InsideSources

At a privacy forum hosted by the American Enterprise Institute on Wednesday, the Department of Justice’s Chief Privacy Officer Peter Winn pushed back on the idea of “individual control” in a federal privacy law.

Winn launched the forum by stating, “Privacy is not about giving individuals complete control over their personal information in all contexts. Some people think we need a privacy law like the one in the EU. I disagree.”

Furthermore, he added, sweeping privacy laws like the EU’s GDPR “often have consequences they go far beyond their intended purposes and end up impacting core public safety initiatives,” specifically referencing concerns regarding the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN now allows cookies, internet domain names and IP addresses, to be obscured in order to comply with GDPR because these data points can be used to identify an individual and are now classified as “personal information.” Opponents of GDPR argue this hinders law enforcement from tracking down cybercriminals.

From Winn’s perspective, a privacy law that grants the consumer total control over his or her data conflicts with the needs of law enforcement officials trying to ensure public safety.

He’s not the only one to draw attention to this point. Last fall, a group of cybersecurity firms filed comments with the National Technology and Information Administration (NTIA) stating that sometimes companies compromise their customers’ privacy for the sake of security, by sharing data with other companies after a cyberattack to better mitigate future cyberattacks.

“This is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework,” the Cybersecurity Coalition wrote in the filing. “By necessity, some of this data can be linked to individuals or specific devices, thereby potentially falling under common definitions of ‘personal information.’ For example, phishing, a highly prevalent and effective attack vector used to steal sensitive data, is based on spoofed emails and identities. To detect and avoid suspected phishing attempts, cybersecurity service providers may process such personal information including the email address, purported identity, and the IP address associated with the origination of the phishing email.”

Winn also said stakeholders should play a central role in any privacy law discussion, but did not mention consumer advocates or consumer protection.

“Understanding the democratic process in the U.S. is also important to understanding how privacy policies work — all the major stakeholders have weighed in, and there at least needs to be a substantial consensus among them and at least a clear understanding of why the privacy standards are needed before a bill can become law,” he said.

If stakeholders can agree on privacy standards, he argued, then they’re more likely to comply. Consumer advocates frequently point out that Congress should consider consumer perspectives when discussing privacy legislation, as any privacy law will directly impact consumers as well as stakeholders.

“Some bemoan the fact that the American democratic process requires greater buy-in from the people who will actually have to comply with the laws we enact, but a requirement of more buy-in for a proposed law upfront results in a greater level of compliance when it becomes law,” he said. “Compliance has a lot to do with trust.”

The Electronic Frontier Foundation (EFF) points out in a blog post that listening to stakeholders alone enables them to push ideas and legislative efforts that benefit them, but may not be good for consumers.

“The testimony and responses from industry representatives [are] predictable: lip service to the idea of strong federal consumer privacy legislation, but few specifics on what those protections should actually look like,” the EFF’s Legislative Analyst India McKinney and Research Associate Gennie Gebhart wrote. “These witnesses also continue to advocate for unwritten, vague federal preemption of existing state laws like California’s Consumer Privacy Act (CCPA) or Illinois’s Biometric Information Privacy Act (BIPA).”

Instead of an aggressive legislative crackdown, Winn thinks companies should try to regain consumers’ trust by treating their data well.

“We can only earn this trust by making sure we handle their information appropriately and lawfully,” Winn said, despite constant news reports detailing how companies abused consumers’ trust in the past, from Equifax to Facebook to Google.

Follow Kate on Twitter

The Department of Justice wants a federal court to sanction Google for failing to comply with a search warrant for user data stored on servers overseas, where the search giant argues the government has no jurisdiction.

Justice Department attorneys asked the U.S. District Court for the Northern District of California to sanction the search giant in court documents filed Wednesday, DOJ’s latest move in the case to get data from 22 Google email accounts.

“[W]hen faced with a valid court order, Google, like any other person or entity, must either comply with such an order or face consequences severe enough to deter willful noncompliance,” DOJ lawyers wrote in a brief first posted by Inside Counsel. “The issue before this court is what sanction is sufficient to achieve that goal.”

The same court ordered Google in August to comply with the warrant issued in 2016. Google argues it doesn’t have to be based on a legal precedent set last year in a very similar case DOJ is pursuing against Microsoft. That legal battle began in 2014, when the government ordered the Redmond-based tech giant to turn over emails stored on a server in Ireland.

Microsoft argued DOJ had no authority to compel the Windows maker to turn over data stored on another country’s sovereign soil, and that DOJ must request the emails from the foreign government in question. The government countered that as a company based in the U.S., Microsoft is obligated to adhere to the Electronic Communications Privacy Act (ECPA) — a Reagan-era law granting law enforcement access to Americans’ emails after they’re 180 days old.

After initially losing in a lower court, the Second Circuit Court of Appeals ruled in Microsoft’s favor last July, saying ECPA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.” In that case Microsoft agreed to be held in contempt to speed up the case’s appeal, currently pending at the Supreme Court. At the same time, both parties and the court agreed to stay sanctions.

Google is also being held in contempt, but not for mere judicial procedure. The government wants the court to sanction Google for noncompliance with the most recent court decision while awaiting appeal to the U.S. Court of Appeals for the Ninth Circuit, noting “customary sanction for an individual’s refusal to comply with court-ordered disclosure is immediate imprisonment.”

“Because a corporate entity obviously cannot be imprisoned for its refusal to comply with a court order, the usual contempt sanction imposed against corporate entities is a fine,” the government told the court. “Google’s conduct here amounts to a willful and contemptuous disregard of various court orders.”

As a side note, the government accused Google of designing its system architecture to store emails on cross-border servers, specifically for the purpose of refusing search warrants.

“Even more alarming is the fact that Google went out of its way, spending thousands of man-hours and forgoing other engineering projects, all so that it would be positioned to refuse to disclose any of its foreign-stored data—or, more precisely, any data it could not confirm was held in the United States—without seeking judicial relief or guidance and without limiting its new tooling to be used for warrants issued out of the Second Circuit,” the DOJ filing reads.

Google in a previous September brief to the court noted the government agreed to stay sanctions in the Microsoft case.

“In this case, however—despite this court’s recognition that Google is proceeding in good faith in this litigation to seek clarity on an important legal issue—the government refused to enter into any stipulation with a stay of sanctions,” Google wrote to the court.

Attorneys for the search giant go on to ask the court to devise a sanction or fine, and stay it until the case is decided.

“Google will continue to preserve information in its possession that is called for by the warrant but stored outside of the United States, and would immediately produce this information if, after exhausting its appellate options, it does not prevail,” Google’s brief reads.

The DOJ said Google is welcome to appeal the case after being sanctioned.

“The government merely seeks to develop the record here to determine the appropriate sanction for its willful disregard of this court’s order,” DOJ lawyers said, adding that in the Microsoft case cited by Google, Microsoft filed to quash the warrant within two weeks.

Google, they note, waited six months “and did not move to quash the warrant until after it learned that the government intended to file an order to show cause, all as a result of its significant efforts to re-design its compliance tooling to allow it to withhold information that might be held on one or more of its foreign servers.”

If the case is successfully appealed to the Ninth Circuit, there’s no guarantee Google will prevail like Microsoft did in the Second Circuit. Federal appeals courts aren’t bound to recognize sister rulings, but if the Supreme Court agrees to hear the case, the potential ruling will filter down to the rest.

Google has two weeks to respond to the brief filed last Wednesday. Meanwhile, DOJ inadvertently revealed Google will no longer challenge search warrants for data stored overseas in a reply brief to the Supreme Court last week, filed in the Microsoft case.

“Google has reversed its previous stance and informed the government that it will comply with new Section 2703 warrants outside the Second Circuit (while suggesting that it will appeal the adverse decisions in one or more existing cases),” the government said.

Follow Giuseppe on Twitter

Since Inauguration Day, President Donald Trump’s administration has been systematically removing pertinent information and delaying agency work in an effort to eradicate contradictory views from their current ideology. From climate change research to delays in civil rights cases, the new administration has hurriedly put their stamp across the U.S. government.

Environmental Protection Agency (EPA)

Soon after Trump was inaugurated, the administration ordered EPA officials to begin removing climate change data from its website. According to a Reuters report, “The employees were notified by EPA officials on [Jan. 24] that the administration had instructed EPA’s communications team to remove the website’s climate change page, which contains links to scientific global warming research, as well as detailed data on emissions.”

This is not surprising. President Trump has made his opinions known about his climate change beliefs. In a tweet from Nov. 6, 2012, Trump said, “The concept of global warming was created by and for the Chinese in order to make U.S. manufacturing non-competitive.” This has been demoralizing for the agency, and for those who have spent considerable resources in studying climate change, who educates the American public on the dangers of a warming planet. It is also not a surprise that Trump nominated Oklahoma Attorney General Scott Pruitt as the agency’s administrator.

Pruitt has been at war with the EPA. He has led 14 lawsuits against the agency he is nominated to lead while calling himself, “the leading advocate against EPA’s activist agenda.” Among the lawsuits, Pruitt has challenged mercury pollution regulations, ozone pollution limits, fighting the Cross-State Air Pollution Rule, the Clean Water Rule, and to block the Clean Power Plan.

This duo will do as much as they can to limit knowledge of climate change and to pursue an aggressive energy agenda that is certain to cause long-term negative effects on our environment and health. Luckily, there are scientists who want to fight this administration by preserving this information.

On Trump’s inauguration day, a group of about 60 individuals worked together at the University of Pennsylvania to download and preserve this data. The Wired article describes hackers, scientists, archivists, and librarians working diligently to save this data in anticipation that the Trump administration would remove it from EPA and NOAA websites.

Department of Agriculture (USDA)

In another troubling sign of the absence of transparency from the Trump administration, National Geographic reported that thousands of documents on animal welfare violations across the country have been removed from the USDA website. The documents included inspection records and annual reports for commercial animal facilities, including zoos, labs, factory farms, and breeders.

Think about that for a moment: Under the direction of this administration, citizens will not have direct access to information about animal rights abuses. This information led to Mother Jones’s highly publicized report, “The Cruelest Show on Earth,” detailing Ringling Bros. deplorable treatment of elephants. And to make this information prohibitive for future use, animal welfare groups and journalists would need to file a Freedom of Information Act (FOIA) request with the USDA. The burdensome process of a FOIA request can take months to fulfill, which means by the time law enforcement action is taken, many more animals could be dead. Why the administration would want to do this is anyone’s guess, but is more likely attributed to Trump’s penchant to side with businesses and not any regulatory measure that is deemed a nuisance for them.

The removal of USDA information poses significant risks for the welfare of animals around the country. The Humane Society of the United States filed a lawsuit against the USDA stating that the scrubbing of the website violated a 2009 agreement between the two parties.

Department of Justice (DOJ)

Since President Trump was sworn-in, the DOJ has stopped doing their job on many important cases undertaken during the Obama administration. According to the New York Times, hours after Trump’s inauguration, the DOJ filed requests to delay hearings challenging a voter ID law in Texas and an overhaul of the Baltimore Police Department.

The Baltimore case is particularly important after the revelations of the methodical abuse within the department leading to the death of Freddy Gray. After the Obama-era Justice Department released a critical 164-page report detailing excessive and continuous civil rights abuses towards the city’s African-American population, the need to delay the case seems especially confounding. The report concluded in one of the most stunning rebukes of a city police department:

“For the foregoing reasons, the Department of Justice concludes that there is reasonable cause to believe that BPD engages in a pattern or practice of conduct that violates the Constitution or federal law.”

This list is simply a sample of how the Trump administration has been operating during its first 100 days. The lack of transparency, enforcement, and removal of agency information will prove damaging to our country. The media and other interested non-profit organizations have to stay engaged to keep this administration honest. It will not be easy, but as long as we have an active citizenry, we can keep information from disappearing and demand that our civil rights are not infringed upon.

Sign up for NH Journal’s must-read morning political newsletter.