Tag Archives: privacy

The Supreme Court recognizes privacy right to cell phone location history.

On May 22, 2018, the U.S. Supreme Court issued an important decision extending the Fourth Amendment right against unlawful search and seizure into the digital age. In Thomas Ivory Carpenter v. United States, the Court sided with the privacy rights of cellphone users over law enforcement using private tracking data compiled and saved by cell phone companies. At issue was whether the Fourth Amendment required law enforcement to obtain a warrant before accessing cell phone location history from cell phone service providers.

The Supreme Court recognized the importance and prominence of cell phones in an individual’s daily life and the right to privacy of the sensitive information generated by the cell phone’s use.

The Court stated that there are 396 million cell phone service accounts in the United States for a Nation of 326 million people. Cell phones perform their wide and growing variety of functions by connecting to a set of radio antennas called “cell sites” mounted on towers, light posts, flagpoles, church steeples, or the sides of buildings. Cell sites typically have several directional antennas that divide the covered area into sectors. Cell phones continuously scan their environment looking for the best signal, which generally comes from the closest cell site. Cell phones, smartphones, tablets, and other devices tap into the wireless network several times a minute whenever their signal is on. Each time the smart device connects to a cell site, it generates a time-stamped record known as cell-site location information (CSLI). Wireless carriers collect and store CSLI for their own business purposes, including finding weak spots in their network and applying “roaming” charges when another carrier routes data through their cell sites. In addition, wireless carriers often sell aggregated location records to data brokers, without individual identifying information. Carriers retained CSLI for the start and end of incoming calls, text messages and routine data connections. Accordingly, modern cell phones generate increasingly vast amounts of increasingly precise CSLI.

In December of 2010, there was a series of robberies of cell phones, ironically, in Michigan and Ohio. Several cell phone stores were robbed of their cell phones at gunpoint. Eventually, the FBI arrested four men suspected of the robberies. One of the men confessed and provided names and cell phone numbers of accomplices including the petitioner, Timothy Carpenter.

Prosecutors applied for court orders under the Stored Communications Act (“SCA”) to obtain cell phone records for Carpenter and several other suspects. The SCA permits the Government to compel the disclosure of certain telecommunications records when it “offers specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.” The SCA stops short of requiring that prosecutors demonstrate probable cause, which is necessary to obtain a warrant.

Federal Magistrate Judges issued two orders directing Carpenter’s wireless carriers to disclose the CSLI for Carpenter’s telephone at call origination and at call termination for incoming and outgoing calls during the four-month period when the string of robberies occurred.

Law enforcement was able to track Carpenter’s locations and connect Carpenter to the crimes by obtaining more than 100 days’ worth of his smartphone location data records without a warrant. The location data records placed his phone in over 12,000 locations including when he was at church and whether or not he spent the night at home.

Before his trial, Carpenter argued that obtaining the records constituted a Fourth Amendment search, and therefore the police should have needed a warrant. His motion was denied, and the Sixth Circuit Court of Appeals later upheld the case.

The Supreme Court reversed and remanded with Chief Justice Roberts providing the deciding vote and writing the majority opinion.

The Court held that the acquisition of Carpenter’s CSLI records was a Fourth Amendment search. The Fourth Amendment protects not only property interests but certain expectations of privacy as well. Thus, when an individual “seeks to preserve some thing as private,” and his expectation of privacy is “one that society is prepared to recognize as reasonable,” official intrusion into that sphere generally qualifies as a search and requires a warrant supported by probable cause.

The Court further held that the digital data at issue, personal location information maintained by a third party, does not fit neatly under existing precedents but lies at the intersection of two lines of cases. One set of cases addresses a person’s expectation of privacy in his physical location and movements. The other set of cases addresses a person’s expectation of privacy in information voluntarily turned over to third parties.

The third-party doctrine, as first set forth in United States v. Miller, 425 U. S. 435 (no expectation of privacy in financial records held by a bank), and Smith v. Maryland, 442 U. S. 735 (no expectation of privacy in records of dialed telephone numbers conveyed to telephone company) holds that information customers voluntarily provide to a third party is outside the bounds of Fourth Amendment protections and, therefore, law enforcement does not need a warrant in order to access that information.

The Supreme Court stated that the third-party doctrine partly does not apply given “the nature of the particular documents sought” and “legitimate ‘expectation of privacy’ concerning their contents.” The Supreme Court cited prior case law where the court had already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements. Additionally, the Supreme Court recognized that in many ways CSLI is not voluntarily provided by the cell phone users but automatically obtained when the cell phone is used in some form.

The Supreme Court found the Government did not obtain a warrant supported by probable cause before acquiring Carpenter’s cell-site records. It acquired those records pursuant to a court order under the SCA, which required the Government to show “reasonable grounds” for believing that the records were “relevant and material to an ongoing investigation” which falls well short of the probable cause required for a warrant.

Filed under Constitutional Law, Uncategorized

Stick with Security: FTC Providing Insights on Data Security Practices

As part of its ongoing efforts to help businesses ensure they are taking reasonable steps to protect and secure consumer data, the Federal Trade Commission (FTC) is publishing a series of blog posts using hypothetical examples based on lessons from closed investigations, FTC law enforcement actions, and questions from businesses. These new posts will build on the FTC’s Start with Security guide for businesses.

FTC Acting Chairman Maureen K. Ohlhausen pledged earlier this year to be more transparent about the lessons learned from the FTC’s closed data security investigations and to provide additional information for businesses about practices that contribute to reasonable data security, culminating in this “Stick with Security” Initiative.

In the first blog post published July 21, 2017, the FTC highlights some of the themes that have emerged from an examination of closed FTC data security investigations. For example, while news reports might call attention to a data breach, they might not focus on the fact that the company that suffered the breach had encrypted the data, which substantially reduces the risk of consumer injury (and legal liability). Another lesson gleaned is that security researchers’ valuable work can alert us to new vulnerabilities, but sometimes the risk of a vulnerability being exploited to cause consumer injury is more theoretical than likely. Another key lesson is that in almost every closed case, the entities involved used the same common-sense security fundamentals outlined in the FTC’s Start with Security guide for businesses.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

New FTC Website Helps Small Businesses Avoid Scams and Cyber Attacks

Attacks can be especially devastating to small businesses; FTC provides information on how businesses can protect themselves

At the direction of Acting Chairman Maureen Ohlhausen, the Federal Trade Commission (FTC) has launched a new website – ftc.gov/SmallBusiness – with articles, videos, and other information aimed at helping small business owners avoid scams and protect their computers and networks from cyberattacks and other threats.

“Small businesses are critical to our economic strength, building America’s future, and helping the United States compete in today’s global marketplace,” Acting Chairman Ohlhausen said. “This innovative new website is a one-stop shop where small businesses can find information to protect themselves from scammers and hackers, as well as resources they can use if they are hit with a cyberattack.”

According to the U.S. Small Business Administration (SBA), there are more than 28 million small businesses nationwide, employing nearly 57 million people. Scammers frequently target small businesses with deceptive tactics designed to get them to pay for supplies they didn’t order, donate to fake charities or trick them into giving access to their network or downloading malware that can corrupt their business’s computers.

Cyberattacks can be particularly devastating to small businesses, and many of them lack the resources that larger companies have to devote to cybersecurity. Symantec Corp.’s 2016 Internet Security Threat Report indicates the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.

The FTC’s new web page offers specific information to help small businesses protect their networks and their customer data. This includes a new Small Business Computer Security Basics guide, which shares computer security basics to help companies protect their files and devices, train employees to think twice before sharing the business’s account information, and keep their wireless network protected, as well as how to respond to a data breach. It also has information on other cyber threats such as ransomware and phishing schemes targeting small businesses. The FTC is continuing to work with the SBA on additional ways to help small businesses.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy, News & Events

Protecting Personal Information: A Guide for Business

The Federal Trade Commission (FTC) has published an updated version of its Protecting Personal Information: A Guide for Business.

A sound data security plan is built on 5 key principles:

  1. TAKE STOCK. Know what personal information you have in your files and on your computers.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras

Device-maker’s alleged failures to reasonably secure software created malware risks and other vulnerabilities

The Federal Trade Commission (FTC) filed a complaint today against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

In a complaint filed in the Northern District of California, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

The complaint filed today is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

These tips can help you secure your router:

  • Before you buy or replace a device, do research online. Use search engines to find reviews, but be skeptical about the source of the information. Is it from an impartial security expert, a consumer, or the company itself?
  • Download the latest security updates. To be secure and effective, update the software that comes with your device. Check the manufacturer’s website regularly for new software and updates.
  • Change your pre-set passwords. Change the device’s default password to something more complex and secure.

There are additional steps you can take to help keep your IP camera secure.

The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.

The Commission vote authorizing the staff to file the complaint against D-Link Corporation and California-based D-Link Systems, Inc. was 2-1, with Commissioner Maureen K. Ohlhausen voting no. The complaint was filed in the U.S. District Court for the Northern District of California.

NOTE: The FTC files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by a federal district court judge.

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

ASUS Settles FTC Charges Routers Put Consumers’ Privacy At Risk

ASUSTeK Computer, Inc. (ASUS) has agreed to settle Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information on the internet. If you have an ASUS router at home, perhaps it is time for an upgrade.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

For instance, according to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge.  A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that  hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices.

The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers.  In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates.  For example, according to the complaint, the router’s software update tool – which allowed consumers to check for new router software – often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).  The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.

This matter is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they provide to consumers.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 24, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Filed under Business Law, Computer Law, Consumer Advocacy

Identity Theft Assistance

Identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the Federal Trade Commission’s IdentityTheft.gov website.

The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved.
The upgraded site offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS, among others.

“Millions of Americans have been victims of identity theft, and until now, there has not been a single site where they can quickly file an official complaint and then get real, personalized help,” said FTC Chairwoman Edith Ramirez. “The FTC’s new IdentityTheft.gov website empowers consumers to fight back faster and more effectively against identity thieves.”

“Identitytheft.gov is a vital resource as identity theft has reached epidemic levels,” said Illinois Attorney General Lisa Madigan. “As most Americans know, we live in an age when it’s not a matter of if, but when you will become a victim of identity theft. The FTC’s website is a great place for consumers to go for practical and personalized help to recover from the financial mess created by identity theft.”

“Local law enforcement is often the first place identity theft victims turn for help,” said Mary Gavin, Chief of Police for Falls Church, VA, and an Executive Committee member of the International Association of Chiefs of Police. “IdentityTheft.gov will be a powerful tool to help police assist victims, and the information victims report to the FTC can help law enforcers build cases.”

In 2015, the FTC received over 490,000 consumer complaints about identity theft, representing a 47 percent increase over the prior year, and the Department of Justice estimates that 17.6 million Americans were victims of identity theft in 2014.

When a consumer initiates a response plan through IdentityTheft.gov, the site will automatically generate affidavits and pre-fill letters and forms to be sent to credit bureaus, businesses, police, debt collectors and the IRS. Should a consumer’s recovery run into issues, the site will suggest alternative approaches. Once a consumer completes their initial report on the site, they will receive follow up e-mails and can return to their personalized plan online to continue the recovery process.

IdentityTheft.gov is also available in Spanish at RobodeIdentidad.gov, and allows Spanish-speaking consumers to view the automatically generated letters and other documents in Spanish, but print them in English for sending to the relevant recipients.

Filed under Business Law, Computer Law, Consumer Advocacy