Legal Docket - The limits of online privacy protections

MARY REICHARD, HOST: It’s The World and Everything in It for this 20th day of September, 2021. We’re so glad you’ve joined us today. Good morning! I’m Mary Reichard.

NICK EICHER, HOST: And I’m Nick Eicher. It’s time for Legal Docket.

Today, where your personal data and the law intersect.

Lots of electronic devices create and store personal data—especially personal fitness tracking devices, products like the Fitbit. It measures steps, heart rate, activity, sleep, and more.

Lots of different parties covet this kind of information, including law enforcement. Police can use data on your personal trackers to investigate crimes, like this one from 2018, that led to an indictment:

AUDIO: When police took a closer look at the Fitbit tracker Navarra wore on her left wrist. Investigators say it showed her heart rate spiked at 3:20pm on September 8, and stopped a few minutes later, right before her stepfather left the house.

REICHARD: Solving crime is an upside to using digital footprints, if used lawfully.

Then there’s cybercrime, one of the downsides.

AUDIO: Lockbit Ransomware isn’t a new technique we’ve seen from cybercriminals but it is making a surge here lately this past summer and it doesn’t seem to be slowing down...143 million people were affected by the Equifax data breach

The law hasn’t kept up with rapidly changing technology.

The U.S. Supreme Court has dealt with the problem in a piecemeal manner. Let’s go back to 2014 during oral argument in a case called Riley v. California. Let’s listen to the now retired Justice Anthony Kennedy.

KENNEDY: I don't think it's odd to say that we're living in a—in a new world...someone arrested for a minor crime has their whole existence exposed on this little device. From your argument, you want us just to adopt a categorical rule; it's in the custody of the police, they can search it. Do you have any limiting principles that we should consider at all as a fallback position?

EICHER: The justices in that case agreed to this limiting principle: that, during an arrest, police must get a warrant before searching the digital contents of a cell phone.

So that decision drew some boundaries around law enforcement and privacy rights.

REICHARD: It did, but I wanted to find out the general lay of the land beyond that.

Kurt Opsahl is general counsel of the Electronic Frontier Foundation. It’s a nonprofit dedicated to defending civil liberties in the digital age.

First, Opsahl echoed Justice Kennedy:

OPSAHL: Basically, your life is online at this point. For most people, they are using email or using cloud storage, they have a smartphone that is connected constantly telling what they're, everything from like, what they should pick up at the grocery store to when their appointments are. We've moved into an age in which so much of our lives are intertwined with the internet.

That “intertwining” is what makes drawing boundaries so difficult. But one way is by consent. What about my consent to use or not use my personal data?

OPSAHL: Well, for everything that you're using, there probably was a privacy policy and a terms of service that have explained some things about how that data will be used. And if you tried to read each and every one of them before you used any given service online, you would spend your entire day reading privacy policies and Terms of Service and never actually using the products….But it's also beyond the capabilities of most people to really sort of keep track of all the possible information that can be collected and how it will be used. And a lot of that information, if it's stored online, might be a target for somebody who wants to have information for use.

Opsahl pointed to ECPA—that’s an acronym that stands for the Electronic Communications Privacy Act, enacted back in the 1980s. Information stored online is somewhat protected by that law. Police can get that information with appropriate legal procedures: subpoenas, warrants, under EPCA with a court order, for example.

But when the law can’t keep up with technology, absurdities result.

OPSAHL: One of the issues with ECPA is that at the time, most people were downloading their email onto their computer and then taking it off of the server. And so the law had a notion in it that if you left your email on a server for 180 days, then you obviously didn't care about it. And they reduced the requirement for law enforcement to be able to access that information. And then you know, while you have things like Gmail comes about 20 years later, and everybody is keeping their email on a web mail server indefinitely. So this six months rule makes absolutely no sense for what ordinary people are doing.

One problem Opsahl sees is a lack of political will to put in more safeguards, as well as big tech trying to weaken proposed privacy protections that are made.

OPSAHL: In addition, there are some other investigative tools like a national security letter, can be also used to get certain subscriber information. And that can be issued by the FBI for National Security Investigations even more easily than a subpoena. And it comes with an automatic gag order. One which we believe is unconstitutional. But it puts an automatic gag on the recipient to not tell people that they received it. For foreign intelligence investigations, they can go to use the Foreign Intelligence Surveillance Act, go to a special secret court that meets inside an electronically shielded room. The public is not allowed, and get an order to get information concerning foreign intelligence. So there's a lot of different ways that the government may seek information.

Opsahl sees some reform trickling in.

OPSAHL: At this point, all the major service providers say that we will insist on warrants for content nationwide. So I think that issue, I think, has been greatly helped over the last 30 years by service providers pushing back, courts agreeing, so I'm using this as an example of a long time battle. But it would still be good to have some reform.

The COVID-19 era ushered in more privacy concerns. Contact tracing apps created by different states, for example, that send you a notification if it’s likely you’ve been exposed to COVID.

OPSAHL: It ended up being that there was a system that was proposed and fairly widely adopted from Apple and Google working together, that would use a pretty secure Bluetooth notification system, which would not reveal people's identities. But there still for a while a number of states who wanted to have ones which would do location tracking and give a whole bunch of information collected in the name of exposure notifications. Also seen some of the controversies around things like vaccine passports, where people who show proof of vaccine, then sometimes were involved in more things than just whether or not you had a vaccine or additional information that might be revealed.

This is an area of the law very much in flux. It leaves individuals vulnerable as technology rapidly changes and the terms and conditions for use remain unreasonably difficult to ascertain.

OPSAHL: So you want to be able to take advantage of the technology, and not lose all of your privacy while doing so….Because you kind of need both. You want to make sure that the best protection you can have for your information is either that it wasn't collected in the first place; if it was collected, it wasn't stored; and if it was stored, it was encrypted, where you have the key. So actually strengthening encryption is something we care a lot about, and it is a good defense to a lot of potential data leaks.

During my research, I read about the “right to be forgotten.” That is, the right to have private information removed from Internet searches. The European Union, Argentina, and the Philippines have put this into practice, in certain situations.

OPSAHL: So the right to be forgotten, and there's sort of a related concept of the right to erasure. It has some challenging aspects to it. There are instances in which the Europeans' right to be forgotten was used to suppress information. So if a politician had some embarrassing things from the past that they didn't want the public to find out about before the vote, they would try to use the right to be forgotten to remove stories about their prior scandals and things like that. And that that really comes up against freedom of expression. In the form of the people who want to say things about scandals in the past, for the public to receive that information, so they can make an informed choice.

The notion of a right to erasure has come up. If you give information to somebody say, you know, Facebook, the right to erasure will be like this, go back to them and say, "you know, what, I'm removing my consent, please remove all of my data." And that is not quite being forgotten, which is to say that like to try and get it so that there is no mention of this anywhere, but rather, that the information that you provided can be taken back.

Opsahl says change is what we need: privacy by design, with protections baked in so that the average person need not make it a full time job just to protect his or her own privacy.

And that’s this week’s Legal Docket.

WORLD Radio transcripts are created on a rush deadline. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of WORLD Radio programming is the audio record.