Topic: Telecom, Internet & Information Policy

In Its Bubble of Secrecy, the National Security Bureaucracy Redefined Privacy for Its Own Purposes

Rep. Jim Sensenbrenner (R-WI) is nothing if not a security hawk, and this weekend he decried the NSA’s collection of all Americans’ phone calling records in a Guardian post entitled, “This Abuse of the Patriot Act Must End.” On Thursday last week, he sent a letter to Attorney General Eric Holder demanding answers by Wednesday.

It also became apparent over the weekend that the National Security Agency’s program to collect records of every phone call made in the United States is not for the purpose of data mining. (A Wall Street Journal editorial entitled “Thank You for Data Mining” was not only wrong on the merits, but also misplaced.) Rather, the program seizes data about all of our telephone communications and stores that data so it can aid investigations of any American who comes under suspicion in the future.

Details of this program will continue to emerge–and perhaps new shocks. The self-disclosed leaker–currently holed up in a Hong Kong hotel room waiting to learn his fate–is fascinating to watch as he explains his thinking.

The court order requiring Verizon to turn over records of every call “on an ongoing daily basis” is a general warrant.

The Framers adopted the Fourth Amendment to the Constitution in order to bar general warrants. The Fourth Amendment requires warrants 1) to be based upon probable cause and 2) to particularly describe the place to be searched and the persons or things to be seized. The leaked warrant has neither of these qualities.

A warrant like this would never be adopted in an open court system. With arguments and decisions available to the public and appeals going to public courts, common sense and simple shame would foreclose suspicionless data-gathering about every American for the benefit of future potential investigations. 

Alas, many people don’t believe all that deeply in the Constitution and the rule of law when facile promises of national security are on offer. It is thus worthwhile to discuss whether this is unconstitutional law enforcement and security practice would work. President Obama said last week, “I welcome this debate and I think it’s healthy for our democracy.”

Why The NSA Collecting Your Phone Records Is A Problem

Privacy advocates and surveillance experts have suspected for years that the government was using an expansive interpretation of the Patriot Act’s §215 “business record” authority to collect bulk communications records indiscriminately. We now have confirmation in the form of a secret order from the secret Foreign Intelligence Surveillance Court to Verizon — and legislators are saying that such orders have been routinely served on phone carriers for at least seven years. (It seems likely that similar requests are being served on Internet providers — increasingly the same companies that provide us with wireless phone services).

Some stress that what is being collected is “just metadata”—a phrase I’m confident you’ll never see a computer scientist or data analyst use. Metadata—the transactional records of information about phone and Internet communications, as opposed to their content—can be incredibly revealing, as the recent story about the acquisition of Associated Press phone logs underscores. Those records, as AP head Gary Pruitt complained, provide a comprehensive map of reporters’ activities, telling those who know how to look what stories journalists are working on and who their confidential sources are. Metadata can reveal what Websites you read, who you communicate with, which political or religious groups you’re affiliated with, even your physical location.

In a way, the ground was prepared for this indiscriminate collection of Americans’ data way back in the 1970s, when the Supreme Court held, implausibly, that we surrender our expectation of privacy—and with it, the protection of the Fourth Amendment—just by using modern technology that leaves traces of our activity on someone else’s computers. But Americans were also sold a false bill of goods when Congress passed and reauthorized the Patriot Act powers used here—which we were repeatedly assured were only intended to be used to track “bad guys.” What we weren’t told was that, if the government thinks datamining ALL our records might help identify “bad guys,” then that information too is “relevant” to an investigation.

This collection is probably well enough intentioned. The problem is that these records are likely to be retained in databases indefinitely. Which means we don’t just need to worry about whether the government’s motives are pure when they collect the information. Even if they are, someone with access to that data, maybe in five or ten years, may be unable to resist the temptation to use that information for other purposes. That could mean investigating ordinary crimes: If you can data mine for suspicious terrorist activity patterns—which as Jim Harper and Jeff Jonas have pointed out is likely to be extremely difficult—you can plug in “suspicious patterns” that may identify drug dealers and tax cheats as well. Still more disturbing is the possibility that, the intelligence community has repeatedly done historically, those records could be exploited for illegitimate political purposes, or even simple greed. (Imagine probing communications for signs of an impending corporate merger, product launch, or lawsuit.)

We are, predictably, being told that this program is essential to protecting us from terrorist attacks. But the track record of such claims is unimpressive: They were made about fusion centers, and the original NSA warrantless wiretap program, and in each case collapsed under scrutiny. No doubt some of these phone records have proven useful in some investigation, but it doesn’t follow that the indiscriminate collection of such records is necessary for investigations, any more than general warrants to search homes are necessary just because sometimes searches of homes are useful to police.

In the short term, we should hope for an Inspector General audit of this program, both to look for abuses—as a similar audit of National Security Letters uncovered “widespread and serious” misuse of authority—and to skeptically interrogate the claim that such sweeping collection is somehow indispensable to national security. In the longer term, we need to follow the suggestion of Justice Sotomayor in United States v. Jones and think hard about the “third party doctrine,” which leaves all this increasingly voluminous and revealing metadata stripped of constitutional protection.

NSA Spying on a Gazillion Americans

Today’s widespread outrage over reports that the National Security Agency is conducting widespread, untargeted, domestic surveillance on millions of Americans reminds me of this post from July 2012, in which Sen. Rand Paul reported on a private briefing he’d received. He couldn’t reveal what he’d learned, but he was able to report that the number of Americans subject to surveillance was closer to “a gazillion” than to zero. Now we have a bit more information. As I wrote then:

Sen. Rand Paul (R-KY) gave a great speech on surveillance last week at FreedomFest. Actually, he gave two good speeches, but the one embedded below is his short 6-minute talk at the Saturday night banquet. He talks about our slide toward state intrusion into our phone calls, our emails, our reading habits and so on. You know how big the surveillance state has gotten? The answer is “a gazillion.” Watch the speech—complete with high-falutin’ references to Fahrenheit 451 and the martyr Hugh Latimer!

U.S. Trade Agency Bans iPhones

Well, some of them anyway. The U.S. International Trade Commission has found that Apple infringed one of Samsung’s patents related to 3G technology and issued an injunction against the importation and sale of the iPhone 3GS, iPhone 4, iPad 3G, and iPad 2 3G.  These are not the latest models, but neither are they obsolete. (For a very helpful and thorough explanation of the issues in the case, check out Florian Mueller’s FOSS Patents blog.)

The outcome in this case offers an excellent example of why having a redundant patent litigation venue at the ITC with slightly different laws and procedures is bad public policy. If this patent had been litigated in federal district court, where the vast majority of patent litigation takes place, the judge would have refused to issue an injunction as contrary to the public interest—even if Apple egregiously and remorselessly infringed Samsung’s patent.

The patent at issue in the ITC investigation is what’s known as a standard-essential patent. This is a term for technology that’s so ubiquitous as to be necessary for interoperability within the industry (like 3G) and that the patent owner has agreed to license to anyone who makes a reasonable royalty offer (thus promoting it to become the industry standard). It is highly unlikely that a federal district court would issue an injunction against any product based on infringement of such a patent, because doing so would be excessively disruptive and unfair. In fact, the Justice Department and other antitrust agencies have argued that merely seeking an injunction based on one of these patents might violate antitrust law.

None of this matters at the ITC, where injunctive relief is the only remedy available. In 2006, the U.S. Supreme Court held that courts should award only monetary damages in patent cases unless there are special circumstances necessitating an injunction and doing so would not harm the public interest. The purpose and consequence of the Supreme Court’s decision was to prevent patent trolls from using small patents to get large settlements. But monetary damages are unavailable at the ITC, and the agency decided the Supreme Court’s ruling didn’t apply to them.

In the Apple-Samsung case, Apple claimed that Samsung’s request for royalties of 2.4 percent was unreasonably high. If the patent is worth less than 2.4 percent of the product’s value, an injunction against selling the entire phone is excessive. This is especially true when the technology is virtually impossible to design around. Rather than simply deciding who pays what to whom in a dispute that is mostly about licensing fees, a sales ban deprives consumers of choice in the market.

The good news is that efforts are underway in Washington to fix the problem of excessive remedies at the ITC. The White House released a proposal for patent reform this week that included a call “to enhance consistency in the standards applied at the ITC and district courts.” Specifically, they want the ITC to use the same public interest test that courts use before issuing an injunction (Rep. Devin Nunes made a very similar proposal last year). This is a good plan. It would likely have prevented the new iPhone ban and will do a lot to make the ITC less attractive to patent trolls.

Fixing problems at the ITC by making it more like district court litigation, however, shows very clearly how redundant and unnecessary it is to have two venues for patent litigation. Why should we have the ITC hearing patent cases in the first place?  There is no satisfactory answer to that question. As I argued in a Policy Analysis last year, the ITC’s power to investigate and exclude imports for patent infringement not only disrupts the proper functioning of the U.S. patent system, it also violates international trade rules. We could save ourselves a lot of trouble down the line by shutting the whole thing down.

Your Congress, Your NSA Spying

The National Security Agency is collecting records of every domestic and cross-border Verizon phone call between now and July 19th. The secret court order requiring Verizon to hand over these records has been leaked to the Guardian.

You may find that outrageous. 1984 has arrived. Big Brother is watching you.

But the author of this story is not George Orwell. It’s Representative Lamar Smith of Texas, Senator Diane Feinstein of California, and you.

Here’s what I mean: In June of last year, Representative Smith (R) introduced H.R. 5949, the FISA Amendments Act Reauthorization Act of 2012. Its purpose was to extend the FISA Amendments Act of 2008 for five years, continuing the government’s authority to collect data like this under secret court orders. The House Judiciary Committee reported the bill to the full House a few days later. The House Intelligence Committee, having joint jurisdiction over the bill, reported it at the beginning of August. And in mid-September, the House passed the bill by a vote of 301 to 118.

Sent to the Senate, the bill languished until very late in the year. But with the government’s secret wiretapping authority set to expire, the Senate took up the bill on December 27th. Whether by plan or coincidence, the Senate debated secret surveillance of Americans’ communications during the lazy, distracted period between Christmas and the new year.

Senator Dianne Feinstein (D) was the bill’s chief defender on the Senate floor. She parried arguments doggedly advanced by Senator Ron Wyden (D-OR) that the surveillance law lacks sufficient oversight. My colleague Julian Sanchez showed ably at the time that modest amendments proposed by Wyden and others would improve oversight and in no way compromise security. But false urgency created by the Senate’s schedule won the day, and on December 28th of last year, the Senate passed the bill, sending it to the president, who signed it on December 30th.

The news that every Verizon call is going to the NSA not only vindicates Senator Wyden’s argument that oversight in this area is lacking. It reveals the upshot of that failed oversight: The secret FISA court has been issuing general warrants for communications surveillance.

That is contrary to the Fourth Amendment to the Constitution, which requires warrants to issue “particularly describing the place to be searched, and the persons or things to be seized.” When a court requires “all call detail records” to be handed over “on an ongoing daily basis,” this is in no sense particular. Data about millions of our phone calls are now housed at the NSA. Data about calls you make and receive today will be housed at the NSA.

The reason given for secret mass surveillance of all our phone calls, according to an unofficial comment from the Obama administration, is that it is a “critical tool” against terrorism. These arguments should be put to public proof. For too long, government officials have waved off the rule of law and privacy using “terrorism” as their shibboleth. This time, show us exactly how gathering data about every domestic call on one of the largest telecommunications networks roots out the tiny number of stray-dog terrorists in the country. If the argument is based on data mining, it has a lot to overcome, including my 2008 paper with IBM data mining expert Jeff Jonas, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

The ultimate author of the American surveillance state is you. If you’re like most Americans, you allowed yourself to remain mostly ignorant of the late-December debate over FISA reauthorization. You may not have finished digesting your Christmas ham until May, when it was revealed that IRS agents had targeted groups applying for tax exempt status for closer scrutiny based on their names or political themes.

The veneer of beneficent government is off. The National Security Agency is collecting records of your phone calls. The votes in Congress that allowed this to happen are linked above in this post. What are you going to do about it?

How Identification Is Overused and Misunderstood

Justice Anthony Kennedy seems to be carving out his place as the Supreme Court justice who doesn’t “get” identity. Maryland v. King was the case issued today that shows that.

His opener was the 2004 decision in Hiibel v. Sixth Judicial District Court of Nevada, which ratified laws requiring people to disclose their names to police officers on request.

In that case, Deputy Lee Dove of the Humboldt County (NV) Sheriff’s Department had received a report that a man had slugged a woman. He didn’t know the names of the alleged perpetrator or the victim, but Dove found Larry Hiibel standing next to his truck at the side of the road talking to his seventeen-year-old daughter seated inside. Dove didn’t check to see if they were having a dispute, or if anyone had hit anyone. He just started demanding Hiibel’s ID.

“Knowledge of identity may inform an officer that a suspect is wanted for another offense, or has a record of violence or mental disorder,” Justice Kennedy wrote, approving Hiibel’s arrest for refusing to show his papers:

On the other hand, knowing identity may help clear a suspect and allow the police to concentrate their efforts elsewhere. Identity may prove particularly important in [certain cases, such as] where the police are investigating what appears to be a domestic assault. Officers called to investigate domestic disputes need to know whom they are dealing with in order to assess the situation, the threat to their own safety, and possible danger to the potential victim.

Even if he had gotten Larry Hiibel’s ID, that wouldn’t have told Dove any of these things. Dove would have had to stop his battery investigation to investigate Hiibel’s background, which he didn’t do until after he had arrested Hiibel–and after his partner had thrown Hiibel’s distraught daughter to the ground. (There’s your battery.)

In Maryland v. King, Justice Kennedy did it again. He wrote the decision approving DNA identification of arrestees. Like demanding Hiibel’s ID, which had no relation to investigating battery, Maryland’s practice of collecting DNA has no relation to investigating or proving the crime for which King was arrested, and it does nothing to administer his confinement. This Justice Scalia made clear in a scathing dissent.

The Court alludes at several points to the fact that King was an arrestee, and arrestees may be validly searched incident to their arrest. But the Court does not really rest on this principle, and for good reason: The objects of a search incident to arrest must be either (1) weapons or evidence that might easily be destroyed, or (2) evidence relevant to the crime of arrest. Neither is the object of the search at issue here. (citations omitted)

Justice Kennedy appears to think there are certain behaviors around detention and arrest that law enforcement is allowed without regard to the detention or arrest. Here, he has sanctioned the gathering of DNA from arrested people, supposedly presumed innocent until proven guilty, to investigate the possibility of their connection to other, unknown crimes. His logic would allow searching the cell phone of a person arrested for public drunkenness to see if they have participated in an extortion plot.

There is plenty of time to run DNA identification data past cold case files after conviction, and all parties agree that’s what would have happened in King’s case. Given that, the Supreme Court has upheld DNA-based investigation of innocent people for their connections to cold cases because they happen to have been arrested. That’s the strange result of Maryland v. King.

We Need an Independent Review of Government Spying on Reporters

Declaring that “journalists should not be at legal risk for doing their jobs,” President Obama announced Thursday that he had directed Attorney General Eric Holder to review the Justice Department’s guidelines for spying on reporters in the course of leak investigations.

That would be more reassuring if Holder himself hadn’t signed off on a search warrant for the e-mail correspondence of Fox News reporter James Rosen. The warrant application dubbed Rosen a “co-conspirator” in a violation of the Espionage Act, on the disturbing theory that asking a source to disclose classified information—as national security reporters necessarily do routinely—is itself a crime, even if publication of the same material is constitutionally protected. In other words, the president is asking the fox to investigate mysterious disappearances in the henhouse.

If reporters were looking to take comfort in the press shield bill the President asked Congress to revive in response to the Justice Department’s seizure of Associated Press phone records, they shouldn’t. Because the bill’s protections include a national security exception—and national security leak investigations are precisely when the government is most likely to spy on journalists—it seems unlikely to have made much difference in either the AP or Rosen cases. Indeed, as the Freedom of the Press Foundation points out, it could even make it easier for the government to obtain press records by overriding the common law safeguards some courts have recognized.

If the president really wants to demonstrate his concern for the potential of government spying to chill vital investigative reporting, he needs to take a very different approach, centered on greater transparency and a truly independent audit of Justice Department policy.

Transparency can begin with letting the public know exactly what the guidelines for investigating the press are—and how the Justice Department interprets them. As the FBI’s operational guidelines make clear, the rules requiring the press to be notified when their phone records are obtained only apply to subpoenas—not other secretive tools, such as National Security Letters, which can be issued without court approval. But the rules governing NSL demands for media records remain secret.

The Justice Department should also release any internal memos interpreting the rules governing press investigations. We know, for example, that there exists an informal 2009 opinion in which Justice Department lawyers analyzed how the rules would apply to sweeping demands—such as so-called “community of interest” requests—that can vacuum up a reporter’s records (among many others) even if the reporter is not specifically named as a target. Only brief excerpts of that opinion have been disclosed, thanks to a 2010 Inspector General report, and there is no way of knowing how many others remain secret.

Finally, we need an independent review—conducted by the Office of the Inspector General, not Attorney General Holder—to determine just how much surveillance of reporters has already occurred. It seems clear that the Justice Department does not think the current rules always require the press to be informed when they’ve been spied on: DOJ lawyers convinced a judge that the government never had to notify Rosen they’d read his e-mails. And because demands for electronic records can be quite broad, it would be all too easy for the government to end up with sensitive information about journalistic investigations even when no reporter was explicitly targeted.

When Congress and the public know what the rules really are, and how they have been applied in practice, we can begin a serious conversation about what reforms are needed to protect press freedom. Asking Eric Holder to investigate Eric Holder, on the other hand, is unlikely to protect much of anything—except, perhaps, Eric Holder.