Regulating data collection

Many cell phone apps collect personal data from owners, unbeknownst to the user.  Some app manufacturers store the data, or even release it to advertisers.  This has attracted the attention of lawmakers.

On February 1, the Federal Trade Commission released a staff report, containing recommendations for smartphone manufacturers, app designers and advertisers regarding the collection and use of personal information.  Describing the data collection potential of smartphones as “unprecedented”, the FTC has issued these recommendations in response to widespread concern regarding the expansive and sometimes opaque data collected by their smartphones and third party app producers.  The report recommends that apps seek express consent before accessing “sensitive” data, like geolocation information, and that greater transparency be programmed in, so that users know and can easily determine what information is being collected and when it is being transmitted to a third party.  It also suggests that smartphones offer users a “do not track” feature.  The report is not binding, but its suggestions are considered likely to be highly persuasive to the big players in the cell phone market like Google and Apple.

Companies risk running afoul of the FTC if they access users’ personal information in a misleading fashion.  Last week, the FTC settled an action against the makers of a social networking app, “Path”, which it alleged had misled users about the data it would gain access to.  In particular, Path had accessed users’ phone contacts, regardless of whether they had expressly requested this.  This left consumers with “no meaningful choice” about what information would be collected.  Ars Technica later reported that other social networking app developers are engaging in similar activities.  The incident attracted the attention of the House Energy & Commerce Committee, which sought responses from various app makers regarding their approach to user privacy.

In 2011, New Jersey prosecutors considered criminal charges against app developers over similar activity (transmission of user information to third parties without consent).  App makers, including the makers of the internet radio app, Pandora, reported receiving grand jury subpoenas in relation to potential charges under the Computer Fraud and Abuse Act, also used to prosecute hackers and, notoriously, Aaron Schwartz (Schwartz’s prosecution for downloading the JSTOR database of academic articles without authorization attracted criticism, and led to complaints that the Act is too broad).  Such charges frame the app makers’ access to user data as a form of unauthorized access to a computer, thus falling within the terms of the CFAA.

Cellphone searches incident to arrest

When police place an individual under arrest, they are permitted to conduct a full search of the individual’s person, without a warrant, to look for weapons and preserve evidence.  This search authority includes the ability to search within “containers” the person is carrying, such as a cigarette packet inside a pocket (U.S. v. Robinson).

The so-called “search incident to arrest” doctrine has been relied upon by police to justify searching an arrestee’s cellphone.  These searches are not uncommon — according to Adam Gershowitz, by 2010 over 40 courts nationwide had been asked to assess the constitutionality of cell phone searches incident to arrest.  The argument for lawfulness relies on an analogy to physical containers.  Prior to the cellphone era, courts held that a pager could be searched by police upon its owner’s arrest, as it was no different from a purse or address book, which could also be lawfully searched (U.S. v Chan 830 F. Supp. 531 (N.D. Cal., 1993) and the cases which followed it).

The Supreme Court has not ruled on whether a warrantless cell phone search can be justified under the search incident to arrest doctrine.  But reviews of the caselaw conducted by Junichi Semitsu and Adam Gershowitz conclude that the majority of courts having considered the question found that warrantless searches of cell phones could be upheld on this basis.  For example, in U.S. v. Finley, the Fifth Circuit held that a search of Finley’s cellphone following his arrest for selling drugs to a police officer was justifiable on the basis of the container cases.

But there is division within the judiciary on this point, with a minority of courts rejecting the container analogy.  The Ohio Supreme Court concluded that warrantless cellphone searches could not be analogized to container searches, because cell phones contain intangible data, not physical objects, and do so on a scale which is incomparable to a physical container (State v. Smith).  A District Court judge in California also rejected the analogy, finding that a cellphone contained such a large amount of evidence that it was conceptually closer to a large container which was within the arrestee’s control, but not on their person (U.S. v. Park).

Further, if the police interaction with a suspect does not result in an arrest, a cellphone search is unlikely to be permissible.  In United States v. Zavala, the Fifth Circuit held that a pat-down search conducted during a Terry stop (also known as a “stop and frisk”) did not include the right to search the suspect’s cell phone.  Officers performing a Terry stop are only permitted to engage in a protective search for weapons or contraband, and not a search for evidence such as is contained on a cellphone.

Locking a cellphone using a passcode appears unlikely to put it beyond the reach of law enforcement personnel.  Gershowitz concludes that there is no legal impediment to police seeking to gain access to a passcode-protected phone by guessing or cracking the passcode, provided this is reasonably contemporaneous with arrest.  And from a practical standpoint, officers may have the technical capacity before long to gain access to phone data without knowing the passcode at all.  As the ACLU argued in 2011, it appears that some state police have purchased “forensic cellphone analyzers”, which enable extraction of a range of data (photos, text messages, contacts, and more), even if the phone passcode is not known.

Cellphones in vehicles

A further question arises regarding the lawfulness of police searching cellphones left in vehicles.  According to Supreme Court caselaw, if police have probable cause to search a vehicle, they are lawfully able to look inside containers within the vehicle for the object of their search (California v. Acevedo), even if that container belongs to someone other than the owner of the vehicle (Wyoming v. Houghton).  However, if the object of the search is a physical thing (e.g., drugs or weapons), this could not justify searching a cellphone.

In certain circumstances, the search incident to arrest doctrine, discussed above, can also be relied upon to allow police to search the vehicle occupied by the arrestee at the time of their arrest.  In Arizona v. Gant, decided in 2009, the Supreme Court held that police may conduct a search of the vehicle’s passenger compartment if the suspect is unsecured and could reach into the vehicle to grab something.  Alternatively, if the suspect has been secured (most commonly, using handcuffs), a search of the vehicle is permissible if it is reasonable to believe it contains evidence relevant to the crime which led to the arrest.  Junichi Semitsu argued in 2012 that, in the majority of post-Gant cellphone searches which have been challenged and upheld, the state relied on the Gant rule.

The Court of Appeals for the Fifth Circuit also held in Zavala that the accused’s consent to search his vehicle did not include consent to search his cellphone, which had been removed from him when he was stopped and placed on the roof of the vehicle.  It was not objectively reasonable for the officer to conclude that the consent granted extended to the cellphone.

Where law enforcement searches and data privacy coincide

If the weight of authority comes to be the settled law, there are many circumstances in which law enforcement may lawfully search smartphone without a warrant.  And thanks to the under-regulated and often opaque data collection practices of smartphone companies, what they find in their search may be more expansive than many users realise.

Further, as Junichi Semitsu explains, certain smartphone apps do more than just reveal the contents of the device to the user.  Some, like the Facebook app, also allow the user to access content stored on a server, with no signal to the user regarding which form of content is being observed.  This greatly expands the information to which police can gain access through a warrantless search (information which they would otherwise require a subpoena to obtain).  But, as Semitsu discusses, this distinction has not persuaded courts that the analogy with a “container” is inapt.

Along with apps collecting and storing more data, there are user-driven transformations to information storage taking place.  As the use of cloud storage expands, smartphone users are increasingly using apps like Evernote, Dropbox and Instapaper, along with OS-integrated facilities like iCloud, to synchronize information across multiple devices.  This means that in addition to having the user’s smartphone data at their fingertips, law enforcement personnel may have access to data from the user’s other devices as well.

The expansion of cloud computing has caused the Senate Judiciary Committee to reconsider the scope of the Electronic Communications Privacy Act of 1986 (which regulates law enforcement access to electronic records stored by third parties); perhaps the time has come for reconsideration of warrantless smartphone searches on the same grounds.  Far from being mere “containers,” these devices encapsulate more information than the search-incident-to arrest doctrine could ever have envisaged.

The Federal Bureau of Investigation (FBI) has announced that it will use Facial Recognition Technology in its Next Generation Identification (NGI) system. The system, which will eventually serve as an upgrade to the current Integrated Automated Fingerprint Identification System (IAFIS), will use security footage from public cameras to identify suspects and people of interest across the country. IAFIS contains only fingerprint information, while the NGI system can store information about a person’s voice, iris, and facial biometrics. The program is currently being tested in certain areas, using photographs drawn from law enforcement databases. When the system is rolled out in full scope in 2014, the FBI will provide facial recognition software to law enforcement agencies nationwide.

For this technology to work effectively as an identifying mechanism, a large database of faceprints must exist, against which images captured by the camera could then be compared.  These faceprints will need to have already been matched with a name. A criminal database is an obvious initial source for this, but it has limited reach. To grow its faceprint database, the NGI program could draw from non-criminal government photograph databases such as those maintained by a state’s Department of Motor Vehicles, U.S. Citizenship and Immigration Services, or even privately held databases that are maintained by social networking websites. Often, photographs in these databases will be connected to a person’s real-name identity, and the originators may not hold exclusive rights to the photographs, making the database accessible to law enforcement. While no law directly protects people’s interests in their faceprints, the acquisition of faceprints without a warrant may implicate the subjects’ Fourth Amendment right to be “secure in their persons…against unreasonable searches and seizures.”

Fourth Amendment Implications

No court has yet explicitly recognized Fourth Amendment protection of faceprints. The Supreme Court has recognized, however, that other biometric data is constitutionally protected. In Davis v. Mississippi (394 U.S. 721 (1969)), defendant Davis was held without a warrant or probable cause during the course a rape investigation. During this time, defendant’s fingerprints were taken by authorities, and were matched to a set of fingerprints found at the scene of the crime. The evidence of the match was used at trial, and defendant was convicted of rape. Davis appealed, alleging that the acquisition of the fingerprints was the result of an unreasonable search and seizure. The Supreme Court agreed, stating that fingerprints could not be collected without a warrant. Like possessions taken from a person, the fingerprints bear “evidentiary value which the public authorities have caused an arrested person to yield.”

Some guidance is provided by Skinner v. Railway Labor Executives Ass’n (489 U.S. 602 (1989)), in which labor organizations challenged the drug testing procedures used by their employers. The challenged procedures included collection of blood and urine. The court found such procedures, without warrant or probable cause, to violate the Fourth Amendment, citing “concerns about bodily integrity.” While such concerns differ from those that arise in the use of facial recognition technology, Skinner is indicative of the notion that the Fourth Amendment includes some protection against using evidence that was drawn from the a person’s own body to convict him or her.

Most recent is United States v. Jones (132 S.Ct. 945 (2012)), in which authorities planted a tracking device on defendant’s car. The court found that tracking the defendant’s public movements through a Global Positioning System unit violated the Fourth Amendment. Similarly, matching a faceprint to an image captured by a public camera in order to track a person’s location at a given time may violate these protections.

Together, these cases imply that the warrantless collection and use of faceprints by law enforcement is unlikely to overcome the hurdle of the Fourth Amendment. As the use of facial recognition technology becomes more prevalent and faceprints gain prominence as a form of biometric identification, that theory is likely to be put to the test.

While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection.  When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files.  Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes.  Law enforcement agencies argue that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator.  The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage.

Those in favor of the government’s right to access such information would argue that one does not have a reasonable expectation of privacy once they turn over the information to a third party.  However, is this how individuals and corporations think of the issue when storing information on the cloud?  While most people would likely acknowledge that there is a set of privacy concerns associated with cloud storage, these concerns generally stem from the fact that the information is being stored on the internet and the third party to which the information is turned over may not be trustworthy.  A reasonable expectation of privacy in email was acknowledged in a recent Sixth Circuit decision, US v. Warshak (2010), but it remains to be seen how this will impact the law in the area.

The main statutory provision which protects wire, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA).  Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage.  The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are wildly out of sync with much of the computer activity which occurs today.  Take, for example, the fact that Email can be accessed by the government without a warrant if it has been left on a server for more than 180 days.  When the law was passed, Email was generally downloaded.  Therefore, the law considered email which remained on a server for more than 6 months to be abandoned.  Today, however, email is regularly kept and stored on servers, yet the law still considers email left on a server abandoned and allows law enforcement to access it without a warrant.  This leads to POP and IMAP email services to be treated asymmetrically.

An organization called Digital Due Process (a coalition of many of today’s most prominent internet companies) has laid out its major principles for bringing the ECPA up to date with today’s computing needs.  These principles include required use of warrants in order for government entities to require that private information from entities covered by the ECPA be turned over, and requirement that more particularized evidence be provider in order for governmental entities to receive subpoenas.  Senator Patrick Leahy has introduced a bill in the Senate which corresponds with many of these ideas.

While these reforms are necessary to align the law with the current state of the internet they are unlikely to be implemented any time soon. The major roadblocks to enacting this change come from the law enforcement and the cloud computing industry itself.  Obviously law enforcement wishes to continue the practices in which they currently take part and want investigative procedures to remain as simple and quiet as possible. At the same time, the cloud computing industry is caught in a tough position.  On the one hand cloud computing providers want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services.  However, the cloud providers want to continue to access individuals data for their own informational purposes (see Amazon terms of service regarding consumer files, particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.

The facts of the case, In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, are as follows. The government served a subpoena duces tecum on the suspect (“Doe”), compelling him to produce the unecrypted contents located on the hard drives of his laptop computers and five external hard drives. In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, No. 11-12268, 2012 WL 579433, at *1 (11th Cir. Feb. 23, 2012). Doe refused to comply with the subpoena, instead invoking his Fifth Amendment right against self-incrimination. Id. The U.S. Attorney applied to the district court for an order that would grant Doe immunity and require him to respond to the subpoena. Id. The district court rejected Doe’s explanations, judged him to be in contempt of court, and ordered him incarcerated. Id.

On appeal, the 11th Circuit arrived at two overall conclusions. First, [the district court] erred in concluding that Doe’s act of decryption and production would not constitute testimony. Second, in granting Doe immunity, it erred in limiting its immunity, under 18 U.S.C. §§ 6002 and 6003, to the Government’s use of his act of decryption and production, but allowing the Government derivative use of the evidence such act disclosed. Id. at 3. I will be focusing on the first issue—the issue of “whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact.” Id. at 4.

The Court stated that there were two ways for the government to avoid implicating the Fifth Amendment right. First, Doe’s decryption and production of the hard drives would have to be a physical act, not a testimonial act that “requires the use of the contents of his mind.” Second, the government would have to already know what is inside the drives. The government would only be asking Doe to produce the decrypted drives; the knowledge of what is inside would have only been a foregone conclusion. However, the Court held that the government failed in satisfying either of these methods. The Court stated that it reached its holding for this issue by concluding that “(1) Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.” Id. at 8.

While the Court’s analysis mostly seems correct, I have a few problems with some parts of the analysis. First, regarding the distinction between a physical act and a testimonial act, the Court lists some implied factual statements that determine whether or not Doe’s decryption and production of the hard drives would be testimonial. The Court states that “the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt those files.” Id. The latter two factors can certainly be classified as making the use of one’s mind, but I would argue that the first factor should not be involved if Doe were to decrypt and produce the hard drives. By producing the decrypted hard drives, Doe would be showing that he had possession, control, and access to the hard drives, and he would also be showing that he had the ability to decrypt the files. In regards to the first factor, however, Doe would not necessarily be showing that he had knowledge of the existence and location of potentially incriminating files. The government basically just needs the decryption passwords so it can access the encrypted partitions inside the hard drives.

Second, the Court uses a useful analogy in comparing Doe’s situation to surrendering a combination as opposed to surrendering a key; however, I believe that the Court’s analogy should focus on a different point. The Court believes that producing a key is a physical act while producing a combination is a testimonial act that requires use of the contents of one’s mind. The Court analogized Doe’s situation to producing a combination, saying that “[r]equiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because [it demands] the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory.” Id. To further explain its point, the Court referred to the Supreme Court’s explanation of this distinction in U.S. v. Hubbell:

“The assembly of those documents was like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox . . . The Government’s anemic view of respondent’s act of production as a mere physical act that is principally nontestimonial in character and can be entirely divorced from its “implicit” testimonial aspect so as to constitute a “legitimate, wholly independent source” . . . for the documents produced simply fails to account for these realities.” U.S. v. Hubbell, 530 U.S. 27, 43 (2000).

My problem with the Court’s analysis here is that I believe the focus should simply be on whether or not implied factual statements are involved or not. A key vs. combination analogy seems to wrongly focus on a physical production of a key as opposed to a mental production of a combination, and whether there are implied factual statements seems to be an additional factor to consider when that should be the primary factor.

Putting this proposal into action, if compelling the production of a key or combination to some kind of safe ends up involving implied factual statements, then such an act of production would be testimonial. For instance, in this case, the key factor is whether or not the government actually knows that Doe has “knowledge of the combination”—for instance, whether Doe has the decryption passwords for the hard drives. If the government is not sure whether or not the suspect has knowledge of the combination, then the act of production should qualify as a testimonial act because such an act would be accompanied by the implied factual statement that the suspect knew the combination (e.g., a decryption password in this case). However, if the government knows that the suspect knows the combination, then producing the combination should qualify as a physical nontestimonial act. This would be functionally similar to asking a suspect to produce a key—there is no accompanying implied factual statement, and the combination would essentially be acting as a “key.”

Under this proposed focus, then, it is the fact that the government does not know for sure whether or not Doe has “the combination to the safe” that makes Doe’s decryption and production of the hard drives testimonial—producing the decrypted hard drives would bring in the implied factual statement that Doe knew the decryption passwords. In conclusion, the focus should simply be on whether or not implied factual statements are involved or not; this key point better fulfills the purpose behind the standard of “requiring the use of the contents of one’s mind.”