Recently, in United States v. InMobi Pte Ltd., the Federal Trade Commission (FTC) set a new standard for geolocational tracking. The FTC told app developers and app marketers one simple rule: honor consumers’ location privacy preferences and do not track them without permission.

InMobi is a Singapore company that provides ads within mobile apps. It is a business-to-business company, and its only customers are app developers who integrate InMobi’s software into their apps. InMobi allows for the collection of data from app users to display targeted ads.

Geolocation is often the best data for determining what types of ads to present to users. InMobi offers app developers three options: 1) “now” suite based on current location; 2) “conditional” suite based on customers’ past habits; and 3) “psychographic” suite based on demographics and activities in the last two months (e.g. frequent airport trips, luxury vacations). However, many consumers choose not to allow apps to access their geolocation, so one might think that InMobi’s software would be useless for those consumers. On the contrary, InMobi realized it could access geolocation indirectly and still provide value to mobile app developers: InMobi started using data generated when devices connect to WiFi networks, along with geolocational data from users who had opted in (i.e., it figured out the locations of other users by using other similar users’ data). The FTC considered this inference of the user’s location to be an improper end run around those consumers’ choices. The FTC’s investigation and enforcement against InMobi focused on InMobi’s statements to app developers: “First we take in location data on each user, in the form of user opt-in lat/long signals. Then we add real world context to these signals to figure out what places or businesses the user has visited. Our machine learning algorithms mine for patterns in this location history to identify what these trends mean about the user, from which we can infer what kind of consumer the user is.” The FTC did not consider this statement to be a complete, transparent explanation of how InMobi tracks the app’s users.

After the investigation, the FTC found that InMobi violated the Children’s Online Privacy Protection Act (COPPA) while also accusing InMobi of unfair and deceptive indirect location tracking. The consent decree, however, focused on COPPA and assessed damages only on that violation, while also enjoining InMobi from continuing its geolocation inference system. The FTC did not address the indirect location tracking’s unlawfulness overall.

This means that other app developers and app marketers are now on notice that the FTC considers inferential geolocational tracking to be unlawful (even though the consent decree only addressed monetary assessments under COPPA). After this action, the FTC also warns app developers to consider contractual terms with third party service providers to ensure they do not circumvent consumers’ privacy choices. Certainly sound advice from the FTC.

Vigilant Solutions is a company that takes photographs of cars and trucks using its network of cameras. What’s the big deal, when traffic cameras are always recording our plates? Well, not only is Vigilant Solutions taking photos of your license plate, but it is retaining your vehicle’s location data along with the photo of your license plate, AND it is selling that data. To date, Vigilant Solutions has taken approximately 2.2 billion license plate photos in almost every major city across the United States. Among Vigilant Solutions’ customers (i.e. those buying your license plate numbers and locational data), 300 of them are law enforcement agencies. You might think to yourself, ‘Well, don’t the police need to get a warrant to put a GPS tracking device on my car?’ The simple answer is yes, but to get years of data on your vehicle’s location, all the police have to do is pay Vigilant Solutions.

The website of Vigilant Solutions’ subsidiary, Digital Recognition Network, says, “All roads lead to revenue with DRN’s license plate recognition technology. Fortune 1000 financial institutions rely on DRN solutions to drive decisions about loan origination, servicing and collections. Insurance providers turn DRN’s solutions and data into insights to mitigate risk and investigate fraud. And our vehicle location data transforms automotive recovery processes, substantially increasing portfolio returns.” Is this reminiscent of George Orwell’s 1984? With this type of tracking technology becoming more and more affordable, we are sure to see an increase in its use before an end. As consumers (and individuals with constitutional rights) we should all be aware of this and speak up for our privacy rights.

In December, Hyatt Corporation announced that it had identified malware on computers that operate its payment processing systems. Late last week, Hyatt disclosed that upon investigating the malware it discovered “signs of unauthorized access” to customers’ payment card data from 250 Hyatt locations in approximately 50 countries, representing approximately 40 percent of Hyatt’s hotels. A list of the affected locations and at-risk dates, which range from August 13, 2015, to December 8, 2015, is available here. The malware, which was aimed at gathering customers’ names, card numbers, expiration dates and verification codes, primarily compromised cards used at Hyatt restaurants, with some other at-risk cards being used at front desks, spas, golf shops and other locations. Hilton Hotels and Starwood Hotels have also experienced payment card breaches. Hyatt is offering affected customers a free, one-year subscription to CSID’s Protector identity/fraud protection service.

On July 31, 2015, Quartavious Davis petitioned for certiorari in Davis v. United States, No. 15-146, asking (1) whether the acquisition of a cell phone user’s location data from his cellular service provider constitutes a search under the Fourth Amendment and (2) if it is a search, whether the search requires a warrant.

In previous posts, we explained how a number of courts have considered whether the Fourth Amendment requires law enforcement to obtain a warrant to access cell phone geographic location information.   In May of this year, the Eleventh Circuit Court of Appeals held that Mr. Davis had no reasonable expectation of privacy in his cell phone location records and, even if there were such an expectation, a warrantless search was still reasonable.

The Supreme Court denied Mr. Davis’s petition on November 9, 2015, but it remains an important issue. As noted in the Brief of Amici Curiae Electronic Frontier Foundation, Brennan Center for Justice at NYU School of Law, Center for Democracy & Technology, The Constitution Project and the National Association of Criminal Defense Lawyers in Support of Petitioner, there has been a dramatic increase in the number of cell phones and cell sites in the last 20 years.  Additionally, the number of law enforcement requests for location information is increasing, and Courts continue to be faced with resolving whether a warrant is required.

Everyone loves their smartphone. Everyone loves the newest app. Angry Birds has lots of company now. But most people don’t know the back end of apps and how they are accessing, using and selling your data. Why? Because no one reads the Privacy Policy and Terms of Use to figure out how they are accessing and using your data.

The most common features of apps that affect your privacy are the use of the microphone, location based and geolocation services, and access to personal data, like your photos, contacts and health information. Whether you care or not, just be aware of the data apps have access to, are using and selling, and make an educated choice about whether you want them to have access or not. This week, we will focus on apps’ use of your location through location based services.

First, you need to know which apps have requested to track you (and to which you agreed) when you downloaded the app. Touch settings on your phone and go to Privacy. Location based services is listed and is automatically on when you buy an iPhone. Why? Because Apple wants access and has access to your location and requires it for Find Your iPhone. But this means that Apple knows where you are at all times and is selling that data to advertisers so they know which cities you visit, which restaurants you go to, which supermarkets you visit and in general, your minute by minute location. If you browse down location based services, the apps that are following your every step are listed there. Some allow the app to only follow your location when you use their app, but many others automatically track you whether you are using their app or not.

Sound creepy to you? Then my suggestion is to turn your location based services off unless you are using a particular app that requires it. When you are finished using the app, turn your location based services off again. If it is off, none of your location data is being accessed, used or sold by the app developer.

When you download an app, read the fine print on how they are going to access and use your data, including location based services. I have refused to download apps if they won’t give me a choice about using my location. There is usually another app that does the same thing and respects my privacy.

Real story: a friend downloaded a trendy retail app and as she was walking by one of their stores in a mall that was located in another state than where she lived, the app pinged her to tell her that they were having a sale in that location and since she was walking by, she should stop in and check out the sale. Needless to say, it freaked her out and she called me to find out how they knew she was in that mall. Of course, she had her location based services on, and had agreed for the app to use her location based services at all times when she downloaded it. She hadn’t read the pop up information, and just clicked “I agree.”

And if you aren’t creeped out, just be aware of what apps are asking for and doing with your data, and make educated choices when you allow access to your location.

We have been watching the warrantless search cases closely. Yesterday (August 5, 2015), the Fourth Circuit Court of Appeals held that it was unconstitutional for law enforcement to use defendants’ cell phone location information without a warrant.

Two defendants were convicted of armed robbery. Some of the evidence presented at their trial included location information from their cell phones. The government obtained the information through a court order, as opposed to a warrant. They appealed the conviction saying the government should not have used the information without a warrant, that the search was a violation of their Fourth Amendment rights, and that the court order was insufficient.

Although the Court held that obtaining the location information without a warrant was unconstitutional, it agreed with the lower Court’s decision to allow the evidence in the case because the government relied in good faith on the court orders that were issued to obtain the information.

A number of courts have considered whether the Fourth Amendment requires the government to obtain a warrant to access historical and/or real time cell phone geographic location information, known as CSLI. CSLI is cell site location data your cell phone gives off when you place or receive a call. Additionally, cell phones also automatically generate location data by continually identifying themselves to the closest cell tower even when there is no live call, and some experts say, even if the cell phone is powered off.

Law enforcement views CSLI as vital to locating and tracking suspects as part of a criminal investigation, and often seeks the information by filing an application with the relevant court simply stating that the information to be obtained is relevant to an ongoing investigation. The applications may or may not include facts establishing probable cause, or even distinguish between historical and real time location information. Some court orders granting access do not distinguish between historical and real time data.

Court decisions have been divided on whether probable cause and a warrant are required to obtain CSLI. Last week, a United States District Judge in the United States District Court for the Northern District of California, San Jose division, affirmed the magistrate judge’s ruling denying the government’s application for CSLI on the grounds that a warrant was required to obtain such information. Also earlier this year, the Florida Supreme Court, in Tracey v. State of Florida, held that real time cell site location information is protected by the Fourth Amendment.

However, in May of this year, in United States v. Davis, the Eleventh Circuit Court of Appeals reversed an earlier three judge panel upon rehearing en banc, and held there is no reasonable expectation of privacy in these cell phone location records and, even if there were such an expectation, a warrantless search would still be reasonable. 785 F.3d 498.

On July 31, Davis’ lawyers petitioned the U.S. Supreme Court to review and overturn the Eleventh Circuit’s decision in Davis v. United States. If the Court accepts the case, perhaps the Court will resolve the issue of whether the warrant requirement of the Fourth Amendment applies to searches of  CSLI.

While Foursquare’s new product, Pinpoint, surely isn’t the only technology tracking your location these days, with the release of this new product, businesses can transmit targeted advertising depending on an individual’s location (or the individual’s locations in the past).  Pinpoint, which was first announced on April 15, 2015, will send advertisements to individuals’ mobile devices based on where the individual has been physically located lately … or previously located for that matter.  You might be wondering,

But can they send those advertisements to me? I’m not a Foursquare user.

The answer is: yes. Foursquare announced that this new product will use more than just its own databases to expand its geolocational marketing beyond its own troves of user data.  But who will Foursquare get geolocational data on non-Foursquare users from? While the terms of any such agreements are not likely to become public, Foursquare does currently have relationships with third-party data partners like Microsoft, HTC, and Pinterest.  As Pinpoint hits the streets we may begin to see consumer protests against this new kind of privacy invasion. We’ll continue to track its use.

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. Cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information. Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that have been the subject of a breach despite implementing cybersecurity safeguards protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.

Section 2209 of the Federal Aviation Administration Extension, Safety, and Security Act (the Act) requires the Federal Aviation Administration (FAA) to establish defined boundaries protecting “critical infrastructure” from unauthorized drones.  More specifically, the FAA is tasked with defining the precise sites where drones are prohibited from operating. It is likely that the FAA would have to work with state and local governments to make these determinations (e.g., which sites are considered “fixed site facilities”). However, the Act includes many types of “sites” from oil refineries to amusement parks as well as “other locations that warrant such restrictions.” This language allows for very broad interpretation.

Specifically, Section 2209 states:

DOT shall establish procedures for applicants to petition the FAA to prohibit or restrict the operation of drones in close proximity to a fixed site facility (an affirmative designation).

A “fixed site facility” is considered to be:

  • critical infrastructure, such as energy production, transmission, and distribution facilities and equipment;
  • oil refineries and chemical facilities;
  • amusement parks; and
  • other locations that warrant such restrictions.

The FAA shall publish designations on a public website.

Deadlines for the FAA’s implementation of Section 2209 according to the FAA Reauthorization Act of 2018 are as follows:

  • Publish a Notice of Proposed Rulemaking by March 31, 2019
  • Final Rule Due by March 31, 2020

To date, no NPRM on Section 2209 has been issued.

Recently, the Association of Unmanned Vehicle Systems International (AUVSI), the Commercial Drone Alliance, the Consumer Technology Association, and the Small UAV Coalition sent a letter to FAA Chief Administrator Steve Dickson pushing him to act as soon as possible on Section 2209. This group of industry stakeholders urged the FAA to “publish a proposed rule to establish a process to designate airspace above and around fixed-site critical infrastructure facilities.” The U.S. Chamber of Commerce group also presented a letter to the FAA, signed by a significant list of drone and critical infrastructure stakeholders urging the same action. The concern of these and other industry leaders is not simply that the failure to enact Section 2209 leaves ambiguity as to what infrastructure and facilities are considered “fixed site,” but also a larger failure by the FAA to firmly establish that it holds sole authority to regulate the national airspace. Without the enactment of Section 2209, states have been enacting their own legislation to protect (and define) critical infrastructure sites, which has led to a patchwork of unwieldy and inconsistent laws. The commercial drone industry seeks federal guidance on “fixed sites;” otherwise, without federal regulation, drone operators may not have a central source of information that defines these types of sites, which leads to unknowing violations of state/local laws and inhibits the ability to integrate drones into the national airspace.