Category: Privacy (Electronic Surveillance)

0

Information Privacy Law Casebook Update

casebook2.jpgI’m pleased to announce that Paul Schwartz and I have just completed an update to our casebook, Information Privacy Law (Aspen 2006). The update is 111 pages, and is available for download (free of charge) at the casebook’s website. Among other things, it includes excerpts of many new cases: Bonome v. Kaysen, Barrett v. Rosenthal, MacWade v. Kelly, US v. Andrus, Warshak v. US, Doe v. Cahill, US v. Ellison, Gonzales v. Google, Georgia v. Randolph, Copland v. UK, and more. It also includes discussions of the NSA surveillance program, the litigation regarding the NSA surveillance, the Protect America Act of 2007 (amending FISA), national security letter litigation, the Virginia Tech shooting and privacy laws, data security breaches, US-EU sharing of airline passenger data, and more. Additionally, it includes excerpts from many new scholarly books and articles.

A new edition is in the works, and it will be ready for use in the spring 2009 semester. The book will be available in late 2008 so instructors can plan their courses. If you’re a professor currently using the book or are considering using the book in a class, please email me with any comments and suggestions for the next edition.

10

Federal Judge Strikes Down Patriot Act NSL Provision

Earlier today, a federal judge struck down a part of the Patriot Act allowing the service of National Security Letters without judicial oversight. An AP report on the decision can be found here. NSLs, as Dan has blogged about here and here, are a statutory authorization to the FBI that allow it to secretly obtain records about people from businesses and instututions with which they have a relationship. NSLs don’t require judicial oversight and some requirement of individualized suspicion or probably cause, but merely some “relevance” to an ongoing national security investigation. This relevance determination is made internally by the FBI and does not have to be put before a neutral judge or other official.

The opinion is complicated (and long at 106 pages), but I think any assertion that NSLs need to be regulated by a neutral decisionmaker is a step in the right direction. NSLs, as the district court recognizes, threaten First Amendment values. As I’ve argued in a recent article, NSLs threaten a variety of important interests, but most especially threaten the intellectual privacy of ordinary people. NSLs can be used to request a wide variety of information, including historical and transactional information relating to telephone calls and e-mails. As intellectual activity becomes increasingly mediated by the use of computers and the Internet (i.e., what you are doing right now in reading this post), the records created from such activity remain secreted by ISPs, websites like this one, and on our hard drives. The creation of these records provide a potential gold mine to government and others who are interested in learning about the ways in which we engage with and develop our thoughts and ideas. Both popular literature and legal theory have long documented the chilling effect on expression that results from the surveillance of our intellectual activities (including reading, thinking, and speaking). NSLs are one of the main tools by which government can obtain information about our intellectual activities, and thus the interposition of some meaningful legal constraint upon the power of the government to do this is essential. This is not to minimize the government interest in deterring and preventing threats to our national security, but merely to note that when the government engages in intellectual surveillance, there is an equally important interest on the other side — our freedom of thought and our ability to generate new and potentially controversial ideas.

This important case is certain to be appealed by the government, and it will be interesting to see what happens.

0

Congress, the President, and NSA Surveillance

Congress recently passed a broad authorization of the NSA surveillance program, bowing to pressure from President Bush. From the New York Times:

Racing to complete a final rush of legislation before a scheduled monthlong break, the House voted 227 to 183 to endorse a measure the Bush administration said was needed to keep pace with communications technology in the effort to track terrorists overseas. . . .

There was no indication that lawmakers were responding to new intelligence warnings. Rather, Democrats were responding to administration pleas that a recent secret court ruling had created a legal obstacle in monitoring foreign communications relayed over the Internet.

They also appeared worried about the political repercussions of being perceived as interfering with intelligence gathering.

The impetus for this legislation appears to be a decision by a FISA court judge that parts of the NSA surveillance program violate FISA. But apparently, that decision came about four or five months ago — yet the Administration waited until the eve of Congress’s recess to make the call for this legislation. Why wait until now?

Over at Balkinization, Marty Lederman (Georgetown Law Center) wonders why the Bush Administration conducted the NSA surveillance program illegally when it could have readily obtained Congressional approval:

Doesn’t this give the NSA all it had under the “TSP” between March 2004 and January 2007 — and much, much more, since there’s no requirement of any tie to an Al-Qaeda-related person? If so, and if they could get this sort of a deal from a Democratic-controlled Congress, what does that say about their unwillingness to go to a Republican-led Congress for those four years to seek a similar legislative fix, and to violate FISA unilaterally and in secret on the basis of a threadbare AUMF/Article II rationale? Is there any excuse now for their not having invoked the ordinary constitutional processes?

Jack Balkin (Yale Law School) captures the import over this latest incident most vividly:

Between the Party of Fear and the Party Without a Spine, there does not seem to be much opportunity to keep the National Surveillance State benign. Nor does there seem to be any political check on the development of an increasingly authoritarian Presidency, which controls the levers of secrecy, surveillance, and military force.

Do not be mistaken: We are not hurtling toward the Gulag or anything that we have seen before. It will be nothing so dramatic as that. Rather, we are slowly inching, through each act of fear mongering and fecklessness, pandering and political compromise, toward a world in which Americans have increasingly little say over how they are actually governed, and increasingly little control over how the government collects information on them to regulate and control them.

1

London-style CCTV Coming to New York

CCTV 2.JPGDan’s post about CCTVs in London coincides with a report by CNN that if Manhattan can obtain $90 million in funding (not to mention $8 million a year for maintenance), the city will install its own “Ring of Steel” as the British call it. The plan is called the Lower Manhattan Security Initiative and the claim is that “The primary purpose of the system is deterrence, and then an investigative tool.”

Yet at least in London it appears that the cameras have helped track people after a crime has been committed while deterence is harder to show. Here are some choice quotes from the CNN article in which Steve Swain who worked with London’s system for four years talks about his experience with the London system:

“I don’t know of a single incident where CCTV has actually been used to spot, apprehend or detain offenders in the act, he said, referring to the London system. … Asked about their role in possibly stopping acts of terror, he said pointedly: “The presence of CCTV is irrelevant for those who want to sacrifice their lives to carry out a terrorist act.” … Swain does believe the cameras have great value in investigation work. He also said they are necessary to reassure the public that law enforcement is being aggressive. “You need to do this piece of theater so that if the terrorists are looking at you, they can see that you’ve got some measures in place,” he said.

In contrast the article also details the way that Washington D.C.; Atlanta, Georgia; Baltimore, Maryland; and Chicago, Illinois among other cities use private cameras mixed with public ones as part of law enforcement . In addition, some cities have seen a drop in crime which they attribute to the cameras.

In short, one way or the other cameras are here, and we are on them. So whiten those teeth, fix your hair, get an agent, and smile, because This Is Your Life is back, and you are the star.

1

CCTV as Entertainment

cctv1a.jpgBritain has implemented an extensive video surveillance system called Closed Circuit Television (CCTV), with over 4 million cameras watching over public areas. The purpose of the cameras is for officials in monitoring centers to watch for suspicious behavior and dispatch the police if they see crime developing. CCTV footage has also been used to investigate crimes. For more about CCTV, see this great article by my colleague, Jeffrey Rosen.

In a classic example of the secondary use of information–the use of personal data for another purpose totally unrelated to the purpose for which it was originally collected–CCTV clips are frequently used by the media to entertain. From the Daily Mail:

Television shows should not be allowed to use CCTV footage as entertainment, the privacy watchdog said.

Information Commissioner Richard Thomas said it was inappropriate for images from surveillance systems set up to fight crime to be broadcast.

The crackdown could spell the end for shows that present surveillance of crimes, accidents and public disorder such as Police, Camera, Action or Booze Britain.

But it is unlikely to stop footage being shown on the news or Crimewatch.

He also set out tougher rules limiting the spread of surveillance cameras, amid growing fears that the network is creating a Big Brother state.

There are 4.2million CCTV cameras in Britain and it is estimated that people in cities are filmed 300 times a day.

Mr Thomas has already warned that Britain is the most watched country in the world.

Issuing new draft guidelines he said: “You should carefully consider whether to use CCTV.

“The fact that it is possible, affordable or has public support should not be the primary motivating factor.’

Condemning its use on TV, his report said: “It would not be appropriate to disclose images of identifiable individuals to the media for entertainment.”

Simon Davis, director of campaign group Privacy International, said: “As viewers we should be weaned off that habit. It’s often pure entertainment with no public interest.

The UK has already gotten into trouble with the European Court of Human Rights for its use of CCTV footage. In Peck v. United Kingdom, 44647/98 [2003] ECHR 44, the UK was found in violation of Article 8 of the Convention for the Protection of Human Rights for supplying CCTV footage of a man attempting suicide.

1

EFF Obtains Documents from FBI About Surveillance Abuses

eff.jpgEFF has obtained a big bunch of documents from the FBI via the Freedom of Information Act pertaining to its surveillance abuses. From the EFF announcement:

EFF has obtained FBI documents showing years of chronic problems with its use of National Security Letters (NSLs). The issue first drew widespread attention four months ago, when the Department of Justice Office of the Inspector General released a report [31M PDF] revealing extensive misuse of NSLs in a sampling of four FBI field offices.

I blogged about the Inspector General’s report here.

Among other things, the documents reveal that Attorney General Alberto Gonzales received several reports about FBI abuses before declaring to Congress that there were no instances of civil liberties abuses. According to a story in the Washington Post based on the EFF documents:

As he sought to renew the USA Patriot Act two years ago, Attorney General Alberto R. Gonzales assured lawmakers that the FBI had not abused its potent new terrorism-fighting powers. “There has not been one verified case of civil liberties abuse,” Gonzales told senators on April 27, 2005.

Six days earlier, the FBI sent Gonzales a copy of a report that said its agents had obtained personal information that they were not entitled to have. It was one of at least half a dozen reports of legal or procedural violations that Gonzales received in the three months before he made his statement to the Senate intelligence committee, according to internal FBI documents released under the Freedom of Information Act.

The acts recounted in the FBI reports included unauthorized surveillance, an illegal property search and a case in which an Internet firm improperly turned over a compact disc with data that the FBI was not entitled to collect, the documents show. Gonzales was copied on each report that said administrative rules or laws protecting civil liberties and privacy had been violated.

The reports also alerted Gonzales in 2005 to problems with the FBI’s use of an anti-terrorism tool known as a national security letter (NSL), well before the Justice Department’s inspector general brought widespread abuse of the letters in 2004 and 2005 to light in a stinging report this past March.

13

A Critique of the “Nothing to Hide” Argument

skeleton-in-closet.jpgLast year, I wrote a post asking about whether there was a good response to the “nothing to hide” argument:

One of the most common attitudes of those unconcerned about government surveillance or privacy invasions is “I’ve got nothing to hide.” I was talking the issue over one day with a few colleagues in my field, and we all agreed that thus far, those emphasizing the value of privacy had not been able to articulate an answer to the “nothing to hide” argument that would really register with people in the general public.

I received many thoughtful responses.

For a symposium about the philosophy of privacy in San Diego Law Review, I decided to return to the question with a short essay entitled “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy. I’ve posted a draft on SSRN. Here’s the abstract:

In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the “nothing to hide” argument. When asked about government surveillance and data mining, many people respond by declaring: “I’ve got nothing to hide.” According to the “nothing to hide” argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The “nothing to hide” argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the “nothing to hide” argument and exposes its faulty underpinnings.

The essay discusses my blog post and some of the comments. In the essay, I apply the theory of privacy I’ve been developing over the years to analyze the issue — in particular, my taxonomy of privacy. Is my response to the “nothing to hide” argument persuasive? I welcome any comments and feedback.

3

ACLU v. NSA

NSA3.jpgIn ACLU v. NSA, –F.3d — (6th Cir. 2007), a panel from the 6th Circuit held that the ACLU and other plaintiffs lacked standing to challenge the Bush Administration’s warrantless wiretapping program conducted by the National Security Agency (NSA). NYT coverage is here. According to the sketchy details known about the program, the court noted, “it has been publicly acknowledged that the TSP [the Terrorist Surveillance Program, as it has now been named by the Administration] includes the interception (i.e., wiretapping), without warrants, of telephone and email communications, where one party to the communication is located outside the United States and the NSA has ‘a reasonable basis to conclude that one party to the communication is a member of al Qaeda, affiliated with al Qaeda, or a member of an organization affiliated with al Qaeda, or working in support of al Qaeda.”

The plaintiffs are “journalists, academics, and lawyers who regularly communicate with individuals located overseas, who the plaintiffs believe are the types of people the NSA suspects of being al Qaeda terrorists, affiliates, or supporters, and are therefore likely to be monitored under the TSP.” The plaintiffs claimed that the NSA wiretapping violated, among other things, the First Amendment, Fourth Amendment, and the Foreign Intelligence Surveillance Act (FISA).

According to Judge Batchelder’s opinion, the plaintiffs could not establish standing because they could not directly prove that they were subject to surveillance. One of the problems with the court’s reasoning is that there is little way for the plaintiffs to find out more specific information about whether particular plaintiffs’ phone calls have been wiretapped. As a result, the government can violate the plaintiffs’ First and Fourth Amendment rights with impunity if they cannot ever learn enough to gain standing to challenge the surveillance.

In a recent article, The First Amendment as Criminal Procedure, 82 N.Y.U. L. Rev. 112 (2007), I examined the nature of the injury to First Amendment activities from government surveillance. I wrote:

Determining the existence of a chilling effect is complicated by the difficulty of defining and identifying deterrence. It is hard to measure the deterrence caused by a chilling effect because it is impossible to determine with certainty what people would have said or done in the absence of the government activity. Often, the primary evidence will be a person’s own assertions that she was chilled, but merely accepting such assertions at face value would allow anyone claiming a chilling effect to establish one. At the same time, demanding empirical evidence of deterrence is impractical because it will often be impossible to produce.

In other words, the chilling effect doctrine is a mess. By requiring too much specific proof of deterrence, courts can effectively make it impossible for any plaintiff to establish a chilling effect. In my article, I attempted to use First Amendment doctrines to help illuminate a more meaningful approach toward analyzing the existence of a chilling effect:

Read More

10

The Fourth Amendment, Email Headers, and IP Addresses

computer2b.jpgIs there a reasonable expectation of privacy in email headers and IP addresses under the Fourth Amendment? No, sayeth the 9th Circuit in US v. Forrester:

The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that the use of a pen register (a device that records numbers dialed from a phone line) does not constitute a search for Fourth Amendment purposes. According to the Court, people do not have a subjective expectation of privacy in numbers that they dial because they “realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed .” . . . . Therefore the use of a pen register is not a Fourth Amendment search. Importantly, the Court distinguished pen registers from more intrusive surveillance techniques on the ground that “pen registers do not acquire the contents of communications” but rather obtain only the addressing information associated with phone calls. . . .

Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.”

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person’s e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.

I’ve written extensively about the problematic application of Smith v. Maryland to email headers and especially IP addresses. I believe that Smith was wrongly decided, but the 9th Circuit was nevertheless bound to follow it. Accordingly, its holding that there is no reasonable expectation of privacy in email headers seems to fall within the holding of Smith. However, IP addresses present a different case. The holding in the Smith case turned on two rationales: (1) exposure of information to third parties (phone companies) eliminated one’s expectation of privacy; (2) the information was not sensitive since it didn’t involve the content of the communications. This second rationale is important, since it is an attempt to keep Smith logically consistent with Katz v. United States, 389 U.S. 347 (1967), where the Supreme Court held that a reasonable expectation of privacy exists in the contents of phone conversations. However, the contents of phone conversations, similar to the phone numbers dialed (pen register), are also accessible to the phone company. Thus, the first rationale (third party doctrine) would be inconsistent with Katz without the aid of the second rationale.

Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.

The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content. But with IP addresses, the distinction doesn’t work. In Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I wrote:

When applied to IP addresses and URLs, the envelope/content distinction becomes even more fuzzy. An IP address is a unique number that is assigned to each computer connected to the Internet. Each website, therefore, has an IP address. On the surface, a list of IP addresses is simply a list of numbers; but it is actually much more. With a complete listing of IP addresses, the government can learn quite a lot about a person because it can trace how that person surfs the Internet. The government can learn the names of stores at which a person shops, the political organizations a person finds interesting, a person’s sexual fetishes and fantasies, her health concerns, and so on.

[Therefore,] the content/envelope distinction is not always clear. In many circumstances, to adapt Marshall McLuhan, the “envelope” is the “content.” Envelope information can reveal a lot about a person’s private activities, sometimes as much (and even more) than can content information.

Read More

2

Piercing the Veil of Anonymous Bloggers

Lives of Others Picture.jpgI’m delighted to be guest-blogging at Concurring Opinions, and thanks to the crew here for the invitation! I regularly blog to a much smaller audience at Info/Law (and will cross-post most of these guest appearances over there), but it will be fun to discuss a somewhat wider variety of topics here. That said, it turns out my first entry is at the heart of information regulation.

Brian Leiter notes this news story about a South Korean law which has just taken effect, requiring large web sites to obtain real names and the equivalent of Social Security numbers from everyone who posts content. He compares this approach to that taken in the US where, he says, “there exist only private remedies against Internet sociopaths and misogynistic freaks who hide behind anonymity. I suppose time will tell which is the better approach.”

Personally, I don’t need to wait for the passage of time to criticize the South Korean initiative (which has been under discussion there for some four years). Obviously, this law arises in a cultural context very different from our own, which I believe explains a good deal of the difference in approach. And it may not even be as different as it first appears. But there are principled reasons, distinct from cultural ones, to oppose a “show me your papers” internet.

First and foremost, it should be no surprise that China reportedly is looking at a similar model — as a technique to curb dissent, not just cyberbullying. (If you have seen the film The Lives of Others, pictured above — and you really should see it — you will remember how it portrayed East Germany registering typewriters.) The ability to remain anonymous protects unpopular speakers who might otherwise be unable to spread their ideas. In some countries, anonymous bloggers risk life and limb. Despite massive internet filtering by governments, blogging still provides dissidents a powerful tool. Even in more democratic countries, whistleblowers, political outsiders, and unhappy employees use anonymous blogging to avoid retribution. An outright ban on anonymity will curtail such often-useful speech.

Read More