Unlocking Phone can be Constitutional: Fingerprints vs. Passcodes

Since 2014, approximately 67% of all smart phones in police evidence lockers are encrypted. For police, detectives, and district attorneys, this creates a huge burden with regard to evidence and prosecution. During the conflict between Apple and the FBI over the San Bernardino phone encryption, former NYPD Police Commissioner Bill Bratton asked in an op-ed, in light of encrypted phone cases, “The Constitution guarantees no absolute right to privacy. It guards against unreasonable search and seizure. How is what we are talking at all unreasonable?”

According to the courts, it could be unreasonable. There is a difference in the law with regard to how a phone is locked. Courts have looked at physical evidence (fingerprint) vs. knowledge (passcode), and have made these distinctions in case law.

Recently, in Minnesota v. Diamond, the Minnesota Court of Appeals affirmed that an order requiring a suspect to provide his fingerprint to unlock his cellphone was constitutional. The defense argued that the court violated the defendant’s Fifth Amendment right against self-incrimination by ordering the defendant to provide the fingerprint to access the information on the phone. There was, in fact, incriminating evidence found in the cellphone after it was unlocked.

This was a matter of first impression for the Minnesota Court of Appeals, but a similar issue had also recently arisen in Florida.

The Florida Court ruled that a man suspected of voyeurism using his phone must turn over his four-digit passcode to police. Though police had a warrant, they could not access the phone without the passcode.  A trial judge denied the motion to force the man to submit the code. The judge equated it to compelling him to testify against himself – in violation of the Fifth Amendment. The Florida Second District Court of Appeals reversed the decision stating that the passcode is not related to criminal activity that may or may not exist on the phone.

Courts have previously ruled that suspects must provide their fingerprints to unlock a phone, as mentioned in Diamond, but not a passcode or combination. Again, the distinction is between physical evidence of a fingerprint and knowledge of a passcode. A 2014 decision by the Virginia Beach Circuit Court found that individuals could not be forced to give up their phone’s passcode, but they could be ordered to provide a fingerprint to unlock the phone.

The Supreme Court’s 1988 decision in Doe v. U.S. ruled that a person may be compelled to give up a key to a strongbox, but not a combination to a safe. This is the interpretation courts are using when it comes to providing passcodes and fingerprints. However, the three-judge Appeals Court panel didn’t agree with this approach. They found the comparison with the current state of technology outdated; that providing a passcode would not be as self-incriminating as directly giving authorities evidential documents.

The police had probable cause and a warrant to search the phone. Judge Anthony Black wrote in the Florida Second District Court’s decision, “Moreover, although the passcode would allow the State access to the phone, and therefore to a source of potential evidence, the State has a warrant to search the phone—the source of evidence had already been uncovered … Providing the passcode does not ‘betray any knowledge [Stahl] may have about the circumstances of the offenses’ for which he is charged.”

Consumer class action revived for Neiman Marcus data breach

The 7th Circuit Court of Appeals reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus.  Last Monday (7/20), the Court held that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support standing.

While we haven’t covered standing explicitly in class, standing is defined as a party’s right to make a legal claim or seek judicial enforcement of a duty or right. For example, to have standing in federal court, a plaintiff must show (1) that the challenged conduct has caused the plaintiff actual injury, and (2) that the interest sought to be protected is within the zone of interests meant to be regulated by the statutory or constitutional guarantee in question. Sometimes it can be referred to as “standing to sue.”

The initial lawsuit against Neiman Marcus was in January 2014, when the company publicly disclosed that it had suffered a data breach where hackers collected the credit card information of approximately 350,000 customers. A number of consumers filed a class action lawsuit. The suit alleged that Neiman Marcus put the plaintiffs at risk for identity theft and fraud by delaying for a month the disclosure of information about the breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing.

On appeal, the 7th Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The 7th Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

The 7th Circuit’s ruling, combined with the Central District of California’s ruling in Corona last month [Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015)], suggests a trend: consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing. For other cases in the trend see: In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., 2014 U.S. Dist. LEXIS 96588 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014).

Nevada Law Updates Definition of Personal Information

As we will learn later this semester, Nevada has been on the front lines of creating law that protects personal information, requires encryption of credit card data, and adopts PCI-DSS standards into law. Now the state has adjusted its laws again to reflect technological changes in personal information. Nevada Governor Sandoval recently signed into law A.B. 179, which expands the definition of “Personal Information (PI)” in the state’s famous data security law. The law will take effect on July 1, 2015. Under the new law, PI now includes:

  • A “user name, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account;”
  • A medical identification or health insurance identification number; and
  • A driver authorization card number.

In addition, although Nevada’s data security law previously excluded “publicly available information…lawfully made available to the general public” from the definition of PI, the new law narrows the scope of that exclusion, limiting it to information available “from federal, state or local governmental records.”

http://www.leg.state.nv.us/Session/78th2015/Bills/AB/AB179_EN.pdf

Sample ACPA Case: CrossFit, Inc. v. Jenkins

As we have learned in class, the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C.A. § 1125(d), originated as a way to protect trademark owners from having others use their famous and distinctive trademark in a domain name that is confusingly similar. This law was welcomed especially in the early days of the internet, when domain name registrations were driving the development of internet law or “cyberlaw.” However, although there is less cyber-squatting or cyber-piracy today, the ACPA continues to be used in courts.

For example, in CrossFit, Inc. v. Jenkins, No. 13-CV-01219-MSK-CBS, 2014 WL 4706066 (D. Colo. Sept. 22, 2014) the district court in Colorado found that the owner of the Internet website http://www.crossfitnutrition.com, which offered the sale of vitamins, supplements, and nutrition products, had engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark and service mark associated with fitness training and consulting.

CrossFit, Inc. is engaged in the worldwide business of fitness training and consulting. It is a well-protected IP brand and owns many registered trademarks using the term “CrossFit.”

Mr. Jenkins owned and controlled the website in question (www.crossfitnutrition.com) which offers vitamins, supplements, and nutrition products for sale.

CrossFit alleged that Jenkins utilized the CrossFit mark to trade on the good name associated with CrossFit.  CrossFit alleged violation of the ACPA – CrossFit not only sought damages ($122K) but also an order requiring the domain name registrar to transfer the http://www.crossfitnutrition.com domain to CrossFit.

According to the record, Jenkins failed to answer the complaint entirely – which is a serious mistake for any defendant in an ACPA (or any other) action.

The ACPA was written to address this exact form of piracy on the Internet called cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners. The ACPA provides for liability if a person registers, traffics in, or uses a domain name that is identical or confusingly similar to a distinctive mark, with a bad faith intent to profit from that mark.

As we have learned in class, in order to state a claim under ACPA, a trademark owner must show the defendant:

  1. registered, trafficked in, or used a domain name,
  2. that is confusingly similar to the plaintiff’s trademark, and
  3. had a bad faith intent to profit from that domain name.

Here, the court concluded that the allegations supported CrossFit’s claim for violation of the ACPA by Jenkins.

The court found that Jenkins engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark. Jenkins had no authorization to use the mark, and acted with a bad faith intent to profit from the name. He created the false impression that he was a licensed “CrossFit” affiliate and that his products were endorsed or sponsored by the plaintiff.

CrossFit also showed that the crossfitnutrition.com domain name registered by Jenkins was identical or confusingly similar to their distinctive or famous marks. The CrossFit name is widely recognized around the world, and their company does an excellent job of controlling its well-built reputation through trademark and other IP protection.

The likelihood of confusion was clear from Jenkins’s use of the word “crossfit” in connection with the nutritional information and products offered on his crossfitnutrition.com website. His use of the CrossFit name created the false impression that he was a licensed CrossFit affiliate and/or that his products were endorsed or sponsored by, associated with, or originate from CrossFit, thereby creating consumer confusion.

CrossFit had specifically informed Jenkins that his domain name was likely to create consumer confusion and constituted unauthorized use of the CrossFit Marks, yet he continued to use the domain name with the intent of diverting consumers. This was the evidence of bad faith the court was looking for.

The court awarded CrossFit damages, attorney’s fees, and ordered the transfer of the crossfitnutrition.com domain name to CrossFit.

ACPA can be a powerful weapon for helping control cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners.

Welcome to Cyberlaw Online: Summer 2015

This site is intended for students enrolled in Cyberlaw: Privacy, Ethics, and Digital Rights Online. This semester’s blog will feature new cases and laws, discussions related to our coursework, and guest bloggers from fields such as Information Assurance, IP Law, Cybercrime, and others. To start, let’s look at a quote from CEPS that clearly quantifies many of the issues we will cover this summer.

“Cybersecurity is now a leading concern for major economies. Reports indicate that hackers can target the U.S. Department of Justice or Iranian nuclear facilities just as easily as they can mine credit card data. Threats have risen as the Internet has become a critical infrastructure for the global economy, with thousands of operations migrating onto it. Put simply, as the global economy relies more on the Internet, the latter becomes increasingly insidious. There is no doubt that the Internet is efficient. But it now needs a more concerted global effort to preserve its best aspects and guard against abuses….”

– Andrea Renda, Senior Research Fellow, Centre for European Policy Studies

October is National Cyber Security Awareness Month!

National Cyber Security Awareness Month (NCSAM) is this October! NCSAM is a “collaborative effort to ensure everyone has the resources they need to stay safe online.”

NCSAM is organized by the U.S. Department of Homeland Security and the National Cyber Security Alliance. Another partner, the Higher Education Information Security Council (HEISC), annually gathers a list of resources for colleges and universities. I thought this might be of interest to Northeastern’s IA Program community:

Additionally, in celebration of NCSAM in October, Educause is hosting a FREE online webinar featuring three CIOs from across the United States, hosted by Marc Hoit, Vice Chancellor & CIO, North Carolina State University.

In addition to talking about current information security issues on their campuses, the CIOs will discuss the “big questions” about information security in Higher Ed.  The title is “CIO Insights on Cybersecurity” on October 14, 2014 at 1:00–2:00 p.m. ET.

Speakers include:

  • Peter J. Murray, CIO/VP, University of Maryland, Baltimore
  • Michele Norin, Chief Information Officer, The University of Arizona
  • Melissa Woo, CIO/Vice Provost for Information Services, University of Oregon

This will probably be an interesting and enlightening talk in a field (higher education) where quite a bit of IA-focused inquiry is discussed day-to-day.

SCOTUS Petition Challenges 9th Circuit Ruling re: ACPA Contributory Cybersquatting

We will be covering the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), in class this semester, but a new case was appealed to the Supreme Court this week that I thought might be of interest.  This blog entry will act as a bit of a preview of laws, cases, and legal terminology we will see and discuss this semester.

When a party appeals a case to the Supreme Court of the United States (SCOTUS), which is the highest Court in the United States, the appeal has a special name: “petition for writ of certiorari,” also called “cert” or “cert petition.” This petition asks the court a single question of law (or sometimes several questions).

In this current case the cert petition was filed in a case titled Petroliam Nasional Berhad v. GoDaddy.com, Inc. (U.S., No. 13-1255), appealing a Dec. 4th decision by the U.S. Court of Appeals for the Ninth Circuit, related to the ACPA.

The ACPA is a 1999 federal law authorizing a trademark owner to obtain a federal-court order transferring ownership of a domain name from a “cybersquatter” to the trademark owner.

Cybersquatting is an act of reserving a domain name on the Internet and then seeking to profit by selling or licensing the name to the company, person, etc.  that has an interest in being identified with that domain name.

To prove a violation of the ACPA, the trademark’s owner must show that (1) the mark and the domain name are identical or confusingly similar; (2) the mark was distinctive when the domain name was first registered; (3) the trademark’s owner used the mark commercially before the domain name was registered; and (4) the domain registrant acted in bad faith and intended to profit from the trademark’s use.

The petitioner in the present case is Petroliam Nasional Berhad, a Malaysian corporation owned by the government, commonly known as “Petronas.” The corporation has a U.S. trademark registration on the term “Petronas” with respect to chemical products, petrochemicals, oil, gasoline and related goods.

Petronas initially objected to the owner of domain names petronastower.net and petronastowers.net redirecting users to adult-oriented content.  It blamed the domain registrar, GoDaddy.com Inc., for not taking action and filed a lawsuit alleging something called “contributory cybersquatting” under the ACPA.  “Contributory cybersquatting” expands liability for cybersquatting to persons or companies who aid and abet cybersquatters.  In this case, Petronas was stating that GoDaddy had “aided and abetted” the cybersquatters, and therefore should be held responsible for some of the wrongdoing.

The 9th Circuit affirmed an award of summary judgment (a motion that allows the speedy disposition of a controversy without the need for a long, expensive trial) in favor of GoDaddy, ruling that the plain meaning of the ACPA, the legislative history, and the goals of the law did not support the idea of an action for “contributory cybersquatting.”  The 9th Circuit court said that something called “contributory trademark infringement” was available to use as a law in this case, but not contributory cybersquatting.

GoDaddy had argued, at the lower court, that a contributory cybersquatting claim does not exist.  The 9th Circuit considered whether the ACPA allowed a claim of contributory cybersquatting.  A few prior cases had said contributory cybersquatting was valid, but only in “exceptional circumstances.”  But, after a short opinion, the 9th Circuit flatly stated the ACPA does not provide for contributory liability. The court gave two reasons for its conclusion:

1) The text of the ACPA does not expressly provide for “secondary liability” like contributory cybersquatting, where a third party, like GoDaddy, is held liable for the actions of others. The 9th Circuit said if Congress wanted to have secondary liability in a statute, it knows exactly how to include it in the language, and it declined to do so here.

2) The ACPA created a new cause of action when it was passed in 1999. The ACPA was enacted precisely because there was no common law for cybersquatting. The 9th Circuit said it’s fair to conclude, then, that the common law doctrines of contributory liability were not a part of the ACPA.

And that’s exactly where Petroliam Nasional Berhad disagreed, and filed a petition for SCOTUS to appeal the 9th Circuit court’s decision.  The question presented in the cert petition is:

“Do the normal rules for contributory trademark infringement…apply to trademark infringement by “cybersquatting” under Section 43(d) of the Lanham Trademark Act?”

Next SCOTUS term, we will have an answer.