FOR PRIVACY’S SAKE, IS APPLE IN THE RIGHT?

On December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. The perpetrators, Syed Rizwan Farook and Tashfeen Malik, a couple living in the city of Redlands, targeted a training event and holiday party organized by the San Bernardino County Department of Public Health. About 80 employees had attended the event. Farook was an American-born U.S. citizen of Pakistani descent, who worked as a health department employee. Malik was a Pakistani-born lawful permanent resident of the United States. It was later discovered that both Farook and Malik supported ISIS’s ideology and had been radicalized.

During its investigation of the San Bernardino mass shooting, the FBI collected the shooter’s iPhone, which is locked down so securely that the Bureau cannot get access in to see what is inside. Since the owner is dead, the government has requested Apple to open the device. In essence, the government wants Apple to build a backdoor to the iPhone. Specifically, the FBI wants Apple to make a new version of the iPhone’s operating system, circumventing several important security features, and install it on an iPhone recovered during the San Bernardino investigation. The software that Apple is being asked to create does not exist today, but in the wrong hands it would have the potential to unlock any iPhone in someone’s physical possession. Apple is refusing to create the software to open the phone stating that doing so would compromise the security of every iPhone everywhere.

The All Writs Act of 1789

The Government is using a 226-year-old law to order Apple to create the software. Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority. The Act states in part that: “[t]he Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

A Writ is a Court Order. The Act gives courts the authority to issue orders compelling individuals to do things, so long as it is for a legal and necessary reason. However, the All Writs Act, while very broad, is not all-powerful. The very ruling that orders Apple to help the FBI has a caveat of “unreasonable burden” that is part of the All Writs Act. In fact, to the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to the Court for relief. That is, Apple can petition the Court not to be compelled to produce the key to open the phone if it can show that doing so would be “unreasonably burdensome.”

Additionally, Apple’s will argue that if the government is utilizing the All Writs Act to make it easier to unlock the iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept people’s messages, access health records or financial data, track locations, or even access people’s phone’s microphone or camera without their knowledge. Google, Facebook, Snapchat, Amazon, Microsoft and Twitter have all signed on to legal briefs supporting Apple in its court case.

History Repeats Itself

Post-9/11 domestic measures implemented in the name of national security included: restrictions on speech and assembly; increased government surveillance; diminished administrative and judicial oversight; new registration requirements and ongoing monitoring of non-citizens that could lead to arrest, detainment, loss of legal immigrant status, criminal charges, and deportation for failures to register; attempts to deport or hold indefinitely non-citizens for minor or nonexistent immigration violations;   secrecy about the names of people detained;   use of asset forfeiture and other expanded governmental powers to obtain information, arrest, detain, and indict individuals for broadly defined terrorism-related activities. In the immediate aftermath of September 11, the United States government arrested and held over 1,000 individuals without filing formal criminal charges against them.

In mid-December 2005, an article appeared on the front page of the New York Times chronicling widespread monitoring of telephonic and Internet communications by the National Security Agency (NSA). These intercepts, according to the authors of the article, occurred with the direct authorization of the President of the United States George H. Bush, and were undertaken without approval or oversight by the judiciary, beginning shortly after the September 11 terrorist attacks. This wide-ranging program targeted interception of email and telephone calls with the number of those targeted ranging from the hundreds to possibly thousands. On December 19, 2005, President George W. Bush confirmed that the government had secretly and purposefully launched a massive electronic surveillance and communications interception program.

It was subsequently revealed that the national Security Agency had conducted warrantless electronic surveillance before obtaining authorization or consent from the President and that domestic communications had also been intercepted without the usual legal safeguards. Moreover, the NSA did not act alone, it sought and obtained the assistance of various private communications companies, who permitted the NSA to directly access their systems to collect information. Finally, the NSA was discovered to have shared the information that it “illegally” obtained with other investigative agencies. In a 2011 New Yorker article, former NSA employee Bill Binney said that his colleagues told him that the NSA had begun storing billing and phone records from “everyone in the country.” The NSA’s wiretap program was ultimately found to be illegal and NSA surveillance has been since brought within the relevant laws.

In May 2004, the graphic display of photographs of abuse at the Abu Ghraib prison in Iraq after the United States’ invasion shocked the world. One observer noted, “[i]t was Saddam’s torture chamber, and now it’s ours.” The Abu Ghraib scandal was the last straw. Critics began more vociferous in their concerns about other measures that had been adopted post 9/11 that severely curtailed civil liberties such as the indefinite detention of aliens. In a decision that was seen as a victory for champions of civil liberties, the Supreme Court spoke in the case of Hamdan v. Rumsfeld, and struck down the system of military tribunals for Guantanamo detainees established by the Bush Administration.

After 9/11 people’s outrage about the terrorist attacks fueled their willingness to give up many of their civil liberties in exchange for gaining some sense of personal security. Eventually, the infringement on civil liberties by the governments was such that an adjustment became necessary. The adjustment came mostly as a result of public outcry and people’s realization that despite the importance of personal security, a balance between waving their civil liberties and ensuring their safety was necessary.

Privacy and Security

A respect for the right to privacy and personal security are not mutually exclusive. With the appearance of new technologies that could potentially eliminate individual privacy, society is prompted to question whether privacy is such an essential human need as to make it sacred ground where governments are not allowed to enter unless we allow them to do so. The government’s flawed arguments positing that the only way to offer protection is to infringe in our right to privacy have proven not been successful in the long term. In fact, the NSA surveillance program did not prevent later terrorist attacks in the US and elsewhere. The idea that there must be a tradeoff between privacy and security is false. Our willingness to sacrifice our privacy for our security has been short-lived and eventually, the tide has turned back by demand of the people.

With the Apple controversy, we as individuals must decide what matters most to us, to know that there are some areas in our lives that we can keep private, or to allow our government access to the key to intrude whenever they choose in our private lives? Zeid Raad al-Hussein, the U.N. human rights chief has stated that U.S. authorities “risk unlocking a Pandora’s Box” in their efforts to force Apple to create software to crack the security features on its phones. He has warned about the potential for “extremely damaging implications” on human rights, journalists, whistle-blowers, political dissidents and others.

Should Apple create a key to open the terrorist’s phone, do we trust the government to only use the software this one time? Did we learn anything from the NSA scandal? Do we not remember about the NSA’s indiscriminate domestic surveillance of regular citizens? The answers to these questions will determine the future of the right to privacy. The choice to open Pandora’s Box is ours.

 

 

 

 

 

THE FEAR OF CYBER ATTACKS, THE GOVERNMENT, AND THE RIGHT TO PRIVACY

In response to a series of major data breaches at US companies in recent months including Sony, Anthem and Target, President Obama unveiled a series of cyber security proposals in his last State of the Union address in January. Obama followed up on this declaration of intent by signing a new executive order during the Summit on Cybersecurity and Consumer Protection organized by the White House at Stanford University in February.

Obama’s executive order encourages the development of Information Sharing and Analysis Organizations (“ISAOs”), providing legal-liability protection to make it easier for businesses and government to share online threat data specific to their industry or geographic region. The order also increases the role of the Department of Homeland Security in the data-sharing process by permitting it to enter into agreements and coordinate the ISAOs.

Mr. Obama’s renewed focus on cyber security has been mostly welcomed by the tech industry, however, the president continues to encounter some of the same suspicions over the privacy of online data that were so effectively highlighted by the Edward Snowden revelations about the NSA in 2013. Although Cyber terrorism is a reality, the concern is that unless there is a balancing between governmental intrusion and the individual’s right to privacy, people’s rights will be violated as they have in the past.

The right to privacy has been affected previously by extraordinary events around the world such as terrorism. While society has not been willing to sacrifice individual civil liberties lightly, it has done so in circumstances where the prevalent belief was that personal security has been threatened. In recent times, surveillance regimes that have been adopted as anti-terrorism measures have had a profound, chilling effect on other fundamental human rights.

The most drastic change affecting privacy in the laws of the United States occurred in response to the 9/11 attacks, when President Bush signed into law the anti-terrorism statute titled Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, more commonly known as the USA PATRIOT Act. Among other things, the Patriot Act expanded the wiretapping and electronic surveillance powers of federal law enforcement authorities, and increased the information-sharing powers of investigative agencies. It also allowed law enforcement to demand libraries, bookstores, and businesses to produce tangible items, such as papers, books, and records, about persons of interest, while forbidding disclosure of such a demand. It further authorized searches conducted without giving contemporaneous notice of the search or an actual warrant for the search.

At the end of 2005, an article appeared on the front page of the New York Times chronicling widespread monitoring of telephonic and Internet communications by the NSA—National Security Agency.   These intercepts occurred with the direct authorization President Bush, and were undertaken without approval or oversight by the judiciary, beginning shortly after the 9/11 terrorists attacks. This wide-ranging program targeted interception of email and telephone calls with the number of those targeted ranging from the hundreds to possibly thousands. The effect of such wholesale violation of the right to privacy caused uproar among regular citizens who thought that such governmental intrusion on their personal affairs was overreaching and unwarranted.

Acts of terrorism and a fear for our personal security have historically intersected the privacy protections recognized by governments, and at times, served to take a few steps back in the universal recognition of the right to privacy. However, the government’s unsound arguments positing that the only way to offer protection was to infringe in our right to privacy have not been successful in the long term. People have recognized the obvious flaw with the proposition that there must be a trade off between privacy and security. Our willingness to sacrifice our privacy for security has been short-lived, and eventually, the tide has had to turn back by popular demand.

Upon further reflection and discourse on the effect of excessively curtailing civil liberties, the conclusion must be that a balance between security and respect for human rights is necessary in a civilized society. The two are not mutually exclusive; it is possible to demand cyber security and the protection of the right to privacy at the same time. The government must be very careful not to institute measures that will encroach on peoples’ hard fought civil liberties. The efforts made by Obama through his new initiative must carefully be monitored so that the right to privacy of individuals is sufficiently protected both by government and private entities.

JUST WHEN YOU THOUGHT IT WAS SAFE, WE LEARN OF POSTAL MAIL INTERCEPTING

The New York Times http://nyti.ms/1Dnh0RF recently published an article in which it was reported that the US Government that had nearly 50,000 requests to the US Postal authorities to intercept mail approved during 2013. According to the report, the surveillance program, known as “mail covers,” has been in place for many years. What essentially occurs is that the law enforcement agencies or the Postal Inspection Service make the initial request and postal workers then record all the information on the outside of the envelope before delivering the mail. The scope of the intercepts increased significantly in 2013 raising concerns, as cited in the Times article, about how little oversight there is of the program and how postal workers are called to make the ultimate decision about the legitimacy of the request.

Such intercepts of mail may seem at first blush not to involve a violation of constitutionally protected rights as the mail is not opened by postal workers—which would absolutely require a warrant. However, when one considers the Supreme Court jurisprudence on constitutionally protected searches, the answer is not quite so clear. Recall that what is being done here is targeting an individual’s mail in order to gain intelligence information about that target’s communications, which may then be used to draw other conclusions or even to obtain warrants. The discussion in United States v. Jones, 132 S. Ct. 945 (2012), the landmark GPS case, is very instructive on this point particularly since Jones involves the collection of data. As Justice Sotomayor wrote in her concurring opinion, “[m]ore fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information

voluntarily disclosed to third parties.” This reasoning which extends accepted Fourth Amendment thinking which centers on the expectation of privacy as set forth in Katz v. United States, 389 U.S. 347 (1967) based on the invasion of your private space. This would allow a constitutionally protected privacy right to things that lie outside your private space such as the writing on the outside of your correspondence, which although voluntary disclosed to a third party, the postal service, is not intended for prying eyes.

Moreover, these “intercepts” of the mail may run afoul of federal law. Under 18 USC § 1703 any postal employee who “unlawfully secretes, destroys, detains, delays, or opens any letter….shall be [subject to a fine].” How these scans are actually done and whether the mail is removed from the ordinary stream of mail may bear on any such application, but it is definitely worth considering.

In the end, these new revelations are just further confirmation of the US government’s ongoing efforts to obtain information on individuals’ outside the judicial framework laid out for constitutional searches. The government continues to use tools that are subject to little or no oversight to collect information and in effect conduct surveillance on US citizens and thereby further encroach on privacy.  In historical context, the infringement into the mail bag seems particularly troubling given the founding fathers’ concerns about the absolute power of the monarchy and its ability to encroach on the life of the citizenry when they wrote that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”

By Ivan Mercado

Europe and the “Right to be Forgotten”

With its odd sounding name “The right to be Forgotten” has made its way in recent months into the discussion of privacy/data protection and the internet. This “right” is little more than a long held feeling that an individual should have the ability to remove information from the internet at some point in time based on such reasons as it being incorrect, being unfairly placed on the internet, or simply being having occurred long ago and no longer relevant.

The “Right to be forgotten” was enshrined in the in the 1995 European Data Protection Directive (Directive 95/46 EC). (Directives direct all member States to enact an enforceable framework of laws to give them effect, and form one of the principal bases of governance in the EU). Under Article 12 of the Directive private citizens in the EU were permitted to request removal of information from the Internet. Specifically, Article 12 on the “Right of access” states:

Member States shall guarantee every data subject the right to obtain from the controller:

(b) as appropriate the rectification, erasure or blocking of data the processing  of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

A recent ruling Judgment of the Court (Grand Chamber) in C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez (13 May 2014), has given new teeth to the right to be forgotten and sounded the alarm for search engines, Internet Service Providers and others.  The case began in 2010 when a Spanish citizen presented a complaint against a Spanish newspaper and Google with the Data Protection Agency of Spain. Mr. Costeja alleged that a notice of auction in connection with a bankruptcy notice that appeared in Google’s search results violated his right to privacy because the matter to which the notice related had been completely resolved for several years and was no longer relevant. He initially asked that the newspaper be required to either delete the information or change the pages at issue so that the personal data would cease to appear online; and also, that Google Spain or Google Incorporated be ordered to not make the information relating to him available through searches with his name.

The Spanish Audiencia Nacional (similar to a US District Court) decided to stay the proceedings and to refer the case to the Court of Justice of the European Union for opinion on the following broadly stated questions:

(a) Whether the Directive 95/46 EC applied to search engines such as Google;

(b) Whether Directive 95/46 EC applied to Google Spain, given that the company’s data processing server was in the United States;

(c) Whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine under Article 12 (the ‘Right to be Forgotten’).

In answer to these questions, the Grand Chamber, which is comprised of 15 judges (including the president and vice-president) found that:

a) Even in cases where the actual server is located outside of the EU, the laws and Directives of the EU are applicable to search engine providers if they maintain a physical presence in any Member State and carry out business intended toward garnering revenue within the the EU;

b) Search engines should be considered “controllers” of personal data. That by search engines qualify by “…exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” As such the right to be forgotten as enshrined in 95/46 EC also applies to them.

c) As to the last question the Court concluded that the Right to be Forgotten extends to “not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” It went on to state that: “even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed.”

The Court does go on to that the right to be forgotten is not without limits and must be balanced against “the legitimate interest of internet users potentially interested in having access to that information…”  The Court goes on to explain that, “when appraising such requests made in order to oppose processing such as that at issue in the main proceedings, it should in particular be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name.” Interestingly, the Court makes explicit that eth party requesting removal need not establish “that the inclusion of the information in question in the list of results causes prejudice to the data subject.”

With this ruling the EU has confirmed one of the basic rights which to date remained little more than an aspirational right.  The question is whether this ruling applies to specific cases affecting an individual’s right to privacy over information that is no longer relevant or inaccurate, or whether it serves as a harbinger of court intervention to establish such other Internet rights as the right to Opt-In, greater protection from Cookies, or the right to be obscure on the Internet?

By Ivan Mercado

Europe Gets Serious on Data Protection

Companies like Google, Facebook and Twitter collect data from their users without their permission and this personalized data can be used, in large measure, to produce targeted advertisement. Advertising networks collect information across a wide span of sites, using cookies that are placed on a user’s computer when loading a page containing an ad, and then they use the Web surfing history to deliver other ads. Every time a user clicks on a “like” on Facebook or plus in Google that information is collected use by these companies and their clients. Internet users’ movements on the web are also being tracked for further use by countless other entities—both public and private.

Europe has been signaling an overhaul of its data protection laws that date from 1995. Last week, one legislator, Jan Philipp Albrecht, a member of the Green Party from Hamburg, introduced a bill that would create a new agency to enforce a series of measures giving Internet users greater control of their online information.

If approved, the proposal would replace an advisory panel to the European Commission with a privacy regulator with the power to make decisions for the 27 members of the European Union and levy fines of up to 2 per cent of a company’s revenue that violates Europe’s data protection laws.

The new measures would prohibit the use of a range of standard Web tracking and profiling practices that companies use to produce targeted advertising unless consumers give their explicit prior consent.

The bill would also grant European consumers a fundamental new right: data portability, or the right to easily transfer one’s personal posts, photos and video from one online service site to another.

A coalition of US, Asian and European businesses and advertisers have criticized the proposed plan, which would give Europeans much stronger legal protections to control their online identities than people elsewhere. However, the enactment of these laws is very good news for consumers concerned about the lack of regulation regarding data collection and user’s tracking on the interned and on social networks.

The European Parliament will vote on the proposal in April, and a final agreement with the upper house is expected later this year.

Governmental Intrusions, Twitter and the Right to Privacy

Malcolm Harris, one of about 700 protesters who participated in the Occupy movement march along the Brooklyn Bridge last October, was subsequently arrested and charged with disorderly conduct. The prosecutor in the case subpoenaed hundreds of Twitter messages alleging that they would show that the police did not lead protesters off the bridge’s pedestrian path and then arrest them, an argument that Mr. Harris was expected to make at trial.

Although Twitter originally refused, eventually, the criminal court Judge demanded that Twitter release the data or hand over its confidential earnings statements from the last two quarters so he could determine how much of a fine to levy against the company. Twitter, which keeps such financial data secret, eventually produced the  data.

The judge’s ruling said that, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy. There is no proprietary interest in your tweets, which you have now gifted to the world. This is not the same as a private e-mail, a private direct message, a private chat, or any of the other readily available ways to have a private conversation via the internet that now exist. Those private dialogues would require a warrant based on probable cause in order to access the relevant information.”

In its appeal, Twitter wrote that Harris’ tweets are protected by the Fourth Amendment “because the government admits that it cannot publicly access them, thus establishing that the defendant maintains a reasonable expectation of privacy in his communications.” The Twitter accounts in question have been closed and are no longer publicly available.

Technology that allows for the invasion of privacy evolves significantly faster than privacy protecting laws, and as a result, the laws are almost always reactive to these new legal scenarios and often rushed to meet the urgency of the case at hand. In this particular case, the question is whether a message on Twitter that a person posts for his followers is the same as a message “gifted to the world” as the Judge stated in his ruling, for which there is no reasonable expectation of privacy.

To the extent that Twitter allows a user to block a follower, the user has an expectation of privacy regarding his messages. I am pretty sure that Mr. Harris would have blocked a government representative who wanted to become a follower of his tweets.

Under these circumstances, did his messages become public? Were his messages “gifted to the world,” or are his messages more like emails, that would require the government to obtain a warrant to have access to them?