There’s an adage that goes: “As goes California, so goes the nation.” In all fairness, that’s said about a lot of states, but we believe it is especially true for California, not only because the Golden State is bigger in population and GDP than most sovereign nations, but because so many technology companies are headquartered here. A new law in California can have nationwide, and potentially global, ramifications.
This year, EFF beefed up its advocacy in Sacramento with the aim of moving the needle forward on digital freedom in the California legislature. We assembled a team of internal activists and lawyers and hired an excellent lobbying duo—Samantha Corbin and Danielle Kando-Kaiser of Corbin and Kaiser. Now that we’re at the end of the legislative session, we can say with zero uncertainty that our mission was a success.
Last week, the governor signed three bills reining in heretofore unchecked electronic surveillance and another bill requiring new transparency measures on the local level. He also vetoed a bill that would’ve started embedding tracking chips in driver licenses.
Here’s a round-up of our legislative victories:
California now has what Wired has called the “nation’s best digital privacy law.”
The California Electronic Communications Privacy Act (CalECPA) ensures that when state law enforcement wants to search or obtain your digital records, such as email, or track your location through your device, they need to get a warrant first. Not only does the bill protect data on devices and in the cloud, it also means that California police will need to get a warrant before they can use an IMSI catcher (i.e. a “Stingray” or “Dirtbox”) to emulate a cell phone tower. Evidence obtained illegally under this law is inadmissible in court.
EFF, the ACLU, and the California Newspaper Publisher Association were original sponsors of the bill, which was championed by Sen. Mark Leno (D-San Francisco) and Sen. Joel Anderson (R-Alpine). We were joined by a long list of tech companies—such as Google, LinkedIn, Apple, and Twitter—as well as law professors, child advocates, community justice organizations, and a slew of newspaper editorial boards. The state’s major law enforcement associations withdrew their opposition to the bill, issuing positive statements about the balance between public safety and privacy, while the San Diego Police Officers Association endorsed it without reservation. Thousands of Californians sent emails to the governor demanding his signature on the bill, and tens of thousands more signed petitions, which the ACLU and EFF delivered to the governor’s office in the form of dot matrix print-outs.
Wired is right: California now leads the nation in digital privacy, which we hope will carry over to federal reforms.
S.B. 34 introduces a whole slew of accountability measures for public agencies and private companies that operate automated license plate recognition (ALPR) systems.
ALPR systems are networks of cameras that collect license plates of any car that passes. EFF has long been concerned about these mass surveillance systems because this information, in aggregate, can reveal sensitive information about drivers, including where they worship, what doctors they see, and where they sleep at night.
Here are some of the key provisions of the new law, which adds ALPR to the list of the types of information covered by the state’s data breach laws:
- ALPR operators are required to “maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.”
- The policies at a minimum must describe the purpose of the system, the retention policies for the data, and how data will be shared or sold. The policy must also explain who can access the system and the training requirements for accessing the system. The policies must further include how data will be protected and how the data will be ensured and errors will be corrected.
- You can sue an ALPR operator if a data breach or unauthorized access harms you.
Public agencies that use ALPR have further restrictions. For one, agencies must provide an opportunity for public comment before implementing an ALPR program. They also can’t sell or share ALPR data, except with other public agencies.
S.B. 741 applies principles similar to those of S.B. 34, but to “cellular communications interception technology,” such as IMSI catchers (a.k.a. "Stingrays" and "Dirtboxes"), including public disclosures about the use of this surveillance equipment. The new law says:
- A public agency that uses a cell site simulator must maintain adequate security measures to protect collected data from “unauthorized access, destruction, use, modification, or disclosure.”
- Local agencies must disclose the existence of agreements with other agencies regarding the IMSI catchers and help limit the use of non-disclosure agreements to hide how law enforcement uses this equipment.
- Local agencies, with the exception of sheriff departments, will not be able to obtain this equipment without approval of the legislative body and a public process. Sheriffs will need to at the very least provide public notice online of the acquisition of these devices.
- An individual harmed by violations of this law can sue the agency.
Under S.B. 249, the Department of Motor Vehicles would have begun issuing “Enhanced Driver Licenses” (EDLs), identity cards with an embedded RFID chip. The bill’s authors believed this would relieve congestion at the Mexican border, because it would allow the checkpoints to begin verifying your identity while you’re still queuing up in your vehicle. The RFID chip makes it possible for your identification number to be read up to 30 feet away.
EFF opposed this bill because RFID is an insecure technology that could reveal your identity and location to anyone with an RFID reader. As a meager security measure, the law would have required the DMV to hand out little protective envelopes, although research has shown these envelopes to be ineffective. At one point, the bill ensured that these EDLs were optional. However, at the last minute, legislators stripped out measures that would have protected civil liberties and privacy. The version that arrived on the governor’s desk would have allowed an employer to discriminate against employees who did not apply for EDLs.
Hundreds of members of the public sent emails to the legislature and governor opposing S.B. 249. Ultimately, Brown vetoed the bill with the message that EDLs are unnecessary, since there are already other options out there to ease border-crossing wait times.
Transparency measures had a hard time this legislative session. EFF supported S.B. 573, which would have created the state-level position of Chief Data Officer, who would have been charged with creating an open data hub and open data roadmap. Unfortunately, the bill died in committee.
However, another bill we supported, S.B. 272, made it to the governor’s desk and was signed. The new law requires local agencies to create catalogs of “enterprise systems” that store information and post this information to their websites. For each data system, the agencies must disclose the purpose of the system, what kind of data is stored in it, how often it is stored and updated, and the vendors offering the product. By doing so, we believe local agencies will allow for greater accountability and transparency regarding the types of information collected on members of the public.