Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos. As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins
On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide.
The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components.
Part I: Extraterritorial Reach…
On Wednesday, the Supreme Court heard oral arguments in Carpenter v. U. S., a case that involved the collection of 127 days of Petitioner Thomas Carpenter’s cell site location information as part of an investigation into several armed robberies. We attended the argument to gain any insights into how the Supreme Court may resolve this important case.
The central issue in the appeal is whether the government can access this type and amount of individual location data without a warrant. But an equally important issue is whether the Supreme Court should reevaluate the “third-party doctrine” exception to the Fourth Amendment’s warrant requirement in light of dramatic changes in the way individuals interact with technology in the digital era. The “third-party doctrine” provides that individuals have no expectation of privacy in any information that is voluntarily released to a third party—a mobile-phone provider, cloud service provider, and the like. The Court’s decision will have major implications for technology companies’ ability to protect customer data against warrantless searches by law enforcement officials.
During the 80-minute, extended oral arguments, the Justices broadly acknowledged that technology has changed dramatically in the decades since the Court originally recognized the third-party doctrine. Each Justice, however, appeared to place varying weight on the import of that change on current legal standards. Justices Kennedy and Alito focused on the information itself, rather than the technology, asking whether location information should be considered more sensitive than the bank information that United States v. Miller permitted law enforcement to access without a warrant, suggesting that banking information might be considered more sensitive. …
Continue Reading The Supreme Court Arguments in Carpenter Show that It May Be Time to Redefine the “Third-Party Doctrine”
By Fredericka Argent
Last week, the Court of Justice of the European Union (CJEU) ruled that owners of home surveillance cameras could be breaching the EU Data Protection Directive 95/46/EU (the Directive), when those cameras are used to monitor public spaces. The ruling was made following a request from the Nejvyšší správní soud (The Supreme Administrative Court of the Czech Republic) for interpretive guidance.
According to the facts, Mr Ryneš, from the Czech Republic, had set up a camera to monitor the footpath outside of his home in response to a series of break-ins that he and his family had suffered. One of the suspects of a break-in was subsequently caught on camera, and the video recording was used as evidence in the criminal proceedings that followed. However, the suspect separately made a complaint to the Czech Data Protection Office that the surveillance system used by Mr Ryneš was unlawful. The Czech Data Protection Office agreed. Mr Ryneš then brought an action challenging that decision, which was appealed to the Czech Supreme Court.
Continue Reading The EU’s Highest Court Rules That The EU’s Data Protection Directive Applies To Home Security Surveillance Cameras
This week, in a 5-4 decision in Clapper et al. v. Amnesty International USA et al., the United States Supreme Court rejected two theories of Article III standing presented by a group of attorneys, human rights, labor, legal, and media organizations who sought a declaration that surveillance under section 1881a of the Foreign Intelligence Surveillance Act (“FISA”) is unconstitutional as well as an injunction against section 1881a-authorized surveillance.
These respondents argued first that, because their work requires them to engage in sensitive and/or privileged communications with individuals located abroad who are likely targets of surveillance, there was an objectively reasonable likelihood that their communications would be acquired under section 1881a at some point in the future, thus causing them injury. (Section 1881a, which was added by the FISA Amendments Act of 2008, authorizes, under certain circumstances, the government surveillance of individuals who are not “United States persons” and are reasonably believed to be located outside the United States). Second, the respondents maintained that the risk of surveillance under section 1881a is so substantial that they had been forced to take costly and burdensome measures to protect the confidentiality of their communications that constitute present injury and are fairly traceable to section 1881a.
The Supreme Court rejected each of these arguments holding (1) that respondents’ “highly attenuated chain of possibilities” and theory of future injury was too speculative to satisfy the well-established Article III standing requirement that threatened injury be “certainly impending” and, moreover, that they could not establish that the injury was fairly traceable to section 1881a; and (2) that the respondents “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”…