Regulating data collection

Many cell phone apps collect personal data from owners, unbeknownst to the user.  Some app manufacturers store the data, or even release it to advertisers.  This has attracted the attention of lawmakers.

On February 1, the Federal Trade Commission released a staff report, containing recommendations for smartphone manufacturers, app designers and advertisers regarding the collection and use of personal information.  Describing the data collection potential of smartphones as “unprecedented”, the FTC has issued these recommendations in response to widespread concern regarding the expansive and sometimes opaque data collected by their smartphones and third party app producers.  The report recommends that apps seek express consent before accessing “sensitive” data, like geolocation information, and that greater transparency be programmed in, so that users know and can easily determine what information is being collected and when it is being transmitted to a third party.  It also suggests that smartphones offer users a “do not track” feature.  The report is not binding, but its suggestions are considered likely to be highly persuasive to the big players in the cell phone market like Google and Apple.

Companies risk running afoul of the FTC if they access users’ personal information in a misleading fashion.  Last week, the FTC settled an action against the makers of a social networking app, “Path”, which it alleged had misled users about the data it would gain access to.  In particular, Path had accessed users’ phone contacts, regardless of whether they had expressly requested this.  This left consumers with “no meaningful choice” about what information would be collected.  Ars Technica later reported that other social networking app developers are engaging in similar activities.  The incident attracted the attention of the House Energy & Commerce Committee, which sought responses from various app makers regarding their approach to user privacy.

In 2011, New Jersey prosecutors considered criminal charges against app developers over similar activity (transmission of user information to third parties without consent).  App makers, including the makers of the internet radio app, Pandora, reported receiving grand jury subpoenas in relation to potential charges under the Computer Fraud and Abuse Act, also used to prosecute hackers and, notoriously, Aaron Schwartz (Schwartz’s prosecution for downloading the JSTOR database of academic articles without authorization attracted criticism, and led to complaints that the Act is too broad).  Such charges frame the app makers’ access to user data as a form of unauthorized access to a computer, thus falling within the terms of the CFAA.

Cellphone searches incident to arrest

When police place an individual under arrest, they are permitted to conduct a full search of the individual’s person, without a warrant, to look for weapons and preserve evidence.  This search authority includes the ability to search within “containers” the person is carrying, such as a cigarette packet inside a pocket (U.S. v. Robinson).

The so-called “search incident to arrest” doctrine has been relied upon by police to justify searching an arrestee’s cellphone.  These searches are not uncommon — according to Adam Gershowitz, by 2010 over 40 courts nationwide had been asked to assess the constitutionality of cell phone searches incident to arrest.  The argument for lawfulness relies on an analogy to physical containers.  Prior to the cellphone era, courts held that a pager could be searched by police upon its owner’s arrest, as it was no different from a purse or address book, which could also be lawfully searched (U.S. v Chan 830 F. Supp. 531 (N.D. Cal., 1993) and the cases which followed it).

The Supreme Court has not ruled on whether a warrantless cell phone search can be justified under the search incident to arrest doctrine.  But reviews of the caselaw conducted by Junichi Semitsu and Adam Gershowitz conclude that the majority of courts having considered the question found that warrantless searches of cell phones could be upheld on this basis.  For example, in U.S. v. Finley, the Fifth Circuit held that a search of Finley’s cellphone following his arrest for selling drugs to a police officer was justifiable on the basis of the container cases.

But there is division within the judiciary on this point, with a minority of courts rejecting the container analogy.  The Ohio Supreme Court concluded that warrantless cellphone searches could not be analogized to container searches, because cell phones contain intangible data, not physical objects, and do so on a scale which is incomparable to a physical container (State v. Smith).  A District Court judge in California also rejected the analogy, finding that a cellphone contained such a large amount of evidence that it was conceptually closer to a large container which was within the arrestee’s control, but not on their person (U.S. v. Park).

Further, if the police interaction with a suspect does not result in an arrest, a cellphone search is unlikely to be permissible.  In United States v. Zavala, the Fifth Circuit held that a pat-down search conducted during a Terry stop (also known as a “stop and frisk”) did not include the right to search the suspect’s cell phone.  Officers performing a Terry stop are only permitted to engage in a protective search for weapons or contraband, and not a search for evidence such as is contained on a cellphone.

Locking a cellphone using a passcode appears unlikely to put it beyond the reach of law enforcement personnel.  Gershowitz concludes that there is no legal impediment to police seeking to gain access to a passcode-protected phone by guessing or cracking the passcode, provided this is reasonably contemporaneous with arrest.  And from a practical standpoint, officers may have the technical capacity before long to gain access to phone data without knowing the passcode at all.  As the ACLU argued in 2011, it appears that some state police have purchased “forensic cellphone analyzers”, which enable extraction of a range of data (photos, text messages, contacts, and more), even if the phone passcode is not known.

Cellphones in vehicles

A further question arises regarding the lawfulness of police searching cellphones left in vehicles.  According to Supreme Court caselaw, if police have probable cause to search a vehicle, they are lawfully able to look inside containers within the vehicle for the object of their search (California v. Acevedo), even if that container belongs to someone other than the owner of the vehicle (Wyoming v. Houghton).  However, if the object of the search is a physical thing (e.g., drugs or weapons), this could not justify searching a cellphone.

In certain circumstances, the search incident to arrest doctrine, discussed above, can also be relied upon to allow police to search the vehicle occupied by the arrestee at the time of their arrest.  In Arizona v. Gant, decided in 2009, the Supreme Court held that police may conduct a search of the vehicle’s passenger compartment if the suspect is unsecured and could reach into the vehicle to grab something.  Alternatively, if the suspect has been secured (most commonly, using handcuffs), a search of the vehicle is permissible if it is reasonable to believe it contains evidence relevant to the crime which led to the arrest.  Junichi Semitsu argued in 2012 that, in the majority of post-Gant cellphone searches which have been challenged and upheld, the state relied on the Gant rule.

The Court of Appeals for the Fifth Circuit also held in Zavala that the accused’s consent to search his vehicle did not include consent to search his cellphone, which had been removed from him when he was stopped and placed on the roof of the vehicle.  It was not objectively reasonable for the officer to conclude that the consent granted extended to the cellphone.

Where law enforcement searches and data privacy coincide

If the weight of authority comes to be the settled law, there are many circumstances in which law enforcement may lawfully search smartphone without a warrant.  And thanks to the under-regulated and often opaque data collection practices of smartphone companies, what they find in their search may be more expansive than many users realise.

Further, as Junichi Semitsu explains, certain smartphone apps do more than just reveal the contents of the device to the user.  Some, like the Facebook app, also allow the user to access content stored on a server, with no signal to the user regarding which form of content is being observed.  This greatly expands the information to which police can gain access through a warrantless search (information which they would otherwise require a subpoena to obtain).  But, as Semitsu discusses, this distinction has not persuaded courts that the analogy with a “container” is inapt.

Along with apps collecting and storing more data, there are user-driven transformations to information storage taking place.  As the use of cloud storage expands, smartphone users are increasingly using apps like Evernote, Dropbox and Instapaper, along with OS-integrated facilities like iCloud, to synchronize information across multiple devices.  This means that in addition to having the user’s smartphone data at their fingertips, law enforcement personnel may have access to data from the user’s other devices as well.

The expansion of cloud computing has caused the Senate Judiciary Committee to reconsider the scope of the Electronic Communications Privacy Act of 1986 (which regulates law enforcement access to electronic records stored by third parties); perhaps the time has come for reconsideration of warrantless smartphone searches on the same grounds.  Far from being mere “containers,” these devices encapsulate more information than the search-incident-to arrest doctrine could ever have envisaged.

Last month, Apple suffered a defeat in its global IP-war with Samsung over its Galaxy Tab tablet computer:  the UK Court of Appeal upheld the High Court’s ruling that Samsung’s Galaxy Tab did not infringe Apple’s European Community registered design.  The Court of Appeal also affirmed the High Court’s publicity order, which required Apple to post a link its UK homepage to a statement explaining that the Galaxy Tab does not infringe Apple’s design rights.  A notice soon went up on the Apple homepage, but not without raising some eyebrows.  All of the text required by the order (regarding the High Court and Court of Appeal’s rulings on infringement) appeared, but so did some extra words.  Apple had added to the statement (1) some carefully selected words from the judgment of the High Court (remarking on the qualities of the Apple design and noting that the Samsung design is “not as cool”); and (2) references to rulings in Apple’s favour in the US and Germany.  This week, the parties were back before the Court of Appeal on Samsung’s motion.  The Court was not impressed.  Apple’s edited notice was reportedly described as a ‘clear breach’ of the Court’s order, which the Court was ‘at a loss’ to understand, and the company was given 48 hours to remove and replace the notice.  In a further rebuff, the Court declined Apple’s request for 14 days to amend the notice, disbelieving counsel’s assertion that this period of time was required in the absence of an affidavit from Apple’s senior management.

An additional wrinkle in the Court of Appeal’s judgment revolves around the multi-jurisdictional enforcement of European Community IP rights.  As Bird & Bird point out, a significant factor in the Court’s decision (see [83]) to affirm the High Court’s publicity order was the existence of a contradictory injunction made by the German Oberlandesgericht (Court of Appeal), which purported to prohibit the sale of Galaxy Tabs across Europe.  The German order was made after the UK High Court’s decision, in respect of the identical legal question, and brought the Oberlandesgericht in for some sharp criticism from the Court of Appeal: “[i]f courts around Europe simply say they do not agree with each other and give inconsistent decisions, Europe will be the poorer” (at [63]).  While the reasons for the inconsistency are unknown, the decision points to the complexities associated with administering regional IP rights, in the absence of a regional forum for the settlement of disputes.

Technology v. The Fourth Amendment

Two recent Fourth Amendment decisions provide interesting examples of the difficult questions posed for Fourth Amendment jurisprudence by the expansion of technology-driven law enforcement practices.

The first case comes from rural Wisconsin.  The defendants sought to suppress video evidence obtained by DEA agents, who installed surveillance cameras without a warrant on private land that was being used by the defendants to grow marijuana.  The land was fenced in and said to have been marked with ‘no trespassing’ signs.  The Supreme Court earlier held in Oliver v. United States, 466 U.S. 170 (1984) that the Fourth Amendment does not protect against searches of ‘open fields’, so that officers can lawfully search outside the area immediately surrounding the home (the “curtilage”) without a warrant, regardless of whether they commit a trespass in doing so.  According to media reports, the United States District Court for the Eastern District of Wisconsin this week refused the defendants’ motion to suppress the video, adopting the recommendation of a US Magistrate Judge.  The Magistrate Judge recommended suppression not occur because officers are permitted to enter and observe open fields, so long as they stay out of the curtilage of the home, and video showed only those areas.  Although the agents in this case installed surveillance equipment, which did not occur in Oliver, it should not be distinguished because “the Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.”  Further, the Magistrate Judge explained, if the privacy-oriented analysis of the Supreme Court in United States v. Jones, 132 S. Ct. 945 (2012) is applied, the result is the same as there is no legitimate expectation of privacy in an open field.  Some commentators reacted negatively to the ruling, with Ars Technica arguing that it is “an absurdity” to determine the legality of electronic surveillance by extrapolating from the legality of a human officer making the same observations.

The second case arose in an application by the Government for access to a ‘cell tower dump’.  The Government sought access to all telephone numbers and all other subscriber information for calls processed at particular cell phone towers during a relevant period of time.  The Magistrate Judge rejected the government’s application, applying authority (currently before the 5th Circuit on appeal) which held that the Fourth Amendment prohibits warrantless searches of cell tower data.  As Orin Kerr noted, the Magistrate Judge also expressed concern about the seeming lack of technological understanding of the Government’s lawyer, and the Government’s lack of any protocol for dealing with the information it obtained about innocent third parties.  But as Techdirt points out, technology is available which allows the Government to obtain cell phone data without accessing the information held by cell phone towers.

MegaUpdate

MegaUpload, the file-sharing site dramatically shut down by the US Attorney’s office earlier this year, is set to return.  The site’s founder, Kim DotCom has announced he will be launching a new cloud storage service, Me.ga, to be hosted on servers in Gabon.  The new service, according to DotCom, will rely on user-held encryption keys, giving users greater control over their content, and protecting the site’s administrators from liability.  A few days earlier, court filings in one user’s application to recover data from MegaUpload’s downed servers indicated that system’s users would not be given access to their data lightly.  In its response to the user’s motion for return of property (i.e., his data), the Government submitted that the user’s ownership of the copyright in his data would not be sufficient to establish a property interest in copies of that data stored on the seized MegaUpload servers.  For this and other reasons, it sought a separate hearing on the issue of whether the user had even a prima facie interest in the property he sought to recover.  The Government’s stance was interpreted as presenting a significant hurdle to data recovery for former MegaUpload users.

Hurricane Sandy

The Columbia Science & Technology Law Review sends its thoughts and best wishes to all those affected by Hurricane Sandy this week.  Many parts of New York City are setting out on what will be a long road to complete recovery.

Meanwhile, Manhattan lawyers discovered during the hurricane that even widespread power outages can’t stop the supply of legal services.  On the science front, our counterparts at the Columbia Earth Institute point to the questions Sandy poses for climate change, infrastructure management, and building design, some of which will likely confront courts and legislators in the years to come.