Every two years, the Massachusetts legislature starts a fresh session. Here, we review bills on the top ten topics relating to surveillance, privacy and the Fourth Amendment, that have been introduced in the new session.
Please contact your legislators via https://malegislature.gov/Search/FindMyLegislator, to express your support, and to ask for theirs. Our thanks to Julie Bernstein for conducting the legislative research for this article.
1. Civil Asset Forfeitures: HD1780 / SD2388, HD1328
2. QUALIFIED IMMUNITY REFORM: SD1970
3. Oversight of Fusion Centers: HD2088
4. Commercial Data Privacy Protection: SD745
5. Restricting Law Enforcement Use Of Facial Recognition: HD2304 / SD750
6. Restricting Automated License Plate Recognition: HD428 & HD2360
7. Protecting Locational Privacy: HD3698
8. Protecting Biometric Information: HD3053
9. Protecting Browsing Information: SD1217
10. SAFE COMMUNITIES ACT: HD2459 / SD1937
Summaries and explanations of each of these bills follow after the jump:Read more
1. CIVIL ASSET FORFEITURES: HD1780 / SD2388, HD1328
HD.1780 / SD.2388 An Act Relative to Forfeiture Reform
HD.1328: An Act Relative To Civil Asset Forfeiture Transparency And Data Reporting
HD.2128: An Act Relative to Civil Asset Forfeiture
Restore The Fourth’s Issue Brief on Civil Asset Forfeiture
The threshold for civil asset forfeitures (CAFs) in MA is the lowest in the country, “probable cause” that a crime was committed. Our state is notorious for seizing cash and vehicles from people without them having committed a crime and we were ranked worst in the country for civil asset forfeiture policies by The Institute for Justice.
Last year, a special legislative commission was convened to investigate civil asset forfeiture in MA. They requested civil asset forfeiture data from every District Attorney (DA) and every local law enforcement agency. The only response that they received was from Suffolk County and in cataloging how the assets from their seizures and forfeitures were spent, they listed 50% as going to “other”. H.D.1780 is an outcome of the recommendations of the Commission on Civil Asset Forfeiture.
H.D.1780 raises the evidentiary standard for CAFs by one level to “a preponderance of the evidence” which is more typical nationwide. DAs and local law enforcement keep all of the proceeds from forfeiture in our state incentivizing seizures. H.D.1780 requires that all proceeds from seizures and forfeitures go to the Treasurer, who after reimbursing all non-personnel costs associated with the seizure and paying liens, would deposit the remainder in the General Fund.
This bill also narrows a major loophole. Currently police departments participating in joint task forces with the federal government (often cooperating in large seizures of contraband), are required by the federal government to contribute the 80% of the proceeds which they receive into law enforcement. This has enabled law enforcement to purchase surveillance technology like stingrays, without any oversight even when required by a local Surveillance Ordinance. Under the new provisions, if federal law prevents the distribution of CAF proceeds to the General Fund, then police departments can no longer accept forfeited property or proceeds from the federal government. A remaining gap is that all joint seizures would have to be litigated by a local DA or the AG except for seizures of U.S. currency worth more than $50,000.
A report by Politico and WBUR about civil asset forfeitures in Worcester County revealed that 1 in 4 seizures of cash and property that the Worcester DA’s office filed forfeitures for in 2018 either were not associated with a criminal conviction or weren’t even linked to a criminal drug charge and another 9% of seizures had no publicly available court records. Among those, there were more than 90 instances where people lost money or cars, taken most often during traffic stops, frisks and home searches — even though there weren’t related drug convictions or drug charges. WBUR documented more than 500 occasions between 2016 and 2019 where funds were held by the DA’s office for ten years or more before officials tried to notify people. More than half of funds seized between 2017 and 2019 were $500 or less. When the county finally got around to notifying someone that their assets were not legitimately seized and could be returned, they published a small notice in the local newspaper.
Elsewhere in the state there was a well-publicized case where a vehicle belonging to Malinda Harris was seized after her son was suspected of using it in a crime. The woman had nothing to do with his crime and needed her car for work. Six years later it was finally returned to her.
H.D. 1780 would require that seizures and forfeitures occur only after a court convicts the suspect of a crime with exceptions for lawful arrests and searches, and seizures of contraband. Police officers would be compelled to itemize everything that they seize and they would be prohibited from seizing currency of less than $200 and vehicles worth under $10,000. A seizure that occurred before a trial for a crime can be appealed via a hearing. Both H.D.1780 and S.D.1328 compel every law enforcement agency including the state police and all DAs to annually report all seizures and forfeitures including those under federal jurisdiction, and the crimes associated with them. These would be entered by the executive office of administration and finance into a case tracking system and searchable public website.
H.D. 1328 requires that important additional information be reported including the outcome of any criminal charges, the details of all proceedings related to seizures and forfeitures, all case numbers and the zip code in which the seizure occurred. This granularity is crucial in view of the abuses that have occurred and the need to understand whether the new regulations adequately address these. Furthermore, whereas H.D.1780 requires that the data be reported to the AG, H.D. 1328 requires that all of the data also be reported to the Senate and House Committees on Ways and Means and the Joint Committee on the Judiciary.
H. D. 2128 would raise the standard of proof for a civil forfeiture to occur further than H. D. 1780 would do; instead of the Commonwealth having to prove that the asset was associated with a crime on “the preponderance of the evidence”, they would have to meet a standard of “clear and convincing evidence”. That standard or higher is the law in 28 states. The bill would also route all state forfeitures revenue into the Commonwealth Substance Abuse Prevention and Treatment Fund. It includes process improvements similar to H. D. 1780, though less detailed than those in H. D. 1328.
Digital Fourth supports these bills individually, and would support a consolidation of them in committee, using the standard of proof and revenues provisions from H. D. 2128, the detailed process requirements from H. D. 1780, and the detailed reporting requirements from H. D. 1328. These bills should help to ensure that forfeitures occur only when the vehicle, asset, or realty was involved in a crime, that innocent owners do not lose their property, and that law enforcement agencies have no financial incentive to conduct seizures and forfeitures.
2. QUALIFIED IMMUNITY REFORM: SD1970
Qualified immunity reform was left out of the 2020 police reform in Massachusetts, unlike in other states. Currently, Massachusetts imposes an unfeasibly high bar on civil rights lawsuits against state government agents, including police, of having to prove that the civil rights violation involved “threats, intimidation or coercion.” As a consequence, attorneys don’t take these cases, because they don’t expect to win; many plaintiffs can’t afford to pay an attorney unless they win damages.
S.D. 1970 stipulates that: “In an action brought under this section against a person or entity acting under color of law, proof shall not be required that the interference or attempted interference was by threats, intimidation or coercion.”
3. OVERSIGHT OF FUSION CENTERS: HD2088
This bill would require the Commonwealth’s “criminal intelligence systems” – the Boston Regional Intelligence Center, the Commonwealth Fusion Center, and others – to submit to regular outside auditing to ensure that they are complying with 28 CFR Part 23. This federal regulation requires that any information they hold on Massachusetts residents be based on reasonable suspicion of involvement in a crime.
It provides a private right of action to residents who believe that these entities have violated their privacy rights. It also requires the Commonwealth Fusion Center to publish the names of its privacy advisory committee, to have it meet quarterly, and to make its minutes public.
4. COMMERCIAL DATA PRIVACY PROTECTION: SD745
SD. 745: An Act Establishing the Massachusetts Data Privacy Protection Act
This is a very complete data privacy bill that covers large corporations, service providers social media companies and data brokers that either collect, process or transfer data. It requires the originating covered entity (CE), for example, Google, to limit the data that it collects from you to only what is necessary in order to provide you the service that you desire and must give you an easily accessible and user friendly affirmative consent mechanism in which you will be told what data Google collects and where it goes for what purposes and you will be able to consent to or opt out of these uses of your data. The CE must communicate your preferences to all of the service providers(SPs) or data brokers (DBs) or any other third parties with which it shares your data because they must comply with your preferences.
If the covered entity makes any changes in the data it collects, shares or transfers or sends your data to a new party, this must be communicated to you so that you can consent or opt out. You can change your data preferences and delete data twice a year without paying.
All CEs must allow individuals to access their data in a downloadable, portable, structured, interoperable, and machine-readable format and to make any corrections to inaccurate and incomplete data. Requests to change or delete your data should generally be honored within 30 days and you can make these changes twice annually for free.
Companies will have to report to the Attorney General (AG) how many requests they receive and how they have been handled. Any individual alleging a violation of their privacy rights under this act may bring “a civil action in the superior court or any court of competent jurisdiction” against the CE, DP or third parties. If a violation is found to have occurred, the plaintiff will be eligible for damages as well as an injunction or other relief and attorney fees.
DBs must register with the OCABR ( Office of Consumer Affairs and Business Regulation)which will maintain a searchable database with information on what data it collects and transfers and how you can contact the data broker about removing or verifying your data, linked to a website provided by the DB where you can opt out of data collection. Failure of the DB to comply will result in a fine.
Each DB will also be required to provide the AG with an impact statement for any algorithms that it uses that can potentially have a disparate impact on any protected group or individual registered to a political party along with steps they are taking to mitigate the impact. The AG can take action against CE or SP that fails to comply with civil rights provisions.
Large data holders (DHs) must hire at least one privacy officer or a data security officer and implement a data privacy program and data security program to safeguard the privacy and security of covered data. All CEs and Large DHs must perform a privacy impact assessment that weighs the benefits of the data collecting, processing, and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy and mustreview how technologies are being used to secure covered data.
CEs must provide all legal requests for disclosure of personal information that they receive to the AG and the general public on a bimonthly basis. This includes requests for location information and both the number of legal requests that resulted in the covered entity disclosing location or biometric information and those that did not.
The bill bans targeted advertisements to minors.
The bill has strong protections for workers against electronic monitoring that limit the monitoring to the least amount of information necessary from the fewest number of employees for the shortest length of time in order to enable tasks that are necessary to accomplish essential job functions or to monitor production processes or quality. The monitoring must not harm the employee’s mental or physical health. Employers must provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring and include details including the purpose, the specific activities, locations, communications, and job roles that will be electronically monitored, the technologies that will be used and all vendors and third parties who will receive the data.
5. RESTRICTING LAW ENFORCEMENT USE OF FACIAL RECOGNITION: HD2304 / SD750
This bill implements the findings of last session’s Commission on Face Surveillance. The findings had support from law enforcement as well as from civil liberties organizations. The bill would provide that:
1. Law enforcement other than the State Police and FBI cannot directly possess or access a biometric surveillance database.
2. Law enforcement may not use biometric surveillance to infer a person’s emotion or affect nor for analysis of moving images or video data.
3. The State Police can access the facial recognition database used by the registrar of motor vehicles to conduct a search for local law enforcement, a federal agency or the FBI if they are presented with warrant issued by a judge based upon probable cause or if there is an immediate threat of danger of serious injury to someone or a need to identify a deceased person.
4. Law enforcement must document the basis for any emergency requests and file them with the appropriate Superior Court within 48 hours of the request.
5. All searches of the database by the State Police or FBI must be documented and reported to the executive office of public safety and security, quarterly disaggregated, by the requesting law enforcement or federal agency. The same goes for breakdowns of whether the request involved a warrant or emergency. The agency must post the total # of searches performed ID of a deceased person. These must all be publicly posted by EOPSS by March 31 of the following year.
6. Any person charged with a crime in which they were identified by a facial recognition search must be provided notice that the search occurred and defendants and their attorneys in criminal prosecutions must be provided with all records and information pertaining to any facial recognition searches performed or requested during the course of the investigation of the crime or offense.
6. Restricting Automated License Plate Recognition: HD428 & HD2360
HD.428 An Act Relative to All-Electronic Tolling Data Privacy.
This bill provides that:
1. A department may not access, search, review, disclose or exchange tolling data (meaning any data captured or created by an ALPR system or from signals or radio frequencies emitted by a transponder in connection with the assessment or collection of a toll, including, without limitation, GPS coordinates or vehicle location information, dates and times traveled, images, vehicle speed, and license plate numbers, existing in an any form or medium, whether electronic, paper or otherwise) unless this is necessary to:
a. collect, access or pursue payment tolls or fines or surcharges related to unpaid tolls
b. to install, maintain or repair a transponder
c. to respond to a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction; provided, that not later than 48 hours after responding, the access and detailed reasons for it are provided to the AG.
d. comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.
3. a. The department must erase or destroy the tolling data accessed within 120 days of access.
b. The department may retain tolling data beyond 120 to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.
4. a. A person whose tolling data was retained in violation of the above can institute a civil action in district or superior court for damages or in superior court for injunctive relief.
b. If a violation has occurred the violator will not be entitled to absolute or qualified immunity and will be liable for proven actual damages, be liable for treble damages or for exemplary damages of between $100 and $1000 along with costs and reasonable attorney’s fees.
Why this is important: ALPR data records everywhere that someone has driven. If it is maintained in a database, then it can be reviewed retroactively for many unlawful purposes such as to identify a suspect in a crime for which there is ho particularized evidence of them having committed the crime This means that potentially many people who have traveled to the vicinity of the location of a crime will now become suspects. In addition, tolling data can be used to identify individuals who have participated in a political event or rally or a protest which are acts protected by the First Amendment and therefore should not be monitored.
HD.2360 An Act Establishing Driver Privacy Protections
This bill provides that:
Law enforcement or other state government employees or officials may not:
- use an ALPR system to track or monitor activity protected by freedoms of religion or speech guaranteed by the Massachusetts Declaration of Rights or the First Amendment to the United States Constitution;
- retain ALPR data longer than 14 days except in connection with a specific criminal investigation based on articulable facts linking the data to a crime;
- disclose, sell or permit access to ALPR data except as required in a judicial proceeding; or
- access ALPR data from other governmental or non-governmental entities except with a valid search warrant.
Toll collection technologies may only be used to identify the location of any vehicle for tolling purposes.
The department of transportation may not access, search, review, disclose, or exchange tolling data in its possession, custody, or control except to:
- assess, collect or pursue the payment tolls or fines or surcharges related to unpaid tolls;
- install, maintain or repair an ALPR or transponder system or a system storing tolling data;
- respond when an individual is at imminent risk of serious physical injury, death or abduction
- comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.
The department of transportation must eliminate all tolling data that it possesses or controls within 120 days of its was creation unless it is necessary to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.
No toll collection or vehicle data may be shared with or provided to any law enforcement entity or official without a search warrant, or production order; unless this information is requested because of a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction and that such data is necessary to respond. Such a request must be narrowly tailored to address the emergency and subject to the following limitations:
- the request must document the factual basis for the emergency and the applicability of toll collection and/or vehicle data
- within 48 hours of accessing these records, the government office must file a written notice describing with particularity the grounds for emergency access and exactly what tolling data was accessed, with the Attorney General.
If ALPR data, tolling data, and vehicle data is collected, retained, disclosed, sold, or accessed without complying with the above requirements, it may not be admitted, offered or cited by any governmental entity for any purpose in any criminal, civil, or administrative proceeding.
An individual whose rights have been violated by the improper transfer of or access to these data, may introduce evidence concerning this data in a civil action for damages or injunctive relief in a district or superior court or may allow another party in a civil proceeding to do the same.
If a willful violation occurred, the violator will not be allowed to claim any privilege absolute or qualified. In addition to any proven actual liability, the violator will be liable for treble damages, or, alternative, exemplary damages of between $100 and $1000 for each violation as well as costs and reasonable attorney’s fees.
The attorney general will enforce the above and will have the power to petition the court for injunctive relief and other appropriate relief against violators.
7. PROTECTING LOCATIONAL PRIVACY: HD3698
In this bill, location information is defined as directly or indirectly revealing the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information.
HD. 3698 prohibits the collection, processing, or disclosure by a Covered Entity (CE) including “any individual, partnership, corporation, limited liability company, association, or other group” (except a state or local government agency or court) of an individual’s location information from any device that “connects to a cellular, bluetooth, or other wireless network” “for profit or in exchange for monetary or other consideration including selling, renting, trading, or leasing location information without the express consent of the individual except for the following purposes:
Location information can be collected for “(i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) Response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.”
Permission will be valid for one year unless the individual chooses to revoke it before that . If permission is revoked, any location information possessed by a covered entity must be permanently destroyed. An individual can opt in again at a future time. There cannot be any retaliation against someone who chooses not to have their location information collected but a service requiring this information can be withheld.
Covered Entities may not:
- collect more precise location information than necessary to carry out the permitted purpose,
- retain location information longer than necessary to carry out this purpose,
- sell, rent, trade, or lease location information to third parties; or
- derive or infer from location information any data that is not necessary to carry out the permitted purpose.
The CE may not disclose or assist in any way the disclosure of an individual’s location information to third parties (TPs), unless this is necessary to carry out the permissible purpose for which the information was collected, or requested by the individual to whom the location data pertains.
“A CE or service provider (SP) may not disclose location information to any federal, state, or local government agency or official unless:(1) the agency or official presents a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant ,or (2) disclosure is mandated under federal or state law, or (3) the subject of the data requests this disclosure.
- the purpose(s) for which the covered entity is collecting, processing, or disclosing any location information;
- the type of location information collected, including the precision of the data;
- the identities of SPs with which the CE contracts with respect to location data;
- any disclosures of location data necessary to carry out each purpose and the identities of the third parties to whom the location information could be disclosed;
- whether the CE’s practices include its use of location information for targeted ads
- the data management and data security policies governing location information;
- the retention schedule and guidelines for permanently deleting location information
It will be illegal for the government to monetize location data.
Covered entities must annually disclose annually any warrants for location information received by themselves or any associated SPs or TPs (if known), disaggregated by the requesting agency, statutory offense under investigation, and the source of authority to the Attorney General (AG). The AG will make these reports available to the public online.
Any individual alleging a violation of this chapter by a CE or SP may bring a civil action in the superior court or any court of competent jurisdiction. They will not need to file a report with the AG or accept arbitration. If a claim is proven, the plaintiff may be rewarded damages for emotional distress, or $5,000 per violation, whichever is greater, (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate as well as attorney’s fees and other costs.
The AG can bring an action against a CE or SP to remedy violations. The AG must conduct investigations of any possible violations of this chapter and refer cases for criminal prosecution to the appropriate federal, state, or local authorities.
Location information may be collected by a healthcare provider for treatment or research purposes in compliance with HIPPA.
CEs must comply with this chapter within 6 months of enactment and delete any location information retroactively for individuals who withhold consent.
8. PROTECTING BIOMETRIC INFORMATION: HD3053
In this bill, “Biometric information or data” means information or data that pertains to measurable biological or behavioral characteristics of an individual that can be used alone, with each other or with other information, for verification, recognition, or identification of an unknown individual. Examples include: fingerprints, retina and iris patterns, voiceprints, DNA sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. (The bill excludes medical information protected by HIPPA, medical images used for diagnosis or research. donated organs or tissues stored by a federal agency as well as writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.)
The Covered Entities (CEs) include any individual, partnership, corporation, limited liability company, association, or another group, however organized but not a state or local government agency, or any court of Massachusetts.
“ Processing includes collecting, accessing, using, storing, retaining, sharing, monetizing, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disclosing, transmitting, selling, licensing, disposing of, destroying, de-identifying, or otherwise manipulating biometric information.
A CE or Data Processor (DP) cannot collect or process (collect access, use, store, retain, share, monetize analyze, create, generate, aggregate, alter, correlate, operate on, record, modify, organize, structure, disclose, transmit, sell, license, dispose of, destroy, or de-identify)
someone’s biometric information unless: they
- provide a written explanation of exactly what it will collect or process
- receive advance explicit handwritten or electronic consent from the individual or their legal guardian or representative
Consent will expire after 3 years or when the initial purpose for processing the biometric information has been satisfied, whichever occurs first. Upon expiration, any biometric information possessed by a CE must be permanently destroyed. Consent may be renewed
The BPP must include:
- the use models, detailing whether the biometric information is going to be used for identification or verification purposes;
- all data management and data security policies governing biometric information;
- all disclosure practices; and
- the retention schedule and guidelines for permanently deleting biometric information.
The CE must provide notice of any change to its BPP at least 20 business days in advance of implementation and request consent for the changes.
The CE must store, transmit, and protect from disclosure all biometric data in a manner that is the same as or more protective than the manner that it stores, transmits, and protects other confidential and sensitive information, consistent with the standard for similar private industries.
Any CE, DP or third party (TP) may only disclose biometric information if:
- disclosure is required for the provision of a service or product by the CE and the individual has consented
- disclosure is needed to complete a financial or commercial transaction requested by the individual and to which they have consented
- disclosure is for a single purpose to a TP that has been authorized by the individual in handwritten consent
- federal or state law requires disclosure but individual must be notified in advance via BPP
- in response to a valid warrant
- response to imminent threat to life or property[JB1]
No CE, DP or TP may monetize biometric information.
If CE, DP or TP are served with a warrant for biometric information (BI), they must immediately provide the individual with a copy of the warrant, to whom and when their BI was provided, an inventory of the data disclosed, whether the CE, DP or TP provided the data, who requested the warrant from the court, if known. However, a government entity may apply to the court for a 30 day delay in notification and for a renewal of that delay.
CEs must annually report to the Attorney General (AG) any warrants for BI received by them or by associated DPs or TPs. CEs required to report BI pursuant to a law must annually report general aggregate information pertaining to these to the AG.
An individual alleging harm by a violation of this law may bring a civil action in any court of competent jurisdiction directed to any CE, DP or TP believed to have committed the violation.
If the defendant prevails they are eligible for liquidated damages ranging from 0.1% of the annual global revenue of the covered entity or $1,000 per violation, whichever is greater for negligent violations to 0.5% of the annual global revenue of the covered entity or $5,000 per violation, whichever is greater for deliberate violations, punitive damages and any other relief, including but not limited to an injunction as well as reasonable attorney’s fees and costs, including expert witness fees and other litigation expenses. Each instance of violation is eligible for damages.
The AG may bring an action pursuant to section 4 of chapter 93A against a CE, DP or TP to remedy violations of this chapter and for other relief that may be appropriate.
Within 6 months of enactment of the law CEs must obtain consent for all BI collected or stored and must destroy any BI for which consent was not given. The Act will be in effect one year after enactment.
9. PROTECTING BROWSING INFORMATION: SD1217
This law would apply to electronic information collected by any corporation which sends or receives electronic communications, including any service that acts as an intermediary in the transmission of electronic communications, or stores electronic communication information for the general public.
It covers any information pertaining to an electronic communication or the use of an electronic communication service, including, but not limited to the content of electronic communications, metadata, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication.
In order for a government office, law enforcement agency or public official to access your electronic information from either a service provider or an electronic device itself, they would need to get a particularized search warrant supported by probable cause from a superior court judge. Exceptions would include if there were an emergency threatening immediate physical injury or, if you had previously given written consent to the corporation that possesses your electronic data to release it to them. Even in an emergency situation, the government would need to provide a written explanation of why the data was needed to the local superior court within 48 hours. Corporations would have to share the requested information within 14 days or earlier if justified, unless the corporation appeals for and is granted more time.
A Massachusetts corporation that provides electronic communication services, remote computing services, or location information services must respond to a warrant or subpoena from another state to produce records that would reveal the identity of the customers using those services, data stored by, or on behalf of the customer, the customer’s usage of those services, the recipient or destination of communications sent to or from those customers, or the content of those communications, as if that warrant or subpoena had been issued under the law of the commonwealth. This element is concerning, because it would allow a state that prohibits abortion to access content that might reveal that someone either had an abortion or received abortion medication.
The law enforcement or government officer who obtains someone’s electronic information via a search warrant must provide them with a copy of the warrant, the application for the warrant, an explanation of the law enforcement inquiry and the information requested and date of the request within 7 days of collecting their information unless a reason is provided for a delay which may be granted for up to 90 days and may compel the entity providing the data to delay notifying the target person.
A warrant for the electronic information requested is not necessary if the owner of the electronic information or the recipient of the information gives the law enforcement or government officer their written consent to share it.
If a government office, law enforcement agency, or public official believes that an electronic device is lost, stolen, or abandoned they may access electronic device information necessary in order to attempt to identify, verify, or contact the owner or authorized possessor of the device.
Within 5 business days of issuing or denying a warrant, the court must report to the office of court management within the trial court all of the information pertaining to the warrant described above as well as name of the agency making the application, the offense described in the warrant and any modifications or extensions made to the warrant.
Every June, the court administrator in the office of court management in the trial court must provide the legislature with a complete report of the number of applications for warrants authorizing or requiring the disclosure of or access to information including a summary and analysis of the data which will all be public records.
No government office or law enforcement may ask any court for a reverse-location court order (including a search warrant or subpoena) to obtain the location of a specific device(s) or a reverse-keyword court order to identify who electronically searched for particular words, phrases, or websites, nor may they purchase this data. No court is permitted to issue any court order allowing the disclosure of reverse-location or reverse keyword data.
No government office or law enforcement may make a reverse location request or reverse keyword request from a company. Nor may they seek the assistance of any agency of the federal government or any agency of the government of another state or subdivision thereof in obtaining information or data from a reverse-location court order, reverse-keyword court order, reverse-location request, or reverse-keyword request if they would be barred from directly seeking such information.
No government office, law enforcement agency, or public official may use a cell site simulator (CSS)device for any purpose other than to locate or track the location of a specific electronic device, pursuant to a particularized warrant based on probable cause or if exigent circumstances exist requiring swift action to prevent imminent danger to the safety of an individual or the public. A warrant issued limits the use of the CSS to 15 days unless an application is made for renewal.
A warrant application must specify
- the facts establishing probable cause to believe the targeted individual has committed, is committing, or is about to commit a felony
- that less invasive methods of investigation or surveillance to the privacy of non-targeted parties have been tried and failed or are reasonably unlikely to succeed
- It must disclose the nature and capabilities of the cell site simulator to be used, the name of the government agency that owns the cell site simulator device
- exactly how it will be deployed, including whether it will obtain data from non-target communications devices
- the procedures that will be followed to protect the privacy of non-targets during the investigation, including the deletion of data obtained from non-target communication device
- that all target data must be deleted within 30 days if there is no longer probable cause that such information or metadata is evidence of a crime
Any individual whose information was obtained by a government entity in violation of the above requirements for the collection of private electronic information must be notified in writing, by the government office, law enforcement agency, or public official who committed the violation and of the legal recourse available to that person.
Any electronic information collected in violation of the above provisions may not be used in evidence any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the commonwealth, or a political subdivision thereof.
Anyone who has been harmed by a violation of these protections of private electronic information may bring a civil action against the government office, law enforcement agency, or public official who violated those sections in the Superior Court or any court of competent jurisdiction. Such a person will not need to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim.
When the plaintiff prevails in a civil action, the court may award actual damages, including damages for emotional distress, the greater of either $1000 per violation or actual damages, (punitive damages; and any other relief, including but not limited to injunctive or declaratory relief). In addition to any relief awarded, the court will award reasonable attorney’s fees and costs to the plaintiff.
Any contract whether government or private that infringes the above rights will be considered void.
This bill would also prohibit “library user private data” meaning records of a public library which reveals the identity and intellectual pursuits of a person using the library from being collected by any government or law enforcement agency.
10. SAFE COMMUNITIES ACT: HD2459 / SD1937
This long-standing goal of Digital Fourth and allied organizations, especially MIRA, would prevent local and state law enforcement from sharing information relating to the potential presence of undocumented immigrants, with ICE or other federal agencies.
For further details, please see the action alert here: https://actionnetwork.org/letters/tell-lawmakers-prioritize-the-safe-communities-act-this-session-23