Microsoft vs. the USA/DOJ

The Complaint: pdf; 17 pages (April 14, 2016)

Statement of Microsoft’s President and Chief Legal Officer (Brad Smith): Keeping Secrecy the Exception, Not the Rule: An Issue for Both Consumers and Businesses (April 14, 2016)

News Report: Microsoft Sues Justice Department to Protest Electronic Gag Order Statute (April 14, 2016) – New York Times

Legal Analysis:

A New Lawsuit from Microsoft: No More Gag Orders! (April 14, 2016) – law professor Jennifer Daskal at JustSecurity

Why Microsoft’s Fight with the Government Should Overshadow Apple’s – the Electronic Frontier Foundation and Two Law Professors Explain Its Significance (April 15, 2016) – Inverse

Related: House Panel’s Bill Strengthens Privacy for Older Emails – New York Times

04/24/2016: 

EU Deal on New Data Protection Rules

Press Release from the European Commission

EU Directive (pdf – 106 pages – of the “Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”)

EU Regulation (pdf – 209 pages – of the consolidated text of the draft General Data Protection Regulation to replace 1995 Directive)

News Reports:

EU Strikes Deal on Data Protection Rules; Agreement is the Biggest Overhaul of European Privacy Laws in Two Decades – Politico

Europe Approves Tough New Data Protection Rules – New York Times

EU Officials Reach Agreement on Text of New Privacy Law; Deal on EU Privacy Law Caps Four Years of Haggling, Lobbying – Wall Street Journal

Reaction:

Ten Implications of the New EU General Data Protection Regulation – Daniel Solove at his TeachPrivacy

People Aren’t Happy with Europe’s Tough New Rules for Data Protection – Business Insider

New EU Privacy Rule Could Cost U.S. Firms Billions – USA Today

12/16/2015: 

EU Court of Justice Safe Harbor Ruling (link round-up)

The Judgment of the Court of Justice of the European Union (October 6, 2015)

Press Release of the Court of Justice of the European Union

Interview (Wall Street Journal) with the new President of the European Court of Justice

News Reports:

Data Transfer Pact Between U.S. and Europe Is Ruled Invalid – New York Times

This Privacy Activist Has Just won an Enormous Victory Against U.S. surveillance – Here’s How – Washington Post

Layperson Explainer:

US and EU in Data Privacy Clash: What You Need to Know – CNBC

Subsequent Developments – What Now?

Privacy Watchdogs Give EU, US Three Months to Negotiate New Safe Harbor Deal If There’s No New Deal by the End of January, National Data Protection Authorities Threaten Coordinated Legal Action Against Offending Companies – PCWorld

Europe’s Top Digital-Privacy Watchdog Zeros In on U.S. Tech Giants – New York Times

U.S. Tech Firms Look To Data Centers on European Soil – Wall Street Journal

Plaintiff Max Schrems:

Tech Companies Like Facebook Not Above the Law, Says Max Schrems; Austrian Student Who Took on Facebook over Data Privacy in the European Court of Justice and Won Says the Fightback is Just Beginning – The Guardian

First Thoughts on Decision C-362/14 – Max Schrems at Europe v. Facebook; Also see more Max Schrems reaction and background (pdf)

Big Tech Reaction:

The Collapse of the US-EU Safe Harbor: Solving the New Privacy Rubik’s Cube – Microsoft President and Chief Legal Officer, Brad Smith

Eric Schmidt Thinks a Ruling by Europe’s Top Court Threatens ‘One of the Greatest Achievements of Humanity’ – Business Insider

Other Reaction and Analysis:

Here’s How the Facebook Case has Just Transformed the Surveillance Debate – Washington Post

No Safe Harbor: How NSA Spying Undermined U.S. Tech and Europeans’ Privacy – EFF

Behind the European Privacy Ruling That’s Confounding Silicon Valley – New York Times

Fallout From EU-US Safe Harbor Ruling will be Dramatic and Far-Reaching; Clever Ruling by the Court of Justice will be Almost Impossible to Circumvent – ArsTechnica

Schrems v. Data Protection Commissioner – Some Inconvenient Truths The European Court of Justice Ignores and Surveillance Reform Is Only Hope for Reviving Safe Harbor – both by Timothy Edgar at LawFare

Adding Some Nuance on the European Court’s Safe Harbor Decision – Megan Graham at LawFare

Europe’s Top Court Goes Off the Rails – Richard Epstein at Politico

The Party’s Over: EU Data Protection Law after the Schrems Safe Harbour Judgment – EULaw.Analysis

My FT Oped on the Safe Harbor Fallout – Evgeny Morozov

Europe Has to Rebuild Its Safe Harbor – BloombergView Editorial Board

Enacting ECPA Reforms Will Help Resolve the US-EU Safe Harbor Negotiations – The Hill

10/20/2015: 

CalECPA Enactment

Text of CalECPA (California Electronic Communications Privacy Act) as signed into law by Governor Brown

News Story: California Requires Warrant To Search Electronic Communications – National Law Review

Reaction to Enactment:

California Now Has the Nation’s Best Digital Privacy Law – Kim Zetter at Wired

California Cops, Want to Use a Stingray? Get a Warrant, Governor Says – ArsTechnica

Background on CalECPA: EFF’s CalECPA information page

Background on ECPA Reform (federal): ECPA Reform: A Primer – Andrew K. Woods in JustSecurity

10/14/2015: 

President Obama on Surveillance, Cybersecurity and Related Matters


Re/code’s Kara Swisher interviews the President at Stanford University on February 13th (25 minute video).

00:20    Cybersecurity breaches
04:17    U.S. offensive capabilities
06:22    U.S. cybercommand
08:02    Government relationship with Silicon Valley
10:51    Encryption and Backdoors
15:24    Privacy and Data Ownership
18:13    Immigration, STEM, diversity, loss of U.S. tech leadership
23:22    President’s personal tech habits

But:

President Obama’s Cyber Pitch Misses Mark in Silicon Valley – The Hill

What President Obama is Getting Wrong about Encryption – The Washington Post

The Problem with Privacy Policies

“Today’s privacy policies don’t tell consumers the whole story for two main reasons. First, websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines. The vaguer and more elastic their language, the more risk reduced. Second, over the past ten years, a new industry of ‘data brokerage’ has arisen to help sites learn more about the people like you and me on the other side of the screen . . . Gathering and analyzing that data is big business, and it creates a strong financial incentive for the firms that collect it to make it as difficult as possible for you to opt out of their net.” – Why Privacy Policies Are So Inscrutable – The Atlantic

Related: The Potemkinism of Privacy Pragmatism – Civil Liberties are Too Important to be Left to the Technologists – Slate

09/16/2014: 

More Morozov

“A robust privacy debate should ask who needs our data and why, while proposing institutional arrangements for resisting the path offered by Silicon Valley. Instead of bickering over interpretations of Facebook’s privacy policy as if it were the US constitution, why not ask how our sense of who we are is shaped by algorithms, databases and apps, which extend political, commercial and state efforts to make us – as the dystopian Radiohead song has it – ‘fitter, happier, more productive’? This question stands outside the privacy debate, which, in the hands of legal academics, is disconnected from broader political and economic issues. The intellectual ping pong over privacy between corporate counsels and legal academics moonlighting as radicals always avoids the most basic question: why build the ‘private spaces’ celebrated by Mr Zuckerberg if our freedom to behave there as we wish – and not as companies or states nudge us to – is so limited?” — from Evgeny Morozov’s OpEd in the Financial Times

08/11/2014: 

A Fundamental Problem with the NSA’s Domestic Bulk Data Collection

NSA = J. Edgar Hoover On SteroidsThe Big Picture:

“With a few hundred cable probes and computerized decryption, the NSA can now capture the kind of gritty details of private life that J. Edgar Hoover so treasured and provide the sort of comprehensive coverage of populations once epitomized by secret police like East Germany’s Stasi. And yet, such comparisons only go so far. After all . . . . J. Edgar Hoover still only knew about the inner-workings of the elite in one city: Washington, D.C. To gain the same intimate detail for an entire country, the Stasi had to employ one police informer for every six East Germans — an unsustainable allocation of human resources. By contrast, the marriage of the NSA’s technology to the Internet’s data hubs now allows the agency’s 37,000 employees a similarly close coverage of the entire globe with just one operative for every 200,000 people on the planet. In the Obama years, the first signs have appeared that NSA surveillance will use the information gathered to traffic in scandal, much as Hoover’s FBI once did.”

Read the whole thing. Domestic bulk data collected by the NSA conveys immense power on those with access to this information and will be prone to political (and financial) abuse. History demonstrates that the lure of such data for improper purposes likely will be irresistible. Hoover stayed in office for decades, aided in large part by the information the the FBI had collected on politicians of the day. Imagine what could be done with the data collected by the NSA.

07/16/2014: 

The Latest on the EU’s “Right to Be Forgotten”

“[T]he incongruity of having Google – or any private party, for that matter – as a decision maker about rights. To place Google in that role is to diminish Europe’s sovereign power, not enhance it, even if the role is compelled by European authorities. It turns a rights problem into a customer service issue, and one that Google and others in its position no doubt rightly disdain. If Google can process 70,000 requests, so can and should the data protection authorities. And not every public decision needs the full, lawyer-heavy trial format to be sufficient to the cause – any more than Google is using it now. This would place decisions about rights in the public sphere where they belong, and limit the scope to the sovereign’s jurisdiction, so a European decision would still not affect use beyond the relevant country-specific Google portals.”

Professor Zittrain also puts forward the sensible proposal that redactions pursuant to the “right to be forgotten” be limited in duration, with claimants required to pursue renewals – after all, information not relevant today for public policy purposes could become so tomorrow.

“[T]he European court found that people have the right to ask for information to be removed from search results that include their names if it is ‘inadequate, irrelevant or no longer relevant, or excessive’. In deciding what to remove search engines must also have regard to the public interest. These are, of course, very vague and subjective tests . . . [W]e obviously respect the court’s authority and are doing our very best to comply quickly and responsibly. It’s a huge task, as we’ve had over 70,000 take-down requests covering 250,000 web pages since May. So we now have a team of people reviewing each application individually, in most cases with limited information and almost no context . . . When it comes to determining what’s in the public interest, we’re taking into account a number of factors. These include whether the information relates to a politician, celebrity or other public figure; if the material comes from a reputable news source, and how recent it is; whether it involves political speech; questions of professional conduct that might be relevant to consumers; the involvement of criminal convictions that are not yet ‘spent’; and if the information is being published by a government. But these will always be difficult and debatable judgments.”

“The issue with the ECJ judgement isn’t European privacy law, or the response by Google. The real problem is the impossibility of an accountable, transparent, and effective censorship regime in the digital age, and the inevitable collateral damage borne of any attempt to create one, even from the best intentions. The ECJ could have formulated a decision that would have placed Google under the jurisdiction of the EU’s data protection law, and protected the free speech rights of publishers. Instead, the court has created a vague and unappealable model, where Internet intermediaries must censor their own references to publicly available information in the name of privacy, with little guidance or obligation to balance the needs of free expression. That won’t work in keeping that information private, and will make matters worse in the global battle against state censorship.”

Get a Warrant: Supreme Court Rules on Cell Phone Searches Incident to Arrest

Chief Justice Roberts, writing for a unanimous Supreme Court in Riley v. California, 573 U. S. ____ (2014), held today that the police generally may not, in the absence of a warrant, search digital information on a cellphone seized from an individual under arrest:

“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life’ . . . . The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple— get a warrant.”

This decision calls into serious question the constitutionality of the NSA’s bulk data collection and will likely impact other areas as well, such as cases involving access to cloud-based data and the third-party doctrine.

More:

In Riley v. California, a Unanimous Supreme Court Sets out Fourth Amendment for Digital AgeSCOTUSblog

The Supreme Court Brings the Fourth Amendment into the 21st Century – Law Professor Glenn Harlan Reynolds in Popular Mechanics

Why the Supreme Court May Finally Protect Your Privacy in the CloudWired

06/25/2014: