<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Columbia Science and Technology Law Review &#187; Privacy</title>
	<atom:link href="http://www.stlr.org/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.stlr.org</link>
	<description></description>
	<lastBuildDate>Mon, 29 Apr 2013 14:21:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.1</generator>
		<item>
		<title>There’s No App For That: Smartphone Data Privacy and Law Enforcement Searches</title>
		<link>http://www.stlr.org/2013/02/there%e2%80%99s-no-app-for-that-smartphone-data-privacy-and-law-enforcement-searches/</link>
		<comments>http://www.stlr.org/2013/02/there%e2%80%99s-no-app-for-that-smartphone-data-privacy-and-law-enforcement-searches/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 14:33:53 +0000</pubDate>
		<dc:creator>Sharyn Broomhead</dc:creator>
				<category><![CDATA[Constitutional Law]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Technology Regulation]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=2020</guid>
		<description><![CDATA[Smartphones have become repositories for vast amounts of personal information.  As their functionality grows, users store more and more of their details in their smartphone, from friends’ phone numbers, diary entries, photos, and messages, to shopping lists, bank details, and travel plans.  At the same time, phone manufacturers and app designers silently gather data on [...]]]></description>
			<content:encoded><![CDATA[<p>Smartphones have become repositories for vast amounts of personal information.  As their functionality grows, users store more and more of their details in their smartphone, from friends’ phone numbers, diary entries, photos, and messages, to shopping lists, bank details, and travel plans.  At the same time, phone manufacturers and app designers silently gather data on users’ movements, browsing habits and passwords.  The resulting bounty of data is extremely convenient for users, but also makes smartphones attractive targets for corporate marketers and law enforcement alike.</p>
<p>&nbsp;</p>
<p><strong>Regulating data collection</strong></p>
<p>Many cell phone apps collect personal data from owners, unbeknownst to the user.  Some app manufacturers store the data, or even <a href="http://blogs.wsj.com/wtk-mobile/">release it to advertisers</a>.  This has attracted the attention of lawmakers.</p>
<p>On February 1, the Federal Trade Commission released a <a href="http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm">staff report</a>, containing recommendations for smartphone manufacturers, app designers and advertisers regarding the collection and use of personal information.  Describing the data collection potential of smartphones as “unprecedented”, the FTC has issued these recommendations in response to widespread concern regarding the expansive and sometimes opaque data collected by smartphones and third-party app producers.  The report recommends that apps seek express consent before accessing “sensitive” data, like geolocation information, and that greater transparency be programmed in, so that users know and can easily determine what information is being collected and when it is being transmitted to a third party.  It also suggests that smartphones offer users a “do not track” feature.  The report is not binding, but its suggestions are <a href="http://www.nytimes.com/2013/02/02/technology/ftc-suggests-do-not-track-feature-for-mobile-software-and-apps.html?_r=0">considered</a> likely to be highly persuasive to the big players in the cell phone market like Google and Apple.</p>
<p>Companies risk running afoul of the FTC if they access users’ personal information in a misleading fashion.  Last week, the FTC <a href="http://www.ftc.gov/opa/2013/02/path.shtm">settled</a> an action against the makers of a social networking app, “Path”, which it alleged had misled users about the data it would gain access to.  In particular, Path had accessed users’ phone contacts, regardless of whether they had expressly requested this.  This left consumers with “no meaningful choice” about what information would be collected.  Ars Technica later <a href="http://arstechnica.com/apple/2012/02/developers-apple-needs-to-overhaul-ios-user-information-security/">reported</a> that other social networking app developers are engaging in similar activities.  The incident attracted the <a href="http://democrats.energycommerce.house.gov/index.php?q=news/ranking-members-waxman-and-butterfield-launch-inquiry-into-information-collection-and-use-pract">attention</a> of the House Energy &amp; Commerce Committee, which sought responses from various app makers regarding their approach to user privacy.</p>
<p>In 2011, New Jersey prosecutors <a href="http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html">considered criminal charges</a> against app developers over similar activity (transmission of user information to third parties without consent).  App makers, including the makers of the internet radio app, Pandora, reported receiving grand jury subpoenas in relation to potential charges under the <a href="http://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a>, also used to prosecute hackers and, notoriously, <a href="http://www.stlr.org/2013/01/the-problem-of-overbroad-technology-legislation/">Aaron Swartz</a> (Swartz’s prosecution for downloading the JSTOR database of academic articles without authorization attracted criticism, and led to complaints that the Act is too broad).  Such charges <a href="http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1659&amp;context=aulr">frame the app makers’ access</a> to user data as a form of unauthorized access to a computer, thus falling within the terms of the CFAA.</p>
<p>&nbsp;</p>
<p><strong>Cellphone searches incident to arrest</strong></p>
<p>When police place an individual under arrest, they are permitted to conduct a full search of the individual’s person, without a warrant, to look for weapons and preserve evidence.  This search authority includes the ability to search within “containers” the person is carrying, such as a cigarette packet inside a pocket (<a href="https://supreme.justia.com/cases/federal/us/414/218/case.html"><em>U.S. v. Robinson</em></a>).</p>
<p>The so-called “search incident to arrest” doctrine has been relied upon by police to justify searching an arrestee’s cellphone.  These searches are not uncommon — according to <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1669403">Adam Gershowitz</a>, by 2010 over 40 courts nationwide had been asked to assess the constitutionality of cell phone searches incident to arrest.  The argument for lawfulness relies on an analogy to physical containers.  Prior to the cellphone era, courts held that a pager could be searched by police upon its owner’s arrest, as it was no different from a purse or address book, which could also be lawfully searched (<em>U.S. v Chan </em>830 F. Supp. 531 (N.D. Cal., 1993) and the cases which followed it).</p>
<p>The Supreme Court has not ruled on whether a warrantless cell phone search can be justified under the search incident to arrest doctrine.  But reviews of the caselaw conducted by <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1903584">Junichi Semitsu</a> and <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1669403">Adam Gershowitz </a>conclude that the majority of courts having considered the question found that warrantless searches of cell phones could be upheld on this basis.  For example, in <a href="http://www.ca5.uscourts.gov/opinions/pub/06/06-50160-CR0.wpd.pdf"><em>U.S. v. Finley</em></a>, the Fifth Circuit held that a search of Finley’s cellphone following his arrest for selling drugs to a police officer was justifiable on the basis of the container cases.</p>
<p>But there is division within the judiciary on this point, with a minority of courts rejecting the container analogy.  The Ohio Supreme Court concluded that warrantless cellphone searches could not be analogized to container searches, because cell phones contain intangible data, not physical objects, and do so on a scale which is incomparable to a physical container (<a href="http://www.sconet.state.oh.us/rod/docs/pdf/0/2009/2009-Ohio-6426.pdf"><em>State v. Smith</em></a>).  A District Court judge in California also rejected the analogy, finding that a cellphone contained such a large amount of evidence that it was conceptually closer to a large container which was within the arrestee’s control, but not on their person (<a href="http://www.briefcase8.com/Parks.pdf"><em>U.S. v. Park</em></a>).</p>
<p>Further, if the police interaction with a suspect does not result in an arrest, a cellphone search is unlikely to be permissible.  In <a href="http://caselaw.findlaw.com/us-5th-circuit/1210674.html"><em>United States v. Zavala</em></a>, the Fifth Circuit held that a pat-down search conducted during a <em>Terry</em> stop (also known as a “stop and frisk”) did not include the right to search the suspect’s cell phone.  Officers performing a <em>Terry</em> stop are only permitted to engage in a protective search for weapons or contraband, and not a search for evidence such as is contained on a cellphone.</p>
<p>Locking a cellphone using a passcode appears unlikely to put it beyond the reach of law enforcement personnel.  <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1669403">Gershowitz</a> concludes that there is no legal impediment to police seeking to gain access to a passcode-protected phone by guessing or cracking the passcode, provided this is reasonably contemporaneous with arrest.  And from a practical standpoint, officers may have the technical capacity before long to gain access to phone data without knowing the passcode at all.  As the ACLU argued in 2011, it <a href="http://arstechnica.com/tech-policy/2011/04/michigan-state-police-we-only-grab-your-cellphone-data-with-a-warrant/">appears</a> that some state police have purchased “forensic cellphone analyzers”, which enable extraction of a range of data (photos, text messages, contacts, and more), even if the phone passcode is not known.</p>
<p>&nbsp;</p>
<p><strong>Cellphones in vehicles</strong></p>
<p>A further question arises regarding the lawfulness of police searching cellphones left in vehicles.  According to Supreme Court caselaw, if police have probable cause to search a vehicle, they are lawfully able to look inside containers within the vehicle for the object of their search (<a href="https://supreme.justia.com/cases/federal/us/500/565/case.html"><em>California v. Acevedo</em></a>), even if that container belongs to someone other than the owner of the vehicle (<a href="https://supreme.justia.com/cases/federal/us/526/295/case.html"><em>Wyoming v. Houghton</em></a>).  However, if the object of the search is a physical thing (e.g., drugs or weapons), this could not justify searching a cellphone.</p>
<p>In certain circumstances, the search incident to arrest doctrine, discussed above, can also be relied upon to allow police to search the vehicle occupied by the arrestee at the time of their arrest.  In <a href="http://www.law.cornell.edu/supct/html/07-542.ZO.html"><em>Arizona v. Gant</em></a>, decided in 2009, the Supreme Court held that police may conduct a search of the vehicle’s passenger compartment if the suspect is unsecured and could reach into the vehicle to grab something.  Alternatively, if the suspect has been secured (most commonly, using handcuffs), a search of the vehicle is permissible if it is reasonable to believe it contains evidence relevant to the crime which led to the arrest.  Junichi Semitsu <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1903584">argued</a> in 2012 that, in the majority of post-<em>Gant</em> cellphone searches which have been challenged and upheld, the state relied on the <em>Gant</em> rule.</p>
<p>The Court of Appeals for the Fifth Circuit also held in <a href="http://caselaw.findlaw.com/us-5th-circuit/1210674.html"><em>Zavala</em></a> that the accused’s consent to search his vehicle did not include consent to search his cellphone, which had been removed from him when he was stopped and placed on the roof of the vehicle.  It was not objectively reasonable for the officer to conclude that the consent granted extended to the cellphone.</p>
<p>&nbsp;</p>
<p><strong>Where law enforcement searches and data privacy coincide</strong></p>
<p>If the weight of authority comes to be the settled law, there are many circumstances in which law enforcement may lawfully search a smartphone without a warrant.  And thanks to the under-regulated and often opaque data collection practices of smartphone companies, what they find in their search may be more expansive than many users realise.</p>
<p>Further, as Junichi Semitsu <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1903584">explains</a>, certain smartphone apps do more than just reveal the contents of the device to the user.  Some, like the Facebook app, also allow the user to access content stored on a server, with no signal to the user regarding which form of content is being observed.  This greatly expands the information to which police can gain access through a warrantless search (information which they would otherwise require a subpoena to obtain).  But, as Semitsu discusses, this distinction has not persuaded courts that the analogy with a “container” is inapt.</p>
<p>Along with apps collecting and storing more data, there are user-driven transformations to information storage taking place.  As the use of cloud storage expands, smartphone users are increasingly using apps like Evernote, Dropbox and Instapaper, along with OS-integrated facilities like iCloud, to synchronize information across multiple devices.  This means that in addition to having the user’s smartphone data at their fingertips, law enforcement personnel may have access to data from the user’s other devices as well.</p>
<p>The expansion of cloud computing has caused the Senate Judiciary Committee to <a href="http://www.huffingtonpost.com/julian-sanchez/a-fourth-amendment-for-th_b_2205145.html">reconsider</a> the scope of the <a href="http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119">Electronic Communications Privacy Act of 1986</a> (which regulates law enforcement access to electronic records stored by third parties); perhaps the time has come for reconsideration of warrantless smartphone searches on the same grounds.  Far from being mere “containers,” these devices encapsulate more information than the search-incident-to-arrest doctrine could ever have envisaged.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2013/02/there%e2%80%99s-no-app-for-that-smartphone-data-privacy-and-law-enforcement-searches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy and the Cloud</title>
		<link>http://www.stlr.org/2012/04/privacy-and-the-cloud/</link>
		<comments>http://www.stlr.org/2012/04/privacy-and-the-cloud/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 14:18:44 +0000</pubDate>
		<dc:creator>Tuvia Peretz</dc:creator>
				<category><![CDATA[Constitutional Law]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1835</guid>
		<description><![CDATA[With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored remotely. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not [...]]]></description>
			<content:encoded><![CDATA[<p>With the increased use of <a href="http://en.wikipedia.org/wiki/Cloud_computing">cloud storage</a> new questions have arisen related to the privacy and confidentiality of files stored remotely. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not adapted to the expanded use of the cloud.</p>
<p>While cloud storage can be an <a href="http://www.datacenterknowledge.com/archives/2008/11/25/cost-savings-as-a-driver-for-cloud-computing/">economical</a> and practical method for storing data and information, use of the cloud may result in reduced privacy protection.  When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files.  Although one may not intuitively view this distinction as significant, there is case law (<a href="http://supreme.justia.com/us/425/435/case.html">US v. Miller (1976)</a>) which allows such information to be treated differently for privacy purposes.  Law enforcement agencies argue that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator.  The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage.</p>
<p>Those in favor of the government’s right to access such information would argue that one does not have a reasonable expectation of privacy once they turn over the information to a third party.  However, is this how individuals and corporations think of the issue when storing information on the cloud?  While most people would likely acknowledge that there is a set of privacy concerns associated with cloud storage, these concerns generally stem from the fact that the information is being stored on the internet and the third party to which the information is turned over may not be trustworthy.  A reasonable expectation of privacy in email was acknowledged in a recent Sixth Circuit decision, <a href="http://en.wikipedia.org/wiki/United_States_v._Warshak">US v. Warshak (2010)</a>, but it remains to be seen how this will impact the law in the area.</p>
<p>The main statutory provision which protects wire, oral, and electronic communications is the <a href="http://www.law.cornell.edu/uscode/18/usc_sup_01_18_10_I_20_119.html">Electronic Communications Privacy Act (ECPA)</a>.  Title II of the ECPA, the <a href="http://www.law.cornell.edu/uscode/18/usc_sup_01_18_10_I_20_121.html">Stored Communications Act (SCA)</a>, protects communications held in electronic storage.  The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are <a href="http://www.pcworld.com/businesscenter/article/192989/why_ecpa_should_make_you_think_twice_about_the_cloud.html">wildly out of sync with much of the computer activity which occurs today</a>.  Take, for example, the fact that email can be accessed by the government without a warrant if it has been left on a server <a href="http://www.law.cornell.edu/uscode/18/usc_sec_18_00002703----000-.html">for more than 180 days</a>.  When the law was passed, email was generally downloaded.  Therefore, the law considered email which remained on a server for more than 6 months to be abandoned.  Today, however, email is regularly kept and stored on servers, yet the law still considers email left on a server abandoned and allows law enforcement to access it without a warrant.  This leads to POP and IMAP email services being treated asymmetrically.</p>
<p>An organization called <a href="http://www.digitaldueprocess.org/index.cfm?objectid=DF652CE0-2552-11DF-B455000C296BA163">Digital Due Process</a> (a coalition of many of today’s most prominent internet companies) has laid out its <a href="http://www.digitaldueprocess.org/index.cfm?objectid=99629E40-2551-11DF-8E02000C296BA163">major principles</a> for bringing the ECPA up to date with today’s computing needs.  These principles include required use of warrants in order for government entities to require that private information from entities covered by the ECPA be turned over, and a requirement that more particularized evidence be provided in order for governmental entities to receive subpoenas.  Senator Patrick Leahy has <a href="http://www.insideprivacy.com/united-states/senator-leahy-proposes-amendments-to-ecpa/">introduced a bill</a> in the Senate which corresponds with many of these ideas.</p>
<p>While these reforms are necessary to align the law with the current state of the internet, they are unlikely to be implemented any time soon. The major roadblocks to enacting this change come from law enforcement and the cloud computing industry itself.  Obviously law enforcement wishes to continue the practices in which they currently take part and want investigative procedures to remain as simple and quiet as possible. At the same time, the cloud computing industry is caught in a tough position.  On the one hand, cloud computing providers want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services.  However, the cloud providers want to continue to access individuals’ data for their own informational purposes (<em>see </em><a href="http://www.amazon.com/gp/help/customer/display.html/ref=hp_rel_topic?ie=UTF8&amp;nodeId=200557360">Amazon terms of service regarding consumer files, particularly 5.2</a>) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2012/04/privacy-and-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safarigate: Benign Behavior or Malignant Breach?</title>
		<link>http://www.stlr.org/2012/02/safarigate-benign-behavior-or-malignant-breach/</link>
		<comments>http://www.stlr.org/2012/02/safarigate-benign-behavior-or-malignant-breach/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 13:49:17 +0000</pubDate>
		<dc:creator>Kristen Lovin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Safari]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1760</guid>
		<description><![CDATA[Last Thursday, the Wall Street Journal reported that Google has purposefully circumvented Safari’s privacy settings, allowing it to track the behavior of users on non-Google sites. These findings contradicted Google’s own instructions as to how users worried about privacy settings could avoid tracking. The report was based off of research at Stanford that had identified [...]]]></description>
			<content:encoded><![CDATA[<p>Last Thursday, the <a href="http://online.wsj.com/article_email/SB10001424052970204880404577225380456599176-lMyQjAxMTAyMDEwNjExNDYyWj.html?mod=wsj_share_email#articleTabs%3Darticle">Wall Street Journal</a> reported that Google has purposefully circumvented Safari’s privacy settings, allowing it to track the behavior of users on non-Google sites. These findings contradicted Google’s own instructions as to how users worried about privacy settings could avoid tracking. The report was based off<br />
of <a href="http://webpolicy.org/2012/02/17/safari-trackers/">research at Stanford</a> that had identified four different advertising companies who utilize known exceptions to Safari’s privacy feature that blocks third-party cookies.</p>
<p>Naturally, the idea that Google wrote code to evade Safari’s privacy settings has not sat well with many. The <a href="https://www.eff.org/deeplinks/2012/02/time-make-amends-google-circumvents-privacy-settings-safari-users">Electronic Freedom Frontier</a> dubbed Google’s actions “just as paternalistic as ad networks” and posited that Google needed a new approach to privacy to “restore [its] users’ trust.” Several <a href="http://www.pcmag.com/article2/0,2817,2400453,00.asp">Congressmen have asked the FTC</a> to investigate whether these actions violate the Google Buzz settlement, which prohibits Google from making “future privacy misrepresentations.” One user has <a href="http://www.washingtonpost.com/business/google-sued-by-safari-user-over-privacy-flap/2012/02/17/gIQAVtazLR_story.html">filed a class action suit</a> against Google, claiming violation of federal wiretapping laws and other computer-related statutes.</p>
<p>Tensions often run high when privacy is threatened. Nevertheless, amidst the outcry, it is important to identify the contours of the threat and know what exactly it is we are upset about.</p>
<p><strong>Circumvention Explained</strong></p>
<p>Apple Inc.’s <a href="http://www.apple.com/safari/">Safari</a> is the only web browser that blocks third-party cookies by default. <a href="http://en.wikipedia.org/wiki/HTTP_cookie">Cookies</a> are essentially helper-files that websites commonly use to store things like user preferences and session information (for example, the state of a shopping cart). When a site contains third-party content (for example, a banner advertisement on your favorite news site), that third party (in our example, the advertising company) can write its own cookie. Third-party advertisers commonly use this feature to record where and for whom their advertisements have been displayed, allowing them to build a history of the sites an individual user visits.</p>
<p>Last September, in an effort to compete with Facebook’s “like” functionality, Google <a href="http://support.google.com/plus/bin/static.py?hl=en&amp;guide=1207011&amp;page=guide.cs&amp;p=sign_up_about_plusones&amp;answer=1047397&amp;rd=1">added a “+1” button</a> to certain Google ads, which Google+ users could click on to indicate they “liked” those ads. However, because Google has set up its services such that Google+ and Google Ads reside on different domains, interfacing between the two required the use of third-party cookies. Because Safari blocks these by default, Google faced the prospect that most Safari users – a sizeable user base – would not be able to use this new feature.</p>
<p>To address this problem, Google exploited a known exception to Safari’s no third-party cookie policy. Safari allows third-party cookies when a user submits an HTML form, so Google created an invisible form, never seen by the user, which it submitted any time the user clicked “+1.” This triggered Safari’s form exception, allowing the creation of third-party cookies by Google Ads. The Stanford study showed that, in practice, Google used this backdoor method to create cookies that not only enabled the “+1 Ads” functionality, but also set up the general Google Ads tracking cookie, which monitors the browsing behavior of users going forward. <a href="http://techcrunch.com/2012/02/17/google-under-fire-for-circumventing-safari-privacy-setting/">Google stated</a> that they “didn’t anticipate that this [(setting up the general Google Ads tracking cookie)] would happen” and that they have “now started removing these advertising cookies from Safari browsers.”</p>
<p><strong>So What Are We Fighting For?</strong></p>
<p>It’s true the technical facts aren’t flattering for Google: its code uses an invisible form to emulate Little Red Riding Hood and gain access to Grandma’s house, exposing the user to whatever tracking Google Ads decides to subject her to.  It’s true that Google’s primary motivation was enabling the “+1” feature for Safari users, but can we really say the end justifies the means in this case?</p>
<p>Still, this begs the question: what is it about Google’s actions that renders them so troubling? Is it the fact that Google can track a user’s browser history? This seems unlikely. Google already tracks search history and <a href="http://epic.org/privacy/gmail/faq.html#1">processes electronic mail information in Gmail</a> – how much more of an invasion can ad tracking be? Moreover, this backdoor is not triggered until a user actually clicks on “+1” – arguably this surveillance involves some kind of consent, albeit uninformed in most cases. Even if we can’t call this consent, enabling tracking involves some affirmative act by the user, and avoiding this is much easier than with search or Gmail.</p>
<p>If, then, it’s not the tracking itself that is particularly disquieting, perhaps the issue goes to some more fundamental idea of respect. By circumventing Safari’s privacy settings to enable the “+1 Ads” feature, one could say that Google ignored the express desires of its users, elevating its own commercial interests over the user’s personal privacy interests. This kind of disregard may be particularly troubling given the relative bargaining power that an individual consumer has against a monolith like Google.  At the same time, however, it may be hard to say that Google was ignoring express interests – blocking third-party cookies is Safari’s default behavior that most users are not aware of. Moreover, as <a href="http://battellemedia.com/archives/2012/02/a-sad-state-of-internet-affairs-the-journal-on-google-apple-and-privacy.php">one blog</a> points out, Safari’s policy may just be a strategic move by Apple to curb the information its competitors can glean from its customers. Viewed in this light, Google’s actions could be understood as commonplace competitive behavior rather than neglect towards individual privacy concerns.</p>
<p>In this case, prudential arguments may bolster the respect rationale. Even if Safari’s default settings were not actual expressions of most users’ real desires, they nonetheless provide the interface through which these preferences can be expressed. Much like a court artificially thinks about Congress as a unified body with “wishes” and “intentions,” it makes sense for Google to treat browser preferences as a real expression of user preferences. Otherwise, it seems unclear what forum users have left. If browser settings are indeed an expression of real user preferences, then, slippery slope arguments counsel against tolerance of any disregard for them. If Google can violate privacy preferences in this area, what is to stop violations in other areas? And, if Google can do it, why can’t Apple or Microsoft do it too?</p>
<p><strong>Looking Ahead</strong></p>
<p>Clearly, slopes are not always slippery and it is possible to draw lines. Context is also useful – why privacy was breached, the extent of the harm caused by the breach, and the basis under which we deem that harm problematic should all be considered in determining whether that breach should be tolerated. In the case of Google, much uncertainty remains in at least two of these areas – nevertheless, consumers, policymakers, and Google executives alike should think critically about these questions in developing rules and recourse available for internet privacy violations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2012/02/safarigate-benign-behavior-or-malignant-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>STLR Link Roundup – February 3, 2012</title>
		<link>http://www.stlr.org/2012/02/stlr-link-roundup-%e2%80%93-february-3-2012/</link>
		<comments>http://www.stlr.org/2012/02/stlr-link-roundup-%e2%80%93-february-3-2012/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 15:07:35 +0000</pubDate>
		<dc:creator>Garett Gorlitsky</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[File Sharing]]></category>
		<category><![CDATA[Internet Censorship]]></category>
		<category><![CDATA[Link Roundup]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Telecom]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1705</guid>
		<description><![CDATA[In Washington, the House and the Senate backed competing spectrum incentive auction bills, which would encourage current licensees to sell their under-utilized frequencies at auction to wireless carriers.  Lawmakers in both chambers want to package it with the payroll tax extension, which is expected to pass before the end of February.  Former FCC Chairman Reed [...]]]></description>
			<content:encoded><![CDATA[<p>In Washington, the House and the Senate <a href="http://www.ft.com/intl/cms/s/2/f161d0ca-483b-11e1-b1b4-00144feabdc0.html#axzz1lIq9uorZ">backed</a> competing spectrum incentive auction bills, which would encourage current licensees to sell their under-utilized frequencies at auction to wireless carriers.  Lawmakers in both chambers want to package it with the payroll tax extension, which is expected to pass before the end of February.  Former FCC Chairman Reed Hundt called the House legislation <a href="http://thehill.com/blogs/hillicon-valley/technology/207655-former-fcc-chief-rips-house-spectrum-bill">“the single worst telecom bill” he’d ever seen</a> and Sen. John Kerry (D-Mass) <a href="http://thehill.com/blogs/hillicon-valley/technology/207655-former-fcc-chief-rips-house-spectrum-bill">called on the internet community</a> to fight the House bill in order to free up unlicensed spectrum.</p>
<p><a href="http://www.bloomberg.com/news/2012-02-01/facebook-files-to-raise-up-to-5-billion-in-ipo-of-social-networking-site.html">Facebook seeks to raise $5 Billion</a> in its initial public stock offering, making it the largest Internet IPO on record.  It is believed that its stock offering will <a href="http://bostonglobe.com/business/2012/02/03/measuring-value-facebook-ipo-stock/OCdIDGRTfGyPa0gyUHOS4J/story.html">value the company at between $75 and $100 billion</a>.  Mark Zuckerberg, however, will <a href="http://www.nytimes.com/2012/02/03/technology/from-earliest-days-zuckerberg-focused-on-controlling-facebook.html">maintain his control over Facebook</a> with voting power of almost 60 percent of total shares.  Meanwhile, Facebook is <a href="http://www.reuters.com/article/2012/01/31/us-facebook-lawsuits-idUSTRE80U24O20120131">coming under a siege of patent lawsuits</a>.  In 2011, Facebook was named as a defendant in 22 patent infringement suits.</p>
<p>Google announced its new <a href="http://www.google.com/intl/en/policies/privacy/">privacy policy</a>, which is set to become effective on March 1.  The new policy will allow it to track users’ activities across YouTube, Gmail, its search engine, and nearly all of its other sites.  <a href="http://www.washingtonpost.com/business/economy/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html">Users will not be able to opt out</a>, which may trigger more scrutiny from federal regulators.</p>
<p>On January 23, the Supreme Court <a href="http://www.scotusblog.com/case-files/cases/united-states-v-jones/">held</a> that attaching a GPS device to track a vehicle constitutes a search under the Fourth Amendment and requires a warrant.  The ruling is considered a victory for privacy rights in the age of advanced technology, but some argue it was <a href="http://articles.latimes.com/2012/jan/25/opinion/la-ed-gps-20120125">too narrowly reasoned</a> on the basis of the physical intrusion of attaching the device.</p>
<p>Congress indefinitely shelved the controversial antipiracy bills SOPA and PIPA after over <a href="http://www.huffingtonpost.com/2012/01/17/wikipedia-blackout_n_1212096.html">7,000 websites</a>, including Wikipedia and Google, protested the bills, handing a crushing blow to the traditional media industry.</p>
<p>Following the <a href="http://www.usatoday.com/tech/news/story/2012-01-19/megaupload-feds-shutdown/52678528/1">shutdown</a> of file-sharing site Megaupload last month and the arrest of 7 company employees, federal prosecutors announced that <a href="http://www.npr.org/templates/story/story.php?storyId=146068504">Megaupload user data would be deleted</a> as early as Thursday (Feb. 2).  However, a nonprofit group stepped in at the last minute, announcing on Wednesday that <a href="http://www.npr.org/templates/story/story.php?storyId=146204026">it would work with data-storage</a> providers to create a website that will allow legitimate Megaupload users to retrieve their data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2012/02/stlr-link-roundup-%e2%80%93-february-3-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy Rights Re-“Kindled”: eBook Reader Privacy</title>
		<link>http://www.stlr.org/2011/10/privacy-rights-re-%e2%80%9ckindled%e2%80%9d-ebook-reader-privacy/</link>
		<comments>http://www.stlr.org/2011/10/privacy-rights-re-%e2%80%9ckindled%e2%80%9d-ebook-reader-privacy/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 15:23:49 +0000</pubDate>
		<dc:creator>Yian Huang</dc:creator>
				<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[e-Reader]]></category>
		<category><![CDATA[kindle]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1624</guid>
		<description><![CDATA[There has been a tremendous sea change in the publishing landscape over the last several years. As people have been shifting from buying books in brick and mortar stores like Borders and Barnes and Noble, to online distribution of physical media like Amazon, to the rise of electronic distribution like Amazon’s Kindle or Apple’s iBooks [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a tremendous sea change in the publishing landscape over the last several years. As people have been shifting from buying books in brick and mortar stores like Borders and Barnes and Noble, to online distribution of physical media like Amazon, to the rise of electronic distribution like Amazon’s Kindle or Apple’s iBooks ecosystems, the ease and accessibility of obtaining and exploring new works has been steadily increasing. However, what has remained constant are the insights that our reading history provides into our lives, including our religious beliefs, our political leanings, and even our health concerns.</p>
<p>E-book technology, as provided by Kindle or iBooks, presents particularly significant threats to reader privacy. <a href="http://www.eff.org/deeplinks/2009/12/e-book-privacy">As noted by the Electronic Frontier Foundation back in December 2009</a>, e-readers have the potential to report back substantial information about their users’ reading habits, including what book you have read, what page you have searched for, how long you viewed it for, and what page you continued onto next. For example, Amazon’s <a href="http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_sib?ie=UTF8&amp;nodeId=200506200">Kindle License Agreement</a> notes that Amazon will be provided with information on not only what books you have bought, but also “annotations, bookmarks, notes, highlights, or similar markings you make using your Kindle.” As such, there has been tremendous concern that such reading records are too easily tracked, and consequently vulnerable to exposure in legal proceedings. These concerns have been played out in recent times, with the <a href="http://news.cnet.com/8301-13578_3-20002870-38.html">North Carolina Department of Revenue demanding that Amazon turn over personally identifiable information</a> linked to specific purchasing records for customers in North Carolina, and <a href="http://www.cobar.org/opinions/opinion.cfm?OpinionID=560">Colorado police attempting to subpoena information regarding all book orders ever placed</a> by a suspect at a book store.</p>
<p>Facing these concerns, California recently passed <a href="http://www.leginfo.ca.gov/pub/11-12/bill/sen/sb_0601-0650/sb_602_bill_20111002_chaptered.pdf">S.B. 602</a>, the Reader Privacy Act, which updates reader privacy laws by ensuring that privacy protections for book purchases are similar to long-established privacy laws for library records. The ACLU, a sponsor of the bill, <a href="http://www.aclunc.org/issues/technology/asset_upload_file991_9996.pdf">noted the three prongs of protection to reader privacy associated with this Act</a>:</p>
<p>-          <em>Disclosure to Government: </em>Government entities that seek disclosure of reading records must obtain a court order by showing a compelling interest, as well as an indication that they are using the least intrusive means to achieve this compelling interest. Furthermore, notice must be provided to the reader when the court order is executed, and prior notice must be given to the book seller and provider in order to provide the opportunity to appear and contest.</p>
<p>-          <em>Disclosure to Third Parties: </em>Third parties who seek disclosure in a civil or administrative action must similarly obtain a court order by showing a compelling interest, as well as an indication that they are using the least intrusive means to achieve this interest. For third party disclosures, both the book seller/provider and the reader must be given prior notice and the opportunity to appear and contest before disclosure.</p>
<p>-          <em>Voluntary Disclosure: </em>Reading records may be disclosed when the reader consents or exigent circumstances exist.</p>
<p>Some have questioned whether this law, although noble in intent, is necessary in practice. <a href="http://lawprofessors.typepad.com/law_librarian_blog/2011/10/california-enacts-book-purchase-privacy-law.html">Mark Giangrande wondered</a> exactly how many prosecutions had taken place where the person’s reading records were allowed into evidence. He noted that the current standard is that, in most cases, the government may not use a person’s reading habits, literary tastes, or political views as evidence against him, on the grounds that such evidence is prejudicial and not necessary to the charges.<a href="#_ftn1">[1]</a> He notes further that in cases where the reading habits are held relevant to the case, such habits are still considered inadmissible unless the defendant raises that issue.</p>
<p>While Giangrande’s arguments make sense, their retrospective focus seems to miss the true benefits the law provides when analyzed from a prospective perspective. By establishing a bright line rule rather than a murky standard, California citizens are protected against not only increased litigation to prevent disclosure, but also against their data being released without notice. Businesses also benefit in two ways. First, the standards under which a business has to comply with a subpoena for customer information are clarified. Second, consumers will likely be more comfortable with using e-books, knowing that their personal reading history is protected. Even if the courts ultimately decide that reading habits cannot be admitted as evidence in criminal cases, this law is helpful because it expedites the litigation process.</p>
<p>Yet while the law is a good first step, it has certain limitations. Of course, as a California law and not a federal law, the Reader Privacy Act’s protections are limited. Furthermore, the Act provides protection for the purchase and use of only e-books and books. With the rise of digital media, an increasing number of people acquire information through the internet and blogs. The Reader Privacy Act does not protect users against requests concerning their online history. Finally, the Act provides that “a provider shall not knowingly disclose to any government entity, or be compelled to disclose to any person, private entity, or government entity, any personal information of a user…,” where government entities refer only to state or local agencies. For the law enforcement provisions, the protections extend only to requests by state law enforcement agencies. <a href="http://readwriteweb.com/enterprise/2011/10/california-gets-reader-privacy.php">Joe Brockmeier notes that</a> this merely means that California police cannot access your reading history, but there is no corresponding protection against federal agencies, even for users in California. As such, while California’s Reader Privacy Act should serve as a model for other states, California cannot afford to rest on its laurels. With technological advances providing increasing concerns regarding individuals’ privacy rights, legal protections must also evolve in a way that alleviates those concerns and mitigates the harmful impacts.</p>
<div>
<hr size="1" />
<div>
<p><a href="#_ftnref1">[1]</a> For example, <span style="text-decoration: underline;">United States v. Giese</span>, 597 F.2d 1170 (9<sup>th</sup> Cir. 1979) stated that it was “not establishing a general rule that the government may use a person’s reading habits, literary tastes, or political views as evidence against him in a criminal prosecution. In many cases such evidence would be clearly inadmissible.”</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2011/10/privacy-rights-re-%e2%80%9ckindled%e2%80%9d-ebook-reader-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Right to Be Forgotten?</title>
		<link>http://www.stlr.org/2011/04/the-right-to-be-forgotten/</link>
		<comments>http://www.stlr.org/2011/04/the-right-to-be-forgotten/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 12:00:08 +0000</pubDate>
		<dc:creator>Conrad Coutinho</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[le Doit a l'Oubli]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1219</guid>
		<description><![CDATA[Have you ever Googled your own name? Statistics say that you probably have. Egotism aside, in a world where potential employers, schools and even romantic partners are likely to Google you, it would be irresponsible not to be aware of what pops up when you search your name. Many experts (and this non-expert) even recommend [...]]]></description>
			<content:encoded><![CDATA[<p>Have you ever Googled your own name? Statistics say that <a href="http://www.livescience.com/8289-people-google.html">you probably have.</a> Egotism aside, in a world where <a href="http://www.businessweek.com/magazine/content/06_13/b3977071.htm">potential employers</a>, schools and even <a href="http://www.guardian.co.uk/lifeandstyle/2009/jan/20/google-first-date">romantic partners</a> are likely to Google you, it would be irresponsible not to be aware of what pops up when you search your name. Many experts (and this non-expert) even recommend setting up a Google alert <a href="http://blogs.forbes.com/kashmirhill/2009/09/18/google-alerts/">in your name</a>.</p>
<p>But, what can one really do if, for example, your top search results include an out of date, hopelessly inaccurate and embarrassing article from your hometown newspaper? As much guff as Facebook gets for its poor record on privacy protection, an average Facebook user has a relatively powerful set of tools at his or her disposal: you can delete or untag yourself from embarrassing photos, limit who can view your profile, and even delete your profile completely. But, is there anything you can do about embarrassing search results?</p>
<p>In 2010, Hugo Guidotti Russo, a Spanish plastic surgeon, filed a <a href="http://blogs.forbes.com/kashmirhill/2011/03/07/plastic-surgeons-legal-quest-to-facelift-google-search-results/">legal complaint</a> with Spain&#8217;s privacy regulator, the Agency for Data Protection, asking it to order Google to remove a 1991 article about a malpractice complaint from his top search results. Russo insisted that because he was cleared of wrongdoing and the article did not mention this, it was within his right to privacy to have the search results removed. The agency agreed. Google is fighting the ruling, which was recently referred to the European Court of Justice in Luxembourg on the issue of whether the ruling clashed with EU freedom of expression laws.</p>
<p>The case of Mr. Russo is connected to the larger issue of whether governments should—or could—guarantee individuals a so-called “<a href="http://searchengineland.com/google-confronting-spains-right-to-be-forgotten-67440">right to be forgotten.” </a> Though, like most newly recognized rights, the contours are hazy and the terms ambiguous, the right to be forgotten is catching on. In 2009, the French secretary of state launched a campaign for <a href="http://www.huntonprivacyblog.com/2010/10/articles/european-union-1/french-government-secures-right-to-be-forgotten-on-the-internet/">le Droit à l&#8217;Oubli</a> (the right to oblivion, though no English translation is quite adequate) that culminated in the adoption of so-called “codes of good practice” by several trade associations, social networks and search engines.  The provisions are themselves broad but somewhat vague: adopters are obligated to give notice to users about how to exercise their privacy rights, and to respect an individual’s right to consent to data processing, to receive prior notice of processing, and to object to the use of their data. The European Union is currently tossing around some <a href="http://www.telegraph.co.uk/technology/internet/8112702/EU-proposes-online-right-to-be-forgotten.html">proposed legislation</a> which would give people the right, at any time, to have all personal information online deleted—though it’s hard to see how this would work in practice. 
Even in the United States, where courts have been much <a href="http://blogs.forbes.com/kashmirhill/2011/03/07/plastic-surgeons-legal-quest-to-facelift-google-search-results/">less willing</a> to allow individuals to assert a general right of privacy against search engines and social networks, the <a href="http://www.spryhut.com/sex-and-relationships/better-sex/the-right-to-be-forgotten.html">FTC</a> has issued a working paper called “Safeguarding Consumer Privacy in an Era of Fast Transform” which recommends, among other things, that individuals have the right to have inaccurate information about themselves removed from databases.</p>
<p>Critics of the “right to privacy” argue that, in its extreme form, it’s <a href="http://healthprivacy.blogspot.com/2010/11/wsj-crovitz-forget-any-right-to-be.html">tantamount to suppression of speech—censorship</a>. Most facts and opinions worth writing about&#8211;and reading about&#8211; are facts and opinions about people.  Individuals have always been able to fight others who publish false information using libel and defamation law, but falsity is not a requirement for a privacy claim. If individuals are empowered to suppress true or arguably true information written about them by third parties under the guise of privacy, the argument goes, our freedom of expression is significantly burdened.  In <a href="http://www.edri.org/edrigram/number7.22/wikipedia-privacy-freedom-speech">one infamous case</a>, Wikipedia was <a href="http://www.guardian.co.uk/technology/2009/nov/13/wikipedia-sued-privacy-claim">sued</a> by two German murderers demanding that their names be removed from an article about their victim. <a href="http://www.guardian.co.uk/technology/2009/nov/13/wikipedia-sued-privacy-claim">German law</a> allows criminals’ names to be withheld from association with their crimes after their sentences are over.  The case of the German murderers points to another criticism of the right to privacy: <a href="http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html">practicability</a>. If a German court orders the removal of the names from the article, does it only apply to the German language version of Wikipedia or with a .de web url? Does it apply to any article accessible from Germany? Or only if the servers which host the article are located in Germany? Moreover, does Wikipedia, which can be edited by anyone, have an ongoing obligation to ensure that the ex-cons’ names are kept off the site? 
For a website like Wikipedia, which relies heavily on user donations, and which relies on a relatively small number of editors to maintain their pages, an ongoing obligation to monitor for information about individuals is a heavy burden.</p>
<p>From the perspective of someone with a rare name—say for example, <a href="http://www.google.com/search?rlz=1C1CHFX_enUS375US375&amp;sourceid=chrome&amp;ie=UTF-8&amp;q=%22conrad+coutinho%22">the author of this post</a> (but three out of the first four results are not me!)—the right to delete whatever search results I wanted from Google would certainly be a blessing. That being said, there is a thin and hazy line between what information is truly private—which should be protected—and what information is merely embarrassing or inconvenient, but a legitimate part of the public discourse.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2011/04/the-right-to-be-forgotten/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Myth of De-Identified Data: Sorrell v. IMS Health and the privacy risks of the prescription data trade</title>
		<link>http://www.stlr.org/2011/04/the-myth-of-de-identified-data-sorrell-v-ims-health-and-the-privacy-risks-of-the-prescription-data-trade/</link>
		<comments>http://www.stlr.org/2011/04/the-myth-of-de-identified-data-sorrell-v-ims-health-and-the-privacy-risks-of-the-prescription-data-trade/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 22:25:55 +0000</pubDate>
		<dc:creator>Marshall Hogan</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[electronic medical records]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1206</guid>
		<description><![CDATA[While my colleagues have recently identified many of the potential risks and benefits of electronic medical record keeping, a case before the Supreme Court this term presents questions about the potential dangers it poses for patient privacy in particular. Background: Sorrell v. IMS Health In Sorrell v. IMS Health, plaintiffs data-mining firms and PhRMA, an [...]]]></description>
			<content:encoded><![CDATA[<p>While my colleagues have <a href="../2011/03/despite-risks-electronic-medical-records-will-likely-soon-replace-paper-based-records/">recently</a> <a href="../2010/12/no-more-messy-handwriting-the-move-to-electronic-record-keeping-in-the-health-care-industry-and-concerns-about-liability-and-the-security-of-patient%E2%80%99s-information%E2%80%9D/">identified</a> many of the potential risks and benefits of electronic medical record keeping, a case before the Supreme Court this term presents questions about the potential dangers it poses for patient privacy in particular.</p>
<p><strong>Background: <em>Sorrell v. IMS Health</em></strong></p>
<p>In <em><a href="http://www.scotusblog.com/case-files/cases/sorrell-v-ims-health-inc?wpmp_switcher=desktop">Sorrell v. IMS Health</a></em>, the plaintiffs, data-mining firms and PhRMA, an association representing pharmaceutical drug manufacturers, have challenged a Vermont law that prohibits drug manufacturers from using prescriber records for purposes of marketing. The plaintiffs argue that this restriction on their use of information violates their free speech rights.</p>
<p>The Vermont law attempts to curb marketing uses of prescription records by targeting a common three-part transaction: First, upon filling prescriptions, pharmacies collect information including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender. Pharmacies sell this information to data-mining firms who aggregate it to reveal individual physician prescribing patterns.</p>
<p>Second, the data-mining firms “de-identify” the aggregated data by stripping it of patient information and then sell it to drug manufacturers. The extent to which the firms de-identify the data is apparently left to their discretion, since no statute defines what constitutes sufficiently de-identified data.</p>
<p>Third, after purchasing the data, drug manufacturers use it in their marketing efforts. Most notably, manufacturers employ representatives to promote their products during visits with individual physicians, a process known as “detailing.”</p>
<p>The challenged Vermont law seeks to disrupt this transaction by prohibiting pharmacies from selling or using prescription records for any marketing purposes without the express consent of the prescribing physician. Put another way, the law prohibits part one of the transaction described above in order to prevent part three. The law permits pharmacies to continue to transmit the data for non-commercial purposes such as health care research, treatment, and safety-related uses.</p>
<p>Plaintiffs data-mining firms and PhRMA argue that the law restricts commercial speech and therefore violates their First Amendment rights. Vermont, in contrast, argues among other things that the law is not a restriction on speech but merely conduct. Even if it were a restriction on commercial speech, Vermont argues, the law advances three substantial state interests: protecting public health, protecting patient privacy, and containing health care costs.</p>
<p>In November, 2010, the Second Circuit agreed with plaintiffs’ argument and struck down the law. The three judge panel held that the statute restricted commercial speech—not merely conduct—and that it failed to advance the state’s asserted interests in lowering health care costs and protecting public health. The court determined that the state’s stated interest in protecting privacy was “too speculative” to qualify as substantial.</p>
<p><strong>The State’s Interest in Privacy</strong></p>
<p>In rejecting the state’s interest in protecting patient privacy as substantial, the Second Circuit neglected to consider developments in technology and decryption techniques that pose a real and substantial threat to patient privacy. In fact, the state itself neglected these developments and instead <a href="http://www.abanet.org/content/dam/aba/publishing/previewbriefs/Other_Brief_Updates/10-779_Petitioner.pdf">argued</a> (.pdf) that allowing marketing uses of prescription data undermined the privacy of the patient-doctor relationship.</p>
<p>In an <a href="http://epic.org/privacy/ims_sorrell/epic_amicus.pdf">amicus brief</a> (.pdf) cited by the dissent, the Electronic Privacy Information Center (EPIC) emphasized the importance of the state’s interest in protecting patient privacy in light of recent technological developments. In particular, it explained the various ways in which de-identified data can be easily re-identified, and how this re-identification presents serious risks where medical records are at stake.</p>
<p>In its brief, EPIC describes one method of re-identifying anonymous data known as record linkage, which involves merging two or more databases (e.g. public census data, voting records, etc.). This method has been proven to be very effective at re-identifying individuals from supposedly anonymous data—even from ordinary desktop computers. For example, one privacy researcher employing this method was <a href="http://dataprivacylab.org/dataprivacy/projects/law/law1.html">able to</a> uniquely identify 87% of the US population by utilizing only date of birth, gender, and zip code. The same researcher also <a href="http://www.ncvhs.hhs.gov/980128tr.htm">re-identified</a> a former governor of Massachusetts’ full medical record by cross-referencing public census data with de-identified health data.</p>
<p>Expanding on its amicus brief for the Second Circuit, EPIC’s recent <a href="http://sblog.s3.amazonaws.com/wp-content/uploads/2011/03/EPIC_amicus_Sorrell_final.pdf">amicus brief</a> (.pdf) filed at the Supreme Court attacks the data-mining firm IMS Health’s method for encrypting the prescription data. According to the brief, the firm uses a faulty method of encryption, known as <a href="http://en.wikipedia.org/wiki/MD5">MD5</a>.  MD5 has been abandoned not only by its inventor Ron Rivest, who has <a href="http://mail.python.org/pipermail/python-dev/2005-December/058850.html">deemed</a> the method “clearly broken,” but also by the Department of Homeland Security, whose Computer Emergency Readiness Team <a href="http://www.kb.cert.org/vuls/id/836068">concluded</a> that it was “cryptographically broken and unsuitable for further use.”</p>
<p>The court’s failure to recognize these developments would be more understandable if computer scientists had just discovered the risks of re-identification; however, these risks have been well documented for years even in the popular press. In an <a href="http://www.nytimes.com/2009/08/09/business/09privacy.html?_r=1">article</a> published nearly two years ago, <em>The</em> <em>New York Times </em>profiled several individuals whose prescription data had been sold to drug manufacturers without their consent and re-identified so that it could be used for purposes of marketing products directly to them.</p>
<p>In the article, one woman in particular began receiving promotional material for various pregnancy-related products after she bought fertility drugs at a pharmacy in San Diego. Although she was unsuccessful in having a baby, she continued to receive ads for over ten years promoting at first diapers and baby formula and later discounts on family photos and “gifts suitable for an elementary school graduate.” The woman describes the ads as painful reminders of a difficult time in her life: “To just go to the mailbox and get that stuff, time after time after time, it was just awful.”</p>
<p>While digitizing medical records provides several benefits, we must not ignore or underestimate the risks. Although one would like to find assurance in the notion of de-identified or anonymous data, the reality proves more troubling. At the very least, state attempts to protect this sensitive data should be carefully reviewed before being struck down—and an understanding of encryption technology and methods must be part of any meaningful review.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2011/04/the-myth-of-de-identified-data-sorrell-v-ims-health-and-the-privacy-risks-of-the-prescription-data-trade/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How Much Protection from Search and Seizure Does Your Email Have?</title>
		<link>http://www.stlr.org/2010/04/how-much-protection-from-search-and-seizure-does-your-email-have/</link>
		<comments>http://www.stlr.org/2010/04/how-much-protection-from-search-and-seizure-does-your-email-have/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 18:02:17 +0000</pubDate>
		<dc:creator>Anjali Bhat</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[4th amendment]]></category>
		<category><![CDATA[doj]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[probable cause]]></category>
		<category><![CDATA[search and seizure]]></category>
		<category><![CDATA[stored communications act]]></category>
		<category><![CDATA[webmail]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=924</guid>
		<description><![CDATA[Does the government need a search warrant, requiring a showing of probable cause, in order to read your email—as it would if it wanted to read a physical letter? Not if the email has been “in electronic storage” for more than 180 days, under the 1986 Stored Communications Act (18 U.S.C. Section 2703). The Stored [...]]]></description>
			<content:encoded><![CDATA[<p>Does the government need a search warrant, requiring a showing of <a href="http://en.wikipedia.org/wiki/Probable_cause">probable cause</a>, in order to read your email—as it would if it wanted to read a physical letter?</p>
<p>Not if the email has been “in electronic storage” for more than 180 days, under the <a href="http://www.law.cornell.edu/uscode/18/usc_sec_18_00002703----000-.html">1986 Stored Communications Act (18 U.S.C. Section 2703).</a> The Stored Communications Act (SCA) is Title II of the Electronic Communications Privacy Act (ECPA).  In contrast, that same Act states that a warrant <em>is</em> required for disclosures of emails that have been stored for 180 days or less.</p>
<h1>A Recent Battle Over Email Through Webmail</h1>
<p>How to apply the SCA to emails stored by webmail providers was the central issue in a court battle pitting several tech company heavyweights and privacy advocates against the U.S. Department of Justice.  In December of 2009, the DOJ requested and received an order from a magistrate judge that Yahoo turn over emails in specified accounts stored for less than 181 days—without a search warrant.  The DOJ’s rationale? The emails had already been read by the recipient, and thus did not count as being in “electronic storage” within the meaning of the SCA.</p>
<p>Yahoo refused to comply with the magistrate judge’s order. The DOJ filed a motion to compel the production of the emails in March (<a href="http://www.eff.org/files/filenode/inreusaorder18/MotiontoCompel.pdf">PDF</a>). Yahoo’s response brief (<a href="http://www.eff.org/files/filenode/inreusaorder18/yahooresponse.pdf">PDF</a>) contested the DOJ’s interpretation of “storage” and accused the DOJ of trying to overturn years of precedent in an effort to gut Fourth Amendment protections for emails.</p>
<p>Yahoo was not alone in its battle. Google and a coalition of digital privacy groups came to its defense, filing an amicus brief (<a href="http://www.eff.org/files/filenode/inreusaorder18/AmiciBriefYahooEmails.pdf">PDF</a>) arguing that the Fourth Amendment protects email just as much as private conversations and written papers, and supporting Yahoo’s interpretation of “electronic storage” within the meaning of the SCA.</p>
<h1>The Government Backs Off&#8230; For Now</h1>
<p>The fight was just coming to a head when it ended abruptly. The DOJ <a href="http://www.wired.com/threatlevel/2010/04/emailprivacy-2/">withdrew its motion</a> to compel the production of the emails (<a href="http://www.eff.org/files/motion%20to%20withdraw%20motion%20to%20compel%20Yahoo.pdf">PDF</a>)—without, however, backing down from its interpretation of the law. This means that the argument may not be truly over, but may simply have been postponed. Although Yahoo <a href="http://news.cnet.com/8301-13578_3-20002722-38.html">briefly expressed its pleasure</a> over the new development, the digital privacy groups (for instance, the <a href="http://www.eff.org/deeplinks/2010/04/government-backs-down-yahoo-email-privacy-case">Electronic Frontier Foundation</a>) are less pleased because the withdrawal delayed resolution of a contentious issue. Adding to their consternation: they thought they were going to win.  Precedent indicates that the resolution the DOJ&#8217;s withdrawal delayed may have been favorable to email users and companies like Yahoo, and less than favorable to the DOJ. Although Yahoo won this short-term victory, the government’s withdrawal means that Yahoo and Google and their users will likely face similar issues very soon.</p>
<h1>“Electronic Storage” and Cloud Computing</h1>
<p>Yahoo, in its response to the DOJ’s motion to compel, relied on the 2003 9<sup>th</sup> Circuit case <em>Theofel v. Farey-Jones </em>(<a href="http://archive.ca9.uscourts.gov/ca9/newopinions.nsf/04485f8dcbd4e1ea882569520074e698/47bbdcf5b06f1eb688256d8f007395e8/$FILE/0215742.pdf">PDF</a>) which plainly stated that opened emails fell within the SCA’s definition of “electronic storage.” For the purposes of <a href="http://www.law.cornell.edu/uscode/18/usc_sec_18_00002701----000-.html">SCA § 2701(a)(1)</a>, a communication is in “electronic storage” if it is stored temporarily and incidentally to transmission <em>or </em>if it is stored “for purposes of backup protection” (<a href="http://www.law.cornell.edu/uscode/18/2510.html#17">SCA § 2510(17)</a>). In <em>Theofel</em>, the 9<sup>th</sup> Circuit did not decide the question of whether opened emails were stored incidentally to transmission, but held that regardless of that issue, opened emails were stored for purposes of backup protection. Accordingly they are in “electronic storage” within the plain meaning of the SCA. Yahoo argued that not only are the opened emails stored for purposes of backup protection, but that the court should also consider them to be stored incidentally to transmission. Relying on the plain meaning of the SCA provisions, Yahoo argued that whether an email was opened or not was irrelevant to its classification as “electronic storage” and consequent protection under the SCA.</p>
<p>The DOJ, by contrast, argued that <em>Theofel </em>was an erroneous decision and that the 9<sup>th</sup> Circuit was disregarding the structure and legislative history of the SCA. In particular, the DOJ argued that the protection for backup storage only applied to copies made by a service provider in case of system failure. Since opened email does not fall into this category, it is not in “electronic storage” for the purposes of the SCA, but instead falls into the category of communications held by a “remote computing service”—in this case, Yahoo.  The SCA, passed in the days before common use of webmail, does not have warrant requirements for such communications (<a href="http://www.law.cornell.edu/uscode/uscode18/usc_sec_18_00002703----000-.html">see</a> section 2703(a), regarding communications in “electronic storage,” compared with section 2703(b), discussing communications held by a “remote computing service”).</p>
<p>The SCA’s distinction between “electronic storage” and storage by a “remote computing service” suggests that much of the information stored by web users will have very little statutory privacy protection in the era of <a href="http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031">cloud computing</a>, as more and more personal data is stored remotely. That is probably why the amici brief by Google and various digital privacy groups, in addition to supporting Yahoo’s interpretation of the SCA, also argued that the emails were protected under the Fourth Amendment—regardless of whether the SCA’s protections extend to them or not.</p>
<h1>Fourth Amendment and Email</h1>
<p>Citing a line of cases beginning with <em><a href="http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=US&amp;vol=389&amp;invol=347">Katz v. United States</a>,</em> a Supreme Court decision from 1967 holding that governmental eavesdropping on phone conversations is a Fourth Amendment violation, the amici brief argued that email users have a “reasonable expectation of privacy” (a prerequisite to Fourth Amendment claims) for the contents of emails stored with a webmail provider. The argument was supported by analogy to conversations in person and over the phone (which are intangible, yet constitutionally protected), sealed postal mail (private for Fourth Amendment purposes even though carried by a third party) and the contents of hotel rooms (private even though the room is owned by a third party).</p>
<h1>Possible Future Developments</h1>
<p>Despite all these fine-tuned legal arguments, all of these parties will have to wait for a final conclusion on whether opening an email makes it less protected and whether email is as constitutionally protected as a phone conversation. However, Google and the digital privacy organizations behind the amici brief—along with Microsoft, AT&amp;T, AOL, Loopt, and others—have <a href="http://news.cnet.com/8301-13578_3-20001393-38.html">joined forces</a> to advocate federal laws that would render moot all of this analysis by changing the SCA so that police will need a search warrant to access emails even if they are stored “in the cloud.” Describing the issue as one of “<a href="http://digitaldueprocess.org/index.cfm?objectid=DF652CE0-2552-11DF-B455000C296BA163">digital due process</a>,” the coalition argues that the 1986 attitude to “remote computing services” has become obsolete and that privacy protections need updating in the current era.</p>
<p>The fact that most of this diverse coalition banded together to support Yahoo’s case so quickly after it was announced (it was announced on March 30<sup>th</sup> and the amici brief was filed on April 13<sup>th</sup>) suggests that the coalition may have regarded the Yahoo case as the initial test run for its legal strategy. The DOJ’s withdrawal can be taken as a sign of uncertainty in its position, or at least unwillingness to argue it unless strictly necessary. However, the DOJ’s lack of any concession on this issue shows that it has by no means given up the possibility of pursuing this battle in later cases, which means that we will likely see giants like Google, Microsoft, and AT&amp;T clash with the federal government over email privacy in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2010/04/how-much-protection-from-search-and-seizure-does-your-email-have/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>French Security Bill To Authorize Internet Filtering</title>
		<link>http://www.stlr.org/2010/03/french-security-bill-to-authorize-internet-filtering/</link>
		<comments>http://www.stlr.org/2010/03/french-security-bill-to-authorize-internet-filtering/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 23:45:17 +0000</pubDate>
		<dc:creator>Brian Harley</dc:creator>
				<category><![CDATA[International Law]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[child pornography]]></category>
		<category><![CDATA[france]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[pending legislation]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=857</guid>
		<description><![CDATA[On February 16, 2010, the Assemblée Nationale, the lower house of the French legislature, approved the draft  Loi d’Orientation et de Programmation pour la Sécurité Intérieure (Law on the Orientation and Programming for Internal Security, or “LOPPSI”[1]). After the DADVSI law of 2007, which criminalized Digital Rights Management (DRM) circumvention, and the controversial HADOPI law [...]]]></description>
			<content:encoded><![CDATA[<p>On February 16, 2010, the <em>Assemblée Nationale</em>, the lower house of the French legislature, approved the draft <a href="http://www.loppsi.fr/app/4,loppsi.pdf"><em>Loi d’Orientation et de Programmation pour la Sécurité Intérieure</em></a> (Law on the Orientation and Programming for Internal Security, or “<strong>LOPPSI</strong>”<a href="#_ftn1">[1]</a>). After the <a href="http://en.wikipedia.org/wiki/DADVSI_law">DADVSI</a> law of 2007, which criminalized Digital Rights Management (DRM) circumvention, and the controversial <a href="http://en.wikipedia.org/wiki/HADOPI">HADOPI</a> law of 2009, which sought to enact a “three strikes” disconnection policy against online copyright infringers, the latest bill has been described as conferring on the French government “unprecedented control over the Internet” (<a href="http://www.spiegel.de/international/europe/0,1518,druck-678508,00.html">Der Spiegel</a>; see also <a href="http://www.theregister.co.uk/2010/02/17/france_ip_law/">The Register</a>, <a href="http://www.lemonde.fr/technologies/article/2010/02/11/l-assemblee-valide-le-filtrage-des-sites-pedopornographiques_1304202_651865.html">Le Monde</a> (in French)). <a href="http://www.lemonde.fr/technologies/article/2009/05/18/apres-la-dadvsi-et-hadopi-bientot-la-loppsi-2_1187141_651865.html">Le Monde</a> sees in LOPPSI a “true arsenal for cyber security,” which is being pushed as a matter of legislative priority by President Nicolas Sarkozy.</p>
<h1>Ragbag security legislation</h1>
<p>The bill is a ragbag of security-related provisions, spanning a diverse range of issues such as online identity theft, video surveillance, stadium violence, and dangerous driving. The law apparently also authorizes the French authorities to use malware to obtain evidence on criminal suspects, for example by covertly uploading software to their PCs to log their keyboard inputs. While the express purpose of the bill is to set out the framework for the operations of law enforcement agencies for the next five years, it focuses particularly on the technical means that can be employed by the police and judges.<a href="#_ftn2">[2]</a></p>
<p>The provision that has proven most controversial is draft article 4, which provides for the filtering, on the authority of ministerial orders, of websites hosting child pornography. The 312 to 214 vote in favor by the <em>Assemblée </em>is unlikely to mark the end of the controversy, as the upper house, the <em>Sénat </em>(Senate) has yet to debate and approve the law. This post considers the text of the provision and the debates surrounding it, before comparing the proposal to similar proposals and existing filtering systems around the world.</p>
<h1>Filtering by ministerial order</h1>
<p>Draft article 4 is explicitly targeted at, and limited to, the “requirements of the fight against images or representations of minors” prohibited by the <em>Code Pénal </em>(Criminal Code), i.e. child pornography. There is no leeway under the current wording of the article for blocking sites other than those which provide access to child pornography. In terms of procedure, as pointed out by the Ministry of the Interior’s <a href="http://www.loppsi.fr/app/3,dossier_presse_loppsi.pdf">press release</a> on the law, “the rule is simple: the Minister for the Interior communicates to ISPs a blacklist of sites and online content to be blocked, and it is the ISPs who prevent access to those sites and content from computers located in France.”</p>
<h1>Legislative Debates</h1>
<p>Article 4 was one of the main points of contention in the legislative debates over the bill. According to <a href="http://www.lemonde.fr/technologies/article/2010/02/11/l-assemblee-valide-le-filtrage-des-sites-pedopornographiques_1304202_651865.html">Le Monde</a>, the (right wing) majority accused the left, which opposed the bill, of turning a blind eye to the kind of materials easily available online. The left, on the other hand, protested against the “diabolization” of the internet, a hostility which Green <em>députée </em>(Representative) Martine Billard sees as rooted in the government’s frustration with its inability to control the internet. The opposition further attacked the bill on the grounds that it fails to address either the victims of the crimes at issue or those who create the images, but rather focuses only on the means of transmission.</p>
<h1>Procedural Safeguard</h1>
<p>One crucial amendment to the bill was introduced during the debates in the <em>Assemblée Nationale</em> by <em>député</em> Lionel Tardy, a member of the majority UMP party. The amendment requires the approval of a judge before the ministerial order to block a given site can be put into effect. According to <a href="http://www.lemonde.fr/technologies/article/2010/02/11/l-assemblee-valide-le-filtrage-des-sites-pedopornographiques_1304202_651865.html">Le Monde</a>, the bill sponsors expressed their reservations regarding this amendment (and in particular its potential to slow down the enforcement procedure), but in the end chose not to oppose it. This decision may have been based on a recognition of the validity of the opinion of the <em>Commission des Lois</em> (Law Commission), which was of the view that the absence of this procedural safeguard could lead to the law being struck down as unconstitutional (as happened to the HADOPI law last year).</p>
<h1>Criticism</h1>
<p>None of the critics of LOPPSI argue that child pornography ought not to be fiercely cracked down on. Rather, a leading theme of criticism of the bill is a concern that, by enshrining a ministerial power to order the blocking of internet sites, LOPPSI lays the foundations for a system of internet filtering that could easily outgrow its original purpose. French cybercrime expert Guillaume Lovet (quoted <a href="http://www.zeropaid.com/news/86373/french-cybercrime-expert-discusses-loppsi-2-legislation/">here</a>) notes that the legislation gives the French government a “foot in the door,” and observes that it reflects a growing international trend of “legislate first, address accountability later.”</p>
<p>Blogger <a href="http://www.jmp.net/2009/05/ma-position-sur-la-loppsi-en-3-mots-et-en-proposition/">Jean-Michel Planche</a> notes that, if the law is passed, the internet will become the first infrastructure network (e.g. roads, electricity, gas, postal services) to come under the control of the Ministry of the Interior, and wonders what implications this may have as the internet’s role as a platform for all kinds of social and economic exchanges grows.</p>
<p>A number of critics have also questioned the effectiveness of the bill, remarking that this type of ISP-level filtering would do little to prevent the determined and tech-savvy from accessing offending websites, for example through virtual private networks (VPNs) (see e.g. this <a href="http://www.loppsi.fr/">online LOPPSI forum</a>).</p>
<h1>International trends</h1>
<p>The explanatory notes to LOPPSI mention the fact that “neighboring democracies” such as Denmark, the Netherlands, Norway, Sweden and the United Kingdom have put in place technical measures enabling the blocking of access to specified sites from within their territories (though these have not been formalized in LOPPSI-like legislation; Le Monde provides a useful <a href="http://www.lemonde.fr/technologies/infographie/2010/02/11/le-filtrage-d-internet-dans-le-monde_1304059_651865.html">map</a> which identifies various countries around the world which have adopted targeted filtering of child pornography sites). The experience of filtering in these countries is not encouraging with regard to the accountability of blacklisting systems.</p>
<p>The blacklists maintained by a number of countries, including Denmark, Norway, Australia and Thailand, have been leaked through <a href="http://wikileaks.org/">Wikileaks</a> over the last few years. The Thai government’s blacklist, aimed at child pornography, allegedly included 1,203 political sites which were thought to criticize the Thai king, in breach of Thailand’s strict <em>lèse majesté</em> laws (see ZeroPaid post <a href="http://www.zeropaid.com/news/9919/thai_internet_website_blacklist_leaked/">here</a>). But even in the case of western democracies, blacklists have been accused of being open to abuse: <a href="http://www.forbes.com/2009/03/19/australia-internet-censorship-markets-economy-wikileaks.html">Forbes</a> reported that the blacklist compiled by the Australian Communications and Media Authority, which is meant to target child pornography and terrorist websites, was found to include the websites of a tour operator and a Queensland dentist&#8217;s practice. The U.K. filtering system came under fire in 2008 when it was found that six major British ISPs had blocked access to a Wikipedia page which contained an image reproducing a controversial Scorpions album cover (see report from <a href="http://www.theregister.co.uk/2008/12/07/brit_isps_censor_wikipedia/">The Register</a>).</p>
<p>An interesting contrast to LOPPSI is the fate of a recent German filtering proposal, the <em>Gesetz zur Erschwerung des Zugangs zu kinderpornographischen Inhalten in Kommunikationsnetzen</em> (Law on the Restriction of Access to Child Pornography Content in Communication Networks), which was initially approved in the summer of last year by the German lower house, the <em>Bundestag </em>(see <a href="http://www.dw-world.de/dw/article/0,,4406608,00.html">Deutsche Welle</a> report). Unlike the French bill, the German law would not have blocked access to the offending sites but would have thrown up a warning page displaying a large red stop sign. The stop sign would notify web users of the nature of the content they were seeking to access, but nevertheless allow the users to proceed if they so choose. The proposal met with considerable public opposition, including an online petition signed by more than 130,000 people (the biggest online petition in Germany to date). Elections in September 2009 resulted in changes to the governing coalition, and the liberal FDP made it clear, during the talks that led to it joining the government, that it would not support the filtering provisions. The filtering strategy was formally dropped on February 8, 2010, in favor of a policy targeted at deleting offending websites rather than blocking them (see <a href="http://opennet.net/blog/2010/02/german-government-steps-away-2009-filtering-plan">Opennet</a> report).</p>
<h1>Conclusions</h1>
<p>Looking at the wording of article 4 of LOPPSI alone, the concerns of some of the bill’s critics may seem overblown. Few dispute the pressing need to fight the dissemination of child pornography online. Even if ISP-level filtering is unlikely to deter the most resourceful seekers of such content, what limiting effect it does have must surely be welcomed. Regarding the criticism that the bill focuses only on intermediaries, it is clear that other legislation targets the creators of child pornography. Furthermore, in many areas of law enforcement, targeting intermediaries often proves to be the most effective means of achieving effective enforcement. Regarding blacklists, there is a valid argument that releasing the blacklist publicly could compromise the aim of suppressing access to the sites concerned, as it would provide potential offenders with an “address book” of prohibited sites, which the more tech-savvy could then easily access. However, the patchy record even of liberal democracies suggests a strong need for accountability mechanisms in the administration of any kind of blacklist system. In this respect, the amendment introduced by Mr. Tardy is a welcome and necessary procedural safeguard. Nevertheless, there is little doubt that its sufficiency, and indeed the legitimacy of any kind of filtering strategy, will be much debated as LOPPSI makes its way through the French legislative process.</p>
<hr size="1" /><p><a href="#_ftnref">[1]</a> In fact, the current bill should more accurately be referred to as “LOPPSI 2,” as a law of the same name was adopted in 2002 (see French Wikipedia article <a href="http://fr.wikipedia.org/wiki/LOPSI">here</a>).</p>
<p><a href="#_ftnref">[2]</a> Note that French criminal judges can be much more intimately involved in investigation and evidence gathering than their common law counterparts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2010/03/french-security-bill-to-authorize-internet-filtering/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Google Buzz: A Recap of the Controversy and the Current Legal Issues</title>
		<link>http://www.stlr.org/2010/02/google-buzz-a-recap-of-the-controversy-and-the-current-legal-issues/</link>
		<comments>http://www.stlr.org/2010/02/google-buzz-a-recap-of-the-controversy-and-the-current-legal-issues/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 04:37:25 +0000</pubDate>
		<dc:creator>Anjali Bhat</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[google buzz]]></category>
		<category><![CDATA[online privacy]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=839</guid>
		<description><![CDATA[Google’s launch last week of Buzz, its social networking tool for Gmail, raised a furor over its privacy effects. As the New York Times reports, many Gmail users were outraged that their Gmail address books were turned into a public contact list, viewable to everyone in their address books, in Buzz.  Furthermore, Buzz is opt-out [...]]]></description>
			<content:encoded><![CDATA[<p>Google’s launch last week of Buzz, its social networking tool for Gmail, <a href="http://www.nytimes.com/2010/02/15/technology/internet/15google.html?ref=technology">raised a furor over its privacy effects</a>. As the New York Times reports, many Gmail users were outraged that their Gmail address books were turned into a public contact list, viewable to everyone in their address books, in Buzz.  Furthermore, Buzz is opt-out rather than opt-in. Google automatically enrolled all Gmail users into Buzz without notice or opportunity to decline enrollment. This ill-starred launch has had a variety of consequences for Gmail users, ranging from dissatisfaction to potentially dangerous exposure of private information. It also has had, and may continue to have, legal consequences for Google itself, which we explore in this post.</p>
<h1>Opting in vs. opting out, and the difficulties of opting out</h1>
<p>Google automatically enrolled all Gmail users into Buzz without permission, rather than giving them the choice to opt in. Users could opt out after the automatic enrollment, but they could not avoid enrollment in the first place. And Google initially made things difficult and confusing for users who wished to opt out. The “turn off Buzz” button at the bottom of the Gmail inbox screen did not actually turn off Buzz unless the user deleted her Google profile and blocked her followers, as <a href="http://news.cnet.com/8301-17939_109-10451703-2.html">CNET reported</a>. This initially confused many users although, as CNET explains <a href="http://news.cnet.com/8301-17939_109-10455087-2.html">here</a>, Google has now made disabling Buzz much easier in response to complaints.</p>
<h1>The cause of the outcry</h1>
<p>One major cause for complaint was the way Google took users’ private e-mail address lists and made them public in Buzz. The outrage over Google’s action highlights one of the few clear public-private boundary expectations that exist in online communications: we do not expect our e-mail communications or contacts to be known to our personal acquaintances.  On Facebook, those we have “friended” can generally see each other. But in e-mail, we do not expect each of our e-mail contacts to be made aware of each other simply because they’re in the same address book.  The myriad personal implications of this are obvious.  For example, people do not necessarily want their former significant others to know the e-mail addresses of their current partners. The consequences of this privacy breach can be severe: one blogger found her address book exposed to her abusive ex-boyfriend, as the New York Times <a href="http://www.nytimes.com/2010/02/13/technology/internet/13google.html?scp=2&amp;sq=buzz%20blogger&amp;st=cse">reported</a>. Furthermore, as the Times went on to explain, dissidents under authoritarian regimes have reason to fear their contacts being made available to any casual governmental monitor.</p>
<p>As <a href="http://arstechnica.com/tech-policy/news/2010/02/google-works-to-clean-up-buzz-privacy-mess-after-launch.ars">Ars Technica</a> commented, these problems arose directly from Google’s attempt to use information given by its users in a private context (e-mail) by linking it to a public service. Furthermore, Google also took public information (public Picasa Web Albums and Google Reader shared items) and connected it to users’ Buzz accounts. This made it likelier that the users’ Buzz contacts would see the albums or Reader items. Google defended this by saying the information was public anyway, but linking users’ public information to their social networking account still has consequences. Information that is not hidden behind a password may still be unknown to a user’s personal acquaintances, and the user may wish to keep it that way.  While technically Google’s “it was public already” defense may have some legal merit, Google did not earn any good will from its users by failing to seek their permission on this issue.</p>
<h1>Google’s response</h1>
<p>Google has <a href="http://www.nytimes.com/2010/02/15/technology/internet/15google.html?ref=technology">apologized</a> and begun rolling back some of Buzz’s problematic features. Google got rid of the automatic creation of a Buzz contact list from users’ email accounts, made it easier to disable Buzz, and no longer automatically connects public Picasa Web Albums and Google Reader shared items to Buzz accounts. The response was both rapid and dramatic, which is a point in Google’s favor in the eyes of many complainants. However, because of the circumstances that made such a response necessary, Google’s critics are still not entirely satisfied.</p>
<h1>The legal repercussions</h1>
<p>Google may have to face a class-action suit in federal court in San Jose, CA, the <a href="http://www.sfgate.com/cgi-bin/blogs/techchron/detail?entry_id=57438&amp;tsp=1">San Francisco Chronicle reports</a>. Plaintiff Eva Hibnick of Florida is seeking to file the suit on behalf of all Gmail users whose account information was automatically linked to Buzz. The complaint accuses Google of unlawfully sharing personal information without permission, as <a href="http://abcnews.go.com/Technology/google-buzz-draws-class-action-suit-harvard-student/story?id=9875095">ABC explains</a>. The plaintiff seeks injunctive relief from similar actions in the future, as well as unspecified monetary damages.</p>
<p>Furthermore, the <a href="http://epic.org/">Electronic Privacy Information Center</a> (EPIC) calls Google’s response inadequate, reports <a href="http://www.dmwmedia.com/news/2010/02/17/privacy-group-epic-asks-ftc-compel-google-buzz-changes">Digital Media Wire</a>. EPIC argues that Google Buzz should be opt-in, rather than opt-out. Google’s most recent changes have made it much easier for users to opt out of Buzz, but they still must opt out. Additionally, EPIC argues that Buzz should not have access to Gmail address books. EPIC has also <a href="http://epic.org/2010/02/epic-urges-federal-trade-commi.html">filed</a> a <a href="http://epic.org/privacy/ftc/googlebuzz/GoogleBuzz_complaint.pdf">request</a> with the Federal Trade Commission to investigate Google Buzz.</p>
<p>The Electronic Frontier Foundation has also sharply criticized Google Buzz. The EFF’s <a href="http://www.eff.org/deeplinks/2010/02/google-buzz-privacy-update">arguments</a> go beyond the immediate impact of the Buzz features and suggest that courts should be more skeptical of the <a href="http://books.google.com/googlebooks/agreement/">Google Books settlement</a>. As the EFF points out, a <a href="http://news.bbc.co.uk/2/hi/technology/8517613.stm">BBC report</a> suggests that Google did not properly test Buzz before launching it. As Google <a href="http://news.bbc.co.uk/2/hi/technology/8523339.stm">tries to finalize</a> its Books settlement, as the BBC reports, the problematic Buzz launch suggests Google might use Books information for its own competitive advantage in the same way it used Gmail information. The EFF <a href="http://www.eff.org/deeplinks/2010/02/google-buzz-privacy-update">argues</a> that the Buzz incident highlights the need for Google to make “firm enforceable commitments to protecting user privacy.”</p>
<h1>The future</h1>
<p>Buzz might be doing better than one might anticipate given the uproar. The New York Times <a href="http://www.nytimes.com/2010/02/15/technology/internet/15google.html?ref=technology">reports</a> that Google claims “tens of millions of people” tried Buzz in the first two days after its launch. Google competitors <a href="http://www.mediabistro.com/webnewser/google/microsoft_yahoo_buzz_in_on_google_buzz_151573.asp?c=rss">Microsoft</a> (as MediaBistro reports) and <a href="http://twitter.com/yahoo/status/8868414034">Yahoo</a>, meanwhile, are naturally pooh-poohing Buzz’s prospects. But one thing is clear. Google might get away with asking for forgiveness rather than permission while dealing with Google Books and other copyright law issues, but taking that cavalier approach to personal information is a different matter, even in an age of decreasing privacy. Google may be dealing with both the public relations fallout and the legal consequences of the Buzz launch for a long time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2010/02/google-buzz-a-recap-of-the-controversy-and-the-current-legal-issues/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
