Our bipartisan coalition is prompting former intelligence agency officials to carry the Biden administration's water by lobbying hard to kill Section 702 reform. Our Senior Policy Advisor and former U.S. Congressman, Bob Goodlatte, and Americans for Prosperity's deputy director of Federal Government Affairs, Matthew Silver, cut through the spin in RealClearPolitics.
Credit to the Department of Justice for a voluminous response to our Freedom of Information Act (FOIA) request. Our request concerned the use of stingrays, or cell-site simulators, by that department and its agencies. Out of more than 1,000 pages in DOJ’s response, we’ve found a few gems. Perhaps you can find your own.
Review our digest of this document here, and the source document here.
The original FOIA request concerned DOJ policies on cell-site simulators, commonly known by the commercial brand name “stingrays.” These devices mimic cell towers to extract location and other highly personal information from your smartphone.
The DOJ FOIA response shows that the FBI in 2021 invested $16.1 million in these cell-site simulators (p. 209) in part to ensure they “are capable of operating against evolving wireless communications.” The bureau also asked for $13 million for “communications intercept resources.” This includes support for the Sensitive Investigations Unit’s work in El Salvador (p. 111).
On the policy side, we’ve reported that some federal agencies, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives, maintain that stingrays are not GPS location identifiers for people with cellphones. This is technically true. Stingrays do not download location data or function as GPS locators. But this is too clever by half. Included in this release is an Obama-era statement by former Department of Justice official Sally Yates that undermines this federal claim by stating: “Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are known …” (p. 17)
This release gives an idea of how versatile stingrays have become. The U.S. Marshals Service (p. 977) reveals that it operates cell-site simulators and passive wireless collection sensors to specifically locate devices inside multi-dwelling buildings.
Other details sprinkled throughout this release concern other, more exotic forms of domestic surveillance.
For example, the U.S. Marshals Service Service has access to seven aircraft located around the country armed with “a unique combination of USMS ELSUR suite, high resolution video surveillance capability … proven to be the most successful law enforcement package” (p.881-883).
A surveillance software, “Dark HunTor,” exposes user data from Tor, the browser meant to make searches anonymous, as well as from dark web searches for information. (p. 105) In addition, the U.S. Marshals Service Service “has created the Open-Source Intelligence Unit (OSINT) to proactively review and research social media content. OSINT identifies threats and situations of concern that may be currently undetected through traditional investigative methods. Analyzing public discourse on social media, its spread (‘likes,’ comments, and shares), and the target audience, the USMS can effectively manage its resources appropriate to the identified threats.” (p. 931)
The DOJ release also includes details on biometric devices, from facial recognition software to other biometric identifiers, (p.353), as well as more than $10 million for “DNA Capability Expansion” (p.365).
Is that all? Feel free to look for yourself.
Targeted Journalists, Political Opponents, NGO Around the World
Now another Israeli company joins the NSO Group for its flagrant disregard for human rights, democracy, and digital privacy in the name of profit.
QuaDream has been identified by The Citizen Lab at the Monk School of Global Affairs and Public Policy as the developer of a new spyware, Reign. Like the more notorious Pegasus, Reign infiltrates phones without requiring the target to click on a malicious link or to even take any action at all.
Citizen Lab found that Reign can:
And when the job is complete, Reign self-destructs, removing most of the evidence that it was at ever at work in the victim’s phone.
For decades, iPhone users enjoyed superior security. Reign took a big bite out of Apple’s vaunted security features. It infected some victims’ phones by sending them an iCloud invitation, following up on previous invitations, which makes the fake resend invisible to the user. Meanwhile, Google has issued some software patches to address vulnerabilities with its Android smartphone.
Microsoft, which partnered with Citizen Lab, reported that the technology has been used to surveil journalists, political opposition figures, and an NGO in countries ranging from the Middle East to Central Europe and Latin America.
We have seen time and again that commercially developed spyware finds its most lucrative market in sales to repressive governments and the world’s most dangerous criminal enterprises. While the Israeli government seems alert now to the threat posed by the commercial spyware sector, other actors around the world are surely poised to pick up the slack. The arms race between Apple, Google, and Samsung against spyware developers will continue apace. In the meantime, as former Vice President Nelson Rockefeller said: “If you don’t want it known, don’t say it over the phone.”
Or anywhere within twenty feet of your smartphone.
The New York Times broke the story that a front company in New Jersey signed a secret contract with the U.S. government in November 2021 to help it gain access to the powerful surveillance tools of Israel’s NSO Group.
PPSA previously reported that the FBI had acquired NSO’s signature technology, Pegasus, which can infiltrate a smartphone, strip all its data, and transform it into a 24/7 surveillance device. Mark Mazzetti and Ronen Bergman of The Times now report that the FBI in recent years had performed tests on defenses against Pegasus and “to test Pegasus for possible deployment in the bureau’s own operations inside the United States.” An FBI spokesperson told these journalists the FBI’s version of the software is now inactive.
The secret contract also grants the U.S. government access to NSO’s powerful geolocation tool called Landmark. Mazzetti and Ronen report that such NSO technology has been used thousands of time against targets in Mexico – and that Mexico is named as a venue for the use of NSO technology. Two sources told the journalists that the “contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened.”
This story is catching the Biden Administration flat-footed, which had declared this technology a national security threat while placing NSO on a Commerce Department blacklist. In light of these new revelations, Members of Congress should ask the Directors of National Intelligence, the CIA, FBI, and DEA:
This breaking story will likely force the Biden White House to promulgate new rules limiting the use of NSO technology by federal law enforcement and intelligence agencies. As it does, Congress should be involved every step of the way.
This technology is frightening because NSO tools can be installed remotely on smartphones with the most updated security software, and without the user succumbing to phishing or any other obvious form of attack. The need for a detailed policy limiting the use of these tools is urgent. NSO technology is to ordinary surveillance what nuclear weapons are to conventional weapons. Because nuclear weapons are hard to make, Washington, D.C. had time to plan and enact a global non-proliferation regime that delayed their proliferation. In the case of Pegasus and Landmark, however, this technology easily proliferated in the wild before Washington was even fully aware of its existence.
Pegasus has been used by drug cartels to track down and murder journalists. It has been used by an African government to listen in on conversations between the daughter of a kidnapped man and the U.S. State Department. It was famously used to plan the murder of Adnan Khashoggi. Does anyone doubt that Russian and Chinese intelligence have secured their own copies? Now Washington is both racing to catch up with foreign adversaries and limit the use of this technology at the same time.
NSO, through its amoral proliferation of dangerous technology, has made the world a riskier place. As federal agencies seek to get their hands on this technology, Congress should paint a bright red line – DO NOT USE DOMESTICALLY, EVER.
The Project for Privacy and Surveillance Accountability wore holes in the bottoms of our shoes on Capitol Hill to advocate for common sense reforms of federal surveillance practices. We also wrestled with federal agencies in court to glean insights into the state of surveillance. Through our Freedom of Information Act (FOIA) requests and lawsuits, we compelled the release of documents about how federal agencies are getting around the Fourth Amendment of the U.S. Constitution to access our most private information.
PPSA’s Legislative Year
PPSA was instrumental in helping pass the NDO Fairness Act in the U.S. House of Representatives in 2022. This bill promises to curb the routine government practice of using Non-Disclosure Orders to block telecommunication service providers from notifying their customers that a search of their personal information has been conducted by prosecutors.
PPSA encouraged Members of Congress in both parties to sponsor the Fourth Amendment Is Not for Sale Act. This measure would require law enforcement and intelligence agencies to seek probable cause warrants before accessing our personal information scraped from social media and apps.
We also built on our advocacy that helped the Lee-Leahy Amendment pass the U.S. Senate with 77 votes in 2020. This amendment would require the secret Foreign Intelligence Surveillance Court to appoint an expert attorney to represent the privacy interests of American citizens – a common sense requirement in a court with secret operations that continues to withhold some of its past rulings to this day.
PPSA goes into 2023 with the firm intention of encouraging our champions in the House and Senate to block the reauthorization of Section 702 unless these necessary reform measures are attached to that authority or passed separately.
Freedom of Information Act Revelations
PPSA argued before a federal court that challenges the government’s abuse of the Glomar doctrine, a judicially created maneuver that allows the government to neither “confirm nor deny” the existence of records in response to a FOIA request. We have highlighted the absurd, Catch-22 response from the FBI that it cannot even conduct an internal search for its own documents (in this case, correspondence between the bureau and Members of Congress) without endangering national security.
Other FOIA requests have challenged the secret practices of U.S. law enforcement and intelligence agencies, as well as the suppression of judicial opinions. One such PPSA FOIA yielded an FBI document revealing its collection of web browsing histories of Americans.
“This shows the FBI has a secret policy governing the collection of web browsing data of Americans,” responded Gene Schaerr, PPSA general counsel. “Web browsing data is deeply personal information. It can highlight a person’s religious beliefs, political allegiances, and personal relationships.”
Another PPSA FOIA request is seeking to obtain the secret opinions of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review.
“The very idea of secret law – which can affect the free expression and privacy of millions of Americans – is not compatible with the basics of American democracy,” Gene Schaerr declared in a public statement. “These secret precedents and opinions are corrosive to the operations of a free society. It’s time for the government to come clean.”
Other recent revelations revealed by PPSA FOIA requests show that training documents for U.S. Attorneys require them to “always” seek a Non-Disclosure Order with a warrant application or subpoena. Our FOIA request also revealed documents that direct U.S. Attorneys to seek targets’ location histories from email, social media, or web hosting providers.
In the Courts
PPSA petitioned the U.S. Supreme Court in Torcivia v. Suffolk County to decide whether the Fourth Amendment recognizes a “special-needs” exception to the Constitution’s warrant requirement. Although the petition was ultimately denied, we cast a spotlight on the importance of the High Court ruling on law enforcement’s exceptions to the Fourth Amendment.
In short, 2022 was a building year. Major reform legislation, from Lee-Leahy, to the Fourth Amendment Is Not for Sale Act, to the NDO Fairness Act, have attracted growing bipartisan support and momentum for passage. We look forward to a productive year, both on Capitol Hill and what can be learned about secret surveillance through the courts.
The Internet of Things (IoT), long promised, is already here. It is happening incrementally – from coffee makers, to cars, to refrigerators – that send voluminous quantities of our personal information to the cloud. As the IoT knits together, consumers need to know how our information is being collected.
Most people are unaware that refrigerators, washers, dryers, and dishwashers now often have audio and video recording components. By 2026, over 84 million households will have smart devices, each one a node within a seamless web of personal information. But how will this storehouse of personal data be regulated?
Looking ahead to the growing hazards of the near-future, Sen. Maria Cantwell (D-WA), and Sen. Ted Cruz (R-TX), introduced the Informing Consumers about Smart Devices Act. This legislation would require the Federal Trade Commission to create reasonable disclosure guidelines for products that have video or audio recordings.
“Most consumers expect their refrigerators to keep the milk cold, not record their most personal and private family discussions,” Sen. Cantwell said.
We would make the larger point that Americans shouldn’t have to think about what they say or do in the presence of their appliances. (Although it would be nice to have a smart refrigerator that slaps our hand after 9 p.m.) The greater issue is that all the data that apps, and perhaps now our smart appliances, extract from us can be accessed by government agencies without any need to obey the constitutional requirement to obtain a warrant. All an agency needs to do to obtain our personal information is to purchase it from a private data broker.
That’s all the more reason to pass the Fourth Amendment Is Not For Sale Act.
The Electronic Frontier Foundation, an indispensable pioneer of surveillance accountability, has just released a powerful new version of its Atlas of Surveillance that gives Americans insight into the myriad surveillance technologies that are being used by more than 5,500 law enforcement agencies, across all levels of government, to watch Americans in all 50 states.
EFF is a notable leader in watching the watchers. In September, PPSA examined EFF’s helpful highlighting of marketing slides about the potential for Fog Technology to track people to their homes.
This Atlas of Surveillance, begun with the help of journalism students at the University of Nevada, Reno, recently hit a threshold of 10,000 data points, making it a robust – though not yet complete – survey of which surveillance technologies are being used in which communities.
We entered results for the District of Columbia to give it a try.
John Stuart Mill, quoting the Roman satirist Juvenal, asked: Quis custodiet ipsos custodes? The Atlas of Surveillance gives us confidence that we can at least begin to watch the watchers.
University of Nevada, Reno, interns did a professional job of integrating public documents, crowdsourced information, and news articles to compile this atlas. Kudos to EFF and to their UNR student partners. Be sure and check the Atlas to see how you’re being watched in your community.
Thomas Germain on Gizmodo has an alarming piece on research from two app developers, Tommy Mysk and Talal Haj Bakry, who claim that despite Apple’s explicit promise to allow you to turn off all tracking, Apple still tracks you.
Apple advertises its ability to turn off iPhone tracking on its privacy settings. But according to Mysk and Bakry, after turning off tracking, Apple continues to collect data from many iPhone apps, including the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytic control and other privacy settings had no discernable effect on Apple’s data collection.
“Opting-out or switching the personalization options off did not reduce the amount of detailed analytics that the app was sending,” Mysk told Gizmodo. “I switched all the possible options off, namely personalized ads, personalized recommendations, and sharing usage data and analytics.” Apple still continued to track.
What could be at stake for consumers? Germain wrote:
“In the App Store, for example, the fact that you’re looking at apps related to mental health, addiction, sexual orientation, and religion can reveal things you might not want to be sent to corporate servers.”
Germain concedes that Apple may not be using this information, but it is impossible to know since Apple has not responded. Perhaps a hint of an answer was foreshadowed by Craig Federighi, Senior Vice President of software engineering, when he recently told The Wall Street Journal that “quality advertising and product privacy could coexist.”
That is far too vague to explain how Apple’s explicit privacy promises work in the real world. PPSA calls on Apple to provide a full explanation of how it treats digital privacy.
Carolyn Iodice of Clause 40 Foundation has penned a brilliant analysis and history of the Foreign Intelligence Surveillance Act (FISA), a worldly examination of how that law operates in practice. Briefly put, FISA is a statute that is often treated by the government not as law that must be obeyed, but as a potpourri to mask the stench of illicit surveillance.
Iodice begins her paper with a report issued earlier this year by Sens. Ron Wyden and Martin Heinrich that the CIA has secretly gathered Americans’ records as part of a warrantless bulk data collection program. This program, the senators noted, works “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional, or even executive branch oversight that comes with FISA collection.”
To enter the world of FISA is to enter Alice’s Wonderland where agency general counsels talk backwards and agency chiefs assert six impossible things before breakfast. Iodice makes a bold statement in the beginning that the rest of her paper validates:
“In the context of FISA, the government has succeeded in violating the law by using implausible interpretations of statutory language and even by evading the statute entirely. Of course, it’s not uncommon for the executive branch to overstep its statutory authorities, but if FISA is understood to be legally binding on the government’s surveillance activities in the same way that, for instance, the EPA’s authority to set national air quality standards is granted and defined by the Clean Air Act, then the flagrancy and frequency of the government’s unlawful surveillance activities is puzzling. If FISA—a law duly passed by Congress and signed by the president—sets legal rules for surveillance programs, why does the government keep flouting them?”
Unlike with the Clean Air Act, she explains, with FISA there is no agreement where the lines exist between legislative, judicial, and executive authority. Worse still, there is a lack of agreement how far executive authority can be extended when national security is invoked. The need for the Fourth Amendment’s requirement for a probable cause warrant in criminal cases is clear, even if that principle is often now observed in the breach. But the Supreme Court has not supplied much guidance on how the Fourth Amendment applies to operations within the United States that are for intelligence purposes.
The rest of Iodice’s paper tracks the steady weakening of FISA in the post-9/11 world.
This paper is a timely primer for what promises to be a key surveillance debate: By the end of next year, FISA’s Section 702 must be reauthorized or expire. Section 702 grants the intelligence community the authority to surveil foreign intelligence targets. While Fourth Amendment protections prevent Americans from being targeted, the law allows the communications of Americans to get swept up in “incidental” collection. This loophole has been extended to whatever width or shape the government needs to do whatever it wants.
Iodice concludes that if Congress reasserted its authority, or the courts resolved the Fourth Amendment and separation-of-powers issues in FISA, then FISA would operate more like a statute should. In the meantime, civil liberties champions in Congress need to be deadly serious about holding up reauthorization of Section 702 if demands for serious FISA reforms are not met.
Facial recognition software is a problem when it doesn’t work. It can conflate the innocent with the guilty if the two have only a passing resemblance. In one test, it identified 27 Members of Congress as arrested criminals. It is also apt to work less well on people of color, leading to false arrests.
But facial recognition is also problem when it does work. One company, Vintra, has software that follows a person camera by camera to track any person he or she may interact with along the way. Another company, Clearview AI, identifies a person and creates an instant digital dossier on him or her with data scrapped from social media platforms.
Thus, facial recognition software does more than locate and identify a person. It has the power to map relationships and networks that could be personal, religious, activist, or political. Major Neill Franklin (Ret.) Maryland State Police and Baltimore Police Department, writes that facial recognition software has been used to violate “the constitutionally protected rights of citizens during lawful protest.”
False arrests and crackdowns on dissenters and protestors are bound to result when such robust technology is employed by state and local law enforcement agencies with no oversight or governing law. The spread of this technology takes us inch by inch closer to the kind of surveillance state perfected by the People’s Republic of China.
It is for all these reasons that PPSA is heartened to see Rep. Ted Lieu join with Reps. Shelia Jackson Lee, Yvette Clark and Jimmy Gomez on Thursday to introduce the Facial Recognition Act of 2022. This bill would place strong limits and prohibitions on the use of facial recognition technology (FRT) in law enforcement. Some of the provisions of this bill would:
The introduction of this bill is the result of more than a year of hard work and fine tuning by Rep. Lieu. This bill deserves widespread recognition and bipartisan support.
Earlier this month, former Vice-President Mike Pence called out criticism of the FBI lodged by members of his own party. In his speech, Pence stated “I … want to remind my fellow Republicans we can hold the attorney general accountable for the decision that he made without attacking the rank-and-file law enforcement personnel at the FBI..” While the intent of Pence’s statement is certainly laudable, it comes at a time when the public is increasingly distrustful of the agency’s activities.
Pence’s comments have been received so poorly because they dismiss the credible concerns emanating from all sectors of the American public. The distrust towards the agency turned into full-blown outrage when the FBI raided former President Trump’s Mar-a-Lago estate earlier this month on August 8th. It has been weeks since the raid, and there has been little official explanation provided. What information we do have has been pieced together from an unsealed warrant and source leaks. From the warrant, the search was related to potential violations of three laws including the Espionage Act. Attorney General Merrick Garland said during remarks on August 11 that he would not explain why he personally signed off on seeking a search warrant. Even though documents were recovered, distrust of the agency has become so severe, that swaths of the American public may choose to believe that the evidence seized was forged and planted.
Also worried is Michael Horowitz, Inspector General of the U.S. Department of Justice. Across multiple reports, Horowitz details the abuses, noncompliance, and mishandling that is currently ongoing within the FBI. For a few examples, in September of 2021, the office of the Inspector General released a report stating that there “was widespread non-compliance with the Woods Procedures,” a set of procedures to ensure factual accuracy in FISA applications. In August of 2019, the office of the Inspector General released a report detailing the multiple rules violations by former FBI Director James Comey, indicating a culture of secrecy and noncompliance at the highest level in the chain of command. There are multiple reports detailing commercial sex, accepting illegal gifts from the media, the violation of ethics rules, and a “lack of candor.”
When American citizens display “a lack of candor,” they can be fired from their jobs. When senior officials at the FBI do it, prosecution is declined and the offending party is “reassigned to a nonsupervisory role.”
In 2019, the Foreign Intelligence Surveillance Court criticized the FBI for misleading it in applications to wiretap former Trump campaign aide, Carter Page. Inspector General Horowitz found that the FBI had omitted facts and provided false statements to the FISA court when the FBI filed for a warrant to conduct surveillance on Page. FISA court presiding Judge Rosemary Collier stated in her opinion that “The FBI’s handling of the Carter Page applications, as portrayed in the OIG report, was antithetical to the heightened duty of candor described above…”
So, not only is the public concerned, but so is the office of the Inspector General and the FISA courts, two organizations which either oversee or directly liaise with the FBI.
Just this week, the escapades of the FBI were on full display during a trial to convict two men involved in the 2020 plan to kidnap Michigan Governor Gretchen Whitmer. The already high-profile nature of the case was catapulted into the stratosphere when the FBI revealed there were at least five informants or undercover agents embedded among the suspected planners. Defense attorneys have argued there were at least twelve. The involvement of FBI agents and informants was so significant, that a trial for a separate set of suspected planners failed to get a single conviction. One informant became second-in-command of a militia. Another undercover agent offered to provide explosives to the group. It calls into question whether the FBI was engaged in entrapment.
FBI agents assigned to the case became subjects of scrutiny themselves. As the New York Times reports, “one F.B.I. agent on the case was fired last year after being charged with domestic violence, and another agent, who supervised a key informant, tried to build a private security consulting firm based in part on some of his work for the F.B.I.…” That FBI agents so close to an ongoing plan to kidnap a governor were themselves so compromised is very chilling.
It seems obvious from the last several years that the FBI is in need of both oversight and reform. An agency with significant investigatory and enforcement powers, Congress can and should do more to monitor the activities of the agency.
Last February, PPSA reported that NSO Group, the Israeli cybersecurity company that produced the malware Pegasus, had been placed on a U.S. Commerce Department blacklist. Pegasus is to malicious spyware what a supercomputer is to a calculator. It penetrates smartphones remotely, without requiring any security mistakes or phishing attempts. Once inside a smartphone, Pegasus extracts all its information. Then it reconfigures the smartphone into a tracking and recording device.
The U.S. blacklist heavily restricts the ability of American companies to do business with NSO Group. Despite the ban, the FBI purchased Pegasus in 2019 and stores it under lock and key. It has long been an open question whether a U.S. administration would succumb to the temptation to use Pegasus for domestic surveillance purposes.
Now, we have some idea of the degree of U.S. government interest in Pegasus.
It has been revealed that L3Harris, an American military contractor, had been in recent talks to purchase NSO Group. It is hard to imagine that occurring without the secret blessing of at least some U.S. intelligence officials. People familiar with the negotiations said the technology has been of interest to the FBI and the CIA for several years. The negotiations continued well after the Commerce Department’s blacklist was issued and were only discovered in June when the proposal was leaked to the press. Since then, the Biden White House has signaled outrage over the potential sale and vowed to challenge any deal. Although L3Harris has since withdrawn from negotiations, the role of U.S. intelligence officials raises several questions.
Unless or until there is another leak or an enterprising journalist digs deeper, we can only ask these questions.
"Only Congress and the American people can decide whether we will remain a free society or succumb to technological totalitarianism."
A must read opinion piece in Real Clear World by our President, Erik Jaffe.
When it comes to digital privacy, Americans feel like a well-dressed person caught in the rain without an umbrella. At first, you try to wait it out under an eave. Then you accept getting a little bit wet. Finally, when your clothes are thoroughly soaked, you just give up.
When it comes to digital privacy, Americans have long accepted we couldn’t get any wetter. The social media services and apps we use track and sell our location history, our contacts, our communications, our purchases and (most revealing) our web searches. These data points, like the dots in a pointillistic painting, create a portrait of users with great detail. These portraits are then sold by data brokers to government agencies and commercial entities.
A recent Apple commercial portrayed this process by putting a young woman’s virtual self on an auction block. In the ad, the heroine Ellie turns on Apple’s privacy devices, vaporizing her would-be auctioneers. But such controls on a smartphone only involve a small portion of the torrents of information that are collected about us and sold wholesale.
So just when many are ready to declare the death of privacy, a bicameral, bipartisan group of legislators have put forward a discussion draft of the American Data Privacy and Protection Act (ADPPA). In a House hearing on Tuesday morning, this bill drew robust discussion from civil rights groups, digital reformers, and industry-allied organizations. This legislation is the first attempt at a comprehensive, national approach to, in the words of House Energy and Commerce Committee Chairman, Rep. Frank Pallone put “consumers back in control of their data and protecting their privacy.”
Under ADPPA, companies would have to obtain consumers’ consent for them to collect, process or transfer sensitive personal information. Affirmative consent would be required before the data of children between ages 13 and 17 could be transferred. The Federal Trade Commission (FTC) would form a Young Privacy Marketing Division to police the use of children’s data.
Best of all, the shadowy world of data brokers would be exposed to sunlight, with a public online registry created by FTC and third-party audits of how these brokers share information with others.
ADPPA would preempt some state privacy laws, while granting an exemption for the Illinois Biometrics Information Privacy Act (recently used to extract a sweeping settlement in the privacy practices of facial recognition provider Clearview AI), and California’s Privacy Rights Act. Other states with recent privacy laws are preempted, which Govtech.com writes “reeks of backroom dealing.”
The current draft includes a limited private right of action, which would allow individuals to bring suits for privacy violations after giving industry four years to adjust. Federal Trade Commission enforcement would be strengthened, and state attorneys general would be empowered to act against data holders who violate ADPPA. Companies would be given a limited right to cure a problem, which would give them standing to seek injunctive relief.
The discussion that took place in the House Subcommittee on Consumer Protection and Commerce reveals serious legislation with major issues to resolve. Here are a few of them.
How far should preemption of state privacy laws go?
Colorado, Texas, Virginia, Utah, and Connecticut have passed their own privacy laws. Will they eventually be excluded from preemption along with those of California and Illinois? If they are, do we run the risk of balkanizing the internet?
“American consumers and businesses deserve the clarity and certainty of a single federal standard for privacy,” said Former FTC Commissioner Maureen Ohlhausen.
Can we protect personal data by degrees of sensitivity without degrading the ability of digital commerce to function?
One goal of the bill is to have data minimization, which tasks companies with using only data that is needed for a given transaction. But can a law define the limits of what is needed?
John Miller of the Information Technology Industry Council noted that one provision, “information identifying an individual’s online activities over time or across third party websites or online services” could create restrictions for routine browsing. Or, as Ohlhausen put it, the bill “creates uncertainty for routine operational uses of information that are necessary to serve customers and operate a business.”
How broad should the private right of action be for individuals?
“The current proposal inserts several procedural hurdles that will not reduce litigation costs but will block injured individuals from having their day in court,” said David Brody, managing attorney of the Digital Justice Initiative Lawyers’ Committee for Civil Rights Under Law. “The private right of action in the Act is weak and difficult to enforce.”
John Miller countered, “while it is true neither punitive nor statutory damages are permitted” under the bill’s private right of action, “the availability of attorney’s fees could encourage the filing of borderline meritorious cases by specialized attorneys charging exorbitant hourly rates.”
Should government purchases of Americans’ personal data be included in the bill?
One issue that was not addressed on Tuesday is the frequent sale of Americans’ personal data to the government, a problem addressed by the proposed Fourth Amendment Is Not For Sale Act. Any privacy solution should look beyond the private uses of data by businesses to those of law enforcement and intelligence agencies. After all, only the government can use your information to bang down your door at dawn and arrest you.
There were further debates about how the bill might impact the ability of companies to handle cybersecurity threats, and whether small businesses would get tagged with onerous provisions aimed at tech giants. The legislative process in the House and Senate will have to untangle these and many other knotty issues to make this law workable. Yet the hearing room echoed with statements of determination by leaders in both parties to make a national privacy law a reality.
With the pandemic under control and the summer solstice two weeks away, millions of Americans are once again daring to travel to foreign destinations. Many might be concerned about world events intruding on the ability to travel. But few are ready for how intrusive government surveillance of our personal digital devices can be at the U.S. border.
This is a good time, then, to turn to the Electronic Frontier Foundation, and the primer written by Sophia Cope, Amul Kalia, Seth Schoen and Adam Schwartz on the legal, constitutional, and practical aspects of the government’s digital surveillance at the border. This paper, now a few years old, remains a thorough account of what happens at international airports, seaports and entry stations at U.S. land borders with Canada and Mexico.
On the practical side, EFF’s paper advises travelers on how to use encryption and cloud storage to prepare data for the U.S. border. It explains how Customs and Border Protection can worm past encryption and under some circumstances view your data on the cloud. It advises travelers on how to avoid behavior that attracts suspicion and how to calmly deal with requests for passwords into one’s devices.
The border is a privacy disaster because the sum of federal courts’ decisions leaves the Fourth Amendment at the border as more of an aspiration than a constitutional stricture on government behavior.
This hash of a doctrine arises out of the Supreme Court application of a “border search exception” to protect the integrity of the U.S. border. Courts parsed this doctrine to make distinctions between “routine” searches that do not require suspicion of a particular individual, and “highly intrusive” searches that impact the “dignity and privacy” of individuals (and yes, that’s exactly what it sounds like). The latter kind of search requires an “individualized suspicion.”
In a grey zone are searches of Americans’ and other travelers’ digital devices. PPSA has reported on the routine sweeping of Americans’ laptops, cellphones, tablets and other digital devices on returning to the United States from abroad. Electronic devices are searched at the border tens of thousands of times every year.
In denying police the ability to examine all the contents of a suspect’s cellphone without a warrant in Riley v. California (2014), the Supreme Court made an eloquent defense of digital technology as holding “the privacies of life.” Let us hope the courts take a closer look and find that this is just as true at the border.