It’s A Whole New World

Every two years, the Massachusetts legislature starts a fresh session. Here, we review bills on the top ten topics relating to surveillance, privacy and the Fourth Amendment, that have been introduced in the new session.

Please contact your legislators via https://malegislature.gov/Search/FindMyLegislator, to express your support, and to ask for theirs. Our thanks to Julie Bernstein for conducting the legislative research for this article.

1. Civil Asset Forfeitures: HD1780 / SD2388, HD1328
2. QUALIFIED IMMUNITY REFORM: SD1970
3. Oversight of Fusion Centers: HD2088
4. Commercial Data Privacy Protection: SD745
5. Restricting Law Enforcement Use Of Facial Recognition: HD2304 / SD750
6. Restricting Automated License Plate Recognition: HD428 & HD2360
7. Protecting Locational Privacy: HD3698
8. Protecting Biometric Information: HD3053
9. Protecting Browsing Information: SD1217
10. SAFE COMMUNITIES ACT: HD2459 / SD1937

Summaries and explanations of each of these bills follow after the jump:

Read more: It’s A Whole New World
1. CIVIL ASSET FORFEITURES: HD1780 / SD2388, HD1328

HD.1780 / SD.2388 An Act Relative to Forfeiture Reform

HD.1328: An Act Relative To Civil Asset Forfeiture Transparency And Data Reporting

HD.2128: An Act Relative to Civil Asset Forfeiture

Restore The Fourth’s Issue Brief on Civil Asset Forfeiture

The threshold for civil asset forfeitures (CAFs) in MA is the lowest in the country, “probable cause” that a crime was committed. Our state is notorious for seizing cash and vehicles from people without them having committed a crime and we were ranked worst in the country for civil asset forfeiture policies by The Institute for Justice.

Last year, a special legislative commission was convened to investigate civil asset forfeiture in MA. They requested civil asset forfeiture data from every District Attorney (DA)  and every local law enforcement agency. The only response that they received was from Suffolk County and in cataloging  how the assets from their seizures and forfeitures were spent, they listed 50% as going to “other”. H.D.1780 is an outcome of the recommendations of the Commission on Civil Asset Forfeiture.

H.D.1780 raises the evidentiary standard for CAFs by one level to “a preponderance of the evidence” which is more typical nationwide. DAs and local law enforcement keep all of the proceeds from forfeiture in our state incentivizing seizures. H.D.1780 requires that all proceeds from seizures and forfeitures go to the Treasurer, who after reimbursing all non-personnel costs associated with the seizure and paying liens, would deposit the remainder in the General Fund.

This bill also narrows a major loophole. Currently police departments participating in joint task forces with the federal government (often cooperating in large seizures of contraband), are required by the federal government to contribute the 80% of the proceeds which they receive into law enforcement. This has enabled law enforcement to purchase surveillance technology like stingrays, without any oversight even when required by a local Surveillance Ordinance. Under the new provisions, if federal law prevents the distribution of CAF proceeds to the General Fund, then police departments can no longer accept forfeited property or proceeds from the federal government. A remaining  gap is that all joint seizures would have to be litigated by a local DA or the AG except for seizures of U.S. currency worth more than $50,000. 

A report by Politico and WBUR about civil asset forfeitures in Worcester County revealed that 1 in 4 seizures of cash and property that the Worcester DA’s office filed forfeitures for in 2018 either were not associated with a criminal conviction or weren’t even linked to a criminal drug charge and another 9% of seizures had no publicly available court records. Among those, there were more than 90 instances where people lost money or cars, taken most often during traffic stops, frisks and home searches — even though there weren’t related drug convictions or drug charges. WBUR documented more than 500 occasions between 2016 and 2019  where funds were held by the DA’s office for ten years or more before officials tried to notify people. More than half of funds seized between 2017 and 2019 were $500 or less. When the county finally got around to notifying someone that their assets were not legitimately seized and could be returned, they published a small notice in the local newspaper.

Elsewhere in the state there was a well-publicized case where a vehicle belonging to Malinda Harris was seized after her son was suspected of using it in a crime. The woman had nothing to do with his crime and needed her car for work. Six years later it was finally returned to her.

H.D. 1780 would require that seizures and forfeitures occur only after a court convicts the suspect of a crime with exceptions for lawful arrests and searches, and seizures of contraband. Police officers would be compelled to itemize everything that they seize and they would be prohibited from seizing currency of less than $200 and vehicles worth under $10,000. A seizure that occurred before a trial for a crime can be appealed via a hearing. Both H.D.1780 and S.D.1328 compel every law enforcement agency including the state police and all DAs to annually report all seizures and forfeitures including those under federal jurisdiction, and the crimes associated with them.  These would be entered by the executive office of administration and finance into a case tracking system and searchable public website.

H.D. 1328 requires that important additional information be reported including the outcome of any criminal charges, the details of all proceedings related to seizures and forfeitures, all case numbers and the zip code in which the seizure occurred. This granularity is crucial in view of the abuses that have occurred and the need to understand whether the new regulations adequately address these. Furthermore, whereas H.D.1780 requires that the data be reported to the AG, H.D. 1328 requires that all of the data also be reported to the Senate and House Committees on Ways and Means and the Joint Committee on the Judiciary.

H. D. 2128 would raise the standard of proof for a civil forfeiture to occur further than H. D. 1780 would do; instead of the Commonwealth having to prove that the asset was associated with a crime on “the preponderance of the evidence”, they would have to meet a standard of “clear and convincing evidence”. That standard or higher is the law in 28 states. The bill would also route all state forfeitures revenue into the Commonwealth Substance Abuse Prevention and Treatment Fund. It includes process improvements similar to H. D. 1780, though less detailed than those in H. D. 1328.

Digital Fourth supports these bills individually, and would support a consolidation of them in committee, using the standard of proof and revenues provisions from H. D. 2128, the detailed process requirements from H. D. 1780, and the detailed reporting requirements from H. D. 1328. These bills should help to ensure that forfeitures occur only when the vehicle, asset, or realty was involved in a crime, that innocent owners do not lose their property, and that law enforcement agencies have no financial incentive to conduct seizures and forfeitures.

2. QUALIFIED IMMUNITY REFORM: SD1970

Qualified immunity reform was left out of the 2020 police reform in Massachusetts, unlike in other states. Currently, Massachusetts imposes an unfeasibly high bar on civil rights lawsuits against state government agents, including police, of having to prove that the civil rights violation involved “threats, intimidation or coercion.” As a consequence, attorneys don’t take these cases, because they don’t expect to win; many plaintiffs can’t afford to pay an attorney unless they win damages.

S.D. 1970 stipulates that: “In an action brought under this section against a person or entity acting under color of law, proof shall not be required that the interference or attempted interference was by threats, intimidation or coercion.”

3. OVERSIGHT OF FUSION CENTERS: HD2088

This bill would require the Commonwealth’s “criminal intelligence systems” – the Boston Regional Intelligence Center, the Commonwealth Fusion Center, and others – to submit to regular outside auditing to ensure that they are complying with 28 CFR Part 23. This federal regulation requires that any information they hold on Massachusetts residents be based on reasonable suspicion of involvement in a crime.

It provides a private right of action to residents who believe that these entities have violated their privacy rights. It also requires the Commonwealth Fusion Center to publish the names of its privacy advisory committee, to have it meet quarterly, and to make its minutes public.

4. COMMERCIAL DATA PRIVACY PROTECTION: SD745

SD. 745: An Act Establishing the Massachusetts Data Privacy Protection Act

This is a very complete data privacy bill that covers large corporations, service providers social media companies and data brokers that either collect, process or transfer data. It requires the originating covered entity (CE), for example, Google, to limit the data that it collects from you to only what is necessary in order to provide you the service that you desire and must give you an easily accessible and user friendly affirmative consent mechanism in which you will be told what data Google collects and where it goes for what purposes and you will be able to consent to or opt out of these uses of your data. The CE must communicate your preferences to all of the service providers(SPs) or data brokers (DBs) or any other third parties with which it shares your data because they must comply with your preferences.

Each covered CE and SP must make publicly available an obvious and understandable privacy policy including a detailed and accurate representation of its data collection, processing, and transfer activities, the purpose of all data collected, the length of time that the data is to be retained, the data security practices implemented, every data broker or third party to whom the data is transferred and several forms of contact information so an individual can readily access the CE or SP to make requests concerning their data.

If the covered entity makes any changes in the data it collects, shares or transfers or sends your data to a new party, this must be communicated to you so that you can consent or opt out. You can change your data preferences and delete data twice a year without paying.

All CEs must allow individuals to access their data in a downloadable, portable, structured, interoperable, and machine-readable format and to make any corrections to inaccurate and incomplete data. Requests to change or delete your data should generally be honored within 30 days and you can make these changes twice annually for free.

Companies will have to report to the Attorney General (AG) how many requests they receive and how they have been handled. Any individual alleging a violation of their privacy rights under this act may bring “a civil action in the superior court or any court of competent jurisdiction” against the CE, DP or third parties. If a violation is found to have occurred, the plaintiff will be eligible for damages as well as an injunction or other relief and attorney fees.

DBs must register with the OCABR Office of Consumer Affairs and Business Regulation)which will maintain a searchable database with information on what data it collects and transfers and how you can contact the data broker about removing or verifying your data, linked to a website provided by the DB where you can opt out of data collection. Failure of the DB to comply will result in a fine.

Each DB will also be required to provide the AG with an impact statement for any algorithms that it uses that can potentially have a disparate impact on any protected group or individual registered to a political party along with steps they are taking to mitigate the impact. The AG can take action against CE or SP that fails to comply with civil rights provisions.

Large data holders (DHs) must hire at least one privacy officer or a data security officer and implement a data privacy program and data security program to safeguard the privacy and security of covered data. All CEs and Large DHs must perform a privacy impact assessment that weighs the benefits of the data collecting, processing, and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy and mustreview how technologies are being used to secure covered data.

CEs must provide all legal requests for disclosure of personal information that they receive to the AG and the general public on a bimonthly basis. This includes requests for location information and both the number of legal requests that resulted in the covered entity disclosing location or biometric information and those that did not.

The bill bans targeted advertisements to minors.

The bill has strong protections for workers against electronic monitoring that limit the monitoring to the least amount of information necessary from the fewest number of employees for the shortest length of time in order to enable tasks that are necessary to accomplish essential job functions or to monitor production processes or quality. The monitoring must not harm the employee’s mental or physical health. Employers must provide employees with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring and include details including the purpose, the specific activities, locations, communications, and job roles that will be electronically monitored, the technologies that will be used and all vendors and third parties who will receive the data.

5. RESTRICTING LAW ENFORCEMENT USE OF FACIAL RECOGNITION: HD2304 / SD750

This bill implements the findings of last session’s Commission on Face Surveillance. The findings had support from law enforcement as well as from civil liberties organizations. The bill would provide that:

1. Law enforcement other than the State Police and FBI cannot directly possess or access a biometric surveillance database.

2. Law enforcement may not use biometric surveillance to infer a person’s emotion or affect nor for analysis of moving images or video data.

3. The State Police can access the facial recognition database used by the registrar of motor vehicles to conduct a search for local law enforcement, a federal agency or the FBI if they are presented with warrant issued by a judge based upon probable cause or if there is an immediate threat of danger of serious injury to someone or a need to identify a deceased person.

4. Law enforcement must document the basis for any emergency requests and file them with the appropriate Superior Court within 48 hours of the request.

5. All searches of the database by the State Police or FBI must be documented and reported to the executive office of public safety and security, quarterly disaggregated, by the requesting law enforcement or federal agency. The same goes for breakdowns of whether the request involved a warrant or emergency. The agency must post the total # of searches performed ID of a deceased person. These must all be publicly posted by EOPSS by March 31 of the following year.

6. Any person charged with a crime in which they were identified by a facial recognition search must be provided notice that the search occurred and defendants and their attorneys in criminal prosecutions must be provided with all records and information pertaining to any facial recognition searches performed or requested during the course of the investigation of the crime or offense.

6. Restricting Automated License Plate Recognition: HD428 & HD2360

HD.428 An Act Relative to All-Electronic Tolling Data Privacy.

This bill provides that:

1. A department may not access, search, review, disclose or exchange tolling data (meaning any data captured or created by an ALPR system or from signals or radio frequencies emitted by a transponder in connection with the assessment or collection of a toll, including, without limitation, GPS coordinates or vehicle location information, dates and times traveled, images, vehicle speed, and license plate numbers, existing in an any form or medium, whether electronic, paper or otherwise) unless this is necessary to:

a. collect, access or pursue payment tolls or fines or surcharges related to unpaid tolls

b. to install, maintain or repair a transponder

c. to respond to a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction; provided, that not later than 48 hours after responding, the access and detailed reasons for it are provided to the AG.

d. comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.

3. a. The department must erase or destroy the tolling data accessed within 120 days of access.

    b. The department may retain tolling data beyond 120 to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.

4. a. A person whose tolling data was retained in violation of the above can institute a civil action in district or superior court for damages or in superior court for injunctive relief.

    b. If a violation has occurred the violator will not be entitled to absolute or qualified immunity and will be liable for proven actual damages, be liable for treble damages or for exemplary damages of between $100 and $1000 along with costs and reasonable attorney’s fees.

Why this is important: ALPR data records everywhere that someone has driven. If it is maintained in a database, then it can be reviewed retroactively for many unlawful purposes such as to identify a suspect in a crime for which there is ho particularized evidence of them having committed the crime This means that potentially many people who have traveled to the vicinity of the location of a crime will now become suspects. In addition, tolling data can be used to identify individuals who have participated in a political event or rally or a protest which are acts protected by the First Amendment and therefore should not be monitored.

HD.2360 An Act Establishing Driver Privacy Protections

This bill provides that:

Law enforcement or other state government employees or officials may not:

  • use an ALPR system to track or monitor activity protected by freedoms of religion or speech guaranteed by the Massachusetts Declaration of Rights or the First Amendment to the United States Constitution;
  • retain ALPR data longer than 14 days except in connection with a specific criminal investigation based on articulable facts linking the data to a crime;
  • disclose, sell or permit access to ALPR data except as required in a judicial proceeding; or
  • access ALPR data from other governmental or non-governmental entities except with a valid search warrant.

Toll collection technologies may only be used to identify the location of any vehicle for tolling purposes.

The department of transportation may not access, search, review, disclose, or exchange tolling data in its possession, custody, or control except to:

  • assess, collect or pursue the payment tolls or fines or surcharges related to unpaid tolls; 
  • install, maintain or repair an ALPR or transponder system or a system storing tolling data;
  • respond when an individual is at imminent risk of serious physical injury, death or abduction
  • comply with a search warrant, production order, or preservation request issued in connection with the investigation or prosecution of a felony.

The department of transportation must eliminate all tolling data that it possesses or controls within 120 days of its was creation unless it is necessary to comply with a search warrant, production order, or preservation request, or as necessary to collect unpaid tolls or fines or surcharges related to unpaid tolls.

No toll collection or vehicle data may be shared with or provided to any law enforcement entity or official without a search warrant, or production order; unless this information is requested  because of a reasonable belief that an individual is at imminent risk of serious physical injury, death or abduction and that such data is necessary to respond. Such a request must be narrowly tailored to address the emergency and subject to the following limitations:

  • the request must document the factual basis for the emergency and the applicability of toll collection and/or vehicle data
  • within 48 hours of accessing these records, the government office must file a written notice describing with particularity the grounds for emergency access and exactly what tolling data was accessed, with the Attorney General.

If ALPR data, tolling data, and vehicle data is collected, retained, disclosed, sold, or accessed without complying with the above requirements, it may  not be admitted, offered or cited by any governmental entity for any purpose in any criminal, civil, or administrative proceeding.

An individual whose rights have been violated by the improper transfer of or access to these data, may introduce evidence concerning this data in a civil action for damages or injunctive relief in a district or superior court or may allow another party in a civil proceeding to do the same.

If a willful violation occurred, the violator will not be allowed to claim any privilege absolute or qualified. In addition to any proven actual liability, the violator will be liable for treble damages, or, alternative, exemplary damages of between $100 and $1000 for each violation as well as costs and reasonable attorney’s fees.

The attorney general will enforce the above and will have the power to petition the court for injunctive relief and other appropriate relief against violators.  

7. PROTECTING LOCATIONAL PRIVACY: HD3698

In this bill, location information is defined as directly or indirectly revealing the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information.

HD. 3698 prohibits the collection, processing, or disclosure by  a Covered Entity (CE) including “any individual, partnership, corporation, limited liability company, association, or other group” (except a state or local government agency or court) of an individual’s location information  from any device that “connects to a cellular, bluetooth, or other wireless network” “for profit or in exchange for monetary or other consideration including selling, renting, trading, or leasing location information without the express consent of the individual except for the following purposes:

Location information can be collected for “(i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) Response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.”

When location information is collected for any but the last two allowed purposes, the CE must list each purpose in a Location Privacy Policy and individuals must provide discrete consent for each purpose to enable the collection of location information. Each CE must provide a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.

Permission will be valid for one year unless the individual chooses to revoke it before that . If permission is revoked, any location information possessed by a covered entity must be permanently destroyed. An individual can opt in again at a future time. There cannot be any retaliation against someone who chooses not to have their location information collected but a service requiring this information can be withheld.

Covered Entities may not:

  • collect more precise location information than necessary to carry out the permitted purpose,
  • retain location information longer than necessary to carry out this purpose,
  • sell, rent, trade, or lease location information to third parties; or
  • derive or infer from location information any data that is not necessary to carry out the permitted purpose.

The CE may not disclose or assist in any way the disclosure of an individual’s location information to third parties (TPs), unless this is necessary to carry out the permissible purpose for which the information was collected, or requested by the individual to whom the location data pertains.

A CE or service provider (SP) may not disclose location information to any federal, state, or local government agency or official unless:(1) the agency or official presents a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant ,or (2) disclosure is mandated under federal or state law, or (3) the subject of the data requests this disclosure.

The CE must maintain and make available its Location Privacy Policy including:

  • the purpose(s) for which the covered entity is collecting, processing, or disclosing any location information;
  • the type of location information collected, including the precision of the data;
  • the identities of SPs with which the CE contracts with respect to location data;
  • any disclosures of location data necessary to carry out each purpose and the identities of the third parties to whom the location information could be disclosed;
  • whether the CE’s practices include its use of location information for targeted ads
  • the data management and data security policies governing location information;
  • the retention schedule and guidelines for permanently deleting location information

Users of the CE must be given 20 days advance notice of any change in the Location Privacy Policy.

It will be illegal for the government to monetize location data.

Covered entities must annually disclose annually any warrants for location information received by themselves or any associated SPs or TPs (if known), disaggregated by the requesting agency, statutory offense under investigation, and the source of authority to the Attorney General (AG). The AG will make these reports available to the public online.

Any individual alleging a violation of this chapter by a CE or SP may bring a civil action in the superior court or any court of competent jurisdiction. They will not need to file a report with the AG or accept arbitration. If a claim is proven, the plaintiff may be rewarded damages for emotional distress, or $5,000 per violation, whichever is greater, (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate as well as attorney’s fees and other costs.

The AG can bring an action against a CE or SP to remedy violations. The AG must conduct investigations of any possible violations of this chapter and refer cases for criminal prosecution to the appropriate federal, state, or local authorities.

Location information may be collected by a healthcare provider for treatment or research purposes in compliance with HIPPA.

CEs must comply with this chapter within 6 months of enactment and delete any location information retroactively for individuals who withhold consent.

8. PROTECTING BIOMETRIC INFORMATION: HD3053

In this bill, “Biometric information or data” means information or data that pertains to measurable biological or behavioral characteristics of an individual that can be used alone, with each other or with other information, for verification, recognition, or identification of an unknown individual. Examples include: fingerprints, retina and iris patterns, voiceprints, DNA sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. (The bill excludes medical information protected by HIPPA, medical images used for diagnosis or research. donated organs or tissues stored by a federal agency as well as writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.)

The Covered Entities (CEs) include any individual, partnership, corporation, limited liability company, association, or another group, however organized but not a state or local government agency, or any court of Massachusetts.

“ Processing includes collecting, accessing, using, storing, retaining, sharing, monetizing, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disclosing, transmitting, selling, licensing, disposing of, destroying, de-identifying, or otherwise manipulating biometric information.

A CE or Data Processor (DP) cannot collect or process  (collect access, use, store, retain, share, monetize analyze, create, generate, aggregate, alter, correlate, operate on, record, modify, organize, structure, disclose, transmit, sell, license, dispose of, destroy, or de-identify)

someone’s biometric information unless: they

  • provide a written explanation of exactly what it will collect or process
  • provide the individual with the Biometric Privacy Policy(BPP)
  • receive advance explicit handwritten or electronic consent from the individual or their legal guardian or representative

Consent will expire after 3 years or when the initial purpose for processing the biometric information has been satisfied, whichever occurs first. Upon expiration, any biometric information possessed by a CE must be permanently destroyed. Consent may be renewed

The BPP must include:

  • the use models, detailing whether the biometric information is going to be used for identification or verification purposes; 
  • all data management and data security policies governing biometric information; 
  • all disclosure practices; and 
  • the retention schedule and guidelines for permanently deleting biometric information.

The CE must provide notice of any change to its BPP at least 20 business days in advance of implementation and request consent for the changes.

The CE must store, transmit, and protect from disclosure all biometric data in a manner that is the same as or more protective than the manner that it stores, transmits, and protects other confidential and sensitive information, consistent with the standard for similar private industries.

Any CE, DP or third party (TP) may only disclose biometric information if:

  • disclosure is required for the provision of a service or product by the CE and the individual has consented
  • disclosure is needed to complete a financial or commercial transaction requested by the individual and to which they have consented
  • disclosure is for a single purpose to a TP that has been authorized by the individual in handwritten consent
  • federal or state law requires disclosure but individual must be notified in advance via BPP
  • in response to a valid warrant
  • response to imminent threat to life or property[JB1] 

No CE, DP or TP may monetize biometric information.

If CE, DP or TP are served with a warrant for biometric information (BI), they must immediately provide the individual with a copy of the warrant, to whom and when their BI was provided, an inventory of the data disclosed, whether the CE, DP or TP provided the data, who requested the warrant from the court, if known. However, a government entity may apply to the court for a 30 day delay in notification and for a renewal of that delay.

CEs must annually report to the Attorney General (AG) any warrants for BI received by them or by associated DPs or TPs. CEs required to report BI pursuant to a law must annually report general aggregate information pertaining to these to the AG.

An individual alleging harm by a violation of this law may bring a civil action in any court of competent jurisdiction directed to any CE, DP or TP believed to have committed the violation.

If the defendant prevails they are eligible for liquidated damages ranging from  0.1% of the annual global revenue of the covered entity or $1,000 per violation, whichever is greater for negligent violations to 0.5% of the annual global revenue of the covered entity or $5,000 per violation, whichever is greater for deliberate violations, punitive damages and any other relief, including but not limited to an injunction as well as reasonable attorney’s fees and costs, including expert witness fees and other litigation expenses. Each instance of violation is eligible for damages.

The AG may bring an action pursuant to section 4 of chapter 93A against a CE, DP or TP to remedy violations of this chapter and for other relief that may be appropriate. 

Within 6 months of enactment of the law CEs must obtain consent for all BI collected or stored and must destroy any BI for which consent was not given. The Act will be in effect one year after enactment.

9. PROTECTING BROWSING INFORMATION: SD1217

This law would apply to electronic information collected by any corporation which sends or receives electronic communications, including any service that acts as an intermediary in the transmission of electronic communications, or stores electronic communication information for the general public.

It covers any information pertaining to an electronic communication or the use of an electronic communication service, including, but not limited to the content of electronic communications, metadata, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication.

In order for a government office, law enforcement agency or public official to access your electronic information from either a service provider or an electronic device itself, they would need to get a particularized search warrant supported by probable cause from a superior court judge. Exceptions would include if there were an emergency threatening immediate physical injury or, if you had previously given written consent to the corporation that possesses your electronic data to release it to them. Even in an emergency situation, the government would need to provide a written explanation of why the data was needed to the local superior court within 48 hours. Corporations would have to share the requested information within 14 days or earlier if justified, unless the corporation appeals for and is granted more time.

A Massachusetts corporation that provides electronic communication services, remote computing services, or location information services must respond to a warrant or subpoena from another state to produce records that would reveal the identity of the customers using those services, data stored by, or on behalf of the customer, the customer’s usage of those services, the recipient or destination of communications sent to or from those customers, or the content of those communications, as if that warrant or subpoena had been issued under the law of the commonwealth. This element is concerning, because it would allow a state that prohibits abortion to access content that might reveal that someone either had an abortion or received abortion medication.

The law enforcement or government officer who obtains someone’s electronic information via a search warrant must provide them with a copy of the warrant, the application for the warrant, an explanation of the law enforcement inquiry and the information requested and date of the request within 7 days of collecting their information unless a reason is provided for a delay which may be granted for up to 90 days and may compel the entity providing the data to delay notifying the target person.

A warrant for the electronic information requested is not necessary if the owner of the electronic information or the recipient of the information gives the law enforcement or government officer their written consent to share it.

If a government office, law enforcement agency, or public official believes that an electronic device is lost, stolen, or abandoned they may access electronic device information necessary  in order to attempt to identify, verify, or contact the owner or authorized possessor of the device.

Within 5 business days of issuing or denying a warrant, the court must report to the office of court management within the trial court all of the information pertaining to the warrant described above as well as name of the agency making the application, the offense described in the warrant and any modifications or extensions made to the warrant.

Every June, the court administrator in the office of court management in the trial court must provide the legislature with a complete report of the number of applications for warrants authorizing or requiring the disclosure of or access to information including a summary and analysis of the data which will all be public records.

No government office or law enforcement may ask any court for a reverse-location court order (including a search warrant or subpoena) to obtain the location of a specific device(s) or a reverse-keyword court order to identify who electronically searched for particular words, phrases, or websites, nor may they purchase this data. No court is permitted to issue any court order allowing the disclosure of reverse-location or reverse keyword data.

No government office or law enforcement may make a reverse location request or reverse keyword request from a company. Nor may they seek the assistance of any agency of the federal government or any agency of the government of another state or subdivision thereof in obtaining information or data from a reverse-location court order, reverse-keyword court order, reverse-location request, or reverse-keyword request if they would be barred from directly seeking such information.

No government office, law enforcement agency, or public official may use a cell site simulator (CSS)device for any purpose other than to locate or track the location of a specific electronic device, pursuant to a particularized warrant based on probable cause or if exigent circumstances exist requiring swift action to prevent imminent danger to the safety of an individual or the public. A warrant issued limits the use of the CSS to 15 days unless an application is made for renewal.

A warrant application must specify

  • the facts establishing probable cause to believe the targeted individual has committed, is committing, or is about to commit a felony
  • that less invasive methods of investigation or surveillance to the privacy of non-targeted parties have been tried and failed or are reasonably unlikely to succeed
  • It must disclose the nature and capabilities of the cell site simulator to be used, the name of the government agency that owns the cell site simulator device
  • exactly how it will be deployed, including whether it will obtain data from non-target communications devices
  • the procedures that will be followed to protect the privacy of non-targets during the investigation, including the deletion of data obtained from non-target communication device
  • that all target data must be deleted within 30 days if there is no longer probable cause  that such information or metadata is evidence of a crime

Any individual whose information was obtained by a government entity in violation of the above requirements for the collection of private electronic information must be notified in writing, by the government office, law enforcement agency, or public official who committed the violation and of the legal recourse available to that person.

Any electronic information collected in violation of the above provisions may not be used in evidence any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the commonwealth, or a political subdivision thereof.

Anyone who has been harmed by a violation of these protections of private electronic information may bring a civil action against the government office, law enforcement agency, or public official who violated those sections in the Superior Court or any court of competent jurisdiction. Such a person will not need to  file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim.

When the plaintiff prevails in a civil action, the court may award actual damages, including damages for emotional distress, the greater of either $1000 per violation or actual damages, (punitive damages; and any other relief, including but not limited to injunctive or declaratory relief). In addition to any relief awarded, the court will award reasonable attorney’s fees and costs to the plaintiff.

Any contract whether government or private that infringes the above rights will be considered void.

This bill would also prohibit “library user private data” meaning records of a public library which reveals the identity and intellectual pursuits of a person using the library from being collected by any government or law enforcement agency.

10. SAFE COMMUNITIES ACT: HD2459 / SD1937

This long-standing goal of Digital Fourth and allied organizations, especially MIRA, would prevent local and state law enforcement from sharing information relating to the potential presence of undocumented immigrants, with ICE or other federal agencies.

For further details, please see the action alert here: https://actionnetwork.org/letters/tell-lawmakers-prioritize-the-safe-communities-act-this-session-23

Understanding Fusion Centers

Our local fusion center, BRIC, has been at the core of police efforts to surveil and suppress social movements for over a decade. And, since 2012, we’ve been calling them out on their abusive and un-Constitutional practices.

This October 30, please join us for a livestreamed discussion on fusion centers, with Boston City Councilor Ricardo Arroyo, law student Dani Hargus, and journalist Emma Best, moderated by our own Alex Marthews!

Boston’s Spy Center Thinks It Has (Almost) Free Rein To Open A File On You

Like the Stasi, but digital

We’re long-time critics of the Boston Regional Intelligence Center, or “BRIC.” BRIC is one of over 80 “fusion centers” across the nation. that spy on Americans without probable cause.

We filed a public records request this January to delve deeper into BRIC’s surveillance practices. We partnered with the ACLU of Massachusetts, the Muslim Justice League and the Student Immigrant Movement, We have just received the first responsive record: BRIC’s “Criminal Intelligence File Guidelines.”

The key to understanding this document is that BRIC is legally obliged to follow 28 CFR Part 23. This is part of a Clinton-era Executive Order that tried to ensure that “criminal intelligence systems” don’t violate your Fourth Amendment rights. It makes it illegal for BRIC to keep a file on you not based on a “criminal predicate” — in other words, reasonable suspicion of your involvement in an actual crime.

As it turns out, BRIC’s attitude to this whole “Constitution” thing is a little … different.

BRIC’s Permanent Files

For its “Permanent” files, BRIC does indeed require a criminal predicate — though this document doesn’t include any information on how well that policy is followed.

BRIC’s Temporary Files

For its “Temporary” files, however, BRIC retains information on Boston area residents where “involvement in the suspected activity is questionable”, or where their identity cannot be established with certainty. The examples are that they have “possible associations with known criminals,” or that they have “criminal history” and “could again become criminally active.” BRIC retains “Temporary” files for up to a year, to see if information emerges that would enable to upgrade it to a “Permanent” file.

No. No, no. That’s not how the Fourth Amendment works. The government isn’t supposed to keep “criminal intelligence files” of people they generally believe to be Bad, or people with Bad Associations, based on a belief that they have a generalized propensity to commit crimes in the future. BRIC’s belief must be a reasonable one, based on evidence of your involvement in an actual crime. This violates 28 CFR Part 23 and, with it, the Fourth Amendment itself.

BRIC’s Interim Files

Oh, and it gets worse. Just in case their rules on “Temporary” criminal intelligence files don’t provide them with enough room to wiggle around the Constitution, BRIC allows itself a further category of “Interim” files. Apparently, BRIC can open an “Interim” file and retain it for up to 90 days if they receive “information that, absent additional information or change, would be deemed unnecessary for retention beyond a short term period,” or that is “specific to an anticipated event or incident with the potential for criminal conduct.”

I know, vague much?

It seems BRIC considers that they can open a file for 90 days based on literally anything at all. There’s no such thing as an “event or incident” with no “potential for criminal conduct.” This could cover everything down to your aunt’s Sunday evening knitting circle. “Interim Files” only exist as a category to allow BRIC essentially unfettered discretion.

To be fair, the Guidelines also tell BRIC employees what shouldn’t be in an intelligence file. This includes protected criminal record information, information “based solely on support of an unpopular cause”, information “based on ethnic background”, “based on religious or political affiliations” or “based on non-criminal personal habits;” and “associations that are not of a criminal nature.” However, we know from their gang databasing practices that their definition of what constitutes “associations of a criminal nature” is extremely broad, and that their notion of surveillance not “based solely” on religion, politics or ethnicity may differ sharply from Bostonians’ common understanding.

In practice, these Guidelines give BRIC permission to surveil “events or incidents” that it already dislikes and has a track record of surveilling; namely, protests that challenge the police themselves, or the current economic, social or racial arrangements in our society that police exist to violently defend.

Recommendations

We call on BRIC to make available to the public, with any legally necessary redactions, a representative sample of its current Temporary, Interim and Permanent Files, and then to delete the Temporary and Interim Files as contrary to the Fourth Amendment.

Then, at least, we will know how much surveillance BRIC is conducting that is not based on at least reasonable suspicion of involvement in an actual crime.

Penny-Ante State-Based Spies Want To Force Big Kids To Let Them Play With All The Data

mean-girls-you-cant-sit-with-us-main

The U. S. House just passed two bills under suspension, HR. 3503 and HR. 3598, sponsored by Rep. McCaul (R-TX-10) and Rep. Peter King (R-NY-2). For some reason, McCaul and King are fans of the inept and wasteful “fusion centers”, a network of 78 state-based centers funded partly through DHS.

The idea back in 2006 was that fusion centers would provide “joined-up intelligence”, coordinating federal and state information that would then thwart terrorist attacks in advance.

It didn’t quite work out that way. In fact, there’s good reason why fusion centers are not now the focus of intelligence sharing efforts: They turned out to be a waste of time and resources better spent elsewhere.

A bipartisan 2012 US Senate report blasted the fusion centers for failing to thwart any attacks, for wasting public funds on things like widescreen TVs (for “open source intelligence collection”), and for articulating absurd rationales for surveilling peaceful domestic activists. One fusion center labeled supporters of Ron Paul and the Campaign for Liberty as potential domestic terrorists; in Boston and around the country, veterans’ groups, the Occupy movement and Black Lives Matter have come under sustained scrutiny. Fusion centers don’t thwart terrorism; they offer states a bureaucratic mechanism to funnel DHS grants to, say, northeastern Ohio (which has its own fusion center), distributing them away from areas more likely to be targeted by terrorists. They collect and sit on mounds of unverified gossip about “suspicious” people, gossip that often appears motivated by racial or religious bias. These threats are nonsensical; there is no reason to lend them credence.

These bills should be seen clearly for what they are. They’re not efforts to actually thwart terrorist attacks better; they’re salvos in a turf war between intelligence agencies. Fusion centers are often left out of data sharing by other surveillance agencies, such as the FBI, TSA, CBP and other DHS agencies. Instead of allowing discretionary sharing with individual fusion centers, H. 3598 requires support for the National Fusion Center Network specifically, and aims to “ensur[e] that fusion centers in the Network are the primary focal points for the sharing of homeland security information, terrorism information, and weapons of mass destruction information with state and local entities.” HR. 3503 seeks to integrate fusion centers more closely with border security, in the form of CBP, TSA and the Coast Guard, forcing those agencies to analyze whether it would be beneficial to station CBP, TSA and CG personnel at fusion centers, in lieu of simply sharing data electronically. The bill gives the Under-Secretary of Intelligence and Analysis at DHS an ultimatum to agree within one year with all 78 fusion centers how DHS and the fusion centers will share and disclose data. Of course, the bills take no steps to make fusion centers effective in the future, so there’s no way to test whether the bills will actually do good if they pass. All they offer Congress is reports on whether fusion centers have particular policies, not whether the policies work; whether they are sharing information, not whether the sharing actually results in less terrorism or less crime.

We support the sharing of important, verified leads, based on probable cause of actual criminal plots. But these bills make us less, not more, safe, by encouraging the kind of information sharing that will overwhelm agencies like FBI and other parts of DHS with useless false positives. They will waste the time of FBI Joint Terrorism Task Force personnel, forcing them to spend time dealing with an extra agency when time is of the essence. There is no language that would involve actual evaluation of whether the information they hold is accurate, useful or constitutionally appropriate to hold. As constitutional activists, we’re no fans of the FBI’s efforts to convert themselves into a federal counterterrorism and domestic surveillance agency, and there’s plenty of overlap already among federal agencies fighting for a piece of the seemingly unending stream of counterterrorism tax dollars; but extending sharing further by forcing everything to go via the fusion centers seems even more counterproductive.

Call your Senator, and urge them to vote against these bills!

Don’t Worry: Area Counter-Terrorism Center Laser-Focused on Bicycling Cellphone Thief

Cellphone_Theft

If you like your mass surveillance steak sauced in a Keystone Kops level of organizational dysfunction, the Boston Regional Intelligence Center, or BRIC, could be your dream meal.

This story comes via a former Emmanuel College student, who received a BRIC “intelligence bulletin” to all students regarding a man stealing cell phones on his bicycle in the Fenway area (see below). Is it upsetting to have your cellphone stolen by an environmentally conscious thief? Yes. Is it at a level of criminality that warrants shoveling tens of millions of our dollars towards a gee-whiz high-tech surveillance center to gather information on all Massachusetts residents? Uh, probably not. Tell me again when we signed up for that?

Far from focusing on intelligence related to terrorism, in practice, the BRIC concentrates almost exclusively on criminal activity unrelated to any conceivable notion of what “terrorism” actually is. The truth is that the risk we face from terrorism is extremely low, but the continued existence of the BRIC, of 77 other “fusion centers” around the country, of the Department of Homeland Security itself, and of a whole ecosystem of security grifting companies, depends on taxpayers not working that out. So, to keep themselves going, BRIC has to use surveillance to disrupt a broad array of minimally criminal or even entirely non-criminal activity, and redefine that activity as much as possible as being terrorism. We have to be told, repeatedly, that the wolf is at the door, that things are getting worse, and that mass surveillance will actually help make things better. Here at Digital Fourth, we call this the “Bureaucratic Counterterrorism Imperative.”

With that in mind, here are the results of our latest Public Records Act request to the BRIC, which documents for the first time that BRIC does get data from intelligence agency sources.

Continue reading Don’t Worry: Area Counter-Terrorism Center Laser-Focused on Bicycling Cellphone Thief

MA Senate Maj. Leader Strongly Opposes Fusion Centers. So Do We.

In its October 7 hearing on “Protected Classes. Privacy, and Data Collection Legislation”, the Massachusetts legislature heard impassioned testimony on the fusion centers from Senate Majority Leader Sen. Harriette Chandler. She argued that they represent an illegitimate intrusion of federal surveillance into our everyday lives.

The fusion centers gather a vast array of data on law-abiding Massachusetts residents whom they believe to have been behaving “suspiciously” in some lawful way. This violates the Fourth Amendment, and is also bad policy. Right now, as far as we have been able to determine, no external body ever evaluates the accuracy or appropriateness of the data the fusion centers hold. DHS evaluates them every five years to certify their adherence to DHS procedures for fusion centers; the fusion centers self-certify annually that they are ramping up according to plan, and that they respect privacy and civil liberties. (They give themselves full marks, naturally). That’s it.

We too dislike the fusion centers, and also see them as sinisterly ensnaring Massachusetts residents in a web of surveillance. To us, the question is not so much whether we as a state should regulate the fusion centers, but whether we should fire all their employees, blow up their buildings, and then salt the earth beneath them as a mark of horror for future generations. Still, still, we love that there is a fusion center reform bill, and we warmly support it.

Our five-year vision for the Massachusetts fusion centers differs sharply from theirs.

The bill’s provisions make good, if incremental, sense. They require the fusion centers to audit themselves annually to determine whether they have investigations open that shouldn’t be, and make the report of that a public record; they empower an inspector-general to conduct outside audits; and they specify some metrics whereby the fusion centers can determine how well they are respecting people’s privacy. These are important first steps toward establishing whether anything that the fusion centers do, actually does the rest of us any good; and will prepare the ground better for us to have discussions in future years about closing them entirely.

Boston Fusion Center Trying to Sneak Millions of $ More Into House Budget

jackson-fire

Those sneaky folks over at the Boston Regional Intelligence Center decided that we weren’t shoveling enough tax dollars towards their hard work of spying on protesters, harassing Twitter bloviators, and serving as a praetorian guard for major corporate interests. To remedy this injustice, they got the House to approve over two million dollars in extra funding for “technology and protocol upgrades” as part of H. 3773.

8000-1001 For the Boston Regional Intelligence Center to upgrade, expand, and integrate technology and protocols related to anti-terrorism, anti-crime, anti-gang, and emergency response; provided that intelligence developed shall be shared with the BRIC communities and other State municipal and federal agencies as necessary; provided further, that BRIC shall provide technology required to access the intelligence with its municipal partners, the State police, the MBTA, the Mass Port Authority, and appropriate federal agencies to assure maximum interagency collaboration for public safety and homeland security………………………………………………………………………..$2,250,000

It should be clear to everyone that there should not be an endless spigot of tax dollars going to fund counter-terrorism when we already vastly overspend on counter-terrorism, or to fund vaguely-worded “anti-crime and anti-gang” initiatives when crime is approaching historic lows. The Senate hasn’t passed its supplemental budget yet, so we’re asking Senators not to include this language.

If you, like us, feel uneasy about no-strings-attached funding going to your local spy center, please consider giving your state Senator a call; there’s a tool here for finding out who they are.

Bodycams Delay Will Cost About Four Lives In Boston Per Year

Another kid’s DNA for our database!

Commissioner Evans of the Boston PD came before the Boston City Council last week to counter activists’ arguments that adopting an ordinance mandating police body-worn cameras would decrease police uses of force and complaints. His favored alternative solutions were (1) more ice-cream socials, because Boston is a “model” city for community policing; (2) delay, because more research is needed on whether they would work in Boston; and (3) in a sit-down interview with the Boston Herald, calling for laws requiring citizens filming police to keep their distance and for them to help police subdue suspects.

We’ll get to the ice-cream socials in a minute, shall we?

Continue reading Bodycams Delay Will Cost About Four Lives In Boston Per Year

Your Police Dept May Spy On You “For Situational Awareness”

report-suspicious-activity

“Fusion centers” are intelligence-aggregation operations, created after the 9/11 Commission found that, had agencies (namely the FBI and CIA) engaged in more free and open sharing of information, the terrorist attacks could have been prevented. (The laws in 2001 permitted sharing that would have prevented the attacks; but the agencies were overly cautious about sharing data out of turf concerns.)

There are now at least 78 fusion centers dispersed throughout the United States. They claim to focus mostly on collecting intelligence of activity that may have a “nexus” to terrorism, but also criminal activity more broadly. But they operate in almost total darkness, with virtually no transparency. The little we do know suggests that fusion centers neither prevent terrorist acts nor respect First Amendment rights to free speech and free association.

The Intercept reported last week on the fusion centers’ targeting of Black Lives Matter protests, but there are also many other examples, going back to the fusion centers’ founding. The ACLU of Massachusetts found that the Boston Regional Intelligence Center — one of two fusion centers in the Bay State — was spying on antiwar groups; the Austin Regional Intelligence Center was caught monitoring peaceful animal rights activists protesting a circus (I reported on this for MuckRock); and a fusion center in Nebraska — the Nebraska Information Analysis Center — has a special network focusing on activists opposing the Keystone XL pipeline. They justify such activities by claiming that they are monitoring “for situational awareness”, and that this doesn’t constitute surveillance. In fact, that’s exactly what surveillance is; “For Your Situational Awareness” is military jargon for obtaining the intelligence needed to make appropriate battlefield decisions.

Given the lack of sunlight surrounding the everyday activities of the dozens of fusion centers throughout the country, we decided we want to find out more. Naturally, we filed a public records request. We wanted to find out where our other local fusion center — the Commonwealth Fusion Center run by the Massachusetts State Police — gets their intelligence; who has authorized access to their databases; whether any errors in their databases have been discovered; and what kind of information the CFC has on myself and Alex Marthews, the national chair of Restore the Fourth.

Here is what we found:

Continue reading Your Police Dept May Spy On You “For Situational Awareness”

Wikileaks Hacking Team Emails Implicate NJ Fusion Center

lidless-eye

This week, Wikileaks released a searchable database of over a million internal emails from an Italian outfit called HackingTeam, which sells surveillance and hacking tools to dubious dictatorships around the world. Their software offerings include simple keyloggers all the way up to dragnet internet surveillance software.

I was willing to lay money that our friendly neighborhood fusion centers, the state-and-DHS-funded arms of the surveillance state, would be mixed up with HackingTeam somewhere. Looks like I win that bet.

Email #2640 shows the setup of a presentation from HackingTeam to the New Jersey fusion center’s most senior people, which apparently went ahead on November 1, 2013. The meeting was a success; by January, email #255362 shows that the fusion center was “interested in deploying” HackingTeam’s product. The subject line “DaVinci” shows what software is involved; “DaVinci” is the brand name for HackingTeam’s “remote control system” that promises to “break encryption and allow law enforcement agencies to monitor encrypted files and emails, Skype and other Voice over IP or chat communication […] It allows identification of the target’s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide.” DaVinci has infamously been used by Middle Eastern governments to spy on Arab Spring activists.

It appears that the senior NJROIC figures were “excited about its capabilities.” I’ll bet they were.

The emails don’t go on to show whether NJROIC actually implemented DaVinci. Whether or not they did, it’s reasonable to deduce that NJROIC has a strong interest in being able to subvert NJ residents’ communications privacy. Reached for comment, an NJROIC spokesman was at pains to state that everything they do is under the guidance of the Attorney-General, conforms to applicable laws, and involves obtaining court orders and warrants as appropriate, but would not be drawn on the hypothetical question of whether encryption-subversion software would be treated as requiring a warrant.

Subverting encryption is, to an extent, a natural part of the arms race between users on one side, and the government and criminal hackers on the other. But if it’s done without the procedural safeguards embodied in the Fourth Amendment – safeguards that third-party firms like HackingTeam appear willing gleefully to ignore in pursuit of juicy contracts – it opens all of our communications to the government’s unsleeping eye, whether we try to encrypt them or not. The government should steer well away from this kind of “offensive cybersecurity”, and focus on keeping its elderly, hole-filled networks secure instead of exploring new ways to weaken yours and mine.