Privacy and cybersecurity go hand in hand. Therefore, it is imperative that policy makers at the local, state, and federal levels adopt policies and enforce practices that promote these principles. This is especially important due to the increased amount of data that governments are collecting.
During the past decade, law enforcement agencies around the world have begun to implement police body cameras to assist in evidence gathering, transparency, and accountability. In the United States, several incidents during the past year have prompted local police departments to test and begin utilizing body cameras. While this technology brings great promise, it also creates new privacy and cyber security challenges.
To help alleviate these concerns, the International Association of Chiefs of Police (IACP) recently published their "Guiding Principles on Cloud Computing in Law Enforcement". These principles are much needed because as more digital video evidence is created by law enforcement, the proper safeguards must be in place to ensure that the data is stored in an appropriate manner for the legal justice system.
The IACP's principles state:
1) FBI CJIS Security Policy Compliance - Services provided by a cloud service provider must comply with the requirements of the Criminal Justice Information Services (CJIS) Security Policy (current version 5.3, dated August 4, 2014), as it may be amended.
2) All Data Storage Systems Should Meet the Highest Common Denominator of Security.
3) Data Storage Technology Can Be Disaggregated From Collection.
4) Data Ownership - Law enforcement agencies should ensure that they retain ownership of all data.
5) Impermissibility of data mining - Law enforcement agencies should ensure that the cloud service provider does not mine or otherwise process or analyze data for any purpose not explicitly authorized by the law enforcement agency.
6) Auditing - Upon request, or at regularly scheduled intervals mutually agreed, the cloud service provider should conduct, or allow the law enforcement agency to conduct audits of the cloud service provider's performance, use, access, and compliance with the terms of any agreement.
7) Portability and interoperability - The cloud service provider should ensure that CJI maintained by the providers is portable to other systems and interoperable with other operating systems to an extent that does not compromise the security and integrity of the data.
8) Integrity - The cloud service provider must maintain the physical or logical integrity of CJI.
9) Survivability - The terms of any agreement with cloud service providers should recognize potential changes in business structure, operations, and/or organization of the cloud service provider, and ensure continuity of operations and the security, confidentiality, integrity, access and utility of the data.
10) Confidentiality - The cloud service provider should ensure the confidentiality of CJI it maintains on behalf of a law enforcement agency.
11) Availability, Reliability, and Performance - The cloud service provider must ensure that CJI will be available to the law enforcement agency when it is required within agreed performance metrics.
12) Cost - Law enforcement agencies should focus cloud acquisition decisions on the Total Cost of Ownership model.
The recent multiple hacks into the federal government's networks have demonstrated the importance of updating and implementing the proper digital policies and technologies. With access comes responsibility. It is imperative that law enforcement agencies that utilize body-worn cameras and other digital data collection technologies follow these principles to protect law enforcement agencies, the general public, and the criminal justice system. The IACP's cloud computing principles will help ensure that justice stays blind in the age of police body cameras.
Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.
To inform about the legal, business, privacy, cyber security, and public policy issues that confront those who utilize digital platforms.
Thursday, June 18, 2015
Tuesday, June 16, 2015
FBI Investigating St. Louis Cardinals For Allegedly Hacking Houston Astros
According to The New York Times, the FBI is investigating the St. Louis Cardinals for allegedly hacking into the Houston Astros' internal network. The Cardinals are the most successful National League franchise and 2nd most successful organization in Major League Baseball after the New York Yankees. While this investigation is ongoing, it would not surprise me if, in addition to serious state and federal charges, Major League Baseball imposes a harsh penalty on the Cardinals and those employees responsible if it is found that they hacked into the Astros' computer networks.
This is a breaking story so more updates may be provided later.
Facial Recognition Privacy Talks Collapse Due to Inadequate Consumer Safeguards
According to The New York Times, nine civil rights and other advocacy organizations announced today that they are withdrawing from "talks with trade associations over how to write guidelines for the fair commercial use of face recognition technology for consumers."
Why are these talks so important? Because every time you walk into a fast food restaurant instead of a health food store you will be tracked and this information will be sent to data brokers who will insert it into your digital dossier. You will be penalized for who you talk to in public (whether it's a friend, business associate, or a stranger on the street) and this data will be tied to you forever. What stores you visit and when you visit them will be collected and available to interested parties.
Should private companies have the right to know if you attend weekly religious functions and what faith you practice based upon your comings and goings? What about whether you are seen visiting a bar or other gathering known for particular social or political characteristics? Do you want others to know whether you frequent casinos, liquor stores, cigar shops, or certain specialty retailers? Visiting these places and making purchases are perfectly legal. However, when each of these individual activities is taken together, it can paint a picture of our lives. This is why John Hancock has created a new life insurance product that tracks your every move. These are just a few examples of why stronger privacy protections are needed for biometrics.
Privacy is a civil right. The potential for discrimination is high. The more data that is being collected about us the greater the risk of the information falling into the wrong hands. For example, the recent cyber attack on federal databases by Chinese hackers is a serious threat to national security and personal safety. The systems compromised housed information on federal workers, their families, and those who interact with them. The type of data contained in these files may be utilized for strategic national and economic security, blackmail, and who knows what else.
Absent participation by civil rights groups and privacy advocates, the facial recognition talks are worthless. It's time for more technology companies to take a public stand for greater privacy protections. The 4th Amendment has protected us against unreasonable government searches and seizures for more than 200 years. It's time for us to demand that our government extend this principle to protect us against unreasonable data collection and usage by private companies.
Monday, June 15, 2015
Belgium Sues Facebook Over Its Troubling Privacy Practices
According to The Wall Street Journal, Belgium's Privacy Commission is taking Facebook to court over its very troubling privacy practices. Last month, the Commission publicly chastised Facebook for the way it handles the personal data of Internet users. The Commission has focused on "how Facebook tracks Internet users on external websites through the use of “like” and “share” buttons".
In general, I avoid using Facebook's "like" or "share" button because for years the company has demonstrated via its privacy policy and agreements with data brokers that it does not care about the privacy of its users. The New York Times recently shed some light on how Facebook's Mark Zuckerberg is a privacy hypocrite. Mr. Zuckerberg's business practices demonstrate that he doesn't believe his users deserve to have their personal data kept private but he wants those who are working with him personally to sign non-disclosure agreements (NDA) to protect his personal information. This behavior appears to demonstrate that Mr. Zuckerberg believes privacy is only for the super-rich and not the Average Joe or Facebook user.
My hope is that U.S. lawmakers, regulators, and state attorneys general closely watch how the European Union (EU) deals with digital privacy issues. While I don't agree with every public policy decision that the EU makes regarding the digital ecosystem, when it comes to holding companies such as Facebook and Google accountable for the way they handle and utilize the personal information of Internet users, the U.S. should closely explore emulating the EU's thought process on these matters.
Privacy is one of the hallmarks of a democratic society and we must protect it before some members of the technology community permanently destroy it to maximize their corporate profits. While Facebook and Google talk the talk regarding privacy they have failed to walk the walk and refrain from abusing their access to the data they are collecting about all of us.
Thursday, June 11, 2015
Warrants Must Be Required for Digital Data Access
Growing up, I enjoyed watching L.A. Law and Law & Order. So it was at a relatively young age that I learned that a warrant was required for the police to search your home and personal belongings. In law school, my criminal law classes focused on the need for the police to follow proper legal procedures to obtain a search warrant. Case after case demonstrated that the Fourth Amendment protects us against unreasonable searches and seizures—a basic tenet of American jurisprudence.
When I began practicing law at the dawn of the Internet Age, I soon realized that in the digital space, this long-held, common-sense approach to law enforcement searches is not always applicable. Surprisingly, searches in the physical world almost always require a warrant while searches in the “digital world” generally do not. Under the 1986 Electronic Communications Privacy Act (ECPA), enacted with 1980s technology in mind, the legal need for a warrant to access one’s personal digital content depends on the type of technology utilized to store the data and how old the correspondence is.
According to an Electronic Information Privacy Center (EPIC) analysis of ECPA, the backbone of U.S. digital privacy law, law enforcement does not need a warrant to access both opened and unopened emails stored in the cloud for more than 180 days. In contrast, emails located on a home hard drive and opened emails that are less than 180 days old require a warrant.
The deficiencies in this approach are becoming more apparent every day. For example, law enforcement agencies across the country are using mobile devices called Stingrays to collect information that is stored on our cell phones and other digital devices without warrants. Law enforcement has refused to discuss, even in court, the technology utilized in Stingray devices. And this is just one example of overreach.
Our current legal framework worked best in 1986. ECPA made sense then because lawmakers didn’t envision people storing thousands of personal files for years on remote or cloud-based servers. In 1986, these technologies did not exist. Over the past 30 years, technological innovation has changed how we create, access, process, and archive digital content. Today, many people store personal emails and data in the cloud or apps. Due to the growing interconnectedness of our society, many of these platforms have servers located around the globe. At any given time, our data may be processed, archived, or stored in servers anywhere in the world.
Whether a warrant is required to access one’s digital data should not depend on the age of the content, the technology utilized to store the information, or the location of the data. In the face of ECPA’s limitations, some states, such as Virginia and California, have enacted laws requiring a warrant before Stingray technology may be deployed. A forward-thinking national law that requires a warrant to access digital content regardless of data’s age or the type of storage technology utilized is needed.
Fortunately, Congress has recently proposed a bipartisan fix to this problem with the introduction of the Law Enforcement Access to Data Stored Abroad Act (LEADS). This bill offers a well-balanced approach that requires law enforcement to obtain a warrant when it wants access to personal digital content. If data is located on an app or a server that is located overseas, it requires law enforcement to follow the legal process required to obtain the information in the jurisdiction where the content is located. This common-sense approach ensures that personal information is treated equally whether located in the physical or the digital world.
It’s time for the United States to demonstrate leadership on digital privacy issues. A step in the right direction would be to enact the bipartisan LEADS Act.
Wednesday, June 3, 2015
Apple CEO Blasts Facebook and Google For Privacy and Security Practices
Earlier this week, I attended the Electronic Privacy Information Center's (EPIC) annual Champions of Freedom Awards Dinner. According to its website, "EPIC is an independent non-profit research center in Washington, DC. EPIC works to protect privacy, freedom of expression, democratic values, and to promote the Public Voice in decisions concerning the future of the Internet." The event honored those who have made a significant contribution to protecting our personal digital privacy and cyber security.
This year, Richard Clarke, Tim Cook, Kamala Harris, and Susan Linn were honored. Each of these honorees has performed excellent work in furtherance of protecting our personal privacy and safety from online and offline threats. Richard Clarke and Susan Linn were in attendance, while Tim Cook and Kamala Harris, who both live in California, spoke to the audience remotely.
The most passionate remarks of the evening came from Apple CEO Tim Cook. He discussed the importance of strong privacy protections in digital products and services and blasted those companies (i.e. Facebook and Google) that provide free services in exchange for selling their customers' personal information to data brokers.
I do not utilize Facebook or Google products/services for any private communications and I do not recommend anyone who values their digital privacy and safety to do so either because the practices of these companies enable very troubling data mining that may lead to discrimination when applying to college, applying for credit, and when applying for a new job. For several years, it has been known that Facebook sells its users' personal information to data brokers; however, Google's troubling data broker agreements were not as well known until The Wall Street Journal recently reported that Google is combining users' offline purchases with their digital activity.
Privacy is a civil rights issue and in order to stay a free society we must ensure that no private or public entity is allowed to destroy it. The bottom line is that digital privacy and cyber safety go hand in hand and organizations such as EPIC work to better protect us from companies such as Facebook and Google that have troubling privacy policies and practices.