The StarLink Scandal and Biofuels: Recommendations for Amendments to the EPA’s Giant Reed and Napier Grass Ruling

By Kaitlin C. Straker, A. Bryan Endres, Elise C. Scott, & Alison Gomer

I. Introduction

The risks and benefits of emerging biology-based technology have engendered significant debate, particularly regarding the scope of the Environmental Protection Agency’s (EPA) biotechnology-related regulations.[1] Critics charge that federal regulation of biotechnology has been minimal and influenced by industry at the expense of precautionary environmental and health protection.[2] They warn that previous negative experiences with pesticides concerning harmful effects on human safety and the environment should caution regulators against allowing unfettered development and marketing of novel technologies.[3]

Moreover, the EPA’s patchwork and ad hoc regulatory approach[4] lacks clarity and consistency which fuels the debate and can have costly consequences.[5] For example, the EPA’s regulatory oversight of biotechnology, specifically pesticides incorporated through genetic engineering of seeds, relied on a novel interpretation of the Federal Insecticide, Fungicide, Rodenticide Act (FIFRA)[6]—an act passed a decade[7] before the invention of genetic engineering[8] and intended to regulate application of pesticides. The EPA’s regulation of feedstocks intended for biofuels involves a similar twisting of regulatory authority under the Clean Air Act.[9] The EPA’s new regulations under the Clean Air Act require the agency to carry out Weed Risk Assessments (WRAs), an area normally left to the USDA and its Animal and Plant Health Inspection Service (APHIS)[10] under the Plant Protection Act.[11]

This Article examines the EPA’s role in bioenergy regulation, and the agency’s past attempts to control genetically engineered plants. Part II of this Article discusses the Clean Air Act’s authority over plants intended for bioenergy. Part III of this Article reviews the history of the EPA’s regulation of genetically engineered corn, and Part IV of this Article recommends a regulatory innovation based on the lessons learned.

II. Bioenergy Feedstock Regulation

The Renewable Fuel Standard (RFS),[12] part of the Energy Independence and Security Act,[13] directed the EPA to develop and implement regulations to increase biofuel use through a series of escalating mandates.[14] From a compliance perspective, fuel retailers must blend in certain percentages of biofuels to achieve the overall RFS mandate.[15] Renewable Identification Numbers (RINs) associated with biofuel production ensure a reduction in life-cycle greenhouse gas (GHG) emissions associated with the feedstock’s production and processing.[16] The EPA evaluates each potential bioenergy feedstock as part of this GHG calculation.[17] Feedstock pathways meeting the required GHG reduction will qualify for RINs and thus blending to meet the RFS mandates.[18]

In 2012, Chemtex Group and BP Biofuels North America petitioned the EPA[19] to approve Arundo donax (giant reed)[20] and Pennisetum purpureum (napier grass),[21] and though initially approved,[22] the EPA later rescinded its decision[23] based, in part, on public concern related to the potential for these crops to escape cultivation and become invasive.[24] In July 2013, the EPA finalized a revised rule that approved the biofuel pathways for napier grass and giant reed.[25] This revised ruling imposes a unique requirement on fuel producers to ensure the feedstocks used to generate biofuels do not become invasive outside of cultivation.[26] The rationale behind this Clean Air Act requirement is that additional GHG emissions would result from eradication activities in the event of an invasion.[27] The EPA’s ruling also poses a regulatory challenge to fuel producers, who are responsible for feedstock production practices instead of the feedstock grower—the party actually implementing those practices.

Specifically, the agency requires fuel producers, not growers, utilizing napier grass or giant reed to submit a Risk Mitigation Plan (RMP) that specifies invasion prevention procedures and record-keeping.[28] Essential documents in a RMP include the agreements with the feedstock growers and other intermediaries involved in harvest, transport, or storage of the biomass.[29] Incorporated within these agreements should be the assignment of rights, duties, and liability associated with the RMP or potential spread of the feedstock.[30] In addition to submitting copies to the EPA, the agency requires a third party auditor to monitor compliance.[31]

Researchers note that because this rule requires a close, communicative relationship between the biomass grower and fuel producer prior to the sale of biomass for conversion to biofuel, the EPA is oversimplifying the agricultural supply chain.[32] The agency assumes a direct relationship between the feedstock grower and ultimate fuel producer. It is difficult, however, even in this initial stage of industry development to trace feedstocks on a producer-by-producer basis, and as this industry expands into a commodity-based supply chain, traceability will be increasingly difficult. Moreover, the rule, as written, could eventually keep farmers without a pre-existing relationship with a fuel producer out of the bioeconomy.[33]

III. Previous Biotechnology Regulation: Bt Corn Example

Under FIFRA,[34] the Federal Food, Drug, and Cosmetic Act (FFDCA),[35] and the Toxic Substance Control Act (TSCA),[36] the EPA obtained authority to regulate pesticides and ensure a given pesticide would not produce negative consequences for the environment, human safety, or non-target species.[37] With the invention of genetically engineered plants containing pesticide activity, the Presidential-level working group charged with determining the regulatory policy for biotechnology concluded the existing laws were adequate to meet the needs of new biotechnology inventions.[38] Accordingly, the EPA’s responsibility for regulating pesticides expanded to include regulating genetically modified crops containing pesticide activity through a reinterpretation of its FIFRA authority.[39]

Starting in the mid-1990s, the EPA began approving genetically engineered Bt corn[40] as a plant pesticide[41] (now referred to as plant incorporated protectants).[42] In 1998, the EPA registered a particular variety of Bt corn, StarLink,[43] for industrial uses and animal feed.[44] The EPA amended StarLink’s registration several times, and in 2000, the EPA added conditions, which imposed unique requirements on seed manufacturers to help prevent commingling with other corn varieties intended for human consumption.[45] Specifically, seed manufacturers were tasked with ensuring that corn grown within 660 feet of StarLink could not be used for human consumption and required the creation of grower agreements negotiated between the seed manufacturer and the farmer, which mandated a twenty percent refuge[46] of non-Bt corn be planted to prevent insect resistance.[47]

During this time, concern regarding under-regulation of novel genetically engineered crops led the organization Genetically Engineered Food Alert[48] to test foods for the presence of foreign DNA, and in September 2000, the group discovered taco shells that contained StarLink corn.[49] The discovery led to a flurry of negative media coverage, and Aventis, StarLink’s manufacturer, voluntarily requested a revocation of its pesticide registration for StarLink to prevent further sales and scandal.[50] As an additional mitigation strategy, Aventis developed the StarLink Enhanced Stewardship (SES) Program to prevent further contamination; the program provided a twenty-five cent per bushel incentive for growers to allow StarLink and corn grown within the 660 foot buffer to be handled through the program, a separate five to ten cent per bushel payment for non-StarLink corn accidently mixed with StarLink, and free DNA testing kits to growers and grain elevators.[51] Aventis paid out a reported $130 million through the SES program by 2004.[52] Despite the SES program, Aventis faced litigation.[53] Non-StarLink corn farmers brought a class action suit against Aventis for the consumer backlash against the corn market, which the company eventually settled for $110 million plus interest.[54] Consumers of the commingled corn who claimed they suffered an allergic reaction from the consumption of StarLink also brought a suit against Aventis that settled for a reported $9 million.[55]

Following the StarLink incident, when the EPA extended registrations for non-StarLink variety Bt corn in October 2001, they included additional requirements for the Bt corn seed manufacturers.[56] The revised registration rules require seed manufacturers to:

  • prepare and induce seed users to sign grower agreements which contractually bind growers to plant the proper refuge;
  • create and execute educational programs for growers about refuges and insect resistance;
  • create a remedial action plan to implement if resistance is discovered;
  • hire an independent third party to survey and measure the degree of compliance by growers;[57] and
  • submit annual reports to the EPA on grower agreements, sales, compliance, and education.[58]

Although the EPA’s prior requirements included grower agreements,[59] after the StarLink incident, the public and the EPA realized additional post-approval monitoring and requirements were required to ensure comprehensive information was given to and carried out by growers.[60]

Although some critics may see the current EPA rule as overbroad stating that the risk of the species becoming invasive is minimal, the overall industry response to the approval of giant reed and napier grass was positive as Chemtex in particular was pleased to move forward with their plan to build a refinery for giant reed in North Carolina.[61] In the interest of avoiding a similar economic and reputation scandal as StarLink, the biotech industry’s response to the increased requirements following StarLink was neutral, and instead the focus was on farmer compliance.[62] Likewise, the suggested amendments define the scope of the RMP more fully and thus help to limit industry liability.

IV. Recommendations

Although the StarLink episode created an opportunity for government agencies to gain more control over biotechnology, an area formerly controlled largely by industry,[63] the EPA’s rule approving napier grass and giant reed fuel pathways does not employ such strict regulation. Similar to the initial Bt corn requirements,[64] the EPA’s rule approving napier grass and giant reed does not include adequate post-approval monitoring for compliance and education.[65] The EPA explicitly states that the fuel producer is expected to exercise a “level of responsibility for and oversight of the feedstock production, harvest, transport and storage that may not normally exist in a buy-sell contract for agricultural products[,]”[66] yet it fails to require educational programs to ensure growers understand their responsibilities, much like the pre-StarLink scandal regulations. Further, comparable to the initial Bt corn regulations, although the EPA requires a copy of the agreement between the fuel producer and grower regarding the RMP and invasion liability,[67] this does not ensure that the grower understands his or her responsibilities or how to implement best management practices.

An economic and reputational incident comparable to StarLink would be damaging to this nascent bioenergy industry. Amending the EPA’s Arundo ruling provides the agency and biofuel industry an opportunity to avoid a possible scandal. The EPA should issue an amended rule that is modeled after post-StarLink Biopesticide Registration Action Documents.[68] Specifically, the rule could require fuel producers to:

  • prepare and obtain feedstock growers’ signatures to contractually bind growers to implement specific best management practices;
  • create and execute educational programs for growers regarding invasive species and preventing invasion;
  • create an explicit remedial action plan to implement if invasion is detected;
  • hire an independent third party auditor to assess compliance by growers, via both surveys and on-farm assessments (in addition to the auditor the EPA already requires to examine the fuel producers compliance); and
  • submit annual reports to the EPA on agreements, compliance, and education.

Although the EPA’s current mechanism for regulating feedstock production requires a relationship between the fuel producer and grower that predates the sale of biomass,[69] a more specific and robust rule could inform growers’ actions before they enter into a relationship with a fuel producer and provide better instruction on avoiding an invasion. Additionally, it would allow tenant farmers to include the specific terms required by the EPA in their leases to demonstrate compliance and facilitate later sales of napier grass or giant reed to a fuel producer.[70] There is also a need to consider improved regulatory regimes based on existing noxious weed/plant pest authorities and common law tort theories to protect the environment in the absence of a relationship with fuel producers seeking RFS certification.[71] For example, growers of giant reed or napier grass that fail to satisfy the precautionary measures required for the RFS could re-direct their feedstocks to the electric power industry that needs substantial quantities of biomass to satisfy state renewable portfolio standards.

V. Conclusion

Biotechnology, including bioenergy, as an emerging medium and market, requires improved, comprehensive regulation to maintain a place in the U.S. and world economies. Bt corn regulation and the StarLink scandal demonstrate the importance of well-defined requirements and provide a potential framework for amending the current EPA approval of napier grass and giant reed. Such amendments will assist the EPA in avoiding a similar scandal due to a patchwork regulatory scheme and instead promote more comprehensive and effective regulations.


[1] A. Bryan Endres, “GMO:” Genetically Modified Organism or Gigantic Monetary Obligation? The Liability Schemes for GMO Damage in the United States and European Union, 22 Loy. L.A. Int’l & Comp. L. Rev. 453, 480 (2000).

[2] A. Bryan Endres, An Evolutionary Approach to Agricultural Biotechnology: Litigation Challenges to the Regulatory and Common Law Regimes for Genetically Engineered Plants, 4 Ne. U. L.J. 59, 70 (2012); Aseem Prakash & Kelly L. Kollman, Biopolitics in the EU and US: Race to the Bottom or Convergence to the Top?, 47 Int’l Stud. Q. 617, 624 (2003).

[3] Endres, supra note 1 at 453.

[4] A. Bryan Endres, Coexistence Strategies in a Biotech World: Exploring Statutory Grower Protections, 13 Mo. Envtl. L. & Pol’y Rev. 206, 207 (2006); Lauren D. Quinn et al., Resolving Regulatory Uncertainty: Legislative Language for Potentially Invasive Bioenergy Feedstocks, GCB Bioenergy, available at (forthcoming).

[5] See, e.g., D.L. Uchtmann, Starlink—A Case Study of Agricultural Biotechnology Regulation, 7 Drake J. Agric. L. 159, 195 (2002) (discussing the costs of the commingling of StarLink corn not approved for food-use with the food supply); see also Quinn et al., supra note 4 (discussing how the EPA’s eighteen month delay in approval of two species of feedstocks for bioenergy cost the petitioners millions of dollars).

[6] 7 U.S.C. §§ 136–136y (2012).

[7] FIFRA was first passed as P.L. 80-104 in 1947.  However, it was rewritten in 1972 with the Federal Environmental Pesticide Control Act (FEPCA).  Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA), U.S. Envtl. Prot. Agency, (last visited Nov. 9, 2014); see also 7 U.S.C. §§ 136–136y (2012).

[8] Coordinated Framework for Regulation of Products of Biotechnology, 51 Fed. Reg. 23,303 (June 26, 1986).

[9] 42 U.S.C. § 7401 et seq. (2012).

[10] About APHIS, U.S. Dep’t Agric. Animal & Plant Health Inspection Service (Sept. 2, 2014),

[11] Plant Protection Act, Pub. L. No. 106-224, 114 Stat. 438 (2000).

[12] Regulation of Fuels and Fuel Additives: Renewable Fuel Standard Program, 83 Fed. Reg. 23,900 (May 1, 2007).

[13] Energy Independence and Security Act of 2007, Pub. L. No. 110-140, 121 Stat. 1492.

[14] 40 C.F.R. §§ 80.1100–80.1167 (2013).

[15] Regulation of Fuels and Fuel Additives: Renewable Fuel Standard Program, 83 Fed. Reg. 23,900 (May 1, 2007).

[16] 40 C.F.R § 80.1426 (2013).

[17] Id.

[18] Id.

[19] Fuels and Fuel Additives: Approved Pathways, U.S. Envtl. Prot. Agency, (last visited Nov. 9, 2014).

[20] Arundo donax is a tall perennial reed-like grass and is among the largest of the grasses, growing to a height of 8 meters.  This species is believed to be native to freshwaters of eastern Asia, but has been cultivated throughout Asia, southern Europe, northern Africa, and the Middle East for thousands of years and has been planted widely in North and South America and Australasia in the past century.  It was intentionally introduced to California from the Mediterranean in the 1820s in the Los Angeles area as an erosion control agent in drainage canals, and was also used as thatching for roofs of barns, sheds, and other buildings.  Gary Bell, Plant Invasions: Studies from North America and Europe 103–113 (J.H. Brock ed., 1997).

[21] Napier or elephant grass, is a tropic bunchgrass with high growth and biomass production rates.  Xin-Ming Xie et al., Dynamic Changes of Lignin Contents of MT-1 Elephant Grass and its Closely Related Cultivars, 35 Biomass & Bioenergy 1732 (2011).

[22] Regulation of Fuels and Fuel Additives: Identification of Additional Qualifying Renewable Fuel Pathways Under the Renewable Fuel Standard Program, 77 Fed. Reg. 699 (Jan. 5, 2012); see also Quinn et al., supra note 4.

[23] Regulation of Fuels and Fuel Additives: Identification of Additional Qualifying Renewable Fuel Pathways Under the Renewable Fuel Standard Program, 77 Fed. Reg. 13,009 (Mar. 5, 2012); see also Quinn et al., supra note 4.

[24] Quinn et al., supra note 4.

[25] Regulation of Fuels and Fuel Additives: Additional Qualifying Renewable Fuel Pathways Under the Renewable Fuel Standard Program; Final Rule Approving Renewable Fuel Pathways for Giant Reed (Arundo donax) and Napier Grass (Pennisetum purpureum), 78 Fed. Reg. 41,703 (July 11, 2013) (to be codified at 40 C.F.R. pt. 80) [hereinafter Final Rule]; see also Quinn et al., supra note 4.

[26] Final Rule, supra note 25 at 41,705; see also Quinn et al., supra note 4.

[27] Id.

[28] Final Rule, supra note 25 at 41,709.

[29] Id. at 41,711.

[30] Id.

[31] Id.

[32] Elise C. Scott et al., The Bioenergy Farm Lease, Part 4: Incorporation of Evolving Standards, FarmDocDaily (Nov. 22, 2013),

[33] Id.

[34] 7 U.S.C. §§ 136–136y (2012).

[35] 21 U.S.C. §§ 301–399 (2012).

[36] 15 U.S.C. §§ 2601–2629 (2012).

[37] See Uchtmann, supra note 5, at 184.

[38] Coordinated Framework for the Regulation of Products of Biotechnology, 51 Fed. Reg. 23,303 (June 26, 1986); see Uchtmann, supra note 5, at 169.

[39] See Uchtmann, supra note 5, at 184; see also Endres, supra note 1, at 480.

[40] Bt corn refers to genetically engineered corn that produces toxins derived from the Bacillus thuringiensis bacterium as a means of protection from insect pests.  Richard L. Hellmich & Kristian Allyse Hellmich, Use and Impact of Bt Maize, 3 Nature Educ. Knowledge 4 (2012).

[41] See Plant Incorporated Protectants, U.S. Envtl. Prot. Agency, (last updated Jan. 2013).

[42] See 40 C.F.R. § 174.3 (2013).

[43] StarLink was a variety of corn engineered to produce the Cry9C protein as a pesticide.  At the time of its registration with the EPA, there was not sufficient data to show if the protein was a human allergen, and StarLink was approved only for animal feed or industry use.  StarLink Corn Regulatory Information, U.S. Envtl. Prot.Agency, (last updated Apr. 2008).

[44] Certain Companies; Approval of Pesticide Product Registrations, 63 Fed. Reg. 43,936 (Aug. 17, 1998); see Uchtmann, supra note 5, at 198 (citations omitted).

[45] Uchtmann, supra note 5, at 185–86 (citing U.S. Env’t Prot. Agency, EPA/730/F-00/005, Biopesticide Fact Sheet: Bacillus thuringiensis Subspecies tolworthi Cry9C Protein and the Genetic Material Necessary for Its Production in Corn (Apr. 2000)).

[46] A refuge is an area planted nearby without a certain pesticide (in this case, planted without Bt corn) to conserve alleles in the population that are susceptible to that pesticide and prevent resistance.  A.M. Shelton et al., Economic, Ecological, Food Safety, and Social Consequences of the Deployment of Bt Transgenic Plants, 47 Ann. Rev. Entomology 845, 862 (2002).

[47] Uchtmann, supra note 5, at 185–86 (citing U.S. Env’t Prot. Agency, EPA/730/F-00/005, Biopesticide Fact Sheet: Bacillus thuringiensis Subspecies tolworthi Cry9C Protein and the Genetic Material Necessary for Its Production in Corn (Apr. 2000)).

[48] Id. at 182.

[49] Id.

[50] Id. at 187, 192.

[51] Id. at 193–94 (citations omitted).

[52] Kevin O’Hanlon, StarLink Corn Settlement Also to Include Interest, USA Today (Aug. 23, 2004, 5:55 PM),

[53] See, e.g., In re StarLink Corn Products Liab. Litig., 212 F. Supp. 2d 828 (N.D. Ill. 2002).

[54] O’Hanlon, supra note 52; see D.L. Uchtmann, Filing Deadline Extended to July 31: How to File Claims for Compensation from the Non-StarLink Farmer’s Class Action Settlement, Farm Doc (June 4, 2003),

[55] O’Hanlon, supra note 52.

[56] Uchtmann, supra note 5, at 206 (citations omitted); see U.S. Envtl. Prot. Agency, Biopesticide Registration Action Document—Bacillus thuringiensis Plant-Incorporated Protectants (2001), available at [hereinafter BRAD].

[57] Due to concerns over compliance, in 2010, when the EPA re-registered several brands of Bt corn, they included additional compliance requirements including continued annual surveys as well as on farm assessments.  See U.S. Envtl. Prot. Agency, Biopesticide Registration Action Document—Cry1Ab and Cry1F Bacillis thuringiensis (Bt) Corn Plant-Incorporated Protectants (2010), available at

[58] BRAD, supra note 56.

[59] Uchtmann, supra note 5, at 184–85 (citations omitted).

[60] Id. at 206.

[61] See John Murawski, EPA Approves Arundo Reed for Use in Proposed Sampson County Ethanol Refinery, News & Observer (July 3, 2013) (discussing Chemtex’s plan to build a refinery for giant reed); NC Biofuels Pleased with EPA Approval of Arundo donax, SFN Today (July 11, 2013), (noting Chemtex’s positive response to giant reed approval).

[62] See Jessica Goldberger, Jeanne Merrill & Terrance Hurley, Bt Corn Farmer Compliance with Insect Resistance Management Requirements in Minnesota and Wisconsin, 8 J. Agrobiotechnology Mgmt. Econ. 151, 152 (2005), available at (comparing their compliance results with several other studies on farmer compliance).

[63] Prakash & Kollman, supra note 2, at 633.

[64] Uchtmann, supra note 5, at 184–84 (citations omitted).

[65] See Final Rule, supra note 25.

[66] Id. at 41,711.

[67] Id.

[68] See BRAD, supra note 56.

[69] See Scott et al., supra note 32.

[70] See id. (discussing how incorporation of the EPA’s regulations into a bioenergy farm lease could facilitate tenant farmers’ entry into the bioeconomy).

[71] See generally James McCubbins et al., Frayed Seams in the “Patchwork Quilt” of American Federalism: An Empirical Analysis of Invasive Plant Species Regulation, 43 Envtl. L. 35 (2013) (discussing shortcomings of regulatory frameworks and proposing a negligence-based liability regime for controlling the introduction and spread of invasive plant species).

Is the Battle Over for Smart-Phones? Search Warrants Should Not Overcome Biometric Protections

By Sonthonax SaintGermain*

In Riley v. California,[1] the Court held that a warrant is required for all searches of cellular phones regardless of whether the search is incident to a lawful arrest.[2]  The Court reasoned that the traditional considerations for the “search-incident-to-arrest doctrine” are not applicable to the capacity and nature of data stored in modern smart-phones.[3]  Riley is a resounding victory for “privacy specialists” and advocates of a digital approach to the Fourth Amendment doctrine.[4]  Yet determining whether Riley carries those aspirations to fruition requires the Court to keep up with the rapid changes in the smart-phone industry.  It is almost certain that a smart-phone model would become either obsolete within a year or unfashionable within a shorter time period.[5]  The technological advances that are made with every “jump” to the next generation are, to the untrained-eye, somewhat nonexistent.[6]  The legal possibilities, however, are ever changing, as the functions of a handheld device resemble less those of a landline than those of a personal computer.[7]  Hence, the next challenge for the Court may be the use of biometric technology (or Biometrics) in smart-phones and computing tablets.

Biometrics “take[s] something unique to the individual—a fingerprint, an iris, voice or facial features—as authentication” to identify that person.[8]  The latest iterations of the Apple iPhone use Biometrics—the Touch ID—to allow customers to access to their device by using their fingerprints.[9]  Each iPhone is equipped with “Touch ID . . . capable of 360-degree readability” allowing rapid access to the device without the added step of entering the previously required four-digit personal identification number (PIN).[10]  Hours after its initial announcement privacy concerns were voiced.[11]  This essay, however, addresses a separate question: whether a search warrant requires a person to bypass the biometric lock on his phone.

Protection could be through the Fifth Amendment’s Privilege against Self-Incrimination. The privilege is violated when a person is forced to communicate information that would lead to evidence incriminating him in the commission of a crime.[12]  There are three requirements in this prohibition.  First, there must be compulsion or involuntary disclosure.[13]  Second, the information obtained must be incriminating against the person providing it.[14]  However, the person need only have a belief the information is incriminating.[15]  And finally, the compulsion must apply to conduct that is communicative.[16]  Thus, the Court’s Self-Incrimination cases look at whether there was a testimonial communication.  Hence three factual patterns raise the Self-Incrimination clause: (1) physical exhibition;[17] (2) production of evidence;[18] and (3) information attesting to the defendant’s state of mind.  The Court drew distinctions between “real or physical evidence” and evidence of factual assertions.[19]  Because of its nature, any information gleaned from fingerprints through the Touch ID would be considered as “real or physical evidence” and be barred from Self-Incrimination protection under the first line of cases.

Stemming from Holt v. United States,[20] these cases hold that the exhibition of certain “physical characteristics” is not dispositive of the accused’s belief of his guilt.  In Holt, the Court reviewed the guilty verdict of a murder trial.[21]  Holt, the defendant, argued that the trial court could not compel him to wear a blouse allegedly belonging to the murderer.[22]  The Court found that this claim was “an extravagant extension of the [Fifth] Amendment.”[23]  The Court reasoned that trial courts are required to compel defendants to come forward in criminal cases to allow the “jury to look at [him] and compare his features with a photograph in proof.”[24]  The Court reasoned that, no “statements” were made and the order did not “extort [any] communications . . . from him . . . .”[25]  The Court understood the Fifth Amendment as not abrogating the state power to compel the physical exhibition of defendants in a criminal matter.[26]  Since Holt, the Court has held that compulsion to participate in police lineups,[27] to provide voice exemplars,[28] to submit to a blood test[29] or a roadside sobriety test,[30] or to give a handwriting sample are not protected by the Self-Incrimination clause.[31]

However, for fingerprints, protection depends on the Court’s characterization of biometric locks: Are they manual key locks or combination locks? In Doe v. United States[32] (Doe II) the Court upheld a “consent directive” compelling the petitioner to “authorize foreign banks to disclose” certain documents.[33]  The Court held that the directive was non-testimonial.[34]  Justice Stevens dissented.[35]  He posited whether a defendant “can . . . be compelled to use his mind to assist the prosecution in convicting him of a crime . . . .”[36]  The answer, to Justice Stevens, seemed clear: “no.”[37]  In reaching this conclusion, he stated that the defendant “may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but . . . he [cannot] be compelled to reveal the combination to his wall safe by word or deed.”[38]  No member of the Court joined his dissent.  In a footnote responding to this hypothetical, Justice Blackmun, writing for the majority, stated:

We do not disagree with the dissent that the expression of the contents of an individual’s mind is testimonial communication for purposes of the Fifth Amendment.  We simply disagree with the dissent’s conclusion that the execution of the consent directive at issue here forced petitioner to express the contents of his mind.  In our view, such compulsion is more like being forced to surrender a key to a strongbox containing incriminating documents than it is like being compelled to reveal the combination to [petitioner’s] wall safe.[39]

The majority accepted the distinction,[40] but it pointed that the disagreement between Justice Stevens and his colleagues was whether the directive was a key or a combination.[41]

Stevens’ position did not win the day, and his distinction may have gone unnoticed if not for United States v. Hubbell.[42]  In Hubbell the Court held that producing documents pursuant to a subpoena, which does not describe with particularity the documents sought, violates the Self-Incrimination clause.[43]  Justice Stevens, now writing for an eight-member majority, stated, “[the] assembly of those documents was like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox.”[44]  The distinction was reiterated and entered the Court’s jurisprudence if only as a dictum.  Nonetheless, it is relevant to our concerns.

Two things are clear from Doe II’s footnote 9.  First, a defendant cannot be compelled to reveal the content of his mind.  This proposition is inherent from the Self-Incrimination clause and the Court’s line of cases on physical characteristics.  A defendant cannot reveal his thoughts and knowledge without bearing testimony to his guilt—that is a given.

Second, producing the key to a strongbox, unlike providing the combination to a wall safe,[45] is not testimonial of the defendant’s content of his mind.  Put differently, the possession of a key—even if it is the only copy—does not testify that the possessor is aware of the content of the strongbox.  When stated as such, this proposition is obvious and has no practical application.[46]  But it may yet be incorrect.  For one, the production of tangible evidence is indicative, almost akin to testimony, of “existence, control, and location of” potentially incriminating evidence.[47]  Equally so, in providing the key upon request, the arrestee is clearly stating that he is aware of its purpose.  Yet even if this notion stands, this would suggest that if a person is privy to the combination of a safe he is automatically privy to its contents.  That is simply incongruent.  One can point to several persons sharing the combination of their safe with guarantors—if only to insure against memory failure.  But if the Court were suggesting that knowledge of the combination creates a temptation to investigate its content and thus leading to testimonial knowledge, what would prevent the detainer of the key from pursuing the same end?[48]  The truth is simple: the Court accepted the distinction without elaboration.[49]

If fingerprint locks are comparable to key locks, then the privilege does not insulate the owner of the iPhone from being compelled to provide access to it.  But if they are more like the combination locks, then the privilege applies.  At first glimpse, a thumbprint is more like a key.  It is tangible.  It is mechanical in its application.  And it requires no recollection of memory in order to operate it.[50]  This lack of memorization may have created this odd distinction.  But the differences are more compelling.  A fingerprint does more than provide access.  It could be use to authenticate identity.[51]  Hence the fingerprint—much like the PIN—must be chosen as the exact means of access to the device;[52] and thus, although to a minimum, testify that there was a conscious thought process applied in its selection.

The strongbox analogy does nothing to resolve this issue.  It is clear that the Court would not entertain compelled acquisition of a safe combination, PIN or Password.[53]  However the analogy creates more uncertainty than it would resolve.  Fingerprint locks are more like passwords and usernames when used in conjunction to gain access.  It identifies the user and authenticates his identity all in one motion.[54]

However, if biometric access suggests identity and control, the problem is perhaps moot, since all searches must be pursuant to a warrant, and hence subject to the particularity requirement.[55]  This is not necessarily true.  Evidence seized from smart-phones may not be accessible unless police officers can bypass the biometric locks.    Yet, regardless of a warrant, a defendant is under no obligation “to aid” police officers in accessing evidence on his device.[56]  In Andresen v. Maryland,[57] the Court addressed whether the Self-Incrimination clause precludes the prosecution from introducing evidence seized pursuant to a search warrant in its case-in-chief against the defendant.[58]  The evidence at issue was “business records [containing] statements made by the petitioner.”[59]  The Court held that “suppression” was not compelled because the defendant “was not asked to say or to do anything.”[60]  The Court said, “when these records were introduced at trial, they were authenticated by a handwriting expert, not by” the defendant.[61]

However in reaching this conclusion the Court was careful to separate the Fifth Amendment problem from the defendant’s obligations vis-à-vis the police investigation under a search warrant: “a seizure of [incriminating] materials by law enforcement officers differs [from production of the same materials in compliance with a subpoena], in a crucial respect . . . . [The] individual against whom the search is directed is not required to aid in the discovery, production, or authentication of incriminating evidence.”[62]  Andresen conflicts with the strongbox analogy found in Doe II and Hubbell.  But it is clear from Andresen that a defendant need not “aid” the police in its investigation.[63]  Providing the key to a strongbox, one clearly insurmountable by any other means, is providing aid in a criminal investigation.

If Andresen is still good law, it stands that a warrant cannot compel the defendant to “aid” in his indictment, arrest or prosecution.[64]  The Fifth Amendment guarantees this protection, and the Fourth Amendment does not deplete it.  The state cannot circumvent one constitutional prohibition by satisfying another.  Meeting all of the requirements for a valid warrant cannot—and should not—allow police officers to compel criminal suspects to assist in their own prosecution.[65]  Thus police officers seeking to access a smart-phone must bypass the biometric lock by means independent from compelling the defendant to do so.


*J.D. University of Illinois (’14); M.Sc. Applied Economics, Florida State University (’09). Special thanks go to Benjamin Sunshine for bringing this topic to my attention. I also give thanks my Professors: Margareth Etienne, Andrew Leipold, and Shannon Moritz, as well as Dean Jamelle Sharpe for their advice. Thanks are also due to my friends: Michael Corliss, and Derek Dion, in conjunction with the Editing Board at the Illinois Journal of Law, Tech. & Policy for their support and indulgence. Finally I thank my family and loved ones, in particular my parents.

[1] Riley v. California, 134 S. Ct. 2473 (2014).

[2] Id. at 2485 (“[O]fficers must generally secure a warrant before conducting such a search.”).

[3] Id. (declining to extend United States v. Robinson, 414 U.S. 218 (1973)).

[4] Richard Re, Symposium: Inaugurating the Digital Fourth Amendment, SCOTUSblog (June 26, 2014, 12:37 PM),

[5]  See Suzanne Choney, Planned Obsolescence: Cell Phone Models, NBC News (Feb. 24, 2009, 8:57 AM), ( (“[M]ost phones have a market life cycle of nine to 12 months.”).

[6]  See id.  (stating a new model may “still look[] like the original . . . but . . . has a few new features”).


[7] Riley v. California, 134 S. Ct. 2473, 2489 (2014) (“The term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone.”) (emphasis added).

[8] Mark G. Milone, Biometric Surveillance: Searching For Identity, 57 Bus. Law 497, 497 (2001) (“Biometrics use immutable personal characteristics, such as facial features, fingerprints, and retinal patterns, to establish and authenticate identity.”).

[9] Touch ID. Security. Right at Your Fingertip., Apple, (last visited Oct. 4, 2014).

[10] Id.; see also David Pogue, In Arrival of 2 iPhones, 3 Lessons, N.Y. Times (Sept. 17, 2013), (“[Y]es, a password is a hassle; half of [smart-phone] users never bother setting one up.”).

[11] Apple Fingerprint Tech Raises “Privacy Questions,” BBC News (Sept. 20, 2013, 1:28 PM), (“Senator Al Franken, chairman of the influential Senate Judiciary Subcommittee on Privacy, Technology and the Law, has written to Apple boss Tim Cook explaining his security concerns.”).

[12] See U.S. Const. amend. V (“No person shall . . . be compelled in any criminal case to be a witness against himself.”); see also Holt v. United States, 218 U.S. 245, 252–53 (1910) (expressing the self-incrimination as a “prohibition of the use of [extorted] communications”).

[13] Holt, 218 U.S. at 252–53 (stating the clause “is a prohibition [against] the use of physical or moral compulsion”).

[14] That is simply found in the language of the Amendment. Cf. U.S. Const. amend. V (“No person shall . . . be compelled in any criminal case to be a witness against himself.”).

[15] Cf. Pennsylvania v. Muniz, 496 U.S. 582, 615 (1990) (Rehnquist, C.J., concurring) (“By ‘incriminating response’ we refer to any response—whether inculpatory or exculpatory—that the prosecution may seek to introduce at trial.”) (internal citation omitted).

[16] Holt, 218 U.S. at 252–53 (stating the clause “is a prohibition [against extorting] communication”).

[17] Id. at 245; Schmerber v. California, 384 U.S. 757 (1967); United States v. Wade, 388 U.S. 218 (1967); Gilbert v. California, 388 U.S. 263 (1967); United States v. Dionisio, 410 U.S. 1 (1973); Pennsylvania v. Muniz, 496 U.S. 582 (1990).

[18] Fisher v. United States, 425 U.S. 391 (1976); United States v. Doe (Doe I), 465 U.S. 605 (1984); Doe v. United States (Doe II), 487 U.S. 201 (1988).

[19] Muniz, 496 U.S. at 591.

[20] Holt, 218 U.S. at 245.

[21] Id. at 246.

[22] Id. at 252.

[23] Id. at 252.

[24] Id. at 253.

[25] Id. at 253.

[26] Schmerber v. California, 384 U.S. 757, 761 (1966).

[27] United States v. Wade, 388 U.S. 218, 222 (1967).

[28] Id. at 222–23; United States v. Dionisio, 410 U.S. 1, 17–18 (1973).

[29] Schmerber, 384 U.S. at 761.

[30] Pennsylvania v. Muniz, 496 U.S. 582, 590 (1990).  The Court however framed its ruling to only include test that would not require the accused from giving an answers the veracity of which can become testimonial.  Id. at 600.

[31] Gilbert v. California, 388 U.S. 263, 266–67 (1967).

[32] Doe v. United States, 487 U.S. 201 (1988).

[33] Id. at 219.

[34] Id.

[35] Id. at 219–21 (Stevens, J., Dissenting).

[36] Id.

[37] Id.

[38] Id. (emphasis added).

[39] Id. at 210 n.9 (internal citation and quotation marks omitted) (emphasis added).

[40] Id.

[41] Id.

[42] United States v. Hubbell, 530 U.S. 27 (2000).

[43] Id. at 43.

[44] Id. at 43 (citing Doe II, 487 U.S. at 210 n.9).

[45] This part is almost self-evident.  Safe combinations, much like passwords, require mental recollection.

[46] Practically speaking, combination locks are nothing more than the evolutionary successors of key locks.

[47] Adam M. Gershowitz, Password Protected? Can a Password Save Your Cell Phone from a Search Incident to Arrest?, 96 Iowa L. Rev. 1125, 1171 (2011) (citing Fisher v. United States, 425 U.S. 391, 410 (1976); Commonwealth v. Hughes, 404 N.E.2d 1239, 1244–45 (Mass. 1980)).

[48] One answer is that a person may be in possession of a key without knowing its purpose.  That cannot be the answer because a person can also know a sequence of numbers without knowing its meaning.  For example: what is the meaning of 01.02.54?

[49] The Strongbox analogy gets more complicated when we expand its reach.  Take the following two scenarios that paradoxically lead to opposing results.  First if a person has four keys on a keychain, one of which opens a door, he can be compelled to identify which one opens the door.  Yet consider a door that has four locks, and the same key opens all four.  If, to open the door, the person must always unlock the locks in a given sequence—almost like a safe combination—then it stems from Dow II that he cannot be compelled to tell the authorities which sequence, even though he is required to provide the key.

[50] See Gershowitz, supra note 48 at 1171 (suggesting PINs are testimonial because they “reveal the contents of [a person’s] mind by recalling” the sequence).

[51] Kristian Köhntopp, Comment to Fingerprints are Usernames, not Passwords, Dustin Kirland (Oct. 7, 2013), (“We could each conveniently identify ourselves by our fingerprint.”).

[52] See Apple, supra note 10 (explaining the process for calibrating the fingerprint authentication system).

[53] See, e.g., In re Boucher, No. 2:06-mj-91, 2007 WL 4246473, at *2 (D. Vt. Nov. 29, 2007), rev’d No. 2:06-mj-91, 2009 WL 424718 (D. Vt. Feb. 19, 2009) (denying prosecutors request that the subject of Grand Jury subpoena provides access to his computer by entering the password, even if done privately in a secluded room).

[54] But see Köhntopp, supra note 52 (suggesting “biometrics cannot, and absolutely must not, be used to authenticate an identity”).

[55] Cf. Riley v. California, 134 S. Ct. 2473, 2485 (2014) (“[O]fficers must generally secure a warrant before conducting such a search.”).  The particularity requirement would overcome the generality of the subpoena found in Hubbell.

[56] Andresen v. Maryland, 427 U.S. 463, 473–74 (1976).

[57] Id..

[58] Id. at 465.

[59] Id. at 471.

[60] Id. at 473.

[61] Id. at 474.  This answer reinforced a consistent theme requiring an intermediary separating an inference of guilt from the conduct.  See, e.g., Holt v. United States, 218 U.S. 245 (1910) (requiring jury to authenticate physical match); Schmerber v. California, 384 U.S. 757 (1967) (requiring blood testing); United States v. Wade, 388 U.S. 218 (1967) (requiring voice matching); Gilbert v. California, 388 U.S. 263 (1967) (requiring hand exemplar matching).

[62] Id. at 473–74 (emphasis added).

[63] Id.

[64] Id.

[65] Cf. id. This is true both from Andresen, and the language and spirit of the Bill of Rights.

Anything You Say May Be Used Against You: Corporate Voiceprint Tactics Trigger Latest Privacy & Security Concerns

By Shruti Panchavati*

“We raid speech for its semantic meaning, and then discard the voice like detritus leftovers.”[1]

I. Introduction

Work is being done to integrate various biometrics into mobile devices, but the human voice is a natural choice for businesses because public attention on voiceprinting is shockingly low.  For instance, it came as no surprise when privacy concerns began to take form even as Apple unveiled its fingerprint scanner on the newest iPhone 5S;[2] lawmakers and advocates declared it a hacker’s “treasure trove.”[3]  And yet, despite its obvious functional similarities, Apple’s voiceprint scanner “Siri” has received little public scrutiny, suggesting a widespread misunderstanding about the human voice, one that mobile giants have been quick to market.[4]  The result is chilling: in the absence of legal and regulatory guidelines these corporations could be on their way to creating the largest name to voice database, without even trying.

An increasing number of mobile companies are combining voiceprint technology with broad privacy policies to gain an unfettered right to collect, store, and use an individual’s data for an indefinite period of time.  This Article examines Apple’s voiceprint policy and argues that modern-day remedial strategies have failed to protect users’ privacy and security.  In response, states should adopt and implement California’s Right to Know Act, which would allow users to access and track their digital footprint.  Part II of this Article highlights the sweeping implications of corporate voiceprinting.  Part III exposes the wide-reaching privacy and security implications in Apple’s ill named “Privacy” Policy.  Part IV recommends a practical, effective solution that balances the privacy concerns of the user against the commercial interests of the mobile industry.

II. An Audible Signature

Voiceprinting (also referred to as “voice biometrics”) creates a mathematical representation of the sound, pattern, pitch, and rhythm of an individual’s voice, which can then be used for any number of purposes, such as recognition or identification.[5]  The technology has the distinct advantage of basing authentication on an intrinsic human characteristic—the human voice.  It is our audible signature and, just as no two fingerprints are alike, no two voices are alike.[6]  It is also a powerful guide to the speaker’s most terrifyingly intimate details.[7]  With just a few words, the voice can reveal an individual’s gender, age, height, health, emotional state, sexual orientation, race, social class, education, and relationship to the person being spoken.[8]  It is a remarkably rich resource that is largely taken for granted, in part, because of the spread of mobile devices.

Mobile technology appears to have dissociated the voice from the body, lulling the public into a false sense of security about corporate voiceprinting.  To see its implications, consider that financial service organizations have already implemented voice biometrics to allow users to check account balances, make payments, track transactions simply using their voice.[9]  Additionally, governments across the globe are investing in voice biometrics that would allow them to tuck away millions of voiceprints for surveillance and law enforcement.[10]  Indeed, the human voice is now more valuable than any password or PIN number and widespread corporate collection, storage, and use of our audible signatures raises grave privacy and security concerns, begging the question: can mobile companies be trusted to handle this technology responsibly?

III. Unraveling Apple’s Voiceprint Policy

On October 4, 2011, Apple unveiled the iPhone 4S with Siri, a built-in interactive personal assistant.[11]  While it was not the first foray into speech-recognition technology,[12] it is the most popular and, after only five months of availability, the iPhone 4S sold about 15.4 million units.[13]  It is undoubtedly a remarkable technological achievement, but combined with its overbroad Privacy Policy, it can have many unforeseeable consequences for innocent users.

Apple’s iOS7 Software Licensing Agreement, in relevant part, notes that, “[w]hen you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests.”[14]  In other words, anything said to Siri is recorded and sent to the company’s data farm in North Carolina, where Apple converts the spoken words into a digital code.[15]  Not mentioned in the Privacy Policy is that the company assigns each user a randomized number and, as voice files from Siri requests are received, the data is assigned to that number.[16]  After six months, Apple then “disassociates” the user number from the voice clip, but maintains records of these disassociated files for up to eighteen months for “testing and product improvement purposes.”[17]  However, it remains unclear what Apple really does when it “dissociates” these files or what it means to use user voiceprints for “testing and product improvement purposes.”  Moreover, without any regulatory oversight, there is no guarantee that Apple ever actually deletes these records after eighteen months or at all.

Siri’s Privacy Policy further states that “[b]y using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including [the user’s] voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.”[18]  This information collected includes “all types of data associated with your verbal commands and may also include audio recordings, transcripts of what [is] said, and related diagnostic data.”[19]  What Apple is referring to here is a voiceprint, so by signing the licensing agreement, a user consents to the company’s collection, storage, and use of their voice biometric data.  Additionally, Apple gives itself the right to share this data with any of its unnamed partners and subsidiaries without notice or cause and for an indefinite period of time.

It may be argued that Apple and other like companies know better than to misuse user information because it would be poor public relations strategy.  There is no evidence to prove that corporations are currently exploiting their position.[20]  However, the problem remains that no one—users, lawmakers, privacy advocates, or politicians—knows what is happening behind closed doors and Apple is not saying either way.[21]  Personal data economy has become a largely elusive and highly lucrative world and, as always, real concern in privacy and security is not what is happening, but what could happen.

IV. Recommendation & Conclusion

With the widespread use of voiceprint technology in mobile phones, it is no surprise that companies, such as Apple, have digital portfolios on each user.  Banning voice biometric technology is not a desired option and admittedly companies do need some information about a user and his or her preferences to operate applications, such as Siri, efficiently.[22]  However, present-day remedies do not provide sufficient protections against corporate intrusions and data thefts.[23]

In the face of this dilemma, California’s “Right to Know” Act sets an unprecedented level of corporate transparency that gives users the right to access and track their own private data.[24]  Specifically, the Act requires that “any business that holds a customer’s personal information to disclose it within 30 days of that customer’s request. Adding to this, names and contact information of all third parties with which the business has shared that customer’s data with during the previous 12 months must also be disclosed.”[25]  Additionally, if the company refuses disclosure, the user has the legal right to bring a civil claim, forcing them to comply with the law.[26]  The Act mimics the right to access data that is already available to residents in Europe, proving that big technology giants, such as Apple, already have the procedures in place to respond.[27]  As more and more companies continue to implement efficient strategies to facilitate the process, the Act will not only have introduced corporate transparency into the digital age, but will likely have also made it the norm.

It may be argued that the Right to Know Act is too modest and does not actually give users the right to correct or delete their personal data.  These are certainly important considerations down the road and, in a perfect world, users would have full and complete control of all of their information.  However, it may be a long time, if ever, before that robust privacy and security strategies can be implemented.  In the meantime, the Right to Know Act is an important first step in putting privacy and security back in the hands of the user.


*J.D. Candidate, University of Illinois College of Law, expected 2015.  B.S. Psychology with Neuroscience Option, Pennsylvania State University, 2012.  I am grateful to the editors of the Journal of Law, Technology, and Policy for their advice and insight on this piece.

[1] Anne Karpf, The Human Voice: How this Extraordinary Instrument Reveals Essential Clues About Who We Are 13 (Bloomsbury USA, 1st ed. 2006).

[2] Chenda Ngak, Should You Fear Apple’s Fingerprint Scanner?, CBS News (Sept. 24, 2013, 10:12 AM),

[3] Charlie Osborne, iPhone Fingerprint Scanner Sparks Privacy Worries, CNET (Sept. 17, 2013, 9:55AM),

[4] See Kevin C. Tofel, How to Enable Experimental “OK Google” Voice Recognition on your Chromebook, Gigaom (Nov. 21, 2013, 8:33 AM), (noting that Google Voice is already a popular feature on the Android smartphone and Chrome).

[5] Authentify, Voice Biometric Authentication, (last visited Sep. 15, 2014).

[6] See id. (“A voice biometric or ‘voice print,’ is as unique to an individual as a palm or finger print.”).

[7] Karpf, supra note 1, at 10–11.

[8] Id.

[9] Omar Zaibak, 3 Banks Using Voice Biometrics for Security and Authentication, Voice Trust (Mar. 24, 2014),

[10] Noel Brinkerhoff, Governments Begin to Build Voice Print Databases, All Gov (Oct. 6, 2012),

[11] Press Release, Apple Launches iPhone 4S, iOS 5 & iCloud (Oct. 4, 2011), available at

[12] Bernadette Johnson, How Siri Works, HowStuffWorks, (last visited Sep. 15, 2014).

[13] Id.

[14] iOS Software License Agreement, Apple, available at (last visited Sep. 15, 2014) (emphasis original).

[15] John W. Mashni & Nicholas M. Oertel, Does Apple’s Siri Records and Store Everything You Say?, Technology Law Blog (July 17, 2012),

[16] Eric Slivka, Anonymized Siri Voice Clips Stored by Apple for Up to Two Years, MacRumors (Apr. 19, 2013, 6:42 AM),

[17] Id.

[18] iOS Software License Agreement, supra note 14.

[19] John Weaver, Siri is My Client: A First Look at Artificial Intelligence and Legal Issues, N.H. B. J., Winter 2012, at 6 available at

[20] See Matthew Panzarino, Apple Says It Has Never Worked With NSA To Create iPhone Backdoors, Is Unaware of Alleged DROPOUT JEEP Snooping Program, Tech Crunch (Dec. 31, 2013), (indicating that Apple denied creating any iPhone “backdoors” for the National Security Agency that would allow NSA to monitor Apple’s users).

[21] Barbara Ortutay, Apple Privacy Concerns: Experts Slam Apple Over ‘Locationgate,’ The Huffington Post (June 28, 2011),

[22] iOS Software License Agreement, supra note 14.

[23] Australian Associated Press, Facebook Gave Government Information on Hundreds of Australian Users, The Guardian (Aug. 28, 2013, 2:41 AM) (noting the failure of a claim by an Austrian law student, who invoked a “habeas data” right by demanding Facebook data).

[24] Rainey Reitman, New California “Right to Know” Act would Let Consumers Find out who has their Personal Data—and Get a Copy of it, Electronic Frontier Foundation (Apr. 2, 2013),

[25] Assembly Bill, 14 California Legislature 1291, (2013), available at

[26] Id.

[27] Reitman, supra note 24.