Topic: Telecom, Internet & Information Policy

You Could Have Read It Here First

If you’ve been reading Cato at Liberty and www.cato.org, then you already know, as the lead story in the Washington Post reported this morning, that both the constitutionality and the necessity of the NSA’s massive surveillance are in doubt:

From the moment the government’s massive database of citizens’ call records was exposed this year, U.S. officials have clung to two main lines of defense: The secret surveillance program was constitutional and critical to keeping the nation safe.

But six months into the controversy triggered by former NSA contractor Edward Snowden, the viability of those claims is no longer clear.

In a three-day span, those rationales were upended by a federal judge who declared that the program was probably unconstitutional and the release of a report by a White House panel utterly unconvinced that stockpiling such data had played any meaningful role in preventing terrorist attacks.

Reviewing the Review Group: Practice What You Preach

The “President’s Review Group on Intelligence and Communications Technologies” has issued its report. Convened in late summer to advise the president on what to do in the wake of the Snowden revelations (without mentioning Snowden), the group was rightly criticized for its ‘insider’ composition. The report has beaten the privacy community’s low expectations, which is good news. It advances a discussion that began in June and that will continue for years.

Some observations:

- Contrary to expectations, the report is outside the White House’s “comfort zone.” That’s good, because, as noted, this group could easily have decided to ratify the status quo, handing the administration and the National Security Agency a minor victory. The report positioned Senate Judiciary Committee chairman Patrick Leahy (D-VT) to say: “The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far.”

- There is no reason to treat the report as a reform “bible.” This was a problem with the 9/11 Commission report, for example, which was held up as sacrosanct even when it was wrong. The Review Group report is right about some things, such as eliminating administratively issued National Security Letters, it is wrong about some things, and it omits some key issues, such as the government-wide penchant for secrecy that created the current problems.

- Weaknesses are more interesting than strengths, and a particular weakness of the report is its call for retaining the phone calling surveillance program. Recommendation Five calls for legislation that “terminates the storage of bulk telephony meta-data by the government under [USA-PATRIOT Act] section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” The debate over data retention mandates ended some years ago, and the government was denied this power. The NSA’s illegal excesses should not be rewarded by giving it authorities that public policy previously denied it. Outsourcing dragnet surveillance does not cure its constitutional and other ills.

- The data retention recommendation is in conflict with another part of the report, which calls for risk management and cost-benefit analysis. “The central task,” the report says, “is one of risk management.” So let’s discuss that: Gathering data about every phone call made in the United States and retaining it for years produces only tiny slivers of security benefit, the NSA’s unsupported claims to the contrary notwithstanding. Considering dollar costs alone, it almost certainly fails a cost-benefit test. If you include the privacy costs, the failure of this program to manage security risks effectively is more clear. The Review Group’s conclusion about communications surveillance is inconsistent with its welcome promotion of risk management.

Most legal scholars and most civil liberties and privacy advocates punt on security questions, conceding the existence of significant threats, however undefined and amorphous. They disable themselves from arguing persuasively about what is “reasonable” for Fourth Amendment purposes. Concessions like these also prevent one from conducting valid risk management and cost-benefit analysis. Some of us here at Cato don’t shy from examining the security issues, and we do pretty darn good risk management. The Review Group should practice what it preaches if it’s going to preach what we practice!

The Economic Impact of NSA Spying

At some point, I hope someone does a thorough, empirical study of the impact of NSA spying on U.S. companies. But for now, all we have is anecdotal evidence, like this:

Today Brazil’s government announced it won’t buy $4.5 billion worth of US fighter jets in a move attributed to anger over controversial US intelligence-gathering that targeted Brazilian citizens and officials, including president Dilma Rousseff.

The Brazilian government’s official statements pointed to performance and cost issues as the reason to pick Sweden’s Saab AB to develop 36 fighters, though many observers had believed Boeing had the upper hand while bidding to expand Brazil’s air force.

Calling the decision “disappointing” in a statement, Boeing says it isn’t done trying to sell to Brazil, a major client for the company’s commercial air business, noting that “over the next several weeks, we will work with the Brazilian Air Force to better understand its decision.”

One way to understand it: “The NSA problem ruined it for the Americans,” a Brazilian government official told Reuters. Public opinion turned against the US, and Brazil is leading the charge for a United Nations resolution that would limit electronic surveillance. Edward Snowden, the former National Security Agency contractor whose leaks revealed the US surveillance, obliquely requested asylum in Brazil earlier this week, but it looks like the country isn’t interested in hosting the whistleblower.

Today, a White House panel charged with assessing American electronic snooping released a report urging new limits on US intelligence agencies. One of its recommendations is to more carefully assess the costs of surveilling foreign leaders like Brazil’s Rousseff. On this front, Brazil’s decision on the fighter planes is a costly object lesson for the US government.

D.C. Court: Smith Is Not Good Law

In debates about the NSA’s mass surveillance of all our phone calling, pro-government lawyers have often tried to play a trump card called Smith v. Maryland. Smith is a 1978 Supreme Court decision as right for our times as laws requiring public buildings to provide spittoons. But lawyering rightly relies heavily on precedent, so there it was, the argument that people don’t have a constitutional interest in data about their phone calling because a suspected burglar and obscene phone-caller didn’t have such an interest back in 1976.

D.C. district court judge Richard Leon ruled today that Smith is not an appropriate precedent for considering the constitutionality of the NSA’s mass surveillance program. “[T]he Smith pen register and the ongoing NSA Bulk Telephony Metadata Program,” he concluded, “have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones.”

When phone calling was home- or office-bound and relatively rare, people’s interest in the information about their calling was not as great as it is today. Cell phones now accompany most people everywhere they go every single day. “[T]he ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people’s lives.” (emphases omitted)

Judge Leon applied the “reasonable expectation of privacy” test in finding that he is likely to determine that the NSA’s data seizures are a Fourth Amendment violation, even though that standard has been thrown into doubt by recent Supreme Court decisions. But what is important is that his decision breaks the circular logic adopted by the panels of judges ratifying mass domestic surveillance under the Foreign Intelligence Surveillance Act. These panels believed they could act in secret because of the premise that Americans don’t have a constitutional interest in data about their calls. Their secret operations barred Americans from contesting that premise. And the band played on. Until someone leaked this mass domestic spying to the public.

Judge Leon’s assessment of the government’s interest is notable. He picked up on the fact that the government’s collection of data about all our calls is simply to make things a little quicker when they want to do an investigation.

“[T]he Government’s interest,” he writes, “is not merely to investigate potential terrorists, but rather, to do so faster than other methods might allow. … Yet … the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.” (emphases omitted)

Databasing of all our calls is a convenience and not a necessity. That stacks up poorly against the privacy costs all Americans suffer by having their phone-calling catalogued in government databases.

There will almost certainly be an appeal, and there will be more cases coming up through the courts that explore the many dimensions of this issue. But now we can tell our lawyer friends who have been a little too slavish to precedent that Smith v. Maryland is not good law.

A Data Retention Mandate? NO

The Wall Street Journal reports that a panel convened by the president to review the National Security Agency’s programs will recommend that “the records of nearly every U.S. phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization.” That recommendation is a non-starter.

Mandatory data retention has been floated for years using the most politically appealing rationale, child predation. In 2007, we characterized the idea as costly, outsourced surveillance, and Congress has consistently denied that power to the government. In fact, child protection bills containing data retention mandates were introduced in several Congresses but only passed once provisions deputizing communications providers into government surveillance were stripped out. Randy Barnett and I made this point in our brief urging the Supreme Court to take up the NSA’s mass surveillance of Americans’ telephone calling.

“Congress has declined to institute mandatory data retention laws because the costs, risks, and privacy consequences for innocent citizens outweigh their law enforcement and security benefits,” we wrote. “The Verizon order reverses this Congressional policy by requiring a telecommunications provider to turn all data over to the government for retention by the National Security Agency.”

How ironic it would be if the NSA’s illegal excesses delivered it a victory on a policy initiative that it lost years ago. Is secretly violating Americans’ communications privacy really rewarded by a policy requiring the violation of Americans’ communications privacy?

Rep. Jim Sensenbrenner (R-WI), who claims authorship of the USA-PATRIOT Act, came to Cato two months ago to lament the NSA’s use of that law for domestic spying he did not intend the NSA to have. In the past, he has said that data retention “runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes.” Assumedly, he believes the same as to people’s use of the phone, and he will continue working with other privacy-minded legislators to relegate data retention mandates to the dustbin of history.

Ohio Backs off of REAL ID

Sometimes there are setbacks to the efforts of the Department of Homeland Security, the American Association of Motor Vehicle Administrators, and state motor vehicle bureaucrats to quietly knit together a national ID. If this story is true, Ohio appears to be breaking with the national ID plan.

What’s remarkable about this case is Ohio’s recognition that the federal government will never act on the threat that TSA will refuse drivers’ licenses and IDs from states that decline to implement the REAL ID Act.

Ohio is among a growing number of states that are refusing to comply with federal standards intended to toughen access to driver’s licenses. … The states are betting that federal officials do not implement plans to accept only “Gold Star” licenses as proof of identity to fly on commercial flights or to enter federal buildings and courthouses. “We’re not so sure the federal government” will only honor IDs that meet its requirements, [Ohio Department of Public Safety spokesman Joe] Andrews said.

Time was when states fell in line at the suggestion of this federal government threat. Eight-and-a-half years after REAL ID became law, the states may be recognizing the inability of the feds to coerce them into implementing their national ID.

FDA Moves To Crush 23andMe

23andMe is a service that combines a home-based saliva-testing DNA-sample kit with a web-based service to explain what the results mean and put you in touch with other users. At $99, it’s a breakthrough hit in affordable personal technology – and now the Food and Drug Administration is determined to snuff it out. I discuss this appalling development in a new post at Overlawyered:

…Some of us want to seek out distant relatives and clues about national origins, or satisfy curiosity about patterns of disease in our family lines. For adoptive families, home genome testing can be hugely valuable in cases where one knows little about the medical history of an adoptee’s birthfamily. It’s our body, and our right to inform ourselves about it — or so we thought.

The FDA very likely has decent legal grounds to forbear from a crackdown should it choose to. But the key takeaway sentence from Matthew Herper’s piece in Forbes criticizing the company is: “This is not the way to deal with a powerful government regulator.” Disrespectful, anti-authority attitudes from someone an agency intends to regulate? Ask former Buckyballs CEO Craig Zucker where that gets you. …

Science blogger Razib Khan has suggested that information services like 23andMe, rather than submit to expensive and cumbersome regulation as “medical devices,” may simply pack up and move offshore. But even if they do, that won’t be the end of our government’s jealous wish to regulate them – or so I predict in my post.

P.S. Is it relevant that governments themselves, through their law enforcement agencies, run elaborate saliva-, blood- and DNA-collection operations that are hedged with few of the protections of voluntariness, privacy and openness that one finds with 23andMe?