Anonymous on Campus?

Topic:

     This past year has seen a rise in racially related incidents and protests on college campuses.  Popular apps like Yik Yak and Yeti (which allow anonymous users to post to a geo-location restricted feed such as a college campus) have been used to make racist or threatening posts.  A survey of college officials in April of 2015 showed that a majority of those responding monitored the public feeds of such anonymous apps.

Blog:

            Geo-restricted, anonymous apps such as Yik Yak and Yeti have become popular on college campuses because they provide a space for students to share their experiences and opinions with fellow students, free of social dynamics that may otherwise inhibit expression. Along with being a place to share humor and gossip, these apps have been used to make threats and racist, sexist, or otherwise dangerous or offensive posts. Simultaneously, protests and racist speech have been occurring frequently on college campuses, prompting many college administrators to monitor student social media feeds, and even take action to determine the student’s identity if a concerning post is found. This monitoring and identity seeking takes place in the name of safety, but raises concerns about student's privacy and right to free speech.

Reasons for Monitoring

            Monitoring of student social media sites of all kinds has become one way for administrators to try to prevent bombings, shootings, and racist or sexist incidents from occurring on college campuses. This method has become common practice because perpetrators have been known to post hints or plans of an attack on social media, and anonymous platforms in particular have allowed students to harass and degrade others without consequences. Even if posts don’t pose a direct threat, they can be hateful and directed at an individual or group of people, which can cause mental health problems and social anxiety for students on campus, so administrators have felt pressure to try to protect their students. Some students have even requested that their peers be outed and disciplined for posts made about them, such as in a case brought by five female students and two feminist groups against the University of Mary, Washington and the school’s president, because feminist students had been harassed and received threats of sexual violence by fellow students on Yik Yak, but the students did not think administrators responded correctly.

Privacy Concerns Around Monitoring Anonymous Student Media

            Active, ongoing monitoring of anonymous student social media by school administrators can be viewed as an invasion of privacy because administrators are conducting a form of mass surveillance, especially if the school is state funded. Anonymous posts may still contain personally identifiable information, such as specific classes a student is in or the student’s residence hall, which could lead to their identity being discovered. It is also possible that a student could be identified and targeted online by an anonymous student, so only the victim would be revealed to administrators. If a student makes an anonymous post on social media and is then outed by administration they may be judged by their professors, peers, and potential employers. This outing may even go so far as to violate FERPA, if private information about a student is distributed without permission from the student.

Deliberate attempts by administrators to determine the identity of a student that has posted anonymously may also be considered a violation of the First Amendment, especially if the school is run by the state. If students know their administration will seek to determine their identity for any posts deemed inappropriate by the administration, then their free speech will be limited and they will have to self-censor. Censoring of hate speech is good, but students may  have to avoid posting opinions that cast administrators, professors, and schools as a whole in a negative light. Attempts by administrators to determine who made a post by requesting information from the app may violate a student's privacy because it attempts to take away their anonymity, and could lead to the student being sanctioned. If administrators attempt to sanction a student for speech, even unpopular speech, that doesn’t directly threaten anyone or break the student code of conduct, they are violating the First Amendment.

Current Laws Regulating Student Free Speech, Anonymous App Use and Monitoring

            According to the National Association of College and University Attorneys, “public institutions may only prohibit and discipline speech falling in those categories outside the protection of the First Amendment, such as “fighting words,” [10] speech inciting imminent lawless action [11], “true threats,” [12] unlawful harassment [13], obscenity, and defamation.” Based on a number of different court cases, student speech on and off campus is protected by the First Amendment. It is important to note that private schools have more power to restrict student speech on campus and take disciplinary action than public schools do, so long as rules are outlined in their student code of conduct. There is no law regulating administrators monitoring, or addressing student speech if no disciplinary action is taken that would violate the student’s First Amendment rights.
            In Utah, there is a law that doesn’t allow colleges and universities to ask students for their social media account information, but allows monitoring of the accounts. This law was created to respond to the athletics department at Utah State University requiring students to give administrators and a third-party monitoring company their usernames and passwords so the accounts could be directly monitored. USU also stopped active monitoring after finding that it was taking up a lot of their staff’s time. Now, instead of monitoring, the USU athletics department has a class to teach athletes about responsible social media use.

My Opinion

I do not think college administrators should actively monitor public student social media feeds. I think it’s the duty of administrators to educate students, not to monitor their social media activity. To me it is a waste of time and money, and counts as surveillance. While I recognize that ensuring student safety is one facet of a school administrator's job, I think they should approach safety through educating students, encouraging respectful discourse, and deferring to experts. If a problematic post is brought to an administrator’s attention, I think they should work with the Title IX Office and/or university police to address the issue because those departments have the training to recognize and respond appropriately to potential threats or illegal activity. While I am okay with administrators asking students to take down posts that are offensive but not threatening or illegal once, I don’t think they should seek to determine student’s identities unless a post is brought to their attention that presents clear danger, and law enforcement is involved.

Q. OF THE WEEK NO. 9

The Food and Drug Administration has required all TV advertisements for prescription drugs to list possible side effects.  Should the Federal Trade Commission require all TV advertisements for "smart devices" to list possible privacy and security risks?

The Internet of Things: Left to their own Connected Devices

Brady Jacobson

Blog Post 8

The Evolution of the Internet:

Although initially limited to devices such as computers, the internet allowed users to find information, communicate with others, and even run businesses with greater ease than ever before. The internet embedded itself into society thanks to the way it revolutionized sharing information, and yet the internet may become even more ingrained into our lives.  The Internet of Things (IoT) allows users to connect many devices in their possession through the internet, such as thermostats, phones, toasters, and more. This interconnection of items offers several concerns, such as what the information is used for and how easy it is to gain access to personal data. While I believe the Federal Trade Commission (FTC), the agency in charge of ensuring consumer protection in the marketplace, should set regulations on the IoT, I understand why some believe the IoT industry itself should employ self regulation.

The Danger of Connection:

The IoT allows users to live efficient lives. Connected cars give drivers useful information about their trip and Smart fridges keep track of the owner’s groceries. Even with its benefits, the IoT can be abused by others. If a business has access to your fridge information, you may be targeted with advertisements for regularly purchased products. Governments can use information from your car to track the driver. As posited by Philip N. Howard, “The IoT may improve resource allocation and decision making… but this does not necessarily mean that it will give citizens more say in how society is run.”(Howard, O’Maley, 178)

Those with access to this information may cross the line into illegal territory by stealing the data. For example, while connected pacemakers can assist medical experts, such data “...can leave a patient exposed to the theft of personal data or even threats to personal safety.”(Howard, O’Maley, 176-77) Even those without legal access to information can still find ways to break in. Hospitals benefit greatly from a tightly connected network, but a competent hacker can ruin the system. As detailed in an article by Rachel Z. Arndt, if a hacker enters the system they can “...easily disrupt an entire network. They … can demand ransom in exchange for the decrypted files...”(Arndt)The greatest concerns regarding the IoT is how a user’s information can be used for detrimental purposes, such as business invading privacy by profiling users or hacker breaking security by stealing information.

Steps towards Regulation:

While most members of the FTC and congress want some kind of regulation, there is little consensus on who should create the regulation.  In March of 2017, the chairman of the FTC, Maureen Ohlhausen, announced that the FTC would employ a “wait and see” approach. Ohlhausen stated “We don't know if that risk will materialize. It may well materialize, but a solution may materialize at the same time...” (Ohlhausen). Ohlhausen decided her agency would not create any legislation regarding the IoT, instead relying on the creators of such products to decide on a series of best practices. While some companies may look out for the user’s safety, others may value making a profit over the protection of its users. This is clear in a survey completed in 2015 that found “...85% of IoT developers admitted to being pressured to get a product to market before adequate security could be implemented.”(Basenese)

In most industries businesses don’t always regulate based on the safety of its users. At the same time, if businesses relied on the government to regulate, new laws may pass that will severely limit innovation. The IoT may not even exist if it wasn’t for competition among competitors, so the government would need to be careful with regulation. In December of 2017, the FTC, led by Ohlhausen, hosted an “Information Injury Workshop” where researchers, industry representatives, and more were invited to discuss the misuse of user information. The workshop furthered the discussion of personal threats like doxing alongside financial threats. For the FTC, the workshop was an attempt to “...prioritize action to address real consumer harm, while being mindful not to stifle innovation and economic benefits by casting an overly-broad net based on potential harms that may never occur.”(Wasch) It is clear that regulation will have to hit a fine line between defending users and encouraging improvements.

Complete Safety vs Innovation:

Between the government creating laws to protect citizens or the industry creating best practices to encourage technological breakthroughs, I would prefer the government to ensure my safety regarding the Internet of Things. When the IoT can collect info through connected toys, speakers, televisions, and more, it's becoming easier for hackers to steal valuable information or businesses to profit off of my data. The industry should be able to innovate and evolve over time, but there our countless examples where big businesses have prioritized profit over protecting the user. Although the FTC is currently trying to find a middle ground between innovation and protection, I ultimately believe the government would be able to defend us better by creating regulations to limit the use of our information and taking steps to deter hackers.

Citations:

     O'Maley, D. Howard, P. The Internet of Things. https://muse-jhu-edu.ezproxy.lib.utah.edu/article/623619/pdf

     Arndt, R. (2018, January 22nd). The Internet of Things that can be Hacked. http://go.galegroup.com.ezproxy.lib.utah.edu/ps/i.do?&id=GALE|A524863911&v=2.1&u=marriottlibrary&it=r&p=AONE&sw=w

    Thielman, S. (2017, March 14th). Acting Federal Trade Commission head: internet of things should self-regulate; Maureen Ohlhausen, the commission's sole Republican and its acting chair under Trump, defended using big data to alter pricing from consumer to consumer. http://go.galegroup.com.ezproxy.lib.utah.edu/ps/i.do?&id=GALE|A485443534&v=2.1&u=marriottlibrary&it=r&p=AONE&sw=w&authCount=1

   Basenese, L. (2015, December 21st). The Best Play on the Internet of Things Trend. https://www.wallstreetdaily.com/2015/12/21/internet-of-things-future/

    Flittner, K. (2015, November 6th). Suprised? Turns out, Consumers don't Trust IoT Security. https://auth0.com/blog/surprised-turns-out-consumers-dont-trust-iot-security/

    Wasch, K. (2018, February 26th). FTC should focus on actual, not speculative, consumer harm. http://thehill.com/opinion/technology/375580-ftc-should-focus-on-actual-not-speculative-consumer-harm

    Information Injury Workshop. https://www.ftc.gov/news-events/events-calendar/2017/12/informational-injury-workshop

Q. OF THE WEEK NO. 8

Should any designer of an operating system for a smartphone or tablet that is manufactured, leased or sold in the United States be legally required to ensure that data on such devices is accessible pursuant to a search warrant?

Topic:

In early 2013, Edward Snowden, an employee of an American defense contractor, leaked a trove of classified documents to the media regarding a massive surveillance program run by the National Security Agency.  The leaks sparked national and international debates about the powers of the NSA and numerous lawsuits were filed challenging the constitutionality of the surveillance.

Snowden has been charged by the DOJ with theft of government property and violating the Espionage Act of 1917 by communicating national defense information to unauthorized persons.  Snowden is currently in Russia pursuant to a temporary grant of asylum.

Snowden has been called a “traitor,” a “hero,” a “whistleblower” and a “common criminal.”  The U.S. public seems split on whether he should be praised or condemned.

Blog Post:

Edward Snowden: Patriot or Traitor?

In June 2013, The Guardian reported on leaked information about a mass surveillance program orchestrated by the United States NSA known as PRISM. the PRISM program began in 2007 under President George W. Bush under the passage of the Protect America Act, a controversial amendment to FISA that removed the warrant requirement for government surveillance targets reasonably believed to be outside the United States. However, Edward Snowden's justification for leaking the PRISM program was that its extent was far greater than what the public knew. The leak began on June 6, 2013, when The Guardian reported that Verizon had been court ordered, under PRISM, to hand over all its telephone data on an ongoing, daily basis.

The next day, The Guardian and The Washington Post reported in-depth on the PRISM program and the participants in it. The leaked documents identified several different technology corporations as participants in the PRISM program, such as Microsoft, Yahoo, Google, Facebook, Youtube, Skype, and Apple. However, the report stated that 98% of information came from Yahoo, Google, and Microsoft.

Snowden, knowing that his disclosure of this information was highly illegal, flew to Hong Kong in May 2013 before leaking the information. He was charged with two counts of violating the Espionage Act and theft of government property. His passport was also revoked. He now lives at an undisclosed location in Moscow, Russia, where he has been permitted by the Russian government to stay until at least 2020.

Privacy Concerns Regarding PRISM and its Leak

Many see the PRISM program as a vast overreach of government surveillance, especially since the Protect America Act on which PRISM was built only allows for the warrantless surveillance of foreign targets. However, as The Verge states, "the basic idea [of PRISM] is that it allows the NSA to request data on specific people from major technology companies like Google, Yahoo, Facebook, Microsoft, Apple, and others. The US government insists that it is only allowed to collect data when given permission by the secretive Foreign Intelligence Surveillance Court."

However, this creates several issues. Essentially, the NSA has the ability to collect data on anybody, including Americans. This was largely confirmed by James Clapper in 2014. This obviously creates countless privacy concerns among Americans regarding their technology and exposure to the NSA. Another issue is the government's own secrecy about PRISM. The FISA Court is extremely secretive and classified, so Americans have little to no way of knowing if it actually serves as a check or balance on the NSA.

However, many government officials, including most members of Congress, seem more worried about the secrets of the United States Government being released to potential adverseries than the privacy of its own citizens. Many have called Snowden's actions treasonout and have branded him a traitor.

Benefits of PRISM and its Leak

Still, many would say that in this Post-9/11 world, the PRISM program is essential to national security. The argument typically made in defense of government surveillance is that in order to live in a safer world, we must give up some of our privacy rights. This defense was used by President Obama immediately following the leaks. 

Still, one could argue that in order to defend one's own privacy, or to even have privacy in the first place, one must know the parameters of it. It could be said that Edward Snowden gave privacy rights back to the American people when he leaked this information and it became public knowledge.

Current Laws Regarding Surveillance in the US

As far as I know, PRISM is still active, but some other programs revealed by Edward Snowden have since ended, at least officially. It's obviously hard to know whether or not certain laws or rules exist given the United States' secrecy on the subject. FISA and many of its amendments still exist, however.

My Opinion

I think what Edward Snowden did was right. Americans have every right to know the parameters of their privacy and his leaks did much to expose that. With that being said, I would never expect the government to let him off without any punishment. He was contracted by the government to fulfill a certain duty, and he betrayed that duty – still largely to the benefit of Americans and people around the world. After researching this complex issue, I would label him a whistle-blower, since I think that what the NSA was doing was largely illicit. I also hope and believe that in a generation or two, we will look back on Snowden fondly, and be critical of the Post-9/11 decay of personal privacy that took place here.

Week Eight Takeaways

26 February 2018

Blog Post Discussion:

• Quaid’s Conclusions - the use of body cameras is generally beneficial and will increase “transparency in police-public interactions”, but to work properly they need “strong regulation”.
• Can protect police from false accusations
• Generally good because they help ascertain the truth - Ivana reminds that video is not absolute and is still subject to interpretation
• Shooting of Abdullahi Omar Mohamed - Fight over whether SLCPD had used excessive force or not.
• Dispute between police and news about release of body cam footage - DA refused to release because of ongoing investigation and privacy concerns (for the officers). ACLU sued and tapes were subsequently released by the DA ~ 1 year after the court proceedings. 
• Footage+Article, More Raw Footage
• This shooting is a good instance of protection of the police through the use of body cameras; after body cam footage was released, debate about excessive force quieted down because people could see it was justified, if not warranted. 

Groups recorded through the use of body cameras:

• Perpetrators/suspects
• Victims
• Bystanders/non-suspects
• Police officers

Privacy Questions:

• Should the camera include video, audio, or both? 
• Although in certain cases audio/video may be invasive of privacy, in general it seems that the need for transparency and the increased efficacy of both audio and video supersedes individual privacy concerns. 
• When should the camera be activated? 
• On every time they interact with the public vs. on every time they put on the uniform/always on. Always on could record private interactions (e.g. in the home, using the restroom) and prevents additional privacy concerns. 
• Once activated, when should the camera be deactivated? 
• At the end of the interaction/2-3 minutes after interaction ends vs. at the end of their shifts 
• Should advance notice of activation be required? 
• Yes, but no consent required. Alternatively, notice should be encouraged, but because circumstances may make it impractical, notice should not be required. 
• What happens when someone objects to the use of body cameras? 
• Have a way to censor the identity of the person objecting 
• Consent to their request, but only if the perpetrator has been arrested or otherwise handled 
• Should there be special rules when an officer wearing a body camera 
• interacts with certain types of persons? Or 
• No, it should be dealt with later. However, the footage should be taken regardless of privacy concerns. A type of person could include minors, and the footage would be censored for private content prior to release. 
• operates the body cam in certain spaces? 
• Possibly have them off in private places (AA, churches, homes, restrooms). In the case of a perpetrator being in their home, getting a warrant for access would also include provisions for recording within the home. In other words, home should be excluded unless the officer wouldn’t ordinarily need a warrant or the warrant itself provisions the use. 
• May the body camera be used surreptitiously ? 
• Yes, but only in undercover operations. Otherwise, should be used in easily visible locations 
• How should the video be stored? How long? 
• Encrypted storage with a five year maximum 
• It depends on the circumstances. If it’s a traffic citation, maybe 24 hours to a couple of weeks 
• Who should have access to the camera footage, and when? 
• Public records request required - sensitive information (e.g. minors) may be censored to protect privacy of individuals 
• Should camera footage that is released to the public be redacted or blurred to obscure the identities of certain individuals? 
• Should body cameras be equipped with FRT? 
• It would be helpful, but it would also have grounds for serious abuse. It removes the time/human resources required that make police forces evaluate the need to identify an individual - with FRT, they can do it in an instant. 
• This also leads to the possibility of tracking and removes the need for permission. 
• Use of FRT would identify others who would ordinarily not be identified, e.g. passengers in a car pulled over for speeding.

SLCPD Policy (HB 300): (their answers to the above questions)

• Both audio and video required. 
• Anytime there is an encounter with the public
• Activated until the encounter is over
• Advance notice is not required, unless they are entering a private residence. Notice can be audible or visual (e.g. in a clearly visible position with a red indicator light showing that it is recording). 
• If it involves a victim/witness reporting or discussing a crime and they request that the officer turn off the camera, and that the officer believes they will not obtain the information otherwise and the information outweighs the use of the body camera, the officer has discretion and may/may not turn off the camera. 
• Body cameras never used when talking with/interviewing CONFIDENTIAL informants, or with another undercover officer. 
• Also, body cameras should not be activated when there is a reasonable expectation of privacy (e.g. homes, restrooms, dressing rooms, the gym, etc.)
• SLCPD has no ruling on surreptitious use of body cameras. 
• Store footage in online encrypted database. Data retained for 6 months minimum, to three years with chance of extension. Any shooting is required to be stored for 2 years minimum.
• Public records request required to obtain footage - however, they are classified as public records. Footage required to be released in a minimum of 10 days in cases involving shootings/violence.
• Violation of any policies could lead to discipline. 

28 February 2018

Recent Privacy Developments:

• US v Microsoft - US requested access to records stored on a server in Ireland. Microsoft refused to help, and told the US to get assistance through Ireland (which would have been possible; US and Ireland have MLAT) to avoid violating Irish law. US argues that because Microsoft is a US based company and has access to the content on the servers from the US, the privacy is accessible through US warrants.

Drones and Privacy:

• Drones themselves are not inherently invasive of privacy, but they can be equipped with technology to make them invasive of privacy (e.g. thermal imaging, ALPR, video cameras, night vision, FRT, etc.)
• What are ways drones could be used to invade privacy by the gov. or by private citizens?
• Recording private moments (spying)
• Follow/surveil an individual - commercial/private drones already have tracking and object avoidance technology
• Stalking & harassment
• Drones have become more of a privacy concern because cost has decreased significantly and will likely continue to do so.
• Drone regulations by FAA DO NOT address issues of privacy

Addressing Drone Privacy Concerns:

• Electronic Privacy Information Center (EPIC) sued FAA for failing to implement privacy issues in their drone regulations. Suit still pending. 
• NTIA adopted voluntary “best practices” for both commercial and private use of drones. Most organizations have adopted these “best practices” but they are not backed by law.
• Give notice of use of drones which collect information
• Do not collect data where operator knows a person has a expectation of privacy
• Avoid persistent or prolonged surveillance
• Make reasonable efforts to minimize flying over private property
• Retain information collected for as short a period of time as possible
• Do not use any information collected for employment, credit, or health care purposes
• Establish a process for people to complain and request deletion
• Limit sharing of information collected with third-parties
• Take reasonable steps to de-identify any information released to public
• Comply with all federal, state, and local laws

Legal sources for redress of possible privacy violations by drones:

• Civil and criminal statutory privacy protections
• Common law privacy protections
• Constitutional privacy protections

State Regulation: 32 states have decided the existing legal sources for redress do not adequately cover the privacy concerns of drone use, and have banned or regulated the use of drones. 

• Idaho - no surveillance, no flying over another person’s private property. Also, no drone use for hunting. 
• Kansas - drones for stalking/harassment = violation
• Louisiana - illegal to use drone w/ video on any school premises or prisons

Drone No Fly Zones: areas where drones are completely prohibited. Similar to firearm prohibitions in cities. Could be for the entire city, or for specific buildings (e.g. hospitals, churches, schools).

Utah Law:

• SB167/HB296 - Use of drones by law enforcement. Law enforcement is prohibited from using drones w/o warrants, places limits on data storage, and prohibits the use of privately collected data. It also authorizes police to shoot down drones, and from using drones within 5 miles of wildfires.
• SB0111

Open Legal Issues:

• Property defense by shooting down drones - ongoing issue, but generally destroying drones flying over one's property is not acceptable
• Right to anonymity - drones with facial recognition technology remove right to anonymity in a way that other technologies (surveillance cameras, body cameras) do not

QoW Discussion:

• Niccolo (No, regulation not required) - comparison to California v. Ciraolo, “drones are not significantly different than airplanes . . . [so the case] should hold true for drones”.
• Drones more readily available, cost less, more mobile, can hover, are significantly smaller, quieter, etc. There’s a difference in technology and ease of use. 
• Court will likely determine that courts are different than airplanes 
• Andrew (Yes, regulation is required) - different technology applied to drones can lead to in-home surveillance