Tuesday, June 13, 2017

FTC Announces Third PrivacyCon, Calls for Presentations

FTC Announces Third PrivacyCon, Calls for Presentations

FOR RELEASE

Building on the success of its two previous PrivacyCon events, the Federal Trade Commission is announcing a call for presentations for its third PrivacyCon, which will take place on February 28, 2018.

The 2018 PrivacyCon will expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government. As part of this initiative, the FTC is seeking general research that explores the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality. The 2018 event will focus on the economics of privacy including how to quantify the harms that result from companies' failure to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.

"Deepening the FTC's understanding of the economics of privacy and consumer harm in the context of information exposure is integral to the FTC's enforcement and educational efforts," said Acting FTC Chairman Maureen K. Ohlhausen. "I have made studying the economics of privacy a centerpiece of my consumer protection agenda, and I hope that PrivacyCon 2018 will highlight important research in this area."

The call for presentations seeks research and input on a wide range of issues and questions to build on previously presented research and promote discussion, including:

  • What are the greatest threats to consumer privacy today? What are the costs of mitigating these threats? How are the threats evolving? How does the evolving nature of the threats impact consumer welfare and the costs of mitigation?
  • How can companies weigh the costs and benefits of security-by-design techniques and privacy-protective technologies and behaviors? How can companies weigh the costs and benefits of individual tools or practices?
  • How can companies assess consumers' privacy preferences?
  • Are there market failures (e.g. information asymmetries, externalities) in the area of privacy and data security? If so, what tools and strategies can businesses or consumers use to overcome or mitigate those failures? How can policymakers address those failures?

Submissions for PrivacyCon must be made by November 17, 2017.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook(link is external), follow us on Twitter(link is external), read our blogs and subscribe to press releases for the latest FTC news and resources.

CONTACT INFORMATION 

MEDIA CONTACT:
Juliana Gruenwald Henderson(link sends e-mail)
Office of Public Affairs
202-326-2924

STAFF CONTACT:
Kristen Anderson
Bureau of Consumer Protection
202-326-3209

Friday, June 09, 2017

Is an IP Number the Same as a Telephone Number? :: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)

Both telephone numbers and IP numbers function as network addresses. Are they analogous in terms of law and policy? The recent Second Circuit decision U.S. v Ulbright (The Silk Road Case) concludes that they are. But of course the answer to this question depends on the context in which it is asked.

Source: Wikicommons
CASE SUMMARY: "Defendant Ulbricht appeals from a judgment of conviction and sentence to life imprisonment entered in the United States District Court for the Southern District of New York. A jury convicted Defendant of drug trafficking and other crimes associated with his creation and operation of Silk Road, an online marketplace whose users primarily purchased and sold illegal goods and services. He challenges several aspects of his conviction and sentence, arguing that (1) the district court erred in denying his motion to suppress evidence assertedly obtained in violation of the Fourth Amendment; (2) the district court committed numerous errors that deprived him of his right to a fair trial, and incorrectly denied his motion for a new trial; and (3) his life sentence is both procedurally and substantively unreasonable. Because the appellate court identified no reversible error, it AFFIRMED Defendant's conviction and sentence in all respects."

In this post, we look at Defendant's claim that evidence was obtained in violation of the Fourth Amendment, specifically that for purposes of Trap and Trace, an IP number is not functionally the same as a telephone number.

FACTS: Suspecting Defendant's involvement in Silk Road, law enforcement agents (LEAs) obtained five pen/trap orders pursuant to 18 U.S.C. § 3121-27. "The orders authorized LEAs to collect IP address data for Internet traffic to and from Defendant's home wireless router and other devices that regularly connected to Defendant's home router." "The pen/trap orders did not permit the government to access the content of Defendant's communications, nor did the government 'seek to obtain the contents of any communications.'"

"According to Defendant, the government's use of his home Internet routing data violated the Fourth Amendment because it helped the government match Defendant's online activity with DPR's use of Silk Road. Defendant argues that he has a constitutional privacy interest in IP address traffic to and from his home and that the government obtained the pen/trap orders without a warrant, which would have required probable cause."

RULE: "The government obtained the orders pursuant to the Pen/Trap Act, which provides that a government attorney "may make [an] application for an order . . . authorizing or approving the installation and use of a pen register or a trap and trace device . . . to a court of competent jurisdiction." 18 U.S.C. § 3122(a)(1). A "pen register" is defined as a "device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted," and "shall not include the contents of any communication." Id. § 3127(3). A "trap and trace" device means "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication." Id. § 3127(4). Like pen registers, trap and trace devices may not capture the "contents of any communication." Id."

The level of legal process required is an application to a court, unlike a Fourth Amendment search and seizure that requires a warrant. LEAs receive transactional information about the communications, such as the communications' addressing. Courts have held that pursuant to the Third Party Doctrine, individuals have no expectation of privacy in transactional information - individuals turn this information over to network providers in order to set up and complete communications.

It is settled caselaw that telephone numbers are "addressing" that fall within this precedent. They are network addresses used by individuals given over to the network provider to set up and complete telephone calls. According to the Supremes,
Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.
Smith v. Maryland, 442 U.S. 735, 743-44 (1979) .

ISSUE: Is an IP number an "address" analogous to a telephone number?

ANALYSIS: Federal courts have concluded that IP numbers provide the same function as telephone numbers and fall under the Third Party Doctrine in the same way as telephone numbers.
E-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742, 99 S.Ct. 2577. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information. Like telephone numbers, which provide instructions to the "switching equipment that processed those numbers," e-mail to/from addresses and IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers. Id. at 744, 99 S.Ct. 2577.
United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008).

The 2nd Circuit in Ulbright agrees with the 9th Circuit, stating that "the recording of IP address information and similar routing data, which reveal the existence of connections between communications devices without disclosing the content of the communications, are precisely analogous to the capture of telephone numbers at issue in Smith… The substitution of electronic methods of communication for telephone calls does not alone create a reasonable expectation of privacy in the identities of devices with whom one communicates."

HOLDING: IP numbers are analogous to telephone numbers for purposes of Trap and Trace and Pen Registers.

WHERE IP NUMBERS and TELEPHONE NUMBERS INTERSECT: There are other points where IP numbers and telephone numbers intersect. Recently the FCC in the 2015 Open Internet order revised the definition of " telecommunications service" to include networks that utilize the North American Numbering Plan as well as ICANN's IP address resource. When the FCC then applied privacy regulations to the Internet, the Internet Society adamantly argued that IP numbers are not analogous to telephone numbers. . However, ISOC elsewhere indicated support for the Open Internet. ISOC's concern appeared to be less about the analogy and more about applying "telephone era regulations to the Internet."

The analogy between IP numbers and telephone numbers has also arisen in the context of Regional Internet Registries (RIRs) who have grappled with address transfers and whether network addresses are the property of the assignee or of the network. FCC precedent has held that network addresses are the property of the network, not the subscriber - a policy necessary to ensure the efficient operation of the network. A policy that views network addresses as the property of subscribers encumbers the network resource in bankruptcy proceedings, trademark disputes, mergers and acquisitions, and speculations. Following the precedent of the telephone numbering resource, RIRs have contractual terms that state that IP numbers are the property of the RIRs and not assignees.

Finally, IP Numbers and telephone numbers intersect with VoIP. iVoIP providers need access to the telephone number resource in order to assign telephone numbers to their customers and must make number portability available. They also need to be able to interconnect with other North American Numbering Plan networks (in other words, reach other network end points addressable by telephone numbers). See also ENUM.

CITATION: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)