Unlocking Phone can be Constitutional: Fingerprints vs. Passcodes

Since 2014, approximately 67% of all smart phones in police evidence lockers are encrypted. For police, detectives, and the district attorneys, this creates a huge burden with regards to evidence and prosecution. During the conflict between Apple and the FBI over the San Bernardino phone encryption, former NYPD Police Commissioner Bill Bratton asked in an op-ed, in light of encrypted phone cases, “The Constitution guarantees no absolute right to privacy.  It guards against unreasonable search and seizure. How is what we are talking at all unreasonable?”

According to the courts, it could be unreasonable. There is a difference in the law with regards to how a phone is locked. Courts have looked at physical evidence (fingerprint) vs. knowledge (passcode), and have made these distinctions in caselaw.

Recently, in Minnesota v. Diamond, the Minnesota Court of Appeals affirmed that an order requiring a suspect to provide his fingerprint to unlock his cellphone was constitutional. The defense argued that the court violated the defendant’s Fifth Amendment right against self-incrimination by ordering the defendant to provide the fingerprint to access the information on the phone. There was, in fact, incriminating evidence found in the cellphone after it was unlocked.

This was a matter of first impression for the Minnesota Court of Appeals, but a similar issue had also recently arisen in Florida.

The Florida court ruled that a man suspected of voyeurism using his phone must turn over his four-digit passcode to police. Though police had a warrant, they could not access the phone without the passcode. A trial judge denied the motion to force the man to submit the code, equating it to compelling him to testify against himself in violation of the Fifth Amendment. The Florida Second District Court of Appeals reversed that decision, stating that the passcode is not related to criminal activity that may or may not exist on the phone.

Courts have previously ruled that suspects must provide their fingerprints to unlock a phone, as mentioned in Diamond, but not a passcode or combination. Again, the distinction is between physical evidence of a fingerprint and knowledge of a passcode. A 2014 decision by the Virginia Beach Circuit Court found that individuals could not be forced to give up their phone’s passcode, but they could be ordered to provide a fingerprint to unlock the phone.

The Supreme Court’s 1988 decision in Doe v. U.S. ruled that a person may be compelled to give up a key to a strongbox, but not a combination to a safe. This is the interpretation courts have been using when it comes to providing passcodes and fingerprints. However, the three-judge Florida appeals panel didn’t agree with this approach. It found the comparison outdated given the current state of technology, and held that providing a passcode would not be as self-incriminating as directly handing authorities evidentiary documents.

The police had probable cause and a warrant to search the phone. Judge Anthony Black wrote in the Florida Second District Court’s decision, “Moreover, although the passcode would allow the State access to the phone, and therefore to a source of potential evidence, the State has a warrant to search the phone—the source of evidence had already been uncovered … Providing the passcode does not ‘betray any knowledge [Stahl] may have about the circumstances of the offenses’ for which he is charged.”


Consumer class action revived for Neiman Marcus data breach

The 7th Circuit Court of Appeals reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus.  Last Monday (7/20), the Court held that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support standing.

While we haven’t covered standing explicitly in class, standing is defined as a party’s right to make a legal claim or seek judicial enforcement of a duty or right. For example, to have standing in federal court, a plaintiff must show (1) that the challenged conduct has caused the plaintiff actual injury, and (2) that the interest sought to be protected is within the zone of interests meant to be regulated by the statutory or constitutional guarantee in question. Sometimes it is referred to as “standing to sue.”

The initial lawsuit against Neiman Marcus followed January 2014, when the company publicly disclosed that it had suffered a data breach in which hackers collected the credit card information of approximately 350,000 customers. A number of consumers filed a class action lawsuit. The suit alleged that Neiman Marcus put the plaintiffs at risk of identity theft and fraud by delaying disclosure of the breach for a month. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing.

On appeal, the 7th Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries”: an increased risk of future fraudulent charges and greater susceptibility to identity theft. The 7th Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

The 7th Circuit’s ruling, combined with the Central District of California’s ruling in Corona last month [Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015)], suggests a trend: consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing. For other cases in the trend see: In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., 2014 U.S. Dist. LEXIS 96588 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014).

Nevada Law Updates Definition of Personal Information

As we will learn later this semester, Nevada has been on the front lines of creating law that protects personal information, requires encryption of credit card data, and adopts PCI-DSS standards into law. Now the state has adjusted its laws again to reflect technological changes in personal information. Nevada Governor Sandoval recently signed into law A.B. 179, which expands the definition of “Personal Information (PI)” in the state’s well-known data security law. The law will take effect on July 1, 2015. Under the new law, PI now includes:

  • A “user name, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account;”
  • A medical identification or health insurance identification number; and
  • A driver authorization card number.

In addition, although Nevada’s data security law previously excluded “publicly available information…lawfully made available to the general public” from the definition of PI, the new law narrows the scope of that exclusion, limiting it to information available “from federal, state or local governmental records.”


Sample ACPA Case: CrossFit, Inc. v. Jenkins

As we have learned in class, the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C.A. § 1125(d), was enacted to protect trademark owners from having others use their famous and distinctive trademarks in confusingly similar domain names. This law was especially welcome in the early days of the internet, when domain name registrations were driving the development of internet law or “cyberlaw.” Although there is less cybersquatting or cyberpiracy today, the ACPA continues to be used in courts.

For example, in CrossFit, Inc. v. Jenkins, No. 13-CV-01219-MSK-CBS, 2014 WL 4706066 (D. Colo. Sept. 22, 2014) the district court in Colorado found that the owner of the Internet website http://www.crossfitnutrition.com, which offered the sale of vitamins, supplements, and nutrition products, had engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark and service mark associated with fitness training and consulting.

CrossFit, Inc. is engaged in the worldwide business of fitness training and consulting. It is a well-protected IP brand and owns many registered trademarks using the term “CrossFit.”

Mr. Jenkins owned and controlled the website in question (www.crossfitnutrition.com) which offers vitamins, supplements, and nutrition products for sale.

CrossFit alleged that Jenkins used the CrossFit mark to trade on the good name associated with CrossFit. Alleging a violation of the ACPA, CrossFit not only sought damages ($122K) but also an order requiring the domain name registrar to transfer the http://www.crossfitnutrition.com domain to CrossFit.

According to the record, Jenkins failed to answer the complaint entirely, which is a serious mistake for any defendant in an ACPA (or any other) action.

The ACPA was written to address this exact form of piracy on the Internet called cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners. The ACPA provides for liability if a person registers, traffics in, or uses a domain name that is identical or confusingly similar to a distinctive mark, with a bad faith intent to profit from that mark.

As we have learned in class, in order to state a claim under ACPA, a trademark owner must show the defendant:

  1. registered, trafficked in, or used a domain name,
  2. that is confusingly similar to the plaintiff’s trademark, and
  3. had a bad faith intent to profit from that domain name.

Here, the court concluded that the allegations supported CrossFit’s claim for violation of the ACPA by Jenkins.

The court found that Jenkins engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark. Jenkins had no authorization to use the mark, and acted with a bad faith intent to profit from the name. He created the false impression that he was a licensed “CrossFit” affiliate and that his products were endorsed or sponsored by the plaintiff.

CrossFit also showed that the crossfitnutrition.com domain name registered by Jenkins was identical or confusingly similar to its distinctive or famous marks. The CrossFit name is widely recognized around the world, and the company does an excellent job of protecting its well-built reputation through trademark and other IP protection.

The likelihood of confusion was clear from Jenkins’s use of the word “crossfit” in connection with the nutritional information and products offered on his crossfitnutrition.com website. His use of the CrossFit name created the false impression that he was a licensed CrossFit affiliate and/or that his products were endorsed or sponsored by, associated with, or originate from CrossFit, thereby creating consumer confusion.

CrossFit had specifically informed Jenkins that his domain name was likely to create consumer confusion and constituted unauthorized use of the CrossFit marks, yet he continued to use the domain name with the intent of diverting consumers. This was the evidence of bad faith the court was looking for.

The court awarded CrossFit damages, attorney’s fees, and ordered the transfer of the crossfitnutrition.com domain name to CrossFit.

The ACPA can be a powerful weapon for controlling cybersquatting, the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners.

Welcome to Cyberlaw Online: Summer 2015

This site is intended for students enrolled in Cyberlaw: Privacy, Ethics, and Digital Rights Online. This semester’s blog will feature new cases and laws, discussions related to our coursework, and guest bloggers from fields such as Information Assurance, IP Law, Cybercrime, and others. To start, let’s look at a quote from CEPS that clearly captures many of the issues we will cover this summer.

“Cybersecurity is now a leading concern for major economies. Reports indicate that hackers can target the U.S. Department of Justice or Iranian nuclear facilities just as easily as they can mine credit card data. Threats have risen as the Internet has become a critical infrastructure for the global economy, with thousands of operations migrating onto it. Put simply, as the global economy relies more on the Internet, the latter becomes increasingly insidious. There is no doubt that the Internet is efficient. But it now needs a more concerted global effort to preserve its best aspects and guard against abuses….”

– Andrea Renda, Senior Research Fellow, Centre for European Policy Studies

October is National Cyber Security Awareness Month!

National Cyber Security Awareness Month (NCSAM) is this October! NCSAM is a “collaborative effort to ensure everyone has the resources they need to stay safe online.”

NCSAM is organized by the U.S. Department of Homeland Security and the National Cyber Security Alliance. Another partner, the Higher Education Information Security Council (HEISC), annually gathers a list of resources for colleges and universities. I thought this might be of interest to Northeastern’s IA Program community:

Additionally, in celebration of NCSAM in October, Educause is hosting a FREE online webinar featuring three CIOs from across the United States, hosted by Marc Hoit, Vice Chancellor & CIO, North Carolina State University.

In addition to talking about current information security issues on their campuses, the CIOs will discuss the “big questions” about information security in Higher Ed. The talk, titled “CIO Insights on Cybersecurity,” takes place on October 14, 2014 at 1:00–2:00 p.m. ET.

Speakers include:

  • Peter J. Murray, CIO/VP, University of Maryland, Baltimore
  • Michele Norin, Chief Information Officer, The University of Arizona
  • Melissa Woo, CIO/Vice Provost for Information Services, University of Oregon

This will probably be an interesting and enlightening talk in a field (higher education) where quite a bit of IA-focused inquiry is discussed day-to-day.

Do Not Track Working Group Consensus – More Work Ahead

The W3C working group that has struggled to reach agreement on industry “Do Not Track” rules made progress in some areas, issuing a consensus document during a May meeting in California. W3C develops internet standards worldwide. The working group will proceed toward a “last call” July deadline to issue draft standards for public comment.

The issue before the group is the practice of behavioral advertising, which involves the tracking of consumers’ online activities for targeted marketing purposes.  The working group is trying to create voluntary “Do Not Track” standards by allowing consumers to make “Do Not Track” choices through their web browser settings.

Consumer advocates and the online advertising industry have clashed over how far “Do Not Track” standards should go. Last year, Microsoft stymied the process by deciding to roll out its new IE 10 browser with “Do Not Track” enabled by default. The Digital Advertising Alliance (DAA), a consortium of marketing industry groups, objected. It claimed that its members “will not be required to honor such a default approach because it reflects the choice of the browser manufacturer instead of the consumer and is inconsistent with industry standards.”
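The browser setting discussed in the two paragraphs above reaches a website as an HTTP request header: a browser with Do Not Track switched on sends `DNT: 1`, a user who explicitly allows tracking sends `DNT: 0`, and a browser with no preference sends no header. The following is an added example written for this post, not code from the W3C working group, the DAA, or any browser vendor; it shows the server side of honoring that signal, deciding whether a behavioral-advertising cookie may be set and answering with the `Tk` response header from the W3C Tracking Preference Expression specification. The cookie name and the sample requests are constructed for the example.

```python
"""Server-side handling of the Do Not Track (DNT) browser signal.

Added example; not the W3C working group's, the DAA's, or any vendor's code.
The cookie name and the sample requests are constructed for illustration.
"""
import secrets
from typing import Dict, List, Optional

TRACKING_COOKIE = "ad_tracking_id"  # constructed cookie name for this example


def dnt_value(headers: Dict[str, str]) -> Optional[str]:
    """Return '1' (do not track), '0' (tracking allowed) or None (no preference).

    HTTP header names are case-insensitive, so the lookup ignores case; any
    value other than the two defined ones is treated as no preference.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            v = value.strip()
            return v if v in ("0", "1") else None
    return None


def tracking_decision(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether behavioral-advertising tracking may be applied.

    Honoring the signal means: DNT: 1 -> no tracking, answered with Tk: N;
    anything else -> tracking permitted, answered with Tk: T.
    """
    if dnt_value(headers) == "1":
        return {"track": False, "response_headers": {"Tk": "N"}}
    return {"track": True, "response_headers": {"Tk": "T"}}


def response_cookies(decision: Dict[str, object],
                     existing_cookies: Dict[str, str]) -> List[str]:
    """Set-Cookie values to emit for a request.

    A new tracking cookie is issued only when tracking is permitted and none
    exists yet; when the user asked not to be tracked, an existing tracking
    cookie is expired rather than silently kept.
    """
    if decision["track"]:
        if TRACKING_COOKIE not in existing_cookies:
            return [f"{TRACKING_COOKIE}={secrets.token_hex(16)}; Path=/; HttpOnly"]
        return []
    if TRACKING_COOKIE in existing_cookies:
        return [f"{TRACKING_COOKIE}=; Max-Age=0; Path=/"]
    return []


# Constructed sample requests (header dicts as a web framework would hand them over).
SAMPLE_REQUESTS = {
    "opt_out": {"Host": "ads.example", "dnt": "1"},
    "opt_in": {"Host": "ads.example", "DNT": "0"},
    "no_preference": {"Host": "ads.example"},
}


def demo() -> Dict[str, bool]:
    """Map each sample request to whether tracking would be applied."""
    return {label: tracking_decision(h)["track"] for label, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, tracked in demo().items():
        print(f"{label}: tracking {'applied' if tracked else 'suppressed'}")
```

One point the code makes visible is what the DAA objection turns on: the server sees only the `DNT: 1` bit, and cannot tell whether it came from a choice the user made or from a browser default, which is why the argument over IE 10 could not be settled by the header itself.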

At an April 24 hearing before the Senate, the DAA accused Microsoft (and Mozilla) of failing to honor its commitment to cooperate with the “Do Not Track” effort. After the hearing, Senate Committee Chairman John D. Rockefeller IV (D-W.Va.) reintroduced bill S. 418 “Do-Not-Track Online Act of 2013” to create mandatory Do Not Track rules, enforceable by the Federal Trade Commission.

Stay tuned for more information from the W3C Working Group and about Senate bill S. 418.