Federica De Santis Archives - IPOsgoode

4th Circuit Appeals Court Rules No Warrant Needed for Suspects’ Cell-Site Location Data

Tue, 19 Jul 2016

The re-posting of this article is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

On May 31, the U.S. Court of Appeals, 4th Circuit, in a 12-3 decision ruled that a warrant is not needed to obtain suspects’ cell-site location information (CSLI) held by carriers, meaning that a court order, which – unlike a search warrant – does not require a showing of probable cause that a crime has been committed, is sufficient for this.

The 4th Circuit overturned a previous three-judge panel’s decision, which held that the government’s warrantless procurement of CSLI was an unreasonable search in violation of the Fourth Amendment and that defendants had a legitimate privacy expectation in that data.

The Supreme Court still has the final word if the decision is appealed (as it likely will be). This case, which ensued in the wake of other precedents on cell-phone and GPS tracking, is of particular interest for the debate around digital privacy and the future development of surveillance law.

Facts

The ruling concerns a series of armed robberies of several business establishments located in Maryland in 2011. The government obtained two court orders for disclosure of CSLI for calls and text messages transmitted to and from the phones of two suspects, which eventually led to their conviction. The agents obtained from the cell phone provider information over 221 days that included roughly 29,000 location-identifying data points for each defendant, which placed them in the vicinity of the robberies when they occurred.

Defendants filed a motion to suppress use of the CSLI at trial, arguing that the length of time and extent of the CSLI monitoring conducted by the government without a warrant intruded on defendants’ expectation of privacy and was therefore in violation of their Fourth Amendment rights.

The Fourth Amendment of the U.S. Constitution provides that “[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.”

District court held that government needed no warrant to obtain CSLI; therefore, government had not violated defendants’ Fourth Amendment rights

The district court denied the defendants’ motion, holding that the government’s conduct was not an unreasonable search: the court relied on the Supreme Court’s third-party doctrine, according to which individuals have no legitimate expectation of privacy in information voluntarily turned over to third parties (442 U.S. 735, 1979). Under this legal theory, the U.S. government can obtain from third parties information voluntarily conveyed by individuals without a warrant, since this information is beyond the reach of the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.

According to the district court, since defendants voluntarily transmitted signals to cellular towers in order for their calls to be connected, the third-party doctrine applied. U.S. courts have relied on this doctrine for a broad range of scenarios, from financial records and dialed telephone numbers to card statements, employment records and internet subscriber information.

4th Circuit’s panel reversed the district court’s ruling and found government’s data acquisition in breach of Fourth Amendment

The U.S. Court of Appeals, 4th Circuit, reversed the district court’s ruling – United States v. Graham, 796 F. 3d 332 (4th Cir. 2015). The court began by acknowledging that the government conducts a search under the Fourth Amendment when it obtains and inspects a cell-phone user’s historical CSLI for an extended period of time.

The court then held that examination of a person’s historical CSLI can enable the government to trace the movements of the cell phone and its user across public and private spaces and thereby discover the user’s private activities and personal habits.

Therefore, mobile phone users have an objectively reasonable expectation of privacy in this information and its inspection by the government requires a warrant.

The court concluded that government’s warrantless procurement of CSLI violated the Fourth Amendment’s guarantee against unreasonable searches and seizures (although the court also acknowledged that the government acted in good faith in doing so, therefore it declined to suppress the evidence). In the court’s words, “The fact that a provider captures this information in its account records, without the subscriber’s involvement, does not extinguish the subscriber’s reasonable expectation of privacy.

Applying the third-party doctrine in this context would simply permit the government to convert an individual’s cell phone into a tracking device by examining the massive bank of location information retained by her service provider, and to do so without probable cause.”

4th Circuit En Banc found that government did not breach the Fourth Amendment since users voluntarily disclosed CSLI under third-party doctrine

Now, the full panel of the U.S. Court of Appeals has reversed the three-judge panel’s decision by holding that the government’s warrantless acquisition of historical CSLI from defendants’ cell-phone provider did not breach the Fourth Amendment.

First, the court contends that the government’s acquisition of this data constituted a Fourth Amendment “search”. Defendants had no reasonable expectation of privacy under the third-party doctrine since the government obtained the CSLI records from a third party (i.e. the carrier), which, in turn, collected this information in the course of its business activity and did not obtain this data through a direct surveillance of defendants.

In this respect, the court relies on the Supreme Court’s precedents that applied the third-party doctrine, recalling that the Fourth Amendment does not protect information voluntarily disclosed to a third party because even a subjective expectation of privacy in such information is “not one that society is prepared to recognize as ‘reasonable’” (442 U.S. 735). More recently, the 6th Circuit of the Court of Appeals held that a warrantless acquisition of cell-phone location data did not breach the Fourth Amendment (United States v. Carpenter, April 13, 2016).

The court notes that defendants “exposed” the information at issue to the phone carrier, which used it to route defendants’ cell-phone calls and texts. By doing so, they could not expect the phone carrier to keep that information secret and “assumed the risk” that it would disclose their information to the government.

The court hastened to add that the Supreme Court may in future limit, or even eliminate, the third-party doctrine, and that Congress may require a warrant for CSLI.

However, it concluded that current legislation and established precedents weigh in the government’s favor.

Dissenting Judge Wynn deems that government’s warrantless search breached Fourth Amendment

Dissenting Judge Wynn highlights many of the majority’s shortcomings. First, he disagrees that CSLI is beyond the Fourth Amendment’s reach since it would be “voluntarily conveyed” by users to phone carriers under the third-party doctrine.

According to Judge Wynn, the Supreme Court’s precedents suggest that “voluntary conveyance” means that defendant (i) knew he was communicating particular information, and (ii) acted to submit the particular information he knew. For example, when users fill in a form providing their details to a service provider to secure internet access, they have knowledge of the typed information and affirmatively act to communicate it.

Judge Wynn reasons that CSLI is different from other data because it is not voluntarily disclosed by phone users, who likely are unaware that they are providing this information and do not know which cell-phone tower their call will be routed through. They also do not generally act to disclose this information – for example, CSLI is generated when a phone receives a call, even if the user does not answer.

Judge Wynn concludes that by acquiring large amounts of CSLI to trace defendants’ long-term movements, the government infringed defendants’ reasonable expectation of privacy and thereby engaged in a search. Because the search was warrantless, the government breached the Fourth Amendment.

Next

The decision can still be appealed to the Supreme Court, which will have the task of clarifying whether the 1970s third-party doctrine is still fit for a time when individuals reveal large quantities of information about themselves, sometimes without being aware of this.

For example, “Internet of Things” technologies (e.g., wearable devices, home automation, connected toys) may reveal many aspects of an individual’s private life – habits, behaviors and preferences, religious or political beliefs, sexual orientation, driving habits, whether they are at home or not, etc.

Yet this extensive information may represent a valuable resource for law enforcement authorities to prevent and detect crimes or other wrongdoing. The debate around the appropriate balance between privacy and public security is certainly set to continue, with the possible review of the 4th Circuit’s decision in the Supreme Court, the Microsoft Ireland email privacy case pending (where the company is challenging a U.S. government search warrant seeking access to customers’ emails in a data center located in Ireland) and the ongoing EU-U.S. Privacy Shield negotiations.

This article was first published by the IAPP.

The Italian Data Protection Authority’s Annual Report 2013 – Big Data, Transparency and Surveillance

Mon, 11 Aug 2014

The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

On June 10, 2014, the Italian Data Protection Authority (Garante per la protezione dei dati personali – “DPA”) presented its Annual Report for 2013. In its 17th annual edition of the Report, the Italian watchdog sets out the status of the implementation of privacy laws and indicates the operational prospects that are required to move towards genuine and effective personal data protection.

1. Highlights of the Annual Report 2013

The DPA’s main activities in 2013 concerned the following topics.

Internet and the role of large providers. Particular importance attaches to the work done by the DPA, also in cooperation with other European authorities, to ensure greater transparency for users in connection with the processing of their personal data via the internet. In this respect, the DPA issued guidelines to protect privacy on smartphones and tablets and recently a resolution on consent for the use of cookies.

Global supervision in connection with the Datagate. Datagate refers to the revealed collection of citizens’ personal data by the U.S. National Security Agency (NSA). The DPA raised concerns about espionage performed by the NSA and therefore sent a letter to the Italian Prime Minister, requesting him to support the adoption of the draft reform of the EU legal framework for data protection.

Transparency of the online public administration and safeguards for citizens. The DPA issued guidelines to make sure that transparency would not be in conflict with the right to privacy and data protection. For example, the dissemination of information on health and economically or socially disadvantaged beneficiaries of public allowances was prevented.

Problems caused by cyber bullying on social networks. On the occasion of the 2013 European Privacy Day, the DPA published a video on its website containing tips for knowledgeable use of social networks. A letter was also sent to the Italian Ministry of Education to bring the growing problem of cyber bullying to its attention.

Confidentiality of taxpayers. In-depth prior checks were performed on the processing of data carried out by the Italian Revenue Agency for purposes of the so-called “Redditometro” (i.e., an income meter tool). The DPA set forth various measures to be implemented in order to address the many critical issues that were found. These comments related to, among others, the quality and accuracy of the data used by the Italian Revenue Agency, the estimated expenses incurred by each taxpayer depending on multifarious life-style components, as well as the information to be provided to the taxpayers.

Mobile payments. The DPA launched a public consultation on the processing of personal data performed in connection with payments through the use of smartphones and tablets and, more broadly, through remote mobile payment services (the DPA has recently adopted a resolution on this matter which takes into account the outcome of the public consultation).

Use of biometric data. Significant actions were taken to regulate the use of the biometric signature in banks and the use of fingerprints in the workplace. The DPA found that the use of biometrics in order to check attendance of teachers and administrative staff in several schools was disproportionate, also in accordance with the principles set out by the Article 29 Data Protection Working Party on developments in biometric technologies.

Protection of minors in the media and on the internet. The use of webcams in a nursery school was banned in order to protect children’s privacy, the unfettered development of their personality, unrestrained relationships with their teachers and freedom of teaching.

 

Protection of data used for justice purposes. Measures and arrangements were made to promote the security of any personal data that is collected and used as part of interception activities carried out by the Telecommunications Interception Centres (“Centri Intercettazioni Telecomunicazioni”), which are attached to every prosecuting office in Italy, as well as to police offices tasked with performing interceptions for judicial authorities.

Video surveillance. Based on spot-checks, the DPA discovered several instances of unlawful processing of employees’ and customers’ data performed by department stores using video surveillance. However, a longer retention period for video surveillance images collected in some building yards and storage areas set up in Pompeii was approved with the objective of preventing mafia-related activities. Furthermore, the DPA required health care districts that had installed video surveillance equipment in the restrooms of their facilities for ruling out drug addiction cases to take measures and precautions so as to protect the privacy of any individual whose urine sample was being taken.

Unsolicited promotional calls. Inspections and injunctions against IT companies specialized in database services were carried out to counteract unregulated telemarketing and unsolicited marketing. Hefty fines were to be paid since these companies had failed to comply with previous orders. Moreover, automated pre-recorded calls to customers for debt collection reasons were banned. Other developments related to telemarketing (or customer care) activities concerned call centers located in third countries without adequate data protection levels compared to EU standards. Measures such as the obligation to provide information and notify the DPA in advance about the call centers relied upon enable the DPA to assess the transfer of personal data outside the EU.

Marketing and spam. Guidelines were adopted on marketing and for countering spam, with special emphasis on the new frontiers of spamming such as social spam (via social network sites) or spam based on viral (or targeted) marketing. A video tutorial was made available on the DPA’s website (named “Spam: how you can defend yourself”).

Consent for direct marketing. The DPA adopted a general resolution providing clarifications on the consent requirement in case of processing of personal data for direct marketing purposes. In particular, the DPA made clear that a data controller obtaining a data subject’s consent for direct marketing purposes through automated mechanisms may also process this data according to traditional/non-automated mechanisms (e.g., by post or operator-assisted calls), unless the data subject objects, also in part, to this processing, provided that other requirements set forth by the resolution are met.

 

Consumer rights. Two banks were allowed to equip their financial promoters with tablets that could perform an analysis of the signature of any customer entering into financial agreements in electronic format. However, the companies involved in enabling and managing both systems were required to take special measures to protect the data they collected. Additionally, measures were created to give bank customers the option to sign such agreements through conventional mechanisms as well.

Data retention of telephone traffic data. With the help of the tax police, the DPA performed inspections on telephone companies and internet service providers to verify compliance with the legal provisions on internet and telephone traffic data retention. Sanctions were imposed in case of non-compliance with previous orders by the DPA.

Data breach notification. The DPA adopted a resolution on the notification of personal data breaches, providing guidance on who is required to fulfill the relevant obligations, what measures could ensure minimum common security standards, and the timeline and content of the notification.

2. A Few Figures

Over 606 decisions were adopted by the DPA in 2013 (almost 38% more compared to 2012).

 

The number of on-the-spot inspections has increased by 4% compared to 2012, for a total of 411. The inspections concerned, in particular, call centers and unsolicited telemarketing; mobile payment services; profiling; data breaches; the tax revenue database; consumer credit; credit bureaus; the information system of Italy’s social security agency (INPS).

 

Interestingly, the number of breaches of the Italian data protection law also increased, with 850 breaches found by the DPA compared to 580 in 2012 (i.e., 47% more). 56% of the breaches concerned the failure to provide adequate information to data subjects. Other breaches involved processing without data subjects’ consent (179 cases); failure to adopt security measures (24 cases); breach of telemarketing rules (19 cases); failure to notify processing operations to the DPA (12 cases); etc.

The fines levied on account of administrative sanctions amounted to over 4 million Euros.

 

In 71 cases the DPA informed criminal authorities, in particular relating to the failure to adopt security measures to protect personal data.
