current privacy and data issues (for people who care about open data!)

Review of privacy and data issues, by Emily Shaw, National Policy Manager, Sunlight Foundation

Upload: emilydshaw

Post on 16-Jul-2015



4th Amendment + technology = ?

• Riley v. California (2014) – data physically locked on the phone, but what about data reachable from it via the cloud or an electronic communications service?

• Parallel construction and law enforcement use of NSA-collected data

• US v. Jones (2012) – a GPS unit physically attached to a car, but what about tracking techniques that need no installation?

• ACLU study found that 237 of 250 surveyed PDs track cellphones, mostly without warrants

Main 4th Am & data privacy issue areas

1. Collection of new data – what are limits on new surveillance tools?

2. Access to existing data – what are the standards for protection?

1. New Surveillance Tools

• Automated License Plate Readers

• Stingray Tracking Devices

• Aerial surveillance – known and unknown

• Sensor networks

  • Public

  • Public-private

Automatic License Plate Readers (ALPRs)

• Used regularly around the country, some states are restricting

• Where FOIA-able, can be used to track police behavior

• Not just photographing license plates – car occupants are also subjects

Stingray Cellphone Tracking Devices

• Can collect phone ID, numbers dialed and previous location (e.g., last tower)

• Used by at least 48 state and local PDs, but the full scale of adoption is not known (DC, Fairfax and Montgomery County all have them)

• Judges have been unfamiliar with the technology and have authorized its use without realizing what it does

• LE often uses them without explicit authorization, though there has been recent legal pushback

• 10 states now require warrants (Maryland yes, Virginia no)

Aerial surveillance

• 13 states regulate drone use as of end of 2014 session but generally exempt law enforcement. Local law enforcement use of drones is mainly unregulated.

• Vendors such as Persistent Surveillance Systems, whose manned wide-area surveillance aircraft use technology developed for the war in Iraq, have been seeking contracts with local law enforcement.

Sensor systems

• Public sensor systems: New York’s Domain Awareness System, Chicago downtown public sensor array

• Contracted sensor systems: ShotSpotter, persistent sound recording in over 60 US cities (DC among them)

• Public-private connected systems: Oakland’s Domain Awareness Center (now reduced in scope)

What next?

• ACLU keeping track of emerging issues

2. Privacy-based limits on access to existing data

• Government data: 1974 Privacy Act (and the Fair Information Practice principles, FIPs), HIPAA/FERPA, with state variation

• Privately-held data: Electronic Communications Privacy Act

Elements of government data protection

• “Personally Identifiable Information” (PII) or “Protected Health Information” (PHI) protection – e.g., field elimination/transformation

• HIPAA Safe Harbor standard – removal of 18 categories of identifiers

• The 1974 Privacy Act singled out the SSN as protected data at every level of government (federal, state and local)

• The Privacy Act also requires federal agencies to give you access to the data about you held in a “system of records” and to publish “system of records notices” (SORNs); it is also supposed to limit sharing.

• All privacy laws have a number of exceptions

“Notice and Consent” – Fair Information Practices principles

• There must be no personal data record-keeping system whose very existence is secret.

• There must be a way for an individual to find out what information about him is in a record and how it is used.

• There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.

• There must be a way for an individual to correct or amend a record of identifiable information about him.

• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precaution to prevent misuse of the data.

Electronic Communications Privacy Act

• The federal ECPA (1986) requires law enforcement to get a warrant for an individual’s email, unless it has been stored on a third-party server for more than 180 days.

• Under current technological practice, where mail stays on provider servers indefinitely, this leaves most email outside the warrant requirement.

• Federal efforts to reform have not been successful so far. Current efforts: LEADS and ECPA Amendments Acts.

• Digital Due Process Principles created by broad coalition

• Maine and Texas have passed a form of improved ECPA and California, Montana and Maryland currently considering bills

But what about benefits? Privacy and Data-Sharing for Public Good

• Federal laws like HIPAA and FERPA, and a patchwork of varying state laws, regularly limit inter-agency data-sharing

There are two main possibilities.

1. Keep it restricted.

• Share private data within trusted partnerships, using:

  • Exceptions for law enforcement

  • Exceptions for improvement of a public service

  • Exceptions for research to benefit the public

• Legal mechanisms:

  • Memoranda of Understanding

  • Statutory change

• Other important elements:

  • Institutional Review Boards (IRBs)

  • Social trust

2. Take out the restricted parts!

• Aggregation or anonymization

• Always a balance between privacy and data utility, but an evolving area
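The Safe Harbor “field elimination/transformation” mentioned under government data protection and the aggregation/anonymization step above, shown as an added Python example that is not part of the original slides. It applies a handful of Safe Harbor rules to constructed patient records (drop direct identifiers, keep only the year of dates, truncate ZIP codes to three digits or 000 for low-population areas, collapse everyone over 89 into a single 90+ bucket) and then measures what is left with a k-anonymity check over the remaining quasi-identifiers, which is where the privacy/utility balance becomes visible. The record schema, the sample records, the reference date and the LOW_POPULATION_ZIP3 set are assumptions made for the example; the real low-population prefixes must come from current census data.

```python
"""HIPAA Safe Harbor style de-identification plus a k-anonymity check.

Added example, not code from the original slides. The schema, sample
records, reference date and low-population ZIP set are constructed.
"""
from collections import Counter
from datetime import date

# Safe Harbor direct identifiers that this constructed schema actually carries.
# (The full standard lists 18 categories; only the relevant ones are named.)
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "mrn"}

# Fields that survive de-identification but can still narrow down a person.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

# ASSUMPTION: Safe Harbor requires the 3-digit ZIP prefix to become 000 when
# all ZIPs sharing that prefix hold <= 20,000 people. That set must be looked
# up in current census data; this constructed set stands in for the lookup.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Constructed "as of" date for computing ages (the talk's posting date).
REFERENCE_DATE = date(2015, 7, 16)

# Constructed sample records; every value here is made up.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "mrn": "M001", "dob": "1980-03-14",
     "sex": "F", "zip": "21201", "admit_date": "2015-02-01", "diagnosis": "J18.9"},
    {"name": "B. Example", "ssn": "123-45-6790", "mrn": "M002", "dob": "1980-11-02",
     "sex": "F", "zip": "21230", "admit_date": "2015-02-03", "diagnosis": "E11.9"},
    {"name": "C. Example", "ssn": "123-45-6791", "mrn": "M003", "dob": "1975-07-21",
     "sex": "M", "zip": "21202", "admit_date": "2015-02-07", "diagnosis": "I10"},
    {"name": "D. Example", "ssn": "123-45-6792", "mrn": "M004", "dob": "1975-01-30",
     "sex": "M", "zip": "21215", "admit_date": "2015-02-09", "diagnosis": "J18.9"},
    {"name": "E. Example", "ssn": "123-45-6793", "mrn": "M005", "dob": "1920-05-05",
     "sex": "M", "zip": "03601", "admit_date": "2015-02-11", "diagnosis": "I10"},
]


def zip_to_zip3(zip_code):
    """Safe Harbor: keep the first three ZIP digits, or 000 for low-population areas."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(dob, as_of=REFERENCE_DATE):
    """Whole years between an ISO date of birth and the reference date."""
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def birth_year_bucket(dob, as_of=REFERENCE_DATE):
    """Safe Harbor: dates keep only the year, and anyone over 89 is collapsed
    into a single '90+' bucket (the birth year itself would reveal the age)."""
    if age_on(dob, as_of) > 89:
        return "90+"
    return date.fromisoformat(dob).year


def deidentify(record, as_of=REFERENCE_DATE):
    """Return a Safe Harbor style copy of one record. Direct identifiers are
    dropped; ZIP, date of birth and admission date are generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = zip_to_zip3(out.pop("zip"))
    out["birth_year"] = birth_year_bucket(out.pop("dob"), as_of)
    out["admit_year"] = date.fromisoformat(out.pop("admit_date")).year
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS, k=2):
    """Size of the smallest equivalence class over the quasi-identifiers, plus
    the classes that fall below k. A class of size 1 means Safe Harbor removal
    alone still leaves a uniquely re-identifiable row."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    smallest = min(classes.values())
    below_k = sorted((key for key, n in classes.items() if n < k), key=str)
    return smallest, below_k


if __name__ == "__main__":
    released = [deidentify(r) for r in SAMPLE_RECORDS]
    for row in released:
        print(row)
    print("k =", k_anonymity(released))
```

On the constructed data the one patient over 89 in a low-population ZIP area ends up alone in the (000, 90+, M) class even after every Safe Harbor transformation, which is the point of running a k-anonymity check after field removal: the standard tells you which fields to cut, not whether what remains is safe to release as microdata. Suppressing or further generalizing that row (or reporting only aggregates) is the utility cost on the other side of the balance.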

If you like microdata, know your PII

• Rule for open data folks: Know your PII. There are at least 4 kinds:

1. Unintentional PII (legally shouldn’t be there, but it is)

2. Unnecessary PII (doesn’t need to be there, but it is)

3. Necessary PII (needs to be there)

4. Legally-identified information

• Know your rights to legally-identified info. Know to ask for redaction of unnecessary PII. Know to seek better controls for unintentional PII.
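A pre-publication check for the “unintentional” and “unnecessary” PII categories above, as an added Python example that is not from the original slides. It scans a constructed CSV extract for SSN-, email- and phone-shaped values, reports where they sit, and can redact them in place; the SSN check applies the Social Security Administration’s structural rules (area numbers 000, 666 and 900–999 are never issued, nor group 00 or serial 0000) so that nine-digit case numbers are not mistaken for SSNs. The CSV, its column names and the allowed_columns parameter (for fields whose PII is necessary and legally permitted) are constructed for the example.

```python
"""Pre-publication scan for unintentional or unnecessary PII in a CSV extract.

Added example, not from the original slides; the CSV and column names are
constructed.
"""
import csv
import io
import re

# Constructed extract of the kind an agency might post as open data. Row 2 has
# an SSN and an email that should never have been exported; row 3 has a
# nine-digit reference number that merely looks like an SSN.
SAMPLE_CSV = """case_id,filed,notes,contact
987654321,2015-03-02,Complainant states SSN 123-45-6789 was used to open the account,jane.doe@example.org
912345678,2015-03-05,Reference number 000-12-3456 is not a social security number,
934567890,2015-03-09,Call back at (410) 555-0123 after 5pm,
"""

SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)")


def plausible_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor is group 00 or serial 0000. Filters out most look-alike numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_pii(text):
    """Return (kind, matched_text) pairs found in one field."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group(0)))
    for m in PHONE_RE.finditer(text):
        hits.append(("phone", m.group(0)))
    return hits


def scan_csv(csv_text, allowed_columns=frozenset()):
    """Walk every cell; report row (1-based, header is row 1), column, kind
    and value for each hit. allowed_columns is for fields where the PII is
    known, necessary and legally permitted, so it is not reported again."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            if column in allowed_columns or not value:
                continue
            for kind, match in find_pii(value):
                findings.append({"row": row_no, "column": column,
                                 "kind": kind, "value": match})
    return findings


def redact(text):
    """Replace each hit with a labelled placeholder, for the 'unnecessary PII'
    case where the field is useful but the identifier inside it is not."""
    for kind, match in find_pii(text):
        text = text.replace(match, f"[{kind.upper()} REDACTED]")
    return text


if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print(finding)
    print(redact("Complainant states SSN 123-45-6789 was used"))
```

Free-text columns such as notes are where unintentional PII usually hides, so the scanner treats every cell the same way rather than trusting the schema. The plausibility filter is what keeps the output reviewable: without it, every nine-digit case number in the extract would be reported as an SSN.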

The Future! Exciting upcoming surveillance/public access/privacy issues!

• Police body camera data

• Government relationships with third-party shared location data – Google, Waze

• Public service location data – Metrocards, EZ Pass (recent example of Christie’s political use of an opponent’s EZ Pass data.)