Topic: Telecom, Internet & Information Policy

Good First Steps, But Real Surveillance Reform Will Require More

The president’s speech on surveillance today proposed some welcome first steps toward appropriately limiting an expanding surveillance state — notably, an end to the NSA’s bulk phone metadata program in its current form, and a recognition that judges, not NSA analysts, must determine whose records will be scrutinized.

The details are important, however. Obama’s speech left open the possibility that bulk collection might continue with some third party — which would in effect be an arm of government — as a custodian. If records are left with phone carriers, on the other hand, it’s important to resist any new legal mandate that would require longer or more extensive retention of private data than ordinary business purposes require.

It was disappointing, however, to see that many of the recommendations offered by Obama’s own Surveillance Review Group were either neglected or specifically rejected. While the unconstitutional permanent gag orders attached to National Security Letters will be time-limited, they will continue to be issued by FBI agents, not judges, for sensitive financial and communications records.

Nor did the president address NSA’s myopic efforts to degrade the security of the Internet by compromising the encryption systems relied on by millions of innocent users. And it is also important to realize that changing one controversial program doesn’t alter the broader section 215 authority, which can still be used to collect other types of records in bulk—and for all we know, may already be used for that purpose.

Most fundamentally, Congress must now act to cement these reforms in legislation — and to extend them —to ensure safeguards implemented by one president cannot be secretly undone by another.

How’s That Oversight Coming Along?

One of the claims made by defenders of NSA spying is that it’s overseen and approved by all three branches of the federal government.

Computer security expert Bruce Schneier provides some insight into how well congressional oversight is working in a short blog post entitled: “Today I Briefed Congress on the NSA.”

This morning I spent an hour in a closed room with six Members of Congress: Rep. Logfren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlate, Rep Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me – as someone with access to the Snowden documents – to explain to them what the NSA was doing.

Many members of Congress have been derelict for years in not overseeing the National Security Agency. Now some members of Congress are asking questions, and they’re being stonewalled.

It’s the government so…

I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF.

Randy Barnett and I made the case last fall that the panels of judges who approve domestic spying under the Foreign Intelligence Surveillance Act should not be regarded as legitimate courts. Their use to dispose of Americans’ rights violates due process.

And the executive branch? Here’s President Obama: “I mean, part of the problem here is we get these through the press and then I’ve got to go back and find out what’s going on…”

How’s that tri-partite oversight coming along?

FCC to Make Internet Service a Public Utility

Do you want your Internet service provider to operate like the water company or the electric company? Internet access services will be more like these leaden public utilities if the Federal Communications Commission tries one of the more likely workarounds to a D.C. Circuit Court decision today that restricts its authority to regulate.

The story is long and involved—read it in the court’s opinion if you like—but the FCC has sought for years now to regulate broadband Internet service providers something like it used to regulate AT&T, with government mandated terms of service if not tarriffs and price controls. This doesn’t fit the technical environment of the Internet, which allows for diverse business models. Companies that experiment with network management, pricing, internal subsidy, and so on can find the configurations that serve widely varying consumers and their differing Internet needs the best. If government believes in fast lanes and slow lanes, surely Internet service providers could optimize service for movie delivery, video calling, and such, while email arrives a little less speedily.

The court found that the FCC’s plans don’t fit with its classification some years ago of broadband as an “information service,” subject to the light-touch regulation under Title I of the Communications Act. Title II, which applies to “telecommunications carriers,” allows common carrier regulation of the type the FCC is trying to impose. So watch for the FCC to conveniently change its mind and begin pushing for treatment of broadband once again as a “telecommunications service.” This is so it can have more control over the business decisions made by Internet service providers.

We made the case more than five years ago that “ ‘Net neutrality” is a good engineering principle, but it shouldn’t be a legal mandate. Technology and markets surpassed any need for command-and-control regulation in this area long ago. But regulators don’t give up power without a fight. To maintain power, the FCC may try to make Internet service a public utility.

Inflation and Injustice

More than a few places in this world people are trying to better themselves by saving money. Many people without access to formal financial services (or awareness of their benefits) are trying to amass capital by squirreling away cash. If wariness and luck prevent that money from being stolen, their nest-eggs might provide life-saving health care, seed capital for businesses, the means to move, education for children, and numerous other enhancements to poor people’s well-being. I say good for them. But there are people out there who don’t care if government policy stands in the way.

Unknown to many cash-hoarders—unsophisticated investors who should have our sympathy—official government policy in many countries is to inflate the currency. Under stable conditions, such policies might reduce the value of the existing stock of money at a rate of about 2% per year.

That is a boon to governments, of course, which are typically debtors. The policy quietly reduces real government debt by 2% annually without need of raising official taxes. And whether they spend the money themselves or infuse their banking sectors with liquidity, governments use monetary policy to curry favor with important political constituencies, thus solidifying power.

Ratifying NSA Spying, a Court Calls FISA ‘Courts’ Into Question

Two weeks ago, when D.C. District judge Richard Leon ruled that mass government surveillance of Americans’ telephone calling was likely unconstitutional, there was some well-poisoning about his opinion being “passionate.” The implication, of course, was that he was not being suitably judicial. The same could be said of this week’s ruling by Judge Pauley of the U.S. District Court in New York. When the first sentence intones: “The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is,” and when the first citation is a “See generally” to the 9/11 Commission report, these are not signs that you’re about to get dispassionate application of law to facts.

Judge Pauley’s use of the 9/11 Commission report to argue that NSA data collection could have foiled the 9/11 plot is belied by the report’s clear statement with respect to Khalid Al-Mihdhar: “No one was looking for him.” (page 269) In our paper, “Effective Counterterrorism and the Limited Role of Predictive Data Mining,” Jeff Jonas and I detailed ways many of the 9/11 terrorists could have been found had anyone been looking. The argument that NSA spying would have prevented 9/11 is not a strong one.

But passions pitted against one another is just one of the symmetries between the two rulings. Judge Leon distinguished Smith v. Maryland. He believes that the Supreme Court case allowing the use of phone call information to convict a suspected burglar and obscene phone caller does not ratify the collection of phone calling information about every innocent American. Judge Pauley treated Smith v. Maryland as controlling. If one burglar in Baltimore doesn’t have a Fourth Amendment interest in his phone calling data, 200 million Americans don’t either. We have appeals to sort these things out, and Judge Pauley’s ruling makes it more likely that such an appeal will reach the Supreme Court, which is good.

The interesting thing in Judge Pauley’s ruling is ammunition he offers to critics of the panels of judges created by the Foreign Intelligence Surveillance Act. People often refer to them as the “Foreign Intelligence Surveillance Court” or “FISC.”

While the FISC is composed of Article III judges, it operates unlike any other Article III court. Proceedings in Article III courts are public. And the public enjoys a “general right to inspect and copy public records and documents, including judicial records and documents.” (citation omitted) “The presumption of access is based on the need for federal courts, although independent—indeed, particularly because they are independent—to have a measure of accountability and for the public to have confidence in the administration of justice.” (citation omitted)

Later, he writes:

The two declassified FISC decisions authorizing bulk metadata collection do not discuss several of the ACLU’s arugments. They were issued on the basis of ex parte applications by the government without the benefit of the excellent briefing submitted to this Court by the Governent, the ACLU, and amici curiae. There is no question that judges operate best in an adversarial system. “The value of a judicial proceeding … is substantially diluted where the process is ex parte, because the Court does not have available the fundamental instrument for judicial judgment: an adversary proceeding in which both parties may participate.” (citation omitted) … As FISA has evolved and Congress has loosened its individual suspicion requirements, the FISC has been tasked with delineating the limits of the Government’s surveillance power, issuing secret decision [sic] without the benefit of adversarial process. Its ex parte procedures are necessary to retain secrecy but are not ideal for interpreting statutes.

This echoes an argument Randy Barnett and I offered in our brief to the Supreme Court about NSA spying. These so-called ‘courts’ that administer NSA spy programs lack many of the hallmarks of a true court, and their use to dispose of rights that protect our privacy is a violation of due process.

There will be much more to come in the judicial path of the NSA spying debate. The legitimacy of FISA panels should be a part of that discussion.

You Could Have Read It Here First

If you’ve been reading Cato at Liberty and www.cato.org, then you already know, as the lead story in the Washington Post reported this morning, that both the constitutionality and the necessity of the NSA’s massive surveillance are in doubt:

From the moment the government’s massive database of citizens’ call records was exposed this year, U.S. officials have clung to two main lines of defense: The secret surveillance program was constitutional and critical to keeping the nation safe.

But six months into the controversy triggered by former NSA contractor Edward Snowden, the viability of those claims is no longer clear.

In a three-day span, those rationales were upended by a federal judge who declared that the program was probably unconstitutional and the release of a report by a White House panel utterly unconvinced that stockpiling such data had played any meaningful role in preventing terrorist attacks.

Reviewing the Review Group: Practice What You Preach

The “President’s Review Group on Intelligence and Communications Technologies” has issued their report. Convened in late summer to advise the president on what to do in the wake of the Snowden revelations (without mentioning Snowden), the group was rightly criticized for its ‘insider’ composition. The report has beaten the privacy community’s low expectations, which is good news. It advances a discussion that began in June and that will continue for years.

Some observations:

- Contrary to expectations, the report is outside the White House’s “comfort zone.” That’s good, because, as noted, this group could easily have decided to ratify the status quo, handing the administration and the National Security Agency a minor victory. The report positioned Senate Judiciary Committee chairman Patrick Leahy (D-VT) to say: “The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far.”

- There is no reason to treat the report as a reform “bible.” This was a problem with the 9/11 Commission report, for example, which was held up as sacrosanct even when it was wrong. The Review Group report is right about some things, such as eliminating administratively issued National Security Letters, it is wrong about some things, and it omits some key issues, such as the government-wide penchant for secrecy that created the current problems.

- Weaknesses are more interesting than strengths, and a particular weakness of the report is its call for retaining the phone calling surveillance program. Recommendation Five calls for legislation that “terminates the storage of bulk telephony meta-data by the government under [USA-PATRIOT Act] section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” The debate over data retention mandates ended some years ago, and the government was denied this power. The NSA’s illegal excesses should not be rewarded by giving it authorities that public policy previously denied it. Outsourcing dragnet surveillance does not cure its constitutional and other ills.

- The data retention recommendation is in conflict with another part of the report, which calls for risk management and cost-benefit analysis. “The central task,” the report says, “is one of risk management.” So let’s discuss that: Gathering data about every phone call made in the United States and retaining it for years produces only tiny slivers of security benefit, the NSA’s unsupported claims to the contrary notwithstanding. Considering dollar costs alone, it almost certainly fails a cost-benefit test. If you include the privacy costs, the failure of this program to manage security risks effectively is more clear. The Review Group’s conclusion about communications surveillance is inconsistent with its welcome promotion of risk management.

Most legal scholars and most civil liberties and privacy advocates punt on security questions, conceding the existence of a significant threats, however undefined and amorphous. They disable themselves from arguing persuasively about what is “reasonable” for Fourth Amendment purposes. Concessions like these also prevent one from conducting valid risk management and cost-benefit analysis. Some of us here at Cato don’t shy from examining the security issues, and we do pretty darn good risk management. The Review Group should practice what it preaches if it’s going to preach what we practice!