacy disclosures related to the Carrier IQ program, he proceeds to show the type of data that is logged by Carrier IQ onto the phone’s debug log. For example, each time he presses a key that key press is logged, even when he enters information into a web page over his own local WiFi connection and the session is protected with SSL (which is an encrypted means of communicating between a client and host and forms the backbone of all secure communication over the Internet; as a standard and all data transferred within an SSL connection should be encrypted and protected after the SSL handshake). As of January 25, 2012, Eckhart’s video received over 1.9 Million views on YouTube.

In response, Carrier IQ sent Eckhart a letter threatening legal action unless he retracted his research, characterizing his analysis and posting of privacy policies as a breach of copyright which could expose him to an excess of $150,000 in damages. In response, Eckhart reached out to the E.F.F., who agreed to represent him; Carrier IQ has since backed off from its legal action and apologized for the cease and desist letter. The question remains now – has Carrier IQ, or the mobile phone manufacturers, or the mobile service carriers violated the E.C.P.A. by secretly running a software program on the mobile phones?

The Electronic Communications Privacy Act (E.C.P.A., 18 U.S.C.A. § 2510) was enacted to expand the scope of the Wiretap Act (which was focused on the interception of voice communication) to protect data transferred by computers. Title I of the Act protects messages that are in transit, and Title II of the Act protects messages that are in storage on a device. Within the E.C.P.A., it is unlawful for a person to distribute “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” (18 U.S.C.A. § 2512(1)(a)). However carriers do have an exception, where under the normal course of their business in maintaining their communication systems, they can use devices to intercept wire communications.

Senator Al Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has requested more information regarding what data is being collected and where the data is being sent. Depending on the type of data that is actually collected and sent to the carriers, they may be able to claim that they were operating within their normal course of business in maintaining the stability of the wireless networks. A criminal or civil case under the E.C.P.A. may not be a guaranteed success in a court of law. However, the public surprise of the extent of data being captured, and the lack of notice and control that users are able to exercise over how much activity is being tracked has already made the carriers and Carrier IQ losers in the court of public opinion.

Carrier IQ: Cell Phone Data Snooping Revealed

Photo by: sam_churchill 

Earlier this week, a 25-year old security researcher named Trevor Eckhart posted a YouTube video detailing a program called “HTC IQ Agent” that was installed on his cell phone. Trevor showed that the program was recording every action taken on his phone, including key presses, text messages, and passwords - and then transmitting this data directly to the offices of the company Carrier IQ. The program started automatically with the phone, ran in the background, and could not be turned off. It wasn’t a virus, nor was it installed by an outside vendor; it came pre-installed on his phone.

The revelation that a company was extensively tracking cell phone users actions lit off a firestorm of controversy. Numerous technology blogs decried Carrier IQ's actions. Carrier IQ soon threatened Mr. Eckhard with legal action, but then apologized after Mr. Eckhard sought the protection of the Electronic Frontier Foundation.

In its defense, Carrier IQ claims that all of the recorded data transmitted is anonymous. The company provides a valuable service to many U.S. cell phone carriers, who contract with Carrier IQ to provide specialized diagnostic, trending, and troubleshooting data for the devices on their network. The issue is the sheer volume and depth of data being recorded, which seems unnecessary for purely diagnostic or reporting purposes.

Whenever I accept a terms of service or license agreement on a website, I assume that I'm giving up all of my rights related to content and privacy. However, even in this digital age, I still consider my right of privacy to extend to my personal belongings; the information in my wallet, my documents, and even information stored on my cellphone. As cellphones have become more powerful and increasingly connected, they have become personal organizers. My calendar, contact list, Christmas shopping ideas, and other personal information are all stored on my cellphone. Given that I've tapped all this information into my cell phone at some point, it is likely that this information is also now stored somewhere on Carrier IQ's servers.

So far, Carrier IQ software has been found on both Android and iOS cell phones for several U.S. carriers. Many guides and how-to documents have been posted with instructions on how to disable the software. The Senate has even gotten involved, giving Carrier IQ until December 14th to address privacy concerns. In addition, it's possible that Carrier IQ has violated federal wiretapping statutes, and already there are rumblings of class action lawsuits.

It's also quite possible that this story has been overblown. Many journalists have noted that the data stored are purely anonymized metrics that carriers use to improve their service, ultimately benefiting consumers. There is no evidence that personal, identifying information has been used in an improper manner. However, given the amount and type of data being recorded, I am uncomfortable with any company having this information on their servers. A line has been crossed, and thanks to Trevor Eckhart, the world knows.

A Step Towards Anonymous Browsing on Mobile Devices

Photo by: jeffschuler 

As Americans we “get” our right to privacy through provisions of the 1st, 4th and 14th amendments. We have the 1st amendment right to free assembly, the 4th amendment right be free from unwarranted search and seizure and the 14th amendment right to due process. Through these provisions the Supreme Court has addressed and upheld birth control rights, abortion rights, marriage rights, and child rearing rights among other issues related to privacy.

With the surge of people using the Internet over the past 2 decades, from children to college students to baby boomers, there is endless amounts of personal information on the internet, some of it intentionally put there and some of it not intentionally publicized. It is harder to maintain ones privacy in this world of instant Facebook access and oversharing on Twitter. Adding to this dilemma is the advent of the smart phone, from Iphones to Blackberries, you can now remotely upload a picture to Facebook, you can browse the Internet on the train, and update your blog while out to dinner.

Using these devices can leave the user or others vulnerable to their privacy being invaded. Not only can others access public Facebook profiles and see content that 3rd parties in pictures or mentioned may not be aware of, but websites track browsing and respond with ads and suggestions, not to mention the dangerous problems of phishing, hacking and identity theft. For example Google scans emails and then advertises for things mentioned in “personal” emails. Anyone with access to your computer or device can check your history and see where you have been poking around on the Internet.

This week, Apple approved the use of an application that will now be offered in the App Store. This Covert Browser for Ipad will allow users to confidentially browse the Internet (a similar App is also available for the Iphone). Although there are kinks to be worked out, you can purchase the peace of mind of “completely” anonymous web browsing for just $2.99. The Covert Browser is a much more secure way to browse than other secure networks. The technology behind the application is Tor. Tor triple encrypts data and routes it through three computers whereas other secure browsing only route through one computer, leaving users vulnerable to the companies responsible for the routing. The Apple endorsed application is a much needed move towards privacy for mobile devices.

Carrier IQ, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act

Image titled Android Virus by Charliesalima

In the same week that Facebook settled its dispute with the Federal Trade Commission (“FTC”) over allegedly deceiving consumers about its privacy practices, an Android developer, Trevor Eckhart, discovered that Android phones run software that logs keystrokes and hides its presence on the phone. The discovery of Carrier IQ (CIQ) software embedded in the Android (and over the following days, other smartphones) raises legal questions that might expose both smartphone vendors and customers to liability.

The Electronic Communications Privacy Act, 18 U.S.C. 2510 et. seq. (2006)(ECPA) expanded the Federal Wiretap Act to prohibit interception of electronic communications through any “system affecting interstate or foreign commerce” without the consent of at least one of the parties to the communication. The Digital Millennium Copyright Act prohibits circumvention of effective measures designed to prevent unauthorized access to copyrighted material. 17 U.S.C.A. 1201 (2006).

Much of the analysis of Carrier IQ misunderstands the ECPA, so some discussion of what the ECPA does and does not cover is in order. The ECPA has been interpreted to allow keystroke logging which intercepted signals sent between the keyboard and the computer, because until an email or other message is actually sent, the computer is not “a system affecting interstate or foreign commerce.” U.S. v. Ropp, 347 F. Supp. 2d 831(C.D. Cal. 2004). The bulk of CIQ’s spying does not violate the ECPA. As Eckhart noted in his criticism of CIQ, when he dialed a phone number, the software logged the number before he made the call. Some states may have privacy laws prohibiting CIQ’s conduct, and certain consumers may have other claims (e.g. copyright infringement if any of their emails or texts contained material they owned a copyright to), but the ECPA does not prohibit keylogging.

Other portions of CIQ’s data collection may violate the ECPA. CIQ apparently also intercepts incoming text messages and emails. Incoming messages satisfy the “affecting interstate or foreign commerce” standard. Whether the manufacturers or carriers who installed CIQ violated the ECPA would then depend on whether they had valid contracts which allowed them to intercept their customers’ messages, a factual question specific to each carrier. Carriers’ recent panicked statements to the media indicate that most do not, as carriers have generally claimed either that they do not collect the data Carrier IQ collects, or that they only collect some less offensive subset of it. Carriers have put themselves in a precarious position by making such assertions, which smartphone manufacturers claim are false. The claim that a carrier does not collect data is only believable if the carrier does not include a data collection provision in its contracts, or includes the provision in a manner designed to keep consumers from recognizing or understanding it. Carriers who try to avoid bad publicity now may find themselves estopped from asserting a contract defense to ECPA claims in a later lawsuit.

A lawsuit may be the only option consumers have. Self-help is available to copyright owners in many scenarios, but is denied to people who want to protect their privacy from their wireless carrier. CIQ cannot be turned off through normal means, at least on the phone Eckhart tested. It can be defeated by hacking the phone. However, because CIQ is protected by digital rights management (DRM) software, consumer attempts to turn CIQ off may violate the DMCA.

In 2010, the Librarian of Congress used its powers under the DMCA to create an exemption for “jailbreaking” smartphone handsets. However, the exemption only applies when the jailbreaking is for purposes of interoperability, offering consumers no hope for protecting their privacy.

The DRM technology in use does not need to be strong to make circumventing it illegal. In spite of the word “effective” in the statute, courts have held that the DMCA also prohibits circumvention of ineffective measures designed to protect copyrighted material, because effective measures don’t need legal restrictions on circumvention and the word “effective” would be mere surplusage if it didn’t also cover ineffective measures. See Universal City Studios v. Reimerdes, 111 F. Supp. 273 F.3d 429 (2d Cir. 2001). The DMCA applies even when no copyright is violated, and it carries criminal penalties.

The DMCA leaves customers of carriers who use CIQ no other option but to accept violations of their privacy, find a carrier which does not use CIQ, or sue. Given the number of misleading press releases put out by carriers in the last few days and the frequent use of adhesion contracts that lock customers in to long periods of service, option 2 may not be so easy. While the case for ECPA violations is not as strong as some have asserted, it is still viable, and may be consumers’ only hope.

A Christmas Gift is Waiting for You at the Airport…

Photo by: Mashable Tech

The Transportation Security Administration (TSA) has got a new toy for you if you travel this holiday season – new software that will not reveal anything under your clothes except for weapons. This is a relief for the vast majority of people who were concerned about not only their privacy at the airport, but their safety and health.

There are two main full body scanners that you will likely see at the airport: the millimeter wave scanner and the backscatter x-ray. The former produces only “millimeter” waves instead of x-rays and therefore is not strong enough to produce a genotoxic effect likely to cause cancer. On the other hand the x-ray scanner’s safety has not been proven but it’s known that x-rays in general are high frequency devices that damage DNA in cells and can eventually be cancer causing.

In addition to safety concerns, members of the public allege that the full body scanners violate their right to privacy when their nude image appears on a screen for all to see. However, in July of 2011, the United States Court of Appeals for the District of Columbia ruled that the scanners do not violate the Fourth Amendment’s protection against unreasonable searches. Furthermore, to calm the fears of many, the TSA will finally utilize software this holiday season which produces a generic nude image of passengers but at the same time, retain the scanners’ ability to reveal concealed weapons and other contraband. The new software will also prevent future leaks of nude images that were leaked in 2010 before generic images were produced.

Are these uneconomical efforts to decrease the public’s concern worth it or are they creating unnecessary problems stemming from legal and safety concerns? Well, the reality is that the U.S. is concerned about preventing terrorist attacks that have occurred in the past. It was shown that less sophisticated scanners will not reveal small weapons.

Given the added security that the country needs, a balancing of all interests shows that the millimeter and backscatter x-ray scanners should be used. The millimeter wave scanner was proven to be safe because it produces very small waves. The backscatter x-ray scanner may be harmful but passengers pass through the scanners infrequently for a very short amount of time and therefore any negative effect will likely be negligible. The new software will assure passengers that a personally identifiable nude image will not be produced so privacy concerns should decrease.

Most importantly, the United States’ need to be vigilant and protect against weapons entering airplanes is paramount. To this point, the TSA found an alternative way, less invasive to travelers, which reveals dangerous weapons. Any negative effect on health will be virtually non-existent.

If you still are not convinced, just think: You are seated on an airplane and you are ready to take-off. Imagine that no one on the airplane passed through a full body scanner . . . how safe would you feel?

Supreme Court Set to Hear Arguments on GPS Tracking Devices in United States v. Jones

Photo courtesy of Sho Hashimoto on Flickr

On November 8th, the Supreme Court will hear arguments in what the New York Times has described as, “the most important Fourth Amendment case in a decade.” United States v. Jones is on appeal from the D.C. Circuit, and considers the issue of whether law enforcement can install and subsequently monitor a GPS tracking device on a suspect’s car without first obtaining a warrant. The Supreme Court was inclined to grant certiorari following a decision by the D.C. Circuit that the police violated defendant Jones’s Fourth Amendment rights, a clear split from other circuit courts which have heard the issue.

The case is essentially the next step in a pair of decisions handed down by the Court in 1983 and 1984, United States v. Knotts and United States v. Karo, respectively. In Knotts and Karo the Supreme Court ruled that monitoring a beeper tracking device attached to a suspect’s car was not a Fourth Amendment violation. The Court’s decision stemmed from the fact that one could not have a reasonable expectation of privacy in their public movements, because the police could have essentially conducted the same surveillance without the aid of the tracking device. Defendant’s which have attempted to distinguish themselves from the Knotts and Karo decisions have focused on dicta in Knotts, explaining that the issue could be reconsidered when twenty-four hour surveillance encompassing dragnet-type law enforcement was being conducted. The circuit courts which considered the GPS issue prior to the D.C. Circuit all found that law enforcement did not use GPS tracking devices in a volume to be distinguished based on the language in Knotts.

In the D.C. case, the circuit court took an alternate approach. Instead of considering the amount of people being investigated with GPS tracking devices, the court determined that the Knotts court was actually referring to the length of the surveillance. The court found that the vast technological differences between GPS and beepers enabled the police to conduct surveillance for a much longer period of time and in greater detail. Beepers require the police to follow a suspect’s car and only give the relative distance that the police are from the suspect. GPS on the other hand, is able to map a suspect’s movement without any police involvement. The D.C. Circuit relied on a mosaic theory, essentially finding that the sum of the information provided by GPS was greater than the amount of information the suspect intended to convey through his public movements.

Despite the rulings in Knotts and Karo, the Supreme Court should distinguish GPS technology from the beeper technology used in those cases. Without a warrant, police are free to conduct GPS surveillance on whomever they please, without making any showing of suspicion. In beeper technology cases, law enforcement were still limited as to how they could conduct surveillance. Beepers required police to still be an active part of the investigation because they had to follow the electronic beeps emitted by the device. Besides the initial investigation, police can monitor GPS passively. This, combined with the falling cost of GPS, means that police can monitor a greater number of people than traditional or beeper technology would allow, going beyond the capabilities of surveillance the public reasonably expects.