Tuesday, June 28, 2011

Can't Prohibit Sale of Violent Games

In this 7-2 opinion, the Supreme Court has struck down a California ban on sales of violent video games to minors. The result isn't at all surprising, though I'm guessing it will come as a shock to people like Roger "video games can never be art" Ebert. A few choice passages:

“‘From 1791 to the present,’ . . . the First Amendment has ‘permitted restrictions upon the content of speech in a few limited areas,’ and has never ‘include[d] a freedom to disregard these traditional limitations.’” United States v. Stevens, 559 U. S. ___, ___ (2010) (slip op., at 5) (quoting R. A. V. v. St. Paul, 505 U. S. 377, 382–383 (1992)). These limited areas—such as obscenity, Roth v. United States, 354 U. S. 476, 483 (1957), incitement, Brandenburg v. Ohio, 395 U. S. 444, 447–449 (1969) (per curiam), and fighting words, Chaplinsky v. New Hampshire, 315 U. S. 568, 572 (1942)—represent “well-defined and narrowly limited classes of speech, the prevention and punishment of which have never been thought to raise any Constitutional problem,” id., at 571–572.

NOTE: the above passage doesn't break any new ground. I just love it when the Supreme Court explains that the obscenity exception is well-defined and narrowly limited.

JUSTICE ALITO has done considerable independent research to identify, see post, at 14–15, nn. 13–18, video games in which “the violence is astounding,” post, at 14.

Yeah, researching...that's what he was doing...researching...

[in a footnote addressing studies purporting to link violent behavior and violent video games] 7One study, for example, found that children who had just finished playing violent video games were more likely to fill in the blank letter in “explo_e” with a “d” (so that it reads “explode”) than with an “r” (“explore”). App. 496, 506 (internal quotation marks omitted). The prevention of this phenomenon, which might have been anticipated with common sense, is not a compelling state interest.

Finally, another choice Scalia quote eviscerating California's purported rationale for the law:

California claims that the Act is justified in aid of pa-rental authority: By requiring that the purchase of violent video games can be made only by adults, the Act ensures that parents can decide what games are appropriate. At the outset, we note our doubts that punishing third partiesfor conveying protected speech to children just in casetheir parents disapprove of that speech is a proper gov-ernmental means of aiding parental authority. Accepting that position would largely vitiate the rule that “only inrelatively narrow and well-defined circumstances may government bar public dissemination of protected materi-als to [minors].” Erznoznik, 422 U. S., at 212–213.

All in all, a decision I agree with, and a nice way to end the term.

Friday, April 22, 2011

Root Cause of Privacy Furor: EULAs

People really care about the fact that their smartphones gather location data. It reached the frontpage of MSNBC.com with this article. It also inspired a flood of righteous indignation from Washington. From the article:

Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?

-Al Franken (D-Minn)

Collecting, storing and disclosing a consumer's location for commercial purposes without their express permission is unacceptable and would violate current law. That's why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can't be left behind for others to follow.

-Edward Markey (D-Mass)

It seems surprising that a large company like Apple wouldn't have tried to get consent from users to collect this location information, especially since it's so trivial to include it in the EULA which everyone agrees to anyway.

Oh, wait... (from the iPhone EULA, updated 5/8/09, available here)

(b) Location Data. Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone. The location data collected by Apple is collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide location-based products and services. By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing and use of your location data to provide such products and services. You may withdraw this consent at any time by not using the location-based features or by turning off the Location Services setting on your iPhone. Not using these features will not impact the non location-based functionality of your iPhone. When using third party applications or services on the iPhone that use or provide locaiton data, you are subject to and should review such third party's terms and privacy policy on use of location data by such third party applications or services.

(emphasis in original)

I wonder how many of those Senators read the EULA before pontificating about Apple not getting consent for collecting location data. I wonder how many consumers who have privacy concerns about their location actually read the EULA before agreeing to it. My guess is that the answer to both questions is none. That isn't to say that there isn't a real problem. After all, I think there is a big conflict between EULAs and privacy, and that that conflict is a matter of significant public concern.

But unless there's more to the story than is currently being reported, the problem isn't that people's privacy rights have been violated, it's that they were inadvertently thrown away.

Wednesday, April 13, 2011

Data privacy legislation introduced

Per Wired.com, Senators Kerry and McCain have proposed legislation that would give web users the right not to be tracked while on line (the text of the bill can be found here). While this sounds like a step forward for consumer privacy, the legislation has not been well received by privacy advocates. According to the article:

The ACLU and others would prefer what is being touted as a “universal opt-out” in which consumers could one-stop shop and end all tracking by using a national registry of sorts. The Federal Trade Commission suggested such legislation in December.

“Consumers need strong baseline safeguards to protect them from the sophisticated data profiling and targeting practices that are now rampant online and with mobile devices. We cannot support the bill at this time,” Consumer Watchdog, Center for Digital Democracy, Consumer Action Privacy Rights Clearinghouse and Privacy Times wrote McCain and Kerry on Tuesday.

While I have concerns about the proposed legislation, I don't know that I agree with the sentiments expressed by quoted advocacy organizations. True, the bill could do more for privacy. However, the U.S. has generally been slow to enact laws protecting privacy, so letting the perfect be the enemy of the good in this case doesn't seem to make sense. Also, the bill (at least as proposed) does do more than prevent tracking. For example, for example, section 101 requires the FTC to make rules requiring covered entities to establish security measures to protect the data they do collect and section 202(A)(4) requires the FTC to make rules enabling individuals to correct information stored about them. There are also provisions requiring covered entities to design their products with privacy in mind (section 103) and to minimize the data they collect (section 301). These are all potentially helpful provisions, and the fact that they weren't mentioned indicates to me that the bill might not be getting all the credit it deserves.

With that having been said, I do have two problems with the bill that (if anyone were interested in my opinion) would stop me from supporting it. First, as mentioned in the Wired article, it preempts potentially more stringent state laws (section 405). This is a significant problem, as states are generally well ahead of the federal government on privacy issues. Second, it specifically states that it does not create any kind of private right of action (section 406). This is also a significant issue, since giving people the right to sue would likely result in much more vigorous enforcement of the law than simply relying on the FTC.

The bottom line for me is that, while the legislation includes a number of privacy protective features, its incompatibility with stronger state laws, as well as its lack of a private right of action mean that, if passed, it probably wouldn't help (and might even hurt) consumer privacy rights.

Wednesday, March 30, 2011

Geolocation Bill Seeks to Unify Fourth Amendment Protections

The following guest post is provided by Sonya Ziaja, J.D. Sonya is the co-owner of Ziaja Consulting LLC, a California based consulting group. She writes regularly for LegalMatch's Law Blog and Ziaja Consulting's blog, Shark. Laser. Blawg.

Senator Ron Wyden (D-Oregon) is in the process of crafting a bill to place legal limitations on the use of geolocation technologies.

Geolocation is commonplace nowadays. People play geolocation games (Foursquare, etc.). And geolocation technologies are encouraged to protect public safety (FCC’s Enhanced 911 rule). To some extent we are comfortable with broadcasting our location, which is well and good so long as doing so is harmless. There is, however, a less carefree side to geolocation--especially where it comes into conflict with the protections of the fourth amendment against unreasonable searches.

Over the past few years, law enforcement has increasing relied on geolocation techniques to track citizens without first obtaining a warrant. Doing so is at least questionably constitutional, if not outright illegal. Law enforcement makes use of both cell phone tracking and secretly tagging vehicles with GPS devices, all without court authorization.

The courts are split on the fourth amendment issues this issue raises. The Ninth Circuit in US v. Pineda-Moreno, for example, held that surreptitiously tagging a vehicle with a GPS device does not require a warrant because it is a substitute for “following a car on a public street, that is unequivocally not a search within the meaning of the [fourth] amendment.” The D.C. Circuit, however, takes the opposite view. In US v. Maynard, the D.C. Circuit held that a warrant is constitutionally necessary before police attach a GPS device to a suspect’s car. The court also specifically rejected the automobile exception argument, stating that

the automobile exception permits the police to search a car without a warrant if they have reason to believe it contains contraband; the exception does not authorize them to install a tracking device on a car without the approval of a neutral magistrate.

A recent case highlights the split. Earlier this March, a twenty-year old college student from San Jose, California brought suit against the FBI for secretly tagging his car without a warrant. Not surprisingly, he has decided to file in Washington D.C., rather than in California.

This circuit split is part of the impetus behind Senator Wyden’s bill--the Geolocational Privacy and Surveillance Act, or GPS Act. The bill aims to clarify the law, addressing multiple forms of geolocation, covering both information gained through cell phone use and covertly tagging vehicles. The hope is that the bill will create a uniform policy that protects both privacy and public safety.

To balance privacy and safety, the bill provides exemptions for emergency cases--for example in cases of national security of when the user’s life is at risk--when police would not need to obtain a warrant. These exemptions have been the most contentious aspect of the bill. Paul Wormelli, executive of the Integrated Justice Information Systems Institute, has been particularly vocal about his concerns that the bill’s exceptions are too vague and would have a chilling effect on officers.

The bill is still in the early stages, however, and has not been formally introduced in the Senate. The language may need clarifying, but at the moment, the GPS bill looks to be our best bet to address the constitutional issues raised by widespread use of geolocation technologies.

Thursday, January 20, 2011

Use of the Stored Communications Act to Get Email Without a Warrant Violates Fourth Amendment

Most modern email services allow people to keep messages indefinitely, and provide their users with enough space that doing so is actually an option. As a result, many people use their email accounts as a long term data archive, storing messages going back years.

So what does this have to do with privacy? Well, the stored communications act was written back in the days when email was much more akin to a mailbox. Because of this, it treats old email in a manner which is similar to how one might treat abandoned mail, and provides a mechanism in 18 U.S.C. 2703(d) to allow the government to get access to it without a warrant.

Actually, it provided a mechanism to allow the government to get access without a warrant. That changed with the case of U.S. v. Warshak, which found the government's use of section 2703(d) to obtain incriminating emails without a warrant violated the fourth amendment.

The facts of the case are extreme, and make for entertaining reading. The main defendant, Steven Warshak, owned Berkeley Premium Neutraceuticals, the company behind the once ubiquitous commercials for Enzyte. According to the opinion, Warshak had owned a number of other businesses. However, Berkeley stood out, both because of the success of Enzyte, and because of its extremely slimy business practices. A sample:

in November 2003, Berkeley hired a company called West to handle “sales calls that were from . . . Avlimil or Enzyte advertisements.” During the calls, West’s representatives asked customers if they wanted to be enrolled in the auto-ship program, and over 80% of customers declined. When Warshak learned what was happening, he issued instructions to “take those customers, even if they decline[d], even if they said no to the Auto-Ship program, go ahead and put them on the Auto-Ship program.” A subsequent email between Berkeley employees indicated that “all [West] customers, whether they know it or not, are going on [auto-ship].” As a result, numerous telephone orders resulted in unauthorized continuity shipments.

Those practices eventually led to a 112 count indictment, and the government obtaining thousands of incriminating emails from Warshak's service provider without a warrant under section 2703(d) of the stored communications act. After his conviction, Warshak appealed to the Sixth Circuit court of appeals arguing (among other things) that the emails were obtained in violation of the 4th amendment, and therefore should have been excluded as evidence.

While the Sixth Circuit upheld Warshak's conviction, it agreed that the warrantless search of Warshak's emails violated the fourth amendment. First, it established that Warshak had a subjective expectations that his emails would remain private. Indeed, the court said the very fact that the emails contained so much incriminating information was evidence that Warshak saw them as private correspondence. Next, the court asked whether the expectation of privacy in emails was one society was prepared to recognize as reasonable. To answer, the court addressed the heavy reliance of modern society on email, and analogized it to other types of communication that were traditionally protected under the fourth amendment. In the end, it concluded that

because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

The decision didn't do much for Warshak. The court also held that the government had been relying in good faith on the act, and so the emails shouldn't be excluded. However, it will help everyone else down the line, because the good faith rule can't be used to justify actions that are clearly inconsistent with the court's holding.

Tuesday, November 23, 2010

DJ Hero

I got an anonymous comment to my last post on the TSA's new security procedures saying that there has to be something we can do, rather than just submitting to whatever is advanced under the name of security. As it happens, there are several things that people can do to react to the TSA's new procedures.

The most well publicized protest is probably National Opt Out Day (warning - page includes naked picture taken with TSA's new scanners), wherein people will opt for being groped by a TSA agent to slow down processing of fliers on November 24 - the busiest flying day of the year. If that's your cup of tea, then it's certainly your right to opt out of the scanning (which you might want to do anyway, for both health and privacy reasons). For me though, I'm not at all interested in being groped by the TSA, even for the noble purpose of protest.

If you're more interested in an ineffectual protest with a touch of humor, you can try radiation shielding undergarments, or a bill or rights luggage tag (all of which are described in this article). My guess is that the bill of rights tag would just be ignored (much like the actual bill of rights), and that the metal undergarments would result in a referral for one of the TSA's special enhanced pat downs. Still, if you want to make a statement, those are another way to do it.

As a lawyer, my first thought was a declaratory judgment action seeking to preliminarily and permanently enjoin the TSA from implementing the new security measures. My next thought was that that was so obvious that someone must have already done it. However, a quick Google search didn't turn up much more than this thread, so maybe that's still available. The problem with this approach is that these types of DJ actions are really hard to win, and you may get bumped on procedural grounds before the judge ever reaches the merits of the case.

In the end though, my guess is that what will be necessary to reverse these new procedures is people (finally) taking a stand for privacy, and bringing enough bad press to the TSA and pressure on their elected representatives, that the TSA's current policies become radioactive. I'm not thrilled that we've reached that point, but it is a free country, and if our elected representatives make enough intrusive laws, sometimes the only way to respond is by replacing them with people who aren't so keen to invade people's privacy.

Sunday, November 14, 2010

Fighting the TSA

The Internet is currently burning up with a story about a man who would rather not fly than submit to the TSA's intrusive screening procedures, and how the TSA reacted to him. To make a long story short, once he decided to leave the security area and ask for a ticket refund, a TSA agent told him he had to return to the security area or would be subject to a civil fine of up to $10,000. A normal person's reaction to reading this story might be outrage at this sort of petty tyranny. As a lawyer, my first reaction was to question whether the threat was real. That is, is this a case of abuse of power by a misguided TSA employee acting outside his authority, or is it a case of abuse of power by a misguided TSA employee enforcing an egregiously bad law?

After about an hour of searching, I strongly suspect that this is a case of abuse of power by a misguided TSA employee acting outside his authority, though I have not been able to convince myself of that fact, and so the normal disclaimers about nothing on this blog being legal advice should go at least double for this post.

The reason I strongly suspect that this is a case of abuse of power by a misguided TSA employee acting outside his authority is that the regulations on penalties and prohibitions mostly focus on making sure that you can't get certain things into secure areas. For example, 49 C.F.R. 1540.107 says that no one can enter the sterile area or board an aircraft without going through a screening. However, in this case, the putative flyer wasn't trying to get into the sterile area or an aircraft without going through a screening - he made a conscious decision to avoid a screening by not entering the sterile area or boarding an aircraft. Similarly, 49 C.F.R. 1540.109 prohibits threatening, interfering with, assaulting or intimidating screening personnel. However, in this case, the putative flyer wasn't interfering at all. Indeed, the screening personnel could have done their jobs more easily if they had simply let him leave the airport. Because there is no evidence that leaving the airport had any adverse effect on security, or on the ability of the screening personnel to screen other passengers, it seems to fall outside of the general scope of the regulations, and so I suspect that the threat of a $10,000 civil penalty was not supported by law.

However, the reason I haven't been able to convince myself of the fact that a civil penalty couldn't have been imposed is that the relevant law is more than a little bit difficult to wade through, and the regs have previously been applied in ways that seem patently unjust. In terms of difficulty wading through the regs, I will give one example: 49 U.S.C. 46301(a)(5):

(A) An individual (except an airman serving as an airman) or small business concern is liable to the Government for a civil penalty of not more than $10,000 for violating—
(i) chapter 401 (except sections 40103 (a) and (d), 40105, 40106 (b), 40116, and 40117), section 44502 (b) or (c), chapter 447section 44502 (b) or (c), chapter 447 (except sections 44717–44723), or chapter 449 (except sections 44902, 44903 (d), 44904, and 44907–44909) of this title; or
(ii) a regulation prescribed or order issued under any provision to which clause (i) applies.

And that's just one example. As a lawyer, I can wade through that, cross checking sections, examining applicability to a given situation, etc. However, as a human being, I don't do that sort of thing for fun, and no one is paying me to write this blog. In terms of unjust application of the regs in the past, I refer readers to Rendon v. TSA an unhappy case where a civil fine imposed for asking some rather profane (but not unreasonable) questions about security procedures was upheld under the prohibition on interfering with screening personnel. While I think imposing a fine for trying to leave an airport is even worse than the situation in Rendon, given the result in Rendon, it wouldn't surprise me terribly if a fine, in fact, were imposed.

So what will happen in this particular case? Probably nothing. I doubt the TSA will seek penalties, given that the whole incident was video taped, and a trial would only lead to bad press and the possibility of their powers being curtailed. In the end, my guess is the whole thing will blow over, the TSA will keep their current security policies in place, and most people (e.g., me) who can't afford to skip flights just because we might not want to be molested by the TSA will end up being subjected to whatever form of invasive screening the TSA thinks is warranted without any realistic avenue for recourse.