Last week, we discussed the US Supreme Court ruling in the case of United States v. Jones. In a unanimous decision (Supreme Court pdf; archive pdf), the court held that police do need a valid warrant to place a GPS device on a vehicle. The majority opinion was premised on the fact that there was a physical trespass, or intrusion, by putting the device on the vehicle. It did not decide an issue of privacy, and a New York Times editorial criticizes the Supreme Court ruling for being too narrow:

The Supreme Court ruled unanimously on Monday that the police violated the Constitution when they hid a Global Positioning System tracking device on the car of Antoine Jones and monitored his movements for 28 days. It put law enforcement on notice that most GPS electronic surveillance will be suspect without a judge’s warrant.

As welcome as the ruling was, the court left too many questions unanswered. It did not say how long this kind of surveillance can go on before requiring a warrant or what types of crimes justify GPS monitoring. It did not say what the rule would be if the police had tracked Mr. Jones with a technology not hidden on his car. Read more »

In the last few months, there have been reports about how smartphone users’ data could be quietly gathered and used by companies via software from a company called Carrier IQ. Sen. Al Franken (D-Minn.), chairman of the subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee, wrote to Carrier IQ demanding answers about how this technology affects cellphone users’ privacy. European officials are investigating the company for possible privacy violations. Carrier IQ spoke with the Wall Street Journal about its software.

Now, the Hill reports that Rep. Ed Markey (D-Mass), a co-chairman of the House caucus on privacy, has released a discussion draft (pdf) of the Mobile Device Privacy Act, which would require telecommunications providers such as Verizon, AT&T and Sprint to reveal if they are using data-tracking software such as Carrier IQ on mobile devices:

Consumers would have to consent to any data collection or transmission, and third parties would have to have policies in place to secure the data they collect.

Companies that want to transfer data to third parties would have to file applications with the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC). Read more »

The Washington Post reports on a lawsuit by employees at the Food and Drug Administration over the privacy of their personal e-mail. The story is a good reminder that technology can allow employers to see and record whatever you do on a work computer. There can be questions as to the legality of employers doing so in various cases, such as this one:

The Food and Drug Administration secretly monitored the personal e-mail of a group of its own scientists and doctors after they warned Congress that the agency was approving medical devices that they believed posed unacceptable risks to patients, government documents show.

The surveillance — detailed in e-mails and memos unearthed by six of the scientists and doctors, who filed a lawsuit against the FDA in U.S. District Court in Washington last week — took place over two years as the plaintiffs accessed their personal Gmail accounts from government computers.

Information garnered this way eventually contributed to the harassment or dismissal of all six of the FDA employees, the suit alleges. All had worked in an office responsible for reviewing devices for cancer screening and other purposes.

Copies of the e-mails show that, starting in January 2009, the FDA intercepted communications with congressional staffers and draft versions of whistleblower complaints complete with editing notes in the margins. [...] Read more »

USA Today reports on how companies such as Google and Facebook are reacting to changes proposed in the European Union that would limit tracking of individuals’ online activities:

They may be battling each other tooth-and-nail to win over online advertisers. But Google and Facebook are on the same side when it comes to opposing new data-handling privacy laws fast-gelling in Europe and the U.S.

On Wednesday, the European Union formally proposed strict rules that could restrict much of the systematic tracking and profiling Google and Facebook routinely do of Internet users, as part of delivering targeted ads to them.

If Europe’s new rules are implemented as expected in 2013, the tech rivals could face hefty fines, up to 2% of annual revenue, for any violations. In Google’s case that translates into a maximum penalty of $800 million.

On Tuesday, Facebook Chief Operating Officer Sheryl Sandberg delivered a statistics-filled speech at a tech conference in Munich outlining how Europe’s proposed rules are very likely to stymie the global economy. [...]

Meanwhile, refinements announced this week by Google and Facebook, about how each tracks and profiles Internet users, added heat to the domestic debate over the need for new data privacy rules here in the U.S. Read more »

Last week, there was discussion of HB 2288 (pdf) in Hawaii, a bill that could have lead to the state keeping tracking of all Web sites visited, which would raise numerous privacy and civil liberties questions. Now, Computerworld reports that lawmakers in Hawaii have dropped the legislation:

Lawmakers in Hawaii on Thursday quietly dropped a bill that would have required Internet service providers to collect the detailed browsing histories of Internet users in the state and store the data for at least two years.

The bill, HB 2288, would have required anyone providing access to the Internet in Hawaii to maintain “consumer records” of every Internet user’s subscriber information and data such as the IP addresses, domain names and host names of the sites they visit.

In theory at least, the bill would have covered not only ISPs but also libraries, coffee shops and employers, the Electronic Frontier Foundation noted in a blog post Thursday. [...]

The bill was scheduled to be heard on Thursday before the Hawaii State Legislature’s House Committee on Economic Revitalization & Business (ERB). It was instead tabled, in what appears to have been a response to overwhelming opposition to the bill from many quarters. Read more »

The Constitution Project has released a new report, “Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy” (Project pdf; archive pdf), calling on Congress to include strong privacy protections in any cybersecurity legislation it adopts. The report is “endorsed by legal and policy experts (including former federal judges and prosecutors, retired military and intelligence officers, and law school professors) from across the ideological spectrum,” according to a press release.

From the report’s introduction:

It is important that our nation develop and operate cybersecurity programs and policies to reduce or eliminate these vulnerabilities. These programs, however, pose a potential threat to Americans’ privacy rights and civil liberties. As proposals have arisen that would enable the federal government to move toward monitoring all information transferred over private networks, individuals face the risk of being subjected to the equivalent of a perpetual “wiretap” on their private communications and web browsing behavior. Moreover, the debate regarding cybersecurity has been hampered by excessive secrecy surrounding the true nature and scope of the threat and the best mechanisms for protecting against it.

The report details items that could substantially affect individual privacy rights and civil liberties, cybersecurity programs such as Einstein (a Bush-era pilot program, continued under Obama, that seeks to have private telecommunications companies route the Internet traffic of civilian government agencies through hardware and software that would search for and block malicious computer codes; see more here and here) and legislation such as S. 413, the Cybersecurity and Internet Freedom Act of 2011, which would allow the executive branch to use a “kill switch” to limit Internet traffic in an emergency.

The report also lists recommendations on how to protect privacy rights and civil liberties in cybersecurity programs, including:  Read more »