All posts by Raymond Chow

Raymond Chow is an associate attorney at Breuninger & Fellman in New Jersey, and his passion for technology gives him a unique perspective on the constantly evolving landscape of individual privacy rights. His Note, "Why-Spy? An Analysis of Privacy and Geolocation in the Wake of the 2010 Google 'Wi-Spy' Controversy" is published in the Rutgers Computer and Technology Law Journal.

U.S. House votes to block NSA backdoor searches

In a late-night vote Thursday, June 19, the U.S. House of Representatives voted to prohibit US intelligence agencies from searching government databases for information about U.S. citizens. It also voted to eliminate funding for the development of further backdoor data gathering.

Vote results. Image courtesy Rep. Thomas Massie (R-Ky.), the chief sponsor of the amendment.

The amendment passed at 10:47 PM with a vote of 293 to 123. There are two types of backdoors that the amendment addresses:

The first, warrantless searches

The FISA Amendments Act gives the NSA broad power to collect data through any number of programs. One of these data collection programs broadly collected and stored emails, web-browsing, and chat histories of random people, many of whom were U.S. citizens. Previously, the NSA had the authority to search these massive databases without a warrant. These warrantless searches were known as “backdoor searches”. The amendment prevents the NSA from spending any funds on a backdoor search of a U.S. citizen, effectively stopping the practice altogether.

The second, private company backdoors

In the tech world, “backdoor” is a term of art that has specific meaning: a method of bypassing normal security and authentication routines, effectively allowing someone who shouldn’t have access to a computer system to get in. The NSA has been asking larger private companies to modify their encryption mechanisms to add backdoors, which would allow the NSA to expand their data collection efforts. The amendment eliminated funding for this type of program.

The amendment had bipartisan support, and the vote took just 10 minutes of debate. If you look at the vote results and see that your representative voted Nay, maybe it’s time to give him or her a call and urge intelligence reform for future votes. While you’re at it, contact your senator, so we can make sure this passes in the Senate as well.

Privately owned surveillance networks know where your car is

Car repossession companies get paid on a bounty, that is, they get paid per car they can find. Back in the day, a repo company would get a list of repoed cars, and would try to track them down one-by-one, picking one from the list and doing the grunt work to locate it manually. That used to be time-intensive, but there really wasn’t a more efficient way to do it until just recently. With modern technology, repo companies install cameras on their tow-trucks and unmarked spotter cars, and the cameras scan for license plates.

DRN’s largest competitor, TLO, gives us a glimpse of the data it captures and sells. [Source]
The license plate information is matched with the camera’s GPS location, plus the current date and time, and is returned to centralized databases, where a computer can instantly compare the scanned plate with the list of repoed cars. The technology infrastructure is costly, so small repo companies often enter into agreements with large scanning companies to manage the tech backend. One of the largest is Digital Recognition Network (“DRN”), owned by Vigilant, based in Texas. DRN has so many repo companies collecting data for it that it claims to have license plate scans of 40% of all the cars in the entire United States. At the end of 2013 it had 1.8 billion plates on record, and it continues to add another 70 million each month.

A diagram explaining how license plate tracking works. Click to enlarge. [Source]
Certainly license plate scanning isn’t new; police departments have been using it for several decades. The use of license plate scanning for police purposes has both supporters and detractors, but most people can at least see there is some amount of public good that results from police use. However, it is significantly more concerning for a private, for-profit company to collect this type of data.

Do I have a privacy interest in the location of my license plates?

DRN claims that its scanner technology and database are legal because they are no different from a person walking down the street and writing down a car’s plate number and location. DRN further claims that the federal Driver’s Privacy Protection Act (18 USC 2721) already protects car owners from privacy invasions. However, DRN grossly misstates the level of protection the federal law provides. The federal law only restricts a government agency’s disclosure of the personal information attached to a license plate; it does not limit or control the metadata collection DRN is currently doing.

DRN claims that unlike police, who can just search the DMV databases, DRN has no way of knowing who actually owns a vehicle, and the data it collects is not personally identifiable. This is the same type of argument the NSA has made about phone metadata, and it is flawed. The license plate data collection DRN is doing is fundamentally different from a person walking down the street writing down license plate numbers. The metadata is persistent, easily machine readable, and contains precise time and location data. For example, if DRN scans your plate at 6AM in front of a house several times, it is reasonable to assume the car’s owner lives at that house. When it later scans your plate in an office building’s parking lot at 2PM on weekdays, it can also figure out where you work. The average high-schooler could figure out who a person is if given that person’s home and work address, and you can be sure that supercomputers are faster and better at doing that correlation than high-schoolers.

What are the states doing about it?

Some states are in the process of proposing legislation which would outlaw the practice, or severely limit it. For example, in Massachusetts a proposed bill would ban license plate readers outright, except for law enforcement. Other states have already outlawed the process: Utah has a law that restricts a company’s ability to take a photograph and analyze its contents with technology.

The problem with these laws is that they can be attacked with a constitutional challenge. If you have a First Amendment right to take a photograph of a car while walking down a public street, then why shouldn’t a company? Because this type of law may infringe a fundamental constitutional right, it will have to pass strict scrutiny, which means a judge would have to find that the law:

  1. Addresses a compelling governmental interest (is protecting a citizen from constant private surveillance something that is necessary and not just preferred?);
  2. Is narrowly tailored to address that interest (the law can’t be so broadly written that it might affect other activities, nor so restrictively written that it doesn’t address the compelling interest);
  3. And must be the least restrictive means to achieve that interest (is there something else the government can do to protect citizens’ privacy rights short of banning these technologies completely?).

And what can we do about it?

In short, not much. In many jurisdictions it’s illegal to remove or cover up your license plates, even while parked, so that’s definitely not an option. DRN and these other companies don’t have an opt-out procedure, so you can’t even tell them not to collect your data. And there aren’t any legal mechanisms you can use to prevent a camera from capturing your license plate number. If these technologies concern you, you can raise the issue with your legislature, but that won’t provide you with any immediate protection or benefit. Unfortunately, this is one of those just-be-aware-of-it type things for now.

Twelve US companies settle FTC claims of Safe Harbor misrepresentation

Twelve US companies have allowed their US-EU Safe Harbor certification to expire, but continued to display certification seals on their websites. When pressed by the FTC, all 12 companies quickly agreed to settle the FTC complaints. Settlement details have not yet been released.

US Companies allowed their self-certifications to lapse

What is the US-EU Safe Harbor Certification?

The European Union Data Protection Directive acts to restrict the private data storage, use, and transmission among participating EU states. The directive’s seven principles are:

  1. Notice – people should know that data is being collected
  2. Purpose – data should only be used for stated purposes
  3. Consent – people should be required to give consent for data disclosure
  4. Security – data should be kept secure
  5. Disclosure – people should know who is collecting their data
  6. Access – people should be allowed to access their data and make corrections to any inaccurate data (for example, if a credit reporting agency incorrectly lists an account)
  7. Accountability – people should be able to hold companies accountable when they mess up

EU companies must abide by each local EU state’s enforcement laws in order to do business. International businesses must abide by the same protection laws, and if they don’t, they won’t be allowed to transfer personal data into or out of the EU countries. Obviously compliance with so many different local data laws is difficult; the US attempts to solve this problem with the Safe Harbor Certification. If a US company self-certifies that it complies with all seven principles, it can operate within the EU countries without hassle. This self-certification needs to be renewed once a year, and if a company fails to do so, as these 12 companies did, it must remove all certification marks from its websites. If it doesn’t, the FTC will investigate and fine it.

Which US Companies let their certification lapse?

According to the FTC, the following 12 companies let their certification lapse, didn’t remove their certification marks, were charged by the FTC, and decided to settle the FTC charges against them:

What’s the significance?

We don’t know the penalty that will be imposed yet, but each company can be fined up to $16,000. The fine is pitifully insignificant for all of these companies, so it will likely not have much dissuasive impact on US companies for non-compliance. There is no indication that any of the companies intentionally misused personal data, so in reality there won’t be much of a functional impact for US or EU citizens. The most significant result of these enforcement actions is the message that the US sends to the EU: that we respect their sovereignty, that we intend to comply with their laws, and that we will hold our own companies responsible when they break those laws.

Project “Quantum” gives NSA access to 100k+ offline computers

Project code-name “Quantum” gives the NSA the ability to remotely access computers disconnected from the internet from up to 8 miles away.

The NSA Project Quantum can access data from offline computers from up to 8 miles away

If you’re tech-savvy enough to be reading this blog, you should at least have an intuitive understanding that computers connected to the internet are vulnerable to remote access and attack. Less intuitive is that computers completely disconnected from the internet can also be remotely accessed. The New York Times recently released an article detailing Project Quantum, which gives the NSA the ability to remotely access a computer from up to 8 miles away. Initial estimates put the NSA’s reach with this program at more than 100,000 computers.

How it Works

The NSA first needs to physically embed circuitry in the computer. It’s been revealed that the NSA has in the past intercepted computer shipments and embedded the circuitry inside the computer itself. Another technique is to hide the circuitry inside a USB plug for a device that will eventually be connected to the computer. These circuits, when powered, can transmit data over a covert radio frequency to a mobile receiving station. The receiving station can fit inside a regular briefcase, and must be within 8 miles of the compromised computer. The receiving station then transmits the data back to the NSA.

No Domestic Use Detected so far

So far, there is no evidence that the NSA has used these intercept programs domestically; the intended targets are all high-value international intelligence figures. There’s little reason to doubt this claim, because the expense and effort required to physically bug an individual computer is immense.

The takeaway

Even if you think yourself important enough to warrant personal surveillance from the NSA, it’s unlikely you would have the technical expertise required to identify and remove these hidden circuits. While we lack specifics about the exact transmission method, we know it to be within the radio spectrum, so it is reasonable to assume that a computer placed in a fully electromagnetically shielded room might be protected from this particular method. Certainly I do not recommend disconnecting your devices from the internet and wrapping your house in aluminum foil; rather, just take this post as a reminder of the NSA’s incredible technological reach.

Holiday season credit card hacks are more extensive than first thought

In addition to Target and Neiman Marcus, at least three other unidentified retailers were also hacked in December and leaked their customers’ private information.

Target, Neiman Marcus, and three other unidentified merchants were hacked in mid-December of 2013.

Target was the first major retailer to publicly announce that it had been hacked in mid-December. Its initial disclosure estimated that 40 million customers were affected, but Target recently updated this figure to 70 million. This past weekend, Neiman Marcus also announced that it was hacked at around the same time, but hasn’t yet released how many customers were affected. Just today, anonymous sources claim at least three other brick-and-mortar retailers, most likely those with a physical presence in shopping malls, have also been subjected to a cyber attack originating from Eastern Europe. While not yet conclusively established, the attacks seem too similar not to be connected somehow.

Worst Case Scenario

If a store leaked enough of your personally identifiable information, then new accounts could be opened in your name. To protect against new accounts being fraudulently opened in your name, you can ask the three major credit reporting agencies to place a credit freeze on your reports. When frozen, if someone (including yourself) tries to open a line of credit, it will be denied, and the credit reporting agencies will contact you for your instructions. The major downside to this option is that in most cases you’ll have to pay a fee to unfreeze your credit reports when you actually do want someone to access your credit report. Alternatively, you could just pay close attention to your credit reports, and close down fraudulent accounts if they get opened. Even if there weren’t this massive security breach, you should be proactively monitoring your credit reports to keep an eye on the personal information that these credit agencies are authorized to keep. Remember, by federal law you’re allowed one free credit report per year from each of the three major reporting agencies. The best strategy is to stagger your free reports, pulling one report every four months, rotating the agencies as you go.

Most likely scenario

While some people will inevitably have accounts opened in their name, the large majority of people will just see fraudulent purchases charged to their credit cards. You should carefully examine your credit card statements for unauthorized charges. With the wide-scale availability of online account access, you can probably also catch fraudulent purchases as they happen. Federal law restricts your liability on unauthorized credit card purchases to $50, but all of the major card networks reduce that liability to $0 in an effort to keep customers happy. If you used a debit card instead of a credit card, your protections by law are shockingly weaker. Your liability can be as high as $500 if you don’t contest the charge within 60 days after receiving a bank statement, and your liability will be unlimited if you don’t report it within 60 days after. Again, many banks will waive the liability to keep you happy, but they don’t have to legally, so take the personal initiative to stay on top of your finances.

And in the future

Retailers will always be targets for data theft. Do your best to minimize exposure to the risks. If you like to pay in cash, continue to do so. When the merchant asks you for your phone number or e-mail address to send you coupons, just decline. And when they ask for your zip code, decline that as well. They may try to claim it’s to prevent fraudulent purchases, but in actuality when the merchant combines the information it receives from the payment network with your zip code, that merchant will be able to personally identify you with near-100% accuracy. And remember, as the consumer, you always have the power. If the merchant insists on getting your personal information, and you don’t feel comfortable providing it, leave and support a merchant who has more respect for your privacy.

How to opt-out of direct Google+ e-mails

If you have a gmail.com e-mail address, and a Google+ account, pay close attention: Google has released a feature that allows anyone on Google+ who adds you to his/her circles to send you an e-mail directly, without even knowing your e-mail address.

Any random Google+ user will now be able to add you to his/her circles and send you e-mails directly.

You do not need to have these people in your circles for them to e-mail you. If they are in your circles, then their e-mails will go to your Primary tab, otherwise they’ll go to your Social tab, assuming you have the tabbed inbox feature enabled. This feature is enabled by default, even for existing gmail accounts.

Here’s how the feature works

Once someone sends you an e-mail via Google+, you have three options:

  1. Allow the message and future messages by adding the person back to one of your circles, or by replying to the e-mail. NOTE: If you reply to the e-mail, your e-mail address will be made visible to the other person!
  2. Block the message and future messages by clicking on the Report Spam or Abuse button.
  3. Ignore the message. If you do nothing, that sender will be able to send replies to that specific e-mail, but won’t be able to send you any new e-mails in the future.

How can I opt-out of this new feature?

  1. Open Gmail.
  2. Click the gear-box in the top right.
  3. Select Settings.
  4. In the General tab, scroll down to the Email via Google+ section.
  5. Click the drop-down menu and choose Anyone on Google+, Extended circles, Circles or No one. Selecting “No one” will opt you out of this feature, and you won’t see these new Google+ e-mails.
  6. Click Save Changes at the bottom of the page.

Select the highlighted option to opt-out of this feature entirely.

There is some value to this service; maybe you live a quasi-public life, and want to allow people to contact you without necessarily making your e-mail address fully public. For these use-cases, Google should have made this feature opt-in, rather than enabled by default.

CNIL fines Google €150,000 for its Unified Privacy Policy

Today, January 8, 2014, CNIL announced it had fined Google €150,000 last week on January 3rd for violations of the French Data Protection Act.

CNIL Headquarters in Paris. [Image Courtesy]

What’s the French Data Protection Act?

In 1978, France enacted loi n° 78-17, the French Data Protection Act. This Act protects how personally identifiable information, like your name, address, contact information, and sensitive personal information, is processed. When a company wants to collect, process, or otherwise use personally identifiable information, it must first inform that person, limit how long it keeps the data, provide easy ways to view and delete that data, limit international transfer of that data, and give CNIL a detailed description of its business and how it will process personal data.

What is CNIL?

This Act created the Commission nationale de l’informatique et des libertés (CNIL), an administrative regulatory agency that monitors companies to make sure they comply with the Act, and processes applications and reviews. CNIL also has the power to fine companies for violating the Act. As a part of CNIL’s constant monitoring, it noticed Google’s new Unified Privacy Policy violated parts of the Act.

What is Google’s Unified Privacy Policy?

Companies issue Privacy Policies, which are detailed descriptions of what kinds of personal data are collected from internet users when they use the company’s website. Google has many services (Search, Gmail, Maps, Youtube, etc.), and before March 2012 each service had its own privacy policy. However, on March 1st, 2012, Google unified these policies, and one single privacy policy controlled data processing across all of Google’s services.

How did the Unified Policy violate the Act?

CNIL claims that Google:

  1. Did not inform users why data was being processed.
  2. Started tracking data before getting users’ consent.
  3. Did not say for how long data would be stored.
  4. Collects user data from many of its services, and combines them together.

Items 1 and 4 are big problems, because Google combines user data from all of its services to more accurately target advertisements to its users, but it doesn’t make it clear that’s what it’s doing. For example, if you get a wedding invitation sent to your Gmail, you might start seeing ads for tuxedo rentals in your Google Maps. CNIL claims that such integrated data collection and usage violates the Act. Of course, Google disagrees, and continues to believe that its Unified Policy is 100% legal.

The Final Thought

The fine is significant because it’s the largest single fine CNIL has ever issued to a company. Also, France isn’t alone in thinking the Unified Policy is a privacy nightmare; both the Dutch and Spanish Data Protection Authorities came to similar conclusions last year. The unfortunate reality is that €150,000 (around $204,000 USD) is a mere drop in the bucket for Google. To put it in perspective, based on Google’s public 2012 financial reports, Google makes around $20,428 net profit every minute; CNIL’s fine works out to just under 10 minutes’ worth of profit. It’s unlikely Google will see these fines as a significant deterrent for its continued unified, pervasive user data collection, especially when it’s so profitable.

Edited on January 9, 2014: added net profit per minute to provide perspective on the insignificance of the fine.

Should you be concerned about AT&T’s Sponsored Data plan?

Today AT&T announced plans to launch a mobile Sponsored Data scheme, where consumers who use apps from participating providers would have those data charges billed directly to the provider.

A screenshot of AT&T’s proposed Sponsored Data plan.

For example, let’s assume that Facebook will be a participating provider*, and that you have a 2gb/month data plan. When you open the Facebook app, and it begins to auto-play a video, the data that the video uses will not be charged against your 2gb/month plan, but rather will be billed directly to Facebook.

At first glance this scheme may sound great for consumers; after all, you’re getting free data. But once you look harder, it’s easy to find parts of this plan that may have privacy implications.

The Provider as a dumb tube

In an ideal world, service providers would just be a dumb tube, doing nothing more than transferring data from your content provider to your devices. But AT&T’s scheme directly inserts itself into an otherwise private stream of data. While ISPs certainly already examine your internet traffic, they previously were not in a position to directly negotiate with your content provider.

A hypothetical negotiation

It’s fairly safe to assume these participating providers will not pay retail prices for the data. Where you might be paying $7.50/gb of data, let’s assume the providers will pay $5/gb. AT&T could offer an even steeper discount to the provider if the provider gave AT&T information about you. Let’s assume Facebook knows which TV shows you Liked on Facebook. AT&T might offer a discounted rate of only $4/gb, if Facebook agreed to give AT&T that information.

Why would AT&T want to do that?

Advertising. The more AT&T knows about you, the better it can target advertising towards your interests. And it’s not inconceivable AT&T will use the Sponsored Data scheme to expand the profile data it already has on its subscribers. AT&T is already rolling out a plan where it offers a 30% discount to direct subscribers if you allow it to track everything you do on the internet. Here, it might just offer that same discount to the participating providers.

What should I do?

For now, just wait. The Sponsored Data plan is not active yet, and we don’t have a finalized idea of exactly how it will work. Perhaps AT&T will take the privacy-conscious route and protect consumers with strong terms of service. Perhaps AT&T will offer an opt-out mechanism for data tracking. Keep following Privacy Blawg for updates on AT&T’s plans as they come in.

*It is important to note that there is no indication Facebook will be a participating provider; it is merely suggested as an example.