April 24 Panel 2

David Yin

“Tracking the Brothers Katzin”

In May, the Third Circuit will rehear en banc the case of United States v. Katzin. In Katzin, a panel of Third Circuit judges held that the installation of a GPS device on a car by the police requires a warrant, and further held that the police who installed the device could not rely on the Davis good faith exception to the exclusionary rule, though they had installed the device before the Supreme Court held in 2012, in the widely-covered case of United States v. Jones, that installing and monitoring a GPS device on a car constituted a Fourth Amendment search.


The Department of Justice’s petition for rehearing en banc did not challenge the warrant requirement for GPS tracking, so it is likely that the Third Circuit will only review the part of the ruling holding that there was no good faith exception. However, I would like to use this post to discuss the prior question of whether installing and monitoring a GPS tracking device on a car traveling on public roads requires the police to first obtain a warrant, a question the Jones Court left undecided and one I imagine will one day return to the Supreme Court for an ultimate decision. The question remains largely open among the circuits: several sister circuits considering similar cases where the GPS tracking took place before Jones split with the Third Circuit to hold that the good faith exception did apply, and did not reach the warrant requirement issue. See, e.g., United States v. Sparks (1st Cir. 2013); United States v. Aguiar (2d Cir. 2013).

The Government’s best argument for why a warrant should not be required is to nestle this search in the “automobile exception.” Under this longstanding automobile exception, recognized since Carroll v. United States in 1925, the Constitution permits the police to conduct warrantless searches of vehicles where there is probable cause to believe that the vehicle contains evidence of a crime. In Katzin, the Third Circuit assumed, but did not decide, that the police did have probable cause. The rationale for the automobile exception is strikingly similar to the argument for why there should be no Fourth Amendment search in Jones. The Supreme Court has explained that “[o]ne has a lesser expectation of privacy in a motor vehicle because its function is transportation…. A car has little capacity for escaping public scrutiny. It travels public thoroughfares where its occupants and its contents are in plain view.” Indeed, a GPS tracking device only obtains information about the vehicle that the owner has placed in public view—its location on public roads. The Third Circuit wrote that the automobile exception was inapposite because searches under the automobile exception are limited to a discrete moment in time, whereas GPS tracking is a continuous search.

One potential flaw in this argument is that the Supreme Court majority in Jones did not accept that the evil of GPS tracking was the fact that continuous monitoring took place, and rejected the D.C. Circuit’s rationale below that one has a reasonable expectation of privacy in one’s movements over the course of an entire month. (I also note that while Alito’s concurrence in Jones seemed concerned that long-term monitoring would be unconstitutional, it left open the possibility of short-term monitoring. In Katzin, the monitoring only lasted two days.) Instead, the Court revived an ancient theory of trespass—the installation by police of a GPS device on private property (a car) was a trespass under common law, and therefore it was a Fourth Amendment search.

This case illustrates a fundamental weakness of holding up Jones as a victory for privacy. Every search under the automobile exception would likely be a Fourth Amendment search under Jones because it involves a technical trespass with the intent to find information. If traditional automobile searches are trespasses that don’t require a warrant because of the inherent properties of the automobile, then perhaps neither should a warrant be required for GPS tracking devices on automobiles. And it’s difficult to see a law enforcement-friendly Court moving away from the automobile exception, which has survived nearly a century.

To escape this conflict, if the Supreme Court has another opportunity to protect the nation from warrantless GPS tracking from the government, it should supplement its milquetoast trespass reasoning by firmly grounding the Fourth Amendment protection against GPS searches in terms of our reasonable expectation of privacy of being free from continuous government monitoring. If no warrants are required before the police may install and monitor GPS devices on cars, then Jones will be even less protective of our privacy than we thought.

Junine So

Brazilian “Internet Constitution” Signed Into Law Yesterday

Yesterday, Brazilian President Dilma Rousseff signed into law an Internet-rights bill known as Marco Civil. This legislation, which has been dubbed an “Internet constitution” and an “Internet bill of rights,” is among the first national Internet laws of its kind.

For privacy and open internet advocates, Marco Civil checks off some boxes but not others. On the one hand, the law enshrines access to the Internet, guarantees net neutrality and limits the metadata that can be collected from Internet users in Brazil. On the other, it requires Internet service providers to comply with court orders to remove libelous and offensive material published by their users, although providers themselves will not be liable for such content. A draft version of the legislation in the original Portuguese can be found here.

Although experts including World Wide Web inventor Tim Berners-Lee have applauded the Brazilian law for balancing the rights and duties of users, governments and corporations while ensuring an open and decentralized Internet, the enactment of the Marco Civil was not entirely uncontroversial. For one, Rousseff’s government had to drop a contentious provision that was added to the bill following revelations last year that Brazilians, including President Rousseff herself, had been the target of surveillance by the United States’ National Security Agency. This provision would have required global Internet companies like Google and Yahoo to store their data on Brazilian users on servers within the country. On the other hand, the Brazilian government refused to drop a net neutrality provision that telecom companies fiercely opposed. This provision prohibits companies from charging users higher rates for accessing services that use more bandwidth, such as video streaming and Skype.

Marco Civil was signed into law just prior to the opening ceremony of the “Global Multistakeholder Meeting on the Future of Internet Governance,” a two-day conference co-hosted by Brazil, the U.S. and ten other countries. This conference marks the first step away from a U.S.-controlled Internet and towards a globalized, decentralized model, following the U.S. government’s announcement back in March that it was relinquishing its remaining control over the Internet.

Both the structure of the Marco Civil itself and the collaborative process leading up to its enactment will likely prove to be a template for future Internet legislation in other countries.

Noori Torabi

The Evolving Regulatory Landscape for Health App Developers

The widespread adoption and use of mobile applications (apps) is opening new and innovative ways to improve health and health care delivery. Apps can help people manage their own health and wellness, promote healthy living, and gain access to useful information when and where they need it. With the ever-increasing pace of app development and adoption, a comprehensive yet flexible regulatory regime that promotes innovation and at the same time protects customers’ health and safety is now needed more than ever.

Last September, the U.S. Food and Drug Administration (FDA) issued final guidance for mobile medical apps (http://www.fda.gov/newsevents/newsroom/pressannouncements/ucm369431.htm). The FDA will apply the same risk-based approach the agency uses to assure safety and effectiveness for other medical devices. Therefore, the FDA’s regulatory oversight will be focused on apps that are intended to be used as an accessory to a regulated medical device, or that transform a mobile platform into a regulated medical device. The FDA has also published draft guidance on cyber security in medical devices (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm). The guidance is similar to the HIPAA omnibus rule in some ways, namely its emphasis on risk analyses, which, under the draft guidance, companies will be required to complete to secure clearance for new medical devices.

However, the FDA is only one among several agencies that have started to focus their regulatory attention on mobile medical apps. Other regulatory entities in this landscape include the FCC, the FTC, the Office for Civil Rights, which enforces HIPAA, and state attorneys general. Sharon Klein, the chair of Pepper Hamilton’s Privacy, Security and Data Protection practice, thinks that “[t]he regulatory overlap is confusing and in some instances it’s duplicative” (http://mobihealthnews.com/29336/health-app-makers-face-privacy-and-security-regulation-from-many-quarters/). To bring some order in, Congress passed the FDA Safety Act of 2012, which mandated that the Department of Health and Human Services (HHS) produce a report with a strategy and recommendations dealing with mobile health apps that would balance innovation and patient safety while avoiding regulatory duplication. On April 3, 2014, HHS released a draft report that includes a proposed strategy and recommendations for a health information technology framework (http://www.hhs.gov/news/press/2014pres/04/20140403d.html). The report was developed by the FDA in consultation with HHS’ Office of the National Coordinator for Health IT (ONC) and the FCC. The FDA seeks public comment on the draft document.

In the meantime, ONC has launched a new site offering guidance for physicians and hospitals on HIPAA compliance in the bring-your-own-device era (http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security). This site offers advice for health care providers, as well as educational materials such as a series of four posters to hang in the break room reminding employees of their mission to protect patient data. It also offers videos, fact sheets, frequently asked questions (FAQ) lists and other advice content for health care providers to shore up their mobile device security. Hopefully all these regulatory efforts will soon converge into a comprehensive and flexible framework that promotes innovation while maintaining patient safety and health information privacy.

Wei Xu

China: Draft rules to introduce first personal health data protection framework Updated: 20/02/2014

Public consultation on a draft regulation on the administration of personal health information (PHI) (‘the regulation’) – published by the Chinese National Health and Family Planning Commission (NHFPC) on 19 November 2013 – closed on 20 December 2014. PRC laws and regulations have long protected the general concept of a “patient’s privacy,” without providing specific guidance on what is encompassed by this term. The regulation, when promulgated, will be the very first dedicated framework for the protection of PHI in China.

Under the regulation, greater protection will be accorded to PHI: data subjects must be informed of the purpose of data collection and give their consent, and the collection or use of PHI for commercial reasons is prohibited. Furthermore, health institutions will be required to establish rules on identity verification and access to databases containing PHI, and the storage of PHI will be restricted to servers located in China. However, the purpose of the regulation as stated in Article 1 is to regulate the collection, regulation and sharing of PHI, to guarantee the security of PHI and to support the development of the health and science industry; the protection of personal privacy is not mentioned. Besides, under the regulation there are no practical and specific remedial measures for contravention of its provisions. As Mr. Louvel said in this news article, “(the regulation) looks more like a promise for the future!” PRC health data management law still has a long way to go.

Brittany Melone

During Wednesday’s Milbank Tweed Forum, Microsoft General Counsel Brad Smith spoke about the future of privacy law and asked if people, especially young people, still care about privacy. Smith turned to the tech behemoths Facebook and Google to address this question. He posited that Facebook seemingly knows everything there is to know about you, so if people voluntarily share volumes of information about themselves, how can we say they still care about their privacy? However, Smith stated that people around the world still believe that privacy is important. To demonstrate this belief, Smith charted Facebook’s smooth rise in popularity and contrasted it with MySpace’s swift decline. In 2007, MySpace had more than four times as many users as Facebook had; whereas today I think it is a reasonable question to ask if MySpace even still exists. Smith attributed Facebook’s popularity to the fact that, as opposed to MySpace, the default Facebook settings were to share personal information only with people you chose to connect with. Conversely, the default settings for MySpace were to share everything you posted on the site with the entire world. Smith concluded that people want to share more information about themselves now, but they want to share it only with a certain number of people or identifiable “friends.”

The Wall Street Journal recently put together a panel to discuss the same issue that Brad Smith discussed on Wednesday: what does privacy mean to people in the digital age? One panelist, Jeff Jarvis, an associate professor at the CUNY Graduate School of Journalism, warns against “over-regulating” privacy so that our society retains the benefits of “publicness and sharing.” Jarvis believes that “Our new sharing industry is premised on an innate human desire to connect. These aren’t privacy services. They are social services.” Another panelist, Dr. Danah Boyd, a senior researcher at Microsoft, added that people still want privacy, but they also want to share their experiences and make some of them public. The key for Dr. Boyd is empowering people to make their own decisions about what information is available on the Internet: “People want to share. But that’s different than saying that people want to be exposed by others.”

A third panelist, Stewart Baker, a partner in Washington, D.C., at the law firm of Steptoe & Johnson, is of the opinion that privacy is a notion of the past. Baker believes that no one today thinks that photography is a privacy violation. (I’m sure however that many people think being photographed is indeed a privacy violation.) Baker wants people living in the 21st Century to realize that “keeping data hidden is a hopeless task…in the end,” Baker says, “we will adjust. Privacy is the most adaptable of rights.”

The launch of the Facebook Home App has reignited the discussion of whether or not people still believe a level of privacy is attainable while subscribing to social networks such as Facebook. CNN supposes that with the introduction of Facebook Home and other similar apps, “in today’s world, the documentation of our every move and every desire is becoming increasingly inescapable.” Wired editor David Rowan reflects that “It also could be argued that privacy is a long-dead illusion that is fast becoming an outdated concept.” Smith’s quotation of Ray Kurzweil’s remark at Wednesday’s forum is a fitting close: Google will soon know you better than your spouse does.

Rachel Goodwin

The Obamacare website security breaches raised enough concern for even an incredibly inactive House of Representatives to pass a bill to address it. The situation highlighted the particular concerns surrounding sensitive health information. It also highlighted differences between government and corporate action.

At the same time that people were raising concerns about the Obamacare website’s security, Target suffered a breach of thousands of consumers’ data. However, as the congressmen noted, Target consumers willingly interacted with Target and shared their information. While we may argue over the level of choice involved in interacting with different companies, it is certainly higher than in most of our interactions with the government. In this case, many were compelled by their employers to obtain coverage through the Obamacare website. The government also compelled the interaction in a sense, by levying a penalty on those who did not register. To the extent that we care about consumer choice in such privacy matters, the Obamacare security breaches were particularly concerning.

The breaches were all the more concerning because they involved health information. Because information about people’s health feels particularly intimate, these breaches felt particularly threatening.

In order to sign up for health coverage people had to turn over information they would never want their employers to know for fear of discrimination. While the plethora of sensitive data on our consumption patterns has spurred committee meetings and vague resolutions, the potential breach of health information felt private, personal, and threatening enough to spur a dormant House to action.

Julie Simeone

Microsoft Defends Its Right to Read Your Email & Then Quickly Decides It’s Actually A Bad Idea To Snoop

In 2012, Microsoft uncovered that one of its former employees had leaked certain proprietary software to a blogger. Following this discovery, the legal team at Microsoft green-lit an emergency “content pull” whereby Microsoft investigators entered the blogger’s Hotmail account and read through emails and IMs. On March 19, 2014 this investigation ended with the arrest of Alex Kibkalo, a former Microsoft employee then residing in Lebanon.

In certain federal court filings, the company defended its decision to pore over these emails and instant messages in the name of “track[ing] down and stop[ping] a potential catastrophic leak of sensitive information software.”[1] A blog post by one of Microsoft’s lawyers justified the response, saying that the company “took extraordinary actions based on the specific circumstances.” Pertinent here (for exam takers, and others) is that the company rationalized this investigation by reference to its terms of service: “When you use Microsoft communication products—Outlook, Hotmail, Windows Live—you agree to ‘this type of review . . . in the most exceptional circumstances.’”[2] Microsoft added that the terms of use give it the right to “access or disclose information about [the customer] . . . to protect the rights or property of Microsoft.”[3]

But only a week later, Microsoft doubled back and rethought this position. General Counsel Brad Smith commented that this type of investigation would not be Microsoft’s practice going forward: “[R]ather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.” Smith was careful to note that Microsoft had been operating within its legal rights in poring over the emails and IMs, while recognizing that reliance on formal legal processes is appropriate in these types of situations.

[1] Jose Pagliery, Microsoft Defends its Right to Read Your Email, CNN Money (Mar. 21, 2014), http://money.cnn.com/2014/03/21/technology/security/microsoft-email/.

[2] Id.

[3] Kashmir Hill, Microsoft Decides It’s Actually a Bad Idea to Snoop Through Users’ Emails, Forbes (Mar. 28, 2014), http://www.forbes.com/sites/kashmirhill/2014/03/28/microsoft-decides-its-actually-a-bad-idea-to-snoop-through-users-emails/.