Whatever your thoughts on policing in general in America, I would hope it would be largely uncontroversial to state that a huge percentage of Americans believe that police are generally over-militarized and at least a little too trigger-happy, especially when it comes to engaging minority communities. If you somehow think that there isn’t at least a perception problem among the public here, then you probably don’t need to keep reading the rest of this post, because it’s not going to make sense to you.
But if you do understand that there is some level of a problem here, your skin will almost certainly crawl when you see the recruiting poster the Peoria, IL police put out on social media to try to get young recruits.
A Peoria, Illinois police department tried to recruit new officers with a Call of Duty-inspired campaign on social media, and it was as tone-deaf as you’d imagine. The post, originally shared on the Peoria Police Department’s social media page, showed three white men posing with guns while wearing tactical gear. “Stop playing games and answer the Call of Duty,” the post reads, with the “Call of Duty” portion of the poster written in the same text as Activision’s wildly popular (and more than occasionally problematic) first-person shooter franchise.
Imagine just how tone-deaf you have to be in the current climate of policing in America to put this poster out. First, recruiting people with images of police in tactical gear pointing guns is precisely the wrong message to put out to a community in Peoria that is concerned about policing. Doubly so when the image is of three white cops in a community with a sizable black population.
And now add to all of that the simple fact that Call of Duty is a game in which you primarily spend a great deal of time shooting individuals. Like, with bullets and stuff. You know, to kill them. And, sure, it’s a video game and in that context I don’t have an issue with the game itself. But in a society where many believe that police far too often see themselves as gun-toting enforcers through violence, recruiting against a video game like CoD is absurd.
Police Chief Eric Echevarria eventually took the post down and apologized in a way that I will say does ring through as genuine.
It was never my intention to offend any of our community members with the recruitment flyer that was posted on our Facebook page yesterday. It was simply a recruitment image I thought would appeal and connect to a younger generation. I take ownership of this, and I sincerely apologize. Our goal is to recruit the best and most qualified officers for this police department in the most caring and respectful way.
It’s probably a good move, because we haven’t even gotten into the issue of intellectual property. The poster does name the game and use the same or similar font for the game’s branding when doing so. While I’m not sure there’s an actual trademark infringement case to be made here, I am also quite sure that Activision probably wouldn’t appreciate the use of its product name and branding in this way.
And so the poster is down, but the damage is done. In a community where fear of police violence is very real, that community got a reminder of how some police officers see their jobs.
Dating can be difficult, but there are certain things you can do to not make things worse on yourself. Don’t be a creep. Be kind. Take no for an answer. Actually listen to the people you date. I mean, that’s kinda the standard stuff.
Nikko D’Ambrosio was apparently unable to follow at least one (and possibly more!) of those simple rules. Nikko, a 32-year-old Chicago man (old enough to know better), apparently dated around a bit, then lost his shit when he discovered that some of the women he dated went to the Facebook group “Are We Dating the Same Guy” to offer what were mostly pretty mild complaints about him.
“Very clingy very fast,” the woman commented. “Flaunted money very awkwardly and kept talking about how I don’t want to see his bad side.”
More screenshots showed the woman — who commented as an anonymous member — claimed that after she blocked D’Ambrosio’s number, he used a different number to send her a text in which it appears he attacked her appearance.
Nikko didn’t too much like this. And the guy once described as “very clingy very fast” who allegedly told someone you “don’t want to see his bad side” showed off his bad side in filing this very obvious SLAPP suit against basically anyone he could think of. There are 56 total defendants, including 29 women (some of whom are just relatives of the people he’s actually mad at). There are also 22 variations on Meta/Facebook. While the company has multiple corporate entities, you do not need to sue them all. For good measure, he also sued Patreon and GoFundMe, because why not?
It’s not at all clear why he sued all of those defendants. Most of the individual defendants are not clearly connected to this case. The case only names one woman who he says made defamatory comments about him (they’re not, but we’ll get to that). The rest are just… thrown in there and never explained. Did they like or share the original comments? Who knows. It does appear he sued family members of the main woman he’s mad at, again, for what?
There are so, so, so many problems with the lawsuit I’ve literally restarted this paragraph about six times as I change my mind on which to cover first. But let’s start here: Section 230. As far as I can tell, D’Ambrosio’s lawyers have never heard of it. The complaint doesn’t address it. But it easily bars the lawsuit against all of the many Facebook defendants, as well as Patreon and GoFundMe. He also sues AWDTSG Inc., which is apparently a company that helps to run a series of local “Are We Dating the Same Guy” groups on Facebook, which is what Nikko is particularly pissed at.
Section 230 says that for things like defamation, you get to sue the party who said the actual defamatory thing, not the website that hosts the speech. Should the case even get that far (and it’s not clear that it will), all the Facebook/Meta parties, GoFundMe, Patreon, and AWDTSG will easily get their cases tossed on 230 grounds. Having a lawyer file a lawsuit like this without understanding (or even attempting to address) Section 230 seems like malpractice.
Indeed, the lawyers who filed this lawsuit, Marc Trent and Dan Nikolic, kind of parade their ignorance. In the lawsuit they claim that because of “Defendants content moderation responsibilities” they would have had to “review” the posts, and that makes them liable for the alleged defamation. But, um, Section 230 was passed directly to deal with exactly that scenario, and to say that, no, reviewing posts doesn’t make you liable.
And Section 230 protects not just “interactive computer services” but “users” who pass along third party content. So even if he’s suing people for sharing or liking the comments he’s mad about, all of those defendants are protected by Section 230 as well.
It’s stunning that the lawyers in question seem wholly unaware of this.
Next up, defamation. Nothing in the suit appears even remotely close to defamation. The statements all appear to be statements of opinion about what kind of creepy jerk Nikko is. Sorry, Nikko, people are allowed to have opinions of you. That’s not defamation. Nearly all of the statements are clearly opinion statements. And, no, it may not feel great, but opinions that you’re “very clingy, very fast” are not defamatory.
Also, in a defamation suit, you plead which statements were defamatory, including why they are false and defamatory. This complaint does not do that.
Next, they’re trying to use Illinois’ brand new (just went into effect this year!) “doxxing” law, claiming that talking about him and posting his picture violates the law. Now, I think there are some potential 1st Amendment issues with that law, and they’re really driven home by using it here. But to try to make sure that this law is on the correct side of the 1st Amendment, it says that the law is not violated when the speech in question is “activity protected under the United States Constitution,” and boy, lemme tell ya, calling a dude “very clingy” sure qualifies.
There are a bunch of other pretty big legal problems with the lawsuit that are just embarrassing. Ken “Popehat” White covered many of them in his post on this subject. The big one, suggesting that the lawyers have little (if any) familiarity with federal court, is that to file in federal court over state law claims, you have to show “diversity,” meaning that the parties in the case are all in different states. And White notes how badly they fucked that up:
D’Ambrosio’s lawyers assert diversity jurisdiction but make an utter dumpster fire out of it. They admit that both D’Ambrosio and at least one of the defendants come from Illinois, which defeats diversity jurisdiction. They admit they don’t know what state a bunch of the defendants come from. They identify a bunch of the defendants as limited liability companies, but don’t plead the facts necessary to identify those entities’ citizenship for purposes of diversity. This is the kind of thing that makes federal judges issue orders of their own accord saying, in judicial terms, “what the fuck is this shit?”
Also, the lawyers claim it’s a “class action” lawsuit, and are actively seeking to recruit more plaintiffs on Reddit, naturally (where — hilariously — the person who originally posted the topic asked the lawyers if they wanted him to start a GoFundMe, apparently not realizing GoFundMe was one of the defendants in the case). Class action defamation lawsuits aren’t really a thing, because for it to be defamation it has to be a statement about a specific person, and the specifics matter. But even beyond that, if you’re filing a class action lawsuit, you have to take some steps, and as White points out, these lawyers didn’t do that:
The caption of the lawsuit proclaims that it’s a class action, and D’Ambrosio’s lawyers have made comments suggesting that they see themselves as suing on behalf of “victims” other than D’Ambrosio. But other than the caption, the lawsuit contains not a single relevant allegation about being a class action. It doesn’t plead any of the factors necessary to qualify as a class action. It’s also obviously unsuited to be a class action: a class action requires a pool of plaintiffs with factually and legally similar claims, but defamation claims are by their nature very individual and context-specific, and each aggrieved man’s case would be very different depending on what was said about them.
White notes that the lawsuit is so badly drafted that he expects it may get dismissed just on the jurisdictional problems without defendants even having to file anything. He also suggests it’s so bad that it could lead to sanctions from the judge.
But, also, this is exactly the kind of case for which I coined the term Streisand Effect nearly twenty years ago. Doing this kind of shit won’t protect your reputation, it will destroy your reputation. And, again as White points out, a good lawyer would warn you of that before filing this sort of lawsuit. Whether or not they warned him about it, the lawsuit has been filed and now the allegedly “very clingy, very fast” guy who might be “very awkward” is, well, having his reputation spread pretty far and wide.
And there are many, many more. So rather than just the types of people who hang out on the “Are We Dating the Same Guy” Facebook groups, now many, many, many more people — some of whom I’d assume are in the dating pool in the Chicago area — are aware of Nikko D’Ambrosio and his reputation. And not just his reputation for being very clingy, very fast, but his reputation for filing bullshit SLAPP suits to try to silence women for expressing their opinion of him.
Hopefully the judge does dump the case. While Illinois does have a decent anti-SLAPP law (which would clearly apply here), the 7th Circuit has suggested it does not apply in federal court (of course, because of the jurisdiction issues, this case doesn’t apply there either, but… whatever).
More importantly, this is a case that demonstrates yet again why Section 230 is so important to protect people against harassment like this very lawsuit. Without Section 230, it becomes way easier to abuse the legal system to try to silence women who point out that you’re a creep. Section 230 protects that kind of information sharing.
The whole case is a mess of epic proportions. It’s a lawsuit that never should have been filed, but now that it has, congrats to Nikko D’Ambrosio for making sure every dating-eligible woman in Chicago knows to avoid you.
Across the nation, bigoted politicians (of the Republican variety, almost exclusively) are trying to punish and silence content and expression they don’t like.
It’s not like it’s even a close question about who’s doing this and why. A slew of bills targeting drag shows and LGBTQ+ writing have been tossed into legislatures all over the nation. Some of those have become law. Most of those that have become law have been challenged in court — challenges often followed swiftly by injunctions prohibiting their enforcement.
But that hasn’t stopped a very motivated, very ignorant subset of politicians from continuing to push laws that threaten civil liberties. And — win or lose — it hasn’t stopped a very determined, extremely minute subset of individuals from trying to make the United States a worse place to live for anyone who isn’t straight and white.
According to an analysis by the Post, 60% of book challenges made in the 2021-2022 school year came from the same 11 adults. […] The majority of objections were on books authored by or about LGBTQ+ people or people of color.
None of these people are worried whether or not children might have access to books like, say, Mein Kampf or The Protocols of the Elders of Zion or even the super-sexed up compositions of dozens of romance novelists. Nope, the publications these 11 people (and the politicians who cater to them) are concerned with deal with certain topics these people would rather children had no knowledge of.
Nearly half of the challenges in The Post’s database, 43 percent, targeted titles with LGBTQ characters or themes.
[…]
Thirty-six percent of targeted books featured characters of color or dealt with issues of race and racism. Of the top 10 most challenged books in The Post’s database, five fell into this category: George M. Johnson’s “All Boys Aren’t Blue,” Toni Morrison’s “The Bluest Eye,” Jonathan Evison’s “Lawn Boy,” Ashley Hope Pérez’s “Out of Darkness” and Angie Thomas’s “The Hate U Give.”
The good news is that none of this shit is going to fly in Illinois. A bill [PDF] signed by Governor JB Pritzker last year took effect January 1st. It’s a ban on book bans, and it means the tactics deployed by the 11 people noted above (along with groups like Moms for Liberty) won’t be nearly as effective in Illinois as they have been elsewhere.
The new law contains a statement of intent from state legislators:
It is further declared to be the policy of the State to encourage and protect the freedom of libraries and library systems to acquire materials without external limitation and to be protected against attempts to ban, remove, or otherwise restrict access to books or other materials.
It sounds pretty good until you look at the text of the law, which leaves it up to publicly-funded libraries to fight back against censorship with no guarantee the state of Illinois will always have its back. The law ties state funding to ban resistance at the library level — something that can easily be overridden by future laws that might, say, tie funding to complying with state or local-level book bans.
In order to be eligible for State grants, a library or library system shall adopt the American Library Association’s Library Bill of Rights that indicates materials should not be proscribed or removed because of partisan or doctrinal disapproval or, in the alternative, develop a written statement prohibiting the practice of banning books or other materials within the library or library system.
Cool, I guess. If the legislative intent is just “Hey, don’t ban books or we’ll take your money,” mission accomplished. Sure, this might make it easier for libraries to reject book challenges by pointing challengers to the law that ties funding to open access to content. On the other hand, adopting a private party’s “bill of rights” isn’t going to protect the state’s libraries from being forced to cooperate with book bans handed down by state or local politicians.
To actually protect libraries against current and future enemies, the state needs to codify this prohibition of book bans at the state level. And it should do this. There’s no reason it shouldn’t. Protecting libraries from future book bans isn’t going to turn libraries into vast repositories of pornography. All it’s going to do is protect libraries (and their users) from content bans the next time the prevailing political winds shift.
Sure, this makes it slightly more difficult for state pols to enact book bans that target public libraries by tying their funding to these stipulations. But those most likely to push statewide book bans don’t really care whether or not people have free access to published works. All that matters to them is that certain works dealing with certain subject matter written by certain people won’t be available to anyone who doesn’t have cash on hand to purchase these works.
Nice try, Illinois. But try harder. This is barely better than nothing at all.
The thin blue line between cops and cop-friendly tech continues to be erased, mostly by cops. No longer content to underserve the public, law enforcement agencies are welcoming the warm embrace of consumer surveillance products in hopes of adding private tech to their publicly-funded surveillance mesh networks.
Ring, Amazon’s home surveillance tech acquisition, was one of the first to successfully merge market expansion with law enforcement self-interest, resulting in Ring handling the PR work while cops handed out “free” cameras to locals with the implicit suggestion recipients of freebies might not ask for a warrant before handing over their security cam footage.
This unnatural relationship has only become more explicit over the last few years. Ring continues to swallow the market, helped in no small part by its conversion of police departments into marketing teams. Flock, a Ring competitor that also offers automated license plate readers, has managed to convert gated communities and government agencies into unpaid PR reps. Helping out with this effort are lazy “journalists” more than willing to publish police press releases verbatim and only seek comment from Flock reps and cop spokespeople who see nothing wrong with co-opting private cameras for public use.
That’s how local papers end up running “reporting” that features the Flock brand name a half-dozen times in the space of 400 words. And that’s how these private companies are able to quote local “reporting” while pitching products to private buyers, as well as the law enforcement agencies hoping to make these cameras a part of their own surveillance networks.
But rarely does it get more explicit than this. The city of Wheaton, Illinois has managed to cross the line from mutually advantageous to incestuous by turning its own website into a storefront for a consumer-facing surveillance camera company.
As the City continually seeks to promote and enhance public safety in our community, the Wheaton Police Department is enlisting the public’s help with a new safety initiative, Connect Wheaton. This program consists of an online security camera registry at www.connectwheaton.org where residents and businesses can register the location of their security cameras with the Wheaton Police Department to help expedite emergency response and crime investigations.
Being able to determine where there are security cameras – including video doorbells, home security systems and commercial surveillance cameras – significantly enhances the Wheaton Police Department’s response efforts. With this information, Wheaton Police Department detectives can quickly determine if video evidence might be available at a particular location and whom to contact to request it.
Absolutely. Knowing where cameras are would help law enforcement solve crimes. That’s indisputable. And a registry, as proposed by the City of Wheaton, would pinpoint location as well as provide contact info so cops can ask for footage via personal request or demand it with a warrant. Nothing about this — SO FAR! — is particularly unusual.
It starts getting weird quick, though:
Residents and businesses can register their cameras with the Wheaton Police Department through the self-service portal at connectwheaton.org. Your information will be kept confidential and only accessed in the event of a criminal investigation or emergency incident.
First, this assurance is meaningless. When cops say your information “will be kept confidential,” they mean from everyone but themselves. Limiting access to investigations or “emergency incidents” is just as meaningless, considering the police can initiate “investigations” for little or no reason. And “emergency incident” is there to cover any situation where cops access people’s information when nothing is currently under investigation.
The city’s statement does note that registration does not give officers live access to registered cameras. While that seems like a government entity demonstrating its interest in protecting the constitutional rights of residents, this is really nothing more than the city stating a logistical reality: info on camera location, as well as the owner’s personal data, is not capable of providing direct or on-demand access to live footage or recordings.
But things really start to look ugly when you visit the city’s website, which not only allows residents to register cameras, but pushes them towards purchasing products from the city’s preferred provider, Fusus.
To share your cameras, all you need is a small fususCORE device that plugs into your camera system. Once it’s set up, it enables camera sharing based on your settings without impacting your network.
Are you, the proverbial Wheaton resident, unsure of where to get this “fususCORE” and/or incapable of performing a perfunctory Google search? Great news! The City of Wheaton allows you to purchase approved surveillance devices compatible with the city’s surveillance network and desires directly from its publicly-funded website.
There’s a memorandum of understanding (MOU) between the Wheaton PD and Fusus that the site calls “Terms and Conditions.” But unlike most T&Cs, it has nothing to do with purchasers’ agreements with Fusus and everything to do with what the PD gets from this lucrative (in more than just financial terms) agreement with its chosen provider.
You know, things like this, which says the department can go through Fusus directly to obtain footage from private cameras, despite suggesting otherwise in the statement on the city’s website.
Partner grants video access to Department for videos designated by Partner that are owned by or under management by Partner.
Are cameras or tech sold through the city’s website considered to be “owned or under management?” Are registered devices considered to be “under management?” The MOU doesn’t say. And neither does the city, which has only offered the assurance there will be no real-time access to privately-owned cameras… unless the camera owner agrees to do so via a handy “panic button” included in the Fusus camera management app.
The MOU also says the PD can view recorded footage (after gaining access through Fusus) even when there’s no emergency or criminal investigation underway.
Video access by Department does not constitute commitment on the part of Department that video will be viewed in emergencies or when requested by Partner.
This is some bullshit. City residents are encouraged to purchase compatible surveillance tech via the city’s website. The included “Terms and Conditions” have nothing to do with private residents or their purchases. The agreement being made when residents buy cameras through the city’s site isn’t between them and Fusus. It’s an agreement between Fusus and the PD — one that says the PD is under no obligation to abide by the constraints stated in the city’s announcement: restraints that would restrict access to criminal investigations or emergency situations. The MOU says the PD can get the footage directly from third parties and it doesn’t even need to demonstrate it’s doing this for any particular law enforcement purpose.
Fortunately, Wheaton residents have the most powerful option in their hands: inaction. They’re not required to register cameras or buy Fusus add-ons to make it easier for cops to obtain recordings without their express permission. All they have to do is nothing to thwart this expansion of the government’s surveillance powers. And, as we all have observed from decades of low voter turnout, doing nothing is something most citizens do best.
Some city officials in Illinois are now engaged in a round of “How Can I Get Sued?” Sounds like fun, but Calumet City officials might do well to remember the only way to win is not to play.
That’s the upshot of the latest bit of officious nonsense to surface in the Chicago area. Granted, it’s far more innocuous than unjustified killings perpetrated by cops or law enforcement operating its own off-the-books, rights-free interrogation black site.
But it’s far from harmless. This suburb of Chicago — as poorly represented by elected representatives and the law enforcement agency they oversee — has decided it’s time to start punishing journalists for doing journalism, as Gregory Platt details in this report for the Chicago Tribune.
Calumet City officials have issued municipal citations to a Daily Southtown reporter who they allege violated local ordinances by seeking comment from public employees on major flooding issues in the area.
Several notices sent to reporter Hank Sanders describe the alleged violations as “interference/hampering of city employees.”
Now, there’s something you rarely see on a Civics test. How does one “hamper” a city employee, if one were so inclined (or not even inclined, as is the case here) to do so?
There’s no clear answer here. This is how it went down in Calumet, though. “Hampering” — like all the best laws — is interpreted subjectively.
Hank Sanders apparently had several questions about the city’s storm water facilities, which were apparently already in poor condition prior to their inability to handle September’s historic rainfall. After widespread flooding in the city’s poorest neighborhood, Sanders hounded city officials, including Mayor Thaddeus Jones, with questions about these facilities.
At some point, these officials decided Sanders had asked too many questions. Rather than respect someone who firmly believed the best modifier for “reporting” is “dogged,” these officials decided to hit Sanders with citations for… well, what exactly?
“Despite all FOIA requests being filled, Hank Sanders continues to contact city departments and city employees via phone and email,” the violation notice mentioning Jones states. “Despite request from Calumet City attorneys to stop calling city departments and employees, Hank Sanders continues to do so.”
Rather than simply “no comment” their way out of these interactions, the city decided to fine Sanders for asking questions. And while a “no comment” is never satisfactory, it at least does not come with fines and fees attached.
Continuing to ask questions after being given some answers is what these officials apparently believe satisfies the legal definition of “hampering.” And that belief is just as ridiculous as this response to Sanders and his ongoing queries.
I’m sure these particularly officious officials will be startled to learn that these fines and fees won’t stick because there’s simply no way for Sanders to determine when he’s crossed the line from performing his journalistic duties to (in the legal sense) “hampering” city employees.
“Between the dates of October 4th and October 12th Hank Sanders sent fourteen (14) emails to the city of Calumet City reference the recent flooding,” the Wilson notice states.
What is he supposed to glean from a legal notice like this one? Is 14 emails one too many? Would 12 be acceptable? Is it that 14 emails were sent in nine days? If 14 emails were sent over a ten-day period, would that be non-hampering? In other words, there’s nothing in this that makes it clear where persistence becomes legally actionable harassment under the ordinance being used to punish Sanders for continuing to demand answers from elected officials.
And, as long as Sanders can’t define it and city leaders can’t explicitly say what does or does not constitute a “hampering,” it remains exactly what it appears to be: a ham-fisted effort to silence a journalist who’s done nothing more than engage in acts of journalism. First Amendment litigators, start your engines!
Well, this is an unfortunate turn of events. The last time we discussed this issue in this state (March 2019), a state appeals court came to the opposite conclusion: compelling password production is a violation of rights.
That ruling said the foregone conclusion doctrine didn’t apply, at least not the way the state wanted it to apply. The state said the only thing it needed to show was that the phone likely belonged to the criminal suspect. If it could provide enough evidence linking the phone to the arrested person, and could make the reasonable assumption the device contained evidence, these conclusions would allow compelled password production to bypass the Fifth Amendment.
That’s not what’s actually at stake here, the appeals court replied. The government wasn’t interested in the passcode. It was actually interested in what the device contained, which it could access more easily if the defendant was forced to unlock it.
While the State is aware that the passcode existed and that Spicer knew it, the State could not know that the passcode was authentic until after it was used to decrypt Spicer’s phone. Moreover, the production of Spicer’s passcode would provide the State more information than what it already knew. Although the focus of the foregone conclusion is on the passcode, in our view, it properly should be placed on the information the State is ultimately seeking, which is not the passcode but everything on Spicer’s phone.
That was the call made by this appeals court in the Spicer case — a ruling that did not go so far as to call all compelled production a Fifth Amendment violation, but one that made it clear the “foregone conclusion” analysis should be applied to what the state is actually seeking, rather than what it assumes about phone ownership.
This decision (People v. Spicer) was applied by the district court in another criminal case. The court reached the same conclusion the appeals court did: compelled password production is a Fifth Amendment violation.
The state’s Supreme Court, however, has recently reversed that decision. (h/t FourthAmendment.com) And in doing so, it has not only nullified the findings in Spicer, but established precedent that says the only foregone conclusion the government needs is the one connecting the phone to the criminal suspect.
And it reaches its conclusion despite acknowledging the password is not really what the cops want. They want an unlocked phone so they can access everything inside of it. This is from the decision’s [PDF] discussion of the practical effects of the lower court’s ruling.
The search warrant issued allowing a search of defendant’s phone, and the circuit court entered an order denying the State’s motion to compel defendant to provide the passcode to the phone. In determining whether the circuit court’s order effectively quashed the search warrant, we observe that the definition of “quash” is “[t]o annul or make void; to terminate.” Black’s Law Dictionary (11th ed. 2019). Here, the search warrant authorized officers to search defendant’s phone and required defendant to unlock the phone so officers could execute the warrant. The circuit court’s denial of the motion to compel eliminated the requirement for defendant to comply with the search warrant. As such, we conclude that the circuit court’s order annulled or voided the search warrant; thus, it had the substantive effect of quashing the search warrant.
We further conclude that the circuit court’s denial of the motion to compel effectively suppressed evidence. Although the denial did not directly suppress specifically identified evidence, it prevented the State from accessing any evidence on the phone and presenting it to the factfinder, thereby having the substantive effect of suppressing evidence.
The government didn’t want the passcode. It wanted an unlocked phone. The search to be performed did not target a passcode, but everything the passcode would provide access to. Police didn’t have much evidence connecting the seized phone to the alleged crime (forged checks being deposited via mobile deposit), but still insisted the defendant should be forced to unlock the phone. There wasn’t much in the way of any “foregone conclusions,” no matter which standard the lower court applied.
[Detective Todd] Ummel believed defendant’s phone contained a photograph of the checks, and he was “hoping to find” such a photograph. Ummel further sought additional files pertaining to the mobile deposits. He conceded, however, that he did not know for certain that any such files existed and that there was currently nothing connecting defendant to the transactions besides Spurling’s statements. Ummel added that he had not attempted to subpoena records from defendant’s cell phone carrier to obtain copies of text messages.
[…]
Applying those principles, the circuit court observed that Spurling’s statements were the only evidence linking defendant’s phone to the transactions in question and it would be speculative to presume that a photograph of the checks would remain on the phone after the transactions were complete. Though the circuit court did not perceive the State’s endeavor as a fishing expedition, it concluded that the State did not establish with reasonable particularity that, at the time it sought the act of production, it knew the evidence existed, the evidence was in defendant’s possession, and the evidence was authentic.
The appellate court (not the same one that handled the Spicer case) reversed the lower court’s decision, declaring compelled passcode production to be harmless in terms of the Fifth Amendment.
In this case, the appellate court declined to follow Spicer and concluded that the compelled production of the passcode is nontestimonial, reasoning that a passcode may be used so often that retrieving it “is a function of muscle memory rather than an exercise of conscious thought.” 2021 IL App (4th) 210180, ¶ 59. The appellate court asserted that “a cell phone passcode is more akin to a key to a strongbox than a combination to a safe.”
Having decided that this act was nontestimonial, it didn’t even bother to apply the foregone conclusion doctrine and skipped straight to siding with the government’s assertions. That led to this appeal, which asked the state Supreme Court to decide whether or not compelling password production violates Fifth Amendment protections against self-incrimination.
The state of Illinois had plenty of friends pitch in on its behalf:
Before proceeding with our analysis, we acknowledge that this court granted a motion of Indiana, Arkansas, Florida, Idaho, Louisiana, Minnesota, Mississippi, New Jersey, North Dakota, Oklahoma, Oregon, South Carolina, South Dakota, Utah, and Virginia (collectively, amici states) to file an amicus curiae brief in support of the State’s position on appeal.
So, there’s a handy list of states where governments feel citizens have too many constitutional protections… at least when it comes to phone searches. Good to know.
The state’s top court says producing a passcode is testimonial, but not testimonial enough. The Fifth Amendment does not apply.
To summarize, the State established that, at the time it sought the act of production, it knew with reasonable particularity that the passcode existed, the passcode was in defendant’s possession or control, and the passcode was self-authenticating. These implicit facts add “little or nothing to the sum total of the [State’s] information.” Fisher, 425 U.S. at 411. In other words, the act of entering the passcode has no testimonial value, as the facts implicit in the act are already known by the State. Therefore, the facts are foregone conclusions and insufficiently testimonial to be privileged under the fifth amendment. For these reasons, we conclude that the foregone conclusion doctrine applies as an exception to the fifth amendment privilege in this case.
That’s the call. The dissent, however, says the majority is forgetting there’s another constitution in the mix here.
Because police have all the cell phone’s contents, they may use any means at their disposal to decrypt the contents but one: they must not compel Sneed to decrypt or translate the contents of the cell phone. The Illinois Constitution provides: “No person shall be compelled in a criminal case to give evidence against himself ***.” Ill. Const. 1970, art. I, § 10. Prosecutors intend to use the decrypted contents to prove Sneed committed forgery. The appellate court’s order compels Sneed “in a criminal case to give evidence against himself,” and therefore it violates article I, section 10, of the Illinois Constitution.
The dissent goes on to point out investigators had other options. They just decided not to use them because it wasn’t worth the expense.
The Illinois State Police, De Witt County, and the Clinton Police Department understandably decided that the prosecution of Sneed for forging less than $1000 worth of checks did not justify the expense of hacking or commercial decryption. The circuit court’s order denying the State’s motion to compel Sneed to decrypt the cell phone’s contents left the police and prosecutors with a choice of either spending thousands in pursuit of decryption to lead to a conviction for a relatively minor offense or trying to obtain the conviction without the decryption.
But somehow the government is fine spending thousands on a single lowball prosecution in hopes that it might be easier in the future to bypass constitutional protections to engage in other lowball prosecutions.
And it worked. The state spent an untold amount of taxpayers’ money seeking precedent that diminished their constitutional protections. Now, it’s free to compel decryption in almost any criminal case, even if it has plenty of other means of obtaining evidence. The state wins. Illinoisans lose.
Protecting against threats means determining what your threat level is. Demanding everyone utilize a 53-character password with uppercase letters, numbers, and “special symbols” generally just makes people more irritated, rather than more secure.
Obviously, things must be secured. And passwords shouldn’t be so simple that anyone with an off-the-shelf HP desktop can hack them.
But people in charge of security need to weigh perceived threats against security responses. What they absolutely shouldn’t do is hammer the RESET button without considering the consequences of their actions.
When we first enter school, we’re constantly told to “be on our best behavior.” Apparently, that same warning doesn’t apply to educators. An Illinois school did one of the right things: it asked for an audit of its security. Its response, however, indicated no one at the school security level was on their best behavior. Here’s Lorenzo Franceschi-Bicchierai with the details for TechCrunch:
Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”
“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”
Yikes. I realize a blanket reset is far easier than simply revoking passwords to force end users to create a new one, but this is all sorts of wrong. Even if the school didn’t have a Plan B for this occurrence, it could not have done worse than informing everyone that everyone has the same password until each individual made the effort to change it.
And this was handled during the school off-season, which means the email was likely ignored or back-burnered by many recipients. But those who did read it — and any malcontents who might have realized what this reset meant — now had all the information they needed to access any account run by this school.
Fortunately, this doesn’t appear to have attracted the attention of malicious individuals. And the school has performed another reset that is far less stupid. The new reset involves sending every user their own “special password” via email, which should limit the collateral damage.
But before the damage was mitigated, not only could people access other people’s stuff, but they also had no functioning option to prevent others from accessing their stuff.
Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”
Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.
“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.
Manning Peterson isn’t being paid to ensure the school’s systems are secure. But that’s the service she ended up performing. Offloading the security responsibility on end users isn’t a great way to handle perceived security flaws. Giving every end user the power to see every other user’s information is a horrendous way to respond to a security audit.
Things may be (at least temporarily) under control at Oak Park and River Forest. But this catastrophe isn’t going to assure any student, staff member, or parent that further fuck ups aren’t inevitable.
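As an added example (not code from the school, its vendor, or the original article), the Python below puts the blanket reset described above next to a per-user reset that issues a distinct, expiring temporary password and forces a change at first login, plus an audit that lists every account still accepting an announced password. The `Account` record, all function names, the `school.example` addresses and the clock value are constructed for illustration; only the string `Ch@ngeme!` comes from the quoted email.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 200_000  # work factor for the stored password hashes


@dataclass
class Account:
    """Hypothetical directory record, not any real vendor's schema."""
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    must_change: bool = False
    temp_expires: Optional[datetime] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _set_password(acct: Account, password: str) -> None:
    acct.salt = secrets.token_bytes(16)  # fresh salt on every change
    acct.pw_hash = _derive(password, acct.salt)


def _matches(acct: Account, password: str) -> bool:
    return bool(acct.pw_hash) and hmac.compare_digest(
        acct.pw_hash, _derive(password, acct.salt))


def shared_default_reset(accounts: List[Account], default: str) -> None:
    """The flawed reset: every account accepts one announced password."""
    for acct in accounts:
        _set_password(acct, default)
        acct.must_change = False
        acct.temp_expires = None


def per_user_reset(accounts: List[Account], now: datetime,
                   ttl: timedelta = timedelta(hours=24)) -> Dict[str, str]:
    """Give each account its own random temporary password.

    The returned plaintext map exists only so each value can be delivered
    to its owner individually; the directory keeps salted hashes only.
    """
    issued: Dict[str, str] = {}
    for acct in accounts:
        temp = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
        _set_password(acct, temp)
        acct.must_change = True           # usable once, to set a real password
        acct.temp_expires = now + ttl     # unclaimed credentials stop working
        issued[acct.username] = temp
    return issued


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    if not _matches(acct, password):
        return "denied"
    if acct.temp_expires is not None and now >= acct.temp_expires:
        return "denied"
    return "change_required" if acct.must_change else "ok"


def accounts_accepting(accounts: List[Account], candidate: str) -> List[str]:
    """Audit: which accounts still accept a password that was announced?"""
    return [a.username for a in accounts if _matches(a, candidate)]


def demo() -> Dict[str, object]:
    # Constructed roster and clock; nothing here is real account data.
    roster = [Account(f"student{i}@school.example") for i in range(1, 5)]
    now = datetime(2030, 1, 1, 16, 0, tzinfo=timezone.utc)
    shared_default_reset(roster, "Ch@ngeme!")
    exposed = accounts_accepting(roster, "Ch@ngeme!")
    issued = per_user_reset(roster, now)
    a, b = roster[0], roster[1]
    return {
        "exposed_after_shared_reset": exposed,
        "exposed_after_per_user_reset": accounts_accepting(roster, "Ch@ngeme!"),
        "distinct_temp_passwords": len(set(issued.values())),
        "own_temp": login(a, issued[a.username], now),
        "peer_temp": login(a, issued[b.username], now),
        "own_temp_expired": login(a, issued[a.username], now + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the shared reset the audit returns the whole roster; after the per-user reset it returns nothing, and one student's temporary password is rejected on another student's account.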
California passed the California Age-Appropriate Design Code (AADC) nominally to protect children’s privacy, but at the same time, the AADC requires businesses to do an age “assurance” of all their users, children and adults alike. (Age “assurance” requires the business to distinguish children from adults, but the methodology to implement has many of the same characteristics as age verification–it just needs to be less precise for anyone who isn’t around the age of majority. I’ll treat the two as equivalent).
Doing age assurance/age verification raises substantial privacy risks. There are several ways of doing it, but the two primary options for quick results are (1) requiring consumers to submit government-issued documents, or (2) requiring consumers to submit to face scans that allow the algorithms to estimate the consumer’s age.
[Note: the differences between the two techniques may be legally inconsequential, because a service may want a confirmation that the person presenting the government documents is the person requesting access, which may essentially require a review of their face as well.]
But are face scans really an option for age verification, or will they conflict with other privacy laws? In particular, face scanning seemingly directly conflicts with biometric privacy laws, such as Illinois’ BIPA, which provide substantial restrictions on the collection, use, and retention of biometric information. (California’s Privacy Rights Act, CPRA, which the AADC supplements, also provides substantial protections for biometric information, which is classified as “sensitive” information). If a business purports to comply with the CA AADC by using face scans for age assurance, will that business simultaneously violate BIPA and other biometric privacy laws?
Section 15(b) of the Act deals with informed consent and prohibits private entities from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or information without the person’s informed written consent. In other words, the collection of biometric identifiers or information is barred unless the collector first informs the person “in writing of the specific purpose and length of term for which the data is being collected, stored, and used” and “receives a written release” from the person or his legally authorized representative.
Right away, you probably spotted three potential issues:
The presentation of a “written release” slows down the process. I’ve explained how slowing down access to a website can constitute an unconstitutional barrier to content.
Will an online clickthrough agreement satisfy the “written release” requirement? Per E-SIGN, the answer should be yes, but standard requirements for online contract formation are increasingly demanding more effort from consumers to signal their assent. In all likelihood, BIPA consent would require, at minimum, a two-click process to proceed. (Click 1 = consent to the BIPA disclosures. Click 2 = proceeding to the next step).
Can minors consent on their own behalf? Usually contracts with minors are voidable by the minor, but even then, other courts have required the contracting process to be clear enough for minors to understand. That’s no easy feat when it relates to complicated and sensitive disclosures, such as those seeking consent to engage in biometric data collection. This raises the possibility that at least some minors can never consent to face scans on their own behalf, in which case it will be impossible to comply with BIPA with respect to those minors (and services won’t know which consumers are unable to self-consent until after they do the age assessment #InfiniteLoop).
[Another possible tension is whether the business can retain face scans, even with BIPA consent, in order to show that each user was authenticated if challenged in the future, or if the face scans need to be deleted immediately, regardless of consent, to comply with privacy concerns in the age verification law.]
The primary defendant at issue, Binance, is a cryptocurrency exchange. (There are two Binance entities at issue here, BCM and BAM, but BCM drops out of the case for lack of jurisdiction). Users creating an account had to go through an identity verification process run by Jumio. The court describes the process:
Jumio’s software…required taking images of a user’s driver’s license or other photo identification, along with a “selfie” of the user to capture, analyze and compare biometric data of the user’s facial features….
During the account creation process, Kuklinski entered his personal information, including his name, birthdate and home address. He was also prompted to review and accept a “Self-Directed Custodial Account Agreement” for an entity known as Prime Trust, LLC that had no reference to collection of any biometric data. Kuklinski was then prompted to take a photograph of his driver’s license or other state identification card. After submitting his driver’s license photo, Kuklinski was prompted to take a photograph of his face with the language popping up “Capture your Face” and “Center your face in the frame and follow the on-screen instructions.” When his face was close enough and positioned correctly within the provided oval, the screen flashed “Scanning completed.” The next screen stated, “Analyzing biometric data,” “Uploading your documents”, and “This should only take a couple of seconds, depending on your network connectivity.”
Allegedly, none of the Binance or Jumio legal documents make the BIPA-required disclosures.
The court rejects Binance’s (BAM) motion to dismiss:
Financial institution. BIPA doesn’t apply to a GLBA-regulated financial institution, but Binance isn’t one of those.
Choice of Law. BAM is based in California, so it argued CA law should apply. The court says no because CA law would foreclose the BIPA claim, plus some acts may have occurred in Illinois. Note: as a CA company, BAM will almost certainly need to comply with the CA AADC.
Extraterritorial Application. “Kuklinski is an Illinois resident, and…BIPA was enacted to protect the rights of Illinois residents. Moreover, Kuklinski alleges that he downloaded the BAM application and created the BAM account while he was in Illinois.”
Inadequate Pleading. BAM claimed the complaint lumped together BAM, BCM, and Jumio. The court says BIPA doesn’t have any heightened pleading standards.
Unjust Enrichment. The court says this is linked to the BIPA claim.
Jumio’s motion to dismiss also goes nowhere:
Retention Policy. Jumio says it now has a retention policy, but the court says that it may have been adopted too late and may not be sufficient.
Prior Settlement. Jumio already settled a BIPA case, but the court says that only could protect Jumio before June 23, 2019.
First Amendment. The court says the First Amendment argument against BIPA was rejected in Sosa v. Onfido and that decision was persuasive.
[The Sosa v. Onfido case also involved face-scanning identity verification for the service OfferUp. I wonder if the court would conduct the constitutional analysis differently if the defendant argued it had to engage with biometric information in order to comply with a different law, like the AADC?]
The court properly notes that this was only a motion to dismiss; defendants could still win later. Yet, this ruling highlights a few key issues:
1. If California requires age assurance and Illinois bans the primary methods of age assurance, there may be an inter-state conflict of laws that ought to support a Dormant Commerce Clause challenge. Plus, other states beyond Illinois have adopted their own unique biometric privacy laws, so interstate businesses are going to run into a state patchwork problem where it may be difficult or impossible to comply with all of the different laws.
2. More states are imposing age assurance/age verification requirements, including Utah and likely Arkansas. Often, like the CA AADC, those laws don’t specify how the assurance/verification should be done, leaving it to businesses to figure it out. But the legislatures’ silence on the process truly reflects their ignorance–the legislatures have no idea what technology will work to satisfy their requirements. It seems obvious that legislatures shouldn’t adopt requirements when they don’t know if and how they can be satisfied–or if satisfying the law will cause a different legal violation. Adopting a requirement that may be unfulfillable is legislative malpractice and ought to be evidence that the legislature lacked a rational basis for the law because they didn’t do even minimal diligence.
3. The clear tension between the CA AADC and biometric privacy is another indicator that the CA legislature lied to the public when it claimed the law would enhance children’s privacy.
4. I remain shocked by how many privacy policy experts and lawyers remain publicly quiet about age verification laws, or even tacitly support them, despite the OBVIOUS and SIGNIFICANT privacy problems they create. If you care about privacy, you should be extremely worried about the tsunami of age verification requirements being embraced around the country/globe. The invasiveness of those requirements could overwhelm and functionally moot most other efforts to protect consumer privacy.
5. Mandatory online age verification laws were universally struck down as unconstitutional in the 1990s and early 2000s. Legislatures are adopting them anyway, essentially ignoring the significant adverse caselaw. We are about to have a high-stakes society-wide reconciliation about this tension. Are online age verification requirements still unconstitutional 25 years later, or has something changed in the interim that makes them newly constitutional? The answer to that question will have an enormous impact on the future of the Internet. If the age verification requirements are now constitutional despite the legacy caselaw, legislatures will ensure that we are exposed to major privacy invasions everywhere we go on the Internet–and the countermoves of consumers and businesses will radically reshape the Internet, almost certainly for the worse.
Illinois’ Biometric Information Privacy Act (BIPA), passed in 2008, continues to be the Little Legislation That Could. While occasionally hijacked by opportunistic litigants whose privacy hasn’t actually been violated, it’s also been used to achieve some objective good.
In 2020, the law played an instrumental part in wresting a $550 million settlement from Facebook over its noxious auto-tag feature — a feature no one asked for that automatically scans users’ photos in order to attach names to faces in newly uploaded content. The payout was a relative bargain, considering the number of violations (at $1k-5k per) by Facebook originally put the estimated fee total closer to $35 billion.
The same law also forced an entity that fed off social media services into settling as well. Clearview — the facial recognition startup that utilizes scraped content to build a database it sells to law enforcement — was sued in 2020 for violating BIPA. That ended in a settlement by facial recognition tech’s ugliest child in which it agreed to stop doing business in Illinois. (Unfortunately, that agreement only extends to private parties, not Illinois government agencies, which apparently can still utilize Clearview’s offering without either party violating the settlement.)
Illinois’ highest court on Friday said companies violate the state’s unique biometric privacy law each time they misuse a person’s private information, not just the first time, a ruling that could expose businesses to billions of dollars in penalties.
The Illinois Supreme Court in a 4-3 decision said fast food chain White Castle System Inc must face claims that it repeatedly scanned fingerprints of nearly 9,500 employees without their consent, which the company says could cost it more than $17 billion.
Obviously, this isn’t going to cost the chain $17 billion. It may have offered that top end speculation as a cautionary note to shareholders and perhaps to garner a little sympathy. But that doesn’t mean this will end with a financial wrist slap either. The court’s opinion [PDF] disagrees with every attempt made by White Castle to limit potential damages to single initial violations, rather than a years-long string of repeated violations.
We agree with plaintiff that the plain language of the statute supports her interpretation. “Collect” means to “to receive, gather, or exact from a number of persons or other sources.” Webster’s Third New International Dictionary 444 (1993). “Capture” means “to take, seize, or catch.” We disagree with defendant that these are things that can happen only once. As plaintiff explains in her complaint, White Castle obtains an employee’s fingerprint and stores it in its database. The employee must then use his or her fingerprint to access paystubs or White Castle computers. With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.
White Castle also argued that it couldn’t violate the Act multiple times because once the original violation had taken place (the passing of biometric data to a third party without consent or notification), that privacy could no longer be violated. Interesting, says the court. But wrong. And unsupported by precedent.
Put simply, our caselaw holds that, for purposes of an injury under section 15 of the Act, the court must determine whether a statutory provision was violated. Consequently, we reject White Castle’s argument that we should limit a claim under section 15 to the first time that a private entity scans or transmits a party’s biometric identifier or biometric information. No such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.
That answers the question passed on to the state’s Supreme Court by the Seventh Circuit Appeals Court. Since the answer to the certified question is affirmative, the plaintiffs can continue to sue White Castle for perpetual violations of state law every time they were required to use their fingerprints to verify their identity — a program that began in 2004 and apparently went unaltered even after the privacy law took effect in 2008. White Castle will probably be looking to settle soon. Any agreement in the mere millions is going to sound far more enticing than the $17 billion the company has voluntarily admitted it might owe.
The company’s also no stranger to using sleazy lobbying to get whatever it wants, whether that’s less competition, fewer consumer protections, rubber stamped mergers, or gigantic tax breaks that serve no useful public purpose. The vast, vast majority of the time the company faces absolutely no repercussion for its dodgy lobbying practices, especially those on the state level.
That luck recently ran out in Illinois, where the company was fined $23 million for bribing a state lawmaker’s ally in order to secure a key policy vote. According to a deferred prosecution agreement, the vote in question was a 2017 vote on Carrier of Last Resort (COLR) legislation that would have eliminated AT&T’s obligation to continue to provide landline service to all state residents.
AT&T of course wants to be free of having to provide dated landlines. Consumer groups are quick to note many of those landlines are used by old people who often can’t afford (or don’t understand how to use) cellular service, leaving them cut off from essential services and 911. They were also paid for on the back of millions in taxpayer subsidies, suggesting that taxpayers should have some say in the matter.
Instead of just making its case, AT&T used an intermediary lobbying firm to deliver $22,500 to former Illinois Speaker of the House Michael J. Madigan to influence his vote:
AT&T allegedly used a lobbying firm as an intermediary to make the payment and disguise its true purpose. US Attorney John Lausch’s office filed a one-count criminal information in US District Court for the Northern District of Illinois, charging AT&T Illinois with using an interstate facility to promote legislative misconduct. Former AT&T Illinois President Paul La Schiazza was indicted on five charges as a result of the same investigation.
As somebody that has covered AT&T for 22 years now, I know this kind of dirty pool happens pretty much constantly. In many states, AT&T all but owns the entirety of the state legislature, routinely literally writing state telecom policy and legislation. The vast, vast majority of the time, AT&T sees absolutely no penalty for the behavior, making this a rare occurrence.
AT&T’s no stranger to these kinds of tactics on the federal level either. In the last five years alone the company managed to secure a massive $42 billion tax break in exchange for doing nothing, gutted the FCC and its consumer protection authority, eliminated both net neutrality and broadband privacy rules, and is currently helping to gridlock the nomination of FCC nominee Gigi Sohn.
All to protect its regional telecom monopoly, stall competition, and ensure U.S. consumer protection enforcement is a feckless mess. You don’t get to enjoy six straight years of captured federal lawmakers without breaking more than a few of the nation’s already extremely pathetic lobbying rules (like that time AT&T paid Trump fixer Mike Cohen $600k to gain inside access to the Trump White House).