Tag: privacy

Want Privacy? Increase Government Surveillance!

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.”

Among the witnesses was Deputy Assistant Attorney General Jason Weinstein from the Department of Justice’s Criminal Division. Weinstein made a gallingly Orwellian pitch: If you want privacy protection, increase government surveillance.

From his written statement:

ISPs may choose not to store IP records, may adopt a network architecture that frustrates their ability to track IP assignments and network transactions back to a specific account or device, or may store records for only a very short period of time. In many cases, these records are the only evidence that allows us to investigate and assign culpability for crimes committed on the Internet. In 2006, forty-nine Attorneys General wrote to Congress to express “grave concern” about “the problem of insufficient data retention policies by Internet Service Providers.”

Without more customer data retention by ISPs, and without greater government access to this data, the government won’t be able to prosecute crimes, some of which threaten privacy, Weinstein said in his spoken comments.

So there you have it. Turn more data over to the government so we can protect your privacy. War is peace. Freedom is slavery.

Record Number of Americans Targeted by National Security Letters

The latest report to Congress on the Justice Department’s use of foreign intelligence surveillance powers has just been released, and it shows a truly stunning increase in the number of Americans whose sensitive phone, Internet, and banking records were obtained by the FBI — without judicial oversight — pursuant to National Security Letters. In 2009, a total of 14,788 NSL requests were issued targeting U.S. persons — a number that excludes requests for “basic subscriber information” as opposed to phone or e-mail logs — and 6,114 different Americans were affected by those demands for information. In 2010, the number of NSL requests targeting Americans rose to 24,287.

What’s really shocking, however, is the number of people affected. A whopping 14,212 American citizens and permanent residents had records of their financial, telephone, and online activity seized last year.  The previous record, set in 2005, was 9,475. Were you one of those 14,212? If so, what did the FBI get? Thanks to the gag orders that come with NSLs, you will almost certainly never get to find out. But even if the Bureau decides there’s no reason to continue investigating you, whatever data they obtained — lists of phone numbers, credit card purchases, financial transactions, e-mail correspondents, or IP addresses visited — are likely to remain in a massive government database indefinitely

This pattern suggests that the Bureau is doing broader but shallower investigation — sweeping more people into the information vacuum, but issuing fewer requests per person, presumably because the results of the initial request provide few grounds for further scrutiny.  Needless to say, the overwhelming majority of those people are not terrorists — and, indeed, are probably guilty of nothing more than a second- or third-degree connection to the subject of an investigation. Remember, as expiring Patriot Act provisions come up for reauthorization at the end of this month: These tools are fundamentally not about spying on terrorists. The government has always had ample power to do that. They’re about authority to spy on the innocent.

The ‘Privacy Bill of Rights’ Is in the Bill of Rights

Every lover of liberty and the Constitution should be offended by the moniker “Privacy Bill of Rights” appended to regulatory legislation Senators John Kerry (D-MA) and John McCain (R-AZ) introduced yesterday. As C|Net’s Declan McCullagh points out, the legislation exempts the federal government and law enforcement:

[T]he measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.

The real “Privacy Bill of Rights” is in the Bill of Rights. It’s the Fourth Amendment.

It takes a lot of gall to put the moniker “Privacy Bill of Rights” on legislation that reduces liberty in the information economy while the Fourth Amendment remains tattered and threadbare. Nevermind “reasonable expectations”: the people’s right to be secure against unreasonable searches and seizures is worn down to the nub.

Senators Kerry and McCain should look into the privacy consequences of the Internal Revenue Code. How is privacy going to fare under Obamacare? How is the Department of Homeland Security doing with its privacy efforts? What is an “administrative search”?

McCullagh was good enough to quote yours truly on the new effort from Sens. Kerry and McCain: “If they want to lead on the privacy issue, they’ll lead by getting the federal government’s house in order.”

Surveillance, San Francisco-Style

San Francisco’s Entertainment Commission will soon be considering a jaw-dropping attack on privacy and free assembly. Here are some of the rules the Commission may adopt for any gathering of people expected to reach 100 or more:

3. All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request.

4. High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded data base for no less than fifteen (15 days) and made available to local law enforcement upon request.

Would you recognize a police state if you lived in one? How about a police city? The First Amendment right to peaceably assemble takes a big step back when your identity data and appearance are captured for law enforcement to use at whim simply because you showed up. (ht: PrivacyActivism.org)

Blurry Lines, Discrete Acts, and Government Searches

I’ve written before about the “Mosaic Theory” some courts have recently employed to conclude that certain forms of government surveillance may trigger Fourth Amendment protection in the aggregate, even if the surveillance can be broken down into components that don’t fall under the traditional definition of a Fourth Amendment “search.” This has been applied specifically to high-tech forms of location tracking, where several judges have concluded that a person may have a privacy interest in the totality of their public movements over a long period of time, even though observing a person at any particular public place in a specific instance is not an intrusion on privacy. I’ve explained in that previous post why I find this reasoning compelling. Legal scholar Orin Kerr, however, remains unmoved, and suggests that divergent decisions applying the Mosaic Theory to government acquisition of stored cell phone location records effectively serve as a reductio of that theory:

To my mind, this opinion reveals the absurdity of Maynard’s mosaic theory. The analysis is all “look ma, no hands.” No one knows where the line is, or even what the line is. Sure, you could just count days of surveillance: perhaps 30 days triggers a warrant but 29 days doesn’t. But there is no reason the access to records has to be continuous. The government can skip around days, or get records from a few days here and a few days there. Who can tell how much is enough? No one knows what is revealing, because what is revealing depends on what the records actually say — and no one but the phone companies know what they say. So Judge Orenstein has to wing it, announcing that “he cannot assume” that the information would be revealing because it has breaks in time. But it’s not clear to me why the break in time matters: It’s the same net amount of data collected, so I don’t know why it matters if it was collected all at once or over several discrete periods. And how much of a break matters? If 21 days is too long, is 21 days with a one-day break enough? How about a 3-day break? One week? No one knows, it seems, not even the judge himself. [….]

There are some readers who will say that the cause of justice sometimes requires hard decisions, and that if judges need to make arbitrary calls like that, then that is what we pay them to do in order to enforce the Constitution. But as I see it, the oddity of the inquiries called for by the Maynard mosaic theory shows why it is not part of the Constitution at all. In Fourth Amendment law, the lawfulness of government conduct has always been viewed discretely: Each government act is either a search or it is not a search. Under Maynard, conduct can be a non-search if viewed in isolation but a search if viewed in context — but there is no guide to tell how much context is proper. If you want to say that certain conduct is a search, then just be direct and say it’s a search. That’s fine. But a mosaic theory, in which non-searches become searches if grouped a particular way, has no proper place in Fourth Amendment law.

Orin’s point about the seeming arbitrariness of these determinations—and the difficulties it presents to police officers who need a rule to rely on—is certainly well taken. The problem is, the government is always going to have substantial control over how any particular effort at information gathering is broken into “acts” that the courts are bound to view “discretely.” If technology makes it easy to synthesize distinct pieces of information, and Fourth Amendment scrutiny is concerned exclusively with whether each particular “act” of information acquisition constitutes a search, the government ends up with substantial ability to game the system by structuring its information gathering as a series of acquisitions, each individually below the threshold.

Let’s consider a concrete case involving location monitoring. Under the Supreme Court’s ruling in United States v. Karo, technological location monitoring does count as a Fourth Amendment search requiring a warrant when it reveals information about where the tracking device is located within a private place, such as a home. On this theory, if the police want to be able to pinpoint a target’s location with sufficient precision to be able to tell when he goes from the garage on one side of the house to the bedroom at the other end, they’ll need a full blown search warrant. If they just want to know the general area the target is in—which cellular tower the phone is closest to, for instance—a subpoena or another less demanding form of court order might be sufficient.

There are, however, several methods of determining a phone’s precise location by triangulation, using data from multiple cell towers—and many cell networks use these methods to provide location services. The records from any one cell tower only yield a very general radius within which each phone registered at that tower can be presumed to be located. Combine the records from the three nearest towers, however, along with some measurements of signal strength and timing, and in an urban area where towers are relatively densely packed, you can often pinpoint the phone within a few meters.

Let’s suppose, then, that existing doctrine would require a warrant if police plan to go to the phone company and say: “We want you to triangulate the precise location of this phone for us over the past month, including at times when our suspect was at home.” What a hassle! They’ve got an out, though: They can issue separate requests for the records from each tower, then combine the data and do the triangulation themselves. As long as each request “viewed discretely” doesn’t yield enough information to pinpoint the phone within the home, there’s no search!

I don’t mean to suggest that, in practice, police are likely to use this particular method to circumvent the warrant requirement—though I wouldn’t be shocked either. But I think the example illustrates a problem with Orin’s categorical insistence on making the binary search/no-search determination only with respect to isolated “acts” of government, when the government itself controls how its monitoring is distributed across discrete acts.

Here’s another example, and one where I think there is a very real possibility that investigators are able, in practice, to game the standards governing electronic surveillance. According to the Justice Department’s U.S. Attorneys Manual, a “pen register” (which can be obtained much more easily than a search warrant) can be used to obtain general information about the domains or IP addresses a target is visiting, but not what particular pages somebody is reading. The idea is that there’s a sharp Fourth Amendment distinction between the “content” of a communication—its “meaning or purport”—and the non-content transactional information, such as the phone number or IP address, which tells you something about who is communicating, but not what is communicated. But there’s a loophole:

This policy does not apply to applications for pen register orders that would merely authorize collection of Internet Protocol (IP) addresses, even if such IP addresses can be readily translated into URLs or portions of URLs. Similarly, this policy does not apply to the collection, at a web server, of tracing information indicating the source of requests to view a particular URL using a trap and trace order.

Emphasis added. Roughly translated, this means that the government can obtain records showing that I accessed (say) the IP address of a particular political Web site, but not which specific articles I was reading. However, they may be able to separately go to that site and request the transactional logs for each article, then search through those to determine which articles were sent to me.

It seems very likely that technology will increasingly permit this kind of multi-step searching, perhaps in ways we can’t yet predict. For all that Orin is right to worry about the practical difficulty of determining how to group discrete acts of information gathering, the consequences of dogmatically insisting on evaluating each “act” in isolation seem equally absurd if it implies that the government will have the practical ability to transform a Fourth Amendment “search” into an unregulated (or much less regulated) “non-search” just by breaking it into smaller pieces.

Julian Sanchez Talks Online Privacy on Monday, March 28 at 1pm ET on Facebook

Please join us this coming Monday, March 28 at 1pm Eastern on our Facebook page for a live video presentation, powered by Livestream, from Cato research fellow Julian Sanchez on the current state of online privacy policy.

Here is a brief list of topics he’ll cover:

  • An update on current challenges to overturn FISA, and what it means for you and me if those challenges succeed or fail
  • How this relates to current and recent efforts to reauthorize the Patriot Act, including a recap of testimony Sanchez recently delivered to the U.S. Senate Subcommittee on Crime, Terrorism, and Homeland Security
  • What’s on the FBI’s surveillance wish list
  • Reflections on the idea of an “online privacy bill of rights

We hope you can join us next Monday at 1pm Eastern for this event. Be sure to log in to Livestream with your Facebook account so you can chat with each other and submit questions–we’ll try to take as many as we can.

Not a fan of the Cato Institute yet? Join us below:


Obama Administration to Take a Stand on Privacy, But it Ain’t Fixing the Strip-Search Machine Morass

At least one report has it that a Commerce Department official will announce the Obama administration’s support for “baseline privacy legislation” at a Wednesday Senate Commerce Committee hearing.

You mean, like, the Fourth Amendment? If only it were so.

The action is in the House Government Reform Committee, which is holding a hearing on the Transportation Security Administration’s strip-search machines. What’s the administration’s “baseline privacy policy” on that?

I’ve already written two posts in the last year (1, 2) titled “Physician, Heal Thyself”…