Tuesday, January 24, 2012

Supreme Court rules unanimously that GPS tracking of suspects requires a warrant

The U.S. Supreme Court published a decision yesterday in United States v Jones, in which it held unanimously (although with three separate opinions using different reasoning to reach the same conclusion) that the use of a GPS monitoring device to conduct long-term surveillance of an individual requires a warrant. When the Court granted certiorari and the case was argued last November, legal analysts suggested the ruling could be the most significant Fourth Amendment case in recent memory, but the arguments among the justices authoring the three opinions (Scalia, writing for the Court and joined by four of his colleagues; Alito, joined by two others; and Sotomayor) as to the best way to interpret key precedents leave unresolved some fundamental questions about the constitutionality of electronic surveillance methods.

In the D.C. Circuit appellate case that was the basis of the appeal to the Supreme Court, the crux of the government's argument was that use of a GPS device to conduct surveillance did not violate an individual's reasonable expectation of privacy, applying Justice Harlan's test from his concurring opinion in Katz v. United States. The Supreme Court appeared to find the reasonable expectation of privacy issue moot, concluding simply that placement of a GPS tracking device on the suspect's vehicle (an "effect" for purposes of applying the Fourth Amendment) constituted a search, and rejecting the government's assertion that without a reasonable expectation of privacy, no search occurred. The Court's opinion refutes the government's apparent suggestion that applying Katz somehow substitutes for common-law approaches based on trespass rights. The strength of the argument applied here is that the trespass perpetrated by the police involved a personal effect, an item explicitly protected in the Fourth Amendment.

Justice Alito's concurring opinion reaches the same decision on the facts of the case as the Court's opinion but relies solely on Katz to do so, citing the many difficulties associated with relying on trespass law and pointing out that court precedent has established that the fact that a trespass occurred is neither necessary nor sufficient to establish a violation under the Fourth Amendment. Justice Alito further argues that neither of the two separate events (installing the GPS device and using the device to gather information) would on its own constitute a search. With the specifics of this case, the Court did find that the combination of physical trespass with an intent to gather information unquestionably constitutes a search and therefore invokes the protections of the Fourth Amendment. The problem with this approach, as both Justice Alito and Justice Sotomayor note in their concurring opinions, is that if GPS monitoring can be performed without a technical trespass, the Court's argument in this case would provide little protection.

This ruling stops short of addressing another issue raised during the appellate process regarding whether the length of time during which a subject is under continuous surveillance has any bearing on his or her reasonable expectation of privacy. Other cases involving electronic surveillance devices, notably including United States v. Knotts, addressed limited or short-term tracking, leaving open the question of whether more prolonged use would require a different application of constitutional principles. Justice Alito, basing his concurring opinion solely on Katz, determined that "longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy." Justice Scalia expresses some frustration with Justice Alito's reasoning, suggesting that under the Harlan standard, prolonged continuous electronic surveillance would be permissible under current constitutional interpretation. Justice Sotomayor provided a closer consideration of the nature of GPS tracking technology and the potential evolution of societal expectations of privacy, which are a key element in the Harlan test under Katz. She goes so far as to suggest that "it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties" and to reject the prevailing assumption that secrecy is a prerequisite for privacy. It appears a more comprehensive ruling on GPS tracking and other forms of electronic monitoring will have to wait for a case with a set of circumstances that limits the Court to considerations of the reasonableness of such monitoring, with or without regard to the length of time over which it occurs.

Friday, September 30, 2011

TRICARE data breach shows (again) why encryption of removable media is essential

The Department of Defense's TRICARE program disclosed last week that backup tapes containing medical records on nearly 5 million active-duty and retired military personnel and their dependents were stolen from the car of a contractor who was transporting the tapes. According to spokesmen for TRICARE and the contractor (SAIC) quoted in the media, only some of the personal information included on the tapes had been encrypted prior to backup, and that encryption apparently did not satisfy government standards for strength of cryptographic modules. More surprising is a statement attributed to a TRICARE spokesman that the military healthcare provider does not have a policy on encryption of backup tapes. The TRICARE Management Authority (TMA) provides a link on its website to a June 2009 memo from DoD Senior Privacy Official Michael Rhodes that issues department-wide policies regarding "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)." This memo, among other provisions, refers to the DoD's statutory obligations for protecting PII, specifically citing government-wide guidance from OMB in Memorandum M-07-16. This OMB memo, and M-06-16 that preceded it, require all federal agencies to encrypt agency data stored on portable devices, and to use encryption complying with the FIPS 140-2 standard. The language in M-06-16 is even more explicit, directing agencies transporting or storing PII offsite to use encryption during transport and for storage at a remote site. The DoD also has policies in place requiring that all electronic records containing personally identifiable information be categorized at either moderate or high impact levels, and mandating encryption at rest (including storage on removable media) for all data categorized as high impact.

Reports of this latest breach often note that the number of individuals potentially affected makes this the largest breach of protected health information since the federal health data breach notification and disclosure rules went into effect in September 2009. Those rules provide an exception for lost, stolen, or otherwise compromised health data that is encrypted, giving healthcare organizations a strong incentive to implement encryption even where it is not required (under the HIPAA Security Rule, encryption of electronic PHI in transit and at rest is "addressable" rather than required). For government entities, however, there seems little basis on which to argue that encryption is optional, since even where PHI-specific policies allow for discretionary use of encryption as a security control, agency-level and federal policies on the protection of all personally identifiable information obligate agencies to use encryption for data while in transport.

Monday, September 12, 2011

Supreme Court will hear case on GPS tracking, warrants, and the 4th Amendment

The U.S. Supreme Court has scheduled oral arguments for November 8, 2011 in United States v. Jones, an appeal by the government of an August 2010 D.C. Circuit Court ruling that continuous monitoring of a GPS tracking device placed on a suspected drug trafficker's vehicle without a warrant violated the suspect's 4th Amendment rights. The diversity of opinions by courts at multiple levels over the past couple of years helped to increase the probability that the Supreme Court would take up the issue, as the cases brought before the courts address classes of technology and tracking capabilities that go far beyond what was envisioned when the current laws were enacted or when major precedent cases like United States v. Knotts were decided. A recent New York Times article calls United States v. Jones "the most important 4th Amendment case in a decade" and invokes comparisons of the government's efforts to use comprehensive surveillance technologies to the "Big Brother" state described in George Orwell's 1984. Perhaps more notable is the potential for the Supreme Court's attention to these issues to prompt a more comprehensive review of the outdated laws and regulatory practices that are so often unsuccessfully applied to modern communications technologies. Some members of Congress have repeatedly tried to get traction on overhauling the Electronic Communications Privacy Act (ECPA), enacted in 1986, to bring its provisions in line with current technology and possibly revised social norms and standards about what constitutes reasonable expectations of privacy. These efforts often focus on geolocation data, which while certainly not the only product of new technology poorly addressed by current laws, seems to bring about multiple perspectives and open questions. Beyond the disposition of the current case, it will be interesting to see if judicial action prompts any legislative response.

Friday, September 2, 2011

VA decision to allow iPad use without FIPS certification provides good example of risk-based decision making

The decision by Department of Veterans Affairs CIO Roger Baker to allow users to connect mobile devices such as the Apple iPad and iPhone to the agency's computing network provides a good example of the trade-off many organizations face between security, user desires, and practical business considerations, but also illustrates the subjectivity inherent in security management decisions and the authority delegated to federal agency executives to apply their own risk tolerance to decisions. Baker was quoted in an article by Nextgov in July acknowledging the fact that the security software is not FIPS certified, but indicating that he is willing to accept the risk associated with the decision to allow the devices to be used anyway, with the assumption that even without FIPS certification the encryption technology is sufficient to provide the needed protection. While the VA prepares for broader support for mobile devices this fall, it is operating a pilot program with Apple devices. Baker is participating in the pilot, and according to FederalTimes.com has traded his own laptop for an iPad.

From a security standpoint, the VA's plan to allow agency-issued and personal mobile devices to access Departmental networks is most noteworthy because the devices in question do not yet satisfy federal standards for encryption. This is a particularly sensitive issue for the VA, which has a checkered history when it comes to data breaches, including the well-publicized 2006 theft of a VA laptop containing unencrypted records on some 26.5 million veterans. To be fair, Apple devices do offer encryption capabilities, but the software used to do so is not certified compliant with Federal Information Processing Standard (FIPS) 140-2, and so fails to satisfy federal security requirements for cryptographic modules. Apple is currently in the process of validating its cryptographic modules for both the iPhone and iPad through the National Institute of Standards and Technology's Cryptographic Module Validation program. According to NIST's "Modules in Process" list both Apple modules are in the first phase of the process, called "implementation under test," meaning Apple has a testing contract in place with a cryptographic security and testing lab and has provided the module and all required documentation to the lab. While still in the early stages of certification, this progress may give the VA and other agencies some degree of confidence that FIPS certification is pending, making the risk associated with running un-certified security a temporary issue.

The fact that VA can independently make the decision to essentially waive a federal technology standard reflects the authority that most federal agencies have under current law and policy. The majority of agencies are self-accrediting when it comes to determining the appropriate security measures to put in place to adequately protect enterprise information and other assets. Federal agencies are expected to apply risk-based decision-making to security management practices, and since the authority rests with each agency, decision makers evaluate the risk to the organization from the use of a given system or technology against the benefits offered and the cost of implementing security safeguards. Different organizations (and different decision makers within those organizations) have different appetites for risk, so what may be acceptable to one agency would be unacceptable to another. In the VA's case, it seems likely that Baker is not demonstrating especially high risk tolerance, but instead that the perceived risk of using encryption that has not yet achieved FIPS certification is not high enough to preclude the use of mobile computing devices in health care delivery settings.

Among the potential downsides of using encryption that doesn't have FIPS 140-2 certification is in the area of breach notification. The new federal health data breach notification and disclosure requirements, which went into effect in September 2009 under the authority of an interim final rule, exempt organizations from having to disclose data breaches if the data is "unusable, unreadable, or otherwise indecipherable to unauthorized individuals," which HHS declared to mean that the data has either been encrypted or destroyed. The FIPS 140-2 requirements apply whenever government regulations call for the use of security based on cryptographic modules, so the practical interpretation of HHS' breach disclosure exemption for encrypted data is that such encryption must use FIPS 140-2 certified cryptography. In theory this means if the VA loses one of its newly network-connected iPads with protected health information on it, it would have to report the breach even if the device had encryption enabled. Practically speaking, VA already reports many types of data breaches to Congress and to the public, and does so to comply with requirements of the Veterans Benefits, Health Care, and Information Technology Act of 2006 (Pub. L. No. 109-461), so the new health data breach rules stemming from the HITECH Act are in many ways redundant to existing practice.

Monday, August 29, 2011

HIPAA "access report" potentially much simpler to implement, more valuable than accounting of disclosures

Among the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act garnering significant attention are the changes to existing HIPAA requirements for covered entities to produce accounting of disclosures of protected health information and a new proposed requirement that entities and business associates also maintain (and furnish upon request) a record of accesses to individuals' electronic health records. Both of these measures are addressed in a notice of proposed rulemaking (NPRM) published by HHS in the Federal Register in late May, the comment period for which closed August 1. Public objections to the proposed rules emphasize the administrative burden to health care organizations to collect and store the information required for accountings of disclosures and access histories, and the apparent lack of interest among members of the public in requesting this information from health care entities. While the two provisions share obvious functional elements, there are significant differences in both technical feasibility and practical relevance that justify separate consideration of the proposed rules, and in particular suggest that the new access record provision may be more difficult to dismiss using the arguments put forth to date.

Many industry watchers are more familiar with the proposed changes to the accounting of disclosure requirements, since those changes are spelled out in the HITECH Act (at §13405(c)); most notably, they change the time period covered from six years to three and also remove the exception under current HIPAA provisions for disclosures for the purpose of treatment, payment, or health care operations. The NPRM repeats the current (45 CFR §164.528(b)(2)) implementation specifications for the content that must be included for each disclosure in the accounting:
  • Date of disclosure
  • Name of the entity or person (and their address, if known) receiving the disclosed PHI
  • Description of the PHI disclosed
  • Purpose for the disclosure
These requirements apply to PHI disclosed in both paper and electronic form, although the objections to the rule seem to focus on electronic disclosure, perhaps due to the inherent limitations of many electronic health record (EHR) systems and other applications in capturing the required information. There are valid procedural objections as well, because with the exception of the date of the disclosure, the content required cannot easily be extracted or automatically recorded from EHR systems, and with respect to the purpose for disclosure in particular, it seems likely that the need to capture this information would insert a step in routine business processes where the purpose would need to be recorded before the process could be completed. By applying the accounting of disclosure to the types of disclosure that likely make up the vast majority of purposes for most health care entities, the removal of the exceptions for treatment, payment, and health care operations will unquestionably add to the administrative workload of covered entities and business associates who must comply with the law. Before developing the NPRM, HHS issued a request for information in May 2010 seeking comments on the accounting of disclosure changes in the HITECH Act, in which HHS sought to "better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department's rulemaking in this area." Many commenters apparently pointed to the lack of consumer demand for accountings of disclosures, with few requests received by entities in the several years since the provision was first enacted.

It seems possible, however, that while health care organizations will undoubtedly need to devote greater resources to complying with the revised rule, individuals might find an accounting that covers a much greater proportion of total disclosures more valuable than in the past, when those requesting accountings would likely get no information regarding the most common or perhaps consumer-intuitive situations where disclosures had occurred.

Under the definition used in HIPAA (45 CFR §160.103), a "disclosure" only occurs when information leaves the entity holding it, so the accounting of disclosures only covers release or transfer of PHI from one person or organization to another. The new access report provision has no such limitation, and HHS indicated in its NPRM that it chose to add coverage for access to PHI by members of an entity's workforce as part of an expanded perspective that includes both internal and external access to information in an individual's health record. In contrast to the accounting of disclosures, the access report would apply only to records in electronic form, which might make the provision seem somewhat less comprehensive than the accounting of disclosures, but which – intentionally or not – greatly simplifies the collection and maintenance of record access information. The proposed implementation standard for the content of the access report specifies the following information:
  • Date of access
  • Time of access
  • Name of the person accessing the record (if available, or else the name of the entity)
  • What information was accessed, if available
  • Action taken by the user (e.g. create, modify, access, delete)
With the exception of describing what information was accessed, all of the elements proposed in the implementation specification reflect data routinely captured in audit logs that can typically be automatically generated by database-centric computer systems such as those used to manage EHRs. Distinguishing subsets of data contained in a single record accessed by a user would likely require more granular tracking than many audit logs provide, particularly in read-only events where no data is changed. However, the simpler set of content required for the access report makes the technical feasibility of this proposed requirement much greater than for the accounting of disclosures. This is true even without the flexibility afforded to organizations about providing the name of the person accessing the record, although the NPRM acknowledges that producing the first and last name may require mapping the user ID captured in an audit log to a list of full names. According to the NPRM, allowing for entity-level attribution rather than person-level is intended for situations where organizations outside the entity holding the information are provided access; employees or contractors working for the entity cannot share authentication credentials, as unique user identification is required under the technical safeguards specified in the HIPAA Security Rule (45 CFR §164.312).

One valid criticism regarding the proposed access record provision is that HHS seems to assume that relevant organizations would have only one electronic record system, but hospitals and large health care entities often have multiple systems, so creating the access report would require an aggregation of audit logs or other data drawn from multiple systems, adding cost and complexity to efforts to comply. Given the nature of the data required, the technical barrier to producing an integrated view of audit records may not be too great, particularly for organizations that have implemented standards such as the IHE's Audit Trail and Node Authentication, which include standard formats for audit logs to facilitate integrated audit reporting.
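As an added illustration (not code from the original post) of how the five access-report elements proposed in the NPRM could be assembled from the audit logs of two systems with different formats, the following script normalizes constructed log lines from a hypothetical EHR (JSON events) and a hypothetical lab system (CSV rows), maps workforce user IDs to full names, attributes external access to the entity rather than a person, and flags user IDs that cannot be mapped; every log line, ID and name is constructed.

```python
"""Build a HIPAA-style access report for one patient record from the audit
logs of several systems. Added example; formats, names and IDs are constructed."""
import csv
import io
import json
from dataclasses import dataclass

# Constructed directory: the NPRM notes a user ID in the log may need to be
# mapped to a first and last name for the report.
WORKFORCE = {"jdoe": "Jane Doe", "rsmith": "Ron Smith"}
# Constructed list of outside organizations granted access; for these the
# report names the entity rather than an individual (as the NPRM allows).
EXTERNAL_ORGS = {"labcorp-svc": "Example Reference Laboratory"}
# Normalize each system's vocabulary to the NPRM's create/modify/access/delete.
ACTION_MAP = {"read": "access", "view": "access", "select": "access",
              "update": "modify", "insert": "create", "delete": "delete"}
REPORT_COLUMNS = ["date", "time", "name", "information_accessed", "action"]


@dataclass
class AccessEvent:
    date: str
    time: str
    user_id: str
    record_id: str
    action: str
    information: str = "not available"  # many logs record only the record ID


def parse_ehr_json(line):
    """Hypothetical EHR audit event, one JSON object per line."""
    ev = json.loads(line)
    date, time = ev["ts"].split("T")
    return AccessEvent(date, time[:8], ev["user"], ev["patient"],
                       ev["op"].lower(), ev.get("section", "not available"))


def parse_lab_csv(line):
    """Hypothetical lab system audit row: date,time,user,patient,action."""
    date, time, user, patient, action = next(csv.reader([line]))
    return AccessEvent(date, time, user, patient, action.lower())


def attribute(user_id):
    """Person-level name for workforce members, entity-level for outside
    organizations; anything else is flagged for manual follow-up."""
    if user_id in WORKFORCE:
        return WORKFORCE[user_id]
    if user_id in EXTERNAL_ORGS:
        return EXTERNAL_ORGS[user_id]
    return f"UNMAPPED USER ID {user_id}"


def build_access_report(sources, record_id):
    """sources: iterable of (parser, lines). Returns rows for one record,
    ordered by date and time, each row a dict keyed by REPORT_COLUMNS."""
    rows = []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev.record_id != record_id:
                continue
            rows.append({"date": ev.date, "time": ev.time,
                         "name": attribute(ev.user_id),
                         "information_accessed": ev.information,
                         "action": ACTION_MAP.get(ev.action, ev.action)})
    rows.sort(key=lambda r: (r["date"], r["time"]))
    return rows


def render_csv(rows):
    """The report as it might be furnished to the individual on request."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REPORT_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample logs from the two hypothetical systems.
EHR_LOG = [
    '{"ts": "2011-08-01T09:14:02", "user": "jdoe", "patient": "MRN-1001", "op": "READ", "section": "medication list"}',
    '{"ts": "2011-08-01T09:20:45", "user": "rsmith", "patient": "MRN-2002", "op": "UPDATE", "section": "problem list"}',
    '{"ts": "2011-08-02T16:03:11", "user": "jdoe", "patient": "MRN-1001", "op": "UPDATE"}',
]
LAB_LOG = [
    "2011-08-01,11:30:00,labcorp-svc,MRN-1001,insert",
    "2011-08-03,08:05:19,xguest,MRN-1001,view",
]
SOURCES = [(parse_ehr_json, EHR_LOG), (parse_lab_csv, LAB_LOG)]

if __name__ == "__main__":
    print(render_csv(build_access_report(SOURCES, "MRN-1001")))
```

The unmapped-ID case is the one to watch operationally: a user ID that appears in an audit log but not in the workforce directory or the list of authorized external entities is exactly the kind of access the report is meant to surface.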

Previous objections to the accounting of disclosure rule often center on covered entities' prior experience with patients and consumers and the apparent lack of interest by individuals in getting accountings, based on the few historical requests they have received. The implication is that there is a lot of administrative overhead to produce a "product" for which there is little demand. This argument rings a bit hollow when applied to access records. Accountings of disclosures to date exclude many – perhaps most – occurrences, and only cover external exchanges of data. The access report is focused as much or more on access by insiders, to provide some insight into routine authorized accesses and, more importantly, to indicate instances of inappropriate access by authorized users. There is ample anecdotal evidence to suggest that inappropriate insider access is all too common, although the most well publicized incidents tend to involve abuse of privilege to view celebrity medical records. This type of incident is not limited to health care – recall the State Department contractors who improperly accessed the passport records of the candidates in the 2008 presidential election. In government agencies like the IRS there are formal policies against misuse of authorized access privileges to, for instance, browse tax records, such as Internal Revenue Manual 10.8.34.2, which explicitly forbids users from accessing their own accounts or accounts of friends, relatives, coworkers, other IRS employees, or celebrities. Absent access records, discovery of inappropriate user access must rely on technologies like intrusion detection or auditing systems, and if the latter are in place, it seems a short step to leverage the data already being collected through routine user event monitoring.

In large organizations where inappropriate use may be a concern, implementing mechanisms to support the data collection needed for access reports under the proposed HIPAA rule – and making employees aware of such data collection – may actually serve as a deterrent to inappropriate behavior.

Friday, May 27, 2011

HHS releases new draft accounting of disclosure rules

The Department of Health and Human Services (HHS) has released a long-anticipated Notice of Proposed Rulemaking that would implement the changes to accounting of disclosures requirements under the HIPAA Privacy Rule. HHS opened a 60-day comment period effective May 31, the date when the NPRM is scheduled to be published in the Federal Register. The changes, specified in the Health Information Technology for Economic and Clinical Health (HITECH) Act, would expand the types of transactions and uses of data that must be included in accountings of disclosures, reduce the time period for which organizations must maintain the disclosure information, and modify the set of information that must be recorded for each disclosure.

Under the current provisions of the HIPAA Privacy Rule, codified at 45 CFR §164.528, covered entities are required to maintain records on disclosures of protected health information for a period of six years, and to furnish that historical record of disclosures (the "accounting") to individuals who request them. The Privacy Rule included an exemption for disclosures for the purposes of treatment, payment, health care operations, and a variety of other special circumstances, including disclosures to the individual of their own PHI. Collectively, the excepted purposes constitute the vast majority of activity involving disclosure. The current rules also cover all PHI, whether in paper or electronic form. HITECH shortens the accounting period to three years, but removes the exemptions for treatment, payment, and health care operations when the disclosure of information is from an electronic health record (EHR). HHS is also proposing to explicitly list the types of disclosures that are subject to the accounting of disclosure requirement, rather than the prior approach of generally requiring inclusion but enumerating specific exceptions. When the HITECH Act passed, many covered entities expressed concerns about the increased administrative burden they would face by essentially having to track all disclosures rather than the more limited set currently required under the law. Some have also pointed out that many EHR systems currently on the market do not provide the built-in functionality to record the information about each disclosure that is required under the revised rule in HITECH.

As part of the rules promulgated under the "meaningful use" EHR incentive program, the HHS Office of the National Coordinator last year adopted a new standard and EHR certification criterion for recording accounting of disclosure information. When it published its final rule for standards and certification criteria, however, ONC chose to make the accounting of disclosure criterion optional, pending further analysis and discussion on the potential impact of the new requirements to covered entities and business associates. In parallel, HHS issued a request for information in May 2010 seeking input from the industry and other interested parties about the potential burden of complying with the new accounting of disclosure rules, the technical capabilities available in the market to facilitate or automate this process, and evidence about the relative interest among individuals in requesting accountings of disclosures. The new NPRM includes some summary data about the comments received in response to the RFI, perhaps most interestingly noting that a large number of respondents reported no or very few requests for accountings since the Privacy Rule went into effect in 2003.

HHS' new proposed rule divides individual rights in two, providing for separate rules that give individuals the right to an accounting of disclosures and to an "access report" that, in contrast to disclosures, would provide details about who has electronically accessed the individual's PHI. The access report provision includes accesses both by employees of covered entities and business associates and by those external to the organization. There is no comparable provision in the current law, but the NPRM notes that since the rule applies only to electronic access, covered entities should already be collecting the relevant information about accesses under practices required in the HIPAA Security Rule. It seems likely that at least part of the justification for this new right is the heightened attention focused on the need for such a record of even routine accesses following a series of well-publicized incidents where hospital employees apparently abused their authorized access by viewing the health records of celebrities or other public figures.

Thursday, May 26, 2011

Proposed amendments to ECPA would restrict disclosure of geolocation data

Legislation introduced last week for consideration by the Senate Judiciary Committee would update some of the provisions in the Electronic Communications Privacy Act of 1986 (ECPA) to extend legal protections on information collected and maintained by electronic communications service providers to include geolocation information. The bill, introduced by Judiciary Committee chairman and Vermont Senator Patrick Leahy as the Electronic Communications Privacy Act Amendments Act of 2011 (S.2011), adds geolocation information (such as GPS coordinates and cell site location information) to the types of data that government authorities cannot obtain from service providers without first getting a warrant. The bill explicitly defines geolocation information as "any information concerning the location of an electronic communications device that is in whole or in part generated by or derived from the operation or use of the electronic communications device."

Leahy, who is cited as the original author of the ECPA in the press release announcing the introduction of the new bill, has spearheaded a campaign through his committee to highlight the many ways in which modern technology has developed beyond what the law was envisioned to cover. In a series of hearings dating from before the 2010 mid-term elections, the Judiciary Committee has heard testimony from a variety of stakeholders, including government, academic, judicial, and industry representatives. More recently, committee hearings have focused on privacy issues associated with GPS coordinates and other geolocation information collected automatically by many popular mobile devices, with or without the knowledge of device users. These issues, coupled with a series of inconsistent federal court rulings that tried to interpret ECPA to apply its terms to technologies and data types that didn't exist 15 years ago, have left a somewhat confusing picture regarding just what information is subject to privacy protections, under what circumstances, and with what level of legal and administrative constraints. If enacted as written, it would appear that the proposed amendments to the ECPA would resolve the ambiguity surrounding how geolocation data should be treated. The text of the bill would amend sections of Chapters 119 and 121 in Title 18 of the U.S. Code to prohibit the disclosure of such information by service providers and to prevent government authorities from accessing an electronic device for the purpose of retrieving geolocation information.

The focus on geolocation data in the proposed amendment is understandable given the attention generated by news that Apple's popular iPhone devices store a cache of location information that some have interpreted as potentially useful for tracking an individual's location over time. Of course, cellular service providers have long collected device location information as part of their routine business operations, leading to some legal debates over just who owns that information and, in particular, whether subscribers can assert privacy rights about that information. The proposed bill addresses this key issue and several related topics about information disclosure, warrant or subpoena requirements, and emergency exceptions. Still unaddressed are other provisions in ECPA and the Stored Communications Act language it contains that cover the contents of electronic communications generally, but are not explicitly intended to address the wide variety of communications media, smartphones, tablets, and other sophisticated technologies using the services and infrastructure that modern electronic service providers now offer.