Topic: Telecom, Internet & Information Policy

How Much Bulk Records Snooping Bypasses Judges?

The revelation that the National Security Agency has been indiscriminately collecting Americans’ phone records using sweeping bulk orders issued by a secret court has sparked enormous controversy. Yet we know that at least in the first few years after 9/11, something very similar occurred without any judicial process at all, as first reported by USA Today in 2006. Though that story was dwarfed at the time by the controversy over the Bush administration’s warrantless wiretap program, it was actually the call records program that provoked a dramatic showdown between the White House and Justice Department, nearly triggering a mass resignation when the president threatened to reauthorize it over the objections of the acting attorney general that it was unlawful.

The controversy reemerged earlier this month when the Guardian published a leaked court order to Verizon’s business-focused subsidiary to produce “all call detail records,” including all “routing information,” and specifically requesting communications “wholly within the United States, including local telephone calls.” The order made it clear that the program continued, and was not merely large-scale but sought literally all domestic records. Moreover, it raised concerns about the Foreign Intelligence Surveillance Court’s interpretation of §215 more generally. The court had apparently determined that an authority to demand “any tangible thing” from nearly any person or entity could be exercised in a completely non-particularized way: Give us everything, we may eventually decide some of it is “relevant.” But it’s still not wholly clear when and why the FISC got involved in the metadata program—and how much of it may still bypass judicial supervision.

It’s clear from the original USA Today story that the metadata program in its original incarnation “didn’t need a court order—or approval under FISA—to proceed.” It’s also relatively clear that something changed around 2006. Statements from the program’s defenders in Congress indicate that the current version of the program, involving orders reissued at three-month intervals, has been operating for seven years. Moreover, you can read between the (heavily redacted) lines of a March 2008 Inspector General report on the use of §215 in 2006 and see intimations that “unlike in previous years,” the authority was being used in some programmatic way that would not be included in the IG’s discussion or metrics.

Yet the numbers reported annually for §215 orders, as Amie Stepanovich of the Electronic Privacy Information Center reminded me, are hard to square with a major shift to reliance on the authority for metadata at that time. Only a handful of §215 orders were issued in the subsequent years: six in 2007, 13 in 2008, and 21 in 2009. Even if those metrics only count the “primary order” authorizing acquisition from multiple providers, and not the “secondary orders” issued to each provider, that seems low. You’d still need at least four each year for each type of bulk order, and the Wall Street Journal has reported that the program reaches far beyond telephone data to encompass “records from Internet-service providers and purchase information.”

Instead, we see two enormous jumps in orders starting in 2010. That year, there were 96 orders, of which a surprising 43 were modified. That seemed odd to observers because §215 authority is so broad, requiring only “relevance” to an investigation, that the court would rarely have occasion to intervene—unless what was being demanded was so mindbogglingly expansive that it strained even that flaccid standard. We then see another big jump in 2011, to 205 orders (176 modified), which levels off in 2012 at 212 orders (200 modified). What was going on there? If the NSA bulk metadata program moved over to reliance on §215 in 2006, why is there no sign of anything like it in the numbers until four years later?

NSA Snooping: a Majority of Americans Believe What?

Yesterday, the Washington Post and the Pew Research Center released a joint poll that purportedly showed that “a large majority of Americans” believe the federal government should focus on “investigating possible terrorist threats even if personal privacy is compromised.”

But a careful look at the poll shows citizens are far less sanguine about surrendering their privacy rights, as the facts continue to be revealed.

Pollsters faced a difficult challenge—to accurately capture public opinion during a complex and evolving story. Recall, on Wednesday of last week, the story was about the NSA tracking Verizon phone records. So the pollsters drew up a perfectly reasonable and balanced question:

As you may know, it has been reported that the National Security Agency has been getting secret court orders to track telephone call records of MILLIONS of Americans in an effort to investigate terrorism. Would you consider this access to telephone call records an acceptable or unacceptable way for the federal government to investigate terrorism?

Fifty-six percent found this “acceptable.” Thus, the “majority of Americans” lead in the Washington Post.

However, on Thursday, the Washington Post revealed explosive details about the massive data-collection program PRISM—and the public was alerted that the NSA was not just collecting phone records, but email, Facebook, and other online records. So the pollsters quickly drew up a new question, asked starting Friday, from June 7-9:

Do you think the U.S. government should be able to monitor everyone’s email and other online activities if officials say this might prevent future terrorist attacks?

Fifty-two percent—a majority—said “no.” So Americans feel differently about the story based on the facts on Wednesday, when the story was about tracking “telephone calls,” and facts on Thursday, when the story was about monitoring all “email and other online activity.”

The Washington Post could have fairly gone with a story that a majority of Americans do not agree that the federal government should monitor everyone’s email and online communication, even if it might prevent future terrorist attacks.

Unfortunately, that’s not the story that the Washington Post went with. Subsequent media coverage of the Post-Pew poll has neglected this nuance and cemented this misinterpretation of what “majority of Americans” believe.

A more reasonable interpretation of the Post-Pew poll is that citizens’ views seem to be changing as more details are revealed about the massive extent of the NSA snooping program. Indeed, most citizens have not been following this story as closely with only 48 percent report following thing “very closely” or “fairly closely.”

I’ll be watching eagerly to see what the next polls find out about that ever elusive “majority of Americans.”

In Its Bubble of Secrecy, the National Security Bureaucracy Redefined Privacy for Its Own Purposes

Rep. Jim Sensenbrenner (R-WI) is nothing if not a security hawk, and this weekend he decried the NSA’s collection of all Americans’ phone calling records in a Guardian post entitled, “This Abuse of the Patriot Act Must End.” On Thursday last week, he sent a letter to Attorney General Eric Holder demanding answers by Wednesday.

It also became apparent over the weekend that the National Security Agency’s program to collect records of every phone call made in the United States is not for the purpose of data mining. (A Wall Street Journal editorial entitled “Thank You for Data Mining” was not only wrong on the merits, but also misplaced.) Rather, the program seizes data about all of our telephone communications and stores that data so it can aid investigations of any American who comes under suspicion in the future.

Details of this program will continue to emerge–and perhaps new shocks. The self-disclosed leaker–currently holed up in a Hong Kong hotel room waiting to learn his fate–is fascinating to watch as he explains his thinking.

The court order requiring Verizon to turn over records of every call “on an ongoing daily basis” is a general warrant.

The Framers adopted the Fourth Amendment to the Constitution in order to bar general warrants. The Fourth Amendment requires warrants 1) to be based upon probable cause and 2) to particularly describe the place to be searched and the persons or things to be seized. The leaked warrant has neither of these qualities.

A warrant like this would never be adopted in an open court system. With arguments and decisions available to the public and appeals going to public courts, common sense and simple shame would foreclose suspicionless data-gathering about every American for the benefit of future potential investigations. 

Alas, many people don’t believe all that deeply in the Constitution and the rule of law when facile promises of national security are on offer. It is thus worthwhile to discuss whether this is unconstitutional law enforcement and security practice would work. President Obama said last week, “I welcome this debate and I think it’s healthy for our democracy.”

Why The NSA Collecting Your Phone Records Is A Problem

Privacy advocates and surveillance experts have suspected for years that the government was using an expansive interpretation of the Patriot Act’s §215 “business record” authority to collect bulk communications records indiscriminately. We now have confirmation in the form of a secret order from the secret Foreign Intelligence Surveillance Court to Verizon — and legislators are saying that such orders have been routinely served on phone carriers for at least seven years. (It seems likely that similar requests are being served on Internet providers — increasingly the same companies that provide us with wireless phone services).

Some stress that what is being collected is “just metadata”—a phrase I’m confident you’ll never see a computer scientist or data analyst use. Metadata—the transactional records of information about phone and Internet communications, as opposed to their content—can be incredibly revealing, as the recent story about the acquisition of Associated Press phone logs underscores. Those records, as AP head Gary Pruitt complained, provide a comprehensive map of reporters’ activities, telling those who know how to look what stories journalists are working on and who their confidential sources are. Metadata can reveal what Websites you read, who you communicate with, which political or religious groups you’re affiliated with, even your physical location.

In a way, the ground was prepared for this indiscriminate collection of Americans’ data way back in the 1970s, when the Supreme Court held, implausibly, that we surrender our expectation of privacy—and with it, the protection of the Fourth Amendment—just by using modern technology that leaves traces of our activity on someone else’s computers. But Americans were also sold a false bill of goods when Congress passed and reauthorized the Patriot Act powers used here—which we were repeatedly assured were only intended to be used to track “bad guys.” What we weren’t told was that, if the government thinks datamining ALL our records might help identify “bad guys,” then that information too is “relevant” to an investigation.

This collection is probably well enough intentioned. The problem is that these records are likely to be retained in databases indefinitely. Which means we don’t just need to worry about whether the government’s motives are pure when they collect the information. Even if they are, someone with access to that data, maybe in five or ten years, may be unable to resist the temptation to use that information for other purposes. That could mean investigating ordinary crimes: If you can data mine for suspicious terrorist activity patterns—which as Jim Harper and Jeff Jonas have pointed out is likely to be extremely difficult—you can plug in “suspicious patterns” that may identify drug dealers and tax cheats as well. Still more disturbing is the possibility that, the intelligence community has repeatedly done historically, those records could be exploited for illegitimate political purposes, or even simple greed. (Imagine probing communications for signs of an impending corporate merger, product launch, or lawsuit.)

We are, predictably, being told that this program is essential to protecting us from terrorist attacks. But the track record of such claims is unimpressive: They were made about fusion centers, and the original NSA warrantless wiretap program, and in each case collapsed under scrutiny. No doubt some of these phone records have proven useful in some investigation, but it doesn’t follow that the indiscriminate collection of such records is necessary for investigations, any more than general warrants to search homes are necessary just because sometimes searches of homes are useful to police.

In the short term, we should hope for an Inspector General audit of this program, both to look for abuses—as a similar audit of National Security Letters uncovered “widespread and serious” misuse of authority—and to skeptically interrogate the claim that such sweeping collection is somehow indispensable to national security. In the longer term, we need to follow the suggestion of Justice Sotomayor in United States v. Jones and think hard about the “third party doctrine,” which leaves all this increasingly voluminous and revealing metadata stripped of constitutional protection.

NSA Spying on a Gazillion Americans

Today’s widespread outrage over reports that the National Security Agency is conducting widespread, untargeted, domestic surveillance on millions of Americans reminds me of this post from July 2012, in which Sen. Rand Paul reported on a private briefing he’d received. He couldn’t reveal what he’d learned, but he was able to report that the number of Americans subject to surveillance was closer to “a gazillion” than to zero. Now we have a bit more information. As I wrote then:

Sen. Rand Paul (R-KY) gave a great speech on surveillance last week at FreedomFest. Actually, he gave two good speeches, but the one embedded below is his short 6-minute talk at the Saturday night banquet. He talks about our slide toward state intrusion into our phone calls, our emails, our reading habits and so on. You know how big the surveillance state has gotten? The answer is “a gazillion.” Watch the speech—complete with high-falutin’ references to Fahrenheit 451 and the martyr Hugh Latimer!

U.S. Trade Agency Bans iPhones

Well, some of them anyway. The U.S. International Trade Commission has found that Apple infringed one of Samsung’s patents related to 3G technology and issued an injunction against the importation and sale of the iPhone 3GS, iPhone 4, iPad 3G, and iPad 2 3G.  These are not the latest models, but neither are they obsolete. (For a very helpful and thorough explanation of the issues in the case, check out Florian Mueller’s FOSS Patents blog.)

The outcome in this case offers an excellent example of why having a redundant patent litigation venue at the ITC with slightly different laws and procedures is bad public policy. If this patent had been litigated in federal district court, where the vast majority of patent litigation takes place, the judge would have refused to issue an injunction as contrary to the public interest—even if Apple egregiously and remorselessly infringed Samsung’s patent.

The patent at issue in the ITC investigation is what’s known as a standard-essential patent. This is a term for technology that’s so ubiquitous as to be necessary for interoperability within the industry (like 3G) and that the patent owner has agreed to license to anyone who makes a reasonable royalty offer (thus promoting it to become the industry standard). It is highly unlikely that a federal district court would issue an injunction against any product based on infringement of such a patent, because doing so would be excessively disruptive and unfair. In fact, the Justice Department and other antitrust agencies have argued that merely seeking an injunction based on one of these patents might violate antitrust law.

None of this matters at the ITC, where injunctive relief is the only remedy available. In 2006, the U.S. Supreme Court held that courts should award only monetary damages in patent cases unless there are special circumstances necessitating an injunction and doing so would not harm the public interest. The purpose and consequence of the Supreme Court’s decision was to prevent patent trolls from using small patents to get large settlements. But monetary damages are unavailable at the ITC, and the agency decided the Supreme Court’s ruling didn’t apply to them.

In the Apple-Samsung case, Apple claimed that Samsung’s request for royalties of 2.4 percent was unreasonably high. If the patent is worth less than 2.4 percent of the product’s value, an injunction against selling the entire phone is excessive. This is especially true when the technology is virtually impossible to design around. Rather than simply deciding who pays what to whom in a dispute that is mostly about licensing fees, a sales ban deprives consumers of choice in the market.

The good news is that efforts are underway in Washington to fix the problem of excessive remedies at the ITC. The White House released a proposal for patent reform this week that included a call “to enhance consistency in the standards applied at the ITC and district courts.” Specifically, they want the ITC to use the same public interest test that courts use before issuing an injunction (Rep. Devin Nunes made a very similar proposal last year). This is a good plan. It would likely have prevented the new iPhone ban and will do a lot to make the ITC less attractive to patent trolls.

Fixing problems at the ITC by making it more like district court litigation, however, shows very clearly how redundant and unnecessary it is to have two venues for patent litigation. Why should we have the ITC hearing patent cases in the first place?  There is no satisfactory answer to that question. As I argued in a Policy Analysis last year, the ITC’s power to investigate and exclude imports for patent infringement not only disrupts the proper functioning of the U.S. patent system, it also violates international trade rules. We could save ourselves a lot of trouble down the line by shutting the whole thing down.