Category: Privacy (Electronic Surveillance)


ACLU v. NSA

In ACLU v. NSA, — F.3d — (6th Cir. 2007), a panel from the 6th Circuit held that the ACLU and other plaintiffs lacked standing to challenge the Bush Administration’s warrantless wiretapping program conducted by the National Security Agency (NSA). NYT coverage is here. According to the sketchy details known about the program, the court noted, “it has been publicly acknowledged that the TSP [the Terrorist Surveillance Program, as it has now been named by the Administration] includes the interception (i.e., wiretapping), without warrants, of telephone and email communications, where one party to the communication is located outside the United States and the NSA has ‘a reasonable basis to conclude that one party to the communication is a member of al Qaeda, affiliated with al Qaeda, or a member of an organization affiliated with al Qaeda, or working in support of al Qaeda.”

The plaintiffs are “journalists, academics, and lawyers who regularly communicate with individuals located overseas, who the plaintiffs believe are the types of people the NSA suspects of being al Qaeda terrorists, affiliates, or supporters, and are therefore likely to be monitored under the TSP.” The plaintiffs claimed that the NSA wiretapping violated, among other things, the First Amendment, Fourth Amendment, and the Foreign Intelligence Surveillance Act (FISA).

According to Judge Batchelder’s opinion, the plaintiffs could not establish standing because they could not directly prove that they were subject to surveillance. One of the problems with the court’s reasoning is that there is little way for the plaintiffs to find out more specific information about whether particular plaintiffs’ phone calls have been wiretapped. As a result, the government can violate the plaintiffs’ First and Fourth Amendment rights with impunity if they cannot ever learn enough to gain standing to challenge the surveillance.

In a recent article, The First Amendment as Criminal Procedure, 82 N.Y.U. L. Rev. 112 (2007), I examined the nature of the injury to First Amendment activities from government surveillance. I wrote:

Determining the existence of a chilling effect is complicated by the difficulty of defining and identifying deterrence. It is hard to measure the deterrence caused by a chilling effect because it is impossible to determine with certainty what people would have said or done in the absence of the government activity. Often, the primary evidence will be a person’s own assertions that she was chilled, but merely accepting such assertions at face value would allow anyone claiming a chilling effect to establish one. At the same time, demanding empirical evidence of deterrence is impractical because it will often be impossible to produce.

In other words, the chilling effect doctrine is a mess. By requiring too much specific proof of deterrence, courts can effectively make it impossible for any plaintiff to establish a chilling effect. In my article, I attempted to use First Amendment doctrines to help illuminate a more meaningful approach toward analyzing the existence of a chilling effect:



The Fourth Amendment, Email Headers, and IP Addresses

Is there a reasonable expectation of privacy in email headers and IP addresses under the Fourth Amendment? No, sayeth the 9th Circuit in US v. Forrester:

The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that the use of a pen register (a device that records numbers dialed from a phone line) does not constitute a search for Fourth Amendment purposes. According to the Court, people do not have a subjective expectation of privacy in numbers that they dial because they “realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed.” . . . . Therefore the use of a pen register is not a Fourth Amendment search. Importantly, the Court distinguished pen registers from more intrusive surveillance techniques on the ground that “pen registers do not acquire the contents of communications” but rather obtain only the addressing information associated with phone calls. . . .

Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.”

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person’s e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.

I’ve written extensively about the problematic application of Smith v. Maryland to email headers and especially IP addresses. I believe that Smith was wrongly decided, but the 9th Circuit was nevertheless bound to follow it. Accordingly, its holding that there is no reasonable expectation of privacy in email headers seems to fall within the holding of Smith. However, IP addresses present a different case. The holding in the Smith case turned on two rationales: (1) exposure of information to third parties (phone companies) eliminated one’s expectation of privacy; (2) the information was not sensitive since it didn’t involve the content of the communications. This second rationale is important, since it is an attempt to keep Smith logically consistent with Katz v. United States, 389 U.S. 347 (1967), where the Supreme Court held that a reasonable expectation of privacy exists in the contents of phone conversations. However, the contents of phone conversations, similar to the phone numbers dialed (pen register), are also accessible to the phone company. Thus, the first rationale (third party doctrine) would be inconsistent with Katz without the aid of the second rationale.

Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.

The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content. But with IP addresses, the distinction doesn’t work. In Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I wrote:

When applied to IP addresses and URLs, the envelope/content distinction becomes even more fuzzy. An IP address is a unique number that is assigned to each computer connected to the Internet. Each website, therefore, has an IP address. On the surface, a list of IP addresses is simply a list of numbers; but it is actually much more. With a complete listing of IP addresses, the government can learn quite a lot about a person because it can trace how that person surfs the Internet. The government can learn the names of stores at which a person shops, the political organizations a person finds interesting, a person’s sexual fetishes and fantasies, her health concerns, and so on.

[Therefore,] the content/envelope distinction is not always clear. In many circumstances, to adapt Marshall McLuhan, the “envelope” is the “content.” Envelope information can reveal a lot about a person’s private activities, sometimes as much (and even more) than can content information.



Piercing the Veil of Anonymous Bloggers

[Picture: The Lives of Others]

I’m delighted to be guest-blogging at Concurring Opinions, and thanks to the crew here for the invitation! I regularly blog to a much smaller audience at Info/Law (and will cross-post most of these guest appearances over there), but it will be fun to discuss a somewhat wider variety of topics here. That said, it turns out my first entry is at the heart of information regulation.

Brian Leiter notes this news story about a South Korean law which has just taken effect, requiring large web sites to obtain real names and the equivalent of Social Security numbers from everyone who posts content. He compares this approach to that taken in the US where, he says, “there exist only private remedies against Internet sociopaths and misogynistic freaks who hide behind anonymity. I suppose time will tell which is the better approach.”

Personally, I don’t need to wait for the passage of time to criticize the South Korean initiative (which has been under discussion there for some four years). Obviously, this law arises in a cultural context very different from our own, which I believe explains a good deal of the difference in approach. And it may not even be as different as it first appears. But there are principled reasons, distinct from cultural ones, to oppose a “show me your papers” internet.

First and foremost, it should be no surprise that China reportedly is looking at a similar model — as a technique to curb dissent, not just cyberbullying. (If you have seen the film The Lives of Others, pictured above — and you really should see it — you will remember how it portrayed East Germany registering typewriters.) The ability to remain anonymous protects unpopular speakers who might otherwise be unable to spread their ideas. In some countries, anonymous bloggers risk life and limb. Despite massive internet filtering by governments, blogging still provides dissidents a powerful tool. Even in more democratic countries, whistleblowers, political outsiders, and unhappy employees use anonymous blogging to avoid retribution. An outright ban on anonymity will curtail such often-useful speech.


RIAA’s Turn to Be a Defendant

Matthew Sag has convincingly argued that RIAA’s litigation war against downloaders is rational for the industry: it’s basically self-financing, as just about every defendant is too terrified of massive statutory damages to put up a fight. But the record industry’s declining fortunes may make its court victories Pyrrhic.

Moreover, a scorched earth litigation strategy against infringers is getting less viable as a few defendants fight back. For example, one litigant has found a creative way of subjecting RIAA’s tactics to public scrutiny:

Former RIAA defendant Tanya Andersen is now suing the major record labels and the RIAA for negligent and illegal investigation and prosecution. In a thirteen count civil suit filed in Oregon District Court, she alleges that record labels didn’t use properly licensed investigators and violated her privacy.

I’m still waiting for someone to bring the antitrust lawsuit that was forestalled by Bertelsmann’s purchase of Napster a few years ago. As Napster-slaying Judge Patel said of the RIAA’s distribution strategy then, “These ventures look bad, smell bad and sound bad” from an antitrust perspective.

Of course, given the lassitude of federal authorities, the antitrust case will be hard to make. But I look forward to more privacy challenges. As Sonia Katyal has argued,

recent developments in copyright law. . . have invited intellectual property owners to create extrajudicial systems of monitoring and enforcement that detect, deter, and control acts of consumer infringement. As a result, . . . intellectual property rights have been fundamentally altered—from a defensive shield into an offensively oriented type of weapon that can be used by intellectual property creators to record the activities of their consumers, and also to enforce particular standards of use and expression. . . .

If agencies fail to police these tactics, perhaps only individuals can fight for themselves. But as Bruce Schneier asks, why doesn’t the US have a privacy commissioner?

Hat Tip: BoingBoing.

Google Street View: All the World’s a Stage

Yesterday I joined the NPR “Talk of the Nation” program to discuss Google’s privacy policies. The callers were most fascinated by Google’s new “Street View” feature, which lets users “view street level shots of each block.” One said this was obviously not a privacy violation, since it only took photographs of things in public view. But others felt they should be able to go out in public and not worry about some random picture of them (say, leaving a chiropractor’s office) permanently in a Google database.

I had some sympathy for both sides, but ultimately more for the latter. I think it’s one thing when, say, a single photographer on Flickr takes a photograph of someone incidentally with no personally identifiable information. “Permissions culture” has gone to such extremes that it seems unfair to burden shutterbugs with obligations to get clearances from anyone they shoot–and even in this case, there are some limits internationally (“In Québec, a teenage girl successfully sued a photographer for $8,000 after he took her picture without her knowledge, even though she was sitting on the front steps of a public building.”).

But the case of a Google or Yahoo!, with immense, cross-checkable databases, is another matter altogether. We know that government has sought extensive access to these databases. Face recognition technology may reach a point where any image can be traced back to a name or number. I think it safe to assume that just about any surveillance technology applied by the private sector can eventually be coopted by the government if a security threat becomes pressing.

So should we cheer on claims like “intrusion upon seclusion” against Google Street View? I’m not willing to say that, because we have yet to see exactly how it’s being used. (Sadly, we may never get that information from Google, because the company may call it a trade secret.) But I do hope for two things:

1) A realization that technology like this is not simply a product of Google, but can be put to many ends by a security apparatus willing to force corporations to ignore existing privacy laws. We may well want to go in the direction of London’s CCTV, but we should have some architecture for regulating that transition. Someone has to be able to watch the watchers.

2) Some reflection on the types of public activity that are likely to decline when “all the world’s a stage.” Sure, we can catch people robbing banks more easily (or exiting strip clubs); but what happens to protest? Will people think twice about going to an anti-war demonstration if they know the whole thing will be captured, forever, by entities unaccountable to them? On a less political level, will everyday life become more and more a “new American performing reality?” Perhaps Goffman’s idea of the “stage” is about to be extended to every public street in America.


Data Mining and the Security-Liberty Debate

I’ve written a short essay (about 20 pages), entitled Data Mining and the Security-Liberty Debate, for an upcoming symposium on surveillance for the U. Chicago Law Review. The symposium website is here. The symposium looks to be a terrific event. The event will be held on June 15-16, 2007 (registration information is available at the symposium website). Besides myself, participants include Julie Cohen, Ronald Lee, Ira Rubenstein, Ken Bamberger, Deirdre Mulligan, Timothy Muris, Lior Strahilevitz, Anita Allen, Thomas Brown, Richard A. Epstein, Orin Kerr, Patricia Bellia, Richard A. Posner, Paul Schwartz, and Chris Slobogin.

My paper can be downloaded at the symposium website or at this SSRN link. In the essay, I take on some common arguments about data mining and the debate between security and liberty.

In particular, I critique arguments by Richard Posner, William Stuntz, and a provocative new book by Eric Posner and Adrian Vermeule called Terror in the Balance: Security, Liberty, and the Courts. Posner and Vermeule argue that in times of crisis, courts and legislatures should defer to the executive on issues of national security. I spend a considerable part of my essay critiquing their argument.

The essay’s abstract:

In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government’s assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining’s security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.


Enforcing the Surveillance Laws

As many of the recent revelations of government surveillance and information gathering are revealing, government agencies such as the FBI and NSA are violating the law. Recently, the DOJ investigation into the FBI’s use of NSLs reveals many violations of law. So where are the penalties?

In the latest surveillance scandal, the FBI says that it is sorry. According to the New York Times:

Mr. Mueller embraced responsibility for the lapses, detailed in a report by the inspector general of the Justice Department, and promised to do everything he could to avoid repeating them. . . .

Mr. Mueller left open the possibility that some F.B.I. employees might be disciplined for their errors involving national security letters. In response to a question, he said there had been “no discussion” on whether he should step down.

One of the problems with the law is that it doesn’t say much with regard to penalties for NSLs. When the FBI contravenes the law, is the only sanction that they must apologize, appear contrite, and say that they might possibly discipline a few folks? The law provides extraordinary powers to the FBI when it comes to NSLs, and these are issued in tense situations of national security, so it is predictable that overzealousness and abuses might occur. That’s why the law needs to be more than a guideline. It needs enforcement teeth.

Another interesting aspect of the NSL provision in the Electronic Communications Privacy Act, 18 U.S.C. § 2709, is that it doesn’t appear to specify any penalties for Internet Service Providers that don’t comply. The statute says that an ISP “shall comply” with an NSL and it imposes a gag order. But what’s the penalty for not complying? The statute doesn’t appear to specify one. Does anybody know what the penalty is?


National Security Letter Violations by the FBI

According to a DOJ investigation, the FBI has violated the law on several occasions in connection with the issuance of National Security Letters (NSLs). An NSL is a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals. They do not require probable cause, a warrant, or even judicial oversight. They also come with a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued. Compliance is mandatory.

There are several NSL provisions in various federal statutes: (1) Electronic Communications Privacy Act, 18 U.S.C. § 2709 (FBI can compel communications companies to disclose customer information); (2) Right to Financial Privacy Act, 12 U.S.C. § 3414(a)(5) (FBI can compel financial institutions to disclose customer information); (3) Fair Credit Reporting Act, 15 U.S.C. § 1681u (FBI can compel credit reporting agencies to disclose records on individuals).

According to the Washington Post:

A Justice Department investigation has found pervasive errors in the FBI’s use of its power to secretly demand telephone, e-mail and financial records in national security cases, officials with access to the report said yesterday.

The inspector general’s audit found 22 possible breaches of internal FBI and Justice Department regulations — some of which were potential violations of law — in a sampling of 293 “national security letters.” The letters were used by the FBI to obtain the personal records of U.S. residents or visitors between 2003 and 2005. The FBI identified 26 potential violations in other cases.

The study revealed a range of errors:



Best and Worst Internet Laws

[Preface: I’ve already overstayed my guest visit, but before I go, I want to say thanks to the Concurring Opinions team for the opportunity to blog here, and thanks to all of you for the great comments and stimulating dialogue. A complete index of my guest blog posts. Meanwhile, I’ll keep blogging on technology and marketing law at my main blog and on all other topics at my personal blog. Hope to see you there!]

Over the past dozen years, the lure of regulating the Internet has proven irresistible to legislators. For example, in the 109th Congress, almost 1,100 introduced bills referenced the word “Internet.” This legislative activity doesn’t always come to fruition. Still, in total, hundreds of Internet laws have been passed by Congress and the states. This body of work is now large enough that we can identify some winners and losers. So in the spirit of good fun, I offer an opinionated list of my personal votes for the best and worst Internet statutes in the United States.

[Keep reading for the list]



Hewlett Packard Pays for Privacy . . . and Copyright?

Hewlett Packard has agreed to pay $14.5 million to resolve a lawsuit by the California attorney general over its phone records scandal. From the New York Times:

Hewlett-Packard said Thursday that it would pay $14.5 million to settle a lawsuit by the California attorney general over the company’s use of private detectives to obtain private phone records of board members and journalists.

The company is paying $650,000 in fines for “statutory damages,” but the bulk of the money, $13.5 million, is going to create a state-administered Privacy and Piracy Fund. The fund is to finance the investigation of consumer privacy violations and of intellectual-property theft, including the copying of movies and music.

“We wanted very much to enhance our ability to enforce our laws against property theft,” Bill Lockyer, the attorney general, said in an interview.

From the article, it sounds as though most of the money will go to helping the state help businesses police copyright. The purpose of the settled lawsuit was purportedly to protect privacy, and I am perplexed at how protecting against copyright piracy suddenly became an aspect of the settlement. I sure hope that the fund from the settlement is mostly used to protect consumer privacy, not as one more arrow in the music and movie industry’s copyright quiver.

For more about the HP scandal, see this terrific post by guest blogger Timothy Glynn.