Today, TLPC student attorneys Nate Bartell, Elliott Browning, and Zachary DeFelice filed comments in the National Telecommunications and Information Administration’s new docket on consumer privacy on behalf of twenty-one privacy law scholars, led by Colorado Law Prof. Margot Kaminski.
(by Connor Boe, TLPC alum)
Data collection, analysis, and storage are cheaper and more reliable than ever before. This advancement in technology is constantly improving public services, specifically services dedicated to emergency response. The adoption of new technologies to increase the amount and diversity of information that public safety entities have access to during an emergency response is called Next Generation 911 (NG911). In an NG911 world, the proliferation of data when responding to emergencies will inevitably increase in size and scope. Though the receipt, processing, analysis, and storage of more data in emergency responses will be beneficial for public safety, it may also create complexities for the existing statutory and regulatory obligations these entities have. Specifically, these systems have the potential to complicate state open records law compliance, privacy and data protection obligations, and chain-of-custody rules of evidence. Policy makers, emergency services, and vendors of these services need to consider the legal implications before deploying NG911 systems and not after the fact.
The benefits and drawbacks of adopting NG911 systems are far-reaching. The architecture choices local governments make have the potential to rewrite the public safety answering points' relationship with the general public and public safety entities. Advocates and practitioners need to understand that after data is collected by the government in response to an emergency, the information that they collect will be highly scrutinized by the communities they serve. These NG911 data management systems need to strike a balance between public safety, personal privacy, the rule of law, and government transparency that is acceptable to all the stakeholders in the community.
Working with several 911 stakeholders, the TLPC drafted and is pleased to release the attached white paper, which discusses how the architecture of NG911 systems will impact existing legal obligations and the opportunities that local governments will have when adopting these systems.
(by Kristine Roach, Colorado Law 2L)
The right to erasure, colloquially known as the right to be forgotten, has been adopted by the EU General Data Protection Regulation (GDPR). It gives individuals the right to have their personal data erased:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
However, the right is not absolute and the requestee can refuse to erase data of the requestor for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research, or statistical purposes; or
- the exercise or defense of legal claims.
(by Jordan Demo, Colorado Law 2L)
The recent Equifax breach affecting approximately 143 million people has left many to call for justice—but justice for whom? After-the-fact investigations have tended to focus on whether the targeted entities took sufficient or reasonable measures to protect their systems. But what is the process for bringing attackers to justice? How are attackers who take the personal information of companies and individuals held accountable? What can be done to help deter this kind of behavior?
(by Susan Miller, Colorado Law 2L)
A cyberattack on Equifax, a consumer credit reporting agency, was announced last week. The breach was especially problematic for a variety of reasons:
- Equifax’s job is to gather and maintain sensitive personal information. Yet it learned of the breach in July but failed to inform the public of the breach until September, taking more than two months to give consumers notice of the breach.
- The breach put the personal information of 143 million Americans, nearly one-third of the entire population, at risk. This personal information includes names, social security numbers, birth dates, addresses, driver’s license numbers, and in some cases, credit card numbers.
- Three Equifax executives sold their stock only days after the company learned of the attack and before the public was notified.
Equifax is offering free credit monitoring and, thanks to angry consumers, waived fees for setting up credit freezes through Equifax.
(by Angel Antkers, Colorado Law 2L)
Can you imagine a complete invasion of your privacy? Nude images intended only for a significant other’s eyes can be leaked online, as Robert Kardashian did earlier this year with pictures of his ex-fiancée Blac Chyna. Several other celebrities have had their own intimate images hacked and shown online.
Revenge porn is not the only form of online harassment. Online figures, such as game developers Brianna Wu and Zoe Quinn and media critic Anita Sarkeesian, have been targeted during the Gamergate controversy with posts containing personal information, like their social security numbers and addresses, and even threats of assault, rape, and murder. These types of threads have even included the threat of a mass shooting at a university, which prevented Sarkeesian from delivering a presentation, as well as threats that forced Sarkeesian to flee her own home. Although the FBI opened an investigation regarding the Gamergate threats against Wu and Sarkeesian, it was eventually closed.
(By Gabrielle Daley, Colorado Law 2L)
NASA scientist and U.S. citizen Sidd Bikkannavar flew back into the United States on January 30th, 2017 and was detained by U.S. customs and border patrol agents. Mr. Bikkannavar was detained upon his arrival at the Houston airport by agents who stated the reason for the detention was to ensure that he was not bringing anything dangerous into the country. However, the agents never searched Mr. Bikkannavar’s luggage. Instead, he was handed a document entitled “Inspection of Electronic Devices” and asked for his cell phone and cell phone password.
Mr. Bikkannavar was reluctant to hand over the phone because it belonged to his employer, the NASA Jet Propulsion Laboratories. However, agents insisted on access to the phone and password, and eventually Mr. Bikkannavar gave an agent both. The agent then left the room with the device. Mr. Bikkannavar has no idea what the agent did with the phone outside of his presence, but in a Tweet last week confirmed that JPL is running digital forensics on the phone to try and determine what may have been taken—or left—on the phone.
(by Zachary Goldberg, Colorado Law 2L)
Apparently Yahoo waited two full months to disclose to its customers the largest consumer data breach in history, which Yahoo officials claim went undetected for two full years.
On September 22, 2016, Yahoo officials announced that 500 million of its customers’ email accounts were hacked in 2014. The Yahoo security team believes that “state-sponsored hackers” somehow managed to penetrate Yahoo’s system to target its email users’ identifying information, passwords, and security question responses. At this stage in their investigation, Yahoo officials have not indicated precisely when they discovered the breach, and they know neither specific details as to who orchestrated it, nor how they gained access to Yahoo’s email system.
(By Sean Doran, Colorado Law 3L)
Both major political parties in the United States currently gather and aggregate massive amounts of data on American voters. Over the last several election cycles, with the advent of advanced data analytics and advances in data storage and processing, campaigns have gained the ability to learn and track a surprising amount of data about voters. This creates a level of precision that allows campaigns to build advanced models for identifying and targeting individual voters to receive (or not receive) individual messages (microtargeting). Parties are building “political dossiers” on American voters which are some of the largest, unregulated aggregations of personal data that currently exist.
(by Colter Donahue, Colorado Law 3L)
Should government agencies possess, compel, or sponsor hacking and backdoors? A backdoor is a method of bypassing the normal authentication system of a website, messaging service, or other means of electronic communications.
Privacy and encryption advocates point out that the tools created or vulnerabilities exploited by backdoors pose a privacy risk. The vulnerabilities are not limited to exploitation by U.S. agencies like the FBI and NSA; bad actors and other nations can use them too. Hacking tools don’t always stay secret; once exposed, potential damage may be measured on a global scale. But what happens when law enforcement needs access for investigatory purposes? The following post will look at a recent example and the balance of competing interests.