This new information revealed that Google had collected, not just the name and location of wireless networks, but also information sent over unsecured wireless networks, which is called payload data. Google has said that the collection of payload data was unintentional and the result of software code mistakenly included in the Street View cars program. Google also noted that, because the cars are on the move and the software that the cars use rapidly changes channels, the chance that Google captured data containing anything fragments of data is unlikely.
The fallout has been swift and thunderous:
· Private litigants filed eight class action lawsuits in six federal district court in the U.S. The lawsuits generally allege claims under the Computer Fraud and Abuse Act, the Wiretap Act, and various state claims, including invasion of privacy, fraudulent concealment, and violations of state consumer protection laws. Some of the complaints allege that the data collection was intentional. On June 8, 2010, Google filed a motion with the Judicial Panel on Multidistrict Litigation to have all of the cases moved to the Northern District of California.
· Connecticut’s Attorney General, Richard Blumenthal, has initiated a multi-state AG investigation. Over thirty states recently participated in a conference call led by Blumenthal’s office regarding the matter. The call reportedly included representatives from the offices of the attorneys general for Illinois, Maryland, Massachusetts, Michigan, Missouri, and New York. Blumenthal, who is running for the U.S. Senate, stated: “Google needs to describe how code that intercepted and collected unencrypted data transmitted over WiFi networks was inserted into its software. . . . We want to know who did this, why and how and when Google discovered it. Another concern is whether the data was accessed in any way by Google and if so when and why.” Blumenthal has sent two letters to Google seeking information.
· Representatives Waxman, Barton, Markey, and Conyers sent letters to Google asking for information about the WiFi data collection. Barton and Markey also sent a letter to FTC Chairman Liebowitz, inquiring whether the FTC was investigating the matter.
· Two German DPAs have filed charges and several others are investigating.
· Other countries around the world, including Austria, France, Italy, Spain, Canada, Australia, New Zealand and Malaysia, have announced investigations.
· Several European countries, including the Denmark, Ireland, and the U.K., required Google to destroy the data collected from those nations.
· Google recently signed an agreement with the DPA in Hong Kong, in which Google agreed to cease collection of data from WiFi networks in Hong Kong and to preserve the data that has been collected until directed to destroy it by the Hong Kong DPA.
Quon, along with those with whom he had been exchanging texts, filed suit against the City, the OPD and others (collectively “the City”) for violating his Fourth Amendment right to privacy. The district court applied a two-step test developed by a plurality of the Supreme Court in O’Conner v. Ortega (1987) to address Fourth Amendment claims in the employment context. Under that test, a court first considers the operational realities of the workplace, on a case-by-case basis, to determine whether the employee has a reasonable expectation of privacy. Only if there is a reasonable expectation of privacy would a court then go on to consider whether the employer’s intrusion was nonetheless reasonable. Applying this test to Quon’s circumstances, the district court concluded that Quon had a reasonable expectation of privacy in his text messages. The district court then asked the jury to determine whether the City had conducted the search to determine the efficacy of the character limit policy (reasonable in the court’s view) or to snoop into how Quon used his pager (unreasonable in the court’s view). The jury concluded that the City performed the search for the former purpose, resulting in a win for the City. But the victory did not last long. On appeal, the Ninth Circuit found the City’s search unreasonable because there were less intrusive means of determining whether the character limits were appropriate.
The Supreme Court reversed, in an opinion by Justice Kennedy. The Court declined to endorse or overrule the O’Connor plurality’s test. Acknowledging that the Court was avoiding the question of whether Quon’s expectation of privacy was justifiable, Kennedy noted that “prudence counsels caution” in the face of evolving technologies and changing workplace norms. Kennedy explained that any rule the Court might fashion could not keep pace with the evolution of technology and practices for use of that technology in the workplace. Nevertheless, the majority opinion offered some thoughts about the factors it might consider under the O’Connor test.
Kennedy then focused on the relatively narrow question of whether the search was reasonable. He first determined that the City’s search satisfied the O’Connor legitimacy standard – it was “conducted for a ‘noninvestigatory, work-related purpose[] or for the investigatio[n] of work related misconduct.’” Kennedy then concluded that the search was reasonable: it was “efficient,” “expedient,” and not “excessively intrusive.” Furthermore, because the City reasonably believed that Quon likely had only a limited privacy expectation (if any), the City had reasonably assumed that the search would not intrude on personal matters. Kennedy swiftly dismissed the Ninth Circuit’s decision as at odds with controlling precedent in that the Fourth Amendment does not require the government to use the least intrusive means and such a hindsight-based approach would be unworkable as a court could nearly always be able to come up with a different approach it believes would have been better.
Two Justices filed separate concurrences. Justice Stevens concurred to remind readers that, in addition to the plurality and Scalia’s concurrence in O’Connor, Justice Blackmun’s O’Connor dissent—joined by Justices Brennan, Marshall, and Stevens – also provided an approach to determining an employee’s expectation of privacy, which he considered still viable. Justice Scalia, on the other hand, lambasted the majority opinion for its “[t]he-times-they-are-a-changin’” discussion as an unnecessary. Prophesying, with some merit, that lawyers and courts will focus on the discussion about the expectation of privacy in the majority’s opinion offered merely as guidance rather than acknowledge the narrow nature of that holding, Scalia also chided the Court for improperly buttressing the O’Connor plurality’s two-step analysis – with which he, of course, continues to disagree.
]]> Amendments to the Personal Information Protection Act (PIPA) of the Canadian province of Alberta took effect on May 1, 2010. Two of the changes are particularly noteworthy. First, like several states in the United States, Alberta now requires notification of data breaches. Second, new notice requirements might impact use of service providers outside Canada.
(1) An organization that has personal information under its control must provide to the Alberta Information and Privacy Commissioner without unreasonable delay notice of any incident involving loss of, unauthorized access to, or disclosure of, personal information. Notice is required where “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss of or unauthorized access or disclosure.” If the Commissioner determines that the data breach poses a real risk of significant harm to individuals, the organization may be required to notify those individuals.
(2) An organization that uses a service provider outside Canada to collect personal information about an individual, or that transfers to a service provider outside Canada personal information about an individual, must notify the individual of the way in which the individual can obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada. Notification may be given in writing or orally, but it must be given before or at the time the personal information is collected, whenever consent for collection is required.
The changes make Alberta the first Canadian province to mandate notification of data breaches generally. Many Canadian legal commentators expect other Canadian jurisdictions to follow suit shortly.
Canada does have an omnibus information protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Any organization that collects personal information in the course of commercial activity is covered by PIPEDA, except in provinces that have “substantially similar” information protection laws. Alberta’s PIPA has been declared to be substantially similar to PIPEDA.
Recently proposed amendments to PIPEDA would, if enacted, require an organization to report to the Canadian Privacy Commissioner any material breach of security safeguards involving personal information under its control. Similar to Alberta’s PIPA, the amendments would also require an organization to notify an individual of any breach of security safeguards involving such individual’s personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
]]> ]]>
A trade association representing some of AT&T’s competitors then submitted a FOIA request to the FCC to view the complete investigation file. AT&T filed a “reverse” FOIA lawsuit, seeking to prevent the disclosure. AT&T argued to the Third Circuit that the FOIA privacy exception applied because AT&T had “personal privacy” rights, and that the investigative file was exempt from disclosure.
The Third Circuit agreed with AT&T, focusing exclusively on the text of the FOIA. Exemption 7(C) of the FOIA protects law enforcement investigatory documents from disclosure if revealing them would invade “personal privacy.” The FOIA does not define “personal,” but it does define “person” to include an “an individual, partnership, corporation, association, or public or private organization other than an agency.” The Third Circuit found that it “would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.” 582 F.3d. at 497. The court reasoned it is a “grammatical imperative” that the definition of “person” in the FOIA also defines the term “personal,” and as such encompasses corporations.
In her petition for the
Kagan went on to argue that the Third Circuit’s decision, if allowed to stand, would lead to illogical results. Pet. at 24. The definition of “person” includes not only corporations, but also “public . . . organization[s] other than [a federal government] agency.”
Kagan’s petition reflected even greater concern about the impact of the Third Circuit’s decision on the federal government’s administration of the FOIA.
]]> The further delay comes as FTC Chairman Leibowitz acknowledges the agency’s Rule’s shortcomings: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.”
Reaction to the bill’s announcement was mixed . One commenter described the bill as one that “would push American privacy legislation closer to the strict rules that the European Union uses, and would extend privacy protections both on the Internet and offline.” On the other hand, some privacy advocacy groups believe the bill would not provide tangible benefits for consumers, citing the preemption of stronger state laws, the provision allowing marketers to retain information for 18 months without express user consent, and the bill’s utilization and tacit endorsement of the much-criticized notice-and-consent regime.
In the end, the bill is still only in discussion draft form, Boucher is "facing what may be the most difficult re-election of his 28-year career" this fall, and there are many steps it would need to take before reaching the floor of Congress, which it is highly unlikely to do in the current term. Still, the release of this bill signals that Congress is taking the issue of online behavioral advertising seriously, and even if not enacted it could create momentum leading to other legislation or increased FTC regulation of online behavioral advertising (as it has warned it might do when releasing and revising its Online Behavioral Advertising Principles most recently in February 2009), or encourage similar federal or state regulation of the collection and use of personal information for marketing purposes.
Bret Cohen and Elizabeth Khalil of the Privacy and Information Management practice in Hogan Lovells' Washington, D.C. office prepared this entry.
]]>This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH. For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”). NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance. Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007.
OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov
Mark Paulding of the Privacy and Information Management practice in Hogan Lovells' Washington, D.C. office prepared this entry.
]]>FOR COMMUNICATIONS SERVICE PROVIDERS
On April 21, 2010, the Federal Communications Commission ("FCC") issued a Notice of Inquiry that kicks off a proceeding seeking comment on a "cyber security" certification program designed to encourage communication service providers (i.e., those entities providing communications services by radio, wire, cable, satellite, or lightguide for a fee to one or more unaffiliated entities) to implement a full range of cyber security best practices. The FCC is reviewing this potential program, which was recommended under the Commission's National Broadband Plan, in an effort to counter cyber attacks and protect the communications infrastructure in the
The proposed voluntary certification program would involve security assessments of service providers' networks, to be conducted by the FCC or private sector auditors. The audit would entail a review of whether the networks comply with "stringent cyber security practices" to be developed by a public-private partnership. Those providers who successfully complete the audit would receive a special certification and then be able to market their networks as complying with these FCC network security requirements.
The inquiry is being led by the FCC's Public Safety and Homeland Security Bureau. The FCC's Notice of Inquiry seeks comment on a variety of topics, including:
· the costs/benefits of the program
· whether the program will really lead to an increase in security and improved cyber security practices
· whether the certification program should be open to all communication providers, or only certain types
· the composition and operating procedures of a certification authority
· whether the security criteria should be definitive or established on a case-by-case basis.
· assessment standards
· form and duration of the security certification, and the renewal process
· FCC enforcement process, if any, for the program
· education process regarding cyber security for consumers, businesses, and government agencies
]]>In December 2009, the House passed the “Wall Street Reform and Consumer Protection Act of 2009” (HR 4173). An important provision in the bill would strip the FTC of its powers to regulate consumer financial protection -- while also expanding the agency’s powers in two key ways. First, by giving the FTC “APA” rulemaking authority for areas that fall within the FTC’s jurisdiction and second, by giving the agency greater latitude to assess civil penalties for unfair and deceptive practices.
These amendments will surely impact FTC enforcement of online advertising, marketing, privacy, and data security. For instance, violations under the FTC’s expanded authority could trigger civil penalties even in the absence of an FTC order. Civil penalties would be assessed in antitrust cases brought by the FTC that include a consumer protection claim.
In addition, the HR 4173 language that expands the FTC’s authority would impose liability on companies that “substantially assist” in an unlawful act, even if the company does not have direct knowledge or responsibility for the violation. This provision will probably raise some serious concerns for companies currently enjoying a safe harbor under the Communications Decency Act.
Today, FTC rulemaking jurisdiction comes in two flavors – “APA” rulemaking under certain laws as prescribed by Congress e.g. the Children’s Online Privacy Protection Act, as well as general rulemaking authority under the 1975 Magnusson-Moss Act. Under the latter, the FTC can only regulate “prevalent” unfair and deceptive acts, and must justify that regulation with “substantial evidence.” The key difference between these two types of rulemaking occurs during judicial review; a court can overturn an FTC regulation under Magnusson-Moss if the rule lacks a substantial evidentiary record to support it. In contrast, FTC regulations enacted under the APA rulemaking scheme, such as those implementing COPPA, can only be overturned if the agency was "arbitrary or capricious" in enacting the rule – a much higher standard. As former FTC Chairman Muris explained in his presentation at the panel, Magnusson-Moss gives the FTC authority to act only when a problem occurs often enough to justify a rule, or when a problem has a common cause in a sufficient number of cases.
Current FTC Chairman Jon Leibowitz, supported by President Obama and the Administration, has strongly advocated for an expansion in the FTC’s authority, stating that it is “critical” for the FTC to carry out its mission of protecting consumers. In particular, Leibowitz has argued that the procedural requirements of Magnusson-Moss – such as the requirement that a practice be prevalent before the agency can act - makes FTC rulemaking more burdensome than at most other federal agencies. Although the relevant amendments expanding the FTC’s power are missing from the Senate version of the legislation, it is widely expected that these differences will be worked out in conference. Financial reform legislation appears to be on a fast track - earlier today, a Senate panel approved the bill, and both Republicans and Democrats have indicated that passage is likely.
The CFPA would be a new independent federal agency – the composition of which would vary depending on whether you are looking at the House Bill (5 members and a Director for two years) or Senate Bill (5 members). Its enactment would strip the FTC and other federal banking agencies of their federal consumer protection powers under a number of laws, including the Electronic Funds Transfer Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act, the Truth in Lending Act and the Truth in Savings Act. In short, any product or service that results from or is related to engaging in a financial activity and that is to be used by a consumer “primarily for personal, family or household purposes” will come under the new agency’s purview.
At today’s session, we saw differing viewpoints from both Tim Muris, former FTC Chairman, and Julie Brill, incoming FTC Commissioner, on this current push to expand the FTC’s authority under financial reform legislation.
Former Chairman Muris views the FTC’s current role as important, and he sees FTC rulemaking as relevant in certain areas – e.g. the do-not-call rules. He is concerned about the current proposals to expand the FTC’s authority because the agency often lacks industry-specific knowledge and expertise (I see this most recently in the area of privacy, as the FTC is currently gleaning this knowledge through its Exploring Privacy roundtable series). Muris also thinks the agency’s rulemaking authority under Magnusson-Moss is more than sufficient as it imposes an obligation on the agency to be clear about its proposed theories while focusing its evidence on key questions. He cites the agency’s recent business opportunity rulemaking as an example of an instance where the FTC initially proposed a broad rule that would have disproportionately impacted both fraudulent and legitimate business. The FTC eventually narrowed its proposed business opportunity rule after the public comment process.
On civil penalties, Muris thinks these are important only when a company violates an FTC order or rule. He sees blanket civil penalty authority as a mistake that may have unintended consequences – such as a penalty on a firm’s stock price. He’s also concerned that the standard of review laid out in the financial reform legislation will return the FTC’s definition of unfairness to its pre 1994 definition i.e. the Sperry-Hutchinson or "cigarette rule" which defines an unfair practice as one that is injurious to consumers, violate established public policy or is it unethical or unscrupulous. As many know, Congress amended the FTC Act in 1994 to specify that an unfair act or practice is one that causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.
Providing a counterpoint to Muris’ remarks, FTC Commissioner Julie Brill, speaking “on behalf of herself,” is generally in favor of expanding the FTC’s authority. She sees the FTC as both a law enforcement and regulatory agency. She views civil penalties as just “one of the arrows” in the FTC’s quiver – not to be used in every instance, but as appropriate. As a law enforcer, she does not see the FTC’s request to have civil penalty authority as unusual – since most state AGs already have this type of authority. To view such penalties as “automatic” is particularly misleading to her, since the FTC would only be able to obtain such penalties after judicial review in court. Brill also sees the FTC as a regulatory agency and notes that APA rulemaking is enjoyed by most other federal agencies. In addition, she points out that APA rulemaking under the proposed amendments would also be subject to review by a judge in court. Brill also views civil penalties as helpful in quantifying equitable remedies to compensate consumers for their injury - e.g. disgorgement or restitution for data breach violations.
Taking a broader view of the situation, Brill sees an expansion of the FTC's authority as a way to make the agency's enforcement efforts more effective – which benefits both consumers and competition in the long run. She also feels that consumers want an agency that has the right enforcement tools – not an “emasculated” FTC - and finds it surprising that the issue is even being debated, given the events of the financial meltdown and the current economic recession.
On the subject of FTC regulation, Brill is strongly in favor of an update, noting that rulemaking under Magnusson-Moss can often take up to 8 – 10 years. She recalls comments she made on the hearing aid rule as an Assistant AG in Vermont in 1992 – rules that have yet to be issued, nearly 20 years later. Her statements suggest that expanded rulemaking authority might give companies in dynamic industries – such as technology - FTC regulation that actually keeps pace with innovation.
The question of course, is whether such FTC regulation would also stifle innovation preemptively. Companies have started to take note of the recent push to expand the FTC’s power, and it is likely that the topic will continue to be debated fiercely in the coming weeks as financial reform legislation comes to a vote. Some have even expressed concerns that such an expansion of the FTC’s rulemaking authority could impact funding and investment in technology and Internet companies by both Wall Street and Silicon Valley VCs. For more, take a look at this transcript of the Progress & Freedom Foundation’s recent forum entitled “Supersizing the FTC.”
]]>]]> Stengart v. Loving Care Agency, Inc. was an employment discrimination action brought by Stengart, a former employee of Loving Care, a home nursing and health services company. In preparation for discovery, Loving Care's attorneys conducted forensic analysis of a company-supplied laptop Stengart used in the course of her employment and retrieved several e-mails exchanges between Stengart and her personal attorney, which Stengart had accessed via her private Yahoo e-mail account. When he learned of the e-mails' retrieval, Stengart's attorney claimed that they were privileged and demanded that all copies be returned. Loving Care's attorneys provided copies, but denied that any privilege applied and further reserved their right to use the e-mails. This prompted a motion to compel their return and to disqualify Loving Care's attorneys. Both motions failed at the trial level based upon the trial judge's finding that, by sending the e-mails using Loving Care's computer, Stengart waived the privilege because Loving Care's computer use policy allowed the company to review, access and disclose all matters on its "media systems."
Holding that the trial court had gotten it wrong, the New Jersey Supreme Court held that Stengart had a reasonable expectation of privacy in the e-mails because (1) Loving Care's policy provided inadequate notice that personal, password-protected e-mails would be reviewed or were subject being forensically retrieved and (2) our system of justice places a special importance upon preserving the confidentiality of attorney-client communications.
According to the Court, Loving Care's policy was inadequate to defeat the privilege because: (1) it used general, undefined terms such as "media systems and services" and "the e-mail system;" (2) it did not address personal e-mail accounts at all; (3) it contained a disclaimer that employees should not consider personal e-mails private, but also stated that "occasional" personal use was permitted; and (4) it failed to warn employees that the contents of their personal e-mails would be stored in temporary internet files on their company laptops and could be later retrieved. The Court held that these factors created ambiguity as to whether the policy covered personal, password-protected e-mails.
It also found that Stengart took steps to protect her privacy by using the personal, password-protected account and never having stored her Yahoo password on the company laptop. These actions, combined with the policy's ambiguity and the attorney-client nature of the e-mails made her expectation of privacy reasonable.[1]
Perhaps in response to arguments made by the Employers Association of New Jersey in amicus briefing, the Court took pains to assuage fears that its ruling would undermine employers' ability to protect corporate assets by focusing its ruling not on Loving Care's retrieval of the e-mails, but on the fact that it read the content of the e-mails. Companies can protect their assets, reputation and productivity by enforcing well-written and even strict computer use policies through employee discipline, up to and including termination, but the Court held that "employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy." Indeed, in light of this lack of justification, the Court stated, in dicta, that an employer would not be entitled to read the contents of such e-mails even if its policy banned all personal computer use and explicitly reserved its right to retrieve and read such e-mails.[2]
It remains to be seen whether other states will follow New Jersey's lead on this question and whether courts will use the Loving Care analysis to privacy protections applicable to personal, password-protected e-mails at work to and from others such as medical providers or spouses. However, in order to best address the Court's concerns, companies may find it useful to make sure their policies explicitly warn employees that they have no expectation of privacy when using company computers and that the company can access, monitor, read and forensically retrieve any information employees access, view and transmit using company computers, including e-mails sent using personal, password-protected e-mail accounts.
[1] Stengart's expectation of privacy was also deemed subjectively reasonable because she claimed to be unsophisticated in the use of computers and that she did not know Loving Care could read e-mails sent with her Yahoo account.
[2] Noting that no bad faith was involved, the Court nevertheless went on to hold that Loving Care's attorneys had violated Rule 4.4 of New Jersey's Rules of Professional Conduct by not disclosing the e-mails existence to Stengart's counsel before reading them. The Court remanded the matter to the trial court to determine whether disqualification or other sanctions were appropriate.
]]>
ECPA Reform: Why Now?
The Electronic Communications Privacy Act (ECPA) was a forward-looking statute when enacted in 1986. It specified standards for law enforcement access to electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies. Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986 – light years ago in Internet time.
As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together to combat increasingly sophisticated cyber-criminals or sexual predators.
The time for an update to the ECPA is now. For more than a year, privacy advocates, legal scholars, and major Internet and communications service providers have been engaged in a dialogue to explore how the ECPA applies to new services and technologies. We have developed consensus around the notion of a core set of principles intended to simplify, clarify, and unify the ECPA standards; provide clearer privacy protections for subscribers taking into account changes in technology and usage patterns; and preserve the legal tools necessary for government agencies to enforce the laws and protect the public.
Changes in Technology Have Outpaced the Law
Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” Of course, privacy must be balanced against other societal interests. Electronic communications and associated data can provide key evidence in the investigation of many crimes, and the assistance of service providers is often necessary to access such evidence. With respect to communications privacy and law enforcement investigations, the courts and Congress have sought to develop rules for government surveillance that balance three interests: the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.
Since enactment of ECPA, there have been fundamental changes in communications technology and the way people use it, including –
· Email: Most Americans have embraced email in their professional and personal lives and use it daily for confidential communications of a personal or business nature. Because of the importance of email and unlimited storage capabilities available today, most people save their email indefinitely, just as they previously saved letters and other correspondence. The difference, of course, is that it is easier to save, search and retrieve digital communications. Many of us now have many years worth of stored email. Moreover, for many people, much of that email is stored on the computers of service providers.
· Mobile location: Cell phones and mobile Internet devices constantly generate location data that supports both the underlying service and a growing range of location-based services of great convenience and value. This location data can be intercepted in realtime, and is often stored in easily accessible logs files. Location data can reveal a person’s movements, from which inferences can be drawn about activities and associations. Location data is augmented by very precise GPS data being installed in a growing number of devices.
· Cloud computing: Increasingly, businesses and individuals are storing data “in the cloud,” with potentially huge benefits in terms of cost, security, flexibility and the ability to share and collaborate.
· Social networking: One of the most striking developments of the past few years has been the remarkable growth of social networking. Hundreds of millions of people now use these social media services to share information with friends and as an alternative platform for private communications.
In the face of these developments, ECPA does not provide protection suited to the way technology is used today:
· Conflicting standards and illogical distinctions: ECPA sets rules for governmental access to email and stored documents that are not consistent. A single email is subject to multiple different legal standards in its lifecycle, from the moment it is being typed to the moment it is opened by the recipient to the time it is stored with the email service provider. To take another example, a document stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but the ECPA says that the same document stored with a service provider may not be subject to the warrant requirement.
· Unclear standards: ECPA does not clearly state the standard for governmental access to location information.
· Judicial criticism: The courts have repeatedly criticized ECPA for being confusing and difficult to apply. The Ninth Circuit in 2002 said that Internet surveillance was “a confusing and uncertain area of the law.” In the past 5 years, no fewer than 30 federal opinions have been published on government access to cell phone location information, reaching a variety of conclusions.
· Constitutional uncertainty: The courts are equally conflicted about the application of the Fourth Amendment to new services and information. A district court in Oregon recently opined that email is not covered by the constitutional protections, while the Ninth Circuit has held precisely the opposite. Last year, a panel of the Sixth Circuit first ruled that email was protected by the Constitution and then a larger panel of the court vacated the opinion.
This murky legal landscape does not serve the government, customers or service providers well. Customers are, at best, confused about the security of their data in response to an access request from law enforcement. Companies are uncertain of their responsibilities and unable to assure their customers that subscriber data will be uniformly protected. The current state of the law does not well serve law enforcement interests either as resources are wasted on litigation over applicable standards, and prosecutions are in jeopardy should the courts ultimately rule on the Constitutional questions.
The solution is a clear set of rules for law enforcement access that will safeguard end-user privacy, provide clarity for service providers, and enable law enforcement officials to conduct effective and efficient investigations.
Guiding Principles for ECPA Reform
The overarching goal of our review of the ECPA was to balance the law enforcement interests of the government, the privacy interests of users, and the interests of communications service providers in certainty, efficiency and public confidence.
We were guided by the following concepts:
· Technology and Platform Neutrality: A particular kind of information (for example, the content of private communications) should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it.
· Assurance of Law Enforcement Access: The reform principles would preserve all of the building blocks of criminal investigations – subpoenas, court orders, pen register orders, trap and trace orders, and warrants – as well as the sliding scale that allows the government to escalate its investigative efforts.
· Equality Between Transit and Storage: Generally, a particular category of information should be afforded the same level of protection whether it is in transit or in storage.
· Consistency: The content of communications should be protected by a court order based on probable cause, regardless of how old the communication is and whether it has been “opened” or not.
· Simplicity and Clarity: All stakeholders – service providers, users and government investigators – deserve clear and simple rules.
· Recognition of All Existing Exceptions: Over the years, a variety of exceptions have been written into the ECPA, such as provisions allowing disclosures to the government without court orders in emergency cases. These principles should leave all those exceptions in place.
Rather than attempt a full rewrite of ECPA, which might have unintended consequences, we focused on just a handful of the most important issues – those that are arising daily under the current law: access to email and other private communications stored in the cloud, access to location information, and the use of subpoenas to obtain transactional data.
Our principles do not seek to answer all questions or concerns about ECPA. Though members of the coalition may differ on the specifics, and some individual members would support additional changes, we all agree that these principles provide a framework for opening a public dialogue on the issue.
Specific Background on ECPA Reform Principles
1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user’s private communications or documents stored online.
2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.
3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.
4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.
March 30, 2010
In Rehberg, [1] former Georgia District Attorney Kenneth Hodges and Chief Investigator James Paulk investigated Charles Rehberg for allegedly sending harassing emails and faxes to administrators at
On appeal, the Eleventh Circuit reversed the district court’s decision. According to the court, Rehberg no longer had an expectation of privacy in his emails by the time the defendants obtained them because the emails had been “voluntarily turn[ed] over to third parties.”[5] First, the court relied on Guest v. Leiss for the precedent that “[a]n individual sending an email ‘loses a legitimate expectation of privacy in an e-mail that has already reached its recipient.’”[6] Second, the court reasoned that Rehberg lost his expectation of privacy when he transmitted an email to his third-party Internet service provider, because that action “constituted voluntary relinquishment of the right to privacy in that information.”[7] The court considered transmission to the ISP to be no different from delivery to the recipient and suggested that, had the defendants obtained the emails from Rehberg’s home computer, the outcome may have been different.[8]
The Eleventh Circuit’s application of the third party doctrine to emails stored by ISPs and email providers to has significant implications for modern Fourth Amendment jurisprudence and essentially rejects the Sixth Circuit’s decision in Warshak v. United States in which the court opined “that individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP.” [9] The Eleventh Circuit’s decision has significant implications for privacy in the “cloud” and will likely be cited in support of amendments to the Stored Communications Act.
[2]
[3]
[4]
[5]
[6] Rehberg, No. 09-11897 at 21-22 (quoting Guest v. Leiss, 255 F.3d 325, 333 (6th Cir. 2001)).
[7]
[8] See id.
[9] Warshak v. United States, 490 F.3d 455, 473 (6th Cir. 2007, vacated on procedural grounds, 532 F.3d 521 (6th Cir. 2008) (en banc).
More information can be found at http://www.ftc.gov/opa/2010/02/controlscan.shtm.
]]>
]]> In the Memorandum Opinion, citing to Chevron, Judge Walton determined that the FTC's application of the Red Flags Rule was not entitle to deference, and stated that "[e]ven a cursory review of the language of these Acts [Equal Credit Opportunity Act and FACTA] and the purposes underlying their enactment leads the Court to the conclusion that it was not 'the unambiguously expressed intent of Congress,' Chevron, 467 U.S. at 842-43, to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule." Judge Walton goes on to state that the FTC's position that attorneys regularly extend or arrange for credit is unsupported by either legislative or administrative findings. Likewise, Judge Walton was not persuaded by the FTC's reliance on the Federal Reserve Board's staff notes to Regulation B of the Equal Credit Opportunity Act.
The Court then discussed the lack of any record in the FTC's rulemaking process to support a determination that existing regulation of attorneys did not address identity theft, the arbitrary selection of monthly invoicing as the activity to regulate, the failure to put attorneys on notice that the rule would apply to them, the balance between state and federal regulation and the effect that the Red Flags Rule rule would have on the attorney client relationship. Considering all of these factors, the Court rejected the FTC’s position, ruling that the Commission's interpretation of its Red Flags Rule applying to practicing attorneys is both plainly erroneous and inconsistent with the purpose underlying the FACT Act.
]]>The top ten complaints for 2009 are:
|
Rank |
Category |
No. of Complaints |
|
1 |
Identity Theft |
278,078 |
|
2 |
Third Party and Creditor Debt Collection |
119,549 |
|
3 |
Internet Services |
83,067 |
|
4 |
Shop-at-Home and Catalog Sales |
74,581 |
|
5 |
Foreign Money Offers & Counterfeit Check Scams |
61,736 |
|
6 |
Internet Auction |
57,821 |
|
7 |
Credit Cards |
45,203 |
|
8 |
Prizes, Sweepstakes and Lotteries |
41,763 |
|
9 |
Advance-Fee Loans and Credit Protection/Repair |
41,448 |
|
10 |
Banks and Lenders |
32,443 |