The Truth About Facebook

Ask this expert on data science what Congress should have asked Mark Zuckerberg last week, and she’ll say, nothing.

If that surprises you, please understand that these hearings are not designed to deliver the truth. They’re designed to tell the public that, if there’s a problem, the government is doing something about it. So you’re not gonna get much straight talk. It’s not that no one cares. But the problem is bigger than Facebook or the United States, as we’ve explained before.

And people have a right to know.

Now, I’m no data scientist, but I spend a lot of time on these issues in my line of work, so here are some basic truths you should know if they haven’t sunk in yet. I give the same advice to clients whenever it comes up.

  1. You are not the customer. You are the product. Their business is to derive as much information about you as possible and sell it to others. Governments like this, too, because it’s a great way to study people, keep tabs on them, and even manipulate them. No one will stop doing this for the foreseeable future.
  2. You should assume that you create a permanent record of everything you do on your phone or the internet. You can’t avoid that by logging out of an app or even deleting it. The only way may be to give up electronic devices altogether and live off the grid. And good luck with that.
  3. Your friends and family don’t decide what you see when you log in. Facebook does. Or whichever other company does. Obviously, they want to show you what they think you want to see so you’ll spend more time on their platform. But they can also manipulate what you see—or even what you think you want to see.

Welcome to the 21st century. It’s no wonder Americans are throwing up their hands over privacy. But at least we can still debate and, hopefully, decide how we want to live in the United States. The same does not apply around the world.

 

The Microsoft-Ireland Case is Moot

We covered this before here and here.

But the high-profile case of United States v. Microsoft Corporation is now over. The question was whether the government could force Microsoft to turn over data that it stored on servers in other countries. The problem was that federal law didn’t allow the government to do that, or at least it wasn’t clear. So Microsoft challenged the government. It lost in the trial court, won on appeal, and landed before the U.S. Supreme Court last fall.

The Supreme Court heard the case in February, but in March, the new federal spending bill changed everything. It included a law called the CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data.

Under the new law, companies like Microsoft must produce data in their possession, custody, or control even if it’s located outside the United States. They may object if they reasonably believe that a target is not from the U.S. and that, by producing the data, they will break the laws of a “qualifying foreign government.” That means a government with which the U.S. has agreed to grant reciprocal access to such data for use in criminal cases. But there are no agreements yet. To get there, a foreign government must, among other things, not target U.S. persons, and it must be committed to due process, data privacy, free speech, and other civil rights and liberties.

Within a week of the new law, the U.S. moved to dismiss the case as moot.

A few days later, Microsoft agreed. For the full text of the CLOUD Act, see here, and scroll all the way down to page 866. For the company’s detailed statement on the new law, see here.

And so the trilogy is complete.

Getting Removed From the Megan’s Law Website in California

Last week, we wrote about certificates of rehabilitation, which relieve you from having to register as a sex offender.

As you may know, California publishes information from its sex-offender registry on a public website. The information includes your name, gender, date of birth, ethnicity, photograph, physical description, and relevant conviction. It also includes your home address or your county and zip code depending on the conviction. For violent or otherwise serious offenses, including those against children, it gives your home address. For somewhat less serious offenses, it gives your county and zip code, but if you have priors, that can change.

In a few cases, even if you can’t end or avoid registration, you can remove yourself from the public website. To do it, you have to apply directly to the California Department of Justice, and you can find the application form here.

To qualify, the state must regard you as a low risk for reoffending, and your only registry-related convictions must be for the following:

  1. felony sexual battery by restraint under Penal Code section 243.4(a);
  2. misdemeanor annoying or molesting a child under Penal Code section 647.6;
  3. some felony child-pornography offenses if all minors were 16 years of age or older; or
  4. an offense for which you’re on probation or have successfully completed probation, where you’re the victim’s parent, sibling, stepparent, or grandparent, and it didn’t involve oral copulation or sexual penetration.

If you qualify, the government must grant your exclusion. By the way, don’t go searching the Megan’s Law website yourself; it’s a misdemeanor.

[Update: Beginning January 1, 2022, these rules will change because of a new law and system for sex-offender registration. The changes will affect qualifying convictions under 1, 2, and 3, above. If you no longer qualify at that point, the state will rescind your exclusion.]

The CURES For What Ails You

Speaking of prescription drugs, almost every state now has a prescription-drug monitoring program (or PDMP). The goal is to curb prescription-drug abuse by discouraging pill-pushing and doctor-shopping. So whether you’re a patient or provider, you should pay attention because law enforcement and licensing boards are watching.

In California, for example, the program is called CURES: the Controlled Substance Utilization Review and Evaluation System. By law, pharmacies must report to CURES every prescription for a Schedule II, III, or IV drug within seven days of dispensing it. And pretty soon, under a law passed last year, doctors will be required to check CURES before prescribing such drugs to a patient for the first time and every four months after that during treatment.

Last week, the California Supreme Court ruled that the California Medical Board could freely access CURES at any time. It didn’t need to get a warrant or show good cause beforehand. The doctor who was being investigated argued that this violated the privacy of his patients. But the Court held that, on balance, the Board’s access was justified by the need to protect the public from drug abuse and protect patients from impaired or negligent doctors.

Even if your state’s law is different, remember that federal law remains supreme. Last month, a federal court decided a case in which the Drug Enforcement Administration (DEA) subpoenaed data from Oregon’s PDMP. Unlike California’s program, Oregon required all agencies—even federal ones—to get a court order before it would respond to a subpoena. It sued to compel the DEA to comply with its law, but it lost. Federal law authorizes the DEA to issue subpoenas on its own, so Oregon couldn’t force it to follow state law.

Can They Search My Phone at the Border?

Suppose you go to visit your aunt in Italy, and you take your phone and tablet with you.

When you come back through customs, can they just search your devices willy nilly?

Probably. Here’s a good overview of your rights at the border, along with some practical considerations. It’s worth reading ahead of time because the government is stepping up its enforcement at points of entry, and there have been some heavy-handed run-ins lately between agents and travelers, including U.S. citizens.

The general rule is that customs and border agents may conduct routine, reasonable searches of you and your belongings, including your electronic devices, for any reason or no reason at all. They don’t need a warrant, and they don’t need any basis to believe they’ll find evidence of a crime. It’s known as the Fourth Amendment’s border-search exception.

But how far can they go?

Can they conduct full, forensic searches or force you to give up your passwords?

According to this 2009 policy memo, the answer is yes. It says agents can seize your device, copy its contents, and search them. To do so, they can hold a device for up to five days with a supervisor’s approval. For longer periods, they must get further approval at higher levels. Ordinarily, they must conduct the search in the presence of a supervisor, too, but if that’s not feasible, they must inform a supervisor about their search as soon as possible. If they find probable cause to believe your phone contains evidence of a crime, you may not get it back for a while, if at all. If they don’t, you should get your phone back eventually, and they’re supposed to destroy any copied information.

The law is evolving, however, to require at least a reasonable suspicion for a full forensic search. That’s already the case in the federal circuit that covers California and eight other states, and the law should continue to trend in that direction. What is a reasonable suspicion? It’s a particularized and objective basis for suspecting someone of a crime.

Still, reasonable suspicion is not a tough legal standard to meet.

Plus, agents can always just ask you to unlock your phone or give up your passwords, and if you refuse, they have plenty of ways to coerce you. They can take your phone; detain you, too; search your bags more thoroughly; deny you entry if you’re visiting; or scrutinize your green-card status. Most folks just want to be on their way.

So happy trails, traveler. Leave the phone, perhaps, but take the cannoli.

The Future of Face-Recognition Technology

Face it: the future is already here. And by default, your face is ever more likely to be found in a law-enforcement database. It’s as easy as getting a driver’s license.

The facts are that face recognition is neither new nor rare, and more than one out of two American adults have already been loaded into a local, state, or federal database.

That’s according to this report by the Center on Privacy and Technology at the Georgetown University Law Center. Read it to learn more about this technology; how it’s being used; and what the future holds. For three shorter stories about it, see here, here, and here.

What did the researchers do? They sent public-records requests to more than one hundred law-enforcement agencies across the country. They interviewed representatives from dozens of those agencies as well as from the technology companies they contract with. They made two site visits to agencies that use advanced face-recognition systems. And they surveyed the state of the law (or lack thereof) in all fifty states.

What are their takeaways? Here are four.

  1. The technology has value, and its use is inevitable. The report doesn’t aim to stop it.
  2. Its use is spreading rapidly and secretly without limits, standards, or public oversight.
  3. The total network of federal, state, and local databases includes over 117 million American adults. That’s more than half the country.
  4. We’re moving toward a world of continuous, real-time face recognition through public surveillance cameras.

What are their recommendations? Here are three.

  1. Congress and state legislatures should pass commonsense laws to regulate face recognition, and police should follow them before they run a search.
    • For example, to search a database of driver’s license or state identification photos, police should have a warrant backed by probable cause.
    • To search a database of mug shots, they should have a reasonable suspicion of criminal conduct. Periodically, they should scrub the database of people who were arrested but not charged and convicted. Michigan, for one, already requires that.
    • They should not use real-time, continuous surveillance except for public emergencies.
    • They should not track people based on politics, religion, or other protected status.
  2. The federal government should develop tests and best practices to improve the technology’s accuracy. For example, in the latest available test of the FBI’s database, the system included the right person on a list of fifty potential matches 86% of the time. That means that one out of seven searches returned a list of fifty innocent look-alikes, and the other six included 49 of them.
  3. All governments should report their use of the technology, audit such use regularly, and respect civil rights and liberties.

Man Gets Indicted By His Pacemaker

Actually, the case was indicted by a grand jury in Ohio, which charged him with arson and insurance fraud.

Apparently, the man called 911 as his home burned in the background. He said he was sleeping when the fire started and that, in a hurry, he packed a bunch of bags, broke a window with his cane, threw the bags out the window, and carried them away. He mentioned that he had a pacemaker.

The police came to suspect him of arson. They say they found gasoline on his shoes, pants, and shirt, and they believe the fire had multiple points of origin from outside the house.

So they got a search warrant for the data from his pacemaker. That gave them a historical record of his heart rate and rhythms before, during, and after the fire.

Reportedly, the data showed that the man was active when he was supposed to be asleep, and a cardiologist has said it was “highly improbable” that he could carry out the strenuous activities he described.

Vulnerability Is Not The Same As Failure

We borrow those words from this smart essay on national security that was written in the wake of the terrorist attacks in Brussels this spring.

The author is a former assistant secretary at the Department of Homeland Security and a current member of the Department’s Homeland Security Advisory Council. The Advisory Council consists of top leaders from the worlds of business, government, and academia who provide the Department with real-world, independent advice on homeland security. So the author knows something of what she speaks.

And her essay is worth a read. In it, she answers some of the earnest questions she’s been asked over the years by friends and family.

  • Should I buy a gun? “Only with training and safety measures at home, and certainly not to combat Islamic terrorists.”
  • Is Times Square safe on New Year’s Eve? “Like every crowd scene, you have to stay alert, but security is high at events like that.”
  • Is my family safe? “No, not entirely.”

What she means is that the government simply cannot reduce our vulnerabilities to zero, and even if it could, we wouldn’t want it to. Doing so would destroy the country we love and believe in and derail its great experiment with freedom. That experiment—for all its flaws and growing pains—was ahead of its time in the beginning, and it continues to serve as a model for the world today. The risks we tolerate, then, are not bad bargains just because an enemy can exploit them, and even as we try to minimize those risks and maximize our defenses, we must maintain our spirit.

But you should read her words for yourself.

 

“The Fourth Amendment … Is In Retreat”

That’s how a dissenting opinion ends in a major federal case that was decided on Tuesday. This is how it begins:

“A customer buys a cell phone. She turns it on and puts it in her pocket.”

And with that, according to the majority’s opinion, the customer has consented to create a record of everywhere she goes, a record which the government can then obtain without a search warrant based on probable cause.

Neat trick, huh?

If the government wanted to plant a tracking device on you to follow you everywhere you went, it would need a warrant, but if it wants to let your cell phone do the work, it doesn’t.

Instead, under a federal law from 1986, it can apply for a special order to get your phone’s cell-site location data. These are the logs of cell towers that your phone connects to as you go about your business. They create a fairly precise record of where your phone goes.

The special order must be approved by a judge, but the government doesn’t have to show probable cause to believe you committed a crime; it only needs to show reasonable grounds to believe that your travels are “relevant and material to an ongoing criminal investigation.” Off the top of my head, I can’t think of a case where the government couldn’t argue your travels were important once it decided to investigate you for something.

In this case, the government obtained seven months’ worth of records this way.

On appeal, the court not only denied that the Fourth Amendment required a search warrant backed by probable cause, but it denied that the Fourth Amendment applied at all because, supposedly, you have no reasonable expectation of privacy in data that you share (or that your phone shares) with a third party such as your cellular service provider.

The court didn’t explain how people are supposed to work, date, or otherwise live in the real world without doing so.

As we’ve noted before, this third-party doctrine makes no sense in the digital age.

Fortunately, many states, including California, are going the other way.

Patient Privacy Gives Way for Good Cause

If you’re a doctor in California, here’s a healthy reminder that the Medical Board can subpoena your patients’ records for good cause, over their objection and yours.

In a recent decision, the California Court of Appeal upheld an order that compelled a doctor to produce three of his patients’ records even though all three didn’t want them released.

It all started when the Board got a complaint from a private investigator that the doctor, an ophthalmic plastic surgeon, was billing for services he didn’t render, misrepresenting some of the services he did render, and falsifying documents.

The Board began to investigate the complaint, and later, it issued subpoenas for the three patients’ records on the ground that the doctor had departed from the standard of care in their treatment. Two of the patients wrote to the doctor to say they didn’t want their records produced and were happy with their quality of care. The third wrote that he hadn’t received notice of any subpoena, but he didn’t want his records produced, either.

The doctor moved to quash the subpoenas, and the Board opposed it and moved to compel his compliance.

The trial court sided with the Board but limited the subpoenas to a three-year range. It doesn’t appear that the patients pursued their objections in court.

On appeal, the court upheld the order, and in the process, it surveyed the case law on what constitutes good cause for breaching the privacy rights of patients.

In three prior cases, the courts had found no good cause. In one, the evidence consisted of a declaration from the Board’s investigator that supplied no facts, only a conclusion that the records “may offer evidence to substantiate” an allegation of gross negligence. In another, the Board supplied experts who suggested, based on their review of pharmacy records, that two doctors were overprescribing, but they didn’t explain why, and the doctors submitted competent evidence to rebut them.

In the most recent case, however, the court found good cause for the subpoena because of specific billing irregularities and other evidence that a doctor was overprescribing. He’d prescribe large amounts of an amphetamine to one patient. He’d prescribe to the same patients at two different pharmacies on the same day. He’d prescribe the same drugs to multiple family members and refill their prescriptions before the due date.

In this case, too, the court held that substantial evidence supported the trial court’s finding of good cause because the investigator’s partial records revealed serious problems with the claims paperwork, which the Board’s expert reviewed. In some instances, the doctor’s paperwork didn’t support the services he billed for. In others, there was no documentation at all. In some, there were no signatures; in others, no dates of service; and his reports used canned, cut-and-paste language. So the court affirmed the order.

Ratings and Reviews

10.0Mani Dabiri
Mani DabiriReviewsout of 7 reviews
The National Trial Lawyers
The National Trial Lawyers
Mani Dabiri American Bar Foundation Emblem