Car Wreck: Data Breach at Uber Underscores Legal Dangers of Cybersecurity Failures

Matthew McCord, MJLST Staffer

 

This past week, Uber’s annus horribilis and the ever-increasing reminders of corporate cybersecurity’s persistent relevance reached a singularity. Uber, once praised as a transformative savior of the economy by technology-minded businesses and government officials for its effective service delivery model and capitalization on an exponentially expanding internet, has found itself impaled on the sword that spurred its meteoric rise. Uber recently disclosed that hackers accessed the personal information of 57 million riders and drivers last year. It then paid the hackers $100,000 to destroy the compromised data, and failed to inform its users or sector regulators of the breach at the time. The hackers apparently obtained a trove of personally identifiable information, including names, telephone numbers, email addresses, and driver’s license numbers, not through any flaw in GitHub itself but by finding access credentials that Uber engineers had left in a private GitHub repository and using them to reach data the company stored in its cloud account.
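As reported, the Uber intrusion started not with a weakness in GitHub but with credentials that Uber engineers had left in a private repository, which the attackers then used to reach data stored in the company’s cloud account. The following is an added example, not part of the original post and not Uber’s or GitHub’s tooling, of the kind of pre-commit check that catches such credentials before they reach a shared repository: it flags the documented shape of an AWS access key ID, PEM private-key headers, and any sensitive-looking assignment whose value has high Shannon entropy. The three patterns, the 3.5 bits-per-character threshold, and the sample settings file are all constructed for illustration; the AWS values in the sample are the placeholders from AWS’s own documentation, not live credentials.

```python
"""Illustrative pre-commit secret scanner (added example; not Uber's or
GitHub's tooling). Flags credentials of the kind that, once committed to a
repository, hand an attacker a working key to wherever they are valid.

Assumptions (all constructed for this example): the three patterns below,
the 3.5 bits/char entropy threshold, and the sample settings file."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# AWS access key IDs have a documented shape: "AKIA" followed by 16
# upper-case alphanumerics. One fixed pattern of the many a real scanner carries.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# PEM private-key headers (RSA, EC, OPENSSH, or the bare form).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Generic "sensitive name = long token" assignment. The name may carry a
# prefix or suffix (AWS_SECRET_ACCESS_KEY, DATABASE_PASSWORD, ...); the value
# must be at least 16 characters drawn from a typical token alphabet.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key|access[_-]?key)"
    r"[A-Za-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)

# Assumed threshold: real keys are close to uniformly random and sit well
# above this; placeholders such as "changeme" or "aaaaaaaa..." fall below.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of ``s`` (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> List[Finding]:
    """Return every suspected secret in ``text``, in line order.

    Specific patterns run first; the generic assignment check then skips any
    value already reported on the same line, so a key ID is not listed twice.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(1)))
            seen.add(m.group(1))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(line_no, "private_key", line.strip()))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(line_no, "high_entropy_secret", value))
            seen.add(value)
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan each path; map path -> findings for files that have any."""
    results: Dict[str, List[Finding]] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            results[path] = found
    return results


# Constructed sample: a settings file of the kind that gets committed by
# mistake. The AWS values are the placeholder examples from AWS's own
# documentation, not live credentials.
SAMPLE_SETTINGS = "\n".join([
    "# settings.py (constructed sample)",                                  # line 1
    "DEBUG = True",                                                         # line 2
    'DATABASE_HOST = "db.internal.example"',                                # line 3
    'DATABASE_PASSWORD = "changeme"',                                       # line 4: too short
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                           # line 5: key ID
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',   # line 6: secret
    'SESSION_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"',                           # line 7: low entropy
    "-----BEGIN OPENSSH PRIVATE KEY-----",                                  # line 8: key material
])


if __name__ == "__main__":
    # As a hook: ``python scan_secrets.py $(git diff --cached --name-only)``
    # exits non-zero when anything is flagged, which blocks the commit.
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
        for path, found in hits.items():
            for f in found:
                print(f"{path}:{f.line_no}: {f.kind}: {f.value[:6]}...")
        sys.exit(1 if hits else 0)
    for f in scan_text(SAMPLE_SETTINGS):
        print(f"line {f.line_no}: {f.kind}")
```

Run over staged files as a hook, exiting non-zero on any finding. Two caveats a practitioner would add: pattern and entropy checks produce false positives (hashes, test fixtures) and miss anything that does not look like a token, so they are a guardrail rather than a control; and because git retains history, any credential that was ever committed should be treated as compromised and rotated, since deleting it from the current tree does not remove it.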

Uber, a Delaware corporation, is required by Delaware statute to give notice of a data breach to affected customers in the “most expedient time possible and without unreasonable delay.” Most other states have adopted similar legislation covering companies doing business within their borders, which could allow those states’ regulators and customers to bring actions against the company. By allegedly failing to provide timely notification, Uber opened itself to a parade of announced investigations into the breach: the United Kingdom’s Information Commissioner, for instance, has threatened fines following an inquiry, and U.S. state regulators are similarly considering investigations and regulatory action.

Though regulatory action is not a certainty, the possibility of legal action and the dangers of lost reputation are all too real. Anthem, a health insurer subject to far stricter federal regulation under HIPAA and its various amendments, paid $115 million to settle a class action over its infamous 2015 data breach. Short-term impacts on reputation rattle companies (especially those that respond less vigorously): Target saw its fourth-quarter 2013 profit fall by nearly half after its data breach. The cost of correcting poor data security on a technical level also weighs on companies.

This latest breach underscores key problems facing businesses in the continuing era of exponential digital innovation. The first and most practical is the seriousness with which companies approach information security governance. An increasing number of data sources and applications, and the increasing complexity of systems and vectors, multiply the potential avenues for attack. One decade ago, most companies used at least somewhat isolated, internal systems to handle a comparatively small amount of data and operations. Now, risk assessments must reflect the sheer quantity of both internal and external devices touching networks, the innumerable ways services interact with one another (and thus expose each service and its data to possible breaches), and the increasing competence of organized actors in breaching digital defenses. Information security and information governance are no longer niches relegated to one silo of a company, but necessarily permeate nearly every business area of an enterprise. Skimping on investment in adequate infrastructure greatly widens the regulatory and civil liability of even the most traditional companies for data breaches, as Uber very likely will find.

Paying off data hostage-takers and thieves is a particularly concerning practice, especially from a large corporation. This simply creates a perverse incentive for malignant actors to continue trying to siphon off and extort data from businesses and individuals alike. These actors have grown from operations of small, disorganized groups and individuals to organized criminal groups and rogue states allegedly seeking to circumvent sanctions to fund their regimes. Acquiescing to the demands of these actors invites the conga line of serious breaches to continue and intensify into the future.

Invoking a new federal legislative scheme is a much-discussed and little-acted-upon solution for disparate and uncoordinated regulation of business data practices. Though 18 U.S.C. § 1030 provides criminal penalties for the bad actors, there is little federal regulation or legislation on liability or minimum standards for breached PII-handling companies generally. The federal government has left the bulk of this work to the states, as it leaves much of business regulation. However, information technology and communications services are recognized as critical infrastructure sectors by the Department of Homeland Security under Presidential Policy Directive 21. Data breaches and other cyber attacks result in data and intellectual property theft costing the global economy hundreds of billions of dollars annually, and a widespread attack could disrupt government and critical private-sector operations, like the provision of utilities, food, and essential services, making cybersecurity a definite national risk requiring a coordinated response. Carefully crafted legislation authorizing federal coordination of cybersecurity best practices, and adequately punitive federal action for negligent information governance, would incentivize the private and public sectors to take better care of sensitive information, reducing the substantial potential for serious attacks to compromise the nation’s infrastructure and the economic well-being of its citizens and industries.


Acquisitions of Our Lives

Zachary Currie, MJLST Staffer

 

Growing up, my mother was an avid consumer of soap operas, which aired during the daily drought of day-time television. I never watched any soap opera closely, but I occasionally stopped in the living room while one was on and caught a glimpse of the whirling melodrama—after all, the characters were beautiful, handsome, and belonged to a realm of luxury far removed from my paltry existence. The story was always the same; it was always about banal, dynastic feuding, resulting in predictable and outrageous tragedies. But never once did I think that the content of a soap opera was accurate, not in the sense of being based on a true story, but in the sense of being as realistic as a story written by Ernest Hemingway about fishing for marlin in the Gulf Stream. My perception of the quality of soap opera writing changed when I was introduced to the melodramatic world of telecommunication corporations, their acquisitions, and anti-trust law, through its latest garish episode: AT&T’s bid for Time Warner.

 

The latest episode of this soap opera involves players as glamorous, foolish, rich, and powerful as any soap opera cast. A takeover of Time Warner by AT&T would create America’s sixth largest firm by pre-tax profits; the Department of Justice has expressed its disapproval of the star-crossed lovers’ plans to elope. Some important socialites in ermine fur have hinted, with winks, that the DoJ is motivated by the Donald’s hatred for CNN, a channel owned by Time Warner. Others belonging to the grapevine scoff at the match, deriding it as unsophisticated and gauche; after all, the marriage will cost over $100 billion, return on capital is egregiously low, and attempting to increase returns by forcing Time Warner content on AT&T consumers would irritate the ever-watchful and puritanical anti-trust regulators.

So, the plot thickens: is the corporate tryst motivated by an intent to commit some dirty illegality? Well, the DoJ was suspicious and nosy enough to file a suit seeking to block the acquisition. The suit claims that after the acquisition, AT&T would be situated to force rivals to pay hundreds of millions of dollars more per year for Time Warner content, and that the new formidable couple would dampen technological innovation. But is the DoJ being disingenuous? Perhaps it is motivated more by priggishness, or, maybe, political vengeance, than by a concern to foster competition. Remember, this acquisition is vertical integration rather than horizontal integration; there can be good, healthy reasons for vertical integration. One way in which vertical integration can be efficient is through gaining economies of scale, when average total cost decreases with increasing output; the surplus from economies of scale may outweigh the social costs caused by imperfect competition. Another advantage of vertical integration is the correction of market governance failures: integration allows firms to internalize the costs that arise from strategic and opportunistic behavior. Has the DoJ seriously considered all the consequences of the acquisition? One anonymous attorney general claimed that the DoJ has not been forthcoming with any economic analysis helpful to deciding whether to sue. Stay tuned to see the end of this Great American Corporate Love Story. Other juicy details include AT&T’s retention of one of Trump’s former lawyers and its plan to use Trump’s tweets about CNN (including an edited wrestling video showing Trump punching a man whose head is replaced by the CNN logo) in the litigation.


Initial Coin Offerings: Buyer Beware

Kevin Cunningham, MJLST Staffer

 

Initial Coin Offerings, also known as ICOs or token sales, have become a new trend for startup companies raising capital using cryptocurrency and blockchain technology. ICOs are conducted online, where purchasers use virtual currencies, like bitcoin or ether, or a fiat currency, like the U.S. dollar, to pay for a new virtual coin or token created by the company looking to raise money. Promoters usually tell purchasers that the capital raised from the sales will be used to fund development of a digital platform, software, or other project, and that the newly created virtual coin may be used to access the platform, use the software, or otherwise participate in the project. The companies that issue ICOs typically promote the offering through their own websites or through various online blockchain and virtual currency forums. Some initial sellers may lead buyers of the virtual coins to expect a return on their investment or to participate in a share of the returns provided by the project. After the coins or tokens are issued, they may be resold to others in a secondary market.

 

Depending on the circumstances of each ICO, the virtual coins or tokens that are offered or sold may be considered securities. If they are classifiable as securities, the offer and sale of the coins or tokens are subject to the federal securities laws. In July 2017, the Securities and Exchange Commission (SEC) issued a Report of Investigation under Section 21(a) of the Securities Exchange Act of 1934 stressing that any ICO that meets the definition of a security in the United States is required to comply with the federal securities laws, regardless of whether the securities are purchased with virtual currencies or distributed with blockchain technology.

 

Since the SEC issued its July Report regarding ICOs, the Commission has charged two companies with defrauding investors. In the pair of ICOs purportedly backed by investments in real estate and diamonds, the SEC alleged that the owner of the companies, Maksim Zaslavskiy, sold unregistered securities. In one instance, the SEC alleges that, despite representations to investors of Diamond Reserve Club, Zaslavskiy had not purchased any diamonds nor engaged in any business operations.

 

Issues with Initial Coin Offerings continue, as the Tezos Foundation was hit with its second class action over its ICO after a contributor alleged breaches of securities laws. The two cases have been filed in the California Superior Court in San Francisco and the United States District Court in Florida. The Tezos ICO raised over $232 million just months ago, and plaintiffs in the suit say that they have not received the promised tokens. Infighting amongst the owners of the company has led to a significant setback in the venture, which aims to create a computerized network for transactions using blockchain technology. The lawsuit alleges that contributors to the fundraiser were not told that it could take more than three years for the Foundation to acquire the company that holds the project’s source code, a time frame the plaintiffs say was a material fact that should have been disclosed to investors.

 

It is likely that many issuers of virtual coins and tokens will have a hard time convincing the SEC and other regulators that their coins are merely utilities rather than securities. For many of the firms, including Diamond Reserve Club, the problem is that the tokens they are selling for the projects only exist on paper, and so they have no function other than to bring in money. Likewise, most investors currently buy tokens not for their utility, but because they are betting on an increase in the value of the virtual currency. It seems that this issue will not be resolved quickly, and heightened regulatory scrutiny is likely to follow the continuing claims against ICOs by companies like Tezos.


The Electric Vehicle: A Microcosm for America’s Problem with Innovation

Zach Sibley, MJLST Staffer

 

Last year, former U.S. Patent and Trademark Office Director, David Kappos, criticized a series of changes in patent legislation and case law for weakening innovation protections and driving technology investments towards China. Since then it has become apparent that America’s problem with innovation runs deeper than just the strength of U.S. patent rights. State and federal policies toward new industries also appear to be trending against domestic innovation. One illustrative example is the electric vehicle (EV).

 

EVs offer better technological upsides than their internal combustion engine vehicle (ICEV) counterparts. Most notably, as our US grid system moves toward “smart” infrastructure that leverages the Internet of Things, EVs can interact with the grid and assist in maximizing the efficiency of its infrastructure in ways not possible with ICEVs. Additionally, with clean air and emission targets imminent—like those in the Clean Air Act or in more stringent state legislation—EVs offer the most immediate impact in reducing mobile source air pollutants, especially in a sector that recently became the highest carbon dioxide emitter. And finally, EVs present electrical utilities that are facing a “death spiral” an opportunity to recover profits by increasing electricity demand.   

 

Recent state and federal policy changes, however, may hinder the efforts of EV innovators. Eighteen state legislatures have enacted EV fees (including Wisconsin’s recent adoption and the fee in Oklahoma that was later overturned) ranging from $50 to $300. Proponents claim the fee creates parity between traditional ICEV drivers and EV drivers who do not pay the fuel taxes that fund maintenance of transportation infrastructure. Recent findings, though, suggest EV drivers in some states with the fee were already paying more upfront in taxes than their ICEV road-mates. The fee also only creates parity when one focuses solely on the wear and tear all vehicles cause on shared road infrastructure. The calculus for these fees neglects that EV and ICEV drivers also share the same air, yet no corresponding tax charges ICEV drivers for their share of the wear and tear on air quality.

 

At the federal level, changes in administrative policy are poised to exacerbate the problem further. The freshly proposed GOP tax bill includes a provision to repeal the $7,500 federal tax credit that has made lower-cost EVs a more affordable option for middle class drivers. This change should be contrasted with foreign efforts, such as those in the European Union to increase CO2 reduction targets and offer credits for EV purchases. The contrast can be summed up in one commentator’s observation that The New York Times reported, within the span of a few days, on the U.S. EPA’s rollback of the Clean Power Plan and then on General Motors moving toward a fully electric lineup in response to the Chinese government. The latter story harkens back to Kappos’ comments at the beginning of this post, where again a changing U.S. legal and regulatory landscape is driving innovation elsewhere.

 

It is a basic tenet of economics that incentives matter. Even in a state with a robust EV presence like California, critics question the wisdom of assessing fees and repealing incentives this early in a nascent industry offering a promising technological future. The U.S. used to be great because it was the world’s gold standard for innovation: the first light bulb, the first car, the first airplane, the first to the moon, and the first personal computers (to name a few). Our laws need to continue to reflect our innovative identity. Hopefully, with legislation like the STRONGER Patents Act of 2017 and a series of state EV incentives on the horizon, we can return to our great innovative roots.


Made in China: How IP Theft Became a Norm in China

Tiffany Saez, MJLST Staffer

 

While discussions regarding North Korea and trade have comprised much of President Trump’s tour of Asia thus far, the President has yet to arrive in China, the third stop of the tour. This has left many speculating as to what will result from the President’s visit to Beijing, perhaps because Trump advocated a stronger stance against China during his campaign but has taken no significant action with respect to China’s economic policies during his presidency.

 

In light of the President’s visit, however, some are already urging him to crack down on China’s human rights violations. Others are asking President Trump to confront China about North Korea’s nuclear threats. China’s rampant intellectual property theft is one issue that has long been overlooked by political agendas but deserves more attention. IP theft by China continues to present a serious threat to the US economy. Annual costs currently exceed $225 billion in counterfeit goods, pirated software, and theft of trade secrets; this figure is expected to reach $600 billion.

 

Chinese IP theft has slowly made its way into the spotlight following the release of the HiPhone in 2008. The HiPhone is a cheap Chinese knock-off of Apple’s iPhone. The HiPhone was just the beginning of a series of IP disputes between China and both American and European businesses. Many businesses have accused Chinese nationals of illegally reproducing their creations and then misleading consumers into thinking that they are purchasing authentic products.

 

With a weak IP regime that has done little to curb a growing copycat culture among Chinese businesses and individuals alike, it is no wonder that China has become the leading country for IP theft. The Chinese intellectual property and manufacturing policies in place are largely to blame for the increase in IP theft.

 

Boasting a population of 1.38 billion, China has become one of the world’s largest markets for companies looking to expand their marketplace. The country is not only full of potential consumers but has also demonstrated its ability as a manufacturing powerhouse. Doing business in China, however, has proven to be rather problematic, since a stake in one of China’s industries often entails a trade-off in terms of technology. That is because foreign firms that wish to do business in one of China’s industries are required to enter into joint ventures with local partners or share their technologies with the state’s regulatory agencies. Such partnerships often lead to IP theft by Chinese companies.

 

The United States’ intellectual property disputes with China represent only a fraction of a much larger debate over IP rights in the global context. Proponents of IP rights insist that stronger rights are needed to foster innovation and encourage individuals to participate in research and development by ensuring they will be economically rewarded for their contributions. Meanwhile, critics of stronger IP rights argue that such rights favor wealthier countries over developing ones. Even so, US companies such as Apple and IBM, who are often the first to be impacted by Chinese IP theft, are hoping that the Trump administration will capitalize on the trip to Beijing and finally take stronger measures against China’s lax IP laws.


Prevalence of Robot-Assisted Surgery Illustrates the Negatives of Fee-For-Service Systems

Jacob Barnyard, MJLST Staffer

 

In 2000, the Food and Drug Administration approved the use of the da Vinci Surgical System, a robot designed to help surgeons perform minimally invasive surgeries. The system consists of multiple arms carrying a camera and surgical instruments, controlled by a nearby surgeon through a specialized console.

While few would dispute the cool factor of this technology, its actual benefits are significantly less clear. Researchers have conducted multiple studies to determine how the system affects patient outcomes, with results varying based on the type of procedure. One finding has been fairly consistent, however: unsurprisingly, costs associated with the use of robots are significantly higher.

The use of the da Vinci Surgical System has increased enormously since its initial release, even in surgeries with little or no evidence of any benefit. A rational consumer, however, would try to maximize expected utility by only undergoing robotically-assisted surgery if the expected benefits for that particular surgery outweighed the expected increase in cost. A possible explanation for part of the growing popularity of this technology may be the prevalence of fee-for-service models in the U.S. healthcare system.  

In a fee-for-service model, each service provider involved in a patient’s care charges separately and charges for each service provided. As a result, these providers have an incentive to perform as many different services as possible, frequently providing unnecessary care. The consumer has little reason to care about these increased costs because they are often paid by insurance companies. Consequently, when a surgeon suggests the use of the da Vinci Surgical System, the patient has no incentive to research whether the system actually provides any benefits for the surgery they are undergoing.

A proposed alternative to the fee-for-service model is a system using bundled payments. Under this system, a provider charges one lump sum for its services and divides it between each party involved in providing the care. This eliminates the incentive to provide unnecessary care, as that would only increase the provider’s costs without increasing revenue. Robots would theoretically only be used in surgeries where they actually provide a net benefit. A potential drawback, however, is a decrease in potentially helpful services in an effort to cut costs. Currently, though, the available evidence suggests that this is not an issue in practice, and that some performance indicators may actually improve.

The Affordable Care Act included incentives to adopt the bundled payment system, but fee-for-service is still vastly more common in the United States. While bundled payments have been shown to lead to a modest decrease in healthcare costs, many physicians are unsurprisingly opposed to the idea. Consequently, change to a bundled payment system on a meaningful scale is unlikely to occur under the incentive structure created by current laws.


Tax Software: Where Automation Falls Short

Kirk Johnson, MJLST Staffer

 

With the rise of automated legal technologies, sometimes we assume that any electronic automation is good. Unfortunately, that doesn’t translate so well for extremely complicated fields such as tax. This post will highlight the flaws in automated tax software and hopefully make the average taxpayer think twice before putting all of their faith in the hands of a program.

Last tax season, the Internal Revenue Service (“IRS”) awarded its Volunteer Income Tax Assistance (“VITA”) and Tax Counseling for the Elderly (“TCE”) contract to the tax software TaxSlayer. For many low income taxpayers using these services, TaxSlayer turned out to be a double-edged sword. The software failed to account for the Affordable Care Act’s tax penalty for uninsured individuals, resulting in a myriad of incorrect returns. The burden was then thrust upon the taxpayers to file amended returns, if they were even aware they were affected by the miscalculations. This is hardly the first time a major tax preparation software has miscalculated returns.

American taxpayers, I ask you this: at what point does the headache of filing your own 1040, or the heartache of paying a CPA to prepare your return for you, outweigh the risks associated with automated tax preparation services? The answer ultimately depends on the complication of your tax life, but the answer is a resounding “maybe.” The National Society of Accountants surveyed the market and found that the average cost of a 1040 without itemized deductions is $176 (up from $152 in 2014), while the preparation of a 1040 with itemized deductions and an accompanying state tax return costs $273 (up from $261 in 2014). Taxpayers making less than $64,000 per year can use a free version of a service like TurboTax or H&R Block (enjoy reading the terms of service to find additional state filing fees, the cost of unsupported forms, and more!). Taxpayers making less than $54,000, or 60 years or older, can take advantage of the VITA program, a volunteer tax preparation service funded by the IRS. Filing your own 1040: priceless.

When a return is miscalculated, it’s up to the taxpayer to file an amended return, lest the IRS fix your return for you, penalize you, charge you interest on the outstanding balance, and withhold future refunds to pay off the outstanding debt. I assume that for many people using software, your intention is to avoid the hassle of doing your own math and reading through IRS publications on a Friday night. Most software will let you amend your return online, but only for the current tax year. Any older debt will need to be taken care of manually or with the assistance of a preparer.

VITA may seem like a great option for anyone under their income limits. Taxpayers with children can often take advantage of refundable credits that VITA volunteers are very experienced with. However, the Treasury Inspector General reported that only 39% of returns filed by VITA volunteers in 2011 were accurate. Even more fun, the current software the volunteers are using enjoyed three data breaches in the 2016 filing season. While the IRS is one of the leading providers of welfare in the United States (feeling more generous some years than they ought to be), the low income taxpayer may have more luck preparing their own returns.

Your friendly neighborhood CPA hopefully understands IRS publications, circulars, and revenue rulings better than the average tax software. Take this anecdotal story from CBS: TurboTax cost one taxpayer $111.90 and produced $3,491 in federal and state refunds, for a net of $3,379.10. Her friendly neighborhood CPA charged a hefty $400 but found $3,831 in federal and state refunds, for a net of $3,431. Again, not everyone is in the same tax position as this taxpayer, but the fact of the matter is that tax automation doesn’t always provide a cheaper, more convenient solution than the alternative. Your CPA should be able to interpret doubtful areas of tax law much more effectively than an automated program.

Filing yourself is great… provided, of course, you don’t trigger any audit-prone elements in IRS exams. You also get to enjoy a 57% accuracy rate at the IRS help center. Perhaps you enjoy reading the fabled IRS Publication 17 – a 293 page treatise filled with Treasury-favored tax positions or out-of-date advice. However, if you’re like many taxpayers in the United States, it might make sense to fill out a very simple 1040 with the standard deduction yourself. It’s free, and as long as you don’t take any outrageous tax positions, you may end up saving yourself the headache of dealing with an amended return from malfunctioning software.

My fellow taxpayers that read an entire post about tax preparation in November, I salute you. There is no simple answer when it comes to tax returns; however, in extremely complex legal realms like tax, automation isn’t necessarily the most convenient option. I look forward to furrowing my brow with you all this April to complete one of the most convoluted forms our government has to offer.


United States v. Microsoft Corp.: A Chance for SCOTUS to Address the Scope of the Stored Communications Act

Maya Digre, MJLST Staffer

 

On October 16th, 2017 the United States Supreme Court granted the Federal Government’s petition for certiorari in United States v. Microsoft Corp. The case is about a warrant issued to Microsoft that ordered it to seize and produce the contents of a customer’s e-mail account that the government believed was being used in furtherance of narcotics trafficking. Microsoft produced the non-content information that was stored in the U.S., but moved to quash the warrant with respect to the information that was stored abroad in Ireland. Microsoft claimed that the only way to access the information was through the Dublin data center, even though this data center could also be accessed by their database management program located at some of their U.S. locations.

 

The U.S. District Court for the Southern District of New York held Microsoft in civil contempt for not complying with the warrant. The Second Circuit reversed, stating that “Neither explicitly nor implicitly does the statute envision the application of its warrant provision overseas” and that “the application of the Act that the government proposes – interpreting ‘warrant’ to require a service provider to retrieve material from beyond the borders of the United States – would require us to disregard the presumption against extraterritoriality.” The court used traditional tools of statutory interpretation, including plain meaning, the presumption against extraterritoriality, and legislative history.

 

The issue in the case, according to SCOTUSblog, is “whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.” Essentially, the dispute centers on the scope of the Stored Communications Act (“SCA”) with respect to information that is stored abroad. The larger issue is the tension between international privacy laws and the absolute nature of warrants issued in the United States. According to the New York Times, “the case is part of a broader clash between the technology industry and the federal government in the digital age.”

 

I think that the broader issue is something that the Supreme Court should address. However, I am not certain that this is the best case for the court. The fact that Microsoft can access the information from data centers in the United States with their database management program seems to weaken their claim. The case may be stronger for companies who cannot access information that they store abroad from within the United States. Regardless of this weakness, the Supreme Court should rule in favor of the State to preserve the force of warrants of this nature. It was Microsoft’s choice to store the information abroad, and I don’t think the choices of companies should impede legitimate crime-fighting goals of the government. Additionally, if the Court ruled that the warrant does not reach information that is stored abroad, this may incentivize companies to keep their information out of the reach of a U.S. warrant by storing it abroad. This is not a favorable policy choice for the Supreme Court to make; the justices should rule in favor of the government.


Unfortunately, the Court will not get to make a ruling on this case after Microsoft decided to drop it following the DOJ’s agreement to change its policy.


Microsoft Triumphs in Fight to Notify Users of Government Data Requests

Brandy Hough, MJLST Staffer


This week, Microsoft announced it will drop its secrecy order lawsuit against the U.S. government after the Deputy U.S. Attorney General issued a binding policy limiting the use and term of protective orders issued pursuant to 18 U.S.C. §2705(b) of the Electronic Communications Privacy Act of 1986 (“ECPA”), also referred to as the Stored Communications Act (“SCA”).


The ECPA governs requests to obtain user records and information from electronic service providers. “Under the SCA, the government may compel the disclosure of . . . information via subpoena, a court order under 18 U.S.C. § 2703(d), or a search warrant.” Pursuant to 18 U.S.C. § 2705(b), a government entity may apply for an order preventing a provider from notifying its user of the existence of the warrant, subpoena, or court order. Such an order is to be granted only if “there is reason to believe” that such notification will result in (1) endangering an individual’s life or physical safety; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of witnesses; or (5) seriously jeopardizing an investigation or delaying a trial.


Microsoft’s April 2016 lawsuit stemmed from what it viewed as routine overuse of protective orders accompanying government requests for user data under the ECPA, often without fixed end dates. Microsoft alleged both First and Fourth Amendment violations, arguing that “its customers have a right to know when the government obtains a warrant to read their emails, and . . . Microsoft has a right to tell them.” Many technology leaders, including Apple, Amazon, and Twitter, signed amicus briefs in support of Microsoft’s efforts.


The Deputy Attorney General’s October 19th memo states that “[e]ach §2705(b) order should have an appropriate factual basis and each order should extend only as long as necessary to satisfy the government’s interest.” It further outlines steps that prosecutors applying for §2705(b) orders must follow, including one that states “[b]arring exceptional circumstances, prosecutors filing § 2705(b) applications may only seek to delay notice for one year or less.” The guidelines apply prospectively to applications seeking protective orders filed on or after November 18, 2017.


Microsoft isn’t sitting back to celebrate its success; instead, it is continuing its efforts outside the courtroom, pushing for Congress to amend the ECPA to address secrecy orders.


Had the case progressed without these changes, the court should have ruled in favor of Microsoft. Because of the way § 2705(b) of the SCA was written, it allowed the government to exploit the “vague legal standards . . . to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand.” This behavior violated both the First Amendment – by restraining Microsoft’s speech based on “purely subjective criteria” rather than requiring the government to “establish that the continuing restraint on speech is narrowly tailored to promote a compelling interest” – and the Fourth Amendment – by not allowing users to know if the government searches and seizes their cloud-based property, in contrast to the way Fourth Amendment rights are afforded to information stored in a person’s home or business. The court therefore should have declared, as Microsoft urged, that § 2705(b) was “unconstitutional on its face.”

“Gaydar” Highlights the Need for Cognizant Facial Recognition Policy

Ellen Levish, MJLST Staffer


Recently, two Stanford researchers made a frightening claim: computers can use facial recognition algorithms to identify people as gay or straight.


An MJLST blog post tackled facial recognition issues back in 2012. Then, Rebecca Boxhorn posited that we shouldn’t worry too much, because “it is easy to overstate the danger” of emerging technology. In the wake of the “gaydar,” we should re-evaluate that position.


First, a little background. Facial recognition, like fingerprint recognition, relies on matching a subject to given standards. An algorithm measures points on a test face, compares them to a standard face, and determines whether the test face is a close fit to the standard. The algorithm matches thousands of points on test pictures to reference points on standards. These test points include those you’d expect: nose width, eyebrow shape, intraocular distance. But the software also quantifies many “aspects of the face we don’t have words for.” In the case of the Stanford “gaydar,” researchers modified existing facial recognition software and used dating profile pictures as their standards. They fed in test pictures, also from dating profiles, and waited.


Recognizing patterns in these measurements, the Stanford study’s software determined if a test face was more like a standard “gay” or “straight” face. The model was accurate up to 91 percent of the time. That is higher than just chance, and far beyond human ability.


The Economist first broke the story on this study. As expected, it gained traction. Hyperbolic headlines littered tech blogs and magazines. And of course, when the dust settled, the “gaydar” scare wasn’t that straightforward. The “gaydar” algorithm was simple, the study was a draft posted online, and the results, though astounding, left a lot of room for both statistical and socio-political criticism. The researchers stated that their primary purpose in pursuing this inquiry was to “raise the alarm” about the dangers of facial recognition technology.


Facial recognition has become much more commonplace in recent years. Governments worldwide openly employ it for security purposes. Apple and Facebook both “recognize individuals in the videos you take” and the pictures you post online. Samsung allows smartphone users to unlock their device with a selfie. The Walt Disney Company, too, owns a huge database of facial recognition technology, which it uses (among other things) to determine how much you’ll laugh at movies. These current, commercial uses seem at worst benign and at best helpful. But the Stanford “gaydar” highlights the insidious, Orwellian nature of “function creep,” which policy makers need to keep an eye on.


Function creep “is the phenomenon by which a technology designed for a limited purpose may gain additional, unanticipated purposes or functions.” And it poses a major ethical problem for the use of facial recognition software. No doubt inspired developers will create new and enterprising means of analyzing people. No doubt most of these means will continue to be benign and commercial. But we must admit: classification based on appearance and/or affect is ripe for unintended consequences. The dystopian train of thought is easy to follow. It compels us to consider normative questions about facial recognition technology.


Who should be allowed to use facial recognition technologies? When are they allowed to use it? Under what conditions can users of facial technology store, share, and sell information?


The goal should be to keep facial recognition technology from doing harm. America has a disturbing dearth of regulation designed to protect citizens from ne’er-do-wells who have access to this technology. We should change that.


These normative questions can guide our future policy on the subject. At the very least, they should help us start thinking about cogent guidelines for the future use of facial recognition technology. The “gaydar” might not be cause for immediate alarm, but its implications are certainly worth a second thought. I’d recommend thinking on this sooner, rather than later.