Can Vehicles be Criminal Voyeurs?

Rebecca Hatt

New vehicles come equipped with cameras and microphones that surveil the exterior, and often the interior, of the car in the name of safety and interactivity.[1] Some cameras only help with parking; however, many go much further than that.[2] For instance, Tesla’s exterior cameras surveil the outside of the car in Sentry mode, on the lookout for vandals or collisions, and the interior cabin cameras are known to record on impact and to monitor for attentiveness while using supervised features.[3] The theory is that these cameras help protect against damage, theft, and unsupervised use.[4] While these are laudable goals, the theoretical intention and the opt-in model of data sharing aren’t enough to escape state voyeurism laws in states like Maine.[5] In Maine, a person is guilty of violation of privacy if that person intentionally installs or uses in a “private place without the consent of the person or persons entitled to privacy in that place, any device for observing, photographing, recording, amplifying or broadcasting sounds or events in that place.”[6] When these vehicles, or those equipped with after-market dashcams, are parked in private garages, or used for private purposes in such a way that activity in them would normally be private, the recording conflicts with a person’s reasonable expectations of privacy, and with this criminal statute. An opt-in from the driver is not sufficient to allow the vehicle to breach the privacy of others under the law, and even if the driver sought to obtain consent from every passenger or passerby, some people are not able to give legal consent. Despite the impossibility, car makers like Tesla include disclaimers that “[i]t is your sole responsibility to consult and comply with all local regulations and property restrictions regarding the use of cameras.”[7] So when a child is changing at the back of the car using towels or a Car Cabana to provide privacy, who’s watching, how do we know, and who does the law protect?[8]

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

Joe Jambor

Abstract

The Change Healthcare breach in February 2024 exposed the protected health information of 190 million individuals and cost UnitedHealth Group nearly $3 billion. The breach occurred because two-factor authentication was turned off on a single portal, but was ultimately destructive because once the intruder was inside the system, there was little that could be done to stop them. This Article argues that cybersecurity insurers are uniquely positioned to prevent breaches like this one by making implementation of Zero Trust Architecture (ZTA), the “never trust, always verify” framework codified in NIST Special Publication 800-207, a condition of coverage, thereby driving its adoption. Despite its proven success rate, full ZTA adoption remains critically low, with only ten percent of large enterprises projected to reach a mature Zero Trust posture by the end of this year, as cost, institutional resistance, and legacy technology continue to impede progress. Market incentives alone have failed to move the needle. Drawing on four intersecting bodies of law (the contractual doctrine of conditions precedent in insurance agreements; federal sectoral cybersecurity regulatory frameworks including the FTC Safeguards Rule and HIPAA’s Security Rule; the state insurance regulatory architecture under the McCarran-Ferguson Act; and the rapidly evolving common law standard of reasonable cybersecurity), this Article establishes that insurer-mandated ZTA requirements are legally permissible, practically achievable through a phased implementation framework tailored to enterprises of all sizes, and essential to stabilizing the cyber insurance market while reducing legal liability for insureds.

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors

John Blegen

Introduction

In March of 2026, FBI Director Kash Patel, while speaking before the House Permanent Select Committee on Intelligence, made a brazen admission. When asked by Ron Wyden, a Democratic senator from Oregon, whether the FBI purchases cell phone location data from internet advertisers, Patel replied:

“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

Ron Wyden replied that if true, this practice by the FBI would constitute “an outrageous end run around the Fourth Amendment [that is] particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”[1]

This FBI practice is not just an “outrageous end run around the Fourth Amendment,” but an outright violation of Americans’ Fourth Amendment right to privacy against unwarranted government surveillance.

In Carpenter, the Supreme Court held that it is illegal for the government to access cell phone location data without a warrant.[2] Carpenter mentions no exception to this rule for information that has been purchased from wireless carriers or data brokers. It is not the property rights wireless carriers possess over this information that the Fourth Amendment protects; it is the right to privacy against unchecked government surveillance as ensured by the Constitution.

Patel’s argument would be the same as saying that the government is free to pay a private thug to break into a suspect’s apartment and acquire his wardrobe, or his private collection of firearms, or his diary, or any other piece of evidence without a warrant, so long as they do not do so themselves. It is a brazen admission of the FBI’s intent to not follow the Constitution.[3]

What allows Patel to be brazen enough to make such a statement is the fact that there currently exists no legal mechanism by which the public can validate their right to privacy against government surveillance. This is the case due to decades of congressional lethargy on the issue of data and tech surveillance, as well as the Federal Trade Commission’s refusal to enforce what few data protection laws do exist.[4]

It is also the result of years of the Supreme Court hollowing out plaintiffs’ ability to bring lawsuits against the federal government for violations of the Constitution.[5] Such civil suits may be brought pursuant to 42 U.S.C. § 1983, which allows suits against states for actions taken in violation of individuals’ federal rights, and Bivens actions, which are the equivalent of a 1983 lawsuit against the federal government.

This paper contends that 1983 actions could provide a fruitful method for individuals to validate their right to privacy and push privacy forward against government surveillance, as well as third-party surveillance conducted by AI-surveillance companies like Palantir, which synthesizes mass amounts of data from across various sources into one “fusion” profile, and Clearview AI, which provides facial recognition software to law enforcement agencies, both at the state and federal level.

As I will explain below, Section 1983 is an effective tool to limit both these private companies and the government because precedent has held that government contractors may also be subject to a Section 1983 lawsuit when they are performing government functions.

This paper also examines Bivens actions, with the caveat that Bivens law has been deeply neutered by Supreme Court precedent, making it effectively impossible to bring a lawsuit against the federal government for violation of federal rights, even though 1983 allows the same to be done against the states – as implausible as that sounds.

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

Michael Moran

With the upcoming sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA), congressional debate weighing national security and surveillance capabilities against civil liberties has returned, emerging around the capital like cicadas with increasing volume and urgency.[1] Amidst increasingly ubiquitous surveillance applied both at home and abroad, the “data broker loophole” has attracted particular scrutiny from lawmakers and privacy advocates.[2] This loophole allows law enforcement and intelligence agencies to circumvent a warrant requirement by purchasing commercially available personal data. At a time of heightened state surveillance capability and documented governmental data aggregation[3], introducing elements of Salomé Viljoen’s relational theory of data governance could constructively restructure this debate, weighing public safety needs against the collective harm of surveillance programs.

Current debates around FISA are still rooted in historical comparisons of public safety against individual data rights, but reframing that debate to consider these rights collectively may lead to a more durable solution.[4] Viljoen’s framework for data governance calls for a population-level lens of surveillance harm, and democratic mechanisms to evaluate privacy and data rights and uses in a more inclusive and responsive manner.[5] Reforms to increase transparency and advocacy in the Foreign Intelligence Surveillance Court (FISC), alongside the introduction of a data-governance entity, standalone or within the FTC, could facilitate societal conversations around surveillance, rebuild public trust, and avoid the high-stakes, all-or-nothing reauthorization cycles we face today.

In this article, I first define the data broker loophole in the context of FISA reauthorization and then outline the fundamentals of Viljoen’s relational theory of data governance. Next, I address why focusing on closing data pipelines or data broker loopholes is insufficient alone, without accompanying reforms that incorporate relational data governance. I then briefly propose some institutional reforms to incorporate democratic mechanisms into existing foreign surveillance oversight.

Challenges with Adopting Blockchain Technology in the Wine Industry

Amanda Violette

I. Introduction

A bottle of wine encapsulates a complex narrative shaped by geography, craftsmanship, logistics, and market dynamics, and, more recently, climate change.[1] Traditionally, much of this narrative has remained opaque, especially to American consumers.[2] While French wines have been highly regulated since the early 20th century with the intent of preventing fraudulent products from damaging the wine industry, American wines became regulated by the Alcohol and Tobacco Tax and Trade Bureau (TTB) later using American Viticultural Area regulation to provide warnings about the dangers of alcohol on the label.[3] However, now, with American wines, only information about the grape origin is required, leaving the consumer to question whether the wine lived up to its intended character and authenticity.[4]

No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing

Emily Fowler

In the United States, cases brought regarding privacy violations are being dismissed early in the litigation process because U.S. law remains tied to historical analysis of injuries, whereas other legal systems around the world are taking a more forward-thinking approach to these issues. Trends in recent cases show that claims for privacy violations, such as the capture of individual interactions with websites through session-replay technology, are being dismissed for lack of standing.[1] Article III standing is a concept based in constitutional law. Under Article III, federal courts’ authority is limited so that they may only hear “Cases” and “Controversies.”[2] To bring a case or controversy before a federal court, plaintiffs must have standing (a “personal stake” in the case).[3] Three elements must be met to have standing: (1) there is “an ‘injury in fact’ that is both ‘concrete and particularized’ and ‘actual or imminent’”; (2) “the injury is ‘fairly traceable’ to the challenged conduct”; and (3) the injury likely “‘will be redressed by a favorable decision.’”[4]

When Design Becomes Harmful: Why Social Media Addiction Harms Trials Could Have Lasting Impacts on Privacy Harm Remediation

Alex Logan

I. Introduction

In late January 2026, a landmark trial kicked off in California via a proceeding led by an unnamed plaintiff, “K.G.M.” The plaintiff alleges that social media companies/platforms such as TikTok, Snapchat, YouTube, and Meta have intentionally designed platforms so as to addict children and keep them hooked on said platforms through mindless scrolling, auto-play features, other engagement techniques, and suggested or tailored content specific to their individual behaviors.[1] This is just one of several similar lawsuits which are all making their way through the courts.[2] The plaintiffs allege that the addictive design of these platforms has led to long-term mental health issues, such as depression, anxiety, tendencies toward self-harm, and even suicidal thoughts and actions.[3] The social media companies are relying heavily on Section 230 protections and publisher immunity in their defense.[4] These cases collectively could be a major step toward remediating more conceptual harms that plaintiffs have long struggled to prove in similar cases due in large part to Section 230 of the Communications Decency Act.[5] Successful plaintiff outcomes in these cases could potentially help pave the way for corporate accountability when addressing similarly squishy or conceptual privacy harms through resulting reconceptualization and generation of harm.

AI, a Watchful Eye: The Less than Stellar Performance of AI Security and the Consequences Thereof

James Hotham

The use and abuse of widespread camera surveillance is not a novel fear. For decades, media has explored this concept. However, a new threat has arisen in a new form. It has not taken the form of an oppressive government, a terrorist group, or a supreme artificial intelligence. Rather, it comes from private party security providers. Several security providers have begun to work AI into their security cameras for the use of threat detection.[1] However, the success of these threat detection models is dubious. Just this year in late October, one of these systems, placed in a Baltimore school, detected an individual carrying a firearm.[2] Police arrived and identified the suspect as sixteen-year-old Taki Allen.[3] However, after the police drew their weapons and handcuffed young Allen, they discovered the “firearm” was actually just an empty bag of Doritos.[4]

Despite the fact that AI technology of this level of sophistication is relatively new, it has sprouted into a multimillion-dollar industry in just a few years. But despite years of development, mishaps like these still occur. This article will explore how these systems work, why they malfunction, ways consumers can avoid these malfunctions, and potential liability for when they malfunction.

The Collapse of Capability Theory: Ambriz, Popa, and the Future of Article III Standing in AI Privacy Cases

Caroline Aiello

Introduction

In February 2025, the Northern District of California denied Google’s motion to dismiss in a class action lawsuit that claimed Google’s artificial intelligence (“AI”) tools violated the California Invasion of Privacy Act (“CIPA”) by transcribing phone calls of users.[1] The court in this case, Ambriz v. Google, ruled that Google’s technical “capability” to use customer call data to train its AI models was enough to state a claim under California’s Invasion of Privacy Act, regardless of whether or not Google actually exploited that data.[2] Six months later, the Ninth Circuit took the opposite approach. The later ruling in Popa v. Microsoft held that routine website tracking did not constitute actual harm and the claims were dismissed for lack of Article III standing before reaching the merits.[3]

These two decisions present privacy law with incompatible standards. Ambriz asks what a technology could do with personal data and finds liability in that potential. Popa demands proof of what a technology actually did and requires concrete injury beyond the action itself. The collision between the two theories is inevitable. When a plaintiff sues an AI company under Ambriz’s capability theory, alleging that the defendant’s system has the technical ability to misuse data, and the defendant responds with a Popa-based standing challenge, the courts will face an impossible choice. The capability to cause harm is not the same as harm itself, and if capability cannot satisfy Article III’s concrete injury requirement, then Ambriz’s approach becomes constitutionally unenforceable in federal court. While Popa has not technically overruled Ambriz, the Ninth Circuit will inevitably need to choose which standard to adopt. 

“Don’t Reinvent the Wheel, Just Realign It.”[1] How Lessons from the Belmont Report Can Help Govern the Use of AI in Research

Steven Hammerton

Background

Artificial intelligence (AI) is becoming increasingly integrated into many areas of life, including research. However, legislation and regulation lag. Years into the widespread adoption of AI, the United States is still without meaningful guardrails to address the ethical quandaries that stem from the use of AI. Until there is comprehensive legislation, the burden of ensuring ethical training, development, and usage of AI will be on the developers, deployers, and users of AI, such as researchers and research participants. This article will explore three different ethical issues associated with AI and how principles from the Belmont Report can guide researchers and other users of AI in their pursuit of ethical AI.
