Here is a copy of the Order from U.S. Magistrate Judge Sheri Pym in California requiring Apple to render “reasonable technical assistance” to the FBI in obtaining access to an iPhone used by one of the San Bernardino terror shooters.
I have previously argued that, under appropriate circumstances and pursuant to a search warrant, the government should be able to obtain passwords and decryption keys from suspects necessary to obtain the plaintext versions of files on seized devices. The Apple case, however, is different because the court is ordering a non-suspect third party technology company to actively assist with an investigation. While I might support carefully tailored legislation regarding law enforcement access to encryption keys, a court order such as this one without specific statutory authorization seems troubling.
Here is Part 2 of my Internet Law and Governance video series.
Here is Part 1 in my video series on Internet Law and Governance.
Here are my slides from the University of South Carolina Law School symposium on civil liability in data breach cases.
On November 9, 2015, Judge Richard Leon issued a preliminary injunction against the NSA bulk data collection program. On November 10, in a per curiam Order, the D.C. Circuit stayed the preliminary injunction pending the government’s appeal. Last Friday, November 20, the Circuit denied the plaintiffs’ emergency request for rehearing of the stay order en banc. In a somewhat unusual move, Circuit Judge Brett Kavanaugh wrote a concurrence to the Order denying the request for hearing en banc. Judge Kavanaugh states in the concurrence that “the Government’s metadata collection program is entirely consistent with the Fourth Amendment.” Concurrence at 1. Judge Kavanaugh states that the bulk data collection program satisfies the “special needs” exception under the Fourth Amendment because it “serves a critically important special need — preventing terrorist attacks on the United States.” Id. at 2. According to Judge Kavanaugh, “that critical national security need outweighs the impact on privacy occasioned by the program.” Id.
In my view, Judge Kavanaugh’s concurrence is troubling. An emergency petition for en banc review is an extraordinary request that can be denied for many reasons without opining on the merits. It is difficult to see how Judge Kavanaugh could reach such an easy conclusion about the NSA program in the context of an emergency en banc petition, without full briefing and argument on the merits. Unfortunately, it seems that the threat of terrorist attacks will remain with us in the foreseeable future. While the threat is deadly serious, the ordinary rule of law cannot remain suspended in a perpetual state of exception, or else it is a rule of power and not of law.
The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance. In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to SFJ’s page in India.
SFJ’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”
The court held that SFJ’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230. This holding is consistent with other cases holding that ISPs are publishers entitled to CDA immunity.
Cases like this are important for Internet governance because of the gatekeeping role played by large ISPs, search providers, and social media sites such as Facebook. If these gatekeepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet. On the other hand, if these gatekeepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).
Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions. The regulations would require covered entities to
- Maintain written internal cybersecurity policies and procedures;
- Maintain policies and procedures to ensure the security of data held by third party providers;
- Adopt multi-factor authentication for some resources;
- Designate a CISO responsible for the institution’s cybersecurity program;
- Adopt procedures and guidelines to ensure the security of applications used by the entity;
- Employ personnel adequate to manage the entity’s cyber risks;
- Conduct annual penetration testing and quarterly vulnerability assessments;
- Maintain an audit trail system; and
- Notify the Department of cyber incidents.
While most sophisticated financial institutions already engage in many of these functions, the regulations would add a new dimension to compliance. The requirement to employ certain kinds of personnel, in particular, will be controversial.
Federal prosecutors unsealed indictments against three men who allegedly engaged in a sprawling cybercriminal enterprise that hacked into J.P. Morgan Chase & Co. and several U.S. financial institutions.
Source: Charges Announced in J.P. Morgan Hacking Case – WSJ
Here is a nifty graphic from the McAfee Labs 2016 Threat Predictions Report.