Site Meter

Category: Privacy (Electronic Surveillance)

20

The NSA Phone Call Database: The European Perspective

Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.

Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.

A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.

Read More

106

Is There a Good Response to the “Nothing to Hide” Argument?

skeleton-in-closet.jpgOne of the most common attitudes of those unconcerned about government surveillance or privacy invasions is “I’ve got nothing to hide.” I was talking the issue over one day with a few colleagues in my field, and we all agreed that thus far, those emphasizing the value of privacy had not been able to articulate an answer to the “nothing to hide” argument that would really register with people in the general public. In a thoughtful essay in Wired (cross posted at his blog), Bruce Schneier seeks to develop a response to this argument:

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

As a pragmatist, I’m generally unconvinced by inherent rights talk. But Schneier goes on to discuss a reason for restricting government surveillance that I do agree with — ensuring that government power is appropriately checked, monitored, and limited from potential abuse.

Another argument is that if you look hard enough at someone’s life, in the words of playwright Friedrich Durrenmatt, “a crime can always be found.” With the infinite tangle of criminal laws in this country, Durrenmatt’s line might belong in a work of non-fiction rather than fiction. But this response gets back to Schneier’s objection that we shouldn’t focus on privacy as protection to hide wrongdoing.

Read More

1

New Casebook (Privacy, Information, and Technology)

Spinoff Cover 2e.jpgApologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 to 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book’s contents is after the fold.

Read More

0

The Technicalities and Complexities of Electronic Surveillance Law

NSA3.jpgCurrently, there’s a debate raging about whether the phone companies violated the law when they supplied phone call records to the NSA. Orin Kerr opines:

The Stored Communications Act, 18 U.S.C. 2701-11, only regulates two kinds of providers: providers of electronic communication service and providers of remote computing service. Everyone agrees that the telephone companies are not acting as providers of remote computing service, so if they are liable they must be acting as providers of electronic communication service. . . .

A local telephone company is clearly a provider of electronic communication service: it literally provides users the ability to send or receive telephone calls. But is a company that only provides long distance service a provider of electronic communication service?

Maybe, but I’m not entirely sure. I don’t know much about how modern telephone networks work, but I am guessing that local carriers carry the first part of the call. In the case of a long-distance call, I assume that the long-distance carrier picks up the call at some point from the local carrier, and sends it to the local carrier at the receiving end of the call. If that’s right, I’m not entirely sure the long-distance carrier is a provider of electronic communications service.

I can see arguments on both sides. . . .

This debate gets to one of the major problems with electronic surveillance law. In my article, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I observed:

Electronic surveillance law has not kept pace with the staggering growth of technology. As discussed earlier, the law currently makes antiquated distinctions that often do not protect what is most important. Electronic surveillance law has lagged behind technological developments and has not been responsive to new surveillance technologies. . . .

Despite . . . dramatic changes since the passage of [The Electronic Communications Privacy Act ("ECPA") which includes the Stored Communications Act under its umbrella] in 1986, Congress has failed to engage in a major revision of the law [except for some smaller changes here and there, the most notable of which was the USA-Patriot Act]. Under this state of affairs, law enforcement cleverly employs new technologies to try to avoid triggering ECPA. Often, these technologies are quite invasive, but the debate seems to turn on technicalities—whether the surveillance fits into ECPA’s framework. This invites a technological rat race, in which law enforcement uses new technologies designed to fit within ECPA’s less stringent provisions or to fall entirely outside of ECPA’s scope. . . .

Lost amid the labyrinthian task of applying ECPA’s complex provisions is the question of whether new technologies contravene the appropriate balance between effective law enforcement and privacy. . . .

Read More

7

Kerr’s Legal Analysis of the NSA’s Phone Records Program

I was planning to do some analysis of the legality of the NSA’s phone records program, but Orin Kerr has already accomplished it. His posts are terrific and are essential reading:

* Thoughts on the Legality of the Latest NSA Surveillance Program

* More Thoughts on the Legality of the NSA Call Records Program

In the latter post, Kerr analyzes whether the telephone companies violated the Stored Communications Act, 18 U.S.C. 2702. Section 2702(a)(3) prohibits phone companies from knowingly divulging customer records to any governmental entity. Kerr notes that the most relevant possible exception to this restriction is 18 U.S.C. 2702(c)(4), as amended by the Patriot Act renewal of 2006, which allows disclosure to “a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” Kerr notes:

The language that passed as part of the Patriot Act in 2001 allowed disclosure only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don’t know of a reason to think that they had a reasonable belief of “immediate” danger. If this was a program ongoing for several years, then it’s hard to say that there was a continuing reasonable belief of immediate danger over that entire time.

Kerr also explains that the Patriot Act renewal earlier this year made a few tweaks to this exception:

The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an “immediate” danger. I wouldn’t be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program.”

Much more at Kerr’s posts.

UPDATE: Marty Lederman also has some excellent analysis that’s definitely worth reading.

0

The NSA’s Phone Call Database

phone1a.jpgUSA Today reports:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren’t suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

“It’s the largest database ever assembled in the world,” said one person, who, like the others who agreed to talk about the NSA’s activities, declined to be identified by name or affiliation. The agency’s goal is “to create a database of every call ever made” within the nation’s borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.

The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said.

More information is contained in this companion article at USA Today.

Wow!

UPDATE: Orin Kerr offers up a thoughtful analysis of the legality of this program here.

3

Electronic Surveillance Statistics for 2005

wiretap2.jpgThe Department of Justice (DOJ) has released its annual report on the number of Foreign Intelligence Surveillance Act (FISA) orders, Wiretap Act orders, and National Security Letters issued in 2005.

For FISA surveillance orders, 2072 applications were made to the FISA court; none were denied. Over the past few years, the number of orders has been steadily increasing:

2005 — 2072 applications approved

2004 — 1758 applications approved

2003 — 1724 applications approved

2002 — 1228 applications approved

2001 — 934 applications approved

2000 — 1012 applications approved

1999 — 880 applications approved

In all, only 4 applications have ever been denied. More statistics are on EPIC’s FISA statistics page.

One wonders what the statisics would have been had the Bush Administration properly gone to the FISA court instead of engaging in secret wiretapping by the NSA.

In 2005, according to the Administrative Office of the United States Courts, there were 1773 wiretap orders issued by courts under the Wiretap Act. In 2004, there were 1710 wiretap orders issued.

For the first time, statistics were released on the use of National Security Letters. According to the DOJ report:

Read More

18

Get High (and Identified) With a Little Help From Your Friends

colorado-student3a.jpgIt’s time to modernize the lyrics to some old Beatles songs. The University of Colorado police are using a website to post surveillance photos of students and other individuals it wants to identify for smoking pot on Farrand Field. Apparently, there’s a tradition at the University of Colorado for students to spoke pot on Farrand Field on April 20th of each year. According to the Rocky Mountain News:

University of Colorado police have posted pictures of 150 people on a website smoking pot on the “420″ day celebration last week and are offering a $50 reward for anyone who can identify them.

Police spokesman Lt. Tim McGraw said they received more than 50 calls within the first hours of posting the pictures online Thursday afternoon. He said police were in the process of confirming the tips today.

According to the website:

The University is offering a reward for the identification of any of the individuals pictured below. After reviewing the photos (click on a photo for a larger image), you may claim the reward by following the directions below:

1. Contact the UCPD Operations section at (303) 492-8168

2. Provide the photo number and as much information as you have about the individual.

3. Provide your name and contact information.

4. If the identity is verified to be correct, you will be paid a $50 reward for every person identified.

5. The reward will be paid to the first caller who identifies a person below, multiple rewards will not be paid for individuals listed below.

Is this just good police work? After all, if a person is caught on camera doing a wrongful act, the police can certainly go around and ask people to identify that person. What’s wrong with doing it via a website? One problem is that the website disseminates permanent images of people smoking pot on the Internet. It forever memorializes a person’s youthful infractions to the world. Is such a police investigation tactic problematic or just efficient?

Read More

3

CCTV in NYC

cctv1a.jpgThere’s a new British import to America, and sadly, it isn’t a rock band. It’s CCTV. In many of Britain’s cities, there is an elaborate network of thousands of surveillance cameras monitored through closed circuit television (CCTV). According to estimates, there are about 4 million surveillance cameras in Britain and a citizen is caught on surveillance camera about 300 times per day.

The AP reports that NYC is starting to install hundreds of surveillance cameras in an effort to mimic Britain’s CCTV. According to the AP:

[The] program [will] place 500 cameras throughout the city at a cost of $9 million. Hundreds of additional cameras could follow if the city receives $81.5 million in federal grants it has requested to safeguard Lower Manhattan and parts of midtown with a surveillance “ring of steel” modeled after security measures in London’s financial district.

Officials of the New York Police Department — which considers itself at the forefront of counterterrorism since the Sept. 11, 2001, attacks — claim the money would be well-spent, especially since the revelations that al-Qaida members once cased the New York Stock Exchange and other financial institutions. . . .

The city already has about 1,000 cameras in the subways, with 2,100 scheduled to be in place by 2008. An additional 3,100 cameras monitor city housing projects.

New York’s approach isn’t unique. Chicago spent roughly $5 million on a 2,000-camera system. Homeland Security officials in Washington plan to spend $9.8 million for surveillance cameras and sensors on a rail line near the Capitol. And Philadelphia has increasingly relied on video surveillance.

The problem with such surveillance measures is that they are implemented without considering all of the issues. How will people be monitored? What procedures will be put in place to ensure that minorities will not be unfairly singled out? How long will the surveillance video be kept? How will it be analyzed? Who will get to see the video? How will the video be protected against leaks to the media? How will we prvent abuses by government officials? What procedures will be established to ensure that the surveillance is being done properly and not to deter lawful political protest? How do we prevent mission creep — the data being used for all sorts of different purposes down the road?

Read More

0

Every breath you take, every call you make, I’ll be watching you.

Has your cell phone been out of your sight for more than five minutes? Someone may be tracking you on it, right now. A chilling investigation from the Guardian (via Don’t Let’s Start) shows how easy cell-phone stalking has become:

For the past week I’ve been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I’m going to tell you how I did it. . . . First I had to get hold of her phone. . . . I only needed it for five minutes.

And as the article notes, existing methods of tracking are just the tip of the iceberg. Scary!