Archive for December, 2012

New FTC COPPA Rule will better protect 21st century children

Posted by fgilbert on December 19th, 2012

The Federal Trade Commission's final updated COPPA Rule, published this morning (December 19, 2012), brings child protection online into the 21st century. While most of the high-level requirements, which stem directly from the Children's Online Privacy Protection Act (COPPA), remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and to modern methods of financing websites, such as behavioral targeting. It also takes into account more than ten years of practice and attempts to address some of the shortcomings and complexities of the prior rule. For example, the new Rule requires better accountability from Safe Harbor programs, which will have to audit their members annually and report annually to the FTC on the outcome of these reviews. It also requires better accountability from companies. Companies that release children's personal information to third parties, whether service providers or others, will be responsible for ensuring that these third parties are capable of protecting the confidentiality, security and integrity of children's personal information, and that they actually provide these protections when handling the children's information in their custody.

More covered entities

The new definition of “operator” now also covers websites or online services directed to children that integrate outside services, such as a plug-in or ad network. The new definition of “website or online service” will also include plug-ins and ad networks that have actual knowledge that they are collecting personal information through a child-directed website or service.

More personal information protected

The definition of personal information is expanded to include:

  • Geolocation information
  • Photos, videos, and audio files that contain a child’s image or voice
  • Persistent identifiers, such as IP address or mobile device IDs, that can be used to recognize a user over time and across different websites or online services.

More permitted activities

Conversely, more activities are specifically permitted without parental consent. These include contextual advertising, frequency capping, legal compliance, site analysis, and network communications. However, this does not extend to behavioral advertising: parental consent is still required when information is used or disclosed to contact a specific person or to develop a profile on that person.

New form of disclosures

The Rule still requires a direct notice to parents in addition to the online notice of information practices, but it streamlines what websites and online services must disclose in the online privacy statements describing their information practices.

New forms of parental consent

The new Rule offers more ways in which parents can communicate their consent. These additional means include electronic scans of signed parental consent forms (in addition to mail and fax), videoconferencing, use of government-issued ID, and use of online payment systems (other than credit or debit cards) that provide notification of each discrete transaction to the primary account holder.

Stronger security and confidentiality

While operators remain responsible for protecting the confidentiality, security and integrity of children's information, they will in addition be required to ensure, before releasing information to service providers and third parties, that these entities are capable of maintaining the confidentiality, security, and integrity of the information, and to obtain assurances that these measures will be maintained.

New limited retention and disposal rules

Operators will be expected to retain personal information collected online from a child only for as long as reasonably necessary to fulfill the purpose for which it was collected. When deleting such information, they will also be required to use reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

New monitoring and reporting requirements

The new Rule strengthens the FTC's oversight of safe harbor programs. Safe harbor programs will be required to arrange for annual assessments of their member operators' compliance with the program guidelines, and to provide the FTC with an annual report of the aggregated results of these independent assessments.

USA Patriot Act Effect on Cloud Computing Services

Posted by fgilbert on December 11th, 2012

Recent reports and press articles, with attention-grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law enforcement and national security agencies unrestricted access to any data, anywhere, any time. In fact, the actual impact of the Patriot Act in this cloud context is negligible.

To the extent that U.S. law enforcement or national security agencies can access data held in the cloud or elsewhere, it is not through the Patriot Act but through decades-old laws and judicial decisions. For more than 40 years, government access to personal data and communications in the context of national security and law enforcement matters has been regulated by a wide range of federal and state laws. These laws were enacted long before the passage of the Patriot Act, and have been amended further since then. They are not so different from those in effect elsewhere. Most other nations have comparable provisions for access to data in the context of national security or law enforcement. Where they do not, their governments have unrestricted powers to access any data anywhere from anyone.

This article will examine the actual role and effect of the Patriot Act, and briefly describe some of the U.S. laws that govern access to data by the U.S. law enforcement, national security, and intelligence services. A subsequent article will address how other countries, in Europe and elsewhere, regulate access to data by their respective governmental entities in similar circumstances.

Only a Series of Amendments

Contrary to press reports, the Patriot Act is not “the” U.S. law that governs access to data or communications by law enforcement and national security agencies. Signed into law in 2001 after the September 11 attacks, the USA PATRIOT Act (an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) is primarily a combination of amendments to existing laws that were enacted in the 1970s and 1980s.

The amendments brought in by the Patriot Act were designed to make it easier for U.S. law enforcement and national security agencies, in the context of criminal investigations, to conduct surveillance and access data for the purpose of preventing, detecting, and investigating crimes and terrorist acts. For example, previously, if law enforcement needed access to data held by communication providers in multiple states, it had to seek separate search warrants from separate judges. The Patriot Act amendments allowed such an investigation to proceed on a single search warrant obtained from one federal judge. This change streamlined the process for U.S. government searches in certain cases, but did not affect the underlying laws, regulations, and prior court decisions pertaining to government requests for access to data.

Rules for Government Access to Data

It is not as easy as the press depicts it for U.S. prosecutors, law enforcement or national security agencies to obtain access to data, information, documents or premises owned or controlled by private entities, enterprises, financial institutions, and the like. Numerous rules govern the circumstances and manner in which state or federal government agents may act and collect the evidence that they are seeking. In addition, other rules govern the use of this evidence: it may be admitted in court only if it has been legally collected in accordance with applicable laws.

At the federal level, the basic rule, written in the Fourth Amendment to the U.S. Constitution, grants individuals the right to be secure from unreasonable searches and seizures. In addition, several federal laws, such as the Wiretap Act, the Stored Communications Act, the Pen Register Act, the Foreign Intelligence Surveillance Act, the Communications Assistance for Law Enforcement Act, and the Economic Espionage Act, define specific rules. A similar regime exists under state law. Most U.S. states have general surveillance laws as well as specific laws, such as laws that govern the use of RFID technologies for surveillance purposes.

These laws may depend on the nature of the information to be retrieved and the purpose for which it is retrieved. For example, the Wiretap Act pertains to access to data in transit, whereas the Stored Communications Act pertains to access to data in storage. There are different provisions for access to content (e.g., the actual message or communication) as opposed to access to non-content (e.g., the identity of the sender or recipient, or time of the call or communication). The law may distinguish whether the person being investigated is a U.S. citizen or resident, or, instead an “agent of a foreign power,” as is the case under the Foreign Intelligence Surveillance Act.

The laws described above define the specific rules and requirements that must be met for a federal or state investigator to have access to specific data, premises, or equipment where the data is located, and for specific purposes. In most cases, the investigator is required to obtain a subpoena, a court order, or a warrant. In rare cases, it may be possible to have access to data without a subpoena, court order, or warrant; these cases are specifically identified in the applicable law, and are generally associated with extraordinary circumstances and grave hostile acts. There, other types of control and oversight apply.

Stored Communications Act

The rules of the Stored Communications Act are frequently invoked in the context of access to data stored by cloud service providers. Enacted in 1986, the Stored Communications Act governs access to wire and electronic communications in electronic storage (as opposed to communications in transit). The law contains general prohibitions against access to these communications, and exceptions, such as rules that allow disclosure of these communications by providers of electronic communications services (e.g., Verizon, AT&T). It also contains an exception allowing a governmental entity to obtain access to data stored by communication and computing service providers. These rules are very complex and detailed.

When the data are held by an electronic communications service provider, the rules for obtaining access to the content differ according to the length of time the service provider has held the data. The threshold is 180 days. The requirements are more stringent for access to data held for 180 days or less than for data held longer than 180 days. This dichotomy was developed in the late 1980s, at a time when the Internet as we know it now did not exist, and before servers were commonly used for storage. At that time, a communication that had been stored for 180 days was deemed abandoned and thus deserving of less protection.

When a governmental entity seeks to obtain access to content that an electronic communications service has held in storage for less than 180 days, it must first obtain a search warrant. The standard for obtaining a warrant is very high: the government agent must show that “probable cause” exists, based on his or her personal observation or hearsay information, to show that evidence of a crime would be found in the requested search.

On the other hand, to obtain access to the same content held by the same electronic communications service provider for more than 180 days, a subpoena or court order would suffice. The requirement for a subpoena or a court order is much less stringent than that for a search warrant. However, if the government elects to use a subpoena or a court order, it must give prior notice to the subscriber or customer of that service. If the government wants to avoid providing notification, then a warrant is required.

This is just one example of the complexity of these rules; they are detailed in lengthy provisions, with numerous exceptions and nuances. For example, the rules described above apply only to “electronic communication services” (“ECS”), i.e., services that send or receive wire or electronic communications. Different requirements apply to access to data held by “remote computing services” (“RCS”), i.e., services that provide computer storage or processing services. In that case, the 180-day dichotomy does not apply and the requirements are different. Further, while the rules above apply to access to “content” (i.e., what was said, what the message was), there are different rules for access to “non-content” (i.e., when the message was sent, from whom, to whom).

Foreign Intelligence Surveillance Act and Amendment

Enacted in 1978, the Foreign Intelligence Surveillance Act (FISA) prescribes procedures for physical searches and electronic surveillance of activities of foreign entities and individuals where a significant purpose of the search or surveillance and the collection of information is to obtain “foreign intelligence information.”

The term “foreign intelligence information” is defined to include information that relates to actual or potential attacks or grave hostile acts of a foreign power or an agent of a foreign power, sabotage, international terrorism, weapons of mass destruction, clandestine intelligence activity by or on behalf of a foreign power, or similar issues.

Like for the other laws described in this article, the Patriot Act did not create the FISA, it only amended it. For example, the Patriot Act enlarged the scope of the existing law to apply when “a significant purpose” of the search or surveillance is the collection of foreign intelligence, whereas the scope of FISA was initially limited to searches where “the primary purpose” was the collection of foreign intelligence.

FISA allows the President, acting through the U.S. Attorney General, to authorize electronic surveillance without a court order, for periods of up to one year, in order to acquire foreign intelligence information, but only in narrow circumstances. The Attorney General must certify, in writing and under oath, that the electronic surveillance is solely directed at the acquisition of communications between or among foreign powers and that the proposed procedures meet the “minimization procedures” requirement, and must immediately transmit a copy of this certification, under seal, to the FISA Court (or “FISC”), a special court that oversees surveillance activities under FISA. Outside those circumstances, the government must seek an order from the FISC. The application to conduct the surveillance must set out facts supporting a finding by the FISC judge reviewing it that there is probable cause to believe that the proposed target is a foreign power or an agent of a foreign power, and must describe the premises or property that is the proposed subject of the search or surveillance.

FISA was amended in 2008 through the FISA Amendments Act (FAA) to permit the U.S. Attorney General and the Director of National Intelligence to jointly authorize the targeting of non-U.S. persons reasonably believed to be located outside the United States, in order to acquire foreign intelligence information. The certification supporting such targeting is normally submitted to the FISC for review before targeting begins; the Attorney General and the Director of National Intelligence may authorize targeting ahead of that review only upon determining that exigent circumstances exist because intelligence important to the national security of the United States may be lost.

There are numerous limits to the way in which the targeting may be conducted, and minimization procedures must be used. In addition, the targeting must be conducted in a manner consistent with the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable searches and seizures.

The U.S. government generally does not have jurisdiction over non-U.S. entities located outside U.S. territory. The FAA does not grant U.S. governmental entities the right to access servers held outside the United States. It only defines the rules that federal agents must follow to target communications made by non-U.S. persons believed to be located abroad.

Annual Reports

The issuance of search warrants or orders allowing access to or interception of communications is tightly controlled. It is not enough that each investigator must provide substantial information showing why the search is needed and on what grounds the content is relevant or material. In addition, any judge who has issued an order for an interception, or has denied an application for one, must report the approval or denial to the Administrative Office of the United States Courts.

Concurrently, the U.S. Attorney General who made the request for access must also file a report with the courts' administrative office. This report must contain detailed information about each investigation, including, for example, the number of persons whose communications were intercepted, the number of arrests resulting from the interception, and the number of convictions. Compilations of the judges' reports and the U.S. Attorney General's reports are prepared annually, and a summary report is provided to Congress. These reports are publicly available for anyone to review and are posted on the Internet.

Consequently, investigations are not initiated lightly; having to prepare so many applications, sworn statements and reports is already a deterrent. In addition, each such investigation is very costly. According to the report on these investigations filed in 2010, the average cost of an “interception” ranges from $20,000 to over $100,000, with a median of around $50,000.

U.S. Government Access to Data Outside the U.S.

What happens when an investigation would require access to data held in a foreign country? Generally, a U.S. prosecutor or investigator will not be permitted to conduct an investigation or to interview witnesses abroad. In most cases, the help of the local government will be necessary. To this end, over the years, nations have agreed on a variety of bilateral or multilateral treaties that define how they will cooperate in certain matters.

For example, the U.S. is party to several Mutual Legal Assistance Treaties (MLAT) for the purpose of gathering and exchanging information in an effort to enforce civil or criminal laws. There are numerous MLATs related to police and law enforcement cooperation and MLATs with respect to tax evasion, for example.

In addition, the U.S. is a party to the Council of Europe Convention on Cybercrime, which entered into force for the United States in 2007. The Convention governs electronic surveillance, sharing of evidence and computer crime. It allows governments to request and provide mutual assistance in the investigation and prosecution of a number of crimes, such as hacking, unauthorized access to computer systems, child pornography, or copyright infringement.

In some cases, law enforcement may attempt to obtain access to information held abroad by making the request from the U.S. affiliate of a company located abroad that may have custody or control over the documents or information at stake. In the U.S., courts have held that a company with a presence in the U.S. is obligated to respond to a valid demand for information by the U.S. government (made under one of the applicable U.S. laws) so long as the company retains custody or control over the data. The key question is whether the U.S. company does have the required level of “custody or control” to be forced to respond to the government request.

The question of whether a U.S.-based company has custody or control over data held outside the United States has been the subject of many cases and controversies. The seminal case in this area involves the Bank of Nova Scotia, where a U.S. court required the U.S. branch of the Canadian bank to produce documents held in the Cayman Islands for criminal proceedings in the U.S. This principle of extraterritorial reach has been followed elsewhere, for example in Australia. In the 1999 case of Bank of Valletta PLC v. National Crime Authority, the Australian branch of a Maltese bank was required to produce documents held in Malta for use in an Australian criminal proceeding.

Government Investigations and Privacy

There is an inherent tension between governments' requests for access to data in the context of criminal investigations or the fight against drugs or terrorism, and the basic right of individuals to privacy in their homes and their papers. The laws that govern government access to data and communications have attempted to balance the individual interest of a person against the community's interest in fighting crime and terrorism, while also recognizing that national security may trump personal privacy. The laws discussed above are intended to limit the powers of law enforcement and national security personnel in their quest for evidence.

In the European Union, there is a similar analysis. Directive 95/46/EC, the foundation document that defines the principles of privacy protection for all individuals and that is implemented into the national laws of each E.U. and E.E.A. Member State, recognizes that there are cases where privacy rights have to defer to other rights. The Directive has carved out from the blanket protection of individuals with respect to the processing of personal data, the ability for governments to have access to, or use of, personal information in connection with investigations that pertain to national security, defense and related areas. Some of the issues of privacy in the context of police and judicial investigation are addressed in a separate document, the Council Framework Decision 2008/977/JHA of November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

A similar carve-out is provided in the E.U.-U.S. Safe Harbor Principles, which state, “adherence to [the Safe Harbor] principles may be limited to the extent necessary to meet national security, public interest, or the requirements of law enforcement.”

What Rules Apply Abroad?

While rules that pertain to government access to data and communications in the United States have received a lot of attention, most countries also have laws authorizing government investigations for national security and other purposes. We will examine these foreign laws in an upcoming article.

NOTE:  A prior version of this article was published in May 2012 by TechTarget under the title: Demystifying the Patriot Act; Cloud Computing Impact.