Press Releases: June 2017
Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a troubling ruling that allows police to obtain—without a warrant—location data from people’s cell phones to track them in real time.
EFF, joined by the Center for Democracy & Technology and the Constitution Project, filed a brief today asking the nation’s highest court to review the decision in U.S. v. Rios, a drug trafficking case. The court should accept the case for review and make clear that the Fourth Amendment requires a warrant for real-time location tracking—whether the tracking occurs via a GPS device on your car or the collection of location data generated by cell phones or other Internet-connected devices.
Protecting the highly personal location data stored on or generated by digital devices is one of the 21st century’s most important privacy issues. We carry our cell phones everywhere, and the location data they generate can be used to create a precise and comprehensive record of our everyday movements, such as when we visit the doctor, attend a protest, take a trip, meet with friends, or return home. Law enforcement officials are increasingly requesting cell phone location data from telecommunications providers to track down suspects, and courts have issued conflicting opinions about whether those demands require a warrant.
“The government should not be allowed to turn a cell phone into a real-time tracking device without complying with the Fourth Amendment,” said EFF Staff Attorney Andrew Crocker. “The Supreme Court has already ruled that Fourth Amendment protections apply when law enforcement secretly places a GPS device on a car. Tracking cell phones is even more invasive because people carry their phones with them at all times, revealing information about their whereabouts that couldn’t be learned by following their cars. We’re asking the Supreme Court to clarify that tracking people as they move from public spaces into private areas, such as their homes or the homes of others, is an invasion of privacy that, at a minimum, requires a warrant.”
In Rios, the police did get a warrant to track the defendant’s cell phone in real time, but last year the U.S. Circuit Court of Appeals for the Sixth Circuit said a warrant wasn't needed. The appeals court based its ruling on a flawed 2012 decision it reached in an unrelated drug trafficking case, in which it found that there’s no privacy protections for this data because people “voluntarily” carry cell phones with them. In both cases, the court ignored the privacy expectations of millions of innocent people for whom using a cell phone is not “voluntary,” but rather a necessity.
These decisions also contradict a Florida Supreme Court ruling—in a case that also involved tracking a suspect’s phone in public—that people have an expectation of privacy under the Fourth Amendment in cell phone location records.
“The Sixth Circuit got it wrong in 2012, and it was wrong to import that faulty ruling to the Rios case. But in the meantime, the Florida Supreme Court got it right. That means that depending on where you are in the country, you may or may not have constitutional protection against warrantless cell phone tracking. It’s time for the Supreme Court to step in and clarify that the Fourth Amendment prohibits warrantless real-time cell phone tracking,” said EFF Senior Staff Attorney Jennifer Lynch.
For the brief:
San Francisco, California—The Electronic Frontier Foundation (EFF) sued the Justice Department today to obtain records that can shed light on whether the FBI is complying with a Congressional mandate that it periodically review and lift National Security Letter (NSL) gag orders that are no longer needed.
The FBI has issued as many as 500,000 NSLs since 2003. Despite Congress requiring the FBI in 2015 to review and terminate unwarranted gag orders, only a handful of companies and individuals have publicly disclosed receiving an NSL after being notified the FBI terminated the gag orders.
NSLs are secret FBI demands to phone companies and Internet service providers for data about their customers’ communications and online activity. The letters are not subject to any meaningful oversight or court review and almost always come with a gag order. Companies receiving the letters are barred from telling customers their data is being sought and banned from publicly acknowledging or otherwise discussing the letters, potentially indefinitely.
Following a ruling in EFF’s lawsuit that NSL gags are unconstitutional, Congress enacted reforms in 2015 that require the bureau to review NSLs to determine whether the gag orders are still necessary, and terminate those that are not. The FBI established procedures under which a record keeping system generates reminders—when an NSL investigation closes or reaches the three-year anniversary of its initiation—that the gag order should be reviewed for possible termination.
EFF sent a FOIA request to the FBI in September seeking records about the number of NSLs reviewed under these procedures, the number of reminders generated, the number of termination notices sent to NSL recipients, and how long it takes for a review to begin after a reminder is generated. In March the FBI said it had no such records. In a complaint filed today in San Francisco, EFF asked a court to order the FBI to disclose the requested records.
“Unilateral, indefinite NSL gag orders violate the First Amendment rights of individuals and companies to speak out about government surveillance and inform customers about FBI demands for their data. The bureau’s procedures for lifting gag orders that are no longer needed do not fully address these constitutional concerns. Nevertheless, the public has an interest in knowing whether these procedures are being followed, and our FOIA request seeks to shed light on if the FBI is doing so,” said Andrew Crocker, EFF Staff Attorney.
“We would have expected the FBI to respond to our FOIA request with records about the gag orders that we know have been lifted. The FBI’s response that it has no such records raises serious questions about whether the bureau is following Congress’ command to review NSL gag orders,” said Aaron Mackey, EFF Frank Stanton Legal Fellow. “Gagging NSL recipients indefinitely is a draconian and overzealous use of surveillance power that prevents discussion and debate about government spying tools.”
For the complaint:
For more about NSLs:
Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use.
In an amicus brief filed with today, EFF urged the court to weigh in on a case in which an individual was charged with violating the Computer Fraud and Abuse Act (CFAA), a law intended to criminalize breaking into computers to access or alter data. Under the CFAA, it’s illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the law doesn’t tell us what “without authorization” means.
Some courts have recognized that the CFAA must be interpreted narrowly to stay true to Congress’s intent of targeting crooks breaking into and stealing data from computers. These courts agreed that the CFAA mustn’t be used against, say, employees checking sports scores at work in violation of rules restricting Internet use at work to company business, or against people who shared their Facebook passwords, in violation of Facebook’s terms of service rules.
But other courts—including the U.S. Court of Appeals for the Ninth Circuit in its 2016 U.S. v. Nosal decision—have broadly interpreted the statute to cover using a computer in a way that violates corporate policies, preferences, and expectations. In the case, David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA after other ex-employees acting on his behalf accessed Korn/Ferry’s proprietary database using legitimate credentials of a current company employee. The current employee knew of and authorized the use of her credentials, which was against Korn/Ferry’s computer policies. The Ninth Circuit found that in using the shared password, Nosal accessed the database “without authorization.” The court said that implicit in the definition of “authorization” is the proposition that authorization can come only from a computer owner—here, Korn/Ferry—not an employee with legitimate access credentials.
There is nothing in the CFAA, or even in the dictionary, that defines “authorization” to mean only permission from a computer owner. The Ninth Circuit imported a corporate ban on password sharing into its definition of “without authorization.”
“This ruling threatens to turn millions of ordinary computer users into criminals,” said EFF Staff Attorney Jamie Williams. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a CFAA prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”
“EFF has long advocated for reforming the CFAA, which overzealous prosecutors have exploited in troubling ways,” said Williams. “The Supreme Court can do its part by reviewing the Ninth Circuit’s troubling decision and giving “authorization” an appropriately narrow definition, specifically clarifying that password sharing is not—and was never intended to be—a crime.”
For EFF’s brief:
For more on this case:
Los Angeles—On Tuesday, June 6, at 9:30 am, the Electronic Frontier Foundation (EFF) and the ACLU Foundation of Southern California will argue that license plate data, collected by police indiscriminately on millions of drivers each day, are not investigative records that police can shield from public scrutiny.
Automated License Plate Readers () are high-speed cameras mounted on light poles and police cars that continuously scan the plates of every passing car. They collect not only the license plate number but also the time, date, and location of each plate scanned, along with a photograph of the vehicle and sometimes its occupants. Police departments store this data for years. Location data like this, especially when stored over time, can reveal sensitive information about the history of a person’s movements, associations, and habits.
EFF submitted public records requests to Los Angeles law enforcement agencies asking for a week’s worth of data collected by the hundreds of ALPR cameras around the city and county of Los Angeles. When the agencies refused, EFF teamed up with ACLU to sue for access to the records. A lower court ruled all license plate data could be withheld from disclosure as “records of law enforcement investigations.”
EFF co-counsel Peter Bibring, director of police practices at the ACLU SoCal, will argue that ALPR data are not investigative records because they are collected indiscriminately on all drivers within view of the cameras—the vast majority of whom are innocent citizens going about their daily lives. The data should be released so the public can understand and scrutinize how this intrusive technology is used.
What: Hearing in ACLU of SoCal and EFF v. Superior Court of Los Angeles
When: Tuesday, June 6, 9:30 am
Where: California Supreme Court
Ronald Reagan State Office Building
300 South Spring Street, Third Floor, North Tower
Los Angeles, California
For more information on this case:
For more information on ALPRs: