It’s A Whole New World

Every two years, the Massachusetts legislature starts a fresh session. Here, we review bills introduced in the new session on the top ten topics relating to surveillance, privacy and the Fourth Amendment.

Please contact your legislators via https://malegislature.gov/Search/FindMyLegislator, to express your support, and to ask for theirs. Our thanks to Julie Bernstein for conducting the legislative research for this article.

1. Civil Asset Forfeitures: HD1780 / SD2388, HD1328
2. Qualified Immunity Reform: SD1970
3. Oversight of Fusion Centers: HD2088
4. Commercial Data Privacy Protection: SD745
5. Restricting Law Enforcement Use Of Facial Recognition: HD2304 / SD750
6. Restricting Automated License Plate Recognition: HD428 & HD2360
7. Protecting Locational Privacy: HD3698
8. Protecting Biometric Information: HD3053
9. Protecting Browsing Information: SD1217
10. Safe Communities Act: HD2459 / SD1937

Summaries and explanations of each of these bills follow after the jump:

1. CIVIL ASSET FORFEITURES: HD1780 / SD2388, HD1328

HD.1780 / SD.2388: An Act Relative to Forfeiture Reform

HD.1328: An Act Relative To Civil Asset Forfeiture Transparency And Data Reporting

HD.2128: An Act Relative to Civil Asset Forfeiture

Restore The Fourth’s Issue Brief on Civil Asset Forfeiture

The threshold for civil asset forfeitures (CAFs) in MA is the lowest in the country: “probable cause” that a crime was committed. Our state is notorious for seizing cash and vehicles from people who have not committed a crime, and we were ranked worst in the country for civil asset forfeiture policies by The Institute for Justice.

Last year, a special legislative commission was convened to investigate civil asset forfeiture in MA. They requested civil asset forfeiture data from every District Attorney (DA) and every local law enforcement agency. The only response that they received was from Suffolk County, and in cataloging how the assets from their seizures and forfeitures were spent, they listed 50% as going to “other”. H.D.1780 is an outcome of the recommendations of the Commission on Civil Asset Forfeiture.

H.D.1780 raises the evidentiary standard for CAFs by one level to “a preponderance of the evidence”, which is more typical nationwide. DAs and local law enforcement keep all of the proceeds from forfeiture in our state, which incentivizes seizures. H.D.1780 requires that all proceeds from seizures and forfeitures go to the Treasurer, who, after reimbursing all non-personnel costs associated with the seizure and paying liens, would deposit the remainder in the General Fund.

This bill also narrows a major loophole. Currently, police departments participating in joint task forces with the federal government (often cooperating in large seizures of contraband) are required by the federal government to contribute the 80% of the proceeds which they receive into law enforcement. This has enabled law enforcement to purchase surveillance technology like stingrays without any oversight, even when it is required by a local Surveillance Ordinance. Under the new provisions, if federal law prevents the distribution of CAF proceeds to the General Fund, then police departments can no longer accept forfeited property or proceeds from the federal government. A remaining gap is that all joint seizures would have to be litigated by a local DA or the AG, except for seizures of U.S. currency worth more than $50,000.

A report by Politico and WBUR about civil asset forfeitures in Worcester County revealed that 1 in 4 seizures of cash and property that the Worcester DA’s office filed forfeitures for in 2018 either were not associated with a criminal conviction or weren’t even linked to a criminal drug charge, and another 9% of seizures had no publicly available court records. Among those, there were more than 90 instances where people lost money or cars, taken most often during traffic stops, frisks and home searches, even though there weren’t related drug convictions or drug charges. WBUR documented more than 500 occasions between 2016 and 2019 where funds were held by the DA’s office for ten years or more before officials tried to notify people. More than half of funds seized between 2017 and 2019 were $500 or less. When the county finally got around to notifying someone that their assets were not legitimately seized and could be returned, they published a small notice in the local newspaper.

Elsewhere in the state there was a well-publicized case where a vehicle belonging to Malinda Harris was seized after her son was suspected of using it in a crime. The woman had nothing to do with his crime and needed her car for work. Six years later it was finally returned to her.

H.D. 1780 would require that seizures and forfeitures occur only after a court convicts the suspect of a crime, with exceptions for lawful arrests and searches, and seizures of contraband. Police officers would be compelled to itemize everything that they seize, and they would be prohibited from seizing currency of less than $200 and vehicles worth under $10,000. A seizure that occurred before a trial for a crime can be appealed via a hearing. Both H.D.1780 and H.D.1328 compel every law enforcement agency, including the state police and all DAs, to annually report all seizures and forfeitures, including those under federal jurisdiction, and the crimes associated with them. These would be entered by the executive office of administration and finance into a case tracking system and searchable public website.

H.D. 1328 requires that important additional information be reported including the outcome of any criminal charges, the details of all proceedings related to seizures and forfeitures, all case numbers and the zip code in which the seizure occurred. This granularity is crucial in view of the abuses that have occurred and the need to understand whether the new regulations adequately address these. Furthermore, whereas H.D.1780 requires that the data be reported to the AG, H.D. 1328 requires that all of the data also be reported to the Senate and House Committees on Ways and Means and the Joint Committee on the Judiciary.

H. D. 2128 would raise the standard of proof for a civil forfeiture further than H. D. 1780 would; instead of the Commonwealth having to prove that the asset was associated with a crime on “the preponderance of the evidence”, they would have to meet a standard of “clear and convincing evidence”. That standard or higher is the law in 28 states. The bill would also route all state forfeiture revenue into the Commonwealth Substance Abuse Prevention and Treatment Fund. It includes process improvements similar to H. D. 1780, though less detailed than those in H. D. 1328.

Digital Fourth supports these bills individually, and would support a consolidation of them in committee, using the standard of proof and revenues provisions from H. D. 2128, the detailed process requirements from H. D. 1780, and the detailed reporting requirements from H. D. 1328. These bills should help to ensure that forfeitures occur only when the vehicle, asset, or realty was involved in a crime, that innocent owners do not lose their property, and that law enforcement agencies have no financial incentive to conduct seizures and forfeitures.

2. QUALIFIED IMMUNITY REFORM: SD1970

Qualified immunity reform was left out of the 2020 police reform in Massachusetts, unlike in other states. Currently, Massachusetts imposes an unfeasibly high bar on civil rights lawsuits against state government agents, including police, of having to prove that the civil rights violation involved “threats, intimidation or coercion.” As a consequence, attorneys don’t take these cases, because they don’t expect to win; many plaintiffs can’t afford to pay an attorney unless they win damages.

S.D. 1970 stipulates that: “In an action brought under this section against a person or entity acting under color of law, proof shall not be required that the interference or attempted interference was by threats, intimidation or coercion.”

3. OVERSIGHT OF FUSION CENTERS: HD2088

This bill would require the Commonwealth’s “criminal intelligence systems” – the Boston Regional Intelligence Center, the Commonwealth Fusion Center, and others – to submit to regular outside auditing to ensure that they are complying with 28 CFR Part 23. This federal regulation requires that any information they hold on Massachusetts residents be based on reasonable suspicion of involvement in a crime.

It provides a private right of action to residents who believe that these entities have violated their privacy rights. It also requires the Commonwealth Fusion Center to publish the names of its privacy advisory committee, to have it meet quarterly, and to make its minutes public.

4. COMMERCIAL DATA PRIVACY PROTECTION: SD745

SD. 745: An Act Establishing the Massachusetts Data Privacy Protection Act

This is a very complete data privacy bill that covers large corporations, service providers, social media companies and data brokers that collect, process or transfer data. It requires the originating covered entity (CE), for example Google, to limit the data that it collects from you to only what is necessary to provide you the service that you desire. The CE must also give you an easily accessible and user-friendly affirmative consent mechanism that tells you what data it collects, where the data goes and for what purposes, and that lets you consent to or opt out of these uses of your data. The CE must communicate your preferences to all of the service providers (SPs), data brokers (DBs) and any other third parties with which it shares your data, because they must comply with your preferences.

Each covered CE and SP must make publicly available an obvious and understandable privacy policy including a detailed and accurate representation of its data collection, processing, and transfer activities, the purpose of all data collected, the length of time that the data is to be retained, the data security practices implemented, every data broker or third party to whom the data is transferred and several forms of contact information so an individual can readily access the CE or SP to make requests concerning their data.

If the covered entity makes any changes in the data it collects, shares or transfers or sends your data to a new party, this must be communicated to you so that you can consent or opt out. You can change your data preferences and delete data twice a year without paying.

All CEs must allow individuals to access their data in a downloadable, portable, structured, interoperable, and machine-readable format and to make any corrections to inaccurate and incomplete data. Requests to change or delete your data should generally be honored within 30 days and you can make these changes twice annually for free.

Companies will have to report to the Attorney General (AG) how many requests they receive and how they have been handled. Any individual alleging a violation of their privacy rights under this act may bring “a civil action in the superior court or any court of competent jurisdiction” against the CE, DP or third parties. If a violation is found to have occurred, the plaintiff will be eligible for damages as well as an injunction or other relief and attorney fees.

DBs must register with the Office of Consumer Affairs and Business Regulation (OCABR), which will maintain a searchable database with information on what data each DB collects and transfers and how you can contact the data broker about removing or verifying your data, linked to a website provided by the DB where you can opt out of data collection. Failure of the DB to comply will result in a fine.

Each DB will also be required to provide the AG with an impact statement for any algorithms that it uses that can potentially have a disparate impact on any protected group or individual registered to a political party, along with the steps it is taking to mitigate the impact. The AG can take action against a CE or SP that fails to comply with civil rights provisions.

Large data holders (DHs) must hire at least one privacy officer or data security officer and implement a data privacy program and data security program to safeguard the privacy and security of covered data. All CEs and Large DHs must perform a privacy impact assessment that weighs the benefits of the data collecting, processing, and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy, and must review how technologies are being used to secure covered data.

CEs must provide all legal requests for disclosure of personal information that they receive to the AG and the general public on a bimonthly basis. This includes requests for location information and both the number of legal requests that resulted in the covered entity disclosing location or biometric information and those that did not.

The bill bans targeted advertisements to minors.

The bill has strong protections for workers against electronic monitoring that limit the monitoring to the least amount of information necessary from the fewest number of employees for the shortest length of time in order to enable tasks that are necessary to accomplish essential job functions or to monitor production processes or quality. The monitoring must not harm the employee’s mental or physical health. Employers must provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring and include details including the purpose, the specific activities, locations, communications, and job roles that will be electronically monitored, the technologies that will be used and all vendors and third parties who will receive the data.

5. RESTRICTING LAW ENFORCEMENT USE OF FACIAL RECOGNITION: HD2304 / SD750

This bill implements the findings of last session’s Commission on Face Surveillance. The findings had support from law enforcement as well as from civil liberties organizations. The bill would provide that:

1. Law enforcement other than the State Police and FBI cannot directly possess or access a biometric surveillance database.

2. Law enforcement may not use biometric surveillance to infer a person’s emotion or affect nor for analysis of moving images or video data.

3. The State Police can access the facial recognition database used by the registrar of motor vehicles to conduct a search for local law enforcement, a federal agency or the FBI if they are presented with a warrant issued by a judge based upon probable cause, or if there is an immediate threat of danger of serious injury to someone or a need to identify a deceased person.

4. Law enforcement must document the basis for any emergency requests and file them with the appropriate Superior Court within 48 hours of the request.

5. All searches of the database by the State Police or FBI must be documented and reported to the executive office of public safety and security (EOPSS) quarterly, disaggregated by the requesting law enforcement or federal agency. The same goes for breakdowns of whether the request involved a warrant or emergency. The agency must post the total number of searches performed ID of a deceased person. These must all be publicly posted by EOPSS by March 31 of the following year.

6. Any person charged with a crime in which they were identified by a facial recognition search must be provided notice that the search occurred and defendants and their attorneys in criminal prosecutions must be provided with all records and information pertaining to any facial recognition searches performed or requested during the course of the investigation of the crime or offense.

6. RESTRICTING AUTOMATED LICENSE PLATE RECOGNITION: HD428 & HD2360

HD.428 An Act Relative to All-Electronic Tolling Data Privacy.

This bill provides that:

1. A department may not access, search, review, disclose or exchange tolling data (meaning any data captured or created by an ALPR system or from signals or radio frequencies emitted by a transponder in connection with the assessment or collection of a toll, including, without limitation, GPS coordinates or vehicle location information, dates and times traveled, images, vehicle speed, and license plate numbers, existing in any form or medium, whether electronic, paper or otherwise) unless this is necessary to:

a. collect, access or pursue payment of tolls or fines or surcharges related to unpaid tolls;

b. install, maintain or repair a transponder;

c. respond to a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction; provided, that not later than 48 hours after responding, the access and detailed reasons for it are provided to the AG; or

d. comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.

3. a. The department must erase or destroy the tolling data accessed within 120 days of access.

    b. The department may retain tolling data beyond 120 days to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.

4. a. A person whose tolling data was retained in violation of the above can institute a civil action in district or superior court for damages or in superior court for injunctive relief.

    b. If a violation has occurred the violator will not be entitled to absolute or qualified immunity and will be liable for proven actual damages, be liable for treble damages or for exemplary damages of between $100 and $1000 along with costs and reasonable attorney’s fees.

Why this is important: ALPR data records everywhere that someone has driven. If it is maintained in a database, then it can be reviewed retroactively for many unlawful purposes, such as to identify a suspect in a crime for which there is no particularized evidence of them having committed the crime. This means that potentially many people who have traveled to the vicinity of the location of a crime will now become suspects. In addition, tolling data can be used to identify individuals who have participated in a political event, rally or protest, which are acts protected by the First Amendment and therefore should not be monitored.

HD.2360 An Act Establishing Driver Privacy Protections

This bill provides that:

Law enforcement or other state government employees or officials may not:

  • use an ALPR system to track or monitor activity protected by freedoms of religion or speech guaranteed by the Massachusetts Declaration of Rights or the First Amendment to the United States Constitution;
  • retain ALPR data longer than 14 days except in connection with a specific criminal investigation based on articulable facts linking the data to a crime;
  • disclose, sell or permit access to ALPR data except as required in a judicial proceeding; or
  • access ALPR data from other governmental or non-governmental entities except with a valid search warrant.

Toll collection technologies may only be used to identify the location of any vehicle for tolling purposes.

The department of transportation may not access, search, review, disclose, or exchange tolling data in its possession, custody, or control except to:

  • assess, collect or pursue the payment of tolls or fines or surcharges related to unpaid tolls;
  • install, maintain or repair an ALPR or transponder system or a system storing tolling data;
  • respond when an individual is at imminent risk of serious physical injury, death or abduction;
  • comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.

The department of transportation must eliminate all tolling data that it possesses or controls within 120 days of its creation, unless retention is necessary to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.

No toll collection or vehicle data may be shared with or provided to any law enforcement entity or official without a search warrant or production order, unless this information is requested because of a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction and that such data is necessary to respond. Such a request must be narrowly tailored to address the emergency and subject to the following limitations:

  • the request must document the factual basis for the emergency and the applicability of toll collection and/or vehicle data
  • within 48 hours of accessing these records, the government office must file a written notice describing with particularity the grounds for emergency access and exactly what tolling data was accessed, with the Attorney General.

If ALPR data, tolling data, or vehicle data is collected, retained, disclosed, sold, or accessed without complying with the above requirements, it may not be admitted, offered or cited by any governmental entity for any purpose in any criminal, civil, or administrative proceeding.

An individual whose rights have been violated by the improper transfer of or access to these data, may introduce evidence concerning this data in a civil action for damages or injunctive relief in a district or superior court or may allow another party in a civil proceeding to do the same.

If a willful violation occurred, the violator will not be allowed to claim any privilege, absolute or qualified. In addition to any proven actual liability, the violator will be liable for treble damages or, alternatively, exemplary damages of between $100 and $1000 for each violation, as well as costs and reasonable attorney’s fees.

The attorney general will enforce the above and will have the power to petition the court for injunctive relief and other appropriate relief against violators.  

7. PROTECTING LOCATIONAL PRIVACY: HD3698

In this bill, location information is defined as directly or indirectly revealing the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address; (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information.

HD. 3698 prohibits the collection, processing, or disclosure by a Covered Entity (CE), including “any individual, partnership, corporation, limited liability company, association, or other group” (except a state or local government agency or court), of an individual’s location information from any device that “connects to a cellular, bluetooth, or other wireless network” for profit or in exchange for monetary or other consideration, including selling, renting, trading, or leasing location information, without the express consent of the individual, except for the following purposes:

Location information can be collected for “(i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) Response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.”

When location information is collected for any but the last two allowed purposes, the CE must list each purpose in a Location Privacy Policy and individuals must provide discrete consent for each purpose to enable the collection of location information. Each CE must provide a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.

Permission will be valid for one year unless the individual chooses to revoke it before that. If permission is revoked, any location information possessed by a covered entity must be permanently destroyed. An individual can opt in again at a future time. There cannot be any retaliation against someone who chooses not to have their location information collected, but a service requiring this information can be withheld.

Covered Entities may not:

  • collect more precise location information than necessary to carry out the permitted purpose,
  • retain location information longer than necessary to carry out this purpose,
  • sell, rent, trade, or lease location information to third parties; or
  • derive or infer from location information any data that is not necessary to carry out the permitted purpose.

The CE may not disclose or assist in any way the disclosure of an individual’s location information to third parties (TPs), unless this is necessary to carry out the permissible purpose for which the information was collected, or requested by the individual to whom the location data pertains.

A CE or service provider (SP) may not disclose location information to any federal, state, or local government agency or official unless: (1) the agency or official presents a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant, or (2) disclosure is mandated under federal or state law, or (3) the subject of the data requests this disclosure.

The CE must maintain and make available its Location Privacy Policy including:

  • the purpose(s) for which the covered entity is collecting, processing, or disclosing any location information;
  • the type of location information collected, including the precision of the data;
  • the identities of SPs with which the CE contracts with respect to location data;
  • any disclosures of location data necessary to carry out each purpose and the identities of the third parties to whom the location information could be disclosed;
  • whether the CE’s practices include its use of location information for targeted ads;
  • the data management and data security policies governing location information;
  • the retention schedule and guidelines for permanently deleting location information.

Users of the CE must be given 20 days advance notice of any change in the Location Privacy Policy.

It will be illegal for the government to monetize location data.

Covered entities must annually disclose to the Attorney General (AG) any warrants for location information received by themselves or any associated SPs or TPs (if known), disaggregated by the requesting agency, statutory offense under investigation, and the source of authority. The AG will make these reports available to the public online.

Any individual alleging a violation of this chapter by a CE or SP may bring a civil action in the superior court or any court of competent jurisdiction. They will not need to file a report with the AG or accept arbitration. If a claim is proven, the plaintiff may be awarded (1) damages for emotional distress, or $5,000 per violation, whichever is greater; (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate, as well as attorney’s fees and other costs.

The AG can bring an action against a CE or SP to remedy violations. The AG must conduct investigations of any possible violations of this chapter and refer cases for criminal prosecution to the appropriate federal, state, or local authorities.

Location information may be collected by a healthcare provider for treatment or research purposes in compliance with HIPAA.

CEs must comply with this chapter within 6 months of enactment and delete any location information retroactively for individuals who withhold consent.

8. PROTECTING BIOMETRIC INFORMATION: HD3053

In this bill, “Biometric information or data” means information or data that pertains to measurable biological or behavioral characteristics of an individual that can be used alone, with each other or with other information, for verification, recognition, or identification of an unknown individual. Examples include: fingerprints, retina and iris patterns, voiceprints, DNA sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. (The bill excludes medical information protected by HIPAA, medical images used for diagnosis or research, donated organs or tissues stored by a federal agency, as well as writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.)

The Covered Entities (CEs) include any individual, partnership, corporation, limited liability company, association, or another group, however organized but not a state or local government agency, or any court of Massachusetts.

“Processing” includes collecting, accessing, using, storing, retaining, sharing, monetizing, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disclosing, transmitting, selling, licensing, disposing of, destroying, de-identifying, or otherwise manipulating biometric information.

A CE or Data Processor (DP) cannot collect or process (collect, access, use, store, retain, share, monetize, analyze, create, generate, aggregate, alter, correlate, operate on, record, modify, organize, structure, disclose, transmit, sell, license, dispose of, destroy, or de-identify) someone’s biometric information unless they:

  • provide a written explanation of exactly what it will collect or process
  • provide the individual with the Biometric Privacy Policy (BPP)
  • receive advance explicit handwritten or electronic consent from the individual or their legal guardian or representative

Consent will expire after 3 years or when the initial purpose for processing the biometric information has been satisfied, whichever occurs first. Upon expiration, any biometric information possessed by a CE must be permanently destroyed. Consent may be renewed.

The BPP must include:

  • the use models, detailing whether the biometric information is going to be used for identification or verification purposes; 
  • all data management and data security policies governing biometric information; 
  • all disclosure practices; and 
  • the retention schedule and guidelines for permanently deleting biometric information.

The CE must provide notice of any change to its BPP at least 20 business days in advance of implementation and request consent for the changes.

The CE must store, transmit, and protect from disclosure all biometric data in a manner that is the same as or more protective than the manner that it stores, transmits, and protects other confidential and sensitive information, consistent with the standard for similar private industries.

Any CE, DP or third party (TP) may only disclose biometric information if:

  • disclosure is required for the provision of a service or product by the CE and the individual has consented
  • disclosure is needed to complete a financial or commercial transaction requested by the individual and to which they have consented
  • disclosure is for a single purpose to a TP that has been authorized by the individual in handwritten consent
  • federal or state law requires disclosure, but the individual must be notified in advance via the BPP
  • in response to a valid warrant
  • in response to an imminent threat to life or property

No CE, DP or TP may monetize biometric information.

If a CE, DP or TP is served with a warrant for biometric information (BI), it must immediately provide the individual with a copy of the warrant, to whom and when their BI was provided, an inventory of the data disclosed, whether the CE, DP or TP provided the data, and who requested the warrant from the court, if known. However, a government entity may apply to the court for a 30-day delay in notification and for a renewal of that delay.

CEs must annually report to the Attorney General (AG) any warrants for BI received by them or by associated DPs or TPs. CEs required to report BI pursuant to a law must annually report general aggregate information pertaining to these to the AG.

An individual alleging harm by a violation of this law may bring a civil action in any court of competent jurisdiction directed to any CE, DP or TP believed to have committed the violation.

If the defendant prevails they are eligible for liquidated damages ranging from 0.1% of the annual global revenue of the covered entity or $1,000 per violation, whichever is greater, for negligent violations, to 0.5% of the annual global revenue of the covered entity or $5,000 per violation, whichever is greater, for deliberate violations; punitive damages; and any other relief, including but not limited to an injunction, as well as reasonable attorney’s fees and costs, including expert witness fees and other litigation expenses. Each instance of violation is eligible for damages.

The AG may bring an action pursuant to section 4 of chapter 93A against a CE, DP or TP to remedy violations of this chapter and for other relief that may be appropriate. 

Within 6 months of enactment of the law CEs must obtain consent for all BI collected or stored and must destroy any BI for which consent was not given. The Act will be in effect one year after enactment.

9. PROTECTING BROWSING INFORMATION: SD1217

This law would apply to electronic information collected by any corporation which sends or receives electronic communications, including any service that acts as an intermediary in the transmission of electronic communications, or stores electronic communication information for the general public.

It covers any information pertaining to an electronic communication or the use of an electronic communication service, including, but not limited to the content of electronic communications, metadata, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication.

In order for a government office, law enforcement agency or public official to access your electronic information from either a service provider or an electronic device itself, they would need to get a particularized search warrant supported by probable cause from a superior court judge. Exceptions would include if there were an emergency threatening immediate physical injury or, if you had previously given written consent to the corporation that possesses your electronic data to release it to them. Even in an emergency situation, the government would need to provide a written explanation of why the data was needed to the local superior court within 48 hours. Corporations would have to share the requested information within 14 days or earlier if justified, unless the corporation appeals for and is granted more time.

A Massachusetts corporation that provides electronic communication services, remote computing services, or location information services must respond to a warrant or subpoena from another state to produce records that would reveal the identity of the customers using those services, data stored by, or on behalf of the customer, the customer’s usage of those services, the recipient or destination of communications sent to or from those customers, or the content of those communications, as if that warrant or subpoena had been issued under the law of the commonwealth. This element is concerning, because it would allow a state that prohibits abortion to access content that might reveal that someone either had an abortion or received abortion medication.

The law enforcement or government officer who obtains someone’s electronic information via a search warrant must provide them with a copy of the warrant, the application for the warrant, an explanation of the law enforcement inquiry and the information requested and date of the request within 7 days of collecting their information unless a reason is provided for a delay which may be granted for up to 90 days and may compel the entity providing the data to delay notifying the target person.

A warrant for the electronic information requested is not necessary if the owner of the electronic information or the recipient of the information gives the law enforcement or government officer their written consent to share it.

If a government office, law enforcement agency, or public official believes that an electronic device is lost, stolen, or abandoned, they may access the electronic device information necessary to attempt to identify, verify, or contact the owner or authorized possessor of the device.

Within 5 business days of issuing or denying a warrant, the court must report to the office of court management within the trial court all of the information pertaining to the warrant described above as well as name of the agency making the application, the offense described in the warrant and any modifications or extensions made to the warrant.

Every June, the court administrator in the office of court management in the trial court must provide the legislature with a complete report of the number of applications for warrants authorizing or requiring the disclosure of or access to information including a summary and analysis of the data which will all be public records.

No government office or law enforcement may ask any court for a reverse-location court order (including a search warrant or subpoena) to obtain the location of a specific device(s) or a reverse-keyword court order to identify who electronically searched for particular words, phrases, or websites, nor may they purchase this data. No court is permitted to issue any court order allowing the disclosure of reverse-location or reverse keyword data.

No government office or law enforcement may make a reverse location request or reverse keyword request from a company. Nor may they seek the assistance of any agency of the federal government or any agency of the government of another state or subdivision thereof in obtaining information or data from a reverse-location court order, reverse-keyword court order, reverse-location request, or reverse-keyword request if they would be barred from directly seeking such information.

No government office, law enforcement agency, or public official may use a cell site simulator (CSS) device for any purpose other than to locate or track the location of a specific electronic device, pursuant to a particularized warrant based on probable cause or if exigent circumstances exist requiring swift action to prevent imminent danger to the safety of an individual or the public. A warrant limits the use of the CSS to 15 days unless an application is made for renewal.

A warrant application must specify

  • the facts establishing probable cause to believe the targeted individual has committed, is committing, or is about to commit a felony
  • that less invasive methods of investigation or surveillance to the privacy of non-targeted parties have been tried and failed or are reasonably unlikely to succeed
  • the nature and capabilities of the cell site simulator to be used, and the name of the government agency that owns the cell site simulator device
  • exactly how it will be deployed, including whether it will obtain data from non-target communications devices
  • the procedures that will be followed to protect the privacy of non-targets during the investigation, including the deletion of data obtained from non-target communication devices
  • that all target data must be deleted within 30 days if there is no longer probable cause that such information or metadata is evidence of a crime

Any individual whose information was obtained by a government entity in violation of the above requirements for the collection of private electronic information must be notified in writing by the government office, law enforcement agency, or public official who committed the violation, and informed of the legal recourse available to that person.

Any electronic information collected in violation of the above provisions may not be used in evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the commonwealth, or a political subdivision thereof.

Anyone who has been harmed by a violation of these protections of private electronic information may bring a civil action against the government office, law enforcement agency, or public official who violated those sections in the Superior Court or any court of competent jurisdiction. Such a person will not need to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim.

When the plaintiff prevails in a civil action, the court may award the greater of $1000 per violation or actual damages, including damages for emotional distress; punitive damages; and any other relief, including but not limited to injunctive or declaratory relief. In addition to any relief awarded, the court will award reasonable attorney’s fees and costs to the plaintiff.

Any contract whether government or private that infringes the above rights will be considered void.

This bill would also prohibit “library user private data”, meaning records of a public library which reveal the identity and intellectual pursuits of a person using the library, from being collected by any government or law enforcement agency.

10. SAFE COMMUNITIES ACT: HD2459 / SD1937

This long-standing goal of Digital Fourth and allied organizations, especially MIRA, would prevent local and state law enforcement from sharing information relating to the potential presence of undocumented immigrants, with ICE or other federal agencies.

For further details, please see the action alert here: https://actionnetwork.org/letters/tell-lawmakers-prioritize-the-safe-communities-act-this-session-23

Understanding Fusion Centers

Our local fusion center, BRIC, has been at the core of police efforts to surveil and suppress social movements for over a decade. And, since 2012, we’ve been calling them out on their abusive and un-Constitutional practices.

This October 30, please join us for a livestreamed discussion on fusion centers, with Boston City Councilor Ricardo Arroyo, law student Dani Hargus, and journalist Emma Best, moderated by our own Alex Marthews!

Boston’s Fusion Center Gives Itself an A+ on “Privacy and Civil Liberties”

Ten months ago, Digital Fourth submitted a public records request to Boston’s fusion center, the Boston Regional Intelligence Center. It took two appeals to the Secretary of State to get it, but we finally got a response.

The states operate a network of 78 fusion centers across the nation, which coordinate intelligence-related information between federal agencies and state and local law enforcement, in the name of thwarting terrorist attacks. They have never, to anyone’s knowledge, actually thwarted one, and they have become bywords in Washington for waste and ineffectiveness. Previously, we reported on constitutional violations and the results of a FOIA request at Massachusetts’ “Commonwealth Fusion Center”, operated by the State Police; now it’s the turn of Massachusetts’ other fusion center, headquartered at the Boston PD.

The most interesting document we received is the “2013 Fusion Center Assessment Individual Report: Boston Regional Intelligence Center”. This report was heavily redacted, but luckily the State of Colorado has posted on its website an unredacted 2014 report from Colorado’s fusion center that is absolutely identical in format to the Boston report we received, rendering all of the redactions in the Boston report moot. So if you’d like to understand what the BRIC didn’t want us to see, read on.

Mr. Anderson’s Rough Guide to Anonymous Protest

Note: These methods are not foolproof. Even if you take every precaution described below, you should still assume that you are being watched, tracked, and recorded. Act accordingly.

I. Leave your cellphone at home. It is safe to assume that “Stingrays” (also known as “cell site simulators” or “IMSI catchers”) are being used at every #BlackLivesMatter protest around the country. These devices trick your phone into connecting to them by simulating a cell tower, allowing law enforcement to intercept your text messages and phone calls as well as your location information and International Mobile Subscriber Identity (your phone’s unique identifier). They are small enough to be mounted on vehicles and can even be placed on airplanes and helicopters to track protesters from the sky. It is probably best to leave your cellphone at home. If this is impractical for you, you might want to consider using secure messaging apps such as Wickr or TextSecure. Note that as long as your phone is turned on, your location information and IMSI information can still be intercepted.

II. Avoid exposing your face to cameras. Police love to video record protesters exercising their First Amendment rights. Unless you want to run the risk of having images of your face uploaded to a network of shadowy databases to be matched with driver’s license photographs and other government records for tracking purposes, it is wise to consider covering up your face or applying face paint in a manner that prevents facial recognition software from identifying you. Some believe covering your face is cowardly, but if the choice is between being indexed in a virtually boundless, unaccountable surveillance system and the right to protest anonymously without retribution, I’ll take the latter any day.

III. Avoid advertising your location or other personal information on social media. Fusion centers and police departments like to track people using social media geolocation software to track social media posts in real-time. This is likely one of the tools used by the Massachusetts fusion centers for tracking #BlackLivesMatter protesters in Boston. You may want to avoid using social media altogether while at a protest; but if you feel the need, it might be a good idea to create a fake account to make it a little more difficult for spies to monitor you.

IV. Use PGP for encrypted emails. Encryption is your friend. “PGP” stands for “Pretty Good Privacy”, and it holds true to its name. Think of PGP as an airtight container that keeps your emails away from the eyes of anyone except the intended recipient(s). Sure, it can be a little tough to set up, but once you have it installed, it’s actually very easy to use.

Here is a guide to installing PGP for Mac OS X.
Here is a guide to installing PGP for Windows and GNU/Linux.

V. Use Tor and/or a VPN. Tor is free software that provides anonymity by routing your Internet activity through a series of other users running Tor relays. The goal is to prevent eavesdroppers from seeing the web pages you visit by bouncing your connection around the network, making it appear as if you are accessing the Internet from a completely random location. Similarly, Virtual Private Networks route your connection through a server of your choice, making it appear as if you are connecting to the Internet from France, Canada, Sweden, or pretty much anywhere. Unlike Tor, good VPNs are not free, but they can be as inexpensive as $3.33 per month.

It Takes A Massive Surveillance Apparatus To Hold Us Back: Fusion Centers, Ferguson and the Deep State

Here’s a question: How much of a national security threat are people protesting the non-indictment of Ferguson police officer Darren Wilson for killing Michael Brown?

If you answered, There’s no national security threat; they’re exercising their First Amendment rights, which should be celebrated, then you’re obviously a pre-9/11-American, which is enough to get you disinvited from the major TV propaganda shows.

Local news media reported on the Black Lives Matter protest in Boston, and noted, without really thinking about it, that “the state police Commonwealth Fusion Center monitored social media, which provided ‘critical intelligence about protesters’ plans to try to disrupt traffic on state highways.’” It didn’t really register because journalists are mostly not watching fusion centers like we are, and aren’t seeing them come up again and again and again and again, lurking at the edges of stories about free speech and national security, and policing the boundaries of what is acceptable to say.

Think, then, of fusion centers as state-based NSAs overseen loosely by the Department of Homeland Security. Set up after 9/11 to provide “joined-up intelligence” and thwart terrorist attacks, they quickly found that there just wasn’t enough terrorism of the kind not ginned up by government informants themselves to sustain 88 separate local antiterrorism centers in addition to the NSA, FBI and CIA. So they expanded their definition of terrorism to cover many other things, which in Massachusetts have included harassing peaceful activists and elected officials while missing actual terrorist plots, and now, for lack of anything better to do with their tax dollars, vetting licenseholders for marijuana dispensaries and fostering anonymous threat reporting in public schools.

We have advocated against fusion centers for a long time. Last week, we received the results of a FOIA request to Massachusetts’ Commonwealth Fusion Center that throws more light on the kind of information they hold, and the kind of society that is being constructed without our consent.

Black, Brown & Targeted: ACLU Report Reveals Massive 4th Amendment Violations by Boston PD

Finally, after many years of effort, the ACLU of MA has been able to secure release and analysis (by a third party) of data on police stops in Boston. What was found should grossly offend anyone with a belief that people ought to be equal before the law.

Their data spans 2007-2010, covering reported stops that did not result in arrest. During that time, for fully three-quarters of such stops, the reason the police stated for the stop was not suspicion of any identifiable crime, but simply “Investigate Person.”

Investigate Person?

Are Boston Police Using Stingrays? Help MuckRock Find Out

Today’s news in Wired that the federal government is willing to send in the US Marshals to prevent disclosure of how local police departments are using stingrays, makes it seem that what they’re hiding is pretty important.

Our friends at public information service Muckrock.com are launching a new research project to find out exactly what police are doing with this kind of data. Shawn Musgrave describes their project below. We strongly encourage supporters of Digital Fourth to help them fund this important work. We don’t know yet whether any police departments in Massachusetts are using this secrecy-laden technology – wouldn’t you like to find out?

Spying is Censorship

[We welcome our newest contributor, Gregg Housh, an activist focused on internet freedoms, censorship, over-prosecution and Anonymous. This article is cross-posted at 0v.org. – Alex.]

It was February 6th, 2011 that I had to give some bad news to my wife. Her pseudonym (one she calls “as subtle as John Zeus”) was on the list of supposed “lieutenants of Anonymous” that Aaron Barr of HB Gary Federal had compiled. Barr’s intention was to identify the people involved in various projects on the AnonOps IRC network by connecting them to real social network profiles, and then to somehow parlay this data into brownie points with the FBI. And there she was, in the cross hairs.

At 2014 Boston Marathon, bags searched without warrants at police checkpoints

UPDATE: The Bay State Examiner has informed us that the correct byline for this story is “Andrew.”

For the 2014 Boston Marathon, police established checkpoints on various streets near the finish line where private security guards searched the bags of any spectators who attempted to pass through. The checkpoints were part of a new security plan, which was put in place in response to last year’s Boston Marathon bombings, which killed three and injured more than 260 people.

Prior to the race, the Massachusetts Emergency Management Agency (MEMA) published a list of recommendations for spectators including no backpacks, no loose clothing, no costumes or masks, no liquids in excess of one liter, and no weapons of any kind. MEMA also said that spectators may have their bags and bulky items searched at the aforementioned checkpoints.

We saw a number of these checkpoints in action and observed that the searches were primarily carried out by private security guards under the watch of Boston police officers. Once a person’s bag had been searched, the security guards would attach a tag to it and allow the person through.

The searches were not voluntary. Each checkpoint featured a banner reading “All bags and containers are subject to search.” We saw one man being forcibly removed from the area beyond a checkpoint by police officers who noticed that his mesh bag did not have a tag on it. Police took the bag away from the man and would not allow him back into the area until a security guard had searched it.

A security guard searches through a man’s bag after police removed him from the area beyond a checkpoint

It was apparent that the police did not suspect the man had a bomb because they did not call a bomb squad to the scene. Instead, they asked the man for personal information such as his address, which they wrote down, and lectured him about the need to follow the rules the police had established.

“You got a bag, you put a tag on it. Okay? Simple,” one police officer told the man.

No Way To Complain = No Complaints = No Problem!

Boston’s fusion center, the Boston Regional Intelligence Center, no longer hosts their privacy policy on their website – I was told that it was “under review” and that the new policy will be posted when it’s ready – so it’s lucky for all of us that the ACLU of Massachusetts has a copy of the policy. And it’s a doozy.

If you’re worried about the fusion center’s privacy practices, and that it may have gathered information on you that it shouldn’t, then you’re essentially out of luck. Sure, you can write to them (the address is Boston Regional Intelligence Center, Boston Police Department, Privacy Committee, One Schroeder Plaza, Boston, MA 02120, (617) 343-4328), but the Privacy Policy specifies that the only complaints they will accept or review are those where:

… an individual has a complaint with regard to the accuracy or completeness of terrorism-related protected information that:
(a) Is exempt from disclosure,
(b) Has been or may be shared through the ISE [Information Sharing Environment], or
(c) (1) Is held by the BRIC and
(2) Allegedly has resulted in demonstrable harm to the complainant

So, in essence, before a complaint can even be reviewed about a given piece of information, the complainant has to know what information the fusion center holds on them, and has to be able to make an allegation of “demonstrable harm” – harm, that is, in the eyes of the BRIC. And there’s no procedure for complaining about the collection of monstrous quantities of data in the first place – only for circumstances where they have collected, and acted upon, something provably false about you personally.

That’s some catch, that catch-22.

Wonder how many people have successfully complained?

And by definition, if nobody’s complaining, they must be respecting our privacy, right?

In fact, they’re respecting our privacy so much that they are aggregating data from the following sources (these are just the ones they’re acknowledging, summarized from the list in the appendix of their privacy policy):

“Telephone analysis software”, state crime information systems, national crime information systems, the state drivers’ license database, the Lexis-Nexis “Accurint” database, Thomson-Reuters’ “CLEAR” database [now integrated with Palantir!], “intelligence data” [up to and possibly including unminimized data collected via FISA], the Regional Information Sharing Systems (RISS) System, the Law Enforcement Online system, the Homeland Security Information Network (HSIN) System, jail management databases, the Financial Crimes Enforcement Network (FinCEN) System, state sex offender registries, “crime-specific listservs”, RSS readers, the High Intensity Drug Trafficking Areas (HIDTA) Program database, EPIC hospital records, the National Drug Intelligence Center (NDIC) database, state corrections/probation databases systems, and juvenile justice databases.

Based on information provided by BRIC employees on their LinkedIn profiles (thanks, guys!), we can also determine that the BRIC has access to gang databases, information from the Department of Youth Services, and “medical intelligence”, defined by the Department of Defense as “That category of intelligence resulting from collection, evaluation, analysis, and interpretation of foreign medical, bio-scientific, and environmental information that is of interest to strategic planning and to military medical planning and operations for the conservation of the fighting strength of friendly forces and the formation of assessments of foreign medical capabilities in both military and civilian sectors.”

So if you’ve never made an electronic financial transaction, never used the phone, never had a drivers’ license, never communicated with somebody abroad, never been in trouble with the law, never used drugs, and never been to a hospital abroad for treatment, then congratulations: you’re probably not in the fusion center’s database, and you still have a Fourth Amendment. And for the rest of us, they have records on you, that they aren’t going to allow you to review, and there’s nothing you can do about it. Why should you be concerned?

In related news, the BRIC is changing its slogan to “Share and Enjoy.”