Klayman v. Obama Preliminary Injunction of NSA Program

Judge Richard Leon in the District of Columbia federal court has again issued a preliminary injunction against the continuation of the NSA bulk telephony metadata collection program.  The bulk collection program is set to expire on November 29, 2015 under the USA FREEDOM Act, so the injunction in this case will not have long-term impact.  Judge Leon’s reasoning, however, could be important to the evaluation of future government data collection programs.  As Judge Leon stated in his November 9, 2015 Memorandum Opinion, this

will not . . . be the last chapter in the ongoing struggle to balance privacy rights and national security interests under our Constitution in an age of evolving technological wizardry.  Although this Court appreciates the zealousness with which the Government seeks to protect the citizens of our Nation, that same Government bears just as great a responsibility to protect the individual liberties of those very citizens.

Mem. Op. at 42.  The first portion of Judge Leon’s Opinion addresses the plaintiffs’ standing to challenge the NSA program.  I will address the standing issue in another post.

On the likelihood of success on the merits, Judge Leon found that the plaintiffs likely will be able to prove that the NSA bulk collection program violates the Fourth Amendment.  According to Judge Leon, plaintiffs “have a very significant expectation of privacy in an aggregated collection of their telephony metadata,” the government’s intrusion on that interest is very broad, and the government has not shown the program has successfully fulfilled the goal of protecting the nation from terrorism.  Mem. Op. at 28-37.  Judge Leon also found that the plaintiffs likely would suffer irreparable harm absent a preliminary injunction and that the public interest favors injunctive relief.  Id. at 37-42.

One notable aspect of Judge Leon’s Opinion is his discussion of expectations of privacy in relation to mobile technology.  He suggests that “Americans’ constant use of cellphones for increasingly diverse and private purposes illustrates the attitude with which people approach this technology as a whole” and that “a person’s expectation of privacy is not radically different when using his or her cellphone to make a call versus to check his or her bank account balance.”  Id. at 29.  Moreover, Judge Leon notes, mobile devices are a necessary part of modern life and therefore entail stronger expectations of privacy than high-security environments that most people enter only occasionally, such as airports.

Another notable aspect of the Opinion is Judge Leon’s often colorful descriptions of the NSA program and the government’s arguments in its favor.  Here is a sampling:  the bulk data collection program “is a sweeping, and truly astounding program that targets millions of Americans arbitrarily and indiscriminately” (Id. at 31); it is “absurd to suggest that the Constitution favors, or even tolerates, such extreme measures!” (Id. at 32 (exclamation point in original)); the government’s evidence in support of the program’s efficacy is “[n]ot exactly confidence inspiring!” (Id. at 35 (exclamation point in original)); “the Government .  .  . suggests that this Court should defer to [its] judgment . .  . Please!” (exclamation point in original)); “the Government incredibly argues that the [newly added] plaintiffs’ claim of irreparable harm is necessarily undercut by their more than two-year delay in joining this suit . . . . Come on!” (Id. at 38, n. 22 (exclamation point in original)); the government argues that the Court must “defer to Congress’ ‘determination’ that continuing the Program during the 180-day transition period is the best way to protect the public interest. . . . Not quite!” (Id. at 39 (exclamation point in original));  “Congress, of course, is not permitted to prioritize any policy goal over the Constitution . . . .  Nor am I!” (Id. at 40 (exclamation point in original)); “[t]his Court simply cannot, and will not, allow the Government to trump the Constitution merely because it suits the exigencies of the moment”) (Id.).

Earlier today, Judge Leon denied the government’s emergency application for a  stay of the preliminary injunction pending appeal, and the government filed an appeal with the D.C. Circuit.


PLI Presentation

I presented this morning at PLI’s annual “Think Like a Lawyer, Talk Like a Geek” seminar.  Here is my presentation, which focuses on cyber risk insurance issues.

BitPay Cyber Insurance Litigation

An interesting cyber insurance coverage case was filed recently in the the Northern District of Atlanta involving bitcoin payment processor Bitpay.  Bitpay’s CFO was spear phished, leading to an improper transfer of bitcoins valued at  $1.8 Million.  Bitpay had been issued a Commercial Crime Policy by Hanover Insurance Group, which included coverage for “Computer Fraud,” as follows:

We will pay for loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’:
a.  To a person (other than a ‘messenger’) outside those ‘premises’; or
b.  To a place outside those ‘premises.’

Hanover denied the claim because, according to Hanover, the transfer of bitcoins as a result of spear phishing did not “directly” result from the use of a computer.  This kind of spear phishing attack, Hanover stated in its denial letter, does not entail “a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money.”  Hanover further argued that “there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails.”  Finally, Hanover argued that “the term ‘premises’ is defined in the policy as, ‘the interior of that portion of any building you occupy in conducting your business'” and does not over bitcoins “held online, and transferred online.”  After further attempts to obtain coverage were unsuccessful, Bitpay filed the coverage action.

If the case does not settle, it will be interesting to see how the court construes the disputed terms in the context of this bitcoin spear phishing scam.