Tag: privacy

NSA Spying and a National ID Are Peas in a Pod and You Should Eat Your Peas

That’s the upshot of a column by Froma Harrop appearing in the Seattle Times.

“Arguments leveled against Real ID are being recycled to bash the National Security Agency’s surveillance program,” she writes. “They inevitably lead to the assumption that the government is up to no good.”

Well, … yes.

The argument against creating a U.S. national ID is that its cost in dollars and privacy are greater than the tiny margin of security they might provide. Over years, I’ve pointed out that spending billions of dollars to herd law-abiding Americans into a national ID system might mildly inconvenience any terrorists. It’s not worth doing.

That idea—that security measures should be cost-effective—is wisely ‘recycled’ for use with respect to the NSA’s program to gather data about every call made in the United States. Doing so doesn’t provide a margin of security worth the cost in dollars, privacy, and menace to liberty.

When the government wastes our money, privacy, and liberty on programs that don’t provide a sufficient margin of security, that is bad. That is government “up to no good.”

The states asked to implement our national ID law rejected it because, in the disorganized way our federal republic makes decisions, it was decided that REAL ID does not pass muster. (Some states and national ID advocate groups continue to press forward with it, a subject on which I’ll say more soon.)

In a similarly messy process, the organs of democracy are finding that the NSA’s programs—originally constructed and conducted in secrecy—do not pass muster either. We’re rightly pushing this plate of peas away.

…In Which Katz Is Not Cited

The Supreme Court is gradually coming to terms with the effect information technology is having on the Fourth Amendment. In 2001, the Kyllo court curtailed the use of high-tech devices for searching homes. In its early 2012 decision in United States v. Jones, a unanimous Court agreed that government agents can’t attach a GPS device to a vehicle and track it for four weeks without a warrant.

But the Court was divided as to rationale. The majority opinion in Jones found (consistent with Cato’s brief) that attaching the device to the car was at the heart of the Fourth Amendment violation. Four concurring members of the Court felt that the government’s tracking violated a “reasonable expectation of privacy.”

What is the right way to decide these cases? Fourth Amendment law is at a crossroads.

The next round of development in Fourth Amendment law may come in a pair of cases being argued in April. They ask whether government agents are entitled to search the cell phone of someone they’ve arrested merely because the phone has been properly seized. Riley v. California and Wurie v. United States have slightly different fact patterns, which should allow the fullest exposition of the issues.

Cato’s brief in Riley, filed this week, again seeks to guide the Court toward using time-tested principles in Fourth Amendment cases. Rather than vague pronouncements about privacy and people’s expectations around it, we invite the Court to apply the Fourth Amendment as a law.

VMT Fees Yes — V2V No

The National Highway Traffic Safety Administration (NHTSA) says it wants to require auto makers to include vehicle-to-vehicle (V2V) communications systems in all new cars. Calling V2V “the next generation of auto safety improvements,” the agency says such devices would “improve safety by allowing vehicles to “talk” to each other and ultimately avoid many crashes altogether by exchanging basic safety data, such as speed and position, ten times per second.”

The government wants every vehicle on the road to transmit its location to every other nearby vehicle–as well as any other receivers that happen to be in range.

Supposedly, “the system as contemplated contains several layers of security and privacy protection.” However, privacy advocates should be far more suspicious of V2V than of electronic vehicle-mile fee systems. The big difference between them is that V2V by definition incorporates both a receiver and a transmitter, while it is possible to design vehicle-mile fee systems that do not include wireless transmitters. No transmitter means no invasion of privacy is possible; on the other hand, despite whatever privacy protection is included in V2V, a transmitter necessarily allows someone to receive the signal.

Perhaps the biggest argument against V2V is that it will soon be obsolete as a safety device, so mandating that it be included in cars adds an unnecessary expense to auto buyers. According to the NHTSA, V2V will “provide warnings to drivers so that they can prevent imminent collisions” but “not automatically operate any vehicle systems, such as braking or steering.” Yet many cars on the market today, such as the Ford Fusion shown above, do this and more solely with built-in radar or other sensors rather than V2V transmitters. Moreover, the occupants of such cars are safer even if no other car on the road has those sensors, which isn’t true of a V2V system.

The Ford Fusion is a mid-priced car that has numerous built-in radar sensors that can detect and warn drivers of potential collisions, even braking if necessary to avoid accidents–all without V2V transmissions.

Moreover, as contemplated by the NHTSA, V2V will not be mandated in cars before 2018 at the earliest. Yet the kind of self-driving cars that Nissan and other companies expect to have on the market by 2020 will use radar, infrared, lasers, or other means to detect all other vehicles on the road without transmitting any signals themselves. They would get no benefit from a wireless V2V system.

If systems that are already being included in more and more new cars work as well, if not better, than V2V, then why have V2V at all? It is worth noting that self-driving cars are coming from the private sector, while the National Highway Traffic Safety Administration has expressed a go-slow attitude. Meanwhile, the push to mandate V2V comes from government agencies, both here and in Europe. I suspect governments are more interested in technologies that centralize transportation and communications, while private manufacturers are supporting technologies that promote decentralization.

In any case, it will be interesting to see if privacy groups protest this plan as loudly as they do proposals for vehicle-mile fees. Those who don’t may be using privacy concerns to cover their reluctance to paying the full cost of the roads they use. But, where VMT fees are an important step to using markets, rather than politics, to manage transportation systems, V2V is both a potential invasion of privacy and a waste of money.

Good First Steps, But Real Surveillance Reform Will Require More

The president’s speech on surveillance today proposed some welcome first steps toward appropriately limiting an expanding surveillance state — notably, an end to the NSA’s bulk phone metadata program in its current form, and a recognition that judges, not NSA analysts, must determine whose records will be scrutinized.

The details are important, however. Obama’s speech left open the possibility that bulk collection might continue with some third party — which would in effect be an arm of government — as a custodian. If records are left with phone carriers, on the other hand, it’s important to resist any new legal mandate that would require longer or more extensive retention of private data than ordinary business purposes require.

It was disappointing, however, to see that many of the recommendations offered by Obama’s own Surveillance Review Group were either neglected or specifically rejected. While the unconstitutional permanent gag orders attached to National Security Letters will be time-limited, they will continue to be issued by FBI agents, not judges, for sensitive financial and communications records.

Nor did the president address NSA’s myopic efforts to degrade the security of the Internet by compromising the encryption systems relied on by millions of innocent users. And it is also important to realize that changing one controversial program doesn’t alter the broader section 215 authority, which can still be used to collect other types of records in bulk—and for all we know, may already be used for that purpose.

Most fundamentally, Congress must now act to cement these reforms in legislation — and to extend them —to ensure safeguards implemented by one president cannot be secretly undone by another.

Ratifying NSA Spying, a Court Calls FISA ‘Courts’ Into Question

Two weeks ago, when D.C. District judge Richard Leon ruled that mass government surveillance of Americans’ telephone calling was likely unconstitutional, there was some well-poisoning about his opinion being “passionate.” The implication, of course, was that he was not being suitably judicial. The same could be said of this week’s ruling by Judge Pauley of the U.S. District Court in New York. When the first sentence intones: “The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is,” and when the first citation is a “See generally” to the 9/11 Commission report, these are not signs that you’re about to get dispassionate application of law to facts.

Judge Pauley’s use of the 9/11 Commission report to argue that NSA data collection could have foiled the 9/11 plot is belied by the report’s clear statement with respect to Khalid Al-Mihdhar: “No one was looking for him.” (page 269) In our paper, “Effective Counterterrorism and the Limited Role of Predictive Data Mining,” Jeff Jonas and I detailed ways many of the 9/11 terrorists could have been found had anyone been looking. The argument that NSA spying would have prevented 9/11 is not a strong one.

But passions pitted against one another is just one of the symmetries between the two rulings. Judge Leon distinguished Smith v. Maryland. He believes that the Supreme Court case allowing the use of phone call information to convict a suspected burglar and obscene phone caller does not ratify the collection of phone calling information about every innocent American. Judge Pauley treated Smith v. Maryland as controlling. If one burglar in Baltimore doesn’t have a Fourth Amendment interest in his phone calling data, 200 million Americans don’t either. We have appeals to sort these things out, and Judge Pauley’s ruling makes it more likely that such an appeal will reach the Supreme Court, which is good.

The interesting thing in Judge Pauley’s ruling is ammunition he offers to critics of the panels of judges created by the Foreign Intelligence Surveillance Act. People often refer to them as the “Foreign Intelligence Surveillance Court” or “FISC.”

While the FISC is composed of Article III judges, it operates unlike any other Article III court. Proceedings in Article III courts are public. And the public enjoys a “general right to inspect and copy public records and documents, including judicial records and documents.” (citation omitted) “The presumption of access is based on the need for federal courts, although independent—indeed, particularly because they are independent—to have a measure of accountability and for the public to have confidence in the administration of justice.” (citation omitted)

Later, he writes:

The two declassified FISC decisions authorizing bulk metadata collection do not discuss several of the ACLU’s arugments. They were issued on the basis of ex parte applications by the government without the benefit of the excellent briefing submitted to this Court by the Governent, the ACLU, and amici curiae. There is no question that judges operate best in an adversarial system. “The value of a judicial proceeding … is substantially diluted where the process is ex parte, because the Court does not have available the fundamental instrument for judicial judgment: an adversary proceeding in which both parties may participate.” (citation omitted) … As FISA has evolved and Congress has loosened its individual suspicion requirements, the FISC has been tasked with delineating the limits of the Government’s surveillance power, issuing secret decision [sic] without the benefit of adversarial process. Its ex parte procedures are necessary to retain secrecy but are not ideal for interpreting statutes.

This echoes an argument Randy Barnett and I offered in our brief to the Supreme Court about NSA spying. These so-called ‘courts’ that administer NSA spy programs lack many of the hallmarks of a true court, and their use to dispose of rights that protect our privacy is a violation of due process.

There will be much more to come in the judicial path of the NSA spying debate. The legitimacy of FISA panels should be a part of that discussion.

Reviewing the Review Group: Practice What You Preach

The “President’s Review Group on Intelligence and Communications Technologies” has issued their report. Convened in late summer to advise the president on what to do in the wake of the Snowden revelations (without mentioning Snowden), the group was rightly criticized for its ‘insider’ composition. The report has beaten the privacy community’s low expectations, which is good news. It advances a discussion that began in June and that will continue for years.

Some observations:

- Contrary to expectations, the report is outside the White House’s “comfort zone.” That’s good, because, as noted, this group could easily have decided to ratify the status quo, handing the administration and the National Security Agency a minor victory. The report positioned Senate Judiciary Committee chairman Patrick Leahy (D-VT) to say: “The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far.”

- There is no reason to treat the report as a reform “bible.” This was a problem with the 9/11 Commission report, for example, which was held up as sacrosanct even when it was wrong. The Review Group report is right about some things, such as eliminating administratively issued National Security Letters, it is wrong about some things, and it omits some key issues, such as the government-wide penchant for secrecy that created the current problems.

- Weaknesses are more interesting than strengths, and a particular weakness of the report is its call for retaining the phone calling surveillance program. Recommendation Five calls for legislation that “terminates the storage of bulk telephony meta-data by the government under [USA-PATRIOT Act] section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” The debate over data retention mandates ended some years ago, and the government was denied this power. The NSA’s illegal excesses should not be rewarded by giving it authorities that public policy previously denied it. Outsourcing dragnet surveillance does not cure its constitutional and other ills.

- The data retention recommendation is in conflict with another part of the report, which calls for risk management and cost-benefit analysis. “The central task,” the report says, “is one of risk management.” So let’s discuss that: Gathering data about every phone call made in the United States and retaining it for years produces only tiny slivers of security benefit, the NSA’s unsupported claims to the contrary notwithstanding. Considering dollar costs alone, it almost certainly fails a cost-benefit test. If you include the privacy costs, the failure of this program to manage security risks effectively is more clear. The Review Group’s conclusion about communications surveillance is inconsistent with its welcome promotion of risk management.

Most legal scholars and most civil liberties and privacy advocates punt on security questions, conceding the existence of a significant threats, however undefined and amorphous. They disable themselves from arguing persuasively about what is “reasonable” for Fourth Amendment purposes. Concessions like these also prevent one from conducting valid risk management and cost-benefit analysis. Some of us here at Cato don’t shy from examining the security issues, and we do pretty darn good risk management. The Review Group should practice what it preaches if it’s going to preach what we practice!

D.C. Court: Smith Is Not Good Law

In debates about the NSA’s mass surveillance of all our phone calling, pro-government lawyers have often tried to play a trump card called Smith v. Maryland. Smith is a 1978 Supreme Court decision as right for our times as laws requiring public buildings to provide spittoons. But lawyering rightly relies heavily on precedent, so there it was, the argument that people don’t have a constitutional interest in data about their phone calling because a suspected burglar and obscene phone-caller didn’t have such an interest back in 1976.

D.C. district court judge Richard Leon ruled today that Smith is not an appropriate precedent for considering the constitutionality of the NSA’s mass surveillance program. “[T]he Smith pen register and the ongoing NSA Bulk Telephony Metadata Program,” he concluded, “have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones.”

When phone calling was home- or office-bound and relatively rare, people’s interest in the information about their calling was not as great as it is today. Cell phones now accompany most people everywhere they go every single day. “[T]he ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people’s lives.” (emphases omitted)

Judge Leon applied the “reasonable expectation of privacy” test in finding that he is likely to determine that the NSA’s data seizures are a Fourth Amendment violation, even though that standard has been thrown into doubt by recent Supreme Court decisions. But what is important is that his decision breaks the circular logic adopted by the panels of judges ratifying mass domestic surveillance under the Foreign Intelligence Surveillance Act. These panels believed they could act in secret because of the premise that Americans don’t have a constitutional interest in data about their calls. Their secret operations barred Americans from contesting that premise. And the band played on. Until someone leaked this mass domestic spying to the public.

Judge Leon’s assessment of the government’s interest is notable. He picked up on the fact that the government’s collection of data about all our calls is simply to make things a little quicker when they want to do an investigation.

“[T]he Government’s interest,” he writes, “is not merely to investigate potential terrorists, but rather, to do so faster than other methods might allow. … Yet … the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.” (emphases omitted)

Databasing of all our calls is a convenience and not a necessity. That stacks up poorly against the privacy costs all Americans suffer by having their phone-calling catalogued in government databases.

There will almost certainly be an appeal, and there will be more cases coming up through the courts that explore the many dimensions of this issue. But now we can tell our lawyer friends who have been a little too slavish to precedent that Smith v. Maryland is not good law.