Showing posts with label Digital Privacy Law. Show all posts

Monday, December 21, 2015

The EU's Push For Stronger Privacy Laws and Safe Harbor

Last week, the European Union took a step closer to enacting stronger digital privacy laws that will make it more challenging for companies to re-purpose the data they are collecting from their customers.  These new data protections would harmonize the privacy laws across the 28 members of the EU and stiffen the potential fines for violators up to 4% of a violator's global revenue.

The European Parliament and individual member governments still must pass the new proposals, so it is not certain that this is a done deal.  After all of the approvals have been obtained, the law may become effective within two years.

In general, I am in favor of strong industry self-regulation.  Unfortunately, this has not worked as hoped in the digital space.  Some companies are collecting massive amounts of personal information about their users and then utilizing the data for opaque secondary uses (e.g., selling the content to data brokers, psychological experiments, etc.).  Because of these non-transparent abuses, EU lawmakers felt it was time to act to rein in these practices.

Some positive aspects of these reforms provide users the right to know why they are being profiled, how they are being labeled, who is using their personal data, etc. This type of transparency will lead to greater accountability and hopefully lead to some companies changing their troubling privacy policies and data usage practices.  While it may be wishful thinking, I am optimistic that these new laws will convince U.S. lawmakers and regulators to push for some of these much-needed reforms because there is little transparency in the data collection and usage industry.

This latest push for stronger EU privacy laws coincides with the negotiation for an updated Safe Harbor data transfer agreement which may soon replace the previous one that was invalidated earlier this year.  In our digitally dependent economy, participants need to be able to transfer data between continents in a timely fashion. Therefore, I am cautiously optimistic that an updated Safe Harbor Agreement will be finalized early in the new year because in our interconnected world it is imperative for businesses to have legal certainty.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved. 

Monday, November 9, 2015

Supreme Court Declines Cell Phone Privacy Case

Earlier today, the Supreme Court declined to hear a case regarding whether law enforcement needs a warrant to access the location information of cell phone users.  While the decision to turn down the case may disappoint some privacy advocates, it is not surprising.

Earlier this year in Davis v. U.S., the 11th Circuit Court of Appeals determined that it was not necessary for the police to obtain a warrant before accessing cell phone location records.  The defendant was convicted of armed robbery based in part on his cell phone location data. The appeals court opinion compared cell phone location data to security camera surveillance images (page 27 of the opinion), which is an interesting analogy.

In general, absent exigent circumstances (legal jargon for an emergency), a warrant should be required to access the content and metadata associated with one's digital devices.  In the physical world, law enforcement is generally required to obtain a warrant to search one's home or car.  A home or car may contain physical information (e.g., clothing, hard copy paper records, etc.) that may indicate an investigatory target's location history or other relevant data.

Since a warrant is generally required for physical world evidence, a warrant should generally be required for digital world evidence including location information, metadata, etc. I am hoping that the court declined this matter because it is waiting for a test case that will more easily enable them to strengthen our privacy laws.

This denial of cert demonstrates that it is imperative for the privacy community to increase its efforts to better educate the judiciary, state and federal lawmakers, and other stakeholders about digital privacy issues.


Wednesday, September 9, 2015

Cybersecurity Alert: Porn App Blackmails Users

As a former New Yorker, I loved the Broadway musical "Avenue Q".  There are some Broadway shows that have widespread appeal because they are a microcosm of our society.  The production had many memorable musical numbers; however, one that is timeless is "The Internet is for Porn."

In 2013, more people visited porn websites than Twitter, Amazon, and Netflix combined.  In other words, Avenue Q's "The Internet is For Porn" still resonates with audiences more than 12 years after it was introduced.  Not only have Broadway writers taken note of society's love affair with porn; so have hackers and criminals.

According to CNN, a porn app called "Adult Player" secretly takes your photo, locks you out of your digital device, and demands $500 to unlock it.  This activity is known as ransomware and it is becoming a growing challenge.  Criminals have even successfully targeted police departments and law firms with these schemes.

To avoid becoming a victim of this type of crime, it is imperative to be careful what you download.  Even if something appears to be legitimate, it may be a phishing expedition by a criminal enterprise. Therefore, if an email attachment or link looks suspicious, delete it.  If someone really wants to get in touch with you, they will figure out a way to do so.


Monday, September 7, 2015

U.S. Dept. Of Justice v. Microsoft: The Fight For Digital Privacy

Last week, the U.S. government issued new guidance regarding when and how federal law enforcement may deploy cell phone site simulators (i.e. stingray technology) that collect consumer mobile phone/digital device data.  In general, the U.S. Department of Justice (DOJ) will now require federal officials to obtain a warrant to deploy these technologies and utilize the data collected.  This change in policy signals that the U.S. government is beginning to understand that it must create reasonable rules and procedures regarding the collection and usage of digital evidence that adhere to the principles of the Fourth Amendment.

While the federal government has changed its policy regarding the use of cell site simulators, I am perplexed that it hasn’t changed its position about some other digital data privacy issues. For example, in a New York City federal appeals courtroom later this week the DOJ will be squaring off against Microsoft in a matter about digital privacy law that has tremendous international ramifications.  In short, the federal government wants to be able to require U.S.-based companies to turn over digital data that is held in foreign-based servers without being required to follow the evidence collection laws of the countries where the data is located.  This position is very troubling and goes against well-established national and international law regarding the collection and usage of evidence.

In general, to obtain physical evidence law enforcement must follow the laws of the jurisdiction where it is located.  In some circumstances jurisdiction occurs by citizenship.  However, here the data is located outside the U.S. and the user (DOJ target) doesn't appear to be American.  Under these facts, I question the DOJ's theory as to why it has the legal authority to obtain the requested information without the cooperation of the government of Ireland.  

The DOJ is arguing that data stored in digital clouds should be treated differently than evidence stored in physical filing cabinets.  Interestingly, the DOJ has so far won its flawed argument in federal court, so Microsoft has taken its fight to the federal Second Circuit Court of Appeals.

Multiple academics (i.e. here and here) have previously written about this case (and so have I) because it sounds like a law school final exam.  For non-lawyers this means that the law is not clear on how to handle this specific situation.  If general jurisprudence on how to handle physical evidence is followed, the DOJ would be required to contact law enforcement agencies in the country (in this case it is Ireland) where the digital data is located.  However, since this is technology, and the information requested is stored in the cloud the courts are grappling with how to handle these issues.

DOJ is claiming (among other things) that since Microsoft (or other technology providers) has legal control over its servers in Ireland, it should be required to turn over the data requested without going through the legal process in Ireland.  With this same argument, a foreign government could in turn claim that it doesn’t have to follow U.S. law when demanding access to U.S. consumer digital data located in the U.S. if the server provider has operations in that foreign country.

If the DOJ wins its legal argument, in addition to foreign governments making the same access demands to digital accounts located in the U.S., a win may also encourage U.S. tech companies to change the legal structure of their foreign subsidiaries to be able to legitimately claim that they do not have the authority to access and/or turn over customer data located in a foreign country.  This may lead to many high paying jobs being transferred from the U.S. to other countries to oversee the operations of these new legal entities. 

Amicus briefs from not only other technology companies, but also from civil rights groups, academic scholars, and privacy advocates supporting Microsoft's position demonstrate that this case is more than just about protecting the bottom line of the U.S. cloud industry. This case goes to the heart of the proper way to handle unique digital law and public policy issues.  Whether it's through the federal courts, or via congressional action such as the Law Enforcement Access To Data Stored Abroad (LEADS) Act, or other similar legislation, the U.S. must set an example and take a leadership role on how to properly balance lawful access with personal privacy.

Regardless of the outcome of this case, it is imperative that a broad international discussion occur on how to handle this and similar burgeoning digital law and public policy issues.  


Thursday, June 11, 2015

Warrants Must Be Required for Digital Data Access

Growing up, I enjoyed watching L.A. Law and Law & Order.  So it was at a relatively young age that I learned that a warrant was required for the police to search your home and personal belongings. In law school, my criminal law classes focused on the need for the police to follow proper legal procedures to obtain a search warrant. Case after case demonstrated that the Fourth Amendment protects us against unreasonable searches and seizures—a basic tenet of American jurisprudence.

When I began practicing law at the dawn of the Internet Age, I soon realized that in the digital space, this long-held, common-sense approach to law enforcement searches is not always applicable. Surprisingly, searches in the physical world almost always require a warrant while searches in the “digital world” generally do not.  Under the 1986 Electronic Communications Privacy Act (ECPA), enacted with 1980s technology in mind, the legal need for a warrant to access one’s personal digital content depends on the type of technology utilized to store the data and how old the correspondence is.   

According to an Electronic Privacy Information Center (EPIC) analysis of ECPA, the backbone of U.S. digital privacy law, law enforcement does not need a warrant to access both opened and unopened emails stored in the cloud for more than 180 days.  In contrast, emails located on a home hard drive and opened emails that are less than 180 days old require a warrant.

The deficiencies in this approach are becoming more apparent every day.  For example, law enforcement agencies across the country are using mobile devices called Stingrays  to collect information that is stored on our cell phones and other digital devices without warrants. Law enforcement has refused to discuss, even in court, the technology utilized in Stingray devices. And this is just one example of overreach.    

Our current legal framework worked best in 1986. ECPA made sense then because lawmakers didn’t envision people storing thousands of personal files for years on remote or cloud-based servers.  In 1986, these technologies did not exist.  Over the past 30 years, technological innovation has changed how we create, access, process, and archive digital content.  Today, many people store personal emails and data in the cloud or apps.  Due to the growing interconnectedness of our society, many of these platforms have servers located around the globe.  At any given time, our data may be processed, archived, or stored in servers anywhere in the world.        

Whether a warrant is required to access one’s digital data should not depend on the age of the content, the technology utilized to store the information, or the location of the data.  In the face of ECPA’s limitations, some states, such as Virginia and California, have enacted laws requiring a warrant before Stingray technology may be deployed.  A forward-thinking national law that requires a warrant to access digital content regardless of data’s age or the type of storage technology utilized is needed. 

Fortunately, Congress has recently proposed a bipartisan fix to this problem with the introduction of the Law Enforcement Access to Data Stored Abroad Act (LEADS).  This bill offers a well-balanced approach that requires law enforcement to obtain a warrant when it wants access to personal digital content.  If data is located on an app or a server that is located overseas, it requires law enforcement to follow the legal process required to obtain the information in the jurisdiction where the content is located.  This common-sense approach ensures that personal information is treated equally whether located in the physical or the digital world.   

It’s time for the United States to demonstrate leadership on digital privacy issues. A step in the right direction would be to enact the bipartisan LEADS Act.


Wednesday, June 3, 2015

Apple CEO Blasts Facebook and Google For Privacy and Security Practices

Earlier this week, I attended the Electronic Privacy Information Center's (EPIC) annual Champions of Freedom Awards Dinner.  According to its website, "EPIC is an independent non-profit research center in Washington, DC. EPIC works to protect privacy, freedom of expression, democratic values, and to promote the Public Voice in decisions concerning the future of the Internet."  The event honored those who have made a significant contribution to protecting our personal digital privacy and cyber security.

This year, Richard Clarke, Tim Cook, Kamala Harris, and Susan Linn were honored.  Each of these honorees has performed excellent work in furtherance of protecting our personal privacy and safety from online and offline threats.  Richard Clarke and Susan Linn were in attendance, while Tim Cook and Kamala Harris, who both live in California, spoke to the audience remotely.

The most passionate remarks of the evening came from Apple CEO Tim Cook. He discussed the importance of strong privacy protections in digital products and services and blasted those companies (i.e. Facebook and Google) that provide free services in exchange for selling their customers' personal information to data brokers.     

I do not utilize Facebook or Google products/services for any private communications and I do not recommend anyone who values their digital privacy and safety to do so either because the practices of these companies enable very troubling data mining that may lead to discrimination when applying to college, applying for credit, and when applying for a new job.  For several years, it has been known that Facebook sells its users' personal information to data brokers; however, Google's troubling data broker agreements were not as well known until The Wall Street Journal recently reported that Google is combining users' offline purchases with their digital activity.

Privacy is a civil rights issue and in order to stay a free society we must ensure that no private or public entity is allowed to destroy it.  The bottom line is that digital privacy and cyber safety go hand in hand and organizations such as EPIC work to better protect us from companies such as Facebook and Google that have troubling privacy policies and practices.


Monday, March 23, 2015

New York Times Facebook Content Deal Is A Threat To Personal Privacy

The New York Times is one of the world's most respected news organizations and one of the most popular destinations for news on the Internet.  However, I was dismayed to read in The New York Times that it may strike a deal to house some of its content inside Facebook.

This is a very troubling development for not just the media landscape but also for the freedom of thought and expression.  The ramifications of this potential deal will erode the privacy of The New York Times' readers and it will enable data brokers and their clients to create richer profiles of those who read the paper via Facebook due to Facebook's troubling deal with multiple data brokers.

When a New York Times reader utilizes Facebook to access articles, this information will be sent to Facebook's data broker partners who will insert this content into a user's digital dossier.  This data may be utilized by banks, insurance companies, employers, etc. to discriminate against people for reading about certain topics.  For example, when someone reads a lot of articles about their race, sexual orientation, health issue, religion, etc., this data will be tracked and a data broker may provide it to one of their clients who may utilize it to decide on whether a reader is a good fit for a job.

While ad networks and other digital tracking platforms already combine every digital morsel about users they can find, being able to track users from their personal Facebook account creates a new level of data purity that from a privacy standpoint is very troubling.  I don't want data brokers to be able to track everything that I read on The New York Times and combine that information with other personal characteristics about myself.

Due to Facebook's troubling privacy policy and practices, I do not utilize it for personal communications and I have no plans on doing so in the future.  I urge The New York Times and others who may be thinking about hosting their content on Facebook to think about these important privacy issues before finalizing any deal that may harm their users in unanticipated ways.


Monday, February 16, 2015

Law Enforcement Access To Data Stored Abroad Act Introduced

Late last week, Sen. Orrin Hatch of Utah introduced the Law Enforcement Access To Data Stored Abroad Act (LEADS Act), which would require law enforcement to obtain a warrant under the Electronic Communications Privacy Act (ECPA) to obtain the content of subscriber communications from an electronic communications or cloud computing service.  According to Sen. Hatch, the legislation would "strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission".

The LEADS Act appears to have been introduced in response to an ongoing federal court case that required a U.S. email service provider to turn over customer emails that are stored in Ireland in response to a U.S. warrant instead of going through the proper legal channels in Ireland.  This ruling was very troubling because it disregarded European digital privacy laws.  Unless this decision is reversed, it may encourage foreign countries to ignore U.S. privacy laws when demanding access to their citizens' digital content that is located in the U.S.

The passage of the LEADS Act is needed not only to better protect digital privacy, but also from a business perspective.  According to The New York Times, the U.S. cloud computing industry may lose tens of billions of dollars in business because international companies and governments have lost confidence in U.S. technology companies due to the NSA surveillance programs that Edward Snowden exposed in 2013.  Forrester Research has indicated that these losses could be as high as $180 billion for U.S.-based firms.

As a lawyer who focuses on privacy and cyber security matters, I have seen some of my clients change their communication habits based upon the information obtained from the NSA documents leaked by Snowden.  Even though I am a proponent of utilizing cloud platforms, due to the troubling state of our digital privacy protections and an increase in hacking incidents, I have been encouraging some of my clients to conduct more business in person and/or on the phone until the U.S. enacts stronger digital privacy laws.  In some instances, I am advising clients to go "old school" and send more physical packages via personal courier or a trusted commercial parcel service.

Unless there are digital exigent circumstances, the government should generally be required to obtain a warrant to access our electronic communications.  Since law enforcement officials generally need a warrant to search our physical homes and businesses, the same standard should apply to our digital homes and businesses.

The LEADS Act is a sensible bill that will help protect online privacy and bring digital public policy into the 21st century.  With more of our personal and business communications occurring digitally, it is imperative that our electronic communications receive the same protections as our "old school" pen and paper documents.

Copyright 2015 by Shear Law, LLC All rights reserved.  

Sunday, May 4, 2014

The NBA, Donald Sterling, and Secretly Recording Professional Athletes, Coaches, and Owners

In the Digital Age, almost everyone has a smartphone that contains a video/audio recording feature.  In general, this is a good feature that can be used to tape record your family doing fun things.  Many people don't see this as a potential threat to personal privacy.  However, if you are a celebrity, professional athlete, politician, billionaire, etc... there is a possibility that your most embarrassing and/or private moments may be recorded for blackmail purposes.  This in turn may create tremendous financial and reputational harm.

The Donald Sterling matter demonstrates that even the people whom you may allegedly trust the most, such as your "personal assistant" or your "silly rabbit", may tape your private conversations without your knowledge for personal gain.  This is a growing problem in the sports world.  For example, according to ESPN, former Golden State Warriors assistant coach Darren Erman secretly taped his fellow coaches and players without their knowledge.  It appears he may have done this via his smartphone.  The motive for Mr. Erman's behavior is not yet known but his actions appear to have been illegal.

In some states such as California, two-party consent is required when taping a conversation.  I find it hard to believe that Sterling would have consented to being taped making racist and sexist comments to his "personal assistant"/"silly rabbit".  However, until all of the facts are available it is only speculation as to whether he consented.  In addition, I doubt Mr. Erman's fellow coaches and the players on his team would have consented to having their private conversations recorded.

The bottom line is that while smartphones, apps, and other new digital technologies may help make our lives easier they may also capture unpleasant personal activities and enable them to be easily shared to the entire world in an instant.  This is why it is so important to take the precautions necessary to protect yourself in the Digital Age. 

Copyright 2014 by Shear Law, LLC. All rights reserved.

Tuesday, March 11, 2014

Bill Cosby, Gilbert Gottfried, Big Data, and the Right to Privacy

One of my favorite television programs growing up in the 1980s was The Cosby Show.  The show was about an upper middle-class African-American family living in Brooklyn, New York.  I enjoyed the show because it was funny and the issues it covered were very timely.

Recently, I watched one of my favorite episodes.  This particular episode's main theme was negotiating to buy a new car since the old family truckster (i.e. think the Griswolds' car in National Lampoon's Vacation) was on its last legs.  Bill Cosby's character, Dr. Heathcliff Huxtable, does not want the car dealer to know that he is a doctor because he fears he will lose any negotiating power (i.e. he wants to keep his potential financial status anonymous because he believes the dealership will be more flexible with a less financially successful customer; think "price discrimination" based upon ability to pay) if the dealer can size him up financially.  He visits the car dealership with his son in an average looking shirt, pants, etc. and avoids telling the salesman his profession.

Dr. Huxtable is downplaying his financial position while the car salesman talks about how expensive it is to raise his children and how one of his kids now needs braces.  The bottom line is that the car negotiation is moving along when all of a sudden Gilbert Gottfried shows up.  Gilbert Gottfried calls Bill Cosby's character "Dr. Huxtable" (the salesman didn't know he was a doctor) and tells the salesman that Dr. Huxtable's wife was recently made a partner in her law firm and that they have plenty of money.   The bottom line is that Gilbert Gottfried's information appeared to alter Dr. Huxtable's ability to negotiate the best possible deal.

Why does this matter?  Think of Gilbert Gottfried as a data broker, a digital online advertising network, or an app that sells (i.e. shares, exchanges, etc...) your personal information to others. This information may then be combined so a personal dossier is created that includes both your online and offline activities.  According to 60 Minutes, this information may then be sold to governments to spy on you or to entities that may prey on those who are vulnerable to sales pitches. 

The more information a seller knows about its buyers the greater the risk that price discrimination may occur.  Should a person's race, creed, religion, personal opinions, wants, disabilities, financial position, health status, etc... be available to sellers?  Should all Americans be on the same footing when shopping or negotiating for goods and/or services?  For example, should a school provider of digital services be able to sell to a data broker or insurance company the lunch purchasing information of students so a corporate entity may then utilize this information for commercial gain?

I believe our country needs to create stronger data protection laws and require data collection companies to become more transparent about their activities.  I don't want my children to grow up in a world where everything they do is collected and inserted into their personal digital file and utilized to discriminate against them.  Shouldn't future generations have the same privacy protections we had while growing up?

Copyright 2014 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

Monday, September 23, 2013

New California Law Protects Minors From Digital Mistakes

A new California law is leading the way to protect our children's digital privacy.  Earlier today, Gov. Brown signed into law SB-568 Privacy: Internet: Minors, which will protect the online privacy of those under 18 years of age who reside in the State of California.  According to CA Senate President Pro Tem Darrell Steinberg, the bill's sponsor, the legislation "requires all web sites, social media sites and apps to allow anyone under 18 to remove content they posted earlier."

The new law will become effective as of January 1, 2015.  It has two main provisions. It seeks to protect minors by generally prohibiting operators of digital platforms (such as web sites, online services, online applications, mobile apps, etc...) from knowingly marketing and advertising to a minor a broad range of products specified in the law.  Some of these products may include alcoholic beverages, firearms, ammunition, tobacco products, fireworks, lottery tickets, tattoos, drug paraphernalia.  In addition, the new law requires operators of digital platforms to notify minors of their rights to remove content or information they posted and honor their requests to remove such data, subject to specified conditions and exceptions.

California has become the first state to offer greater digital protections to minors than the recently revised Children's Online Privacy Protection Act.  While SB-568 is a win for the digital privacy of minors, those under 18 should not use this as an excuse to be reckless about their digital lives.  For example, the law does not enable a minor to require a digital platform to remove content that another person posts about that minor.  In addition, Internet companies are only required to remove publicly available content a minor posts and not data that is not publicly viewable.

While SB-568 may help protect California minors from some digital mistakes that may harm their ability to gain acceptance into the college of their dreams, it should not replace educating our children about these issues.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.