Category Archives: Law: Constitutional Law

Do You Have a Constitutional Right to Have the Government Safeguard Personal Data It Collects From You?

Posted on September 26, 2017 by Michael Froomkin

Most legal academics are happy to be cited by courts–it’s at least proof of relevance. But it’s better if the Judge agrees with you, and that’s not what happened this week when Judge Amy Berman Jackson of the District Court of the District of Columbia, discussed my article Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009).

My article argues, correctly I still believe, that if the government takes your personal data, and then mishandles it so that it leaks to your detriment, the government has committed an actionable harm:

The key case in establishing the contours of the Due Process right to compensation for certain government data breaches is Chief Justice Rehnquist’s opinion in DeShaney [v. Winnebago Cty. DSS, 489 U.S. 189 (1989)]. Chief Justice Rehnquist is an unexpected source for a major information privacy right, and DeShaney is a particularly unexpected locus for its elucidation. DeShaney is notorious as an opinion in which the Supreme Court held that the state of Wisconsin had no duty under the Constitution to protect a boy, the infamous “poor Joshua” of Justice Blackmun’s dissent, from a permanently disabling beating by his father. The absence of a duty was controversial because the state social services were on actual notice that Joshua had been repeatedly injured and was at risk. In finding that the Due Process clause imposed no duty of care on state social services regarding children residing with a parent, at least absent a statutory or regulatory undertaking to protect children from their parents, Chief Justice Rehnquist distinguished Joshua’s case from one where a duty would have existed. Mere notice was not enough; the state would have had a duty only if it had placed Joshua in circumstances where it “renders him unable to care for himself, and at the same time fails to provide for his basic human needs ….” The duty arises “from the limitation which it has imposed on his freedom to act on his own behalf’ not “its failure to act to protect his liberty interests against harms inflicted by other means.’ Chief Justice Rehnquist immediately added in a footnote that, “[e]ven in this situation, we have recognized that the State ‘has considerable discretion in determining the nature and scope of its responsibilities.'”

When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has “by the affirmative exercise of its power” taken the data and “so restrain[ed]” it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s “affirmative duty to protect” the data “arises … from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.’ Again, “it is the State’s affirmative act of restraining the individual’s freedom to act on his own behalf” which creates a duty on the government to keep the data secure. The State created the danger, and thus the State is responsible for the outcome.

The plaintiffs in sought to apply this theory to the massive data breach by the Office of Personnel Management, AKA the OPM hack. Plaintiffs claimed the government breached an actionable duty by failing to protect (or, as plaintiffs put it, being grossly negligent in failing to protect) their personal data.

Unfortunately, Judge Jackson did not agree (footnotes omitted):

Given … the absence of binding precedent one way or the other, this Court also finds it prudent to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so. And it is not necessary here because the NTEU claim is asking the Court to recognize a constitutional violation that no court has even hinted might exist: that the assumed constitutional right to informational privacy would be violated not only when information is disclosed, but when a third party steals it. See NTEU Compl. ¶¶ 96-98; NTEU’s Opp. at 25-44 (arguing that the government has an affirmative duty “grounded in the constitutional right to informational privacy” to safeguard plaintiffs’ private data). In other words, even if an individual who completes an SF 85 or SF 86 has a constitutional right to privacy in the information he or she is being asked to provide, it is well-established that the government has the right to gather that information. And even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty — separate and apart from the statutory requirements enacted by Congress — to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).

The sole source plaintiffs identify for the existence of the affirmative duty they would have this Court enforce is a law review article. NTEU’s Opp. at 37, citing A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009) (“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has `by the affirmative exercise of its power’ taken the data and `so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s `affirmative duty to protect’ the data `arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”). Given the absence of any binding precedent — or even any persuasive writing from other courts — that recognizes a constitutionally based duty to safeguard personal information, and the D.C. Circuit’s expressed skepticism about the existence of a right to informational privacy in the first place, this Court is compelled to hold that plaintiffs have failed to state a constitutional claim.

The thing is, my article anticipates Judge Jackson’s rejoinder:

One might object that the DeShaney holding stands for the proposition that when the government stands by and lets another do harm to a person, that person has no recourse unless the government has taken on an affirmative duty to protect. In this view, exposing private data on the web or losing an unencrypted database is not the harm. Rather, the harm comes from a third party’s use of the data, something for which this reading of DeShany says the government should not be blamed. But this is a misreading of De- Shaney because the analogy is incorrect. In DeShany, the State had no duty because it had never taken Joshua into care. The harms he suffered at his father’s hands were private wrongs, a direct transaction in which the government had no part. […]

Indeed, it was the claim that the government had a duty to intervene which was the heart of the plaintiffs case, and which the majority rejected.

Contrast this to a hypothetical lost database: there is no question that the government had taken full control of the data before it lost them. Once the government takes that control, the subject of the data is completely disempowered with regards to how the data will be protected. Therefore, it is nonsensical to suggest that when the government negligently allows a third party to access the data, that third party is the only relevant actor for Due Process purposes. The government remains the critical intermediary, the one actually responsible for allowing the loss. In the case of information controlled by the government, it is not a bystander, but rather a direct agent. The government’s active role in controlling the data, one that displaces the subject or owner of the data, is what creates the duty of care. Or as the Seventh Circuit stated, “The state must protect those it throws into snake pits, but the state need not guarantee that the volunteer snake charmer will not be bitten.” [Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986).]

In short, Judge Jackson links two issues that I think ought to be seen as separate. One issue is whether the Constitution creates a a generalized right to information privacy. Judge Jackson notes, fairly enough, that currently there is no judicial recognition of such a right. But that’s not the only question at issue here. Even in the absence of a general substantive constitutional duty to protect information privacy, I believe that the rule in Chief Justice Rehnquist’s DeShaney opinion compels the conclusion that when the government demands your data, takes it, and fails to care for it, that creates a valid claim.

Judge Jackson may be right that the D.C. Circuit is not ready to find a general constitutional right to information privacy, a right that likely would extend far beyond data breaches and into, for example, data collection practices. But why, even if we stipulate that Judge Jackson correctly reads the DC Circuit tea leaves on information privacy rights generally, does this tell us anything about the much narrower Due Process claim at issue in the OPM case?

One need not find a generalized right to information privacy to hold, following the logic of DeShaney, that the government has a duty of care when it creates the circumstances which both make the data vulnerable and makes self-help by the data subject impossible. What exactly that duty of care requires could certainly be debated, but whatever the level of care turns out to be, it surely must exceed the gross negligence alleged by the plaintiffs in the OPM case.

I should note that Judge Jackson cites one case in support of her assertion that the Due Process clause cannot create a governmental duty “to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).” I think the citation to Harris is misplaced. Harris is a 1980 case; DeShaney was decided in 1989, and in case of conflict the later case ought to prevail. But in fact there is no conflict: Harris was a challenge to the Hyde Amendment, and in rejecting the challenge the Supreme Court stated that the Due Process Clause could not be invoked to create a requirement that Congress providing funding for something. Given the bedrock principle that “No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law,” U.S. Const. Article I, § 9, Cl. 7, the Harris holding on this point seems clearly correct — but also irrelevant to the OPM case which is not about legislation or funding.

I think it’s only a matter of time before US law recognizes a right to have the government apply at least reasonable safeguards to personal information it holds. This case shows why that rule is necessary. I wonder if the plaintiffs will appeal?

Posted in Law: Constitutional Law, Law: Privacy | Comments Off on Do You Have a Constitutional Right to Have the Government Safeguard Personal Data It Collects From You?

Horrible

Posted on June 20, 2017 by Michael Froomkin

19 kids are shot every day in the United States.

I start from the view that the 2nd Amendment should be interpreted liberally, just like the 1st, 4th, 5th, or any amendment in the Bill of Rights should be. On the other hand, the 2nd Amendment is unique in that it has an explanatory, and thus perhaps limiting clause (“A well-regulated millitia…”), and I am also committed to the view that the Constitution is short enough that we should labor mightily to avoid surplussage. But on the gripping hand, the Supreme Court has made it clear that it cares not about the latter.

Certainly if I were advising a candidate for office today, I would not suggest making gun control a big issue beyond banning assault weapons or the like, as I doubt much narrower limits would stand up in court.

If we want meaningful gun control it would require a constitutional amendment. And I’m not sure I want to open the floodgates to undermining any part of the Bill of Rights, because who knows what would be next.

All that said, shooting 19 kids/day seems a very high price to pay for our liberties, even in a country of 320+ million people.

It puts me in mind of Shirley Jackson’s “The Lottery” — although this deadly lottery is rigged: “9 out of 10 children who get shot in the United States are between the ages of 12 and 17”; 8 out of 10 are boys; and, more than half of the child gun victims are nonwhite.

Incidentally, of those 19 kids shot per day about 3.5/day die from their wounds. 3.5 per day.

Posted in Law: Constitutional Law | 5 Comments

Impeachment Issue Spotter

Posted on January 30, 2017 by Michael Froomkin

In How Many Impeachable Offenses Can A President Commit In Nine Days?, UM law grad Howard Brilliant lists (and documents) what he calls 18 impeachable offenses committed in nine days:

  1. Removing DNI & CJCS from NSC and replacing them with a white supremacist[1];
  2. Unconstitutional discrimination against legal immigrants- including visa holders, lawful permanent residents, and reportedly even some U.S. Citizens- based on religion and national origin[2];
  3. Undermining confidence in our democracy by perpetuating meritless allegations of voter fraud[3];
  4. Constant and repeated demonstrations of hostility to first amendment rights[4][5];
  5. Intentionally and repeatedly lying to the American public[6][7][8];
  6. Using the Office of President to enrich himself and members of his family[9];
  7. Operating with extensive conflicts of business and personal interests[10];
  8. Receiving emoluments from foreign governments[11];
  9. Refusal to release his tax returns[12];
  10. Violating his lease with GSA for the Old Post Office[13];
  11. Potential subjection to blackmail by a foreign intelligence service allegedly in possession of compromising material[14];
  12. Continued associations with individuals he knew or should have known possessed ties to hostile foreign governments[15][16][17];
  13. Blatant disregard for established governmental norms and protocols[18][19];
  14. Issuing executive orders against the advice of and/or without consulting the Office of Legal Counsel or other participants in the review process[20][21];
  15. Apparent defiance of court orders[22][23];
  16. Failure to rule out the use of torture[24];
  17. Suffering from mental instability and/or psychological impairment[25]; and
  18. Being generally incompetent and unfit for office[26];

While I grasp that at the end of the day, grounds for impeachment may just be what two houses say it is, it seems to me that under a fair reading of the Constitution, most of these are not in fact impeachable offenses but just actions that are evil, stupid, or both.

Have a look and mark down which you think qualify, then take a look at my cull from the list:
Continue reading

Posted in Law: Constitutional Law, The Resistance | 2 Comments

Carter Coal Lives

Posted on April 30, 2016 by Michael Froomkin

trainstatusThe DC Circuit issued a major separation of powers ruling today in Ass’n of American Railroads v. DOT. The main part of the opinion adopts a view of the non-delegation doctrine that I explained and relied on as part of the argument in my article Wrong Turn in Cyberspace: Using ICANN to Route Around the APA and the Constitution, 50 Duke L.J. 17 (2000), so I’m glad about that–at least in principle; whether these facts justified invocation of the doctrine I leave for others to decide. The legal issue was whether in addition to the well-known and now rather (but not utterly) toothless non-delegation doctrine that limits the breadth and discretion that Congress might give a federal agency, there is a parallel doctrine, rooted in the Due Process Clause and in the Carter Coal case, that prevents Congress from giving public regulatory power to self-interested parties who might then wield it against their competitors.

To reach that doctrinal point, the panel (Judge Brown and Senior Judges Sentelle and Williams), had to decide that Amtrak is not a governmental body for Due Process non-delegation purposes. I’m not so sure about that given the previous decisions of the Supreme Court relating to Amtrak, which have treated it as governmental for other purposes.

I have rather more serious doubts about the panel’s alternate holding that the arbitrator who could have been appointed to settle disputes between Amtrak and the plaintiff railroad would have been an Officer of the United States, and not an inferior officer. There are two issues here, both en banc and cert bait. First, there’s the question of ripeness. The panel argues that this is a structural violation, and that even the threat of an improperly appointed decision-maker down the road so taints the process that it must be thrown out before it is even invoked. That is plausible, but not compelling. More difficult to swallow is the method by which the panel decided that the official in question was not inferior but a full Officer. Suffice it to say that the panel got there from what amount to first principles, a process that (too conveniently) ignored the two major modern Supreme Court cases on the topic. If those cases, Morrison v. Olson and Free Enterprise Fund v. PCAOB had not existed, the panel’s opinion might be hailed as a model of clarity and simplicity. As it neither cites nor, I would argue, much follows them, I think the case for further proceedings may be strong.

Posted in Law: Constitutional Law | Comments Off on Carter Coal Lives

Court Rules that Pastafarianism is not a Religion

Posted on April 16, 2016 by Michael Froomkin

Tangled issue in First Amendment law: when is a professed ‘faith’ protected, and when is it not? Faith is unknowable after all. Religions cannot be tested for truth by outsiders. Now comes Judge John Gerrard of the District of Nebraska, holding that an inmate’s claim he’s being denied equal treatment for his religion based on the Flying Spaghetti Monster (FSM) is half-baked:

This is not a question of theology: it is a matter of basic reading comprehension. The FSM Gospel is plainly a work of satire, meant to entertain while making a pointed political statement. To read it as religious doctrine would be little different from grounding a “religious exercise” on any other work of fiction. A prisoner could just as easily read the works of Vonnegut or Heinlein and claim it as his holy book, and demand accommodation of Bokononism or the Church of All Worlds. 6 See, Kurt Vonnegut, Cat’s Cradle (Dell Publishing 1988) (1963); Robert A. Heinlein, Stranger in a Strange Land (Putnam Publ’g Grp. 1961). Of course, there are those who contend—and Cavanaugh is probably among them—that the Bible or the Koran are just as fictional as those books. It is not always an easy line to draw. But there must be a line beyond which a practice is not “religious” simply because a plaintiff labels it as such. The Court concludes that FSMism is on the far side of that line.

Spotted via ars Technica

Posted in Law: Constitutional Law | 1 Comment

Microsoft Sues to Kill or Reduce ECPA Gag Orders

Posted on April 14, 2016 by Michael Froomkin

Microsoft filed suit today seeking a judicial declaration that 18 U.S.C. § 2705(b) violates its First Amendment Rights, and the Fourth Amendment rights of the subjects of the orders.

I think this lawsuit is a Big Deal, and Microsoft has the right of it on moral grounds. On legal grounds it has a good arguable case, although the law is not so clear that I can call it a slam dunk. This excellent article by Steve Lohr in the NYT gives the outline, and quotes a soi-disant expert.

Perhaps the most interesting, if disturbing, fact is this one:

From September 2014 to March 2016, Microsoft received 5,624 federal demands in the United States for customer information or data. Nearly half — 2,576 — were accompanied by secrecy orders.

And of those secrecy orders, more than two-thirds contained no fixed end date. I.e. unless Microsoft were to go to court later to challenge them in individual proceedings, they orders would on their own terms last forever.

The text of Microsoft’s complaint is worth reading as it is very well done. Here’s the first paragraph:

Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (“ECPA”) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a “reason to believe” that disclosure might hinder an investigation. Nothing in the statute requires that the “reason to believe” be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place. 18 U.S.C. § 2705(b). Consequently, as Microsoft’s customers increasingly store their most private and sensitive information in the cloud, the government increasingly seeks (and obtains) secrecy orders under Section 2705(b). This statute violates both the Fourth Amendment, which affords people and businesses the right to know if the government searches or seizes their property, and the First Amendment, which enshrines Microsoft’s rights to talk to its customers and to discuss how the government conducts its investigations—subject only to restraints narrowly tailored to serve compelling government interests. People do not give up their rights when they move their private information from physical storage to the cloud. Microsoft therefore asks the Court to declare that Section 2705(b) is unconstitutional on its face.

Update: For an argument that courts will deny Microsoft’s facial challenge on the grounds that the claims can only be asserted ‘as applied’ — very much an emphasis of recent Supreme Court decisions disfavoring as facial challenges to statutes, see Jennifer Daskal at Just Security, A New Lawsuit from Microsoft: No More Gag Orders!. It’s more pessimistic than I would be, but not implausible.

Update2: Microsoft’s statement.

Posted in Civil Liberties, Law: Constitutional Law, Law: Free Speech, Law: Internet Law, The Media | Comments Off on Microsoft Sues to Kill or Reduce ECPA Gag Orders