Tag: privacy

Blurry Lines, Discrete Acts, and Government Searches

I’ve written before about the “Mosaic Theory” some courts have recently employed to conclude that certain forms of government surveillance may trigger Fourth Amendment protection in the aggregate, even if the surveillance can be broken down into components that don’t fall under the traditional definition of a Fourth Amendment “search.” This has been applied specifically to high-tech forms of location tracking, where several judges have concluded that a person may have a privacy interest in the totality of their public movements over a long period of time, even though observing a person at any particular public place in a specific instance is not an intrusion on privacy. I’ve explained in that previous post why I find this reasoning compelling. Legal scholar Orin Kerr, however, remains unmoved, and suggests that divergent decisions applying the Mosaic Theory to government acquisition of stored cell phone location records effectively serve as a reductio of that theory:

To my mind, this opinion reveals the absurdity of Maynard’s mosaic theory. The analysis is all “look ma, no hands.” No one knows where the line is, or even what the line is. Sure, you could just count days of surveillance: perhaps 30 days triggers a warrant but 29 days doesn’t. But there is no reason the access to records has to be continuous. The government can skip around days, or get records from a few days here and a few days there. Who can tell how much is enough? No one knows what is revealing, because what is revealing depends on what the records actually say — and no one but the phone companies know what they say. So Judge Orenstein has to wing it, announcing that “he cannot assume” that the information would be revealing because it has breaks in time. But it’s not clear to me why the break in time matters: It’s the same net amount of data collected, so I don’t know why it matters if it was collected all at once or over several discrete periods. And how much of a break matters? If 21 days is too long, is 21 days with a one-day break enough? How about a 3-day break? One week? No one knows, it seems, not even the judge himself. [….]

There are some readers who will say that the cause of justice sometimes requires hard decisions, and that if judges need to make arbitrary calls like that, then that is what we pay them to do in order to enforce the Constitution. But as I see it, the oddity of the inquiries called for by the Maynard mosaic theory shows why it is not part of the Constitution at all. In Fourth Amendment law, the lawfulness of government conduct has always been viewed discretely: Each government act is either a search or it is not a search. Under Maynard, conduct can be a non-search if viewed in isolation but a search if viewed in context — but there is no guide to tell how much context is proper. If you want to say that certain conduct is a search, then just be direct and say it’s a search. That’s fine. But a mosaic theory, in which non-searches become searches if grouped a particular way, has no proper place in Fourth Amendment law.

Orin’s point about the seeming arbitrariness of these determinations—and the difficulties it presents to police officers who need a rule to rely on—is certainly well taken. The problem is, the government is always going to have substantial control over how any particular effort at information gathering is broken into “acts” that the courts are bound to view “discretely.” If technology makes it easy to synthesize distinct pieces of information, and Fourth Amendment scrutiny is concerned exclusively with whether each particular “act” of information acquisition constitutes a search, the government ends up with substantial ability to game the system by structuring its information gathering as a series of acquisitions, each individually below the threshold.

Let’s consider a concrete case involving location monitoring. Under the Supreme Court’s ruling in United States v. Karo, technological location monitoring does count as a Fourth Amendment search requiring a warrant when it reveals information about where the tracking device is located within a private place, such as a home. On this theory, if the police want to be able to pinpoint a target’s location with sufficient precision to be able to tell when he goes from the garage on one side of the house to the bedroom at the other end, they’ll need a full-blown search warrant. If they just want to know the general area the target is in—which cellular tower the phone is closest to, for instance—a subpoena or another less demanding form of court order might be sufficient.

There are, however, several methods of determining a phone’s precise location by triangulation, using data from multiple cell towers—and many cell networks use these methods to provide location services. The records from any one cell tower only yield a very general radius within which each phone registered at that tower can be presumed to be located. Combine the records from the three nearest towers, however, along with some measurements of signal strength and timing, and in an urban area where towers are relatively densely packed, you can often pinpoint the phone within a few meters.

Let’s suppose, then, that existing doctrine would require a warrant if police plan to go to the phone company and say: “We want you to triangulate the precise location of this phone for us over the past month, including at times when our suspect was at home.” What a hassle! They’ve got an out, though: They can issue separate requests for the records from each tower, then combine the data and do the triangulation themselves. As long as each request “viewed discretely” doesn’t yield enough information to pinpoint the phone within the home, there’s no search!

I don’t mean to suggest that, in practice, police are likely to use this particular method to circumvent the warrant requirement—though I wouldn’t be shocked either. But I think the example illustrates a problem with Orin’s categorical insistence on making the binary search/no-search determination only with respect to isolated “acts” of government, when the government itself controls how its monitoring is distributed across discrete acts.

Here’s another example, and one where I think there is a very real possibility that investigators are able, in practice, to game the standards governing electronic surveillance. According to the Justice Department’s U.S. Attorneys Manual, a “pen register” (which can be obtained much more easily than a search warrant) can be used to obtain general information about the domains or IP addresses a target is visiting, but not what particular pages somebody is reading. The idea is that there’s a sharp Fourth Amendment distinction between the “content” of a communication—its “meaning or purport”—and the non-content transactional information, such as the phone number or IP address, which tells you something about who is communicating, but not what is communicated. But there’s a loophole:

This policy does not apply to applications for pen register orders that would merely authorize collection of Internet Protocol (IP) addresses, even if such IP addresses can be readily translated into URLs or portions of URLs. Similarly, this policy does not apply to the collection, at a web server, of tracing information indicating the source of requests to view a particular URL using a trap and trace order.

Emphasis added. Roughly translated, this means that the government can obtain records showing that I accessed (say) the IP address of a particular political Web site, but not which specific articles I was reading. However, they may be able to separately go to that site and request the transactional logs for each article, then search through those to determine which articles were sent to me.

It seems very likely that technology will increasingly permit this kind of multi-step searching, perhaps in ways we can’t yet predict. For all that Orin is right to worry about the practical difficulty of determining how to group discrete acts of information gathering, the consequences of dogmatically insisting on evaluating each “act” in isolation seem equally absurd if it implies that the government will have the practical ability to transform a Fourth Amendment “search” into an unregulated (or much less regulated) “non-search” just by breaking it into smaller pieces.

Julian Sanchez Talks Online Privacy on Monday, March 28 at 1pm ET on Facebook

Please join us this coming Monday, March 28 at 1pm Eastern on our Facebook page for a live video presentation, powered by Livestream, from Cato research fellow Julian Sanchez on the current state of online privacy policy.

Here is a brief list of topics he’ll cover:

  • An update on current challenges to overturn FISA, and what it means for you and me if those challenges succeed or fail
  • How this relates to current and recent efforts to reauthorize the Patriot Act, including a recap of testimony Sanchez recently delivered to the U.S. Senate Subcommittee on Crime, Terrorism, and Homeland Security
  • What’s on the FBI’s surveillance wish list
  • Reflections on the idea of an “online privacy bill of rights”

We hope you can join us next Monday at 1pm Eastern for this event. Be sure to log in to Livestream with your Facebook account so you can chat with each other and submit questions–we’ll try to take as many as we can.


Obama Administration to Take a Stand on Privacy, But it Ain’t Fixing the Strip-Search Machine Morass

At least one report has it that a Commerce Department official will announce the Obama administration’s support for “baseline privacy legislation” at a Wednesday Senate Commerce Committee hearing.

You mean, like, the Fourth Amendment? If only it were so.

The action is in the House Government Reform Committee, which is holding a hearing on the Transportation Security Administration’s strip-search machines. What’s the administration’s “baseline privacy policy” on that?

I’ve already written two posts in the last year (1, 2) titled “Physician, Heal Thyself”…

Good News! Online Tracking is Slightly Boring

You have to wade through a lot to reach the good news at the end of Time reporter Joel Stein’s article about “data mining”—or at least data collection and use—in the online world. There’s some fog right there: what he calls “data mining” is actually ordinary one-to-one correlation of bits of information, not mining historical data to generate patterns that are predictive of present-day behavior. (See my data mining paper with Jeff Jonas to learn more.) There is some data mining in and among the online advertising industry’s use of the data consumers emit online, of course.

Next, get over Stein’s introductory language about the “vast amount of data that’s being collected both online and off by companies in stealth.” That’s some kind of stealth if a reporter can write a thorough and informative article in Time magazine about it. Does the moon rise “in stealth” if you haven’t gone outside at night and looked at the sky? Perhaps so.

Now take a hard swallow as you read about Senator John Kerry’s (D-Mass.) plans for government regulation of the information economy.

Kerry is about to introduce a bill that would require companies to make sure all the stuff they know about you is secured from hackers and to let you inspect everything they have on you, correct any mistakes and opt out of being tracked. He is doing this because, he argues, “There’s no code of conduct. There’s no standard. There’s nothing that safeguards privacy and establishes rules of the road.”

Securing data from hackers and letting people correct mistakes in data about them are kind of equally opposite things. If you’re going to make data about people available to them, you’re going to create opportunities for other people—it won’t even take hacking skills, really—to impersonate them, gather private data, and scramble data sets.

If Senator Kerry’s argument for government regulation is that there aren’t yet “rules of the road” pointing us off that cliff, I’ll take market regulation. Drivers like you and me are constantly and spontaneously writing the rules through our actions and inactions, clicks and non-clicks, purchases and non-purchases.

There are other quibbles. “Your political donations, home value and address have always been public,” says Stein, “but you used to have to actually go to all these different places — courthouses, libraries, property-tax assessors’ offices — and request documents.”

This is correct insofar as it describes the modern decline in practical obscurity. But your political donations were not public records before the passage of the Federal Election Campaign Act in 1974. That’s when the federal government started subordinating this particular dimension of your privacy to others’ collective values.

But these pesky details can be put aside. The nuggets of wisdom in the article predominate!

“Since targeted ads are so much more effective than nontargeted ones,” Stein writes, “websites can charge much more for them. This is why — compared with the old banners and pop-ups — online ads have become smaller and less invasive, and why websites have been able to provide better content and still be free.”

The Internet is a richer, more congenial place because of ads targeted for relevance.

And the conclusion of the article is a dose of smart, well-placed optimism that contrasts with Senator Kerry’s sloppy FUD.

We’re quickly figuring out how to navigate our trail of data — don’t say anything private on a Facebook wall, keep your secrets out of e-mail, use cash for illicit purchases. The vast majority of it, though, is worthless to us and a pretty good exchange for frequent-flier miles, better search results, a fast system to qualify for credit, finding out if our babysitter has a criminal record and ads we find more useful than annoying. Especially because no human being ever reads your files. As I learned by trying to find out all my data, we’re not all that interesting.

Consumers are learning how to navigate the online environment. They are not menaced or harmed by online tracking. Indeed, commercial tracking is congenial and slightly boring. That’s good news that you rarely hear from media or politicians because good news doesn’t generally sell magazines or legislation.

Privacy? Nuthin’. Respect My Authoritah!

A fascinating enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) shows what really matters in the world of privacy regulation.

The U.S. Department of Health and Human Services has imposed a $4.3 million civil penalty against Maryland-based Cignet Health for violations of its regulations. HHS’s Office for Civil Rights (OCR) found that Cignet violated 41 patients’ HIPAA rights by denying them access to their medical records, which they requested between September 2008 and October 2009. The penalty for these violations is $1.3 million.

But Cignet’s real crime was willful disobedience of the government. Who knows why, but according to the government:

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations.

The penalty for that was $3 million.

Notably, the HHS release says nothing about the condition of the aggrieved parties. How are they doing with their $31,000 apiece? Does it fully compensate for their inability to access medical records during the relevant period?

Just kidding! Nobody really cares.

This enforcement action has nothing to do with remedying a genuine breach of privacy—an annoyance and genuine paperwork problem, yes—and everything to do with sending a message: You will respect my authoritah!

Why the Senate’s Vote on the Patriot Act Is Actually Pretty Good News

Last night, by an overwhelming 86-to-12 margin, the Senate approved a temporary 90-day extension of three controversial provisions of the Patriot Act scheduled to sunset at the end of the month. The House just voted to move forward on a parallel extension bill, which will presumably pass easily. Because I’m seeing some civil libertarian folks online reacting with dismay to this development, I think it’s worth clarifying that this is relatively good news when you reflect on the outlook from just a couple of weeks ago.

The House has already approved a one-year extension that would plant the next reauthorization vote right on the eve of primary season in a presidential election cycle, all but guaranteeing a round of empty demagoguery followed by another punt. As of last week, everyone expected the Senate to bring Sen. Dianne Feinstein’s three-year reauthorization—which also extends the odious FISA Amendments Act of 2008—to the floor. The discussion on the Senate floor last night makes it clear that this didn’t happen because of pushback from legislators who were sick of kicking the can and wanted time to hold hearings on substantive reforms.

This is actually a better outcome than simply letting the three sunsetting powers lapse—which, realistically, was not going to happen anyway. First, because at least one of the expiring authorities, roving wiretaps, is a legitimate tool that ought to be available to intelligence investigators if it’s amended to eliminate the so-called “John Doe” loophole. Second, because while all three of these provisions have serious defects that raise legitimate concerns about the potential for abuse, they are collectively small beer compared with National Security Letters, which have already given rise to serious, widespread, and well-documented abuses. One of the three sunsetting powers has never been used, and the other two are invoked a couple dozen times per year. All three involve court supervision. The FBI issues tens of thousands of National Security Letter requests each year, the majority targeting American citizens and legal residents, without any advance court approval. The vast majority of the thousands of Americans whose financial and telecommunications records are seized each year are almost certainly innocent of any wrongdoing, but their information is nevertheless retained indefinitely in government databases. With very few exceptions, these people will never learn that the government has been monitoring their financial transactions or communication patterns. Forcing a debate now on the expiring provisions opens a window for consideration of proposals to rein in NSLs—including a new sunset that would create pressure for continued scrutiny.

A new Pew poll released this week reports that Americans remain fairly evenly split on the question of whether the Patriot Act is “a necessary tool that helps the government find terrorists” or “goes too far and poses a threat to civil liberties.” (Perhaps unsurprisingly, with the change of administration, Democrats have become more supportive and Republicans somewhat more skeptical.) But this is actually a signally unhelpful way to frame debate about legislation encompassing hundreds of reforms to the byzantine statutory framework governing American intelligence investigations—more a toolbox than a “tool.” The question shouldn’t be whether you’re “for” or “against” it, but whether there are ways to narrow and focus particular authorities so that legitimate investigations can proceed without sweeping in so much information about innocent people. A three-month extension signals that Congress is finally, belatedly, ready to start having that conversation.

Physician, Heal Thyself

Announcing a new Senate subcommittee devoted to privacy, Senators Leahy (D-VT) and Franken (D-MN) said nothing about privacy threats from government.

A “boom of new technologies over the last several years has … put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the American public,” Franken said, according to an AFP report.

A boom of new technologies has put an unprecedented amount of personal information into the hands of the federal government—in some cases, illegally. It takes a lot of gall to point at commercial data collection from atop the dunghill of federal privacy invasion. But there’s a lot of gall to go around in Washington, D.C.