NSA Surveillance Song

For some NSA surveillance humor, check out this animated song, adapted from Stevie Wonder's "I Just Called to Say I Love You."

Posted by Daniel J. Solove at 09:48 PM | Comments (1) | TrackBack

The NSA Bill in the Mainstream Media vs. the Blogosphere

In reading the mainstream media accounts, one would get the impression that Senator Specter's NSA surveillance bill is a compromise with the Administration, a way to limit Executive power, and that the Administration is reluctantly capitulating to judicial oversight.

New York Times: "Bush Would Let Secret Court Sift Wiretap Process." The article states that the "proposed legislation represents a middle-ground approach."

Reuters: "Bush agrees to court review of spy program"

LA Times: "Bush Agrees to Review of Domestic Spying Program: The tentative proposal would let a secret court decide whether the NSA can eavesdrop on Americans without first obtaining warrants."

Associated Press: "Bush Agrees to Eavesdropping Court Review"

Washington Post: "Bush Compromises On Spying Program: Senate Bill Would Permit Court Review"

How can it be that they all seem to have almost identical news stories? Did they all get together to write the same story? The content of these stories is quite similar -- they all seem to be based largely on interviews with Specter and his staff. Occasionally, there's a quick soundbite from Senators Leahy or Feingold, but by and large, the mainstream media accounts are remarkably the same. It is as if Senator Specter and the Bush Administration's PR team had written the stories.

The articles barely contain a whiff of what the blogosphere contains, which paints a very different picture of Specter's bill.

Orin Kerr: "Maybe I’m missing something, but my sense is that it largely tracks the David Addington/John Yoo approach to Article II; that is, it would have Congress back away from the claims to authority that Congress made in 1978 that the Administration has suggested it believes are unconstitutional because they infringe on the Commander-in-Chief power."

Marty Lederman: "So what does Specter do in the wake of the momentous Hamdan decision, which put all the cards in Congress's hands? He introduces a bill, with Administration blessing, that gives the Administration everything it ever wanted, and much, much more. Indeed, come to think of it, the Specter bill is basically the sort of legislation one would expect if the Supreme Court had just held that Congress is powerless to enact legislation constraining the President's "inherent" war powers -- something that not a single Justice in Hamdan so much as suggested."

Steve Vladeck: "The bill is remarkable in a number of respects, including that it does not require the President to submit the [NSA surveillance program] to the FISA Court, but does require transfer of a whole host of other actions to the FISA Court, where proceedings are ex parte and often secret."

Hmmm. So the Bush Administration agrees to do what the law already requires it to do. It's like a bank robber agreeing to set up a legitimate bank account. But what's more, the bill doesn't even require the Administration to go to the FISA court; and it gives the Administration a ton of new powers. To return to the bank robber analogy, it's like authorizing the robber to continue to steal if he wants to; and providing him with a special entrance to the bank and a personal set of keys to the vault.

Of course, the mainstream media need not be as extreme as I am in describing the bill, but perhaps just a tiny bit of balance might be in order. At least provide a more complete account of the bill, not one that comes with the incredible spin that Specter and the Administration have put on it. Perhaps consult an independent expert or two. I thought the media's job is to do some independent reporting, not just copy down what they've been told. I guess I was wrong.

Posted by Daniel J. Solove at 01:59 PM | Comments (5) | TrackBack

Jack Balkin on the NSA Bill

Jack Balkin has some insightful analysis of the Senator Specter's NSA Bill over at Balkinization:

In short, if this bill is passed in its present form, it would seem to give the Executive everything it could possibly dream of-- a lax method of oversight and the possibility of ignoring that oversight whenever the President chooses. The NSA can (1) engage in ongoing electronic surveillance within FISA with indefinite 90 day renewals, (2) engage in electronic surveillance without even seeking a court order for a year, and finally (3) under section 801, engage in electronic surveillance outside of FISA under the President's constitutional authority to collect foreign intelligence surveillance.

Barely two weeks after Hamdan, which appeared to be the most important separation of powers decision in our generation, the Executive is about to get back everything it lost in that decision, and more. In Hamdan, the Supreme Court gave the ball to Congress, hoping for a bit of oversight, and Senator Specter has just punted.

No wonder why the Bush Administration is willing to "compromise" and support this bill -- it's easy to compromise when you get everything you want.

Is it better to have the Administration flaunting the rule of law while a few in Congress groan? Or is it better to simply change the law to suit whatever the Administration wants to do? The latter has the appearance of legitimacy, but it makes a mockery of the issue. The penalty for the Executive's violating the law and overreaching in its powers shouldn't be to get more power, especially not raw power cloaked under the illusion of legitimacy.

Jack Balkin has much more analysis in his excellent post. The text of the bill is available here. A summary of the bill is available here.

Orin Kerr and Marty Lederman also weigh in.

UPDATE: Orin Kerr has a new insightful post here.

Posted by Daniel J. Solove at 10:28 AM | Comments (0) | TrackBack

There Goes the Times Again

The paper of record has published the locations of several key terrorist targets in the United States. Will they never learn? We're at war! The Mule Day Parade, the Sweetwater Flea Market, and the “Beach at End of a Street” are all in jeopardy now. As the Snidely-Whiplash-type Cuban terrorist says in Invasion: USA, "They make it so easy."

Posted by Bruce Boyden at 12:42 PM | Comments (1) | TrackBack

The AUMF and The Road Not Taken.

I'm reading Ron Suskind's "The One Percent Doctrine." I haven't gotten too far, but my eyebrows definitely went up when I read that the draft of the Authorization for the Use of Military Force that administration lawyers submitted to Congress just after the September 11 attacks would have authorized the President to use all necessary and appropriate military force even within the United States in order to prevent future attacks. The language about domestic deployment of military force didn't make the final cut in Congress.

Posted by Eric Muller at 03:16 PM | Comments (3) | TrackBack

Hamdan, Endo, Disarray, and Arrogance

In this NYTimes article on hesitations about legislation to establish military tribunals, this passage stood out:

Until now, the White House and particularly Vice President Dick Cheney had been dead set against working with Congress on issues involving the detainees, against the advice of some Republicans and some administration lawyers. By waiting until the court forced the issue, the White House may have made its task more difficult, leaving Mr. Bush with less support in Congress than he had after the attacks of Sept. 11.

I am reminded of the discussions within the Roosevelt Administration (the War Department, the Justice Department, the Department of the Interior, and to a lesser extent the President himself) during the summer and fall of 1944 as they awaited the Supreme Court's decision in Ex parte Endo.

The Endo decision came on December 18, 1944; it declared illegal the continued detention of loyal Japanese Americans in the eight "relocation centers" that the War Relocation Authority was operating at that time.

What's interesting to me is that the Administration spent the summer and fall of '44 preparing for the possibility of an adverse outcome in Endo. Felix Frankfurter tipped the Administration off that the decision was coming on the 18th; this enabled the Administration to preempt the Supreme Court's decision by announcing on the 17th of December that it would be bringing the detention and exclusion of Japanese Americans from the West Coast to an end. It had a plan in place to end the mass exclusion of Japanese Americans and to replace it with a system of targeted individual exclusions of those it deemed especially dangerous.

Compare this to the disarray in Washington over the last couple of days.

It's quite obvious to me that this Administration just could not bring itself to believe and plan effectively for the possibility that it might lose the Hamdan case, and lose it big.

Why am I not surprised?

Posted by Eric Muller at 04:07 PM | Comments (6) | TrackBack

Template for News Stories on Government Data Gathering

NSA warrantless wiretaps. NSA collection of phone records. CIA gathering of financial records.

The stories are endless. To help out reporters, I thought I'd just write a quick and easy template to make reporting a little bit easier. So here it is:

Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens.

"This program is a vital tool in the fight against terrorism," [Bush Administration official] said. "Without it, we would be dangerously unsafe, and the terrorists would have probably killed you and every other American citizen." The Bush Administration stated that the revelation of this program has severely compromised national security.

"This program is a threat to privacy and civil liberties," [name of privacy advocate] said. But [name of spokesperson for Bush Administration] said: "This is a very limited program. It only contains detailed records about every American citizen. That's all. It does not compromise civil liberties. We have a series of procedures in place to protect liberty."

"We're not trolling through the personal data of Americans," Bush said, "we're just looking at all of their records."

The [name of statute] regulates [type of record] and typically requires a [type of court order]. Although the [name of agency] did not obtain a [type of court order], the Bush Administration contends that the progam is "totally legal." According to the Attorney General, "we can [do whatever we did or want to do]. The program is part of the President's emergency war powers."

Posted by Daniel J. Solove at 01:32 PM | Comments (22) | TrackBack

Massive Government Data Mining of Financial Records

Apparently, warrantless wiretapping and gathering of phone call records just aren't enough to quench the Bush Administration's thirst for data. Now we learn that the government has gathered massive quantities of financial records. The New York Times reports:

Under a secret Bush administration program initiated weeks after the Sept. 11 attacks, counterterrorism officials have gained access to financial records from a vast international database and examined banking transactions involving thousands of Americans and others in the United States, according to government and industry officials.

The program is limited, government officials say, to tracing transactions of people suspected of having ties to Al Qaeda by reviewing records from the nerve center of the global banking industry, a Belgian cooperative that routes about $6 trillion daily between banks, brokerages, stock exchanges and other institutions. The records mostly involve wire transfers and other methods of moving money overseas and into and out of the United States. Most routine financial transactions confined to this country are not in the database.

Viewed by the Bush administration as a vital tool, the program has played a hidden role in domestic and foreign terrorism investigations since 2001 and helped in the capture of the most wanted Qaeda figure in Southeast Asia, the officials said.

The program, run out of the Central Intelligence Agency and overseen by the Treasury Department, "has provided us with a unique and powerful window into the operations of terrorist networks and is, without doubt, a legal and proper use of our authorities," Stuart Levey, an under secretary at the Treasury Department, said in an interview on Thursday.

The program is grounded in part on the president's emergency economic powers, Mr. Levey said, and multiple safeguards have been imposed to protect against any unwarranted searches of Americans' records. . . .

That access to large amounts of confidential data was highly unusual, several officials said, and stirred concerns inside the administration about legal and privacy issues.

"The capability here is awesome or, depending on where you're sitting, troubling," said one former senior counterterrorism official who considers the program valuable. While tight controls are in place, the official added, "the potential for abuse is enormous."

Posted by Daniel J. Solove at 01:18 PM | Comments (6) | TrackBack

Issei Internment and the Turkmen Opinion: The Shoe Does Fit.

I blogged yesterday about Judge Gleeson's decision in Turkmen v. Ashcroft, permitting the Executive to single out certain illegal aliens for prolonged and unreviewed detention on the basis of race or national origin. I suggested that Judge Gleeson framed his opinion in a way that would support the multi-year incarceration of the Issei in World War II -- a racial internment for which the Congress apologized and offered reparations in the Civil Liberties Act of 1988.

My comparison to the internment of the Issei has led some to cry foul. The claim is that because the Turkmen ruling applies only to illegal aliens, and the Issei were legal resident aliens, the analogy to the Issei internment is inapt, even scandalous.

Not so. The Issei were legal resident aliens until December 7, 1941 -- but after that date they were also enemy aliens, over whom the President, by statute, had as complete a power as is imaginable. The Alien Enemy Act (50 U.S.C. sec. 21) gave FDR the power to arrest, detain, and deport aliens of countries with which the U.S. was at war, under rules of his own making, without (or virtually without) judicial review.

Attorney General Francis Biddle decided to offer hearings to individuals arrested as enemy aliens after Pearl Harbor, even though the Alien Enemy Act did not formally require this. But in administering the system of hearings, the government engaged in stark racial discrimination. The government selectively arrested certain German and Italian aliens, and gave them hearings. (These hearings were not models of fairness, it must be noted. But they were hearings of a sort.) The government detained the Issei en masse, and offered hearings to almost none of them -- just a very small subset of a couple of thousand who were arrested immediately after Pearl Harbor.

It was this racial selectivity in enforcement -- even as to enemy aliens -- that led the Congress to apologize and pay reparations in 1988.

And it is just this sort of racial selectivity in enforcement that Judge Gleeson's opinion in Turkmen permits.

UPDATE: David Cole, one of the Turkmen plaintiffs' attorneys, draws the parallel with the Issei internment in this piece, "Manzanar Redux," in today's Los Angeles Times.

Posted by Eric Muller at 08:24 AM | Comments (0) | TrackBack

Canada's Balance

Do the recent arrests of suspected terrorists in Canada show that the country has struck the right balance between security and civil liberties?

A New York Times article suggests that requiring the police in Canada to obtain a warrant before conducting surveillance and covert searches was conducive to thwarting the terrorist plot. The article quotes Mike McDonell, assistant commissioner of the Royal Canadian Mounted Police: "I never sought greater authority to conduct monitoring and surveillance, and I don't expect to be asking for any more now." A scholar is also quoted as saying that Canada doesn't need broader government surveillance of the N.S.A. variety.

(While the article reports that the Canadian Security Establishment is permitted to intercept foreign communications upon authorization by the Minister of Defense (but without the need for a judicial warrant), the article suggests that the CSE was not involved in the recent terrorist arrests.)

It's easy to say you've struck the right balance when you work within the law and manage to stop a terrorist cell. I'm not sure, though, that that's the best basis for assessing whether we've struck the right balance between security and liberty. If the terrorists in Canada had succeeded in blowing up buildings and people, would we conclude that the Canadian balance was wrong and needed to be readjusted?

The right balance between security and liberty might allow for some failures, i.e. some acts of terrorism that don't get stopped, because stopping them would involve too great a limit on liberty. On the other hand, the right balance might be security measures and restrictions on civil liberty greater than necessary (as measured by the number of actual terrorist incidents) because we'd rather err on the side of caution.

Posted by Jason Mazzone at 08:52 PM | Comments (0) | TrackBack

European Court of Justice Strikes EU-US Agreement on PNR Data

The European Court of Justice dealt a blow yesterday to European Union and U.S. policymakers, with two important judgments on privacy and transatlantic relations. Back in 2004, the European Union and the United States signed an agreement guaranteeing the privacy of European airline passenger data when that data was transferred to the U.S. government. In European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities, the Court of Justice found that the Europeans did not have the power, under their constitutional rules, to enter into the agreement. Luckily for the airlines and the governments, the Court delayed the effect of its decision until September 30, 2006. Until then, European airlines will keep on being able to transfer their passenger data—and keep on being able to fly into American airports--without having to worry about breaking European privacy law. Afterwards, it could get complicated.

Some background. After the September 11 terrorist attacks, airlines flying into the United States were required to give the U.S. Bureau of Customs and Border Protection (CBP) access to the passenger name records (PNR data) in their computer systems. In other words, the CBP was to be afforded access to the airlines’ databases in London, Rome, Amsterdam, and other European cities to extract PNR data on their American-bound passengers, before those passengers actually touched down in an American airport. The PNR data would be extracted by the CBP and stored in the CBP’s own computer system. This was designed to allow the CBP to check on any terrorist connections of passengers before their arrival in the United States; the information could also be used in future investigations. If European airlines did not comply, they faced stiff U.S. penalties. But, if European airlines did comply, they ran the risk of breaking European privacy laws. As I said in my last post, many European privacy laws require “adequate” protection for private data transferred abroad and the United States is widely viewed as not affording “adequate” protection. Therefore, European airlines that transferred PNR data to the U.S. government risked being prosecuted by their own authorities.

The European Commission (the European Union’s civil service) took the lead in trying to fix the airlines’ dilemma. This it did based on its powers under the European Union’s Data Protection Directive. (Data protection is the European expression for data privacy and a directive is a type of EU law.) Because in my last post I was dealing with the NSA, I didn’t mention this law, which guarantees data privacy when firms and other actors process data for economic purposes. The Directive, passed in 1995 and in force since 1998, standardizes the privacy rules for market actors in all Member States of the European Union.

In February 2003, the European Commission and the CBP began negotiations on an agreement that would guarantee the privacy of European PNR data after it had been collected by the CBP. In spring 2004, the two sides reached an agreement. In May 2004, the Council of Ministers (the intergovernmental body where the Member States take decisions) and the European Commission adopted the decisions necessary to render the PNR agreement effective, internally, for the European Union. And, on May 28, 2004, the EU-U.S. PNR agreement was signed by a representative of the Council and the Secretary of the Department of Homeland Security. At that time, the agreement became effective externally, under international law.

But the European Parliament was not happy with the PNR agreement. Therefore, the Parliament challenged in the European Court of Justice both the Commission’s and the Council’s decisions rendering the agreement effective under internal, European Union law. The lawsuit was driven in large part by institutional politics unrelated to the substance of the agreement. For years, the European Parliament has been asserting, quite successfully, greater powers vis-à-vis the other two branches of EU government (the Council and the Commission); the PNR lawsuit represented a bid for greater powers in the foreign relations field. But setting aside the politics, what were the alleged defects, in EU law, of the PNR agreement? There were numerous legal grounds for the European Parliament’s challenge, most of which went to the inadequate protection of privacy.

In yesterday’s judgments, the Court of Justice found for the European Parliament. Not to cause too much turmoil for the governments and the airlines, the Court of Justice allowed the Commission’s decision—and, therefore, the PNR agreement too--to stay effective until September 30, 2006.

Perhaps more surprising than the outcome was the reasoning of the Court of Justice. (The Court was following the opinion of the Advocate General assigned to the case. Advocate Generals are members of the Court who are responsible for writing a public opinion before cases are decided, advising the Court on the law and the correct outcome.) The Court of Justice did not consider any of the privacy-related claims. Rather, it found that neither the Commission nor the Council had the power to enter into the PNR agreement.

To explain the Court’s logic, I must get into some basic EU law. The European Union has a bizarre constitutional structure that comes out of the fact that it used to be an international organization, now is a quasi-federal polity. It has three “Pillars.” The First Pillar governs the regulation of the common market—things like the rules that apply when a plane takes off from Rome and lands in Munich. This is not an area that goes to the core of national sovereignty, and so the European Union (actually “European Community” when we’re talking about First Pillar) has acquired a lot of power in the First Pillar—and the Member States have lost a lot of power. In the PNR episode, the European institutions acted under the First Pillar: the Commission based its decision on the Data Protection Directive (a market-regulating, First Pillar law) and the Council based its decision on the Data Protection Directive, together with its more general First Pillar powers.

By contrast, the Second and the Third Pillars apply to matters that do go to the core of national sovereignty: defense and other types of foreign policy (Second Pillar) and fighting crime and protecting against internal security threats like terrorism (Third Pillar). The European Union has powers in these areas, but it is hamstrung in various ways by Member States anxious to preserve national sovereignty.

Since the PNR agreement involved private, commercial European air carriers, the Commission and the Council thought they could act under the First Pillar. But the Court of Justice disagreed—essentially the Court said that the European Union would have to act under the Third Pillar or not at all. Here I’m simplifying slightly. What the Court actually said was that since the text of the Data Protection Directive expressly does not cover “[data] processing operations concerning public security . . . and the activities of the State in areas of criminal law” (i.e., matters that fall under the Third Pillar) and since the PNR agreement covers “processing operations concerning public security and the activities of the State in areas of criminal law,” the Commission’s decision could not be based on the Data Protection Directive. It applied a similar logic to annul the Council’s decision. What the Court did not say was that the deeper, Three-Pillar constitutional structure of the European Union, which puts regulation of the market in the First Pillar, cooperation on fighting terrorism in the Third Pillar, barred the European Union from entering into PNR agreement. In this, it was careful not to follow the Advocate General’s opinion to the letter (see his opinion at paras. 140-155). Therefore, the Court left the door open to an agreement based on, not the Data Protection Directive, but another aspect of the First Pillar. But it is extremely difficult to envisage what that might be, since the Data Protection Directive excludes public security and criminal law precisely because of the constitutional Three-Pillar structure. Plus, the Court, in its own analysis, put the transfer of PNR data squarely in the Third Pillar: the Court stated, without reservation that the data transfer covered by that agreement was “not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law enforcement purposes.” Para. 57.

What happens now? Because the basic problem remains: if European airlines refuse the CBP’s request for their PNR data, they face stiff U.S. penalties; if they comply with the CBP’s request, they risk breaking European privacy laws. (But after the Court of Justice’s decision, only national laws and the Council of Europe instruments I described in my earlier post, not EU law, since the Court of Justice said that the Data Protection Directive does not cover security-related data transfers.) As I see it, there are two scenarios. Either the European Union will enter into a similar, now Third-Pillar, agreement with the U.S. or the 25 different data protection laws of the 25 Member States will apply.

Under the Third Pillar, the Council can enter into international agreements. Thus the Council could sign another PNR agreement with the United States, just wearing its Third Pillar hat. But there are many hurdles, as compared to international agreements under the First Pillar. First, all the Member States in the Council must agree—over most Third Pillar matters, each Member State has a right of veto. Second, for such an international agreement to be effective, internally, it must comply with whatever ratification requirements exist in each of the 25 Member States. Third, the Council might very well first have to adopt internal, intra-European legislation on sharing airline data among European police authorities before it can enter into an external agreement with the United States. I’m not an expert on the Second and Third Pillars but that would be my reading of the applicable articles of the Treaty on European Union (arts. 24 and 30) together with the Court of Justice’s so-called ERTA doctrine. Ironically, the only advantage, speed-wise, that a Third Pillar agreement would have over the First Pillar is that the European Parliament would have no powers--it does not have the right to be consulted on proposed international agreements and it does not have standing to challenge such agreements in the Court of Justice. Would the European Union be able to surmount all of these obstacles before September 30? It is not impossible but keep in mind that those long, European summer vacations are coming up.

The second scenario is that the European Union will do nothing and, therefore, national laws would apply. As I alluded to in my last post, national laws are incredibly variable. In countries like the United Kingdom and Italy, air carriers could transfer passenger data for public security purposes without any guarantees of “adequate” data protection. But French and German carriers would probably need such guarantees. Moreover, under the Council of Europe’s Convention 108 and under all national, European laws, air carriers would need a basis in law for transferring PNR data. Without that, the personal data wouldn’t be processed “fairly and lawfully” as required by those instruments. Therefore, in all 25 Member States, national regulations would have to be passed, creating a legal duty for airlines to comply with the CBP’s requests.

These two fairly convoluted scenarios remind me of that famous quip of Henry Kissinger’s: “When I want to speak to Europe, whom do I call?” In the more humdrum area of trade and market regulation, this isn’t so much of a problem anymore. On security-related issues, however, it is still unclear whom the U.S. government should be calling.

Posted by Francesca Bignami at 03:35 PM | Comments (3) | TrackBack

Snuggly the Security Bear

For some privacy and national security humor, check out this animated cartoon, Snuggly the Security Bear.

Posted by Daniel J. Solove at 12:12 PM | Comments (0) | TrackBack

The NSA Phone Call Database: The European Perspective

Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.

Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.

A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.

The details of the NSA call database are murky. For purposes of my analysis, I’m assuming the following: (1) it was authorized by a secret, executive order, based on the President’s constitutional commander-in-chief powers; (2) the database contains call records—when, for how long, and to which phone numbers the calls were made--of millions of American citizens that are traceable to those citizens; (3) before the program became operative, no government officer independent of the President’s administration had the opportunity to review the program for privacy concerns and, since it has become operative, no independent officer has the power to enforce compliance with basic privacy safeguards.

In Europe, any database of electronic information that can be traced to individuals, including phone records, is considered a possible threat to the fundamental right to private life. For databases created for intelligence and law enforcement purposes, there are two Europe-wide sets of standards: Article 8 of the European Convention of Human Rights on private life and the Council of Europe’s Convention 108 on Personal Data Processing. The European Court of Human Rights has decided a number of telecommunications surveillance and data privacy cases under Article 8. A third set of standards, covering intra-European exchanges of personal information to prevent, investigate, and prosecute crime, is being negotiated in the European Union. All European countries also have their own data protection laws, which set down more precise duties and rights. The ones I’ll be referring to here are the laws of Germany, France, Italy, and the UK.

Under Article 8 of the European Convention on Human Rights, the NSA’s database would have to satisfy three conditions. First, it would have to be authorized by a law that was accessible to the public and that contained precise enough provisions to curb arbitrary government action and to put citizens on notice of possible incursions into their private sphere. Second, the purpose of the interference with privacy would have to be legitimate. Both “national security” and “public safety” count as legitimate purposes. Third, the interference with privacy would have to be proportional. Proportionality turns on two, related inquiries: Is there evidence that the government action can achieve the stated purpose? Is the government action necessary for accomplishing the stated purpose or are there alternative means of accomplishing the same purpose that will burden the right less? The burden of justification on the government, under the proportionality test, varies tremendously, depending on the right at stake and the public interest being pursued. The more important the right, the higher the burden on the government, the more important the public purpose, the lower the burden on the government.

When the privacy right at stake is data privacy, the proportionality investigation is guided by some of the more specific guarantees of Convention 108. For instance, the amount of the data processed should be no more than necessary to accomplish the purpose. Neither should the time during which the data are stored be any longer than necessary to accomplish the purpose. As a special safeguard for the burdened, privacy right, individuals should have the right to check their personal data, to make sure that it is accurate and that, in all other respects too, their personal data is being processed in accordance with the law. Most European countries have also ratified a protocol to the Convention, providing for an independent supervisory authority, and even those that have not ratified the protocol, have such a supervisory authority. In most countries, privacy authorities have advisory powers over proposed legislation, while everywhere they have oversight powers, to ensure compliance. The Convention allows for certain exceptions from its privacy guarantees, including exceptions for national security and law enforcement. However, those exceptions must themselves be based on law and be proportional.

How would the NSA’s database fare under this European privacy law? First, based on European Court of Human Rights’ case law as well as French and German data protection law, I think that the database would fail the requirement of an authorizing law. It does not appear to me that a secret, executive order based on a constitutional conferral of power to the President to serve as “commander in chief” would be good enough. (Of course, the administration’s lawyers might have in mind more precise statutory text as the authority for the database, in which case this analysis could change.) It is neither accessible to the public, nor is it specific enough to curb arbitrary exercises of power and to put citizens on notice of how their government is interfering with their basic rights. What about the Bush administration’s argument that any disclosure of the NSA call program threatens American national security? For, as I mentioned above, the Europeans allow for exceptions based on national security concerns. In my view, that argument would fail, both in the European Court of Human Rights and in national, European courts. Certainly, courts have permitted European governments to keep secret the some of the methods used in surveillance, together with the specific targets of surveillance. (Paul Schwartz has a terrific discussion of some of the German law in his article, German and U.S. Telecommunications Privacy Law, 54 Hastings L.J. 751 (2002-2003). And Verna Zöller provides an informative update in Liberty Dies by Inches, 5 German L. J. 469 (2004).) But I don’t know of any instance in which they have allowed such a massive government program, involving almost entirely national citizens, to go forward without some basis in a reasonably detailed, public law.

The good news for the NSA call program is that it would satisfy the second European legal requirement: national security is, most certainly, a legitimate purpose. Then we get to proportionality. Is a database with the calling records of tens of millions of citizens necessary for fighting terrorism? When making this kind of determination, European courts and privacy officers show considerable deference to their intelligence services. Courts and privacy officers are acutely aware of their limits in understanding how to combat terrorism, as compared to the seasoned professionals in their national intelligence services. But, in Europe, the government would have to make the case—not necessarily in public or in an ordinary court of law—that the data collection was capable of reducing the terrorist threat. The government would also have to consider other types of regulation, less invasive of the private lives of ordinary Americans--say, a database of the telephone records of al Qaeda suspects only. The government would also have to demonstrate that there were privacy-protecting safeguards in place. Again, European laws allow for exceptions based on national security concerns, but, again, I don’t think that those exceptions would apply here. Since we don’t know much about the NSA call program, we don’t know whether it is, in fact, supported by this type of reasoning. On the proportionality issue, therefore, I can’t come to any conclusion.

What about an independent privacy agency? That is certainly absent from the NSA call program. In much of Europe—including Germany (Federal Data Protection Act, section 26) and France (Law No. 78-17, article 11.4 and article 26.I)—this independent agency would have had to be consulted on the NSA program before it became operational. Many things can go wrong when a government collects information on the habits of its citizens, including phone records: phone numbers might be matched to the wrong people, leading the government to suspect ordinary citizens of being covert al Qaeda operatives; an intelligence officer who thinks that his wife is cheating on him might check her phone records; once the phone records get too old to help in the fight against terrorism, they might be passed along to tax fraud investigators or to direct marketers. Consultation of a privacy expert, when a government program is being designed, is an important way of ensuring that the necessary safeguards are in place, before any of these abuses can occur.

Moreover, in all of Europe, an independent privacy agency would have to have the power to ensure that government officers, in running the program, were complying with basic privacy safeguards. Here, even under European laws, there are exceptions for intelligence agencies. For instance, under German law, the Federal Commission for Data Protection does not have jurisdiction over telecommunications surveillance (which, under German law, includes calling records) when conducted by an intelligence agency (Federal Data Protection Act, section 24). But another independent, government body does have the power to order the government to stop illegal surveillance: a special, bi-partisan, parliamentary commission known as the G-10 Commission. Under French law, individuals do not have the right to check, directly, whether the information held on them by security agencies is lawful, but must be able to do so, indirectly, through their national privacy agency (Law 78-17, article 41). Furthermore, under European laws, these exceptions to jurisdiction do not apply to personal data used for law enforcement purposes. This is significant for the NSA program because it is unclear whether the information is being used only by intelligence officers, or by law enforcement agencies too. In sum, under European laws, the NSA program could not be exempted entirely from oversight by an independent government body with the power to investigate and to stop violations of privacy rights.

Now for the bottom line. Why does it matter that the NSA call program would be illegal under European privacy law? That, if any European government tried to do the same thing, it would be breaking the law? As I said at the beginning, I think that the different result under European law is revealing for what it says about current transformations in American law: it underscores the extent to which national security concerns are coming to dominate American law.

There is also a more pragmatic reason for taking European privacy law seriously. The National Security Agency might want information on the calls made by Europeans, in Europe. But because the way it handles private data is so out-of-line with European law, it is increasingly unlikely that the NSA will be able to get call information-- or any other private information for that matter--from European governments.

Let me explain a bit further. In some European countries, private data cannot be transferred to countries without “adequate” privacy safeguards, even if that data is requested for national security purposes. This is the case in Germany, where an exception to the adequacy principle can be made only “for compelling reasons of defence or to discharge supranational or international duties in the field of crisis management or conflict prevention or for humanitarian measures.” (Federal Data Protection Act, section 4b(2)). This is also the case for France, where there is a public security exception to the adequacy principle, but that exception is still subject to a determination that the personal information will be protected in the country of destination (Law No. 78-17, article 69). Furthermore, at the European Union level, a series of laws are being negotiated that would enable police authorities, for purposes of preventing or prosecuting crimes, including terrorism, to freely exchange data like calling records and then transfer that data to their intelligence agencies. These are: the European Parliament and Council Data Retention Directive (adopted in March but not yet in force), the Council Framework Decision on the exchange of information under the principle of availability (under negotiation), and the Council Framework Decision on the protection of personal data (under negotiation). However, under the current version of the privacy part of the package, information like calling records could only be transferred to third countries that ensure “an adequate level of data protection” (Council Framework Decision on the protection of personal data, article 15.1(d)). Therefore, with one exception (article 15.6), national, European police and security agencies would have to deny an NSA request for call records. No wonder that the Americans expressed concern about this provision at a March 2-3, 2006 EU-US meeting.

Under all of these laws, even if privacy is not adequately protected in the destination country, an international agreement can stipulate privacy safeguards for the transferred data, and therefore render the transfer lawful. But the news of secret U.S. surveillance programs has made it more difficult to take this route. How are European governments to trust that an undertaking of an agency like the NSA or the FBI will not be quickly superseded by a secret order issued by the President, based on his constitutional powers? Of course, if that were to occur, European governments would have claims against the United States under international law. But given the weak enforcement mechanisms of international law and changing American surveillance practices, it is unclear whether such an undertaking could serve as a sufficient guarantee of European privacy.

Posted by Francesca Bignami at 03:51 PM | Comments (7) | TrackBack

The Technicalities and Complexities of Electronic Surveillance Law

Currently, there's a debate raging about whether the phone companies violated the law when they supplied phone call records to the NSA. Orin Kerr opines:

The Stored Communications Act, 18 U.S.C. 2701-11, only regulates two kinds of providers: providers of electronic communication service and providers of remote computing service. Everyone agrees that the telephone companies are not acting as providers of remote computing service, so if they are liable they must be acting as providers of electronic communication service. . . .

A local telephone company is clearly a provider of electronic communication service: it literally provides users the ability to send or receive telephone calls. But is a company that only provides long distance service a provider of electronic communication service?

Maybe, but I’m not entirely sure. I don’t know much about how modern telephone networks work, but I am guessing that local carriers carry the first part of the call. In the case of a long-distance call, I assume that the long-distance carrier picks up the call at some point from the local carrier, and sends it to the local carrier at the receiving end of the call. If that’s right, I’m not entirely sure the long-distance carrier is a provider of electronic communications service.

I can see arguments on both sides. . . .

This debate gets to one of the major problems with electronic surveillance law. In my article, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I observed:

Electronic surveillance law has not kept pace with the staggering growth of technology. As discussed earlier, the law currently makes antiquated distinctions that often do not protect what is most important. Electronic surveillance law has lagged behind technological developments and has not been responsive to new surveillance technologies. . . .

Despite . . . dramatic changes since the passage of [The Electronic Communications Privacy Act ("ECPA") which includes the Stored Communications Act under its umbrella] in 1986, Congress has failed to engage in a major revision of the law [except for some smaller changes here and there, the most notable of which was the USA-Patriot Act]. Under this state of affairs, law enforcement cleverly employs new technologies to try to avoid triggering ECPA. Often, these technologies are quite invasive, but the debate seems to turn on technicalities—whether the surveillance fits into ECPA’s framework. This invites a technological rat race, in which law enforcement uses new technologies designed to fit within ECPA’s less stringent provisions or to fall entirely outside of ECPA’s scope. . . .

Lost amid the labyrinthian task of applying ECPA’s complex provisions is the question of whether new technologies contravene the appropriate balance between effective law enforcement and privacy. . . .

Moreover, the FBI has been developing and using new surveillance technologies without discussing them publicly. As one FBI spokesperson said: “It’s completely inappropriate [to discuss new surveillance technologies]. Why would we? That would defeat the whole purpose of surveillance.” . . . . In a self-governing democracy, it is hard to justify the secret deployment and use of surveillance technology on United States citizens without affording adequate public discussion about the costs and benefits of these new technologies.

One of the major problems with current electronic surveillance law is that it was built tightly around technologies existing in the mid-1980s, rather than built more broadly and generally around basic principles for balancing privacy and the need for government surveillance. As a result, the application of the law to new technologies becomes very complex and uncertain. Kerr may be right that the law is up in the air with regard to whether the NSA phone record database contravenes the Stored Communications Act, but if he is right, then this is evidence of a much larger problem. Time and again, our electronic surveillance laws are failing to provide answers when it comes to questions of critical importance.

Posted by Daniel J. Solove at 02:52 PM | Comments (0) | TrackBack

Kerr's Legal Analysis of the NSA's Phone Records Program

I was planning to do some analysis of the legality of the NSA's phone records program, but Orin Kerr has already accomplished it. His posts are terrific and are essential reading:

* Thoughts on the Legality of the Latest NSA Surveillance Program
* More Thoughts on the Legality of the NSA Call Records Program

In the latter post, Kerr analyzes whether the telephone companies violated the Stored Communications Act, 18 U.S.C. 2702. Section 2702(a)(3) prohibits phone companies from knowingly divulging customer records to any governmental entity. Kerr notes that the most relevant possible exception to this restriction is 18 U.S.C. 2702(c)(4), as amended by the Patriot Act renewal of 2006, which allows disclosure to "a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency." Kerr notes:

The language that passed as part of the Patriot Act in 2001 allowed disclosure only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don’t know of a reason to think that they had a reasonable belief of “immediate” danger. If this was a program ongoing for several years, then it’s hard to say that there was a continuing reasonable belief of immediate danger over that entire time.

Kerr also explains that the Patriot Act renewal earlier this year made a few tweaks to this exception:

The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an “immediate” danger. I wouldn’t be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program."

Much more at Kerr's posts.

UPDATE: Marty Lederman also has some excellent analysis that's definitely worth reading.

Posted by Daniel J. Solove at 10:35 AM | Comments (7) | TrackBack

The NSA's Phone Call Database

USA Today reports:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

"It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.

The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said.

More information is contained in this companion article at USA Today.

Wow!

UPDATE: Orin Kerr offers up a thoughtful analysis of the legality of this program here.

Posted by Daniel J. Solove at 10:59 AM | Comments (0) | TrackBack

Electronic Surveillance Statistics for 2005

The Department of Justice (DOJ) has released its annual report on the number of Foreign Intelligence Surveillance Act (FISA) orders, Wiretap Act orders, and National Security Letters issued in 2005.

For FISA surveillance orders, 2072 applications were made to the FISA court; none were denied. Over the past few years, the number of orders has been steadily increasing:

2005 -- 2072 applications approved
2004 -- 1758 applications approved
2003 -- 1724 applications approved
2002 -- 1228 applications approved
2001 -- 934 applications approved
2000 -- 1012 applications approved
1999 -- 880 applications approved

In all, only 4 applications have ever been denied. More statistics are on EPIC's FISA statistics page.

One wonders what the statisics would have been had the Bush Administration properly gone to the FISA court instead of engaging in secret wiretapping by the NSA.

In 2005, according to the Administrative Office of the United States Courts, there were 1773 wiretap orders issued by courts under the Wiretap Act. In 2004, there were 1710 wiretap orders issued.

For the first time, statistics were released on the use of National Security Letters. According to the DOJ report:

During calendar year 2005, the Government made requests for certain information concerning 3,501 different United States persons pursuant to National Security Letters (NSLs). During this time frame, the total number of NSL requests (excluding NSLs for subscriber information) for information concerning U.S. persons totaled 9,254. In other words, there were 3,501 different U.S. persons involved in the total of 9,254 NSLs that related to U.S. persons.

According to the Washington Post:

The report, released late Friday, represents the first official count of NSL use. It was required under legislation that extended the USA Patriot Act anti-terrorism law.

The count does not include other such letters that are issued by the FBI to obtain more limited subscriber information from companies, such as a person's name, address or other identifying data, according to the report. Sources have said that would include thousands of additional letters and may be the largest category of NSLs issued. The Washington Post reported in November that the FBI now issues more than 30,000 NSLs each year, including subscriber requests.

Related Posts:
1. Solove, National Security Letters (Nov. 2005)
2. Solove, More on National Security Letters (Nov. 2005)
3. Solove, Did President Bush Have the Legal Authority Under FISA to Authorize NSA Surveillance? (Dec. 2005)

Posted by Daniel J. Solove at 12:47 AM | Comments (3) | TrackBack

Stuntz Responds: Further Thoughts on Privacy and Transparency

A few weeks ago, I wrote a post criticizing an essay by William Stuntz (law, Harvard) in The New Republic. Today, he has responded to my post in The New Republic Online.

I'll reply briefly here to a few of Stuntz's points in response. Stuntz observes:

What are the worst things governments do to their citizens, the abuses that most characterize despots and dictators? For my money, spying and snooping are pretty far down the list. I'd rank these much higher: torture and other physical abuse, harassment of political and religious dissidents, and (most of all) arbitrary punishment--prison sentences handed down not because the prisoners did some terrible wrong or caused some horrible injury, but because they got on the wrong side of some local party boss.

Stuntz seems to assume that privacy and transparency are separate issues from the ones he lists above, but I see privacy and transparency as integral checks to prevent the kinds of abuses Stuntz mentions.

Stuntz then writes:

Solove says that it's "silly" to say that we're better off if the government listens to lots of phone conversations rather than only a few. If so, then current law is silly--for as he knows, the law today and for some time has drawn precisely that line. That is why the police can set up roadblocks and stop every car to check for drunk drivers, even though the cops have no reason to suspect any one driver. In my view, the same principle should apply to phone calls, and to DNA tests. If I understand the news stories correctly, nearly all the members of Duke's lacrosse team were tested in connection with the ongoing Durham rape investigation. That strikes me as a very good thing: DNA tests reduce the odds that the guilty will escape punishment, and also reduce the odds that innocents will suffer it. Does Solove disagree?

I am not an absolutist when it comes to protecting privacy. I believe that the police should have the power to conduct a variety of investigations; they should be able to conduct DNA tests; they should be able to wiretap and engage in surveillance. The issue isn't whether or not they should be allowed to do these things; rather, it is what kinds of oversight and accountability do we want in place when the police engage in searches and seizures. The police can employ nearly any kind of investigatory activity with a warrant supported by probable cause. This is a mechanism of oversight -- it forces the police to justify their suspicions to a neutral judge or magistrate before engaging in the tactic. Driver checkpoints are limited in the kinds of questions the police can ask; in what they can stop motorists for; in how long they can stop people; and so on. The law allows for wiretapping but only under judicial supervision, procedures to minimize the breadth of the wiretapping, and requirements that the police report back to the court to prevent abuses. It is these procedures that the Bush Administration has ignored by engaging in the warrantless NSA surveillance. The question is not whether we want the government to monitor such conversations; it is whether the Executive Branch should adhere to the appropriate oversight procedures that Congress has enacted into law or whether it should be allowed to covertly ignore any oversight.

Regarding the DNA tests of the Duke lacrosse members, there was a legitimate reason to suspect them of a crime, so they should be tested. Moreover, DNA presents very different considerations from surveillance. Because current DNA typing uses only parts of DNA and cannot be used to ferret out medical histories and conditions (at least not currently), it might not present as substanial a privacy risk. In one post a while ago, I examined whether everybody should be included in a DNA database. As my post indicates, I believe that with the right set of protections, DNA identification can be successfully used. The question is not one of yea or nay to DNA databases, but of whether they can be implemented in ways with the appropriate oversight and protections. Other forms of surveillance poste different problems, such as the NSA surveillance, which is far more troublesome because of the kind of information it can reveal.

Turning to transparency, Stuntz argues:

As I understand American political history, we once had a political culture in which the legislative and executive branches operated much like appellate courts. There were public debates and votes that produced public decisions. But before those debates and votes, a good deal of discussion and analysis happened behind the scenes, outside public view. Not coincidentally, that style of governing seemed to accomplish more than the transparent government we usually see now. I'd like to return to that older style. For the life of me, I can't understand why that makes me an enemy of freedom.

I disagree with several premises. I'm not so sure that we have progressed from a golden era of a highly functional government to the dark ages of a disfunctional one. The government has had its high points and low points in history, and I don't think that transparency is the problem. The problems, as I see it, are excessively divisive partisan politics and a government that isn't responsive enough to the people -- it serves the interests of the rich and powerful, the big corporations, or the highly vocal interest groups. Closed doors facilitate the kind of Washington lobbying and special influence culture that often makes the government out of touch with the people it governs.

Finally, Stuntz observes:

Limits on government power that look wise when the other side holds the reins sometimes look foolish when your side is in charge. Better to put aside today's partisan debates and think about the long term. Not all civil liberties are created equal; some matter more than others. If we protect the wrong ones too much, we're liable to protect the right ones too little.

I have several responses. First, it doesn't strike me as inevitable or likely that by protecting some civil liberties that we won't protect others. If anything, Stuntz's logic works better when it comes to particular security measures. We have limited money and resources, and thus we have to choose which security measures to adopt. In my view, we should be focusing on tracking down loose nukes and other serious threats; securing our ports; and so on. Engaging in random subway searches or spending millions of dollars on data mining systems that have no proven track record of actually working strike me as making the wrong security choices. Privacy and transparency force some debate into the mix when it comes to these measures, and this debate might steer the government away from some very poor security choices.

Second, limits on government power are especially important when one side controls many of the branches -- whether it is your side or not. Stuntz may have legitimate gripes about a government that is not working as efficiently and intelligently as it should be, but the cause isn't privacy or transparency. It is a two-party system that doesn't adequately represent the views of many citizens. It is the constant game-playing and partisan rancor that persists in Washington. It is a system that faciliates gerrymandering to keep incumbents in power and less accountable for their actions. It is the profound influence of money in politics. It is politicians voting for measures not because they're good for the country, but because they help out local interests or companies that make robust financial contributions. There's a lot that is wrong with government, but it surely isn't privacy and transparency.

Posted by Daniel J. Solove at 02:04 PM | Comments (7) | TrackBack

William Stuntz's Misguided Theory of Privacy and Transparency

William Stuntz (law, Harvard) has long been advancing thoughtful provocative ideas about criminal procedure. I've always found Stuntz to be insightful even when I disagree (and I have disagreed with him a lot). Stuntz's recent essay in The New Republic entitled Against Privacy and Transparency has me not just disagreeing, but doing so rather sharply.

Stuntz begins with an interesting historical generalization. He argues that privacy and transparency (open government) "seem like quintessentially liberal ideas," although historically they had long been conservative ideas. Stuntz notes that the call for greater government transparency "flowed from pro-business conservatism" because it made it hard for an activist government to alter the status quo. He argues that privacy helped make it hard to regulate big business during the progressive movement in the early 20th century. Stuntz observes: "Privacy, once the right's favorite right, became the left's friend thanks to the civil rights movement. In a time when J. Edgar Hoover was spying on Martin Luther King Jr. and Southern sheriffs were enforcing America's own version of apartheid, police snooping had a decidedly right-wing cast." As for transprency, "Vietnam and Watergate made the left suspicious of government power generally and executive power in particular. When liberals looked for a way to make Richard Nixon's imperial presidency a little less imperial, they stumbled on weaponry that Taft's Republicans had used against Harry Truman: force the president to disclose as much as possible."

The historical picture is far more complicated than the one Stuntz paints. Justice Louis Brandeis, one of the leading liberals in the early 20th century, was one of the main proponents of privacy and transparency, and he was strongly in favor of New Deal politics. Indeed, it was Brandeis who wrote the famous article, The Right to Privacy in the Harvard Law Review that gave birth to the privacy torts; it was Brandeis who penned the powerful dissent in Olmstead v. United States, 277 U.S. 438 (1928) where the Court held that the Fourth Amendment didn't cover wiretapping; and it was Brandeis who wrote the famous line in favor of transparency, "Sunlight is said to be the best of disinfectants." Stuntz is right when he acknowledges that privacy and transparency have strong roots in conservative thinking. But they also have strong roots in liberal thinking, and they are not concepts that have been passed like a baton from the conservatives to the liberals.

But this is not the part of Stuntz's essay that makes my blood boil. It is his main thesis, where he argues:

Today, the danger that American democracy faces is not that rulers will know too much about those they rule, nor that too many decisions will be made without public scrutiny. Another danger looms larger: that effective, active government--government that innovates, that protects people who need protecting, that acts aggressively when action is needed--is dying. Privacy and transparency are the diseases. We need to find a vaccine, and soon.

Huh? The problem with our government stems from privacy and transparency? To justify this startling conclusion, Stuntz argues that:

[D]ifferent forms of evidence-gathering are substitutes for one another. Anything that raises the cost of one lowers the cost of all others. The harder it is to tap our phones, the more government officials will seek out alternative means of getting information: greater use of informants and spies, or perhaps more Jose Padilla-style military detentions with long-term interrogation about which no court ever hears, or possibly some CIA "black ops," with suspected terrorists grabbed from their homes and handed over to the intelligence services of countries with fewer qualms about abusive questioning. In an age of terrorism, privacy rules are not simply unaffordable. They are perverse.

Stuntz's logic seems to be that we should let the government invade our privacy to a significant degree, because if we don't, the government will resort to even worse things. The argument that if you stop somebody from doing something bad, they'll do something even worse can be used in almost any situation to defeat almost any law or regulation. Using this logic, one might argue that we should let thieves steal, because if we don't, then they'll resort to even worse crimes. The argument proves way too much, and as a result, winds up proving nothing in the end. Moreover, the kinds of information gathering techniques Stuntz lists as examples of "alternatives" rest on very uneasy legal and constitutional ground. Perhaps one of the reasons they have occurred is because of a lack of adequate transparency and a lack of sufficient checking of the Executive Branch. But Stuntz, however, sees transparency as part of the problem.

Stuntz has many more arguments which are worth responding to.

He argues that transparency makes it harder for government officials to do something, and doing something is better than doing nothing: "For most officials most of the time, the key choice is not between doing right and doing wrong, but between doing something and doing nothing. Doing nothing is usually easier--less likely to generate bad headlines or critical blog posts."

Is this really true? Government officials often always try to do something -- the problem is that the "something" they try to do isn't the result of an informed and thoughtful policy analysis but often a cheap gimmicky solution that will grab headlines. Stuntz frequently complains (correctly, in my opinion) of the excessive increase in criminal laws, and in this essay, he writes that "American criminal codes have metastasized." Why has this happened? It's not the result of the government doing nothing. It is because of the strong sentiment that the government must do something, and it's easy to enact more criminal laws. So the choice for officials isn't between doing something or nothing -- it's between doing something symbolic versus doing something meaningful but more nuanced and complicated. When it comes to security, the symbolic measures often have high civil liberty costs with very little security payoff. Left unexplored are the many more meaningful alternatives where the benefits might outweigh the costs. Perhaps transparency and privacy are just what the doctor ordered -- they make it harder for government officials to resort to quick easy measures and force them to think harder and consider measures that will have a security payoff that outweighs the costs. I have blogged a lot about these issues in connection with the NYC subway searches:

* NYC Subway Searches Upheld: A Critique of the Court’s Decision
* Rational Security vs. Symbolic Security
* Subways, Searches, and Slippery Slopes

Stuntz goes on to argue that we shouldn't restrict government information-gathering but should focus on restricting the use or disclosure of information after the government gathers it. Stuntz begins by observing:

Every year, tens of millions of Americans fill out their tax returns, giving the IRS a tremendous amount of information about their finances. The affront to privacy mostly goes unnoticed. Why? Because anonymity matters more than privacy.

I don't think that the issue here is anonymity. It's confidentiality. There are strict rules and strong expectations that tax information will be kept confidential. Also, filing tax information is mandatory. Even if a person cares deeply about her privacy, if she doesn't turn over tax information to the IRS, she'll wind up in jail. So I don't know what Stuntz's proposition about filing tax returns really proves other than the fact that people don't want to go to prison.

Stuntz then states that two "key propositions follow" from this insight into our filing our taxes as required by law:

First, the more people whose lives the government invades, the better. When targets are few, anonymity disappears. If there were 100 tax forms filed instead of 100 million, the IRS might do more snooping than is healthy. The more phones are tapped, the less freedom is threatened.

So we should want the government to invade our privacy more in order to protect it? Stuntz's argument may sound like a profound paradox, but it is really little more than doublespeak. This statement might have been true in the days long before computer technology and before Herman Hollerith invented the punch card machine. But in today's day and age, we have sophisticated computer technology that can analyze zillions of bits of data in nanoseconds. As Bob O'Harrow notes in his book No Place to Hide (2005), the database company ChoicePoint has "more than 250 terabytes of data regarding the lives of about 220 million adults." (p. 145). Modern data mining techniques make it much less likely that a piece of data will exist as a needle in a haystack. So I find it almost silly when Stuntz says that more wiretapping and more invasive information gathering equals less of a threat to freedom.

Stuntz goes on to argue:

Second, the initial invasion of privacy isn't the problem; subsequent disclosure is. The true image of privacy intrusion is not some NSA bureaucrat listening in on phone calls, but rather Kenneth Starr's leaky grand jury investigation, which splashed a young woman's social life across America's newspapers and TV screens. That is the nightmare worth protecting against. The best way to stop the nightmare from happening is to limit not what information officials can gather, but what they can do with the information they find.

Why isn't the initial invasion of privacy the problem? Stuntz mentions the leaks from Kenneth Starr's investigation as the big problem, but what about calling Monica's mother to testify, which outraged many? What about the subpoenas to Kramerbooks for Monica's book purchases? There were many dimensions of Starr's investigation that struck people as problematic -- they brought attention to the extremely powerful tools currently in a prosecutor's arsenal. Moreover, there are many forms of problematic government information gathering. Would J. Edgar Hoover's dossiers have posed no problem so long as he couldn't leak them? Why not put a surveillance camera in all of our homes so long as the government is limited in its use and disclosure of that data? It is certainly true that the Fourth Amendment focuses heavily on government information gathering and little to none on how the government uses the information once it has been collected. But why not regulate both collection and use?

Stuntz argues that a better approach to transparency is to "require limited disclosure: say, to the key congressional committees and to any courts designed to supervise the relevant process." This is what the law does with regard to foreign intelligence gathering -- the Foreign Intelligence Surveillance Act (FISA) requires a court order from a secret court to engage in surveillance. The Bush Administration, however, has violated the FISA and has authorized warrantless wiretaps by the NSA. And it has done so through a lack of transparency. It is only now that the information about the NSA surveillance has been released that the public has the opportunity to analyze the merits of the Bush Administration's actions. As for congressional oversight, recent events make me skeptical of Congress serving as a meaningful check on the Executive Branch. Perhaps when Congress is controlled by a different party than the Executive it can function as a better check, but one of the lessons we've been learning over the past decade or so is that Congress doesn't care to do much checking when the White House is occupied by the same party.

Stuntz concludes his essay by observing: "We have too much privacy, and those who govern us have too little." Unfortunately, Stuntz has it exactly backwards.

Posted by Daniel J. Solove at 07:33 PM | Comments (14) | TrackBack

NSA Surveillance: No Limit

When it comes to surveillance for the Bush information, it appears that only the sky's the limit. From the Washington Post:

Attorney General Alberto R. Gonzales left open the possibility yesterday that President Bush could order warrantless wiretaps on telephone calls occurring solely within the United States -- a move that would dramatically expand the reach of a controversial National Security Agency surveillance program.

In response to a question from Rep. Adam Schiff (D-Calif.) during an appearance before the House Judiciary Committee, Gonzales suggested that the administration could decide it was legal to listen in on a domestic call without supervision if it were related to al-Qaeda.

"I'm not going to rule it out," Gonzales said.

In the past, Gonzales and other officials refused to say whether they had the legal authority to conduct warrantless eavesdropping on domestic calls, and have stressed that the NSA eavesdropping program is focused only on international communications.

Are there any limits to its power that the Administration will acknowledge and respect? Thus far, none have been articulated. As I argued in an earlier post on the issue:

The problem with Bush's argument is that he has articulated virtually no conceivable limits to his power. The stakes of the debate aren't just about what the President has already done. They are about what the President has defiantly declared he has the power to do in the future.

The arrogance of power is astounding.

Posted by Daniel J. Solove at 10:19 AM | Comments (8) | TrackBack

Moussaoui and the Government Litigator

I don’t claim insight on the criminal laws involving terrorism. But terrorists prosecutions, as far as I can tell, tend to reveal that terrorists, or at least the ones who hope to attack America, don’t exactly operate like SPECTRE does in the movies. The massive government effort against them accordingly tends to look unbalanced, a major bureaucratic initiative against a tiny number of marginal outcasts who live in a twisted fantasyland. It’s Max Weber against a particularly vile Charles Bukowski novel.

This may be appropriate criminal law enforcement. But in the Moussaoui case, it has made for a very weird trial, where an unhinged defendant has been paired with a well-resourced and experienced team of defense lawyers. To push the analogy some more, it's Weberian order against the half-crazy and half-slick. The trial only got weirder when a TSA lawyer helping out on the case got much of the government’s sentencing phase evidence suppressed by prepping a number of witnesses.

I do know something about civil litigation on behalf of the government, but criminal law must be very different. Here’s my takeaway on what the TSA lawyer did:
- she a