Every lover of liberty and the Constitution should be offended by the moniker “Privacy Bill of Rights” appended to regulatory legislation Senators John Kerry (D-MA) and John McCain (R-AZ) introduced yesterday. As C|Net’s Declan McCullagh points out, the legislation exempts the federal government and law enforcement:
[T]he measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.
The real “Privacy Bill of Rights” is in the Bill of Rights. It’s the Fourth Amendment.
It takes a lot of gall to put the moniker “Privacy Bill of Rights” on legislation that reduces liberty in the information economy while the Fourth Amendment remains tattered and threadbare. Nevermind “reasonable expectations”: the people’s right to be secure against unreasonable searches and seizures is worn down to the nub.
Senators Kerry and McCain should look into the privacy consequences of the Internal Revenue Code. How is privacy going to fare under Obamacare? How is the Department of Homeland Security doing with its privacy efforts? What is an “administrative search”?
McCullagh was good enough to quote yours truly on the new effort from Sens. Kerry and McCain: “If they want to lead on the privacy issue, they’ll lead by getting the federal government’s house in order.”
The smartphone is arguably one of the most empowering and revolutionary technologies of the modern era. By putting the processing power of a personal computer and the speed of a broadband connection into a device that fits in a pocket, smartphones have revolutionized how we communicate, travel, learn, game, shop, and more.
Yet smartphones have an oft-overlooked downside: when they end up in the wrong hands, they offer overreaching agents of the state, thieves, hackers, and other wrongdoers an unparalleled avenue for uncovering and abusing the volumes of sensitive personal information we increasingly store on our mobile phones.
Over on Ars Technica, I have a long feature story that examines the constitutional and technical issues surrounding police searches of mobile phones:
Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz
(PDF)
, holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.California’s opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it’s not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest. In this article, we will discuss the rationale for allowing police to conduct warrantless searches of arrestees, your right to remain silent during police interrogation, and the state of mobile phone security.
Continue reading →
If you store sensitive files on your personal computer which law enforcement authorities wish to examine, they generally cannot do so without first obtaining a search warrant based upon probable cause
. But what if you store personal information online—say, in your Gmail account, or on Dropbox? What if you’re a business owner who uses Salesforce CRM or Windows Azure? How secure is your data from unwarranted governmental access?
Both the U.S. Senate and the House of Representatives are investigating these crucial questions in two separate hearings this week. Congress hasn’t overhauled the privacy laws governing law enforcement access to information stored with remote service providers since 1986. The Electronic Communications Privacy Act (ECPA), the key federal law governing electronic privacy, has grown increasingly out of touch with reality as technology has evolved and Americans have grown increasingly reliant on cloud services like webmail and social networking. As a result, government can currently compel service providers to disclose the contents of certain types of information stored in the cloud without first obtaining a search warrant or any other court order requiring the scrutiny of a judge.
Thus, the Competitive Enterprise Institute has joined with The Progress & Freedom Foundation, Americans for Tax Reform, Citizens Against Government Waste, and the Center for Financial Privacy and Human Rights in submitting a written statement to the U.S. Senate and House Judiciary Committees urging Congress to reform U.S. electronic privacy laws to better reflect users’ privacy expectations in the information age. The groups also belong to the Digital Due Process coalition, a broad array of public interest organizations, businesses, advocacy groups, and scholars who are working to strengthen U.S. privacy laws while also preserving the building blocks of law enforcement investigations.
Continue reading →
If you have a mobile phone, that’s the upshot of an argument being put forward by the government in a case being argued before the Third Circuit Court of Appeals tomorrow. The case is called In the Matter of the Application of the United States of America For An Order Directing A Provider of Electronic Communication Service To Disclose Records to the Government.
Declan McCullagh reports:
In that case, the Obama administration has argued that Americans enjoy no “reasonable expectation of privacy” in their—or at least their cell phones’—whereabouts. U.S. Department of Justice lawyers say that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls.
The government can maintain this position because of the retrograde “third party doctrine.” That doctrine arose from a pair of cases in the early 1970s in which the Supreme Court found no Fourth Amendment problems when the government required service providers to maintain records about their customers, and later required those service providers to hand the records over to the government.
I wrote about these cases, and the courts’ misunderstanding of privacy since 1967’s
Katz decision, in an American University Law Review article titled “Reforming Fourth Amendment Privacy Doctrine“:
These holdings were never right, but they grow more wrong with each step forward in modern, connected living. Incredibly deep reservoirs of information are constantly collected by third-party service providers today. Cellular telephone networks pinpoint customers’ locations throughout the day through the movement of their phones. Internet service providers maintain copies of huge swaths of the information that crosses their networks, tied to customer identifiers. Search engines maintain logs of searches that can be correlated to specific computers and usually the individuals that use them. Payment systems record each instance of commerce, and the time and place it occurred. The totality of these records are very, very revealing of people’s lives. They are a window onto each individual’s spiritual nature, feelings, and intellect. They reflect each American’s beliefs, thoughts, emotions, and sensations. They ought to be protected, as they are the modern iteration of our “papers and effects.”
This is a case to watch, as it will help determine whether or not your digital life is an open book to government investigators.
Jeff Jonas has published an important post: “Your Movements Speak for Themselves: Space-Time Travel Data is Analytic Super-Food!”
More than you probably realize, your mobile device is a digital sensor, creating records of your whereabouts and movements:
Mobile devices in America are generating something like 600 billion geo-spatially tagged transactions per day. Every call, text message, email and data transfer handled by your mobile device creates a transaction with your space-time coordinate (to roughly 60 meters accuracy if there are three cell towers in range), whether you have GPS or not. Got a Blackberry? Every few minutes, it sends a heartbeat, creating a transaction whether you are using the phone or not. If the device is GPS-enabled and you’re using a location-based service your location is accurate to somewhere between 10 and 30 meters. Using Wi-Fi? It is accurate below 10 meters.
The process of deploying this data to markedly improve our lives is underway. A friend of Jonas’ says that space-time travel data used to reveal traffic tie-ups shaves two to four hours off his commute each week. When it is put to full use, “the world we live in will fundamentally change. Organizations and citizens alike will operate with substantially more efficiency. There will be less carbon emissions, increased longevity, and fewer deaths.”
This progress is not without cost:
Continue reading →
New Jerseyans may get a chance to vote their Fourth Amendment preferences in the upcoming gubernatorial elections. Among the candidates is Chris Christie, who as U.S. Attorney for New Jersey authorized the tracking of suspects’ cell phones without getting a warrant.
Indiana University law professor Fred Cate writes with characteristic thoroughness and organization in his article Government Data Mining: The Need for a Legal Framework, published in the Harvard Civil Rights-Civil Liberties Law Review this summer.
It took me a while to get around to reading it – a little longer to write it up. Don’t make the same mistakes I did! It’s good!
Here’s a snippet from the abstract:
The article describes the extraordinary volume and variety of personal data to which the government has routine access, directly and through industry, and examines the absence of any meaningful limits on that access. So-called privacy statutes are often so outdated and inadequate that they fail to limit the government’s access to our most personal data, or they have been amended in the post-9/11 world to reduce those limits. And the Fourth Amendment, the primary constitutional guarantee of individual privacy, has been interpreted by the Supreme Court to not apply to routine data collection, accessing data from third parties, or sharing data, even if illegally gathered.
Professor Cate spends a good deal of time on the Supreme Court’s pernicious “third party doctrine,” which exempts information shared with a third party (think of ISPs, banks, etc.) from Fourth Amendment protection. This rule was bad when it was written and it grows worse and worse as we move our lives further and further online.
Oh, there are details from the paper I would have treated differently. He mistakenly says the 9/11 terrorists used false ID. (Fraudulently gotten, yes. False identities, no.) And he omits the Federal Agency Data Mining Reporting Act of 2007, passed as §804 of the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110-53). But these are trivial issues with a paper that is excellent overall.
Poking around among the Internets to confirm this and that detail, I found this post saying that Professor Cate authored much of a recent report called “Protecting Individual Privacy in the Struggle Against Terrorists.” It’s also very good stuff.
Fred Cate, people!
One of the bright lights.
Frankly, I don’t expect the scholars, lawyers, and judges who have been steeping in traditional Fourth Amendment doctrine their entire careers to get the thesis of my recent American University Law Review article. But you can! And, eventually, if I do enough work, they will.
Here are some highlights from the introduction to “Reforming Fourth Amendment Privacy Doctrine“:
Since 1967, the Supreme Court and lower courts have relied too heavily on an unreliable test that arose from the leading Fourth Amendment case, Katz v. United States. Distracted by Justice Harlan’s concurrence in the case and befuddled by the concept of “privacy,” courts have ignored the simple rule of the actual holding in Katz and conditioned Fourth Amendment rights on surmises about privacy “expectations.”
Privacy is a real thing that need not be a matter of conjecture. The
Katz Court held that personal information was protected by the Fourth Amendment because, as a factual matter, the defendant had kept it private. Installing a wiretap to overcome Katz’s use of law and physics to conceal information was unreasonable without a warrant. The Court did not base its holding on open-ended “expectations” or “reasonableness,” as Justice Harlan’s concurrence suggested, but on the affirmative steps Katz took to conceal that information.
. . .
If an individual has secured the privacy of particular information, the Fourth Amendment focuses on the reasonableness of the government’s actions in undoing that privacy, not on the reasonableness of the individual’s expectations.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.