Tag: privacy

The Obama Girls’ Health Care Choices

According to the White House, President Obama recently told a crowd of supporters:

Mr. Romney wants to get rid of funding for Planned Parenthood.  I think that is a bad idea.  I’ve got two daughters. I want them to control their own health care choices.

Umm, yeah. Two things about that.

One, if—as President Obama wills it—the president of the United States gets to determine Planned Parenthood’s funding levels, then his daughters do not control their health care choices.

Two, it hardly seems that Obama’s daughters—these children of The One Percent—have even the most plausible claim that low-income Americans should be forced to pay for their … eventual … services that Planned Parenthood provides.

Fourth Amendment Gone to the Dogs—and to Lasers?!

For all their use by law enforcement across the country, drug-sniffing dogs haven’t gotten a lot of consideration in the Supreme Court. In a pair of cases next fall, though, the Court seems likely to give them some attention. Florida v. Harris is one of the cases it has taken. Harris will examine “[w]hether an alert by a well-trained narcotics detection dog certified to detect illegal contraband is insufficient to establish probable cause for the search of a vehicle.”

This week, we filed an amicus brief in the other drug-sniffing dog case, coming out of the same state. Florida v. Jardines asks whether the Fourth Amendment would be implicated if the government brought a drug-sniffing dog to the front door of your home seeking the scent of illegality.

What the Court has done with drug-sniffing dogs so far is not very good. We homed in on the major precedent, Caballes, to illustrate the weakness of the “reasonable expectation of privacy” test that originated in United States v. Katz (1967).

In Illinois v. Caballes, 543 U.S. 405 (2005), this Court did not apply Katz analysis. It did not examine (or even assume) whether Roy Caballes had exhibited a subjective expectation of privacy, the first step in the Katz test. Thus, the Court could not take the second step, examining its objective reasonableness.

Instead, the Caballes Court skipped forward to a corollary of the Katz test that the Court had drawn in United States v. Jacobsen, 466 U.S. 109 (1984): “Official conduct that does not ‘compromise any legitimate interest in privacy’ is not a search subject to the Fourth Amendment.” Caballes, 543 U.S. at 408 (quoting Jacobsen, 466 U.S. at 123).

This is a logical extension of the Katz test, and one that helps reveal its weakness in maintaining the Fourth Amendment’s protections consistently over time. Now, instead of examining whether searches and seizures are reasonable, courts applying the Jacobsen/Caballes corollary can uphold any activity of government agents sufficiently tailored to discovering only crime.

What kinds of activities might those include? We talked about lasers.

A DHS program that might be directed not only at persons, but also at their houses and effects, is called the “Remote Vapor Inspection System” (or RVIS). RVIS “generates laser beams at various frequencies” to be aimed at a “target vapor.” Beams “reflected and scattered back to the sensor head” reveal “spectral ‘signatures’” that can be compared with the signatures of sought-after gasses and particulates. [citations omitted] Using RVIS, government agents might remotely examine the molecular content of the air in houses and cars, quietly and routinely explore the gasses exiting houses through chimneys and air ducts, and perhaps even silently inspect any person’s exhaled breath. If RVIS technology is programmed to indicate only on substances that indicate wrongdoing, the Jacobsen/Caballes corollary extinguishes the idea that its pervasive, frequent, and secret use would be a search.

If a dog sniff only reveals illegal activity, compromising no privacy interest, it’s not a search. So using lasers to check your breath for illegal substances is not a search either. We hope, obviously, that the Court will do away with this rule, which is so attenuated from both the language and the purpose of the Fourth Amendment.

Instead of determining whether a person has “reasonable expectations of privacy”—we called that doctrine a “jumble of puzzles”—courts should examine whether a “search” has occurred by seeing if police accessed something that was hidden from view.

When a person has used physics and law to conceal something from others, the Fourth Amendment and the Court should back those privacy-protective arrangements, breaching them only when there is probable cause and a warrant (or some exception to the warrant requirement).

To hold otherwise would be to allow the government to invade privacy not just using drug-sniffing dogs but using ever more sophisticated technology.

NSA Spying and the Illusion of Oversight

Last week, the House Judiciary Committee hurtled toward reauthorization of a controversial spying law with a loud-and-clear declaration: not only do we have no idea how many American citizens are caught in the NSA’s warrantless surveillance dragnet, we don’t care—so please don’t tell us! By a 20–11 majority, the panel rejected an amendment that would have required the agency’s inspector general to produce an estimate of the number of Americans whose calls and e-mails were vacuumed up pursuant to broad “authorizations” under the FISA Amendments Act.

The agency’s Inspector General has apparently claimed that producing such an estimate would be “beyond the capacity of his office” and (wait for it) “would itself violate the privacy of U.S. persons.” This is hard to swallow on its face: there might plausibly be difficulties identifying the parties to intercepted e-mail communications, but at least for traditional phone calls, it should be trivial to tally up the number of distinct phone lines with U.S. area codes that have been subject to interception.

If the claim is even partly accurate, however, this should in itself be quite troubling. In theory, the FAA is designed to permit algorithmic surveillance of overseas terror suspects—even when they communicate with Americans. (Traditionally, FISA left surveillance of wholly foreign communications unregulated, but required a warrant when at least one end of a wire communication was in the United States.) But FAA surveillance programs must be designed to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States”—a feature the law’s supporters tout to reassure us they haven’t opened the door to warrantless surveillance of purely domestic communications. The wording leaves a substantial loophole, though. “Persons” as defined under FISA covers groups and other corporate entities, so an interception algorithm could easily “target persons” abroad but still flag purely domestic communications—a concern pointedly raised by the former head of the Justice Department’s National Security Division. The “prevent the intentional acquisition” language is meant to prevent that. Attorney General Eric Holder has made it explicit that the point of the FAA is precisely to allow eavesdropping on broad “Categories” of surveillance targets, defined by general search criteria, without having to identify individual targets. But, of course, if the NSA routinely sweeps up communications in bulk without any way of knowing where the endpoints are located, then it never has to worry about violating the “known at the time of acquisition” clause. Indeed, we already know that “overcollection” of purely domestic communications occurred on a large scale, almost immediately after the law came into effect.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication? If this is done, even if only for the subset of communications reviewed by human analysts, why can’t that sample be used to generate a ballpark estimate for the broader pool of intercepted messages? How can the Senate report on the FAA extension seriously tout “extensive” oversight of the law’s implementation when it lacks even these elementary figures? If it is truly impossible to generate those figures, isn’t that a tacit admission that meaningful oversight of these incredible powers is also impossible?

Here’s a slightly cynical suggestion: Congress isn’t interested in demanding the data here because it might make it harder to maintain the pretense that the FAA is all about “foreign” surveillance, and therefore needn’t provoke any concern about domestic civil liberties. A cold hard figure confirming that large numbers of Americans are being spied on under the program would make such assurances harder to deliver with a straight face. The “overcollection” of domestic traffic by NSA reported in 2009 may have encompassed “millions” of communications, and still constituted only a small fraction of the total—which suggests that we could be dealing with a truly massive number.

In truth, the “foreign targeting” argument was profoundly misleading. FISA has never regulated surveillance of wholly foreign communications: if all you’re doing is listening in on calls between foreigners in Pakistan and Yemen, you don’t even need the broad authority provided by the FAA. FISA and the FAA only need to come into play when one end of the parties to the communication is a U.S. person—and perhaps for e-mails stored in the U.S. whose ultimate destination is unknown. Just as importantly, when you’re talking about large scale, algorithm-based surveillance, it’s a mistake to put too much weight on “targeting” in the initial broad acquisition stage. If the first stage of your acquisition algorithm says “intercept all calls and e-mails between New York and Pakistan,” that will be kosher for FAA purposes provided the nominal target is the Pakistan side, but will entail spying on just as many Americans as foreigners in practice. If we knew just how many Americans, the FAA might not enjoy such a quick, quiet ride to reauthorization.

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

David Davis Is Right

British Conservative Party member and former shadow home secretary David Davis says that data retention requirements being debated in the U.K. are “incredibly intrusive” and would only “catch the innocent and incompetent.” He’s right.

The United States was formed after a Revolutionary War against Britain so that we could live under a government more protective of liberty. The Fourth Amendment’s requirement of particularity with respect to warrants prevents our government from issuing blanket requirements that information about all of our communications be retained in case it’s needed for law enforcement.

At least we must hope so. Because some in our Congress seem to have little qualm about reversing the Revolutionary War’s results.

Oh, the Uses of the ‘Cyber’ Prefix: Cyberbellicosity, for Example

Senate Majority Leader Harry Reid’s (D-Nev.) announcement yesterday of upcoming Senate action on cybersecurity legislation coincides nicely with reporting that the recently discovered Flame virus has similarities to Stuxnet. You see, the best example of a cyberattack having kinetic effects—causing physical damage—is Stuxnet. It targeted Siemens industrial software and equipment used in Iran’s nuclear program, causing damage to some centrifuges used in that program.

Stuxnet is widely believed to be a product of the U.S. and Israeli governments. Flame’s kinship with Stuxnet adds to the story: Our government is a top producer of cyberattacks.

The methods used in these viruses will be foreclosed as researchers unpack how they work. Our technical systems adapt to new threats the way humans develop antibodies to disease. But in the near term the techniques in Stuxnet and Flame may well be incorporated into attacks on our computing infrastructure.

The likelihood of attacks having extraordinary consequences is low. This talk of “cyberwar” and “cyberterror” is the ugly poetry of budget-building in Washington, D.C. But watch out for U.S. cyberbellicosity coming home to roost. The threat environment is developing in response to U.S. aggression.

This parallels the United States’ use of nuclear weapons, which made “the bomb” (Dmitri) an essential tool of world power. Rightly or wrongly, the United States’ use of the bomb spurred the nuclear arms race and triggered nuclear proliferation challenges that continue today. (To repeat: Cyberattacks can have nothing like the consequence of nuclear weapons.)

Senator Reid has gone hook, line, and sinker for the “cyber-9/11” idea, of course. Like all politicians, his primary job is not to set appropriate cybersecurity policies but to re-elect himself and members of his party. The tiniest risk of a cyberattack making headlines to use against his party justifies expending taxpayer dollars, privacy, and digital liberties. This it not to prevent cyberattack. It is to prevent political attack.

Politics is well understood by the authors of the letter Senator Reid cited in his statement about bringing cybersecurity legislation to the Senate floor. They are mostly from the party opposite his. Several of them participated at some level in developing our nation’s cyberbellicose world posture. And several now make their living in consulting and contracting firms that respond to the danger they helped create.

They are:

  • Michael Chertoff, Homeland Security secretary under President Bush, is now co-founder and Managing Principal of The Chertoff Group, which “provides business and government leaders with the same kind of high-level, strategic thinking and diligent execution that have kept the American homeland and its people safe since 9/11.”
  • Mike McConnell, former director of the National Security Agency and National Intelligence under President Bush, is now Vice Chairman of Booz Allen Hamilton.
  • Paul Wolfowitz was a deputy defense secretary under President Bush, now a visiting scholar at AEI.
  • General Michael Hayden, former director of the NSA and the CIA under President Bush, is now a principal at the Chertoff Group, and in January 2011 was elected to the Board of Directors of Motorola Solutions, which “provides business- and mission-critical communication products and services to enterprises and governments.”
  • Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, is on the board of advisors of TASC, Inc. TASC “provides advanced systems engineering, integration and decision–support services to the Intelligence Community, Departments of Defense and Homeland Security and civilian agencies of the federal government. We deliver honest counsel, forward–thinking engineering and advanced technologies that help our customers protect Americans at home, in the air, on the battlefield and in cyberspace.”
  • Hon. William J. Lynn III, former deputy defense secretary, is now Chairman & CEO of DRS Technologies, a Defense and Security Electronics Division of Italian industrial group Finmeccanica. DRS Technologies is “leading supplier of integrated products, services and support to military forces, intelligence agencies and prime contractors worldwide.”

Joe Barton, Meet Alessandro Acquisti

We were all very excited about the Facebook IPO last week (I guess), and Washington, D.C. wants to have its part in the action. This Politico article, “Facebook IPO Pits Privacy vs. Profits,” is a good illustration. It is the organs of government saying we are relevant, you know.

I was particularly intrigued by the comment of Rep. Joe Barton (R-TX). He’s playing against type—if we’re still to believe that Republicans stand for limited government—where he’s quoted saying: “I believe in free market principles, but there are some things the market can’t put a price on because they lack a monetary value. Privacy is one of those things.”

Aha! Washington does have a role the market can’t provide.

Except that the observation isn’t valid. There are lots of things in markets that “lack a monetary value.” You don’t think that every dimension of every good and service has a price tag on it, do you? Markets still deliver these things through the decision-making of their participants.

Alessandro Acquisti at Carnegie Mellon University has been studying how consumers value privacy for years. Crucially, he’s been studying how they value privacy when confronted with real and simulated trade-offs. (What consumers and politicians say isn’t very informative.) He sometimes puts a price tag on privacy in his studies.

It’s often a low price. Consumers don’t value privacy as much as many of us would like. But markets do implicitly price privacy. You make a little bit more—not a lot—if you deliver privacy. You stand to lose—sometimes a lot—if you don’t protect privacy.

Stand down, Mr. Barton. Stand down, Washington, D.C. You are not relevant to the Facebook IPO. Free market principles suggest leaving markets free to serve consumers’ actual preferences as determined by market processes. This is the case whether you think of privacy as having a “monetary value” or not.