From tracking Big Foot to curbing piracy to managing big data, it's all in this issue of Tech Policy Download. "Big Foot" was the codename of a drug suspect who was located without a warrant using data from his cell phone. Online pirates are being fought not with cannon, but with math, as Google tweaks its search algorithm to depress the rankings of sites hosting copyright infringing material. And in a new paper CDT explores how to better protect massive amounts of health data.
Tracking Big Foot: Why GPS Location Requires a Warrant
The federal Sixth Circuit Court of Appeals ruled recently that law enforcement officers did not need a warrant to locate a drug suspect, codenamed "Big Foot," using data from his cell phone. The decision, in U.S. v. Skinner, has been widely derided as legally incorrect, lazy, shallow, and vague.
Several flaws in the court's ruling stand out. First of all, whether the data was GPS or cell site, it is clear that it was generated by "pinging" the phone at the insistence of law enforcement. Therefore, the data was not subject to the "business record" exception to the Fourth Amendment. And if the data was GPS, as it seems it was, the court completely missed a key point: the Justice Department has previously recommended that investigators use warrants to obtain GPS data, even for short term monitoring. (Why the agents in this case ignored Department policy is not clear.)
Finally, as the concurrence pointed out, a warrant requirement for location information, would not have stopped the government from finding and arresting Skinner: the government in the case already had enough information to meet the Fourth Amendment standard.
CDT and many others, including leading communications and tech companies, are arguing that the federal surveillance statute should be updated to make it clear that a warrant is needed to track a cell phone (except in emergencies). While the government has so far saved its conviction of Big Foot, a statutory warrant requirement would remove the chances that a criminal will elude jail because location tracking evidence was thrown out on constitutional grounds.
Of Pirates and PageRank
In an attempt to give less prominence to copyright infringing websites, Google has announced a change in the way it ranks search results. It works like this: sites that Google's DMCA takedown data suggest are more likely to be offering copyright-infringing content will be demoted in search results. The new approach was quickly dubbed the "pirate penalty."
Google's approach is certainly preferable to and may indeed have a more meaningful impact on online infringement than misguided blocking legislation like SOPA and PIPA. One obvious risk, however, is third parties gaming the system to disadvantage competitors. Transparency will also be important: Without compromising its need for secrecy where the algorithm is concerned, Google should make it clear what criteria it uses. Ultimately, the success of Google's move here will be determined by the results that rise to the top of the rankings.
Better Policies for De-Identified Health Data
The staggering amount of personal health data now being collected for treatment or billing purposes has a life beyond the doctor's clipboard. Often, that data is aggregated, stripped of personally identifying information ("de-identified") and re-used for medical research, for public health purposes, to improve patient care, for marketing, and many other purposes.
However, de-identified data isn't guaranteed to remain that way. Indeed, concerns about de-identification practices are growing. The concerns fall into three categories: 1) sufficiency of the methods used for de-identification; 2) lack of accountability for unauthorized or inappropriate re-identification; and 3) disapproval of certain uses of de-identified data.
Since 2009, CDT's health privacy project has been exploring the issues around de-identification. We recently published a paper detailing the policy options available to best ensure the benefits that come from uses of de-identified data while reducing the privacy risks. Among other options we explore is requiring reasonable security safeguards for de-identified data (today no such safeguards are required).
CDT has teamed up with the law firm of Manatt, Phelps & Phillips LLP to publish "Strategies for Safeguarding Patient-Generated Health Information Created or Shared Through Mobile Devices."
Click to view this email in a browser
If you no longer wish to receive these emails, please reply to this message with "Unsubscribe" in the subject line or simply click on the following link: Unsubscribe
Center for Democracy & Technology
1634 I St.
Washington, District of Columbia 20006
Read the VerticalResponse marketing policy.