Category: Privacy (Electronic Surveillance)

23

Template for News Stories on Government Data Gathering

surveillance3.jpgNSA warrantless wiretaps. NSA collection of phone records. CIA gathering of financial records.

The stories are endless. To help out reporters, I thought I’d just write a quick and easy template to make reporting a little bit easier. So here it is:

Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens.

“This program is a vital tool in the fight against terrorism,” [Bush Administration official] said. “Without it, we would be dangerously unsafe, and the terrorists would have probably killed you and every other American citizen.” The Bush Administration stated that the revelation of this program has severely compromised national security.

“This program is a threat to privacy and civil liberties,” [name of privacy advocate] said. But [name of spokesperson for Bush Administration] said: “This is a very limited program. It only contains detailed records about every American citizen. That’s all. It does not compromise civil liberties. We have a series of procedures in place to protect liberty.”

“We’re not trolling through the personal data of Americans,” Bush said, “we’re just looking at all of their records.”

The [name of statute] regulates [type of record] and typically requires a [type of court order]. Although the [name of agency] did not obtain a [type of court order], the Bush Administration contends that the progam is “totally legal.” According to the Attorney General, “we can [do whatever we did or want to do]. The program is part of the President’s emergency war powers.”

20

The NSA Phone Call Database: The European Perspective

Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.

Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.

A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.

Read More

106

Is There a Good Response to the “Nothing to Hide” Argument?

skeleton-in-closet.jpgOne of the most common attitudes of those unconcerned about government surveillance or privacy invasions is “I’ve got nothing to hide.” I was talking the issue over one day with a few colleagues in my field, and we all agreed that thus far, those emphasizing the value of privacy had not been able to articulate an answer to the “nothing to hide” argument that would really register with people in the general public. In a thoughtful essay in Wired (cross posted at his blog), Bruce Schneier seeks to develop a response to this argument:

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

As a pragmatist, I’m generally unconvinced by inherent rights talk. But Schneier goes on to discuss a reason for restricting government surveillance that I do agree with — ensuring that government power is appropriately checked, monitored, and limited from potential abuse.

Another argument is that if you look hard enough at someone’s life, in the words of playwright Friedrich Durrenmatt, “a crime can always be found.” With the infinite tangle of criminal laws in this country, Durrenmatt’s line might belong in a work of non-fiction rather than fiction. But this response gets back to Schneier’s objection that we shouldn’t focus on privacy as protection to hide wrongdoing.

Read More

1

New Casebook (Privacy, Information, and Technology)

Spinoff Cover 2e.jpgApologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 to 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book’s contents is after the fold.

Read More

0

The Technicalities and Complexities of Electronic Surveillance Law

NSA3.jpgCurrently, there’s a debate raging about whether the phone companies violated the law when they supplied phone call records to the NSA. Orin Kerr opines:

The Stored Communications Act, 18 U.S.C. 2701-11, only regulates two kinds of providers: providers of electronic communication service and providers of remote computing service. Everyone agrees that the telephone companies are not acting as providers of remote computing service, so if they are liable they must be acting as providers of electronic communication service. . . .

A local telephone company is clearly a provider of electronic communication service: it literally provides users the ability to send or receive telephone calls. But is a company that only provides long distance service a provider of electronic communication service?

Maybe, but I’m not entirely sure. I don’t know much about how modern telephone networks work, but I am guessing that local carriers carry the first part of the call. In the case of a long-distance call, I assume that the long-distance carrier picks up the call at some point from the local carrier, and sends it to the local carrier at the receiving end of the call. If that’s right, I’m not entirely sure the long-distance carrier is a provider of electronic communications service.

I can see arguments on both sides. . . .

This debate gets to one of the major problems with electronic surveillance law. In my article, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I observed:

Electronic surveillance law has not kept pace with the staggering growth of technology. As discussed earlier, the law currently makes antiquated distinctions that often do not protect what is most important. Electronic surveillance law has lagged behind technological developments and has not been responsive to new surveillance technologies. . . .

Despite . . . dramatic changes since the passage of [The Electronic Communications Privacy Act (“ECPA”) which includes the Stored Communications Act under its umbrella] in 1986, Congress has failed to engage in a major revision of the law [except for some smaller changes here and there, the most notable of which was the USA-Patriot Act]. Under this state of affairs, law enforcement cleverly employs new technologies to try to avoid triggering ECPA. Often, these technologies are quite invasive, but the debate seems to turn on technicalities—whether the surveillance fits into ECPA’s framework. This invites a technological rat race, in which law enforcement uses new technologies designed to fit within ECPA’s less stringent provisions or to fall entirely outside of ECPA’s scope. . . .

Lost amid the labyrinthian task of applying ECPA’s complex provisions is the question of whether new technologies contravene the appropriate balance between effective law enforcement and privacy. . . .

Read More

7

Kerr’s Legal Analysis of the NSA’s Phone Records Program

I was planning to do some analysis of the legality of the NSA’s phone records program, but Orin Kerr has already accomplished it. His posts are terrific and are essential reading:

* Thoughts on the Legality of the Latest NSA Surveillance Program

* More Thoughts on the Legality of the NSA Call Records Program

In the latter post, Kerr analyzes whether the telephone companies violated the Stored Communications Act, 18 U.S.C. 2702. Section 2702(a)(3) prohibits phone companies from knowingly divulging customer records to any governmental entity. Kerr notes that the most relevant possible exception to this restriction is 18 U.S.C. 2702(c)(4), as amended by the Patriot Act renewal of 2006, which allows disclosure to “a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” Kerr notes:

The language that passed as part of the Patriot Act in 2001 allowed disclosure only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don’t know of a reason to think that they had a reasonable belief of “immediate” danger. If this was a program ongoing for several years, then it’s hard to say that there was a continuing reasonable belief of immediate danger over that entire time.

Kerr also explains that the Patriot Act renewal earlier this year made a few tweaks to this exception:

The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an “immediate” danger. I wouldn’t be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program.”

Much more at Kerr’s posts.

UPDATE: Marty Lederman also has some excellent analysis that’s definitely worth reading.

0

The NSA’s Phone Call Database

phone1a.jpgUSA Today reports:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren’t suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

“It’s the largest database ever assembled in the world,” said one person, who, like the others who agreed to talk about the NSA’s activities, declined to be identified by name or affiliation. The agency’s goal is “to create a database of every call ever made” within the nation’s borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.

The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said.

More information is contained in this companion article at USA Today.

Wow!

UPDATE: Orin Kerr offers up a thoughtful analysis of the legality of this program here.

3

Electronic Surveillance Statistics for 2005

wiretap2.jpgThe Department of Justice (DOJ) has released its annual report on the number of Foreign Intelligence Surveillance Act (FISA) orders, Wiretap Act orders, and National Security Letters issued in 2005.

For FISA surveillance orders, 2072 applications were made to the FISA court; none were denied. Over the past few years, the number of orders has been steadily increasing:

2005 — 2072 applications approved

2004 — 1758 applications approved

2003 — 1724 applications approved

2002 — 1228 applications approved

2001 — 934 applications approved

2000 — 1012 applications approved

1999 — 880 applications approved

In all, only 4 applications have ever been denied. More statistics are on EPIC’s FISA statistics page.

One wonders what the statisics would have been had the Bush Administration properly gone to the FISA court instead of engaging in secret wiretapping by the NSA.

In 2005, according to the Administrative Office of the United States Courts, there were 1773 wiretap orders issued by courts under the Wiretap Act. In 2004, there were 1710 wiretap orders issued.

For the first time, statistics were released on the use of National Security Letters. According to the DOJ report:

Read More