On systematic government access to private sector data
The Sixth Circuit Court of Appeals has recently decided in United States v. Skinner that police does not need a warrant to obtain GPS location data for mobile phones. The decision, based on the holding of the Supreme Court in US v. Jones, highlights the need for a comprehensive reform of rules on government access to communications non-contents information (“communications data”). Once consisting of only a list of phone numbers dialed by a customer (a “pen register”), communications data have become rife with personal information, including location, clickstream, social contacts and more.
To a non-American, the US v. Jones ruling is truly astounding in its narrow scope. Clearly, the Justices aimed to sidestep the obvious question of expectation of privacy in public spaces. The Court did hold that the attachment of a GPS tracking device to a vehicle and its use to monitor the vehicle’s movements constitutes a Fourth Amendment “search”. But it based its holding not on the persistent surveillance of the suspect’s movements but rather on a “trespass to chattels” inflicted when a government agent ever-so-slightly touched the suspect’s vehicle to attach the tracking device. In the opinion of the Court, it was the clearly insignificant “occupation of property” (touching a car!) rather than the obviously weighty location tracking that triggered constitutional protection.
Suffice it to say, that to an outside observer, the property infringement appears to have been a side issue in both Jones and Skinner. The main issue of course is government power to remotely access information about an individual’s life, which is increasingly stored by third parties in the cloud. In most cases past – and certainly present and future – there is little need to trespass on an individual’s property in order to monitor her every move. Our lives are increasingly mediated by technology. Numerous third parties possess volumes of information about our finances, health, online endeavors, geographical movements, etc. For effective surveillance, the government typically just needs to ask.
This is why an upcoming issue of International Data Privacy Law (IDPL) (an Oxford University Press law journal), which is devoted to systematic government access to private sector data, is so timely and important. The special issue covers rules on government access in multiple jurisdictions, including the US, UK, Germany, Israel, Japan, China, India, Australia and Canada.
In one of the special issue’s articles, Peter Swire makes the case that government access to the cloud is set to become even more significant than before. Swire explains that as communications channels are increasingly encrypted, traditional wiretap techniques become obsolete. Law enforcement authorities, which can no longer intercept decrypted information in transit, will inevitably approach cloud storage facilities for access to plaintext data. Silicon Valley businesses, which dominate the cloud, will thus become hubs for requests by global law enforcement agencies. Consider a policeman in Lima, Peru, who can no longer obtain useful information from the local ISP, and therefore submits legal process to a company based in California.
The upshot is that government access to the cloud is becoming a diplomatic hot potato. European politicians and regulators have expressed concern over the domination of the cloud by US companies (think Amazon, Google, Microsoft, Rackspace, Salesforce, and many many more) and potential access to their data warehouses by US government authorities. Arguably, the entire legal edifice erected by the Europeans to regulate transborder data transfers is geared to prevent access to European citizens’ data by foreign governments.
My contribution to the special issue is a piece on “Systematic government access to private-sector data in Israel”. Israel is an interesting test case because it is on the frontlines of the war against terrorism while also trying to maintain robust protection of fundamental rights. Privacy is a constitutional right in Israel; yet communications data are a powerful tool in the hands of national security and law enforcement agencies.
In a recent decision, the Israeli Supreme Court upheld the validity of the Communications Data Act, which was enacted in 2007 to provide law enforcement authorities with access to communications data, despite its infringement on the constitutional right to privacy. The Communications Data Act sets forth procedures for law enforcement access to communications data, defined to include subscriber information, traffic data and location details. Compared to some of the other jurisdictions surveyed by the IDPL, including the US and UK, Israeli law fares pretty well, requiring a judicial warrant for access to communications data in most cases.
However, far broader powers are conferred on the Israel Security Agency, also known as the General Security Service (GSS) (a literal translation of its Hebrew name, “Sahabak”). The GSS draws its powers from a separate statute, the General Security Service Act, 2002, which is an opaque piece of legislation conferring broad powers on the Prime Minister, including the authority to set forth secret rules in connection with access to communications data. The powers of the Prime Minister and the security apparatus are tempered by reporting requirements to a special parliamentary committee as well as to the Attorney General, who in Israel is a very powerful, non-political public servant. As is often the case, though, the devil lies in the details, including the mechanics of data transfers; whether transfers are moderated by an employee of the telecom operator or are under the control of security service operatives; whether the “switch” to the “pipe” resides in the hands of the telecom company or the security service; who pays for retention and use of stored communications data; etc. I hope those of you who are interested will read the article. In this context too, Israel is no outlier. National security organizations enjoy broad powers in all of the reporting jurisdictions.
A couple of lessons can be drawn from the survey:
First, law enforcement and national security agencies expect that business organizations will facilitate real time government access to data when needed. Through formal or informal channels, handing over a warrant or a note written on an intelligence agency’s letterhead, the government is able to get what it wants.
Second, government access to private sector data, and specifically the cloud, is by no means a US phenomenon. In Europe and elsewhere, law enforcement and national security agencies have broad powers to access information. Indeed, in the UK, the Home Secretary and a long list of security services have drastic surveillance powers, largely insulated from the courts and opaque to public oversight. This isn’t to say that the situation in the US is optimal. Clearly the ECPA, with its outdated terms such as “electronic communications service” and “remote computing service”; multiple tracks (warrant, subpoena, National Security Letter); and differing treatment of information depending on technologically-specific criteria (in transit, in storage for X amount of days) –needs reform. But compared to other jurisdictions on matrix such as legal standards, transparency and judicial oversight, the situation in the US is not all bad.