Friday, June 07, 2013

Law's Losing Race With Technology

June 7, 2013, 5:25 p.m.

This series includes: "Lavabit Confronts 'Complicit or Close?' Levison Closes," August 9, 2013; "A Simple Matter to Drag People Along," August 6, 2013; "The Future of Surveillance and How to Stop It," August 4, 2013; "Surveillance: Differences of Degree and of Kind," July 3, 2013; "Shooting the Messenger; Should Government Be Able to Keep Its Abuses Secret?," June 11, 2013; "From Zazi to Stasi; Trusting a Government That Doesn't Trust You," June 9, 2013; "Law's Losing Race With Technology," June 7, 2013.

Redefining 'Privacy'

Our decades-long suspicions that our government has been spying on us have recently been confirmed. Once again, public opinion -- not to mention our policy analysis and law -- are lagging far behind leaping technological advances.

The London Guardian broke the story that the U.S. super-secret FISA Court (Foreign Intelligence Surveillance Act) has given the NSA (National Security Agency) the legal right to gather all of our phone records indiscriminately -- even if there is no reason for the NSA to suspect we've done anything wrong -- in this specific case, the records of every Verizon customer (with legitimate reason to suspect similar authorizations have been granted for all other major phone companies). Glenn Greenwald, "NSA Collecting Phone Records of Millions of Verizon Customers Daily; Exclusive: Top Secret Court Order Requiring Verizon to Hand Over All Call Data Shows Scale of Domestic Surveillance Under Obama," The Guardian (London), June 5, 2013 (with link to text of FISA Court order). [Photo credit: multiple sources.]

Ultimately, of course, the story was picked up and repeated by mainstream U.S. media, as U.S. officials scrambled to reassure Americans that they (members of the U.S. House and Senate) had known of this all along and always considered it a dandy way to protect us from terrorists -- carefully noting that at least this order did not include the government’s right to listen to the content of our calls. "All they were doing" was gathering the date and times our calls begin and end, the locations of the parties to the calls, and the phone numbers involved. Charlie Savage and Edward Wyatt, "U.S. Is Secretly Collecting Records of Verizon Calls," New York Times, June 6, 2013, p. A16; Editorial, "President Obama’s Dragnet," New York Times, June 7, 2013, p. A26 ("The administration has now lost all credibility on this issue. Mr. Obama is proving the truism that the executive branch will use any power it is given and very likely abuse it. That is one reason we have long argued that the Patriot Act, enacted in the heat of fear after the Sept. 11, 2001 attacks, by members of Congress who mostly had not even read it, was reckless in its assignment of unnecessary and overbroad surveillance powers.") [Photo credit:]

Not to be outdone by The Guardian, the Washington Post soon had a story of its own to break:
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track one target or trace a whole network of associates, according to a top-secret document obtained by The Washington Post.

The program, code-named PRISM, has not been made public until now. It may be the first of its kind. The NSA prides itself on stealing secrets and breaking codes, and it is accustomed to corporate partnerships that help it divert data traffic or sidestep barriers. But there has never been a Google or Facebook before, and it is unlikely that there are richer troves of valuable intelligence than the ones in Silicon Valley.
Barton Gellman and Laura Poitras, "Documents: U.S. Mining Data From 9 Leading Internet Firms; Companies Deny Knowledge,” Washington Post, June 6, 2013.

As I sometimes say, "The major problem is not so much that big corporations violate the law, it's that they write the law." The same thing's true of government. The White House, Justice Department, and the Intelligence Committees of the House and Senate tell us that all their spying on us is perfectly legal. They may well be right. Only problem is that the court that can tell us is so secret we aren't even supposed to know it exists; and unless the Guardian gets another leaked copy of an opinion we can't ever know what those judges decide, let alone their reasoning.

Legal or not, once again the technology is so far ahead of the ethicists, policy analysts, legislators and lawyers that we really need to "take it from the top," and totally rethink what we mean by "privacy" and what aspects of it are so important to us that we want legal protection.

Let's begin with a very brief review of the law.

The Fourth Amendment asserts a "right of the people to be secure in their persons, houses, papers, and effects" -- seemingly a kind of place-based security, a protection from trespassers -- albeit a protection that only extends to the exclusion of evidence so obtained. In 1928 the Supreme Court was still reading those words literally. Olmstead v. United States was a case in which the defendant had violated the prohibition laws. The prosecutor wanted to use evidence obtained by federal officers who had put wire taps on the defendant's phone lines a short distance from his property. The Supreme Court ruled that a phone tap, off the defendant's property, did not violate the language of the Fourth Amendment -- although it noted that Congress could pass a law prohibiting wiretaps (as it ultimately did).

By 1967, in Katz v. United States, Justice Stewart wrote for the Court, "the Fourth Amendment protects people, not places," even people who, as in that case, use public phones far from their homes. Justice Harlan, concurring, thought that was not enough: "The question, however, is what protection it affords to those people." Then, answering his own question, he posed the standard that has become the primary legacy of Katz: "there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as 'reasonable'" -- generally truncated into the shorter expression, "a reasonable expectation of privacy."

So far so good. But in the 1976 U.S. v. Miller case the Court explained that once you've shared information with another, even though you did so in confidence and for very limited purposes, you no longer have an expectation of privacy in that information, let alone an expectation that courts will consider "reasonable." In Miller the defendant, Miller, attempted to claim a Fourth Amendment right of privacy in the cancelled checks and other records and documents maintained by his bank.

Few people find it possible to function without a bank account; a relationship with a bank is more of a necessity than an option. A necessary feature of a bank account is that the bank maintain some records of your financial transactions. You may consider those records private, and that you have an implied understanding of confidentiality with the bank. However, the Miller court concluded that by giving those records to the bank Miller could no longer claim a reasonable expectation that they would remain private. Because he had no "reasonable expectation of privacy" law enforcement could get access to those records from the bank, without providing Miller the protections he would have received under the Fourth Amendment if Miller had no bank account and law enforcement had come to his home for his copies of those "papers."

That standard may or may not have made sense during the last decades of our pre-cyber life. Most of our "papers and effects" were kept in our homes, protected by the Fourth Amendment. Not all; the phone company had records of our long distance calls, the gas and electric company would have records of our consumption, and there were probably other exceptions. But for the most part we weren't giving information to third parties that we considered private and confidential.

Today the combination of electronics, digitization, the Internet, computers and telecommunication result in your sharing a large portion of your "papers" with others. Neither librarians nor store owners used to keep records of what books or other merchandise you examined. Today you share a record of every search with Google, a record of every product you examine on a company's Web site, your Kindle book library with Amazon, your music choices with iTunes. You've shared your email and text messages with some company, your photos with Picasa and Facebook, your videos with YouTube, your documents with Dropbox or some other firm that offers you real estate in their "cloud." In addition to your bank, "your" financial records are held by your credit card companies, airlines, rental car companies, hotels, and many local merchants.

As Chief Justice Taft noted in Olmstead, we still have some legislative protections from invasions of our privacy by corporations and government, and the opportunity for more. But there is very little left of the Fourth Amendment protections Americans once enjoyed -- at least with regard to the records maintained by corporations, and often handed over by them to agencies such as the NSA, CIA and FBI.

As yesterday's stories regarding the government's massive, sweeping collections of phone records and Internet traffic make clear, technology has left the Fourth Amendment in the dust as it speeds past. When law enforcement had to get a search warrant to tap one individual's phone, the Fourth Amendment's requirements were administratively feasible. When the government wants to tap everyone's phones, and collect everyone's Internet traffic, that system collapses.

Remember the song with the line, "If it weren't for bad luck, I'd have no luck at all"? Well, if it weren't for the FISA court we'd have no court at all; indeed, we didn't, not that many years ago. The government contended it didn't need any judicial approval to spy on Americans. But a "Top Secret" (that is the classification on the FISA court's Verizon order) court that reportedly grants virtually every request, and never releases its cases, their resolution, or its reasons, is a pretty thin reed on which to rest the public's confidence in their government.

The Supreme Court needs to rethink the Fourth Amendment's protection of our privacy in a post-cyber world. The mere fact that today's technology means that no American can have a "reasonable expectation of privacy" anywhere, at any time, requires that standard -- and its deadly presumption regarding records shared with third parties -- be discarded.

There's much, much more to be said on this subject. And I'm told there are more revelations coming from the Guardian's Glenn Greenwald. But that's all for now.

# # #

No comments: