Monthly Archives: June 2013

Privacy Protections from FISA Court May Not Compute

This is cross-post on the American Constitution Society’s blog.

After the events of the past few weeks, a discussion presented by the American Constitution Center on the search for privacy and security on the Internet posed many questions but few answers. In an article on The Daily Beast, Harvard Law Professor Lawrence Lessig has noted that the “Trust us’ does not compute,” but after a contentious, technical discussion of both the NSA’s PRISM program and the cellular metadata orders, a panel of privacy law scholars were forced to concede that “trust us” is today’s status quo when it comes to programmatic government surveillance.

It wasn’t supposed to be this way. When the Foreign Intelligence Surveillance Act was first passed in 1978, the law was designed to “put the rule of law back into things,” explained Professor Peter Swire, co-chair of the Tracking Protection Working Group at the W3C and the first Chief Counselor for Privacy at OMB. The emergence of the Internet, however, changed everything. Intelligence agencies were faced with a legal framework that could not account for situations where “games like World of Warcraft [could be] a global terrorist communication network,” he said.

But even as communications technology has been made to serve bad actors, it has also ushered in a Golden Age of surveillance. Modern technology today can easily determine an individual’s geolocation, learn about an individual’s closest associates, and connect it all together via vast databases. Within the federal government, without strong champions for civil liberties, the availability of these technologies encouraged government bureaucracy to take advantage of them to the full extent possible. Absent outside pressure from either the Congress or the public, “stasis sets in,” Swire said.

Yet while service providers collect vast amounts of data about individuals, a combination of business practicalities and Fair Information Practice Principles which stress retention limits and data minimization mean that businesses simply do not keep all of their data for very long. As a result, the government has used Section 215 of the PATRIOT Act to collect and store as much information as possible in the “digital equivalent of the warehouse at the end of Indiana Jones,” said Professor Nathan Sales, who largely defended the government’s efforts at intelligence gathering.

The difficulty is that these sorts of data collection projects present important Fourth Amendment considerations.  In his passionate dissent in the recent Maryland DNA collection case, Justice Antonin Scalia joined three of his liberal colleagues to explain that the Fourth Amendment specifically protects against general searches and demands a particularity requirement.  However, a general search is exactly what an order permitting the collection of anyone and everyone’s cellular metadata appears to be.

Professor Susan Freiwald pointed out that the plain language of Section 215 is incredibly broad.  50 U.S.C. Sec. 1861 permits surveillance wherever “reasonable grounds” exist that surveillance could be “relevant . . . to protect against international terrorism or clandestine intelligence activities” where any individual, American citizen or otherwise, is “in contact with, or known to, a suspected agent of a foreign power.”  According to Freiwald, the plain language of the statute “doesn’t limit government investigations in any meaningful way.” What checks that exist are limited: Congress appears at best half-informed and the ISPs that are hauled before the Foreign Intelligence Surveillance Court (FISC) have been incentivized not to fight via the carrot of immunity and the stick of contempt sanctions.

“We’re waiting on the courts,” Freiwald said, suggesting that these programs “cannot survive review if the court does its job.”

Professor Sales countered that the FISC was already placing minimization requirements into the its orders, though he conceded he couldn’t know for sure if this was accurate.

Former U.S. District Judge Nancy Gertner interjected:

As a former Article III judge, I can tell you that your faith in the FISA Court is dramatically misplaced. . . . Fourth Amendment frameworks have been substantially diluted in the ordinary police case. One can only imagine what the dilution is in a national security setting.

What little we do know about the FISC suggests that it, too, is wary of the government’s behavior.  In a letter to Sen. Ron Wyden (D-Ore.) last fall, the Director of National Intelligence conceded that on at least one occasion the FISC found that the government’s information collection was unreasonable under the Fourth Amendment, and moreover, that the government’s behavior had “sometimes circumvented the spirit of the law.”

Unfortunately, the FISC’s full legal opinion remains classified, and the Department of Justice continues to contest its release.  This fact reveals the core challenge facing any sensible debate about the merits of government surveillance: our current understanding rests on incomplete information, from secret court decisions to the “least untruthful” testimony of government officials.

Louis Brandeis, who along with Samuel Warren “invented” the right to privacy in 1890, also wrote that “[s]unlight is said to be the best of disinfectants.”  A discussion about the future of privacy online that forces our best privacy scholars to repeatedly profess their ignorance and rests on placing our trust in the government simply does not compute.

The Rhetoric and Law of Government Surveillance

Two weeks ago, after the President’s national security address, I was left with little reaction other than the speech sounded good.  The President made overtures to “refining” and ultimately repealing the AUMF.  There was some measured rhetoric about drone warfare and a frank discussion about GITMO.  The President even tolerated a heckler, but nothing about the speech appeared to suggest a serious re-evaluation of American national security policy.  But as this week suggests, positive words, whether in a speech or in law, can easily be used to obfuscate more alarming acts.

This week, of course, came news that our government is collecting metadata of the phone calls of millions of (if not all) Americans.  The time, location, and duration of our calls are being recorded, aggregated, and transformed into a vast network of personal information.  Last night came the further revelation that the NSA has continued a vast data mining enterprise with the participation of every major tech company–Google, Facebook, Apple, Microsoft, Yahoo, Skype, YouTube, AOL.  Whether through ignorance or an intentional gag orders, these tech giants have been forced to hem and haw about what exactly they know and what exactly they’re giving away.

As a number of people have recalled, then-Senator Obama cautioned against this sort of intelligence dragnet. “We have to find the right balance between privacy and security, between executive authority to face threats and uncontrolled power,” he said.  “What protects us, and what distinguishes us, are the procedures we put in place to protect that balance, namely judicial warrants and congressional review. These aren’t arbitrary ideas. These are the concrete safeguards that make sure that surveillance hasn’t gone too far. That someone is watching the watchers.”

Speaking to reporters today, the President has inverted his priorities:  “You can’t have 100 percent security and then also have 100 percent privacy and zero inconvenience.  You know, we’re going to have to make some choices as a society.”  The problem is that “society” hasn’t made this choice; a small collection of government officials have.

There is little question that the letter of the law has been followed here.  Both judicial review and congressional oversight are in place, but can anyone say whether they are effective?  It’s impossible, because it’s all secret.  Few members of Congress were aware of the breadth of these programs, and those that were legally prohibited from discussing them.  Our congressional oversight effectively amounts to a handful of members, having access to sensitive documents within tightly controlled conditions without the resources to effectively “oversee” anything.

Meanwhile, to be blunt, our Foreign Intelligence Surveillance Court is a judicial rubber stamp.  In 2012, 1,789 applications to conduct electronic surveillance for foreign intelligence purposes were made to the FISC.  One was withdrawn.  None were denied.  A further 212 applications were made to the FISC to access business records.  None were denied.

In February, I attended an address by Rajesh De, General Counsel of the NSA, wherein he attempted to disabuse the audience of several “myths” about the National Insecurity Apparatus:

False Myth #1: NSA is a vacuum that indiscriminately sweeps up and stores global communications.
False Myth #2: NSA is spying on Americans at home and abroad with questionable or no legal basis.
False Myth #3: NSA operates in the shadows free from external scrutiny or any true accountability.

At the time, I remember being struck by how much of his remarks focused on procedure and structural legalese.  As Jennifer Granick put it today, however, the complexity of our national security laws are such that it allows officials to offer “non-denial denials” that mask the truth and obfuscate the bigger concerns.  For example, it may well be true that the NSA neither sweeps up nor stores “communications.”  But if collecting every phone number you dial, long your call last, and where both ends of the call came from are not legally “communications,” I imagine that might come as a surprise to most average people.The government’s initial response–both in the Administration and in Congress–have been dismayed and outraged at the “magnitude of the leak” involved.   Jack Clapper, director of National Intelligence, has called this “unauthorized disclosure” utterly “reprehensible and risks important protections for the security of Americans.”  Or perhaps these officials are more worried about a political backlash:

If so much information is being gathered about almost everyone to figure out patterns, then it’s not as though you’d be tipping off a particular target that we were on to him. Would publicizing the order that this information be collected have given away technical secrets to our enemies (or rather, at this point, has publicizing it done so)? I don’t see how. I can see why the government might want to keep this data-mining program secret to avoid a political backlash, but that is of course not a good reason for concealing it.

No laws have been broken.  No single politician or political party alone should be blamed for this state of affairs, but we ought to become more mindful about the disconnect between the rhetoric surrounding government transparency and personal privacy and the actions of our society when these principles are at stake.

Would Could Facial Recognition Privacy Protections Look Like?

Concerns about facial recognition technology have appeared within the context of “tagging” images on Facebook or how it transforms marketing, but these interactions are largely between users and service providers. Facial recognition on the scale offered by wearable technology such as Google Glass changes how we navigate the outside world.  Traditional notice and consent mechanisms can protect Glass users but not the use by the user himself.  // More on the Future of Privacy Forum Blog.

 Scroll to top