Topic: Telecom, Internet & Information Policy

D.C. Court: Smith Is Not Good Law

In debates about the NSA’s mass surveillance of all our phone calling, pro-government lawyers have often tried to play a trump card called Smith v. Maryland. Smith is a 1978 Supreme Court decision as right for our times as laws requiring public buildings to provide spittoons. But lawyering rightly relies heavily on precedent, so there it was, the argument that people don’t have a constitutional interest in data about their phone calling because a suspected burglar and obscene phone-caller didn’t have such an interest back in 1976.

D.C. district court judge Richard Leon ruled today that Smith is not an appropriate precedent for considering the constitutionality of the NSA’s mass surveillance program. “[T]he Smith pen register and the ongoing NSA Bulk Telephony Metadata Program,” he concluded, “have so many significant distinctions between them that I cannot possibly navigate these uncharted Fourth Amendment waters using as my North Star a case that predates the rise of cell phones.”

When phone calling was home- or office-bound and relatively rare, people’s interest in the information about their calling was not as great as it is today. Cell phones now accompany most people everywhere they go every single day. “[T]he ubiquity of phones has dramatically altered the quantity of information that is now available and, more importantly, what that information can tell the Government about people’s lives.” (emphases omitted)

Judge Leon applied the “reasonable expectation of privacy” test in finding that he is likely to determine that the NSA’s data seizures are a Fourth Amendment violation, even though that standard has been thrown into doubt by recent Supreme Court decisions. But what is important is that his decision breaks the circular logic adopted by the panels of judges ratifying mass domestic surveillance under the Foreign Intelligence Surveillance Act. These panels believed they could act in secret because of the premise that Americans don’t have a constitutional interest in data about their calls. Their secret operations barred Americans from contesting that premise. And the band played on. Until someone leaked this mass domestic spying to the public.

Judge Leon’s assessment of the government’s interest is notable. He picked up on the fact that the government’s collection of data about all our calls is simply to make things a little quicker when they want to do an investigation.

“[T]he Government’s interest,” he writes, “is not merely to investigate potential terrorists, but rather, to do so faster than other methods might allow. … Yet … the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.” (emphases omitted)

Databasing of all our calls is a convenience and not a necessity. That stacks up poorly against the privacy costs all Americans suffer by having their phone-calling catalogued in government databases.

There will almost certainly be an appeal, and there will be more cases coming up through the courts that explore the many dimensions of this issue. But now we can tell our lawyer friends who have been a little too slavish to precedent that Smith v. Maryland is not good law.

A Data Retention Mandate? NO

The Wall Street Journal reports that a panel convened by the president to review the National Security Agency’s programs will recommend that “the records of nearly every U.S. phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization.” That recommendation is a non-starter.

Mandatory data retention has been floated for years using the most politically appealing rationale, child predation. In 2007, we characterized the idea as costly, outsourced surveillance, and Congress has consistently denied that power to the government. In fact, child protection bills containing data retention mandates were introduced in several Congresses but only passed once provisions deputizing communications providers into government surveillance were stripped out. Randy Barnett and I made this point in our brief urging the Supreme Court to take up the NSA’s mass surveillance of Americans’ telephone calling.

“Congress has declined to institute mandatory data retention laws because the costs, risks, and privacy consequences for innocent citizens outweigh their law enforcement and security benefits,” we wrote. “The Verizon order reverses this Congressional policy by requiring a telecommunications provider to turn all data over to the government for retention by the National Security Agency.”

How ironic it would be if the NSA’s illegal excesses delivered it a victory on a policy initiative that it lost years ago. Is secretly violating Americans’ communications privacy really rewarded by a policy requiring the violation of Americans’ communications privacy?

Rep. Jim Sensenbrenner (R-WI), who claims authorship of the USA-PATRIOT Act, came to Cato two months ago to lament the NSA’s use of that law for domestic spying he did not intend the NSA to have. In the past, he has said that data retention “runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes.” Assumedly, he believes the same as to people’s use of the phone, and he will continue working with other privacy-minded legislators to relegate data retention mandates to the dustbin of history.

Ohio Backs off of REAL ID

Sometimes there are setbacks to the efforts of the Department of Homeland Security, the American Association of Motor Vehicle Administrators, and state motor vehicle bureaucrats to quietly knit together a national ID. If this story is true, Ohio appears to be breaking with the national ID plan.

What’s remarkable about this case is Ohio’s recognition that the federal government will never act on the threat that TSA will refuse drivers’ licenses and IDs from states that decline to implement the REAL ID Act.

Ohio is among a growing number of states that are refusing to comply with federal standards intended to toughen access to driver’s licenses. … The states are betting that federal officials do not implement plans to accept only “Gold Star” licenses as proof of identity to fly on commercial flights or to enter federal buildings and courthouses. “We’re not so sure the federal government” will only honor IDs that meet its requirements, [Ohio Department of Public Safety spokesman Joe] Andrews said.

Time was when states fell in line at the suggestion of this federal government threat. Eight-and-a-half years after REAL ID became law, the states may be recognizing the inability of the feds to coerce them into implementing their national ID.

FDA Moves To Crush 23andMe

23andMe is a service that combines a home-based saliva testing DNA-sample kit combined with a web-based service to explain what the results mean and put you in touch with other users. At $99, it’s a breakthrough hit in affordable personal technology – and now the Food and Drug Administration is determined to snuff it out. I discuss this appalling development in a new post at Overlawyered: 

…Some of us want to seek out distant relatives and clues about national origins, or satisfy curiosity about patterns of disease in our family lines. For adoptive families, home genome testing can be hugely valuable in cases where one knows little about the medical history of an adoptee’s birthfamily. It’s our body, and our right to inform ourselves about it — or so we thought.

The FDA very likely has decent legal grounds to forbear from a crackdown should it choose to. But the key takeaway sentence from Matthew Herper’s piece in Forbes criticizing the company is: “This is not the way to deal with a powerful government regulator.” Disrespectful, anti-authority attitudes from someone an agency intends to regulate? Ask former Buckyballs CEO Craig Zucker where that gets you. …

Science blogger Razib Khan has suggested that information services like 23andme, rather than submit to expensive and cumbersome regulation as “medical devices,” may simply pack up and move offshore. But even if they do, that won’t be the end of our government’s jealous wish to regulate them – or so I predict in my post.

P.S. Is it relevant that governments themselves, through their law enforcement agencies, run elaborate saliva-, blood- and DNA-collection operations that are hedged with few of the protections of voluntariness, privacy and openness that one finds with 23andMe?

Government: The Bigger, the Leakier

One of the many problems with Big Government is that it abuses our privacy. The potential for abuse has been greatly heightened in the information age. The problem is not just that government officials themselves can abuse the vast troves of data that they collect, but that thieves, hackers, organized crime, and other private actors can gain access as well.

Federal bureaucracies are collecting vast amounts of data and storing it in giant sieves. Officials promise to put safety procedures in place, but those procedures always fall short because the government is so large and vulnerable to human failure. Two stories in the Washington Post today highlight the problems.

One story solves the mystery of how Edward Snowden was able to walk away with tens of thousands of secret NSA documents. As a computer systems administrator, he apparently just asked a couple of dozen agency employees for their log in passwords.

Another story describes how a defense contractor in Asia allegedly used moles in the U.S. Navy Department to gain access to sensitive data about contracts, ship movements, and internal investigations. The contractor used old-fashioned tools to prey on the weaknesses of Navy officials: money and prostitutes. The leaks happened “despite past pledges by the Pentagon to strengthen oversight,” notes the Post.

The huge data data collection effort to support Obamacare is another threat. Despite government promises about ensuring privacy, we now know that the administration skipped crucial security and privacy testing as it rushed to launch the health website.  

Politicians and officials will keep promising to fix things, but as long as the government is a giant vacuum cleaner sucking up and storing vast troves of data, sensitive information will leak. Another dimension of risk is the increased proclivity of our government to share tax, financial, security, and intelligence data with other governments.

Free Trade on the Internet

This is from a recent speech by Senator Ron Wyden (D-OR):

Today, the Internet represents the shipping lane of 21st Century goods and services. It is reshaping global commerce just like social media is reshaping societies. But right now the trade rules don’t neatly apply to the digital economy, despite the growing number of protectionist barriers popping up. The most recent WTO rules were written before the Internet.

It’s time for the digital economy to be within the Winners Circle by keeping data flows open and ensuring that foreign markets aren’t more legally hazardous than the U.S.

This is an important point. With regard to international trade in goods, the impact of the Internet has been significant, but only within certain limits. With the exception of goods for which electronic versions have been developed, you still need to make the goods at a factory and ship them around the world.  

With services, by contrast, the Internet revolution has been greater. A number of services that used to be difficult to trade internationally at all are now tradable with the click of a mouse. To use an example I’ve written about recently, online higher education services are taking off. Someday soon it may be just as convenient for a Washingtonian to get a degree from Melbourne University in Australia as it is to do so from Georgetown.

One problem, though, as Senator Wyden points out, is that many of our international trade rules were written in the pre-Internet era. This became apparent during the WTO dispute over online gambling. The rules could barely fit with this new industry.

The Unpersuasive Case for the NSA Call Dragnet’s Effectiveness

Sen. Dianne Feinstein (D-CA) has an op-ed in the Wall Street Journal ($) defending the NSA’s bulk call records database as a “vital” counterterrorism tool.  While this wouldn’t make the program legal even if true, it also seems clear that the secret Foreign Intelligence Surveillance Court (FISC) has relied, rather uncritically, on the government’s assertions of “necessity” to draw the strained conclusion that every American’s phone records are “relevant” to FBI counterterrorism investigations. It’s thus worth pointing out how extraordinarily weak the case for the program’s utility really is.  Feinstein begins by recycling the claim that if only the NSA program had existed in 2001, the 9/11 hijackers could have been identified and halted before carrying out their catastrophic attack:

Intelligence officials knew about an al Qaeda safe house in Yemen with ties to [hijacker Khalid] al-Mihdhar as well as the safe house’s telephone number, but they had no way of knowing if anyone inside the U.S. was in contact with that phone number in Yemen. Only after 9/11 did we learn that al-Mihdhar, while living in San Diego, had called the safe house.

In congressional testimony in June, FBI Director Bob Mueller said that if intelligence officials had had the NSA’s searchable database of U.S. telephone-call records before 9/11, they would have been able to connect the number to al-Mihdhar and produce actionable intelligence on participants of the developing plot. NSA Director Keith Alexander testified before Congress in October that if the call-records program had existed before 9/11, there is a “very high” likelihood that we would have detected the impending attack that killed 3,000 Americans.

The most obvious problem with this argument is that the court order we’ve seen for phone records explicitly demands two distinct categories of records, for calls “(i) between the United States and abroad, or (ii) wholly within the United States, including local telephone calls.” The first category might have helped identify calls to or from a known safehouse in Yemen, but the latter, much larger category rather obviously would not.  This is simply an attempt to exploit the tragedy of 9/11 to deflect criticism of massive domestic surveillance that would not have been any use in preventing that attack.