Author Archive
The Census Meets the Patriot Act
The Washington Post reports that the Justice Department recently sent out a letter to the chairs of the Asian Pacific, black, and Hispanic caucuses in Congress, reassuring them that the Patriot Act’s expansion of information-gathering powers, including the controversial Section 215, does not override federal statutes guaranteeing the confidentiality of census data. DOJ’s view, according to Assistant Attorney General Ronald Weich, is that “if Congress intended to override these protections, it would say so clearly and explicitly.”
Section 215, recall, is colloquially referred to as the “business records” provision of Patriot, though in fact it permits investigators to obtain “any tangible thing” from a designated person or entity by obtaining an order from the secret FISA court, subject only to a showing that the records sought are “relevant” to a national security investigation. As Weich observes, §215 does not contain the “notwithstanding any other law” language present in other parts of the Foreign Intelligence Surveillance Act, which means that it cannot be presumed on face to override other federal privacy statues establishing a higher degree of protection for specific categories of sensitive records.
What’s interesting to me, however, is that a similar issue arose several years ago, not with respect to the census confidentiality statute, but rather the Family Educational Rights and Privacy Act (aka FERPA, aka the Buckley Amendment). Initially, DOJ attorneys similarly opted not to seek education records under §215 on the grounds that the FISA court might conclude FERPA trumped Patriot in the absence of language giving §215 explicit priority, as the Office of the Inspector General’s initial report on the use of §215 explains. Nevertheless, the Counsel for Intelligence Policy told OIG that his office “would have been willing to present an application to the FISA court for educational records if the FBI considered the information important enough and wanted to press the issue with the FISA Court.”
Subsequent amendments to the statute alleviated those concerns:
According to [National Secrity Law Branch] and [Office of Intelligence Policy and Review] attorneys, this legal impediment to obtaining educational records has been addressed. Section 106(a)(2) of the Reauthorization Act amended FISA by ading 50 U.S.C. §1861(a)(3), which specifically addresses educational, medical, tax and other sensitive categories of business records. The amendment provided that when the FBI is requesting such items, the request must be personally approved by the FBI Director, the FBI Deputy Director, or the Executive Assistant Director for National Security. According to several NSLB and OPPR attorneys we interviewed, because this provision clarifies that educational records are obtainable through the use of a Section 215 order, the non-disclosure provisions of Section 215 apply rather than the notification provisions of the Buckley Amendment.
Every Time I Say “Terrorism,” the Patriot Act Gets More Awesome
Can I send Time magazine the bill for the new crack in my desk and the splinters in my forehead? Because their latest excretion on the case of Colleen “Jihad Jane” LaRose and its relation to Patriot Act surveillance powers is absolutely maddening:
The Justice Department won’t say whether provisions of the Patriot Act were used to investigate and charge Colleen LaRose. But the FBI and U.S. prosecutors who charged the 46-year-old woman from Pennsburg, Pa., on Tuesday with conspiring with terrorists and pledging to commit murder in the name of jihad could well have used the Patriot Act’s fast access to her cell-phone records, hotel bills and rental-car contracts as they tracked her movements and contacts last year. But even if the law’s provisions weren’t directly used against her, the arrest of the woman who allegedly used the moniker “Jihad Jane” is a boost for the Patriot Act, Administration officials and Capitol Hill Democrats say. That’s because revelations of her alleged plot may give credibility to calls for even greater investigative powers for the FBI and law enforcement, including Republican proposals to expand certain surveillance techniques that are currently limited to targeting foreigners.
Sadly, this is practically a genre resorted to by lazy writers whenever a domestic terror investigation is making headlines. It consists of indulging in a lot of fuzzy speculation about how the Patriot Act might have been crucial—for all we know!—to a successful investigation, even when every shred of available public evidence suggests otherwise. My favorite exemplar of this genre comes from a Fox News piece penned by journalist-impersonator Cristina Corbin after the capture of some Brooklyn bomb plotters last spring, with the bold headline: “Patriot Act Likely Helped Thwart NYC Terror Plot, Security Experts Say.” The actual article contains nothing to justify the headline: It quotes some lawyers saying vague positive things about the Patriot Act, then tries to explain how the law expanded surveillance powers, but mostly botches the basic facts. From what we know thanks to the work of real reporters, the initial tip and the key evidence in that case came from a human infiltrator who steered the plotters to locations that had been physically bugged, not new Patriot tools.
Of course, it may well be that National Security Letters or other Patriot powers were invoked at some point in this investigation—the question is whether there’s any good reason to suspect they made an important difference. And that seems highly dubious. LaRose’s indictment cites the content of private communications, which probably would have been obtained using a boring old probable cause warrant—and the standard for that is far higher than for a traditional pen/trap order, which would have enabled them to be getting much faster access to more comprehensive cell records. Maybe earlier on, then, when they were compiling the evidence for those tools? But as several reports on the investigation have noted, “Jihad Jane” was being tracked online by a groups of anti-jihadi amateurs some three years ago. As a member of one group writes sarcastically on the site Jawa Report, the “super sekrit” surveillance tool they used to keep abreast of LaRose’s increasingly disturbing activities was… Google. I’m going to go out on a limb and say the FBI could’ve handled this one with pre-Patriot authority, and a fortiori with Patriot authority restrained by some common-sense civil liberties safeguards.
What’s a little more unusual is to see this segue into the kind of argument we usually see in the wake of an intelligence failure, where the case is then seen as self-evidently justifying still more intrusive surveillance powers, in this case the expansion of the “lone wolf” authority currently applicable only to foreigners, allowing extraordinarily broad and secretive FISA surveillance to be conducted against people with no actual ties to a terror group or other “foreign power.” Yet as Time itself notes:
In fact, Justice Department terrorism experts are privately unimpressed by LaRose. Hers was not a particularly threatening plot, they say, and she was not using any of the more challenging counter-surveillance measures that more experienced jihadis, let alone foreign intelligence agents, use.
Which, of course, is a big part of the reason we have a separate system for dealing with agents of foreign powers: They are typically trained in counterintelligence tradecraft with access to resources and networks far beyond those of ordinary nuts. What possible support can LaRose’s case provide for the proposition that these industrial-strength tools should now be turned on American citizens? They caught her—and without much trouble, by the looks of it. Sure, this domestic nut may have invoked to Islamist ideology rather than the commands of Sam the Dog or anti-Semitic conspiracy theories… but so what? She’s still one more moderately dangerous unhinged American in a country that has its fair share, and has been dealing with them pretty well under the auspices of Title III for a good while now.
Filed under: Foreign Policy and National Security; General; Law and Civil Liberties
The Least Obama Could Do for Civil Liberties
Sen. Patrick Leahy (D-VT) has just fired off a letter to Barack Obama urging him to finally appoint some members to the long-vacant Privacy and Civil Liberties Oversight Board, echoing a similar recent request from a coalition of civil liberties groups.
I don’t think anyone should make excuses for Obama’s appalling about-face on Patriot Act reform, but at least in that case there’s a real, difficult, and complex policy debate that needs to play out in a preoccupied Congress for anything to happen. But there is no reason whatever that seats on this board should sit vacant a year into this presidency. Congress agreed to create the independent board—after a predecessor within the White House was deemed to lack sufficient independence—back in 2007. There’s agreement that the board is needed; the president just needs to pick people to sit on it. Yet there are precious few signs he’s even conducting a serious search. After a long series of decisions that have appalled civil libertarians, staffing the watchdog group Congress created three years ago is, quite literally, the absolute least Obama could do to begin living up to his campaign rhetoric.
Annals of Unhelpful Polling: Internet Access Edition
A new BBC poll is garnering plenty of press attention for its striking finding that 78% of global respondents believe that Internet access “should be a fundamental right of all people.” Fascinating! Except… what exactly does that mean?
The obvious problem here is that, at least as it’s worded in English, the question is ambiguous between two equally plausible readings. Especially when juxtaposed with another question about whether the Internet should be regulated by government, it could be understood as asking whether there’s a fundamental negative right to be free to use the Internet — to read and communicate free of government censorship or other onerous barriers. That’s probably how we’d interpret a parallel question about whether people had a “fundamental right” to “access” information via newspapers or books.
Many folks, though, seem to be reading it as a measure of support for a fundamental positive right to be provided with (broadband?) Internet access. And that just seems a bit silly, frankly. There’s a decent case to be made that it’s desirable for governments that can afford it to make some kind of public Internet access available to citizens who can’t. You can even imagine that, a few years down the line, some states in the developed world might have moved so heavily toward interacting with the public online that it would become more or less necessary for full political equality. But a basic human right? Something that governments are “violating fundamental rights” if they don’t do? It’s not just that I don’t believe this; I have trouble imagining that much of anyone literally thinks so. A few of my friends at Free Press, maybe, but 4/5 of the world’s population? Color me dubious.
I’ll confess being startled at the response to a much less ambiguous question: A global majority agreed that “the Internet should never be regulated by any level of government anywhere.” While I find this pattern of responses congenial enough, I can’t take it much more seriously. After all, what falls under the category of “regulation of the Internet”? Censorship, of course, which I expect is what most people immediately thought of. But in reality, of course, there are a whole panoply of laws and rules that at least arguably “regulate” the Internet in some sense, some of which even I would approve of. I have many, many issues with the Digital Millennium Copyright Act, for instance, but there’s nothing wrong with the idea that there should be a basic protocol that provides both a safe harbor for service providers hosting user content and a mechanism for complaining about copyright-infringing or libelous or otherwise tortious material. Probably there are other “regulations” I’d approve too, but I’d have to sit and think about it for an hour to even enumerate all the different kinds of rules that might be considered to “regulate the Internet” in one way or another.
Because it’s at least not susceptible to such dramatically divergent readings, this response might be more useful as a kind of big-picture attitude check. But the reality is that almost none of the respondents can really mean it because even someone steeped in tech policy would have to sit and think about the question for a half hour to really get a grip on what it entails. Or might entail. If the BBC were engaged in some kind of serious social science, they probably would have worked up better questions. But of course, that’s not the business they’re in. They’re in the business of asking the sort of question that will let them run exciting headlines that get re-tweeted and drive page views. And 100% of respondents in my poll of myself agree they’ve succeeded.
Global Internet Freedom via Government Regulation?
This morning’s Senate Judiciary Committee hearing on global Internet freedom opened with Sen. Dick Durbin (D-IL) announcing that he would “introduce legislation that would require Internet companies to take reasonable steps to protect human rights or face civil or criminal liability.” Durbin’s staff tell me they’re in the early phases of hammering out a draft, so exactly what that amounts to isn’t clear yet, but my first-pass gut reaction is that this has the potential to do as much harm as good.
The argument for establishing some such set of rules is pretty straightforward: You don’t want the perverse scenario where corporations worry they’re shirking their fiduciary responsibility to their shareholders if they fail to compete in the market to provide sophisticated technologies of control and repression to the world’s most authoritarian regimes. You don’t want despots exploiting the innovation that springs from the very freedom they deny their own people as a means to cement their own control. It’s possible to frame this as a collective action problem, with tech companies happy to “do the right thing” provided all their competitors do—but with each ultimately deciding to play ball for fear that if they don’t, someone else will. If that accurately captures the dynamic—and, crucially, if the field of competitors is heavily concentrated in the United States—the binding power of legislation could increase the pressure on foreign governments to abandon repressive Internet policies. In theory, anyway.
Filed under: International Economics and Development; Telecom, Internet & Information Policy
Wars, Crimes, and Underpants Bombers
I’ve been meaning to follow up on Gene Healy’s post from last week on the interrogation and prosecution of terror suspects. I share Gene’s bemusement at the howls emanating from Republicans who have abruptly decided that George Bush’s longstanding policy of dealing with terrorism cases through the criminal justice system is unacceptable with a Democrat in the White House. But I also think it’s worth stressing that the arguments being offered — both in the specific case of Umar Farouk Abdulmutallab and more generally — aren’t very persuasive even if we suppose that they’re not politically motivated.
Two caveats. First, folks on both sides would do well to take initial reports about the degree of cooperation terror suspects are providing with a grain of salt. For reasons too obvious to bother rehearsing, investigators won’t always want to broadcast accurately or in detail the precise degree of cooperation a suspect is providing. Second, as Gene noted, given that it seems unlikely we’ll need to use Abdulmutallab’s statements against him at trial, the question of whether the civilian or military system is to be preferred can be separated from the argument about the wisdom of Mirandizing him. That said, the facts we have just don’t seem to provide a great deal of support for the conclusion that, warning or no, criminal investigators are somehow incapable of effectively questioning terrorists.
Certainly if you ask veteran FBI interrogators, they don’t seem to share this concern that they won’t be able to extract intelligence their military counterparts would obtain. You might put that assessment down to institutional pride, but it’s consistent with the evidence, as the FBI has had impressive successes on this front already. And if you don’t want to take their word for it, you can always ask Judge Michael Mukasey who, before becoming attorney general under George W. Bush, ruled that military detainees were entitled to “lawyer up” — as critics of the Bush/Obama approach are wont to put it — explicitly concluding that “the interference with interrogation would be minimal or nonexistent.”
Filed under: Foreign Policy and National Security; Law and Civil Liberties
Patriot Act Update
It looks as though we’ll be getting a straight one-year reauthorization of the expiring provisions of the Patriot Act, without even the minimal added safeguards for privacy and civil liberties that had been proposed in the Senate’s watered down bill. This is disappointing, but was also eminently predictable: Between health care and the economy, it was clear Congress wasn’t going to make time for any real debate on substantive reform of surveillance law. Still, the fact that the reauthorization is only for one year suggests that the reformers plan to give it another go—though, in all probability, we won’t see any action on this until after the midterm elections.
The silver lining here is that this creates a bit of breathing room, and means legislators may now have a chance to take account of the absolutely damning Inspector General’s report that found that the FBI repeatedly and systematically broke the law by exceeding its authorization to gather information about people’s telecommunications activities. It also means the debate need not be contaminated by the panic over the Fort Hood shootings or the failed Christmas bombing—neither of which have anything whatever to do with the specific provisions at issue here, but both of which would have doubtless been invoked ad nauseam anyway.
Filed under: Foreign Policy and National Security; General; Government and Politics; Law and Civil Liberties; Telecom, Internet & Information Policy
School Webcams and Strange Gaps in Surveillance Law
Last week, I noted the strange story of a lawsuit filed by parents who allege that their son was spied on by school officials who used security software capable of remotely activating the webcams in laptops distributed to students. A bit more information on that case has since come out. The school district has issued a statement which doesn’t get into the details of the case, but avers that the remote camera capability has only ever been used in an effort to locate laptops believed to have been lost or stolen. (That apparently includes a temporary “loaner computer that, against regulations, might be taken off campus.”) They do, however, acknowledge that they erred in failing to notify parents about this capability. The lawyer for the student plaintiff is now telling reporters that school officials called his client in to the vice principal’s office when they mistook his Mike and Ike candies for illegal drugs.
Perhaps most intriguingly, a security blogger has done some probing into the technical capabilities of the surveillance software used by the school district. The blogger also rounds up comments from self-identified students of the high school, many of whom claim that they noticed the webcam light on their school-issued laptops flickering on and off—behavior they were told was a “glitch”—which may provide some reason to question the school’s assertion that this capability was only activated in a handful of cases to locate lost laptops. The FBI, meanwhile, has reportedly opened an investigation to see whether any federal wiretap laws may have been violated.
It’s this last item I want to call attention to. The complaint against the school district states a number of causes of action. The most obvious one—which sounds to me like a slam dunk—is a Fourth Amendment claim. But there are also a handful of claims under federal wiretapping statutes, specifically the Electronic Communications Privacy Act and the Stored Communications Act. These are more dubious, and rest on the premise that the webcam image was an “electronic communication” that school officials “intercepted” (as those terms are used in the statute), or alternatively that the activation of the security software involved “unauthorized” access by the school to its own laptop. The trouble is that courts considering similar claims in the past have held that federal electronic surveillance law does not cover silent video surveillance—or rather, the criminal wiretap statutes don’t.
That leads to a strange asymmetry in a couple of different ways. First, intelligence surveillance covered by the Foreign Intelligence Surveillance Act does include silent video monitoring. Second, it seems to provide less protection for a type of monitoring that is arguably still more intrusive. If officials had turned on the laptop’s microphone, that would fall under ECPA’s prohibition on intercepts of “oral communications.” And if the student had been engaged in a video chat using software like Skype, that would clearly constitute an “electronic communication,” even if the audio were not intercepted. But at least in the cases I’m familiar with, the courts have declined to apply that label to surreptitiously recorded silent video—which one might think would be the most invasive of all, given that the target is completely unaware of being observed by anybody.
One final note: The coverage I’m seeing is talking about this as though it involves one school doing something highly unusual. It’s not remotely clear to me that this is the case. We know that at least one other school district employs similar monitoring software, and a growing number of districts are experimenting with issuing laptops to students. I’d like to see reporters start calling around and find out just how many schools are supplying kids with potential telescreens.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Big Teacher Is Watching
Researching government invasions of privacy all day, I come across my fair share of incredibly creepy stories, but this one may just take the cake. A lawsuit alleges that the Lower Merion School District in suburban Pennsylvania used laptops issued to each student to spy on the kids at home by remotely and surreptitiously activating the webcam built into the bezel of each one. The horrified parents of one student apparently learned about this capability when their son was called in to the assistant principal’s office and accused of “inappropriate behavior while at home.” The evidence? A still photograph taken by the laptop camera in the student’s home.
I’ll admit, at first I was somewhat skeptical—if only because this kind of spying is in such flagrant violation of so many statutes that I thought surely one of the dozens of people involved in setting it up would have piped up and said: “You know, we could all go to jail for this.” But then one of the commenters over at Boing Boing reminded me that I’d seen something like this before, in a clip from Frontline documentary about the use of technology in one Bronx school. Scroll ahead to 4:37 and you’ll see a school administrator explain how he can monitor what the kids are up to on their laptops in class. When he sees students using the built-in Photo Booth software to check their hair instead of paying attention, he remotely triggers it to snap a picture, then laughs as the kids realize they’re under observation and scurry back to approved activities.
I’ll admit, when I first saw that documentary—it aired this past summer—that scene didn’t especially jump out at me. The kids were, after all, in class, where we expect them to be under the teacher’s watchful eye most of the time anyway. The now obvious question, of course, is: What prevents someone from activating precisely the same monitoring software when the kids take the laptops home, provided they’re still connected to the Internet? Still more chilling: What use is being made of these capabilities by administrators who know better than to disclose their extracurricular surveillance to the students? Are we confident that none of these schools employ anyone who might succumb to the temptation to check in on teenagers getting out of the shower in the morning? How would we ever know?
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
My Constitutional Romance
You’ve seen Hayek and Keynes battle rapping. Now, our Emo Founding Fathers:
Retroactive Surveillance Immunity, Obama Style
There’s a lot to unpack in the Office of the Inspector General’s blistering 300-page report on illegal FBI abuse of surveillance authority issued last month, but I want to highlight one especially worrisome aspect, about which I spoke with The Atlantic’s Marc Ambinder earlier today.
The very short version of the report’s background finding is that, for several years, analysts at the FBI blithely and illegally circumvented even the minimal checks on their power to demand telephone records under the PATRIOT Act. I’ll go into this further in a future post, but there are strong indicators that the agents involved knew they were doing something shady. Thousands of records were obtained using a basically made-up process called an “exigent letter” wherein they ask for records with what amounts to an IOU promising legitimate legal process any day now. (In many of those cases, the legitimate legal process would not actually have been available for the records obtained.) Still more disturbing, an unknown number of records were obtained without even this fictitious process: Agents simply made informal requests verbally, by e-mail, or via post-it note. And hey, why bother with subponeas or National Security Letters when you can just slap a sticky on someone’s monitor?
Treated to a preview of the OIG’s damning conclusions, the FBI was eager to find some way to cover its massive lawbreaking. So they apparently crafted a novel legal theory after the fact, in hopes of finding some way to shoehorn their actions into federal privacy statutes. On January 8—as in four weeks ago, years after the conduct occurred—the Office of Legal Counsel seems to have blessed the FBI’s theory, which unfortunately remains secret. Democratic Sens. Russ Feingold, Dick Durbin, and Ron Wyden have asked the Justice Department for details, but at present we just don’t know what kind of loopholes DOJ believes exist in the law meant to protect our sensitive calling records.
Communications records are generally protected by Chapter 121 of Title 18, known to its buddies as the Stored Communications Act. The few snippets of unredacted material in the OIG report suggest that the FBI’s argument is that the statute does not apply to certain classes of call records. Presumably, the place to look for the loophole is in §2702, which governs voluntary disclosures by telecom firms. There is, of course, an exemption for genuine emergencies—imminent threats to life and limb—but these, we know, are not at issue here because most of the records were not sought in emergency situations. But there are a number of other loopholes. The statute governs companies providing electronic communications services “to the public”—which encompasses your cell company and your ISP, but probably not the internal networks of your university or employer. The activity at issue here, however, involved the major telecom carriers, so that’s probably not it. There’s another carve-out for records obtained with the consent of the subscriber, which might cover certain government employees who’ve signed off on surveillance as a condition of employment. We do know that in some cases, the records obtained had to do with leak investigations, but that doesn’t seem especially likely either, since the FBI claims (though the OIG expresses its doubts about the veracity of the claim) that the justification would apply to the “majority” of records obtained.
My current best guess, based on what little we know, is this. The SCA refers to, and protects from disclosure to any “government entity,” the records of “customers” and “subscribers.” But telecommunications firms may often have records about the calling activity of people who are not the customers or subscribers of that company. For example, reciprocal agreements between carriers will often permit a phone that’s signed up with one cell provider to make use of another company’s network while roaming. When these outside phones register on a network, that information goes to a database called the Visitor Location Register. You could imagine a clever John Yoo type arguing that the SCA does not cover information in the VLR, since it does not constitute a “subscriber” or “customer” record. Of course, it beggars belief to think that Congress intended to allow such a loophole—or, indeed, had even considered such technical details of cell network architecture.
My guess, to be sure, could be wrong. But that just points to the larger problem: The Justice Department believes that some very clever lawyerly reading of the privacy statutes—so very clever that despite the rampant “creativity” of the Bush years, they only just came up with it a few weeks ago—permits the FBI to entirely circumvent all the elaborate systems of checks and balances in place (or so we thought) to protect our calling records. If investigators can write themselves secret exemptions from the clear intent of the law, then all the ongoing discussion about reform and reauthorization of the PATRIOT Act amounts to a farcical debate about where to place the fortifications along the Maginot Line.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Larry Lessig and the Lunching Libertarians
Outside the realm of copyright, Cato folk (and libertarians generally) don’t often see eye-to-eye with left-leaning cyberlawyer and Harvard prof Lawrence Lessig. Nevertheless, I wasn’t too surprised when Lessig signaled his interest in opening a dialogue with Cato scholars about his Change Congress project and his research on political corruption. After all, we’ve long argued that an expansive state will inevitably attract moneyed interests eager to feed at the public trough or co-opt well-intentioned regulation to stifle competitors. And as Lessig argues, legislators may come to see growing government as a means of creating supportive constituencies.
He’s posted the presentation he gave to a group of us at a luncheon discussion earlier this week, which I think makes an interesting case:
As he writes over at the Huffington Post, we see many of the same structural problems, though we differ as to the solutions. Lessig has been critical of the legal reasoning behind the recent Citizens United decision, which we at Cato welcomed. Despite this, we were pleasantly surprised to hear Lessig aver that he is not interested in overturning the decision—that he prefers, rather, to find ways of reducing the political influence of special interest money without restricting speech. Lessig’s favored solution is public financing of elections, whereas I think the majority here at Cato share the skepticism of my colleague John Samples about the viability of that kind of reform.
Filed under: Government and Politics; Political Philosophy; Telecom, Internet & Information Policy
Fresh Surveillance Data Show Spike in Traffic Tracking
The Department of Justice is required to report annually to Congress on its use of an array of surveillance tools. These include so-called “pen register” and “trap-and-trace” orders (often combined as “pen/trap orders”), which give investigators realtime access to traffic data from a target’s telephone or e-mail/Internet accounts. In combination with another type of court order, these are sometimes used to gather location tracking data on cellular users, but they’re primarily used to establish patterns of communication—to determine who the target is in contact with, and when. (Those in contact with the target may then come under further scrutiny.)
Unfortunately, there’s been no public reporting on the use of pen-traps since a five-year dump the Justice Department submitted in 2004. It’s not clear whether Congress, at least, has been getting them—other such surveillance reports are typically posted on the DOJ Web site—but thanks to intrepid privacy researcher Chris Soghoian and the Freedom of Information Act, we now have statistics on the use of pen-trap orders. In 2002, the federal government sought 4103 pen register orders (affecting 6540 people’s phone lines). By 2008, that number had risen to a whopping 11,126 pen register orders (affecting 13,998 people’s phones)—in other words, an increase of more than 171%. Bear in mind, that’s 13,998 people having their call behavior monitored in realtime, just at the federal level, and not counting foreign intelligence pen/traps under FISA. (I nevertheless use the first full year after 9/11 as a comparison point, since one might expect an uptick in terror-related criminal investigations.) It’s also not counting government requests for people’s historical call records—records that USA Today reported in 2006 were being vacuumed into a massive database by the tens of millions.
As the graph makes clear, it has also become more common for agencies to routinely obtain trap-and-trace orders (for data on incoming calls) when they obtain a pen register order (for outgoing calls), though the extent of the increase may be exaggerated because the U.S. Marshals Service, which appears to get combined pen/trap orders by default, did not provide separate statistics for trap-and-trace requests prior to 2004. The Justice Department also now appears to have begun tracking orders for e-mail and electronic networks, though it’s unclear whether these are being counted separately or represent a subset of the general pen/trap figures. In 2008, the FBI, DEA, and U.S. Marshals Service reported a total of 208 such orders.
What explains that substantial spike, at a lag of several years after 9/11? One possibility is that increasingly sophisticated tools for social network analysis and pattern-based data mining have made pen/trap orders a more valuable tool—or at least made them appear more valuable to investigators—for ferreting out suspicious patterns or uncovering organizational structures. Fans of the justly-celebrated HBO series The Wire may recall the episode “Back Burners,” in which Detective Lester Freamon shows a map of the Stanfield crew’s communication patterns, suggesting that it’s typical of a drug-dealing organization. There’s another technological angle to consider: If automation and digitization of the request process make it relatively painless to get pen/trap data, agents may be more likely to request more of them.
Intriguingly, the U.S. Marshals Service accounts for a huge proportion of the increase. In 2002, they sought only 556 pen registers (compared with 1703 for the FBI and 1841 for DEA). That had grown nearly tenfold by 2008, to a stunning 5475 (far more than the 2092 sought by FBI or 3260 for DEA). This, surely, is the figure that most cries out for further inquiry. Why is the USMS doing ten times the amount of traffic surveillance they conducted in 2002? I’ve put in a query with their public affairs office, but I’d encourage any enterprising reporters out there to follow up as well.
Let Me School You in My Austrian Perspective
It’s been making the rounds, but in case anyone hasn’t seen it, this Hayek/Keynes Battle Rap — with Friend-of-Cato Russ Roberts penning the rhymes of F.A. (for “Flow Assassin”) Hayek — may be humanity’s greatest contribution to the fields of music, theater, and political economy all at once:
If You Prick a Corporation, Does It Not Bleed?
Well, no, because as my liberal friends all seem to be indignantly announcing in the aftermath of the Citizens United ruling, corporations aren’t really people! They’re creatures of statute, and “corporate personhood” is just a convenient legal fiction. Which is fair enough, but also seems to miss the point rather spectacularly. As a practical matter, it is hard to imagine any constitutional liberty that could not be reduced to a hollow joke if we refused to count as an infringement any regulation that nominally targeted only the corporate mechanism for coordinating its exercise.
Having dispensed with the repellent doctrine of corporate personhood, we can happily declare that journalists enjoy full freedom of the press … as long as they don’t plan on using the resources of the New York Times Company or Random House or Comcast, which as mere legal fictions can be barred from using their property to circulate unpatriotic ideas. You’re free to practice your religion without interference — but if it’s an unpopular one, well, let’s hope you don’t expect to send your kids to a religious school or build a church or something, because those tend to involve incorporating. A woman’s right to choose is sacrosanct, but since clinics and hospitals are mere corporations with no such protection, she’d better hope she knows a doctor who makes house calls. Fill in your own scenarios, it’s easy.
The irony here is that it’s libertarians who are often accused of a myopic obsession with formal liberties rather than their real-world value to people — “the law in its majestic equality” and all that. But this, surely, would be the height of empty formalism — a right to swing your fist that stops at the air.
I think people are obsessing over this because we often think of rights as flowing, at least in part, from respect for our intrinsic human dignity, and it seems equal parts farcical and offensive to suggest that institutions like Exxon and Nike are in the same moral category. As a purely ethical matter, of course corporations as such don’t have rights. As a practical matter, though, rights that wither at the corporate touch won’t do you a whole lot of good in the 21st century.
Filed under: Government and Politics; Law and Civil Liberties
Hijacking Neutrality
Perhaps he’s too demure to say “I told you so” himself, but events are bearing out the concerns about net neutrality and regulatory capture that Tim Lee expressed in his excellent Cato paper “The Durable Internet.” The content industry is lobbying not just to ensure that neutrality rules permit filtering of Internet traffic by ISPs to block copyrighted material, but wants the FCC to positively encourage it. As a brief from the Motion Picture Association of America suggests:
In fact, if the Commission wants to see a meaningful and long-term reduction in the amount of bandwidth consumed by illegal content, it should foster an environment in which innovation itself is able to flourish and new tools are not only permitted, but encouraged, to develop. The government should create incentives for this investment by clarifying that industry efforts will be rewarded with open and flexible regulations.
The Electronic Frontier Foundation has been out of step with some of their usual allies on this front, arguing that however desirable the open Internet might be, the broad assertion by the FCC of authority to control network architecture sets a dangerous precedent. The implicit threat to ISPs here is: “Go along with our wish list for intrusive filtering or we’ll find a way to use the rules to make trouble for you.”
The telecoms, meanwhile, are pressing for the applicability of neutrality rules to all sorts of other application-level service providers, such as Google. An AT&T filing argued that “the commission cannot rationally impose rules on one set of providers based on hypothetical concerns while exempting other providers that act as Internet gatekeepers and have engaged in actual misconduct.” They specifically called out Google, which they assert “shapes how consumers actually experience the Internet more than any given broadband provider possibly could.”
It would, to be sure, be perverse if industry players managed to use regulations designed to promote openness and innovation as a cudgel with which to whack innovative competitors. But in the world of regulation, no less than in the domains studied by Alfred Kinsey, it turns out that the perverse is perfectly normal.
‘A Career Where X-Ray Vision And Federal Benefits Come Standard’
That’s the slogan the Transportation Security Administration is apparently using to entice people to apply for jobs as airport screeners. Now that they’re preparing to expand the use of whole body imaging scanners, which can produce moderately detailed nude images of travelers, maybe they should consider a tagline that doesn’t sound like it’s designed to recruit voyeurs.
Filed under: Foreign Policy and National Security; Law and Civil Liberties
Surveillance, Security, and the Google Breach
Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents. One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information. And as Macworld reports, that’s precisely where the attackers got in:
That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.
This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.
As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telcoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.
The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic. Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.
The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.
Filed under: General; Telecom, Internet & Information Policy
No Privacy Please, We’re Millennials
TrueSlant’s Kashmir Hill notes—and endorses—Facebook CEO Mark Zuckerberg’s conclusion that the kids today won’t stay off my lawn just don’t care much about privacy.
On the one hand, this shouldn’t be terribly surprising. Quite apart from the recent proliferation of social networking technology, generational researchers have long contrasted the heavily supervised and scheduled upbringings of (middle class) Millennials born in the ’80s and early ’90s with that of their “latch key” Gen X predecessors. And for anyone currently of college age, post-9/11 levels of security theater are viewed not as a novel expansion of official intrusion, but as the baseline, as normal. This can’t be a matter of total indifference to the fogeys among us, because shifting norms will affect both legislators’ willingness to ratchet up surveillance and, at least potentially, judicial assessments of which “expectations of privacy” society is prepared to recognize as “reasonable” for Fourth Amendment purposes.
Still, let me throw out some grounds for questioning this broad generational diagnosis. Privacy is not just a function of the raw quantity of information available about each of us, but of the control we exercise over that information. To be sure, it may seem that we have less of that as well when any scrap of data that appears on the Internet can so easily be copied and circulated. But for the generation that came of age online, those scraps of data are often part of a very conscious public performance of identity. Not necessarily a performance all of them will be eager to own ten years down the line, but a performance all the same.
In his excellent book The Digital Person, legal scholar Dan Solove contrasts two kinds of privacy dystopia: the Orwellian and the Kafkaesque. The focus in the Orwellian vision is on exposure: Big Brother’s spies and cameras are everywhere, and no detail of your personal life too minute to escape notice. But the plight of Kafka’s Josef K. is somewhat different: He finds himself at the mercy of an inscrutable bureaucracy, with no access to the details of his case file, and no way of tracing the provenance of the information it contains or correcting errors. We are more exposed, but we increasingly set the terms of our exposure.
It’s easy to look at all the information that comes up in a simple Google search for someone’s name and conclude that privacy is dead. But I think it’s at least as significant that the crucial first page of results is likely to consist of information that the individuals themselves have chosen to make public: Blogs, Facebook or MySpace profiles, Twitter accounts, Last.fm pages, YouTube channels. A similar inquiry a generation ago surely would have been much more laborious and less fruitful, but it also would have consisted to a far greater extent of what others had to say about the target: gossip first and foremost, but perhaps also press mentions, official records, and so on. It’s not that such information is now less accessible, but for the average person, it’s pushed to the margin by what we’ve chosen to disclose. That’s not an unmixed blessing—some may feel as though this merely traps them in a kind of openness arms race—but neither is it the privacy death-spiral a purely quantitative analysis might suggest.
George Clooney’s Docile Body
Running the airport maze to board my flight from Madrid back to the U.S. last week, I found myself thinking, with no small measure of envy, about Ryan Bingham, George Clooney’s character from Up in the Air. The ultimate frequent flier, Bingham slides shoes and belt off, flips laptop from case, and aligns them neatly on the x-ray conveyor in a seamless, fluid display of security Tai Chi. He navigates from curb to gate and back with crisp efficiency, every motion practiced and automatic.
My envy was tempered somewhat as I reread Discipline and Punish on the trip back. Bingham’s military precision, it struck me, was the product of a form of training implicit in the security process. As a corrective brace “teaches” the proper posture just by making it the only comfortable one, the screening procedures embed a set of tacit instructions, consisting of the optimal set of motions required to pass through smoothly. And of course, it teaches more than bodily motions: Bigham knows you don’t stand behind the Arabs in the screening line!
That’s not to say airport security is some kind of insidious brainwashing program, but there’s a dimension of privacy here that it seems to me we don’t talk about nearly enough. Our paradigms of privacy harms are invasion (the jackboot at the door, in the extreme case) and exposure (the intimate detail revealed). We generally think of these as exceptions — as what happens when surveillance goes wrong, either because it gets the wrong target or, when the surveillance is universal by design, because information that’s supposed to remain protected falls into the wrong hands or is otherwise misused. Invasion and exposure may be serious problems, but they are fundamentally mistakes — hiccups in the system we can seek to fix.
Discipline, by contrast, is what inevitably happens when the system functions as intended, at least to the extent people are conscious of being (actual or potential) targets of surveillance. It is probably not as serious a harm as invasion or exposure most of the time, but it’s also by far the most pervasive and ineradicable effect of surveillance. It would be nice if our debates about surveillance included not just the question “What will be exposed?” but also “How — and for what — are we training ourselves?”
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets