Wednesday, May 22, 2013

Persona Parameters in the Age of Reality Stars and YouTube Celebrities


The privacy tort of “persona rights” often manifests as an appropriation issue. Someone has value in their personhood that is wrongfully exploited by another and is the tortfeasor is liable for a violation of privacy. As technology evolves and categories, like “fame”, that were more clearly demarcated in previous decades become muddled, it remains to be answered whether laws be able to adequately morph in order to accommodate society’s changing sensibilities. This post will examine the current law, societal changes, and recent examples of this phenomenon in an effort to paint this landscape in broad strokes. 

Over the last ten years or so, technology has democratized public speaking platforms. In the past, significant resources were needed to gain access to wide audiences. Today, however, the internet and television have made these audiences much more accessible to common people. While many use this opportunity to advocate for social justice or to educate, some have sought to capitalize on their celebrity aspirations. With the increased numbers of reality television stars and YouTube celebrities, it has become harder and harder to ascertain where celebrity ends and popularity begins. It is therefore equally hard to assess whether an internet sensation has the kind of value/property right that persona rights originally aimed to protect. 

This particular privacy action is designed to safeguard the right of the individual to exclusively use his identity for benefit. While the case law on this matter is jurisdiction specific, courts have held that just because you are not a “celebrity” does not mean that your identity has no commercial value. Courts have held that commercial value can lie within a specific group of people even if not within the public at large. Similarly, a defense to a charge of (mis)appropriation of someone’s identity, is a claim that the plaintiff is not a celebrity and therefore has no verifiable worth in their identity. 

The tensions discussed above get to the heart of this post. If you do not need to be a “celebrity”, can a quasi-celebrity count? How large of  a group is necessary in order for there to be commercial value? Is a YouTube following significant? What about those members of reality television casts who enjoy a brief stint on a popular season of survivor? What counts as proof for commercial value? 

Recently, reality television “star” turned business mogul, Kim Kardashian, settled a law suit against Old Navy for allegedly using a lookalike in their ad campaign which violated Kardashian’s publicity rights. While Kim may demand big bank for her stamp of approval on a clothing retailer’s threads, other reality tv stars may not be so highly thought of. Perhaps the best approach to this is to examine whether the misappropriated use either would have earned the plaintiff money if they had used their identity in that way or whether they generally engaged in that kind of commercial use of their identity.    

Wednesday, May 15, 2013

One Step Forward and Two Steps Back: Possible Changes to CISPA and ECPA on the Horizon


So I am not sure if anyone is still checking out the blog at this point, but since I finally have a minute, I thought that I would post the last couple of articles I found before the semester officially ends. The first one is interesting because it covers how portions of CISPA would create corporate immunity for certain acts of information gathering that would, as of now, mean that they could be held responsible for various torts and statutory violations. What is interesting about this, perhaps more so than the unsurprising notion that corporations would want to immunize themselves from liability as much as possible, is the fact that CISPA would use such loosely defined language in order to define “cyber security threats.”
I find it interesting that, with all the debate over ECPA and its antiquated definitions/application, a bill being proposed in 2013 still suffers from many of the same problems. The exemption seems to leave it up to the company to determine what is, or is not, a cyber security threat. Obviously, this version of the bill did not pass, but this seems to be a troubling pattern in recent arguments over bills like CISPA and SOPA, which use broad terms that would sweep in far too much information, which is troubling for propoenents of internet privacy, and would make obtaining any sort of damages against corporations for information based harms even more difficult than they are now. The article can be found here: http://motherboard.vice.com/blog/cispas-immunity-provision-would-allow-corporate-hacking
The second article I am including is one about some of the proposed changes to ECPA. ECPA has been consistently criticized as being antequated and out of date in terms of its application to modern technology and understanding of advances in notions of privacy and communication as far as things like internet and email go. In particular, the Stored Communications Act portion seems particularly out of date insofar as it fails to protect information and methods of communication that are arguably as important today as landlines were twenty years ago (after all, how many of you guys still have landlines?).
This amendment to ECPA would require disclosure by law enforcement when an individuals email has been accessed as a result of a warrant. Though there are two exceptions (national security “gag order,” and when it would tip off a subject) it seems like a step in the right direction for privacy. After all, unlike when the police come to your door to search your house, many people are unaware of not only what data they consistently send out to the world, but also of whether a search has even taken place. This would at least serve to make such searches more visible. The article can be found here: http://www.zdnet.com/plans-to-end-warrantless-email-searches-pass-senate-committee-7000014527/
Anyways, for those of you still reading (hey Professor!) I hope you have a good summer! I hope you find these articles as interesting as I did, and congratulations to the 3L’s among us. 

Undeleted Snapchat Photos – Privacy Scandal, or Ho-Hum?



If you were intrigued by this blog's previous post about Snapchat, you may recall that it described the preferred teenage sexting application (150 Million photos uploaded per day, a few of which may not be sexually explicit or potentially incriminating) as a system that “allows the user to send photos to friends that automatically delete after a specified period of time.” While the post went on to speculate about how the application might leave a “digital trail,” and how this evidence might be discovered for litigation, the presumption seemed to be that the images were, in fact, deleted from both user devices and Snapchat's servers after they had been viewed.

Well, earlier this week, digital forensics firm Decipher Forensics announced its discovery that the photographs are not permanently deleted from users' phones, and that they can be retrieved, at least from Android devices, by anyone who has 'root' access to the phones. Although most users do not intentionally root or jailbreak their phones, this discovery presents a substantial concern for those who do, or whose devices are compromised by malware or other surveillance or forensic tools. The allure of Snapchat is that images sent via the service are supposed to be ephemeral, and the company promotes this as the key advantage of the application, stating: “[t]hey'll have that long to view your message and then it disappears forever.” But that sentence is immediately followed by the disclaimer “We'll let you know if they take a screenshot!” Does this constitute an enforceable promise that the messages will be permanently deleted, or does it plainly disclaim perfect confidentiality by warning users that Snapchat does not guarantee that the images will not be retained by their recipients?

The question is complicated by several factors. First, it is not clear from media reports whether the images are “deleted” by the operating system, as the company suggests they are, or merely renamed with a “.NOMEDIA” file extension that prevents users from accessing the images via the Android user interface. What is clear is that the images are not encrypted, and that they are not securely deleted, or “wiped,” from user devices after they expire. These technical differences reflect a spectrum of meanings of “deleted,” ranging from the least secure, in which a hypothetical application might retain all messages but exclude them from the user interface of the application so that they “disappear” from the user's perspective but remain accessible to digital experts, to the most secure, in which messages are encrypted at the endpoint devices using a nonce or one-time pad, and both the encrypted image data and the keys are securely deleted after a single use.


While there is no perfectly secure solution, surely, enforcement of privacy promises must reflect the common interpretation of those promises, not merely the porous, technical interpretations that service providers might prefer. Snapchat makes it clear that message recipients can “capture” images by taking screenshots while the images are being viewed, but this seems to suggest that it is the only way that the images can be retained, and that Snapchat will notify users if their images are retained in this manner. In fact, the images are easily accessible to anyone with either an advanced understanding of file storage or money to spend on file-retrieval applications and services. While this might not surprise many people in our privacy class, do you think that the company has misled ordinary consumers about the security and confidentiality of messages that they send via the service, or do Snapchat users have ample notice and knowledge of the risks of sending images to third parties? Can a carefully-crafted privacy policy cure any potentially misleading statements made in other, more user-accessible contexts? Do the following screenshots from the Google Play store affect your opinion?


Snapchat application description.


Snapchat users also viewed and installed...

Thursday, May 2, 2013

Privacy in 2031

In case anyone hasn't seen it yet, I thought I would point out this xckd comic:



mouseover: "2031: Google defends the swiveling roof-mounted scanning electron microscopes on its Street View cars, saying they 'don't reveal anything that couldn't be seen by any pedestrian scanning your house with an electron microscope.'" 

I thought this comic was particularly interesting, since in many ways it seems like privacy is a diminishing concern in the United States. This article by CNN questions whether 20 years from now, anyone will care about online privacy at all. Because many of the most popular websites are offered for free and paid through by advertising, the author suggests that within our lifetimes privacy is likely to become a thing of the past. Indeed, a few years ago, Mark Zuckerberg even publicly announced that he believes privacy is no longer a social norm. From that point of view, the proposition that people would object to xkcd's imagined Google Earth of 2031 is questionable.

Still, I'm not convinced that society will let privacy go without a fight. Recently, Senator Jay Rockefeller of West Virginia stated that he will be introducing legislation this year to force advertisers to honor "Do Not Track" requests. Similarly, the White House released a Consumer Privacy Bill of Rights in February of this year. While this document does not have any legal effect at the moment, it is notable because it gives an official voice to privacy advocates, and opens the door for future legislation to prevent abuses of personal information. If nothing else, this document reinforces the importance of the FTC's role in ensuring consumers know how their information will be treated, whether or not privacy remains a social norm.

Sunday, April 28, 2013

How Can a Stingray Track Your Cell Phone?


A stingray is no longer just a flat-bodied fish feared for the poisonous barb in its tail; it is also the name of a technology used by the FBI and other law enforcement agencies to track the location of cell phone users. A cousin to the Triggerfish tracking technology seen on the HBO television program “The Wire,” the Stingray puts out mobile phone signals to nearby cell phones and tricks those phones into thinking it is a cell tower. Based on a summary of the technology from the Wall Street Journal, this technology is useful to law enforcement in two separate ways: a user could have a specific location in mind and use the Stingray to capture data on all the devices being used in that setting, or have a specific device in mind and use the system’s antenna power readings to triangulate that device’s location. According to private vendors of these products, they are also able to obtain not only limited “metadata,” but also content sent to and from the phones, like text messages and call audio.

The Fourth Amendment constitutionality of the Stingray has come into focus in US v. Rigmaiden, a case in Arizona federal District Court featuring a defendant accused of being the ringleader of a $4 million tax fraud operation who was caught, in part, due to law enforcement use of a Stingray. The government had Verizon modify the defendant’s phone (by changing the settings on his “air card”), and then used the Stingray, acting as a fake cell tower, to track the location of the phone. The government has relied on a court order directed to Verizon as fulfilling the requirements of the Fourth Amendment and ECPA in this case. Because the government has conceded that this was an intrusion requiring a warrant, the case now revolves around whether this court order was sufficient to enable use of the Stingray.

The Stingray technology raises some interesting Fourth Amendment questions. If the “content-catching” capability of the device is disabled, is it like a “trap and trace” device used only to capture pen register-type non-content information? While the government conceded the issue in Rigmaiden, it may argue this point in future uses of the Stingray. Based on Jones, I think the government will be hard-pressed to claim that a device that can track a suspect to within two meters and sends signals through protected areas is not an intrusion for Fourth Amendment purposes.

 Another issue with the Stingray is that it captures data pertaining not just to the target, but also to any mobile phone within range that connects to the fake cell tower. The government claims that it deletes third party data not pertinent to the case, but the fact of that data’s collection and possible interference with innocent users’ cell phone service is problematic.

The bigger problem, well illustrated in Rigmaiden, is that the government made allusions to a “mobile tracking equipment” in its affidavit to the court but did not go into the specifics of how the Stingray operated. While these devices have been in use for almost twenty years, they are still relatively unknown and no definitive case law exists that governs their use. Courts need to be informed as to exactly what these devices can and cannot do in order to figure out whether Stingrays are effective and appropriate law enforcement tools or overbroad and invasive data collectors.

Monday, April 22, 2013

More on FERPA

Today we had an introductory look at FERPA. As a part of our discussion, we touched on some of the proposed changes and discussed the related report on issues arising during emergency situations. In September 2011, I wrote a piece as a Research Assistant at the Silha Center for the Study of Media Ethics and Law. If you are interested in reading more about the report, proposed changes, and other litigation related to journalists being rejected access to information based on FERPA, the link is below.

http://silha.umn.edu/news/Summer2011/SchoolPrivacyLawChanges.html

Thursday, April 18, 2013

Technology Evolving in Criminal Defendants' Favor: The Example of Blood Draws in DUI Cases

Yesterday the Supreme Court decided Missouri v. McNeely, No. 11-1425, 2013 WL 1628934 (U.S. Apr. 17, 2013), a case concerning the Fourth Amendment and law enforcement nonconsensually drawing the blood of someone suspected of driving under the influence. If drawing someone's blood is an unreasonable seizure, the police may do so without a warrant only if a recognized exception applies. One such exception is when the "exigencies of the situation make the needs of law enforcement so compelling that a warrantless search is objectively reasonable." The imminent destruction of evidence is such an exigency. The crux of this case was whether blood-alcohol content, which is inherently evanescent, presents an "imminent destruction" exigency such that the police could warrantlessly take blood samples.

The State of Missouri sought a per se rule that the natural dissipation of BAC always constitutes an exigency. (Many states, including Minnesota, have held this.) The Court rejected that argument, because BAC declines in a gradual and predictable fashion such that a particularized case-by-case inquiry is necessary in each case. The inquiry is thus whether the police can reasonably procure a warrant before the evidence, well, self-destructs. Because the State didn't bother to argue here that there were exigent circumstances in this case (it just wanted the per se rule), the Court affirmed the conviction.


Okay, so far this case isn't terribly remarkable-- but what I found striking about McNeely is that unlike most Fourth Amendment cases we've studied, here technology advances actually help criminal defendants. In other contexts, new technology has enhanced the police's ability to investigate and charge people with crimes: Katz (wiretapping); Smith (pen register); Kyllo (thermal sensors); Jones (long-term GPS surveillance). The defendants won in many of those cases, but one of the central conflicts common to each was this encroachment of technology on privacy without magisterial review for probable cause. (And this is to be expected, as the Fourth Amendment is about state action--technology use benefiting defendants wouldn't really figure into this analysis.)

In this case, the majority takes special note of "technological developments that enable police officers to secure warrants more quickly, and do so without undermining the neutral magistrate judge’s essential role as a check on police discretion." What sorts of technological developments? The majority points to a 1977 rule change allowing magistrates to issue warrants telephonically, and discusses states where police and prosecutors can apply for search warrants via email and video conferencing. In a separate opinion Chief Justice Roberts notes two particularly innovative jurisdictions:

Utah has an e-warrant procedure where a police officer enters information into a system, the system notifies a prosecutor, and upon approval the officer forwards the information to a magistrate, who can electronically return a warrant to the officer. Judges have been known to issue warrants in as little as five minutes. And in one county in Kansas, police officers can e-mail warrant requests to judges’ iPads; judges have signed such warrants and e-mailed them back to officers in less than 15 minutes.
(citations omitted).

Before yesterday, in a per se exigency rule state like Minnesota, law enforcement could take the blood of DUI suspects without consent or a warrant. Now, if there is a true exigency, law enforcement can still do this. This includes delays in the warrant process. But evolving technology like these e-warrant procedures and iPad requests has moved many situations out of the "exigency" box, thus necessitating a warrant. This is not to say all suspects will get off scot-free, but at least a magistrate will give their situation due consideration. And that is better for defendants than the cops being able to say, "Oh there's no possible time to talk to a magistrate, I get to take your blood right now."
(By the way, it also helps that there haven't been competing technological advances in the body's ability to more quickly eliminate alcohol from the system.)