Privacy

Digital Millennium Copyright Act Exemptions Announced

Zach Berger, MJLST Staffer

The Digital Millennium Copyright Act (DMCA) first enacted in 1998, prevents owners of digital devices from making use of these devices in any way that the copyright holder does not explicitly permit. Codified in part in 17 U.S.C. § 1201, the DMCA makes it illegal to circumvent digital security measures that prevent unauthorized access to copyrighted works such has movies, video games, and computer programs. This law prevents users from breaking what is known as access controls, even if the purpose would fall under lawful fair use. According to the Electronic Frontier Foundation’s (a nonprofit digital rights organization) staff attorney Kit Walsh, “This ‘access control’ rule is supposed to protect against unlawful copying. But as we’ve seen in the recent Volkswagen scandal . . . it can be used instead to hide wrongdoing hidden in computer code.” Essentially, everything not explicitly permitted is forbidden.

However, these restrictions are not iron clad. Every three years, users are allowed to request exemptions to this law for lawful fair uses from the Library of Congress (LOC), but these exemptions are not easy to receive. In order to receive an exemption, activists must not only propose new exemptions, but also plead for ones already granted to be continued. The system is flawed, as users often need to have a way to circumvent their devices to make full use of the products. However, the LOC has recently released its new list of exemptions, and this expanded list represents a small victory for digital rights activists.

The exemptions granted will go into effect in 2016, and cover 22 types of uses affecting movies, e-books, smart phones, tablets, video games and even cars. Some of the highlights of the exemptions are as follows:

  • Movies where circumvention is used in order to make use of short portions of the motion pictures:
    • For educational uses by University and grade school instructors and students.
    • For e-books offering film analysis
    • For uses in noncommercial videos
  • Smart devices
    • Can “jailbreak” these devices to allow them to interoperate with or remove software applications, allows phones to be unlocked from their carrier
    • Such devices include, smart phones, televisions, and tablets or other mobile computing devices
      • In 2012, jailbreaking smartphones was allowed, but not tablets. This distinction has been removed.
    • Video Games
      • Fan operated online servers are now allowed to support video games once the publishers shut down official servers.
        • However, this only applies to games that would be made nearly unplayable without the servers.
      • Museums, libraries, and archives can go a step further by jailbreaking games as needed to get them functioning properly again.
    • Computer programs that operate things primarily designed for use by individual consumers, for purposes of diagnosis, repair, and modification
      • This includes voting machines, automobiles, and implantation medical devices.
    • Computer programs that control automobiles, for purposes of diagnosis, repair, and modification of the vehicle

These new exemptions are a small, but significant victory for consumers under the DMCA. The ability to analyze your automotive software is especially relevant in the wake of the aforementioned Volkswagen emissions scandal. However, the exemptions are subject to some important caveats. For example, only video games that are almost completely unplayable can have user made servers. This means that games where only an online multiplayer feature is lost, such servers are not allowed. A better long-term solution is clearly needed, as this burdensome process is flawed and has led to what the EFF has called “unintended consequences.” Regardless, as long as we still have this draconian law, exemptions will be welcomed. To read the final rule, register’s recommendation, and introduction (which provides a general overview) click here.


“DRONE WARS”: THE BATTLE for MIDWESTERN SKIES

Travis Waller, MJLST Staffer

Given the new Star Wars: The Force Awakens film upcoming this December, introducing a discussion on recent policies involving drone regulation seemed like a worthwhile addition to this week’s blog.

While the robotic “drones” of our day and age are certainly not cut from the same titanium alloy as George Lucas’ quasi-humanoid “droid” characters in many of his films, North Dakota may well be on it’s way to starting it’s own “robotic army” of sorts.

A friend and colleague from the University of Connecticut School of Law brought to my attention an article by Ben Woods, discussing the 2015 ND House Bill proposing the arming of drones with “non-lethal weaponry” for police functions. With the shocking amount of police deaths reported in this country last year, North Dakota may well be leading the way in finding an innovative alternative to placing human officers in potentially dangerous confrontations. However, this benefit does not come without a cost. As presented in a segment by Ashley Maas of the NY Times, drone regulation is still up in the air (excuse the pun). Only within the last year has the FAA determined that they are able to take action against civilian violators of drone regulations.

Moreover, with recent reports involving the hacking of automated vehicles, as well as Maas’ examples of civilians using drone technology for less than constructive purposes, placing dangerous technology on these machines may well develop into a major public policy concern.

While it is this author’s humble opinion that a fair amount of time exists before we, as a people, need be concerned with an Invasion of Naboo type situation, this may be exactly the type of situation where more time is needed to allow for the security measures around the technology, as well as the legal infrastructure surrounding drone regulation, to catch up to the state legislatures hopes for drone usage. As the matter stands now, allowing drones to be used in a police capacity risks a host of possible problems, including potential 4th amendment violations, and even increasing an already shockingly high risk of civilian causalities related to police activity.

With the law having already gone into effect on August 1st of this year, we will just have to wait and see how these issues play out.

Until next time,

-Travis

*Special Thanks to Monica Laskos, University of Connecticut School of Law ’17, for the idea to pursue this topic.


Digital Privacy in Autonomous Vehicles

Steven Groschen, MJLST Managing Editor

The introduction of autonomous vehicles is likely to have a widespread effect on laws related to road travel. Theoretically, a well-functioning driverless car will never speed or run a red light. Thus, driverless cars are less likely to be pulled over. But what if an autonomous vehicle is pulled over and the officer wishes to perform a search of the automated system? Clues to how a court might handle this scenario are contained in Riley v. California.

Riley v. California, 134 S.Ct. 2473 (2014), explored the amount of protection digital content residing on an electronic device receives from unreasonable searches and seizures during a lawful arrest. The Supreme Court examined two independent fact patterns involving police officers searching an arrestee’s cellphone without a warrant. In the first fact pattern, an officer seized an individual’s cellphone in the course of an arrest and proceeded to electronically search through the contact list and pictures on the device. This search yielded evidence of gang related activity which was later used to convict the individual. In the second fact pattern, a police officer searched the phone of an individual, whom was also under arrest, and located a contact entry titled “my house.” The police used the phone number in the contact entry to discover the arrestee’s address. This information and a few other pieces of evidence taken from the phone helped the police secure a warrant to search the arrestee’s home.

The Riley decision made two holdings potentially relevant to autonomous cars. First, the court held that during a lawful arrest a warrant is generally required before searching the digital content on a cellphone. Second, the court suggested this protection is for the digital content and not necessarily the cellphone itself. These holdings can be interpreted as providing protection for digital content contained within automated driving systems. As a result, a plausible argument exists that, in the future, an officer will need a warrant before searching the digital content of an autonomous vehicle.

Predicting with any level of certainty how a court will handle digital content on an autonomous vehicle is difficult. Nonetheless, the discussion is important because autonomous vehicles are likely to become ubiquitous on the roadways in the next few decades. These vehicles will contain sensitive information such as route history and a log of the car’s actions. It is important to continue debating what privacy rights owners can and should expect regarding their future cars.

For an in-depth look at Riley and its implications for digital content contained in autonomous vehicles, see Sarah Aue Palodichuk’s article entitled “Driving into the Digital Age: How SDVs Will Change the Law and Its Enforcement.”


The Shift Toward Data Privacy: Workplace, Evidence, and Death

<Ryan Pesch, MJLST Staff Member

I’m sure I am not alone in remembering the constant urgings to be careful what I post online. I was told not to send anything in an email I wouldn’t want made public, and I guess it made some sense that the internet was commonly viewed as a sort of public forum. It was the place teens went to be relieve their angst, to post pictures, and to exchange messages. But the demographic of people that use the internet is constantly growing. My mom and sister communicate their garden interests using Pinterest (despite the fact that my mom needs help to download her new podcasts), and as yesterday’s teens become today’s adults, what people are comfortable putting online continues to expand. For example, the advent of online finances illustrate that the online world is about so much more than frivolity. The truth of the matter is that the internet shapes the way we think about ourselves. And as Lisa Durham Taylor observed in her article for MJLST in the spring of 2014, the courts are taking notice.

The article concerns the role of internet privacy in the employment context, noting that where once a company could monitor its employee’s computer activity with impunity (after all, it was being done on the company time and with company resources), courts have recently realized that the internet stands for more than dalliance. In it, Taylor notes that the connectedness of employees brings with it both advantages and disadvantages to the corporation. It both helps and hinders productivity, offering a more efficient way of accomplishing a task, but providing the material for procrastination in an accompanying hand. When the line blurs, and people start using company time for personal acts, the line-drawing can get tricky. Companies have an important interest in preserving the confidentiality of their work, but courts have recently been drawing the lines to favor the employee over the employer. This is in stark contrast to the early decisions, which gave companies a broad right to discharge an “at-will” employee and found that there was no expectation of privacy in the workplace. Luckily, courts are beginning to recognize that the nature of a person’s online interactions make the company’s snooping more analogous to going through an employee’s personal possessions than it is to monitoring an employee’s efficiency.

I would add into the picture the recently-decided Supreme Court case of Riley v. California, where the Court held that a police needed a warrant to search a suspect’s phone. The Court said that there was not reasonable cause to search a cell phone because the nature of the technology means that the police would be violating more than necessary to conduct normal business. They likened it to previous restrictions which prevented police from searching locked possessions incident to arrest, and sarcastically observed that cell phones have become “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” The “vast quantities of personal information” and the fact that the phone itself is not a weapon make its taking unjustified in the course of a normal search.

This respect for the data of individuals seems to be signaling a new and incredibly complicated age of law. When does a person have the right to protect their data? When can that protection be broken? As discussed in a recent post on this blog, there is an ongoing debate about what to do with the data of decedents. To me, a conservative approach makes the most sense, especially in context with the cases discussed by Lisa Taylor and the decision in Riley v. California. However, courts have sided with those seeking access because the nature of a will grants the property of the deceased to the heirs, which has been extended to online “property.” What Rebecca Cummings points out to help swing the balance back in favor of privacy, is that it is not just the property of the deceased to which you are granting access. The nature of email means that a person’s inbox has copies of letters from others which may have never been intended for the eyes of someone else.

I can only imagine the number of people who, had they the presence of mind to consider this eventuality, would act differently either in the writing of their will or their management of their communications. I am sure that this is already something lawyers advise their clients about when discussing their plans for their estate, but for many, death comes before they have the chance to fully consider these things. As generations who have grown up on the internet start to encounter the issue in earnest, I have no doubt that the message will spread, but I can’t help but feel it should be spreading already. So: what would your heirs find tucked away in the back of your online closet? And if the answer to that is something you’d rather not think about, perhaps we should support the shift to privacy in more aspects of the digital world.


I’m Not a Doctor, But…: E-Health Records Issues for Attorneys

Ke Huang, MJLST Lead Articles Editor

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) generally provides that, by 2015, healthcare providers must comply with the Act’s electronic health record (EHR) benchmarks, or, the government would reduce these providers’ Medicare payments by one percent.

These provisions of the HITECH Act are more than a health policy footnote. Especially for attorneys, the growing use of EHRs raises several legal issues. Indeed, in Volume 10, Issue 1 of the Minnesota Journal of Law, Science & Technology, published six years ago, Kari Bomash analyzes the consequence of EHRs in three legal-related aspects. In Privacy and Public Health in the Information Age, Bomash discusses how a Minnesota Health Records Act amendment relates to: (1) privacy, especially consent of patients, (2) data security (Bomash was almost prescient given the growing security concerns), and (3) data use regulations that affect medical doctors.

Bomash’s discussion is not exhaustive. EHRs also raise legal issues running the gamut of intellectual property, e-discovery, to malpractice. Given that software runs EHRs, IP industry is very much implicated. So much so that some proponents of EHR even support open source. (Another MJLST Article explains the concept of open source.)

E-discovery may be more straightforward. Like other legal parties maintaining electronic stored information, health entities storing EHR must comply with court laws governing discovery.

And malpractice? One doctor suggested in a recent Wall Street Journal op-ed that EHR interferes with a doctor’s quality of care. Since quality of care, or lack thereof, is correlated with malpractice actions, commentators raised the concern that EHR could raise malpractice actions. A 2010 New England Journal of Medicine study addressed this topic but could not provide a conclusive answer.

Even my personal experience with EHRs is one of the reasons that lead me to want to become an attorney. As a child growing up in an immigrant community, I often accompanied adult immigrants, to interpret in contract closings, small-business transactions, and even clinic visits. Helping in those matters sparked my interest in law. In one of the clinic visits, I noticed that an EHR print-out of my female cousin stated that she was male. I explained the error to her.

“I suppose you have to ask them to change it, then,” she said.

I did. I learned from talking to the clinic administrator the EHR software was programmed to recognize female names, and, for names that were ambiguous, as was my cousin’s, the software automatically categorized the patient as male. Even if my cousin’s visit was for an ob-gyn check-up.


Stuck in Between a Rock and a Genomic Hard Place

Will Orlady, MJLST Staff Member

In Privatizing Biomedical Citizenship: Risk, Duty, and Potential in the Circle of Pharmaceutical Life, Professor Jonathan Khan wrote: “genomic research is at an impasse.” Though genomic research has advanced incrementally since the completion of the first draft of the human genome, Khan asserts, “few of the grandest promises of genomics have materialized.” This apparent lack of progress is a complex issue. Further, one may be left asking whether, within the current economic and regulatory scheme, genomics actually has promising answers to give. But Khan’s work cites to biomedical researchers, claiming that what is needed to propel genomic research forward is simple: more bodies.

Indeed, it is a simple answer, but to which question–or questions? Khan’s article explores the “interconnections among five . . . federally sponsored biomedical initiatives of the past decade in order to illuminate critical aspects of the current drive to get bodies.” To be sure, the article provides the literature with a fine starting analysis of public biomedical programs, synthesizing much of the previous research on biomedical research participation. It further evaluates previously proposed methods for increasing genomic research participation. Khan’s article, however, left me with more questions than answers. If the public and private sectors cannot work together to produce results, then who is left to ensure progress? Is progress currently feasible? Are we being too hasty and impatient demanding results from an admittedly young scientific discipline? And, ultimately, if study participants/subjects are expected to participate with their own genetic material or bodies, what do they get in return?

Khan’s article attempts to address the final question. That is, if we are to create a legal or social obligation to contribute to genomic research for the sake of the public, what benefit (or, at the least, what safety assurance) do contributors receive in return for their contribution? Clearly, issues associated with creating a system of duties while providing no corresponding rights are aplenty. Underlying this discussion is the notion that to ensure the timely progress of genomic research mandated participation in such research might be necessary. Herein lies a problem: “[t]hese duties effectively privatize citizenship, recasting service to the political community as a function of service to [an] . . . enterprise of biomedical research. . . . ” What is more, Khan is keen to point out that time and time again, promises of genomic advancement in the hands of collaborating private and public entities have failed to produce promised results.

If we are to go forward privatizing citizenship, creating duties for persons to use their bodies for the benefit of society, we must be careful to ensure that (1) individual rights in the outcome of the research are secured; and, (2) that society will in fact benefit from the collectively imposed obligations.

Although Khan’s article leaves many questions unanswered, I empathize with his weariness of creating a public duty to contribute to biomedical research. Solutions to such complex issues are not easily answered. Torpid genomic research is troubling. But, so is the notion of privatized citizenship ascribing duties without granting corresponding rights. Though more bodies may be needed to further the timely advance genomic research, policymakers academics alike should be cautious creating any programs which compromise the integrity of personal privacy for the sake of public advancement without granting corresponding rights.


“Precision Medicine” or Privacy Pitfalls? Ethical Considerations Related to the Proposed Health Database

Thomas Hale-Kupiec, MJLST Staff Member

President Barack Obama proposed spending $215 million on a ‘precision medicine’ initiative. The largest part of the money, $130 million, would go to the National Institutes of Health in order to create a population-scale study. This study would create a database containing health information with genetic, environmental, lifestyle, medical and microbial data from both healthy and sick volunteers with the aim that it will be used to accelerate medical research and to personalize treatments to patients. Though some would call this a “bio-bank,” Francis Collins, director of the National Institutes of Health, said that instead, the project is greater than that, as it is combining data from among what he called more than 200 large American health studies that are ongoing and together involve at least two million people. “Fortunately, we don’t have to start from scratch,” he said. “The challenge of this initiative is to link those together. It’s more a distributed approach than centralized.” Further, the President immediately attempted to alleviate concerns related to privacy: “We’re going to make sure that protecting patient privacy is built into our efforts from Day 1. . . I’m proud we have so many patients-rights advocates with us here today. They’re not going to be on the sidelines. This is not going to be an afterthought. They’ll help us design this initiative from the ground up, making sure that we harness the new technologies and opportunities in a responsible way.”

Three major issues seem to be implicated in this proposed database study. First, both informed consent and incidental findings seem to be problematic in this model. When ascertaining information from the American health studies, the government may be bypassing what users initially consented to when agreeing to participate in the study. Further, incidental findings and individual research results of potential health, reproductive, or personal importance to individual contributors are implicated in these studies; these aspects need to be considered in order to avoid any liability going forward, and provide participates with expectations of how their information may be used. Second, collection and retention of this information seem to be an issue. Questions on when, where, and how long this information is being held creates a vast array of privacy concerns. Further, security of this information may be implicated, as some of this data may be personal. Third, deletion or removal of this information may be an issue if the program ever becomes discontinued, or if users are allowed to opt-out. Options after closure include destroying the specimens, transferring them to another facility, or letting them sit unused in freezers. These raise a multitude of questions about what to do with specimens and when level of consent should be implicated.

Overall, this database seems to hold immeasurable potential for the future of medicine. This said, legal and ethical considerations must be considered during of this new policy’s development and implementation; with this immeasurable power comes great responsibility.


Postmortem Privacy: What Happens to Online Accounts After Death?

Steven Groschen, MJLST Staff Member

Facebook recently announced a new policy that grants users the option of appointing an executor of their account. This policy change means that an individual’s Facebook account can continue to exist after the original creator has passed. Although Facebook status updates from “beyond the grave” is certainly a peculiar phenomenon, it fits nicely into the larger debate of how to handle one’s digital assets after their death.

Rebecca G. Cummings, in her article The Case Against Access to Decedents’ Email: Password Protection as an Exercise of the Right to Destroy, discusses some of the arguments for and against providing access to a decedent’s online account. Those favoring access to a decedent’s account may assert one of two rationales: (1) access eases administrative burdens for personal representatives of estates; and (2) digital accounts are merely property to be passed on to one’s descendants. The response from those disagreeing with access is that the intent of the deceased should be honored above other considerations. Further they argue that if there is no clear intent from the deceased (which is not uncommon because many Americans die without wills), then the presumption should be that the decedent’s online accounts were intended to remain private.

Email and other online accounts (e.g. Facebook, Twitter, dating profiles) present novel problems for property rights of the deceased. Historically, a diary or the occasional love letter were among the most intimate property that could be transferred to one’s descendants. The vast catalogs of information available in an email account drastically changes what is available to be passed on. In contrast to a diary, an email account contains far more than the highlights of an individual’s day — emails provide a detailed account of an individual’s daily tasks and communications. Interestingly, this in-depth cataloging of daily activities has led some to the argument that information should be passed on as a way of creating a historical archive. There is certainly historical value in preserving an individual’s social media or email accounts, however, it must be balanced against the potential invasion of his or her privacy.

As of June 2013, seven states have passed laws that explicitly govern digital assets after death. However, the latest development in this area is the Uniform Fiduciary Access to Digital Access Act, which was created by the Uniform Law Commission. This act attempts to create consistency among the various states on how digital assets are handled after an individual’s death. Presently, the act is being considered for enactment in fourteen states. The act grants fiduciaries in certain instances the “same right to access those [digital] assets as the account holder, but only for the limited purpose of carrying out their fiduciary duties.” Whether or not this act will satisfy both parties in this debate remains to be seen.


Privacy in the Workplace and Wearable Technology

Jessica Ford, MJLST Staff Member

Lisa M. Durham Taylor’s article, The Times They Are a-Changin’: Shifting Norms and Employee Privacy in the Technological Era, in Volume 15 Issue 2 of the Minnesota Journal of Law, Science & Technology discusses employee workplace privacy rights in regard to new technologies. Taylor spends much of the article focusing on privacy concerns surrounding correspondence in the workplace. Taylor states that in certain cases, employees may be able to expect their personal email account correspondence to be private as seen in the 2008 case Pure Bower Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC. However, generally employers can legally monitor email messages and any websites an employee visits, including personal accounts.

Since Taylor’s article, new technologies have emerged, bringing new privacy implications for the workplace with them. Wearable technologies such as Google Glass, smart watches, and fitness bands find themselves in a legal void, particularly in regard to privacy concerns. Several workplaces have implemented Google Glass through Google’s Glass at Work program. While this could help productivity, especially in medical settings, it could also mean that an employer could review every recorded moment, even those containing personal conversations or experiences.

Smart watches could also have a troubling future due to the lack of legal boundaries. At the moment, it would be simple for a company to require employees to wear GPS-enabled smart watches and use the watches to track employees’ locations, see if an employee is exceeding his break time, and instantaneously communicate with employees. Such uses could be frustrating, if not invasive. All messages and activities also could be tracked outside of the office, essentially eliminating any semblance of personal privacy. Additionally, as Taylor notes in her article, there is case precedent upholding a “public employer’s search of text messages sent from and received on the employee’s employer-issued paging device.” This 2010 case, City of Ontario v. Quon, further allowed the employer to search personal messages.

For the moment, it appears that employers are erring on the side of caution. It will take some time to see whether the legal framework Taylor discusses will be applied to wearable technologies and whether it will be more permissive or restrictive for employers.


Revisiting the Constitutionality of the Emergency Medical Treatment and Active Labor Act

Mickey Stevens, MJLST Staff Member

If a person requires emergency medical treatment and shows up at any hospital that accepts payments from Medicare, that person will receive emergency health care treatment without regard to ability to pay, citizenship, or legal status. This happens because the Emergency Medical Treatment and Active Labor Act (EMTALA), enacted in 1986, requires such treatment as a method of preventing the practice of “patient dumping,” where hospitals would refuse to treat people because of inability to pay, among other reasons. A recent circuit court decision and subsequent petition for writ of certiorari to the Supreme Court of the United States has challenged this part of the EMTALA as constituting a taking in violation of the Fifth Amendment.

In February 2014, E. H. Morreim published an article discussing the EMTALA in volume 15, issue 1 of the Minnesota Journal of Law, Science and Technology. In that article, Morreim argued that EMTALA violates the Fifth Amendment’s Takings Clause. According to Morreim, the EMTALA satisfies the three elements of a taking – property, taking, and public use. The article argues that the property taken is both personal property (pharmaceuticals, medical devices, and paid staff time) and the physical invasion of spaces in the hospital, for the public use of ensuring immediate emergency care without regard to the ability to pay. Furthermore, Morreim suggests that the EMTALA may resemble what Justice Scalia has termed a “Robin Hood Taking” where the government takes wealth from those who have it and transfers it to indigent defendants. See Brown v. Legal Found. Of Wash., 538 U.S. 216, 252 (2003) (Scalia, J., dissenting).

At the time of the article’s publication, neither the Supreme Court nor any of the circuit courts had addressed the constitutionality of the EMTALA. That is no longer the case. The Eleventh Circuit addressed the issue and upheld the EMTALA as constitutional in Baker County Medical Services, Inc. v. U.S. Attorney General, 763 F.3d 1274 (11th Cir. 2014). There, the Appellant hospital appealed the lower court’s grant of a motion to dismiss a claim seeking a declaratory judgment that EMTALA was an unconstitutional taking. The Eleventh Circuit upheld the law on the basis that voluntary participation in a regulated program defeats a takings clause challenge. The decision concluded by saying that the Hospital should turn to Congress for a remedy, instead of the courts.

Morreim’s article addresses this so-called “voluntariness” of participation in EMTALA, arguing that the steep financial losses that would occur – the loss of all Medicare funding – render acceptance of the EMTALA obligations far from voluntary. In Baker County Medical Services, the court responded to these concerns, as raised by the Appellant hospital, by stating that economic hardship is not the same as compulsion.

The Eleventh Circuit’s decision prompted the hospital to file a petition for writ of certiorari with the Supreme Court. 2014 WL 6449709. The petition, which cites to Morreim’s article, was filed in November and may soon receive a response from the Supreme Court. As Morreim wrote, “[s]tay tuned . . . the conversation is likely to become quite interesting.”