Archive for the ‘Legal/Tech News’ Category

Big Data and the Fall of Personally Identifiable Information

There has been no shortage of “Big Data” based start-ups in the last decade, and that trend shows no sign of slowing down. As computing power and sophistication continues to increase, the ability to process large sets of information has led to increasingly pointed insights about the sources of this data.

Take Target for example. When you pay for something at Target with a credit card, you do not just exchange credit for physical goods; you also open a file. Target records your credit card number, attaches it to a virtual file and begins to fill that file with all sorts of information. Your purchase history is recorded: what you buy, when you bought it, how much you bought. Every time you respond to a survey, call the customer help line or send an email, Target is aware. Any time you interact with Target, the data and metadata that characterize that interaction are parsed carefully and stored as Target’s institutional knowledge. But it doesn’t end there. As diligent as Target may be in monitoring your interactions, there will inevitably be holes. But fear not! Instead of settling for an inadequate picture of who you are, Target can simply buy the rest of it from the other people you do business with. “Target can buy data about your ethnicity, job history, the magazines you read, if you’ve ever declared bankruptcy or got divorced, the year you bought (or lost) your house, where you went to college, what kinds of topics you talk about online, whether you prefer certain brands of coffee, paper towels, cereal or applesauce, your political leanings, reading habits, charitable giving and the number of cars you own.”

And the results speak for themselves. When the mountains of data collected from countless individuals are scrutinized, patterns emerge. One particularly creepy example involved Target working out that a teenage girl was pregnant before her father did.

But taking a step back, the increasing specificity and pervasiveness of the insights that data analytics can draw in the age of Big Data pose, beyond the immediate discomfort at the individual level (the creepy factor), a broader legal problem.

Much of US data privacy law centers on the idea of Personally Identifiable Information (PII) and restricts its use in certain contexts. But a definition that places added weight on information capable of distinguishing an individual only works if there is a practical distinction between data that is labeled PII and data that is not.

As Big Data grows in both reach and sophistication, our information economy will approach a state in which no information falls outside the definition of PII. The Target example makes clear that even seemingly benign information, processed together with other “harmless” data, can reveal deeply personal facts about an individual. In a world where correlative findings have real predictive value, a definition keyed to PII is no longer effective in pursuing its goal of protecting the individual’s right to privacy.
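The mechanics behind that claim, as an added example that is not part of the original post: a “de-identified” purchase log holding only zip code, birth year and sex (none of which counts as PII on its own) is joined to a public directory that carries the same three fields plus names. The purchase log, the directory, the names and the pregnancy-signal rule are all constructed for the illustration; the join on quasi-identifiers is the standard linkage attack, and the k-anonymity check and zip-code generalization show the usual countermeasure and its limits.

```python
"""Linkage attack on 'non-PII' data: re-identify rows of a de-identified
purchase log by joining it to a public directory on quasi-identifiers.
All data below is constructed for the illustration."""

from collections import defaultdict

# Constructed sample: a retailer's purchase log with name and card number
# stripped. No single field here would normally be called PII.
PURCHASES = [
    {"zip": "48104", "birth_year": 1996, "sex": "F",
     "items": ["unscented lotion", "zinc supplement", "cotton balls"]},
    {"zip": "48104", "birth_year": 1958, "sex": "M", "items": ["coffee", "paper towels"]},
    {"zip": "48104", "birth_year": 1996, "sex": "M", "items": ["cereal"]},
    {"zip": "48197", "birth_year": 1996, "sex": "F", "items": ["applesauce"]},
]

# Constructed sample: a public list (voter file, alumni directory, ...) that
# pairs names with the same three attributes. Names are placeholders.
PUBLIC_DIRECTORY = [
    {"name": "A. Example", "zip": "48104", "birth_year": 1996, "sex": "F"},
    {"name": "B. Example", "zip": "48104", "birth_year": 1958, "sex": "M"},
    {"name": "C. Example", "zip": "48104", "birth_year": 1996, "sex": "M"},
    {"name": "D. Example", "zip": "48197", "birth_year": 1996, "sex": "F"},
    {"name": "E. Example", "zip": "48197", "birth_year": 1996, "sex": "F"},
]

QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed inference rule standing in for Target's model: a basket with at
# least two of these products is tagged as a pregnancy signal.
PREGNANCY_SIGNALS = {"unscented lotion", "zinc supplement", "cotton balls",
                     "prenatal vitamins"}


def quasi_key(row):
    """The tuple of quasi-identifiers the two datasets share."""
    return tuple(row[q] for q in QUASI_IDS)


def link(purchases, directory):
    """Return {purchase index: name} for every purchase row whose
    quasi-identifiers match exactly one directory entry (a unique match is
    a re-identification; an ambiguous match is left alone)."""
    by_key = defaultdict(list)
    for person in directory:
        by_key[quasi_key(person)].append(person["name"])
    linked = {}
    for i, row in enumerate(purchases):
        names = by_key.get(quasi_key(row), [])
        if len(names) == 1:
            linked[i] = names[0]
    return linked


def infer_pregnancy(row):
    """Apply the constructed inference rule to one basket."""
    return len(PREGNANCY_SIGNALS & set(row["items"])) >= 2


def k_anonymity(rows):
    """Smallest group of rows sharing one quasi-identifier tuple. k == 1
    means at least one row is unique in the dataset and therefore linkable."""
    counts = defaultdict(int)
    for r in rows:
        counts[quasi_key(r)] += 1
    return min(counts.values())


def generalize_zip(rows, digits=3):
    """Coarsen the zip code to its first `digits` characters, a standard
    generalization step used to raise k. In the constructed data it makes
    the pregnant shopper's row share its key with two other people."""
    return [dict(r, zip=r["zip"][:digits]) for r in rows]


def reidentified_inferences(purchases=PURCHASES, directory=PUBLIC_DIRECTORY):
    """Names of people who can be both re-identified by linkage and tagged
    with the sensitive inference: the 'harmless data' becomes PII here."""
    return sorted(name for i, name in link(purchases, directory).items()
                  if infer_pregnancy(purchases[i]))


if __name__ == "__main__":
    print("k-anonymity of raw log:", k_anonymity(PURCHASES))
    print("re-identified + flagged:", reidentified_inferences())
    print("after zip generalization:",
          reidentified_inferences(generalize_zip(PURCHASES),
                                  generalize_zip(PUBLIC_DIRECTORY)))
```

Note that generalizing the zip code protects the one sensitive row here only because two other women with the same birth year happen to live in neighbouring zips; the two men remain uniquely linkable, which is why k-anonymity has to be measured over the whole release rather than assumed from the absence of named fields.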

March 24th, 2015 at 4:59 pm

How the SEC Really Feels About High Frequency Trading

For fans of Michael Lewis’s Flash Boys, the SEC would like you to know that things are going splendidly on the high frequency crackdown front. In January 2015 alone, the agency brought three high frequency trading (HFT) suits against different sharks in the securities market.

One such shark is high frequency trader Aleksandr Milrud. Milrud layered trades for approximately two years starting in January 2013. Around the globe, Milrud’s recruits used HFT to fraudulently inflate and deflate stock prices and profited by buying and selling at the altered price. To clear up any lingering confusion on the part of the SEC’s confidential broker informant, Milrud actually referred to the artificial price pressure as “the dirty work.” Milrud further explained that he usually wired his illicit profits to an offshore bank account and later met with an individual who would hand him a suitcase full of cash.

The SEC’s complaint confirms that the agency believes “Milrud’s layering scheme was very lucrative. In the course of soliciting the [confidential informant’s] participation in his scheme, Milrud stated that one of his trading groups generated profits of approximately one million dollars per month.” Indeed, the complaint later outlines two examples of Milrud’s profiteering activities: Exhibit 1 involved an order that resulted in a $72.28 profit for the trader. Exhibit 2 clocked in a bit more conservatively at $60.74 worth of illegal profits. Milrud even “directed a wire transfer of $5,000 to a bank account located in New Jersey. The purpose of the transfer was to fund a trading account . . . so that Milrud’s traders could use the account to engage in layering.”

SEC v. Milrud is a relatively humorous anecdote that demonstrates the SEC’s larger high frequency trading (HFT) enforcement strategy: speak loudly and carry a small stick. Consider Milrud himself. He did not build an empire out of his indiscretions. He was brazen, oaf-like, and making a mere $60 to $80 off any single trade. He played out of bank accounts numbering in the four digits, not with millions or billions of dollars’ worth of capital. Most importantly, his fraudulent activity was illegal whether he committed it through HFT or inflated stock prices one phantom bid at a time. Milrud’s criminal profits amounted to mere particles of a drop in the bucket of securities trading. But the SEC brought charges anyway and issued a press release on its big capture to boot.

It seems obvious that the SEC does want to regulate HFT, but no more than it wants to regulate the securities industry overall. Vowing to determine how HFT truly hurts or helps investors, SEC Chair Mary Jo White asked her staff to analyze the potential effects of implementing an anti-disruptive trading rule, of increasing usage of algorithmic trading, and of unequal data feed access by market participants, among a list of additional HFT-related rules and activity. But these requests, stripped of their HFT verbiage, simply look like the analytical gaze to be expected of an industry regulator. The SEC wants to stay vigilant of potential problems, but the SEC does not seem to want to regulate HFT through new or improved means. The SEC wants to apply existing regulatory sanctions to market abuse, regardless of the means through which such abuse is effected.

The SEC is decidedly in favor of what HFT brings to the financial markets. Chair White said as much during her speech on June 5, 2014:

“Equity markets are, of course, now dominated by computer algorithms, which generate orders at a volume and speed that have transformed the nature of trading. Importantly, these algorithms are used not only by high-frequency traders, but also by or on behalf of investors. . . . [M]arket quality metrics show that the current market structure is not fundamentally broken, let alone rigged. To the contrary, the equity markets are strong and generally continue to serve well the interests of both retail and institutional investors.”

The SEC will undoubtedly continue to bring actions against HFT firms and players. But look carefully at these complaints and settlements. Consider whether the SEC is cracking down on HFT practices, or whether the SEC is going after more traditional market abuse and is simply happy enough to let you think that HFT is in its crosshairs. So long as it keeps Michael Lewis off Chair White’s back.

March 16th, 2015 at 11:25 pm

Obama Administration to Weigh in on Google v. Oracle Java Dispute

Last month, the Supreme Court invited input from the Department of Justice regarding the ongoing Java dispute between Google and Oracle, asking for advice on whether the Court should hear the case. According to the Court’s memo, U.S. Solicitor General Donald Verrilli, Jr. “is invited to file a brief in this case expressing the views of the United States.” Technology Analyst Al Hilwa calls this a “true 2015 nail-biter for the industry” because “[t]his is a judgment on what might constitute fair use in the context of software.”

The dispute between Google and Oracle began in 2010, when Oracle sued Google, seeking $1 billion in damages, on the claim that Google had used Oracle’s Java software to build the Android smartphone operating system. Google wrote its own implementation of Java for Android, but in order to let software developers write programs for Android, Google relied on the Java Application Programming Interfaces (“APIs”). These APIs are “specifications that allow programs to communicate with each other,” even though they may be written by different people. Oracle alleged that Google copied 37 Java API packages when it should have licensed them or written entirely new code. Google responded with the argument that such code is not copyrightable under §102(b) of the Copyright Act, which withholds copyright protection from “any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in [an original work of authorship].” Google also argued that the copied elements were “a key part of allowing interoperability between Java and Android.”

In May 2012, the Northern District of California ruled that the APIs at issue were not subject to copyright, finding that where there exists “only one way to declare a given method functionality, [so that] everyone using that function must write that specific line of code in the same way,” such code cannot be subject to copyright. The court also held that “whether an element is necessary for interoperability should have no impact on its protectability.” In May 2014, the U.S. Court of Appeals for the Federal Circuit reversed, finding that Java’s API packages were copyrightable, and remanded the matter to the district court to determine whether Google’s copying constitutes a lawful fair use. In response to the Federal Circuit’s ruling, Google filed a petition this past October for a writ of certiorari. Numerous large technology companies, including HP and Yahoo, have filed amicus briefs in support of Google’s position. Google issued the following statement in response to the Supreme Court’s request for input from the Obama Administration: “We appreciate the Supreme Court’s careful review of this issue and look forward to the Solicitor General’s feedback.”

The Supreme Court will take no further action until the Solicitor General files his brief offering the views of the Obama administration on this copyright dispute. According to Peter Toren, an attorney with Weisbrod Matteis & Copley, “the Court may consider this important for definitive clarification as to what extent software is copyrightable.”

February 19th, 2015 at 11:41 pm

FCC Aims to Flex Muscle to Remove State Barriers to Municipal Internet

On June 10, 2014, FCC Chairman Tom Wheeler published an op-ed championing municipality-funded broadband. Noting Chattanooga, Tennessee’s past as a 19th century railroad boom town, he juxtaposed the city’s history with its recent decision to fund its own gigabit-per-second infrastructure: “Chattanooga’s investment has not only helped ensure that all its citizens have Internet access, it’s made this mid-size city in the Tennessee Valley a hub for the high-tech jobs people usually associate with Silicon Valley. Amazon has cited Chattanooga’s world-leading networks as a reason for locating a distribution center in the area, as has Volkswagen when it chose Chattanooga as its headquarters for North American manufacturing. Chattanooga is also emerging as an incubator for tech start-ups. Mayor Berke told me people have begun calling Chattanooga ‘Gig City’ – a big change for a city famous for its choo-choos.”

Mr. Wheeler then delivered his punchline: “I believe it is in the best interests of consumers and competition that the FCC exercises its power to preempt state laws that ban or restrict competition from community broadband. Given the opportunity, we will do so.” Fast-forwarding to the present, Chairman Wheeler announced on Monday that he is circulating a proposed Order to his fellow FCC commissioners that would preempt state laws that stymie municipality-sponsored broadband projects, relying on the Commission’s authority under Section 706 of the Telecommunications Act of 1996. The announcement comes a few weeks after President Obama himself pushed for increased support of community internet, with the White House publishing a detailed policy report extolling its virtues.

Proponents applaud the move as facilitating the growth of high-speed internet in communities that the major telecoms have spurned, while those same telecoms back legislation in some twenty states that limits the practice. Many argue that these efforts come principally from the telecom companies’ self-interest in bolstering their monopolistic or duopolistic positions in the ISP market. Opponents such as the conservative policy group American Legislative Exchange Council, however, paint the laws as safeguarding free markets and limited government while stopping municipal projects from “making markets less attractive to competition because of the government’s expanded role as a service provider.”

What’s clear is that the FCC is poised to take a much more assertive role in Internet regulation, and this is not the only big move the commission has in store this week. The FCC has also announced a plan to reclassify high-speed internet as a telecommunications service under Title II of the Communications Act (see MTTLR’s Feb. 4 blog post for more), giving the commission strong authority to enforce net neutrality across ISPs. The move has already prompted a legislative response from Congressional Republicans that would curtail the FCC’s powers. With the U.S. having already fallen behind many other Western countries on both the speed and the price of its broadband internet, 2015 is shaping up to be a watershed year for the future of the country’s internet.

February 18th, 2015 at 1:41 pm

The Right to be Forgotten

This past May, the Court of Justice of the European Union recognized “the right to be forgotten” in a case brought by Mario Costeja against a newspaper and Google, a move that fundamentally changed our notions of Internet privacy. More than a decade earlier, the newspaper had published two notices about an auction of Costeja’s property to pay off debts, and links to the notices were still appearing in the search results when Googling his name. Costeja brought suit in an effort to remove the links from the search results. The court said the links could be removed if they were found to be “inadequate, irrelevant or no longer relevant.” Under the right to be forgotten, only searches that include a person’s name trigger the removal of the search result, which means that the articles or website can still show up in the results if the search uses a different keyword.

The European Union’s right to be forgotten has spurred much concern for free speech campaigners, who claim the ruling unjustly limits what can be published online. Privacy advocates, however, are praising the ruling for allowing people some exercise of power over what content appears about them online. This new right creates a process for people to remove links to embarrassing, outdated, and otherwise unwanted content from Google and other search engines’ results. Courts are directed to balance the public’s interest in access to the information in question and the privacy interests of the person affected by the content.

As of now, the ruling applies only to Google’s local European sites, such as its German and French domains, and to other search engines’ European sites. This leaves an easy loophole, because the content is still available by searching from Google’s main, non-European domain. European data protection representatives are, of course, eager to apply the right to be forgotten worldwide in order to make the ruling more effective. The Article 29 Working Party, the cross-European panel of data protection watchdogs, recently announced: “de-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented.” The Working Party is composed of data protection representatives from across Europe, and it has very recently published guidelines on the implementation of the right to be forgotten ruling.

The guidelines note, “a balance of the relevant rights and interests has to be made and the outcome may depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information. The interest of the public will be significantly greater if the data subject plays a role in public life.” They also address concerns of how this will impact free speech: “in practice, the impact of the de-listing on individuals’ rights to freedom of expression and access to information will prove to be very limited. When assessing the relevant circumstances, [Data Protection Authorities] will systematically take into account the interest of the public in having access to the information. If the interest of the public overrides the right of the data subject, de-listing will not be appropriate.”

The representatives ask search engines to apply the new right to be forgotten to all of their websites, including their non-European domains, so that de-listing is enforced worldwide. Privacy advocates allege Google has been undermining the new right by limiting its application to local European sites, while free-speech advocates say the rule is “a gateway to Internet censorship that would whitewash the Web.” It is up to the data regulators in individual countries to decide whether to enforce the panel’s guidelines, and it remains unclear whether Google will move to implement the rule.

Will federal legislation make consumers’ private information safer?

After JP Morgan’s computers were penetrated by hackers in the early summer of 2014, exposing the personal information of the firm’s customers, the firm did not disclose the breach until late in the summer.[1] Over 76 million customers’ contact information, phone numbers and email addresses, was stolen.[2] The Connecticut and Illinois Attorneys General began scrutinizing JP Morgan’s delayed notification to their residents that hackers had obtained their contact information, taking issue with the fact that JP Morgan “only revealed…limited details” about the extent of the breach.[3] Both attorneys general are assessing whether JP Morgan complied with their state privacy laws, mainly their states’ data breach notification laws. Given the size of JP Morgan and the 76 million customers whose information was breached, it is safe to assume that residents of Connecticut and Illinois were not the only ones whose personal information was compromised.

Data breaches have become a big issue not only for JP Morgan but for many other companies. The same hackers who breached JP Morgan’s security attempted to get customer data from Deutsche Bank, Bank of America, Fidelity and other financial institutions.[4] Hackers breached Target’s and Home Depot’s customer payment data, taking 40 million of Target’s customers’ card records and 56 million of Home Depot’s.[5] Data breaches and data loss seem to be inevitable, whether through someone working inside an organization, à la Edward Snowden, or through outside hackers, as in the cases of JP Morgan, Home Depot and Target. Regardless of how data is lost, there is a need to evaluate the best approach to notifying a consumer when someone else obtains that consumer’s personal information.[6]

The matter is made worse because states have varying definitions of what personal information is, and vary in their definitions of the circumstances that trigger notification and the method by which a breach must be reported.[7] Some states have no timeline within which a company must notify its customers.[8] And when they do have a timeline, it tends to be vague.[9] It took Target three weeks to notify its customers that their personal data had been breached.[10] The matter is made worse still because there is no comprehensive federal data breach notification law.[11] Big companies like JP Morgan, which are more likely to be targets of hackers, operate in almost all 50 states, and when their customers’ personal data is breached, they have to deal with each state’s data breach law state by state.[12]

As a result, some advocate for a federal data breach law.[13] There is an assumption that a federal response to data breach notification would be better than a state-by-state response. California’s attorney general is currently suing the Kaiser Foundation Health Plan because it took the health plan five months to notify its customers about a breach.[14] It may not take long until other attorneys general start scrutinizing Kaiser. Some of Target’s customers in various states are suing Target over its data breach notification as well.[15]

However, a federal response to data breach notification may not be the panacea that some advocate. Legislating is a murky process, even murkier when there is not much precedent to work with. Data breach, at least the digital kind, is a relatively new phenomenon. While various states have their own laws on data breach notification, it is not clear which state(s) have the best process. If a federal notification law is enacted, its standards may be weaker than what some states currently have, and a federal law that preempts state law may serve as a way for companies to escape stricter state notification duties. Though the state-by-state approach may be cumbersome, it will in the end produce a better result as issues are litigated in public and judges learn about best practices in each state. As cases are litigated in court, states will naturally learn from each other. This organic process may be more likely to produce a good result than a top-down federal process.[16]

[1] Michael Corkery, Jessica Silver-Greenberg and David E. Sanger, Obama Had Security Fears on JPMorgan Data Breach, N.Y. Times (Oct. 8, 2014).

[2] Id.

[3] Emily Glazer and AnnaMaria Andriotis, J.P. Morgan Data Breach Draws Scrutiny From State Attorneys General, Wall St. J. (Oct. 4, 2014).

[4] See Corkery, supra note 1.

[5] Robin Sidel, Home Depot’s 56 Million Card Breach Bigger Than Target’s, Wall St. J. (Sept. 18, 2014).

[6] Delays Revealing Data Breaches Costly: Like JPMorgan, Industry Practice Is Hide Evidence, JournalGazette.com (Sept. 1, 2014).

[7] Reid J. Schar & Kathleen W. Gibbons, Complicated Compliance: State Data Breach Notification Laws, Privacy & Security Law Report, Bloomberg (Aug. 9, 2013).

[8] Kelli B. Grant, Why Did Target Take So Long to Report the Breach?, CNBC (Dec. 20, 2013).

[9] See Luis J. Diaz and Caroline E. Oks, When Fast Is Too Slow: Notification Compliance Following Target’s Data Breach, The Metropolitan Corp. Couns. (Jan. 16, 2014).

[10] Grant, supra note 8; see also Gregg Steinhafel, A Message from CEO Gregg Steinhafel About Target’s Payment Card Issues (Dec. 20, 2013).

[11] See Judy Greenwald, Federal Data Breach Notification Law Could Simplify Process, Business Insurance (Oct. 24, 2014).

[12] With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands has enacted legislation requiring notification of security breaches involving personal information. See Schar, supra note 7.

[13] See Jill Joerling, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467, 468 (2010); see also Jacqueline May Tom, A Simple Compromise: The Need for a Federal Data Breach Notification Law, 84 St. John’s L. Rev. 1569 (2010).

[14] David Navetta, California Attorney General Files Lawsuit Based on Late Breach Notification, Information LawGroup (Jan. 30, 2014).

[15] See Diaz, supra note 9.

[16] See Flora J. Garcia, Data Protection, Breach Notification, and the Interplay Between State and Federal Law: The Experiments Need More Time, 17 Fordham Intell. Prop. Media & Ent. L.J. 693, 697 (2007); see also Brandon Faulkner, Hacking into Data Breach Notification Laws, 59 Fla. L. Rev. 1097 (2007).

Gas, Electric, Water, and…Internet?

In the midst of the battle for the future of the Internet, President Barack Obama has made his allegiance clear. Obama released a statement on November 10th urging the FCC to adopt new regulations that would treat the Internet like a utility in order to preserve a “free and open internet.” The President’s plan endorses an idea that has become popularly known as “net neutrality.” Proponents of net neutrality claim that it would prevent Internet service providers (ISPs) from picking winners and losers online, which they claim would effectively destroy the open Internet. In his statement, Obama outlined several bright-line rules that would prevent ISPs from blocking content from customers, prohibit throttling, increase transparency, and forbid paid prioritization. For the FCC to accomplish these goals, President Obama advised that the Commission must adopt the strictest rules possible, which would require broadband service to be treated as a public utility.

Opponents of President Obama’s plan argue that treating the Internet like a utility would slow innovation and raise costs, equating the potential FCC regulations to “micromanagement.” Many who oppose the plan argue that the move would increase bureaucracy and cause inefficiency; rather than add it to the list of government-controlled infrastructure, they believe that the open market is the best method of meeting consumer needs.

Classifying the Internet as a utility would entail treating ISPs as common carriers, which are governed by Title II of the Communications Act of 1934. Currently, ISPs are classified as information services. Section 706 of the Telecommunications Act of 1996, which governs the FCC’s oversight of broadband services provided by ISPs, grants the Commission only limited power compared to its control over common carriers under Title II. According to George Foote, a lawyer who works closely with the FCC, this reclassification would be a major shift in FCC policy, and would run counter to the “decades-long efforts to deregulate.”

Net neutrality has become a hot-button issue as of late, and the debates have intensified since the U.S. Court of Appeals for the D.C. Circuit struck down the previous FCC rules on equal treatment of Internet content. Judge David Tatel wrote for the court that because “the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such. Because the Commission has failed to establish that the anti-discrimination and anti-blocking rules do not impose per se common carrier obligations, we vacate those portions of the Open Internet Order.” Reclassifying the Internet as a utility under Title II, however, would do away with that exemption and afford the FCC greater control over ISPs, which would then be “common carriers.”

President Obama’s stance on classifying the Internet as a utility puts him in somewhat unfamiliar company, as Supreme Court Justice Antonin Scalia advocated this same approach in his dissenting opinion in National Cable & Telecommunications Association v. Brand X Internet Services, 545 U.S. 967 (2005) (Scalia, J., dissenting). It also puts him side by side with former FCC chairman Reed Hundt and former FCC commissioner Michael Copps. Meanwhile, many of those across the aisle, including Republican Senator Ted Cruz and Republican House Speaker John Boehner, oppose the President’s plan.

In the end, President Obama’s statements are only persuasive. The FCC is an independent agency and, as such, Obama recognized that this decision is “theirs alone.” As the war for the future of the Internet continues to rage on, however, net neutrality has gained a powerful ally.

January 8th, 2015 at 4:03 pm

The Broader Benefit of Benefit Corporations

Ello, an ad-free social network, recently closed another round of venture funding, raising $5.5M. Exciting, right? Another social media start-up getting some Series A funding. While $5.5M is surely nothing to sneeze at, perhaps the more interesting feature of this next stage of Ello’s life is that it has registered itself as a public benefit corporation, enshrining in its corporate charter as a “public benefit” that it will never show ads or sell user data.

To date, 27 states have enacted legislation recognizing “benefit corporations,” entities that give directors legal protection to pursue social and environmental goals over maximizing investor returns. According to the form’s proponents, a defining characteristic of benefit corporations is that “they are required to create a material positive impact on society and the environment.”

One of the largest early adopters of the benefit corporation form was outdoor clothing and gear company Patagonia. In adopting it, Patagonia sought a structure that would prevent shareholders from suing it over costly environmental initiatives, such as donations to environmental organizations and support of renewable energy sources, that allowed it to serve the welfare of the global community. Warby Parker, with initiatives ranging from staying carbon neutral, to providing low-cost eyewear to those in need, and even sponsoring a local Little League team, similarly sought to insulate its directors through the benefit corporation structure. In both examples, the benefit corporation produces a direct, measurable and concrete positive impact on its community and the environment.

Ello’s election of benefit corporation status brings with it a tweak to what we have seen so far. Even though Ello has registered as a public benefit corporation, its mission is in many ways fundamentally different from those of its better-known predecessors. Whereas Patagonia and Warby Parker have employed the benefit corporation as a way to protect their support of immediate and material benefits to the public good outside the scope of their direct relationship with their customers, Ello seems to have stretched the defining characteristic of benefit corporations to protect what it believes to be the intrinsic value of its product. Is protecting users from ads a public benefit of the same kind as what we have seen from Patagonia and Warby Parker? In allowing Ello to register as a benefit corporation, Delaware law seems not to see a distinction.

Whatever the limits of the definition of public benefit, one thing Ello has shown about benefit corporations is how useful they can be in insulating directors from investor interference. Whether or not Ello’s mission can truly be said to be in pursuit of the public good, the company has succeeded in securing the pursuit of its vision. In effect, then, perhaps it makes more sense to refer to Ello as a “mission” corporation, protecting the discretionary judgment of its leadership beyond its fiduciary duties to investors, than as a benefit corporation. To all the entrepreneurs of the world: be aware of this broader benefit.

November 25th, 2014 at 10:37 pm

Technology Companies Fight Back Against Government Requests For User Data


In response to privacy concerns surrounding data transmission and disclosure of information, the federal government has enacted a couple of laws, most notably the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act (“HIPAA”), in order to safeguard individuals’ private information. The Privacy Act of 1974 was enacted in reaction to the dawning age of information and was an attempt by the federal government to protect individuals’ privacy rights. The Act requires governmental agencies to do four things regarding the information they collect and store about private US citizens: 1) to, upon request, tell an individual what information they’ve collected about him or her, 2) to allow individuals to correct or amend that information, 3) to use certain principles when handling and using the information, and 4) to follow certain guidelines restricting how the individual’s information is shared with other agencies and people. HIPAA provides similar protections, specific to disclosures of personally identifiable information in the healthcare setting.

However, despite the enactment of such federal laws, people like Steven Rambam, CEO of Pallorium, an international investigative agency, deliver lectures titled “Privacy is Dead – Get Over It”. The feeling that federal laws don’t protect individuals from unauthorized disclosures of private information is probably due in large part to the fact that neither the Privacy Act nor HIPAA adequately protects consumers from US law enforcement agency requests for user information, such as requests from the National Security Agency. Instead, providing safeguards from excessive government surveillance falls to the technology companies in possession of private individuals’ information.

There has been a lot of pushback from technology companies on both the concept that “privacy is dead” and the idea that the appropriate response to perceived breaches of privacy is to just “get over it”. Instead, current and emerging technology companies are putting technological safeguards in place to protect their users against governmental breaches of privacy. For instance, as detailed in another post on this blog, technology companies like Apple and Google have recently updated their privacy policies and introduced passcode-based encryption that the companies themselves cannot bypass. This protects individual consumers against attempts by law enforcement to incriminate them based on the contents of their Apple or Google electronic devices. Additionally, Facebook is in the process of developing an app that allows anonymity: users would be able to discuss topics using multiple pseudonyms. These technological developments are arguably a response to public opinion reflected in a statement made by Jameel Jaffer, deputy director of the American Civil Liberties Union, that, “Technology companies have an obligation to protect their customers’ sensitive information against overbroad government surveillance….”

Even before the creation of technological safeguards against unauthorized disclosure of information to US law enforcement, technology and internet companies had battled the US government openly and directly in court and in Congress. In fact, the battle between technology companies and the US government over governmental requests for user data continues: on Tuesday, October 4, Twitter sued the FBI and the US Department of Justice on First Amendment grounds, seeking to release a transparency report documenting the exact number of government requests for user information the company received.

Twitter is not the first technology or internet company to sue the US government seeking to change the current rules surrounding data request disclosures. Companies, including Apple, Google and Microsoft, have fought for users’ privacy rights in court and in Congress. In fact, in December 2013, eight companies including Apple, Microsoft, Facebook and Google formed a coalition called “Reform Government Surveillance” to lobby Congress to place greater restrictions on governmental surveillance. The aforementioned coalition settled with the federal government and reached an agreement that would allow for companies to disclose how many government data requests they received in groups of one thousand.

Twitter, however, did not participate in this agreement and instead is pushing for broader rights to disclose National Security Agency data requests. For instance, Twitter wants to disclose not only the number of requests but also what types of data the government has requested. Surveillance law reform is slowly making headway, as companies with strong lobbying power like Apple, Microsoft, Twitter, and Facebook push for restrictions on the US government’s power to compel the disclosure of individuals’ information and to engage in bulk, seemingly indiscriminate, data collection. In the meantime, according to the Electronic Frontier Foundation (“EFF”), there is a notable portion of technology companies that not only require a warrant before they disclose user information but also notify users about government requests, publish transparency reports and law enforcement guidelines, and fight for users’ privacy rights in court and in Congress. It might be useful for technology and internet platform users to note which technology companies have their backs when it comes to privacy rights and which do not.


November 4th, 2014 at 6:11 pm

Posted in Legal/Tech News

Apple’s Canary Fails to Chirp


Recently, Apple updated the privacy section on its website. While this was likely part of its response to privacy concerns arising from the recent iCloud controversy, and fortuitously timed with the release of the newest batch of phones from the company, it also contains the latest edition of Apple’s transparency report. This report is a collection of the requests made by governments around the world for information about Apple device users and account holders. Curiously though, the most controversial aspect of the report may be what is not included.

As the Electronic Frontier Foundation reported, Apple was one of the first major companies to make use of the device known as a warrant canary. A warrant canary is one of the methods a company may use to alert the public to otherwise secret demands made by the US government. Following the passage of the USA Patriot Act in 2001, the availability of secret subpoenas was dramatically expanded, and they may be used against anyone who may have information that the authorities consider relevant to their intelligence or terrorism investigations. Because of the nature of these subpoenas, criminal penalties may be assessed against individuals who reveal even the existence of the requests for information. To get around this, a company may publish a public statement that it has not received such a request. If that is no longer true, removing the statement, or declining to repeat it, signals to the public that the government has asked for data. In the transparency report covering early 2013, Apple stated that it “has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” This language is missing from the more recent reports, which instead state “To date, Apple has not received any orders for bulk data.” This shift in language may be Apple’s signal that it has been forced to comply with an order under the Patriot Act.

An alternative view is that Apple is simply complying with the latest addition to the government’s scheme for reporting on these kinds of requests. As detailed in a January 2014 letter to the general counsel of major tech companies, there are essentially two options available. A company may publish the number of requests for specific kinds of information in bands of 1000, or may publish total aggregate numbers in bands of 250. Apple’s latest report indicates that it currently sits in the 0-250 band. The major flaw in both of these reporting options is that the lowest band starts at zero, so a reader cannot tell zero requests from a handful, which is precisely where the warrant canary can do its work. The letter also indicates that there is to be a significant time delay between the issuing of a request and when a company may report on it, ranging from six months to, for requests concerning a new product, two years. A timely published warrant canary may also circumvent this requirement. The risk of the canary from the government’s standpoint is that it undermines the secrecy of the orders and reduces the effectiveness of a major national security tool.

Whether the absence of the canary language indicates Apple’s compliance with the new government reporting scheme or is an admission that Apple has actually received a secret order, the takeaway is clear: The government has an arsenal of methods to acquire information about users of Internet services without their knowledge. The validity of these secret orders is an issue of supreme importance in our increasingly interconnected world. Among the variety of ways for companies to advocate for their users, publishing transparency reports similar to Apple’s is probably one of the simplest, and subtlest, ways to bring the discussion into headline news once again. The warrant canary is a device with perhaps questionable legal heritage, but it promotes a vigilant and informed public discussing a question at the crossroads of national security and personal privacy.


October 1st, 2014 at 5:58 pm

Posted in Legal/Tech News