Tag: Julian Sanchez

The Internet Is Not .gov’s to Regulate

Imagine that Congress passed a law setting up a procedure that could require ordinary citizens like you to remove telephone numbers from your phone book or from the “contacts” list in your phone. What about a policy that cut off the phone lines to an entire building because some of its tenants used the phone to plot thefts or fraud? Would it be okay with you if the user of the numbers coming out of your phone records or the tenants of the cut-off building had been adjudged “rogue” users of the phone?

Cutting off phone lines is the closest familiar parallel to what Congress is considering in two bills nicknamed “SOPA” and “PIPA”—the “Stop Online Piracy Act” and the “PROTECT IP Act.”

Julian Sanchez has vigorously argued several points about these bills. Here, I’ll try to describe what they try to do to the Internet.

Simplifying, every computer and server has an IP (or “Internet Protocol”) address, which is a set of numbers that uniquely identify its location on the Internet. The IP address for the server hosting Cato’s Spanish language site, elcato.org, for example, is 67.192.234.234.

Now, these numbers are hard to remember, so there is a system that translates IP addresses into something more familiar. That’s the domain name system, or “DNS.” The domain name system takes the memorable name that you type into the address bar of your computer, such as elcato.org, and it looks up the IP address so you can be forwarded along to the IP address of your choice.

One of the major ideas behind SOPA and PIPA is to cut Internet sites that violate copyright out of the domain name system. No longer could typing “elcato.org” get you to the Web site you wanted to visit. Much of the debate has been about the legal process for determining whether to strike out a domain name.

But preventing a domain name lookup doesn’t take the site off the Internet. It just makes it slightly harder to access. You can prove it to yourself right now by copying “67.192.234.234” (without the quotes) and plugging it into your address bar. (The Internet is complicated. Some of you might be directed to other Cato sites.) Then come back here and read on, por favor!

The government would require law-abiding citizens to “black out” phone numbers—or Internet service providers to do the same with domain names—for this little effect on wrongdoing? It doesn’t make sense. The practical burdens on the law-abiding Internet service provider would be large. “Blacking out” an entire building—just like a Web site—would cut off the lawful communications right along with the unlawful ones. It’s through-the-looking-glass information control, with enormous potential to obstruct entirely lawful communications and impinge on First Amendment rights.

Which is why many Web sites today are “blacking out” in protest. In various ways, sites like Craigslist.org, Wikipedia, and many others are signaling to their visitors that Congress is threatening the core functioning of the Internet with bills like SOPA and PIPA. And threatening all of our freedom to communicate.

The Internet is not the government’s to regulate. It is an agreement on a set of protocols—a language that computers use to talk to one another. That language is the envelope in which our communications—our First-Amendment-protected speech—travels in hundreds of different forms.

The Internet community is growing in power. (Let’s not be triumphal—government authorities will use every wile to maintain control.) Hopefully the people who get engaged to fight SOPA and PIPA will recognize the many ways that the government regulates and limits information flows through technical means. The federal government exercises tight control over electromagnetic spectrum, for example, and it claims authority to impose public-utility-style regulation of Internet service provision in the name of “net neutrality.”

Under the better view—the view of freedom behind opposition to SOPA and PIPA—these things are not the government’s to regulate.

‘Wait and Hurry Up’ in Debate over Patriot Act

If Senate leaders believed that expiring portions of the Patriot Act constituted an immediate increase in the risk of terrorism, it’s amazing that they waited until now to even nod toward debating the law’s renewal. A few thoughts from Cato Research Fellow Julian Sanchez on the current Patriot Act debate ripped from today’s podcast:

… Democrats have had no interest in pointing out how closely President Obama has followed the playbook written by George (W.) Bush. And of course Republicans are the ones who helped write that playbook, so they don’t have much interest in revisiting it.

On Section 215 of the Patriot Act:

It seems extremely likely from what we know so far that this business records authority has been transformed into a large-scale people-tracking authority. … It strikes me as extraordinarily subject to abuse. It strikes me as a dangerous power to grant, even in this most vital task.

Listen to the whole thing. And subscribe (iTunes).

Patriot Act Extension Runs Into Conservative Opposition

Reports the Los Angeles Times:

A House GOP push to permanently extend expiring provisions of the Patriot Act is running into opposition from conservative and “tea party”-inspired lawmakers wary of the law’s reach into private affairs.

Congress has made a practice of kicking the Patriot Act can down the road, but it could be that the new crop of legislators isn’t inclined to go along.

Julian Sanchez has blogged here about the complexities of this government surveillance law. His podcast on the topic, released yesterday, is titled “The Patriot Act Sneaks to Renewal.” Maybe it can’t sneak through after all…

Cato Unbound: The Digital Surveillance State

In the years since September 11, 2001, the secret digital surveillance state has grown enormously. Given heightened security measures, heightened anxiety, and cheaper-than-ever data collection and storage, such growth was perhaps inevitable.

But what are the proper limits on the secret collection of information? Where do our constitutionally guaranteed civil liberties stand in this new era? Do the federal government’s increased powers of surveillance even accomplish the security tasks at hand?

Constitutional lawyer and columnist Glenn Greenwald argues in this month’s Cato Unbound that the digital surveillance state is out of control. It’s also failed to deliver on its promises of greater security. Rather than helping to find the needle in the haystack, we have only made the haystack bigger.

Commenting on Greenwald’s essay will be Professor John Eastman, of Chapman University Law School; Paul Rosenzweig, now of the Heritage Foundation and formerly Deputy Assistant Secretary for Policy in the Department of Homeland Security; and the Cato Institute’s own Julian Sanchez, a prolific journalist on the interface of technology and civil liberties. Please stop by through the rest of this month for a discussion of one of our country’s most pressing issues in both civil liberties and national security.

Wednesday Links

  • John McCain channels Dick Cheney: On March 4, McCain introduced a bill that  “would require that anyone anywhere in the world, including American citizens, suspected of involvement in terrorism – including ‘material support’ (otherwise undefined) – can be imprisoned by the military on the authority of the president as commander in chief.”
  • President Obama declared passage of a major student-aid reform law yesterday. Will it help? Cato education expert Neal McCluskey calls it a mixed bag.
Topics:

Wednesday Links

  • Senate Judiciary Committee abandons hope of bringing any real change to the Patriot Act. Julian Sanchez in The Nation: “The Obama administration makes vague, reassuring noises about constraining executive power and protecting civil liberties, but then merrily adopts whatever appalling policy George W. Bush put in place.”

PATRIOT Powers: Roving Wiretaps

Last week, I wrote a piece for Reason in which I took a close look at the USA PATRIOT Act’s “lone wolf” provision—set to expire at the end of the year, though almost certain to be renewed—and argued that it should be allowed to lapse. Originally, I’d planned to survey the whole array of authorities that are either sunsetting or candidates for reform, but ultimately decided it made more sense to give a thorough treatment to one than trying to squeeze an inevitably shallow gloss on four or five complex areas of law into the same space. But the Internets are infinite, so I’ve decided I’d turn the Reason piece into Part I of a continuing series on PATRIOT powers.  In this edition: Section 206, roving wiretap authority.

The idea behind a roving wiretap should be familiar if you’ve ever watched The Wire, where dealers used disposable “burner” cell phones to evade police eavesdropping. A roving wiretap is used when a target is thought to be employing such measures to frustrate investigators, and allows the eavesdropper to quickly begin listening on whatever new phone line or Internet account his quarry may be using, without having to go back to a judge for a new warrant every time. Such authority has long existed for criminal investigations—that’s “Title III” wiretaps if you want to sound clever at cocktail parties—and pretty much everyone, including the staunchest civil liberties advocates, seems to agree that it also ought to be available for terror investigations under the Foreign Intelligence Surveillance Act. So what’s the problem here?

 

To understand the reasons for potential concern, we need to take a little detour into the differences between electronic surveillance warrants under Title III and FISA. The Fourth Amendment imposes two big requirements on criminal warrants: “probable cause” and “particularity”. That is, you need evidence that the surveillance you’re proposing has some connection to criminal activity, and you have to “particularly [describe] the place to be searched and the persons or things to be seized.” For an ordinary non-roving wiretap, that means you show a judge the “nexus” between evidence of a crime and a particular “place” (a phone line, an e-mail address, or a physical location you want to bug). You will often have a named target, but you don’t need one: If you have good evidence gang members are meeting in some location or routinely using a specific payphone to plan their crimes, you can get a warrant to bug it without necessarily knowing the names of the individuals who are going to show up. On the other hand, though, you do always need that criminal nexus: No bugging Tony Soprano’s AA meeting unless you have some reason to think he’s discussing his mob activity there. Since places and communications facilities may be used for both criminal and innocent persons, the officer monitoring the facility is only supposed to record what’s pertinent to the investigation.

When the tap goes roving, things obviously have to work a bit differently. For roving taps, the warrant shows a nexus between the suspected crime and an identified target. Then, as surveillance gets underway, the eavesdroppers can go up on a line once they’ve got a reasonable belief that the target is “proximate” to a location or communications facility. It stretches that “particularity” requirement a bit, to be sure, but the courts have thus far apparently considered it within bounds. It may help that they’re not used with great frequency: Eleven were issued last year, all to state-level investigators, for narcotics and racketeering investigations.

Surveillance law, however, is not plug-and-play. Importing a power from the Title III context into FISA is a little like dropping an unfamiliar organism into a new environment—the consequences are unpredictable, and may well be dramatic. The biggest relevant difference is that with FISA warrants, there’s always a “target”, and the “probable cause” showing is not of criminal activity, but of a connection between that target and a “foreign power,” which includes terror groups like Al Qaeda. However, for a variety of reasons, both regular and roving FISA warrants are allowed to provide only a description of the target, rather than the target’s identity. Perhaps just as important, FISA has a broader definition of the “person” to be specified as a “target” than Title III. For the purposes of criminal wiretaps, a “person” means any “individual, partnership, association, joint stock company, trust, or corporation.” The FISA definition of “person” includes all of those, but may also be any “group, entity, …or foreign power.” Some, then, worry that roving authority could be used to secure “John Doe” warrants that don’t specify a particular location, phone line, or Internet account—yet don’t sufficiently identify a particular target either. Congress took some steps to attempt to address such concerns when they reauthorized Section 206 back in 2005, and other legislators have proposed further changes—which I’ll get to in a minute. But we actually need to understand a few more things about the peculiarities of FISA wiretaps to see why the risk of overbroad collection is especially high here.

In part because courts have suggested that the constraints of the Fourth Amendment bind more loosely in the foreign intelligence context, FISA surveillance is generally far more sweeping in its acquisition of information. In 2004, the FBI gathered some 87 years worth of foreign language audio recordings alone pursuant to FISA warrants. As David Kris (now assistant attorney general for the Justice Department’s National Security Division) explains in his definitive text on the subject, a FISA warrant typically “permits aquisition of nearly all information from a monitored facility or a searched location.” (This may be somewhat more limited for roving taps; I’ll return to the point shortly.) As a rare public opinion from the FISA Court put it in 2002: “Virtually all information seized, whether by electronic surveillance or physical search, is minimized hours, days, or weeks after collection.” The way this is supposed to be squared with the Fourth Amendment rights of innocent Americans who may be swept up in such broad interception is via those “minimization” procedures, employed after the fact to filter out irrelevant information.

That puts a fairly serious burden on these minimization procedures, however, and it’s not clear that they well bear it. First, consider the standard applied. The FISA Court explains that “communications of or concerning United States persons that could not be foreign intelligence information or are not evidence of a crime… may not be logged or summarized” (emphasis added). This makes a certain amount of sense: FISA intercepts will often be in unfamiliar languages, foreign agents will often speak in coded language, and the significance of a particular statement may not be clear initially. But such a deferential standard does mean they’re retaining an awful lot of data. And indeed, it’s important to recognize that “minimization” does not mean “deletion,” as the Court’s reference to “logs” and “summaries” hints. Typically intercepts that are “minimized” simply aren’t logged for easy retrieval in a database. In the 80s, this may have been nearly as good for practical purposes as deletion; with the advent of powerful audio search algorithms capable of scanning many hours of recording quickly for particular words or voices, it may not make much difference. And we know that much more material than is officially “retained” remains available to agents. In the 2003 case U.S. v. Sattar, pursuant to FISA surveillance, “approximately 5,175 pertinent voice calls .. were not minimized.”  But when it came time for the discovery phase of a criminal trial against the FISA targets, the FBI “retrieved and disclosed to the defendants over 85,000 audio files … obtained through FISA surveillance.”

Cognizant of these concerns, Congress tried to add some safeguards in 2005 when they reauthorized the PATRIOT Act. FISA warrants are still permitted to work on descriptions of a target, but the word “specific” was added, presumably to reinforce that the description must be precise enough to uniquely pick out a person or group. They also stipulated that eavesdroppers must inform the FISA Court within ten days of any new facility they eavesdrop on, and explain the “facts justifying a belief that the target is using, or is about to use, that new facility or place.”

Better, to be sure; but without access to the classified opinions of the FISA Court, it’s quite difficult to know just what this means in practice. In criminal investigations, we have a reasonable idea of what the “proximity” standard for roving taps entails. Maybe a target checks into a hotel with a phone in the room, or a dealer is observed to walk up to a pay phone, or to buy a “burner.” It is much harder to guess how the “is using or is about to use” standard will be construed in light of FISA’s vastly broader presumption of sweeping up-front acquisition. Again, we know that the courts have been satisfied to place enormous weight on after-the-fact minimization of communications, and it seems inevitable that they will do so to an even greater extent when they only learn of a new tap ten days (or 60 days with good reason) after eavesdropping has commenced.

We also don’t know how much is built into that requirement that warrants name a “specific” target, and there’s a special problem here when surveillance roves across not only facilities but types of facility. Suppose, for instance, that a FISA warrant is issued for me, but investigators have somehow been unable to learn my identity. Among the data they have obtained for their description, however, are a photograph, a voiceprint from a recording of my phone conversation with a previous target, and the fact that I work at the Cato Institute. Now, this is surely sufficient to pick me out specifically for the purposes of a warrant initially meant for telephone or oral surveillance.  The voiceprint can be used to pluck all and only my conversations from the calls on Cato’s lines. But a description sufficient to specify a unique target in that context may not be sufficient in the context of, say, Internet surveillance, as certain elements of the description become irrelevant, and the remaining threaten to cover a much larger pool of people. Alternatively, if someone has a very unusual regional dialect, that may be sufficiently specific to pinpoint their voice in one location or community using a looser matching algorithm (perhaps because there is no actual recording, or it is brief or of low quality), but insufficient if they travel to another location where many more people have similar accents.

Russ Feingold (D-WI) has proposed amending the roving wiretap language so as to require that a roving tap identify the target. In fact, it’s not clear that this quite does the trick either. First, just conceptually, I don’t know that a sufficiently precise description can be distinguished from an “identity.” There’s an old and convoluted debate in the philosophy of language about whether proper names refer directly to their objects or rather are “disguised definite descriptions,” such that “Julian Sanchez” means “the person who is habitually called that by his friends, works at Cato, annoys others by singing along to Smiths songs incessantly…” and so on.  Whatever the right answer to that philosophical puzzle, clearly for the practical purposes at issue here, a name is just one more kind of description. And for roving taps, there’s the same kind of scope issue: Within Washington, DC, the name “Julian Sanchez” probably either picks me out uniquely or at least narrows the target pool down to a handful of people. In Spain or Latin America—or, more relevant for our purposes, in parts of the country with very large Hispanic communities—it’s a little like being “John Smith.”

This may all sound a bit fanciful. Surely sophisticated intelligence officers are not going to confuse Cato Research Fellow Julian Sanchez with, say, Duke University Multicultural Affairs Director Julian Sanchez? And of course, that is quite unlikely—I’ve picked an absurdly simplistic example for purposes of illustration. But there is quite a lot of evidence in the public record to suggest that intelligence investigations have taken advantage of new technologies to employ “targeting procedures” that do not fit our ordinary conception of how search warrants work. I mentioned voiceprint analysis above; keyword searches of both audio and text present another possibility.

We also know that individuals can often be uniquely identified by their pattern of social or communicative connections. For instance, researchers have found that they can take a completely anonymized “graph” of the social connections on a site like Facebook—basically giving everyone a name instead of a number, but preserving the pattern of who is friends with whom—and then use that graph to relink the numbers to names using the data of a differentbut overlapping social network like Flickr or Twitter. We know the same can be (and is) done with calling records—since in a sense your phone bill is a picture of another kind of social network. Using such methods of pattern analysis, investigators might determine when a new “burner” phone is being used by the same person they’d previously been targeting at another number, even if most or all of his contacts have alsoswitched phone numbers. Since, recall, the “person” who is the “target” of FISA surveillance may be a “group” or other “entity,” and since I don’t think Al Qaeda issues membership cards, the “description” of the target might consist of a pattern of connections thought to reliably distinguish those who are part of the group from those who merely have some casual link to another member.

This brings us to the final concern about roving surveillance under FISA. Criminal wiretaps are always eventually disclosed to their targets after the fact, and typically undertaken with a criminal trial in mind—a trial where defense lawyers will pore over the actions of investigators in search of any impropriety. FISA wiretaps are covert; the targets typically will never learn that they occurred. FISA judges and legislators may be informed, at least in a summary way, about what surveillance was undertaken and what targeting methods were used, but especially if those methods are of the technologically sophisticated type I alluded to above, they are likely to have little choice but to defer to investigators on questions of their accuracy and specificity. Even assuming total honesty by the investigators, judges may not think to question whether a method of pattern analysis that is precise and accurate when applied (say) within a single city or metro area will be as precise at the national level, or whether, given changing social behavior, a method that was precise last year will also be precise next year. Does it matter if an Internet service initially used by a few thousands—including, perhaps, surveillance targets—comes to be embraced by millions? Precisely because the surveillance is so secretive, it is incredibly hard to know which concerns are urgent and which are not really a problem, let alone how to think about addressing the ones that merit some legislative response.

I nevertheless intend to give it a shot in a broader paper on modern surveillance I’m working on, but for the moment I’ll just say: “It’s tricky.”  What is absolutely essential to take away from this, though, is that these loose and lazy analogies to roving wiretaps in criminal investigations are utterly unhelpful in thinking about the specific problems of roving FISA surveillance. That investigators have long been using “these” powers under Title III is no answer at all to the questions that arise here. Legislators who invoke that fact as though it should soothe every civil libertarian brow are simply evading their responsibilities.