Topic: Telecom, Internet & Information Policy

Are Internet Backbone Pen Registers Constitutional?

Between ongoing publication of Edward Snowden’s leaks and a series of frankly unprecedented disclosures by the government itself, the public now knows quite a bit about the NSA’s controversial telephony metadata program, which makes use of the Patriot Act’s §215 to collect, in bulk, nearly all Americans’ domestic call detail records from telephone carriers. We know far less, however about the government’s bulk collection of Internet metadata under FISA’s pen register/trap-&-trace authority, which supposedly ceased in 2011—though some such collection almost certainly continues in a more limited form. That collection merits closer attention, because the legal argument that bulk metadata acquisition doesn’t violate the Fourth Amendment—rehearsed in a recent post at Just Security by Orin Kerr—simply doesn’t work for acquisition of Internet metadata at the backbone, for technical reasons that it’s not at all clear the Foreign Intelligence Surveillance Court has considered.

The FISC’s recently declassified memorandum opinion authorizing bulk telephony metadata collection contains a dismayingly cursory Fourth Amendment analysis resting on the now-familiar reasoning of Smith v. Maryland: Users voluntarily convey phone dialing information to a “third party” (i.e., the phone company), knowing that information will be retained in the company’s records for routine business purposes. They thereby “assume the risk” that these records will be shared with the government—notwithstanding any contrary promises of confidentiality—and so waive their Fourth Amendment expectation of privacy in that information. This is the so-called “third party doctrine.” The ruling in Smith has been widely and justly condemned—and as Jennifer Granick has ably argued, is of dubious relevance to NSA’s bulk collection program anyway. But let’s pretend for the moment, strictly arguendo, that this reasoning is not crazy on its face.

To Administer the Fourth Amendment, Recognize Reasonable Searches and Seizures

Over the last few years, I’ve dedicated more and more effort to righting the Fourth Amendment, which has been weakened over decades by doctrines that don’t measure up to the times.

You can see my efforts and their evolution in my American University Law Review article, “Reforming Fourth Amendment Privacy Doctrine” (2008); Cato’s brief to the Supreme Court in U.S. v. Jones (Oct. 2011), Cato’s brief to the Supreme Court in Florida v. Jardines (July 2012); my Cato Supreme Court Review article,Escaping Fourth Amendment Doctrine After Jones: Physics, Law, and Privacy Protection (Sept. 2012); my Cato Policy Report article, “U.S. v. Jones: Fourth Amendment Law at a Crossroads” (Sept./Oct. 2012); and, most recently, Cato’s brief to the Supreme Court in In re: EPIC (August 2013).

Today, I had the opportunity to expound on my thinking at a National Press Club event hosted by the Electronic Privacy Information Center to discuss their challenge to the National Security Agency’s bulk telephone data collection. Moderator Jeffrey Rosen, recently named President and CEO of the National Constitution Center, alloted me a good deal of time, and we discussed things a little more after the session. I’m ever-sharpening my thinking about how the Fourth Amendment should operate, and how to talk about it.

The starting point is this: The “reasonable expectation of privacy” doctrine, which grew out of Katz v. United States (1967), is a failure. Courts almost never actually investigate whether a subjective “expectation of privacy” is objectively reasonable, and they’re in no position to make broad societal pronouncements on the latter question anyway. The doctrine is not a product of the Katz majority, it’s worth noting, which focused on the steps Katz had taken to conceal the sound of his voice—steps upended by government agents’ placement of a bug in a phone booth without a warrant.

The Fourth Amendment should be administered as a law once again. To administer a law protecting “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” you’d ask four questions:

Secrecy Is Delegation of Power

With allegations (and denials) of economic espionage and reports of broad access to cell phone data joining last week’s blockbuster revelation that the National Security Agency has worked to undermine encryption, it’s hard to keep up.

But Julian had it right on the jaw-dropping encryption news in his post last week, “NSA’s War on Global Cybersecurity.” A national-security-aimed attack on encryption systems that protect all our communications and data—our financial transactions, privileged communications with attorneys, medical records, and more—is like publishing faulty medical research just to prevent a particular foreign dictator from being cured. It is penny-wise and pound-foolish. It had been looking to me for a while like the U.S. government may be hoarding vulnerabilities and cultivating new attacks rather than contributing to worldwide security by helping to close gaps in vulnerable technologies. And now we have the proof.

Shane Harris’s excellent Foreign Policy article today looks at NSA administrator General Keith Alexander, calling him “The Cowboy of the NSA.” Fast and loose with the law, his folksy demeanor has allowed him to downplay the significance of his efforts. Meanwhile, Alexander and his “mad scientist” advisor James Heath have done anything they want—and lobbied for it adroitly—awash in taxpayer money. Harris reports:

When he was running the Army’s Intelligence and Security Command, Alexander brought many of his future allies down to Fort Belvoir for a tour of his base of operations, a facility known as the Information Dominance Center. It had been designed by a Hollywood set designer to mimic the bridge of the starship Enterprise from Star Trek, complete with chrome panels, computer stations, a huge TV monitor on the forward wall, and doors that made a “whoosh” sound when they slid open and closed. Lawmakers and other important officials took turns sitting in a leather “captain’s chair” in the center of the room and watched as Alexander, a lover of science-fiction movies, showed off his data tools on the big screen.

And:

“He moved fairly fast and loose with money and spent a lot of it,” [a] retired officer says. “He doubled the size of the Information Dominance Center and then built another facility right next door to it. They didn’t need it. It’s just what Heath and Alexander wanted to do.” The Information Operations Center, as it was called, was underused and spent too much money, says the retired officer. “It’s a center in search of a customer.”

I find myself nonplussed by the glib reaction of some conservatives to this wanton bureaucratic behavior. Cracking the encryption systems that protect us all cannot be waved off as “the task we’ve given the NSA.” So I offer this framework for thinking about the NSA and its behavior: Secrecy is a delegation of power from elected officials to unaccountable bureaucrats.

This is not to deny that there is some need for secrecy sometimes, but, at the scope we’ve seen, secrecy has the same, and worse, effects as other delegations of power that conservatives and libertarians object to.

NSA’s War on Global Cybersecurity

In its myopic quest to ensure that no digital communication remains hidden from its panoptic gaze, the National Security Agency has worked to undermine the security of all Internet users, a new story in the New York Times reveals. As security expert Bruce Schneier aptly summarizes the report, “Government and industry have betrayed the internet, and us.” 

In this case, the Times notes, the NSA has not just arrogated power to itself in secret, but has done so after unambiguously losing an extended public political debate in the 1990s over whether the government should be legally provided with backdoor access to encrypted communications, or attempt to prevent strong encryption software from being available to users around the world. As security experts understood, and successfully argued at the time, ensuring that companies and individual users around the world could trust the security of their communications was vastly more important than ensuring the NSA or FBI would never encounter a message they couldn’t decipher—something that, in any event, would be impossible to guarantee.

Having justly lost the public debate, the NSA secretly decided to sacrifice the rest of the world’s interests to its own goals anyway:

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping. […]

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

Will the Administration Make a Run at Transparency?

Last fall, I reported that the Obama administration lagged the House of Representatives on transparency. The conclusion was driven by a study of the quality of data publication regarding key elements of budgeting, appropriating, spending, and the legislative process. (Along with monitoring progress in these area, we’ve been producing data to show that it can be done, to produce a cadre of users, and to simply deliver government transparency at a less plodding pace.)

There are signs that the administration may make a run at improving its transparency record. Buried deep in the FY 2014 budget justification for the Treasury Department’s Bureau of the Fiscal Service, it says that funds will support “government-wide data standardization efforts to increase accuracy and transparency of Federal financial reporting.” That means the public may get better access to where the money goes – outlays – in formats that permit computer-aided oversight.

In parallel, a Performance.gov effort called the Federal Program Inventory says that, in May of 2014, it will publish a Unique Federal Program Inventory number (pg. 4-5) for each federal program, along with agency IDs and bureau IDs. This may be the machine-readable federal government organization chart whose non-existence I have lamented for some time.

If this sounds jargon-y, you’re normal. Think of federal spending as happening on a remote jungle island, where all the inhabitants speak their own language. On Federal Spending Island, no visitor from the U.S. mainland can understand where things are there, or who is saying what to whom.

True machine-readable data will turn Federal Spending Island into a place where English is spoken, or at least a some kind of Federal Spending-English dialect that makes the movement of our tax dollars easier to track.

The Defense of NSA Spying that Wasn’t

In an interview with CNN yesterday, outgoing FBI director Robert Mueller offered up words one could characterize as defending mass surveillance of all Americans’ phone calling. Indeed his interview has been portrayed as a defense of such spying, with outlets like NRO’s “The Corner” reporting “Outgoing FBI Chief: ‘Good Chance’ NSA Would Have Prevented ‘Part’ of 9/11.” But Director Mueller spoke much more equivocally than that.

Here’s what he actually said.

CNN: If we had the kind of intelligence that we were collecting through the NSA before September 11th, the kind of intelligence collection that we have now, do you think 9/11 would have been prevented?

MUELLER: I think there’s a good chance we would have prevented at least a part of 9/11. In other words, there were four planes. There were almost 20 — 19 persons involved. I think we would have had a much better chance of identifying those individuals who were contemplating that attack.

CNN: By this mass collection of information?

MUELLER: By the various programs that have been put in place since then. … It’s both the programs (under the Patriot Act) but also the ability to share the information that has made such dramatic change in our ability to identify and stop plots.

Mueller vaguely cited “various programs,” giving them a retroactive chance of preventing “a part of 9/11.” But even this defense of post-9/11 powers is insufficient.

In our 2006 paper, “Effective Counterterrorism and the Limited Role of Predictive Data Mining,” IBM scientist Jeff Jonas and I recounted the ease with which 9/11 attackers Khalid al-Mihdhar and Nawaf al-Hazmi could have been found had government investigators pursued them with alacrity. The 9/11 Commission said with respect to al-Mihdhar, “No one was looking for him.” Had they been caught and their associations examined, the 9/11 plot probably could have been rolled up. Sluggish investigation was a permissive factor in the 9/11 attacks, producing tragic results that nobody foresaw.

That absence of foresight is a twin with retrospective assessments like Mueller’s, which fail to account for the fact that nobody knew ahead of 9/11 what devastation might occur. Immediately after the 9/11 attacks, everybody knew what such an attack could cause, and everybody began responding to the problem of terrorism.

Would Patriot Act programs have prevented at least a part of 9/11? Almost certainly not, given pre-9/11 perceptions that terrorism was at the low end of threats to safety and security. A dozen years since 9/11, terrorism is again at the low end of threats to safety and security because of multiplicitous efforts worldwide and among all segments of society. It is not Patriot Act programs and certainly not mass domestic surveillance that make us safe. Even Mueller didn’t defend NSA spying.

If You Think Smith v. Maryland Permits Mass Surveillance, You Haven’t Read Smith v. Maryland

… and you’re not following developments in Fourth Amendment law.

Jeffrey Toobin is the latest to claim that Smith v. Maryland settles the Fourth Amendment issues around the National Security Agency’s acquisition of data about every call made in the United States. He even links to the text of the decision in a recent blog post.

The majority opinion in Smith did say that people don’t have a reasonable expectation of privacy in phone records, but that rationale is weak, and the facts of Smith are inapposite to the present controversy. I think that’s easily gathered from reading the case with awareness of legal currents.

Here’s what happened in Smith:

On March 5, 1976, in Baltimore, Md., Patricia McDonough was robbed. She gave the police a description of the robber and of a 1975 Monte Carlo automobile she had observed near the scene of the crime. After the robbery, McDonough began receiving threatening and obscene phone calls from a man identifying himself as the robber. On one occasion, the caller asked that she step out on her front porch; she did so, and saw the 1975 Monte Carlo she had earlier described to police moving slowly past her home. On March 16, police spotted a man who met McDonough’s description driving a 1975 Monte Carlo in her neighborhood. By tracing the license plate number, police learned that the car was registered in the name of petitioner, Michael Lee Smith.

The next day, the telephone company, at police request, installed a pen register at its central offices to record the numbers dialed from the telephone at petitioner’s home. The police did not get a warrant or court order before having the pen register installed. The register revealed that on March 17 a call was placed from petitioner’s home to McDonough’s phone. On the basis of this and other evidence, the police obtained a warrant to search petitioner’s residence. The search revealed that a page in petitioner’s phone book was turned down to the name and number of Patricia McDonough; the phone book was seized. Petitioner was arrested, and a six-man lineup was held on March 19. McDonough identified petitioner as the man who had robbed her. (citations omitted)