Daily Archives: May 5, 2020

When is your philosophy your religion?

Cole Campbell, CLS ’21

A United States District Court recently found that particular regulations targeting littering—and ostensibly unauthorized immigration—substantially burden the free exercise of some religious practices.[1] Because these regulations are not the least restrictive means of fulfilling a compelling government interest, the court declared them invalid under the Religious Freedom Restoration Act.

Understanding how federal littering and permitting regulations could be invalidated as unduly burdensome on religious practices requires a bit of statutory background. The Religious Freedom Restoration Act, or “RFRA,” was passed by Congress in 1993 to protect the free exercise of religion. At its core, RFRA exempts religious practitioners from laws that substantially burden the exercise of their religious beliefs. But the government can override the exemption if it shows that the application of that law to that practitioner is the “least restrictive means” of furthering a “compelling government interest.”[2]

Lawyers and law students will recognize that language as akin to the “strict scrutiny” test employed by courts to adjudge government interference in sensitive areas like free speech and religious liberty. Here, Congress essentially imposed strict scrutiny on all federal action that touches on religious practice. Congress is understood to have overruled or superseded a past Supreme Court holding, Employment Division v. Smith (1990), which held that the Free Exercise Clause of the First Amendment “does not relieve an individual of the obligation to comply with a valid and neutral law of general applicability.”[3]

Enter the defendants in United States v. Hoffman (D. Ariz. 2020). The defendants, including named defendant Natalie Hoffman, are volunteers with “No More Deaths,” an organization associated with the Unitarian Universalist Church of Tucson. No More Deaths was founded to combat the deaths of migrants who attempted to enter the United States across dangerous terrain. The group would leave jugs of water in highly trafficked desert areas to help prevent dehydration.

And the defendants did just that in the Cabeza Prieta National Wildlife Refuge in southern Arizona. They entered the park without the requisite permitting, travelled down a restricted-access road to their destination, and dropped off food and water for the anticipated migrants. The defendants were subsequently charged with violating a series of regulations governing the CPNWR, including one that prohibited leaving water bottles, food, blankets, and clothing on the Refuge.[4]

The defendants ultimately raised a defense under RFRA, claiming that the park regs could not be applied to their activities, which they characterized as religious in nature. A typical RFRA analysis will consider first whether the defendants are being prosecuted for a “sincere exercise of religion,” and then the court will move on to assess whether the burden is substantial, whether the government interest is compelling, and whether the law or regulation is the least restrictive means of fulfilling that compelling interest. The defendants succeeded on all counts, but the court’s “sincere exercise of religion” analysis is particularly interesting.

The bulk of the court’s analysis revolves around determining whether the defendants’ practice can be characterized as religious, and whether it is sincere.[5] This is perhaps understandable: the court does not want every defendant cloaking their illegal actions in the garb of religious practice. But it is also a delicate venture. Throughout the opinion, the court is self-conscious of the distastefulness of a court evaluating whether someone’s beliefs are sufficiently sincere—especially in the religious context.[6] And because “No More Deaths” is not overtly religious, but is rather associated with the Unitarian Universalist Church, the court had a tough task on its hands.

The court ultimately engaged in a fine-grained analysis of the defendants’ religious beliefs. With certain defendants, the religious nature of the acts was apparent; Reverend Fife tied his actions to Christ’s words at the Last Judgment. But another defendant gestured towards her belief that their humanitarian activity was “sacred,” and characterized her moments of silence in the desert as a “sort of prayer.”[7] Some of the analyzed testimony would probably not strike one as traditionally “religious,” but the court cited precedent from the Supreme Court and a pair of sister circuits that suggests the protected belief need not fall within an established religion.

The Ninth Circuit will have its say on whether the defendants’ activities are properly protected under RFRA: the prosecutors have reportedly appealed the District Court’s judgment.

 

[1] United States v. Hoffman, 2020 U.S. Dist. LEXIS 19060 (D. Ariz. 2020).

[2] 42 U.S.C. 2000bb-1(b).

[3] Employment Div. v. Smith, 494 U.S. 872, 879 (1990).

[4] 50 C.F.R. 27.93.

[5] Hoffman, 2020 U.S. Dist. LEXIS 19060 at *10-24.

[6] Id. at *10 (“The Supreme Court has long recognized that a determination of what is a religious belief or practice is a most delicate question” (internal citations and quotation marks omitted)).

[7] Id. at *14-15.

Clearview AI Faces Legal Threats, May Spur Action on Federal Privacy Legislation

Leo Weissburg, CLS ’21

You may not have heard of Clearview AI. However — if you are one of the hundreds of millions of Americans with a Facebook, Instagram, or LinkedIn account — Clearview has almost certainly heard of you. Since 2016, Clearview has quietly “scraped” billions of publicly available photos from millions of websites.[i] Clearview has used these photos to create a powerful facial recognition app: users simply upload a photo of a person, and Clearview’s app provides links to other publicly available photos of the person — such as their Facebook profile.[ii] Clearview’s database is orders of magnitude larger than typical law enforcement facial recognition databases — which draw mostly from drivers’ license, passport, and jail booking photos.[iii] Clearview counts Walmart, the NBA, ICE, and hundreds of local police departments among its clients.[iv] Since January 2020, when New York Times reporting first brought Clearview’s activities into the public eye, Clearview has been subject to numerous legal threats.

Congress has not yet enacted a general federal data privacy law.[v] However, some indications suggest that one may not be far off. California has passed the California Citizens’ Privacy Act (CCPA), a broad data privacy statute modeled on the European Union’s recently enacted General Data Protection Regulation (GDPR).[vi] Many state legislatures are considering similar proposals.[vii] Concerned that technology companies may face inconsistent (and strict) state privacy regimes, the Chamber of Commerce supports federal legislation in principle.[viii] Two proposed bills await consideration in the Senate, one supported by the Republican caucus and another supported by the Democrats.[ix] Concerns about Clearview’s practices may help spur action — Senators Ed Markey and Ron Wyden have sent letters to the company questioning its practices and seeking additional information.[x]

Until Congress enacts federal privacy legislation, affected parties must rely on state law remedies — or pursue theories unrelated to data privacy. Today, the CCPA is the nation’s broadest data privacy law.[xi] In relevant part, the CCPA requires that companies notify individuals when collecting their personal information.[xii] Companies that collect personal information must also delete all collected information upon request, and allow individuals to opt out of collection.[xiii] To satisfy its CCPA obligations, Clearview publishes a “Clearview California Privacy Notice” on its website.[xiv] While the notice does explain Clearview’s deletion and opt-out procedures, it isn’t clear whether such a statement satisfies the CCPA’s mandate that disclosure be made “at or before the point of collection.”

Putative class actions have been filed in California under the CCPA[xv] and in Illinois — under that state’s “Biometric Information Privacy Act,” a 2008 law that prohibits companies from collecting individuals’ biometric data without consent.[xvi] Vermont’s Attorney General has also sued, alleging that Clearview’s practices violate Vermont consumer protection law.[xvii] The online services from which Clearview obtained photos have also threatened litigation. Facebook, Google, Twitter, LinkedIn, Venmo, and YouTube have issued cease-and-desist letters to Clearview, each alleging that Clearview has violated the services’ terms of use.[xviii] Clearview responds that it has a First Amendment right to make use of publicly available information.[xix] A recent Ninth Circuit case, HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), involved (but did not resolve) a similar argument.[xx] There, LinkedIn argued that, by “scraping” publicly available information from LinkedIn, HiQ had accessed data without authorization — thus violating the Computer Fraud and Abuse Act (CFAA).[xxi] The Ninth Circuit rejected this restrictive reading of the CFAA—but did not address HiQ’s First Amendment argument.[xxii]

Despite these legal challenges and mounting pressure from groups like the ACLU, Clearview’s founder has vowed that his company will continue to operate.[xxiii] It remains to be seen whether the growth of Clearview and other companies like it will spur Congress to act on a federal privacy bill.

 

[i] “Scraping” refers to automated downloading of publicly available web content, typically images. Louise Matsakis, Scraping the Web Is a Powerful Tool. Clearview AI Abused It, Wired, (Jan 25, 2020), https://www.wired.com/story/clearview-ai-scraping-web/.

[ii] Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. Times, (Jan. 18, 2020), https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.

[iii] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.

[iv] Ryan Mac et al., Clearview’s Facial Recognition App Has Been Used By The Justice Department, ICE, Macy’s, Walmart, And The NBA, Buzzfeed News (Feb. 27, 2020), https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement.

[v] David Saunders & Allison Glover, INSIGHT: A Federal Privacy Bill May Be Closer Than Once Thought, Bloomberg Law, (Feb. 14, 2020), https://news.bloomberglaw.com/privacy-and-data-security/insight-a-federal-privacy-bill-may-be-closer-than-once-thought.

[vi] Anjali C. Das & Stefanie L. Ferrari, California Consumer Privacy Act Effective January 1, Nat’l L. Rev., (Dec. 3, 2019), https://www.natlawreview.com/article/california-consumer-privacy-act-effective-january-1-update.

[vii] Rachel Marmor et al., “Copycat CCPA” Bills Introduced in States Across Country, DWT Privacy & Security Law Blog, (Feb. 8, 2020), https://www.dwt.com/blogs/privacy–security-law-blog/2019/02/copycat-ccpa-bills-introduced-in-states-across-cou/.

[viii] David Saunders & Allison Glover, INSIGHT: A Federal Privacy Bill May Be Closer Than Once Thought, Bloomberg Law, (Feb. 14, 2020), https://news.bloomberglaw.com/privacy-and-data-security/insight-a-federal-privacy-bill-may-be-closer-than-once-thought.

[ix] Id.; Wendy Zhang, Comprehensive Federal Privacy Law Still Pending, Nat’l. Law Review, (Jan. 22, 2020), https://www.natlawreview.com/article/comprehensive-federal-privacy-law-still-pending.

[x] Ryan Mac et al., Senators Are Probing Clearview AI On The Use Of Facial Recognition By Gulf States And International Markets, Buzzfeed News, (Mar. 4, 2020), https://www.buzzfeednews.com/article/ryanmac/senators-markey-wyden-clearview-ai-facial-recognition.

[xi] Anjali C. Das & Stefanie L. Ferrari, California Consumer Privacy Act Effective January 1, Nat’l L. Rev., (Dec. 3, 2019), https://www.natlawreview.com/article/california-consumer-privacy-act-effective-january-1-update.

[xii] Id.

[xiii] Id.

[xiv] California Privacy Notice, Clearview AI, (Last visited Mar. 31, 2020), https://staticfiles.clearview.ai/clearview_california_notice.html.

[xv] The CCPA provides no private right of action, except for claims arising out of data breaches or hacks. The Burke complaint frames the alleged CCPA violations as also violating the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, which prohibits businesses from engaging in practices that violate other California laws—such as the CCPA. Complaint, Burke v. Clearview AI, Inc., No. 3:20-cv-00370, 4 (S.D. Cal. Feb. 27, 2020). However, the CCPA appears to explicitly disclaim this kind of bootstrapping. Cal. Civ. Code § 1798.150(c) (“Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”).

[xvi] Daniel R. Stoller, Sarah Merken, Clearview AI Faces California, Illinois Lawsuit After Breach, Bloomberg Law, (Feb 28, 2020), https://news.bloomberglaw.com/privacy-and-data-security/clearview-ai-faces-california-illinois-lawsuit-after-breach.

[xvii] Complaint, State of Vermont v. Clearview AI, Inc., Vt. Super. Ct. (Filed Mar. 10, 2020); Press Release, Office of the Vermont Attorney General, Attorney General Donovan Sues Clearview AI for Violations of Consumer Protection Act and Data Broker Law (Mar. 10, 2020), https://ago.vermont.gov/blog/2020/03/10/attorney-general-donovan-sues-clearview-ai-for-violations-of-consumer-protection-act-and-data-broker-law/.

[xviii] Kashmir Hill, Twitter Tells Facial Recognition Trailblazer to Stop Using Site’s Photos, N.Y. Times, (Jan 22, 2020) https://www.nytimes.com/2020/01/22/technology/clearview-ai-twitter-letter.html.

[xix] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.

[xx] HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019).

[xxi] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.

[xxii] Id.

[xxiii] Caroline Haskins et al., The ACLU Slammed A Facial Recognition Company That Scrapes Photos From Instagram And Facebook, Buzzfeed News, (Feb. 10, 2020) https://www.buzzfeednews.com/article/carolinehaskins1/clearview-ai-facial-recognition-accurate-aclu-absurd.

Data Privacy & Security Watchdogs Zoom in on Teleconferencing

Bastian Shah, CLS ’21

As governments ban gatherings to stop the spread of Covid-19, workplaces and universities are shifting to teleconferencing platforms to replace in-person meetings and classes. Before the pandemic, Zoom had been a go-to teleconferencing platform for companies and universities.[1] Now, many schools and businesses, including Columbia University, are meeting exclusively over Zoom. Data privacy watchdogs and digital rights groups have raised questions about Zoom’s use and handling of user data.[2] In the rush to implement social distancing while maintaining business and learning, one may question whether decisionmakers adequately considered security and privacy when choosing a teleconferencing platform. This post summarizes what we know and don’t know about Zoom’s 1) collection, 2) sale, and 3) disclosure to law enforcement of user data.

Zoom’s Data Collection

The Electronic Frontier Foundation (EFF), an impact litigation organization advocating online free speech, has raised concerns about how much data Zoom collects from users.[3] Like most paid online services, Zoom collects payment information, names, physical locations, and device information from its users.[4] In addition, Zoom allows administrators, like employers and school officials, to record meeting sessions and track users’ computer usage while Zoom is open.[5] It is these employer surveillance measures to which EFF primarily objects.[6] As a result of social distancing policies, employers are surveilling workers in their own homes, raising additional privacy concerns.

Sale of User Data

Zoom’s “Privacy Policy” is ambivalent about whether it sells user data. It does not “allow marketing companies, advertisers, or anyone else to access Personal Data in exchange for payment.”[7] Zoom, in its “humble opinion,” does not “think most of [its] users would see [it] as selling their information.”[8] However, Zoom does share data with third parties, like Google Ads, that advertise on Zoom,[9] and those third parties may use that data for their general advertising business. Despite its “humble opinion,” Zoom’s distribution of user data to third parties for advertising purposes “may be considered a ‘sale’ … under the California Consumer Privacy Act.”[10] Zoom users in California can, therefore, opt out of the sale of their data to third parties. Students and employees from other states required to use Zoom must either acquiesce to the sale of their data to third parties or discontinue schooling or employment.

Sharing Data with Law Enforcement

Access Now, a watchdog group that advocates for digital privacy and civil rights, has sent an open letter to Zoom.[11] The letter requests Zoom issue reports on what “safeguards against government abuses” it has in place and “the number of government requests for user data” it receives.[12] Many large tech companies, including Microsoft, which operates Skype; Google, which operates Hangouts; and Facebook, which operates WhatsApp, publicly report data on government requests for user information and policies for data breaches.[13] Zoom does not currently issue such a report. Zoom discloses no information on how many law enforcement demands it receives, nor whether it notifies customers whose information has been requested by law enforcement. Zoom’s privacy policy states that the company will respond “to a legally binding demand for information” but gives no detail on how, or if, it protects against government overreach.[14] Fear of government overreach is compounded by the existence of “Zoom for Government,” a Zoom service for government agencies accredited and used by the Department of Homeland Security.[15] Vulnerable populations, such as undocumented immigrants, may feel less safe working or learning from home with the knowledge that Zoom may, without notice, disclose their location and demographic data to law enforcement.

Teleconferencing platforms like Zoom are allowing important economic and educational activities to continue despite the Covid-19 pandemic. However, those advocating for legal protections for digital privacy have questioned whether Zoom is unambiguously positive for students and employees. Without nationwide legislation addressing online privacy and security rights, states and watchdog groups are left on their own in addressing the digital side of the current crisis.

 

[1] See Laurie Clarke, Zoom Urged to Be Transparent About Government Data Requests, New Statesman (Mar. 19, 2020), https://tech.newstatesman.com/security/zoom-government-data-requests (“Even before the coronavirus outbreak, Zoom was reportedly used by over 60 per cent of Fortune 500 companies and over 96 per cent of the top 200 universities in the US.”)

[2] See Isedua Oribhador, et al., Open Letter: Zoom’s Policies Affecting Digital Rights, Access Now (Mar. 18, 2020), https://www.accessnow.org/cms/assets/uploads/2020/03/Letter-to-Zoom-.pdf; Lindsay Oliver, What You Should Know About Online Tools During the Covid-19 Crisis, Electronic Frontier Foundation (Mar. 19, 2020), https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis.

[3] See Oliver, supra note 2.

[4] Zoom Privacy Policy, Zoom (Mar. 18, 2020), https://zoom.us/privacy.

[5] Attendee Attention Tracking, Zoom (last visited Mar. 29, 2020), https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking (detailing how to ensure employees keep the Zoom app “in focus” on their screens during meetings).

[6] See Oliver, supra note 2.

[7] Zoom Privacy Policy, supra note 4.

[8] See id.

[9] See id.

[10] Id. (California Consumer Privacy Act information only appears as a pop-up when viewing the website on a computer located in California or using a private browser session) (on file with Colum. J.L. & Soc. Probs.). See also, Cal. Civ. Code § 1798.140(t)(1) (Deering 2020) (“‘[S]ale’ … means … making available … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”).

[11] See Oribhador, supra note 2.

[12] Id.

[13] See Transparency Reporting Index, Access Now (last visited Mar. 22, 2020), https://www.accessnow.org/transparency-reporting-index/.

[14] See Zoom Privacy Policy, supra note 4.

[15] See Priscilla Barolo, Zoom Achieves FedRAMP Moderate Authorization, Zoom (May 7, 2019), https://blog.zoom.us/wordpress/2019/05/07/zoom-achieves-fedramp-moderate-authorization/ (Announcing Zoom for Government’s sponsorship by the United States Department of Homeland Security); Who’s Behind Ice: The Tech and Data Companies Fueling Deportations, National Immigration Project at 6, 24 (last visited Mar. 29, 2020), https://www.nationalimmigrationproject.org/PDFs/community/2018_23Oct_whos-behind-ice.pdf (noting that “Zoom for Government” is used by the Department of Homeland Security, possibly for Customs and Border Protection).