New Illinois Law Says Cops Need A Warrant To Grab Data From (Some) Third Parties
from the on-the-other-hand,-you-still-have-to-deal-with-the-Chicago-PD dept
The state of Illinois continues to provide more protection than the US Constitution. Its privacy laws exceed what has been determined to be "reasonable" violations of privacy by decades of court precedent. This has allowed it to go after companies for violating state laws, even when the collections being prosecuted would likely be legal under the Supreme Court-created "Third Party Doctrine."
State law allowed Facebook to be successfully sued over its facial recognition program -- one that detects faces and attempts to match them to Facebook profiles to "tag" photos with names of account holder's "friends." This resulted in a $550 million settlement from Facebook -- a relative bargain considering the original asking price was $35 billion.
It also has allowed the state to move forward with its lawsuit against odious facial recognition tech provider, Clearview. Clearview sells access to its database and AI to government agencies for the alleged purpose of identifying criminal suspects. The AI -- finally independently tested years after its debut -- appears to be fairly solid. But its 10 billion image (and counting) database is composed of images and personal info scraped from thousands of websites and social media platforms. According to the state of Illinois, this collection violates state privacy laws because Illinois residents are not informed of this collection, nor are they given any opportunity to opt in or out.
Third parties aren't the only ones availing themselves of data harvested from the web. Government agencies are taking advantage of massive collections assembled by data brokers. The assumption by law enforcement is that no warrant is needed to obtain location info and identifying information from third parties because there's no expectation of privacy in information shared with apps, websites, and service providers.
It should be clear that's likely not acceptable in Illinois where state law regulates these collections to ensure end users are protected (at least somewhat) by mandates requiring notification and consent. Nonetheless, law enforcement persists in accessing this data, assuming their actions aren't illegal even if the collections they're accessing have been illegally obtained.
That's going to change. A new law that went into effect at the beginning of this year says Illinois law enforcement can no longer access this information without a warrant.
A first-of-its-kind law in Illinois limiting law enforcement access to data from household digital devices sits at the forefront of an emerging legal debate over protecting the privacy of such records.
The state’s law, which takes effect Jan. 1, comes as law enforcement seeks to tap into consumers’ growing collection of internet-connected devices, from smart speakers to security cameras. These devices can capture conversations, movements, and other information that could be used for investigating crimes.
Known as the Protecting Household Privacy Act, the law restricts the sharing of device data by requiring a search warrant or permission from the device’s owner, with some exceptions in emergency scenarios.
As noted above, the law [PDF] contains warrant exceptions that can be used if law enforcement believes there's an imminent threat to someone's life or safety, as well as if the officer believes a warrant could have been obtained but is somehow prevented from obtaining one immediately. That last exception is a nod to the "good faith exception," but the law at least demands officers still apply for and obtain a warrant for data collected under the exigent circumstances exception. And it's limited to certain devices, which means information from some data brokers will still be obtainable without a warrant.
The law is pretty solid. Exigent circumstances can be used to avoid seeking a warrant first, but a warrant must be obtained within 72 hours to legitimize the warrantless collection.
The bigger problem is the Stored Communications Act. This federal law is far less stringent and would allow Illinois law enforcement agencies to bypass the law by partnering with federal agencies. In those cases, federal law would apply. And even if local agencies don't seek this information directly, they will obviously have indirect access to whatever has been obtained by federal agencies.
The law seeks to head this off with this language:
In the event of any conflict between this Act and any applicable federal or State law, the requirement that establishes the higher standard for law enforcement to obtain information shall govern.
But, as stated above, this restriction only applies to Illinois agencies. Federal agencies can still obtain the data and presumably share it with local agencies to help them route around these newly imposed restrictions.
Despite its shortcomings, the law provides far more protection for Illinois residents than federal law -- or federal court decisions -- provide. It's a win for locals that generates some friction for federal partnerships. How the applicable restrictions will be applied remains to be seen, but it's a good move by the state to protect residents from the government overreach enabled by the Third Party Doctrine.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, illinois, privacy, warrant
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'm not holding my breath that agencies like the Chicago PD will follow any law that limits their ability to do their job however they see fit.
[ link to this | view in chronology ]
Obvious. Not Oblivious.
To me it's been obvious that warrants giving specific details of the data and again, specific details as to why the data, is necessary in a common law jurisdiction - it's consistent with long-standing constitutional common law traditions. It's one of the reasons why common law jurisdictions thrived rather than merely survived for so long. It makes the state predictable and thus dependable, rather than arbitrary and incapable.
Now it's probably time for Illinois to turn the DCMA on data brokers and the like - everything you do is generated by you, and can only be regarded as being on loan to any given company, for purposes of assisting them to assist you. If you doubt me, just ask what the consequences is of moving without telling a hire-purchase finance company you are paying off a purchase with, about your new location. If your data was theirs, they would simply ignore the locations. Also ask what the consequences are for a company that fabricates customer data out of whole cloth. So, the customer owns their data, and the company with it is merely a caretaker of it. And as the customer generates their data, it is reasonable to believe that they own the copyright on it. And whatever minor copyright said company may have on such a collection of data, is merely on the aggregate of such data, and not on the individual pieces of data. Illinois should in theory have the power to bankrupt Facebook for the criminal abuse of its customers' copyrighted data, whether by Facebook or by Facebook in collusion with any data broker or suchlike.
[ link to this | view in chronology ]