BLOGS: Communications, Tech & Media Review

Thursday, October 4, 2018, 1:12 PM

Gauntlet Thrown : DOJ Sues California Hours After Governor Signs the Nation’s Toughest Net Neutrality Rules into Law


By Nicole Su & Mark Palchick

As we previously reported, California legislature approved one of the nation’s toughest net neutrality laws - California Internet Consumer Protection and Net Neutrality Act of 2018, known as SB 822.  On Sunday, Governor Jerry Brown signed the bill, SB 822, into law.

The Trump administration wasted no time and swiftly filed suit against California to block California’s new law late Sunday night.  The Complaint was filed in the United States District Court for the Eastern District of California and can be found here.

The federal government seeks declaratory and injunctive relief against the State of California on the grounds that SB 822 is preempted by federal law and therefore violates the Supremacy Clause of the United States Constitution.

Specifically, the federal government argues that FCC’s Restoring Internet Freedom, 33 FCC Rcd 311 (2018) (“2018 Order”) direct preempts SB-882 and that SB-822 “conflicts with and otherwise impedes the accomplishment and execution of the full purposes and objectives of the federal law.”

In its suit against California, the DOJ makes the point that California, among other states, has filed suit against the FCC to overturn the 2018 Order.  But until the 2018 Order is overturned by the Court, it is the law of the land and that law precludes states like California to enact their own net neutrality rules.

Additionally, a recent Eight Circuit decision -  Charter Advanced Servs. (MN), LLC v. Lange, No. 17-2290, 2018 WL 4260322, at *1 (8th Cir. Sept. 7, 2018)  - may provide the DOJ some steam in its suit against California.  How a service is classified affects a state’s ability to regulate the service. Telecommunications services are generally subject to dual state and federal regulation, whereas information services are subject to federal law and any state regulation to the contrary is preempted by federal law.  In Charter, the Court found that Charter Advance Service LLC’s Voice Over Internet Protocol (VOIP) is an “information service” under the federal Telecommunications Act and thus preempts state regulation.  Thus, the argument goes that the FCC’s classification of broadband Internet access as “information services” means that any state regulation is preempted by federal law.

The DOJ’s lawsuit against California is of great importance as it will be the litmus test for other states who seek to enact their own net neutrality rules after the roll back of Obama-Era net neutrality rules by the Trump administration.  As of October 2, 2018, 30 states have introduced over 72 bills on the issue of net neutrality.  Governors in six states (Hawaii, New Jersey, New York, Montana, Rhode Island, Vermont) have signed executed orders on net neutrality.  Moreover, three states – Oregon, Vermont, and Washington – have enacted net neutrality legislation. See http://www.ncsl.org/research/telecommunications-and-information-technology/net-neutrality-legislation-in-states.aspx

The Court has issued a hearing on the DOJ’s preliminary injunction motion for Wednesday, November 14, 2018.  We’ll keep an eye on this case for you. 










Thursday, August 2, 2018, 11:50 AM

NDAA Includes Prohibitions on Certain Telecom, Video Surveillance Equipment


By Marty Stern

Congress yesterday passed the 2019 National Defense Authorization Act (NDAA), which includes a section on prohibitions ofcertain telecommunications and video surveillance equipment (Sec. 889).  The bill is expected to be signed into law by the President shortly.   

The bill’s prohibitions explicitly cover the use of ZTE and Huawei telecommunications equipment and services and video surveillance equipment of several other manufacturers, in government procurements as well as in government-funded projects.  In addition, the provision’s prohibitions also cover telecommunications equipment and services and video surveillance equipment of any entity that the Secretary of Defense believes is owned or controlled by or connected with China.

Here’s a very quick overview.

At a high level, the provision prohibits government agencies from (1) procuring or extending contracts for “covered telecommunications equipment or services” effective 1 year from enactment (2) or making loans or grants used in the procurement of covered telecommunications equipment or services, effective 2 years from enactment.   Our understanding is that the loan/grant prohibitions would apply to a host of government programs used to fund telecom and broadband-related infrastructure such as the Rural Utilities Service telecom and broadband programs and FCC universal service funding programs.

Covered equipment and services are initially limited to telecom equipment produced by Huawei and ZTE, and video surveillance and telecom equipment produced by Hytera Communications, Hangzhou Hikvision Digital Technology Co. and Dahua Technology Co.  Importantly,  however, the legislation specifically authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to add the telecommunications or video surveillance equipment or services of any entity the Secretary believes to be owned or controlled by or otherwise connected to China.  Obviously it is this last provision that is the greatest concern to Chinese manufacturers in the telecom and video surveillance space, as it potentially extends the coverage of the prohibitions to other Chinese-related entities that provide telecom or video surveillance equipment or services, with little definition and no specified process.

For companies receiving government funding or grants that use covered equipment in their networks, the provision also includes a section that directs funding agencies to prioritize available funds to assist companies in transitioning from prohibited equipment to replacement equipment.   The provision also includes a few exceptions, including one that exempts the equipment of third party providers that have wireless roaming, backhaul, interconnection and similar arrangements with entities that have government contracts or government grants or loans.  The section also makes provision for a couple of different waivers by agency heads, as well as by the Director of National Intelligence.

Tuesday, July 31, 2018, 10:28 AM

Cable Price Survey Launched as FCC Gears up for Inaugural Communications Marketplace Report

By Kevin Kay


The FCC’s Media Bureau has adopted an Order initiating an industry survey on cable prices.  Survey feedback will feature in the first installment of the Communications Marketplace Report, which the Commission is required to submit to Congress in the last quarter of every even-numbered year, pursuant to the omnibus budget bill passed in March.  The consolidated biennial report replaces the eight separate reports on competition among communications service providers that the FCC was previously required to submit.


The Order directs a random sample of cable operators to respond to a price survey questionnaire about basic service rates, cable programming service, and equipment.  The survey asks about an operator’s monthly charge for basic service and expanded basic service as of January 1, 2017 and January 1, 2018.  It also requests information on other factors such as the monthly equipment charge, number of subscribers, number of channels offered on each level of service, availability of advanced services such as Internet access, and channel lineups.  In addition to being included in the Communications Marketplace Report, the survey data will be made publicly available in aggregate form as averages representing segments of the industry.


Instructions for completing the questionnaire are attached to the Order as Appendix B.  Cable operators selected for the survey must complete and file the questionnaire by September 14, 2018.

Thursday, July 12, 2018, 10:32 AM

Supreme Court Remands Berkeley Cell Phone Case to Ninth Circuit

By Kevin Kay


The Supreme Court has vacated the U.S. Court of Appeals for the Ninth Circuit’s decision upholding a Berkeley, California ordinance requiring cell phone retailers to warn customers about potential radiofrequency (RF) safety risks when carrying a cell phone close to the body.  The “right to know” law, in effect since March 2016, requires cell phone retailers to give consumers a handout that informs them of their devices’ RF exposure risks and directs them to read their cell phone manufacturers’ safety instructions.  In April 2017, the Ninth Circuit denied CTIA’s request to block the ordinance, finding that CTIA was unlikely to succeed on its claims that the ordinance was preempted by federal law and that it violated the First Amendment.  The Supreme Court remanded the case to the Ninth Circuit for further consideration in light of the Court’s recent decision in another case, National Institute of Family and Life Advocates v. Becerra.

Wednesday, June 27, 2018, 11:37 AM

Supreme Court: Warrant Now Required to Obtain Historical Cell Site Location Information

By Marjorie Spivak


In a landmark 5–4 decision, the Supreme Court of the U.S. (Court) has reversed the decision of the U.S. Court of Appeals for the Sixth Circuit holding that generally, the government’s acquisition of historical cell site location information (CSLI) is a Fourth Amendment search that requires a warrant.1


Bottom Line: The Supreme Court’s decision dramatically expands the scope of the Fourth Amendment in an attempt to modernize it, and provides new safeguards to the right of privacy. The decision and dissents, with the exception of Chief Justice Roberts, reflect party lines with the majority opinion supported by Justices appointed by Democratic Presidents, and the dissents written by Justices appointed by Republican Presidents.  While the impact on Law Enforcement (LE) will be immediate, the potential impact on the private use of consumer data will likely invite future policy battles and litigation.


Background

This case stems from the conviction of Timothy Carpenter of a series of robberies in Michigan and Detroit. In 2011, LE arrested four men suspected of robbing a series of Radio Shack and T-Mobile stores in Detroit, Michigan. One of the men confessed that a group of men had robbed nine different stores in Michigan and Ohio and identified accomplices and gave LE their cell phone numbers. Based on that information, prosecutors sought court orders under the Stored Communications Act to obtain the cell phone records for Timothy Carpenter and other suspects.2 Under that statute, the government must present specific and articulable facts showing that there are reasonable grounds to believe that the records sought are relevant and material to an ongoing criminal investigation. LE obtained two court orders directing Carpenter’s wireless carriers to disclose historical CSLI for Carpenter. The first order sought 152 days of CSLI records which produced 127 days of records and the second order requested seven days of CSLI which produced two days of records.


Carpenter was charged with six counts of robbery. Prior to trial, Carpenter moved to suppress the cell-site data provided by the wireless carriers, arguing that the government’s seizure of the records violated the Fourth Amendment because they had been obtained without a warrant supported by probable cause. LE argued that Carpenter lost his right to privacy in the CSLI because he voluntarily turned the records over to third parties. The lower district court denied Carpenter’s motion, and LE used the CSLI records to support a conviction showing Carpenter in the locations of the robberies at that time they occurred. Carpenter was convicted. The U.S. Court of Appeals for the Sixth Circuit affirmed the lower court holding, affirming that Carpenter lacked a reasonable expectation of privacy in the CSLI collected because he shared that information with his wireless carriers.3 Given that cell phone users voluntarily convey cell-site data to their carriers to establish communications, the Sixth Circuit concluded that under the third party doctrine, the CSLI amounted to business records not entitled to Fourth Amendment protection. The Supreme Court granted certiorari.



Majority Opinion

The Court framed the question presented as whether government conducts a search under the Fourth Amendment when it accesses historical CSLI records that provide a comprehensive chronicle of the user’s past movements. The Court’s answer, in an opinion authored by Chief Justice John Roberts, is that the government’s acquisition of Carpenter’s CSLI records was a Fourth Amendment search requiring a warrant. Justice Roberts explains that each time a phone connects to a cell site, it generates a time-stamped record known as CSLI which wireless carriers collect and store for their own business purposes. The Court explains that the history of the Fourth Amendment seeks to protect the rights of people to be secure in their person, houses, paper and effects, against unreasonable searches and seizures. According to the Court, the basic purpose of the Fourth Amendment is to safeguard the privacy and security of individuals against arbitrary invasions by governmental officials. While originally grounded in property rights, the Fourth Amendment protects not only property interests but certain expectations of privacy.4 When an individual seeks to preserve something as private, and this expectation of privacy is recognized by society as reasonable, the Court has held that government intrusion into that private sphere qualifies as a search and requires a warrant supported by probable cause.5


Although there is no definitive list of which expectations of privacy are entitled to protection, according to the Court, the analysis is informed by historical understandings of what was deemed an unreasonable search and seizure when the Fourth Amendment was adopted. The Court provides a framework with two basic principles: (1) the Amendment seeks to secure the privacies of life against arbitrary power;6 and (2) relatedly, a central aim of the Framers was to place obstacles in the way of too permeating police surveillance.7 As technology has enhanced the government’s capacity to encroach upon areas normally guarded, the Court has sought to assure preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.8


The Court claims that personal location information maintained by a third party does not fit neatly under existing precedent but lies at the intersection of two lines of cases. The first line addresses a person’s expectation of privacy in his physical location, and the second addresses a person’s expectation of privacy in information voluntarily turned over to third parties. Justice Roberts frames the issue as how to apply the Fourth Amendment to a new phenomenon: the ability to chronicle a person’s past movements through the record of his cell phone signals. Much like GPS tracking of a vehicle, CSLI is detailed and effortlessly compiled. At the same time, that the individual continuously reveals his location to his wireless carrier implicates the third party doctrine which holds where a person voluntarily provides information to a third party there is no expectation of privacy.


Expectation of Privacy in Physical Location
The Court states that it has already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements.9 The Court explains that society’s expectation has been that LE would not or simply could not, secretly monitor and catalogue every single movement of an individual’s car for a long period. In Kyllo, the Court rejected a mechanical interpretation of the Fourth Amendment and held that the use of a thermal imaging device to detect drugs from heat radiating inside a defendant’s home was tantamount to a search. Similarly, in Riley, recognizing the immense storage capacity of modern cell phones, the Court held that LE must generally obtain a warrant before searching the contents of a cell phone.10 In the GPS context, the Court held that the government’s installation of a GPS tracking device on a target's vehicle to monitor the vehicle's movements constitutes a search.


The Court asserts that allowing government access to CSLI records contravenes that expectation. Although CSLI records are generated for commercial purposes, according to the Court, that distinction does not negate Carpenter’s anticipation of privacy in his physical location. Here, mapping a cell phone’s location over the course of 127 days provides an all-encompassing record of the holder’s whereabouts. As with GPS information, the time stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.11 In short, Justice Roberts asserts that historical cell-site records present even greater privacy concerns than the GPS monitoring of a vehicle previously considered because when the government tracks the location of a cell phone, it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user. With access to CSLI, the government can travel back in time to retrace a person’s whereabouts, subject only to the retention polices of the wireless carriers, which the Court suggests is five years.12 Accordingly, the Court concludes that when the government accessed CSLI from the wireless carriers, it invaded Carpenter’s reasonable expectation of privacy in the whole of his physical movements.


Voluntary Disclosure to a Third Party
As to the voluntary disclosure to a third party, the Court states that it has drawn a line between what a person keeps private and what he shares with others, holding that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. Under the third party doctrine, the government is typically free to obtain shared information from the recipient without triggering Fourth Amendment protections. The third party doctrine is rooted in the Miller case where the Court rejected a Fourth Amendment challenge to the collection of bank records.13 The Court applied the same principles regarding information conveyed to a telephone company holding that the government’s use of a pen register that recorded outgoing phone numbers on a landline telephone was not a search.14 Noting the limited capabilities of pen registers, the Court concluded that people did not have an expectation of privacy in the numbers they dial since they know the numbers are used by the telco for a variety of business purposes, including call routing.


While the government contends that the third-party doctrine governs this case because cell-site records are business records created and maintained by the wireless carriers, the Court states that the government fails to account for the seismic shifts in digital technology that allows the tracking of not only Carpenter’s location for short periods but for years. In the Court’s view, the government does not ask for a straightforward application of the third party doctrine but instead seeks a significant extension to cover a distinct category of information. Recognizing that the third party doctrine stems from the notion that an individual has a reduced expectation of privacy in information knowingly shared with another, the Court distinguishes this case from Smith and Miller based on the nature of the information. In Smith and Miller, the Court did not rely solely on the act of sharing but rather the limited nature of the particular documents sought (i.e., a pen register and bank records contain limited identifying information). Here, the Court suggests that there are no comparable limitations on the revealing nature of CSLI. Justice Robert states, “There is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today.”


The Court also rejects the rationale of voluntary exposure under the third-party doctrine. The Court asserts that CSLI is not truly shared because cell phones log a cell-site record automatically without any affirmative act of the user. “In light of the deeply revealing nature of CSLI,” Chief Justice Roberts writes, “its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.” The Court concludes that given the unique nature of CSLI, that the government obtained the information from a third party does not overcome Carpenter’s claim to Fourth Amendment protection.


Holding
As the government did not obtain a warrant supported by probable cause before acquiring Carpenter’s cell-site records, but acquired the records pursuant to a court order requiring a showing of reasonable grounds, the showing falls short of the probable cause required for a warrant. As the Court usually requires “some quantum of individualized suspicion” before a search or seizure may take place, an order issued under the Stored Communications Act is not a permissible mechanism for accessing historical cell-site records. LE must obtain a warrant before compelling a wireless carrier to turn over a subscriber’s CSLI.15 Accordingly, the Court reversed and remanded the case for further proceedings consistent with its holding.



Conclusion

The Court did note that even though the government will generally need a warrant to access CSLI, case-specific exceptions may support a warrantless search of CSLI records such as exigent circumstances where LE needs are so compelling that a warrantless search is objectively reasonable under the Fourth Amendment. In addition, the Court cautions that its decision is a narrow one stating that it does express a view on matters not before it including real-time CSLI or “tower dumps” (a download of information on all the devices that connected to a particular cell site during a particular interval). The Court also clarifies that it does not disturb the application of Smith and Miller or call into question conventional surveillance tools, such as security cameras. Nor does the Court address other business records that might incidentally reveal location information. Further, the Court asserts that its opinion does not consider other collection techniques involving foreign affairs or national security.


The Court’s opinion is 119 pages, with the traditionally more liberal Justices (Justices Ruth Bader Ginsburg, Stephen Breyer, Sonia Sotomayor and Elena Kagan) joining the majority opinion. Separate dissenting opinions were written by Justices Anthony Kennedy, Clarence Thomas, Samuel Alito and Neil Gorsuch. Justices Thomas and Gorsuch both argue that the Court has moved beyond what the framers intended the Fourth Amendment to protect. Justice Alito, while sharing some of the majority’s concerns, argues that the Court overreacted to new technology and will guarantee a blizzard of litigation while threatening many legitimate and valuable investigative practices upon which LE rely. And, Justice Kennedy argues that the Court has unhinged the Fourth Amendment from the longstanding property-based concepts and that the decision is inconsistent with earlier rulings finding people have no protections for records from third parties, from banks to cellphone companies.



For more information, please contact Marjorie Spivak at marjorie.spivak@wbd.com.


1 Carpenter v. United States, ___ U.S. ___ No. 16–402 (June 22, 2018).
2 18 U. S. C. §2703(d).
3 Carpenter v. United States, 819 F. 3d 880 (2016).
4 Katz v. United States, 389 U. S. 347 (1967).
5 Smith v Maryland, 442 U.S. 735 (1979).
6 Boyd v. United States, 116 U. S. 616, 630 (1886).
7 United States v. Di Re, 332 U. S. 581, 595 (1948).
8 Kyllo v. United States, 533 U. S. 274 (2001).
9 Jones, 565 U. S. at 430
10 Riley v. California, 573 U. S. ___, ___ (2014) (slip op., at 27). No. 13–132
11 Jones, 565 U. S. at 415.
12 The Court notes that while the records in this case reflect the current state of technology, the accuracy of CSLI is approaching GPS-level precision, and the Court must take into account more sophisticated technology being developed.
13 United States v. Miller, 425 U. S. 435 (1976).
14 Smith v. Maryland, 442 U.S. 735 (1979).
15 The Court notes that the ultimate measure of the constitutionality of a governmental search is reasonableness, and warrantless searches are typically unreasonable where a search is undertaken by LE to discover evidence of criminal wrongdoing.





Friday, June 22, 2018, 12:33 PM

Are Call Blocking Tools Working? The FCC Seeks Input on The Progress of Robocalling Initiatives

By Rebecca Jacobs Goldman


The Consumer and Governmental Affairs Bureau of the FCC is seeking input on the progress of robocalling initiatives from the government, industry and consumers for a staff report that it plans to prepare in conjunction with the FTC’s Bureau of Consumer Protection. The report was mandated by the FCC in its November 2017 Call Blocking Order, which adopted rules allowing voice service providers to block calls from certain phone numbers as an effort to combat robocalling.


Specifically, the Public Notice seeks data on the types of blocking providers have been using since the Call Blocking Order took effect in 2018 and the progress of SHAKEN/STIR, an industry-developed set of protocols and operational procedures for caller ID authentication, which we’ve previously discussed here in TCPAland. In addition, the Bureau is asking for details on tools voice service providers and third parties have been developing to identify and block unlawful robocalls, such as call labelling products which purport to identify when a call is coming from an unlawful robocaller.


Outside of data on call blocking efforts, the Bureau is also seeking general data on trends in unlawful robocalling and the effectiveness of traceback — a tool intended to be used for identifying unlawful robocallers.


Comments are due: July 20, 2018


Reply Comments are due: August 20, 2018

Monday, June 18, 2018, 12:44 PM

LabMD Ruling Heralds a New Era in Data Security Regulation

By Ted Claypoole


Companies have a responsibility to protect the sensitive employee and consumer data they hold, but we do not know how much of their revenues must be spent on this effort before it is considered enough. We do not know what protections meet the legal requirements to secure the personal data of others. A new case may change the way these matters are considered, applied and litigated for data security breaches.


On June 6, the Eleventh Circuit Court of Appeals ruled that the FTC could not enforce its injunction ordering LabMD to “complete[ly] overhaul” LabMD’s data security program.The Eleventh Circuit made the ruling on technical grounds, but this decision could have far-reaching substantive implications in the field of data security. It may be read as the first US case to insist that reasonable standards be prescribed by regulators who attempt to remedy inadequate personal data protection by companies.


The Court did NOT rule on whether the FTC can force companies to improve data security as part of its UDAP enforcement power. The Third Circuit in the 2015 Wyndham case confirmed the FTC’s authority to regulate failures in data security as a UDAP violation, and that opinion was not questioned by the LabMD Court. To date, when the FTC ruled that a company’s security lapse rose to the level of a UDAP violation, the FTC has been able to resolve the matter with vague orders to make things better. But this may not be possible after the LabMD case.


The LabMD Court struck down the FTC’s current practice in these cases but did not propose or prescribe a clear alternative. In essence, the LabMD Court ruled where FTC finds that failure to plan adequate data security becomes unfair or deceptive to consumers, the FTC can’t enforce its decision by ordering broad, non-specific changes affecting security across the entire defendant’s business. Without using the term, the Eleventh Circuit decided that there must be standards for a business to follow, and those standards are best set forth by either the FTC or by Congress itself.


So where does this leave the FTC, whose previous chair, Maureen Ohlhausen, avowed to change the agency’s past practices and to only address tangible harms, to exercise regulatory humility, and to foster business innovation? Whoever is serving as Commissioners, the current administration has been clear that its priorities are for an FTC that is less aggressive in its filings against private companies. It is likely that in the next three years the FTC will only take up cases against companies experiencing major security breaches where it can be established that actual harm from security failures befell affected consumers. Even then, we may not see FTC action against companies where otherwise we would have expected it.


The LabMD case plays into this directional lean by the agency. Thus far, no court or agency has been eager to propose that a broadly defined set of data security standards was required of US businesses, and highly specific sets of standards tend to fall flat, because 1) the risks and technologies are ever-changing, and 2) each defendant company’s data and resources will vary widely. Courts have not yet been forced to rule on what adequate security standards look like for any specific business.


This has had the effect of imposing nearly strict liability on any company that suffers an attack from outside forces – if no standards are set forth, then regulators can simply assume that a data breach proves that security was unlawfully inadequate. But this is the same as suggesting that the simple fact that a shopper falls in a grocery store means that the store was clearly negligent in maintaining its floors. This has never been the way US tort litigation has worked. This de facto strict liability has only been apparently applied for data breaches because none of the damage claims in these cases have been fully litigated. Each major data breach UDAP case has been settled, thrown out for lack of damages, or upheld an administrative finding with no specific standards defined and applied.


The LabMD Court has blasted this status quo, demanding that where regulators meddle in a company’s data security policy decisions, they do so with some specific standards laid out for the world to see. This will make FTC enforcement in this space even rarer and difficult. So we are likely to see movement in data security UDAP violations in the near future to arise at a state-by-state process, and likely to see more emphasis on what a company should be doing right, and not simply what it was doing wrong.
back to top