October 22, 2017

Supreme Court needs to clarify the scope of the CFAA

The Computer Fraud and Abuse Act (CFAA) has been the primary “go to” statute for the federal government to prosecute hackers since it was originally enacted in 1986. Despite being amended several times since then, it is woefully out of date, and appellate courts have reached contrary conclusions about the meaning of key provisions, including what it means to access a computer without authorization or in excess of authorization, which form the CFAA’s basis for criminal and civil liability. Indeed, the very recent decision by the Second Circuit in United States v. Valle deepened the split between, on the one hand, the Second, Fourth and Ninth Circuits, which have adopted a narrow interpretation of exceeding authorized access, and, on the other, the First, Fifth, Seventh and Eleventh Circuits, which have adopted a broad interpretation that, among other things, would allow an employer to claim a violation where an employee misused employer information that he or she was otherwise permitted to obtain. Since Congress has shown no ability to act, the Supreme Court needs to resolve this serious conflict.

Valle arises from a truly gruesome and ghoulish set of facts. Gilberto Valle, a/k/a the “Cannibal Cop,” was charged with a number of counts, including improperly accessing a computer in violation of the CFAA. The evidence at trial included detailed emails and chats on websites where the defendant discussed butchering, raping, torturing and eating women whom he knew. The defendant obtained details about certain of these women using various restricted databases at work, including the National Crime Information Center database. The jury convicted Valle for violating the CFAA and the court denied Valle’s motion for judgment of acquittal on the CFAA count.

On appeal, the Second Circuit reversed the judgment of conviction on the CFAA count, finding that while he violated the terms of his employment by accessing the restricted databases for personal reasons, his actions did not constitute a violation of the CFAA because he was authorized to access the databases. The Valle Court adopted the approach set forth by the Ninth Circuit and by the Fourth Circuit, that “without authorization” applies to “outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to insider hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” The Second Circuit was concerned that while it may be distasteful not to impose criminal liability in this case, the “interpretation of ‘exceeds authorized access’ will govern many other situations” and could “unintentionally turn ordinary citizens into criminals,” and, thus, “the rule of lenity requires that Congress, not the courts or prosecutors, must decide whether conduct is criminal.”

In contrast, the First, Fifth, Seventh and Eleventh Circuits have interpreted the term “exceeds authorized access” much more broadly, and upheld convictions where the defendant was authorized to access the databases but exceeded authorized access because the defendant’s access to certain files was not in furtherance of the defendant’s duty as an employee.

There is now a clear split between the narrow and broad interpretation of what it means to access a computer without authorization or in excess of authorization under the CFAA. The Supreme Court needs to resolve this circuit split at the first possible opportunity because Congress has not shown an inclination to act. Further, as one commentator has noted, the Supreme Court also must adopt the narrow interpretation in order to prevent arbitrary and discriminatory enforcement of the law under the broad interpretation, which, among other things, would be unconstitutional under the void-for-vagueness doctrine of the Due Process Clause.

Further, the fact that the government has promised not to pursue garden-variety violations of the CFAA does not provide the necessary basis to uphold the broad interpretation. Indeed, it does just the opposite. The government has admitted, in essence, that it has the power to arrest almost everyone, but that we should trust it to prosecute only the serious cases. The obvious problem with this approach is that this is not a decision that should be made by the government. Whatever the merits of imposing criminal liability in a case such as Valle, it is the role of Congress, and not the courts or prosecutors, to decide whether conduct is criminal.

Since 1986, the CFAA has remained the principal criminal statute used by the federal government to prosecute hackers and, unfortunately, Congress appears to have largely given up any effort to remake the law to reflect the realities of the 21st century. It is therefore high time for the Supreme Court to step in and determine the breadth of unauthorized access under the CFAA and ensure that it will not be used by the government to prosecute, for example, an individual for checking their Facebook account at work, notwithstanding the government’s promise not to do so.

This blog first appeared in The Hill, Congress Blog on December 24, 2015.

The Defend Trade Secrets Act Is Not Ready for Prime Time

In my previous post, I wrote about the Senate Judiciary Committee’s hearing on the Defend Trade Secrets Act of 2015. Based on the hearing, it seems likely that the bill will move forward, but there are still a number of open issues that should be addressed before the bill is ready for a vote by the full Senate and House. Here are my thoughts about some of the more important issues:

 Degree of Force in executing a civil seizure order under the DTSA

The bill is silent on the amount of force that may be used in executing a seizure order. This is an issue that should be left to the district court and the Marshals Service to decide and should be determined on a case-by-case basis. Thus, the bill should permit the use of “reasonable force.” This language would allow a judge and the Marshals Service to determine what is “reasonable” under the particular circumstances of the case. The Marshals Service should have the authorization to determine the amount of force necessary to execute the search so as not to endanger the lives of law enforcement or innocent bystanders, while at the same time obtaining the items identified in the seizure order. In some cases this may involve knocking down doors or opening locked containers if they are likely to contain the stolen trade secret information.

It should be noted that the degree of permissible force is not mentioned explicitly under the civil seizure section of the Lanham Act. See 15 U.S.C. sec. 1116(d). Courts have permitted the Marshals Service “to use all reasonable force in conducting the seizure and may open doors, locks, boxes, brief cases and containers of any type or nature to locate and identify Evidence to be seized.” Otter Products, LLC v. Anke Group Indus., 2013 WL 5910882, at *4 (D.Nev. Jan. 8, 2013). See also SATA GmbH & Co. Kg. v. Wenzhou New Century International, Ltd., 2015 WL 6680807, at *13 (C.D.Cal. Oct. 19, 2015) (“The law enforcement officers executing this Seizure Order may use all reasonable force in conducting the seizure and may open doors, locks, boxes, brief cases, and containers of any type or nature to locate and identify Evidence to be seized.”). The Otter court also required the defendant to “provide any passwords necessary to access any electronically stored documents or electronic devices;” and limited access to “any seized Evidence to” outside counsel.

 Responsibility for sorting data

The process and responsibility of reviewing and sorting the data may prove to be very difficult issues. First, with regard to sorting the data, this issue has become very contentious with regard to searching and seizing computer evidence under the 4th Amendment. While there are obvious differences between the situations, both may involve the question of commingled data. In the case of the DTSA, this may involve, for example, locating a computer file containing stolen trade secrets commingled among thousands of files that are not relevant. Should the seizure order permit the Marshals Service to seize the servers, for example, containing the single file with the stolen data for later review, or should the order require that, at least, an attempt be made to remove the file with the stolen data on site? The court is in the best position to determine what is reasonable under the circumstances, taking into account, for example, the type of process that is likely to be least intrusive on innocent third parties.

The issue of the identity of the party responsible for the sorting of the data should also be left to the discretion of the court which is responsible for the issuance of the seizure order. Depending on the circumstance, the court may require that the evidence be placed in the custody of a third party, who has agreed to maintain the confidentiality of the information, or in other cases, the court may order that plaintiff’s outside counsel be given custody of the information. In both of the cases cited above, the seizure orders provided that outside counsel shall retain custody of the seized items.

Are protections against wrongful or overseizure sufficient?

In both cases cited above, the courts required the plaintiff to “agree to indemnify the law enforcement officers who may assist with the seizure and hold it/them harmless from any suit, claim, cause of action, damage, loss, or injury arising from the execution of seizure described in this Order.” SATA, 2015 WL 6680807, at *13. Otter Products (same). There is no reason that a court could not order a plaintiff to agree to similar indemnification under the DTSA.

Another issue that needs to be addressed here is the standard for determining liability for a “wrongful” seizure. The scienter level is not addressed in the bill. I do not believe that a strict liability standard should apply because such a standard would dissuade most plaintiffs from seeking a seizure order. Indeed, I think that the level should be the same as the Lanham Act that provides that a wrongful seizure cause of action shall arise only when the seizure was in “bad faith.” I think that this standard would provide sufficient disincentive to parties who may seek to obtain a seizure order for improper purposes.

Senate Judiciary Committee Hears Testimony on Defend Trade Secrets Act

On December 2, 2015, the Senate Judiciary Committee held a hearing on the Defend Trade Secrets Act, which is authored by U.S. Senators Chris Coons (D-DE) and Orrin Hatch (R-UT) and would provide federal civil remedies for theft of trade secrets. At present, trade secrets are protected civilly only by state laws. Congress has considered enacting a civil counterpart to the Economic Espionage Act almost every year since that statute was created in 1996. According to reports, this year the chances for success are higher than ever.

Trade secrets are the only form of intellectual property that is not protected by federal civil law. For a variety of reasons, including that patent protection has weakened in recent years, the importance and value of trade secrets has increased tremendously. Trade secret theft puts American jobs at risk and threatens incentives for continued investment in research and development in the United States. Supporters of the bill, including myself, believe that state laws do not adequately protect trade secrets and it is time for Congress to act and create a unified trade secret law in the United States. Victims of trade secret thefts should not be forced to resort to creative and sometimes unsuccessful strategies to bring suits in federal courts.

The bill has received widespread support, apart from some academics who claim that such a law would cause more trouble than it’s worth. Some of the potential issues cited include chilling innovation in the U.S., increased legal fees associated with litigating trade secret actions, and overall negative economic growth. At the Senate hearing, however, representatives from a variety of industries, including Delaware-based DuPont, explained the need for a federal private right-of-action to give companies the ability to protect their trade secrets in federal court.

“As an innovator, DuPont depends on intellectual property protection—including trade secrets,” said Karen Cochran, Associate General Counsel and Chief IP Counsel, DuPont in testimony to the committee. “Realizing the full potential of our innovation often includes knowledge-building that can span decades. This work generates a range of intellectual property from patents to trade secrets. DuPont recently defended the trade secrets for one of our well-known products, Kevlar®. This experience brought about our realization of the importance of S. 1890 and updating trade secret protection and remedies.”

The DTSA is currently backed by at least nine members of the Senate Judiciary Committee and has over 100 bipartisan Congressional supporters in the House and Senate.

 

Defend Trade Secrets Act of 2015

On December 1, 2015, I joined with 19 other attorneys who specialize in trade secret law in writing to Congress in support of the Defend Trade Secrets Act of 2015 (S. 1890, H.R. 3326). Almost every year since the passage of the Economic Espionage Act that criminalized the theft of trade secrets, a bill has been introduced in Congress that would provide a civil counterpart. These attempts have previously gone nowhere. This year, however, Congress may actually pass such a bill. On December 2, 2015, the Senate Judiciary Committee heard testimony in support of the bill. It has bipartisan support and is sponsored by Reps. Hakeem Jeffries (D-N.Y.) and Doug Collins (R-Ga.) in the House, and Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.) in the Senate. Sen. Orrin Hatch said he believes that the bill could get through Congress before the new year.

“There is no doubt that China and other foreign competitors are working furiously to steal American innovation from all sectors of the economy, including the high-tech, life sciences, manufacturing, agricultural, aeronautics, financial services and energy industries,” Hatch, who chairs the Senate Finance Committee, said in a speech at the U.S. Chamber of Commerce.

Even though trade secret litigation continues to rise in tandem with the increasing number of methods that employees can use to steal a company’s trade secrets (flash drives, smart phones, cloud-based storage devices), there is currently no federal civil cause of action that an employer can invoke if its trade secrets are misappropriated. In most jurisdictions, trade secrets disputes are litigated in state courts under a version of the Uniform Trade Secrets Act. According to Hatch: “In the U.S., trade secrets are the only form of [intellectual property] where misuse does not provide the owner with a federal private right of action.”

As a result, employers seeking to enjoin the misappropriation of a trade secret typically “plead themselves into federal court” by asserting a claim under the Computer Fraud and Abuse Act (CFAA).  While primarily a criminal statute, the CFAA also allows civil actions to be brought against an individual who “intentionally accesses a computer without authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication.”  (See 18 U.S.C. § 1030(a)(2).)  But where the CFAA is not applicable, employers have sparse civil federal remedies to invoke if trade secrets are misappropriated.

The Defend Trade Secrets Act of 2015 attempts to cure this situation.  The proposed bill seeks to enable employers and other trade secret owners to bring a federal civil action “if the person is aggrieved by a misappropriation of a trade secret that is related to a product or service used in, or intended for use in, interstate or foreign commerce.”   Under the bill, a successful plaintiff would be able to obtain injunctive relief, damages, unjust enrichment, royalties, and attorneys’ fees.

The bill also provides emergency relief.  If a trade secret owner can demonstrate, among other things, that immediate and irreparable injury will occur, and an injunction or restraining order will not be enough to prevent that harm, the bill authorizes a court to “seize” property necessary to prevent the propagation or dissemination of the trade secret that is the subject of the action.  The bill allows a trade secret owner to seek this relief “ex parte,” or without the presence or participation of the opposing party.

While the measure hasn’t moved since it was introduced months ago, Hatch sees an opening to slip it through before the end of the year, as he sees little opposition to the measure.

“This is the type of bill that could move by unanimous consent before Congress adjourns for the holidays,” he insisted.

Is Metadata Protected by the Wiretap Act? Third Circuit: It Depends!

In general, “metadata” is data that describes other data and summarizes basic information about data, which can make finding and working with particular instances of data easier. But does that definition mean that metadata, such as URLs, are categorically non-content? Such a bright-line distinction would mean that there is no substantive difference, for example, between the URL “www.webmd.com” and “www.webmd.com/alchoholabuse.” The former URL provides very little information about the visitor’s communications with WebMd, while the latter provides specific information beyond the mere fact that the visitor was communicating with WebMd. This is not an unimportant distinction, since the federal Wiretap Act, which was enacted in 1968 to regulate telephone wiretapping, prohibits the interception of the “contents” of a communication without the consent of a “party to the communication.” In 1986, Congress expanded the scope of the Wiretap Act to include computer networks. In an important privacy decision on November 10, 2015, the Third Circuit in In Re: Google Inc. Cookie Placement Privacy Litigation dismissed the Wiretap Act claim under Rule 12(b)(6), but determined that obtaining URLs by Google did involve the collection of at least some content under the Wiretap Act.

Unbeknownst to many Internet users, a user’s visits to websites are recorded through the use of tracking cookies that have been previously placed on the user’s browser, so that when the user visits a Web site, the Web site can have a third-party site send highly targeted advertisements to the user’s browser. The litigation involved allegations that Google violated the Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act under federal law, and various California state laws, including the right to privacy. With regard to the Wiretap Act, plaintiffs argued that the defendants violated the Act on the grounds that the use of tracking cookies created a record of what websites users visited without their knowledge. Users could set their browsers to block these third-party cookies, but the browser would not actually block them. In other words, advertising companies were able to gather this valuable information without the users’ knowledge. While the Third Circuit ultimately dismissed the Wiretap Act claims, it did find that Google’s actions amounted to “deceit and disregard” as it “not only contravened the cookie blockers—it held itself out as respecting ….”

“Not all Chinese are economic spies”

Here’s an article that was first published in The Hill on September 28, 2015.

The issue of Chinese economic espionage is likely to be one of the issues addressed when President Obama meets President Xi Jinping of China. This is a real and very serious issue. Economic espionage costs U.S. companies tens of billions of dollars in damages and causes the loss of thousands of U.S. jobs, and the FBI has identified China as the single greatest culprit. However, President Obama should also use this as an opportunity to apologize for the Justice Department’s misconduct in charging two Chinese-American U.S. citizens with economic espionage with the intention of benefitting China, and then abruptly dropping the charges after the evidence showed that there was no basis at all to charge the defendants, and they may have simply been caught up in a much broader dragnet aimed at combatting Chinese industrial espionage.

There is little doubt that Chinese government entities and Chinese companies are actively involved in economic espionage against U.S. companies and businesses. For example, a study I conducted found that, since the enactment of the Economic Espionage Act (“EEA”) in 1996, which is the federal statute that criminalizes theft of trade secrets, more than 30% of all prosecutions involved Chinese citizens or naturalized U.S. citizens originally from China. In addition, in approximately 30% of the total EEA prosecutions, the defendant misappropriated the trade secrets to benefit the Chinese government, an existing Chinese company or to start a company there. Since 2008, approximately 50% of the cases have a China connection, and eight of ten prosecutions that the government has brought for state sponsored economic espionage involve an allegation of Chinese government involvement.

Intellectual Property and Computer Crimes Release 24 is Here

Release 24 to my book, Intellectual Property and Computer Crimes, is here. The release features major revisions to the chapters on criminal copyright infringement and the DMCA. In particular, it adds to the chapter on the DMCA a detailed analysis of the elements that the government must establish beyond a reasonable doubt to prove a violation of Sections 1201 and 1202 of the DMCA, including that the defendant must act “willfully.” It also discusses the regulatory exemptions under Section 1201(a)(1), including: (i) nonprofit entities; (ii) law enforcement; (iii) reverse engineering/interoperability of computer programs; (iv) encryption research; (v) preventing minors’ access to the Internet; (vi) protection of personally identifying information; and (vii) security testing.

New Computer Fraud and Abuse Act Appellate Case

The Ninth Circuit has decided an important Computer Fraud and Abuse Act case. In United States v. Christensen, the court overturned CFAA convictions for employee misuse of a sensitive database. The appeal also involved many issues other than the CFAA. The defendants were connected with a famous investigative agency in Los Angeles, Pellicano Investigative Agency, which was known for high-profile investigations of the rich and famous. Pellicano was convicted under the CFAA for bribing a Los Angeles police officer, Arneson, to get Arneson to access police databases to obtain confidential police information to help Pellicano. Pellicano also paid a telephone company technician, Turner, to pay another telephone company employee, Wright, to go into the telephone company database and obtain confidential data that Pellicano could use to install illegal wiretaps.

At trial, the defense did not challenge the jury instructions relating to the CFAA. The jury was instructed on the key question of authorization as follows:

[A] defendant exceeds authorized access . . . when the defendant accesses a computer with authorization but uses such access to obtain information in the computer that the defendant is not entitled to obtain.

Exercising plain error review because the issue was not challenged, the Ninth Circuit held that all the CFAA convictions must be overturned because the jury instruction was obviously wrong. Under United States v. Nosal, the en banc Ninth Circuit had held that CFAA violations are “limited to violations of restrictions on access to information, and not restrictions on its use.” The Pellicano court held that the jury instruction violated the requirements of Nosal:

Although it was not obvious to the district court at the time, this definition of exceeding authorized access was flawed in that it allowed the jury to convict for unauthorized use of information rather than only for unauthorized access. Such an instruction is contrary to Nosal, and therefore the instruction constituted plain error.

The court continued:

The error was also prejudicial. Not anticipating Nosal, the government made no attempt to prove that Wright accessed any databases that she was not authorized to access in the course of doing her job. Although the government now contends that Wright’s use of the code “ERR” upon logging out in an attempt to cover her tracks constituted evidence of unauthorized access, we are not persuaded. “ERR” was a code that phone company employees were instructed to use if they accessed an account by accident. The use of that code did not necessarily prove that the employee was not authorized to access the database. Wright might have used the “ERR” code simply to divert suspicion as to what she was doing. That use of the “ERR” code may have violated company policy, but Wright may nonetheless have been authorized to access the database. Under Nosal, unauthorized use was not enough to support the convictions of Turner and Pellicano for aiding and abetting Wright’s CFAA violation.

The Ninth Circuit also reached a similar conclusion on the convictions associated with Arneson’s misuse of information from the LAPD database. The government had contended that Nosal does not preclude criminal liability under the CFAA for violations of state or federal law that restrict access to certain types of information. See, e.g., 28 C.F.R. § 20.33(d) (restricting the dissemination of certain criminal history information). The court rejected this argument, finding that while the state laws arguably prohibited Arneson’s conduct based on the way the information was used, as distinguished from the way it was accessed, this does not expand the reach of the CFAA. The Ninth Circuit pointed out that Congress has created other statutes under which a government employee who abuses his database access privileges may be punished, but it did not intend to expand the scope of the federal antihacking statute.

The Ninth Circuit also noted that the definition of unauthorized access under the CFAA is different from “access” under California Penal Code 502(h), which punishes one who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network[.]” In turn, “Access” is defined as “to gain entry to, instruct, . . . or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” Cal. Penal Code § 502(b)(1).

The court found that defendants’ conduct violated 502(h) even though it did not violate the CFAA, rejecting defendants’ argument that the state statute should be interpreted consistent with the federal statute as interpreted by Nosal. The court pointed out that in contrast to the CFAA, the California statute does not require unauthorized access. It merely requires knowing access. What makes that access unlawful is that the person “without permission takes, copies, or makes use of” data on the computer. Cal. Penal Code § 502(c)(2). The focus is on unauthorized taking or use of information. In contrast, the CFAA criminalizes unauthorized access, not subsequent unauthorized use.

While the outcome of the case seems to be consistent with the Nosal decision, since the evidence only established a use violation, it is interesting to note that the Pellicano court found the jury instruction with regard to exceeding authorized access to have been wrongly given, even though the jury instruction mirrored the definition found in 18 U.S.C. 1030(e)(6): “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” How can it be possible for a jury instruction to be an obviously mistaken statement of what the statute prohibits where it simply repeats the language of the text of the statute? In other words, is it possible for a jury instruction that mirrors the statute to be obviously wrong on the basis that it is inconsistent with the statute? I don’t know the answers to these questions, but it does highlight the need for Congress to amend the CFAA to clarify, among other things, what it means to access a computer without authorization or in excess of authorization.

One final point: because the court found that the jury instruction was erroneous instead of finding that there was insufficient evidence for the defendants to have been convicted under the requirements of Nosal, the government may retry the defendants for violating the CFAA.

 

 

Congress Again Considers Civil Trade Secrets Legislation

It’s that time of the year again when Congress considers legislation that would provide for civil remedies for theft of trade secrets. The Defend Trade Secrets Act of 2015 (S. 1890 and H.R. 3326), introduced on July 29, 2015, is based on the same standards for trade secret protection, and remedies for misappropriation, that are found in the Uniform Trade Secrets Act and the Economic Espionage Act of 1996 (“EEA”).

While similar attempts to pass such legislation have failed almost on a yearly basis, this year may finally prove different since the current legislation is supported by companies and associations in a broad array of industries, including biopharmaceutical, software, semiconductors, consumer goods, medical devices, automobiles, heavy equipment, chemicals, aerospace and agriculture. In addition, there is a newfound recognition of the importance of protecting trade secrets as a complement to the already existing federal statutes that protect trademarks, copyrights and patents.

The Defend Trade Secrets Act would create a uniform, national standard for trade secret misappropriation, harmonizing U.S. law, and provide companies with the ability to protect themselves. In limited circumstances, the law would provide for ex parte seizure relief when time is of the essence and the thief would not obey an injunction.

Last year, Sen. Orrin Hatch, R-Utah, and Sen. Christopher Coons, D-Del., introduced the Defend Trade Secrets Act of 2014 (S. 2267), and similar legislation, the Trade Secrets Protection Act of 2014 (H.R. 5233), was subsequently introduced in the House of Representatives. Both the Senate and House Committees on the Judiciary held hearings on the legislation. The House Judiciary Committee voted without dissent to report the bill favorably just before the elections, and it was never considered by the full House.

The legislation was introduced last week by Sens. Hatch and Coons and four other senators in the Senate, and by Rep. Doug Collins, R-Ga., and Rep. Jerrold Nadler, D-N.Y., with 14 cosponsors in the House. It reflects a consensus that among our most valuable currency in the global marketplace is our knowledge and creativity.

 

Collection Of Information By 5 Largest Tech Companies

The revelations by Edward Snowden about the NSA’s collection of “metadata” on every phone call that is made in the U.S. have led to concerns about whether the government should be collecting this type of information and whether there are adequate safeguards as to when and how the government may be permitted to use the information. Putting aside the host of legal and security issues associated with this program, most Americans probably still are not aware that, for example, the five largest tech companies, Google, Facebook, Apple, Amazon, and Yahoo, collect information that contains far more personal details and is available to the government for the asking. While the exact types of data collected differ somewhat amongst these tech giants, nearly all collect “ad clicks,” “browser information,” “email addresses,” “IP addresses,” “phone numbers,” “search queries,” etc. The companies aren’t stealing this information but are obtaining it without cost from users, who either don’t care or haven’t taken the time to read the privacy policies of the tech companies, which give the companies free access to this information.

Perhaps what is equally disturbing about the companies’ unfettered use of the information is the very limited legal protection given to such information. The primary and most important federal privacy law in the United States, the Stored Communications Act (SCA), which was originally enacted in 1986 to govern the privacy of computer network communications, grants Internet users a set of statutory privacy rights that limit the government’s power to access a person’s communications and records, but does not cover, for example, search queries. In other words, search records, such as whether a person visited a website for alcohol or drug addiction centers, can be disclosed to the government without even a subpoena.

Moreover, while standing alone each type of data may pose only a limited threat to an individual’s privacy, combining the different types of data generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about familial, political, professional, religious, and sexual associations that can be stored and mined for information years into the future, not only by the companies but by the government as well. Thus, if the search query for drug addiction or alcohol treatment is combined with ad clicks and phone numbers, a much more complete profile of the user is generated, which is freely available to the government. Because the information can be acquired by the government at little or no cost, there is no monetary restraint on the information collected by the government, which can lead to the government having access to a substantial quantum of information about any person whom the government wishes and may “alter the relationship between citizen and government in a way that is inimical to democratic.”

James Madison, the principal author of the Bill of Rights, is reported to have observed, “Since the general civilization of mankind, I believe there are more instances of the abridgement of freedom by the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.” Indeed, this data that can be freely obtained by the government at virtually no cost is just the type of “gradual and silent encroachment” into the very details of our lives that we as a society must be vigilant to prevent. Congress should carefully consider whether there should be limits on whether the government can obtain this information and how the information can be obtained. It is too important an issue for the government to decide without the knowledge and consent of the American public.