Applying Fourth Amendment search protections to data in the cloud
"The law simply hasn't kept up with the technology."
There appears to be no end to the statutes and regulations to which the above statement applies. When Forbes' Thomas Fox-Brewster makes the statement in a May 21, 2017, article, the law he is referring to is the Stored Communications Act (18 U.S.C. Chapter 121 §§ 2701–2712), which was enacted as Title II of the Electronic Communications Privacy Act of 1986.

Fox-Brewster reports that in at least six different cases, Google is fighting attempts by the FBI to require that Google release Gmail information stored on the company's servers located overseas. The Stored Communications Act states clearly that the law applies only to "domestic" information, which limits it to data situated in the United States. The government argues that the law should be interpreted to apply to all domestic cases. In a 2016 case, Microsoft successfully prevented the government from accessing data stored in Ireland. That ruling applies only to the Second U.S. Circuit, but Google hopes to extend the precedent to all federal districts.

Amazon, Apple, Cisco, Yahoo, and Microsoft are among the tech companies supporting Google's efforts to protect data stored offshore. The companies point out that should the U.S. government be allowed to subpoena data stored overseas, foreign courts would then feel free to demand access to the data of U.S. citizens that's stored in the U.S.

In 2016, Rule 41 of the Federal Rules of Criminal Procedure was amended to allow warrants for data located outside the magistrate's jurisdiction to apply when the device's physical location was "concealed through technological means," such as use of the Tor browser or a virtual private network. Yahoo and other tech companies claim that even with the change, Rule 41 doesn't apply to data stored outside the U.S., at least not until Congress clarifies the law to state explicitly that overseas data is subject to the warrants.
Google's proposed solution is to base warrants on the location of the "user" rather than the location of the user's data. That way, our data would always travel with us, regardless of how far we are from the servers that currently store it. Wouldn't it be great if our personal information could likewise be deemed to tag along with us wherever we go? That would certainly make it easier for people to claim ownership of the data and exercise more control over who it is shared with and how it is used.

-----------------------------------------------------

How many times has your license plate been scanned today?

There is nothing illegal about government agencies and private businesses scanning your car's license plate when you're on the road. Californians can at least find the privacy and usage policies of any entity that automatically scans and collects license plate data in the state. A law that took effect on January 1, 2016, requires all California agencies and businesses using automated license plate readers (ALPR) to state on their websites the purpose for the collection, the job title or designation of all parties accessing the data, a description of how the agency complies with privacy and data security laws, and a description of how the data is checked for accuracy and corrected when in error. (Note that transportation agencies are exempt from the rule because other laws apply to their use of ALPR; also, if the entity has no website, the policy must be made available upon request.)

The Electronic Frontier Foundation has compiled links to dozens of local government ALPR policies as well as those of a handful of non-government ALPR collectors. Also provided is a Google Map of the relevant jurisdictions along with links to further information. The ALPR systems are used to identify vehicles "connected to crimes" or whose owners have outstanding court fees, according to the EFF.
Because the license plates of people not connected to or suspected of any crime are scanned and recorded, the practice constitutes an incredible privacy risk. Not only could the data be aggregated to report individuals' driving patterns, it could indicate the locations they frequent, "such as protests, gun shows, and health-care facilities," the EFF writes. The group notes that its ALPR list is far from exhaustive, particularly in surveying private use of the technology. Just assume that if you're on the road, you're being tracked -- by government agencies and private businesses alike. How comforting is that?

-----------------------------------------------------

The price you pay for eschewing Facebook: Social exile

Cory Doctorow, who's quickly becoming my favorite futurist (and whose new book Walkaway is next on my reading list), describes the high social price you pay for staying off Facebook -- and why the price is worth it. In a May 22, 2017, long read on Slate, Doctorow first explains how science fiction influences the future. Then he compares Facebook to a casino where the jackpots are the attention of other people:

"You place bets on what kind of personal revelation will ring the cherries, pull the lever—hit 'post'—and wait while the wheel spins to see if you’ll win big. As in all casino games, in the Facebook game there’s one universal rule: The house always wins. Facebook continuously fine-tunes its algorithms to maximize the amount that you disclose to the service because it makes money by selling that personal information to advertisers. The more personal information you give up, the more ways they can sell you..."

Doctorow points out that Facebook's dominance has made joining the network a "group decision" with a cost for refusing -- social exile:

"I’m a Facebook vegan. I won’t even use WhatsApp or Instagram because they’re owned by Facebook.
That means I basically never get invited to parties; I can’t keep up with what’s going on in my daughter’s school; I can’t find my old school friends or participate in the online memorials when one of them dies. Unless everyone you know chooses along with you not to use Facebook, being a Facebook vegan is hard. But it also lets you see the casino for what it is and make a more informed choice about what technologies you depend on."

I haven't gone cold turkey on Facebook yet, but I'm down to about two or three logins a month, and far fewer posts -- maybe three updates over the course of a year. Like Doctorow, I sometimes feel left out of the online social whirl. However, I value my personal life more than what Facebook is offering for it. The loss of privacy is too steep a price for me. Besides, making Mark Zuckerberg richer is being part of the problem rather than part of the solution.

-----------------------------------------------------

Linkapalooza

Big change in password advice from NIST: SC Media's Greg Masters reports in a May 22, 2017, post that the National Institute of Standards and Technology has completely revised its guidelines for crafting secure passwords. The draft proposal of the Digital Identity Guidelines, Special Publication 800-63-3, recommends IT departments no longer require or suggest periodic changes to users' passwords, unless there's a chance the password has been compromised. Instead, the NIST advises use of memorized secrets, which are entered in long text strings that include spaces. The real-good news is that there's no need to require people use characters, numbers, upper and lower cases, or any other silliness. The upshot: The longer your password, the less likely it will be cracked.

Free speech and pharmaceuticals: Commercial speech is limited in ways other kinds of speech are not.
The "venerable" Central Hudson test puts the burden on the government to show the limitation on commercial speech promotes a substantial government interest and is no more restrictive than necessary. (To be protected, the speech must concern a lawful activity, and it must not be misleading.) The Central Hudson test is expected to get dusted off when the new Commissioner of the Food and Drug Administration, Dr. Scott Gottlieb, rewrites the FDA regulation prohibiting drug companies from promoting off-label uses for their products. ReedSmith's James Beck writes in a May 22, 2017, article on JD Supra that Gottlieb believes patients have a right to information from clinical practice, without having to wait for the results of clinical trials, which may take years to complete. Likewise, doctors should have the right to "tailor their patients' treatment plans based on medical need and personal preferences."

A new precedent in the area of commercial speech and the First Amendment is Ocheesee Creamery LLC v. Adam Putnam Zach Conlin, 851 F.3d 1228 (11th Cir. 2017). As Beck reports, Ocheesee is a small creamery located on the producer's own farm in Florida. The company promotes its "all-natural dairy items." The State of Florida requires that vitamin A be added to skim milk before it can be labeled as "skim milk" because the process of skimming milk removes its vitamin A. Ocheesee refused to add vitamin A to its skim milk because it wanted to keep its products additive-free. Still, the state refused to allow Ocheesee to call its skim milk "skim milk," even though it "contains no product other than skim milk." Florida insisted that Ocheesee's all-natural, additive-free skim milk be labeled "imitation milk." Yep, sounds like Florida.

Regulatory Accountability Act puts everyone's health and safety at risk: Imagine a law whose sole purpose is to make it more difficult to enact and enforce laws designed to protect people from health hazards and other dangers.
That's the Regulatory Accountability Act in a nutshell -- at least from the perspective of medical professionals, scientists, and environmentalists. As Mother Jones' Jenny Luna writes in a May 22, 2017, article, the U.S. Chamber of Commerce is crazy about the act, which was passed by the House in January and is now being revised in the Senate. The House version, dubbed the "License to Kill bill" by critics, would require the Environmental Protection Agency and other federal regulators to prove the cost-effectiveness of laws enacted to safeguard the public before they could be enforced. Luna quotes one environmentalist as saying, "Trump is temporary, but the License to Kill bill is forever... It will be a generation or more until we can undo the damage."

Hedges: "Our republic is dead": Speaking of Trump and damage, the current administration has TruthDig's Chris Hedges thinking about Commodus, who is widely considered the worst in a long line of "vain and idiotic" Roman emperors. In a May 22, 2017, article, Hedges writes that "[s]ocieties that once were open and had democratic traditions are easy prey for the enemies of democracy." Demagogues such as Commodus "pay deference to the patriotic ideals, rituals, practices and forms of the old democratic political system while dismantling it," according to Hedges. Our constitutional rights "exist only in name." Hedges concludes that "[t]he outward forms of democratic participation—voting, competing political parties, judicial oversight and legislation—are meaningless theater.... The relationship between the state and the citizen who is watched constantly is one of master and slave. And the shackles will not be removed if Trump disappears."

U.S. government privacy office stripped of nearly all power: Speaking of disappearing, that's what happened to the Privacy and Civil Liberties Oversight Board, which few people knew existed in the first place.
The board was created by Congress in 2004 at the recommendation of the 9/11 Commission. In a March 3, 2017, article, The Intercept's Jenna McLaughlin writes that the board was charged with ensuring U.S. spy agencies didn't violate privacy and civil liberties protections. Rather than the five board members and full-time chair the board is supposed to have, it is now down to a single part-time board member. Since it has no board, it has very little power. The eight staff members left have been planning for the "sub quorum scenario," according to McLaughlin, providing what little spy-agency oversight they can manage. While the current administration hasn't responded to requests for new board members, the agency's decline predates Trump, despite it having "served a vital oversight role in recent years." If the board ever does get the backing it needs, I suggest it increase its PR budget.

Boycott Trump? That's what some people are doing, as Common Dreams' Mattea Kramer reports in a May 23, 2017, article. One of the most popular boycott promoters is the site Grab Your Wallet, which simply lists companies offering or promoting Trump-related products and services. The women behind the site, which is named after a Trump vulgarity, claim the boycott has led to 22 companies dropping Trump products to date. While some of the people starting boycott groups are trying to coordinate their activities, many organizers believe they can be more effective by remaining grass roots and decentralized. There's something to be said for both approaches: Grab Your Wallet is affiliated with the Women's March, for example. Kramer questions whether the people who are "changing their spending habits, tweeting at advertisers, contacting chief executives, and jamming phones at Trump businesses, will do so in a way that converts their discrete actions into real influence and power." I can only reply, it couldn't hurt!