There has been an ongoing discussion about how privacy rights can be eroded because laws do not anticipate changing technology. The most prominent example is the Electronic Communications Privacy Act, which was passed in 1986 and remains mired in the technology of that time, which did not include cloud computing, location tracking via always-on mobile devices and other current technology that can reveal our most personal information. (The World Wide Web was invented three years later, in 1989.)

While ECPA includes protection for email and voicemail communications, the 180-day rule is archaic as applied to how the technology is used today. (The rule is: If the email or voicemail message is unopened and has been in storage for 180 days or less, the government must obtain a search warrant. If the message is opened or has been stored unopened for more than 180 days, the government can access your message via a special court order or subpoena.) Thirty-two years ago, people had to download their email to their computers; the download would trigger an automatic deletion of the content from the provider’s servers. The government could not subpoena an Internet Service Provider (ISP) for your email because it did not have them in 1986. Now, copies of your private email remain stored in the cloud for years by third-party service providers (Google, Facebook, Dropbox, etc.)

Privacy and civil liberty advocates have been trying for years to update ECPA. Last year, the U.S. House passed the Email Privacy Act, which would codify the rule set out in 2008’s Sixth Circuit case Warshak v. United States: The government must obtain a warrant before they could seek to compel an ISP or other service providers to hand over a person’s private messages. This year, the Email Privacy Act is part of the House version of the National Defense Authorization Act, a must-pass bill. But the Senate has its own version of the NDAA and it’s unknown whether the privacy legislation will be part of it. Read more »

Two Florida detectives tried to use a dead man’s fingerprints to unlock his phone, the Tampa Bay Times reported, and that act raised privacy questions.

Linus F. Phillip “was shot and killed [by a Largo, Fla., police officer] March 23 at a Wawa gas station after police said he tried to drive away when an officer was about to search him,” the Times reported. Later, two detectives came to the Sylvan Abbey Funeral Home in Clearwater with Phillip’s phone, according to Phillip’s fiancee, Victoria Armstrong. “They were taken to Phillip’s corpse. Then, they tried to unlock the phone by holding the body’s hands up to the phone’s fingerprint sensor,” the Times reported.

Phillip’s fiancee is upset. She was not notified that the detectives would be coming to the funeral home, and the police did not get a warrant for their actions.

Although the detectives’ actions have been criticized as unethical, they are legal because dead people have fewer rights than the living, especially concerning privacy and search and seizure. The courts have split on whether living defendants can be forced to use biometrics such as fingerprints or facial scans to unlock their mobile devices. (Another difference from the Phillips case is that these court cases involved warrants.) Read more »

A couple of years ago, we discussed the increasing use license-plate-recognition camera technology and the possible privacy, civil liberty and security implications about the surveillance tech used to gather and record information on drivers’ movements. At the time, we noted that license-plate-reader technology (also called automated license plate readers, ALPRs), like other surveillance systems, has the ability to create a profile of an individual using personal, possibly sensitive data. Now, the technology is in even more jurisdictions nationwide, and the privacy questions remain.

Two examples of the proliferation of the license-plate-reader technology are in Rhode Island and Tennessee. In Rhode Island, state legislators are considering HB 5531, “An Act Relating to Motor and Other Vehicles — Electronic Confirmation and Compliance System,” which would create a state-wide license-plate-reader network to identify and fine uninsured drivers. The chief sponsor is Rep. Robert Jacquard (D), who “said he has made a number of changes to address fears of growing state surveillance and concerns the cameras could be used to expand highway tolling,” reports the Providence Journal.

The ACLU of Rhode Island testified (pdf) against the bill, noting “this legislation would nevertheless facilitate the capture and storage of real time location information on every Rhode Islander on the road, with no guidance as to how this information is to be used, at the benefit of a third-party corporation.” ACLU-RI wants the state to “implement clear and specific restrictions on the use of this technology, particularly by law enforcement” and notes such restrictions are included in HB 5989, whose chief sponsor is Rep. John G. Edwards (D). Read more »

People use a lot of services and devices to transmit and retain sensitive personal information. A person could use daily: a work computer, a personal computer, multiple email addresses, a work cellphone, a personal cellphone, an e-reader or tablet, a fitness tracker or smart watch, and an Artificial Intelligence assistant (Amazon’s Echo, Apple’s Siri, Google’s Assistant, or Microsoft’s Cortana). The data retained or transmitted on these services and devices could include sensitive medical or other information, personal photos, financial data, and more.

There’s also the issue of the collection of information that could lead to other data being learned. For example, I wrote recently about health-app data and the surprising results of scrutinizing it. A man was alarmed by his wife’s heart rate data, as collected by her Fitbit, and asked others for assistance analyzing it. One theory: She could be pregnant. Did you know that heart-rate changes could signal a pregnancy?

Currently, there’s ongoing controversy concerning the data possibly collected by an Amazon Echo. The Washington Post explains, “The Echo is equipped with seven microphones and responds to a ‘wake word,’ most commonly ‘Alexa.’ When it detects the wake word, it begins streaming audio to the cloud, including a fraction of a second of audio before the wake word, according to the Amazon website. A recording and transcription of the audio is logged and stored in the Amazon Alexa app and must be manually deleted later.” Arkansas police have served a warrant to Amazon, as they seek information recorded by a suspect’s Echo. Amazon has refused to comply with the warrant.  Read more »

The Stingray surveillance technology, also called cell-site simulator technology, can gather a significant amount of personal data from individuals’ cellphones. A recent federal case in New York and a new law in Illinois aim to curtail the warrantless use of Stingrays.

The technology simulates a cellphone tower so that nearby mobile devices will connect to it and reveal sensitive personal data, such as their location, text messages, voice calls, and other information. The Stingray surveillance technology vacuums information from every cellphone within its range, so innocent people’s private data are gathered, as well. It is a dragnet that can capture hundreds of innocent people, rather than just the suspect targeted.

As I have discussed before, law enforcement officials are using this technology in secret. Documents obtained by the ACLU showed that the U.S. Marshals Service directed Florida police to hide the use of Stingray surveillance technology from judges, which meant the police lied in court documents. Sarasota police Sgt. Kenneth Castro sent an e-mail in April 2009 to colleagues at the North Port (Florida) Police Department: “In reports or depositions we simply refer to the assistance as ‘received information from a confidential source regarding the location of the suspect.’” A recent San Diego Union-Tribune investigation showed that local police are using the surveillance technology in routine investigations – not ones involving terrorism or national security.

Now, a federal judge in New York has thrown out Stingray evidence gathered without a warrant. The case is United States v. Lambis (pdf) in the Southern District of New York. Without a warrant, the Drug Enforcement Administration used a powerful cell-site simulator to determine the location of a cellphone was in Raymond Lambis’s home. Agents then searched his home and found drugs and drug paraphernalia. Read more »

Lots of people use personal health devices, such as Fitbits, or mobile health or wellness apps (there are a variety offered through Apple’s and Google’s app stores). There are important privacy and security questions about the devices and apps, because the data that they can gather can be sensitive — disease status, medication usage, glucose levels, fertility data, or location information as the devices track your every step on the way to your 10,000 steps-per-day goal. And the medical diagnoses drawn from such information can surprise people, especially the individuals using the apps and devices.

For example, one man was concerned after reviewing his wife’s Fitbit data. He “noticed her heart rate was well above normal.” He thought the device might be malfunctioning, so he posted the data on message-board site Reddit and asked for analyses. One person theorized that his wife would be pregnant. The couple made a doctor’s appointment and confirmed the pregnancy.

This case illustrates the sensitive medical data gathered by personal medical devices and apps that a person might not even realize is possible. Did you know that heart-rate changes could signal a pregnancy?

And this isn’t the first time that sensitive information of Fitbit users has been inadvertently revealed. Five years ago, there was an uproar over Fitbit’s privacy settings when people who were logging their sexual activity as a form of exercise learned that the data was showing up in Google searches. Read more »