Warrants Rejected for GPS Location Data

A US federal judge has denied a warrant request for GPS data when “not to collect evidence of a crime, but solely to locate a charged defendant”.

The warrant asked for “unlimited location data at any time on demand during a 30-day period”. The defense attorney argued that a search warrant requires proof of “a fair probability that contraband or evidence of a crime will be found in a particular place.” A suspect, in other words, does not automatically lose the right to privacy: unless there is a flight risk, data on all of a suspect’s movements is not sufficient on its own to justify a warrant.

The NYT reports that the US Supreme Court is also about to hear similar arguments about using GPS data to track a suspect.

In April, Judge Diane P. Wood of the federal appeals court in Chicago wrote that surveillance using global positioning system devices would “make the system that George Orwell depicted in his famous novel, ‘1984,’ seem clumsy.” In a similar case last year, Chief Judge Alex Kozinski of the federal appeals court in San Francisco wrote that “1984 may have come a bit later than predicted, but it’s here at last.”

Last month, Judge Nicholas G. Garaufis of the Federal District Court in Brooklyn turned down a government request for 113 days of location data from cellphone towers, citing “Orwellian intrusion” and saying the courts must “begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine.”

The Supreme Court is about to do just that. In November, it will hear arguments in United States v. Jones, No. 10-1259, the most important Fourth Amendment case in a decade. The justices will address a question that has divided the lower courts: Do the police need a warrant to attach a GPS device to a suspect’s car and track its movements for weeks at a time?

[…]

The Jones case will address not only whether the placement of a space-age tracking device on the outside of a vehicle without a warrant qualifies as a search, but also whether the intensive monitoring it allows is different in kind from conventional surveillance by police officers who stake out suspects and tail their cars.

The ruling could also affect how warrants are applied to other location-aware technology used by large service providers. I will discuss it Tuesday in my presentation on “Trends in Cloud Forensics” at the High Technology Crime Investigation Association International Conference. Hope to see you there.

Apple New Product Security

Apparently impersonating police officers, searching homes without a warrant, and threatening immigrants have not worked very well for the giant media/technology company:

Calderón told us that six badge-wearing visitors came to his home in July to inquire about the phone. Calderón said none of them acknowledged being employed by Apple, and one of them offered him $300, and a promise that the owner of the phone would not press charges, if he would return the device.

The visitors also allegedly threatened him and his family, asking questions about their immigration status. “One of the officers is like, ‘Is everyone in this house an American citizen?’ They said we were all going to get into trouble,” Calderón said.

One of the officers left a phone number with him, which SF Weekly traced to Anthony Colon, an [ex San Jose police officer and] investigator employed at Apple, who declined to comment when we reached him.

Apple must have finally tasted some of the pickle they are in, or maybe it’s just a coincidence that they are now hiring a security manager to oversee new products. Note the tone of the qualifications in the “proven record” of their “ideal candidate”.

Simultaneously working with multiple constituencies, balancing disparate priorities, problem solving in high-demand situations, defining and establishing attainable measures of success, and regularly achieving positive outcomes in large-scale business environments.

Translation: You will be responsible for convincing others, who probably do not even get along with each other and who see you as an impediment to their success, to follow what you say. Also known as experience marketing a very low bar as success, because advocating too high a bar would just make everyone align even more against security.

Accurately assessing physical and logical security implementations and making actionable risk management recommendations that consider impact on corporate culture, business operations, system architectures, manufacturing processes, and employee workflows.

Translation: Experience not getting in the way; knowledge of how to let the business make the final decision on the amount of risk they will run while leaving the responsibility for that risk (e.g. your reputation as a security “manager”) on you.

Formulating, and successfully implementing, a variety of security technologies utilizing industry-recommended practices and/or risk frameworks.

Translation: Experience buying and implementing security controls three or four years after they already should have been in place.

Looks like an excellent opportunity and a much-needed role. The question is how effective it can be if they are constantly emphasizing in the job spec that they want someone who will not push them too much too soon. Apple could see a significant turnaround if they find the right person, but a manager-level role could be argued to be too little, too late to alter course from where they appear to be headed.

It reminds me of the patient who will only work with a doctor under certain conditions. The patient, for example, might accept advice but disallow being told what to do and forbid any intervention, even to save their life. The medical profession seems to call this the “difficult” patient problem.

Doctors report that about one in six patients is “difficult.” […] The data suggest that some doctors may simply have a shorter fuse when it comes to dealing with a challenging patient. The researchers noted that older, more experienced practitioners are likely better at dealing with unhappy patients and may be less likely to view patient visits as difficult, even when they’re not perfect. […] An editorial suggested…doctors need better training to cope with the psychological challenges of caring for patients…doctors are advised to rise to the challenge of working with a difficult patient.

Who will rise to the challenge of working with Apple?

Wiener against bare bottoms in SF

This story can’t be real. It sounds like, at least for Mr. Wiener, the issue with being naked is about safety:

Public nudity, he explains, is legal in San Francisco and in recent years a group known informally as Naked Guys have shown unbridled enthusiasm for appearing in the nude.

“I see it pretty regularly, and unfortunately there are nudists who are not doing what they should,” Wiener told Reuters.

The nudists, who expose themselves most often in the city’s famous gay neighborhood, the Castro District, have got Wiener and others worrying about public health.

“I’m not a health expert, but I believe sitting nude in a public place is not sanitary,” he said. “Would you want to sit on a seat where someone had been sitting naked? I think most people would say, ‘No.’”

Wiener, who represents the Castro neighborhood, said he hears from merchants who fear the public displays may drive away customers, hurting the business’ bottom lines.

The argument that public displays in the Castro will drive away customers is like saying Disney should get rid of Mickey because some people are afraid of mice. Wiener must realize at least a little that “displays” are why the “famous gay neighborhood” has so many customers.

So let’s look instead at his argument on safety. Business is booming in other neighborhoods where safety is a very serious problem. I’m talking about three homicides in the Mission in just one week, including a cook. The last one was a block from the police station. And if Wiener is really worried just about seat cleanliness, then maybe he should instead focus his worry on BART upholstery, since it clearly brings many more dirty bottoms into the Castro:

Fecal and skin-borne bacteria resistant to antibiotics were found in a seat on a train headed from Daly City to Dublin/Pleasanton. Further testing on the skin-borne bacteria showed characteristics of methicillin-resistant staphylococcus aureus, or MRSA, the drug-resistant bacterium that causes potentially lethal infections, although Franklin cautioned that the MRSA findings were preliminary.

High concentrations of at least nine bacteria strains and several types of mold were found on the seat. Even after Franklin cleaned the cushion with an alcohol wipe, potentially harmful bacteria were found growing in the fabric.

If only they could get rid of that disgusting fabric…


California SB 24 to replace SB 1386

A new bill just signed into law, to take effect on the first day of 2012, aims to improve breach reporting data by replacing SB 1386:

Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.

[…]

In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians. This requirement will “give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide,” [State Sen. Joe] Simitian explained.

The new Governor, Brown, clearly does not harbor the same concerns as his predecessor.

Schwarzenegger vetoed multiple similar bills, including one last year. Here is how he stated his objections in a veto letter:

This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.

I have to say I disagree. A repository of information leads to tangible benefits for consumers by enhancing our awareness and understanding of vulnerabilities and threats. A standardized repository of information leads to even more tangible benefits. It could even be argued that the biggest improvements to privacy have come as a result of analysis of the breaches, not from the fines. Then again, since I regularly do analysis of breach data but do not collect money from fines, I might be biased.

The interesting twist to this story is that Schwarzenegger apparently had no issue with the laws put on his desk to collect breach data related to medical information. After his wife’s data was compromised in the infamous UCLA case of 2008 he signed into law AB 211 and SB 541.

Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.

Schwarzenegger then established a repository of breaches at the Department of Public Health (Health & Safety Code section 1280.15) a full year before he announced a lack of consumer benefit from a repository of breaches.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

The big difference to him seems to have been the presence of fines in the text, penalties that make collecting breach data worthwhile. Now that he is out of office, SB 24 has passed without any mention of fines. In that sense it is very unlike the text of Health & Safety Code section 1280.15.

The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed. […] Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program

California led the country when it passed SB 1386 and changed the landscape of consumer privacy protection. Now it trails more than a dozen other states that already have passed breach laws like SB 24. And while it is not clear that a breach law is any more effective with a fine in its text, a central repository of breach data in standardized format to me has very obvious benefits to consumer privacy.