Tuesday, June 28, 2011

Can't Prohibit Sale of Violent Games

In this 7-2 opinion, the Supreme Court has struck down a California ban on sales of violent video games to minors. The result isn't at all surprising, though I'm guessing it will come as a shock to people like Roger "video games can never be art" Ebert. A few choice passages:

“‘From 1791 to the present,’ . . . the First Amendment has ‘permitted restrictions upon the content of speech in a few limited areas,’ and has never ‘include[d] a freedom to disregard these traditional limitations.’” United States v. Stevens, 559 U. S. ___, ___ (2010) (slip op., at 5) (quoting R. A. V. v. St. Paul, 505 U. S. 377, 382–383 (1992)). These limited areas—such as obscenity, Roth v. United States, 354 U. S. 476, 483 (1957), incitement, Brandenburg v. Ohio, 395 U. S. 444, 447–449 (1969) (per curiam), and fighting words, Chaplinsky v. New Hampshire, 315 U. S. 568, 572 (1942)—represent “well-defined and narrowly limited classes of speech, the prevention and punishment of which have never been thought to raise any Constitutional problem,” id., at 571–572.

NOTE: the above passage doesn't break any new ground. I just love it when the Supreme Court explains that the obscenity exception is well-defined and narrowly limited.

JUSTICE ALITO has done considerable independent research to identify, see post, at 14–15, nn. 13–18, video games in which “the violence is astounding,” post, at 14.

Yeah, researching...that's what he was doing...researching...

[in a footnote addressing studies purporting to link violent behavior and violent video games] 7One study, for example, found that children who had just finished playing violent video games were more likely to fill in the blank letter in “explo_e” with a “d” (so that it reads “explode”) than with an “r” (“explore”). App. 496, 506 (internal quotation marks omitted). The prevention of this phenomenon, which might have been anticipated with common sense, is not a compelling state interest.

Finally, another choice Scalia quote eviscerating California's purported rationale for the law:

California claims that the Act is justified in aid of pa-rental authority: By requiring that the purchase of violent video games can be made only by adults, the Act ensures that parents can decide what games are appropriate. At the outset, we note our doubts that punishing third partiesfor conveying protected speech to children just in casetheir parents disapprove of that speech is a proper gov-ernmental means of aiding parental authority. Accepting that position would largely vitiate the rule that “only inrelatively narrow and well-defined circumstances may government bar public dissemination of protected materi-als to [minors].” Erznoznik, 422 U. S., at 212–213.

All in all, a decision I agree with, and a nice way to end the term.

Friday, April 22, 2011

Root Cause of Privacy Furor: EULAs

People really care about the fact that their smartphones gather location data. It reached the frontpage of MSNBC.com with this article. It also inspired a flood of righteous indignation from Washington. From the article:

Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?

-Al Franken (D-Minn)

Collecting, storing and disclosing a consumer's location for commercial purposes without their express permission is unacceptable and would violate current law. That's why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can't be left behind for others to follow.

-Edward Markey (D-Mass)

It seems surprising that a large company like Apple wouldn't have tried to get consent from users to collect this location information, especially since it's so trivial to include it in the EULA which everyone agrees to anyway.

Oh, wait... (from the iPhone EULA, updated 5/8/09, available here)

(b) Location Data. Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone. The location data collected by Apple is collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide location-based products and services. By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing and use of your location data to provide such products and services. You may withdraw this consent at any time by not using the location-based features or by turning off the Location Services setting on your iPhone. Not using these features will not impact the non location-based functionality of your iPhone. When using third party applications or services on the iPhone that use or provide locaiton data, you are subject to and should review such third party's terms and privacy policy on use of location data by such third party applications or services.

(emphasis in original)

I wonder how many of those Senators read the EULA before pontificating about Apple not getting consent for collecting location data. I wonder how many consumers who have privacy concerns about their location actually read the EULA before agreeing to it. My guess is that the answer to both questions is none. That isn't to say that there isn't a real problem. After all, I think there is a big conflict between EULAs and privacy, and that that conflict is a matter of significant public concern.

But unless there's more to the story than is currently being reported, the problem isn't that people's privacy rights have been violated, it's that they were inadvertently thrown away.

Wednesday, April 13, 2011

Data privacy legislation introduced

Per Wired.com, Senators Kerry and McCain have proposed legislation that would give web users the right not to be tracked while on line (the text of the bill can be found here). While this sounds like a step forward for consumer privacy, the legislation has not been well received by privacy advocates. According to the article:

The ACLU and others would prefer what is being touted as a “universal opt-out” in which consumers could one-stop shop and end all tracking by using a national registry of sorts. The Federal Trade Commission suggested such legislation in December.

“Consumers need strong baseline safeguards to protect them from the sophisticated data profiling and targeting practices that are now rampant online and with mobile devices. We cannot support the bill at this time,” Consumer Watchdog, Center for Digital Democracy, Consumer Action Privacy Rights Clearinghouse and Privacy Times wrote McCain and Kerry on Tuesday.

While I have concerns about the proposed legislation, I don't know that I agree with the sentiments expressed by quoted advocacy organizations. True, the bill could do more for privacy. However, the U.S. has generally been slow to enact laws protecting privacy, so letting the perfect be the enemy of the good in this case doesn't seem to make sense. Also, the bill (at least as proposed) does do more than prevent tracking. For example, for example, section 101 requires the FTC to make rules requiring covered entities to establish security measures to protect the data they do collect and section 202(A)(4) requires the FTC to make rules enabling individuals to correct information stored about them. There are also provisions requiring covered entities to design their products with privacy in mind (section 103) and to minimize the data they collect (section 301). These are all potentially helpful provisions, and the fact that they weren't mentioned indicates to me that the bill might not be getting all the credit it deserves.

With that having been said, I do have two problems with the bill that (if anyone were interested in my opinion) would stop me from supporting it. First, as mentioned in the Wired article, it preempts potentially more stringent state laws (section 405). This is a significant problem, as states are generally well ahead of the federal government on privacy issues. Second, it specifically states that it does not create any kind of private right of action (section 406). This is also a significant issue, since giving people the right to sue would likely result in much more vigorous enforcement of the law than simply relying on the FTC.

The bottom line for me is that, while the legislation includes a number of privacy protective features, its incompatibility with stronger state laws, as well as its lack of a private right of action mean that, if passed, it probably wouldn't help (and might even hurt) consumer privacy rights.

Wednesday, March 30, 2011

Geolocation Bill Seeks to Unify Fourth Amendment Protections

The following guest post is provided by Sonya Ziaja, J.D. Sonya is the co-owner of Ziaja Consulting LLC, a California based consulting group. She writes regularly for LegalMatch's Law Blog and Ziaja Consulting's blog, Shark. Laser. Blawg.

Senator Ron Wyden (D-Oregon) is in the process of crafting a bill to place legal limitations on the use of geolocation technologies.

Geolocation is commonplace nowadays. People play geolocation games (Foursquare, etc.). And geolocation technologies are encouraged to protect public safety (FCC’s Enhanced 911 rule). To some extent we are comfortable with broadcasting our location, which is well and good so long as doing so is harmless. There is, however, a less carefree side to geolocation--especially where it comes into conflict with the protections of the fourth amendment against unreasonable searches.

Over the past few years, law enforcement has increasing relied on geolocation techniques to track citizens without first obtaining a warrant. Doing so is at least questionably constitutional, if not outright illegal. Law enforcement makes use of both cell phone tracking and secretly tagging vehicles with GPS devices, all without court authorization.

The courts are split on the fourth amendment issues this issue raises. The Ninth Circuit in US v. Pineda-Moreno, for example, held that surreptitiously tagging a vehicle with a GPS device does not require a warrant because it is a substitute for “following a car on a public street, that is unequivocally not a search within the meaning of the [fourth] amendment.” The D.C. Circuit, however, takes the opposite view. In US v. Maynard, the D.C. Circuit held that a warrant is constitutionally necessary before police attach a GPS device to a suspect’s car. The court also specifically rejected the automobile exception argument, stating that

the automobile exception permits the police to search a car without a warrant if they have reason to believe it contains contraband; the exception does not authorize them to install a tracking device on a car without the approval of a neutral magistrate.

A recent case highlights the split. Earlier this March, a twenty-year old college student from San Jose, California brought suit against the FBI for secretly tagging his car without a warrant. Not surprisingly, he has decided to file in Washington D.C., rather than in California.

This circuit split is part of the impetus behind Senator Wyden’s bill--the Geolocational Privacy and Surveillance Act, or GPS Act. The bill aims to clarify the law, addressing multiple forms of geolocation, covering both information gained through cell phone use and covertly tagging vehicles. The hope is that the bill will create a uniform policy that protects both privacy and public safety.

To balance privacy and safety, the bill provides exemptions for emergency cases--for example in cases of national security of when the user’s life is at risk--when police would not need to obtain a warrant. These exemptions have been the most contentious aspect of the bill. Paul Wormelli, executive of the Integrated Justice Information Systems Institute, has been particularly vocal about his concerns that the bill’s exceptions are too vague and would have a chilling effect on officers.

The bill is still in the early stages, however, and has not been formally introduced in the Senate. The language may need clarifying, but at the moment, the GPS bill looks to be our best bet to address the constitutional issues raised by widespread use of geolocation technologies.

Thursday, January 20, 2011

Use of the Stored Communications Act to Get Email Without a Warrant Violates Fourth Amendment

Most modern email services allow people to keep messages indefinitely, and provide their users with enough space that doing so is actually an option. As a result, many people use their email accounts as a long term data archive, storing messages going back years.

So what does this have to do with privacy? Well, the stored communications act was written back in the days when email was much more akin to a mailbox. Because of this, it treats old email in a manner which is similar to how one might treat abandoned mail, and provides a mechanism in 18 U.S.C. 2703(d) to allow the government to get access to it without a warrant.

Actually, it provided a mechanism to allow the government to get access without a warrant. That changed with the case of U.S. v. Warshak, which found the government's use of section 2703(d) to obtain incriminating emails without a warrant violated the fourth amendment.

The facts of the case are extreme, and make for entertaining reading. The main defendant, Steven Warshak, owned Berkeley Premium Neutraceuticals, the company behind the once ubiquitous commercials for Enzyte. According to the opinion, Warshak had owned a number of other businesses. However, Berkeley stood out, both because of the success of Enzyte, and because of its extremely slimy business practices. A sample:

in November 2003, Berkeley hired a company called West to handle “sales calls that were from . . . Avlimil or Enzyte advertisements.” During the calls, West’s representatives asked customers if they wanted to be enrolled in the auto-ship program, and over 80% of customers declined. When Warshak learned what was happening, he issued instructions to “take those customers, even if they decline[d], even if they said no to the Auto-Ship program, go ahead and put them on the Auto-Ship program.” A subsequent email between Berkeley employees indicated that “all [West] customers, whether they know it or not, are going on [auto-ship].” As a result, numerous telephone orders resulted in unauthorized continuity shipments.

Those practices eventually led to a 112 count indictment, and the government obtaining thousands of incriminating emails from Warshak's service provider without a warrant under section 2703(d) of the stored communications act. After his conviction, Warshak appealed to the Sixth Circuit court of appeals arguing (among other things) that the emails were obtained in violation of the 4th amendment, and therefore should have been excluded as evidence.

While the Sixth Circuit upheld Warshak's conviction, it agreed that the warrantless search of Warshak's emails violated the fourth amendment. First, it established that Warshak had a subjective expectations that his emails would remain private. Indeed, the court said the very fact that the emails contained so much incriminating information was evidence that Warshak saw them as private correspondence. Next, the court asked whether the expectation of privacy in emails was one society was prepared to recognize as reasonable. To answer, the court addressed the heavy reliance of modern society on email, and analogized it to other types of communication that were traditionally protected under the fourth amendment. In the end, it concluded that

because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

The decision didn't do much for Warshak. The court also held that the government had been relying in good faith on the act, and so the emails shouldn't be excluded. However, it will help everyone else down the line, because the good faith rule can't be used to justify actions that are clearly inconsistent with the court's holding.