The Internet of Things (IoT), long promised, is already here. It is happening incrementally – from coffee makers, to cars, to refrigerators – that send voluminous quantities of our personal information to the cloud. As the IoT knits together, consumers need to know how our information is being collected.
 
Most people are unaware that refrigerators, washers, dryers, and dishwashers now often have audio and video recording components. By 2026, over 84 million households will have smart devices, each one a node within a seamless web of personal information. But how will this storehouse of personal data be regulated?
 
Looking ahead to the growing hazards of the near-future, Sen. Maria Cantwell (D-WA), and Sen. Ted Cruz (R-TX), introduced the Informing Consumers about Smart Devices Act. This legislation would require the Federal Trade Commission to create reasonable disclosure guidelines for products that have video or audio recordings.
 
“Most consumers expect their refrigerators to keep the milk cold, not record their most personal and private family discussions,” Sen. Cantwell said.
 
We would make the larger point that Americans shouldn’t have to think about what they say or do in the presence of their appliances. (Although it would be nice to have a smart refrigerator that slaps our hand after 9 p.m.) The greater issue is that all the data that apps, and perhaps now our smart appliances, extract from us can be accessed by government agencies without any need to obey the constitutional requirement to obtain a warrant. All an agency needs to do to obtain our personal information is to purchase it from a private data broker.
 
That’s all the more reason to pass the Fourth Amendment Is Not For Sale Act.

​The Electronic Frontier Foundation, an indispensable pioneer of surveillance accountability, has just released a powerful new version of its Atlas of Surveillance that gives Americans insight into the myriad surveillance technologies that are being used by more than 5,500 law enforcement agencies, across all levels of government, to watch Americans in all 50 states.
 
EFF is a notable leader in watching the watchers. In September, PPSA examined EFF’s helpful highlighting of marketing slides about the potential for Fog Technology to track people to their homes.
 
This Atlas of Surveillance, begun with the help of journalism students at the University of Nevada, Reno, recently hit a threshold of 10,000 data points, making it a robust – though not yet complete – survey of which surveillance technologies are being used in which communities.
 
We entered results for the District of Columbia to give it a try.

• The D.C. Metropolitan Police has automated license plate readers, maintains a registry of private and personal surveillance cameras, has a gunshot detection system, uses “video analytics” that can identify people in crowds, and since 2003 has owned cell-site simulator technology (stingrays) that can spoof cell towers and trick cellphones into divulging data.

 

• Choosing a small city at random – San Angelo, Texas – we find that the San Angelo Police Department has one drone, body cameras, and a partnership with Amazon’s Ring camera home surveillance, allowing it to ask for surveillance video from customers on the service’s Neighbors app.

 
John Stuart Mill, quoting the Roman satirist Juvenal, asked: Quis custodiet ipsos custodes? The Atlas of Surveillance gives us confidence that we can at least begin to watch the watchers.
 
University of Nevada, Reno, interns did a professional job of integrating public documents, crowdsourced information, and news articles to compile this atlas. Kudos to EFF and to their UNR student partners. Be sure and check the Atlas to see how you’re being watched in your community.

​Thomas Germain on Gizmodo has an alarming piece on research from two app developers, Tommy Mysk and Talal Haj Bakry, who claim that despite Apple’s explicit promise to allow you to turn off all tracking, Apple still tracks you.
 
Apple advertises its ability to turn off iPhone tracking on its privacy settings. But according to Mysk and Bakry, after turning off tracking, Apple continues to collect data from many iPhone apps, including the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytic control and other privacy settings had no discernable effect on Apple’s data collection.
 
“Opting-out or switching the personalization options off did not reduce the amount of detailed analytics that the app was sending,” Mysk told Gizmodo. “I switched all the possible options off, namely personalized ads, personalized recommendations, and sharing usage data and analytics.” Apple still continued to track.
 
What could be at stake for consumers? Germain wrote:
 
“In the App Store, for example, the fact that you’re looking at apps related to mental health, addiction, sexual orientation, and religion can reveal things you might not want to be sent to corporate servers.”
 
Germain concedes that Apple may not be using this information, but it is impossible to know since Apple has not responded. Perhaps a hint of an answer was foreshadowed by Craig Federighi, Senior Vice President of software engineering, when he recently told The Wall Street Journal that “quality advertising and product privacy could coexist.”
 
That is far too vague to explain how Apple’s explicit privacy promises work in the real world. PPSA calls on Apple to provide a full explanation of how it treats digital privacy.

Carolyn Iodice of Clause 40 Foundation has penned a brilliant analysis and history of the Foreign Intelligence Surveillance Act (FISA), a worldly examination of how that law operates in practice. Briefly put, FISA is a statute that is often treated by the government not as law that must be obeyed, but as a potpourri to mask the stench of illicit surveillance.
 
Iodice begins her paper with a report issued earlier this year by Sens. Ron Wyden and Martin Heinrich that the CIA has secretly gathered Americans’ records as part of a warrantless bulk data collection program. This program, the senators noted, works “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional, or even executive branch oversight that comes with FISA collection.”
 
To enter the world of FISA is to enter Alice’s Wonderland where agency general counsels talk backwards and agency chiefs assert six impossible things before breakfast. Iodice makes a bold statement in the beginning that the rest of her paper validates:
 
“In the context of FISA, the government has succeeded in violating the law by using implausible interpretations of statutory language and even by evading the statute entirely. Of course, it’s not uncommon for the executive branch to overstep its statutory authorities, but if FISA is understood to be legally binding on the government’s surveillance activities in the same way that, for instance, the EPA’s authority to set national air quality standards is granted and defined by the Clean Air Act, then the flagrancy and frequency of the government’s unlawful surveillance activities is puzzling. If FISA—a law duly passed by Congress and signed by the president—sets legal rules for surveillance programs, why does the government keep flouting them?”
 
Unlike with the Clean Air Act, she explains, with FISA there is no agreement where the lines exist between legislative, judicial, and executive authority. Worse still, there is a lack of agreement how far executive authority can be extended when national security is invoked. The need for the Fourth Amendment’s requirement for a probable cause warrant in criminal cases is clear, even if that principle is often now observed in the breach. But the Supreme Court has not supplied much guidance on how the Fourth Amendment applies to operations within the United States that are for intelligence purposes.
 
The rest of Iodice’s paper tracks the steady weakening of FISA in the post-9/11 world.
 
This paper is a timely primer for what promises to be a key surveillance debate: By the end of next year, FISA’s Section 702 must be reauthorized or expire. Section 702 grants the intelligence community the authority to surveil foreign intelligence targets. While Fourth Amendment protections prevent Americans from being targeted, the law allows the communications of Americans to get swept up in “incidental” collection. This loophole has been extended to whatever width or shape the government needs to do whatever it wants.
 
Iodice concludes that if Congress reasserted its authority, or the courts resolved the Fourth Amendment and separation-of-powers issues in FISA, then FISA would operate more like a statute should. In the meantime, civil liberties champions in Congress need to be deadly serious about holding up reauthorization of Section 702 if demands for serious FISA reforms are not met.

Facial recognition software is a problem when it doesn’t work. It can conflate the innocent with the guilty if the two have only a passing resemblance. In one test, it identified 27 Members of Congress as arrested criminals. It is also apt to work less well on people of color, leading to false arrests.
 
But facial recognition is also problem when it does work. One company, Vintra, has software that follows a person camera by camera to track any person he or she may interact with along the way. Another company, Clearview AI, identifies a person and creates an instant digital dossier on him or her with data scrapped from social media platforms.
 
Thus, facial recognition software does more than locate and identify a person. It has the power to map relationships and networks that could be personal, religious, activist, or political. Major Neill Franklin (Ret.) Maryland State Police and Baltimore Police Department, writes that facial recognition software has been used to violate “the constitutionally protected rights of citizens during lawful protest.”
 
False arrests and crackdowns on dissenters and protestors are bound to result when such robust technology is employed by state and local law enforcement agencies with no oversight or governing law. The spread of this technology takes us inch by inch closer to the kind of surveillance state perfected by the People’s Republic of China.
 
It is for all these reasons that PPSA is heartened to see Rep. Ted Lieu join with Reps. Shelia Jackson Lee, Yvette Clark and Jimmy Gomez on Thursday to introduce the Facial Recognition Act of 2022. This bill would place strong limits and prohibitions on the use of facial recognition technology (FRT) in law enforcement. Some of the provisions of this bill would:
 

• Limit law enforcement use of FRT to situations in which a warrant is obtained that shows probable cause that an individual committed a serious violent felony.

 

• Prohibit law enforcement from using FRT to create a record documenting how an individual expresses rights guaranteed by the Constitution, such as lawful protests.

 

• Prohibit a FRT match from being the sole basis upon which probable cause can be established for a search, arrest, or other law enforcement action.

 

• Ban the use of FRT in conjunction with databases that contain illegitimately obtained information.

 

• Ban the use of FRT to track individuals with live or stored video footage.

 

• Require law enforcement to provide notice to individuals who are subjects of an FRT search and copy of the court order and/or other key data points.

 
The introduction of this bill is the result of more than a year of hard work and fine tuning by Rep. Lieu. This bill deserves widespread recognition and bipartisan support.

Earlier this month, former Vice-President Mike Pence called out criticism of the FBI lodged by members of his own party. In his speech, Pence stated “I … want to remind my fellow Republicans we can hold the attorney general accountable for the decision that he made without attacking the rank-and-file law enforcement personnel at the FBI..” While the intent of Pence’s statement is certainly laudable, it comes at a time when the public is increasingly distrustful of the agency’s activities.
 
Pence’s comments have been received so poorly because they dismiss the credible concerns emanating from all sectors of the American public. The distrust towards the agency turned into full-blown outrage when the FBI raided former President Trump’s Mar-a-Lago estate earlier this month on August 8th. It has been weeks since the raid, and there has been little official explanation provided. What information we do have has been pieced together from an unsealed warrant and source leaks. From the warrant, the search was related to potential violations of three laws including the Espionage Act. Attorney General Merrick Garland said during remarks on August 11 that he would not explain why he personally signed off on seeking a search warrant. Even though documents were recovered, distrust of the agency has become so severe, that swaths of the American public may choose to believe that the evidence seized was forged and planted.
 
Also worried is Michael Horowitz, Inspector General of the U.S. Department of Justice. Across multiple reports, Horowitz details the abuses, noncompliance, and mishandling that is currently ongoing within the FBI. For a few examples, in September of 2021, the office of the Inspector General released a report stating that there “was widespread non-compliance with the Woods Procedures,” a set of procedures to ensure factual accuracy in FISA applications. In August of 2019, the office of the Inspector General released a report detailing the multiple rules violations by former FBI Director James Comey, indicating a culture of secrecy and noncompliance at the highest level in the chain of command. There are multiple reports detailing commercial sex, accepting illegal gifts from the media, the violation of ethics rules, and a “lack of candor.”
 
When American citizens display “a lack of candor,” they can be fired from their jobs. When senior officials at the FBI do it, prosecution is declined and the offending party is “reassigned to a nonsupervisory role.”
 
In 2019, the Foreign Intelligence Surveillance Court criticized the FBI for misleading it in applications to wiretap former Trump campaign aide, Carter Page. Inspector General Horowitz found that the FBI had omitted facts and provided false statements to the FISA court when the FBI filed for a warrant to conduct surveillance on Page. FISA court presiding Judge Rosemary Collier stated in her opinion that “The FBI’s handling of the Carter Page applications, as portrayed in the OIG report, was antithetical to the heightened duty of candor described above…”
 
So, not only is the public concerned, but so is the office of the Inspector General and the FISA courts, two organizations which either oversee or directly liaise with the FBI.
 
Just this week, the escapades of the FBI were on full display during a trial to convict two men involved in the 2020 plan to kidnap Michigan Governor Gretchen Whitmer. The already high-profile nature of the case was catapulted into the stratosphere when the FBI revealed there were at least five informants or undercover agents embedded among the suspected planners. Defense attorneys have argued there were at least twelve. The involvement of FBI agents and informants was so significant, that a trial for a separate set of suspected planners failed to get a single conviction. One informant became second-in-command of a militia. Another undercover agent offered to provide explosives to the group. It calls into question whether the FBI was engaged in entrapment.
 
FBI agents assigned to the case became subjects of scrutiny themselves. As the New York Times reports, “one F.B.I. agent on the case was fired last year after being charged with domestic violence, and another agent, who supervised a key informant, tried to build a private security consulting firm based in part on some of his work for the F.B.I.…” That FBI agents so close to an ongoing plan to kidnap a governor were themselves so compromised is very chilling.
 
It seems obvious from the last several years that the FBI is in need of both oversight and reform. An agency with significant investigatory and enforcement powers, Congress can and should do more to monitor the activities of the agency.

​Last February, PPSA reported that NSO Group, the Israeli cybersecurity company that produced the malware Pegasus, had been placed on a U.S. Commerce Department blacklist. Pegasus is to malicious spyware what a supercomputer is to a calculator. It penetrates smartphones remotely, without requiring any security mistakes or phishing attempts. Once inside a smartphone, Pegasus extracts all its information. Then it reconfigures the smartphone into a tracking and recording device.
 
The U.S. blacklist heavily restricts the ability of American companies to do business with NSO Group. Despite the ban, the FBI purchased Pegasus in 2019 and stores it under lock and key. It has long been an open question whether a U.S. administration would succumb to the temptation to use Pegasus for domestic surveillance purposes.
 
Now, we have some idea of the degree of U.S. government interest in Pegasus.
 
It has been revealed that L3Harris, an American military contractor, had been in recent talks to purchase NSO Group. It is hard to imagine that occurring without the secret blessing of at least some U.S. intelligence officials. People familiar with the negotiations said the technology has been of interest to the FBI and the CIA for several years. The negotiations continued well after the Commerce Department’s blacklist was issued and were only discovered in June when the proposal was leaked to the press. Since then, the Biden White House has signaled outrage over the potential sale and vowed to challenge any deal. Although L3Harris has since withdrawn from negotiations, the role of U.S. intelligence officials raises several questions.

• The role of U.S. intelligence officials in the planned NSO Group acquisition is troubling. Does this attempt to buy NSO Group mean that the U.S. national security apparatus has changed its mind about using Pegasus?

 

• If so, how seriously were some in the government contemplating deploying Pegasus for U.S. domestic surveillance?

 

• Given the fierce response from the White House against L3Harris, was this a case of poor internal communication, or was the U.S. intelligence community and L3Harris intending to do a runaround of the blacklist?

 

• On the other hand, given Pegasus’ abilities, could the case be made that the purchase of NSO Group by a U.S. firm might be the most reasonable option? Is it wise to leave such a powerful piece of malware in the hands of those who have sold it around the world, with the risk Pegasus will become the security equivalent of the Covid-19 pandemic?

 
Unless or until there is another leak or an enterprising journalist digs deeper, we can only ask these questions.

A must read opinion piece in Real Clear World by our President, Erik Jaffe. 

When it comes to digital privacy, Americans feel like a well-dressed person caught in the rain without an umbrella. At first, you try to wait it out under an eave. Then you accept getting a little bit wet. Finally, when your clothes are thoroughly soaked, you just give up.
 
When it comes to digital privacy, Americans have long accepted we couldn’t get any wetter. The social media services and apps we use track and sell our location history, our contacts, our communications, our purchases and (most revealing) our web searches. These data points, like the dots in a pointillistic painting, create a portrait of users with great detail. These portraits are then sold by data brokers to government agencies and commercial entities.
 
A recent Apple commercial portrayed this process by putting a young woman’s virtual self on an auction block. In the ad, the heroine Ellie turns on Apple’s privacy devices, vaporizing her would-be auctioneers. But such controls on a smartphone only involve a small portion of the torrents of information that are collected about us and sold wholesale.
 
So just when many are ready to declare the death of privacy, a bicameral, bipartisan group of legislators have put forward a discussion draft of the American Data Privacy and Protection Act (ADPPA). In a House hearing on Tuesday morning, this bill drew robust discussion from civil rights groups, digital reformers, and industry-allied organizations. This legislation is the first attempt at a comprehensive, national approach to, in the words of House Energy and Commerce Committee Chairman, Rep. Frank Pallone put “consumers back in control of their data and protecting their privacy.”
 
Under ADPPA, companies would have to obtain consumers’ consent for them to collect, process or transfer sensitive personal information. Affirmative consent would be required before the data of children between ages 13 and 17 could be transferred. The Federal Trade Commission (FTC) would form a Young Privacy Marketing Division to police the use of children’s data.
 
Best of all, the shadowy world of data brokers would be exposed to sunlight, with a public online registry created by FTC and third-party audits of how these brokers share information with others.
 
ADPPA would preempt some state privacy laws, while granting an exemption for the Illinois Biometrics Information Privacy Act (recently used to extract a sweeping settlement in the privacy practices of facial recognition provider Clearview AI), and California’s Privacy Rights Act. Other states with recent privacy laws are preempted, which Govtech.com writes “reeks of backroom dealing.”
 
The current draft includes a limited private right of action, which would allow individuals to bring suits for privacy violations after giving industry four years to adjust. Federal Trade Commission enforcement would be strengthened, and state attorneys general would be empowered to act against data holders who violate ADPPA. Companies would be given a limited right to cure a problem, which would give them standing to seek injunctive relief.
 
The discussion that took place in the House Subcommittee on Consumer Protection and Commerce reveals serious legislation with major issues to resolve. Here are a few of them.
 
How far should preemption of state privacy laws go?
 
Colorado, Texas, Virginia, Utah, and Connecticut have passed their own privacy laws. Will they eventually be excluded from preemption along with those of California and Illinois? If they are, do we run the risk of balkanizing the internet?
 
“American consumers and businesses deserve the clarity and certainty of a single federal standard for privacy,” said Former FTC Commissioner Maureen Ohlhausen.
 
Can we protect personal data by degrees of sensitivity without degrading the ability of digital commerce to function?
 
One goal of the bill is to have data minimization, which tasks companies with using only data that is needed for a given transaction. But can a law define the limits of what is needed?
 
John Miller of the Information Technology Industry Council noted that one provision, “information identifying an individual’s online activities over time or across third party websites or online services” could create restrictions for routine browsing. Or, as Ohlhausen put it, the bill “creates uncertainty for routine operational uses of information that are necessary to serve customers and operate a business.”
 
How broad should the private right of action be for individuals?
 
“The current proposal inserts several procedural hurdles that will not reduce litigation costs but will block injured individuals from having their day in court,” said David Brody, managing attorney of the Digital Justice Initiative Lawyers’ Committee for Civil Rights Under Law. “The private right of action in the Act is weak and difficult to enforce.”
 
John Miller countered, “while it is true neither punitive nor statutory damages are permitted” under the bill’s private right of action, “the availability of attorney’s fees could encourage the filing of borderline meritorious cases by specialized attorneys charging exorbitant hourly rates.”
 
Should government purchases of Americans’ personal data be included in the bill?
 
One issue that was not addressed on Tuesday is the frequent sale of Americans’ personal data to the government, a problem addressed by the proposed Fourth Amendment Is Not For Sale Act. Any privacy solution should look beyond the private uses of data by businesses to those of law enforcement and intelligence agencies. After all, only the government can use your information to bang down your door at dawn and arrest you.
 
There were further debates about how the bill might impact the ability of companies to handle cybersecurity threats, and whether small businesses would get tagged with onerous provisions aimed at tech giants. The legislative process in the House and Senate will have to untangle these and many other knotty issues to make this law workable. Yet the hearing room echoed with statements of determination by leaders in both parties to make a national privacy law a reality. 

With the pandemic under control and the summer solstice two weeks away, millions of Americans are once again daring to travel to foreign destinations. Many might be concerned about world events intruding on the ability to travel. But few are ready for how intrusive government surveillance of our personal digital devices can be at the U.S. border.
 
This is a good time, then, to turn to the Electronic Frontier Foundation, and the primer written by Sophia Cope, Amul Kalia, Seth Schoen and Adam Schwartz on the legal, constitutional, and practical aspects of the government’s digital surveillance at the border. This paper, now a few years old, remains a thorough account of what happens at international airports, seaports and entry stations at U.S. land borders with Canada and Mexico.
 
On the practical side, EFF’s paper advises travelers on how to use encryption and cloud storage to prepare data for the U.S. border. It explains how Customs and Border Protection can worm past encryption and under some circumstances view your data on the cloud. It advises travelers on how to avoid behavior that attracts suspicion and how to calmly deal with requests for passwords into one’s devices.
 
The border is a privacy disaster because the sum of federal courts’ decisions leaves the Fourth Amendment at the border as more of an aspiration than a constitutional stricture on government behavior.
 
This hash of a doctrine arises out of the Supreme Court application of a “border search exception” to protect the integrity of the U.S. border. Courts parsed this doctrine to make distinctions between “routine” searches that do not require suspicion of a particular individual, and “highly intrusive” searches that impact the “dignity and privacy” of individuals (and yes, that’s exactly what it sounds like). The latter kind of search requires an “individualized suspicion.”
 
In a grey zone are searches of Americans’ and other travelers’ digital devices. PPSA has reported on the routine sweeping of Americans’ laptops, cellphones, tablets and other digital devices on returning to the United States from abroad. Electronic devices are searched at the border tens of thousands of times every year.
 
In denying police the ability to examine all the contents of a suspect’s cellphone without a warrant in Riley v. California (2014), the Supreme Court made an eloquent defense of digital technology as holding “the privacies of life.” Let us hope the courts take a closer look and find that this is just as true at the border.