Topic: Telecom, Internet & Information Policy

Your Congress, Your NSA Spying

The National Security Agency is collecting records of every domestic and cross-border Verizon phone call between now and July 19th. The secret court order requiring Verizon to hand over these records has been leaked to the Guardian.

You may find that outrageous. 1984 has arrived. Big Brother is watching you.

But the author of this story is not George Orwell. It’s Representative Lamar Smith of Texas, Senator Dianne Feinstein of California, and you.

Here’s what I mean: In June of last year, Representative Smith (R) introduced H.R. 5949, the FISA Amendments Act Reauthorization Act of 2012. Its purpose was to extend the FISA Amendments Act of 2008 for five years, continuing the government’s authority to collect data like this under secret court orders. The House Judiciary Committee reported the bill to the full House a few days later. The House Intelligence Committee, having joint jurisdiction over the bill, reported it at the beginning of August. And in mid-September, the House passed the bill by a vote of 301 to 118.

Sent to the Senate, the bill languished until very late in the year. But with the government’s secret wiretapping authority set to expire, the Senate took up the bill on December 27th. Whether by plan or coincidence, the Senate debated secret surveillance of Americans’ communications during the lazy, distracted period between Christmas and the new year.

Senator Dianne Feinstein (D) was the bill’s chief defender on the Senate floor. She parried arguments doggedly advanced by Senator Ron Wyden (D-OR) that the surveillance law lacks sufficient oversight. My colleague Julian Sanchez showed ably at the time that modest amendments proposed by Wyden and others would improve oversight and in no way compromise security. But false urgency created by the Senate’s schedule won the day, and on December 28th of last year, the Senate passed the bill, sending it to the president, who signed it on December 30th.

The news that every Verizon call is going to the NSA not only vindicates Senator Wyden’s argument that oversight in this area is lacking. It reveals the upshot of that failed oversight: The secret FISA court has been issuing general warrants for communications surveillance.

That is contrary to the Fourth Amendment to the Constitution, which requires warrants to issue “particularly describing the place to be searched, and the persons or things to be seized.” When a court requires “all call detail records” to be handed over “on an ongoing daily basis,” this is in no sense particular. Data about millions of our phone calls are now housed at the NSA. Data about calls you make and receive today will be housed at the NSA.

The reason given for secret mass surveillance of all our phone calls, according to an unofficial comment from the Obama administration, is that it is a “critical tool” against terrorism. These arguments should be put to public proof. For too long, government officials have waved off the rule of law and privacy using “terrorism” as their shibboleth. This time, show us exactly how gathering data about every domestic call on one of the largest telecommunications networks roots out the tiny number of stray-dog terrorists in the country. If the argument is based on data mining, it has a lot to overcome, including my 2008 paper with IBM data mining expert Jeff Jonas, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

The ultimate author of the American surveillance state is you. If you’re like most Americans, you allowed yourself to remain mostly ignorant of the late-December debate over FISA reauthorization. You may not have finished digesting your Christmas ham until May, when it was revealed that IRS agents had targeted groups applying for tax exempt status for closer scrutiny based on their names or political themes.

The veneer of beneficent government is off. The National Security Agency is collecting records of your phone calls. The votes in Congress that allowed this to happen are linked above in this post. What are you going to do about it?

How Identification Is Overused and Misunderstood

Justice Anthony Kennedy seems to be carving out his place as the Supreme Court justice who doesn’t “get” identity. Maryland v. King, the decision issued today, shows that.

His opener was the 2004 decision in Hiibel v. Sixth Judicial District Court of Nevada, which ratified laws requiring people to disclose their names to police officers on request.

In that case, Deputy Lee Dove of the Humboldt County (NV) Sheriff’s Department had received a report that a man had slugged a woman. He didn’t know the names of the alleged perpetrator or the victim, but Dove found Larry Hiibel standing next to his truck at the side of the road talking to his seventeen-year-old daughter seated inside. Dove didn’t check to see if they were having a dispute, or if anyone had hit anyone. He just started demanding Hiibel’s ID.

“Knowledge of identity may inform an officer that a suspect is wanted for another offense, or has a record of violence or mental disorder,” Justice Kennedy wrote, approving Hiibel’s arrest for refusing to show his papers:

On the other hand, knowing identity may help clear a suspect and allow the police to concentrate their efforts elsewhere. Identity may prove particularly important in [certain cases, such as] where the police are investigating what appears to be a domestic assault. Officers called to investigate domestic disputes need to know whom they are dealing with in order to assess the situation, the threat to their own safety, and possible danger to the potential victim.

Even if he had gotten Larry Hiibel’s ID, that wouldn’t have told Dove any of these things. Dove would have had to stop his battery investigation to investigate Hiibel’s background, which he didn’t do until after he had arrested Hiibel–and after his partner had thrown Hiibel’s distraught daughter to the ground. (There’s your battery.)

In Maryland v. King, Justice Kennedy did it again. He wrote the decision approving DNA identification of arrestees. Like demanding Hiibel’s ID, which had no relation to investigating battery, Maryland’s practice of collecting DNA has no relation to investigating or proving the crime for which King was arrested, and it does nothing to administer his confinement. This Justice Scalia made clear in a scathing dissent.

The Court alludes at several points to the fact that King was an arrestee, and arrestees may be validly searched incident to their arrest. But the Court does not really rest on this principle, and for good reason: The objects of a search incident to arrest must be either (1) weapons or evidence that might easily be destroyed, or (2) evidence relevant to the crime of arrest. Neither is the object of the search at issue here. (citations omitted)

Justice Kennedy appears to think there are certain behaviors around detention and arrest that law enforcement is allowed without regard to the detention or arrest. Here, he has sanctioned the gathering of DNA from arrested people, supposedly presumed innocent until proven guilty, to investigate the possibility of their connection to other, unknown crimes. His logic would allow searching the cell phone of a person arrested for public drunkenness to see if they have participated in an extortion plot.

There is plenty of time to run DNA identification data past cold case files after conviction, and all parties agree that’s what would have happened in King’s case. Given that, the Supreme Court has upheld DNA-based investigation of innocent people for their connections to cold cases because they happen to have been arrested. That’s the strange result of Maryland v. King.

We Need an Independent Review of Government Spying on Reporters

Declaring that “journalists should not be at legal risk for doing their jobs,” President Obama announced Thursday that he had directed Attorney General Eric Holder to review the Justice Department’s guidelines for spying on reporters in the course of leak investigations.

That would be more reassuring if Holder himself hadn’t signed off on a search warrant for the e-mail correspondence of Fox News reporter James Rosen. The warrant application dubbed Rosen a “co-conspirator” in a violation of the Espionage Act, on the disturbing theory that asking a source to disclose classified information—as national security reporters necessarily do routinely—is itself a crime, even if publication of the same material is constitutionally protected. In other words, the president is asking the fox to investigate mysterious disappearances in the henhouse.

If reporters were looking to take comfort in the press shield bill the President asked Congress to revive in response to the Justice Department’s seizure of Associated Press phone records, they shouldn’t. Because the bill’s protections include a national security exception—and national security leak investigations are precisely when the government is most likely to spy on journalists—it seems unlikely to have made much difference in either the AP or Rosen cases. Indeed, as the Freedom of the Press Foundation points out, it could even make it easier for the government to obtain press records by overriding the common law safeguards some courts have recognized.

If the president really wants to demonstrate his concern for the potential of government spying to chill vital investigative reporting, he needs to take a very different approach, centered on greater transparency and a truly independent audit of Justice Department policy.

Transparency can begin with letting the public know exactly what the guidelines for investigating the press are—and how the Justice Department interprets them. As the FBI’s operational guidelines make clear, the rules requiring the press to be notified when their phone records are obtained only apply to subpoenas—not other secretive tools, such as National Security Letters, which can be issued without court approval. But the rules governing NSL demands for media records remain secret.

The Justice Department should also release any internal memos interpreting the rules governing press investigations. We know, for example, that there exists an informal 2009 opinion in which Justice Department lawyers analyzed how the rules would apply to sweeping demands—such as so-called “community of interest” requests—that can vacuum up a reporter’s records (among many others) even if the reporter is not specifically named as a target. Only brief excerpts of that opinion have been disclosed, thanks to a 2010 Inspector General report, and there is no way of knowing how many others remain secret.

Finally, we need an independent review—conducted by the Office of the Inspector General, not Attorney General Holder—to determine just how much surveillance of reporters has already occurred. It seems clear that the Justice Department does not think the current rules always require the press to be informed when they’ve been spied on: DOJ lawyers convinced a judge that the government never had to notify Rosen they’d read his e-mails. And because demands for electronic records can be quite broad, it would be all too easy for the government to end up with sensitive information about journalistic investigations even when no reporter was explicitly targeted.

When Congress and the public know what the rules really are, and how they have been applied in practice, we can begin a serious conversation about what reforms are needed to protect press freedom. Asking Eric Holder to investigate Eric Holder, on the other hand, is unlikely to protect much of anything—except, perhaps, Eric Holder.

Cato’s “Deepbills” Project Advances Government Transparency

It’s not the culmination–that will come soon–but a major step in our work to improve government transparency has been achieved. I’ll be announcing and extolling it Wednesday at the House Administration Committee’s Legislative Data and Transparency conference. Here’s a quick survey of what we’ve been doing and the results we see on the near horizon.

After President Obama’s election in 2008, we recognized transparency as a bipartisan and pan-ideological goal at an event entitled: “Just Give Us the Data.” Widespread agreement and cooperation on transparency has held. But by the mid-point of the president’s first term, the deep-running change most people expected was not materializing, and it still has not. So I began working more assiduously on what transparency is and what delivers it.

In “Publication Practices for Transparent Government” (Sept. 2011), I articulated ways the government should deliver information so that it can be absorbed by the public through the intermediary of web sites, apps, information services, and so on. We graded the quality of government data publication in the aptly named November 2012 paper: “Grading the Government’s Data Publication Practices.”

But there’s no sense in sitting around waiting for things to improve. Given the incentives, transparency is something that we will have to force on government. We won’t receive it like a gift.

So with software we acquired and modified for the purpose, we’ve been adding data to the bills in Congress, making it possible to learn automatically more of what they do. The bills published by the Government Printing Office have data about who introduced them and the committees to which they were referred. We are adding data that reflects:

- What agencies and bureaus the bills in Congress affect;

- What laws the bills in Congress affect: by popular name, U.S. Code section, Statutes at Large citation, and more;

- What budget authorities bills include, the amount of this proposed spending, its purpose, and the fiscal year(s).

We are capturing proposed new bureaus and programs, proposed new sections of existing law, and other subtleties in legislation. Our “Deepbills” project is documented at cato.org/resources/data.

This data can tell a more complete story of what is happening in Congress. Given the right Web site, app, or information service, you will be able to tell who proposed to spend your taxpayer dollars and in what amounts. You’ll be able to tell how your member of Congress and senators voted on each one. You might even find out about votes you care about before they happen!

Having introduced ourselves to the community in March, we’re beginning to help disseminate legislative information and data on Wikipedia.

The uses of the data are limited only by the imagination of the people building things with it. The data will make it easier to draw links between campaign contributions and legislative activity, for example. People will be able to automatically monitor ALL the bills that affect laws or agencies they are interested in. The behavior of legislators will be more clear to more people. Knowing what happens in Washington will be less the province of an exclusive club of lobbyists and congressional staff.

In no sense will this work make the government entirely transparent, but by adding data sets to what’s available about government deliberations, management and results, we’re multiplying the stories that the data can tell and beginning to lift the fog that allows Washington, D.C. to work the way it does–or, more accurately, to fail the way it does.

At this point, data curator Molly Bohmer and Cato interns Michelle Newby and Ryan Mosely have marked up 75% of the bills introduced in Congress so far. As we fine-tune our processes, we expect essentially to stay current with Congress, making timely public oversight of government easier.

This is not the culmination of the work. We now require people to build things with the data–the Web sites, apps, and information services that can deliver transparency to your door. I’ll be promoting our work at Wednesday’s conference and in various forums over the coming weeks and months. Watch for government transparency to improve when coders get a hold of the data and build the tools and toys that deliver this information to the public in accessible ways.

I Hate to Say “I Told You So” II (Web Wiretap Edition)

I wrote recently in Wired about the many problems with an FBI proposal to require Internet providers to render their services more wiretap-friendly. Perhaps chief among these is the deleterious effect such a mandate would have on cybersecurity.

This is so, first, because it would tend to push companies away from design choices that make a system more resilient or secure but harder to intercept. If you risk massive fines when you can’t cough up user communications, that’s a powerful incentive to prefer server-side over end-to-end encryption, centralized routing over peer-to-peer, and closed over open standards and source code. Second, as 20 renowned computer scientists and security experts also pointed out in a letter released last Friday [PDF], the surveillance interface companies create to comply with orders can itself become an attractive “attack surface” subject to exploitation. The primary concern there, of course, is that lawful intercept code can be hijacked by a third party to enable their own surveillance—but it can also be a source of information about government investigations for hackers in the service of foreign powers.

Lo and behold, The Washington Post reports today that a successful 2010 hack against Google, believed to have originated in China, also compromised a sensitive database of information on accounts that had been flagged for national security surveillance. That’s a boon to any foreign government looking to discover which agents have had their covers blown and which remain undetected—and something worth throwing considerable hacking resources at. It’s not clear whether the attackers were also able to use any internal law enforcement interface to assist them in targeting the accounts of Chinese dissidents, which is the part of the attack that had been previously reported.

Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requiring such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?

I Hate to Say “I Told You So” (Spying on the Press Edition)

On Friday, I wrote a piece for Mother Jones speculating that government spying on press communications may not be “unprecedented,” as Associated Press head Gary Pruitt put it, but simply rarely disclosed. The rules requiring disclosure of such surveillance, after all, only appear to apply to “subpoenas” for “telephone toll records,” not secret tools like National Security Letters. Even outside the shadowy world of intelligence, as federal magistrate judge Stephen Smith has observed, court orders granting government access to electronic communication records routinely remain secret indefinitely. I suggested that there could be quite a few other cases like the AP story that we’ve simply never heard about, even if the Justice Department scrupulously follows its own rules, because they didn’t involve grand jury subpoenas for phone logs.

It is rare for someone who writes about the intelligence community to have a speculation of this sort confirmed almost instantly, but a report in the Washington Post today is already shining a spotlight on another hitherto unreported leak investigation in which the government obtained a warrant to read the e-mail of Fox News reporter James Rosen. The warrant in that case was sealed for over a year, and appears to have remained unnoticed until today—nearly three years after the search of Rosen’s e-mail was authorized. Why should anyone believe this is the only such case that hasn’t yet come to light?

The Rosen case is especially unsettling because the warrant affidavit suggests that Rosen himself could be subject to prosecution under the Espionage Act, on the grounds that his alleged encouragement to a source to provide classified information amounts to “conspiracy.” The attempt to redefine as crime what is ultimately a routine and necessary part of national security reporting really is rather unprecedented: As the Congressional Research Service has observed, “we are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it,” and there “may be First Amendment implications that would make such a prosecution difficult.”

A successful prosecution, of course, is not necessarily the point. The case against NSA whistleblower Thomas Drake—who revealed massive waste in the Agency’s deals with intelligence contractors—ultimately collapsed: The information he’d revealed was embarrassing to the government, not dangerous to national security. But Drake’s life had still been shattered, and a clear message sent to any others who might seek to embarrass the government. Reporters are already feeling the chilling effects of the AP leak investigation—and presumably that’s the real aim: Not to jail leakers as an end in itself, but to ensure that government sources are too scared to talk to press without approval.

That might sound like a fine idea if we were really only talking about vital national security secrets whose publication would endanger the United States. But as even top intelligence officials have acknowledged, “overclassification” is rampant in government. Much of the most basic information, without which effective national security reporting would be impossible, is reflexively classified whether or not it poses any realistic security risks, and reporters routinely discuss such information. In practice, that means the government can pick and choose which leakers to go after—and which ones to wink at because they’re serving the administration’s interests.

Three Questions about Government Spying on the Press

It’s heartening to see widespread outrage—both online and from members of Congress—about the news that the Justice Department vacuumed up phone records spanning two months from 20 phone lines belonging to the Associated Press or its employees. This may not be a return to the bad old days of J. Edgar Hoover, who kept files of derogatory information about hostile journalists, but surveillance of the press—even in the course of otherwise legitimate investigations—always threatens to impede the vital check on government the Fourth Estate provides. A subpoena covering so many of a major news organization’s phone lines, including shared switchboard and fax numbers used by scores of reporters, for such an extended period, seems especially troubling in the context of this administration’s unprecedented war on whistleblowers. It’s effectively a warning that nobody who speaks to the press without White House approval—whether they’re leaking classified secrets or just saying things the bosses wouldn’t like—can count on anonymity. I’ll have plenty more to say about this soon, but a few key questions reporters and legislators ought to be asking:

  • DOJ regulations are supposed to require a careful balancing of investigative needs against First Amendment values before reporter records are sought, with advance notice to the press whenever possible. The AP is fairly certain its records were seized as part of a leak investigation aimed at uncovering the source of a story about a foiled terrorist plot—a story the AP itself sat on until they were convinced publication posed no national security risk. The administration itself was on the verge of announcing the same facts. Given that anonymous sources discussing classified matters with press are a routine and indispensable part of journalism, what made this investigation so urgent that it was necessary to use methods experts agree were far more broad and intrusive than the norm?
  • Read hyper-literally, those same DOJ regulations refer only to “subpoenas” directed at journalists themselves or seeking “telephone toll records.” And the DOJ’s own operational guidelines make quite clear that they do read the rules hyper-literally: They apparently are not held to apply to the myriad tools other than grand jury subpoenas at the government’s disposal, such as National Security Letters or administrative subpoenas. Does DOJ employ a similarly literal reading of “telephone toll records,” such that they’re not required to observe these rules when they obtain other electronic records, such as e-mail transactional data? The DOJ, recall, says they often don’t need warrants to read e-mail or Facebook chats, let alone review transactional metadata concerning such communications. So it seems odd that they would pull out all the stops when it comes to phone records, yet ignore the channels by which modern reporters probably conduct the bulk of their correspondence. Even if it would have been infeasible to access logs of AP’s e-mail transactional data without tipping them off (my understanding is they maintain their own e-mail servers), nearly every journalist has potentially revealing Facebook friend lists, personal Gmail accounts, Twitter direct message headers, and so on—some of which would be more targeted than records from phone lines shared by dozens of journalists. Was other data that DOJ believes to be outside the scope of their reporting obligations—either because it wasn’t obtained by “subpoena” or because it wasn’t “telephone toll records”—obtained in this case? More broadly, how much press data is obtained without notification because it falls outside these categories?
  • Thanks to a 2010 Inspector General report, we know a bit about the FBI’s use of “community of interest” data requests that sweep up call log data not just on a single target, but all the phones their target is in regular contact with—and maybe even the numbers those phones are calling too. After using this technique for years—sometimes literally by accident—FBI sought an Office of Legal Counsel opinion about whether the press notification rules applied when such requests were likely to indirectly pull in press records. In January 2009, OLC concluded they did—but since they ended up not getting the records in that instance, and the agent making the request apparently hadn’t understood quite what he was requesting, the FBI decided it didn’t need to tell anyone at the time. What, then, is the Justice Department’s current policy when it comes to information about press communications obtained indirectly through “community of interest” requests? Is any attempt made to ascertain when such requests have acquired reporters’ phone records, whether or not that was either intended or foreseen when the request was made? Since records in the FBI database are retained indefinitely for potential future data mining, even records the FBI doesn’t currently know belong to reporters could easily end up revealing patterns of press activity as a result of future analysis. Does DOJ think it must inform reporters when this happens, or is it only at the acquisition stage that the notice obligation applies? Has any broad effort been made to determine how many reporter records are in FBI databases, especially as a result of requests made before 2009?

Of course, whatever the answers to these questions, the Electronic Frontier Foundation is right to point out that the broader problem is that communications metadata isn’t entitled to much protection under either current Fourth Amendment jurisprudence or federal statute. This means the government can typically access metadata with little or no judicial oversight—and if you’re not a reporter there are no special rules requiring the government to ever notify you that your records have been swept up in some investigation. As technological change makes such metadata increasingly revealing—because nearly everything you do online leaves some digital trace, from which ever more detailed inferences can be drawn using sophisticated analytic tools—the problem is not just for press freedom: it’s a privacy problem for all of us.