Legislators tilt at the digital privacy windmill (again).

In the effort to preserve individual privacy in the digital age, hope springs eternal.

The latest endeavor to protect individuals’ privacy in the digital era is legislation introduced this week in the U.S. Senate that would require law enforcement and government authorities to obtain a warrant before accessing the digital communications of U.S. citizens.

Known as the ECPA Modernization Act of 2017, it is bipartisan legislation introduced by two senators known for being polar opposites on the political spectrum: Sen. Patrick Leahy (D-VT) on the left and Sen. Mike Lee (R-UT) on the right.

At present, only a subpoena is required for the government to gain full access to Americans’ e-mails that a over 180 days old. The new ECPA legislation would mean that access couldn’t be granted without showing probable cause, along with obtaining a judge’s signature.

The ECPA Modernization Act would also require a warrant for accessing geo-location data, while setting new limits on metadata collection. If the government did access cloud content without a warrant, the new legislation would make that data inadmissible in a court of law.

There’s no question that the original ECPA (Electronic Communications Privacy Act) legislation, enacted in 1986, is woefully out of date. After all, it stems from a time before the modern Internet.

It’s almost quaint to realize that the old ECPA legislation defines any e-mail older than 180 days as “abandoned” — and thereby accessible to government officials.  After all, we now live in an age when many residents keep the same e-mail address far longer than their home address.

The fact is, many individuals have come to rely on technology companies to store their e-mails, social media posts, blog posts, text messages, photos and other documents — and to do it for an indefinite period of time. It’s perceived as “safer” than keeping the information on a personal computer that might someday malfunction for any number of reasons.

Several important privacy advocacy groups are hailing the proposed legislation and urging its passage – among them the Center for Democracy & Technology and the Electronic Frontier Foundation.

Sophia Cope, an attorney at EFF, notes that the type of information individuals have entrusted to technology companies isn’t very secure at all. “Many users do not realize that an e-mail stored on a Google or Microsoft service has less protection than a letter sitting in a desk drawer at home,” Cope maintains.

“Users often can’t control how and when their whereabouts are being tracked by technology,” she adds.

The Senate legislation is also supported by the likes of Google, Amazon, Facebook and Twitter.

All of which makes it surprising that this type of legislation – different versions of which have been introduced in the U.S. Senate every year since 2013 – has had such trouble gaining traction.

The reasons for prior-year failure are many and varied – and quite revealing in terms of illuminating how crafting legislation is akin to sausage-making.  Which is to say, not very pretty.  But this year, the odds look more favorable than ever before.

Two questions remain on the table: First, will the legislation pass?  And second, will it really make a difference in terms of protecting the privacy of Americans?

Any readers with particular opinions are encouraged to weigh in.

Is Apple setting itself up for failure in the FBI’s Syed Farook Probe?

ipThere’s no question that Apple’s refusal to help the FBI gain access to data in one of the iPhones used during the San Bernardino massacre has been getting scads of coverage in the news and business press.

Apple’s concerns, eloquently stated by CEO Tim Cook, are understandable. From the company’s point of view, it is at risk of giving up a significant selling feature of the iPhone to enable a “back door” access to encrypted data..  Apple’s contention is that many people have purchased the latest models of iPhones for precisely the purpose of protecting their data from prying eyes.

On the other hand, the U.S. government’s duty is to protect the American public from terrorist activities.

Passions are strong — and they’re lining up along some predictable social and political fault lines. After having read more than a dozen news articles in the various news and business media over the past week or so, I decided to check in with my brother, Nelson Nones, for an outsider’s perspective.

As someone who has lived and worked outside the United States for decades, Nelson’s perspectives are invariably interesting because they’re formed from the vantage point of “distance.”

Furthermore, Nelson has held very strongly negative views about the efforts of the NSA and other government entities to monitor computer and cellphone records. I’ve given voice to his perspectives on this topic on the Nones Notes blog several times, such as here and here.

So when I asked Nelson to share his perspectives on the Apple/FBI, I was prepared for him to weigh in on the side of Apple.

Well … not so fast. Shown below what he wrote to me:

______________________

This may come as a surprise, but I’m siding with the government on this one. Why?  Three reasons:

Point #1: The device in question is (and was) owned by San Bernardino County, a government entity.

The Fourth Amendment of the U.S. Constitution provides, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …”

The investigation that the FBI wants to conduct could either be thought of as a seizure of property (the iPhone), or as a search (accessing the iPhone’s contents). Either way, Fourth Amendment protections do not apply in this case.

Within the context of the Fourth Amendment, seizure of property means interfering with an individual’s possessory interests in the property. In this case, the property isn’t (and never was) owned by an individual; it is public property.  Because Farook, an individual, never had a possessory interest in the property, no “unreasonable seizure” can possibly occur.

Also, within the meaning of the Fourth Amendment, an “unreasonable search” occurs when the government violates an individual’s reasonable expectation of privacy. In this case the iPhone was issued to Farook by his employer.  It is well known and understood through legal precedent that employees have no reasonable expectation of privacy when using employer-furnished equipment.  For example, employers can and do routinely monitor the contents of the email accounts they establish for their employees.

Point #2: The person who is the subject of the investigation (Syed Farook) is deceased.

According to Paul J. Stablein, a U.S. criminal defense attorney, “Unlike the concept of privilege (like communications between doctor and patient or lawyer and client), the privacy expectations afforded persons under the Fourth Amendment do not extend past the death of the person who possessed the privacy right.”

So, even if the iPhone belonged to Farook, no reasonable expectation of privacy exists today because Farook is no longer alive.

Point #3: An abundance of probable cause exists to issue a warrant.

In addition to protecting people against unreasonable searches and seizures, the Fourth Amendment also states, “… no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

I strongly believe the U.S. National Security Agency’s mass surveillance was unconstitutional and therefore illegal, due to the impossibility of establishing probable cause for indiscriminately searching the records of any U.S. citizen who might have placed or received a telephone call, sent or received an email message or logged on to their Facebook account.

That’s because these acts do not, in and of themselves, provide any reasonable basis for believing that evidence of a crime exists.

I also strongly believe that U.S. citizens have the right to encrypt their communications. No law exists preventing them from doing so for legal purposes. Conducting indiscriminate searches through warrantless “back door” decryption would be just as unconstitutional and illegal as mass surveillance.

In this case, however, multiple witnesses watched Farook and his wife, Tashfeen Malik, open fire on a holiday party, killing 14 people, and then flee after leaving behind three pipe bombs apparently meant to detonate remotely when first responders arrived on the scene.

Additional witnesses include the 23 police offers involved in the shootout where Farook and Malik eventually were killed.

These witnesses have surely given sworn statements attesting to the perpetrators’ crimes.

It is eminently reasonable to believe that evidence of these crimes exists in the iPhone issued to Farook. So, in this case there can be no doubt that all the requirements for issuing a warrant have been met.

For these three reasons, unlike mass surveillance or the possibility of warrantless “back door” decryption, the law of the land sits squarely and undeniably on the FBI’s side.

Apple’s objections.

Apple’s objections, seconded by Edward Snowden, rest on the notion that it’s “too dangerous” to assist the FBI in this case, because the technology Apple would be forced to develop cannot be kept secret.

“Once [this] information is known, or a way to bypass the code is revealed, [iPhone] encryption can be defeated by anyone with that knowledge,” says Tim Cook, Apple’s CEO. Presumably this could include overreaching government agencies, like the National Security Agency, or criminals and repressive foreign regimes.

It is important to note that Apple has not been ordered to invent a “back door” that decrypts the iPhone’s contents. Instead, the FBI wants to unlock the phone quickly by brute force; that is, by automating the entry of different passcode guesses until they discover the passcode that works.

To do this successfully, it’s necessary to bypass two specific iPhone security features. The first renders brute force automation impractical by progressively increasing the minimum time allowed between entries.  The second automatically destroys all of the iPhone’s contents after the maximum allowable number of consecutive incorrect guesses is reached.

Because the iPhone’s operating system must be digitally signed by Apple, only Apple can install the modifications needed to defeat these features.

It’s also important to note that Magistrate Judge Sheri Pym’s order says Apple’s modifications for Farook’s iPhone should have a “unique identifier” so the technology can’t be used to unlock other iPhones.

This past week, Apple has filed a motion to overturn Magistrate Judge Pym’s order. In its motion, the company offers a number of interesting arguments, three of which stand out:

Contention #1: The “unreasonable burden” argument.

Apple argues that complying with Magistrate Judge Pym’s order is unreasonably burdensome because the company would have to allocate between six and ten of its employees, nearly full-time over a 2 to 4 week period, together with additional quality assurance, testing and documentation effort.  Apple also argues that being forced to comply in this case sets a precedent for similar orders in the future which would become an “enormously intrusive burden.”

Contention #2: Contesting the phone search requirement.

Apple isn’t contesting whether or not the FBI can lawfully seize and search the iPhone.  Instead it is contesting Magistrate Judge Pym’s order compelling Apple to assist the FBI in performing the search.  As such, Apple is an “innocent third party.”  According to Apple, the FBI is relying on a case, United States v. New York Telephone, that went all the way to the Supreme Court in 1977.  Ultimately, New York Telephone was ordered to assist the government by installing a “pen register,” which is a simple device for monitoring the phone numbers placed from a specific phone line.

The government argued that it needed the phone company’s assistance to execute a lawful warrant without tipping off the suspects.  The Supreme Court found that complying with this order was not overly burdensome because the phone company routinely used pen registers in its own internal operations, and because it is a highly regulated public utility with a duty to serve the public.  In essence, Apple is arguing that United States v. New York Telephone does not apply, because (unlike the phone company’s prior use of pen registers) it is being compelled to do something it has never undertaken before, and also because it is not a public utility with a duty to serve.

Contention #3: The requirement to write new software.

Lastly, Apple argues that it will have to write new software in order to comply with Magistrate Judge Pym’s order. However, according to Apple, “Under well-settled law, computer code is treated as speech within the meaning of the First Amendment,” so complying with the order amounts to “compelled speech” that the Constitution prohibits.

What do I think of Apple’s arguments?

Regarding the first of the them, based on its own estimates of the effort involved, I’m guessing that Apple wouldn’t incur more than half a million dollars of direct expense to comply with this order. How burdensome is that to a company that just reported annual revenues of nearly $234 billion, and over $53 billion of profit?

Answer:  To Apple, half a million dollars over a four-week period is equivalent to 0.01% of last year’s profitability over an equivalent time span. If the government compensates Apple for its trouble, I don’t see how Apple can win this argument.

Regarding the other two arguments above, as Orin Kerr states in his Washington Post blog, “I don’t know which side would win … the scope of authority under the [All Writs Act] is very unclear as applied to the Apple case.  This case is like a crazy-hard law school exam hypothetical in which a professor gives students an unanswerable problem just to see how they do.”

My take:  There’s no way a magistrate judge can decide this.  If Apple loses, and appeals, this case will eventually end up at the Supreme Court.

What if the back door is forced open?

The concerns of privacy advocates are understandable. Even though I’m convinced the FBI’s legal position is solid, I also believe there is a very real risk that Apple’s modifications, once made, could leak into the wrong hands. But what happens if they do?

First, unlike warrantless “back door” decryption, this technique would work only for iPhones — and it also requires physical possession of a specifically targeted iPhone.

In other words, government agencies and criminals would have to lawfully seize or unlawfully steal an iPhone before they could use such techniques to break in. This is a far cry from past mass surveillance practices conducted in secret.

Moreover, if an iPhone is ever seized or stolen, it is possible to destroy its contents remotely, as soon as its owner realizes it’s gone, before anyone has the time to break in.

Second, Apple might actually find a market for the technology it is being compelled to create. Employers who issue iPhones to their employees certainly have the right to monitor employees’ use of the equipment.  Indeed, they might already have a “duty of care” to prevent their employees from using employer-issued iPhones for illegal or unethical purposes, which they cannot fulfill because of the iPhone’s security features.

Failure to exercise a duty of care creates operational as well as reputational risks, which employers could mitigate by issuing a new variety of “enterprise class” iPhones that they can readily unlock using these techniques.

____________________

So that’s one person’s considered opinion … but we’d be foolish to expect universal agreement on the Apple/FBI tussle. If you have particular views pro or con Apple’s position, please join the discussion and share them with other readers here.

In the “right to be forgotten” battles, Google’s on the defensive again.

untitledSuddenly, the conflict between Google and the European Union countries regarding the censoring of search results has taken on even wider worldwide proportions.

This past week, the courts have upheld the French government’s data protection office (CNIL) order for Google to broaden the “right to be forgotten” by censoring search results worldwide — not just in Europe.

Google had appealed the initial CNIL ruling.

The CNIL rejected Google’s argument that a worldwide implementation of the European standard of censoring search results would mean that the Internet would be only as free as the “least free place.” (Think Belarus or Syria.)  But in its ruling, the CNIL noted that a country-by-country implementation of the “right to be forgotten” would mean that the right could be circumvented too easily.

While it’s true that more than 95% of Google searches in Europe are performed via European versions of the company’s search engine tool, such as google.fr and google.co.uk, identical searches can be performed easily using google.com, meaning that anyone trying to find “forgotten” information on an individual can do so easily, irrespective of the European standard.

file-and-forgetAs I blogged back in May, The European Court of Justice’s 2014 ruling meant that Google is required to allow residents of EU countries to delete links to certain harmful or embarrassing information that may appear about themselves in Google search results.

The directive has turned into a real thicket of challenges for Google.

What the definition of “harmed and embarrassing” is is somewhat amorphous, as the court’s ruling encompassed links to information ranging from excessive and harmful on one end of the scale all the way down to links that are merely outdated, inadequate or irrelevant.

Since the ruling went into effect, Google has had to field requests to remove more than one million links from European search results.

Link removal isn’t accomplished via some sort of “bot” procedure.  Instead, each request is considered on a case-by-case basis by a panel of arbiters made up of attorneys, paralegals and search engineers.

Approximately one-third of the links in question have been removed following panel review, while about half have remained in search results.

The rest – the real toughies – are still under review, and their status as yet unresolved.

Obviously, for this activity to spread from covering just European search engines to include potentially the entire world isn’t what Google has in mind at all.  (If Google could have its way, doubtless the whole notion of “the right to be forgotten” would be off the table.)

But the situation is getting pretty hot now. French authorities imposed a 15-day compliance deadline, after which Google could be fined nearly US$350,000.

Of course, the amount of that penalty pales in comparison to the cost Google would incur to comply with the directive.

But that fine is just the opening salvo; there’s no telling what the full degree of financial penalties might turn out to be for continued non-compliance.

I wrote before that it’s difficult to know where the world will eventually end up on the issue of censoring search engine results.  Today, I don’t think we’re anywhere closer to knowing.

The Ideal Privacy Policy?

policyRecently, I came upon a column written by software entrepreneur and business author Cyndie Shaffstall in which she proposes the following policy for any company to adopt that truly cares about its customers’ privacy:

The Ideal Privacy Policy:

1.  We have on file only your first name, last name, and e-mail address.

2.  We ask for nothing else.

3.  We send you only e-mails you request.

4.  We have nothing to share with others – and wouldn’t if they asked.

5.  We won’t change this policy without prior notice – ever. 

Thank you for being our customer, 

~ Your Grateful Vendor 

Cyndie Shaffstall
Cyndie Shaffstall

As Shaffstall herself acknowledges, she’s never actually seen a policy like this.

But if a company actually adopted such a policy, it would certainly make people more comfortable about purchasing its products — particularly things like phones, wearables and other products that capture and process user-specific data as part of their functionality.

Unfortunately, Shaffstall is correct in asserting that few if any companies would actually adopt such a privacy policy.  Because if they did, they’d be voluntarily walking away from so much of what makes the online world such a lucrative business proposition.

But think for a moment:  Wouldn’t it be absolutely wonderful if we didn’t have to consider such privacy policies “too good to be true”?

Do you know any real-live examples of companies whose privacy policies come close to this ideal?  If so, please share them with readers here.

Going up against Goliath: The latest privacy tussle with Facebook.

Is that Maria Callas?  Check with Facebook -- they'll know.
Is that Maria Callas? Check with Facebook — they’ll know.

It had to happen eventually:  Facebook’s “faceprints” database activities are now the target of a lawsuit.

The suit, which has been filed in the state of Illinois, alleges that Facebook’s use of its automatic photo-tagging capability to identify people in images is a violation of Illinois’ state law regarding biometric data.

Facebook has been compiling faceprint data since 2010, and while people may choose to opt out of having their images identified in such a way, not surprisingly, that option is buried deep within the Facebook “settings” area where most people won’t notice it.

Moreover, the “default” setting is for Facebook to apply the automatic photo-tagging feature to all users.

Carlo Licata, the lead individual in the class-action complaint filed in Illinois, contends that Facebook’s practices are in direct conflict with the Illinois Biometric Information Privacy Act.  That legislation, enacted in 2008, requires companies to obtain written authorization from persons before collecting any sort of “face geometry” or related biometric data.

The Illinois law goes further by requiring the companies gathering biometric data to notify people about the practice, as well as to publish a schedule for destroying the information.

Here’s how the lawsuit states its contention:

“Facebook doesn’t disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them.  With millions of users in the dark about the true nature of this technology, Facebook [has] secretly amassed the world’s largest privately held database of consumer biometrics data.”

The response from Facebook has been swift – and predictable.  It contends the lawsuit is without merit.

As much as I’m all for of individual privacy, I suspect that Facebook may be correct in this particular case.

<em>Brave New World:</em>  Biometrics
Brave New World: Biometrics

For one thing, the Illinois law doesn’t reference social networks at all.  Instead, it focuses on the use of biometrics in business and security screening activities — citing examples like finger-scan technologies.

As Eric Goldman, a professor of law at Santa Clara University notes, the Illinois law is “a niche statute, enacted to solve a particular problem.  Seven years later, it’s being applied to a very different set of circumstances.”

And there’s this, too:  The Illinois law deals with people who don’t know they’re giving data to a company.  In the case of Facebook, it’s commonly understood user data is submitted with consent.

That may not be a particularly appealing notion … but it’s the price of gaining access to the fabulous networking functionality that Facebook offers its users – all at no expense to them.

And of course, millions of people have made that bargain.

That being said, there’s one nagging doubt that I’m sure more than a few people have about the situation:  The folks at Facebook now aren’t the same people who will be there in the future.  The use of faceprint information collected on people may seem quite benign today, but what about tomorrow?

The fact is, ultimately we don’t have control over what becomes the “tower of power” or who resides there.  And that’s a sobering thought, indeed.

What’s your own perspective?  Please share your thoughts with other readers here.

It had to happen: Google Glass begets facial recognition apps.

Google Glass wearerWell, that didn’t take long:  Now that Google Glass devices have started to be worn by more than just the first few early adopters, a new facial recognition app has promptly been developed.

It’s an app that enables users to snap a photo of someone, and then search the Internet for more information about the image – essentially, to identify the person by name.

Of course, Google has always maintained that such activities are an inappropriate use of Google Glass devices.  But that hasn’t stopped an outside app developer from doing just that.

The app is called NameTag, and it was introduced in late 2013 by a developer group known as FacialNetwork.  In December, the developer uploaded a video showing how NameTag works.  You can view it on YouTube here — and note that it’s quite controversial with more “dislikes” than “likes” from voters; how often does that happen?

Basically, the Google Glass wearer snaps a picture and the app runs the photo through a database containing ~2.5 million facial images.  If a match is found, it returns that finding along with the name and profile associated with the facial match (e.g., occupation, personal interests and relationship status).

According to the developers, NameTag can detect an image match even from behind obstructions like glasses and a hat.

What does FacialNetwork see as the benefit of its new NameTag app?  The developer touts the potential for dating and relationship-building.  On its website, the following scenario is presented:

“Jane has lots of different social media profiles and loves to meet new people.  By using NameTag, she can link all her social networks to her face and share her information, and meet new people in an instant.”

Personal privacy concernsRight. 

… And I’m sure “Jane” doesn’t worry one bit about the “creepiness” factor of someone learning her name and her personal information before she’s even aware of it …

As if pre-anticipating all of the hackles, NameTag quickly goes on to explain that people can choose whether to have their name and profile information displayed to others.

As entrepreneur and NameTag’s co-creator Kevin Tussy notes, “It’s not about invading anyone’s privacy; it’s about connecting people that [sic] want to be connected … We will even allow users to have one profile that is seen during business hours, and another that is only seen in social situations.”

If all of this sounds like it’ll be a tad more difficult to carry out in real life than it sounds like in theory – that you’re not fully comfortable “assuming” an app like this will actually offer the proper degree of safeguarding – I’m sure you’re not alone in your concerns.

In fact, some people aren’t waiting around to see what “might” happen, but are moving now to take preemptive action.  Certain congresspeople are in on the action.  And consumer advocacy group Public Citizen notes that Google Glass users in certain states could potentially face criminal prosecution in addition to civil penalties for recording people without their knowledge or consent.

Up to now, no one has faced such legal action – but that could be because the technology remains so new that few people are actually using Google Glass devices at this point.

The question is this:  Are people giving their “implicit consent” to be recorded just by talking with someone who’s wearing the device?  (The devices are fairly distinctive looking, after all.)

The answer may lie in whether the person even knows what Google Glass devices are.  One person speaking to another automatically means they know they’re being recorded seems to assume too much – at least at this relatively early stage in the product adoption cycle.

Things remain murky at this point because we’re still in an emerging phase in the application of the technology.  But one thing that seems clear is that we haven’t yet seen the beginning of what promises to be an airing of “dueling rights” in this area of the law.

For those who may already be using Google Glass (I’m not one, by the way), here’s your chance to share your perspectives with other readers here.

“Don’t Tread On Me”: Employees have strong feelings about employers gaining access to their social media profiles.

Social media privacyRecent news reports that some companies are asking their current employees or prospective new hires to grant them access to their private social media profiles haven’t set well with many people.

It seems that while people don’t mind publishing their personal information for friends and families to see, they’re not keen at all on employers having access as well.

This is borne out in the latest American Pulse survey from BIGinsight, a consumer information portal. In that survey, which queried nearly 3,600 American adults over the age of 18, respondents were asked how they would react to a request by an employer to hand over personal social media passwords, thereby gaining access to their profiles.

Approximately one in five of the survey respondents reported that they are not engaged in social media.  But among the remainder, most would resist the employer’s request … even to the extent of quitting their job:

  • Would quit a job or withdraw an employment application: ~52%
  • Would delete social media pages to prevent them from being seen: ~21%
  • Would go ahead and provide social media passwords to the employer: ~14%
  • Would edit social media profiles first … then provide passwords: ~13%

Based on the opinions of the respondents, it’s not at all surprising that the survey also found that ~85% think that when employers asking for access to social media profiles, it’s an invasion of privacy.  And only about 11% of respondents would be “comfortable” sharing their social media profiles with a potential employer.

There does seem to be a bit of altruism at work, because the preponderance of survey respondents (~72%) claim that they have “nothing to hide” on their social sites.

No doubt, Americans’ views about online privacy are borne out of the “live free or die … don’t tread on me” tradition of individualism in this country.  We love our ability to express ourselves … but spare us the KGB/Stasi routine!