electronic privacy

U.S. Supreme Court decides government use of GPS for monitoring constitutes search under the 4th Amendment.

Huge electronic privacy news out of Washington. In an historic unanimous decision on United States vs. Jones, the United States Supreme Court found that “the Government’s attachment of the GPS device to the vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a search under the Fourth Amendment.” That means that the federal government will now need a probable cause warrant to affix a GPS device to a car.

Kashmir Hill, Forbes’s ace privacy writer, summarized this decision succinctly in a tweet linking to the decision: “Gov lost. Privacy won.”

“The decision, in what is arguably the biggest Fourth Amendment case in the computer age, rejected the Obama administration’s position that American’s had no privacy in their public movements,” wrote David Kravets in Wired: “Warrant required for GPS tracking, Supreme Court rules.” Kravetz observed how long it’s been since a similar case made it to the nation’s highest court:

During oral arguments in the case in November, a number of justices invoked the specter of Big Brother if the police could secretly attach GPS devices on Americans’ cars without getting a probable-cause warrant.

The last time the high court considered the Fourth Amendment, technology and privacy in a big-ticket case was a decade ago, when the justices ruled that the authorities must obtain search warrants to employ thermal-imaging devices to detect indoor marijuana-growing operations, saying the imaging devices carry the potential to “shrink the realm of guaranteed privacy.”

“While the result was unanimous, the reasoning was not,” observes Timothy Lee in ArsTechnica: “Supreme Court holds warrantless wiretapping unconstitutional

A five-judge majority led by Justice Scalia, and including most of the court’s conservatives, focused on the physical trespass involved in attaching the device to the car. Three of the court’s liberals signed a concurrence by Justice Alito, a conservative, that would have taken a stronger pro-privacy stance, holding that extended warrantless tracking itself violates the Fourth Amendment regardless of whether the government committed a trespass to accomplish it.

Justice Sotomayor straddled the line. She signed onto the majority opinion, but also filed a separate concurrence in which she endorsed both Scalia’s concerns about physical trespass and Justice Alito’s broader concerns about the dangers of warrantless GPS tracking.

“As Justice Alito incisively observes, the same technological advances that have made possible nontrespassory surveillance techniques will also affect the Katz test by shaping the evolution of societal privacy expectations,” Sotomayor wrote, referring to the famous case of Katz v. United States that established the “reasonable expectation of privacy” test for violations of the Fourth Amendment. “Under that rubric, I agree with Justice Alito that, at the very least, ‘longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.’”

The Center for Democracy and Technology, which was an active participant in the jurisprudence surrounding the case, released the following statement on the ruling:

“The Supreme Court today made it clear that it will not allow advancing technology to erode the Constitutional right of privacy,” said Gregory T. Nojeim, Director of CDT’s Project on Freedom, Security and Technology.
The Justice Department had argued that the GPS device, because it tracked the person’s movements only on the public streets, did not raise any concern under the Constitution’s Fourth Amendment, which generally requires a warrant for searches and seizures.  Not a single Justice agreed with the government on that issue.
Instead, all nine agreed that, under the facts of the case, the Constitution required a warrant issued by a judge.  Five Justices agreed that any use of GPS planted by the government was a search generally requiring a warrant, effectively settling that issue.
The case also has implications for tracking individuals using cell phone tower data.  Five Justices held that a warrant would have been required on the facts of this case even if the government tracking did not involve planting a GPS device.  “Cell phone triangulation can be just as precise as GPS,” Nojeim said. “Congress should build on this opinion by writing a statute that draws a bright line requiring the government, except in emergencies, to get a warrant before turning your cell phone into a tracking device.”
CDT has helped to coordinate a coalition of major Internet companies, think tanks and advocacy groups from across the political spectrum calling on Congress to require a warrant for cell phone tracking.
CDT filed an amicus brief in the Supreme Court case, arguing that warrant is required for GPS tracking.

“Wow,” tweeted electronic privacy and security researcher Chris Soghoian. “Justice Sotomayor in Jones concurrence (pg 5): it may be necessary to reconsider the 3rd party doctrine,” he continued, which is that there is “no reasonable expectation of privacy for data held by ISPs & telcos.”

In the decision, Sotomayor wrote that it is ‘ill suited to the digital age.’

“So 4 supreme court judges embraced the mosaic theory (but not by name),” tweeted Soghoian. “4 weeks of GPS tracking by gov not OK, but a lesser amount might be. Also interesting to see Sotomayor cite last year’s OnStar privacy firestorm as evidence that the public is not cool with covert GPS tracking. Majority opinion by Sup Ct paves way for more gov tracking of cellphones, which gov still claims it can do (w/single tower data) w/o warrant.”

Expect more tech policy and privacy writers to be all over this one, all week.

Looking back at SXSWi and a “Social Networking Bills of Rights”

Posts and thoughts on the 2011 South by Southwest Interactive Festival are still making their way out of my hard drive. On the first day of the conference, I moderated a panel on “Social Network Users’ Bill of Rights” that has received continued interest in the press.This correspondent moderated a panel on a “social networking bill of rights” which has continued to receive attention in the days since the festival, including at MSNBC, Mainstreet.com, and PC World, focusing on the responsibility data stewardship. At MemeBurn.com, Alistair Fairweather highlighted a key question to consider for the technology industry to consider in the months ahead: “Why is user data always vested within the networks themselves? Why don’t we host our own data as independent “nodes”, and then allow networks access to it?”

Good questions, and ones that a few startups I talked to at the festival are working hard to answer. Stay tuned. For now, Jon Pincus captured the online conversation about the panel using Storify, below.


Daniel Weitzner is the new White House deputy CTO for Internet policy

DSC_5476

Image by Elon University via Flickr

There’s a new deputy chief technology officer in the White House Office of Science and Technology Policy: Danny Weitzner. He’ll be taking over the policy portfolio that Andrew McLaughlin held. The appointment appears to have been reported first by Julia Angwin in her story on a proposed bill for an online privacy bill of rights drafted by Senator John McCain (R-AZ) and Senator John Kerry (D-MA). Rick Weiss, director of communications at OSTP confirmed the appointment and said that they anticipate that Weitzner will start work “very soon.”

With the appointment, the OSTP staff has three deputy CTOs again working under federal CTO Aneesh Chopra: Chris Vein for innovation, Weitzner for Internet policy and Scott Deutchman for telecommunications policy.

Weitzner has a deep and interesting background when it comes to Internet policy. He was serving as associate administrator for policy at the United States Commerce Department’s National Telecommunications and Information Administration (NTIA), the principal adviser to the President on telecommunications and information policy. Prior to joining the Obama administration, Weitzner created the MIT CSAIL Decentralized Information Group and was used to be the policy director for the World Wide Web Consortium (W3C) before he joined . Here’s his bio from his time there:

Daniel Weitzner is Policy Director of the World Wide Web Consortium’s Technology and Society activities. As such, he is responsible for development of technology standards that enable the web to address social, legal, and public policy concerns such as privacy, free speech, security, protection of minors, authentication, intellectual property and identification. Weitzner holds an appointment as Principal Research Scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, co-directs MIT’s Decentralized Information Group with Tim Berners-Lee, and teaches Internet public policy at MIT.

As one of the leading figures in the Internet public policy community, he was the first to advocate user control technologies such as content filtering and rating to protect children and avoid government censorship of the Intenet. These arguments played a critical role in the 1997 US Supreme Court case, Reno v. ACLU, awarding the highest free speech protections to the Internet. He successfully advocated for adoption of amendments to the Electronic Communications Privacy Act creating new privacy protections for online transactional information such as Web site access logs.

Before joining the W3C, Mr. Weitzner was co-founder and Deputy Director of the Center for Democracy and Technology, a leading Internet civil liberties organization in Washington, DC. He was also Deputy Policy Director of the Electronic Frontier Foundation. He serves on the Boards of Directors of the Center for Democracy and Technology, the Software Freedom Law Center, the Web Science Research Initiative. and the Internet Education Foundation.

His publications on technical and public policy aspects of the Internet have appeared in the Yale Law Review, Science magazine, Communications of the ACM, Computerworld, Wired Magazine, and The Whole Earth Review. He is also a commentator for NPR’s Marketplace Radio.

Mr. Weitzner has a degree in law from Buffalo Law School, and a B.A. in Philosophy from Swarthmore College.

As Angwin reported, Weitzner pushed for creation of the Commerce Department new privacy office while he was at NTIA. In his new role, he’s likely to be working closely with the FTC, Congress and a new privacy office at the Commerce that, according to Angwin, is likely to be run by Jules Polonetsky, currently head of the Future of Privacy Forum.

Weitzner’s appointment is good news for those who believe that ECPA reform matters and for advocates of free speech online. Given the recent role of the Internet as a platform for collective action, that support is worth acknowledging.

For those interested, Weitzner can be found on Twitter at @djweitzner. While he has not sent out a tweet since last November, his link to open government in the United Kingdom last July bodes well for his support for open data and Gov 2.0: “Proposed Government Data Transparency principles from UK gov’t via Shadbolt & Berners-Lee http://bit.ly/b1WyYs #opendata #gov20.”

 

Enhanced by Zemanta

FTC online privacy report endorses “Do-Not-Track” mechanism for Web browsers

The Federal Trade Commission released an online privacy report today that will reshape how companies, consumers and businesses interact on the Internet. The agency will take questions from reporters at 1 PM EST and from the public on Twitter in its first Twitter chat at 3 PM EST. The recommendation that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices” is a key direction to every startup or Global 1000 corporation that comes under the FTC’s purview as the nation’s top consumer protection regulator.

The new FTC privacy report proposes a framework that would “balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services,” according to the agency’s statement, and recommends the implementation of a “Do Not Track” mechanism, which the agency describes as “a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.”

“Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well,” said FTC Chairman Jon Leibowitz.

The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses.

“This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines,” according to the report, which is titled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”

“Self-regulation has not kept pace with technology,” said David Vladeck, director of the FTC’s Consumer Protection Bureau, speaking this morning about the proposed online privacy rules. “We have to simplify consumer choice and ‘do not track’ will achieve that goal,” he said. “I don’t think that under the FTC authority we could unilaterally mandate ‘do not track.’”

One of the nation’s top technology policy advocates approved. “The FTC report hits all the right notes. It sets out a modern and forward looking framework for privacy protection that moves beyond a narrow focus on notice and choice toward a full set of fair information practices and accountability measures,” said Center for Democracy and Technology president Leslie Harris. “The FTC has provided the blueprint. Now it is time for Congress and industry to follow suit.”

“We are very pleased to see the FTC exerting strong leadership on privacy,” said CDT Privacy Project Director Justin Brookman. “This report should bolster efforts to enact a privacy bill next Congress. Its recommendations are consistent with what is being discussed on the Hill.”

In a novel move, the FTC tweeted out “key points” from the report, embedded below, using @FTCGov.

“FTC proposes new framework 2 guide policymakers & industry as they develop legislation & other solutions. Self-regulation on privacy has been too slow. Important privacy choices should be presented in relevant context, not buried in privacy policy. Baseline protections of FTC’s proposed framework include reasonable security & accuracy, confidence that data collected or kept only 4 legitimate needs & privacy considered at every stage of product development. Privacy notices should be clearer, shorter & more standardized to better understand privacy practices & promote accountability. Consumers should have reasonable access to data upon request. Commission supports a more uniform mechanism for behavioral advertising: a so-called “Do Not Track”. Do Not Track could signal consumer’s choices about being tracked & receiving targeted ads.”

Below are the prepared remarks of the FTC chairman, followed by a liveblog of the press call. Audio of the FTC online privacy press call is available as an MP3.

FTC Chairman Privacy Report Remarks

FTC Online Privacy Report

FTC to release online privacy report, host first Twitter chat at #FTCpriv

This fall, online privacy debates have been heating up in Washington. Tomorrow, the Federal Trade Commission will finally deliver its long awaited online privacy report. Chairman. Over the past year FTC has explored new online privacy frameworks and examined the strength of cloud computing privacy in a series of privacy roundtables.

The FTC has issued a privacy advisory for tomorrow, stating that FTC chairman Jon Leibowitz, Jessica Rich, deputy director of the Bureau of Consumer Protection, and Edward W. Felten, the FTC’s new chief technologist, will answer reporters’ questions “about a new FTC report on privacy that outlines a framework for consumers, businesses and policymakers.”

This FTC online privacy report will be one of the most important government assessments this year. Look for widespread reaction to its contents across industry and technology media. Particular attention likely be paid to two events here in Washington:

First, David Vladeck, the FTC’s director of the Bureau of Consumer Protection Protection, will speak tomorrow at Consumer Watchdog’s policy conference on the future of online consumer protections. You can watch live here (if you can stream Windows Media files.)

Second, House of Representatives will hold a hearing on “Do-Not-Track legislation, which would consider whether citizens should be able to opting of from Web tracking

Will online privacy look different by the end of the day? As Jamie Court, Author, President of Consumer Watchdog, wrote in the Huffington Post:

There are few issues 9 out of 10 Americans agree on. A Consumer Watchdog poll shows that 90% of Americans agree it is important to protect their privacy online. 86% want a “make me anonymous” button and 80% want the creation of a “do not track me” list online that would be administered by the Federal Trade Commission.

The release of the FTC online privacy report also comes with a new media twist: According to @FTCGov, the agency’s Twitter account, the nation’s top regulator will also host its first Twitter chat at 3 PM. It remains to be seen how civil citizens are in the famously snarky medium. The agency has suggested the #FTCpriv hashtag to aggregate tweets. UPDATE: Although the White House OpenGov account and FTC tweeted on Wednesday that the chat would be at #FTCpriv hashtag, not #FTCpriv, the chat ended up being at the original hashtag.

Breaking News! Tomorrow we will release our #privacy report & host our 1st Twitter Chat to answer Qs. More details to come. #FTCprivless than a minute ago via web

Senate considers update to Electronic Communications Privacy Act

Today in Washington, the Senate Judiciary Committee held a hearing on updating the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones.

The statements of the witnesses before the Senate from the Commerce Department, Justice Department and witnesses are embedded in ths post. Below, find an exclusive interview with digital privacy and security researcher Chris Soghoian, who until recently was the resident geek at the Federal Trade Commission, and some context on “Digital Due Process,” the coalition of industry and privacy advocates advocating for an ECPA update.

“From the perspective of industry and definitely the public interest groups, people shouldn’t have to consider government access as one of the issues when they embrace cloud computing,” said Soghoian. “It should be about cost, about efficiency, about green energy, about reliability, about backups, but government access shouldn’t be an issue.”

While the tech blogosphere may be focused on Twitter, Facebook and inside baseball among the venture capitalists of Silicon Valley’s today, the matter before Congress should be earning more attention from citizens, media and technologists alike. Over at Forbes, Kashmir Hill made the case that industry will benefit from a clearer Electronic Communications Privacy Law. Take it one step further: updates to the ECPA have the potential to improve the privacy protections for every connected citizen, cloud computing provider or government employee. As she pointed out there:

One of the most egregious ECPA issues is how it treats the protection of email. “Why should email in someone’s inbox be treated different from something in someone’s sent folder?” asked Smith [Microsoft's general counsel]. “Why is something unread in my junk folder subjected to greater privacy than something read in my inbox? Why does an email I sent in April have fewer privacy protections than one I sent in September?”

Smith discussed security and privacy concerns with respect to cloud computing after the hearing: Get Microsoft Silverlight

It’s important to be clear: Congress is unlikely to move on updating ECPA before the mid-term elections or in the lame duck session. That said, the hearing in the Senate today and the hearing on ECPA reform and the revolution in cloud computing in the House of Representatives tomorrow will inform any legislative action in the next Congress.

Chairman Patrick Leahy was clear in his opening statement today: American innovation has outpaced digital privacy laws.

When Congress enacted ECPA in 1986, we wanted to ensure that all Americans would enjoy the same privacy protections in their online communications as they did in the offline world, while ensuring that law enforcement had access to information needed to combat crime. The result was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times. Today’s hearing is an opportunity for this Committee to begin to examine this important issue.

“There does seem to be wide agreement that current ECPA standards are a muddled mess,” said Julian Sanchez, a research fellow at the libertarian Cato Institute, and contributing editor for Reason Magazine. “The fear about “uncertainty” expressed by Baker is ridiculous when you consider the scholarly consensus and the evident confusion in the courts trying to apply it. In reality, DOJ finds the ambiguity convenient, since they can jurisidiction-shop for magistrates whose interpretations they find congenial.”

Jim Dempsey of the Center for Democracy and Technology made the following statement on ECPA, promoting security and protecting privacy:

Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” The Fourth Amendment embodies this right, requiring a judicial warrant for most searches or seizures, and Congress has enacted numerous laws affording privacy protections going beyond those mandated by the Constitution.

In setting rules for electronic surveillance, the courts and Congress have sought to balance two critical interests: the individual’s right to privacy and the government’s need to obtain evidence to prevent and investigate crimes, respond to emergency circumstances and protect the public. More recently, as technological developments have opened vast new opportunities for communication and commerce, Congress has added a third goal: providing a sound trust framework for communications technology and affording companies the clarity and certainty they need to invest in the development of innovative new services.

Today, it is clear that the balance among these three interests – the individual’s right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust – has been lost as powerful new technologies create and store more and more information about our daily lives. The protections provided by judicial precedent and statute have failed to keep pace, and important information is falling outside the traditional warrant standard.

The personal and economic benefits of technological development should not come at the price of privacy. In the absence of judicial protections, it is time for Congress to respond, as it has in the past, to afford adequate privacy protections, while preserving law enforcement tools and providing clarity to service providers.

Dempsey’s full testimony is embedded below:
Jim Dempsey Testimony on ECPA Update

The American Civil Liberties Union also had specific recommendations for Congress on ECPA reform. “The Electronic Communications Privacy Act was written in 1986 before the Web was even invented and is in desperate need of an upgrade,” said Laura W. Murphy, Director of the ACLU Washington Legislative Office. “While Americans have embraced technology as an essential part of everyday life, they have not surrendered their fundamental right to privacy. Congress must ensure that our privacy laws reflect the technology Americans use every day.”

The testimony of the ACLU on ECPA reform is embedded below:

ACLU statement on update to ECPA

The written testimony of Microsoft general counsel Brad Smith is embedded below:

Microsoft counsel Brad Smith’s Testimony before Senate

The written testimony of he Honorable James A. Baker, Esq., Associate Deputy Attorney General, United States Department of Justice, is embedded below:

Baker Testimony on ECPA Updates

The written testimony of the Honorable Cameron F. Kerry, Esq., General Counsel of the United States Department of Commerce is embedded below:

Cameron Kerry Testimony before the Senate

The written testimony of attorney Jamil Jaffer Testimony is below:

Jamil Jaffer Testimony before the Senate Judiciary Comittee

Digital Due Process

Earlier this year, I reported on the launch of DigitalDueProcess.org, a coalition pushing for an ECPA update for online privacy in cloud computing age. A powerful collection of organizations has been pushing for an update to ECPA. Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.

The coalition set up a website, DigitalDueProcess.orgcontaining its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process,”

Exploring the future of online privacy with Jules Polonetsky

How will regulations and laws that address the new challenges of online privacy evolve? What are the tradeoffs between societal benefit and individual rights? How should the opportunities inherent in data mining be balanced with harm-based standards? What are the responsibilities of governments, businesses and citizens to protect privacy?

Yesterday at the Gov 2.0 Summit in Washington, my interview with Jules Polonetsky covered all of those topics and more. Polonestsky is the Co-chair and Director of the Future of Privacy Forum, a think tank seeking to improve the state of online privacy by advancing responsible data practices. His writing and research can be found at Futureofprivacy.org.