Welcome back for another week of What's Next, where we report on the intersection of law and technology. This week, we survey the next Fourth Amendment battlegrounds in light of a groundbreaking district court decision over constitutional rights at the border. Plus, two data hostage negotiators share their best practices for talking it out with bad actors. And we geek out over Google v. Oracle. Let's chat: Email me at [email protected] and follow me on Twitter at @a_lancaster.


ICE and CBP Searches Violate Fourth Amendment, Judge Rules

For the first time, a federal judge has collapsed the distinction between manual and forensic searches by U.S. Immigration and Customs Enforcement and U.S. Customs and Border Protection agents.

U.S. District Judge Denise Casper of the District of Massachusetts ruled that law enforcement officers need reasonable suspicion to conduct low- and high-tech searches of border crossers, a standard that had been reserved in past rulings for forensic searches, which have been described as "essentially a computer strip search" by the U.S. Court of Appeals for the Ninth Circuit in United States v. Cotterman. However, ICE and CBP policies do not require any reasonable suspicion for manual searches that don't include the large-scale scanning of device data with software or other tools.

Casper ruled that "the CBP and ICE policies for 'basic' and 'advanced' searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices; and that the non-cursory searches and/or seizures of Plaintiffs' electronic devices, without such reasonable suspicion, violated the Fourth Amendment."

The case against former Homeland Security Secretary Kirstjen Nielsen and the heads of ICE and CBP centers on 11 plaintiffs including an editor, NASA engineer and a former U.S. Air Force captain who had been searched at the nation's borders. The lawsuit drew amicus support from the Brennan Center for Justice, Center for Democracy and Technology, Constitutional Accountability Center Knight First Amendment Institute at Columbia University, Reporters Committee for Freedom of the Press and R Street Institute.

Sophia Cope, senior staff attorney at the Electronic Frontier Foundation (EFF) and plaintiffs' counsel in the case, said though they had argued that both types of searches should require a warrant, she viewed the opinion as the next best thing. "The fact she raised the standard for manual searches is hugely important, because the vast majority of border device searches are manual searches. So there hasn't been any real limitation on border agents at all."

A final order on the case has yet to be entered, and the agencies' lawyers—Annapurna Balakrishna of the Department of Justice's Civil Division; Marsha Edney of the DOJ's Federal Programs Branch and DOJ attorney Michael Drezner—have until mid-January to appeal Casper's decision.

Cope said another potential Fourth Amendment battleground could be expanding the Supreme Court's ruling in Carpenter v. United States, which applies to cell-site data, to apply to officials' tracking of border crossers. The EFF has submitted FOIA requests on ICE and CBP's use of GPS tracking devices on migrants, Cope said. "We want to know what policies are regulating the use of GPS tracking at the border and what legal authority do they think they're operating under if they're disregarding Carpenter," she said.

Covington & Burling's Jadzia Pierce, who helped write the Center for Democracy and Technology's amicus brief said she's also watching how Carpenter could be interpreted in other contexts. Although the justices noted that the opinion narrowly applies to only seven day's worth of cell-site data, "the court clearly considered whether individuals deserved a reasonable expectation of privacy in their movements overtime" in its rationale, Pierce said.

Technologies such as facial recognition could also result in surveillance overtime in a way that people would not reasonably expect, she said.

"One thing we're going to have to do going forward is to decide how to strike that right balance between wanting to use technology in furtherance of public safety while also preserving the rights that we as Americans have enjoyed since the beginning and the rights we were meant to enjoy since the founding of our country," she said.


Taken: Data Hostage Negotiators

Robert Shimberg and Melina Garcia of Hill Ward Henderson in Tampa, Florida have a very particular set of skills. Skills they have acquired over a very long career. Skills that make them a nightmare for people who are asking for ransom in exchange for stolen data.

Unlike Liam Neeson's character in "Taken," who sharpened his technique through sheer audacity, Shimberg and Garcia honed their skills through years spent appearing at court hearings and attending conferences. Still, they are the ones who step up when bad actors are holding client's data hostage.

The lawyers have carved this niche out of their Gulf Coast market from simple client demand. Here's how the attorneys talk their way through better deals when their client's' data is on the line.

➤➤Is it difficult to set up a line of communication with ransomware attackers? Melina Garcia: Time is of the essence in these situations. There is a back-and-forth communication channel typically through a foreign email domain. There's a fine line to walk in these negotiations, just like any negotiation. In data or something else, we both have something we're trying to get out of it. If you make the business decision that it's worth it to them to engage in these negotiations, they have to understand that there's risks to it. The biggest one being the possibility that you can make a payment and not recover the data.

➤➤Do you have any strategies for preventing that scenario? MG: One thing we find useful in negotiations with the hacker that could further the chance of eventually being able to recover the data is eventually asking the hackers to decrypt one of the files that was encrypted with the malware the hacker used to prove that they have the tools to do it. By giving the hacker a sample set and the hacker providing you with an unencrypted clean file, it gives some assurance the hacker is able to do it and good on their word.

➤➤Even if you do get back the files does your job end there? Could the hacker still have access? MG: Part of the first steps in our assessment when we're called into a ransomware attack is advising a third-party IT professional comes in and assess the situation. That's vital to find out what was hacked, what could be recovered, is there any backup data that could be recoverable? And that IT professional also scrub the files after they're decrypted to ensure there's no remaining malware.

➤➤Are there any mistakes you see made over and over again in these situations? Robert Shimberg: In our opinion, one of the biggest things is to not get too caught up in the whole negotiations with the hacker. Certainly, that might be something you want to consider and that might be successful. But at the same time, you want to assess all of your other options to restore your data. The biggest issue that people could fall into is excluding other directions, whether that's through your internal IT department or external IT sources.

➤➤When you say time is of the essence, what does that look like for you guys when you get a call? RB: Virtually any cyber-situation where we would receive a message or call from a client, we work to be prepared to respond as quickly as possible, day or night, weekday or weekend, holiday or non-holiday.


'The Copyright Case of the Century'

Did both the IP and API nerds in your life seem downright giddy Friday? Well, the U.S. Supreme Court's decision to take up the long-running Google v. Oracle case could be to blame for the little extra pep in their step.

The SCOTUS justices could hear the nearly decade-old dispute over whether Google violated copyright laws and overstepped fair use protections when it allegedly copied Oracle's Java application programming interfaces (APIs) for its Android operating system as soon as March.

Stanford Law professor Mark Lemley, who has represented Google in copyright matters in the past, told Law.com IP reporter Scott Graham the case could "reshape" software copyright law and copyright doctrine at large.

"This is the copyright case of the century," Lemley said.

Graham said he's looking forward to finally hearing what the high court had to say about this case, after the U.S. Court of Appeals for the Federal Circuit ruled in 2014 that software APIs could indeed be copyrighted and in 2018 that copying portions of them was not fair use.

"The other thing that's exciting is, up until now we've been at the cert stage, where the question is, 'Was the Federal Circuit right?'" Graham said. "Now it's open season for the parties to advocate for whatever they want on copyrightability and fair use in the digital era. The justices could write a very narrow opinion saying, e.g. substantial evidence supported the jury verdict on fair use, or they could completely rethink the law around fair use and narrow or expand the types of subject matter that can't be copyrighted."

As an example, Graham pointed to the U.S. Court of Appeals for the Ninth Circuit's opinion in Lenz v. Universal Music, where the panel voiced a strict reading of fair use but were still confined to Supreme Court and Ninth Circuit precedent. "The Supreme Court isn't bound by anything except stare decisis, and even that isn't much of a guard rail any more," he said.

Subscribe to Scott Graham's Skilled in the Art briefing for more updates on the case and general IP wonderment.


On the Radar

Google's Medical Data Grab Google likely won't face HIPAA violations for its data deal with health care provider Ascension. Yet, the company's "Project Nightingale," which transacted Ascension patient names, lab results, hospitalization records and doctor diagnoses, could shape laws around patient disclosures. "What you might see is there are more specific obligations to record disclosures and to provide patients about more specific notice about who is getting their information," said Tatiana Melnik, an attorney and founder of Melnik Legal. Read more from Frank Ready here.

Sorry, It's Policy A class of employees seeking to revive a gender discrimination suit against Twitter will first have to prove the company had a "uniform policy" to establish commonality. Although plaintiffs' lawyer Jason Lohr of San Francisco's Lohr Ripamonti & Segarich told the California's First District Court of Appeal hundreds of pages of policy documents and testimony from a Twitter HR rep proved that Twitter had a "single promotion process," Presiding Justice Barbara Jones of said plaintiffs' own witnesses contradicted that assertion. Orrick, Herrington & Sutcliffe's Eric Shumsky said that the more than 100 managers making subjective promotion decisions based on vague criteria showed that company leaders did not use a standard policy. Read more from Ross Todd here.

Who Presides Over Cyberspace? The law around personal jurisdiction for online transactions is still buffering. Last week, the Superior Court of New Jersey Appellate Division decided that the online sale of a car in New Jersey did not fall under the purview of the state's court system. In the ruling, Appellate Division Judge Jack Sabatino wrote that 11% of all retail transactions are web-based, and the U.S. Supreme Court still has not resolved the issue. "Perhaps there may come a day in which Internet transactions become so dominant that buyers and sellers should be expected to anticipate, in the absence of an express forum selection clause, that they could be sued in the other contracting party's home state without limitation," Sabatino wrote. Read more from Charles Toutant here.


Thanks for reading. We will be back next week with more What's Next.