BILL ANALYSIS
SB 741
Page 1
Date of Hearing: June 23, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
SB 741 (Hill) - As Amended May 19, 2015
SENATE VOTE: 39-0
SUBJECT: Mobile communications: privacy.
SUMMARY: Requires local agencies to approve the acquisition or
use of cellular communications interception technology (CCIT) at
a public hearing before deploying it, requires local agencies to
develop and release a usage and privacy policy for CCIT, and
provides for civil remedies in the event of a violation.
Specifically, this bill:
1)Requires a local agency that operates CCIT to:
a) Protect the collected information and data with
reasonable operational, administrative, technical, and
physical safeguards;
b) Implement and maintain reasonable security
procedures and practices; and,
c) Implement and maintain a usage and privacy policy,
which shall be available in writing, and online if the
local agency has a website.
2)Requires a local agency's usage and privacy policy to include,
at a minimum, all of the following:
a) The authorized purposes for using the CCIT and for
collecting information or data with the CCIT;
b) A description of the employees who are authorized to
use, or access information or data collected through the
use of, CCIT, as well as the training requirements for
those authorized employees;
c) A description of how the use of CCIT will be
monitored to ensure compliance with all applicable
privacy laws, as well as the process for periodic system
audits;
d) A description of reasonable measures that will be
used to ensure the accuracy of collected information or
data, and the process for correcting errors;
e) A description of how the local agency will comply
with the security procedures and practices;
f) The length of time information or data will be
stored or retained, and the process for determining if
and when to destroy stored or retained information or
data;
g) The official custodian or owner of the collected
information or data, and the employees responsible for
implementation of statutory requirements; and,
h) The purpose of, process for, and limitations on,
sharing or disseminating information or data with other
persons.
3)Prohibits a local agency from acquiring or using CCIT without
its legislative body first adopting a resolution or ordinance
authorizing that acquisition or use.
4)Prohibits the legislative body of a local agency from
approving a resolution or ordinance authorizing the
acquisition or use of CCIT unless it is adopted at a regularly
scheduled public meeting where members of the public have a
reasonable opportunity to comment, and the resolution or
ordinance includes the proposed usage and privacy policy.
5)Authorizes an individual harmed by the knowing violation of
these provisions to bring a civil action in court.
6)Authorizes a court to order any or all of the following
remedies:
a) Actual damages, but not less than liquidated damages
in the amount of two thousand five hundred dollars
($2,500);
b) Punitive damages upon proof of willful or reckless
disregard of the law;
c) Reasonable attorney's fees and other litigation
costs reasonably incurred; and,
d) Other preliminary and equitable relief as the court
determines to be appropriate.
7)Defines the terms "cellular communications interception
technology" and "local agency."
EXISTING LAW:
1)Provides, pursuant to the California Constitution, that all
people have an inalienable right to pursue and obtain privacy.
(Cal. Const., art. I, Sec. 1.)
2)Makes it a crime to manufacture, assemble, sell, advertise for
sale, possess, transport, import, or furnish to another a
device that is primarily or exclusively designed or intended
for eavesdropping upon the communication of another, or any
device that is primarily or exclusively designed or intended
for the unauthorized interception or reception of
communications between a cellular radio telephone, as defined,
and a landline telephone or other cellular radio telephone.
(Penal Code (PC) Section 635)
3)Makes it a crime to purchase, sell, offer to purchase or sell,
or conspire to purchase or sell, any telephone calling pattern
record or list, without the written consent of the subscriber,
or to procure, obtain, attempt to obtain, or conspire to
obtain, any calling pattern record or list through fraud or
deceit, subject to certain exemptions for law enforcement
agencies. (PC 638)
4)Prohibits a state or local agency from allowing another party
to control the disclosure of information that is otherwise
subject to disclosure pursuant to the California Public
Records Act. (Government Code Section 6253.3)
FISCAL EFFECT: None. This bill has been tagged nonfiscal by
the Legislative Counsel.
COMMENTS:
1)Purpose of this bill. This bill is intended to create
transparency in the use of CCIT on the part of local law
enforcement agencies by requiring a public hearing prior to
adoption and a usage and privacy policy to guide its use. SB
741 is author-sponsored.
2)Author's statement. According to the author, "Residents
should be made aware of what type of surveillance technology
law enforcement agencies use within their community.
Residents should also be able to participate in a public
process to decide whether or not those surveillance
technologies should be used in their communities and if
adopted, how the technology should be used."
"Current law, however, does not guarantee this for the use of
cell phone intercept technology by local law enforcement
agencies. Throughout the state, local governments and law
enforcement agencies have been adopting the use of cell phone
intercept technology without providing an opportunity for
community input.
"The technology, which can be used to mimic a cell phone tower
and intercept cell phone information, including locational
data, is growing more common. According to the most recent
data, at least 11 local jurisdictions in California have
purchased the technology. None of the local governments have
allowed public input or adopted publicly available policies
governing the use of the cell phone tracking technology."
3)Understanding CCIT. What this bill calls "cellular
communications interception technology" or CCIT is more
commonly referred to elsewhere as an "international mobile
subscriber identity (IMSI) catcher" or a "StingRay," which is
a brand name for a particular line of cell site emulator.
CCIT is a portable cell phone surveillance tool used by
government agencies at the federal, state and local levels
that generally consists of an antenna, a processor, and a laptop
computer for analysis and configuration. It works by
emulating the operation of a cellular telephone network tower,
which prompts nearby cell phones to switch over and
communicate with it as if it were the carrier's nearest base
station.
The CCIT can be used to collect a variety of data about "caught"
cell phones, particularly the phone's unique numeric
identifier and its physical location. According to the
American Civil Liberties Union (ACLU), CCIT is generally used
for two purposes: First, if the government knows a suspect's
location, it can use CCIT to determine the unique numeric
identifier associated with the cell phone. Having this
number can facilitate the government's efforts to obtain a
wiretap or call records on the target of an investigation.
Second, if the government has the unique numeric identifier,
it can determine the phone's geographic location, often with
an accuracy of up to two meters. CCIT can also be used to
capture the content of communications (like voice calls and
text messages), although the ACLU does not provide evidence
that the local law enforcement agencies have done so with any
frequency.
According to an ACLU study, at least 34 law enforcement
agencies in 15 states have purchased CCIT. The technology is
reportedly used by at least 11 local law enforcement agencies
in California, including Alameda County, Los Angeles County,
the City of Los Angeles, Sacramento County, San Bernardino
County, the City of San Diego, the City and County of San
Francisco, and the City of San Jose. There is also evidence
to suggest that the Santa Clara County Board of Supervisors
authorized its Sheriff's Office in February 2015 to purchase
CCIT as well.
4)Concerns over the use of CCIT. There are at least three major
concerns over the use of CCIT: a lack of public transparency,
a lack of clarity over the standard of evidence needed to
authorize use of CCIT, and the potentially overbroad nature of
the search itself facilitated by CCIT.
5)Transparency and non-disclosure agreements. One major problem
with understanding the full impact of CCIT is that many local
law enforcement agencies with the technology have signed
non-disclosure agreements (NDAs) with the CCIT manufacturer,
which some agencies have cited as a reason for not providing
even basic information about their CCIT use.
A KXTV News10 report from March 2014 found that, after
submitting public records requests to every major Northern
California law enforcement agency, "some agencies provided
documentation, but none would discuss how [CCIT] work[s], or
even admit they have [CCIT]." For example, the San Jose
Police Department provided heavily redacted purchase orders,
but would provide no information on CCIT-enabled arrests.
Moreover, the Department justified its withholding of
information by saying the "equipment is proprietary and used
for surveillance missions... Its capabilities can only be
discussed with sworn law enforcement officers, the military or
federal government. This equipment's capabilities are not for
public knowledge and are protected under non-disclosure
agreements..."
As another example, the Sacramento County Sheriff's Department
has been listed by other law enforcement agencies as owning
CCIT, but the Department itself refused to acknowledge its
existence, with its spokesman saying "my understanding is that
the acquisition or use of this technology comes with a strict
non-disclosure requirement... Therefore it would be inappropriate
for us to comment about any agency that may be using the
technology."
It bears noting that such agreements may already violate state
law, which prohibits state or local agencies from allowing
another party to control the disclosure of information that is
otherwise subject to disclosure pursuant to the California
Public Records Act. To the extent that the refusals to
provide information described above are premised on the
existence of a non-disclosure agreement, rather than because
they are non-disclosable under the Public Records Act, then
those justifications may be invalid.
Furthermore, the secrecy engendered by these NDAs appears to
run counter to fundamental privacy principles. What are now
called the Fair Information Practice Principles (or FIPPs)
began as an effort by the federal government in 1973 to
articulate a set of privacy principles to guide data
management, which ultimately coalesced into the eight
principles now recognized as FIPPs. The National Institute of
Standards and Technology in its National Strategy for Trusted
Identities in Cyberspace says "FIPPs are the widely accepted
framework of defining principles to be used in the evaluation
and consideration of systems, processes, or programs that
affect individual privacy. Universal application of FIPPs
provides the basis for confidence and trust..."
The first FIPP principle is Transparency: "Organizations
should be transparent and notify individuals regarding
collection, use, dissemination, and maintenance of personally
identifiable information (PII)." Put another way,
organizations should not have information collection programs
the very existence of which is secret.
To the extent that this bill requires local agencies to
publicly disclose the existence of CCIT systems and programs,
it would be entirely consistent with the FIPPs.
6)What standard of evidence applies? Another concern
exacerbated by the lack of transparency is the standard of
evidence for judicial authorization to use CCIT and the danger
of less than fully informed judicial oversight.
A February 2015 article by the ACLU states, "The secrecy is not
just from the public, but often from judges who are supposed
to ensure that police are not abusing their authority. Partly
relying on that secrecy, [Florida] police have been getting
authorization to use [CCIT] based on the low standard of
'relevance,' not a warrant based on probable cause as required
by the Fourth Amendment. In many of the investigations,
police never sought a court order authorizing [CCIT] use. In
others, they sought a court order on a low "relevance"
standard, but not a warrant based on probable cause. Perhaps
most troublingly, the records indicate a pattern of excessive
secrecy, including concealment of information that should
appear in investigative files and court filings. For example,
the [Tallahassee Police Department] provided a sample of
judicial applications and orders it says were used to justify
[CCIT] use, but not one of them contains a single mention or
description of Stingray technology. This suggests that judges
weren't being fully informed about what they were approving."
The same article also points out that none of the departments
surveyed had a formal policy on CCIT use, or evidence that
they consistently seek a warrant before using the technology,
which raises important legal questions: "Indeed, records from
Tallahassee and elsewhere indicate that police have not been
getting warrants... In a strong ruling last year, the Florida
Supreme Court held that the Fourth Amendment requires police
to get a warrant before asking a phone company to track a cell
phone user's location in real time. The logic of that opinion
should apply equally to cell phone tracking using Stingrays.
And because Stingrays sweep up information not just about
suspects, but also bystanders, the need for robust judicial
oversight is all the greater."
7)The "dragnet" problem and service disruption. Another privacy
concern raised by the use of CCIT is that it can affect all
mobile users in the vicinity of the device, not just
individuals under investigation. This raises important
constitutional questions about dragnet-style "general
searches" and their prohibition by the Fourth Amendment, as
well as practical problems with service disruption for the
public.
According to an October 2012 report by the Electronic Frontier
Foundation, the general nature of the search effected by CCIT
is highly concerning: "[CCIT] - which could potentially be
beamed into all the houses in one neighborhood looking for a
particular signal - is the digital version of the
pre-Revolutionary war practice of British soldiers going
door-to-door, searching Americans' homes without rationale or
suspicion, let alone judicial approval. . . . And when police
use [CCIT], it's not just the suspects' phone information the
device sucks up, but all the innocent people around such
suspects as well. Some devices have a range of several
kilometers, meaning potentially thousands of people could have
their privacy violated despite not being suspected of any
crime." And while the constitutional question itself (i.e.,
whether the technology violates the 4th Amendment) may be a
matter for the courts, the underlying issue is hotly contested
and clearly of great concern.
Moreover, CCIT can affect mobile device service for all nearby
individuals, even those not related to the investigation.
According to a Wired magazine article from March 2015, an ACLU
court filing referenced a Federal Bureau of Investigation
warrant application that admitted that CCIT "has the potential
to intermittently disrupt cellular service... Any potential
service disruption will be brief and minimized by reasonably
limiting the scope and duration of the use of [CCIT]". And
while some CCIT systems are designed to recognize 911 calls
and let them pass through to legitimate cell towers, Internet
access can be substantially disrupted and non-emergency phone
communications can be stopped completely by their operation.
In response, the article quotes the ACLU as saying, "We think
the fact that [CCIT can] block or drop calls of cell phone
users in the vicinity should be of concern to cell service
providers, the FCC and ordinary people... If an emergency or
important/urgent call (to a doctor, a loved one, etc.) is
blocked or dropped by this technology, that's a serious
problem."
8)The practical privacy implications of this bill. In trying to
address these issues, this bill largely takes a
disclosure-based approach. As a matter of transparency, it
requires a local agency's legislative body to approve the use
of CCIT, which gives the public a means to become aware of a
CCIT program and have meaningful input. The bill also
requires disclosure in the form of a usage and privacy policy,
which gives the public some high-level insight into the uses
of CCIT and how the collected data will be handled. It also
provides a substantial legal remedy for individuals who are
knowingly harmed by a violation of the statute, and requires
the local agency to take reasonable precautions to protect the
data.
In doing so, the bill improves public transparency and involvement
somewhat without restricting law enforcement's ability to use
the technology.
9)Potential Committee amendments. One question raised by the
author is the possibility that a memorandum of understanding
(MOU) or other agreement between two local law enforcement
agencies could enable one department to direct the use of CCIT
owned by another for its own investigatory purposes, or
benefit from collected data, without "acquiring or using"
CCIT.
To further the transparency goals of this bill, the author and
Committee may wish to consider amending the bill to require
the usage and privacy policy to disclose any agreement with
another party related to the operation of CCIT or the sharing
of collected data.
10)Arguments in support. According to the Media Alliance, "When
technology outstrips a deliberative public process to define
appropriate and inappropriate uses of that technology, abuses
and overreach can occur, damaging civil and human rights and
creating unease and conflict with a municipality. By
establishing a usage policy pertaining to when the technology
may be employed, how the data is to be used, how the data will
be protected from unauthorized disclosure and disposed of once
it is no longer needed, SB 741 protects the rights of
residents suspected of no crime, supports the vulnerable
including those too often unfairly targeted by law enforcement
and those exercising investigative or whistle-blowing
activities or exercising their First Amendment rights, and
protects municipal employees and politicians from perceptions
or actual incidents of inappropriate usage that can occur when
policies are unclear or absent."
Small Business California writes, "[c]urrent law does not
provide for the public to know what type of surveillance
technology law enforcement agencies use within their
community. Residents should be able to participate in a
public process to decide whether these surveillance
technologies should be used within their communities and how
the technologies should be used."
The California Newspaper Publishers Association adds
"Currently, 11 jurisdictions in California have purchased
[CCIT] monitoring devices... This allows police to conduct
warrantless searches of any Californian. Law enforcement
agencies have adopted this new technology without any public
input, oversight, or in some cases, public knowledge. While
California's shield law provides enhanced protections for
journalists' data, this protection is jeopardized by the use
of cell phone intercept devices. Ultimately, this technology
allows for law enforcement to monitor the press without a
warrant and without any oversight."
11)Arguments in opposition. According to the California Police
Chiefs Association, "While we certainly respect your efforts
to strengthen public confidence in law enforcement and shine
light on how these devices are used, we are concerned that SB
741 will undermine law enforcement's ability to use discretion
to enforce the law and maintain public safety. For example,
SB 741 would prohibit a local agency from borrowing [CCIT]
from a neighboring agency for a specific investigation if the
borrowing agency did not yet have an adopted city resolution
or ordinance. Consequently, agencies will be compelled to use
alternative, less effective, technologies."
12)Double-referral. This bill is double-referred to the
Assembly Local Government Committee, where this bill will be
heard if passed by this Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
Bay Area Civil Liberties Coalition
California Newspaper Publishers Association
Media Alliance
Small Business California
Opposition
California Police Chiefs Association
California State Sheriffs' Association
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200