My Troutman Sanders colleagues have written before on the continuing judicial wrangling over whether GPS tracking devices, as well as location data maintained by wireless telecom providers, require a warrant before search and seizure by the government. Last July, a New York state court ruled that a government employer did not need a warrant to attach a GPS device to an employee’s car and monitor his movements continuously for a month, contradicting an earlier decision by the New Jersey Supreme Court. More recently, the U.S. Court of Appeals for the Third Circuit held — after a thorough review of precedent dating all the way back to 1981 — that law enforcement agents must indeed first obtain a warrant based on probable cause to attach a GPS device to a criminal suspect’s vehicle.
Cases dealing with this issue merit watching because they represent the “front lines” of the intersection between personal privacy and technological capability. The Supreme Court in United States v. Jones, 131 S. Ct. 3064 (2011), decided that GPS tracking generally requires a warrant, but left open the more important question whether warrantless use of GPS devices would be “reasonable — and thus lawful — under the Fourth Amendment where officers have reasonable suspicion, and indeed probable cause,” to execute such searches. Meanwhile, a divided Fifth Circuit Court ruled in 2013 that the government may compel a wireless company to turn over 60-days worth of cell phone location data without establishing probable cause, while just last week the Massachusetts Supreme Judicial Court held that people have a reasonable expectation of privacy in their phones and thus, under the state constitution, law enforcement needs a warrant before obtaining location data from a suspect’s wireless provider.
So what does all this mean for the business community? Although law enforcement and the rather esoteric realm of constitutional law has been at the front lines of GPS privacy, there are a number of developments indicating that location privacy is also an important business issue:
First, the Federal Trade Commission — which functions as the de facto privacy regulator in the United States — has launched an inquiry into GPS tracking with a seminar convened on February 19 in Washington, D.C. This followed an FTC staff report last year, titled Mobile Privacy Disclosures: Building Trust Through Transparency, which “recommended” that companies consider offering a Do Not Track (DNT) mechanism for smartphone users among other measures to protect location privacy. Since the FTC has authority over unfair trade practices, including privacy, in almost every industry other than telecommunications, this initiative portends a risk of administrative sanction for private businesses not offering consumer choice as part of location-based services.
Second, HTC and Samsung smartphones come pre-loaded with software from the company Carrier IQ. More than 100 lawsuits filed since 2011 in federal court claim the phones unlawfully track the keystrokes of text messages and Internet searches. While the company maintains that the data are collected for customer support and to help troubleshoot network problems, it has become embroiled in litigation despite serving only as a technology vendor to other, far larger firms. (Not to leave them out, both Microsoft and Apple have also been sued over the location tracking features of their phones.) The lesson of Carrier IQ is that businesses are at risk in the GPS space even where they are not consumer-facing enterprises.
Third, a number of start-ups (Turnstyle, RetailNext, Nomi, shopkick, etc.) offer brick-and-mortar retailers the ability to use indoor location sensors and security video feeds to track movements of shoppers, recreating in the retail realm the same in-depth data on customer behavior that online merchants have long collected. Some of these firms follow best-practices by obtaining explicit opt-in for location information sharing. But the potential for adverse consumer reaction, and class action litigation, remains high ever since Nordstroms was caught in a PR whirlwind in July and unilaterally discontinued its in-store location program after notifying shoppers they were being tracked.
Legal maneuvering can, at least for now, offset some of these risks. Under the current rules governing consumer class actions, several courts have decreed that privacy injury is insufficiently direct and substantial economically to support standing or to qualify for class action certification in federal court. For instance, in a case challenging a mobile app’s collection of geo-location data without consent, Goodman v. HTC America, Inc., the Western District of Washington held that the putative class members had not sufficiently plead injury to have standing. The court accepted as cognizable injuries overpayment for phones (because the plaintiffs would have paid less if they knew their location was to be collected as alleged) and diminution in value of the phones because of reduced battery life caused by the collection of geo-location data. Still, the court concluded that the “assertion that defendants misappropriated their personal information is not a sufficiently particularized injury to support [plaintiffs’] standing.” Yet since this opinion, and others from similar cases, holds out the possibility that identity theft or other financial harm may in the future result from insecure information collection, the standing defense appears to be time-limited.
The 4th Amendment protects people only from overreaching by the government. That may have led some in the business community to conclude prematurely that GPS and location tracking are issues only of concern to hackers and criminal enterprises. As these four developments show, however, location privacy is a serious business issue too.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.
People have been talking, and pontificating, about a coming “Internet of Things” since 1999. The idea is that the many sensors, actuators and digital data recorders in the environment around us — like the electronic control units (ECUs) in modern automobiles — will be uniquely identified and connected via IP to each other and to the world. This would allow instantaneous supply chain fulfillment, green initiatives like demand-side management and smart refrigerators, as well as simply cool stuff that puts remotely programming one’s DVR from a smartphone app to shame. As McKinsey & Co. noted in 2010:
The physical world itself is becoming a type of information system… When objects can both sense the environment and communicate, they become tools for understanding complexity and responding to it swiftly. What’s revolutionary in all this is that these physical information systems … work largely without human intervention.
So what’s going on? Two things. The obvious one is that more than a decade later (and despite the fact that by 2008 there were already more “things” connected to the Internet than people in the world) we are still not “there” yet. Refrigerators cannot detect when the last soda can is used, let alone order more autonomously; HVAC systems largely cannot interact with electricity genitors in real time to consume more energy when rates are lower, and vice-versa; and suitcases cannot communicate with airport luggage systems to tell the machines onto which flight they should be loaded (except with barcode readers). Partially, that’s because technologists frequently overstate adoption projections for new networks by 10 years or more. Less obvious is that there’s been a quiet push in the European Union (EU) to regulate the IoT even before it is fully gestated and born.
A European Commission “consultancy” on the Internet of Things was launched in 2008. By 2009 the EU had already issued an Action Plan for Europe for the IoT, which concluded:
Although IoT will help to address certain problems, it will usher in its own set of challenges, some directly affecting individuals. For example, some applications may be closely interlinked with critical infrastructures such as the power supply while others will handle information related to an individual’s whereabouts. Simply leaving the development of IoT to the private sector, and possibly to other world regions, is not a sensible option in view of the deep societal changes that IoT will bring about.
As a result, libertarian business groups such as the European-American Business Council and TechAmerica Europe have this summer come out in opposition to the EU’s approach, pressing for industry-led standards and application of existing measures, like the existing EU data protection rules (which already exceed the United States’ by a wide margin), “in lieu of a new regulatory structure.”
This is a scary prospect. That the EU would even consider crafting a regulatory scheme now for a technology revolution that realistically remains years away, requires immense levels of cooperation among industries, and holds the potential to transform business and life as we know it, is remarkable. Remarkable because such a philosophy is so alien to American economic values and to the spirit of innovation and entrepreneurship that launched the commercial Internet and Web 2.0 revolutions.
This article is not the place to debate the conflicts, trade-offs and differing views of government animating current technology policy issues like net neutrality, privacy and cybersecurity, copyright and the like. The reality though, is that issues such as those are generally being assessed within a spectrum of solutions, worldwide, which reflect known risks and benefits, some proposals of course being more interventionist than others. But that is far different from allowing a single bureaucratic monolith to dictate the shape of an industry and technology that remains embryonic. How is it even possible to develop fair rules for the IoT when no one has any real idea what or when it will be?
More than 15 years ago, this writer worked for one of his corporate clients on a legislative amendment offered by Rep. Anna Eshoo (D-Cal.) to the Telecommunications Act of 1996. The so-called “Eshoo Amendment,” designed to limit the role of the Federal Communications Commission in mandating standards for emerging, competitive digital technologies like home automation, passed. The irony, of course, is that at the time Congresswoman Eshoo analogized home automation to a future world like that of The Jetsons. Now 16 years down the road, we are barely closer to George, Elroy and their flying cars, robotic maids and the like than we were then.
But that ’96 effort illustrated a fundamental difference between the United States and the European Union about the proper role of government with respect to innovation. The EU subsidizes research, sets agendas and looks to intervene in the marketplace in order to establish rules of the road even before new industries are launched. The US sits back, lets the private sector innovate, and generally intervenes only when there has been a “market failure.” That’s a philosophy largely embraced by both major American parties regardless of the increasingly polarized political landscape in Washington, DC.
This basic difference in world views between the home of the Internet and European regulators — as true today as in 1996, if not more so — could doom the Internet of Things. So if you are a fan of future shock, then it’s clear you should not react to the EU’s efforts to shape the IoT with a viva la difference attitude. The difference is dangerous to innovation and especially dangerous to disruptive innovation. It’s no wonder that few real digital innovations have come from Europe. Don’t expect many in the future unless the EU finds a way to decentralize and privatize its bureaucratic tendency towards aggrandizing government in the face of what IoT experts anticipate will be “a small avalanche of disruptive innovations.”
Note: Originally prepared for and reposted with permission of the Disruptive Competition Project.
I’m not sure I am altogether comfortable with this technology, yet.
Posted via web from glenn’s posterous
Yesterday the U.S. House of Representatives voted to restrict TSA from conducting what have become known as “virtual strip-searches.” House Restricts “Strip-Search Machines” [WashingtonWatch.com]. The bill provides, among other things, that:
Whole-body imaging technology may not be used as the sole or primary method of screening a passenger under this section. Whole-body imaging technology may not be used to screen a passenger under this section unless another method of screening, such as metal detection, demonstrates cause for preventing such passenger from boarding an aircraft.
Although promoted as less intrusive than x-rays, explosive sniffers and the like, this new technology presents a significant threat to personal privacy. As the sponsor (Rep. Jason Chaffetz, R-Utah) said, “Nobody needs to see my wife and kids naked to secure an airplane.” My colleague Chris Calabrese of the ACLU makes it graphically clear:
these machines produce strikingly graphic images of passengers’ bodies when they are utilized as part of the airport screening process. Those images reveal not just graphic images of “naughty parts,” but also intimate medical details like colostomy bags.
"Privacy Screen" Filter
Privacy advocacy groups are, for obvious reasons, alarmed. It is very much like the “Tunnel of Truth” hypothesized in the 1990 sci-fi film Total Recall. That was scary indeed! Not unsurprisingly, on May 31, a coalition of advocacy groups including the ACLU, the Electronic Privacy Information Center, Gun Owners of America, and the Consumer Federation of America sent a letter to Homeland Security Secretary Janet Napolitano asking her to “suspend the program until the privacy and security risks are fully evaluated.”
That will never happen. It its zeal to “protect” Americans traveling by air, TSA has turned the check-in experience into the U.S. equivalent of the Star Chamber, where ordinary citizens are presumed to be dangerous just by, for instance, wearing shoes — now routinely x-rayed separately at every U.S. airport — or putting liquids into carry-on luggage. The millimeter wave and related strip-search technologies ratchet this up yet another level. Use of a “privacy screen” to cover intimate areas is hardly an answer.
Tunnel of Truth (1990)
In my view, TSA is out of control. Yes, there were security lapses leading to 9/11, but they did not arise from business or vacation travelers and, with a bit more diligence (like following up on middle eastern males taking flying lessons but rejecting landing practice) the government could target those likeliest to have real terrorist connections. Just as TSA’s “no fly list” was overreaching, so is virtual body searching. We do not need this and we do not need TSA. I say abolish the agency, something with which Jim Harper of the Cato Institute, the premiere libertarian think tank, agrees.
Tom O’Toole at BNA TechLaw writes that Supreme Court nominee Sonya Sotamayor is unlikely to have any substantial influence on the Court’s cyberlaw jurisprudence because there basically is none:
The Supreme Court has never reviewed a case involving the Computer Fraud and Abuse Act.
The Supreme Court has never reviewed a case involving the Electronic Communications Privacy Act.
The Supreme Court has never reviewed a case involving Section 230 of the Communications Decency Act (which gives interactive computer services immunity from most claims arising from the publication of third-party content), though it did consider, and strike down, the prohibitions against indecent online speech contained in another part of the CDA in Reno v. American Civil Liberties Union, 521 U.S. 844 (1997).
The Supreme Court has never reviewed a case involving the CAN-SPAM Act or the Digital Millennium Copyright Act.
The Supreme Court has never reviewed a case involving electronic contracting, jurisdiction arising from online activities, cybersquatting or any other domain name-related dispute.
Aside from Doe v. Chao, a case involving standing to sue the federal government under the Privacy Act, the Supreme Court has never taken a case involving online privacy or security (GLB, COPPA, FTC Act, you name it). If you want to count Bartnicki v. Vopper, go ahead, though I don’t think that obscure decision in any way undermines the point I am trying to make here.
He’s right, but I find that a plus, not a minus. The evolution of this rapidly changing medium really does not need the glacial pace at which the Supreme Court decides issues, and certainly benefits from the pull-and-tug among lower courts to strike the appropriate balances among regulation, civil rights, legislative power, law enforcement and the other technology policy matters affecting the Internet. When the Supreme Court speaks on tech issues — witness the Sony Betamax case from nearly 25 years ago or the Brand X decision from 2005 — it often leaves the law in a more polarized and confused state than before. So IMHO, we don’t need no stinkin’ badges from the Supremes.
In response to what it terms its “customer’s needs,” Cisco will start to embed “lawful interception” capability into its router products. [C|Net News.com] What’s really going on here is that the convergence of packet-switched and circuit-switched networks is accelerating. So the law enforcement community is no longer content to give the Internet and ISPs a free ride when it comes to digital wiretapping, despite the Communications Assistance for Law Enforcement Act (CALEA). Cisco can’t be blamed, since it’s job is to sell products, but this is just another sign that the days of anonimity on the Internet are numbered.
EPIC has released documents obtained under the Freedom of Information Act showing that the government has established a “No Fly List” of suspected terrorists.
Problem is, TSA doesn’t compile very accurate information, so as BusinessWeek Online reports, once you’re on the list it’s impossible to get off. The System That Doesn’t Safeguard Travel [BusinessWeek].