On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.

Since the government’s respective plans became public, the new bill has drawn widespread criticism in Germany. First, the content of the new provisions is highly controversial:

  • Compared to most other countries (including the U.S.), where such measures are not permitted, the measures to be introduced by the new law would significantly lower the German standard of protection of individuals’ privacy against governmental access.
  • In 2008, the German Federal Constitutional Court introduced a new fundamental right aimed at protecting end user devices against access and tampering by the authorities. In its decision, the court also set a high level of safeguards that were meant to prevent intrusion into an individual’s private life. Even though the new law also generally contains such safeguards, it is likely that it will be found to violate privacy rights and thus be declared void if brought before the Court.
  • Authorities have to rely on security loopholes or designated backdoors to hack into end user devices – which is diametrically opposed to tech companies’ aim of making their products as safe as possible.

Second, the way the bill was rushed through Parliament was subject to heavy criticism. Ultimately, the governing parties managed to push wide-ranging surveillance powers through Parliament in just a few days by burying these new provisions under seemingly insignificant procedural amendments on short notice. Former Federal Data Protection Commissioner Peter Schaar issued a statement labeling this procedure “reckless” given the grave implications the new law would have for the individual freedoms of the people.

The issue of governmental access to end user devices remains a very hot topic globally, creating complicated (legal) issues between technology companies and law enforcement.

The new law will come into force immediately once it passes the Federal Council (Bundesrat) and after its publication in the Federal Gazette.

Facebook’s four-year battle on behalf of its users, seeking to quash 381 warrants obtained by the New York County District Attorney’s Office, has come to a close. The decision of the New York Court of Appeals—which is New York’s highest court—leaves Facebook users exposed to wide-ranging and largely unchecked inquiries by New York criminal prosecutors into their Facebook accounts.

The story begins in July 2013, when the New York Supreme Court—which is the trial court in New York—issued 381 warrants arising out of the district attorney’s (DA) application for warrants under the Stored Communications Act (SCA). The DA was investigating an alleged Social Security Disability fraud scheme.

The DA’s request was extraordinarily broad. The warrants functionally amounted to a request for 381 users’ entire Facebook histories. The warrants compelled Facebook to produce not only any and all text, photos or videos a user had shared with his or her limited universe of friends, but also any private messages exchanged between the user and another individual (who could have been a spouse, doctor, religious figure or attorney) as well as information the user had chosen to no longer share with anyone, such as a previous email address, a deleted friend or a hidden post, and information the user had never intended to share with anyone, such as his or her searches and location.

The warrants also compelled Facebook to produce content shared by users who were not named in the 381 warrants, and may not even have known anyone named in the 381 warrants, but who had the misfortune of posting on the timelines of those users, uploading photos of those users, or simply belonging to any one of the groups with which a named user was affiliated. At least several of the affected users were high school students who were highly unlikely to have been involved in a Social Security Disability fraud scheme. The issuing court also expressly prohibited Facebook from disclosing the existence or execution of the warrants.

While Facebook receives many such requests from law enforcement each year and often provides information in response, Facebook strongly objected to the wide-ranging requests in this case.

Facebook moved to quash the warrants on the ground that they were overly broad, but the New York Supreme Court denied the motion, finding that Facebook did not have standing to assert any privacy or Fourth Amendment rights on behalf of its users. Facebook also challenged the nondisclosure provisions of the warrants, but again the court sided with the DA, reasoning that disclosure of the warrants could jeopardize the DA’s ongoing investigation.

The intermediate appellate court dismissed Facebook’s appeal. The court explained that the orders from the lower court denying Facebook’s motion to quash were unappealable because, under New York law, there is no authority permitting review of interlocutory orders issued in criminal proceedings.

Facebook took the fight all the way to the New York Court of Appeals. Facebook argued that an order denying a motion to quash an SCA warrant should be treated like an appealable order denying a motion to quash a subpoena, rather than like an unappealable order denying a motion to quash a traditional warrant. While a traditional search warrant authorizes law enforcement officials to enter, search and seize property, an SCA warrant, like a subpoena, requires the target of the warrant to compile and turn over its own digital data.

On April 4, 2017, Facebook lost that fight when New York’s highest court ruled that it does not have authority to hear appeals from motions to quash search warrants issued under the SCA.

In a 5-1 decision, the Court of Appeals concluded that, despite the similarities between the manner of responding to SCA warrants and the manner of responding to subpoenas, an SCA warrant is a warrant, not a subpoena. As with traditional warrants, SCA warrants are only issued in criminal proceedings to a government entity that has supported its request for a warrant with probable cause. The court explained that the difference between execution of traditional warrants and SCA warrants is due to “the nature of the material sought”—it “ensures efficiency and minimizes intrusion” for a service provider to search and compile its own digital information rather than for law enforcement to conduct the search. Accordingly, the Court of Appeals found that the order denying Facebook’s motion to quash was not appealable.

Further, the Court of Appeals suggested that Facebook may not have had a right to bring a motion to quash in the first place. For purposes of this case, the Court of Appeals assumed, without deciding, that a motion to quash an SCA warrant was proper. However, the court noted that the SCA discusses warrants, subpoenas and court orders requiring disclosure of information separately, and only expressly provides for a motion to quash court orders.

The Court of Appeals did express some sympathy for Facebook’s concerns regarding the privacy of its users. At the outset, the court stated that “[t]his case undoubtedly implicates novel and important substantive issues regarding the constitutional rights of privacy and freedom from unreasonable search and seizures,” and that it was “tempting for the court to address those issues.” The court also noted that “Facebook’s concerns, as a third party, about overbroad SCA warrants may not be baseless.”

Notwithstanding its expressed concerns, and over a strenuous dissent from Judge Wilson, the New York Court of Appeals has provided criminal prosecutors wide-ranging investigative powers without providing Internet service providers an ability to obtain appellate review. With New York’s high court having spoken, the online industry’s focus is likely to shift toward a legislative fix that will promote users’ privacy interests and limit overreaching SCA warrants.

*        *       *

For other Socially Aware posts addressing user data and the Stored Communications Act, please see the following: Google Ordered to Comply with Warrant for Foreign-Stored User Data; Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach; and We’ve Come for Your Tweets: Twitter to Appeal Denial of Its Motion To Quash District Attorney’s Subpoena.


The global WannaCry ransomware attack should be a wake-up call for all companies about the threat ransomware poses. While WannaCry was one of the first highly publicized attacks in which ransomware was weaponized and used against numerous companies at once, there will undoubtedly be future attacks. Companies can take proactive steps to reduce their chances of being hit by the next ransomware attack, and our team is working with companies around the world to help them be more resilient in light of these evolving threats.

Here are some key steps you can take to help your company protect itself from the next attack:

  1. Make sure software patches are routinely applied.
  2. If possible, only use supported operating systems and other software.
  3. Utilize antimalware and antivirus software tools and services.
  4. Back up your critical data.
  5. Train your employees on how to spot phishing emails.
  6. Create a cross-functional incident response plan.
  7. Practice responding to a ransomware attack in a tabletop exercise so you can hit the ground running when this type of event occurs.
  8. Establish or enhance relationships with law enforcement and other critical partners.

In addition, we’ve compiled several resources to help you prepare for and respond to a ransomware incident:

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially Aware contributors and Morrison Foerster privacy & data security attorneys Lokke Moerel and Marian A. Waldmann Agarwal for a complimentary, practical webinar explaining where you should be in your efforts to meet the May 2018 compliance deadline, where you need to be in a year, and how to get there.

Lokke and Marian will pay particularly close attention to the aspects of the GDPR that will have the greatest impact on your company’s operations:

  • How to best implement the GDPR’s extensive documentation requirements;
  • How the right to data portability and the individual’s right to be forgotten (RTBF) will impact your business; and
  • How vendors are implementing their new obligations under the GDPR and how vendor contracts will need to evolve to comply with GDPR requirements.

Register for the Data Protection Masterclass here.

The U.S. Department of Justice (DOJ) recently secured a notable victory against Google in a dispute over the enforceability of a U.S. search warrant seeking access to foreign-stored account data.

The April 19 ruling—from Magistrate Judge Beeler in the U.S. District Court for the Northern District of California—is the latest sign that DOJ is continuing to rely on the Stored Communications Act (SCA) to seek overseas account data even after the Department’s high-profile defeat in the Second Circuit’s ruling in the Microsoft case.

And the opinion suggests that DOJ’s litigation strategy may be working.

The dispute arose after DOJ obtained a search warrant last year under the SCA directing Google to provide information related to specified Google user accounts. Google withheld some of the requested information and challenged the request. Google explained that it relies on algorithms to move user data around the world automatically to aid in network efficiency. Invoking the Second Circuit’s Microsoft ruling, which rejected DOJ’s efforts to obtain content stored on Microsoft servers in Ireland, Google argued that some of the requested data was stored exclusively overseas and therefore beyond the purview of an SCA warrant. Continue Reading Court Orders Google to Turn Over Foreign-Stored Data

The latest issue of our Socially Aware newsletter is now available here.

In this edition, we explore the threat to U.S. jobs posed by rapid advances in emerging technologies; we examine a Federal Trade Commission report on how companies engaging in cross-device tracking can stay on the right side of the law; we take a look at a Second Circuit opinion that fleshes out the “repeat infringer” requirement online service providers must fulfill to qualify for the Digital Millennium Copyright Act’s safe harbors; we discuss a state court decision holding that Section 230 of the Communications Decency Act immunizes Snapchat from liability for a car wreck that was allegedly caused by the app’s “speed filter” feature; we describe a recent decision by the District Court of the Hague confirming that an app provider could be subject to the privacy laws of a country in the European Union merely by making its app available on mobile phones in that country; and we review a federal district court order requiring Google to comply with search warrants for foreign stored user data.

All this—plus an infographic illustrating how emerging technology will threaten U.S. jobs.

Read our newsletter.

Twitter is suing the Department of Homeland Security in an attempt to void a summons demanding records that would identify the creator of an anti-Trump Twitter account.

Facebook has joined the fight against the nonconsensual dissemination of sexually explicit photos online—content known as “revenge porn”—by having specially trained employees review images flagged by users and using photo-matching technologies to help stop revenge porn images from being shared on the company’s apps and platforms.

Amid its own revenge porn scandal, the U.S. Marine Corps has expanded its social media policy to clarify how military code can be used to prosecute members’ offensive or disrespectful online activities.

A Minnesota judge has ordered Google to disclose all searches for the name of the victim of a wire-fraud crime worth less than $30,000.

Scientists are studying the use of emoji in human interactions, marketing campaigns and business transactions. Here at Socially Aware we’ve taken a look at the difficulty that courts have had in evaluating the meaning of emoji in connection with contract, tort and other legal claims.

Did the White House’s social media director violate the Hatch Act with a tweet?

In the interest of maintaining big-spending advertisers’ business, Google is trying to teach computers the nuances of what makes content objectionable.

The upcoming desktop version of the popular mobile dating app Tinder, Tinder Online, prompts users to talk more and swipe less.

One jet-setting couple with a combined three million Instagram followers is earning between $3,000 and $9,000 per post.

The New York Times’s Brian Chen walks readers through some of the most worthwhile apps and tech gadgets in the pet-care category.

If your company collects information regarding consumers through Internet-connected devices, you will want to take note of the Federal Trade Commission’s (FTC) recent privacy-related settlement (brought in conjunction with the New Jersey Attorney General) with smart TV manufacturer Vizio, Inc. The settlement is significant for four reasons:

  • The FTC reinforces the position it has taken in other actions that the collection and use of information in a way that would surprise the consumer requires just-in-time notice and choice in order to avoid a charge of deception and/or unfairness under Section 5 of the FTC Act.
  • The FTC takes the position that television viewing activity constitutes sensitive data. This marks a departure from its approach of limiting sensitive data to information that, for example, can facilitate identity theft, precisely locate an individual, is collected online from young children or relates to matters generally considered delicate (such as health information).
  • The settlement includes a payment of $1.5 million to the FTC (as well as payment of civil penalties to New Jersey), but the legal basis for the FTC payment is not stated. This could suggest that the FTC will more aggressively seek to obtain injunctive monetary relief in Section 5 cases.
  • Acting Chairwoman Maureen Ohlhausen explicitly noted in a concurring statement her skepticism regarding both the allegation that TV viewing data is “sensitive” and that the FTC’s complaint adequately established that the practices at issue constitute “substantial injury” under the unfairness prong of Section 5.

Leaving aside what the chairwoman’s concurrence may portend for future enforcement efforts, the FTC again seems to be using allegedly bad facts about privacy practices to push the envelope of its authority. Accordingly, with the Internet of Things boom fueling a dramatic increase in the number of Internet-connected devices, companies that either collect information via such devices or make use of such collected information should consider the implications of this enforcement action.

Continue Reading Watch Out: The Federal Trade Commission Continues to Watch the (Alleged) Watchers


In a major development for cloud and other data storage providers, and further complicating the legal landscape for the cross-border handling of data, a Federal Magistrate Judge in the Eastern District of Pennsylvania ruled for the Department of Justice and ordered Google, Inc., to comply with two search warrants for foreign-stored user data. The order was issued on February 3, 2017 pursuant to the Stored Communications Act (SCA), and the court’s reasoning rested heavily on its statutory analysis of the SCA. The ruling is a marked departure from a recent, high-profile Second Circuit decision holding that Microsoft could refuse to comply with a similar court order for user data stored overseas.

The SCA regulates how service providers like Google and Microsoft who store user data can disclose user information. The Magistrate Judge issued two warrants under the SCA for emails sent from Google users in the United States to recipients in the United States. Google refused to fully comply, invoking Microsoft, and the Government moved to compel. In its briefing, Google argued that the SCA can only reach data stored in the United States and that, because Google constantly shuffles “shards” of incomplete user data between its servers across the world, Google could never know for certain what information is stored domestically and what is stored overseas. Therefore, Google argued, the data sought under the warrants was beyond the reach of the SCA. Continue Reading Google Ordered to Comply with Warrant for Foreign-Stored User Data

Can the mere offering of a mobile app subject the provider of such app to the privacy laws of countries in the European Union (EU)—even if the provider does not have any establishments or presence in the EU? The answer from the District Court of The Hague to that question is yes. The court confirmed on November 22, 2016, that app providers are subject to the Dutch Privacy Act by virtue of the mere offering of an app that is available on phones of users in the Netherlands, even if they don’t have an establishment or employees there.

Context. EU privacy laws generally apply on the basis of two triggers: (i) if a company has a physical presence in the EU (in the form of an establishment or office or otherwise) and that physical presence is involved in the collection or other handling of personal information; or (ii) if a company doesn’t have a physical presence but makes use of equipment and means located in the EU to handle personal information.

Continue Reading The Hague District Court’s WhatsApp Decision Creates Concerns for Mobile App Developers