NTIA Requests Comments Regarding International Internet Policy

Earlier this week, the National Telecommunications and Information Administration (NTIA), the executive branch agency responsible for telecommunications and information policy, released a Notice of Inquiry requesting that any interested party—including the private sector, technical experts, academics, and civil society—help the agency determine its international internet policy priorities. In particular, NTIA is seeking comments and recommendations regarding four topics: (1) the free flow of information and jurisdiction, (2) the multistakeholder approach to Internet governance, (3) privacy and security, and (4) emerging technologies and trends.

The Notice includes various questions regarding each topic that NTIA would like commenters to address (although commenters are free to address issues not specifically raised in the Notice), several of which are notable. For example, the agency states that foreign governments are increasingly imposing restrictions on the free movement of data—sometimes for “legitimate” reasons such as privacy but sometimes for “less valid” reasons such as the stifling of political speech. In light of this trend, NTIA asks commenters to help it identify the most pressing challenges to the free flow of information and expression on the internet. The agency also asks commenters to identify foreign laws and policies that restrict information or expression online (such as court orders to globally remove online information) and the impact that those laws and policies have on U.S. companies.

NTIA also notes that it has historically supported a multistakeholder process to internet governance through organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) or the International Telecommunications Union (ITU). However, the Notice invites comments on whether this existing multistakeholder process is working effectively. NTIA specifically asks what its priorities should be with respect to ICANN, including whether the agency should unwind the IANA Stewardship Transition, which resulted in management of the internet’s domain name system transitioning from the U.S. government to the private sector.

Finally, the Notice asks commenters the extent to which cybersecurity threats are harming international commerce and what emerging technologies or trends should be the focus of the agency’s international policy discussion.

NTIA’s request for input on international internet policy follows the EU’s GDPR going into effect on May 25, 2018. It appears that the debate around GDPR—and in particular the impact GDPR may have on U.S. internet companies—might have informed some of the questions posed in the Notice. This policy debate has recently made news as GDPR has resulted in changes to internet governance and commerce. For example, ICANN, which is the subject of various questions in the Notice, had to overhaul the WHOIS database that contains contact information of internet domain owners.

Comments are due by July 2, 2018.

Updates to California Auto-Renewal Law Take Effect on July 1, 2018

Companies that offer or are considering subscription-based plans should take note that new requirements for automatic renewal offers (“auto-renewals”) take effect in California on July 1, 2018.  California Senate Bill No. 313 (“SB 313”) amends existing law to extend additional protections to consumers where an auto-renewal offer includes a free gift or trial or where promotional pricing will change once the promotional period ends.  It also requires that certain consumers have the ability to opt-out exclusively online. Continue Reading

Mary Meeker’s Annual Internet Report Includes Insights Into Privacy

This past week, Mary Meeker presented her annual Internet Trends report for 2018 at the Code Conference.  A copy of the slide deck is available here.  The report is widely respected by industry experts, and this year’s presentation included a number of insights that industry stakeholders will find relevant regarding data privacy and technology more broadly.

One of Meeker’s key insights in her report was what she termed the privacy paradox.  Technology companies are increasingly using consumer data to provide consumers with better experiences and lower prices.  However, by collecting more consumer data those same companies need to work to avoid betraying consumers’ trust or running afoul of consumer data protection laws.

Consumers see a real value in technology products, as Meeker highlighted the increasing amount of time people spend online.  U.S. adults spent an average of 5.9 hours per day with digital media in 2017, which was an increase from the 5.6 hours per day in 2016.  Of those 5.9 hours, approximately 3.3 of them were from mobile devices, 2.1 were from desktops or laptops, and 0.6 from other connected devices.

Continue Reading

Federal Appeals Courts Split on Forensic Searches of Devices Seized at Border

Two federal appellate courts are taking sharply different views on whether—and why—government agents must have some amount of suspicion to conduct forensic searches of electronic devices seized at the border.

The Fourth Circuit on May 9, 2018, held that government agents must have reasonable suspicion to conduct forensic searches of cell phones seized at the border.  It said that decision was based on the Supreme Court’s recognition in Riley v. California that phones contain information with a “uniquely sensitive nature.”  The Fourth Circuit and Ninth Circuit are the only two federal appellate courts to require reasonable suspicion for forensic border searches.

In contrast, the Eleventh Circuit on May 23, 2018, rejected that position—and held that no suspicion is required for forensic border searches of electronic devices.  According to the Eleventh Circuit, even after Riley, “it does not make sense to say that electronic devices should receive special treatment because so many people now own them or because they can store vast quantities of records or effects.”

The decisions evince a split in how far courts are willing to apply Riley, including whether that decision has any bearing on border searches, which are a narrow exception to the Fourth Amendment’s warrant requirement.

Fourth Circuit: Riley Applies to Border Searches

In United States v. Kolsuz, the Fourth Circuit analyzed the reasonableness of a forensic search of the cell phone of a Turkish national traveling out of Dulles International Airport who was detained after agents located unlicensed firearms in his luggage.

Kolsuz’s phone was seized at the airport and driven to an off-site facility, where agents used an extraction program that took “a full month, and yielded an 896-page report” about the phone’s contents, according to the court.  That report included Kolsuz’s personal contact lists, emails, messenger conversations, photographs, videos, calendar, web browsing history, and call logs, along with a history of Kolsuz’s physical location down to precise GPS coordinates, the court said.  Notably, the phone remained in airplane mode during the extraction, so that the forensic program obtained only data stored on the phone itself and not data stored remotely in the cloud.

The Fourth Circuit held this was a “border” search, even though it was conducted several miles from the airport after Kolsuz was in custody.  Because the government invoked the border exception in investigating the “transnational offense” of firearms trafficking, the court held there was a “direct link” to the border search rationale, unlike cases in which the government seeks to invoke the border exception “on behalf of its generalized interest in law enforcement and combatting crime.”

The court next addressed the level of suspicion required to conduct a forensic search of an electronic device seized at the border.  It held that “[a]fter Riley, . . . a forensic search of a digital phone must be treated as nonroutine border search, requiring some form of individualized suspicion.”  According to the Fourth Circuit, the “key to Riley’s reasoning is its express refusal to treat such phones as just another form of container, like the wallets, bags, address books, and dairies covered by the search incident [to arrest] exception.”  Given that refusal, the court held that “cell phones are fundamentally different . . . from other objects subject to government searches.”

Eleventh Circuit:  Riley Does Not Apply to Border Searches

In United States v. Touset, the Eleventh Circuit rejected this reasoning.  Touset involved the forensic search of two laptops, two hard drives, and two tablets seized at the border after a U.S. citizen arrived at Atlanta’s Hartsfield-Jackson International Airport.  The forensic searches revealed child pornography on two laptops and the two hard drives—although the court does not explain how those forensic searches were conducted.

According to the Eleventh Circuit, “the Fourth Amendment does not require any suspicion for forensic searches of electronic devices at the border.”  That is because the Supreme Court has afforded greater protection to persons than to property and does not distinguish between searches of “different types of property,” the court said.  It held there was “no reason why the Fourth Amendment would require suspicion for a forensic search of electronic device when it imposes no such requirement for a search of other personal property.”

To reach that conclusion, the Eleventh Circuit relied on its March 2018 decision in United States v. Vergara, which held that Riley does not apply to border searches because that decision was limited to the search-incident-to-arrest doctrine.  (Vergara did not address the issue of what level of suspicion was required, because the defendant in that case only argued a warrant was needed—and the court held it was not.)  It also distinguished Riley by finding that the rationales supporting the border exception still had force when applied to digital information—unlike the rationales supporting the search-incident-to-arrest exception.

Indeed, the Eleventh Circuit suggested that “if we were to require reasonable suspicion for searches of electronic devices, we would create special protection for the property most often used to store and disseminate child pornography.”  It found “no reason” to “create a special rule that will benefit offenders who now conceal contraband in a new type of property.”

Effect Unclear Given CBP Guidance

The practical implications of these cases are not yet clear—particularly because U.S. Customs and Border Protection in January issued guidance requiring reasonable suspicion for forensic searches of electronic devices seized at the border.  Given that guidance (summarized in our prior post), it is possible that agents may conduct fewer forensic searches without reasonable suspicion, reducing the frequency with which this issue is litigated.  Still, because the guidance contains an exception allowing for suspicionless forensic searches in cases of “national security concern,” the issue may arise more frequently in that particular context.

Lawsuit Alleges That Self-Checkout Videos Violate the Song-Beverly Act

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”).  The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as a condition of accepting a credit card payment.

The Complaint alleges that video recordings of a person’s eye color, hair color, and facial features constitute “personal identification information” under the Song-Beverly Act, and that clearer recordings of these features require different treatment than those made using ordinary security cameras.  The Complaint further alleges that because this information allegedly is captured “throughout the entire duration of the customer’s credit card transaction,” the recording violates the statute.  The Complaint characterizes the recordings as “valuable biometric data” that allegedly is collected for Wal-Mart’s “prospective business purposes, including but not limited to targeted marketing campaigns.”

Wal-Mart has removed the lawsuit to federal district court.  It remains to be seen whether these novel allegations prove accurate or gain traction under the Song-Beverly Act, which to this point has not been applied to video recording technologies like those used at self-checkout kiosks.

GDPR Applies From Today

The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018.  It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data.

It is unclear how aggressively the data protection authorities (“DPAs”) will seek to be in the near future when it comes to using their new powers under the GDPR, and how quickly investigations will get underway, and fines imposed.  Many DPAs have suggested they are simply not ready to carry out the extra responsibilities given to them, which may lead to an ‘informal grace period’ for many companies who themselves have struggled to ensure they are fully GDPR-compliant by today.

Information Commissioner for the UK, Elizabeth Denham, stressed two days ago that becoming compliant is “an evolutionary process for organisations” and that “organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”  These echo sentiments from a blog post she wrote in December 2017, in which she also set out that if companies can demonstrate that they “have the appropriate systems and thinking in place” then they will “find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”

As ever, we will continue to monitor key developments in relation to the GDPR, and will provide further updates.

The UK Adopts Data Protection Act 2018

Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament.

The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998.

Notable provisions that make use of the ability of Member States to implement different measures from the GDPR are as follows:

  • Section 9 of the Act sets out the age of consent in relation to information society services at 13 years old, instead of 16 years old.
  • Exemptions from certain rights and obligations set out in the GDPR when it comes to certain criminal and immigration matters, for example, as well as for reasons of freedom of expression and information (e.g., for journalistic, academic, artistic, literary purposes), among a number of other diverse areas.

The Act also sets out that the Information Commissioner’s Office will be the supervisory authority in the UK for the purposes of the GDPR, and as such, is given certain powers under the Act to investigate and enforce its provisions, among other duties.

We will continue to monitor UK data protection developments, in particular the activities of the ICO, and will provide further updates.

Lawmakers Reintroduce “Do Not Track Kids” Bill

In both the Senate and the House, a bipartisan group of lawmakers has reintroduced a bill to update the Children’s Online Privacy Protection Act of 1998 (COPPA).  Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn) and Reps. Joe Barton (R-Texas) and Bobby Rush (D-Ill.) have introduced the Do Not Track Kids Act.  The bill would expand COPPA to cover information collected from children under 15; currently, COPPA covers only information collected from children under 13.  It would also clarify what types of companies and internet-capable devices are subject to COPPA and enable parents and children to request removal of publicly-available personal information a child submits.

Barton and Markey first introduced the bill in the House in 2011, when Markey was serving as a representative from Massachusetts.  They have since introduced versions of the bill in several sessions of Congress, but it has repeatedly died in committee.

FCC Seeking Comment on Key TCPA Reform Issues in Wake of DC Circuit Ruling

By Melanie Ramey

Yesterday, the Federal Communications Commission (“FCC”) released a Public Notice seeking comment on a range of issues relevant to its interpretation of the Telephone Consumer Protection Act (“TCPA”), including how the FCC should interpret what constitutes an “automatic telephone dialing system” in the wake of a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit to vacate the agency’s prior interpretation of that term.

This same issue was the focus of a petition for declaratory ruling filed earlier this month by the U.S. Chamber Institute for Legal Reform and a number of other industry organizations.

The Public Notice seeks comment on a range of other TCPA issues, some of which also were addressed by the D.C. Circuit’s recent decision.  These include how calls to reassigned mobile telephone numbers should be treated under the TCPA and the ways in which a party may revoke his or her prior express consent to receive automated or prerecorded calls under the statute.  Continue Reading

Supreme Court Unanimously Holds that Unauthorized Driver Has Reasonable Expectation of Privacy in Rental Car

By Lauren Moxley

Today, the Supreme Court released its decision in Byrd v. United States.  The Court held that under the Fourth Amendment, a driver of a rental vehicle can challenge a search of the vehicle even if he is not listed as an authorized driver on the rental agreement.

The case began in September 2014, at a Budget car rental facility in New Jersey.  While Terrence Byrd waited outside, Latasha Reed, his partner with whom he shares five children, entered the facility and signed the car rental agreement.  The agreement stated that additional drivers would only be allowed “with prior written consent.”  Reed did not add any drivers to the agreement.  Upon leaving the rental car facility, Reed gave the keys to Byrd, who began driving to Pittsburgh.  On the way, Byrd passed a Pennsylvania State Trooper, who was suspicious of Byrd because he was driving with his hands at the “10 and 2” position.

The officer pulled Byrd over for a possible traffic violation.  The officer and his partner learned that Byrd was not listed as an authorized driver on the rental agreement, and that Byrd had prior drug and weapons convictions.  Byrd told the officers that he had a marijuana cigarette in the car.  Without Byrd’s consent, the officers then searched the rental car, where they discovered a bullet-proof jacket and 49 bricks of heroin.

Byrd was charged with possession of heroin with intent to distribute and possession of body armor after a felony conviction for a violent crime.  Byrd argued that the evidence obtained in the search could not be used as evidence against him because the troopers lacked probable cause to search the trunk.  In response, the government argued that the officers did not need Byrd’s consent because he was not listed as an authorized driver on the rental agreement, and therefore had no expectation of privacy under the Fourth Amendment.

The district court agreed with the government that Byrd did not have had a reasonable expectation of privacy in the car because he was not an authorized driver on the rental car agreement.  The Third Circuit affirmed.  Neither court decided whether the troopers had probable cause to search the car.  On appeal to the Supreme Court, Byrd argued that whether he was on the rental car agreement was irrelevant to whether he had a reasonable expectation of privacy under the Fourth Amendment.  Rather, he argued, the relevant question is whether he has “possession and control” over the car—possession and control that he had, as Reed had rented the car and allowed him to drive it.

In a unanimous decision written by Justice Kennedy, the Supreme Court ruled for Byrd.  The Court rejected the government’s contention that drivers who are not listed on rental agreements always lack an expectation of privacy in the car, which “rests on too restrictive a view of the Fourth Amendment’s protections.”  The Court likewise rejected the government’s argument Byrd lacked a reasonable expectation of privacy based on the rental agreement.  “As anyone who has rented a car knows, car-rental agreements are filled with long lists of restrictions,” the Court wrote, including “prohibitions on driving the car on unpaved roads or driving while using a handheld cellphone.”  The government conceded that violating provisions like these had nothing to do with a driver’s reasonable expectation of privacy in the rental car, and the Court concluded that “there is no meaningful difference between the authorized-driver provision and the other provisions the Government agrees do not eliminate an expectation of privacy, all of which concern risk allocation between private parties—violators might pay additional fees, lose insurance coverage, or assume liability for damage resulting from the breach.”  (This reasoning may be invoked in future cases addressing the relationship between Fourth Amendment rights and Terms of Service.)

In turn, the Court rejected Byrd’s argument that a rental car’s sole occupant always has an expectation of privacy based on mere possession and control.  Without qualification, the Court reasoned, Byrd’s rule would include thieves or others who lack a reasonable expectation of privacy.

The Court’s decision expressly grounded the Fourth Amendment’s reasonable expectation of privacy test in “property concepts.”  While the Court made clear that property-based understandings of the Fourth Amendment are not always dispositive as to reasonable expectations of privacy, it suggested that where Fourth Amendment standing derives from ownership and possession of property, property-based principles may guide resolution of the reasonable expectations of privacy test.  Under the traditional property-based understanding of the Fourth Amendment, legitimate presence on the premises of the place searched, standing alone, is not enough to accord a reasonable expectation of privacy.  So too, the right to exclude others is one of the main rights attaching to property, and the one who owns or lawfully possesses or controls property will in all likelihood have a legitimate expectation of privacy by virtue of the right to exclude.

Despite the favorable decision for Byrd, the evidence against him may still be admissible—and his conviction may still be affirmed.  The Court remanded the case back to the lower courts to determine two issues.  First, whether Byrd still had an expectation of privacy even though he had engaged in “subterfuge” by using Reed to mislead the car rental company; and second, whether, even if Byrd had a right to object to the search, the police otherwise had probable cause for the search.