Human Rights Law

I’ve Been Shot! Give Me a Donut!: Linking Vaccine Verification Apps to Existing State Immunization Registries

Ian Colby, MJLST Staffer

The gold rush for vaccination appointments is in full swing. After Governor Walz and many other governors announced an acceleration of vaccine eligibility in their states, the newly eligible desperately sought vaccinations to help the world achieve herd immunity to the SARS-CoV-2 virus (“COVID”) and get back to normal life.

The organization administering a person’s initial dose typically gives the recipient an approximately 4” x 3” card that provides the vaccine manufacturer, the date and location of inoculation, and the Centers for Disease Control (“CDC”) logo. The CDC website does not specify what, exactly, this card is for. Likely reasons include informing the patient about the healthcare they just received, a reminder card for a second dose, or providing batch numbers in case a manufacturing issue arises. Maybe they did it for the ‘Gram. However, regardless of the CDC’s reason for the card, many news outlets have latched onto the most likely future use for them: as a passport to get the post-pandemic party started.

Airlines, sports venues, schools, and donut shops are desperate to return to safe mass gatherings and close contact, without needing to enforce as many protective measures. These organizations, in the short-term, will likely seek assurance of a person’s vaccination status. Aside from the equitable and scientific issues with requiring this assurance, these business will likely get “proof” with these CDC vaccination cards. The cardboard and ink security of these cards rivals social security cards in the “high importance – zero protection” category. Warnings of scammers providing blank CDC cards or stealing the vaccinated person’s name and birthdate hit the web last week (No scammers needed: you can get Missouri’s PDF to print one for free).

With so little security, but with a business-need to reopen the economy to vaccinated folks, businesses and governments have turned to digital vaccine passports. Generically named “digital health passes,” these apps will allow a person to show proof of their vaccination status securely. They “provide a path to reviving the economy and getting Americans back to work and play” according to a New York Times article. “For any such certificate or passport to work, it is going to need two things – access to a country’s official records of vaccinations and a secure method of identifying an individual and linking them to their health record.”

A variety of sources have undertaken development of these digital health passes, both governments and private firms. Israel already provides a nationwide digital proof of vaccination known as a Green Pass. Denmark followed suit with the Coronapas. In addition, a number of private companies and nonprofits are vying to become the preeminent vaccine status app for the world’s smartphones. While governments, such as Israel, have preexisting authority to access immunization and identification records, private firms do not. Private firms would require authorization to access your medical records.

So, in the United States, who would run these apps? Not the U.S. federal government. The Biden Administration unequivocally denied that it would ever require vaccine status checks, and would not keep a vaccination database. The federal government does not need to, though. Most states already manage a digital vaccination database, pursuant to laws authorizing them. Every other state, which doesn’t directly authorize them, still maintains a digital database anyway. These immunization information systems (“IIS”) provide quick access to a person’s vaccination status. A state’s resident can make a request for their vaccination status on myriad vaccinations for free and receive the results via email. Texas and Florida, who made big hubbubs about restricting any use of vaccine passports, both have registries to provide proof of vaccination. So does New York, who has already published an app, known as the Excelsior Pass, that does this for the COVID vaccine. The State’s app pulls information from New York’s immunization registry, providing a quick, simple yes-no result for those requiring proof. The app uses IBM’s blockchain technology, which is “designed to enable the secure verification of health credentials such as test results and vaccination records without the need to share underlying medical and personal information.”

With so many options, consumers of vaccine status apps could become overwhelmed. A vaccinated person may need to download innumerable apps to enter myriad activities. “Fake” apps could ask for additional medical information from the unwary. Private app developers may try to justify continued use of the app after the need for COVID vaccination proof passes.

In this competitive atmosphere, apps that partner with state governments likely provide the best form of digital vaccination verification. These apps have direct approval from the states that are required by law to maintain these vaccination records. They provide some authority to avoid scams. And cooperation to achieve state standardization of these apps may facilitate greater use. States seeking to reopen their economies should authorize digital interfaces with their pre-existing immunization registries. Now that the gold rush for vaccinations has started, the gold rush for vaccine passports is something to keep an eye on.

 


Hailstorms in Baltimore: The Fourth Circuit’s Opportunity to Create Oversight and Accountability for a Secretive Police Technology

Jordan Hughes, MJLST Staffer

The past several months have once again shone a spotlight on the difficulty of holding police and law enforcement accountable for their actions. The American public has become more aware than ever of the unions and structures in place to shield officers from liability. Despite years of DOJ investigations and investigative reporting into the procedures of departments around the country, many regular police practices remain hidden from the public eye. Including the use of secretive new technologies that allow for unprecedented levels of discretion—and unprecedented potentials for abuse.

The Hailstorm is one such dragnet-style electronic capturing device that over 85 federal and state enforcement agencies have used largely in secret for more than two decades. This past spring, the 4th Circuit joined the fledgling ranks of federal courts asked to grapple with constitutional questions raised by the elusive technology. Baltimore police used a Hailstorm in 2014 to locate Kerron Andrews, who had an outstanding arrest warrant. Andrews v. Balt. City Police Dep’t, No. CCB-16-2010, 2018 U.S. Dist. LEXIS 129523, at *4 (D. Md. Aug. 1, 2018). The device enabled Baltimore police to pinpoint the apartment building where Andrews was sitting, despite having been unable to find him using standard location information released to them by his phone carrier. The police never disclosed the device during their surveillance, citing instead a “pen register order” as authorization for its use. A Maryland state court held that the government violated Andrews’ Fourth Amendment rights through use of the Hailstorm, and a state appellate court upheld that decision. Andrews then sued the police department in a federal district court, but the federal court considered the search constitutional and granted summary judgment against him. Andrews appealed.

The 4th Circuit, in Andrews v. Balt. City Police Dep’t, No. 18-1953, 2020 U.S. App. LEXIS 9641 (4th Cir. Mar. 27, 2020), both acknowledged the serious constitutional questions at stake and declined to make a ruling on them due to a lack of information. The district court was directed on remand to make findings concerning the Baltimore Police Department’s practice regarding Hailstorm technology, as well as the extent of constitutional intrusions involved in the search. Whatever the outcome, the 4th Circuit is likely to hear this case again. When it finally does, the court will have to decide how to apply the Fourth Amendment to a technology that may be fully incompatible with the freedom from broad and general searches that it typically guarantees.

What is a Hailstorm?

The “Hailstorm” is a model of “cell site simulator” technology sold by Harris Corporation. Other commonly used Harris models include the “StingRay,” “TriggerFish,” and “KingFish.” Generically, these devices are known as international mobile subscriber identity (“IMSI”) catchers.

IMSI catchers essentially mimic a wireless carrier’s base station, causing cell phones to communicate their unique identifiers and location data to the device even when they’re not in use. They function as a dragnet, capturing the unique numerical identifiers of all wireless devices within a particular area. The technology provides both identification and location data for devices. It is precise enough for law enforcement to narrow a device’s location to six feet, and to identify the exact unit a device is in from outside a large apartment complex. IMSI catchers are also capable of capturing the contents of communications, although there has not been a disclosed instance yet of law enforcement using an IMSI catcher in this fashion. IMSI catchers are small, and can easily be handheld or mounted on vehicles or drones.

What is the concern?

The Hailstorm raises a number of concerns under the Fourth Amendment—the constitutional provision meant to protect Americans from unreasonable searches and seizures. The ACLU, in a 2014 guide for defense attorneys, outlined the major Fourth Amendment questions that arise with the use of any IMSI catcher. These include:

  1. Level of scrutiny: IMSI catchers are almost certainly intrusive enough to violate both reasonable expectations of privacy and property interests, thus giving rise to Fourth Amendment scrutiny. When used in connection with a residence, the devices provide critical details about the inside of the property that constitutes a search under any framework. While the Supreme Court has held that there is no reasonable expectation of privacy on outgoing phone numbers voluntarily sent to a third party, that analysis likely cannot extend to data that gets redirected and captured by a Hailstorm without the phone-owner’s knowledge or consent.
  2. General search: There is an argument that any search conducted by an IMSI catcher constitutes a general search, and thus should be categorically barred by the Fourth Amendment. An IMSI catcher indiscriminately gathers all signaling information from a captured phone, seemingly incompatible with a constitutional requirement that surveillance minimize the collection of information unsupported by probable cause. Further, the dragnet functionality conducts this information grab on all devices in a vicinity, including innocent third parties whom the government lacks probable cause to search.
  3. Inaccurate warrants: When law enforcement does apply for a warrant to use an IMSI catcher, those warrants are very likely inaccurate. Warrant applications, driven by federal policies of non-disclosure, typically either (a) omit the fact that the government intends to use an IMSI catcher, (b) mislead the court by saying the government intends to use less intrusive devices (like a pen register) instead, or (c) fail to provide any information on what the technology is and how it operates. In either scenario, the warrant is predicated on a material omission that deprives a court of its constitutional obligation to balance government interests against intrusions into private rights.
  4. Invalid warrants: If a warrant accurately states law enforcement’s intended use of an IMSI catcher, it may be facially invalid due to the necessarily general nature of the search. The entire purpose of the warrant requirement is to require law enforcement to state with particularity the area to be searched and the persons or things to be seized. It remains an open question whether warrant particularity requirements can ever be compatible with intrusive dragnet surveillance technologies.

A separate and perhaps more troubling concern is the extreme lengths, only recently uncovered, that the government has gone to in order to keep this technology a secret. The federal government uses extensive non-disclosure agreements to prevent federal, state, and even local law enforcement from disclosing any details on the capabilities and usage of IMSI catchers. There have been a couple instances where judges demanded police to disclose possible use of an IMSI catcher at trial. Prosecutors in these instances have voluntarily dropped the evidence, offered plea bargains without jail time, or voluntarily dismissed the case altogether rather than disclose the device’s usage. Law enforcement agents have also demonstrated a willingness to offer alternative explanations for evidence obtained by an IMSI catcher. In one case where the FBI used a StingRay, for example, a discovered email from a special agent read: “we need to develop independent probable cause for the search warrant . . . FBI does not want to disclose the [redacted] (understandably so).”

IMSI catchers in the courts so far

The first reported decision dealing with an IMSI catcher was in 1995. In re United States, 885 F. Supp. 197 (C.D. Cal. 1995). The court, which had difficulty applying current law to the new surveillance technology, demanded that law enforcement develop stronger safeguards before permitting its use. Since 1995, nation-wide police practices of avoiding disclosure of the devices has largely shielded them from the view of courts. More recent orders from even the most tech-savvy magistrate judges suggest that judicial officers across the country still have little exposure to or understanding of IMSI technology. The lack of exposure and understanding is critical to continuing the law enforcement practice of applying for approval to use a “pen register” device.

Among the courts that have been faced with the question of IMSI catcher use, several—including the 7th Circuit in 2016—have declined to answer questions concerning the devices’ constitutionality. United States v. Patrick, 842 F.3d 540 (7th Cir. 2016). In his dissent, Chief Judge Wood described the avoidance strategies of law enforcement as “bad faith” that could justify suppression, and closed by writing that “it is time for the Sting[R]ay to come out of the shadows, so that it can be subject to the same kind of scrutiny as other mechanisms.”

The 7th Circuit ultimately did revisit the question of Sting[R]ays in Sanchez-Jara in 2018. United States v. Sanchez-Jara, 889 F.3d 418 (7th Cir. 2018). That court rejected the “general search” argument and upheld a warrant that referred generally to “electronic investigative techniques” without specifying the use of IMSI catcher technology. The other federal circuits have yet to reach a decision on the issue.

Andrews v. Balt. City Police Dep’t will almost certainly appear before the 4th Circuit again. While the question in that case deals with whether a pen register application can cover use of a Hailstorm device, deeper questions surrounding the constitutionality of a Hailstorm search underlie every aspect of the litigation. The court will be faced with a police department that has a history of abusing discretion, and that has shielded the courts from its use of IMSI catchers for years, in a moment of increased public scrutiny of police practices and procedures. The 4th Circuit thus has a unique opportunity to create a level of increased accountability for law enforcement, and to change the trajectory of police surveillance strategies for years to come.


The EARN IT Act has Earned Sex Workers’ Criticism: How a Bill Regulating Internet Speech will Harm an Under-resourced Community Often Overlooked by Policymakers

Ingrid Hofeldt, MJLST Staffer

In March of 2020, as the COVID-19 pandemic swept across the nation, Senator Lindsey Graham introduced the EARN IT Act (EIA), a bill that would allow Congress to coerce internet providers into decreasing the security of communications on their platforms or risk a potential deluge of legal battles. In addition to violating the freedom and security many U.S. citizens enjoy online, this bill will particularly harm sex workers, who already face instability, housing insecurity, and the threat of poverty as the COVID-19 pandemic has made their work nearly impossible. Many human rights groups, including the American Civil Liberties Union, Human Rights Watch, and the Stanford Center for Internet and Society strongly oppose this bill. 

With the aim to protect children from sexual exploitation online, the EIA would amend Section 230 of the Communications Decency Act of 1996 (CDA). The CDA protects internet platforms from legal liability for the content shared by their users. Because of the CDA, the government cannot currently prosecute Facebook for its users’ decisions to upload child pornography onto their accounts. However, the EIA strips platforms of this protection. Additionally, the EIA establishes a National Commission on the Prevention of Online Child Sexual Exploitation. This commission will develop best practices for internet platforms to “prevent, reduce, and respond” to the online sexual exploitation of children. Though not legally binding, these guidelines could influence courts’ decision making as they interpret the EIA.

While preventing the sexual exploitation of children is a worthy aim, this act will provide victimized children with little protection they don’t already have, while opening sex workers and child victims of sexual exploitation up to greater violence at the hands of sex traffickers. Officials at the National Center for Missing and Exploited Children (NCMEC) are overburdened by the existing reports of online child sexual exploitation. The center has reached “a breaking point where NCMEC’s manual review capabilities and law enforcement investigations are no longer doable.” Sex traffickers also don’t necessarily use the platforms that the EIA would target or use internet platforms at all. As one sex worker explained, “[i]t’s interesting to note that Jeffrey Epstein didn’t use a website to traffic young women and neither do the pimps I have met in my 17 years as a sex worker.”

The EIA will impact internet providers’ ability to offer end-to-end encryption, the software that allows internet users to anonymously and securely message each other. Sex workers rely on end-to-end encryption to connect, share information relating to health and safety, and build their businesses. An anonymous sex worker explains that websites with end-to-end encryption allow them to “safely schedule and screen their clients before meeting them in person,” while making them “less dependent on exploitative third parties like pimps.”  If enacted, the EIA will likely harm sex workers immensely, because (1) sex workers will likely make less money without online platforms to secure clients; (2) sex workers will have to resort to less safe, offline means of finding clients; and (3) sex workers who continue using these platforms that have become unencrypted will face the risk of prosecution if law enforcement or website monitors discover they are engaging illegal activity. The EIA will affect internet providers’ ability to offer end-to-end encryption in primarily two ways. 

Firstly, strong evidence exists that the commission the EIA creates will establish anti-encryption guidelines. This commission will  include 19 unelected officials, some of whom must have experience in law enforcement. Unsurprisingly, this commission has no mandated representation of sex workers or sex worker advocates. The EIA will not require this commission to conduct human rights impact assessments, write transparency reports, or establish metrics of success. Given that the commission is headed by Attorney General Barr, who has strongly opposed encryption in the past, it is likely that the commission will recommend that internet platforms either (1) not employ end-to-end encryption, the practice that allows for private, secure internet communications or (2) allow law enforcement agencies a “backdoor” around end-to-end encryption so they can monitor otherwise secure internet communications. The commission also has the power to create whatever recommended standards for internet platforms that it desires, which could a recommendation ban end-to-end encryption. While these guidelines do not have the force of law, courts could look at them persuasively when ruling on whether an internet provider has violated the EIA.

Additionally, the EIA has the potential to open internet providers up to crushing liability from state governments or private individuals based on whether these providers offer encrypted messaging. Regardless of how courts ultimately rule, lengthy and costly court battles between internet providers and state governments will likely ensue. Some internet providers will probably choose to stop offering encrypted messaging services or allow law enforcement agencies a “backdoor” into their messaging services so law enforcement agents can view private Facebook messages or videos. The “voluntary” policies offered by the commission could become essentially mandatory if providers wish to save money.

Senator Patrick Leahy responded to the concerns around encryption by adding an amendment to the EIA that stipulates that “no action will be brought against the provider for utilizing [encryption];” however, Senator Leahy did not address the issue of a law enforcement “backdoor.”  Additionally, state governments could still use the EIA hold internet platforms accountable under their state laws, for recklessly or negligently failing to moderate encrypted and report it to NCMEC. Mike Lemon, the senior director and federal government affairs counsel reasons that “the new version of the [EIA] replaces one set of problems with another by opening the door to an unpredictable and inconsistent set of standards under state laws that pose many of the same risks to strong encryption.” 

Sex workers are already vulnerable to food insecurity, housing insecurity, and the threat of poverty because of the COVID-19 pandemic and the recent passage of FOSTA/SESTA, a law that resulted in the extermination of websites such as Backpage that sex workers commonly used.  As one sex worker explains, “my work is all contact work… a pandemic with a transmittal virus means… [my work has] moved completely online.” Based on survey results conducted by Hacking/Hustling, 78.5% of sex workers secure the majority of their income through sex work. Following the passage of FOSTA/SESTA, 73.5% of sex workers reported that their financial situations had changed. In the words of these anonymous respondents: “I’m homeless and can’t pay the bills.” “My income decreased by 58% following FOSTA/SESTA.” “I used to make enough to feel comfortable. Now I’m barely scraping by.” “I feel totally erased.” 

The EIA will narrow the amount of websites that sex workers can safely use, if a backdoor for encryption is allowed to law enforcement. Additionally, if internet platforms are liable under state laws, these platforms will more heavily police their content, resulting in the removal or prosecution of sex workers. Many sex workers will likely leave platforms that don’t provide encryption given safety and privacy concerns. While “sex workers were pioneers of the digital realm . . . [they] are now being kicked off the same online platforms . . .[they] built and inspired.”

Sex workers and sex worker advocacy organizations have come out in strong opposition against the EIA; however, given the lack of political sway sex workers hold due to societal biases, their outcry has fallen largely on deaf ears.  In response to the EIA, several prominent sex workers organized a live, virtual art exhibit to protest the EIA. In the words left behind on this page: “[t]hey can try to keep on killing us, to put their hands over our mouths, but they can never keep us away. We’ll be back.


A Rising Tool in International Climate Litigation: The Right to Life

Jessamine De Ocampo, MJLST Staffer

There has been a growing national and international trend placing environmental rights and environmental justice under the umbrella of human rights. The empirical data around climate change is vastly shaping the international human rights arena, allowing environmental rights to be considered and litigated amongst human rights. As of 2019, air pollution is estimated to have resulted in and continues to result in 7 million yearly premature deaths worldwide; of which 600,000 are children under the age of 5. Entire communities, particularly island nations, are being forced to relocate due to rising sea levels while climate variability and changing weather is resulting in severe food crises threatening food security.

Climate and environmental issues have been actively permeating the international human rights field. The UN Human Right Council entered a mandate for an investigation into the correlation between human rights and environmental rights, the Inter-American Commission of Human Rights commissioned their first special rapporteur on Economic, Social, Cultural and Environmental Rights, and the UN Human Rights Committee in a General Comment, recognized the relevance of climate issues in the context of the right to life. The Right to Life is a universally recognized fundamental human right. While it can be found in a multitude of international and regional doctrines, it is primarily referenced in relation to Article 3 of the United Nation’s Universal Declaration of Human Rights and Article 6 of the International Covenant on Civil and Political Rights. The right to life doctrine essentially states that every person has a right, protected by law, to live.

In the international courts, climate litigation cases have been decided under the Right to Life doctrine with growing success. A Pakistani farmer sued his country for failing to implement environmental legislation and won; a family of rural workers sued their home country of Paraguay for failing to protect them from severe environmental contamination in which the court held “the link between environmental protection and human rights is ‘undeniable.’ ” Finally, in December 2019, the Dutch Supreme Court held that the Dutch government must reduce emissions immediately in line with its human rights obligations.

As climate change and environmental justice concerns continue to pose an ever-growing multi-layered effect on our societies, these new tools may prove to be crucial in implementing liability. As the link tying climate change and human rights becomes stronger, individuals have more than before to establish a claim. The right to life doctrine can, and should, be used to enforce government liability for failing to regulate the harmful effects of climate change.