Open data and privacy law often conflict. What issues are people discussing in the realm of privacy and government-held data? What can open data advocates do to increase access to government data when privacy is a concern?

1. Review of privacy and data
issues
Emily Shaw
National Policy Manager, Sunlight Foundation

2. 4th Amendment + technology = ?
• Riley v. California (2014) – physically locked on phone, but accessible
via cloud or electronic communications service?
• Parallel construction and law enforcement use of NSA-collected data
• US v. Jones (2012) – GPS on car, but uninstalled techniques?
• ACLU study found that 237 of 250 surveyed PDs track cellphones, mostly
without warrants

3. Main 4th Am & data privacy issue areas
1. Collection of new data – what are limits on new
surveillance tools?
2. Access to existing data – what are the standards for
protection?

4. 1. New Surveillance Tools
• Automated License Plate Readers
• Stingray Tracking Devices
• Arial surveillance – known and unknown
• Sensor networks
• Public
• Public-private

5. Automatic License Plate Readers (ALPRs)
• Used regularly around the country, some states are restricting
• Where FOIA-able, can be used to track police behavior
• Not just photographing license plates – car occupants are also
subjects

6. Stingray Cellphone Tracking Devices
• Can collect phone ID, numbers dialed and
previous location (e.g., last tower)
• Used by at least 48 state and local PDs, but full
scale of adoption is not known (DC, Fairfax,
Montgomery County all have)
• Judges have been unfamiliar with tech and
unintentionally authorized
• LE often uses without explicit authorization,
though recent legal pushback
• 10 states now require warrants (yes MD, no VA)

7. Arial surveillance
• 13 states regulate drone use as of end of 2014 session but generally
exempt law enforcement. Local law enforcement use of drones is
mainly unregulated.
• Using technology developed for the war in Iraq, manned surveillance
planes like Persistent Surveillance Systems have been seeking
contracts with local law enforcement.

8. Sensor systems
• Public sensor systems: New York’s Domain Awareness System,
Chicago downtown public sensor array
• Contracted sensor systems: ShotSpotter, persistent sound recording in
over 60 US cities (as in DC, below)
• Public-private connected systems: Oakland’s Domain Awareness
Center (now reduced in scope)

9. What next?
• ACLU keeping track of emerging issues

10. 2. Privacy-based limits on access to existing
data
• Government data: 1974 Privacy Act (& FIPs), HIPAA/FERPA,
state variation
• Privately-held data: Electronic Communications Privacy Act

11. Elements of government data protection
• “Personally Identifiable Information” (PII) or “Personal Health
Information” (PHI) protection – e.g., field elimination/transformation
• HIPAA Safe Harbor standard – removal of 18 fields
• 1974 Privacy Act identified the SSN as private data for all
governments
• Privacy Act also mandates that federal agencies provide you access to
data about you held within a “system of records” and to produce
“system of record notices” (SORNs); supposed to limit sharing.
• All privacy laws have a number of exceptions

12. “Notice and Consent” –
Fair Information Practices principles
• There must be no personal data record-keeping system whose very
existence is secret.
• There must be a way for an individual to find out what information about
him is in a record and how it is used.
• There must be a way for an individual to prevent information about him
that was obtained for one purpose from being used or made available for
other purposes without his consent.
• There must be a way for an individual to correct or amend a record of
identifiable information about him.
• Any organization creating, maintaining, using, or disseminating records of
identifiable personal data must assure the reliability of the data for their
intended use and must take precaution to prevent misuse of the data.

13. Electronic Communications Privacy Act
• Federal ECPA (1986) required law enforcement to get a warrant for
individuals’ email, unless it was stored on a third-party server for over
180 days.
• Under current technological practice, this leaves out most email.
• Federal efforts to reform have not been successful so far. Current
efforts: LEADS and ECPA Amendments Acts.
• Digital Due Process Principles created by broad coalition
• Maine and Texas have passed a form of improved ECPA and California,
Montana and Maryland currently considering bills

14. But what about benefits?
Privacy and Data-Sharing for Public Good
• Federal laws like HIPAA and FERPA, and a patchwork of varying state
laws, regularly limit inter-agency data-sharing
There are
two main
possibilities.

15. 1. Keep it restricted.
Share private data within trusted partnerships, using:
• Exceptions for law enforcement
• Exceptions for improvement of a public service
• Exceptions for research to benefit the public
• Legal Mechanisms:
• Memorandums of Understanding
• Statutory change
• Other important elements:
• IRBs
• Social trust

16. 2. Take out the restricted parts!
• Aggregation or anonymization
• Always a balance between privacy and data utility, but an evolving
area

17. If you like microdata, know your PII
• Rule for open data folks: Know your PII. There are at least 4 kinds:
1. Unintentional PII (legally shouldn’t be there, but it is)
2. Unnecessary PII (doesn’t need to be there, but it is)
3. Necessary PII (needs to be there)
4. Legally-identified information
• Know your rights to legally-identified info. Know to ask for
redaction of unnecessary PII. Know to seek better controls for
unintentional PII.

18. The Future! Exciting upcoming
surveillance/public access/privacy issues!
• Police body camera data
• Government relationships with third-party shared location data –
Google, Waze
• Public service location data - Metrocards, EZ Pass (recent example of
Christie’s political use of opponent’s EZ Pass data.)