F
Privacy-Related Law and Regulation: The State of the Law and Outstanding Issues

The law intended to guide intelligence operations is complex and has failed to keep up with the significant changes in terrorist threats, surveillance technologies, and the volume, variety, and accessibility of digital data about individuals. The absence of a coherent and up-to-date legal framework has contributed to undermining trust in intelligence activities. A brief description of that law along with an explanation of its inadequacies will help illustrate why.

F.1
THE FOURTH AMENDMENT

F.1.1
Basic Concepts

The government has very broad power to obtain personal information. Historically, the primary constitutional limit on that power is the Fourth Amendment, which reflects the Framers’ hostility to general searches. A general search is a search that is not based on specific evidence that allows the search to be targeted as to the location of the search or the type of evidence the government is seeking. The purpose of the Fourth Amendment was to forbid general searches by requiring that all searches and seizures must be reasonable and that all warrants must state with particularity the item to be seized and the place to be searched.

The Fourth Amendment requires that warrants be issued only “upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Federal law defines “probable cause” to mean “a belief that an individual is committing, has committed, or is about to commit a particular offense” and that the information sought is germane to that crime.[1] The Supreme Court generally requires that the government provide the subject of a search with contemporaneous notice of the search.[2]

Collecting information from a person constitutes a search if it violates that individual’s reasonable expectation of privacy. The Supreme Court has held that a person has a reasonable expectation of privacy in their homes, sealed letters, and the contents of their telephone calls. On the other hand, the Court has determined, for example, that warrants are not required to search or seize items in the “plain view” of a law enforcement officer,[3] for searches that are conducted incidental to valid arrests,[4] or to obtain records held by a third party, even if those records are held under a promise of confidentiality.[5] The Court has interpreted this last exception broadly to find that the Fourth Amendment is inapplicable to telecommunications “attributes” (e.g., the number dialed, the time the call was placed, the duration of the call, etc.), because that information is necessarily conveyed to, or observable by, third parties involved in connecting the call.[6]

Moreover, the Fourth Amendment poses no limits on how the government may use information, provided that it has been obtained legally, and some limits on the use of data obtained illegally. Consequently, personal data seized by the government in compliance with the Fourth Amendment may later be used in a context for which the data could not have been obtained lawfully.

The rest of this section addresses two important examples of areas in which the evolution of technology and new circumstances suggest that current Fourth Amendment law and practice may be outdated or inadequate.

[1] 18 U.S.C. § 2518(3)(a).
[2] Richards v. Wisconsin, 520 U.S. 385 (1997).
[3] Coolidge v. New Hampshire, 403 U.S. 443 (1971).
[4] United States v. Edwards, 415 U.S. 800 (1974).
[5] United States v. Miller, 425 U.S. 435 (1976).
[6] Smith v. Maryland, 442 U.S. 735 (1979).

F.1.2
Machine-Aided Searches

In some ways, machine-aided searching of enormous volumes of digital transaction records is analogous to a general search, especially if those records contain highly sensitive information. Much like a general search in colonial times was not based on specific evidence or limited to a particular person or place, a machine-aided search through digital databases can be very broad.

PROTECTING INDIVIDUAL PRIVACY IN THE STRUGGLE AGAINST TERRORISTS

Existing Fourth Amendment law speaks to such searches only in limited contexts, however. The Fourth Amendment requires the government to obtain a search warrant when looking through a person’s hard drive or private e-mail, for example. It also requires that the warrant specify the type of evidence the government is seeking. It may also require a warrant or a subpoena to collect information that is inside a database. However, if the government collects data in compliance with the Fourth Amendment, and then it aggregates the data into a database, the process of searching through the database is not itself regulated by the Fourth Amendment.

Even if the government violates the Fourth Amendment when collecting the data, the data may be stored, aggregated, and used for any purpose other than that for which the data were wrongfully accessed. So, for example, the Court has allowed records illegally seized by criminal investigators to be used by tax investigators on the basis that restricting the subsequent use would not deter the original unconstitutional conduct.[7]

Broad machine-aided searches and the government’s reuse of lawfully or unlawfully obtained data raise very important questions of public policy. What standards should govern access to or use of data that has already been collected? Should use of databases or specific analytical techniques such as data mining be regulated at all? If querying a database or running a data mining program on a database constitutes a search, when is such a search “reasonable”? Must the police have a specific individual in mind before searching a database for information on him or her? In the absence of clear standards or guidelines to govern their conduct or even to help them make reasonable judgments, the police cannot do their work. Moreover, what level of legal authorization should guide database queries? If a legal standard is used, is relevance the right standard? Or is something more like reasonable suspicion or probable cause the proper standard to use?

[7] United States v. Janis, 428 U.S. 433, 455 (1975).

F.1.3
Searches and Surveillance for National Security and Intelligence Purposes That Involve U.S. Persons Connected to a Foreign Power or That Are Conducted Wholly Outside the United States

The Fourth Amendment applies to searches and surveillance conducted for domestic law enforcement purposes within the United States, and those conducted outside of the United States if they involve U.S. citizens (although not necessarily permanent resident aliens). In a 1972 case commonly referred to as the Keith decision, the Supreme Court held that the Fourth Amendment also applies to searches and surveillance conducted for national security and intelligence purposes within the United States if they involve U.S. persons who do not have a connection to a foreign power.[8] The Court, however, recognized that “different policy and practical considerations” might apply in the national security context than in traditional law enforcement investigations, and specifically invited Congress “to consider protective standards for . . . [domestic security] which differ from those already prescribed for specified crimes in Title III.”[9]

The Court left open the question of whether the Fourth Amendment applies to searches and surveillance for national security and intelligence purposes that involve U.S. persons who are connected to a foreign power or are conducted wholly outside of the United States,[10] and the Congress has not supplied any statutory language to fill the gap.

[8] United States v. U.S. District Court for the Eastern District of Michigan, 407 U.S. 297 (1972).
[9] Id. at 322.
[10] J.H. Smith and E.L. Howe, “Federal legal constraints on electronic surveillance,” p. 133 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002. Lower courts have found, however, that there is an exception to the Fourth Amendment’s warrant requirement for searches conducted for intelligence purposes within the United States that involve only non-U.S. persons or agents of foreign powers. See United States v. Bin Laden, 126 F. Supp. 2d 264, 271-72 (S.D.N.Y. 2000).

F.1.4
The Miller-Smith Exclusion of Third-Party Records

As noted in Chapter 1, some legal analysts believe that there is no better example of the impact of technological change on the law than the exemption from the Fourth Amendment created by the Supreme Court for records held by third parties. According to this perspective, such an exemption significantly reduces constitutional protections for personal privacy—not as the result of a conscious legal decision, but through the proliferation of digital technologies that make larger quantities of more detailed information available for inspection than ever before.

Other analysts suggest that as a general point, the protection of privacy is better founded as a matter of statute and regulation (that is, of policy choices) rather than as a matter of Constitutional right.[11] In this view, legislatures have many advantages that enable the legislative privacy rules regulating new technologies to be more balanced, comprehensive, and effective than judicially created rules. These advantages include the ability to act more quickly in the face of technological change than courts are able to do and to appreciate existing technology and the impact of different legal rules. In addition, and specifically relevant to the third party exemption for the privacy of records held by third parties, some analysts argue that without some ability for law enforcement officials to obtain some transactional data without a warrant, criminals and terrorists operating in cyberspace would be largely able to prevent law enforcement from obtaining probable cause to obtain indictments or to investigate more deeply.

[11] O.S. Kerr, “The Fourth Amendment and new technologies: Constitutional myths and the case for caution,” Michigan Law Review 102:801-888, 2004.

F.2
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT

The Fourth Amendment is not the only restraint on the government’s power to collect and use information through surveillance. The Electronic Communications Privacy Act (ECPA) is a collection of three different statutes that also regulates government collection of evidence in the context of telecommunications networks.

The Wiretap Act is amended in Title I of ECPA, and as amended deals with the interception of telephone and Internet communications in transmission.[12] It applies to “wire communications,” although not to video unaccompanied by sound. To intercept communications in transit requires a “‘super’ search warrant,”[13] unless an exception to the warrant requirement applies such as consent. A warrant can only be sought by designated federal officials and requires probable cause, details about the communication to be intercepted, minimization of any non-relevant communications inadvertently intercepted, and termination immediately upon completion. Information obtained in violation of these requirements can subject the responsible agent to minimum damages of $10,000 per violation and is subject to the exclusionary rule (except for e-mail) so that it cannot be used in a subsequent criminal prosecution.

Title II—the Stored Communications Act—which was adopted in 1986, deals with communications in electronic storage, such as e-mail and voice mail.[14] It contains rules that govern compelled disclosure of information from service providers as well as when providers can disclose information voluntarily. Traditional warrants are required to obtain access to communications stored 180 days or less. To obtain material stored for more than 180 days, the government need only provide an administrative subpoena, a grand jury subpoena, a trial subpoena, or a court order, all of which are easier to obtain than a traditional warrant. Non-content information, such as information about a customer’s account maintained by a communications provider, can be obtained by the government either with a subpoena or by providing “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought are relevant and material to an ongoing criminal investigation.”[15] Violations carry a minimum fine of $1,000; no exclusionary rule applies.

Title III—the Pen Register Act—which was also adopted in 1986, applies to “pen registers” (to record outgoing call information) and “trap and trace” devices (to record incoming call information).[16] To obtain information akin to what is contained in a phone bill or revealed by “Caller ID,” e-mail header information (the “To,” “From,” “Re,” and “Date” lines in an e-mail), or the IP address of a site visited on the Web, the government need only obtain a court order. The court must provide the order—there is no room for judicial discretion—if the government certified that “the information likely to be obtained by such installation and use is relevant to an ongoing investigation.”[17] The exclusionary rule does not apply to violations of the act.

[12] Wiretap Act, Public Law 90-351, 82 Stat. 197 (1968) (codified as amended at 18 U.S.C. §§ 2510-2522).
[13] O.S. Kerr, “Internet surveillance law after the USA Patriot Act: The big brother that isn’t,” Northwestern University Law Review 97(2):607-673, 2003.
[14] Stored Communications Act, Public Law 99-508, Title II, § 201, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. §§ 2701-2711).
[15] 18 U.S.C. § 2703(d).
[16] Pen Register Act, Public Law 99-508, Title III, § 301(a), 100 Stat. 1868 (1986) (codified as amended at 18 U.S.C. §§ 3121-3127).
[17] 18 U.S.C. § 3123(a).

F.3
THE FOREIGN INTELLIGENCE SURVEILLANCE ACT

While the ECPA regulates surveillance for law enforcement purposes, successive presidents insisted that it did not limit their power to engage in surveillance for national security purposes. In the aftermath of Watergate, the Senate created the Select Committee to Study Government Operations with Respect to Intelligence Activities, chaired by Senator Frank Church (D-Idaho). The Church Committee’s final report, published in 1976, cataloged a wide array of domestic intelligence surveillance abuses committed under the protection of the president’s national security authority.[18] While some must have been plainly understood at the time by their perpetrators to have involved wrong-doing, such as spying on political opponents, many involved what today would be called “mission creep.”[19]

That report, the unresolved nature of the president’s power to conduct domestic surveillance, and the Supreme Court’s 1972 invitation to Congress in the Keith decision to “consider protective standards” in this area all coalesced in enactment of the Foreign Intelligence Surveillance Act (FISA) of 1978.[20] The act creates a statutory regime governing the collection of “foreign intelligence” from a “foreign power” or “agent of a foreign power” within the borders of the United States. The act created a special court—the Foreign Intelligence Surveillance Court—of seven (now eleven) federal district court judges. The court meets in secret and hears applications from the Department of Justice (DOJ) for ex parte orders authorizing surveillance or physical searches. All that the government must show is that there is “probable cause to believe that the target of the electronic surveillance is a foreign power or agent of a foreign power”[21] and that gathering foreign intelligence is “the purpose” of the requested order.[22] In 2001, the USA Patriot Act changed this standard to “a significant purpose.”[23] This change and a decision from the three-judge FISA review court created by the statute to hear appeals brought by the government have resulted in making information obtained from FISA surveillance freely available in criminal prosecutions.[24] In 2003, for the first time, the federal government sought more surveillance orders under FISA than under ECPA.[25]

As this report is being written (November 2007), changes to the FISA act are being contemplated by the U.S. Congress. The final disposition of these changes remains to be seen.

[18] Senate Select Committee to Study Government Operations with Respect to Intelligence Activities, 94th Congress, Final Report on Intelligence Activities and the Rights of Americans, Book II, April 26, 1976; see also M.H. Halperin, J.J. Berman, R.L. Borosage, and C.M. Marwick, The Lawless State: The Crimes of the U.S. Intelligence Agencies, Penguin Publishing Company Ltd., London, U.K., 1976.
[19] Senate Select Committee to Study Government Operations with Respect to Intelligence Activities, 94th Congress, Final Report on Intelligence Activities and the Rights of Americans, Book II, April 26, 1976.
[20] Public Law 95-511, 92 Stat. 1783 (1978) (codified at 50 U.S.C. § 1801-1811).
[21] 50 U.S.C. § 1805(a)(3)(A).
[22] Id. § 1804(7) (prior to being amended in 2001).
[23] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Public Law 107-56, § 204, 115 Stat. 272 (codified at 50 U.S.C. § 1804(a)(7)(B)).
[24] In re Sealed Case, 310 F.3d 717 (FISA Review Court 2002).
[25] P.P. Swire, “The system of foreign intelligence surveillance law,” George Washington Law Review 72(6):1306-1308, 2004. This article provides analysis of the history and details of FISA generally.

F.4
THE PRIVACY ACT

The Privacy Act of 1974 provides safeguards against an invasion of privacy through the misuse of records by federal agencies and establishes a broad regulatory framework for the federal government’s use of personal information.[26] The Act requires federal agencies to store only relevant and necessary personal information and only for purposes required to be accomplished by statute or executive order; to collect information to the extent possible from the data subject; to maintain records that are accurate, complete, timely, and relevant; and to establish administrative, physical, and technical safeguards to protect the security of records.[27] The Privacy Act also prohibits disclosure, even to other government agencies, of personally identifiable information in any record contained in a “system of records,” except pursuant to a written request by or with the written consent of the data subject, or pursuant to a specific exception.[28] Agencies must log disclosures of records and, in some cases, inform the subjects of such disclosures when they occur. Under the Act, data subjects must be able to access and copy their records, each agency must establish a procedure for amendment of records, and refusals by agencies to amend their records are subject to judicial review. Agencies must publish a notice of the existence, character, and accessibility of their record systems.[29] Finally, individuals may seek legal redress if an agency denies them access to their records.

The Privacy Act is far less protective of privacy than may first appear, because of numerous broad exceptions.[30] Twelve of these are expressly provided for in the Act itself. For example, information contained in an agency’s records can be disclosed for “civil or criminal law enforcement activity if the activity is authorized by law.”[31] An agency can disclose its records to officers and employees within the agency itself, the Census Bureau, the National Archives, Congress, the Comptroller General, and consumer reporting agencies.[32] Information subject to disclosure under the Freedom of Information Act is exempted from the Privacy Act.[33] And under the “routine use” exemption,[34] federal agencies are permitted to disclose personal information so long as the nature and scope of the routine use was previously published in the Federal Register and the disclosure of data was “for a purpose which is compatible with the purpose for which it was collected.” According to the Office of Management and Budget, “compatibility” covers uses that are either (1) functionally equivalent or (2) necessary and proper.[35]

Moreover, the Privacy Act applies only to information maintained in a “system of records.”[36] The Act defines “system of records” as a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”[37] The U.S. Court of Appeals for the District of Columbia Circuit held that “retrieval capability is not sufficient to create a system of records. . . . ‘To be in a system of records, a record must . . . in practice [be] retrieved by an individual’s name or other personal identifier.’”[38] This is unlikely to be the case with new antiterrorism databases, in which information may not be sufficiently structured to constitute a “system of records” in the meaning of the Privacy Act.

The Privacy Act has also been subject to judicial interpretations which have created new exceptions. For example, courts have found that the following entities do not constitute an “agency”: a federally chartered production credit association, an individual government employee,[39] state and local government agencies,[40] the White House Office and those components of the Executive Office of the President whose sole function is to advise and assist the President,[41] grand juries,[42] and national banks.[43]

As a result, the Privacy Act plays little role in providing guidance for government intelligence activities or limiting the government’s power to collect personal data from third parties. Moreover, the Privacy Act only applies to federal agencies—it does not generally regulate the collection of personal information by private-sector entities. In short, the Privacy Act provides limited protection when government-collected data are involved, and very little when private-sector data are involved.

[26] 5 U.S.C. § 552a.
[27] Id.
[28] Id. § 552a(b).
[29] Id. § 552a(e)(4).
[30] S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002.
[31] 5 U.S.C. § 552a (b)(7).
[32] Id. § 552a(b).
[33] Id. § 552a(b)(2).
[34] Id. § 552a(b)(3).
[35] Privacy Act of 1974, 5 U.S.C. § 552a; “Guidance on the Privacy Act Implications of ‘Call Detail’ Programs to Manage Employees’ Use of the Government’s Telecommunications Systems,” 52 Fed. Reg. 12900, 12993 (1987) (OMB) (publication of guidance in final form); see generally S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002.
[36] 5 U.S.C. § 552a(b).
[37] Id. § 552a(a)(5).
[38] Henke v. United States Department of Commerce, 83 F.3d 1453, 1461 (D.C. Cir. 1996) (quoting Bartel v. FAA, 725 F.2d 1403, 1408 n.10 (D.C. Cir. 1984)).
[39] Petrus v. Bowen, 833 F.2d 581 (5th Cir. 1987).
[40] Perez-Santos v. Malave, 23 Fed. App. 11 (1st Cir. 2001); Ortez v. Washington County, 88 F.3d 804 (9th Cir. 1996).
[41] Flowers v. Executive Office of the President, 142 F. Supp. 2d 38 (D.D.C. 2001).
[42] Standley v. Department of Justice, 835 F.2d 216 (9th Cir. 1987).
[43] United States v. Miller, 643 F.2d 713 (10th Cir. 1981). See generally S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002, supra at 128.

F.5
EXECUTIVE ORDER 12333 (U.S. INTELLIGENCE ACTIVITIES)

Promulgated on December 4, 1981, Executive Order (EO) 12333 regulates the conduct of U.S. intelligence activities.[44] Section 2.2 of EO 12333 sets forth “certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests.” Using a definition of United States person specified in Section 3.4(i) of this order (a United States person is “a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments”), Section 2.3 of EO 12333 establishes constraints on procedures for agencies within the intelligence community (IC) to collect, retain or disseminate information concerning United States persons.

Under EO 12333, only certain types of information may be collected, retained, or disseminated by IC agencies. These types of information include “information that is publicly available or collected with the consent of the person concerned; information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations; information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation; information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations; information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure; information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility; information arising out of a lawful personnel, physical or communications security investigation; information acquired by overhead reconnaissance not directed at specific United States persons; incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and information necessary for administrative purposes.”

Under Section 2.4 of EO 12333, IC agencies are required to use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. In addition, this section places certain limitations on various agencies. For example, the Central Intelligence Agency is forbidden to engage in electronic surveillance within the United States except for the purpose of training, testing, or conducting countermeasures to hostile electronic surveillance. In addition, no IC agency is allowed to conduct “physical surveillance of a United States person abroad to collect foreign intelligence, except to obtain significant information that cannot reasonably be acquired by other means.” (See the full text of the EO for additional restrictions.)

[44] The full text of EO 12333 can be found at http://www.tscm.com/EO12333.html.

F.6
THE ADEQUACY OF TODAY’S ELECTRONIC SURVEILLANCE LAW

The law applicable to surveillance and intelligence gathering and the attention to limitations in the law suggests that the law suffers from what Professor Daniel Solove has described as “profound complexity.”[45] Professor Orin Kerr has written that “the law of electronic surveillance is famously complex, if not entirely impenetrable.”[46] Courts agree with these assessments and have “described surveillance law as caught up in a ‘fog,’ ‘convoluted,’ ‘fraught with trip wires,’ and ‘confusing and uncertain.’”[47]

Why is today’s law regarding electronic surveillance complex? Some of the complexity is certainly due to the fact that the situations and circumstances in which electronic surveillance may be involved are highly varied, and policy makers have decided that different situations and circumstances call for different regulations. That is, different treatment of electronic surveillance in different situations is a consequence of legislative and executive branch policy choices to treat these situations differently.

But it is another issue as to whether such differences, noted and established in one particular set of circumstances, can be effectively maintained over time. First, circumstances evolve. For example, today’s law includes major distinctions based on the location of the surveillance, the purposes for which the intercepted information is sought, and whether the target is a “U.S. person” or a “non-U.S. person.” Yet these distinctions are difficult to apply in a world of digital communications and networks that do not easily recognize national borders, terrorist threats of foreign origin that are planned or executed within the borders of the United States, and the growing integration of foreign intelligence, domestic intelligence, and law enforcement.

Another important distinction is the historical separation between criminal and national security investigations. Since September 11, 2001, some of the barriers separating criminal and national security investigations have been lowered (for example, the government is now freer to share information gathered by law enforcement in criminal investigations with national security authorities, and vice versa). However, the ECPA and the FISA are based on the existence of clear distinctions between criminal and national security investigations, as reflected in their disparate treatment of information that is collected and stored under each regime.

Second, evolving technologies also complicate the application of laws and precedents created in an earlier technological era, and at times existing law seems outpaced by technological change. In 2004, the Department of Defense Technology and Privacy Advisory Committee (TAPAC) wrote in its final report:

Laws regulating the collection and use of information about U.S. persons are often not merely disjointed, but outdated. Many date from the 1970s, and therefore fail to address extraordinary developments in digital technologies, including the Internet. . . . Dramatic advances in information technology, however, have greatly increased the government’s ability to access data from diverse sources, including commercial and transactional databases. . . .

. . . Current laws are often inadequate to address the new and difficult challenges presented by dramatic developments in information technologies. And that inadequacy will only become more acute as the store of digital data and the ability to search it continue to expand dramatically in the future.[48]

As an example, the ECPA draws a sharp distinction regarding whether a message is “in transit” or “in storage.” When ECPA was adopted in 1986, users downloaded e-mail from their service provider onto their local computer. Messages therefore were not stored centrally after being read. Today, many e-mail systems are accessed through Web interfaces, so e-mail is by default stored on servers belonging to third parties. Thus, according to an analysis by the Center for Democracy and Technology, “As a result of ECPA’s complex rules, the same email message will be subject to many different rules during its life span. These complex rules likely do not match the expectations of email users.”[49]

The government exploits such distinctions. The Federal Bureau of Investigation’s Key Logger System, which records individuals’ keystrokes on their computers, was designed to collect data only when the users’ machines are not connected to the Internet. When a user logs on, the keystroke recording stops, so that the agency argues that the device is not capturing communications “in transit,” but merely “in storage,” and therefore is not required to comply with Title I of the ECPA.[50]

A second example is that when the statutory authorization was adopted for the National Security Agency (NSA) to carry out electronic surveillance outside of the United States, it was highly unusual for ordinary persons in the U.S. to make international phone calls, and e-mail did not yet exist.[51] Today, the proliferation of information technology into the population at large means that many ordinary people in the U.S. make international phone calls and use e-mail, with the result that many more communications of ordinary people are potentially subject to NSA surveillance.[52] To be sure, a variety of regulations exist to prevent just such occurrences from intruding on the privacy of ordinary Americans, but it is undeniable that more communications involving Americans will fall within the ambit of electronic surveillance directed outside U.S. borders as global communications increase.

Third, the law today embeds some significant inconsistencies. For example, the very high protection for communications under Title I of ECPA does not extend to video surveillance if sounds are not captured at the same time. Meanwhile, the much weaker protection of FISA does apply.

[45] D.J. Solove, “Reconstructing electronic surveillance law,” George Washington Law Review 72, 2004. The article provides a description and analysis of electronic surveillance law in the United States.
[46] O.S. Kerr, “Lifting the ‘fog’ of internet surveillance: How a suppression remedy would change computer crime law,” Hastings Law Journal 54:805-820, 2003.
[47] D.J. Solove, op. cit., p. 1293.
[48] U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight Against Terrorism, March 2004, p. 6.
“Foreign agents therefore receive protection against silent video surveillance whereas United States citizens do not.”53 Similarly, protec- tion for stored communications hinges on whether the message has been stored for more than 180 days. Why? Telephone calls and e-mail receive significantly different protection from government surveillance without any apparent reason. Fourth, key intelligence questions remain without clear answers. For example, do any of these laws apply to “data mining” or searches for keywords or relationships conducted by computer? Is it possible to show 49 Center for Democracy and Technology (CDT), Digital Search & Seizure: Updating Priacy Protections to Keep Pace with Technology, CDT, Washington, D.C., 2006, p. 11. 50 See United States . Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001); see generally D.J. Solove, op. cit., pp. 1281-1282. 51 Center for Democracy and Technology (CDT), Digital Search and Seizure: Updating Priacy Protections to Keep Pace with Technology, CDT, Washington, D.C., 2006. 52 Ibid. 53 D.J. Solove, op. cit., p. 1293.

OCR for page 150
 APPENDIX F probable cause, under either the high standard of Title I of ECPA or the weaker standard of FISA, for searches that target a pattern of behavior rather than an identified person? How should opened e-mail and voice mail messages be treated? DOJ argues that they are merely remotely stored files and therefore do not fall within the protection of Title II of ECPA.54 Why aren’t they simply stored communications that are directly covered by Title II (the Stored Communications Act)?55 Finally, the slow pace at which law has evolved in the face of chang- ing technologies may have done more to undermine rather than enhance trust in information sharing. The Supreme Court initially refused to apply the Fourth Amendment to wiretapping at all,56 and it took the Court 39 years to reverse that decision.57 Conversely, in 1934 Congress prohibited wiretapping in any form and for any purpose.58 It took 34 years before Congress recognized the potential of electronic surveillance, properly regulated, to aid law enforcement,59 and another twelve before it statu- torily authorized its use to advance national security.60 Congress also receives only limited information about surveillance conducted under ECPA and FISA, and even less about the Administration’s surveillance conducted outside of this statutory framework. There is no federal report- ing requirement about electronic surveillance by states, which account for the majority of wiretaps, and only half of the states in fact report statistics about their wiretap orders.61 54 Computer Crime and Intellectual Property Section, U.S. Department of Justice, Manual on Searching and Seizing Computers and Obtaining Electronic Eidence in Criminal Inestigations III.B, 2001. 55 For more detailed analyses of gaps and inconsistencies in statutory and Fourth Amend- ment protections, see P.L. Bellia, “Surveillance law through cyberlaw’s lens,” George Wash- ington Law Reiew 72:1375, 2004; D.K. 
Mulligan, “Reasonable expectations in electronic communications: A Critical perspective on the Electronic Communications Privacy Act,” George Washington Law Reiew 72:1557, 2004; D.J. Solove, “Reconstructing electronic surveil- lance law,” George Washington Law Reiew 72:1264, 2004; P.P. Swire, “The system of foreign intelligence surveillance law,” George Washington Law Reiew 72:1306, 2004; O.S. Kerr, “In- ternet surveillance law after the USA Patriot Act: The big brother that isn’t,” Northwestern Uniersity Law Reiew 97(2):607-673, 2003; O.S. Kerr, “Lifting the ‘fog’ of internet surveil- lance: How a suppression remedy would change computer crime law,” Hastings Law Journal 54:805-820, 2003. 56 Olmstead . United States, 277 U.S. 438 (1928). 57 United States . Katz, 389 U.S. 347 (1967). 58 Communications Act of 1934, ch. 652, § 605, 48 Stat. 1064 (codified as amended at 47 U.S.C. § 605). 59 Omnibus Crime Control and Safe Streets Act of 1968, Public Law 90-351, § 802, 82 Stat. 212 (codified as amended at 18 U.S.C. § 2510-2520). 60 Foreign Intelligence Surveillance Act of 1978, Public Law 95-511, 92 Stat. 1783 (codified at 50 U.S.C. § 1801-1811). 61 D.J. Solove, op. cit., p. 1296.

What does the analysis above imply for changing today’s law regarding electronic surveillance? There is broad agreement that today’s legal regime is not optimally aligned with the technological and circumstantial realities of the present. But there is profound disagreement both about whether the basic principles underlying today’s regime continue to be sound and about the directions in which changes to today’s regime ought to occur. Some analysts believe that privacy has suffered as the result of an increasing gap between technology/circumstances and the more slowly changing law, while others believe that technological change is upsetting the traditional balance away from the legitimate needs of law enforcement and national security.

F.7
FURTHER REFLECTIONS FROM THE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE REPORT

Many of the issues discussed above were also flagged in the report issued by the TAPAC, a bipartisan panel of independent legal experts and former government officials appointed by Secretary of Defense Donald Rumsfeld in the wake of the TIA [Total/Terrorist Information Awareness program; see Appendix J] debacle. For example, the report noted that the risks to informational privacy of government data mining efforts were exacerbated by disjointedness in the laws applicable to data mining. Thus, programs that appear to pose similar privacy risks are subject to a variety of often inconsistent legal requirements. Such inconsistencies, the report argued, reflected “the historical divide in the United States between laws applicable to law enforcement and those applicable to foreign intelligence and national security activities, as well as the different departments, contexts, and times in which those programs were developed.”

It also noted that depending on which department developed the tools, the use of data mining to protect the homeland was either required or prohibited and that today’s laws regulating the collection and use of information about U.S. persons were created in the 1970s, and thus do not take into account recent developments in digital technologies, including the Internet. Pointing out that “the ubiquity of information networks and digital data has created new opportunities for tracking terrorists and preventing attacks,” the report argued that “new technologies [also] allow the government to engage in data mining with a far greater volume and variety of data concerning U.S. persons, about whom the government has no suspicions, in the quest for information about potential terrorists or other criminals” and that then-current laws were “often inadequate to address the new and difficult challenges presented by dramatic developments in information technologies.”

The TAPAC report concludes that “[t]hese developments highlight the need for new regulatory boundaries to help protect civil liberties and national security, and to help empower those responsible for defending our nation to use advanced information technologies—including data mining appropriately and effectively. It is time to update the law to respond to new challenges.”62

62 U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight Against Terrorism, March 2004, p. ix.