Prefer audio? Subscribe to the podcast!
Before we get to the interview, I have one small favor to ask. I've been writing this newsletter for about two months now and I'm still trying to figure out exactly where to take it, what the right release cadence is, and what not. I need your help to figure that out. I have a short, five question survey that will take you two minutes to fill out but would help me tremendously. Can't wait to hear from you.
Yesterday in Surveillance Today I highlighted a lawsuit filed in California by a coalition of activists. They're suing Thomson Reuters for selling utility records without consumers' knowledge. Last month, the Washington Post reported that ICE was using these records to track down and detain undocumented individuals. If you haven't read it yet, go check it out.
In that piece, I included an excerpt from a conversation I had with one of those activists who is also an attorney listed on the suit: Albert Fox Cahn. Albert is the founder and executive director of the Surveillance Technology Oversight Project and based in New York City. Below you'll find our conversation in its entirety where discuss the legal strategy, why the suit is important to our Fourth Amendment rights, and what kind of legislation could help fix this problem.
Now here's the interview. Please note that the text has been slightly edited for clarity. You can also listen to it above.
Ethan Gregory Dodge: Can you put the legal argument and strategy into simple terms?
Albert Fox Cahn: Of course. Well first off, thank you so much for having me. It's really a pleasure to be here. In terms of this lawsuit, it's actually a little more complicated. So we filed it with our co-counsel at Justice Catalyst, Gibbs Law, and Gupta Wessler back in December. But we weren't actually advertising it to the public, we weren't highlighting it to the press until after it was more recently removed to federal court. This gets into some of the complexities of state vs. federal and all of that.
But basically, what the lawsuit is trying to do is leverage California common law and this right of publicity, this right to own the monetization of your own likeness. The simplest way of thinking about it is, if they put Michael Jordan's face on a box of Wheaties, they have to pay him for it. They have to compensate him for taking his likeness and using it.
But what we're seeing is, according to our complaint, CLEAR, this service that's used by Thomson Reuters, is allegedly taking lots of people's photos, taking our utility records, taking our credit records, taking all of these data points from our lives -- really intimate and invasive information -- and selling it. Not to just law enforcement, not just ICE, but even private companies and it's really violating that principle that someone shouldn't be able to profit off of your likeness without your consent.
EGD: Is your legal argument enhanced by the California Consumer Privacy Act?
AFC: So this is something that actually predates the California Consumer Privacy Act. I think there's been some great headway made in protecting privacy in California privacy. We've seen CalECPA being used, we've seen CCPA starting to come into it's own. But really, the claims here largely are going back to much older principles of who owns your likeness, your information. It's trying to update those common law principles for the 21st century.
And I think that when you take a step back and look at so many of the vendors out there that are scraping our data and selling it, it really is absurd that we've allowed this invasive model to flourish.
EGD: Interesting. So was there a particular reasoning for filing in California?
AFC: Yes, because of the California common law protection. California law is its own separate beast. For every one law that's different, that's top of mind, there are a hundred on the books that are very different. We also brought a claim under section 17200, the unfair competition law in California which is one of the strongest in the country.
There are so many different factors that come into play when thinking about where to file. We've seen some bad case law from the federal courts trying to push back against nationwide class action under state laws. I think those should exist, those should be permitted. But just to file the strongest case we could, we limited this to a class of California residents. I can't wait until there are similar federal laws or state laws in every state that let us protect everyone's privacy.
EGD: The Post reported yesterday that Senator Wyden plans on introducing federal legislation. We don't know a ton about his bill because it hasn't been presented yet, but according to what he told the Post, it will law outlaw law enforcement from obtaining data through commercial sources without a warrant. Is that the type of legislation that you're referring to that you would like to see? Or is it much more expansive than that?
AFC: I think that's a huge part of it. This lawsuit is much broader than just the law enforcement piece. But the law enforcement piece, outside of that case, is something that I focus on day-in and day-out on the policy level. I helped author and introduce the first bill in the country that would ban law enforcement purchases of location data. It's a bill pending here in New York that we hope it will help make it illegal for the police to come in and buy up these really invasive data sets. And also ban new types of warrants that we think are completely inappropriate like geo-fence warrants, which try to obtain all the location data for everyone in a specified area. Or keyword search warrants, which we only learned about last year. These are warrants that say "give us the name of everyone who searched for the following phrase, address, or information."
The common thread here between our bill in New York that was introduced by Dan Quart and Zellnor Myrie and Senator Wyden's fantastic legislation is this idea that you shouldn't be able to buy your way around the Fourth Amendment. Our Fourth Amendment jurisprudence was written in the 18th century, it never contemplated this world where police, if denied a warrant application, could simply go to a data broker and buy the information they want instead.
The way our legal system is set up, if the police want to come to you directly and seize your data, often times they need a warrant or a subpoena. There is that sort of check, as flimsy as it can be. But when they want to get that data from someplace else, they can just buy it a lot of the time.
We've seen really grotesque examples of this. We saw the U.S. Air Force buying the location data for 90 million users of a popular Muslim prayer time app. They could have never gotten a warrant to compel the production of 90 millions peoples information, but they could just go out and pay for it. And we have no idea how often this happening in American policing. We know it's happening, but there's no reporting on it so there's no way to know if it's happening every day, every week or even multiple times a day. We don't know if law enforcement are purchasing data sets just in the thousands or if they're continuing to purchase data in the tens of millions.
Thomson Reuters, who we sued, there was great research from Georgetown Center of Privacy and Technology last week, I believe, where they highlighted that CLEAR, the same tool that we're suing over, they were selling utility records to ICE. So ICE could use the fact that you signed up for a phone line in order to deport you or your family. It's nightmarish and it has to stop.
EGD: That's a nice segue into CLEAR. How involved were you in investigating what data CLEAR had on your clients?
AFC: When it gets to the specifics of the litigation, I have to be a bit high-level. But what I would say is, I was very deeply involved in evaluating the information we could obtain to really understand the harm the was posing to our clients.
EGD: If you can, what would you say is the most notable thing you found out about CLEAR in your investigation?
AFC: Let me just speak in general terms about what's been reported by others. We've seen reporting that there are arrest records in this database. We've seen that there are photos that could be run through facial recognition in this database. We've seen reporting that there's potentially other biometric data. We've seen reporting that there is credit history, job history, and location history.
Without getting into specific information that was there about our clients, one thing to keep in mind is that, depending on who you are, maybe that doesn't sound so frightening, but imagine if you were someone with an order of protection because you're getting death threat. Imagine you're someone who's constantly scared for your safety. That's not an abstract, that is the reality for one of our clients, who has constant security concerns because of the death threats she receives. And yet, even though she's paying to scrub this information from the internet and paying services to prevent her personal data from getting out there, you still have a service like CLEAR that's profiting from selling that same exact data. That's something that I think is completely at odds with even the most basic guarantees of privacy.
EGD: Is there anything reasonable that somebody can do to avoid being in CLEAR's database?
AFC: That's the thing, I haven't seen a really meaningful way to really opt out of it. I haven't seen a way to remove your data, effectively. There are some forms on the website, but I believe many of them require you to submit government ID as part of your request, giving them even more information as part of a process purportedly designed to remove that information.
This is why we need stronger privacy laws and litigation. Even if there is a great way to opt out by navigating to some really obscure page and clicking a bunch of forms, that's not meaningful privacy protections. We need this to be something that is there by default for all Americans, not something that only is available to those who invest huge amounts of time in finding some obscure little form.
EGD: Overall, how do you expect the suit to turn out?
AFC: I feel like lawyers very early on that you can't make predictions. But I think the facts here are very compelling. I think the law here is quite clear. I'm really hopeful that this will have a really substantial impact in both protecting our clients and other Californians and hopefully laying the foundation for more work against other data brokers who are doing similar things.
The scary part is that this is such a profitable industry. There are so many firms in this field that we need some really sweeping and comprehensive action to address the scope of the harm that's being done.
To learn more about Albert's organization, the Surveillance Technology Oversight Project (STOP) visit stopspying.org. They've also got a great podcast that I highly recommend called Surveillance and the City.
To learn more about what data CLEAR had on Albert's clients, be sure to read my report on it from yesterday. And don't forget to take three minutes to take the survey!