Journalists Covering Fallout from George Floyd Death Take Legal

Home , Brian Karem, Facebook Messenger Rooms, Max Schrems

A PUBLICATION OF THE SILHA CENTER FOR THE STUDY OF MEDIA ETHICS AND LAW | SUMMER 2020 Journalists Covering Fallout from George Floyd Death Take Legal Action; Misinformation Underscores Lessons from 2020 Silha Spring Ethics Forum ournalists and news organizations covering the Winter/Spring 2020 issue; “Judge Allows Media and Public to fallout from the May 2020 death of George Floyd in Make Copies of Evidence from Trial of Former Minneapolis Minneapolis filed numerous lawsuits and took other Police Officer, Restricts Live Streaming of Noor Sentencing legal action seeking to vindicate their newsgathering Hearing” in the Summer 2019 issue, and “Media Coalition Wins rights and obtain information. Meanwhile, false Legal Victory to Access Body Camera Video in Trial of Former Jinformation circulated about the events surrounding Floyd’s Minneapolis Police Officer” in the Winter/Spring 2019 issue.) death provide a case study about the pernicious nature of On May 29, Minnesota Gov. Tim Walz’s office announced misinformation and how it spreads, particularly online, which that the governor had signed Executive Order 20-65, which was the subject of the 2020 Silha Spring Ethics Forum. “implement[ed] a temporary nighttime curfew that will provide On May 25, 2020, Floyd, a 46-year-old African American man, safety for Minnesota residents from individuals who have was arrested in south Minneapolis after he allegedly used a engaged in unlawful and dangerous activity in recent days counterfeit $20 bill. Surveillance footage released on May 27 and threatened the security of lawful demonstrators and first showed Floyd being dragged out of his vehicle. After Floyd was responders.” However, the news media were among those pulled out of his vehicle at the intersection of East 38th Street exempt from the curfew order. and Chicago Avenue, Minneapolis Police Department (MPD) On June 1, 2020, the Hennepin County Medical Examiner Officer J.A. Kueng held Floyd’s back and Officer Thomas (ME) released its updated findings and ruled that Floyd’s death Lane held his legs. Officer Tou Thoa, who arrived at the scene was a homicide, finding that he died of “cardiopulmonary with MPD Officer Derek Chauvin, blocked witnesses from arrest complicating law enforcement subdual, restraint, interfering. Chauvin “dug his knee into the man’s neck,” despite and neck compression.” The ME’s report claimed that the Floyd pleading that he was in pain and could not breathe, as “injury occurred” because the “[d]ecedent experienced reported by the Associated Press (AP) on May 28. Chauvin a cardiopulmonary arrest while being restrained by law continued to press his knee down on Floyd’s neck for nearly enforcement officer(s),” though it also noted that Floyd had nine minutes, causing Floyd to fall silent and unresponsive. other “significant conditions, including “[a]rteriosclerotic Officers eventually called an ambulance, which transported and hypertensive heart disease; fentanyl intoxication; [and] Floyd to the Hennepin County Medical Center where Floyd was recent methamphetamine use.” Also on June 1, an independent pronounced dead at approximately 9:25 p.m. autopsy commissioned by Floyd’s family called Floyd’s death In a May 29 statement, Hennepin County Attorney Mike a homicide and determined that he died of “asphyxiation from Freeman announced criminal charges against Chauvin, sustained pressure,” meaning a lack of blood flow to the brain including for third-degree murder and manslaughter. Freeman due to compression on his back and neck caused by officers noted that Chauvin “is the first white officer in Minnesota kneeling on him. to be criminally prosecuted in the death of a black civilian.” On May 31, Walz announced that Minnesota Attorney The Minneapolis Star Tribune explained on May 29 that General Keith Ellison would take over the investigation and Hennepin County charged former MPD Officer Mohamed prosecution of the MPD officers involved in Floyd’s death. On Noor in the 2017 shooting death of Justine Damond. Noor was June 3, Ellison announced that he had upgraded the charges later convicted in 2019 of third-degree murder and second- against Chauvin to second-degree murder and had also charged degree manslaughter. (For more information on the shooting Kueng, Lane, and Thoa with aiding and abetting. and trial of Noor, as well as the legal battles around press Meanwhile, in the days following Floyd’s death, peaceful and public access, see “Recent Minnesota Legal Disputes and violent protests erupted in Minneapolis, including at the Involve Information Access and Defamation Liability” on page scene of the incident and near the MPD’s Third Precinct police 32 of this issue of the Silha Bulletin; see also “Twin Cities station. Local and national journalists provided live coverage Media Seek Juror Names in Noor Trial; Minneapolis Advisory Committee Allegedly Violates Open Meeting Law” in the Protests, continued on page 3 Inside This Issue Summer 2020: Volume 25, No. 3

1 Journalists Covering Fallout from George Floyd Death Take 26 CJEU Strikes Down EU-U.S. Privacy Shield, Confirms Legal Action; Misinformation Underscores Lessons from Validity of Standard Contractual Clauses 2020 Silha Spring Ethics Forum Privacy Cover Story 29 Clearview AI Raises Privacy Concerns, Pursues First 11 COVID-19 Pandemic Raises Data Privacy and Security Amendment Defense Questions and Concerns Privacy Privacy 31 Twitter Hack Included Data Breach of User Accounts 18 Federal Judge Finds Most of North Carolina's Ag-Gag Law Privacy Unconstitutional Ag-Gag Laws 32 Recent Minnesota Legal Disputes Involve Information Access and Defamation Liability 20 D.C. Circuit Affirms Ruling Requiring White House to Return Minnesota White House Reporter's Press Credential First Amendment 34 FRONTLINE Counsel Dale Cohen to Deliver 35th Annual Silha Lecture, "Inconvenient Truths and Tiger Kings: The 22 President Trump's Campaign Demands CNN Retract and Vital Role of Documentaries Today" on Oct. 19, 2020 Apologize for Poll, But Network Declines Silha Center Events Prior Restraint

23 California Consumer Protection Act Takes Effect Privacy

Silha Center Staff

Jane E. Kirtley Silha Center Director and Silha Professor of Media Ethics and Law

Jonathan Anderson Scott Memmel Silha Bulletin Editor Postdoctoral Associate

Sarah Wiley Elaine Hargrove Silha Research Assistant Silha Center Staff

2 Protests, continued from page 1 The complaint provided previous examples, including the arrest of Democracy Now! journalist Amy Goodman during of the protests each night that they took place. Amidst the the 2008 Republican National Convention (RNC) in St. Paul, protests, numerous journalists in Minneapolis and around the Minn. and the arrests of City Pages journalist Susan Du and country faced arrests, attacks, and threats by law enforcement. Minnesota Daily reporter David Clarey during the protests For example, on May 29, 2020, CNN correspondent Omar following the fatal shooting of Philando Castile by Jeronimo Jimenez, his producer Bill Kirkos, and photojournalist Leonel Yanez, a Hispanic-American police officer in St. Anthony, Mendez were arrested by Minnesota State Patrol officers Minnesota, in 2017. (For more information on the arrest of while reporting live from the protests in south Minneapolis. Goodman and other reporters at the 2008 Republican National The arrests prompted significant criticism from observers, Convention, see “Dozens of Journalists Arrested at Republican including the Silha Center for the Study of Ethics and Media National Convention in St. Paul” in the Fall 2008 issue of the Law. On May 30, Tom Aviles, a veteran photographer at WCCO, Silha Bulletin. Goodman also faced arrest after covering the Twin Cities’ CBS affiliate, was arrested while covering the oil pipeline protests in North Dakota in 2016. For more ongoing protests over the death of Floyd. information on the warrant issued against Goodman, see North For a full list of the incidents between the press and police Dakota Officials Issue Warrant forDemocracy Now! Reporter around the country, see the U.S. Press Freedom Tracker, a During Pipeline Protests in “Independent Journalists Face database of press freedom violations Threats to Newsgathering Rights” in the Fall 2016 issue of the in the United States and around the COVER STORY Silha Bulletin.) world managed by the Freedom of the Second, the complaint further argued that the defendants Press Foundation, available online at: had “a history of deficient or non-existent training with respect https://pressfreedomtracker.us/. (For more information on to the Constitution in general and Plaintiff’s First Amendment the protests around the death of George Floyd, as well as the rights in particular.” The complaint provided the example of incidents between the press and police, see “Special Report: Minneapolis Police Policy and Procedure Manual Section 6-200, Journalists Face Arrests, Attacks, and Threats by Police which provides that “MPD employees shall not unnecessarily Amidst Protests Over the Death of George Floyd” in the Winter/ obstruct news media personnel from performing their duties at Spring 2020 issue of the Silha Bulletin.) emergency scenes,” but does not provide any “other instruction or guidance on how to identify the media or ensure their First Incidents Between Press and Police Amidst Protests Amendment rights are respected.” The complaint added that Over George Floyd’s Death Lead to Multiple Lawsuits, the MPD “has not investigated, disciplined, or suspended any Reporter Sues Newspaper for Barring Her From officer involved in any of the unlawful conduct described in Covering Protests this Complaint.” The incidents between journalists and members of law Third, the complaint alleged three counts against the enforcement in the Twin Cities and around the United States defendants under 42 U.S.C. § 1983, known as a “1983 action.” amidst the protests over the death of George Floyd prompted The first count claimed that the defendants “retaliated against several lawsuits, including two by members of the news media Plaintiff and the Plaintiff Class for engaging in constitutionally at the protests in Minneapolis, who argued that arrests and/or protected [reporting] activity,” in violation of the First attacks by police violated their First and Fourth Amendment Amendment. The complaint argued that the police’s actions rights, among other claims. The incidents also prompted at created a chilling effect on constitutionally protected activity, least one lawsuit regarding police transparency. Meanwhile, namely journalists’ ability “to observe and record some a Black reporter for the Pittsburgh Post-Gazette sued the events of public interest, including constitutionally protected newspaper after she was barred from covering the protests in demonstrations and the conduct of law enforcement officers Pittsburgh, Penn. on duty in a public place.” On June 2, 2020, the American Civil Liberties Union The second count alleged that the defendants violated the (ACLU) of Minnesota filed a class action lawsuit in the U.S. Fourth Amendment protections against unlawful seizure and District Court for the District of Minnesota on behalf of excessive force. The complaint claimed that the plaintiff and freelance journalist Jared Goyette and “other similarly situated plaintiff class “were seized by Defendants” when officers 1) individuals,” namely several additional journalists who faced detained and/or arrested the members of the news media arrests, rubber bullets, pepper bullets, tear gas, physical and 2) “intentionally, through the use of force and threat of attacks, and more by law enforcement. arrest, chemical agents, and nonlethal projectiles, terminated The complaint first contended that the defendants — The their freedom of movement.” The complaint claimed that law City of Minneapolis, Minneapolis Chief of Police Medaria enforcement officers did so even though the journalists “did Arradondo, Minneapolis Police Lieutenant Robert Kroll, not commit a crime.” Minnesota Department of Public Safety Commissioner John The third count alleged that the “Due Process rights of Harrington, and Minnesota State Patrol Colonel Matthew Plaintiff and the Plaintiff Class were violated” when police Langer, in their official capacities — each had 1) “a custom or “arrested members of the Plaintiff Class without probable policy of deploying chemical agents and injurious, less-lethal cause, and deployed chemical agents and nonlethal projectiles ballistics against members of the news media,” 2) “a custom without providing a warning and opportunity to disperse in a or policy of failing to provide warnings and/or dispersal way that a person of ordinary intelligence could understand orders before using chemical agents and injurious, less-lethal and comply with.” ballistics against protesters and members of the news media,” Finally, the complaint sought several forms of relief, and 3) “a custom or policy of arresting or detaining news media including a permanent injunction “barring Defendants lawfully reporting on protests and other First Amendment expressive activity.” Protests, continued on page 4 3 Protests, continued from page 3 310 U.S. 88, 95 (1940). She added, “The recently, few Americans could have protests in Minnesota, and now around imagined police officers shooting at from engaging in unconstitutional the globe, are rooted in acts of shocking journalists reporting on civil protests.” conduct targeting journalists.” The police brutality. The police response Second, the complaint alleged that complaint also sought a “declaration to those protests is of exceptional police tear gassed Tirado even though that Defendants’ conduct violated importance to how the community “her press credentials were displayed the First, Fourth, and Fourteenth moves forward. Media reporting on prominently around her neck” and was Amendments of the U.S. Constitution.” events like those at issue here enables allowed to photograph the protests Additionally, the complaint sought the public to meaningfully participate as because members of news media were “[d]amages compensating [Goyette] for citizens in a constitutional democracy.” exempt from the city-wide curfew. The his injuries, including but not limited to complaint also compensatory, pecuniary, and medical noted that Tirado expense damages.” “The protests in Minnesota, and yelled “I’m press, The full complaint is available online now around the globe, are rooted in I’m press” as the at: https://www.aclu.org/legal-document/ acts of shocking police brutality. The police fired tear gas goyette-v-city-minneapolis. at protesters and In a press release accompanying police response to those protests is herself. the lawsuit, the ACLU of Minnesota of exceptional importance to how the Third, the stated, “Throughout the George Floyd community moves forward. Media complaint asserted protests, there have been numerous, that Tirado was well-documented instances of deliberate reporting on events like those at issue acting under abuse against journalists by law here enables the public to meaningfully color of law and enforcement officers.. . . These attacks participate as citizens in a constitutional that the police’s violate the press’s clearly established actions were an First Amendment right to report on democracy.” affront to freedom public protests and police activities. An of the press. The open society depends on a free press to — District of Minnesota complaint read, keep the public informed and to bear Judge Wilhelmina M. Wright “Whatever one’s witness to government actions. When view of police law enforcement officers target members Wright therefore wrote that conduct in relation to the protestors, of the press with impunity, they strike members of the news who were and of protestors’ actions, there can at the root of our democracy.” The “allegedly threatened or subject to be no doubt that under the . . . First press release added, “Law enforcement unlawful arrests” and/or “sustained Amendment, the police must not shoot officers who perpetrate these abuses severe, permanent injuries while journalists reporting on civil protests. must be held accountable for their reporting on events of intense public Journalists, like Linda Tirado, cover actions to the fullest extent of the law.” concern . . . deserve better.” But that the protests and capture any tactics On June 9, 2020, District of Minnesota was not enough, according to Wright, employed by law enforcement. If the Judge Wilhelmina M. Wright dismissed for Goyette to “establish[] that the press is silenced, the story does not get Goyette’s motions for a temporary ‘extraordinary’ equitable relief he seeks.” amplified, and nobody can see the police restraining order (TRO) and class She therefore denied his motion for a violence committed against citizens certification. Regarding the TRO, TRO without prejudice. for exercising their First Amendment Wright held that Goyette “d[id] not Regarding the motion for class rights[.]” allege that any of the conduct that he certification, Wright held that although Fourth, the complaint raised several seeks to enjoin — occurring over a “Goyette’s claims may ultimately be causes of action, including § 1983 five-day period of unprecedented civil suitable for class-wide resolution, the actions alleging violations of the First unrest — has occurred since May 31, Court concludes that fact discovery is Amendment. The complaint contended 2020, or facts that plausibly demonstrate necessary to determine” whether the that the defendants “used excessive that such conduct is likely to recur requirements for filed a class action were force against [Tirado] to prevent her imminently.” As a result, he did not met. She therefore dismissed the motion coverage of the matters of public meet his burden of showing “irreparable without prejudice. concern,” therefore violating her “First harm,” according to Wright. As the Bulletin went to press, the Amendment rights to free press, speech However, Wright wrote that she ACLU of Minnesota had not filed a and the right to peacefully assemble.” “recognize[d] the gravity of Goyette’s revised complaint, nor had the lawsuit The complaint also alleged that the claims.” She continued, “Essential to moved to discovery. defendants “retaliated against Plaintiff free government, the freedom of speech On June 10, 2020, Linda Tirado, a and other members of the press by and freedom of the press are among our freelance journalist who permanently use of excessive force in response to most fundamental rights and liberties. lost vision in one eye after being hit the exercise of their constitutional Abridgment of these rights ‘impairs with a rubber bullet while covering the rights.” Additionally, the complaint those opportunities for public education protests in Minneapolis, filed a lawsuit asserted that law enforcement’s actions that are essential to effective exercise against Arradondo, Kroll, Harrington, “chill[ed Tirado] from exercising her of the power of correcting error through Langer, and four unnamed police constitutional rights” because she the process of popular government,’” officers in the District of Minnesota. was “not medically cleared to visit the citing Thornhill v. State of Alabama, The complaint first stated that “[u]ntil protests because the tear gas utilized by

4 law enforcement is a chemical irritant, dismissed because it does not contain provided some limited responsive and may further damage her eye.” ‘enough facts to state a claim to relief records, but they did not match what Additional causes of action included that is plausible on its face.’” was available on the City of Minneapolis’ § 1983 actions regarding violations The memorandum further argued that website, according to the complaint. under the Fourth Amendment and “[t]o allow this case to move forward In a June 8 tweet, Webster noted that “Civil Conspiracy to Violate Plaintiff’s would have a significant chilling effect “[i]n what little complaint and discipline Constitutional Rights,” as well as claims on [the Minneapolis Police] Unions’ and data Minneapolis Police did give me, under state law for assault and battery. its elected union officials to engage in they illegally redacted officer names and Finally, the complaint sought a speech on matters of public concern.” removed the factual details in discipline permanent injunction “enjoining The memorandum added, “It would matters, which is public under law. Defendants from engaging in the use decimate the protections of the First And the complaint quantity is wildly of excessive force against Plaintiff Amendment and create a deluge in inaccurate as compared to prior data in violation of her constitutional litigation based solely on the content releases.” rights. The complaint also asked of a Defendant’s speech.. . . The irony According to the complaint, seven the District of Minnesota to declare that this lawsuit comes from a member months after Webster filed his request, that the defendants’ actions were of the media, traditional stalwarts of the MPD had “still not produced any unconstitutional, including under the First Amendment protections, against discipline details or letters for any First and Fourth Amendments. Lastly, Defendant Kroll based solely upon Minneapolis police officers; the MPD has the complaint sought “[d]amages Defendant Kroll’s protected speech not produced the substantive details on compensating Plaintiff for her injuries cannot be lost.” any sustained complaints or discipline against all Defendants, jointly and The full memorandum is available for any Minneapolis police officers; severally,” as well as punitive damages. online at: https://www.courtlistener. and the MPD has not produced any The full complaint is available online com/recap/gov.uscourts.mnd.188119/ employment settlement agreements at: https://www.courthousenews.com/ gov.uscourts.mnd.188119.20.0.pdf. As for any Minneapolis police officers” wp-content/uploads/2020/06/Tirado-v- the Bulletin went to press, the District (emphasis in original). The complaint Minneapolis.pdf. As the Bulletin went to of Minnesota had not ruled on Kroll’s added that the MPD “ignored Webster’s press, the District of Minnesota had not motion. request for a time and cost estimate, and ruled on the lawsuit. A final lawsuit arose amidst growing for a rolling production of responsive According to Minnesota Public concerns regarding police not releasing data.” According to the complaint, the Radio (MPR) on June 16, 2020, MPD public records in the wake of the result was that Webster “currently does spokesperson John Elder acknowledged protests. On June 8, 2020, Tony Webster, not know when or if the MPD will ever that an MPD officer may have fired the a journalist and open records advocate comply with his request. And Webster rubber bullet at Tirado. in the Twin Cities, filed a lawsuit against has heard from other community In a June 10 interview with the MPD, City of Minneapolis, and members that they, too, have been Courthouse News, Tirado said, “I had Casey Joe Carl in his official capacity unable to get access to this data, which no reasonable expectation for being in as statutory responsible authority in the is public under law.” any sort of trouble for being out at that Minnesota Fourth Judicial District Court. Finally, the complaint asked the hour, because the press was specifically The complaint first argued that the court “to enjoin the MPD’s further expected [to cover the protests].” She MPD “has been systemically withholding violations, issue an order compelling continued, “My goal here is to ensure police officer complaint and discipline their compliance with the MGDPA, that this does not continue to happen, to data from the public in violation of state award damages, costs, and attorney’s bring attention to the fact that this has law, and releasing inaccurate data.” fees, order a civil penalty, and order happened a lot around the country, that Second, the complaint explained such other relief as allowed by law.” this happened in Minneapolis, and that that in October 2019, Webster filed The full complaint is available online it’s really not fair.” Tirado added that she an open records request to the MPD at: https://assets.documentcloud.org/ hoped to donate a portion of proceeds under the Minnesota Government Data documents/6939235/Complaint-Webster- from the lawsuit to communities affected Practices Act (MGDPA) seeking police v-Minneapolis-Police-Department.pdf. by the fallout of the protests and riots. officer complaint and discipline data On June 18, Webster tweeted that On July 8, 2020, Kroll, one of the for all current MPD officers, including the MPD had “started sending me some defendants in the case and the president “complaints and charges, the final discipline records! I'll start putting of the union representing MPD officers, disposition of disciplinary action, and them online once I have a bigger set. filed a motion to dismiss pursuant to the complete terms of any employment I am appreciative for their work, but Rule 12(B)(6). The memorandum in dispute settlement agreement.” it sucks that I have to sue to get basic support of the motion argued that there According to the complaint, such compliance with the law.” was “no allegation” that Kroll “deployed records are classified as “public” under On June 22, Webster filed a the projectile that allegedly injured the MGDPA and are therefore subject to “stipulation to extend time for Plaintiff” or “directed MPD officers to release. defendants to answer,” meaning he and deploy a projectile (or use force on Third, the complaint alleged that the defendants agreed to grant more Plaintiff).” The memorandum continued, six weeks after Webster submitted the time for the City of Minneapolis to “In fact, there is no allegation that request, the MPD had not provided any respond to his complaint. The stipulation Defendant Kroll was even on duty as a responsive data, despite the MGDPA noted that “[w]ithout admitting liability police officer at the time of the alleged requiring “prompt” compliance with injuries.. . . The Complaint should be requests. A week later, the MPD Protests, continued on page 6 5 Protests, continued from page 5 Pittsburgh Post-Gazette, filed a lawsuit The complaint further alleged that on under the Civil Rights Act of 1866, June 1, 2020, three Post-Gazette editors, at this juncture, the City agrees Webster 42 U.S.C. § 1981, against the newspaper including the managing editor, “told is entitled to copies of the data he in the Western District of Pennsylvania, Johnson her tweet showed she could requested, subject to any provisions of alleging that the news outlet refused not cover the protests fairly and that law which would require redaction or to allow her to cover the protests over therefore she would not be assigned to withholding of some of the data, and the the death of George Floyd in Pittsburgh report on them.” The complaint added, City avers that it is working to evaluate because of a tweet from her personal “Defendant’s Managing Editor informed how much time it needs to complete account regarding racial biases towards Johnson that because she had opposed production.” The stipulation added, “So riots and looting. and spoke out [sic] about racism and that the Parties may attempt to work On May 31, 2020, Johnson tweeted the murder of black people at the hands toward an early resolution of the case, of police, and this extension of time is warranted. offered an opinion Additionally, the ongoing COVID-19 “More public oversight leads to better opposing those pandemic and civil unrest in Minneapolis policing, which leads to better public things, she was further warrants the extension of time.” safety and stronger communities. A theretofore [sic] The full stipulation is available online at: precluded from https://tonywebster.com/files/20200622- small, but concrete, show of good faith covering any story Webster-v-MPD-Stipulation-to-Extend- would be for every state to enact reforms involving protests Time-for-Defendants-to-Answer.pdf. opening every aspect of the police or demonstrations Concerns about law enforcement concerning racial transparency following the protests misconduct oversight process to public discrimination over George Floyd’s death prompted a scrutiny.” or the murder of statement by the National Freedom of black people by Information Coalition and the Brechner — Statement signed by the Silha Center for the white police.” Center for Freedom of Information. The Study of Media Ethics and Law and other media According statement was signed by more than 50 advocacy organizations to Courthouse organizations, including the Silha Center News on June for the Study of Media Ethics and Law. four photographs showing debris- 16, members of Johnson’s union, The statement read in part, “Many of strewn parking lots. The photos were the Newspaper Guild of Pittsburgh, our nation’s cities have experienced accompanied by a message reading, started a protest on Twitter supporting unrest and violence in response to the “Horrifying scenes and aftermath Johnson. The complaint asserted that death of George Floyd at the hands from selfish LOOTERS who don’t the 80 journalists employed by the of a Minneapolis police officer with care about this city!!!…oh wait sorry. Post-Gazette were similarly barred a long record of public complaints. No these are pictures from a Kenny from covering the protests. The ‘Business as usual’ in the oversight of Chesney concert tailgate. Whoops.” complaint also alleged that Michael law enforcement is not a satisfactory The tweet is available online at: Santiago, “an African American Pulitzer response to urgent and well-founded https://twitter.com/alexisjreports/ Prize-winning photojournalist who was concerns that police officers are able status/1267081467731103749?s=20. at the time employed by Defendant, to avoid consequences for wrongdoing, Johnson’s complaint first explained and who had tweeted in support of abetted by a tight regime of official that the tweet, which was “posted on Johnson’s Twitter protest[,] also was secrecy. Change must happen.” her private Twitter account,” was her removed from photographing racial The statement added, “More public “object[ion] to the racial bias exhibited demonstrations.” oversight leads to better policing, by those members of society and public Fourth, the complaint argued that which leads to better public safety and officials who equated property damage the Post-Gazette had “not treated stronger communities. A small, but to human life.” The complaint continued, reporters and journalists who have concrete, show of good faith would “By sharing these photographs and commented on bias toward whites be for every state to enact reforms commentary on her private Twitter in a similar manner.” It provided the opening every aspect of the police page, Johnson intended to mock and example of Joshua Axelrod, a white misconduct oversight process to public ridicule, and thus to protest, the racial Post-Gazette employee, who called a scrutiny. Only by seeing the substance bias and discrimination in a society man accused of vandalism and looting a of each complaint, how it is resolved, that condemns African Americans who “scumbag.” According to the complaint, and what consequences are imposed oppose racial injustice by protests that Axelrod was not prevented from can the public trust that justice is result in some property damage, while covering the protests. The complaint being dispensed without favor.” The tolerates similar property damage by also referenced how the Post-Gazette full statement is available online at: predominately white crowds who attend did not prevent reporters who had https://www.nfoic.org/sites/default/ Chesney concerts.” made similar public statements against files/2020-06/Statement%20on%20law%20 Second, her complaint alleged that race discrimination from covering enforcement%20transparency%20and%20 Johnson had worked for the Pittsburgh the 2018 shooting at the Tree of Life accountability%20issues%20June%20 Post-Gazette since October 2018 and had Synagogue in Pittsburgh. 2020%20%282%29.pdf. “often” been assigned “to cover social The complaint alleged one count Meanwhile, on June 16, 2020, Alexis issues that manifested themselves in under the Civil Rights Act of 1866, Johnson, a black reporter for the online social media platforms.” 42 U.S.C. § 1981, for retaliation, arguing

6 that the Post-Gazette “precluded and their nose in that to me is only racial and emotion.” Cahill also cited Globe removed Johnson, and others from discrimination. Prove me wrong and put Newspaper Co. v. Superior Court, 457 covering major stories involving race them back on the coverage.” U.S. 596 (1982), which found that public based protests and demonstrations Johnson told reporters at the press and press access to a criminal trial in retaliation for opposing race conference, “None of us should be here “enhances the quality and safeguards discrimination and publically [sic] today.. . . We should be covering one of the integrity of the factfinding process,” announcing her opposition to such the pivotal moments in history.” “fosters an appearance of fairness, practices.” The complaint further argued thereby highlighting public respect that such actions were “materially Multiple Disputes Arise About for the judicial process,” and “permits adverse employment action[s] because Access to Information the public to participate in and serve a reasonable newspaper reporter would George Floyd’s death led to as a check upon the judicial process.” have been dissuaded from complaining multiple disputes over public access to Finally, Cahill quoted Press-Enterprise of race discrimination had she known information about the killing, subsequent Co. v. Superior Court, 478 U.S. 1 (1986): she would have been precluded from criminal proceedings, and the people “The value of openness lies in the fact the assignment of coverage of a major involved in the case. One significant legal that people not actually attending trials story[.]” The complaint added that the issue involving the news media related can have confidence that standards actions “deprived Johnson of the same to access to footage of videos recorded of fairness are being observed; the right to make and enforce contracts as by body-worn cameras that the charged sure knowledge that anyone is free to is enjoyed by white citizens in violation police officers were wearing when they attend gives assurance that established of . . . 42 U.S.C. §1981.” encountered Floyd. On July 7, a lawyer procedures are being followed and The complaint also alleged one for Thomas Lane, one of the police that deviations will become known. count of race discrimination under officers charged, filed the footage with Openness thus enhances both the basic 42 U.S.C. § 1981, arguing that the the court as exhibits as part of a motion fairness of the criminal trial and the Post-Gazette precluded and removed to dismiss the criminal charges for lack appearance of fairness so essential to Johnson from covering the protests of probable cause. Hennepin County public confidence in the system.” “because of her race, and therefore[,] District Judge Peter Cahill allowed However, Cahill explained that the deprived Johnson of the same right members of the press and public to defendants in the criminal cases “are to make and enforce contracts as view the videos but not make copies; he entitled to a fair trial, before an objective is enjoyed by white citizens.” The had previously raised concerns about and impartial jury, applying the evidence complaint alleged that Johnson the possibility that pretrial publicity that will be presented in open court suffered “[g]reat mental anguish and would prejudice the defendants’ Sixth during a trial governed by the rules of emotional strain,” “[h]umiliation and Amendment right to a fair trial. On July evidence to the law applicable to the inconvenience,” and “[d]iminished career 13, a coalition of media organizations, crimes with which they are charged.” advancement because of the inability including the Silha Center for the Study Cahill wrote that the Supreme Court to cover one of the major newspaper of Media Ethics and Law, filed a motion of the United States has “made clear stories of her time.” seeking permission to get copies of the that trial judges have an ‘affirmative Finally, the complaint requested videos. The Court held a hearing on the constitutional duty to minimize the several forms of relief, including that motion on July 21. effects of prejudicial pretrial publicity’ the Post-Gazette “be ordered to cease On August 7, Cahill granted the to safeguard a criminal defendant’s precluding Johnson from coverage coalition’s request to obtain copies due process rights,” citing Gannett of racial discrimination protests and “upon payment of an appropriate fee Co., Inc. v. DePasquale, 443 U.S. 368 demonstrations” and “be required established by this Court’s administrative (1979). Cahill also quoted at length to compensate Johnson for the personnel.” In a memorandum opinion from Sheppard v. Maxwell, 384 U.S. diminishment of her career advancement filed August 11, Cahill explained the 333 (1966), in explaining why the court she would have obtained had it not been rationale for his decision, writing: “Cases must take steps to ensure the defendants for Defendant’s illegal treatment,” among that generate intense public interest “receive a trial by an impartial jury free other relief. and media scrutiny highlight the tension from outside influences.” Cahill added, The full complaint is available online between two fundamental rights: the “Important, fundamental rights oft at: https://www.courthousenews.com/ right guaranteed under the federal times find themselves in tension; that is wp-content/uploads/2020/06/Post- and state constitutions to criminal unavoidable. This Court is committed to Gazette-complaint.pdf. As the Bulletin defendants to receive a fair trial before the management of pretrial proceedings went to press, the Western District of an impartial jury, on the one hand, and and the eventual trial(s) in these cases Pennsylvania had not ruled in the case. the right of the public and press to not only to vindicate the public’s and According to KDKA, Pittsburgh’s CBS attend criminal trials, on the other hand.” press’ rights of access guaranteed by the affiliate, at a June 8 press conference, Cahill first discussed various positive First Amendment, the common law, and Newspaper Guild of Pittsburgh president benefits that courts have found flow from court rules but also Lane and his fellow Michael Fuoco called the Post-Gazette’s public access to judicial information. co-defendants’ Sixth Amendment rights actions a “national embarrassment” and Citing Richmond Newspapers v. to a fair trial, and this Court’s and the that the Post-Gazette “is on the wrong Virginia, 448 U.S. 555 (1980), Cahill parties’ interests in seeing that justice side of history. We’re on the right side of acknowledged that the “the open be done by a fair and objective jury history.” He added, “[Y]ou hire diversity processes of justice serve an important determining the facts based solely on to get all points of view, different prophylactic purpose, providing an evidence that will be admitted at trial.” lived experiences. For them to thumb outlet for community concern, hostility, Protests, continued on page 8 7 Protests, continued from page 7 Amendment right of access to the after Floyd’s death. Both Kellie and body-worn camera footage because he Derek Chauvin filed a joint motion Cahill wrote that he did not issue granted access under the “Minnesota to seal the divorce case, arguing that the gag order or restrict copying of the Rules of Criminal Procedure, the sealing was warranted because they body camera video “in the interests of Minnesota Rules of Public Access to had been subject to “rage and violence” ‘secrecy,’” and he pointed out that court Records of the Judicial Branch, and the and alleged identity theft and financial filings in the cases have been posted common law.” crimes, according to the Star Tribune. online and that the body camera footage On August 3, several days before Public access to the case records would was made available for inspection. Cahill’s ruling allowing copies of the enable additional harassment of Kellie Rather, Cahill wrote, “the Court was body-camera footage to be released, the Chauvin and open hearings would allow attempting to mitigate what some might the public to know colloquially characterize as efforts to ‘try where the Chauvins the case in the press,’ to seek to avoid “The law does not tolerate this level of reside and or at least to ameliorate the prospects secrecy.” “negatively affect of unduly tainting the prospective jury the parties from a pool engendered by the intense media — Media coalition memorandum seeking to safety standpoint,” interest and reporting on these cases, unseal divorce file of Kellie and Derek Chauvin the joint motion and to seek to vindicate the Defendants’ argued, according rights and the State’s interest in ensuring to the Star justice is done in these cases by a fair U.K.’s Daily Mail newspaper published Tribune. On July 24, information about and impartial jury deciding whether the leaked segments of the footage, which the case became unavailable through Defendants are guilty or not guilty of was obtained in apparent violation the state’s online electronic docketing the State’s charges based solely upon of Cahill’s earlier order authorizing system, the Star Tribune reported, the evidence presented during trial, viewing of the videos but prohibiting “presumably because a judge had not based on media reporting, public recording or distribution of them. The granted the Chauvins’ request.” speculation, and extraneous information, Daily Mail reported that the footage On July 27, 2020, a coalition of local inadmissible at trial, circulating during had been “leaked” to the newspaper. and national news organizations, as the months of pretrial preparation.” On August 3, the Star Tribune reported well as the Minnesota Coalition on In his analysis, Cahill first found that that a Hennepin County District Court Government Information, filed a motion the media coalition had standing to spokesperson said an investigation had to intervene and unseal the case file intervene, citing federal court access been launched into the leaked video. and a memorandum in support of that cases such as Globe Newspaper Co. v. The court had made the videos motion. The memorandum argues Superior Court, 457 U.S. 596 (1982) and available for viewing on laptops in a that the apparent wholesale sealing of Richmond Newspapers v. Virginia, 448 room where attendees were required the case file, including the docketing U.S. 555 (1980), as well as state cases to put away phones and personal information and the existence of the including Mankato Free Press Co. v. computers. “Sheriff’s deputies and court case, is not permissible. “The law does Dempsey, 581 N.W.2d 311 (Minn. 1998), staff were stationed throughout the not tolerate this level of secrecy,” the and Northwest Publications, Inc. v. room as several members of the media memorandum reads. It added that there Anderson, 259 N.W.2d 254 (Minn. 1977). and public viewed the videos,” the Star was considerable public interest in Cahill then cited Minn. R. Crim. P. 25.03 Tribune reported. Derek Chauvin, the criminal and civil subds. 1-3 in finding that the “Minnesota In response to the Daily Mail’s proceedings involving him, and the Rules of Criminal Procedure expressly posting of the videos, the media coalition broader social issues that Floyd’s death confer standing on the news media to filed a letter with Cahill on August 4 highlighted, such as the Black Lives challenge certain orders ‘restricting informing the court that members of Matter movement. The memorandum public access to public records relating the media coalition “respect the Court’s linked the divorce proceedings directly to a criminal proceeding.’” orders and were surprised by the leak to Floyd’s death by asserting that the Second, Cahill found that the public of this footage.” The media coalition divorce “may be an attempt to shield the and press have a right of access to the further argued that the leak “serves only couple’s assets from criminal forfeiture body-camera video under both the to bolster the Coalition’s argument for or from recovery by the Floyd family in common law and court rules. Cahill making all of the [body-worn camera] the civil lawsuit,” and that information found that access was governed under footage available, through official in the divorce proceedings may also be Nixon v. Warner Communications, Inc., channels, for copying and distribution.” relevant to felony tax fraud charges filed 435 U.S. 589 (1978), and Minneapolis Following Cahill’s order allowing for against the couple, all of which increase Star Tribune Co v. Kammeyer, copies of the body-worn camera footage, the public interest in the divorce case. 341 N.W.2d 550 (Minn. 1983), as well journalists sought and obtained copies The coalition argued that they have a as the Minnesota Rules of Criminal and published the footage. right to intervene in the divorce case to Procedure and Rules of Public Access Another access issue that arose pursue access to public records, that to Records of the Judicial Branch. Cahill was the sealing of court records the press and public are presumptively rejected some cases the media coalition about divorce proceedings between entitled to access court files, including cited because the cases were either Minneapolis Police Officer Derek divorce proceedings, and that there is materially distinguishable or arose in Chauvin — the officer who kneeled sufficient justification for sealing the other jurisdictions and were not binding. on Floyd’s neck — and his wife, Kellie records at issue. Third, Cahill did not rule on whether Chauvin, who filed for divorce days the public and press have a First 8 On Oct. 8, 2020, Washington County acts.” The order did not preclude the information” in a May 31 tweet that District Judge Juanita C. Freeman public from attending court hearings blamed “Antifa-led anarchists” in granted the media coalition’s request to held in connection with the case. Minneapolis for the violence and intervene in the divorce proceedings, A third dispute that arose about damage and called Antifa a “Terrorist finding that the coalition satisfied the public access to information involved Organization,” whereas it as an anti- four-part test that a non-party must a gag order that Cahill imposed on fascist protest movement. meet to intervene as a matter of right. speech related to the case. On July 9, On June 5, KSTP, the Twin Cities’ ABC Freeman found that the coalition’s Cahill issued a gag order after some affiliate, reported that some of the false motion was timely, that the coalition attorneys involved in the case spoke information spread about Floyd and had an interest in the proceedings, that to the news media. Cahill expressed the protests was repeated and shared the court had previously restricted concern that pretrial publicity “by the by local politicians in Minnesota. KSTP access to court records, and the attorneys involved will increase the risk provided the example of Minnesota coalition's interests were not sufficiently of tainting a potential jury pool and will Rep. Ryan Winkler (DFL-Golden Valley), represented by the other parties. impair all parties’ right to a fair trial.” the Minnesota House Majority Leader, Freeman analyzed the coalition’s The text of the order restricted speech of who tweeted about the tanker truck arguments that access was required “all parties, attorneys, their employees, driving into a crowd of protesters on under both the First Amendment agents, or independent contractors Interstate 35W on May 31. Winkler and common law and rejected both working on their behalf.” tweeted, “Protestors I know are saying arguments. Under the First Amendment, On July 17, a coalition of local and truck driver drove into a crowd and a court may restrict access when there national media outlets, as well as the intentionally ran into them. Confederate is a compelling government interest Silha Center for the Study of Media flags and white supremacist insignia. and the restriction is narrowly tailored Ethics and Law and the Minnesota [sic]” It later turned out, according to to serve that interest. Freeman found Coalition on Government Information, KSTP, that such claims were not true. restricting access to the Chauvins’ filed a motion objecting to the gag order. Winkler deleted the tweet, but not before personal and financial information The objection argued that the gag order it was retweeted or shared more than in court records served a compelling was impermissibly overbroad in violation 500 times. government interest in prevention of of the First Amendment. The coalition Winkler told KSTP in an interview, crime, and withholding this information argued that the order “threatens the right “I think I behaved reasonably under was narrowly tailored. “The record of the press and the public to engage in the circumstances. I was clear that this amply demonstrates that restricting important dialogue with a wide range was not something that I saw. This was access to this information is not only of people on a broad range of topics something that people were saying.” warranted but necessary to counteract that could be viewed as ‘related’ to However, in a June 5 interview the persistent efforts of criminals, these prosecutions. The Order could with KSTP, Clair Wardle, the co- hackers, and other malicious actors who also directly (if inadvertently) delay founder of First Draft, a nonprofit seek to exploit the Chauvins’ personal communications, to the public, about dedicated to fighting misinformation information to commit theft, fraud, important work government officials are around the world, explained that even stalking, harassment, property damage, doing to address critical issues of public unintentionally false information can be and other crimes,” Freeman wrote. safety, racial equality and police reform. a problem. “Right now, when emotions Freeman also explained why the Such issues, while carrying little to no are so high on both sides, everybody is court file can be sealed under common risk of prejudicing the Defendants’ right more susceptible than ever, but we’re law, balancing “the interests favoring to a fair trial, are nonetheless ‘related’ weaponizing information. These tweets access, along with the presumption in to the prosecutions.” Defense counsel are not harmless,” she said. “Anybody favor of access, against those asserted also objected to the gag order. On July can post anything on social media. They for restricting access.” Freeman cited 21, the Star Tribune reported that Cahill might have a blue tick next to their the various harms to the Chauvins that vacated the gag order. name, they might be in a position of she discussed in the First Amendment leadership.. . . We have always looked to analysis, and added that “the Chauvins’ Misinformation About George gatekeepers for the truth and so, when marital status is not a matter of public Floyd’s Death and Ensuing Protests you see information from those people, concern, nor is the division of their Spreads on Social Media we are hard-wired to believe that, so that material assets and debts.” On June 1, 2020, The New York Times, does make it more dangerous.” Although Freeman denied the media among several other media outlets, KSTP also noted how Minneapolis coalition’s motion to unseal the divorce reported that “untruths, conspiracy Council Members Alondra Cano and file, she ordered that the case be listed theories, and other false information Phillipe Cunningham also shared on the court system’s public docket and [were] running rampant online as the misinformation about the presence of that various filings be public. Freeman furor over [the death of George Floyd] the Minnesota National Guard and the also ordered that the divorce petition has built.” Among the misinformation Ku Klux Klan (KKK), respectively. The be sealed, but attached a redacted online was the unfounded rumor that Minneapolis Star Tribune similarly version of the petition to the order. Floyd was still alive and that “Antifa” found on June 6, 2020 that “[t]hrough The order stated that all personal activists were responsible for the the chaos of a riotous string of days information about the Chauvins should riots and looting in several U.S. cities, following George Floyd’s death under be sealed, including financial and including Minneapolis. the knee of a Minneapolis police officer, property information and “descriptions The Times noted that President of unlawful acts[] and the effects of such Donald Trump “stoked the divisive Protests, continued on page 10 9 Protests, continued from page 9 a special emphasis for people who do recommended that individuals “check have that power, whose voice will not [their] bias” and “[d]on’t trust everything Winkler was hardly the only public just be heard but have a lot of credibility, you see,” among other tips and advice. official to unwittingly disseminate false that they have to get it right to the extent The full article is available online or unverified information about the facts they can from the get-go.” She added at: https://www.usatoday.com/story/ on the ground.” The Star Tribune and that it “is incumbent on people who have tech/2020/06/01/george-floyd-protests- KSTP both reported that media research a prominent platform to be especially disinformation-misinformation-surging- company Zignal Labs had tracked careful” and that public officials delete online/5313920002/. more than 1.7 million mentions of and correct inaccurate posts if possible A June 2 article by Rolling Stone misinformation related to Floyd’s death to try to prevent misinformation from magazine also provided a number of and the subsequent protests. spreading further. ways that members of the public can Additionally, KSTP described how In a June 1 interview with The “differentiate between truth and fiction misinformation was also spread by New York Times, Graham Brookie, on social media.” Among the pieces of public officials offline, including when director of the Atlantic Council’s Digital advice were to “[c]heck the source of Minnesota Gov. Tim Walz, among others, Forensic Research Lab, explained that the story” and “[a]pproach posts about incorrectly stated in May 30 and May 31 the combination of racial tensions missing people with caution.” The news conferences that all or most of the and political polarization during the article also encouraged people looking people arrested during the protests and COVID-19 pandemic led to a significant to make donations to do so through riots were from “out of state” or “outside increase in misinformation, including “an accredited organization.” The full the region.” Officials later corrected related to Floyd’s death and the article is available online at: https:// those assertions when jail records were ensuing protests. “The combination of www.rollingstone.com/culture/culture- released, according to KSTP. KSTP’s full evolving events, sustained attention features/misinformation-facebook- report is available online at: https://kstp. and, most of all, deep existing divisions george-floyd-protest-1008909/. com/news/amid-flood-of-misinformation- make this moment a perfect storm for (The 2020 Silha Spring Ethics surrounding-george-floyd-death-days- disinformation,” he said. “All of it is Forum featuring Barbara Allen, the of-unrest-local-leaders-share-false- toxic, and make our very real challenges director of college programming at information/5752299/. and divisions harder to address.” (For the Poynter Institute of Media Studies In an interview with the Star Tribune, more information about the spread (Poynter), focused on the spread of retired Carleton College political of mis- and disinformation during the mis- and disinformation online and scientist Steven Schier said public COVID-19 pandemic, see COVID-19 how journalists and members of the officials face “a higher bar” for reporting Pandemic Raises New Concerns public can spot and address it. For and sharing accurate information, About Misinformation Online in more information on the forum, see including on social media. However, “Special Report: COVID-19 Pandemic “2020 Spring Forum Webinar Addresses he acknowledged that meeting that Raises Media Law and Ethics Issues, the Impact of Fact-Checking and standard can be especially challenging Challenges, and Opportunities” in the Misinformation on Journalism” in the amid a “fog of conflict.” “They’re trying Winter/Spring 2020 issue of the Silha Winter/Spring 2020 issue of the Silha to make real-time assessments,” he said. Bulletin.) Bulletin.) “A lot of that information is going to be In a June 1, 2020 article, USA Today fuzzy or false and they have to correct it provided several tips to identify false — Scott Memmel as they occur.” or misleading claims online, including Postdoctoral Associate Emily Vraga, an associate professor related to Floyd and the protests. The at the University of Minnesota Hubbard article encouraged members of the — Jonathan Anderson School of Journalism and Mass public to “[d]o your homework before Silha Bulletin Editor Communication similarly told the Star sharing” and “[w]atch out for posts that Tribune on June 6, 2020, that “[t]here is make your blood boil.” The article also

Director’s Note The Summer 2020 issue of the Silha Bulletin includes several articles adapted from “Global Privacy and Data Protection,” a chapter published in the course handbook for the Practising Law Institute’s Communications Law in the Digital Age conference, which will take place in November 2020. Professor Kirtley gratefully acknowledges the contributions of Silha research assistants Jonathan Anderson, Scott Memmel, and Sarah Wiley, and Silha staff member Elaine Hargrove. Jane E. Kirtley Silha Center Director and Silha Professor of Media Ethics and Law

10 COVID-19 Pandemic Raises Data Privacy and Security Questions and Concerns n spring and summer 2020, the letter sent by Yuan and other Zoom office issued a warning that hackers COVID-19 pandemic raised a executives to their clients, Zoom is a had interrupted online instruction of number of challenges and issues “video-first communications platform a Massachusetts high school class, related to data privacy and for the enterprise segment.” The shouted a profanity, and revealed the security, including regarding Washington Post described Zoom teacher’s home address. In a separate I1) Zoom Video Communications, as a “business-friendly video chat.” incident at another Massachusetts Inc. (Zoom) and 2) the tracking of According to its website, Zoom, which school, the hacker was visible on the individuals’ mobile location data to is headquartered in San Jose, Calif., video camera and displayed swastika combat the spread runs across mobile devices, desktops, tattoos. PRIVACY of the coronavirus. telephones, and room systems. On April 2, 2020, Vice reported that According to Among Zoom’s features are a software the white supremacist group 8chan had the U.S. Centers application and a video conferencing plans to highjack the Zoom meetings of for Disease Control and Prevention platform. a Jewish school in Philadelphia, Pa. in (CDC), COVID-19 is an illness caused When the COVID-19 pandemic forced an anti-Semitic campaign. The following by “a new coronavirus that can spread large numbers of people worldwide to day, The New York Times reported that from person to person.” As early as stay at and work from home in the first an analysis carried out by the newspaper late 2019, the virus began spreading months of 2020, Zoom’s use expanded revealed that “thousands” of people had around the world, therefore constituting from businesses meetings to school gathered on “153 Instagram accounts, a global pandemic. The spread of the and university classes and church dozens of Twitter accounts and private coronavirus, especially beginning services, surpassing the popularity of chats on Reddit and 4Chan” to organize in March 2020, prompted a range video teleconferencing services such as Zoom harassment campaigns, sharing of responses by different countries, Facebook’s Messenger Rooms, Google meeting passwords and plans to disrupt including the United States, in which Meet, Apple’s Facetime, and others. public and private meetings. These states took varying degrees of action. According to an Aug. 5, 2020 statement plans included disrupting meetings by Zoom, usage increased from with “shocking imagery, racial epithets Privacy and Security Concerns Arise 10 million daily users in December 2019 and profanity.” Disruptions included from Zoom Services, Practices, to 300 million by April 2020. someone who embedded a racial slur and Claims Amidst the COVID-19 Amidst the COVID-19 pandemic in a presentation slide during a meeting Pandemic in 2019, several media outlets and of the Concordia Forum, a global Zoom, a video communications observers highlighted a variety of network of Muslim leaders, followed by app and video conferencing platform, privacy and security issues raised by a pornographic video; projecting a GIF originally launched in 2013, but it Zoom, including “Zoombombing”; the of a person drinking during Alcoholic was not a household word until the vulnerability of recordings; problematic Anonymous meetings; and writing COVID-19 pandemic forced people to data sharing; surveillance; bugs and racist messages during a meeting of the work and attend school from home. malware; domestic and international American Jewish Committee in Paris. However, Zoom’s platform raises hacking; and encryption deficiencies. On April 21, The Hill reported that multiple privacy and security concerns, First, several observers noted an April 20 virtual Holocaust memorial including “Zoombombing,” hacking of significant privacy and security concerns service held by the Israeli Embassy meeting recordings stored in the cloud, associated with Zoombombing, which in Germany was Zoombombed with unauthorized data sharing, surveillance, occurs when a Zoom meeting is anti-Semitic slogans, photos of Adolf bugs and malware, domestic and interrupted by a hacker engaging in Hitler, and pornographic images. international hacking threats, and activities that disrupt the event, such Hackers also shouted pro-Palestinian encryption deficiencies. Amidst these as posting pornography. According to slogans. privacy and security concerns, Zoom CNET and “Krebs on Security,” a blog Additional instances of Zoombombing took several actions to address such by former Washington Post reporter were committed by high school students problems, leading to mixed reactions Brian Krebs, Zoom conference calls are in several parts of the United States by observers and those affected. assigned a Meeting ID that consists of 9 who disrupted their online classes with Meanwhile, Zoom was the target of to 11 digits. If meetings are not protected “disruptive but largely inoffensive jokes.” several legal actions, including a 2019 by passwords or by other means, they These and other issues led some school lawsuit filed by the Electronic Privacy can be easily interrupted. In some cases, districts to ban the use of Zoom. Information Center (EPIC), as well as hackers simply guessed or automated Second, observers pointed out four class action lawsuits filed in federal the guessing of random IDs within that privacy issues associated with the court in March and April 2020 and a space of digits. Additionally, tools such recording features on Zoom. On April lawsuit filed in the District of Columbia as “Tor” allowed hackers to find about 16, 2020, CNET reported that a security in August 2020. 100 open Zoom meetings every hour. researcher had discovered a way Zoom was founded in 2011 by CEO News outlets reported a number of to access and download previously Eric Yuan and launched in January instances of Zoombombing, including on recorded videos in the cloud through 2013 before going public in April March 30, 2020 when the Federal Bureau an unsecured link. In addition, the 2019. According to an Aug. 5, 2020 of Investigation’s (FBI) Boston, Mass. COVID-19, continued on page 12 11 COVID-19, continued from page 11 “Motherboard” noted that Zoom was “not another user, overriding his efforts to researcher discovered that previously forthcoming with the data collection or keep it private.” Additionally, the Times recorded videos may “live” in the cloud the transfer of it to Facebook. Zoom’s discovered that Zoom “automatically for hours, even after being deleted by policy says the company may collect sent participants’ personal information the users. As a result, Zoom provided users’ ‘Facebook profile information to its data-mining tool even when no one updates to prevent malicious access (when you use Facebook to log-in to in a meeting had activated it.” to such videos. In addition, it changed our Products or to create an account Josh Golin, the executive director of its “Record to Cloud” default setting to for our Products),’ but doesn’t explicitly the Campaign for a Commercial-Free request that the user add a password to mention anything about sending data to Childhood, a nonprofit group in Boston, the video file. CNET cautioned, however, Facebook on Zoom users who don’t have told the Times, “People don’t know this that these updates might not protect a Facebook account at all.” is happening, and that’s just completely videos that had previously been made In a statement to “Motherboard,” unfair and deceptive.” The Times noted available via shared links. Zoom confirmed the data collection, that its findings added “to an avalanche On April 3, 2020, The Washington writing, “Zoom takes its users’ privacy of reports about privacy and security Post reported that “[t]housands of extremely seriously. We originally issues with Zoom, which has quickly personal Zoom videos have been left implemented the ‘Login with Facebook’ emerged as the go-to business and viewable on the open Web, highlighting feature using the Facebook SDK in social platform during the [COVID-19] the privacy risks to millions of order to provide our users with another pandemic.” Americans as they shift many of their convenient way to access our platform. In an April 2020 statement, Zoom personal interactions to video calls However, we were recently made aware said it took users’ privacy “extremely in an age of social distancing.” The that the Facebook SDK was collecting seriously” and was “removing the exposed videos included one-on-one unnecessary device data.” LinkedIn Sales Navigator to disable the therapy sessions, a training orientation The statement continued, “To address feature on our platform entirely.” In a for workers doing telehealth calls that this, in the next few days, we will separate statement, LinkedIn said it included people’s names and telephone be removing the Facebook SDK and worked “to make it easy for members numbers, small business meetings that reconfiguring the feature so that users to understand their choices over what included private company financial will still be able to login with Facebook information they share” and would statements, and elementary school via their browser. Users will need to suspend the profile-matching feature on classes, in which children’s faces, voices, update to the latest version of our Zoom “while we investigate this further.” and personal details were revealed. The application once it becomes available Fourth, the Electronic Frontier Post further reported that a number in order for these changes to take hold, Foundation (EFF) posted several of the videos included personally and we encourage them to do so. We findings related to how the hosts of identifiable information and “deeply sincerely apologize for this oversight, Zoom meetings, as well as school intimate” conversations, some of which and remain firmly committed to the administrators, can conduct varying were recorded in people’s homes. Other protection of our users’ data.” forms of surveillance on those using recordings contained nudity, such as in In a message to Vice, privacy advocate the app. EFF determined that the host an instructional video provided by an Pat Walshe, who had previously analyzed of a Zoom meeting had “the capacity aesthetician. Zoom’s privacy policy, called the to monitor the activities of attendees The Post noted that many of revelation “shocking.” He added, “There while screen-sharing.” According to these videos were recorded through is nothing in the privacy policy that EFF, this meant that “[i]f attendees of Zoom’s software, then saved without a addresses that.” a meeting do not have the Zoom video password. Videos that were stored in About one week after “Motherboard” window in focus during a call where Zoom’s own system did not appear to reported its findings,The New York the host is screen-sharing, after 30 be as vulnerable. Because Zoom has a Times wrote on April 2, 2020 that a seconds the host can see indicators next consistent formula for naming videos, “data-mining feature on Zoom allowed to each participant’s name indicating the Post stated that anyone who knew some participants to surreptitiously have that the Zoom window is not active.” Zoom’s system of naming could find, access to LinkedIn profile data about Furthermore, EFF found that Zoom download, and watch the vulnerable other users — without Zoom asking for “allows administrators to see detailed videos. The Post did not reveal Zoom’s their permission during the meeting or views on how, when, and where naming system, and stated that the even notifying them that someone else users are using Zoom, with detailed newspaper had alerted Zoom to the issue was snooping on them.” According to dashboards in real-time of user activity. before running the story. the Times, “when people signed in to a Zoom also provides a ranking system of Third, on March 26, 2020, Vice’s meeting, Zoom’s software automatically users based on total number of meeting “Motherboard” blog found that Zoom’s sent their names and email addresses to minutes. If a user records any calls via iOS app sent “some analytics data to a company system it used to match them Zoom, administrators can access the Facebook, even if Zoom users don’t with their LinkedIn profiles.” contents of that recorded call, including have a Facebook account.” The report The Times found that “even when a video, audio, transcript, and chat files, as noted that although such data transfers reporter signed in to a Zoom meeting well as access to sharing, analytics, and were “not uncommon,” Zoom users may under pseudonyms — ‘Anonymous’ cloud management privileges.” not have been aware it was happening, and ‘I am not here’ — the data-mining EFF criticized these practices, “nor understand that when they use tool was able to instantly match him to especially in light of the increasing one product, they may be providing his LinkedIn profile. In doing so, Zoom use of Zoom as part of online data to another service altogether.” disclosed the reporter’s real name to learning. “Surveillance shouldn’t be a 12 prerequisite for getting an education,” prepared by the DHS Intelligence “designed to maintain geofencing around EFF contended. “But even before Enterprise, Cyber Mission Center, and China ensuring that users outside of more school districts started moving Counterintelligence Mission Center and China do not have their meeting data their classes and coursework to digital was coordinated with the Department routed through servers in China.” forums for purposes of social distancing, of Energy, Department of State, Additionally, the Zoom spokesperson surveillance has become more and more Department of the Treasury, and the FBI, asserted that paid Zoom customers “are common in schools. With the advent of among other government entities. now able to further customize which COVID-19 and the associated uptick in The report listed a number data center regions their account can use distributed digital learning, the potential of concerns involving the use of for real-time meeting traffic,” allowing for this surveillance to ramp up is Zoom, including that hackers “likely them to “opt in or out of specific data alarming.” will identify new or use existing center locations.” Furthermore, the EFF therefore recommended that vulnerabilities in Zoom to compromise Zoom spokesperson told ABC News that “[o]ne of the best things you can do to user devices and accounts for further not only did Zoom use cloud data centers keep yourself and others safe during this exploitation of corporate networks.” The globally, the company also had 17 data crisis is to learn how to minimize risk. report added that malicious actors could centers “around the world,” but only Many of the problems presented in this view Zoom users as targets of hacking one in China. “All Zoom source code post can be mitigated or circumvented efforts to exploit a broad range of public is stored and versioned in the United with careful consideration of the risks, and private sector entities including States,” the Zoom spokesperson said. employing ‘privacy as a team sport’ critical infrastructure. Additionally, the Josh Cohen, a former DHS acting tactics, and minimizing the data that report concluded that although Zoom is undersecretary and current ABC News corporations, employers, and others can headquartered in the United States, the contributor, noted that in general, track.” main Zoom application appears to be “China, Russia and other hostile nations Fifth, on May 8, 2020, CNET reported developed by three companies in China, view the coronavirus as an opportunity that several “bugs” or pieces of malware employing at least 700 workers. to expand their intelligence-gathering were plaguing Zoom users, including one The report concluded that “Zoom’s efforts and they are actively targeting that allowed people’s passwords to be sudden immense growth and use the private communications of those in stolen. Another bug allowed malicious across both public and private sector government, the private sector, academia users to assume control of a Zoom user’s entities in combination with its highly and others, who have increasingly turned microphone or webcam, and another publicized cybersecurity issues creates to online communications.” He added, allowed Zoom to gain root access to a vulnerable, target-rich environment “Private conversations using online MacOS desktops. Additionally, on April that [Advanced Persistent Threat] communications and video conferencing 22, 2020, researchers at Morphisec Labs, actors likely see value in exploiting to apps are vulnerable to being intercepted which describes itself as an endpoint achieve nation-state objectives against by criminals and foreign intelligence security solutions company, identified a the Homeland, which could include operatives. Securing these platforms bug that could enable hackers to record disruption, espionage, or financial gain. must be a priority especially since they Zoom sessions and capture chat text Successful compromise of a critical are being used more frequently during without the knowledge of any of the infrastructure entity could inflict the current health crisis.” participants, even if the host has not economic loss on at least the targeted Finally, several news outlets and enabled any of the participants to record. organization, and if left undetected, experts have also pointed out issues The result was that the bug effectively preposition the cyber actors for future with Zoom’s encryption efforts. On allowed the hackers to spy on meetings. operations. Any organization currently March 31, 2020, The Intercept reported On April 16, 2020, ZDNet reported using — or considering using — Zoom that although Zoom “claim[ed] to that Zoom had hired Luta Security, should evaluate the risk of its use.” implement end-to-end encryption, widely a company specializing in managing An unidentified Zoom spokesperson understood as the most private form of system vulnerabilities and “bug bounty” told ABC News that the company internet communication,” the company programs, which pay people to identify disagreed with the government’s report, was “using its own definition of the problems and weaknesses with websites saying it was “heavily misinformed, term, one that lets Zoom itself access and company security systems. Luta includes blatant inaccuracies about unencrypted video and audio from Security, which is known for setting Zoom’s operations, and the authors meetings.” up bug bounty programs for Microsoft, themselves admit only ‘moderate The Intercept further alleged that Symantec, and the Pentagon, was given confidence’ in their own reporting. Zoom “actually does not support a “free hand” to rebuild Zoom’s existing We are disappointed the authors did end-to-end encryption for video and program. not engage with Zoom to verify the audio content, at least as the term Sixth, on April 28, 2020, ABC News accuracy of these claims and understand is commonly understood. Instead it reported that Zoom “could be vulnerable the real facts about Zoom.” The Zoom offers what is usually called transport to intrusions by foreign government spokesperson stated, “We actively and encryption . . . which is different from spy services, including China.” ABC quickly addressed specific security end-to-end encryption because the Zoom News had acquired a federal intelligence concerns as they were raised over the service itself can access the unencrypted analysis report issued jointly by past few weeks.” video and audio content of Zoom the U.S. Department of Homeland Regarding the statements that Zoom meetings. So when you have a Zoom Security’s (DHS) Cyber Mission and was vulnerable to infiltration by the meeting, the video and audio content Counterintelligence Mission Centers. Chinese, the Zoom spokesperson told will stay private from anyone spying on The report, dated April 27, 2020, was ABC News that Zoom’s systems are COVID-19, continued on page 14 13 COVID-19, continued from page 13 These features include Zoom installing the legitimate right of all users to privacy a hidden web-server on Mac computers and the safety of users on our platform. your Wi-Fi, but it won’t stay private from to circumvent a Safari popup that users This will enable us to offer [end-to-end the company.” must click through before joining a encryption] as an advanced add-on In an April 3, 2020 report, Citizen Zoom meeting; a Zoom feature that feature for all of our users around Lab, a research laboratory at the removes a password prompt during the the globe — free and paid — while University of Toronto, examined installation process, a Zoom feature maintaining the ability to prevent and the encryption that protected Zoom intended to allow Zoom users at the fight abuse on our platform.” meetings, and found that Zoom “rolled” same company or ISP to find one In response to many of the privacy its own encryption scheme, which had another, and Zoom’s 9 or 10 digit code, and security concerns faced by the significant weaknesses. The report, titled which is sufficient to join a meeting company, Zoom announced — through “Move Fast and Roll Your Own Crypto: created with default settings, but can an April 1, 2020 message by Zoom A Quick Look at the Confidentiality of lead to Zoombombing. founder and CEO Eric Yuan, a July 2020 Zoom Meetings,” found that although Citizen Lab concluded its report by white paper, and an Aug. 5, 2020 letter Zoom claimed that its applications used noting that Zoom lacked a transparency to Zoom clients — several initiatives to “AES-256” encryption for its meetings, report requested on March 18, 2020 by better protect its users. However, some the mode of encryption that was actually Access Now, a nonprofit organization observers asserted that Zoom would used was Electronic Code Book (ECB) that defends the digital rights of people need to step up its efforts to better mode, which is “not recommended around the world. A July 1, 2020 post ensure the privacy and security of its because patterns present in the plaintext on Zoom’s website stated that although users. are preserved during encryption.” the report was not yet ready, the Yuan wrote in an April 1, 2020 The report also found that Zoom company has “made significant progress message, “[W]e recognize that we have was unclear about the encryption it defining the framework and approach fallen short of the community’s — and offered. According to Citizen Lab, for a transparency report that details our own — privacy and security “[s]ome Zoom documentation (as well information related to requests Zoom expectations. For that I am deeply sorry.” as the Zoom app itself) claims that Zoom receives for data, records, or content.” Yuan explained that Zoom was created offers a feature for “end-to-end” (E2E) The post noted that a transparency for customers such as “large institutions encrypted meetings.” However, other report could be expected later in 2020. with full IT support,” including financial documentation claimed that Zoom’s On May 22, 2020, Zoom released a services companies, telecommunications meeting software for Windows, MacOS, draft design of its end-to-end encryption providers, government agencies, and Linux used the industry-standard after the company said it had consulted universities, healthcare organizations, TLS 1.2 scheme, whereas a September with civil liberties organizations, child and telemedicine practices. According to 2014 blog post by Zoom implied that TLS safety advocates, encryption experts, Yuan, “exhaustive security reviews of our 1.2 was not used. government representatives, users, and user, network, and data center layers” On April 1, 2020, Zoom released a others. However, the company came had been completed, and organizations blog post apologizing for the confusion under fire in early June 2020 when had “confidently” selected Zoom for their surrounding its encryption practices and several media outlets reported that use. “However,” Yuan continued, “we did saying that it did, in fact, use end-to-end the company was implementing “real not design the product with the foresight encryption. “Zoom has always strived end-to-end encryption” for its users, but that, in a matter of weeks, every person to use encryption to protect content in only for those paying for a subscription. in the world would suddenly be working, as many scenarios as possible, and in A June 5, 2020 piece by Forbes studying, and socializing from home. We that spirit, we used the term end-to-end magazine senior contributor Kate now have a much broader set of users encryption. While we never intended O’Flaherty argued that “if you delve who are utilizing our product in a myriad to deceive any of our customers, we deeper, Zoom’s reasoning behind this of unexpected ways, presenting us with recognize there is a discrepancy between is clearer.” She continued, “First, you challenges we did not anticipate when the commonly accepted definition of lose a lot of functionality if you make the platform was conceived.” end-to-end encryption and how we Zoom end-to-end encrypted. There are Yuan’s message included several were using it.” The blog continued, “To no more dial ins to calls, so you can’t measures Zoom had taken to that point. be clear, in a meeting where all of the join by phone, and you also lose features The company explained to users how participants are using Zoom clients, and like cloud recordings and streaming to to address “Zoombombing,” removed the meeting is not being recorded, we YouTube. Plus, remember that Zoom’s the Facebook SDK in their iOS client encrypt all video, audio, screen sharing, main competitors don’t have end-to-end and reconfigured it to prevent it and chat content at the sending client, encryption: Microsoft Teams, Blue Jeans, from collecting unnecessary device and do not decrypt at any point before Google Meet, Cisco Webex (although information from users, and updated it reaches the receiving client.” Citizen Webex has e2e for some enterprise users its privacy policy to be more clear and Lab noted, however, that the Zoom blog too).” transparent. Yuan also announced post did not provide further details as to Nevertheless, on June 17, 2020, Zoom training and tutorial webinars, live how Zoom’s encryption works, or clarify founder and CEO Eric Yuan announced daily demos, upcoming webinars, video whether they use TLS or AES-256. in a blog post that the company had trainings, and more. He also noted new Citizen Lab also flagged a number “released an updated [end-to-end guides for administrators on how to set of additional Zoom security issues, encryption] design on GitHub. We are up a virtual classroom, how to better including Zoom’s features designed to also pleased to share that we have secure a classroom, and revealed a reduce “friction” in meetings, which identified a path forward that balances dedicated K-12 privacy policy. then also reduce privacy and security. 14 Yuan ended his blog post by discovered a flaw in Zoom that allowed have only become worse.. . . Each day disclosing a 90-day plan with further attendees and remote attackers ‘to hijack that passes presents a new report of a steps, which included shifting all control of presenters’ desktops, spoof previously undisclosed problem with of Zoom’s engineering resources to chat messages, and kick attendees out of Zoom.” focus on the most pressing trust, Zoom calls,’” among other examples. EPIC’s letter acknowledged that safety, and privacy issues; conducting Third, the complaint cited several Zoom had addressed some problems, a comprehensive review with third- security vulnerabilities associated with but that the company’s “haphazard party experts and representative Zoom, including that “[i]f a Zoom user approach to consumer privacy does users to understand and ensure the does not opt-out of video, Zoom may little to assure consumers that Zoom is security on new consumer use cases; enable the user’s webcam and subject a reliable service.” Citing the number and conducting penetration tests to the user to remote surveillance,” among of schoolchildren needing to use Zoom identify problems. On Sept. 11, 2020, The multiple additional concerns. for remote learning and the need for Verge reported that Zoom was making Fourth, the complaint argued that patients to seek online health advice two-factor authentication available through July 2019, Zoom had failed to from medical professionals, EPIC for mobile and desktop applications. address the privacy concerns highlighted again asked the FTC to “make clear Two-factor authentication requires users by news outlets and other observers, its commitment to consumer privacy to confirm their identity using a second despite significant opposition and precisely because we are all more method or device. concern from consumers to Zoom’s dependent on online services today failure to protect their privacy. The than we were just a few weeks ago. The EPIC Files Complaint against Zoom complaint contended that “[w]hen [FTC] should open the investigation that with the FTC, Follows Up With informed of the vulnerabilities Zoom did EPIC proposed last summer. The [FTC] Letter; Zoom Faces Additional not act until the risks were made public, should publish Best Practices for Online Lawsuits several months after the matter was Conferencing.” Although concerns about Zoom’s brought to the company’s attention.” On May 11, 2020, Reuters reported privacy and security issues were not Fifth, the complaint argued that that Simons, during a teleconference widely known until the COVID-19 Zoom had violated the FTC Act by with a subcommittee of the U.S. House pandemic forced people to stay at “engaging in unfair and deceptive acts of Representatives Committee on Energy home and use it, nearly a year earlier, and practices.” The complaint therefore and Commerce, had indicated that on July 11, 2019, the Electronic Privacy asserted that the “harms of Zoom’s the FTC “was looking at” the privacy Information Center (EPIC) filed a practices are within the scope of the complaints regarding Zoom. “We are “Complaint, Request for Investigation, FTC’s authority to enforce Section 5 very happy to take complaints from any Injunction, and Other Relief” (complaint) of the FTC Act, and Zoom should face source,” he said. “If you’re reading about against Zoom with the Federal Trade FTC action for these violations.” The it (an issue) in the press, in the media, Commission (FTC). The complaint complaint further claimed that “Zoom’s then you can be assured that we’re stated that Zoom had “placed at risk the actions — including its decision to install looking at it already or we will because privacy and security of the users of its a hidden web server on users’ Macs and of the media attention. If it’s out there services” and “intentionally designed require consumers to manually change in the media, we’re on it.” As of October their web conferencing service to bypass their default camera settings — placed 2020, the FTC had not announced any browser security settings and remotely users at risk of severe violations of their actions regarding Zoom. enable a user’s web camera without the privacy.” The complaint went on to In addition to the lawsuit filed by consent of the user.” As a consequence, highlight several instances in which the EPIC, beginning in March 2020, Zoom according to the complaint, “Zoom FTC “previously barred companies from faced at least four class action lawsuits exposed users to the risk of remote circumventing privacy settings without filed in federal court regarding various surveillance, unwanted videocalls, and user consent” and “from propagating privacy and security issues. The lawsuits denial-of-service attacks.” deceptive claims about privacy and included: The complaint first asserted the security, as well as “enjoined companies • Cullen v. Zoom Video “[i]mportance of [p]rivacy [p]rotection,” from maintaining inadequate privacy Communications, Inc., No. 5:20-cv- including that the “right of privacy is a policies.” 02155-SVK (N.D. Cal. filed March 30, personal and fundamental right in the Finally, the complaint asked the FTC 2020), available online at: https:// United States.” The complaint added to “investigate Zoom, enjoin its unfair www.courtlistener.com/recap/gov. that the FTC, through Section 5 of the and deceptive business practices, and uscourts.cand.357336/gov.uscourts. FTC Act, “has routinely investigated require Zoom to protect the privacy of cand.357336.1.0.pdf companies for violations of privacy when Zoom users.” • In Re: Zoom Video the company has engaged in ‘[u]nfair Nearly nine months later, on April 6, Communications, Inc., No. 5:20-CV- methods of competition in or affecting 2020, EPIC sent a letter to FTC Chairman 02155-LHK (N.D. Cal. filed July 30, commerce, and unfair or deceptive acts Joseph J. Simons and the other FTC 2020), available online at: https:// or practices in or affecting commerce.’” commissioners, demanding that the www.courtlistener.com/recap/gov. 15 U.S.C. § 45. agency open an investigation into uscourts.cand.357336/gov.uscourts. Second, the complaint outlined Zoom’s privacy and security practices cand.357336.114.0.pdf a number of ways in which Zoom and to issue a “Best Practices for Online • Taylor v. Zoom Video previously jeopardized users’ privacy, Conferencing Services.” The letter read, Communications, Inc., No. 3:20- including in October 2018 when “[T]he FTC never acted on the flaws we “Tenable, a cyber exposure company, identified with Zoom, and the problems COVID-19, continued on page 16 15 COVID-19, continued from page 15 location tracking efforts to combat the movement of people in certain areas coronavirus. of geographic interest drawn from cv-02170 (N.D. Cal. filed March 31, Human Rights Watch defines “mobile cellphone data.. . . The data comes from 2020), available online at: https://www. location data” as “geolocation and the mobile advertising industry rather dropbox.com/s/h078rfxsq4x22um/TZ_ proximity information from mobile than cellphone carriers.” TaylorVZoom_Complaint_Final.pdf?dl=0 phones and other devices.” Mobile According to The Wall Street Journal, • Ohlweiler v. Zoom Video location data can be obtained by the goal was to create a “portal” Communications, Inc., No. 2:20-cv- government and private entities from through which federal, state, and local 03165-SVW-JEM (C.D. Cal. April 3, a variety of sources, including cell site government bodies and officials could 2020), available online at: https:// location information (CSLI), Global track geolocation data across as many www.courtlistener.com/recap/gov. Positioning System (GPS) signals, and as 500 cities across the United States. uscourts.cacd.778595/gov.uscourts. Bluetooth beacons. In doing so, government officials could cacd.778595.1.0.pdf. Human Rights Watch explained “learn how coronavirus is spreading • Hurvitz v. Zoom Video on May 13, 2020 that “[g]overnments around the country and help blunt its Communications, Inc., No. 2:20-cv-3400 view mobile location data as a key advance.” (N.D. Cal. filed April 13, 2020), available component of measures to contain the Private companies also took efforts online at: https://www.law360.com/ spread of Covid-19. They are presenting in spring 2020 to increase tracking of articles/1263127/attachments/0. individualized tracking as a reliable way individuals’ locations to address the Additionally, on Aug. 10, 2020, to track the movement of people who spread of the coronavirus and the Consumer Watchdog, a Washington, D.C. are infected and identify individuals with COVID-19 pandemic. For example, non-profit which says it is dedicated to whom they came into contact during on April 3, Google announced that protecting consumers’ online privacy and the period in which they are contagious. it would begin publishing COVID-19 security, filed a lawsuit in the Superior Individualized tracking can also be Community Mobility Reports, which Court for the District of Columbia Civil used to ascertain whether people are would “use aggregated, anonymized data Division against Zoom, alleging that the complying with social distancing and to chart movement trends over time by company made “false and deceptive quarantine measures.” The advocacy geography, across different high-level representations to consumers about organization added, “Analysis of categories of places such as retail and its data security practices in violation aggregate location data, on the other recreation, groceries and pharmacies, of the District of Columbia Consumer hand, might provide insight into the parks, transit stations, workplaces, and Protection Procedures Act (CPPA),” effectiveness of social distancing residential.” D.C. Code § 28-3901, et seq. (2019). measures, model the potential for The blog post explained that Consumer Watchdog v. Zoom Video transmission, and identify potential ‘hot the company “use[s] aggregated, Communications, Inc., No. 2020 CA spots’ of transmission.” anonymized data showing how busy 003516 (filed Aug. 10, 2020). The lawsuit According to Human Rights Watch, certain types of places are — helping is available online at: https://www. mobile location data can be used identify when a local business tends to consumerwatchdog.org/sites/default/ for “contact tracing,” which is “the be the most crowded. We have heard files/2020-08/Zoom%20Complaint.pdf. process of identifying individuals who from public health officials that this (For more about Cullen v. Zoom Video may have come into contact with an same type of aggregated, anonymized Communications, Inc. and Hurvitz infected person. Its goal is to interrupt data could be helpful as they make v. Zoom Video Communications, transmission by rapidly identifying critical decisions to combat COVID-19.” Inc. cases, as well as the CCPA, see individuals who have been in close The post added, “We will release these “California Consumer Protection Act contact of someone who is infected, reports globally, initially covering 131 Takes Effect” on page 23 of this issue of defined by the United States Centers countries and regions. Given the urgent the Silha Bulletin.) for Disease Control and Prevention need for this information, where possible (CDC) as within 6 feet of someone for we will also provide insights at the COVID-19 Pandemic Prompts approximately 10 or more minutes.” regional level. In the coming weeks, we Questions and Concerns About Mobile location data can also be used will work to add additional countries and Government Entities and Private to “[e]nforc[e] quarantine and social regions to ensure these reports remain Companies Tracking Individuals’ distancing orders,” “[b]ig data analytics,” helpful to public health officials across Locations and “[h]ot spot mapping.” the globe looking to protect people from In spring and summer 2020, On March 28, 2020, The Wall Street the spread of COVID-19.” government entities and private Journal reported that “[g]overnment Since March 2020, several public companies in the United States and officials across the U.S. are using and private entities, including the abroad began tracking individuals’ location data from millions of cellphones Massachusetts Institute of Technology locations through their smartphones in a bid to better understand the (MIT), developed mobile phone apps and electronic devices to help movements of Americans during the used to track and trace who was tested address and combat the spread of the coronavirus pandemic and how they for and/or diagnosed with COVID-19. COVID-19 pandemic through contact may be affecting the spread of the For example, on April 11, 2020, The tracing and geo-tracking. Such moves disease.” More specifically, the report New York Times reported that Apple prompted concern from observers explained that the “federal government, and Google were building software into regarding the privacy implications of through the [CDC], and state and local smartphones that would enable them surveilling members of the public, as governments . . . started to receive “to constantly log other devices they well as the potential ineffectiveness of analyses about the presence and get close to through the short-range

16 wireless technology Bluetooth, enabling to be the sole solution, but as part of a In a June 17, 2020 interview with what is known as ‘contact tracing’ of the robust sophisticated response, it has a WGN Radio, University of Minnesota disease.” role to play.” Silha Center Director and Silha The Times noted that the rare Human Rights Watch contended on Professor of Media Ethics and Law Jane partnership “could prove to be May 13, 2020 that the “privacy risks of Kirtley similarly argued that “there is significant in slowing the spread of the mobile location tracking are significant a lot of concern for people, and I think coronavirus. Public-health authorities and well-established. Mobile location rightfully so, about who will collect have said that improved tracking of information can contain sensitive and [mobile location and geo-tracking] data, infected people and their contacts could revealing insights about a person’s where it will be collected, how long it slow the pandemic, and such measures identity, location, behavior, associations, will be kept, all of the classic questions have been effective in places like South that are raised in Korea that also conducted mass virus the context of data testing.” On May 20, Alabama, North “Because this is a free country where privacy, but [are] Dakota, and South Carolina became people have the right to make decisions brought to the the first states to use the new tracing like this, there is a real problem with [forefront] here technology. The Washington Post because people are reported on Aug. 17, 2020 that there were trying to set up this kind of electronic so understandably initiatives in 20 states and territories to system because it is going to require a anxious about adopt or otherwise use the Apple-Google buy-in from the American public. You're what’s going to technology. going to have to agree with it.” happen with this In an April 16, 2020 blog post, the data, could it be American Civil Liberties Union (ACLU) used against them, praised Apple’s and Google’s efforts as — Jane Kirtley, for example.. . . The protecting privacy to a great extent. The Silha Center Director and question is post read, “To their credit, Apple and Silha Professor of Media Ethics and Law whether you are Google have announced an approach comfortable . . . that appears to mitigate the worst not knowing how privacy and centralization risks, but and activities. The use of mobile phone they’re using it not only for their own there is still room for improvement. We network data creates granular, real-time internal purposes, but for marketing will remain vigilant moving forward targeting opportunities, which can purposes and passing it on to other to make sure any contact tracing app be used by governments to forcefully people, maybe even the government.” remains voluntary and decentralized, and enforce quarantine, discriminate, or Kirtley also noted that government used only for public health purposes and crackdown on populations for other entities and private companies using only for the duration of this pandemic.” reasons. And in the hands of abusive “geo-tracking” technology to determine The Post noted that many of the tracking governments that already have adopted the level of social distancing in American apps similarly “work by using Bluetooth intrusive surveillance practices, this can cities face a significant hurdle in the technology to detect when a user has serve to enhance repression.” United States. “Because this is a free prolonged and close contact, typically The article continued, “The mobile country where people have the right to at least 15 minutes and within about six phone tracking programs described make decisions like this, there is a real feet, with another person who also is above raise concern that governments problem with trying to set up this kind of using such an app.” are collecting, using, and retaining data electronic system because it is going to However, some observers pointed out beyond what is necessary for legitimate require buy-in from the American public. that the use of individuals’ smartphones and targeted disease surveillance You’re going to have to agree with and other electronic devices to track measures. The lack of transparency it.. . . Experts on this technological side their location raises significant data regarding many Covid-19 tracking of it say that if they don’t get at least 60 privacy concerns. In an interview with initiatives . . . prevents the public from percent buy-in on this then it’s not going The New York Times, Mike Reid, an assessing whether there are meaningful to work. So that is the first hurdle.” assistant professor of medicine and limits on the types of personal infectious diseases at the University information that will be collected, used, — Scott Memmel of California, San Francisco, said the aggregated, and retained, or whether Postdoctoral Associate software installed by Apple and Google tracking and data collection will end — Elaine Hargrove “could be a useful tool, but it raises once the pandemic is contained.” Silha Center Staff privacy issues.” He added, “It’s not going

17 Federal Judge Finds Most of North Carolina’s Ag-Gag Law Unconstitutional n June 12, 2020, Judge Oldest ‘Ag-Gag’ Law” in the Winter/ On May 2, 2017, Judge Schroeder Thomas D. Schroeder of Spring 2019 issue, “Fourth Circuit Allows ruled against the organizations. People the U.S. District Court Lawsuit Targeting North Carolina Ag-Gag for the Ethical Treatment of Animals for the Middle District of Law to Continue; District Court Rules v. Stein, 259 F.Supp.3d 369 (M.D.N.C. North Carolina ruled that Wyoming Law Unconstitutional” in the 2017). He found that they could not show Oseveral provisions of North Carolina’s Fall 2018 issue, “Minneapolis Legislature an “injury-in-fact” and, therefore, did not ag-gag law were unconstitutional under Introduces an ‘Ag-Gag’ Law; Federal have Article III standing under the U.S. the First Amendment. People for the Appeals Courts Strike Down Two States’ Constitution to bring the case. Schroeder Ethical Treatment Laws” in the Winter/Spring 2018 issue, wrote that the lawsuit “contain[ed] not AG-GAG LAWS of Animals, Inc. Journalists Face Evolving, Uncertain a single allegation” that the defendants, v. Stein, No. Legal Landscape in “‘Drone Journalism’ which included the state and the 1:16CV25, 2020 Presents Possibilities But Faces Legal University of North Carolina, “had ever WL 3130158 (M.D.N.C. 2020). Previously, Obstacles” in the Fall 2014 issue, and sued or threatened to sue PETA or [the] Schroeder had held that the plaintiffs in “States Consider Banning Undercover ALDF for investigatory conduct.” the case, which included People for the Recording at Agricultural Operations” in On June 5, 2018, the Fourth Circuit Ethical Treatment of Animals (PETA) the Summer 2011 issue.) reversed the district court’s dismissal of and the Animal Legal Defense Fund The case regarding the North Carolina the lawsuit, finding that the animal-rights (ALDF), among other animal-rights ag-gag law arose shortly after the law groups had alleged a plausible “injury-in- organizations, did not have standing to was passed in 2016 when PETA and fact,” namely that they could not conduct bring the case, though his ruling was the ALDF, among other animal-rights undercover investigations of public and reversed and remanded by the U.S. Court organizations, filed a lawsuit against private facilities in North Carolina for of Appeals for the Fourth Circuit. North Carolina Attorney General alleged animal cruelty, causing a “chilling Ag-gag laws vary from state-to-state, Joshua Stein and University of North effect” and “self-censorship.” People but generally criminalize or hold civilly Carolina, Chapel Hill (UNC) Chancellor for the Ethical Treatment of Animals liable individuals or groups who uncover Carol L. Folt, alleging that the statute v. Stein, 737 Fed.Appx. 122 (4th Cir. or expose cases of animal abuse or “interfere[d] with their plans to 2018). The Fourth Circuit remanded food safety violations at agricultural conduct undercover investigations of the case to the Middle District of North facilities. Such statutes often prohibit government facilities in North Carolina Carolina, after which the North Carolina the unauthorized recording of videos for the purpose of gathering evidence Farm Bureau Federation, Inc. moved of agricultural operations and facilities. of unethical and illegal animal practices to intervene in the case, which was These laws raise First Amendment and to disseminate this information to unopposed. concerns from advocacy groups, as the public, in violation of the First and (For more information on North well as media organizations, who argue Fourteenth Amendments.” Carolina’s ag-gag law, as well as the that such laws chill protected First The North Carolina Property district court and Fourth Circuit rulings, Amendment activity, namely undercover Protection Act, N.C. Gen. Stat. see Federal Appellate Court Allows investigations seeking to expose unsafe § 99A-2 (2016), provides that “[a]ny Lawsuit to Continue Against North conditions or illegal practices. Ag-gag person who intentionally gains access Carolina Ag-Gag Law in “Fourth Circuit laws can also take the form of agriculture to the nonpublic areas of another’s Allows Lawsuit Targeting North Carolina disparagement laws, which establish a premises and engages in an act that Ag-Gag Law to Continue; District Court cause of action for damages arising from exceeds the person’s authority to Rules Wyoming Law Unconstitutional” in negative statements or dissemination of enter those areas is liable to the owner the Fall 2018 issue of the Silha Bulletin.) false information about the safety of food or operator of the premises for any On June 22, 2020, Judge Schroeder products. damages sustained.” “Non-public” held that North Carolina’s ag-gag law Since 2017, several federal courts areas are defined as “those areas not violated the First Amendment, finding have ruled in favor of animal rights and accessible to or not intended to be that two provisions were facially food activist groups in their lawsuits accessed by the general public.” unconstitutional, while two other targeting ag-gag laws, including those in The statute provides several scenarios provisions were unconstitutional as Iowa, Wyoming, North Carolina, Idaho, where this may occur, including an applied. Schroeder first held that the and Utah. (For more information on individual “[k]nowingly or intentionally plaintiffs had established Article III the conflict between journalism and placing on the employer’s premises standing in the case, reasoning that they ag-gag laws, as well as the federal court an unattended camera or electronic had plausibly argued an “injury-in-fact” rulings, see “Federal Courts Rule Iowa surveillance device and using that device that was “a concrete and particularized and Kansas “Ag-Gag” Laws Violated to record images or data.” The Act invasion of a legally protected interest,” First Amendment, Dismiss Lawsuit provides for equitable relief, as well as citing the U.S. Supreme Court’s 2016 Challenging Arkansas’ Statute” in the the recovery of compensatory damages, opinion in Spokeo, Inc. v. Robins, Winter/Spring 2020 issue of the Silha costs and attorneys’ fees, and exemplary 136 S. Ct. 1540, 1548 (2016). (For Bulletin, “Federal Judge Strikes Down damages in the amount of $5,000 for more information on Spokeo, Inc. v. Iowa’s ‘Ag-Gag’ Law; Coalition of Animal each day that the person has acted in Robins, see “Ninth Circuit Addresses Rights Groups Challenges Nation’s violation of the statute. Spokeo after Supreme Court Remands 18 Case; Circuit Court Splits on Article III court must determine whether there and (b)(5), and given where the statute Standing Bar Following Spokeo” in the was a compelling government interest does not reach, the court finds that Summer 2017 issue of the Silha Bulletin, in restricting speech and whether the the Act does not cover a substantial “Supreme Court Issues Long-Awaited restrictions were narrowly tailored to amount of protected activity to render Spokeo Ruling” in the Summer 2016 achieve that interest. it overbroad.” Regarding vagueness, issue, and “U.S. Supreme Court Accepts Conversely, he held that the First he held that the provisions were “not Review of Robins v. Spokeo, Inc.” in the Amendment challenge to subsection (b) impermissibly vague as a facial matter, Summer 2015 issue.) (1) could only be brought as an applied and Plaintiffs’ motion for summary Schroeder found that the challenge. Schroeder found that although judgment will be denied.” animal-rights groups had established the prohibition on “capturing” the owner Finally, Schroeder ruled that that they “engaged in or supported of the facility’s information and data “subsections (b)(1) and (b)(5) of the undercover investigations in the past constituted a prohibition on protected Act are unconstitutional as-applied for the purpose of gathering and speech, he could “ignore the possible and subsections (b)(2) and (b)(3) are disseminating information or have myriad legitimate applications of unconstitutional both facially and as- relied on undercover investigations to subsection (b)(1).” Schroeder reached a applied.” He therefore ordered that the disseminate information,” and also that similar conclusion regarding subsection defendants, “as well as their officers, they “refrained from doing so out of fear (b)(5), which “creates liability for agents, employees, attorneys, and all of [civil] liability” under the ag-gag law. acts that ‘substantially interfere[] other persons in active concert or He added that the plaintiffs had also with the ownership or possession participation with them, are therefore “set forth sufficient facts to establish of real property.’” He reasoned that permanently enjoined from attempting both causation and redressability and “[a]ll sorts of non-speech acts” could to enforce subsections (b)(1) and consequently have standing.” be proscribed by that provision and (b)(5) against Plaintiffs in their Second, Schroeder turned to the that the plaintiffs had failed “to show stated exercise of speech.” He further plaintiff’s motion for summary judgment that subsection (b)(5) lacks any plainly ordered that “[s]ubsections (b)(2) and arguing that subsections (b)(1), (b)(2), legitimate sweep.” Schroeder therefore (b)(3) are therefore struck down as (b)(3) and (b)(5) of the ag-gag law concluded that these subsections were unconstitutional. Defendants, as well violated the First Amendment “because subject to intermediate scrutiny, a lower as their officers, agents, employees, they fail the requisite scrutiny and are standard than strict scrutiny requiring attorneys, and all other persons in active unconstitutionally overbroad.” He held that government prove that the law is concert or participation with them, are that although North Carolina’s law “narrowly tailored to serve a significant permanently enjoined from attempting differed from others that had been struck government interest and leave[s] to enforce subsections (b)(2) and (b)(3) down in that it imposed civil rather than open ample alternative channels of against Plaintiffs.” The full ruling is criminal penalties, it still represented communication.” available online at: https://www.rcfp.org/ government restriction of speech, Schroeder ruled that because the wp-content/uploads/2020/06/2020.06.12- therefore constituting “state action.” defendants “failed to defend the Act PETA-v.-Stein-ag-gag-ruling.pdf. He reasoned that North Carolina, in on strict scrutiny grounds” and did not In a statement following the passing the law, “identified speech (or in “put forward any compelling interest,” ruling, North Carolina Rep. John some cases, conduct which can include they had “failed to carry their burden Szoka (R-Cumberland), the ag-gag speech) it wishe[d] to allow to be as to subsections (b)(1) and (b)(2).” law’s primary sponsor, said he was proscribed and . . . empowered private He further held that “even under disappointed in the ruling. “I did parties to enforce the prohibition,” citing intermediate scrutiny each of the everything I could to make sure that no Cohen v. Cowles Media Co., 501 U.S. 663, challenged provisions fails.” Schroeder one’s First Amendment rights were being 668 (1991). reasoned that North Carolina’s existing restricted,” he said. Schroeder then held that the trespass law, among other statutes, David Muraskin, an attorney with prohibition on undercover recording provided alternative means to target Public Justice, a nonprofit law firm restricted speech, rather than only those trespassing into agricultural representing the plaintiffs, called the conduct. He rejected the defendants’ facilities without implicating speech. ruling a “complete win” in a statement. argument that “image capture and As a result, Schroeder held that “Essentially . . . anyone who wants to recording following a trespass under although the defendants had “identified engage in an undercover investigation the Act [are] unprotected speech.” He a legitimate governmental interest in of a facility should not fear [this law],” reasoned that although “free speech protecting private property, they have he said. “To the extent the function cannot be used to justify violation failed to demonstrate through evidence of your activity is speech, rather than of laws of general application that that the Property Protection Act is stealing . . . you should be protected operate independent of speech, such narrowly tailored to further that interest by the First Amendment.” He added, “I as trespass,” citing Food Lion, Inc. v. or that existing laws, such as trespass, think this [ruling] should alleviate a lot Capital Cities/ABC, Inc., 194 F.3d 505, are insufficient to address the problem.” of fear for people who want to come 521 (4th Cir. 1999), it does not mean that Fourth, Schroeder turned to the forward.” “that category of speech is unprotected.” plaintiffs’ arguments that subsections (b)(1) and (b)(5) were unconstitutionally Next, Schroeder determined that — Scott Memmel subsections (b)(2) and (b)(3), which overbroad and unconstitutionally Postdoctoral Associate prohibited the recording of images in vague. Regarding the former, Schroeder the agriculture facilities, were subject held that “[c]onsidering the plainly to strict scrutiny review, meaning the legitimate sweep of subsections (b)(1) 19 D.C. Circuit Affirms Ruling Requiring White House to Return White House Reporter’s Press Credential n June 5, 2020, the U.S. On Aug. 20, 2019, Karem filed a pass could be suspended under these Court of Appeals for the lawsuit against President Trump and circumstances.” D.C. Circuit ruled in favor then-White House Press Secretary Contreras also held that Karem of Playboy magazine senior Stephanie Grisham, requesting that the had adequately demonstrated that White House reporter and federal District Court for the District “even the temporary suspension of OCNN political analyst Brian Karem in of Columbia “vacate the suspension his pass inflict[ed] irreparable harm his lawsuit against President Donald and order that Karem’s hard pass be on his First Amendment rights.” He Trump’s administration, which stemmed immediately restored.” The complaint reasoned that Karem’s “First Amendment from the White argued that the suspension violated interest depends on his ability to freely FIRST House’s August Karem’s Fifth Amendment rights, citing pursue ‘journalistically productive AMENDMENT 2019 suspension Sherrill v. Knight, 569 F.2d 124 (D.C. Cir. conversations’ with White House of Karem’s hard 1977), in which the D.C. Circuit “made officials.” Contreras therefore held that pass — a physical press credential “the only way to granting him access to the White House. “Karem is likely to succeed on his due remedy the injury The D.C. Circuit unanimously held that is to return the Karem was “likely to succeed on his process claim because, on this record, hard pass and the [Fifth Amendment] due process claim he lacked fair notice that the White access that comes because, on this record, he lacked fair House might punish his purportedly with it. Under those notice that the White House might circumstances, punish his purportedly unprofessional unprofessional conduct by suspending Karem’s First conduct by suspending his hard pass,” his hard pass for a month.” Amendment injury affirming a September 2019 preliminary undoubtedly injunction issued by Judge Rudolph — D.C. Circuit Judge David S. Tatel constitutes Contreras of the U.S. District Court for a concrete, the District of Columbia. unrecoverable The case arose in August 2019 when very clear . . . [that] the White House may harm sufficient to warrant preliminary the White House suspended Karem’s deny, revoke or suspend a press pass relief.” press pass for 30 days. The White based only on ‘explicit and meaningful (For more information on Karem’s House cited Karem’s July 11, 2019 standards’ that have been ‘publish[ed]’ lawsuit and Contreras’ ruling, see confrontation with conservative radio so as to afford fair notice to reporters, “Federal Judge Orders White House to host Sebastian Gorka. While waiting for and to avoid arbitrary or discriminatory Reinstate Reporter’s Press Credential” in a presidential press conference in the punishments.” the Fall 2019 issue of the Silha Bulletin.) Rose Garden, Karem called the attendees The complaint also argued that On June 5, 2020, the D.C. Circuit of the preceding social media summit, that the suspension violated the First affirmed Contreras’ ruling, holding which observers contended was largely Amendment, including because the that “Karem is likely to succeed on meant for President Donald Trump’s suspension was “clearly meant to his due process claim because, on supporters, “a group of people eager for punish and deter his reporting on the this record, he lacked fair notice that demonic possession.” Karem and Gorka Administration rather than based on the White House might punish his then shouted at each other, including anything he said in the Rose Garden purportedly unprofessional conduct Gorka yelling “You’re a punk, you’re not in July.” The complaint therefore by suspending his hard pass for a a journalist, you’re a punk.” argued that the suspension was “an month.” Judge David S. Tatel wrote for In an Aug. 2, 2019 tweet, Playboy impermissible content-based regulation the unanimous three-judge panel and wrote that Gibson, Dunn & Crutcher LLP of speech, and an attempt to censor the first citedSherill , including the D.C. attorney Theodore J. Boutrous would press and exclude from the White House Circuit’s finding that “the protection represent Karem and appeal the White reporters who challenge and dispute the afforded newsgathering under the House’s decision. (Boutrous delivered President’s point of view.” [F]irst [A]mendment . . . requires that the 33rd Annual Silha Lecture, titled On Sept. 3, 2019, Judge Contreras [access to White House press facilities] “The First Amendment and #MeToo” granted the motion for a temporary not be denied arbitrarily or for less on Oct. 17, 2018. For more on the restraining order and preliminary than compelling reasons.” Tatel wrote lecture, see “33rd Annual Silha Lecture injunction brought by Karem, ordering that “[f]orty years on, today’s hard-pass Addresses the Free Speech Implications the Trump administration to restore system is little changed from the one of the #MeToo Movement” in the Fall the reporter’s hard pass. Karem v. described in Sherrill.” 2018 issue of the Silha Bulletin. For Trump, 404 F.Supp.3d 203 (D.D.C. 2019). Second, Tatel cited the White more information on the background of Contreras held that Karem had, “at this House’s previous attempt to revoke Karem’s case, see “White House Revokes early stage of the proceedings, shown CNN reporter Jim Acosta’s credential in and Suspends Hard Press Passes Under that he is likely to succeed on this due November 2018, which led to a similar New Rules” in the Summer 2019 issue of process claim, because the present ruling by the District Court for the the Silha Bulletin.) record indicates that Grisham failed to District of Columbia. That case arose provide fair notice of the fact that a hard on Nov. 7, 2018, when President Trump 20 called Acosta “a rude, terrible person” and Actions” in the Fall 2018 issue of the that some other, egregious conduct after he asked the president repeated Silha Bulletin.) might justify the same sanction.” He questions during a press conference Third, Tatel turned to Karem’s added, “And even if the White House following the 2018 midterm elections. due process claim and cited the U.S. could impose that sanction for such Boutrous filed a lawsuit on behalf of Supreme Court’s finding in FCC v. Fox egregious conduct consistent with due CNN and Acosta in November 2018 Television Stations, Inc., 567 U.S. process, Karem’s behavior as reflected against President Trump and several 239, 253 (2012) that “[a] fundamental in the preliminary injunction record members of his administration, arguing principle in our legal system . . . is that fell below that threshold. Notions that Acosta’s First and Fifth Amendment laws which regulate persons or entities of professionalism are, after all, rights had been violated, and that must give fair notice of conduct that is context-dependent.” President Trump’s administration failed forbidden or required.” He found that Fourth, Tatel held that Karem to follow the proper protocols, therefore this “‘essential . . . protection[]’ of fair stood “to suffer immediate irreparable violating the Administrative Procedure notice applies here.” harm absent an injunction.” He cited Act, 5 U.S.C. § 706. Tatel held that “Karem’s due Gordon v. Holder, 721 F.3d 638, 653 On Nov. 16, 2018, Judge Timothy J. process claim is likely to succeed (D.C. Cir. 2013), in which the D.C. Kelly held that the White House was because, on this record, nothing put Circuit concluded that “a prospective wrong to revoke Acosta’s credentials, him on notice of ‘the magnitude of the violation of a constitutional right ordering the Trump administration to sanction’ — a month-long loss of his constitutes irreparable injury immediately return them. Cable News White House access, an eon in today’s for . . . purposes [of] . . . seeking Network, Inc. v. Trump, No. 18 Civ. 2610 news business — that the White House equitable relief.” (D.D.C. 2018). Although Kelly did not ‘might impose’ for his purportedly Finally, Tatel affirmed the district rule on the underlying case regarding the unprofessional conduct at the non- court’s preliminary injunction, but First and Fifth Amendments, he found press-conference event.” He cited “the clarified one aspect of its scope, that the White House did not provide lack of formally articulated standards holding that the injunction did not run Acosta with the due process required to and sanctions” by the White House, to President Trump, but instead “only legally revoke his press pass, therefore including in the Acosta Letter. Tatel to the Press Secretary.” He cited the causing Acosta “irreparable harm.” added that even if the White House had defendants’ uncontested argument On Nov. 19, 2018, the White House articulated such standards in the Acosta that “[t]he President is not a proper restored Acosta’s credential, but also Letter, previous examples of “journalistic defendant in this case and . . . no sent a letter (the Acosta Letter) to the misbehavior . . . elicited no punishment temporary injunctive relief can issue White House press corps detailing new at all, let alone a month’s exile.” against him.” The full ruling is available rules at presidential press conferences, Tatel rejected several of the online at: https://www.cadc.uscourts. which included: “(1) a journalist White House’s arguments, including gov/internet/opinions.nsf/BC95D- called upon to ask a question will the claim that “‘basic standards of 2B55151A3A18525857E00506384/$- ask a single question and then will professionalism’ should have put Karem file/19-5255-1845846.pdf. yield the floor to other journalists; on notice that “breaches of [such] In a June 5 statement following the (2) At the discretion of the President standards . . . can carry consequences ruling, White House Correspondents’ or other White House official . . . a stricter than an admonition not to Association (WHCA) president Jonathan follow-up question or questions may engage in that behavior again.” Tatel Karl praised the decision, writing, be permitted . . . (3) ‘Yielding the floor’ contended that the White House could “Today the DC Circuit affirmed what includes, when applicable, physically not “rely on unarticulated standards of we all know — the work of journalists surrendering the microphone to professionalism or ‘the adage that some reporting from the White House is White House staff for use by the next things go without saying’ to justify the essential to our republic. The WHCA questioner.” Failure to abide by these thirty-day suspension for the conduct at stands ready to fend off efforts by any rules could “result in suspension or issue here.” administration to constrain the rights revocation of the journalist’s hard pass.” Tatel also noted that the White of journalists or to threaten our ability (For more information on the White House, “raising the specter of the to . . . exercise our First Amendment House’s attempt to revoke Acosta’s absurd, . . . argue[d] that it cannot be the rights.” hard pass, the ensuing legal battle, and case that ‘the Press Secretary would be In a June 5 tweet, the Reporters the new rules for presidential press powerless to take action even were a Committee for Freedom of the Press conferences, see President Trump Calls reporter to ‘moon’ the President, shout (RCFP) wrote that the D.C. Circuit’s CNN Reporter “Rude, Terrible Person,” racial epithets at a foreign dignitary, or ruling “upholds the rights of press Revokes His Press Credentials; Federal sexually harass another member of the covering the White House.” Judge Requires Trump Administration press corps.’” Tatel held that the White Reinstate Credentials in “President House could not defend the suspension — Scott Memmel Trump Continues Anti-Press Rhetoric of Karem’s hard pass “on the ground Postdoctoral Associate

21 President Trump’s Campaign Demands CNN Retract And Apologize for Poll, But Network Declines n June 10, 2020, CNN reported to harm [President Trump’s campaign].” advertising. The letter contended that that Donald J. Trump for The letter therefore requested that CNN CNN Broadcasting, Inc., CNN Productions, President, President Donald retract the poll and publish a “full, fair, Inc., and CNN Interactive, Inc. violated Trump’s re-election campaign, and conspicuous retraction, apology, the statute by misrepresenting President sent a cease-and-desist letter and clarification to correct its misleading Trump, and threatened legal action unless Oto CNN President Jeff Zucker demanding conclusions.” The full letter is available CNN agreed to an “appropriate resolution that CNN retract and apologize for a poll online at: https://twitter.com/tedstew/ of the matter.” Several observers criticized revealing that Trump was “well behind” status/1270789222849548288/photo/1. the letter, contending that such a lawsuit then-presumptive On June 10, Vigilante sent a letter would face a significant First Amendment PRIOR Democratic responding to President Trump’s campaign, defense and was unlikely to succeed. For RESTRAINT presidential including Senior Legal Adviser Jenna Ellis. example, in an Oct. 18, 2019 tweet, Gibson, nominee and Vigilante began the response by writing, Dunn & Crutcher LLP attorney Theodore former Vice President Joe Biden. The same “To my knowledge, this is the first time J. Boutrous called the letter “absolutely day, CNN Executive Vice President and in its 40-year history that CNN had been ridiculous,” adding that “[n]o serious General Counsel David Vigilante criticized threatened with legal action because an lawyer would ever think of sending such the demands, calling them “factually and American politician or campaign did not a frivolous letter making such a baseless legally baseless.” like CNN’s polling results.” The response threat.” (Boutrous delivered the 33rd On June 8, 2020, CNN published a poll continued, “To the extent we have received Annual Silha Lecture, titled “The First under the headline “CNN Poll: Trump legal threats from political leaders in Amendment and #MeToo” on Oct. 17, 2018. losing ground to Biden amid chaotic week.” the past, they have typically come from For more on the lecture, see “33rd Annual The poll, which was conducted by SSRS, an countries like Venezuela or other regimes Silha Lecture Addresses the Free Speech independent research company, sampled where there is little or no respect for a free Implications of the #MeToo Movement” in 1,259 respondents between June 2 and June and independent media.” the Fall 2018 issue of the Silha Bulletin. 5, including “an oversample of 250 black, The response also discussed the For more information on the letter and non-Hispanic respondents.” The poll found reputation of McLaughlin & Associates, resulting criticism by observers, see that President Trump trailed Biden by 14 noting that the firm had a “C/D rating” from “Letter Sent on Behalf of President Trump points, 55%-41%, among registered voters. It FiveThirtyEight, a website focused on Threatens Legal Action Against CNN, also found that President’s approval rating opinion polling and analysis. The response Prompting Criticism” in the Fall 2019 issue had fallen to 38%, the lowest rating since added that the firm was able to evaluate of the Silha Bulletin.) January 2019, according to CNN. The full and criticize CNN’s poll because the Harder, of Harder LLP, is best known poll results are available online at: http:// network “is transparent and publishes its for his successful lawsuit against media cdn.cnn.com/cnn/2020/images/06/08/rel6a.- methodology along with its polling results.” gossip website Gawker on behalf of .race.and.2020.pdf. CNN’s story about the The response continued, “Because of this, former professional wrestler Hulk Hogan, poll is available online at: https://www.cnn. McLaughlin was free to publish his own as well as his more recent legal attacks com/2020/06/08/politics/cnn-poll-trump- critique of CNN’s analysis and share his on technology news website TechDirt biden-chaotic-week/index.html. criticisms across the U.S. media landscape. and women’s website Jezebel. (For more The cease-and-desist letter sent by That’s how free speech works. It’s the information on Harder and his lawsuits President Trump’s campaign was dated American way.” against media outlets, see Book About the June 9, 2020 and first contended that the The response concluded by stating, Trump Administration’s White House “upcoming November 3, 2020 election is a “Your letter is factually and legally Raises Ethical and Legal Questions in ripe target for peddlers of misinformation baseless. It is yet another bad faith attempt “The Ethics of Covering President Donald and false manipulated content, including by the campaign to threaten litigation and Trump” in the Winter/Spring 2018 issue media polls.” The letter argued that CNN’s muzzle speech it does not want voters to of the Silha Bulletin, “Attorney Charles poll was “designed to mislead American read or hear. Your allegations and demands Harder Continues Attacks on News voters through a biased questionnaire are rejected in their entirety.” The full Websites by Filing Defamation Suits” in and skewed sampling.” The letter cited an response is available online at: https:// the Fall 2017 issue, “Gawker Shuts Down investigation by McLaughlin & Associates, www.cnn.com/2020/06/10/politics/cnn- After Losing Its Initial Appeal of $140 a polling firm selected by President letter-to-trump-over-poll/index.html. Million Judgment in Privacy Case” in the Trump’s campaign, according to The Hill As the Bulletin went to press, President Summer 2016 issue, and “Gawker Faces on Oct. 12, 2019. According to the letter, Trump’s campaign had not taken any $140 Million Judgment after Losing Privacy the investigation found that the poll was further action regarding the CNN poll. Case to Hulk Hogan” in the Winter/Spring “only 23% Republican” and targeted adults, Previously, on Oct. 18, 2019, attorney 2016 issue.) rather than likely voters. Charles Harder sent a letter on behalf of The letter further criticized the poll and President Trump to Zucker and Vigilante argued that CNN pollsters would continue accusing CNN of violating the Lanham — Scott Memmel to “manipulate polling data.” The letter Act of 1946, 15 U.S.C. § 1051 et seq., a Postdoctoral Associate added that the poll was “intentionally false, federal statute that governs trademarks defamatory, and misleading, and designed and also includes provisions against false

22 California Consumer Protection Act Takes Effect he California Consumer notifications of alleged violation to non- schooling, socializing with family and Protection Act (CCPA), which compliant businesses. friends, or working remotely — we are officially took effect on Jan. On July 1, 2020, the CCPA became turning to mobile phones and computers 1, 2020, continued to be a enforceable by the California Attorney as a lifeline. With such a dependency on moving target for privacy General, despite calls from the tech online connectivity, it is more important Tregulation. After several draft regulations industry to delay due to business than ever for Californians to know their and comment periods, on June, 2, 2020, disruptions caused by the COVID-19 privacy rights,” Becerra wrote. California Attorney General Xavier Becerra pandemic and concerns that final Although Becerra had previously submitted final regulations had not yet been approved. declined to state whether the office would regulations to the The CCPA grants California residents begin enforcement on July 1, in a July 9 PRIVACY California Office more control over how certain businesses keynote presentation with the International of Administrative use their personal information. Although Association of Privacy Professionals Law (OAL) for approval as well as a final the CCPA went into effect on Jan. 1, (IAPP), California Supervising Deputy “statement of reasons” to clarify the 2020, a previous 2018 amendment added Attorney General Stacey Schesser requirements and enforcement of the six months before enforcement by the confirmed that initial compliance notice CCPA. The final regulations were approved California Attorney General could begin. letters had been sent. Although the letters by the OAL on Aug. 14, 2020. Despite calls However, businesses were required to themselves remain confidential, according from businesses to delay enforcement begin complying by the January 1 effective to ReedSmith privacy attorneys Samuel F. because of business disruptions caused date. Under the statute, businesses are Cullari and Alexis Cocco, Deputy Schesser by the COVID-19 pandemic, as well as the granted 30 days to cure any alleged provided some insight into the letters’ delayed final regulations, the California violations of the law after being notified substance: Attorney General began enforcing the of alleged noncompliance. If a business • “They targeted multiple industries act on July 1, 2020. Meanwhile, several fails to cure the alleged violation, it may and business sectors.” lawsuits have been brought under the be subject to an injunction and liable for • “They focused on businesses that CCPA that raise noteworthy questions a civil penalty of up to $2,500 for each operated online and were missing either about the scope of the CCPA’s private right violation or $7,500 for each intentional key privacy disclosures or a ‘Do Not of action. Each event is discussed in more violation. Sell’ link (where AG thought one was detail below after a broad overview of the On March 20, 2020, more than two necessary).” CCPA. dozen trade associations and business • “The targets of the letters were Passed in 2018, the statute is the first groups sent a joint letter to the office identified based, at least in part, on law in the United States to establish of the attorney general requesting that consumer complaints, including a comprehensive set of rules around enforcement be delayed until Jan. 2, complaints made using social media.” consumer data. The statute applies to any 2021. The letter, which was signed by the According to Cullari and Cocco, Deputy business that operates in California and Internet Coalition and the California U.S. Schesser also offered insight into future either makes at least $25 million in annual Chamber of Commerce, among others, enforcement actions by referencing past revenue, gathers data on more than 50,000 also pointed out that the state-issued enforcement actions, which have focused users, or makes more than half its money regulations for the law had yet to be on wide-scale impact and actual harm to from user data. For California residents, finalized. “We are concerned that given Californians. the statute grants more control over how current events and the presently unfinished After several draft regulations and covered businesses use their personal status of the regulations implementing comment periods, on June, 2, 2020, information. The law allows California the CCPA, businesses will not have the Becerra submitted final regulations to residents to demand that businesses operational capacity or time to bring their the OAL for approval as well as a final disclose any personal information they systems into compliance with the final “statement of reasons” to clarify the have collected, delete that information regulatory requirements by July 1, 2020,” requirements and enforcement of the if asked, and refrain from selling or the letter stated. CCPA. Under the statute, the Attorney transferring it to third parties. In an interview with The Washington General is allowed to provide guidance Businesses in violation of the CCPA Post, Becerra acknowledged the request through additional regulations “necessary face both private rights of action and but noted that the law had already gone to further the purposes of the [CCPA].” investigation by the California Attorney into effect on January 1. “It’d be very On Aug. 14, 2020, the OAL approved the General’s Office. California consumers can awkward to continue another six months Attorney General’s CCPA regulations. bring private actions against businesses as some companies were requesting where Five provisions were withdrawn from for failure to maintain reasonable security people would have rights, companies OAL review; those provisions “required procedures that result in “unauthorized would have obligations, but no one would businesses to obtain express consent access and exfiltration, theft, or disclosure” be there to make sure those rights are from consumers before using previously of their nonencrypted and nonredacted being complied with,” Becerra told the collected information for a materially personal information. For private rights of newspaper. different purpose, required businesses action, statutory damages will amount to Meanwhile, privacy experts anticipated substantially interacting with consumers the greater of actual damages, or between strong enforcement from Becerra offline to provide notice of right to opt- $100 and $750 per consumer, per incident. during the COVID-19 pandemic, citing a out via an offline method, established Additionally, following July 1, 2020, the coronavirus-related alert Becerra issued minimum standards for submitting California Attorney General began sending on April 10. “Whether it’s our children’s CCPA, continued on page 24 23 CCPA, continued from page 23 unknown as courts are just beginning This trend, Jehl writes, “may incentivize to grapple with the new law, privacy the California attorney general to bring requests to opt-out to businesses, and attorneys have noted several themes early enforcement actions to establish provided businesses with the ability to arising from plaintiffs’ complaints such as binding precedent in state courts before deny certain requests from authorized a preference for class actions and federal many cases are adjudicated by the federal agents.” The approved regulations put court, as well as attempts to bring broad courts.” forth specific requirements and procedures claims under several CCPA provisions and Meanwhile, although the CCPA’s private for items such as the drafting of notices, use alleged CCPA violations as a basis for right of action is explicitly limited to the contents of web pages and privacy liability under other California statutes. allegations arising under the data security policies, opt-in and opt-out notices, Furthermore, privacy attorneys have noted provision and the defendant’s failure to and how businesses should respond to that the popularity of video conferencing provide “reasonable security,” plaintiffs are consumer requests. software and social media apps in light of attempting to bring claims for violations Importantly, a GDPR-compliant the COVID-19 pandemic has spurred much arising under other CCPA provisions. program does not provide a safe harbor for litigation. For example, in Taylor v. Zoom Video CCPA compliance. As the Final Statement In addition to enforcement by the Communications, Inc., plaintiffs alleged of Reasons explains: “[B]ecause of the California Attorney General, the CCPA violations arising under Cal. Civ. Code § key differences between the GDPR and provides a narrow private right of action 1798.100(b), requiring notice at or before CCPA, especially in terms of how personal applicable only to the CCPA’s data the point at which personal information information is defined and the consumer’s security provision. That provision states: is collected and limiting additional uses right to opt-out of the sale of personal “Any [California resident] consumer of personal information; and Cal. Civ. information (which is not required in whose nonencrypted and nonredacted Code §1798.120(b), requiring a business the GDPR),” the Office of the Attorney personal information . . . is subject to an to provide notice of the right to opt-out of General rejected a limited exemption for unauthorized access and exfiltration, theft, sales of personal information. GDPR-compliant firms as “it would be or disclosure as a result of the business's In addition, plaintiffs have also less effective in carrying out the purposes violation of the duty to implement and attempted to use alleged violations of the of the CCPA.” Therefore, as Strauss and maintain reasonable security procedures CCPA as constituting claims under other Rogers highlighted, businesses subject and practices appropriate to the nature California statutes, such as the California to GDPR will need to take additional of the information to protect the personal Unfair Competition Law. For example, in measures to comply with the CCPA as well. information may institute a civil action.” Hurvitz v. Zoom Video Communications, Further, compliance with Privacy Shield The definition of “personal information” in Inc. et al., the plaintiffs alleged that does not guarantee compliance with the the context of the private right of action defendant Zoom did not provide notice CCPA or GDPR. For more information on is narrower than the expansive definition to consumers of the categories and uses the status of Privacy Shield, see “CJEU applicable to other CCPA provisions of personal information it collects at or Strikes Down EU-U.S. Privacy Shield, and applies only to an individual’s name before the point of collection, in violation Confirms Validity of Standard Contractual together with an identifying data element, of the CCPA. However, because of the Clauses” in the Summer 2020 issue of the such as a Social Security number, driver’s limited private right of action in the CCPA, Silha Bulletin. license number, or medical information. the plaintiffs alleged that the violation Privacy experts raised frustrations that Under the provision, a plaintiff may seek constitutes an unlawful business practice the final regulations failed to clarify how injunctive or declaratory relief, actual in violation of the California Unfair to interpret key terms, meaning that will damages or statutory damages in an Competition Law, even though the CCPA be determined through litigation. Mary amount not less than $100 and not greater explicitly bars such action. Although the Stone Ross, consultant and past president than $750 per consumer, per incident. statute presumably bars such claims, it of the advocacy group Californians for Before seeking statutory damages, remains to be seen if courts will follow the Consumer Privacy that helped draft the however, the consumer must provide the statute. ballot initiative that spurred the enactment business 30 days written notice to cure the Finally, lawsuits filed against of the CCPA, stated “I'd imagine that, once alleged violation. The CCPA also explicitly videoconferencing companies such as the attorney general starts enforcing, there prohibits plaintiffs from alleging that a Zoom Video Communications, Inc., may will be a lot of debates and arguments over CCPA violation constitutes a violation of help clarify the meaning of the terms the trickier definitions in these regulations, other statues. “unauthorized access” and “reasonable which will ultimately eventually lead to Privacy attorneys have noted that security procedures and practices” more consensus on these issues.” several of the current cases pending in the CCPA’s private right of action. under the CCPA have been brought as For example, in Cullen v. Zoom Video Litigation Under the California class actions in federal court. McDermott Communications, Inc., plaintiffs highlight Consumer Privacy Act’s Private Right Will and Emery partner Laura E. Jehl that Zoom’s iOS app previously featured of Action Begins asserted that although the number of class a digital advertising platform’s software Several lawsuits have already been actions is not surprising, the fact that development kit that collected certain brought under the CCPA that raise the claims have been brought in federal device identifiers, such as device carrier, noteworthy questions about the scope of court creates “an interesting dynamic device model and time zone. Several the CCPA’s private right of action. Although whereby the federal courts may have the days after an article was published on the the extent of possible liability from private opportunity to examine and adjudicate practice, Zoom released a blog post stating litigation brought under the CCPA is largely CCPA before California state courts do.” that it had been unaware that the software

24 was collecting device identifiers and had • create new rights around the use entities are using our data.” Mactaggart removed the advertising platform and and sale of sensitive personal information was the drafter of the 2018 California ballot software. The plaintiffs allege that Zoom’s (health, financial, racial or ethnic origin, initiative that served as the basis for the actions violated its duty to implement and precise geolocation); California Consumer Privacy Act of 2018. maintain reasonable security procedures • enhance children’s privacy by tripling However, in an open letter announcing the and practices, resulting in the unauthorized fines for violations of the CCPA’s opt-in to new ballot initiative, Mactaggart stated disclosure of plaintiffs’ nonencrypted sale right and create a new requirement to that CCPA “now seems insufficient” and and nonredacted personal information. obtain opt-in consent to collect data from emphasized that “some of the world’s “Although the private right of action is consumers under the age of 16; largest companies have actively and widely understood to protect only against • create transparency obligations explicitly prioritized weakening the CCPA.” data breaches, the Cullen plaintiffs make around automated decision-making and Privacy advocates noted that the new at least a colorable allegation that the profiling of consumers; initiative included several compromises right of action may apply to exchanges of • create a right to data minimization, between business and consumer privacy information between business partners,” as well as providing notice to consumers concerns. For example, in an October Jehl wrote. For more information about about the length of time each category of 2019 open letter, a coalition of eleven privacy issues with Zoom during the personal information will be retained; privacy groups including the Electronic COVID-19 pandemic, see “COVID-19 • create a right to correct inaccurate Frontier Foundation (EFF), the Center Pandemic Raises Data Privacy and Security personal information; for Digital Democracy, and the American Questions and Concerns” on page 11 in this • direct obligations on service Civil Liberties Union California Chapter, issue of the Silha Bulletin. providers to assist businesses with CPRA proposed several ways to strengthen the compliance activities; initiative. One of the proposals was that California Privacy Rights Act Qualifies • include email account credentials Mactaggart remove an exemption that for November Ballot in the categories of personal information states businesses do not have to comply On June 25, 2020, California Secretary potentially subject to the CCPA with certain data requests if the data helps of State Alex Padilla certified that the “reasonable security” private right of “ensure security and integrity;” however, California Privacy Rights Act (CPRA) action under Section 1798.150(a); the final ballot measure still includes such qualified for and will appear on the • create a new California Privacy an exemption. EFF staff attorney Adam California fall ballot. The referendum, Protection Agency that would replace the Schwartz noted that ad tech firms could backed by California real estate attorney general’s office as the regulator use the exemption as an excuse to hoard developer Alastair Mactaggart and implementing CPRA rules and enforcing its data in the name of preventing click fraud. consumer advocacy group Californians requirements against violators; “On the whole, I think the initiative is a for Consumer Privacy, would amend the • expand the private right of action for mixed bag with some steps forward, steps CCPA and establish a new California consumers to cover breach of an email backward, some missed opportunities, and Privacy Protection Agency to replace the address in combination with a password half steps,” Schwartz told Protocol. California attorney general’s office as the and security question and answer main privacy rights regulator. Both privacy permitting access to the email account. advocates and business experts expressed In a statement following the — Sarah Wiley concerns about the initiative. qualification announcement, Mactaggart Silha Research Assistant If passed, the CPRA would go into emphasized that “[d]uring these times of effect on Jan. 1, 2023. According to the unprecedented uncertainty, we need to International Association of Privacy ensure that the laws keep pace with the Professionals the initiative would: ever-changing ways corporations and other

The Silha Bulletin is available online at the University of Minnesota Digital Conservancy.

Go to: http://conservancy.umn.edu/discover?query=Silha+Bulletin to search past issues

25 CJEU Strikes Down EU-U.S. Privacy Shield, Confirms Validity of Standard Contractual Clauses n July 16, 2020, the Court specific rules on automated decisions; her opening argument and explained of Justice of the European the general right of data subjects the relevant EU and U.S. laws and Union (CJEU), the to object to the processing of data authorities. Additionally, several European Union’s (EU) top relating to them; the specific right of experts provided testimony, including court, released its ruling in any data subject to be informed and to Peter Swire, a Georgia Institute of OSchrems II, in which it struck down the object to use of personal data without Technology Scheller College of Business EU-U.S. Privacy Shield (Privacy Shield), justification; and the lack of assurance professor, who served as an expert the framework adopted in 2016 to govern that mass, indiscriminate collection of witness on behalf of Facebook. In a trans-Atlantic personal data would not take place. Sept. 11, 2017 commentary for Lawfare, data flow. Case Following Schrems I, Facebook Swire summarized his testimony into PRIVACY C-311/18, Data switched to using SCCs with the belief four findings. First, Swire provided a Protection that they would provide adequate “detailed explanation documenting Commissioner v. Facebook privacy protections for its users. On systemic protections under U.S. law Ireland Limited (Schrems II), Dec. 1, 2015, Max Schrems, an Austrian for foreign intelligence surveillance.” ECLI:EU:C:2020:559 (July 16, 2020). privacy advocate, filed a renewed Second, Swire documented “how the However, the Court also confirmed the complaint to the Data Protection U.S. legal system provides numerous validity of standard contractual clauses Commissioner of Ireland (DPC), Helen ways for an individual to remedy (SCCs) — language widely adopted in Dixon, asking her to halt data transfers violations of privacy.” Third, Swire’s EU data transfer written agreements under SCCs. Schrems argued that such testimony included “original research” used by companies, including Facebook, clauses do not provide adequate legal into Foreign Intelligence Surveillance to transfer personal data — but required protection necessary to permit personal Court (FISC) oversight, with the general companies to ensure that third-party data transfers, including between conclusion that “the FISC provides far countries outside the EU meet EU Facebook Ireland and Facebook’s U.S. stronger oversight than many critics privacy standards and requirements. headquarters. Schrems contended that have alleged.” Finally, Swire contended Following the ruling, several observers U.S. surveillance law was not in line with that there are broader implications of an raised concerns with the invalidation the Schrems I ruling. “inadequacy finding” of SCCs inSchrems of the Privacy Shield and the increased Around the same time that Schrems II beyond cross-border data flows requirements related to SCCs, providing filed his complaint, the Irish High Court between Ireland and the United States, several recommendations to companies overturned Dixon’s earlier decision to including on the Privacy Shield. that handle EU data. not investigate Facebook Ireland in light In October 2017, Irish High Court Schrems II arose following the of Schrems’ original complaint. Dixon Justice Caroline Costello filed a 152-page European Court of Justice’s (ECJ) summarily launched an investigation, opinion in which she addressed whether October 2015 decision to invalidate which focused on two issues: whether SCCs violate applicable law and court the EU-U.S. Safe Harbor framework the United States provides adequate precedent in both the EU and the (Schrems I). Case C-362/14, Schrems legal protection to EU users whose data United States. Costello concluded v. Data Prot. Comm’r. (Schrems I), is transferred, and, if not, whether SCCs that neither three ECJ decisions 2015 E.C.R. I-650 (Oct. 6, 2015). On July used by Facebook provided the level of regarding SCCs in 2001, 2004, and 2010, 12, 2016, the European Commission protection that previously existed under nor the introduction of the Privacy officially adopted an amended version the Safe Harbor framework. Shield Ombudsperson mechanism, of the Privacy Shield to replace the Safe In May 2016, Dixon issued a Draft “eliminate[d] the wellfounded concerns Harbor framework. The Privacy Shield Decision, in which she explained her raised by the DPC in relation to the included several additional commitments preliminary opinion that Schrems’ adequacy of the protection afforded by U.S. government agencies concerning complaint was “well-founded.” Dixon to EU data subjects whose personal surveillance of individuals in the United wrote that U.S. law failed to adequately date is wrongfully interfered with by States. On Oct. 18, 2017, the European provide legal remedies to EU citizens. the intelligence services of the United Commission released a report on the The Decision further found that SCCs States once their personal data has been annual review of the Privacy Shield, could not fully address such concerns, transferred for processing to the United which concluded that the United making them invalid under EU law. States.” However, she also found that the States had “put in place the necessary However, Dixon concluded that she Irish High Court “lack[ed] jurisdiction structures and procedures to ensure the did not have the authority to declare to pronounce upon the validity of the correct functioning of the [Shield].” the SCCs invalid under EU law. SCC decisions.” As a result, Costello Following the adoption of the Privacy Furthermore, Dixon contended that she “refer[red] the issue of the validity of Shield, several critics contended that could not complete the investigation into the SCC decisions to the [CJEU] for a it did not depart significantly from the Facebook without a CJEU ruling that the preliminary ruling.” Safe Harbor framework. The Article clauses were, in fact, invalid. On July 9, 2019, the CJEU heard 29 Working Party, which provided the The proceedings in the Irish High arguments in the case after the Supreme European Commission with independent Court, which has jurisdiction in criminal Court of Ireland previously rejected an advice on data protection matters, had and civil cases, began in February 2017. attempt by Facebook to block the EU several concerns, including a lack of During this period, Dixon provided court from hearing the case. (For more 26 information on Schrems I and II, as well of the ‘privacy shield’ decision to Article The Court provided several reasons as the Privacy Shield, see “The United 45(1) of the GDPR” and EU law more why this was the case, including States, the European Union, and the generally. that U.S. law lacks “effective legal Irish High Court Wrangle Data Privacy Øe’s full opinion is available on- remedies for data subjects,” as well as a Concerns” in the Fall 2017 issue of the line at: http://curia.europa.eu/juris/ “principle of proportionality” to ensure Silha Bulletin.) document/document.jsf?text=&do- that data collection and use by the On Dec. 19, 2019, Advocate General cid=221826&pageIndex=0&do- federal government only occurs when Saugmandsgaard Øe issued his opinion clang=EN&mode=req&dir=&occ=- “necessary” to meet legitimate interests in Schrems II, finding that SCCs were first&part=1&cid=49246. or “to protect the rights and freedoms of valid. He first reasoned that “EU law On July 16, 2020, the CJEU released others.” applies to transfers of personal data to its decision in Schrems II, which The Court also cited U.S. government a third country where those transfers largely followed Øe’s opinion. The surveillance, including Section 702 of form part of a commercial activity, Court first ruled that SCCs remained a the Foreign Intelligence Surveillance even though the transferred data might Act (FISA) undergo processing, by the public Amendments Act authorities of that third country, for the “Data flows are essential not just to tech (FAA), which purposes of national security.” companies — but to businesses of all authorized Second, Øe found that SCCs “adopted sizes in every sector.” the PRISM by the [European] Commission provide and Upstream a general mechanism applicable to — U.S. Secretary of Commerce Wilbur Ross programs by transfers irrespective of the third the National country of destination and the level Security Agency of protection guaranteed there.” Øe valid method of transferring personal (NSA). The Court held that “[i]n those emphasized that the “appropriate data outside the EU, but emphasized circumstances, the limitations on the safeguards afforded by the exporter, certain requirements for companies and protection of personal data arising from inter alia by contractual means, must organizations using such mechanisms. the domestic law of the United States themselves ensure th[e] level of The Court wrote that a data “controller on the access and use by US public protection” required under the EU’s or processor may transfer personal authorities of such data transferred General Data Protection Regulation data to a third country only if the from the European Union to the United (GDPR), a set of rules governing how controller or processor has provided States . . . are not circumscribed in a businesses handle European Union (EU) ‘appropriate safeguards’, and on way that satisfies requirements that citizens’ personal data, which took effect condition that ‘enforceable data subject are essentially equivalent to those on May 25, 2018. rights and effective legal remedies for required . . . under EU law.” Third, Øe wrote that “there is an data subjects’ are available.” The Court The Court further found that the obligation” placed on those handling EU concluded that “such safeguards [are] “introduction of a Privacy Shield citizens’ data “to suspend or prohibit able to be provided by the standard Ombudsperson cannot remedy the a transfer when, because of a conflict [contract] clauses adopted by the deficiencies which the Commission itself between the obligations arising under Commission.” found in connection with the judicial the standard clauses and those imposed The Court further found that SCCs protection of persons whose personal by the law of the third country of “provide[] . . . an “effective mechanism[]” data is transferred to that third country.” destination, those clauses cannot be that can, and must, ensure “compliance The Court therefore ruled that the complied with.” with the level of protection required by Privacy Shield was incompatible with the Fourth, Øe determined that it was EU law.” One way such clauses needed GDPR and declared it “invalid.” The full not necessary to examine the validity to do so, according to the CJEU, is ruling is available online at: http://curia. of the Privacy Shield, including allowing for a “competent [EU member europa.eu/juris/document/document. because “although the Court’s answers state supervisory authority (SA)] . . . to jsf?text=&docid=228677&pageIndex- to . . . questions [regarding the Privacy suspend or prohibit a transfer of data =0&doclang=EN&mode=req&dir=&oc- Shield] might, at a later stage, prove to a third country pursuant to standard c=first&part=1&cid=11629969. helpful to the DPC for the purposes data protection clauses adopted by the In a July 16, 2020 statement, U.S. of determining, in the context of the Commission, if . . . those clauses are not Secretary of Commerce Wilbur Ross said procedure underlying the dispute, or cannot be complied with in that third that the U.S. Department of Commerce whether the transfers in question country and the protection of the data was “deeply disappointed that the should . . . be suspended because of transferred . . . cannot be ensured by court appears to have invalidated the the alleged absence of appropriate other means.” European Commission’s adequacy safeguards, it would, in my view, be Second, the CJEU turned to whether decision underlying the EU-U.S. Privacy premature to resolve them in the context the United States “ensures an adequate Shield.” He continued, “We have been of the present case.” level of protection” to make the Privacy and will remain in close contact with the Nevertheless, Øe wrote that he Shield an effective and legal mechanism European Commission and European found “it appropriate to develop, in the to protect EU citizens’ data privacy. The Data Protection Board on this matter alternative and with certain reservations, Court concluded that the U.S. law and and hope to be able to limit the negative some non-exhaustive observations on authorities did not adequately protect consequences to the $7.1 trillion that subject.” He ultimately wrote that he EU citizens’ data to the extent required transatlantic economic relationship that had “certain doubts as to the conformity by EU law, including under the GDPR. Privacy Shield, continued on page 28 27 Privacy Shield, continued from page 27 to be expected that a new mechanism personal data at all — and if they do is so vital to our respective citizens, will be created in the wake of the not, these issues disappear. However, companies, and governments.” Privacy Shield,” companies “[i]n the if personal data is being transferred, a Ross added, “Data flows are essential meantime . . . should review transfers careful analysis should be performed not just to tech companies — but of personal data from the EU to the to determine if the transfer is actually to businesses of all sizes in every U.S. and make sure they are protected necessary, and if not, minimize the scope sector. As our economies continue by the Standard Contractual Clauses, of the transfers. Finally, if personal data their post-COVID-19 recovery, it is which remain valid legal mechanisms to transfers are at issue, then affected critical that companies — including comply with the GDPR. Valid transfers of U.S. businesses need to confer with the 5,300+ current Privacy Shield personal data are only one step toward their EU controllers to determine what participants — be able to transfer data compliance with the GDPR, however. measures can be taken to satisfy both without interruption, consistent with the Full compliance with the GDPR requires the controllers and their specific data strong protections offered by Privacy a fact-intensive review of all aspects processing agreements [(DPA’s)].” Dort Shield.” Ross’s statement is available of business operations, and should concluded, “Depending on the stridency online at: https://www.commerce. be undertaken with the assistance of the DPA, some transfers to the U.S. gov/news/press-releases/2020/07/ of experienced counsel.” The Nixon may have to cease.” us-secretary-commerce-wilbur-ross- Peabody LLP commentary is available In a commentary following the CJEU statement-schrems-ii-ruling-and online at: https://www.nixonpeabody. ruling, four Jones Day partners laid A Department of Commerce press com/ideas/articles/2020/07/17/eu-privacy- out “three key takeaways,” including release containing Ross’ statement noted shield-ruling that “[c]ompanies that until now have that the department would “continue to In a July 27, 2020 interview with relied on the EU-U.S. Privacy Shield administer the Privacy Shield program, The National Law Review, Kenneth K. for data transfers from the European including processing submissions for Dort, a partner at Faegre Drinker Biddle Union to the United States should self-certification and re-certification & Reath LLP, laid out the two “main implement alternative safeguards (e.g., to the Privacy Shield Frameworks and compliance concerns” arising from SCCs, Binding Corporate Rules within maintaining the Privacy Shield List.” It the invalidating of the Privacy Shield. their group).” Second, the commentary added, “Today’s decision does not relieve “First, for those businesses relying on cautioned that “[a]lthough companies participating organizations of their the Privacy Shield for data transfers can continue to use [SCCs] as a Privacy Shield obligations.” from the EU to the US, they now lack safeguard for transferring personal data Similarly, the Federal Trade the protective devices mandated by to processors outside the EU/EEA, they Commission (FTC) released a the GDPR. Because the decision did will have to follow the level of data statement in which it clarified that it not provide for any grace period, they protection provided in the third country “continue[d] to expect companies to must adopt replacement measures and, where conflicts with the provisions comply with their ongoing obligations immediately,” Dort said. “Second, of the Clauses arise, to suspend data with respect to transfers made under for those businesses relying on EU exports. Monitoring the relevant aspects the Privacy Shield Framework. We Standard Contractual Clauses (SCCs), of the legal system of the third countries also encourage companies to continue the decision called into question their concerned should therefore be integrated to follow robust privacy principles, viability in light of questions over their into corporate compliance programs.” such as those underlying the Privacy ability to protect EU personal data Finally, the commentary noted that Shield Framework, and to review their against national security inquiries by the EU Commission was already working privacy policies to ensure they describe the U.S. federal government.” He added, on “instruments for international their privacy practices accurately, “Thus, the major consequences of the transfers of personal data, including including with regard to international decision for businesses transferring data by reviewing the existing SCCs.” The data transfers.” The FTC statement is into jurisdictions lacking an adequacy commentary therefore emphasized available online at: https://www.ftc.gov/ determination (such as the U.S.) will that “[t]he further development of new tips-advice/business-center/privacy-and- be to implement recognized protocols safeguards as announced by the EU security/privacy-shield that address the national security issues Commission should be closely followed.” Nevertheless, several observers raised in the decision and which also The Jones Day commentary is available raised concerns with the CJEU’s ruling satisfy EU data protection authorities.” online at: https://www.jonesday.com/en/ and provided recommendations to Dort also noted that the CJEU insights/2020/07/schrems-ii-confirms- companies for how to proceed with ruling required “additional safeguards” validity. transferring data between the EU and related to SCCs, which “ may put U.S. businesses in a difficult position United States. — Scott Memmel between their EU clients (the data In a July 17, 2020 commentary, Nixon Postdoctoral Associate Peabody LLP attorneys contended that transferors) and their legal obligations the CJEU’s ruling “creates uncertainty under U.S. national security law.” He for any business relying on the Privacy continued, “First, companies should Shield.” They argued that although “it is carefully determine whether they handle

28 Clearview AI Raises Privacy Concerns, Pursues First Amendment Defense n January 2020, The New York nearly 500,000 searches of Clearview’s the data unless it obtains consent, it Times published an article faceprint database. is required to complete an authorized detailing the practices of Shortly after The New York Times financial transaction, it is required by Clearview AI (“Clearview”), a article appeared, several lawsuits state or local law, or it is required by technology company that created were filed in federal and state courts warrant or subpoena. Ia groundbreaking facial recognition app in California, Illinois, New York, and In Mutnick v. Clearview AI, Inc., in which a user can upload a picture Virginia. On March 20, 2020, Vermont plaintiffs alleged that Clearview of an individual and obtain a trove of Attorney General Thomas J. Donovan covertly scraped individuals’ images “public photos also filed a lawsuit against Clearview from the internet and then used of that person, for violations of the Vermont Consumer artificial intelligence algorithms to PRIVACY along with links Protection Act. The complaint also unlawfully scan and retain the facial to where those alleges that Clearview AI violated geometry of each individual depicted photos appeared.” Several lawsuits Vermont’s data broker law by in the images in violation of the notice, and class actions have been filed in fraudulently acquiring data through its consent, and retention requirements response, alleging that Clearview’s use of data-scraping. under the BIPA. Plaintiffs also allege practices violate individuals’ privacy. In Illinois, several cases, including that the data-scraping practices of Some of the lawsuits, including Mutnick v. Clearview AI, Inc. and Clearview were “in violation of the one brought by the American Civil ACLU et al., v. Clearview AI, Inc., contractual terms governing its use of Liberties Union (ACLU) and other allege violations arising under BIPA, the websites from which the images privacy advocacy groups, allege that which limits how companies can collect originated,” therefore, plaintiffs argue, Clearview’s practices violate the and use biometric data. Mutnick v. that “Clearview impaired the rights of Illinois Biometric Privacy Act (BIPA). Clearview AI, Inc., No. 1:20-cv-00512 Plaintiff and Class Members, who were In response, Clearview has argued that (N.D. Ill. Jan. 22, 2020); American contractual parties and/or third-party its data-scraping and sharing practices Civil Liberties Union v. Clearview AI, beneficiaries of those contracts.” are protected by the First Amendment. Inc., No. 9337839 (Ill. Cir. Ct. May 28, On August 12, Judge Sharon Johnson Although the lawsuits have yet to be 2020). A copy of the Mutnick plaintiff's Coleman of the U.S. District Court for heard on their merits, they highlight complaint is available online at: https:// the Northern District of Illinois denied growing concerns over data-scraping cdn.arstechnica.net/wp-content/ Clearview’s motion to dismiss for lack of and facial recognition technology and uploads/2020/03/clearview_illinois_suit. jurisdiction or alternatively to transfer the potential conflict between privacy pdf. A copy of the ACLU's complaint is the case to the Southern District of New and legitimate information gathering. available online at: https://www.aclu. York, where Clearview is based. Judge Clearview’s app relies on a massive org/legal-document/aclu-v-clearview-ai- Coleman highlighted that Clearview had database of “more than three billion complaint. Passed in 2008, the BIPA is entered hundreds of agreements with images” that Clearview claimed to considered the most comprehensive U.S. local law enforcement and government have scraped from public-facing law regarding biometric information. agencies, including police departments websites such as Facebook, YouTube, The BIPA defines a “biometric in Chicago, to provide them access to its Venmo, and millions of other websites. identifier” to include “a retina or iris facial recognition database. “Through Data-scraping — sometimes referred scan, fingerprint, or scan of hand or these agreements, defendants have sold, to as text and data mining — means face geometry.” However, the law also disclosed, obtained and profited from the extracting information from a website specifically excludes photographs from biometric identifiers of Illinois citizens,” or computer database, and is often its definition of biometric identifiers. Judge Coleman wrote. Judge Coleman done using automated software. The BIPA also defines “biometric also asserted that the company’s Clearview claimed that, through information” as “any information, contacts in Illinois were not “random, this enormous database, its app can regardless of how it is captured, fortuitous or attenuated,” and there is instantaneously identify the subject converted, stored, or shared, based on no legal requirement that a company of a photograph with unprecedented an individual’s biometric identifier used exclusively target state residents or accuracy. According to court documents to identify an individual.” Among other customers to satisfy jurisdictional and news reports, Clearview’s users measures, the BIPA prohibits companies requirements. A copy of Coleman's include private individuals, companies from collecting or using biometric decision is available online at: https:// such as Kohl’s, Walmart, Wells Fargo, information unless they (1) inform the files.lbr.cloud/public/2020-08/1300000- and the Chicago Cubs, as well as subject about the data’s collection, (2) 1300810-https-ecf-ilnd-uscourts-gov- law enforcement agencies and other inform the subject in writing about the doc1-067124516552.pdf?dJm2aRIJTfP- governmental entities throughout the purpose and length of the data collection JQQRuCRZVD0LwIfrGCIAN. United States at the federal, state, and and use, and (3) receive a written release In a separate order on August local levels. According to a Buzzfeed by the subject authorizing the collection 12, Judge Coleman granted plaintiff News investigation, by February 2020, and use of the data. Furthermore, the Mutnick’s request to consolidate the people associated with 2,228 companies, BIPA states that companies possessing related cases of Hall v. Clearview AI, law enforcement agencies, and other biometric information cannot “disclose, Inc., and Marron v. Clearview AI, Inc. institutions had collectively performed redisclose, or otherwise disseminate” Clearview, continued on page 30 29 Clearview, continued from page 29 and disseminate information. (Abrams opposite — extremely personal and delivered the 2005 Silha Lecture, titled private information being used by the Judge Coleman granted the Mutnick “Confidential Sources of Journalists: government (through Clearview AI) to plaintiffs leave to file a consolidated Protection or Prohibition,” on Oct. 24, track, police, and control the populace,” complaint by no later than Aug. 31, 2020 2005. For more on the lecture, see “2005 wrote Kaminski and Skinner-Thompson. and stated that Defendant Clearview’s Silha Lecture Features First Amendment “[P]rivacy isn’t always the enemy of the answer is due on Sept. 14, 2020. Hall v. Attorney Floyd Abrams” in the Fall 2005 First Amendment, as companies eager Clearview AI, Inc., No. 1:20-cv-00846 issue of the Silha Bulletin.) for a deregulatory approach to their (N.D. Ill. Feb. 5, 2020); Marron v. Clearview is also represented by privacy-infringing activities would have Clearview AI, Inc., No. 1:20-cv-02989 Tor Ekeland, an attorney known for you believe.” (N.D. Ill. May 20, 2020). Marron v. representing hackers against charges of On August 16, Clearview challenged Clearview AI, Inc., No. 1:20-cv-02989 violating the Computer Fraud and Abuse a motion for a preliminary injunction (N.D. Ill. May 20, 2020). Act (CFAA). On May 28, Ekeland told in Mutnick, arguing that an injunction On May 28, 2020, the ACLU, Chicago requiring the Alliance Against Sexual Exploitation, “[P]rivacy isn't always the enemy of the company to stop the Sex Workers Outreach Project, the collecting and Illinois State Public Interest Research First Amendment, as companies eager selling biometric Group, and Mujeres Latinas en Acción for a deregulatory approach to their data is “flatly at sued Clearview in Illinois state court privacy-infringing activities would have odds with the First claiming that the company had violated Amendment.” the biometric privacy rights of their you believe.” In making the members, program participants, and argument, other Illinois residents on a “staggering — University of Colorado Law School professors Clearview scale.” The complaint argues that Margot E. Kaminski and Scott Skinner-Thompson highlighted the U.S. vulnerable communities — including Supreme Court’s sex workers, sexual assault survivors, 2011 decision in and undocumented immigrants — are Law360 that the lawsuit brought by the Sorrell v. IMS Health Inc., which struck especially harmed by facial recognition ACLU is an “opportunistic attempt” to down a Vermont law that prevented surveillance and alleges that Clearview’s censor a search engine that uses only pharmacies from selling prescription data-scraping practices captured publicly available images accessible records. Sorrell v. IMS Health Inc., faceprints from images without consent on the internet. “It is absurd that the 131 S. Ct. 2653 (2011). Vermont had in violation of the BIPA. “In capturing ACLU wants to censor which search passed the law in order to protect the these billions of faceprints and engines people can use to access public privacy of doctors (patients’ information continuing to store them in a massive information on the internet,” Ekeland was already anonymized), however database, Clearview has failed, and said. “The First Amendment forbids the Court ruled that the law violated continues to fail, to take the basic steps this.” Ekeland's comments are available the First Amendment. “The creation necessary to ensure that its conduct is online at: https://www.law360.com/ and dissemination of information are lawful, including by obtaining the prior articles/1277681/advocacy-orgs-say- speech within the meaning of the First written consent of the individuals’ who clearview-ai-broke-biometric-privacy- Amendment,” Justice Anthony Kennedy appear in the photos; informing those law. wrote in Sorrell. individuals of when their biometric data However, other legal experts have (For more information about Sorrell, will be deleted; or even telling them to pushed back against the argument that see “U.S. Supreme Court Invalidates whom Clearview will be disclosing or Clearview’s practices are constitutionally Vermont Prescription Confidentiality selling their faceprints,” the complaint protected. Albert Fox Cahn, attorney Law” in the Summer 2011 issue of the states. and executive director of the nonprofit Silha Bulletin.) In response to the allegations, Surveillance Technology Oversight In its challenge to the preliminary Clearview has argued that its Project, told Law360 that “[n]o court has injunction, Clearview also argued that its practices — collecting and disseminating found there to a be a First Amendment data-scraping code “matches information public information — are protected right to harvest the public’s biometric on the public internet to a specific user under the First Amendment. On August data to create a surveillance product.” search query by running algorithms 11, The New York Times reported that In a March 9 essay for Slate, on public data.” “Computer language Clearview had retained prominent First University of Colorado Law School is the language of the Internet, and it Amendment attorney Floyd Abrams. professors Margot E. Kaminski and is protected by the First Amendment,” Litigation against Clearview “has the Scott Skinner-Thompson asserted Clearview wrote. As of August 2020, potential of leading to a major decision that courts will probably consider Judge Coleman had yet to rule on the about the interrelationship between whether the information collected preliminary injunction. privacy claims and First Amendment and disseminated concerns matters of defenses in the 21st century,” Abrams the public interest. “The information — Sarah Wiley told the Times. Abrams went on to Clearview AI is gathering — biometric Silha Research Assistant explain that, in his view, although data of our faces from personal profiles the technology used by Clearview is on Facebook, LinkedIn, Twitter, and novel the underlying premise of the YouTube — usually isn’t a ‘matter cases is a company’s right to create of public interest.’ It’s the exact 30 Twitter Hack Included Data Breach of User Accounts n July 15, 2020, hackers further spreading their scam as well as disappointed, and more than anything, breached Twitter’s internal to prevent them from being able to take we’re sorry. We know that we must work systems and compromised control of any additional accounts while to regain your trust, and we will support 130 user accounts, in some we were investigating. We also locked all efforts to bring the perpetrators to instances posting rogue accounts where a password had been justice. We hope that our openness and Otweets and downloading user data recently changed out of an abundance transparency throughout this process, from the accounts. Dozens of high- of caution,” Twitter said. Most accounts and the steps and work we will take to profile users were targeted, including were restored to full functionality by the safeguard against other attacks in the presidential following day. future, will be the start of making this nominee and The company further said that it right,” Twitter said. PRIVACY former Vice was investigating the incident, working That hackers exploited Twitter’s President Joe with police, and evaluating how it could internal operations was not a surprise Biden, Bill Gates, and Elon Musk. The improve system security. Part of the to some observers. On July 27, 2020, rogue tweets posted to some users’ investigation included determining Bloomberg reported that Twitter had accounts promised readers they could precisely what information the hackers “struggled for years to police the double an investment or contribution, were able to view. Twitter said that growing number of employees and but were in fact a financial scam. for the compromised accounts, the contractors who have the ability to The incident began to emerge publicly hackers (1) could not access previous reset users’ accounts and override their around 4 p.m. Eastern when numerous passwords; (2) could see email security settings.” Chief Executive prominent Twitter accounts tweeted addresses, phone numbers, and other Officer Jack Dorsey and the company’s a similar message offering to double personal information; (3) accessed 36 board of directors had received multiple people’s money. “I am giving back to users’ direct messages, including one warnings in recent years about the the community,” one tweet read on Joe elected official from the Netherlands; issue, according to Bloomberg, citing Biden’s account. “All Bitcoin sent to the and (4) “may have been able to view former Twitter employees. Specifically, address below will be sent back doubled! additional information” in accounts that Bloomberg reported that “Twitter’s If you send $1,000, I will send back were taken over by the hackers. oversight over the 1,500 workers who $2,000. Only doing this for 30 minutes.” In a July 30 update to the blog reset accounts, review user breaches On its company blog, Twitter said it post, the company described how and respond to potential content believed the hackers were able access it believed the attack unfolded. “A violations for the service’s 186 million the accounts by “target[ing] certain successful attack required the attackers daily users have been a source of Twitter employees through a social to obtain access to both our internal recurring concern.” Twitter workers’ engineering scheme,” which entails network as well as specific employee access to user data is mostly limited “the intentional manipulation of people credentials that granted them access to information like email addresses, into performing certain actions and to our internal support tools. Not all phone numbers, and internet protocol divulging confidential information.” The of the employees that were initially addresses, but it can be enough blog post continued: “The attackers targeted had permissions to use account information “to snoop on or even hack successfully manipulated a small number management tools, but the attackers an account.” Bloomberg reported that of employees and used their credentials used their credentials to access our within the last several years, oversight to access Twitter’s internal systems, internal systems and gain information of employees was so lax that “some including getting through our two-factor about our processes. This knowledge contractors made a kind of game out protections. As of now, we know that then enabled them to target additional of creating bogus help-desk inquiries they accessed tools only available to employees who did have access to our that allowed them to peek into celebrity our internal support teams to target account support tools,” Twitter said. The accounts, including Beyoncé’s, to track 130 Twitter accounts. For 45 of those post continued: “This attack relied on the stars’ personal data including their accounts, the attackers were able to a significant and concerted attempt to approximate locations gleaned from initiate a password reset, login to the mislead certain employees and exploit their devices’ IP addresses.” Twitter’s account, and send Tweets.. . . In addition, human vulnerabilities to gain access to security team at times “struggled to we believe they may have attempted to our internal systems. This was a striking keep track” of account spying because sell some of the usernames.” In seven of reminder of how important each person of the prevalence of the practice, the compromised accounts, the hackers on our team is in protecting our service. according to Bloomberg. “While some of also used the platform’s “Your Twitter We take that responsibility seriously the contractors were caught and fired, Data” feature and downloaded detailed and everyone at Twitter is committed to others started beating the formal logging account information and activity. “We keeping your information safe.” system by creating fraudulent tickets are reaching out directly to any account Twitter’s blog post ended by saying that claimed something was wrong owner where we know this to be true,” the company would work to improve with a user account, only to grab that Twitter said. security and bolster company-wide complaint themselves to resume their Among the actions that Twitter training to address social engineering escapade, according to the employees,” took in response to the breach was to attacks. “We’re acutely aware of our Bloomberg reported. restrict the ability of some accounts to responsibilities to the people who A Twitter spokesperson disagreed post tweets or change passwords. “We use our service and to society more with how the former employees did this to prevent the attackers from generally. We’re embarrassed, we’re Twitter, continued on page 32 31 Recent Minnesota Legal Disputes Involve Information Access and Defamation Liability wo notable disputes involving to a request from the Star Tribune president, said the newspaper was information access and and Hubbard Broadcasting seeking considering whether to appeal defamation liability were the names and other information. Quaintance’s denial of the additional resolved in the summer of Quaintance had kept the names sealed juror information. “We are surprised 2020 in Minnesota. In the because of concerns with how news that she would withhold basic juror Tfirst case, a judge granted a request from organizations would use the information, information that is routinely public the news media to unseal the names of the possibility that jurors might be in every other trial in the state of jurors in a high-profile murder trial from asked about their deliberations, and the Minnesota,” Dardarian told the Star 2019. In the second potential that jurors could be harassed. Tribune for the July 17, 2020, story. She case, a University Although Quaintance ordered release added: “Now is not the time for secrecy MINNESOTA of Minnesota law of the names on August 3, she declined in our criminal justice system,” she said.” professor prevailed to release additional information about On April 30, 2019, a jury convicted in a libel lawsuit against a former the jurors, such as where they live, Noor of third-degree murder and romantic partner and was awarded dates of birth, occupations, marital second-degree manslaughter in almost $1.2 million in damages. status, and education. The order also connection with the July 2017 shooting On July 17, 2020, the Minneapolis sought to require journalists to contact death of 40-year-old Justine Ruszczyk Star Tribune reported that Fourth jurors through their lawyers if they are Damond. Quaintance withheld juror Judicial District Court Judge Kathryn L. represented by one. Quaintance issued a names after the conviction multiple Quaintance ordered the release of names letter to jurors informing them that they times. She wrote in a May 2019 order of jurors in the 2019 trial of former may obtain free legal representation. that disclosure of the names would Minneapolis police officer Mohamed Suki Dardarian, the Star Tribune’s likely mean their publication and the Noor. The order came in response senior managing editor and vice possibility of “unwanted publicity

Twitter, continued from page 31 to find the hackers based on unspecified information, pose the biggest insider clues they left about their identities and threat to organization.” described the company’s policing of how they sought to hide the money they On July 16, 2020, HuffPost reported user account access to Bloomberg and collected through Bitcoin, according to that the incident raised questions about said the company had the ability to the Times. As of August 2020, Clark was the potential for hackers to disrupt “stay ahead of threats as they evolve.” facing 30 felony charges, including fraud. the November 2020 election by sowing The spokesperson also confirmed In an Aug. 11, 2020 blog post with disinformation. The outlet reported that Twitter has a staff of about 1,500 Infosecurity Magazine, cybersecurity that hackers could cause confusion or employees and contractors to handle expert Karen Bowen said the Twitter suppress voting by tweeting out false user accounts, but said “we have no hack illustrates the risk of allowing information through real accounts, such indication that the partners we work too much internal access to user data. as those belonging to governments and with on customer service and account Bowen asked: “[W]hy did so many the media. Nina Jankowicz, author of management played a part here.” employees have access to verified the book How To Lose The Information Workers are given only as much access accounts? Who had back-end access War and a disinformation fellow at the as they need to perform their job duties to the administrative tool? How could Woodrow Wilson International Center and participate in “extensive security anyone easily alter trusted accounts for Scholars in Washington, D.C., told training and managerial oversight,” the without any approval?” Bowen suggested HuffPost: “The biggest concern for me spokesperson told Bloomberg. that such broad access made Twitter isn’t necessarily that an account like On July 31, 2020, The New York Times and the security of user data vulnerable. [President Donald] Trump’s would be reported that three people were believed To improve security, she suggested hacked, it’s if people could gain access to be responsible for the Twitter hack. separating employee duties so that to really legitimate, non-partisan sources Prosecutors alleged that 17-year-old they require more than just one person. of information and post misleading Graham Ivan Clark of Tampa, Fla., was Another way to secure user data is to information on those accounts.” principally responsible for the breach limit authority for tasks; some actions, Investigative researcher Diara J. Townes and was assisted by 19-year-old Mason such as resetting passwords, do not of First Draft, a nonprofit seeking to John Sheppard of the United Kingdom necessarily require complete access combat misinformation, told HuffPost and 22-year-old Nima Fazeli of Orlando, to user data or full authorization in a that hacks about the election could Fla. Prosecutors alleged that Clark was system. “Employees, contractors, service undermine trust in the voting process. able to talk a Twitter employee into providers and other insiders are in an “It would be a question of how many believing that he was a co-worker who opportune position to compromise data,” people still believe voting by mail is safe, needed another employee’s security Bowen wrote. “Privileged users, such rather than how much bitcoin did the credentials to access the company’s as managers with access to sensitive scammers get,” Townes said. internal systems. Investigators were able — Jonathan Anderson Silha Bulletin Editor

32 and harassment,” a rationale that between Parisi and Wright. The two she “accused Parisi of crimes, sexual she continually cited in subsequent had met in September 2014 and soon impropriety or misconduct, and orders keeping the information sealed. made plans to jointly purchase a condo unprofessional behavior outside of her Quaintance also cited a pending appeal above Parisi’s unit. When Wright stopped false police report.” Defamation per se by Noor as another reason to prevent paying contractors and withdrew her “presumes reputational damages and disclosure of juror names. money for the project, Parisi attempted personal losses” and can be actionable On Oct. 28, 2019, Quaintance attended to evict her. She later sued Parisi for “without any proof of actual damages,” the 2019 Silha Lecture, in which attorney battery, claiming he attempted to run her the court wrote. Kelli L. Sager talked about the public’s down with his vehicle. After Wright lost In evaluating damages, the court right of access to judicial records and her civil suit and a subsequent appeal, found that Parisi was entitled to proceedings. During the Q&A session she alleged to police that Parisi raped $50,000 for the cost of hiring defense moderated by Silha Center Director her. The court found the timing of the counsel after his arrest on the false and Silha Professor of Media Ethics allegations suspect as they came shortly rape accusation; $130,000 to cover and Law Jane Kirtley, Quaintance said after Wright incurred legal setbacks. “diminished salary raises” that Parisi “jurors have a right to be anonymous.” In analyzing the defamation could have received as a professor; She further said that in her experience, allegations, the court first found that $87,500 for lost speaking and secondary jurors want protection and do not want Wright’s statements to police alleging teaching opportunities; $250,000 for lost the press intruding into their private that Parisi raped her were not protected consulting revenue; $67,164 for losing lives. “Those are very real, pragmatic by a qualified privilege because she the opportunity to serve as director concerns, and are about keeping the did not act in good faith. “Wright of a law and economics program; trials fair,” Quaintance said. (For more fabricated the many accusations she $279,850 for lost income that would information on the Silha Lecture and made against Parisi in retaliation for have come from serving on the board Quaintance’s comments and questions, a failed relationship and a real estate of directors of an Italian organization; see “34th Annual Silha Lecture Tackles venture gone awry. Good faith cannot $100,000 in general and emotional Public and Media Access to Court exist in this context,” the court wrote in damages for being jailed as a result of Proceedings and Records” in the Fall its ruling. “Although Wright professes the rape allegation, during which time 2019 issue of the Silha Bulletin. For to believe her own accusations, it his mother died; $25,000 in general more information about the news cannot be the case that one acts in good and emotional damages for the toll on media’s pursuit of the juror names, see faith by convincing oneself that false Parisi’s personal life; and $100,000 for “Minneapolis Star Tribune and Hubbard accusations regarding the experience of “general reputational damages.” The Broadcasting Seek Juror Names and a crime are true. Reckless disregard for court also awarded Parisi $100,000 in Information in Noor Trial” in the Winter/ the truth precludes good faith — Wright punitive damages and further awarded Spring 2020 issue of the Silha Bulletin.) acted in reckless disregard for the truth him recovery of his costs in pursuing the when she made a false police report lawsuit. University of Minnesota Law claiming Parisi raped her.” The court John Braun, Parisi’s attorney, told the Professor Wins Defamation Lawsuit further found that Wright did not meet Minneapolis Star Tribune that despite On May 18, 2020, Fourth Judicial other elements of qualified privilege, the financial award his client won, an District Court Judge Daniel C. Moreno namely that she lacked proper motive or internet search for his name “returns ruled in a defamation lawsuit brought reasonable or probable cause to make a mug shot and headlines about him by University of Minnesota Professor the rape allegations to police. “The being a rapist, and it will forever. So of Law Francesco Parisi. The lawsuit, Court has found that Wright’s report to part of the court’s message is that in the against Parisi’s former girlfriend, Morgan the police was based on her desire to 21st century this is a greater harm than Wright, was a bench trial awarding him retaliate against Parisi for their broken it might have been in the past, and an almost $1.2 million in damages, including relationship, the failed real estate deal, award needs to anticipate the long arc $100,000 in punitive damages. At issue in and her litigation losses,” the court of future harm still to be endured by its the suit were allegations by Wright that wrote. victim.” Parisi beat and raped her and attempted The court then found that Parisi had A copy of the court’s decision is to run her down with his vehicle, that he “demonstrated that Wright committed available online at: https://docs.google. raped his own daughter and underage many acts of defamation against him. com/viewerng/viewer?url=https:// girls, and that he was HIV positive. She caused false statements to be abovethelaw.com/uploads/2020/05/ Wright made these claims to police, published, and the record is replete with FINAL-Order-for-jdt-18-5381.pdf&hl=en_ the Minnesota Department of Health, Wright’s varying false allegations, made US. and to Parisi’s employer, the University to others, that tended to harm Parisi’s of Minnesota. The court found these reputation, and that were understood to — Jonathan Anderson statements false and defamatory. refer to Parisi.” Silha Bulletin Editor Underlying the defamatory statements The court also found that Wright was a real estate deal that went sour engaged in defamation per se because

33 FRONTLINE Counsel Dale Cohen to Deliver 35th Annual Silha Lecture, “Inconvenient Truths and Tiger Kings: The Vital Role of Documentaries Today” on Oct. 19, 2020 ocumentary films are ethical standards. Cohen is also Director open to the public, but preregistration everywhere. There is and founder of the UCLA Doc Film Legal is required. To preregister, go to an unlimited supply of Clinic. https://z.umn.edu/2020SilhaLecture. streaming shelf space, an In addition to the Clinic, Cohen The Silha Center for the Study of endless array of stories teaches News Media Law in the Digital Media Ethics and Law is based at the Dto be told, and dwindling resources at Age at UCLA. His other teaching Hubbard School of Journalism and traditional media outlets to tell them. experience includes media law courses Mass Communication at the University As the George Floyd killing at University of North Carolina’s School of Minnesota. Silha Center activities, demonstrates, of Law, Emory College, the Philip Merrill including the annual Silha Lecture, are SILHA CENTER the power of College of Journalism at the University made possible by a generous endowment EVENTS video to convey of Maryland, and the Medill School of from the late Otto and Helen Silha. For news and other Journalism at Northwestern University. further information, please contact the messages is unmatched. Yet, the law A frequent speaker at documentary film Silha Center at 612-625-3421 or silha@ and our institutions do not always treat festivals and media law conferences, umn.edu, or visit https://hsjmc.umn.edu/ documentaries the same as other news Cohen is also the co-author of the research-centers/centers/silha-center- media. textbook, Media and the Law (2d ed., study-media-ethics-and-law. The 2020 Silha Lecture, “Inconvenient LexisNexis). A graduate of Syracuse The University of Minnesota Truths and Tiger Kings: The Vital Role of University with degrees in American is an equal-opportunity educator Documentaries Today,” will explore the Political Thought and Journalism, and employer. To request disability unique legal and ethical issues relating Cohen’s J.D. is from the Northwestern accommodations, please contact to documentaries. Where have we been University Pritzker School of Law. Disability Services at 612-626-1333 or and where is the law headed as everyone The 35th Annual Silha Lecture is [email protected] at least two weeks before carries a sophisticated video camera and sponsored by the Silha Center for the the event. partisan advocacy grows? Study of Media Ethics and Law. Due This year’s Silha Lecturer is Dale to the coronavirus pandemic, it will Cohen, Special Counsel to FRONTLINE, take place virtually on Monday, Oct. 19, — Elaine Hargrove the award-winning PBS documentary 2020 as a synchronous Zoom webinar, Silha Center Staff series. He advises and leads the news starting at 7:30 pm Central Time (US team and producers on legal issues and and Canada). This event is free and

The Silha Bulletin is a publication of the Silha Center for the Study of Media Ethics and Law. It is published three times a year: late fall, late spring, and late summer. It is available online at: https://hsjmc.umn.edu/research-centers/centers/silha-center/silha-center-bulletin and the University of Minnesota Digital Conservancy at: http://conservancy.umn.edu/discover?query=Silha+Bulletin.

If you would like to be notified when a new issue of the SilhaBulletin has been published online, or receive an electronic copy of the Bulletin, please email us at [email protected]. Please include “Silha Bulletin” in the subject line. You may also call the Silha Center at (612) 625-3421.

34 Inconvenient Truths and Tiger Kings: The Vital Role of Documentaries Today DALE COHEN, SPECIAL COUNSEL TO PBS’s ‘FRONTLINE’

ocumentary films are everywhere. We will explore the unique legal and There’s an unlimited supply of ethical issues relating to documentaries. Dstreaming shelf space, an endless Where have we been and where is the law array of stories to be told, and dwindling headed as everyone carries a sophisticated resources at traditional video camera and partisan advocacy 35th media outlets to tell grows? annual them. This year’s Silha Lecturer is Dale silha The George Floyd Cohen, Special Counsel to Frontline, the lecture killing demonstrates the award-winning PBS documentary series, unmatched power of video where he advises and leads the news team > MONDAY, OCT. 19, 2020 to convey news and other and producers on legal issues and ethical > 7:30PM CDT messages. Yet, the law and our institutions standards. He is also Director and founder > REMOTE PRESENTATION don’t always treat documentaries the same of the UCLA Doc Film Legal Clinic and an > FREE & OPEN TO THE PUBLIC, BUT ADVANCE as other news media. adjunct professor of law. REGISTRATION IS REQUIRED > TO REGISTER, VISIT The University of Minnesota is an equal opportunity educator and employer. To https://z.UMN. request disability accommodations, please contact Disability Services at 612- 626-133 or [email protected] at least two weeks before the event. edu/2020SilhaLecture

SILHA CENTER FOR THE STUDY OF MEDIA ETHICS AND LAW Hubbard School of Journalism and Mass Communication University of Minnesota 111 Murphy Hall 206 Church Street SE Minneapolis, MN 55455 [email protected] www.silha.umn.edu (612) 625-3421