While the dispute between Apple and the Department of Justice over terrorists’ iPhones appears to have come to a conclusion, it is clear that we can expect to see privacy issues continue to develop between the government and private sector. While the privacy issues between Apple and the DOJ received significant media attention, another matter between the government and Mozilla, a “free software community” that created the Firefox web browser, provides further insight into privacy concerns arising out of criminal investigations.

On July 10, 2015, the U.S. government filed a criminal complaint in Washington state alleging Jay Michaud possessed child pornography. The criminal complaint contained a number of allegations related to the FBI’s investigation of Michaud, including his extensive use of computer equipment to access child pornography. In particular, the criminal complaint discussed Michaud’s use of software that allowed him to anonymously use the Internet.

The criminal complaint describes a process where “software protects users’ privacy online by bouncing their communications around a distributed network of relay computers run by volunteers around the world, thereby masking the users’ IP address which could otherwise be used to identify a user.” In an effort to make sure the government met its burden, Michaud filed a motion seeking information on the government’s investigation which, in turn, could publicly disclose Firefox’s code.

Mozilla was concerned that this anonymity was created by an altered form of its Firefox browser, and, on May 11, 2016, filed a motion to allow it to enter into the criminal child pornography case. In its Motion to Intervene or Appear As Amicus Curiae in Relation to Government’s Motion for Reconsideration of Court’s Order on the Third Motion to Compel, Mozilla sought to intervene “for the purpose of requesting that this court modify its order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the defendant.”

In its motion, Mozilla argued “[a]bsent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of its vulnerability.” Mozilla asserted Firefox’s source code “is continuously developed” and is “publicly available for developers to view, modify, share, and reuse to make other products….” And, in the case of the government’s investigation, it became clear that Michaud used a modified version of Firefox that provided him the anonymity necessary to access child pornography.

Mozilla further argued that, while it is not opposed to disclosure, “any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability.” Consequently, Mozilla requested the court modify its prior orders to require the government to disclose how it accessed Michaud’s browser at least 14 days prior to disclosure to Michaud in order to allow Mozilla to “analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors.”

On May 11, 2016, Michaud filed his response to Mozilla’s motion where he stated “Mr. Michaud has no stake in Mozilla’s dispute with the government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances….”

After hearing the motion (and the related motion for reconsideration of order, granting defendant’s motion to compel) on May 12, 2016, the court held, after an In Camera presentation (closed chambers meeting) on the topics included in Mozilla’s motion, that the government was not required to produce the information related to Mozilla’s code.

While the information in the court’s May 12 order is limited, it is clear that the parties and the court made the security of Firefox’s code a priority. That is, the In Camera inspection allowed the parties to determine the security issues without disclosing Mozilla’s code to the public (“Following the conclusion of the In Camera hearing, the Court finds the Pltf is not required to produce requested discovery.”)

Interestingly, the security and privacy issues could not be ignored when Mozilla’s motion papers pointed out the fact that even government workers used the Firefox browser and public disclosure could put them at risk. While the Apple/DOJ privacy dispute was heated, it appears a result was achieved in this matter that all the parties could work with: Mozilla’s code was protected; Michaud was able to see if the government met its burden; and the government was given the opportunity to show how it intended to meet its burden.

The post Mozilla’s Firefox Browser Code Creates Privacy Issues in Criminal Proceeding appeared first on Privacy Risk Report.

The largest privacy case to date is currently pending in the U.S. District Court for the Central District of California between Apple and the U.S. Government. This case arises out of a request by the Department of Justice and FBI for Apple to create software installing a “backdoor” to retrieve data from an encrypted iPhone. Specifically, the government’s request is related to its attempts to access data from an iPhone that was used by a person who carried out the December 2, 2015 terrorist attacks in San Bernardino, Calif. After the attacks, law enforcement requested Apple’s help with their investigation of data stored on one of the terrorist’s phone. In Apple’s Motion to Vacate Order Compelling Apple to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, Apple claims the government’s request is unwarranted under the All Writs Act, violates the First and Fifth Amendments and would place a burden on Apple.

The government filed a request with the court that, if granted, would require Apple to create software that would provide access to the data stored on the phone by the government. Apple claims this technology presently does not exist and would have to be developed to provide a backdoor to the iPhone for access sought by the government. Essentially, Apple would have to create a program that defeats the security features it created in the first place. In its submission to the court, Apple claims complying with this request causes concern for at least two reasons:

1. Apple does not agree with the suggestion that it can simply destroy the software after it has been used “this one time,” as argued by the government. Apple argues that this will not be a one-time request but rather law enforcement will request that the software Apple developed be used again in the future.
2. Apple does not agree that once this software is developed that it could be safely kept after it is used “this one time.” Apple argues that it cannot keep the software because “criminals, terrorists and hackers will no doubt view the code as a major prize and can be expected to go to considerable lengths to steal it…”

This litigation is already shedding light on privacy law and data retention issues and will likely do so for many years to come.

Privacy Litigation Impact

From a litigation perspective, if Apple is forced to respond to the government request, it “would effectively require Apple to create full-time positions in a new ‘hacking’ department to service government requests and to develop new versions of the backdoor software every time iOS changes…” Even more troubling for Apple is its argument that this request would effectively “require Apple engineers to testify about this backdoor as government witnesses at trial.” Apple warns the government would “coercively deputize Apple and other companies to serve as a permanent arm of the government’s forensic lab.”

The issue of whether Apple engineers and staff may be required to offer testimony on the safeguards they put into their products or the methods they used to get around their own safeguards will undoubtedly present a difficult question for the court. In this specific instance, Apple personnel may not be called upon to testify concerning the iPhone used by a terrorist in the San Bernardino attack since the terrorists are dead and there may be no need for a cross-exam on the backdoor software. But it may be shortsighted for the court to not analyze this issue because it may conceivably be an issue in the near future.

From a practical standpoint, this situation presents an interesting question for any company concerned about the safety and protection of the data it stores and the best safeguards to put into place. Apple is now arguing that the government is requesting that security be compromised to some extent in order to allow access. Apple’s arguments should also cause companies to think about backdoors and how safe those backdoors may be against hackers and criminals. It also illustrates how company personnel could be called upon to testify on its safeguards and the backdoors around those safeguards.

Insurance Impact

Litigation has already surfaced concerning the “failure to follow minimum required practices” exclusion in a cyber insurance policy. This litigation was based on the premise that this exclusion required the insured to “continuously implement” its cyber security controls identified in the insurance application submitted prior to the inception of the policy. Apple is clearly concerned about its potential liability should hackers obtain the information concerning the backdoors around its safeguards. This risk may directly impact how insurers approach cyber coverage. The questions presented by the Apple litigation may result in insureds having to disclose not only the cyber controls they have adopted, but also the backdoors providing access to that stored data and the safeguards in place to secure the backdoor.

Regardless of the outcome of the Apple litigation, there should be little doubt that the arguments and the court’s ruling will impact privacy litigation for years to come.

The post Apple’s Privacy Battle – Early Observations for Litigation and Insurance appeared first on Privacy Risk Report.

Apple unveiled its first “smartwatch” on September 9, 2014 and it will be available to the public in early 2015. It is widely reported that, in order for the Apple Watch to be a success, Apple will need to partner with health insurance carriers to use the device to monitor and collect private health data. Fitness tracking devices are already being used to gauge health insurance premiums. For example, British Petroleum has used a fitness bracelet to track the health data of its employees and their spouses in order to lower its health insurance premiums.

Whether people will use health monitoring devices such as the Apple Watch to the extent they have used iTunes or other apps remains to be seen. Beyond the ethical questions, there are a number of questions of whether this data has value and will be targeted by hackers. One thing is certain, the risks for a data breach increases with each new method for data collection and storage.

The post Apple Watch Poses a Number of New Privacy Risks appeared first on Privacy Risk Report.

A recent case illustrates the vast amounts of data that company’s may be collecting from our daily lives and the value of this data. On July 24, 2014, iPhone user Chen Ma brought a purported class action against Apple, Inc. alleging that the operating system on certain Apple’s iPhones tracks users’ location down to the minute and transmits this information to a database owned by Apple. Mr. Ma claims that Apple does so without the consent of users and without notice thus invading her privacy. Despite a user’s ability to disable the tracking, Mr. Ma alleges that disabling this feature severely hampers the phone’s functionality. Mr. Ma’s claim that the U.S. government has made more than 1,000 requests to Apple for this tracking information without any established protocol for such a request is among the more notable allegations in the complaint.

Given the pervasiveness of phones and apps that use geo-tracking feature phones, it will be interesting to note the outcome of this suit and similar cases and what impact it may have on other companies that use similar features.

The post Apple iPhone’s Geo-Tracking Alleged to Infringe on Individuals’ Privacy Rights appeared first on Privacy Risk Report.