John Stephenson Testimony on Electronic Data Privacy Protection
On March 20, 2014 ALEC Communications and Technology Task Force Director John Stephenson was asked to testify in front of the South Carolina House Judiciary’s Constitutional Laws Subcommittee hearing on H 4791, the Electronic Data Privacy Protection Act. South Carolina is one of eight states considering cellphone digital privacy legislation. His written testimony can be found below.
Last week, John Stephenson went on the Kelly Golden Show on 94.3 WSC FM in South Carolina to talk about this issue. Listen to his interview here:
Testimony of John Stephenson before the South Carolina House Judiciary Subcommittee on Constitutional Laws Hearing on H. 4791, The Electronic Data Privacy Protection Act March 20, 2014:
Thank you, Chairman Bannister and Members of the Subcommittee, my name is John Stephenson and I am the Director of the Task Force on Communications and Technology at the American Legislative Exchange Council (ALEC). I am honored to appear before you today on behalf of the ALEC and to present these remarks regarding state efforts to reform surveillance laws and the policy contained in House Bill 4791, the Electronic Data Privacy Protection Act sponsored by Rep. Garry Smith.
As drafted, the key provisions of the Electronic Data Privacy Protection Act would amend South Carolina’s surveillance laws to require state and local law enforcement agencies to obtain a warrant in order to search the contents of electronic communications, to obtain geolocation information, or to search an electronic device found incident to arrest. The bill requires notice on the subject of the search, but that notice can be delayed if it would lead to an adverse result such as suspect flight or harm an investigation. Further, the Electronic Data Privacy Protection Act requires reports from the state’s courts on the number of warrants and exceptions issued. The Electronic Data Privacy Protection Act also permits law enforcement to get an extension of a warrant and to conduct searches under statutory or court-recognized exceptions to the warrant requirement such as user consent, a threat of death or serious injury to a person, or to locate a missing child. Additionally, the Electronic Data Privacy Protection Act tracks long standing procedural rules and court-established precedents for interpretation under the federal Electronic Communications Privacy Act and the Stored Communications Act to provide more consistency between state and federal requirements.
The Electronic Data Privacy Protection Act is consistent with ALEC’s model policy on law enforcement access to geolocation information and searching electronic devices incident to arrest, therefore ALEC supports the policy proposals in the Act on these issues. Our model was developed over the course of a year in consultation with Rep. Smith and with several attorneys with law enforcement, industry, and civil liberties groups from across the policy spectrum including the American Civil Liberties Union, the Center for Democracy and Technology, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and TechFreedom.
We are living in an age of privacy concerns. It seems as though every new day brings news about how companies and government agencies collect, use, lose, or misuse South Carolinians’ data including personal information, health records, tax liabilities, and private communications. According to a survey conducted last July by the Pew Internet Center, most Americans believe that existing laws are inadequate to protect their privacy online. Some of those surveyed said they cleared browsing histories, deleted social media posts or used virtual networks to conceal their Internet Protocol addresses — and a few even said they used encryption tools. A majority of Americans also wants stricter limits on the government’s collection of communications data, according to a poll taken following the leak of classified documents detailing the NSA’s surveillance programs by the infamous former government contractor Edward Snowden. The concerns are bipartisan: the same proportion of Democrats and Republicans said they are more worried about their civil liberties than they are about terrorism.
While the public has been focused on the NSA’s surveillance programs, it is worth paying attention to recent reports of sophisticated data spying by state and local police agencies, and what these revelations mean for South Carolinians. Last month, USA Today reported that at least 125 police agencies in 33 states, including South Carolina, have used a variety of tactics and technologies to obtain information about thousands of cell phones and their users.
The newspaper’s investigation found that one in four law enforcement agencies use a tactic known as a “tower dump” to get the identity, activity and location information of any cell phone that connects with a particular cell tower in a specific timespan. Additionally, 25 law enforcement agencies used federal grants to purchase a piece of equipment developed for military and intelligence gathering purposes known as a “Stingray,” which mimics a cell tower, allows police to track the movements of a specific cell phone and captures data from a cell phone, such as the phone numbers dialed and text messages received.
Law enforcement agencies argue that access to cell phone data such as geolocation information is essential for saving lives and solving crimes. Colorado police credit cell phone data, specifically location information and numbers dialed, to solving the murder of ten-year-old Jessica Ridgeway in 2012. Here in South Carolina, the Richland County Sheriff’s Department also used a tower dump to assist in successful investigations of a murder and a series of gun thefts.
While there may be benefits to such data collection, there is concern that the tactics and tools employed by police are capturing the private information of innocent people alongside targeted individuals. Civil liberties groups indicate law enforcement agencies can obtain valuable or sensitive information with little oversight or public knowledge. Moreover, data from cell phones, especially the latest smartphones, can yield deep insights into individuals’ lives and behaviors.
Little is known about how law enforcement collects or uses the cell phone data; in fact, most of what USA Today reported came only from Freedom of Information Act (FOIA) requests because officials refused to comment, and even the FOIA’ed information was largely limited to budget documents.
The main problem is that there are few restrictions or reporting requirements on government efforts to obtain access to cell phone and electronic data. In most states, law enforcement agencies can obtain cell phone records and data without a court-approved warrant. Furthermore, the laws governing electronic surveillance are woefully outdated. The Electronic Communications Privacy Act (ECPA), the principal federal law providing rules for police to access electronic data, was written in 1986, years before cell phones were commonplace and the Internet was widespread. Neither the 1986 statute nor the Constitution could have anticipated how much information cellphones may contain, including detailed records of people’s travels and diagrams of their friends and families.
There is also little disagreement about the value of cell phone data to the police. In response to a Congressional inquiry, cellphone carriers said they responded in 2011 to 1.3 million demands from law enforcement agencies for text messages and other information about subscribers. Among the most precious information in criminal inquiries is the location of suspects, and when it comes to location records captured by smartphones, court rulings have also been inconsistent.
In the absence of legislative guidance as to the level privacy for cellphones, courts have been forced to write new and inconsistent requirements for access to cell phone data. A Rhode Island judge threw out evidence that led to a man being charged with the murder of a 6-year-old boy, saying the police needed a search warrant to obtain the suspect’s cellphone information. Meanwhile, a Washington state court compared text messages to voice mail messages that can be overheard by anyone in a room and, therefore, not protected by the state’s privacy laws. But state courts in New Jersey and Massachusetts have ruled that citizens have reasonable expectations of privacy for their cellphone location records. The result has been confusion and uncertainty for users, providers, and even law enforcement. Without clear rules of the road to outline how and when law enforcement can obtain cell phone data, neither police or the public are well served.
Courts have also issued divergent rulings on when and how cellphones can be inspected. In Ohio, a court ruled that the police needed a warrant to search a cellphone because a it may hold “large amounts of private data” unlike a piece of paper that might be stuffed inside a suspect’s pocket and can be confiscated during an arrest. But California’s highest court said, as long as the phone was with the suspect at the time of arrest, the police could look through a cellphone without a warrant. In fact there have been volumes of law review articles written about whether a cellphone is akin to a “container” — like a suitcase stuffed full with marijuana found in the trunk of a car — or whether, as the judge in the Rhode Island murder case suggested, it is more comparable to a face-to-face conversation.
In response, state legislators are looking to limit the information state and local law enforcement can get from cellphones. In an emergency, police in all states can directly request a cellphone location from carriers and in some states, they can access email and social media posts without a warrant. Generally, states are focusing on individual technologies, rather than trying to pass broad measures to protect digital privacy. For example, states might place limits on how long police can keep data collected from license plate readers, which are scanners attached to police cars or road signs that take photos of each passing license plate, recording the time and location. They also might require police to get warrants before they examine cellphone data, and restrict government drone use.
To date, Maine, Montana, and Texas have adopted stronger surveillance laws. Both Maine and Montana require warrants for law enforcement to obtain geolocation information. Texas, on the other hand, requires a warrant for searching the contents of electronic communications such as e-mail messages. The legislatures in Indiana and Virginia have adopted bills that also require warrants for geolocation information. By our count, eight states are currently considering bills that aim to strengthen citizens’ privacy by requiring warrants or imposing other restrictions on access to data.
Without federal action and as privacy concerns grow with new revelations about data collection, state legislators will feel compelled to act. Jonathan Stickland, a Texas State Representative who sponsored his state’s warrant for e-mail requirement, has been quoted as saying “Congress is obviously not interested in updating those things or protecting privacy…If they’re not going to do it, states have to do it.” Additionally, John Pezold, a state representative in Georgia, has been quoted saying “[Citizens are] becoming increasingly wary that their lives are going to be no longer their own…We have got to protect that.” To protect that value known as privacy, it’s important for legislators here and elsewhere to deliberate to find the appropriate balance between the important values of ensuring citizens’ privacy and protecting public safety.
Thank you again for the opportunity to present these remarks and I look forward to your questions.