Angiulo: New Mass. Case Limits Warrantless Electronic Surveillance

Monday, February 24, 2014

Leonardo Angiulo, GoLocalWorcester Legal Contributor

It is precisely because emotions can have such a large impact on decision making that our Constitution encourages that the rule of law be applied by objective members of the judiciary, believes Leonardo Angiulo.

We, as a group of individuals, put a remarkable amount of information out into the world. At the supermarket, your store customer card not only gets you lower grocery prices but also keeps a running tally of the items that you buy and the brands you prefer. Your oil change place, if part of a chain, will likely have software that sends out a coupon when your car is forecasted to pass the three thousand mile mark. Along with innocuous details like the ones described, our service providers and vendors also end up with much more sensitive information about our daily lives. As the February 18, 2014 Massachusetts case of Commonwealth v. Shabazz Augustine points out, the cell phone residing in your pocket creates a log of everywhere you go and when you went there. Not only is there a record of everywhere you go, but that information is held by your service provider for an undisclosed length of time, whether you agreed to it or not.

In Commonwealth v. Augustine, the Supreme Judicial Court (aka the “SJC”) did a nice job of explaining exactly how this record gets created and the technical aspects of how cell towers and smartphone technology works. A very basic description for the purposes of this article is as follows: a) our cell phones make calls by using towers, b) as we pass through different areas of the city, state and country different towers pick up our phone's signal, c) a log of the towers that receive our signal is kept by our service providers.

Currently, federal law permits law enforcement to collect these records and other information pursuant to http://www.gpo.gov/fdsys/pkg/USCODE-2011-title18/html/USCODE-2011-title18-partI-chap121-sec2703.htm" target="_blank">18 USC §2703. Under that statute, carriers may produce records without notifying a customer if a court order is issued. In 18 USC §2703(d) the proof required for the issuance of an order is “reasonable grounds to believe” the records are relevant to an ongoing criminal investigation. The reasonable grounds standard from the statute is a lesser burden than the probable cause required for search warrants.

In the Augustine case the SJC ruled that, no matter what the federal statute may permit, state law enforcement must get a search warrant because Article 14 of the Massachusetts Declaration of Rights requires it. Exactly why Massachusetts law enforcement requires a search warrant and a higher burden of proof, while Federal law enforcement does not, is a short question with a long answer.

Since the companies targeted by these orders only produce records upon the request of law enforcement, the SJC concluded the information was gathered as a result of state action. When state action results in the collection of information used in a criminal investigation, the constitutional provisions governing search and seizure contained in Art. 14 and the Fourth Amendment are implicated. Even though these two constitutional provisions deal with the same subject, the scope of behavior they permit members of the executive branch to engage in are different. Since Massachusetts has its own constitution, our state courts can grant greater protections to individuals that those afforded by the Fourth Amendment.

When our court decided that Article 14 requires a search warrant for cell site location information (aka “CSLI”), even though the Fourth Amendment does not, they made some important notes about modern life and how the executive branch may be restricted from using corporations to do what what they cannot do themselves. One of the important issues that the opinion describes is that almost every one of us has a cell phone in our pocket at all times. This means that the practical application of CSLI records gathered by law enforcement is that they give a record of activity that would otherwise only be available using GPS tracking. Since GPS tracking for significant periods of time is only permitted through judicial oversight and a showing of probable cause the SJC refused to allow CSLI collection without the same level of court involvement.

It is easy to dismiss cell phone spying concerns as the type of thing conspiracy theorists and the paranoid dwell on. You might even say to yourself, “who cares if some criminal's records get scooped if it helps solve a crime.” The counter-argument is that both the Federal and State Constitutions were drafted to prevent the type of random and arbitrary invasions of personal liberty faced by Colonists. The next step in the logic of a counter-argument might be that it is only by holding strict probable cause requirements as technology develops that our State and Federal constitutions remain viable sources of liberty.

No matter which side you are on now, your tune might change if it's your records being reviewed or your loved one's killer pursued. It is precisely because emotions can have such a large impact on decision making that our Constitution encourages that the rule of law be applied by objective members of the judiciary.

Leonardo Angiulo is an Attorney with the firm of Glickman, Sugarman, Kneeland & Gribouski in Worcester handling legal matters across the Commonwealth. He can be reached by email at [email protected].

Related Slideshow: 10 Big Companies with Recent Major Security Breaches

Prev Next

Epsilon

March 2011

Tens of millions affected

In March 2011, Epsilon, the world's largest permission-based email marketing service, announced that the names and email addresses of customers of Citigroup, TiVo, and many other U.S. companies, were exposed in a huge data breach. The hack affected names and email addresses stored in over 108 retail stores, major financial firms and non-profit organizations like College Board. At the time of the incident, Epsilon had more than 2,500 clients sending 40 billion emails annually.

Result: Epsilon notified clients of the breach on April 1. Epsilon's clients then notified their customers of the hack. Epsilon has stated that 50 clients were affected, but the exact number of names and email addresses has not been released. Computerworld.com estimated that "tens of millions" of people were affected.

Prev Next

Sony

April 2011

77 million customers affected

In the spring of 2011, Sony was hacked through its through its PlayStation Network twice. The first security breach exposed customers' personal information to hackers, but not their credit card information. The second hack, disclosed in late April, did result in customers' credit card information being stolen. The pair of hacks affected 77 million people.

Result: Two weeks after the breach, Sony released a PlayStation 3 firmware update as a security patch. The firmware required users to change their password.

Prev Next

Global Payment Systems

March 2012

7 million customers affected

In the spring of 2012, the credit card processor service Global Payment Systems discovered that 1.5 million credit card records had been stolen from its system. Additionally, roughly 5.5 million consumer records were compromised, bringing the total to 7 million.

Result: As a result of the breach, Global Payments was delisted until it could prove it was in compliance with security standards. In April 2013, the payment card networks returned Global Payments its client list after it proved it was compliant with security standards.

Prev Next

Zappos

January 2012

24 million customers affected

In early 2012, the online retail store Zappos announced that it had been hacked, exposing the names, addresses, phone numbers, partial credit card numbers, and email addresses of 24 million customers.

Result: One day following the cyberattack, Zappos sent emails to all customers directing them to change their passwords.

Prev Next

Adobe Systems

October 2013

152 million customers affected

In October, the computer software company Adobe disclosed that hackers obtained personal data for almost 38 million of its customers, including names, credit and debit card numbers, and expiration dates. In November, it was discovered that the hackers had posted the personal data of more than 150 million Adobe users.

Adobe Call Center: 1-800-833-6687

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].

Prev Next

Target

December 2013

110 million customers affected

In December, Target announced that 40 million customer accounts were hacked stealing encrypted PIN numbers, credit and debit card numbers, card expiration dates, and the embedded code on the magnetic strip on the back of cars. Additionally, 70 million customers' personal information was compromised.

Target Call Center: 1-800-440-0680

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].

Prev Next

Neiman Marcus

January 2014

1.1 million customers affected

In January, high-end retailer Neiman Marcus revealed more than 1.1 million customers were affected in hack. Between July 2013 and October 2013, customer payment cards could have been potentially visible to hackers. Additionally, 2,400 unique customer payment cards used at Neiman Marcus stores were subsequently used fraudulently.

Neiman Marcus Call Center: 1-888-888-4757

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].

Prev Next

Yahoo

January 2014

Up to 81 million U.S. users

Late last month, Yahoo disclosed that Yahoo's email customers may have had their passwords compromised through a third-party application. The web company recently identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts, and notified RI Attorney General Peter Kilmartin. Upon discovery, the Company took action, urging users to reset passwords on impacted accounts.

Yahoo Call Center: 1-800-318-0612

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].

Prev Next

Michaels Stores

January 2014

Number of affected customers yet to be determined

In January, Michaels Stores announced that it is investigating a possible data security breach that may have led to customers' debit and credit card information being compromised. Michaels has more than 1,250 locations in the United States, including 29 in Massachusetts.

Michaels Stores Call Center: 1-800-642-4235

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].

Prev Next

White Lodging - Marriott, Hilton, Sheraton, Westin

February 2014

Number of affected customers yet to be determined  

This week, the hospitality company White Lodging Services announced that a data breach occurred at 14 of its properties including Marriott, Radisson, Renaissance, Sheraton, Westin and Holiday Inn franchises around the country. Compromised information may have included names printed on credit or debit cards, the actual numbers, the security codes and expiration dates.  

White Lodging Call Center: 219-472-2900.

For more information, MA residents may contact the Consumer Protection Division at the Office of Attorney General at 617-727-8400 or by email at [email protected].