Cybersecurity in the UK: “Worse Than Scary”

This week, the House of Lords passed the Investigatory Powers Bill, which is likely to become law within weeks. One year ago, the UN’s special rapporteur on privacy, Joseph Cannataci, described the bill as “just a bit worse than scary.”  Some provisions of the bill include:

Continue reading

Face Recognition Technology

Last month, I had the opportunity to attend Northern Kentucky University’s 9th Annual Cybersecurity Symposium. One of the excellent speakers, Zachary S. Heck (IU Maurer Law grad, ’14, magna cum laude), provided a timely and enlightening presentation on “Biometrics: With Great Data Comes Greater Cybersecurity Responsibility.”  Zach is an attorney in the Dayton office of Faruki, Ireland, and Cox.  You can read more from Zach and his colleagues on his law firm’s blog.

Zach’s presentation was particularly timely because a few days before the conference, the Georgetown Law Center on Privacy & Technology issued a comprehensive report on law enforcement use of face recognition technology titled, The Perpetual Line-Up: Unregulated Police Face Recognition in America (Oct. 18, 2016).  The report includes the following conclusions.  First, in the context of law enforcement, the “benefits of face recognition are real” and this “report does not aim to stop” the use of this biometric technology.  Second, there is little, if any, regulation, transparency, or accountability of law enforcement use of face recognition databases; and, this must change to ensure the rights of individuals are not violated.  The report offers several recommendations, model face recognition legislation, and a model use policy that law enforcement agencies could adopt.

To be sure, the Georgetown report is not a solution in search of a problem.  In September 2016, the Associated Press published an article titled, “Across US, Police Officers Abuse Confidential Databases.” Also in September 2016, the Eighth Circuit Federal Court of Appeals noted that a Minnesota legislative auditor’s report found that “at least half of Minnesota’s law enforcement officers were misusing personal information in the [state’s motor vehicle registration] database.” Tichich v. City of Bloomington, 835 F.3d 856, 866 (8th Cir. 2016).

Finally, I had the pleasure of reconnecting with a great friend and former colleague at the NKU Cybersecurity conference, Joe Dehner. Joe is a Member in the Cincinnati office of Frost Brown Todd.  Joe’s has an exciting and useful podcast, called the “Data Privacy Detective.” You can listen to Episode 6 of the the Data Privacy Detective, which provides my brief thoughts on the Georgetown “Perpetual Line-Up” report, including possible First and Fourth Amendment concerns that the use of face recognition technology implicates.

Australian Cybersecurity Leader Highlights Importance of Public-Private Partnerships

Today, Michelle Price shared inspiring remarks about her experience and vision for cybersecurity at the Indiana University Maurer School of Law. Price is currently a Senior Adviser for Cyber Security at the Australian National University’s National Security College.  She is on secondment from the Department of the Prime Minister and Cabinet. You can follow Michelle Price on Twitter @Mich1175.  Here are some highlights from remarks earlier today.

price-michelle-2016-11-10-01

Michelle Price at IU Maurer School of Law, November 10, 2016

Continue reading

Will Congress Finally Pass Cybersecurity Legislation?

Congress is back in session, so I thought now would be a good time to talk about the Cybersecurity Information Sharing Act (CISA), one of the more prominent bills believed to be a high priority among party leaders (assuming there isn’t a shutdown). The timing for the bill is excellent, with the Ashley Madison hack fresh in our minds, but its passage is currently opposed by several privacy and civil liberties organizations, with the Electronic Frontier Foundation even starting a campaign against the law. And while I like the EFF, I like arguing more, and I happen to disagree with them on this point. Cybersecurity legislation has proved to be surprisingly difficult to pass in recent years, primarily because it always seems to implicate other civil liberties. Yet I don’t think the necessity of modern cybersecurity legislation is up for debate. So let’s dive in. Continue reading

SCOTUS and Privacy: Spokeo v. Robins

The Supreme Court has been on a roll this past week. Obergefell v. Hodges found that same-sex marriage is a fundamental right and therefore legal in all 50 states; King v. Burwell upheld Obamacare (I would encourage you to also read Justice Scalia’s dissent); Kimble v. Marvel gave us some wonderful Supreme Court Spiderman puns; and Los Angeles v. Patel resolved a case with potentially major privacy ramifications in a manner that was decidedly uneventful. As such, I thought this would be a good time to talk about an upcoming Supreme Court case involving consumer privacy: Spokeo v. Robins. Spokeo is a corporate challenge to class action lawsuits that are based purely on statutory violations: basically, it asks if consumers can sue a company for shady privacy practices even if they cannot show that anything bad happened. This case is potentially a big deal, particularly for big business, and so its worth a closer look.  Continue reading