Tag: privacy

Reviewing the Review Group: Practice What You Preach

The “President’s Review Group on Intelligence and Communications Technologies” has issued their report. Convened in late summer to advise the president on what to do in the wake of the Snowden revelations (without mentioning Snowden), the group was rightly criticized for its ‘insider’ composition. The report has beaten the privacy community’s low expectations, which is good news. It advances a discussion that began in June and that will continue for years.

Some observations:

- Contrary to expectations, the report is outside the White House’s “comfort zone.” That’s good, because, as noted, this group could easily have decided to ratify the status quo, handing the administration and the National Security Agency a minor victory. The report positioned Senate Judiciary Committee chairman Patrick Leahy (D-VT) to say: “The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far.”

- There is no reason to treat the report as a reform “bible.” This was a problem with the 9/11 Commission report, for example, which was held up as sacrosanct even when it was wrong. The Review Group report is right about some things, such as eliminating administratively issued National Security Letters, it is wrong about some things, and it omits some key issues, such as the government-wide penchant for secrecy that created the current problems.

- Weaknesses are more interesting than strengths, and a particular weakness of the report is its call for retaining the phone calling surveillance program. Recommendation Five calls for legislation that “terminates the storage of bulk telephony meta-data by the government under [USA-PATRIOT Act] section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” The debate over data retention mandates ended some years ago, and the government was denied this power. The NSA’s illegal excesses should not be rewarded by giving it authorities that public policy previously denied it. Outsourcing dragnet surveillance does not cure its constitutional and other ills.

- The data retention recommendation is in conflict with another part of the report, which calls for risk management and cost-benefit analysis. “The central task,” the report says, “is one of risk management.” So let’s discuss that: Gathering data about every phone call made in the United States and retaining it for years produces only tiny slivers of security benefit, the NSA’s unsupported claims to the contrary notwithstanding. Considering dollar costs alone, it almost certainly fails a cost-benefit test. If you include the privacy costs, the failure of this program to manage security risks effectively is more clear. The Review Group’s conclusion about communications surveillance is inconsistent with its welcome promotion of risk management.

Most legal scholars and most civil liberties and privacy advocates punt on security questions, conceding the existence of significant threats, however undefined and amorphous. They disable themselves from arguing persuasively about what is “reasonable” for Fourth Amendment purposes. Concessions like these also prevent one from conducting valid risk management and cost-benefit analysis. Some of us here at Cato don’t shy from examining the security issues, and we do pretty darn good risk management. The Review Group should practice what it preaches if it’s going to preach what we practice!

D.C. Court: Smith Is Not Good Law

In debates about the NSA’s mass surveillance of all our phone calling, pro-government lawyers have often tried to play a trump card called Smith v. Maryland. Smith is a 1978 Supreme Court decision as right for our times as laws requiring public buildings to provide spittoons. But lawyering rightly relies heavily on precedent, so there it was, the argument that people don’t have a constitutional interest in data about their phone calling because a suspected burglar and obscene phone-caller didn’t have such an interest back in 1976.

D.C. district court judge Richard Leon ruled today that Smith is not an appropriate precedent for considering the constitutionality of the NSA’s mass surveillance program. “[T]he Smith pen register and the ongoing NSA Bulk Telephony Metadata Program,” he concluded, “have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones.”

When phone calling was home- or office-bound and relatively rare, people’s interest in the information about their calling was not as great as it is today. Cell phones now accompany most people everywhere they go every single day. “[T]he ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people’s lives.” (emphases omitted)

Judge Leon applied the “reasonable expectation of privacy” test in finding that he is likely to determine that the NSA’s data seizures are a Fourth Amendment violation, even though that standard has been thrown into doubt by recent Supreme Court decisions. But what is important is that his decision breaks the circular logic adopted by the panels of judges ratifying mass domestic surveillance under the Foreign Intelligence Surveillance Act. These panels believed they could act in secret because of the premise that Americans don’t have a constitutional interest in data about their calls. Their secret operations barred Americans from contesting that premise. And the band played on. Until someone leaked this mass domestic spying to the public.

Judge Leon’s assessment of the government’s interest is notable. He picked up on the fact that the government’s collection of data about all our calls is simply to make things a little quicker when they want to do an investigation.

“[T]he Government’s interest,” he writes, “is not merely to investigate potential terrorists, but rather, to do so faster than other methods might allow. … Yet … the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.” (emphases omitted)

Databasing of all our calls is a convenience and not a necessity. That stacks up poorly against the privacy costs all Americans suffer by having their phone-calling catalogued in government databases.

There will almost certainly be an appeal, and there will be more cases coming up through the courts that explore the many dimensions of this issue. But now we can tell our lawyer friends who have been a little too slavish to precedent that Smith v. Maryland is not good law.

Ohio Backs off of REAL ID

Sometimes there are setbacks to the efforts of the Department of Homeland Security, the American Association of Motor Vehicle Administrators, and state motor vehicle bureaucrats to quietly knit together a national ID. If this story is true, Ohio appears to be breaking with the national ID plan.

What’s remarkable about this case is Ohio’s recognition that the federal government will never act on the threat that TSA will refuse drivers’ licenses and IDs from states that decline to implement the REAL ID Act.

Ohio is among a growing number of states that are refusing to comply with federal standards intended to toughen access to driver’s licenses. … The states are betting that federal officials do not implement plans to accept only “Gold Star” licenses as proof of identity to fly on commercial flights or to enter federal buildings and courthouses. “We’re not so sure the federal government” will only honor IDs that meet its requirements, [Ohio Department of Public Safety spokesman Joe] Andrews said.

Time was when states fell in line at the suggestion of this federal government threat. Eight-and-a-half years after REAL ID became law, the states may be recognizing the inability of the feds to coerce them into implementing their national ID.

If You Think Smith v. Maryland Permits Mass Surveillance, You Haven’t Read Smith v. Maryland

… and you’re not following developments in Fourth Amendment law.

Jeffrey Toobin is the latest to claim that Smith v. Maryland settles the Fourth Amendment issues around the National Security Agency’s acquisition of data about every call made in the United States. He even links to the text of the decision in a recent blog post.

The majority opinion in Smith did say that people don’t have a reasonable expectation of privacy in phone records, but that rationale is weak, and the facts of Smith are inapposite to the present controversy. I think that’s easily gathered from reading the case with awareness of legal currents.

Here’s what happened in Smith:

On March 5, 1976, in Baltimore, Md., Patricia McDonough was robbed. She gave the police a description of the robber and of a 1975 Monte Carlo automobile she had observed near the scene of the crime. After the robbery, McDonough began receiving threatening and obscene phone calls from a man identifying himself as the robber. On one occasion, the caller asked that she step out on her front porch; she did so, and saw the 1975 Monte Carlo she had earlier described to police moving slowly past her home. On March 16, police spotted a man who met McDonough’s description driving a 1975 Monte Carlo in her neighborhood. By tracing the license plate number, police learned that the car was registered in the name of petitioner, Michael Lee Smith.

The next day, the telephone company, at police request, installed a pen register at its central offices to record the numbers dialed from the telephone at petitioner’s home. The police did not get a warrant or court order before having the pen register installed. The register revealed that on March 17 a call was placed from petitioner’s home to McDonough’s phone. On the basis of this and other evidence, the police obtained a warrant to search petitioner’s residence. The search revealed that a page in petitioner’s phone book was turned down to the name and number of Patricia McDonough; the phone book was seized. Petitioner was arrested, and a six-man lineup was held on March 19. McDonough identified petitioner as the man who had robbed her. (citations omitted)

Nat Hentoff on the NSA and Privacy

Today’s Washington Post reports that the National Security Agency violated the rules on domestic surveillance thousands of times a year since Congress granted the agency broader surveillance powers in 2008. Note this revelation did not come to light because of forthright disclosure from the professionals that run the agency, the congressional oversight committees, or the FISA court. Rather, whistleblower Edward Snowden provided this information to the Post. The U.S. government has made it clear that it wants Snowden locked away in a prison cell incommunicado.

Over at the Wall Street Journal, Peggy Noonan interviewed Cato senior fellow Nat Hentoff about the implications of the surveillance state. Here’s an excerpt:

A loss of the expectation of privacy in communications is a loss of something personal and intimate, and it will have broader implications. That is the view of Nat Hentoff, the great journalist and civil libertarian. He is 88 now and on fire on the issue of privacy. “The media has awakened,” he told me. “Congress has awakened, to some extent.” Both are beginning to realize “that there are particular constitutional liberty rights that [Americans] have that distinguish them from all other people, and one of them is privacy”…

He wonders if Americans know who they are compared to what the Constitution says they are.

Mr. Hentoff’s second point: An entrenched surveillance state will change and distort the balance that allows free government to function successfully. Broad and intrusive surveillance will, definitively, put government in charge. But a republic only works, Mr. Hentoff notes, if public officials know that they—and the government itself—answer to the citizens. It doesn’t work, and is distorted, if the citizens must answer to the government. And that will happen more and more if the government knows—and you know—that the government has something, or some things, on you. “The bad thing is you no longer have the one thing we’re supposed to have as Americans living in a self-governing republic,” Mr. Hentoff said. “The people we elect are not your bosses, they are responsible to us.” They must answer to us. But if they increasingly control our privacy, “suddenly they’re in charge if they know what you’re thinking.”

This is a shift in the democratic dynamic. “If we don’t have free speech then what can we do if the people who govern us have no respect for us, may indeed make life difficult for us, and in fact belittle us?”

More thoughts from Nat Hentoff here.

NSA Spying in the Courts

The National Security Agency’s collection of every American’s telephone dialing information is hotly contested in the court of public opinion and in Congress. It is now seeing its first test in the courts since its existence was revealed.

The Electronic Privacy Information Center, arguing that it has no other recourse, has filed an extraordinary appeal to the Supreme Court of the order requiring Verizon to turn over telephone calling information en masse to the government. EPIC is a Verizon customer that communicates by telephone with confidential sources, government officials, and its legal counsel.

Cato senior fellow and Georgetown University law professor Randy Barnett joined me this week on a brief to the Court urging it to accept the case so it can resolve statutory and constitutional issues that have “precipitated a juridical privacy crisis.”

The brief first argues that the Foreign Intelligence Surveillance Act does not authorize a sweeping warrant for all communications data. The law requires such a warrant to show relevance to an existing investigation, which is impossible when the data is gathered in support of future, entirely speculative investigations. Not only the text of the statute, but Congress’s intent and the structure of the statute support this interpretation.

Idaho Cooperates with Homeland Security on National ID

In June 2011, I noted here how a new cardless national ID system was forming up using state driver license data. It hasn’t gone very far. Passage of an immigration reform bill containing a national E-Verify requirement would slam down the gas pedal.

But a few days ago, Idaho became the third state in the union to sign up for the Department of Homeland Security’s RIDE (Records and Information from DMVs for E-Verify) program, which is administered by the ID-friendly American Association of Motor Vehicle Administrators. Idaho joins Mississippi and Florida in volunteering state driver information to the DHS.

As the full name of the program suggests, RIDE is an “add-on” to E-Verify, the government’s highly problematic system for “internal enforcement” of immigration law via government background checks. RIDE is intended to let the E-Verify system check the authenticity of driver licenses that are typically provided as one of the forms of ID during the broader verification process. E-Verify’s problems are legion—I documented them in my 2008 paper, “Franz Kafka’s Solution to Illegal Immigration”—and we highlighted them again on Capitol Hill in March.

Much like mass-scale license plate scanning, the RIDE program represents the application of technology and systems developed for one purpose to vastly different ones. The RIDE program takes state driver licensing data—which is for driver licensing and traffic law enforcement—and turns it over to the DHS for federal law enforcement and the creation of a national ID.

In 2007, Idaho was the second state in the nation to reject the REAL ID Act, our national ID law. The Idaho House and Senate passed a resolution condemning that effort to put all Americans into a national ID system. But the bureaucrats appear to have waited out the legislature. With most people’s attention elsewhere, the Idaho Transportation Department teamed up with DHS officials to move forward with a national ID.

After the DHS has tapped into Idahoans’ driver data, there is no guarantee that the uses of it would be limited to E-Verify. Mission creep is a law of gravity in government, and it’s likely over time that E-Verify and Idaho driver data will be put to new and interesting uses by the federal government. Expect the DHS to get a lot more familiar with you and your driver license data if mandatory E-Verify comes into effect and RIDE continues to grow.