Last week, witnesses before the Senate Judiciary Committee faced much more amicable questions than then-Judge Gorsuch. In a rare moment of bipartisan consensus, Senators on both sides of the aisle agreed to pass legislation by year end. The subject: law enforcement’s ability to collect email evidence under the Electronic Communications Privacy Act (“ECPA”). While electronic communications have changed rapidly, the law protecting consumers’ private data has stood still. ECPA was written when Facebook founder Mark Zuckerberg was two years old. Back then, emails were an up-and-coming technology with no international implications, and storing an email was a costly affair. As the hearing last week underscored, it is time for Congress to take ECPA out of storage and fix it. [Read More]
It is one of the Supreme Court’s most consequential and controversial decisions, and no one should have been surprised that now-Justice Neil Gorsuch was asked about it during his confirmation hearings. In the 1965 case of Griswold v. Connecticut, the Court held unconstitutional a Connecticut statute that prohibited the use of contraceptives, affirming a “right of privacy” that appears nowhere in the Constitution’s text. Justice William O. Douglas’s majority opinion, which speaks of “penumbras, formed by emanations” from non-textual “guarantees that help give [the guarantees in the Bill of Rights] life and substance” has been ridiculed ever since it was issued. Conservativecritics of the Court have long invoked “penumbras” and “emanations” to heap scorn upon the notion that the Constitution protects any rights that are not expressly listed in the Constitution’s text. [Read More]
A recent article in the Wall Street Journal (paywall) points out a legal issue that judges are increasingly facing as they consider class action lawsuits brought against companies that become victims of criminal hacking:
Data breaches have forced judges to wrestle with a new notions of what it means to suffer an injury. Though cyberattacks against companies can cause widespread damage, any harm to customers is often hard to quantify and tough to trace, making it difficult for them to pursue redress in the courts.
In most cases, the economic damage falls on the primary victim of the hacking, i.e., the company whose systems are breached. In addition to any embarassment, the victim must also spend resources to investigate the hacker's entry point, identify the scope of the compromise, and purge the intruder from its systems.
If the hacker actually obtains data about individuals from the victim company, the victim company may also become a target for legal action from a variety of sources, including state attorneys general, the Federal Trade Commission, and class action lawsuits brought by private parties. As the article explains, plaintiffs bringing private cases often have a hard time showing standing and damage. That's because most of the time, there's no clear indication that the hacker used any particular person's information in a way that caused actual damage.
Many of us expected the Supreme Court to clarify whether these kinds of suits can survive in Spokeo, Inc. v. Robinsthis year, but the Court dodged. So there's a good chance that the issue will be coming back up to the high court eventually.
In the “Internet of Everything,” electronic devices are constantly connecting with cell towers, Internet service providers, apps and other devices. The growing use of these devices has created a particular challenge in defining reasonable expectations of privacy in their use, and in identifying appropriate legal tools to control government law enforcement surveillance. Howard W. Cox, an adjunct professor at George Washington University and former federal prosecutor, has written an article examining this issue as it applies to government use of cell-tower simulators, popularly known as StingRay devices. Prof. Cox argues that modern cell phone users cannot reasonably expect privacy in the connectivity data that their devices transmit, and that Congress must define and create any such privacy right.
Writing for the Hoover Institution, Richard A. Epstein comments:
Can the United States government compel Apple to help break into the phone of Syed Rizwan Farook, who, along with his wife Tafsheen Malil, gunned down fourteen innocent people last December at the Inland Regional Center in San Bernardino? That question has sparked fireworks in recent days. The dispute arises because Apple has equipped its new iPhones with encryption settings that erase the data contained on the phone whenever ten false password entries have been made. It was agreed on all sides that only Apple has the technology that might overcome the encryption device. [...]
In dealing with that issue, it is important to note that Farook did not own the phone; his employer did, and it gave consent to the search. This knocked out any Fourth Amendment claim that the government intended to perform some unreasonable search and seizure. The point is true, but also inconsequential, that the legal situation would not materially change if Farook had used his personal password on his very own phone. The Fourth Amendment states, “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Clearly, these requirements were satisfied when the government identified the iPhone to be searched, knowing that its possessor had committed mass murder. One of the tragic gaps in Cook’s letter is that he ignores the strength of the government’s Fourth Amendment case. He also fails to explain why granting the government’s request necessarily involves the compromise of the privacy of millions when only one iPhone is at stake.