Jul 072013

There is so much to say about the emerging news about the data capture programs run by the NSA it’s hard to know where to begin. Part of the issue is that there are multiple programs and multiple statutes in play, and details about everything are continuing to emerge, which makes analyzing any respective legality complicated. Ostensibly some of these programs may in fact be “legal” under some of these statutes, although there are credible arguments that many of these programs transcend even what these laws might purport to authorize.

But even if these programs are consistent with either their enabling statutory language or previous Fourth Amendment case law, it is not at all clear that they are consistent with either the spirit or bare language of the Fourth Amendment:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Over time, on a case by case basis specific to the facts before them, courts have whittled away at what we might understand the Fourth Amendment to protect. Which is unfortunate, because on its face it would appear to protect quite a bit of personal privacy from government intrusion, except under very narrow circumstances. But as we learn more about these surveillance programs we see how, even if “legal,” they intrude upon that privacy, and in a way that essentially destroys all vestiges of it for everyone, criminal (or foreign) or not.

Which is what the rest of this post intends to focus on, albeit in a more humorous than purely analytical manner. But such flippancy shouldn’t discredit its overall point, and indeed, humor is often an excellent vehicle for illustrating policy shortcomings. In this case what follows highlights the problem with Section 215 of the Patriot Act, a post-9/11 law that allows government authorities to access, without a warrant and only with the questionable oversight of the itself apparently unaccountable Foreign Intelligence Surveillance Court, all sorts of “tangible things.” By accounts, it seems the NSA has used this provision to underpin at least one of its programs.

Because everything this court does is shrouded in secrecy, no one knows exactly what “tangible things” applies to. But we can make some reasonable suppositions, and the following articulates a few of them. Sung to the tune of The Sound of Music’sMy Favorite Things,” here is a modern update:

“My Tangible Things.” Continue reading »

Jul 032013

I was saddened to hear the news about Doug Engelbart’s passing. Although most famous for having invented the mouse (I once had the privilege of holding the original – in some ways it was even better than its successors, as its two beveled wheels allowed the mouse to easily be drawn in a straight line), his contributions to the digital world we now take for granted run much deeper than that specific innovation.

I had the privilege of meeting Mr. Engelbart on a few occasions, and in the wake of this news I’m prompted to repost something I wrote a few years ago following one of those encounters, something that contemplated how law and innovation so often seemed to collide in a way deleterious for the latter. As we take this moment to recognize the rich legacy Mr. Engelbart leaves the world it should remind us to never allow law to deprive the world of other such gifts in future.

In early December I attended the “Program for the Future,” celebrating the 40th anniversary of a seminal event in technological history: Doug Engelbart’smother of all demos.” While today the technologies he showed off in his 1968 presentation must seem ordinary and quaint, back then they were revolutionary and laid the foundation for what we now take for granted.

While perhaps most widely known for being the world debut of the mouse, which he invented, Engelbart’s presentation is most notable for how it advanced collective intelligence. What made the presentation so important weren’t the technologies themselves but the human problems they stood to solve.

So in celebration of Engelbart’s important contribution to the world, a group of futurists and technologists gathered together at The Tech museum in San Jose to contemplate the future innovations yet to come. Personally, for me, the event was a bit nostalgic. Before law school, as a technologist in Silicon Valley, I often attended such events. Sometimes they got a bit silly, as there’d be so much “blue skying” and thinking about what could be done that nothing would actually get done. But these kinds of events were still important and because they fostered an environment where the bolts of inspiration could be seized upon and fanned into exciting innovations.

I still gravitate towards technology-related events, only today they are invariably legally-related. At these events technology is always considered in the context of regulatory frameworks, and the people doing the thinking are always lawyers and policy makers. Notably, however, at this event I was only one out of maybe a handful attendees who was a lawyer. And therein lies the disconnect.
Continue reading »

Jun 172013

Many posts here talk about laws that criminalize technology use and development. But what happens when there is no law criminalizing that use or development, but it is nonetheless prosecuted? We are seeing that happen in California with state Attorney General Kamala Harris proudly crowing about the arrest and indictment of three brothers for “conspiracy,” “receiving stolen property,” and “grand theft” as a result of running a website that allegedly allowed users to watch movies and TV shows. The only problem: there is no law in California empowering Harris to prosecute any of what she claims the brothers did. There is no law anywhere that does.

True, California has laws on the books regarding conspiracy, receiving stolen property, and grand theft, but they still don’t enable this prosecution, and a big reason for that is because nothing was actually stolen. It is always a mistake to use the word “theft” to describe what is at most copyright infringement. Theft is a word best left to the actual deprivation of tangible things, not non-rivalrous goods like digital works that, even when “stolen,” are never actually taken away from anyone.

But even if we were to describe the making infringing copies of digital works as “theft,” only federal law can speak to the consequences of having made (or enabled the making of) these infringing copies. This is because the federal law is not actually designating something as property — of the sort which could then be stolen — but instead is granting a series of exclusive rights recognized under federal law that could potentially be infringed, as also defined by that same federal law. With only a few narrow exceptions inapplicable here, the establishment, reach, and protection of these rights falls entirely within the purview of the federal government to both establish and enforce, and, moreover, that same federal law explicitly pre-empts any attempts by the states to do the same.

As attorney general, Harris is charged with enforcing California’s laws, but her enforcement powers are inherently limited to those laws. She has no power to make up laws not put on the books by the California legislature (either because it didn’t, or, as discussed above vis a vis pre-emption, because it constitutionally couldn’t) and then go out and enforce them. But that’s what she’s done here. She might as well have arrested these two men for breathing, which there’s no law in California prohibiting either. Despite there being no law for her to enforce, she nonetheless has had these people arrested, seized their actual, tangible property, destroyed their business in a way arguably no law, but especially not California law, would permit, and upended their lives and the lives of their families by throwing them into this Kafkaesque prosecutorial nightmare. What makes it so especially troubling was that even if these brothers had sought counsel from qualified attorneys before engaging in the acts for which they are now being prosecuted, no attorney would ever have been able to have advised them of such prosecution ever being a risk. The criminality Harris is pursuing is born entirely of her imagination, not through the legislative machinations of our representative democracy, thereby leading to a state of affairs that is incompatible with the notions of due process and fair play our system of justice is supposed to preserve.

Even more unseemly, her press release openly admits to her having pursued these men in conjunction with and at the behest of the Motion Picture Association of American (MPAA), thus making her wrongful exercise of prosecutorial power even more abusive. If what these men were doing were truly wrongful as recognized by copyright law, the MPAA was fully capable of seeking the civil remedy for this potential wrongfulness that copyright law allowed. It did not need to wield the enormous power of the state against these people, and it was chillingly inappropriate for them to have attempted it — and even more chillingly appropriate for the state to have allowed it. Yes, there are certain situations where we do allow private injuries to be pursued and punished by state organs (see, e.g., actual theft of actual property) but copyright infringement has never, for very good historical and policy reasons, been one of those alleged injuries where we left it to the government to seek redress, except in very narrow circumstances. And even in those circumstances, the power to prosecute was left to federal prosecutors, not every politically ambitious state attorney general more eager to score points with future campaign donors than adhere to her constitutional limits with a power-grabbing act ultimately more harmful to society than anything alleged to have happened here.

Jun 162013

While originally I intended this blog to focus only on issues where cyberlaw collided with criminal law, I’ve come to realize that this sort of analysis is advanced by discussion of the underlying issues separately, even when they don’t implicate either criminal law or even technology. For example, discussions about how copyright infringement is being criminally prosecuted is aided by discussion on copyright policy generally. Similarly, discussions about shield laws for bloggers are advanced by discussions of shield laws generally, so I’ve decided to import one I wrote recently on my personal blog for readers of this one:

Both Ken @ Popehat and “Gideon” at his blog have posts on the position reporter Jana Winter finds herself in. To briefly summarize, the contents of the diary of the alleged Aurora, CO, shooter ended up in her possession, ostensibly given to her by a law enforcement officer with access to it and in violation of judicial orders forbidding its disclosure. She then reported on those contents. She is not in trouble for having done the reporting; the problem is, the investigation into who broke the law by providing the information to her in the first place has reached an apparent dead end, and thus the judge in the case wants to compel her, under penalty of contempt that might include jailing, to disclose the source who provided it, despite her having promised to protect the source’s identity.

In his post Gideon make a compelling case for the due process issues at stake here. What’s especially notable about this situation is that the investigation isn’t just an investigation into some general wrongdoing; it’s wrongdoing by police that threatens to compromise the accused’s right to a fair trial. However you might feel about him and the crimes for which he’s charged, the very fact that you might have such strong feelings is exactly why the court was motivated to impose a gag order preventing the disclosure of such sensitive information: to attempt to preserve an unbiased jury who could judge him fairly, a right he is entitled to by the Constitution, irrespective of his ultimate innocence or guilt, which the police have no business trying to undermine.

Ken goes even further, noting the incredible danger to everyone when police and journalists become too chummy, as perhaps happened in the case here. Police power is power, and left unchecked it can often become tyrannically abusive. Journalists are supposed to help be that check, and when they are not, when they become little but the PR arm for the police, we are all less safe from the inherent danger that police power poses.

But that is why, as Ken and Gideon wrestle with the values of the First Amendment versus the values of the Fifth and Sixth the answer MUST resolve in favor of the First. There is no way to split the baby such that we can vindicate the latter interests here while not inadvertently jeopardizing these and other important interests further in the future. Continue reading »

May 142013

This specific blog post has been prompted by news that the Department of Justice had subpoenaed the phone records of the Associated Press. Many are concerned about this news for many reasons, not the least of which being that this revelation suggests that, at minimum, the Department of Justice violated many of its own rules in how it did so (ie, it should have reported the existence of the subpoena within 45 days, maybe 90 on the outside, but here it seems to have delayed a year). The subpoena of the phone records of a news organization also threatens to chill newsgathering generally, for what sources would want to speak to a reporter if the government could be presumed to know that these communications had been taking place? For reasons discussed in the context of shield laws, reporters can’t do their information-gathering-and-sharing job if the people they get their information from are too frightened to share it. Even if one were to think that in some situations loose lips do indeed sink ships and it’s sometimes bad for people to share information, there’s no way the law can differentiate which situations are bad and which are good presumptively or prospectively. In order to for the good situations to happen – for journalists to help serve as a check on power — the law needs to give them a free hand to discover the information they need to do that.

But the above discussion is largely tangential to the point of this post. The biggest problem with the story of the subpoena is not *that* it happened but that, for all intents and purposes, it *could* happen, and not just because of how it affected the targeted journalists but because of how it would affect anyone subject to a similar subpoena for any reason. Subpoenas are not search warrants, where a neutral arbiter ensures that the government has a proper reason to access the information it seeks. Subpoenas are simply the form by which the government demands the information it wants, and as long as the government only has to face what amounts to a clerical hurdle to get these sorts of communications records there are simply not enough legal barriers to protect the privacy of the people who made them. Continue reading »

May 132013

One of the cases I came across when I was writing an article about Internet surveillance was Deal v. Spears, 980 F. 2d 1153 (8th Cir. 1992), a case involving the interception of phone calls that was arguably prohibited by the Wiretap Act (18 U.S.C. § 2511 et seq.). The Wiretap Act, for some context, is a 1968 statute that applied Fourth Amendment privacy values to telephones, and in a way that prohibited both the government and private parties from intercepting the contents of conversations taking place through the telephone network. That prohibition is fairly strong: while there are certain types of interceptions that are exempted from it, these exemptions have not necessarily been interpreted generously, and Deal v. Spears was one of those cases where the interception was found to have run afoul of the prohibition.

It’s an interesting case for several reasons, one being that it upheld the privacy rights of an apparent bad actor (of course, so does the Fourth Amendment generally). In this case the defendants owned a store that employed the plaintiff, whom the defendants strongly suspected – potentially correctly – was stealing from them. In order to catch the plaintiff in the act, the defendants availed themselves of the phone extension in their adjacent house to intercept the calls the plaintiff made on the store’s business line to further her crimes. Ostensibly such an interception could be exempted by the Wiretap Act: the business extension exemption generally allows for business proprietors to listen in to calls made in the ordinary course of business. (See 18 U.S.C. § 2510(5)(a)(i)). But here the defendants didn’t just listen in to business calls; they recorded *all* calls that the plaintiff made, regardless of whether they related to the business or not, and, by virtue of being automatically recorded, without the telltale “click” one hears when an actual phone extension is picked up, thereby putting the callers on notice that someone is listening in. This silent, pervasive monitoring of the contents of all communications put the monitoring well-beyond the statutory exception that might otherwise have permitted a more limited interception.

[T]he [defendants] recorded twenty-two hours of calls, and […] listened to all of them without regard to their relation to his business interests. Granted, [plaintiff] might have mentioned the burglary at any time during the conversations, but we do not believe that the [defendants’] suspicions justified the extent of the intrusion.

For a similar view, see US v. Jones, 542 F. 2d 661 (6th Cir. 1976):

[T]here is a vast difference between overhearing someone on an extension and installing an electronic listening device to monitor all incoming and outgoing telephone calls.

And so the defendants, hapless victims though they seemed to have been in their own right, were found to have violated the Wiretap Act.

But Deal v. Spears is a telephone case, and telephone cases are fairly straight forward. The statutory language clearly reaches the contents of those communications made with that technology, and all that’s really been left for courts to decide is how broad to construe the few exemptions the statute articulates. What has been much harder is figuring out how to extend the Wiretap Act’s prohibitions against surveillance to those communications made via other technologies (ie, the Internet), or to aspects of those communications that seem to apply more to how they should be routed than their underlying message. However privacy interests are privacy interests, and no amount of legal hairsplitting alleviates the harm that can result when any identifiable aspect of someone’s communications can be surveilled. There is a lot that the Wiretap Act, both in terms of its statutory history and subsequent case law, can teach us about surveillance policy, and we would be foolish not to heed those lessons.

More on them later.

Apr 112013

The Computer Fraud and Abuse Act is no stranger to these pages.  The tragic suicide of Aaron Swartz at the beginning of the year following the relentless pursuit of the Department of Justice against him for his downloading of the JSTOR archive has galvanized a reform movement to overhaul – or at least ameliorate – some of the most troublesome provisions of the CFAA.

One such provision can be found at 18 U.S.C. § 1030(g), which creates a civil cause of action for a party claiming to be aggrieved by the purported wrongdoings described in subsection (a).  While civil causes of action are generally beyond the scope of this blog, having a civil cause of action buried in a statute designed to enable criminal prosecutions can be problematic for defendants facing the latter because the civil litigation, as it explores the contours of the statute and its internal definitions, tends to leave in its wake precedent that prosecutors can later use.  Which is unfortunate, because how the statute may be interpreted in a civil context — which inherently can only reflect the particular dynamics of the particular civil dispute between these particular private parties — reshapes how the statute will be interpreted in a criminal context.  Especially with a law like the CFAA, whose language always tempts excessive application, these civil precedents can vastly expand the government’s prosecutorial power over people’s technology use, and easily in a way Congress never intended.  One should also never presume that the outcome of a civil dispute correlates to a result that is truly fair and just; miscarriages of justice happen all the time, often simply because it is often so difficult and expensive to properly defend against a lawsuit, especially one asserting a claim from such an imprecisely-drafted and overly broad statute like the CFAA.

The reality is that plaintiffs often abuse the judicial process to bully defendants, and that brings us to the second subject of this post, Prenda Law, which is currently being exposed, judicially and publicly  as one of the biggest bullies on the block.  But why should we care here?  Because although Prenda has most notoriously exploited the Copyright Act for its legal attacks, it has also showed itself ready, willing, and able to abuse the easily-abusable CFAA in order to enrich itself as well. Continue reading »

Apr 092013

I found myself blogging about journalist shield law at my personal blog today. As explained in that post, an experience as the editor of the high school paper has made newsman’s privilege a topic near and dear to my heart. So I thought I would resurrect a post I wrote a few years ago on the now-defunct blog I kept as a law student about how newsman’s privilege interacts with blogging as food for thought here. Originally written and edited in 2006/2007, with a few more edits for clarity now.

At a blogging colloquium at Harvard Law School 1 Eugene Volokh gave a presentation on the free speech protections that might be available for blogging, with the important (and, in my opinion, eminently reasonable) suggestion that free speech protections should not be medium-specific. In other words, if these protections would be available to you if you’d put your thoughts on paper, they should be available if you’d put them on a blog. Continue reading »

Mar 272013

I was interviewed yesterday about my concerns for the new Golden Gate Bridge toll system. Like an increasing number of other roadways, as of this morning the bridge will have gone to all-electronic tolling and done away with its human toll-takers, ostensibly as a cost-cutting move. But while it may save the Bridge District some money on salaries, at what cost does it do so to the public?

With the toll-takers bridge users could pay cash, anonymously, whenever they wanted to use the bridge. Fastrak, the previous electronic toll system, has also been an option for the past several years, offering a discount to bridge users who didn’t mind having their travel information collected, stored, and potentially accessed by others in exchange for some potential expediency. But now bridge users will either have to use Fastrak, or agree to have their license plates photographed (and thereby have their travel information collected, stored, and potentially accessed by others) and then compared to DMV records in order to then be invoiced for their travels.
Continue reading »

Mar 272013

I’ve written before about the balance privacy laws need to take with respect to the data aggregation made possible by the digital age. When it comes to data aggregated or accessed by the government, on that front law and policy should provide some firm checks to ensure that such aggregation or access does not violate people’s Fourth Amendment right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Such limitations don’t forever hobble legitimate investigations of wrongdoing; they simply require adequate probable cause before the digital records of people’s lives be exposed to police scrutiny. You do not need to have something to hide in order not to want that.

But all too often when we demand that government better protect privacy it’s not because we want the government to; on the contrary, we want it to force private parties to. Which isn’t to say that there is no room for concern when private parties aggregate personal data. Such aggregations can easily be abused, either by private parties or by the government itself (which tends to have all too easy access to it). But as this recent article in the New York Times suggests, a better way to construct the regulation might be to focus less on how private parties collect the data and more on the subsequent access to and use of the data once collected, since that is generally from where any possible harm could flow. The problem with privacy regulation that is too heavy-handed in how it allows technology to interact with data is that these regulations can choke further innovation, often undesirably. As a potential example, although mere speculation, this article suggests that Google discontinued its support for its popular Google Reader product due to the burdens of compliance with myriad privacy regulations. Assuming this suspicion is true — but even if it’s not — while perhaps some of this regulation vindicates important policy values, it is fair to question whether it does so in a sufficiently nuanced way so that it doesn’t provide a disincentive for innovators to develop and support new products and technologies. If such regulation is having that chilling effect, we may reasonably want to question whether these enforcement mechanisms have gone too far.

Meanwhile public outcry has largely been ignoring much more obvious and dangerous incursions into their privacy rights done by government actors, a notable example of which will be discussed in the following post.