NY Cybersecurity Laws Seek a Much-Needed Update

Civil liberties lawyers take to Reddit to drum up support for new privacy legislation

Activists Luis Nolasco (L), Aki Rose (C) and Josh Rabb (R) hold placards reading "Secure Phones Saves Lives" during a protest in front of the US District Court in Riverside, California, on March 22, 2016. The US government's decision to delay its effort to force Apple to help unlock an attacker's iPhone may only postpone the inevitable drawn-out battle over encryption and data protection. / AFP / FREDERIC J. BROWN (Photo credit should read FREDERIC J. BROWN/AFP/Getty Images)

The March scuffle between the FBI and Apple sparked public debate over cyber security. (Photo by Frederic J. Brown/Getty Images) Photo by Frederic J. Brown/Getty Images

We all know (or at least, suspect) that when it comes to our personal electronic data, law enforcement can be a bit…grabby. This spring’s highly publicized battle between Apple and the FBI culminated in the government’s tech forces breaking open the San Bernardino shooter’s cell phone without the help of the manufacturer itself, and reignited the debate over whether old standards of privacy and compliance can or should apply to digital data as well.

According to the New York Civil Liberties Union, New York State is currently considering legislation, known as the Electronic Communications Privacy Act (ECPA), that would require state law enforcement to obtain a warrant before “physically or electronically accessing digital data.” Supporters see this law as a first layer of protection for cellphone users against law enforcement that can, as it stands now, access any emails, texts, Facebook messages or Twitter direct messages that are over six months old without any additional legal action.

To promote this effort, three lawyers from the ACLU and NYCLU, Mariko Hirose, Alex Abdo and Rashida Richardson, along with Wired reporter Kim Zetter (who has written extensively about the aforementioned Apple conflict) held a Reddit AMA this afternoon.

Many of the questions posed to the team centered on the partnership between public and private sectors – in other words, law enforcement hiring third party companies and contractors for use of their tech innovations. Hirose says that the use of stingrays, surveillance devices that can track and identify cell phone users, highlights “new oversight and transparency questions.” “How will public records acts apply to records held by those companies?” she continued, identifying a strange gray area that has concerned the ACLU and should probably concern everyone.

Some regions are already taking steps to combat this “spy-tech.” Commenters optimistically brought up a new law adopted in Santa Clara County, California that doesn’t only protect against one specific technology, but rather demands that the public and city council be notified of any new, potentially invasive technologies as they are invented or purchased. This came on the heels of an aborted effort last year in which the County Sheriff’s Office quietly intended to purchase half a million dollars worth of Stingray technology, but then was forced to drop the issue after widespread public outcry compounded with a belligerently uncooperative and secretive contractor. Hirose pointed to this new ordinance as a “promising” development in the fight for transparency.

California, incidentally, also currently has the nation’s strongest ECPA. Adopted last October, it provides the basis for the New York version and requires warrants for any state law enforcement agency to demand any metadata or digital communications, even the location of cell phones. Richardson considers this a strong victory for digital privacy and civil liberties as a whole, and a shining precedent for the plausibility of this type of legislation.

Things aren’t always so rosy, however, especially in the courtroom. Zetter decried the fact that law enforcement often misleads judges as the exact nature of their technology. Many judges simply don’t have a clear idea of the extent of what stingrays are capable of, for example, and are easily led astray by crafty defense attorneys: “Without knowing, for example, that a stingray affects every phone in its vicinity, not just a targeted phone, judges won’t know that they should impose minimization rules that would force law enforcement to purge data from bystanders immediately,” Zetter wrote.

The lack of immediate accessibility for these guidelines has impacted state lawmakers as well. Although Richardson said legislators are “generally receptive” to the bill, “some education” about the technology would be helpful in convincing concerned legislators that the bill wouldn’t negatively impact law enforcement’s ability to do its job.

The current version of the ECPA is nearly as old as the lawmakers themselves. It hasn’t been overhauled since 1986 – 30 years of technological advances that render a law that only concerns wiretaps completely obsolete. With the help of a Reddit community concerned about its privacy, and a public coming off the heels of the most highly visible tech security scuffle in recent memory, the NYCLU wants the updated ECPA to serve as a first step in protecting citizens’ data from the government.

NY Cybersecurity Laws Seek a Much-Needed Update