New Illinois Law Says Cops Need A Warrant To Grab Data From (Some) Third Parties
from the on-the-other-hand,-you-still-have-to-deal-with-the-Chicago-PD dept
The state of Illinois continues to provide more protection than the US Constitution. Its privacy laws exceed what has been determined to be “reasonable” violations of privacy by decades of court precedent. This has allowed it to go after companies for violating state laws, even when the collections being prosecuted would likely be legal under the Supreme Court-created “Third Party Doctrine.”
State law allowed Facebook to be successfully sued over its facial recognition program — one that detects faces and attempts to match them to Facebook profiles to “tag” photos with names of account holder’s “friends.” This resulted in a $550 million settlement from Facebook — a relative bargain considering the original asking price was $35 billion.
It also has allowed the state to move forward with its lawsuit against odious facial recognition tech provider, Clearview. Clearview sells access to its database and AI to government agencies for the alleged purpose of identifying criminal suspects. The AI — finally independently tested years after its debut — appears to be fairly solid. But its 10 billion image (and counting) database is composed of images and personal info scraped from thousands of websites and social media platforms. According to the state of Illinois, this collection violates state privacy laws because Illinois residents are not informed of this collection, nor are they given any opportunity to opt in or out.
Third parties aren’t the only ones availing themselves of data harvested from the web. Government agencies are taking advantage of massive collections assembled by data brokers. The assumption by law enforcement is that no warrant is needed to obtain location info and identifying information from third parties because there’s no expectation of privacy in information shared with apps, websites, and service providers.
It should be clear that’s likely not acceptable in Illinois where state law regulates these collections to ensure end users are protected (at least somewhat) by mandates requiring notification and consent. Nonetheless, law enforcement persists in accessing this data, assuming their actions aren’t illegal even if the collections they’re accessing have been illegally obtained.
That’s going to change. A new law that went into effect at the beginning of this year says Illinois law enforcement can no longer access this information without a warrant.
A first-of-its-kind law in Illinois limiting law enforcement access to data from household digital devices sits at the forefront of an emerging legal debate over protecting the privacy of such records.
The state’s law, which takes effect Jan. 1, comes as law enforcement seeks to tap into consumers’ growing collection of internet-connected devices, from smart speakers to security cameras. These devices can capture conversations, movements, and other information that could be used for investigating crimes.
Known as the Protecting Household Privacy Act, the law restricts the sharing of device data by requiring a search warrant or permission from the device’s owner, with some exceptions in emergency scenarios.
As noted above, the law [PDF] contains warrant exceptions that can be used if law enforcement believes there’s an imminent threat to someone’s life or safety, as well as if the officer believes a warrant could have been obtained but is somehow prevented from obtaining one immediately. That last exception is a nod to the “good faith exception,” but the law at least demands officers still apply for and obtain a warrant for data collected under the exigent circumstances exception. And it’s limited to certain devices, which means information from some data brokers will still be obtainable without a warrant.
The law is pretty solid. Exigent circumstances can be used to avoid seeking a warrant first, but a warrant must be obtained within 72 hours to legitimize the warrantless collection.
The bigger problem is the Stored Communications Act. This federal law is far less stringent and would allow Illinois law enforcement agencies to bypass the law by partnering with federal agencies. In those cases, federal law would apply. And even if local agencies don’t seek this information directly, they will obviously have indirect access to whatever has been obtained by federal agencies.
The law seeks to head this off with this language:
In the event of any conflict between this Act and any applicable federal or State law, the requirement that establishes the higher standard for law enforcement to obtain information shall govern.
But, as stated above, this restriction only applies to Illinois agencies. Federal agencies can still obtain the data and presumably share it with local agencies to help them route around these newly imposed restrictions.
Despite its shortcomings, the law provides far more protection for Illinois residents than federal law — or federal court decisions — provide. It’s a win for locals that generates some friction for federal partnerships. How the applicable restrictions will be applied remains to be seen, but it’s a good move by the state to protect residents from the government overreach enabled by the Third Party Doctrine.