Can Vehicles be Criminal Voyeurs?

Rebecca Hatt

 

New vehicles come equipped with cameras and microphones that surveil the exterior, and often the interior, of the car in the name of safety and interactivity.[1] Some cameras only help with parking; many, however, go much further than that.[2] For instance, Tesla’s exterior cameras surveil the outside of the car in Sentry mode, on the lookout for vandals or collisions, and the interior cabin cameras are known to record on impact and to monitor for attentiveness while using supervised features.[3] The theory is that these cameras help protect against damage, theft, and unsupervised use.[4] While these are laudable goals, the theoretical intention and the opt-in model of data sharing aren’t enough to escape state voyeurism laws in states like Maine.[5] In Maine, a person is guilty of violation of privacy if that person intentionally installs or uses in a “private place without the consent of the person or persons entitled to privacy in that place, any device for observing, photographing, recording, amplifying or broadcasting sounds or events in that place.”[6] When these vehicles, or those equipped with after-market dashcams, are parked in private garages, or used for private purposes in such a way that activity in them would normally be private, the recording conflicts with a person’s reasonable expectations of privacy, and with this criminal statute. An opt-in from the driver is not sufficient to allow the vehicle to breach the privacy of others under the law, and even if the driver sought to obtain consent from every passenger or passerby, some people are not able to give legal consent. Despite the impossibility, car makers like Tesla include disclaimers that “[i]t is your sole responsibility to consult and comply with all local regulations and property restrictions regarding the use of cameras.”[7] So when a child is changing at the back of the car using towels or a Car Cabana to provide privacy, who’s watching, how do we know, and who does the law protect?[8]

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

Joe Jambor

 

Abstract

The Change Healthcare breach in February 2024 exposed the protected health information of 190 million individuals and cost UnitedHealth Group nearly $3 billion. The breach occurred because two-factor authentication was turned off on a single portal, but was ultimately destructive because once the intruder was inside the system, there was little that could be done to stop them. This Article argues that cybersecurity insurers are uniquely positioned to prevent breaches like this one by driving adoption of Zero Trust Architecture (ZTA), the “never trust, always verify” framework codified in NIST Special Publication 800-207, by requiring its implementation as a condition of coverage. Despite its proven success rate, full ZTA adoption remains critically low, with only ten percent of large enterprises projected to reach a mature Zero Trust posture by the end of this year, as cost, institutional resistance, and legacy technology continue to impede progress. Market incentives alone have failed to move the needle. Drawing on four intersecting bodies of law (the contractual doctrine of conditions precedent in insurance agreements, federal sectoral cybersecurity regulatory frameworks including the FTC Safeguards Rule and HIPAA’s Security Rule, the state insurance regulatory architecture under the McCarran-Ferguson Act, and the rapidly evolving common law standard of reasonable cybersecurity), this Article establishes that insurer-mandated ZTA requirements are legally permissible, practically achievable through a phased implementation framework tailored to enterprises of all sizes, and essential to stabilizing the cyber insurance market while reducing legal liability for insureds.

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors

John Blegen

 

Introduction

In March of 2026, FBI Director Kash Patel, while speaking before the House Permanent Select Committee on Intelligence, made a brazen admission. When asked by Ron Wyden, a Democratic senator from Oregon, whether the FBI purchases cell phone location data from internet advertisers, Patel replied:

“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

Ron Wyden replied that if true, this practice by the FBI would constitute “an outrageous end run around the Fourth Amendment [that is] particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”[1]

This FBI practice is not just an “outrageous end run around the Fourth Amendment,” but an outright violation of Americans’ Fourth Amendment right to privacy against unwarranted government surveillance.

In Carpenter, the Supreme Court held that it is illegal for the government to access cell phone location data information without a warrant.[2] Carpenter mentions no exception to this rule for information that has been purchased from wireless carriers or data brokers. It is not the property rights wireless carriers possess over this information that the Fourth Amendment protects; it is the right to privacy against unchecked government surveillance as ensured by the Constitution.

Patel’s argument would be the same as saying that the government is free to pay a private thug to break into a suspect’s apartment and acquire his wardrobe, or his private collection of firearms, or his diary, or any other piece of evidence without a warrant, so long as they do not do so themselves. It is a brazen admission of the FBI’s intent to not follow the Constitution.[3]

What allows Patel to be brazen enough to make such a statement is the fact that there currently exists no legal mechanism by which the public can validate their right to privacy against government surveillance. This is the case due to decades of congressional lethargy on the issue of data and tech surveillance, as well as the Federal Trade Commission’s refusal to enforce what few data protection laws do exist.[4]

It is also the result of years of the Supreme Court hollowing out plaintiffs’ ability to bring lawsuits against the federal government for violations of the Constitution.[5] Such civil suits may be brought pursuant to 42 U.S.C. § 1983, which allows suits against states for actions taken in violation of individuals’ federal rights, and Bivens actions, which are the equivalent of a 1983 lawsuit against the federal government.

This paper contends that 1983 actions could provide a fruitful method for individuals to validate their right to privacy and push privacy forward against government surveillance, as well as third-party surveillance conducted by AI-surveillance companies like Palantir, which synthesizes mass amounts of data from across various sources into one “fusion” profile, and Clearview AI, which provides facial recognition software to law enforcement agencies, both at the state and federal level.

As I will explain below, Section 1983 is an effective tool to limit both these private companies and the government because precedent has held that government contractors may also be subject to a Section 1983 lawsuit when they are performing government functions.

This paper also examines Bivens actions, with the caveat that Bivens law has been deeply neutered by Supreme Court precedent, making it effectively impossible to bring a lawsuit against the federal government for violation of federal rights, even though 1983 allows the same to be done against the states – as implausible as that sounds.

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

Michael Moran

 

With the upcoming sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA), congressional debate weighing national security and surveillance capabilities against civil liberties has returned, emerging around the capital like cicadas with increasing volume and urgency.[1] Amidst increasingly ubiquitous surveillance applied both at home and abroad, the “data broker loophole” has attracted particular scrutiny from lawmakers and privacy advocates.[2] This loophole allows law enforcement and intelligence agencies to circumvent a warrant requirement by purchasing commercially available personal data. At a time of heightened state surveillance capability and documented governmental data aggregation,[3] introducing elements of Salomé Viljoen’s relational theory of data governance could constructively restructure this debate, weighing public safety needs against the collective harm of surveillance programs.

Current debates around FISA are still rooted in historical comparisons of public safety against individual data rights, but reframing that debate to consider these rights collectively may lead to a more durable solution.[4] Viljoen’s framework for data governance calls for a population-level lens of surveillance harm, and democratic mechanisms to evaluate privacy and data rights and uses in a more inclusive and responsive manner.[5] Reforms to increase transparency and advocacy in the Foreign Intelligence Surveillance Court (FISC), alongside the introduction of a data-governance entity, either standalone or within the FTC, could facilitate societal conversations around surveillance, rebuild public trust, and avoid the high-stakes, all-or-nothing reauthorization cycles we face today.

In this article, I first define the data broker loophole in the context of FISA reauthorization and then outline the fundamentals of Viljoen’s relational theory of data governance. Next, I address why focusing on closing data pipelines or data broker loopholes is insufficient alone, without accompanying reforms that incorporate relational data governance. I then briefly propose some institutional reforms to incorporate democratic mechanisms into existing foreign surveillance oversight.

Challenges with Adopting Blockchain Technology in the Wine Industry

Amanda Violette

 

I. Introduction

A bottle of wine encapsulates a complex narrative shaped by geography, craftsmanship, logistics, and market dynamics, and, more recently, climate change.[1] Traditionally, much of this narrative has remained opaque, especially to American consumers.[2] While French wines have been highly regulated since the early 20th century with the intent of preventing fraudulent products from damaging the wine industry, American wines became regulated by the Alcohol and Tobacco Tax and Trade Bureau (TTB) later using American Viticultural Area regulation to provide warnings about the dangers of alcohol on the label.[3] However, now, with American wines, only information about the grape origin is required, leaving the consumer to question whether the wine lived up to its intended character and authenticity.[4]

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

Caroline Aiello

 

I. Introduction

Nearly every modern privacy law restricts or seeks to limit how much data companies can collect and how they can process that data. Collectively, these provisions are known as data minimization standards. A foundational feature of privacy law, the concept of data minimization dates back to the earliest guidance and drafting of privacy laws. Widely considered a pivotal segment of a law, determining its effectiveness and severity, these provisions are hotly contested by industry leaders and consumer advocates throughout the legislative process.

For all the attention devoted to crafting an effective data minimization standard, legislators have overlooked a fundamental lesson from constitutional law: vague standards without concrete rules and meaningful remedies do not protect rights. The Fourth Amendment’s journey from an ineffective guarantee to an enforceable constitutional protection illustrates this principle. For over a decade after the 1949 holding in Wolf v. Colorado, the Supreme Court acknowledged the application of a prohibition on unreasonable searches and seizures to the states but declined to impose the exclusionary rule as a remedy.[1] During that period, the Court assumed that alternative mechanisms like tort suits and disciplinary actions would deter misconduct. Justice Murphy warned in his dissent in Wolf that such alternatives were “deceptive,” and that alternatives to exclusion were effectively no remedy at all.[2]

This Article argues that federal data privacy legislation must learn from the Fourth Amendment’s institutional history. A federal privacy law’s data minimization standard should not merely set vague standards and hope that disclosure requirements, consent mechanisms, and scattered enforcement actions will protect consumer privacy. Instead, Congress should establish specific, substantive data minimization requirements that enumerate prohibited uses of personal data, backed by federal enforcement authority and meaningful penalties that create genuine deterrence. Just as the exclusionary rule transformed the Fourth Amendment from an aspirational principle into an enforceable right, federal substantive standards with robust remedies can transform data minimization from a theoretical protection into a practical safeguard.

This Article proceeds in five parts. Part II introduces data minimization, explaining the mechanical components of the law and what business practices they regulate. Part III analyzes and introduces current data minimization laws and enforcement actions both in the United States and internationally. Part IV examines the Wolf v. Colorado to Mapp v. Ohio progression, detailing how the Supreme Court’s twelve-year experiment with state-level Fourth Amendment enforcement failed and why federalization of the exclusionary rule ultimately proved necessary. Part V makes the affirmative case for federal substantive data minimization standards, proposing specific prohibited uses rather than reliance on interpretation of a reasonableness principle, and arguing for enforcement mechanisms that go beyond nominal accountability. Part VI addresses counterarguments, including concerns about business flexibility and innovation. The Article concludes by explaining how Congress can avoid repeating constitutional history’s mistakes and instead create a federal privacy framework that makes data minimization rights real rather than rhetorical.

“Segregate-and-Suppress:” A Solution in Search of a Solution

Viv Daniel

 

I. Introduction

The following paper is an analysis of Eric Goldman’s 2025 article published in the Stanford Technology Law Review, The “Segregate-and-Suppress” Approach to Regulating Child Safety Online.[1] Goldman’s article identifies an emerging legislative trend meant to protect children online, which he terms “segregate-and-suppress,” and argues that this legislative strategy is misguided because it damages privacy online, it is detrimental to the online information ecosystem, and it hurts many of the very children it was designed to protect. A segregate-and-suppress law is a law targeting publishers of content and information via websites and/or apps, which requires a publisher to distinguish between users on the basis of age, and to limit access to content for users deemed to be minors.[2]

This paper will begin by describing the problem that segregate-and-suppress was created to solve, to give context to the creation and implementation of these laws. Next, it will provide examples of the kinds of laws which fall under Goldman’s scrutiny and describe Goldman’s critiques of segregate-and-suppress and his alternative suggestions to it. Finally, this paper will evaluate the strength of Goldman’s arguments and proposed alternate solutions. This paper posits that, while Goldman’s argument is valuable to an honest debate of the topic, it would be strengthened by acknowledging the extent of the problem segregate-and-suppress is meant to solve, and by giving more consideration to the breadth of compromise-driven solutions available to alleviate threats to children’s safety online.

No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing

Emily Fowler

 

In the United States, cases brought regarding privacy violations are being dismissed early in the litigation process because U.S. law remains tied to historical analysis of injuries, whereas other legal systems around the world are taking a more forward-thinking approach to these issues. Trends in recent cases show that claims for privacy violations, such as the capture of individual interactions with websites through session-replay technology, are being dismissed for lack of standing.[1] Article III standing is a concept based in Constitutional Law. Under Article III, federal courts’ authority is limited so that they may only hear “Cases” and “Controversies”.[2] To bring a case or controversy before a federal court, plaintiffs must have standing (a “personal stake” in the case).[3] Three elements must be met to have standing: (1) there is “an ‘injury in fact’ that is both ‘concrete and particularized’ and ‘actual or imminent’”; (2) “the injury is ‘fairly traceable’ to the challenged conduct”; and (3) the injury likely “‘will be redressed by a favorable decision.’”[4]

When Design Becomes Harmful: Why Social Media Addiction Harms Trials Could Have Lasting Impacts on Privacy Harm Remediation

Alex Logan

 

I. Introduction

In late January 2026, a landmark trial kicked off in California via a proceeding led by an unnamed plaintiff, “K.G.M.” The plaintiff alleges that social media companies/platforms such as TikTok, Snapchat, YouTube, and Meta have intentionally designed platforms so as to addict children and keep them hooked on said platforms through mindless scrolling, auto-play features, other engagement techniques, and suggested or tailored content specific to their individual behaviors.[1] This is just one of several similar lawsuits which are all making their way through the courts.[2] The plaintiffs allege that the addictive design of these platforms has led to long-term mental health issues, such as depression, anxiety, tendencies toward self-harm, and even suicidal thoughts and actions.[3] The social media companies are relying heavily on Section 230 protections and publisher immunity in their defense.[4] These cases collectively could be a major step toward remediating more conceptual harms that plaintiffs have long struggled to prove in similar cases due in large part to Section 230 of the Communications Decency Act.[5] Successful plaintiff outcomes in these cases could potentially help pave the way for corporate accountability when addressing similarly squishy or conceptual privacy harms through resulting reconceptualization and generation of harm.

AI, a Watchful Eye: The Less than Stellar Performance of AI Security and the Consequences Thereof

James Hotham

 

The use and abuse of widespread camera surveillance is not a novel fear. For decades, media has explored this concept. However, a new threat has arisen in a new form. It has not taken the form of an oppressive government, a terrorist group, or a supreme artificial intelligence. Rather, it comes from private party security providers. Several security providers have begun to work AI into their security cameras for the use of threat detection.[1] However, the success of these threat detection models is dubious. Just this year in late October, one of these systems, placed in a Baltimore school, detected an individual carrying a firearm.[2] Police arrived and identified the suspect as sixteen-year-old Taki Allen.[3] However, after the police drew their weapons and handcuffed young Allen, they discovered the “firearm” was actually just an empty bag of Doritos.[4]

Despite the fact that AI technology of this level of sophistication is relatively new, it has sprouted into a multimillion-dollar industry in just a few years. But despite years of development, mishaps like these still occur. This article will explore how these systems work, why they malfunction, ways consumers can avoid these malfunctions, and potential liability for when they malfunction.
