Congress took action in 2015 to address privacy and transparency, but state legislatures emerged as the nation’s leaders for policy innovation. From Virginia to California, states adopted new policies to reclaim digital privacy, advance government transparency, and protect free expression. These new laws both protect residents of these states, and also provide models for other jurisdictions to emulate.
Over the course of 2015, EFF and our grassroots supporters helped secure a series of important victories for privacy and transparency in California and Virginia, while enduring a disappointing setback in Florida undermining privacy and freedom of expression.
California adopts groundbreaking protections for privacy, transparency
Our work was largely successful in California, where we helped secure three new laws to advance privacy and transparency in law enforcement, a fourth promoting transparency by other local agencies, and stopped two bills that, if successful, would have eroded anonymity.
Securing “the nation’s best digital privacy law”
One of California’s new laws, known as the California Electronic Communications Privacy Act (or CalECPA), was introduced as S.B. 178 by Sen. Mark Leno (D-San Francisco) alongside Republican Sen. Joel Anderson (R-Alpine). Described by Wired magazine as “the nation’s best digital privacy law,” CalECPA garnered broad support not only from privacy advocates like EFF, the ACLU, and the California Newspaper Publishers Association, but also technology companies from Google and Apple to LinkedIn and Twitter, and even the San Diego Police Officers Association.
By requiring police to obtain a warrant from a neutral judge in order to search stored communications like email in the cloud, CalECPA enshrines some of the nation's most protective privacy standards. It helps restrict otherwise arbitrary electronic surveillance, protecting both the content and location data of email and other digital communications.
Two other states—Maine and Utah—have adopted similarly broad digital privacy protections. Yet California’s decision represents a sea change because it is the home of both the technology and entertainment sectors, as well as the world’s seventh largest economy when compared to those of other countries. As my colleague Dave Maass recently wrote, “because so many technological companies are headquartered here…[a] new law in California can have nation-wide, and potentially global, ramifications.”
Promoting transparency and security in law enforcement surveillance
Two other new California laws restrict the uses of high-tech surveillance tools used by law enforcement authorities and private actors: S.B. 34 and S.B. 741 were introduced by Sen. Jerry Hill (D-San Mateo) and contain provisions imposing similar limits on two sets of surveillance methods.
- S.B. 34 addresses automated license plate recognition systems (ALPR), high-speed camera systems often mounted on police cars or light poles that capture an image and metadata such as time, date, and location whenever a license plate comes into view.
- S.B. 741 addresses IMSI catchers—commonly known by the brand “Stingray”—devices that mimic a cell phone tower in order to record data flowing through it.
Both of these surveillance tools subject entire communities to monitoring without the individual basis for suspicion required under the Fourth Amendment to justify law enforcement scrutiny.
The new laws impose parallel restrictions on local agencies using Stingrays, and also create restrictions on local agencies, state agencies, and private contractors using ALPRs. They require local agencies to publicly post a usage and privacy policy, and also adopt “reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards” to prevent potential data breaches. Finally, the new laws require law enforcement agencies seeking to use these tools to first disclose their plans and secure approval from local policymakers.
These measures create vital protections for privacy, transparency, and security. They also have teeth: both laws create rights of private action in the event of a data breach, placing members of the public in a position to represent the public interest. And because IMSI catchers like Stingrays monitor electronic communications, CalECPA also applies, requiring public agencies using them to secure a judicial warrant.
Stopping enhanced drivers licenses
In addition to EFF’s work in California addressing privacy and transparency to help restrain otherwise arbitrary law enforcement surveillance, we also championed both values in other contexts.
First, along with supporters from across the state, we helped stop S.B. 249, a problematic bill that would have allowed the California Department of Motor Vehicles to begin issuing to enhanced driver licenses (EDLs), ID cards with embedded Radio Frequency Identification (RFID) chips. Purportedly proposed to relieve congestion at the San Diego border crossing, the bill would have created enormous security and privacy risks, potentially allowing anyone with an RFID reader to discover the identities of drivers.
Despite proposals to protect privacy and civil liberties, such as a requirement that EDLs remain optional, the version of the bill ultimately passed by the legislature and vetoed by Gov. Jerry Brown would have allowed employers to discriminate against employees who declined to obtain an EDL.
Fighting the digital currency licensing scheme
Finally, EFF worked with allied organizations including Fight for the Future and Taskforce to mobilize public support against a hasty and vague measure that would have required licenses for “virtual currency businesses” that maintain “full custody or control of virtual currency in [California] on behalf of others.”
Meant to addresses digital currencies like Bitcoin, A.B. 1326 threatened to create an array of problems from invasive data collection in the context of the proposed licensing scheme to technical inaccuracies in the measure’s definition of covered services. Over a dozen companies and non-profit groups joined a coalition letter to state Senators noting “serious technical issues, due process concerns, and overbroad language,” pervading the proposal and urging them to “provide adequate time for informational hearings, testimony, and revisions to make this bill better for all Californians.”
While the concerted efforts of supporters from across the state held the line and kept the proposal from finding its way into law this year, we anticipate the issue returning in 2016. Let us know if you’re willing to take action where you live when it does.
Advancing government disclosure and transparency
While our California campaigns promoting privacy achieved enormous success, our work advancing transparency attained more mixed results.
On the one hand, we supported an unsuccessful proposal in S.B. 573 to create a Chief Data Officer (CDO) for the State of California. The CDO would have been authorized to create an open-data roadmap, open-data guidelines, an open-data working group, and a statewide open-data portal.
On the other hand, we also supported a successful measure, S.B. 272, that enhanced the California Public Records Act (CPRA) by requiring local agencies to create a publicly accessible catalog of their enterprise data systems and the vendors that supply them. Ensuring transparency into vendor relationships “is important for ensuring accountability in this age of outsourcing,” while the catalogs of enterprise data can help CPRA requestors find the public information they seek.
Virginia splits the difference
Reflecting a consensus across the ideological and partisan spectrum, Virginia policymakers passed no fewer than three bills reinforcing the right to privacy by restraining mass surveillance by local and state authorities. Two of them became law following the approval of Gov. Terry McAuliffe, who rejected the third.
Each of the bills addressed different ambient surveillance methods, despite the common concerns surrounding each of their uses. Reflecting that similarity, two measures reiterated the constitutional warrant requirement, which law enforcement agencies have widely circumvented by classifying surveillance as intelligence collection, rather than a search subject to Fourth Amendment protections.
McAuliffe approved H.B. 1408, a measure requiring state & local police to secure a judicial warrant prior to using IMSI cell site emulators like Stingrays. Virginia’s policy proved prescient, predating by nearly six months a similar policy at the federal level announced by the Justice Department in September.
Thanks to pressure from EFF supporters in Virginia, McAuliffe also signed into law H.B. 2125, which similarly requires police to obtain a warrant before using drone aircraft to conduct surveillance. It also ensures that evidence obtained by drones without a supporting warrant can not be introduced as evidence supporting a criminal prosecution. Finally, the measure prohibits the deployment of weaponized drones generally while permitting their use at two testing & training facilities.
In contrast, McAuliffe chose to veto H.B. 1673, which lawmakers passed to force police to purge after one week data collected from “any surveillance technology,” including tools deployed today and those that may emerge in the future. Gov. McAuliffe first sought to unilaterally narrow the bill to address only ALPR data, which co-sponsor Del. Chap Petersen (D-Fairfax) described as “essentially destroying the bill,” and “completely miss[ing] the point of the legislation.”
McAuliffe’s rejection of H.B. 1673 is especially striking because retention of ALPR data had already been unauthorized since 2013, when the state’s then-Attorney General, Ken Cuccinelli, concluded as the state’s chief prosecutor that existing state law did not support it. State legislators proposed the bill in 2015 only after news reports revealed that police departments were violating the rule by retaining ALPR data for years.
Despite McAuliffe’s veto of H.B. 1673, his approval of H.B. 1408 and H.B. 2125 established a mixed record for 2015. Virginia state legislators, in contrast, took assertive action by trying to include “any surveillance technology” among those limited by its reform legislation. Their concerns will likely re-emerge in 2016, suggesting opportunities for constituents to continue educating the Governor.
Florida steps back, undermining anonymity
In contrast to our work in Sacramento and Charlottesville, our efforts met with less success in Tallahassee. EFF marshaled supporters in Florida to challenge H.B. 271, the True Origin of Digital Goods Act (TODGA), only to watch the bill become law in spite of our efforts.
A proposal to undermine anonymity and freedom of expression in the guise of a “consumer protection” reform advancing the interests of major entertainment companies, TODGA requires any website or Internet service operator "dealing in substantial part in the electronic dissemination of commercial recordings or audiovisual works” to “disclose his or her true and correct name, physical address, and telephone number or e-mail address."
Modeled on similar laws that in other states have been used to justify police raids of music studios, the bill could be used to unmask even anonymous bloggers or musicians. TODGA also raises constitutional problems given its intrusion on the federal government’s authority to regulate interstate commerce.
We are disappointed that TODGA has become law in Florida, since it enhanced the enforcement powers of corporate copyright holders, while undermining both anonymity and freedom of expression. On the other hand, EFF’s work did soften the law’s harmful impacts by adding an exemption for websites and services that distribute the site owner’s own creative work.
Fighting for your rights wherever we can
With the help of concerned grassroots activists and organizers around the country, we plan to expand our reach to address more state legislatures in future legislative sessions.
Would you like to participate in campaigns coordinated through the EFF grassroots organizing network? Sign up for updates, and we’ll share invitations to events in your area, opportunities to connect with other organizers around the country addressing similar issues, and analysis of legislative proposals that present opportunities to defend or advance digital rights.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.