Privacy, Law Enforcement, and National Security
The tension between individual privacy and law enforcement or national security interests has been an enduring force in American life, its origins long predating the advent of new media or current technologies. Nowhere else is the tension between “it’s none of your business” and “what have you got to hide” so easily seen.1
Although these tensions predate the information revolution, new technologies, new societal contexts, and new circumstances have sharply intensified that conflict, and even changed its focus. Section 9.1 focuses on the uses of information technology in law enforcement and discusses the pressures that such uses place on individual privacy. Section 9.2 does the same for national security and intelligence.
INFORMATION TECHNOLOGY, PRIVACY, AND LAW ENFORCEMENT
By its very nature, law enforcement is an information-rich activity. The information activities of law enforcement can be broken into three categories.
Gathering and analyzing information to determine that a law has been violated;
Gathering and analyzing information to determine the identity of the person or persons responsible for a violation of law; and
Gathering and analyzing information to enable a legal showing in court that the person or persons identified in fact were guilty of the violation.
All of these gathering and analysis activities have been altered in basic ways by functional advancements in the technologies that have become available for collecting, storing, and manipulating data.
In actual practice, these categories can overlap or the activities in each category can occur in several temporal sequences. When a police officer observes someone breaking a law, the officer is determining that a law has been violated, gathering information about who broke the law (presumably the person he or she is observing), and gaining evidence that may be introduced in court (the testimony of the officer).
The essential difference between these categories is the locus or subject about which the information is gathered. In the first category, concerning the breaking of a law, the locus of information is the event or activity. In the second sort of activity, the locus is the determination of an individual or set of individuals involved in the activity. In the third category, information associated with categories one and two is combined in an attempt to link the two in a provable way.
Although activities in the first category usually precede those in the second, this is not always the case. Law enforcement authorities have been known to start with “suspicious people” and then seek to discover what laws they might have broken, might be breaking, or might be planning to break. This is one of the rationales for certain kinds of undercover activity and is frequently regarded as more controversial.
These distinctions are important because they help to differentiate cases that generate concern about invasions of privacy from those that involve less controversial uses of the state’s investigatory power.
Concerns about privacy invasions often involve the possibility that law enforcement officials can cast an unduly broad net, or one that is seen as discriminatory, as they gather information about persons in the absence of specific reasons to suspect that these individuals have violated some particular law.
A case in which an individual is targeted to see if he or she has violated a law is conceptually (and legally and morally) different from a case in which information is gathered about an individual as part of an investigation into a known or suspected violation of law or in which there are other grounds for suspicion. In the latter case, information may be gathered about individuals who in fact were not involved in a violation—which is different in kind from the task of assembling information about an individual in the hope of finding a violation of law.
The potential for data gathering targeted at a particular individual or set of individuals to aid in the discovery of previously unknown violations of the law, or the risk that data gathered by law enforcement may be used for political or harassment purposes, often underlies efforts to restrict the kinds of information that law enforcement agencies can gather and the ways in which it is gathered. Even if the information is never used, the very fact that considerable amounts of data have been collected about individuals who have not been accused or convicted of a crime ensures that substantial amounts of information about non-criminals will end up in the databases of law enforcement agencies. Moreover, with such data a permanent part of their files, citizens may be concerned that this information will eventually be misused or mistakenly released, even if they are not suspects in any crime. They may even engage in self-censorship, and refrain from expressing unpopular opinions. For individuals in this position, issues such as recourse for police misbehavior or carelessness are thus very important.
Nor are worries about the gathering of information by law enforcement agencies restricted to how that information could be used in legal proceedings. Such proceedings are governed by the laws and professional ethics that protect the privacy of the individual, and the inappropriate use (in a criminal context) of information gathered by law enforcement agencies can be balanced by judicial review. However, even the suspicion of wrongdoing or being a “person of interest” can have an effect on an individual’s ability to fly in a commercial airliner, obtain certain kinds of permits, gain some kinds of employment, obtain financial services, or conduct business. For example, watch lists, such as those used by the Transportation Security Agency, are not subject to the same level of scrutiny as evidence in a court of law yet can still affect the lives of those whose names appear on such lists. These uses of information are often not balanced by judicial or any other kinds of review, leaving the individual at a severe disadvantage when information is inaccurate or incomplete.2
None of these concerns about balancing the need for law enforcement agencies to gather information and the need of the citizen for privacy are new. What is new are the modern information technologies that law enforcement agencies can now use to observe situations and identify individuals more quickly, more accurately, and at less expense than ever before. These technologies include surveillance cameras, large-scale databases, and analytical techniques that enable the extraction of useful information from large masses of otherwise irrelevant information.
The sections that follow describe a number of technologies that allow law enforcement agencies expanded capabilities to observe, to listen, and to gather information about the population. Just as the ability to tap phone lines offered law enforcement new tools to gather evidence in the past century, so also these new technologies expand opportunities to discover breaches in the law, identify those responsible, and collect the evidence needed to prosecute. And just like the ability to tap telephones, these new technologies raise concerns about the privacy of those who are—rightly or wrongly—the targets of the new technologies. Use of the technologies discussed requires careful consideration of the resulting tension posed between two legitimate and sometimes competing goals: information gathering for law enforcement purposes and privacy protection.
Technology and Physical Observation
As a point of departure, consider the issue of privacy as it relates to government authorities conducting surveillance of its citizens. Using the anchoring vignette approach described in Chapter 2 (see Box 2.2), a possible survey question might be, How much does [your/“Name’s”] local town or city government respect [your/“Name’s”] privacy in [your/her/his] routine local activities? Here are a number of possibilities:
[Anita] lives in a city that prohibits any form of video or photographic monitoring by government agencies.
[Bita] commutes to work every day into a city that automatically photographs each car to see whether it runs a particular stoplight.
[Jake] lives in a city that videotapes all cars on city-owned property.
[Beth] lives in a city that videotapes all people inside the hallways of city-owned buildings.
[Mark] lives in a city that uses a device in police cars to detect whether individuals are at home.
[Juanita] lives in a city that uses an imaging device in police cars that can see through walls and clothes.
These vignettes, ordered from most to least privacy-protecting, illustrate only a single dimension of privacy (namely image-based personal information), but they are a starting point for knowing what must be analyzed and understood in this particular situation, and what decisions society will have to make with respect to the issues the vignettes raise.
See, for example, Peter M. Shane, “The Bureaucratic Due Process of Government Watch Lists,” Ohio State Public Law Working Paper No. 55, February 2006, available at http://ssrn.com/abstract=896740.
Whether it is used to see that a law has been or is being broken, to determine who broke the law, or to find a suspect for arrest, physical observation has historically been the main mechanism by which law enforcement agencies do their job. Physical observation is performed by law enforcement officers themselves, and also by citizens called as witnesses in an investigation or a trial. The vignettes above suggest that physical observation has evolved far beyond the in-person human witness in sight of the event in question.
When individuals are watched, particularly by the state with its special powers, privacy questions are obviously relevant. The usual expectation is that, unless there is a reason to suspect an individual of some particular infraction of the law, individuals will not be under observation by law enforcement agencies. But because of advances in technology, the means by which law enforcement can conduct physical observation or surveillance have expanded dramatically. New technologies that provide automated surveillance capabilities are relatively inexpensive per unit of data acquired; vastly expand memory and analytical ability, as well as the range and power of the senses (particularly seeing and hearing); and are easily hidden and more difficult to discover than traditional methods. They can be used to observe violations of law as well as a particular individual over extended periods of time unbeknownst to him or her.
Today, for example, the use of video cameras is pervasive. Once only found in high-security environments, they are now deployed in most stores and in many parks and schools, along roads, and in public gathering places. A result is that many people, especially in larger cities, are under recorded surveillance for much of the time that they are outside their homes.
Law enforcement officials, and indeed much of the public, believe that video cameras support law enforcement investigations, offering the prospect of a video record of any crime committed in public areas where they are used. Such a record is believed to have both investigatory value
(in identifying perpetrators) and deterrent value (in dissuading would-be perpetrators from committing crimes).3 However, these cameras also give those who operate them ever more information, often in the form of a reusable and possibly permanent record regarding where many law-abiding individuals are, who they are with, and what they are doing.
Another example concerns automobiles equipped with tracking systems, such as General Motors’ OnStar system, that permit the location of anyone holding a cell phone to be tracked to a fairly fine resolution. (Such systems may be based on the use of GPS or on cell phones that provide location information as part of E-911 services.) By tracking people’s position over time, it is also possible to track their average speed,4 where they have been, and (by merging the positional information for multiple people) with whom they might have met. If such tracking is recorded, correlations can be made at any time in the future. Indeed, given the right monitoring equipment and enough recording space, it is even possible that the locations of every person for much of a lifetime could be made available to law enforcement agencies or even family members or researchers.
Similar issues regarding data reuse arise with respect to the use of video cameras for the enforcement of traffic regulations. In many cities the traffic lights have been equipped with cameras that allow law enforcement agencies to determine violations of red-light stop zones simply by photographing the offending vehicles as they pass through the red light. Such images allow local police agencies to automatically send red-light-running tickets to the vehicle owners. Even such a seemingly straightforward use of surveillance technology, however, brings up a host of privacy issues. For example, consider that these cameras could also be used to trace and record the presumed locations of people based on the observed time and location of their cars. That is, they could take pictures even when no car was running a red light. Such a concern is based on the future possibilities for repurposing the information gathered by such cameras rather than on the purpose for which these cameras were originally deployed.
It is unquestionable that video records have had forensic value in the investigations of crimes that have already been committed. The deterrent effect is less clear. A study done for the British Home Office on the crime prevention effects of closed-circuit television (CCTV) cameras systematically reviewed two dozen other empirical studies on this subject and concluded that, on balance, the evidence suggested a small effect on crime reduction (on the order of a few percent) and only in a limited set of venues (namely, car parks). The deployment of CCTV cameras had essentially no effect in public transportation or in city-center contexts. Welsh and Farrington also noted that poorly controlled studies systematically indicated larger effects than did well-controlled ones. See Brandon Welsh and David Farrington, Crime Prevention Effects of Closed Circuit Television, Home Office Research Study 252, August 2002, available at http://www.homeoffice.gov.uk/rds/pdfs2/hors252.pdf.
A lower-tech version of this capability is inherent in toll systems on highways. For some highways, periodic toll plazas on turnpikes were replaced by a system in which the driver picked up a ticket at the point of entry that was then used to determine the toll at the location where the car exited. Given that these tickets included the time of entry into the turnpike, there were concerns that the tickets could also be used upon exit to determine if the car had exceeded the speed limit. Stories of such secondary use have the ring of urban myth, but they continue to surface on the Internet and are certainly consistent with what the technology enables.
Note that nothing intrinsic in the use of a video system to catch those running traffic lights enables secondary use of the information. The system could be designed in such a way that only those images showing someone running a red light were kept, and all other images were discarded immediately. Such a system could not be used to track the location of any but a small number of vehicles. Designing such a system in this way is simple to do when the system is first being built but is far more difficult once the system has been installed. However, privacy concerns associated with possible secondary uses are usually not raised when a system is designed, if nothing else because those secondary uses are not yet known or anticipated.
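The retention rule just described can be made concrete. The following Python model is an added illustration, not code from the report or from any deployed camera system; its frames, plate numbers and timestamps are constructed, and the two-frame context window is an assumption. Frames are held only in a small per-vehicle buffer in volatile memory; a violation promotes that buffer to the evidence store, and a vehicle that leaves the field of view without violating takes its frames with it, so the persistent store never contains the lawful traffic that a later secondary use would need.

```python
"""Added example (not the report's own code): a red-light camera pipeline that
keeps only violation evidence. All plates, timestamps and frames are constructed."""
from collections import deque
from dataclasses import dataclass
import hashlib

PRE_EVENT_FRAMES = 2  # assumption: two frames of approach context per violation


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds (constructed)
    plate: str      # stands in for the image of the vehicle (constructed)
    light: str      # signal state when the frame was captured: "red" or "green"
    in_zone: bool   # True if the vehicle entered the intersection in this frame


@dataclass(frozen=True)
class EvidenceRecord:
    plate: str
    ts: float
    frames: tuple   # violating frame plus at most PRE_EVENT_FRAMES context frames
    digest: str     # SHA-256 over the retained frames, for later integrity checks


class MinimalRetentionCamera:
    """Frames live only in a small per-vehicle buffer until the vehicle either
    commits a violation (buffer promoted to evidence) or leaves the field of
    view (buffer dropped). Nothing else is ever written to the evidence store,
    so the store cannot be repurposed to reconstruct lawful vehicles' movements."""

    def __init__(self) -> None:
        self._tracks = {}          # volatile, bounded per vehicle
        self.evidence = []         # the only persistent store
        self.frames_seen = 0

    def ingest(self, frame: Frame) -> None:
        self.frames_seen += 1
        track = self._tracks.setdefault(frame.plate, deque(maxlen=PRE_EVENT_FRAMES))
        if frame.light == "red" and frame.in_zone:
            kept = tuple(track) + (frame,)
            digest = hashlib.sha256(repr(kept).encode()).hexdigest()
            self.evidence.append(EvidenceRecord(frame.plate, frame.ts, kept, digest))
            del self._tracks[frame.plate]   # context frames now live in evidence only
        else:
            track.append(frame)             # oldest context frame falls off the end

    def vehicle_left(self, plate: str) -> None:
        """Called when the tracker loses the vehicle; lawful passages vanish here."""
        self._tracks.pop(plate, None)

    def retained_plates(self) -> set:
        return {rec.plate for rec in self.evidence}

    def pending_tracks(self) -> int:
        return len(self._tracks)


def run_sample() -> MinimalRetentionCamera:
    """Constructed traffic stream: ABC-123 and XYZ-789 pass lawfully, RED-001
    enters the intersection while the light is red."""
    cam = MinimalRetentionCamera()
    stream = [
        Frame(1.0, "ABC-123", "green", False),
        Frame(1.5, "ABC-123", "green", True),
        Frame(2.0, "RED-001", "red", False),
        Frame(2.5, "XYZ-789", "red", False),   # waiting at the line, not in the zone
        Frame(3.0, "RED-001", "red", False),
        Frame(3.5, "RED-001", "red", True),    # the violation
        Frame(4.0, "XYZ-789", "green", True),
    ]
    for frame in stream:
        cam.ingest(frame)
    cam.vehicle_left("ABC-123")
    cam.vehicle_left("XYZ-789")
    return cam


if __name__ == "__main__":
    cam = run_sample()
    print("frames seen:", cam.frames_seen)
    print("retained plates:", cam.retained_plates())
    for rec in cam.evidence:
        print(rec.plate, rec.ts, len(rec.frames), "frames", rec.digest[:16])
```

Running the sample stream retains one record, for the violating vehicle, out of seven frames seen. The design decision the text mentions is visible in the code: the evidence store is the only persistent structure, and there is no code path that writes a lawful vehicle's frames to it, which is what makes the retention policy a property of the system rather than of its operators' discretion.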
It could be argued that a video camera at the stoplight is no different in principle from posting a live police officer at the same place. A police officer can issue a ticket for a car that runs a red light, and if a live police officer on traffic detail at the intersection is not a threat to privacy, then neither is the placement of a video camera there. Others, however, would argue that a live officer could not accurately record all vehicles passing lawfully through the intersection, and could not be used to trace the movements of every vehicle passing through a busy intersection—lawfully or not—in the way that a video camera can. The image-retention capacity of a video system vastly exceeds that of even the most astute human observer and thus allows the tracking of all vehicles, not just those that are of interest at the time they move through the intersection. The images stored by the video system can, in principle, be not just those of vehicles that have violated the law, but of all vehicles that have passed by the camera.
In addition, information gathered by a video camera ostensibly deployed to catch cars running a red light can be used for other purposes, such as tracking the location of particular cars at particular points in time, or finding speeders (this would require combining of information from multiple cameras at multiple locations)—purposes that are not possible with a human officer. Further, when the images are stored, law enforcement agencies gain the capability to track what individuals have done in the past, and not just what they are currently doing. The worry is that once the information has been gathered and stored, it will be used in a variety of ways other than that for which it was originally intended. Such “feature creep” is possible because what is stored is the raw information, in image form, which can be used in a variety of ways.
Finally, video surveillance is far less expensive than the use of many human officers. From an economic point of view, it is impossible in large jurisdictions to station officers at every intersection, but placing a video camera at many intersections is much less expensive and within the means of many police departments. An important check on executive power has always been based on the allocation of resources, and if technology can enable a greater amount of police activity—in particular, more surveillance—for the same cost, the introduction of that technology changes the balance of power. Perhaps most importantly, this change in the balance of power is often unnoticed or not discussed—and when it is, a dispute about the amount of police activity must be resolved explicitly on policy grounds rather than implicitly on economic grounds.
Beyond video technologies such as those discussed above, there is also the prospect that emerging technologies can extend the reach of observation from public spaces into what have traditionally been private spaces. There has been some use of infrared detectors to “look through” walls and see into a suspect’s home;5 although the Supreme Court recently suggested that such law enforcement surveillance tactics might violate the resident’s “reasonable expectation of privacy” (Section 1.5.5), the courts have not categorically rejected the use of such sophisticated imaging devices. If environmental sensors become pervasive, it may in the near future become possible to infer the location of people from the information gathered for purposes such as energy conservation—and to infer identities by correlating that information with other recorded information (such as building access records).
The conditions under which law enforcement agencies will or should have access to such information raises difficult questions both of law and of policy. Concern over the potential use of such sensitive information lies at the heart of many privacy-based concerns about the deployment of such technologies. The deepest concern, from the privacy perspective, is the potential for combining constant and non-obvious data gathering and the ability to assemble the data gathered to give the effect of largely constant observation of any space, whether public or private. Such a prospect, combined with the temporally permanent nature of the data when they are stored, appears to give law enforcement agencies the ability to constantly monitor almost any place and to have access to a history of that place. Together with the ability to aggregate and mine the data that have been gathered (discussed below), this prospect would appear to give law enforcement enormous amounts of information.
The most serious issues arise if and when such technologies enable monitoring of specific individuals. Many present-day technologies indicate bodies, but not the identities of the persons who own those bodies. Future technologies may enable the identification of individuals—that is, the high-accuracy association of specific names with the bodies within view—in which case the privacy concerns are accentuated many-fold. (Even today, modern cell phones with location identification capabilities yield information about the whereabouts of individuals, because of the generally unviolated presumption that individuals carry their cell phones with them.)
Communications and Data Storage
Both communication and data storage technologies have long been of interest and use to the law enforcement community. Being able to observe and overhear the discussions of those suspected of breaking the law and to obtain records of criminal activity has been an important means for gaining evidence—but has also created inevitable threats to principles of privacy.
The primary difference between records and communications is that by definition, records are intended to persist over time, whereas communications are more transient. Transient phenomena vanish, and they are generally more private than persistent entities that can be reviewed anew, copied, and circulated. For this reason, technologies that threaten the privacy of records are often seen as less problematic than those that threaten the privacy of communications.
For keeping records private, the most common technique used has been to hide the records in a location known only to their owner. One can “hide” records by placing the file in a secret location (e.g., in an “invisible” directory on one’s disk, on a CD-ROM stored under the mattress or under a rock in the back yard or in a safe deposit box, or embedded secretly in another document). Today, there are few generally applicable technologies that enable law enforcement authorities to find records in a secret location without the (witting or unwitting) cooperation of their owner. Thus, debates over the appropriate balance between the privacy of records—even digital records—and the needs of law enforcement authorities for those records have been relatively straightforward, and based on the ability of law enforcement authorities to compel or trick the owner into revealing the records’ location. (The use of encryption to hide records, discussed in more detail below, presents a wrinkle in this debate, but the same techniques are available to law enforcement authorities to compel or trick the owner or others into revealing the decryption keys that would allow law enforcement access.)
But history paints a much different picture when it comes to communications. For the interception of telephone conversations, e-mail, and Internet-based communication, the proper balance between the claimed needs of law enforcement for access to such communications, and the privacy interests of persons who are the participants in the targeted communication, has been elusive and more difficult to define.
When the Bill of Rights was enacted, communication consisted either of spoken language (which could only be heard directly) or of written language. Written communications are a type of record, and such records can be obtained by law enforcement personnel as the result of a search (under rules covered by the Fourth Amendment). But what of written communications being sent through the mails—were these communications more like utterances made in public, and therefore not subject to the same explicit protections of privacy, or were they more like private records, covered by the protections of the Fourth Amendment?
In the case of mail carried by the U.S. Postal Service, the decision was that the outside of the mail (such as the address and return address) was public information, and not covered by the need for a search warrant,6 but that any communication inside the envelope was considered private and any viewing of that information by law enforcement required a search warrant obtained under the requirements of probable cause.7
As communication technologies advanced, the distinction between what was publicly available and what was private in those technologies became the crux of the debates about the privacy of those communications and what access law enforcement agencies had to the communication. Perhaps the best example concerns communication by telephone. When telephones were first introduced, the circuits were connected by an operator who often needed to listen in on the call to monitor quality, and most of the telephone lines were shared or “party” lines, allowing conversations to be heard by anyone with whom the line was shared (although good manners suggested not listening when the call was not for you).
With this history, it was generally held that discussions over a telephone were like discussions in public, so that law enforcement agents could listen in on such conversations, and could use in criminal prosecutions the contents of what they heard, with no oversight and without the consent of those whose words were monitored. Indeed, in Olmstead v. United States, 277 U.S. 438 (1928), the U.S. Supreme Court held that “the reasonable view is that one who installs in his house a telephone instrument with connecting wires intends to project his voice to those quite outside, and that the wires beyond his house, and messages while passing over them, are not within the protection of the Fourth Amendment. Here those who intercepted the projected voices were not in the house of either party to the conversation.” In so holding, it ruled that “the wire tapping here disclosed [in the case] did not amount to a search or seizure within the meaning of the Fourth Amendment,” and thus that telephone conversations were not protected or privileged in any way over ordinary speech outside the home. There was, in this view, no (rational) expectation of privacy for such conversations (although the term “expectation of privacy” had not yet come into use).
This view of telephone conversations lasted until 1967,8 when the Supreme Court ruled that there was, in fact, a constitutional expectation of privacy in the use of the telephone. By this time, operators were hardly ever used for the connection of circuits and were not expected to monitor the quality of phone conversations, nor were most phone lines shared. However, the decision that there was an expectation of privacy in such conversations lagged significantly behind the technological developments that created such an expectation. At this point, the court decided that telephone calls were like physical mail, in which each call had a public “outside” and a private “contents.” The public envelope contained the information necessary to establish the circuit for the call (including the phone from which the call was being made and the phone to which the call was made) but did not include the contents of the call, which was considered private. Gaining legal access to that part of the call required a warrant issued by a judge after a showing of probable cause.
The last two decades have seen a novel set of communication technologies become generally available. The Internet, encompassing both electronic mail and the World Wide Web, has provided new mechanisms for communication. The Web allows one-to-many communication, enabling nearly everyone to be a publisher for very little cost. Electronic mail allows communication between parties in ways that are fast, efficient, and highly resilient to failure. The cell phone network has changed many of the old limitations on telephony, allowing conversations between people who are mobile. New emerging technologies such as voice-over-IP, in which telephone-like communication can be carried over the same Internet using protocols first designed for data transmission, merge the functionality of voice networks with the underlying technologies of data networks.
New communication technologies are of obvious interest to law enforcement agencies. Some law enforcement officials see the Web sites that a person visits, or the e-mail that a person sends or receives, as information that could be relevant to the prosecution of criminals. On that basis, they have argued that law enforcement agencies should have legal access to such information equivalent to that available for telephone conversations. Law enforcement officials currently have access to pen registers and trap-and-trace registers on telephone calls, which show what calls were made from a particular phone (pen registers) or to the phone (trap and trace). The installation or attachment of pen registers and trap-and-trace registers does require a court order, but obtaining such an order need not overcome a high standard of probable cause, requiring only a request by the law enforcement agency. Similarly, because agents can discover the source and destination of paper mail simply by observing an envelope, it has been argued by analogy that law enforcement agencies should have access to the destinations of Web browsing and e-mail messages. Those who are troubled by this analogy note (correctly) that on the Internet addressing information cannot easily be separated from the content of the message, a distinction that is central to the availability of routing information for telephone calls and paper mail (Box 9.1).
In a similar fashion, cell phone networks are quite different from those that connect landlines. Cell phone networks allow the users to move while a call is in progress. This new functionality requires that the “circuit” connecting the cell phone and the rest of the network go through a series of connections, depending on the cell that is handling the phone. As the phone moves from one cell to another, technical handoff protocols allow the voice traffic to be moved from cell to cell without the interruption of service. While the voice service being offered is similar to that provided by landlines, the technology underlying the network is very different.
The claim that law enforcement should have access to Internet and cell phone communication rests on analogies drawn between these sorts of communication and more traditional communication mechanisms such as landline phones and physical mail. However, the technology needed to provide the same capabilities is very different, as the characteristics of the networks underlying the communication mechanisms are very different. The separation of information that made it possible to provide the “public” information without compromising the “private” information is a property of the underlying network. While it is possible to separate seeing the addressing information on a piece of sealed physical mail from seeing its content (although the letter could always be surreptitiously opened), there is no easy equivalent physical separation for electronic mail.
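The contrast between the two kinds of “envelope” that this paragraph and the earlier discussion of pen registers draw on can be shown in code. The example below is added here and is not from the report or its Box 9.1; the IP addresses, host names and message are constructed, and the TCP header is omitted for brevity (the packet is not a valid wire packet). Reading the source and destination addresses of an IP packet is a fixed-offset lookup in the header that never touches the payload, much as reading an envelope never opens it; learning which mailbox is writing to which requires parsing the SMTP payload, and the bytes that carry those addresses also carry the subject and body.

```python
"""Added example (not from the report or Box 9.1): why the 'outside of the
envelope' is easy to read for an IP packet but not for the e-mail it carries.
Addresses, host names and message text are constructed."""
import re
import socket
import struct
from email import message_from_bytes

SMTP_ENVELOPE = re.compile(rb"^(MAIL FROM|RCPT TO):<([^>]*)>", re.M)


def build_ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 6 = TCP, checksum left zero).
    The TCP header is omitted for brevity; this is not a valid wire packet."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def envelope_addresses(packet: bytes) -> tuple:
    """Network-layer routing information sits at fixed offsets 12..19 of the
    header; it can be read without touching a byte of the payload."""
    src, dst = struct.unpack_from("!4s4s", packet, 12)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def mail_addresses(packet: bytes) -> dict:
    """Who is mailing whom is inside the payload, and the same byte stream
    carries the message itself, so a 'pen register' for e-mail necessarily
    processes content as well as addressing."""
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl:]
    commands, _, rest = payload.partition(b"DATA\r\n")
    message, _, _ = rest.partition(b"\r\n.\r\n")   # SMTP end-of-data marker
    mail_from, rcpt_to = None, []
    for verb, addr in SMTP_ENVELOPE.findall(commands):
        if verb == b"MAIL FROM":
            mail_from = addr.decode()
        else:
            rcpt_to.append(addr.decode())
    msg = message_from_bytes(message)
    return {
        "mail_from": mail_from,
        "rcpt_to": rcpt_to,
        "subject": msg["Subject"],        # content, adjacent to the addressing
        "body": msg.get_payload(),         # content, in the same stream as the addresses
        "content_bytes_traversed": len(message),
    }


# Constructed client side of an SMTP session; the server replies are omitted.
SAMPLE_SESSION = (
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"DATA\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.org>\r\n"
    b"Subject: Lunch?\r\n"
    b"\r\n"
    b"See you at noon.\r\n"
    b".\r\n"
)
SAMPLE_PACKET = build_ipv4_packet("192.0.2.10", "198.51.100.5", SAMPLE_SESSION)

if __name__ == "__main__":
    print("IP envelope:", envelope_addresses(SAMPLE_PACKET))
    print("mail addressing:", mail_addresses(SAMPLE_PACKET))
```

The IP header names two mail servers, not two people; the mailbox addresses, which are what the pen-register analogy is after, appear only after the parser has walked through the same bytes that hold the subject line and the body.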
Debates over law enforcement access to Internet and cell phone communications also reveal another point of contention that is rarely acknowledged explicitly: whether the protection of privacy should be a property afforded by technology or by policy. Those taking the position that the protection of privacy should be technologically based argue that technologically based assurances of privacy cannot be easily circumvented by capricious changes in policy or by law enforcement personnel acting outside their authority. A more moderate version of this position is to build technology that enforces policy rigidly, so that, for example, a wiretap that requires legal authorization from a judge cannot physically be performed without a one-time-use key (physical or logical) that is available only from a judge. Thus, grounding privacy protection in technology eliminates or reduces the need to trust law enforcement authorities to respect the privacy rights of law-abiding citizens, and advocates of this position often justify their position by references to past government violations of privacy.
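One way to build the “technology enforces policy” variant just described, as an added example that is not from the report: the intercept function refuses to run unless it is handed a one-time token that a court issued for exactly that target and that has neither expired nor been used before. Names, keys and timestamps are constructed, and the token is a keyed hash over a key shared between court and service, which is a simplification; a deployed design would have the court sign with a private key so that the service could verify tokens but never mint them.

```python
"""Added example (not from the report): an intercept capability that the
technology refuses to exercise without a one-time authorization token issued
by a judge. Keys, targets and timestamps are constructed. Simplification: the
token is an HMAC over a shared key; a deployed system would use a public-key
signature so the intercepting service cannot mint its own tokens."""
import hashlib
import hmac
import secrets
from typing import Optional

JUDGE_KEY = secrets.token_bytes(32)   # held by the court; constructed for the demo


def _token_message(nonce: str, target: str, expires_at: int) -> bytes:
    return f"{nonce}|{target}|{expires_at}".encode()


def issue_authorization(judge_key: bytes, target: str, expires_at: int) -> dict:
    """Court side: bind a fresh nonce to one target and one expiry time."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(judge_key, _token_message(nonce, target, expires_at),
                   hashlib.sha256).hexdigest()
    return {"nonce": nonce, "target": target, "expires_at": expires_at, "mac": mac}


class InterceptService:
    """Service side: the wiretap function cannot run without a valid, unused,
    unexpired token for exactly the requested target. Every decision is
    appended to an audit log so that refusals are visible after the fact."""

    def __init__(self, verify_key: bytes) -> None:
        self._verify_key = verify_key
        self._spent_nonces = set()
        self.audit_log = []

    def _refuse(self, target: str, reason: str) -> dict:
        self.audit_log.append(("REFUSED", target, reason))
        return {"allowed": False, "reason": reason}

    def intercept(self, target: str, token: Optional[dict], now: int) -> dict:
        if token is None:
            return self._refuse(target, "no authorization")
        expected = hmac.new(self._verify_key,
                            _token_message(token["nonce"], token["target"],
                                           token["expires_at"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return self._refuse(target, "forged or altered token")
        if token["target"] != target:
            return self._refuse(target, "token issued for a different target")
        if now > token["expires_at"]:
            return self._refuse(target, "token expired")
        if token["nonce"] in self._spent_nonces:
            return self._refuse(target, "token already used")
        self._spent_nonces.add(token["nonce"])    # one-time use
        self.audit_log.append(("ALLOWED", target, token["nonce"]))
        return {"allowed": True, "reason": "authorized"}


if __name__ == "__main__":
    service = InterceptService(JUDGE_KEY)
    order = issue_authorization(JUDGE_KEY, "line-42", expires_at=1000)
    print(service.intercept("line-42", None, now=500))     # refused
    print(service.intercept("line-42", order, now=500))    # allowed once
    print(service.intercept("line-42", order, now=600))    # refused: already used
    for entry in service.audit_log:
        print(entry)
```

The checks are ordered so that an unsigned or altered token is rejected before anything else is examined, and the spent-nonce set is what turns a court order into a single use rather than a standing capability.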
By contrast, those who argue that policy considerations should be the source of privacy protections note that without special attention, changing technologies can also change the pre-existing balance between privacy protection and law enforcement access—a balance that has been obtained through the policy-making process, and thus should be changed only by that process (rather than by technological advancement). Further, they argue, procedural protections—such as excluding evidence obtained through improper techniques and strict enforcement of internal regulations against improper behavior—suffice to deter abuse of authority. Thus, proponents of this position argue that technological developments in communications should be guided or regulated in such a way that they do not compromise the communications access capabilities that prior policy decisions have endorsed and sanctioned. Policy decisions and law, rather than ever-changing technology, should determine functionality and use.
These differences in perspective have played out many times in recent years, notably in debates over the Communications Access for Law Enforcement Act (CALEA) and over encryption. CALEA required that telecommunications providers build into their networks and switching systems the capability to provide the contents of voice communications to law enforcement authorities (subject to all of the existing restrictions on such wiretaps imposed by law) regardless of the technology used. Thus, debates have arisen about the extent and nature of technological measures needed to comply with this regulation with technologies in use such as voice-over-IP and cellular technology.
BOX 9.1 Telephone Networks, Data Networks, and the Law
Much of the law having to do with access by law enforcement and national security agencies to data networks has been drawn from similar laws dealing with telephone networks. Indeed, notions of tapping a communication line and establishing pen registers, and decisions about when a warrant is needed for data communications, often make explicit reference to the decisions and laws governing the phone network. Intuitively, such an extension from the phone system to data networks like the Internet makes sense. Both are communication networks, and much of the traffic that is now carried over the Internet (such as e-mail and newsgroups) was originally carried over the phone lines. However, these analogies lead to confusing and contradictory results, since the technology underlying data networks such as the Internet and the technology that underlies phone networks are intrinsically different in ways that are relevant to the decisions that have been made.
Traditional phone networks are circuit based. When a phone call is initiated, information is supplied to the network that allows a bidirectional connection to be made between the caller and the phone being called. In early incarnations of the phone network, this was done by calling an operator, who would literally connect a cable that would complete the connection between the two phones. Automated switching and dialing have eliminated the operator, but the idea is the same: when you dial a call, the switching hardware is used to create a connection between the two phones that is unshared, is bidirectional, and carries the signal that is the conversation between one phone and the other.
Unlike the traditional phone network, the protocols that are the basis of the Internet are packet based. Rather than establishing a circuit between the sender of information and the receiver and then sending the information over that circuit, any message is broken into chunks, with each chunk being wrapped with information about its destination and each being sent over the network. These packets are sent from one machine to another, with each machine looking at the information having to do with where the packet is to be sent and forwarding that packet. Different packets may take very different routes to the same destination. At the final destination, the packets are reassembled into a single message, which is then delivered to the intended recipient.
One of the major differences between a packet-based network and a circuit-based network is that a packet-based network mixes the routing information with the information being sent over the network. In a circuit-based network, the routing information is used only to establish a circuit; once the circuit is established this information is not needed. Further, during the establishment of the circuit, no content is sent or revealed. Packet-based networks make no such separation between the routing information and the content—indeed, these two kinds of information are present in all of the packets.
These differences may seem minor until we see how the law has been extended from one kind of network to the other. For example, the law concerning interception of communication on a traditional phone network distinguishes between a pen register, which allows the recording of the establishment of a call (essentially, a trace of all of the calls made from a particular phone, showing the numbers to which the calls were made), and tapping the phone, which allows listening in on the conversation. The burden of proof for a pen register is much lower than that for a phone tap. Such a distinction makes sense in the case of the traditional phone network, where the information gathered as part of the pen register is concerned with the setting up of the circuit, which happens in a fashion that is distinct from the carrying of information over the circuit.
Extending the distinction between a pen register and a full tap is not so easy in the case of a packet-based network. As with phone networks, requests by law enforcement agencies for information about the recipients of messages from a computer require much less cause for granting than requests to intercept the content of such messages. However, since the routing information is mingled with the content, it is not clear how the observation of the routing information can be done in such a way that the content of the messages is not also revealed.
Circuit-based networks also dedicate a separate circuit to each connection, keeping the contents of each circuit separate. This allows the tapping of a particular telephone conversation to be done without the observation of the contents of other telephone conversations. In packet-based networks, there is no such isolation of contents. Packets from all communications are mixed together on the same network, and it is only by the observation of the packets that one can tell which packet is part of which communication. This also means that any attempt to view the contents of one communication on such a packet-based network can require the observation of many other communications over that network.
There have been attempts to interpose technology on packet-based networks in an attempt to allow pen registers and isolated tapping of communications in such networks. One such attempt was the Carnivore program,1 which interposed a piece of specialized hardware between the network and the observers of network communications. The purpose of the hardware was to pass along to law enforcement officials only those packets that they had legal authorization to read, but to do so the hardware had to observe all packets passing by. However, critics noted that the hardware was under the control of the very agencies that were doing the observation, and that the process required trust in the law enforcement agency using the hardware to configure it properly (i.e., to pass along only the legally authorized information) without external oversight.
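The pen-register problem on a packet network, as an added example that is not part of the report: a small IPv4/TCP parser and a hypothetical Carnivore-style monitor that can retain either addressing data only ("pen register") or content as well ("full tap"). The packets, addresses and the monitor class are constructed for illustration; the point it makes concrete is that the device must read every byte of every packet on the shared link, including third parties' content, before it can decide what it is authorized to keep.

```python
"""Added example, not from the report: a minimal IPv4/TCP parser with a
"pen register" mode (addressing data only) and a "full tap" mode (content
too). On a packet network the monitor must read every byte of every packet,
other people's content included, before it can decide what to retain.
All packets are constructed sample data; PacketMonitor is hypothetical."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PenRegisterRecord:
    """What a pen register is allowed to keep: addressing, never payload."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload_len: int


def _ip2bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Construct an IPv4 + TCP packet (20-byte headers, no options, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         _ip2bytes(src_ip), _ip2bytes(dst_ip))
    # seq/ack 0, data offset 5 words (0x50), flags PSH|ACK, window, checksum, urgent ptr
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(pkt: bytes):
    """Split a packet into its addressing record and its payload.
    Routing data and content arrive in the same datagram: there is no way to
    read the headers without also having the content in hand."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    return PenRegisterRecord(src_ip, dst_ip, src_port, dst_port, len(payload)), payload


class PacketMonitor:
    """Hypothetical filter that retains traffic of one authorized address only,
    in pen-register or full-tap mode, while counting everything it had to see."""

    def __init__(self, target_ip: str, mode: str):
        if mode not in ("pen_register", "full_tap"):
            raise ValueError("mode must be 'pen_register' or 'full_tap'")
        self.target_ip, self.mode = target_ip, mode
        self.packets_observed = 0   # every packet on the wire, authorized or not
        self.bytes_observed = 0
        self.retained = []          # what is actually handed to investigators

    def observe(self, pkt: bytes) -> None:
        self.packets_observed += 1
        self.bytes_observed += len(pkt)
        record, payload = parse_packet(pkt)      # content is read here regardless
        if self.target_ip not in (record.src_ip, record.dst_ip):
            return                               # third-party traffic: seen, then dropped
        if self.mode == "pen_register":
            self.retained.append(record)         # addressing only; payload discarded
        else:
            self.retained.append((record, payload))


# Constructed traffic from several unrelated hosts sharing one link.
SAMPLE_TRAFFIC = [
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, b"MAIL FROM:<alice@example.com>\r\n"),
    build_packet("10.0.0.7", "192.0.2.20", 40001, 80, b"GET /news HTTP/1.0\r\n\r\n"),
    build_packet("192.0.2.10", "10.0.0.5", 25, 40000, b"250 OK\r\n"),
    build_packet("10.0.0.9", "192.0.2.30", 40002, 443, b"\x16\x03\x01" + b"\x00" * 40),
]


def run_monitor(mode: str, target_ip: str = "10.0.0.5") -> PacketMonitor:
    """Feed the shared link to a monitor authorized only for target_ip."""
    monitor = PacketMonitor(target_ip, mode)
    for pkt in SAMPLE_TRAFFIC:
        monitor.observe(pkt)
    return monitor


if __name__ == "__main__":
    pen = run_monitor("pen_register")
    print(f"observed {pen.packets_observed} packets / {pen.bytes_observed} bytes,"
          f" retained {len(pen.retained)} addressing records:")
    for rec in pen.retained:
        print(" ", rec)
```

Compare `packets_observed` with `len(retained)`: the monitor touched all four hosts' traffic to deliver two addressing records, which is exactly the oversight gap the critics of Carnivore pointed to.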
In the case of encryption, the past 20 years have seen a revolution in easy access to encryption technology, and easy access to high-grade cryptography has the potential to change the balance between individuals and their government (Box 9.2). With encryption widely available today, it is now possible for agencies to have physical access to data but not be able to interpret the data without the cooperation of parties with access to the relevant decryption keys.
Law enforcement authorities have expressed concerns that the use of encryption by criminals would stymie access to communications and records important to prosecution. A problem arises because encryption is also a tool that can be used to prevent many crimes—theft of proprietary data, identity theft, non-authorized wiretapping, and so on.
To address this issue, the U.S. government proposed in the 1990s a concept of encryption known as key escrow, in which strong encryption systems would be allowed subject to the proviso that the decryption keys for such systems be placed in a database that could be accessed by the government under certain conditions.9 While the initial plans for such a database required that access be protected by ensuring court review, privacy objections to the plan were based on the inability of the government to guarantee that such review would always be required and that the requirement for such a review would always be followed. Furthermore, implementing key escrow would potentially introduce additional security vulnerabilities that non-governmental entities could exploit. For these and other reasons unrelated to the protection of personal privacy, key escrow systems for communications have largely been abandoned.10
Technology and Identification
Observation of the physical presence of a person, or the ability to intercept the communications of a person, is most useful to law enforcement if the person who is being observed, or whose communications are intercepted, can be identified. Identification is essential to enable multiple observations or communications to be correlated. It is the identity of the individual that allows a coherent picture to be pieced together from the set of observations and communications that have been taken. Even when sure identification of the individual is impossible, the ability to limit the identity to a member of a small group might be enough to make the information useful in an investigation. Further, the ability to identify an individual is essential to the capturing of that individual once it has been determined that there is reason to prosecute that individual for some violation of law.
BOX 9.2
For many years, strong encryption algorithms were the property and province of government, since the ability to generate good encryption algorithms and to build the machinery to employ those algorithms was prohibitively expensive for most corporations, let alone individuals. However, the combination of much faster computing machinery and the development of public-key cryptosystems (along with the expanded interest in other cryptographic systems) has brought within the abilities of an individual the capacity to encrypt all of his or her data in a way that makes it extremely difficult (or impossible) and costly for law enforcement agencies to read that data.
Such cryptographic techniques are no longer limited to computer-based communication systems. As more and more communication systems move to a digital base, it becomes progressively easier to apply the same cryptographic techniques used in computers to those other communication channels. Cell phones, which are now reaching the computational capacity found only on desktop computers as recently as 3 to 5 years ago, are now capable of performing reasonable-grade cryptography on voice communications.
One method to prevent criminal use of encryption would be to forbid private encryption, making the private possession of encryption devices an offense by itself. This is not feasible for two reasons. First, it would necessarily outlaw the legitimate applications of cryptography, such as those used to secure networks, enable safe electronic commerce, and protect intellectual property. Second, it would be largely impossible to enforce, since any general-purpose computer (including anyone’s desktop machine) can be programmed to provide encryption capabilities. Consider, for example, software cryptographic systems such as Pretty Good Privacy (PGP) that are easily obtained in open-source form and can be built and run by users with little technical sophistication, or commercial operating systems such as Mac OS X and Windows that include features that allow all of the user’s data to be encrypted (in the case of the Macintosh, using a U.S. government-approved encryption algorithm). Utilities such as the secure shell (SSH) allow easy encryption of data over the network.
Historically, the U.S. government’s position on cryptography reflected the premises that drove the asserted need for national security access to data. By limiting the economic viability of developing strong cryptographic systems (by, for example, making it difficult for U.S. information technology vendors to export such systems), the spread of strong cryptography internationally was inhibited for many years, and this phenomenon had the collateral effect of inhibiting the domestic use of cryptography as well. Law enforcement considerations were much more prominent in the key escrow proposal, which the administration floated in the mid-1990s as an intermediate step between weak encryption and the widespread availability of strong encryption.
The most common form of identification is that which occurs when some other person directly observes and identifies a suspect or target. However, such identification requires that the person to be identified must first be known to the person doing the identification. The most common form of identification not dependent on personal knowledge of the suspect or target involves the use of identification documents. Such documents are often government issued, although there is currently no single governing standard in the United States for whom and under what circumstances such a document is issued. Indeed, the chain of documents used to establish identity often leads through multiple governmental bodies; passports (which are issued by the federal government) are often issued based on identity established via a driver’s license (issued by the state government) and a birth certificate (usually issued by the city or county). This documentation chain is long enough and the connections between the documents tenuous enough that it is often possible to obtain fraudulent identification.11
The task of identification in the law enforcement context is complicated by at least two factors. The first is that the person who is the subject or target may wish to remain anonymous, and will thus have done whatever is possible to preclude or at least hamper accurate identification. This process does not entail identification in the sense of authentication, where all that is at issue is whether or not the subject is who he or she claims to be with respect to some (often non-personal) standard of eligibility, but rather full-fledged identification, where the task is to determine, often in the face of falsified evidence or testimony, a person’s true identity.12 The second complicating factor is that law enforcement can seek to identify a subject at various times during an investigation, using different types of evidence. Such evidence might be the reports of an eyewitness or might involve more circumstantial evidence (such as the use of a computer or cell phone at a particular time).
Biometrics is a technology that has long been used to aid in the identification of persons. Perhaps the best known biometric identification system involves the use of fingerprints. The use of fingerprints for identification is possible because of two factors: the putative uniqueness of a person’s fingerprints and their relatively unchanging nature over time. Because of these characteristics, fingerprints can be used to identify a subject as the same person over time (although not identify who that person is, unless there are prior records that associate a particular fingerprint with a particular individual on the basis of still other records or accounts).
11 National Research Council, IDs—Not That Easy: Questions About Nationwide Identity Systems, Stephen T. Kent and Lynette I. Millett, eds., National Academy Press, Washington, D.C., 2002.
12 Recall that Section 1.5.1 of this report comments on the issue of a person’s “true” identity.
The ability to identify a person consistently over time is all that is needed to knit together the information that might be gathered about an individual through observation (either direct or indirect) or through the interception of communications. Technology is beginning to provide a number of such biometric measures that are of interest to law enforcement agencies. Emerging as an identification mechanism on a par with fingerprints is DNA profiling, which has been used in court cases to establish that a subject is (or is not) the person who left some DNA at a crime scene. Other biometrics that can aid in uniquely identifying a person, such as palm prints or retinal scanning, are being investigated as mechanisms to ensure the identity of a person, both by law enforcement agencies and to aid in the control of access to secure areas. None of these forms of identification is foolproof, with some (like fingerprints and DNA profiling) offering a high degree of accuracy, and others (such as palm prints, retinal scanning, or voice prints) having a lower degree of accuracy today. Most must be measured either in the laboratory or in carefully controlled conditions.
The aforementioned biometric mechanisms share a third characteristic: most currently require that the person being identified be in close proximity to or in actual contact with the device that is doing the reading of the biometric identifier, and are therefore seldom if ever used without the knowledge (and, often, without the consent and active participation) of the person being identified. Of even greater interest to the law enforcement community and relevance to issues of privacy are a set of biometric identification techniques that can be used from a distance without the knowledge or consent of the person being identified. Such remote identification techniques offer the promise of being able not only to identify individuals as part of routine observation, but also to aid in the capture of fugitives by enabling covert identification in a broad set of contexts.
Perhaps the best known remote identification technique is automated facial recognition, which attempts to identify a person from the characteristics of his or her face. This technology is currently being used in a number of prototype systems. The technology allows automated matching from a database of pictures to images that can be taken from photographs or video streams. Especially in the case of video streams, facial recognition technology promises to allow the identification of individuals from a distance and without their knowledge (or consent). However, the results of the use of this technology have been mixed, at best, in all but the most controlled of conditions. In addition, there have been few real tests of the efficacy of facial recognition technology in the kinds of environments that are of most interest to law enforcement agencies that have not been conducted by self-interested parties (e.g., the vendors of such technology). Without independent analysis by uninvolved parties, it is difficult to assess the real promise of such technology.
In the same way that facial recognition technology might be combined with the visual observation technologies to enable the tracking of the activities of a person, the biometric of voice recognition can be used as an identification mechanism for vocal forms of communication. Voice recognition technologies are reasonably robust in controlled environments (making them excellent choices for some forms of access control) but are less so in noisy environments.
Other biometric identification mechanisms have also been proposed or are being actively studied. Among those listed by the International Biometric Group13 as having “reduced commercial viability or in exploratory stages” are odor recognition, through which an individual can be identified by his or her smell, and gait recognition, in which a person can be recognized by the way in which he or she walks.
Today, the technology is relatively immature for remote biometric identification and/or identification without the consent or participation of the individual being identified, and in no meaningful sense can remote biometric identification technology be said to usefully work. Thus, there exists an opportunity for discussion of the privacy aspects of the technology to begin before the systems have been fully formed.14 This fact allows, for example, discussions of such things as the repurposing of the identification information or the long-term storage of information coming from such systems before the systems are actually built. The premature deployment of these technologies has made everyone more aware of the problems that can arise because of false positive identifications. By understanding the limitations of these technologies, it is also possible to design the systems using the technologies for those contexts in which they can be most valuable, rather than thinking that they can be extended to any environment.
13 International Biometric Group, “What Are the Leading Biometric Technologies?,” available at http://www.biometricgroup.com/reports/public/reports/biometric_types.html, accessed June 14, 2006.
14 Non-consensual and/or remote identification of individuals poses by far the most serious privacy issues, as compared to identification techniques that require consent. However, this is not to say that biometrics of all kinds do not pose other issues. A forthcoming CSTB report on biometrics will address these points in greater detail than is possible here, but as one example, consider the possibility that a biometric identifier might somehow be compromised. “Gummi bear” fingerprint duplicates have been used to fool fingerprint readers, thus raising the question of how a biometric identifier might somehow be revoked.
Presented in such a way, the debate over the use of biometrics could be an example of how the development of such technology can be more effectively, more rationally, and less contentiously considered in relation to privacy and related values. The technology has great promise but also is open to significant abuse. By raising the issue before it is too late to shape the direction of the technology, the development of biometric identification might offer a model case study for future technologies that pose issues arising from conflicting societal needs.
Biometrics technology by itself is not inevitably privacy invasive. However, when combined with the various forms of surveillance technologies discussed in the previous section, such identification technologies (especially those that allow identification at a distance in a non-invasive fashion) permit the repeated collection of information about individuals and linking of information to that individual. This in turn can be used to populate a database that stores information on where a person has been and when he or she has been there.
Aggregation and Data Mining
Databases, generally in paper format, have long been created and maintained on the habits, histories, and identifying characteristics of those who have been arrested, convicted of breaking laws, or are otherwise considered by law enforcement agencies to be a “person of interest.” For example, collections of fingerprints of individuals have been assembled and kept at both the local and national level since the early parts of the 20th century, when it was determined that identification by fingerprint could be used in linking individuals to violations and in locating them for arrest and trial.
Computers were adopted early by law enforcement agencies in order to improve their ability to collect, collate, manipulate, and share information. Moving information into computer databases, rather than keeping it in paper files, allowed the information to be searched, located, shared, and cross-referenced in ways that were previously impossible. By vastly increasing the amount of information that could be gathered and stored and by introducing new ways in which that information could be retrieved and correlated, the computer soon became an indispensable tool in law enforcement.
What has changed is the amount of digital information generated and stored about everyone. Almost every activity in modern life, from grocery shopping to surfing the Web to making a phone call, generates some record in a database somewhere. The sum total of these records, which might be described as our “digital shadow,” provides a view into the activities of a person that can reveal activities, interests, tastes, and routines. For law enforcement agencies, these digital shadows can also provide a rich environment for investigation and evidence gathering.
How much of this digital shadow is available to law enforcement agencies, and under what circumstances that information should be available, are currently open questions. Some databases compiled by the federal government, such as those of the Census Bureau, are protected by statutorily enforced confidentiality guarantees, and law enforcement agencies do not have legal access to them. General federal databases are open to law enforcement examination but are governed by the Privacy Act of 1974, which requires that databases containing individually identifying information be identified to the public and that those whose information is stored in those databases be allowed to have access to the information and to correct or amend the information within the database. (This issue is addressed further in Section 9.3.)
Also of interest (and concern) from the privacy perspective are the data gathered and stored by non-governmental agencies. This information would include most of the digital shadow of any individual, including financial information, transaction histories, and the myriad other forms of data that are accumulated about each of us in our everyday lives. Some of this information (such as personal health information stored in one’s medical record) is mostly private under existing law. But the vast majority of the information gathered and stored by third parties (such as banks or other financial institutions) has been determined by the courts and legislation not to be private records and is routinely available to law enforcement agencies. When that information is stored electronically, there are fears that the information can be shared and linked even more easily. The end result is that the amount of information that is available to a law enforcement agency about any particular individual is considerable, and the tools that can be used to comb through that information continue to grow in sophistication.
The valid concerns created by the vast amount of information available to law enforcement agencies should be tempered by the realization that the process of aggregating such information is not a simple undertaking. When talking about the information that is gathered by law enforcement agencies, people often speak as if there were a single database containing all of the information about a particular person, or even a single database containing all of the information about all persons. In fact, this is far from the case. Different law enforcement agencies at different levels of government (local, state, federal) do not share a single mega-database of information. Different agencies even at the same level of government maintain their own distinct data repositories. Even within a particular law enforcement agency, there are many different databases, in many different forms, containing the information gathered on individuals. These databases may not share formats, or even have compatible mechanisms for identifying an individual.
As discussed in Section 3.9, aggregation of the information in such databases is not a trivial undertaking. Generally these databases have been designed with different keys, different fields, and different ways of interpreting the fields.
The task of formulating queries that will be understood by multiple databases or in interpreting the results from any such queries requires that the person formulating the query know the details of each of the databases. This task can easily become more complex than current techniques can handle, although in any given instance and with sufficient work, the task is often doable. For example, consider the seemingly simple problem of identifying a person in multiple databases. The name of the person is generally not sufficient for unique identification. Some number can be assigned to the individual, but it is unlikely that the number will be the same from one database to the next unless that number has some other significance (such as being the person’s Social Security number).
Nor is it the case that the information gathered by law enforcement, even when in digital form, can always be easily manipulated or aggregated with other information. For example, the video taken from observation cameras may be in digital form, but it is not captured in a form that can easily be manipulated by the computer or correlated with other digital information. To correlate the digital shadow of an individual with the movements of that person as shown by video cameras requires that the video camera images be identified as those of a particular individual. To convert from data that represents information about the light that entered the video lens to information about the location of some person requires the ability to recognize the pictures on the video as particular individuals. As noted above, remote identification technology that will aid in this conversion is currently being developed, but it is far from being in a state that allows even the most sophisticated of government agencies to routinely convert observation information into something that could be used in data-mining applications.
In fact, very little technology exists that allows the automatic conversion of the kinds of raw data collected by the sophisticated sensors discussed above into a format that permits the data to be mined or otherwise collated. If law enforcement agencies have the raw data (in the form of, say, video images from cameras in public places) that would allow them to trace the movements of a person, the technology today will allow that tracing only by the application of large amounts of human effort (a law enforcement agent watching all of the tape for all of the places that a person might have been). Nor is there any feature today that permits these raw data to be converted into information in a fully automated fashion. While there have been attempts to automate such a conversion in the fields of image processing, years of research have failed to move the techniques to a level beyond the most basic, in which images of people (rather than a particular person) can be distinguished from images of other environmental features such as houses or plants. The same also holds for thermal imaging devices, which yield only very crude representations of heat patterns and cannot provide much identification information by themselves. Today, it appears that the automated recognition of individuals will be a labor-intensive activity for the foreseeable future.
Even the much simpler task of identifying the drivers of vehicles that have been photographed running a stoplight cannot currently be automated. In this case, all that is required is identifying the license number on the car, a much simpler task than recognizing a person from a photo of his or her face. But even this seemingly simpler process cannot be executed with the level of fidelity needed for law enforcement purposes, which requires human mediation in the recognition of which car was pictured.
The ability of the police to reconstruct movements of a person of interest has been misconstrued by many as an indication that law enforcement agencies can follow the movements of anyone in an ongoing fashion. However, reconstructions (which often use as data positional information from cars, video images from various public and commercial locations, and the like) are time-consuming, human-intensive activities that can only be done by using the known location of the individual at a given time to reduce the search space of possible locations at a previous time. Connecting the dots, in such cases, is possible only because a human being is looking for a known person at each of the locations where the known “dot” might be present, and when finding such a location is using that information to cut down on the next places to search. It is not an activity that can be fully automated, nor is it one that could be easily and routinely performed for broad segments of the population.
Even if we restrict the supposed data mining to the information in an individual’s digital shadow, there are problems inherent in data aggregation. The same information can be represented in very different ways in different databases. Correlating information between those databases is a non-trivial problem, generally requiring significant design and programming to ensure that the information can be interpreted in a consistent way across the databases.
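To make the aggregation problem concrete, the following added example (illustrative code written for this page, not part of the report) constructs two small record sets that describe the same people under different conventions: one stores names as "LAST, FIRST" with U.S.-style dates and formatted phone numbers, the other stores "First M. Last" with ISO dates and loosely punctuated numbers. All identifiers, names and numbers are made up. A join on the raw values links nothing; only after each field is normalised do the records line up, and the choice of which fields form the linkage key decides whether a record with a one-digit discrepancy in the date of birth is treated as the same person or a different one.

```python
"""Record linkage across heterogeneously formatted databases (added example).

Two constructed record sets describe the same individuals using different
conventions. Joining on raw values finds no matches; joining on normalised
keys does. Every name, date and number here is invented.
"""
from datetime import datetime
import re

# Constructed sample records, not real data. DB_A mimics a registry that
# stores "LAST, FIRST", MM/DD/YYYY and "(NNN) NNN-NNNN"; DB_B mimics a
# commercial file with "First M. Last", ISO or textual dates, and assorted
# phone punctuation.
DB_A = [
    {"id": "dmv-1", "name": "LOPEZ, MARIA", "dob": "03/09/1975", "phone": "(555) 010-2233"},
    {"id": "dmv-2", "name": "CHEN, WEI", "dob": "11/30/1988", "phone": "(555) 010-7788"},
    {"id": "dmv-3", "name": "SMITH, JOHN", "dob": "01/02/1960", "phone": "(555) 010-0001"},
]
DB_B = [
    {"id": "loy-A", "name": "Maria L. Lopez", "dob": "1975-03-09", "phone": "555.010.2233"},
    {"id": "loy-B", "name": "Wei Chen", "dob": "30 Nov 1988", "phone": "+1 555 010 7788"},
    # Same name and phone as dmv-3 but the birth year differs by one:
    # a typo in one source, or a different person? The data alone cannot say.
    {"id": "loy-C", "name": "John Smith", "dob": "1961-01-02", "phone": "555-010-0001"},
]

DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d", "%d %b %Y")


def normalize_name(raw: str) -> str:
    """Reduce 'LAST, FIRST' and 'First M. Last' to lowercase 'first last'."""
    if "," in raw:
        last, first = (part.strip() for part in raw.split(",", 1))
        tokens = first.split() + last.split()
    else:
        tokens = raw.split()
    # Keep only the first and last tokens; middle names and initials are dropped.
    return f"{tokens[0]} {tokens[-1]}".lower()


def normalize_dob(raw: str) -> str:
    """Parse any of the known date layouts and return an ISO 8601 date."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {raw!r}")


def normalize_phone(raw: str) -> str:
    """Strip punctuation and a leading country code '1' from a phone number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


NORMALIZERS = {"name": normalize_name, "dob": normalize_dob, "phone": normalize_phone}


def link(db_a, db_b, fields, normalize=True):
    """Return (id_a, id_b) pairs whose chosen fields match exactly.

    With normalize=False the raw stored values are compared, which is what a
    naive join across the two sources would do.
    """
    def key(rec):
        return tuple(NORMALIZERS[f](rec[f]) if normalize else rec[f] for f in fields)

    index = {}
    for rec in db_b:
        index.setdefault(key(rec), []).append(rec["id"])
    pairs = []
    for rec in db_a:
        for id_b in index.get(key(rec), []):
            pairs.append((rec["id"], id_b))
    return pairs


if __name__ == "__main__":
    strict = ("name", "dob", "phone")
    print("raw join:       ", link(DB_A, DB_B, strict, normalize=False))
    print("normalised join:", link(DB_A, DB_B, strict))
    print("name+phone only:", link(DB_A, DB_B, ("name", "phone")))
```

The three runs show the point the paragraph makes: the raw join links no records at all, the normalised three-field join links two of the three people, and dropping the date of birth from the key links all three at the cost of possibly merging two different John Smiths. Deciding which of those outcomes is correct requires design judgement and knowledge of each source's error characteristics, which is the "significant design and programming" effort the text refers to.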
Somewhat ironically, the very fact that the law enforcement agencies were early adopters of information technology now works against their ability to use the cutting edge of that technology. As early adopters, those agencies made significant investments in technology that is now obsolete. Further, those early technologies were developed in a fashion that makes them far more difficult to knit together into integrated systems, instead leaving “silos” of information in the various systems that cannot be correlated in the ways that reflect the worst privacy invasion nightmares. For example, the Federal Bureau of Investigation has struggled for many years to integrate and upgrade its systems,15 with the end result at this writing that the FBI is still using an antiquated system with capabilities far below those envisioned by people concerned about the use of the system to violate personal privacy.
Law enforcement authorities can also obtain significant amounts of personal information from data aggregation companies, as described in Section 6.5. As noted in that section, there is particular concern over the use by law enforcement agencies of the aggregated information assembled by these companies. The laws and regulations that govern the gathering of information by the law enforcement establishment do not necessarily apply (or do not apply with clarity) to these data aggregators, and there is some concern that by contracting with these companies law enforcement will be able to avoid the restraints that have been placed on it to ensure the privacy of the individual citizen.
Privacy Concerns and Law Enforcement
Any modern society requires an effective and rational law enforcement system. Gathering, storing, and analyzing extensive information are vital to the law enforcement process, even though some information will also be gathered about persons who are manifestly beyond suspicion.
Privacy concerns arise most clearly when law enforcement agencies gather information about those who have broken no law and are not suspects, or when such information is used for purposes other than the discovery or prosecution of criminals, or when the very process of gathering the information or the knowledge that such information is being gathered changes the behavior of those who are clearly innocent and above reproach.
One of the basic safeguards against potential abuse by law enforcement agencies of information gathering is the long-standing constitutional barrier to the use in court of evidence that has been obtained unlawfully—for example, through a warrantless search or other means that violate a suspect’s or defendant’s rights. While prosecutors are sometimes—or often, depending on the authorities queried on the matter—able to introduce evidence that came to light as a consequence of illegality in law enforcement, the barrier against official exploitation of a suspect’s privacy is an important protection against excesses and abuses in information gathering. (The primary loophole in the exclusionary rule is that if law enforcement authorities are not themselves guilty of unlawful warrantless searches, it does not matter very much how evidence was brought to the attention of those authorities.)
See, for example, National Research Council, A Review of the FBI’s Trilogy Information Technology Modernization, James McGroddy and Herbert S. Lin, eds., The National Academies Press, Washington, D.C., 2004; and Dan Eggen and Griff Witte, “The FBI’s Upgrade That Wasn’t: $170 Million Bought an Unusable Computer System,” Washington Post, August 18, 2006, available at http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485_pf.html.
Moreover, prosecutors are usually obligated to reveal the content and sources of evidence they wish to use at trial against a defendant, thus adding further to the safeguards and protections. In a manner consistent with the principles of fair information practices (Chapter 1), courts generally insist that the accused should have access to relevant information that has been gathered about him or her, and the ability to challenge and correct that information should it be introduced in court.
One extreme in the spectrum of views is that the collection of information by various branches of government about those governed is part of the price that must be paid for the continued security of the whole. In this view, the ability of government to collect data should not be limited, as the individual cannot be harmed by the information gathered unless the individual was in fact doing something wrong. Such a view holds that these government agencies are well intentioned and therefore will not use the information gathered for illicit or mischievous purposes. The laws that exist ensure that abuses cannot be used against the citizen even if they do occur.
This view adopts a narrow construction of what “harm” might be possible. That is, it requires a belief that a law-abiding individual is not “harmed” if personal information (e.g., buying habits, reading history, mental health status) is viewed by people who have no reason to have access to that information but who as a consequence of their jobs do have such access. In this view, a large-breasted woman whose clothed body is viewed close-up through the zoom telephoto lens on a remotely controlled surveillance camera by security guards during daylight hours suffers no harm.16 Nor is a farmer harmed who misses a flight because his or her name is put onto a do-not-fly list because of recent large purchases of ammonium nitrate and fuel oil and a truck rental.
There is a different view that arises from the sheer imbalance between the power of the state and that of the individual. This imbalance makes some citizens understandably anxious about the information-gathering abilities of the state. Consequently, the disparity in resources that can be brought to bear by the state versus those that are available to most individuals also justifies the imposition of certain limits on government’s information gathering—even if such limits complicate or impede the task of law enforcement agencies.
INFORMATION TECHNOLOGY, PRIVACY, AND NATIONAL SECURITY
Nowhere is the disparity of power and resources greater than that between the individual citizen and the federal government. At the same time, it is primarily the federal government that needs to gather information not only for law enforcement purposes but also to ensure the national security of the country. Such data-gathering activity differs in several respects from similar activities performed for law enforcement, notably in the procedures that must be followed, the oversight that constrains the intelligence agencies, and the ability of those about whom data is gathered to view and amend or correct that data.
The general category of national security comprises many functions of government, including those performed by the armed forces and federal law enforcement agencies. However, the term “national security” has recently become associated with the agencies of the federal government that are most directly involved in the gathering and analysis of intelligence information relating to threats against the United States, and those agencies of other governments that play a similar role for other countries. The tension between individual privacy and national security arises, for the most part, with regard to these intelligence-gathering and analysis functions for national security.
While the information-gathering role of the government in law enforcement serves mainly to aid detection and conviction of a suspect after a law has been violated, the role of government agencies charged with protecting national security often entails gathering information about possible future threats, and identifying possible ways to change or control that future. Indeed, the role of an intelligence agency can be characterized as ensuring that its government knows all the secrets of its adversaries or potential adversaries while at the same time ensuring that these adversaries know none of the government secrets. Given this role, the technologies developed for intelligence may define both the boundary for technology that can be privacy invasive, and the boundary for those technologies that help to ensure privacy. Furthermore, in order to maintain advantages over foreign adversaries, the nature and the extent of intelligence-related technological capabilities are often kept secret.
Because the mission of national security agencies is quite open-ended, limiting the scope of inquiry by such agencies becomes far more difficult and complex than imposing comparable limits on law enforcement. While law enforcement data gathering may be reviewed by other agencies and confined to active investigations, intelligence agencies are not required to demonstrate in advance the potential relevance of the information they gather. Instead, such agencies often try to compile as much information as possible that might be potentially relevant to their tasks, and then analyze all of that data in an attempt to define and describe potential adversaries. As Information Technology for Counterterrorism put it:17
Because terrorists are not clearly identified with any entity (such as a nation-state) whose behavior can be easily studied or analyzed, their individual profiles of behavior and communication are necessarily the focus of an intelligence investigation. Most importantly, it is often not known in advance what specific information must be sought in order to recognize a suspicious pattern, especially as circumstances change. From the perspective of intelligence analysis, the collection rule must be “collect everything in case something might be useful.” Such a stance generates obvious conflicts with the strongest pro-privacy rule “Don’t collect anything unless you know you need it.”
The notion of intelligence agencies being compelled to respect the privacy of the individual seems almost as quaint as Henry Stimson’s justification for shutting down the original cryptography section in the State Department, stating in 1930 that “gentlemen do not read other gentlemen’s mail.” Since the time of World War II, it has been the role of the intelligence agencies to read nearly everyone’s mail (or cables, or radio transmissions) to protect national security. The role of the intelligence agency is, in effect, to violate the privacy of those individuals and countries that might jeopardize national security.
The second aspect of intelligence gathering for national security that makes this activity different from the gathering of information for law enforcement is the inherent need for secrecy in the very process itself.
Any information gathered by law enforcement agencies and subsequently used as evidence in the prosecution of an individual eventually becomes public and is open to challenge by the person being prosecuted. Much of the information gathered by intelligence agencies for national security, however, must be kept secret. Secrecy is required not only to keep an adversary from learning what is known about him, but also to ensure that the sources of information cannot be identified and compromised. The need for secrecy in this realm means that those who might be the subjects of interest for information gathering cannot know what information is gathered about them (or even if information is being gathered about them), much less check or challenge the accuracy of that information.
The balance between individual privacy and national security is often seen as a balance between the types of information necessary to ensure national security, and the constraints imposed on those that gather the information. There is a common belief that the more the ability to gather information is constrained, the more likely it is that information of potential relevance to national security will be lost or overlooked.18 This tension, like its counterpart in the realm of law enforcement, is as old as the republic. What has changed is the technology of information gathering and analysis that can be used by the intelligence agencies.
Along with the changes in the technology, there has been a major change in the nature of the national security endeavor itself. The traditional intelligence endeavor, shaped by World War II and the ensuing Cold War, was focused on the preservation of the state from the threats posed by other states. These threats were long term, comparatively overt, and carried out on a stage on which all of the players were known to each other. The decrease in this sort of threat, occasioned largely by the ending of the Cold War, has been replaced by a far more amorphous threat coming from non-governmental bodies using non-traditional tactics. While perhaps best illustrated by the terrorist attacks on the World Trade Center and the Pentagon on September 11, 2001, these groups perform acts of terrorism meant to destabilize governments by undermining the sense of security of the citizens of those governments. While U.S. citizens tend to focus on the threat to the United States and its allies, the threat from terrorists is not confined to any particular country or region. These combatants, who are hard to identify and willing to sacrifice their own lives in the course of their attacks, now form a threat whose proactive neutralization is one of the main objects of national security.
National Security and Technology Development
While law enforcement agencies were among the early adopters of information technology, the agencies involved in intelligence gathering and analysis have often been the generators of technological innovation. Since the efforts during World War II to break the codes of other countries and to ensure that U.S. codes could not be broken, the intelligence community has directly developed, collaborated in the development, or funded the development of much of the current information infrastructure.
Many of the technologies that are used to gather, sift, and collate data were developed initially by the intelligence agencies either for the purposes of cryptography or to allow them to sift through the vast amounts of information that they gather to find patterns for interpretation. At the same time, the cryptographic techniques that can be used both to ensure the privacy of stored information and to secure channels of communication trace their roots back to the same intelligence services, in their role as securers of the nation’s secrets. Moreover, many of the concepts of computer security, used to ensure that only those with the appropriate rights can access sensitive information, have been leveraged from developments that trace back to the intelligence or defense communities.
There is considerable uncertainty outside the intelligence community about the true nature and extent of national capabilities in these areas. Many of those concerned about protecting privacy rights assume that the technology being used for intelligence purposes has capabilities far above technology available to the public. Rightly or wrongly, it is often assumed that the intelligence community can defeat any privacy-enhancing technology that is available to the general public, and has a capability of gathering and collating information that is far beyond any that is commercially available. Given the secret nature of the national security endeavor, this assumption is understandably neither confirmed nor denied by either those intelligence-gathering groups themselves or the governmental bodies that are supposed to oversee those groups.
Legal Limitations on National Security Data Gathering
Analysis of the limitations on national security-based data gathering is complicated by the distinction between U.S. citizens and non-citizens, especially lawfully resident aliens. Some constitutional rights extend to all persons; thus, the Supreme Court ruled as early as 1896 (and has repeatedly reaffirmed as recently as 1982) that aliens could invoke the equal protection clause against invidious discrimination as readily as could U.S. citizens.19 But some protections (such as privileges and immunities) apply only to citizens; indeed the Supreme Court has held that states may, if they wish, make U.S. citizenship an essential qualification for certain occupations (notably teaching in the public schools20 and being police officers21) if the qualification has a rational basis.
The problem arises with respect to rights and liberties that are neither expressly confined to citizens nor available alike to citizens and aliens. In fact, most of the safeguards of the Bill of Rights fall into this third category, leading to intense debate over such issues as whether a lawfully resident alien may be deported for advocacy or political activity for which a citizen could not be punished under the First Amendment. Limited precedent may be cited on both sides of that debate, and the issue is one that the Supreme Court seems consciously to have avoided.
When it comes to information gathering, even citizens have few rights to object to the placement of their sensitive personal information into a government database, regardless of whether the information is obtained legally or illegally.22 However, even in cases where such an objection is raised, it is not clear that the citizens have any recourse on the gathering of that information. If that is true for citizens, it is at least equally true for non-citizens, even those who have long and lawfully resided in the United States. Moreover, a non-citizen who is not physically present in this country—even though formerly a lawful resident—has severely attenuated legal claims (as, for example, would have been the fate of the Guantanamo detainees absent the agreement between the United States and Cuba that gave the naval base quasi-domestic status). Thus, the grounds on which a non-citizen might object to information gathering and data storage in the interests of national security seem remote. The issues of focus for this report are those that might be raised by U.S. citizens. And as a practical matter, the committee is concerned only about information gathering within the United States (i.e., information gathering on subjects located on U.S. soil), though noting that citizens do retain certain rights even when they are out of country.
The distinction between the rights of citizens and those of others matches the perception (and, perhaps, the historical reality) that the gravest national security threats originate beyond our borders. Until relatively recently, neither the military nor the U.S. foreign intelligence agencies were allowed to gather information about purely domestic activity, even if that activity seemed to pose a national security threat. Under this premise, if actions of U.S. citizens and resident aliens within the United States evoke suspicion on security grounds, any investigation would be conducted by the FBI and other domestic law enforcement agencies. That precept was recently reinforced when the Department of the Army formally apologized for having interrogated participants at a University of Texas conference on women and Islam, making clear in the apology that any such inquiry should have been handled by the FBI and not by the military (or for that matter the Central Intelligence Agency). This division of labor partly reflects the difficulty of distinguishing legitimate and protected dissent from genuine security threats, and an abiding fear that government power of inquiry could be abused if the more secretive U.S. foreign intelligence agencies possessed such domestic authority.
whose presence in this country is unlawful are “persons” guaranteed due process of law by the Fifth and Fourteenth Amendments.
In this regard, as with the limits placed on the law enforcement agencies, the United States is somewhat different from other countries. Outside the United States, it is common for a country to have a domestic intelligence service whose job it is to accumulate information on citizens and those within the borders of the country for the purposes of national security. There have been times that some parts of the U.S. federal government have performed this function within the United States, but such activities have been rare and either were discontinued after a period of national emergency or became the cause of major scandal when they were generally discovered. Further, when such activities were undertaken, they were often undertaken as an adjunct activity for a law enforcement agency (such as the FBI) rather than as part of the activity of an organization whose primary charter was the gathering of domestic intelligence for the purpose of national security.
An important part of the current legal framework for national security intelligence gathering in the United States was established by the Foreign Intelligence Surveillance Act (FISA). As noted in Section 4.3.1, FISA was passed in order to regulate executive branch authority to conduct wiretaps in intelligence matters and thus could be fairly regarded as a privacy protection measure. FISA, and a series of executive orders based on it, cover the surveillance (both electronic and non-electronic) of “a foreign power or an agent of a foreign power,” including U.S. persons who fall under the definition of an agent of a foreign power. FISA establishes a special court of 11 federal district court judges who review requests for warrants. These warrants can cover electronic surveillance (including wiretapping and electronic eavesdropping) and covert physical searches.
To obtain a warrant, law enforcement authorities must demonstrate to the FISA Court that there is probable cause to believe that the target of the warrant is an agent of a foreign power. Unlike standard search warrants obtained for criminal cases, applications for FISA warrants do not require a statement of what information is being sought through the warrant, nor is there a requirement that the party granted the warrant return to the court a listing of what information was obtained through the warrant. While FISA warrants cannot be granted for the purpose of criminal prosecution, information obtained secondarily via a FISA warrant has been allowed in criminal trials.
Since the intelligence process depends on gathering information, one premise of the current system is that the entities whose information is being obtained do not know the extent of what is known about them or the sources of that information. Thus the FISA law forbids any person upon whom a FISA Court subpoena is served from disclosing that fact to anyone other than a colleague or subordinate whose involvement is vital to obtain the subpoenaed information.23 Moreover, the FISA procedure for information gathering differs sharply from what is allowed under standard law enforcement search and seizure rules. While judicial approval of the FISA Court is required for national security searches, the proceedings of that court (and even the identity of its members) are secret. The substantive standard required for issuance of such a secret warrant is also said to be far lower than for a regular warrant, requiring no specific evidence of actual complicity in or even specific contribution to any terrorist activity.
Traditionally, as noted in the previous section, the separation between intelligence gathering for national security purposes and law enforcement surveillance has served to protect the privacy at least of U.S. citizens and to some degree that of permanent resident aliens while they are in the United States. Gathering information on such persons had been generally forbidden except in aid of law enforcement or if a person was determined to be an agent of a foreign power. This meant that the gathering of information could happen only in an attempt to investigate the breaking of a particular law, and the obtaining of information was subject to the kinds of restrictions and third-party judicial reviews that have characterized law enforcement information gathering.
The events of September 11, 2001, and the subsequent efforts to identify, find, and eliminate the threat from both the terrorists directly responsible and others who support groups that have been identified with similar tactics have caused many to call into question the traditional separation of law enforcement and national security intelligence gathering. National security was traditionally seen as served by gathering information about threats from other countries; suddenly the highest level of threat seemed to be from non-governmental entities. National security intelligence was gathered from outside the borders of the United States; suddenly the threat seemed to be within those borders as well as without. The domestic collection of information was bound to the prosecution of crimes; suddenly there was a perceived need for the domestic collection of information for intelligence purposes. The traditional notion of limiting intelligence gathering to outside the borders of the United States and to other than U.S. persons appeared to be dangerously out of date.
One indication of this trend is the adoption, in October 2001, of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. This act is seen by its supporters as an overdue response to restrictions on intelligence gathering that had impeded cooperation and collaboration among agencies, and that needed to be relaxed or removed if the nation was to protect itself from the new threats to national security, identified not as other governments but as smaller, non-governmental organizations willing to launch suicide attacks. Opponents of the act, however, charge that many of its provisions seriously threaten or erode basic rights and liberties enshrined in the Constitution, as well as jeopardizing privacy to an unprecedented degree.
One of the difficulties of judging between these two viewpoints is the complexity of the act itself, which is a collection of amendments and additions to other laws rather than a stand-alone act. In some cases, the act defines limitations on technologies that had not been addressed in law before; in other cases the act expands or clarifies the scope of previously existing law.
In general, the USA PATRIOT Act eased a number of restrictions on foreign intelligence gathering within the United States and granted the U.S. intelligence community somewhat greater access to information unearthed during a criminal investigation.24 For example, the USA PATRIOT Act authorizes the release to federal intelligence and immigration officials of information obtained during the course of a grand jury investigation, whereas such information was previously protected under very strict disclosure rules. The act codified the use of trap-and-trace devices and pen registers, already established under long-standing FISA Court practices, for treating electronic communications such as e-mail in a similar way to telephone communications. Section 215 of the USA PATRIOT Act also allowed the FISA Court to issue orders granting access to any records and tangible items from any entity (e.g., bookstores, libraries, department stores, schools), not just common carriers, public accommodation facilities, physical storage facilities, and car rental facilities, as under previous law; this provision substantially enlarged the range of items subject to FISA jurisdiction. Finally, the act also allowed “roving” surveillance of a subject, where previously FISA had required the identification of a particular scope (e.g., a specific telephone number or physical location) where the surveillance would occur.
To guard against official abuse, the USA PATRIOT Act established a claim against the United States for certain communications privacy violations by government personnel and expanded the prohibition against FISA orders based solely on the exercise of an individual’s First Amendment rights. In addition, the USA PATRIOT Improvement and Reauthorization Act of 2005 provided greater congressional oversight, enhanced procedural protections, more elaborate application requirements, and a judicial review process for the exercise of Section 215 authorities. Finally, the USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006 establishes a judicial review procedure for Section 215 nondisclosure orders that allows recipients of a Section 215 production order to challenge the nondisclosure requirement 1 year after the issuance of the production order. In response to such a challenge, the FISA Court judge has the discretion to modify or set aside a nondisclosure order, unless the attorney general, deputy attorney general, an assistant attorney general, or the director of the FBI certifies that disclosure may endanger the national security of the United States or interfere with diplomatic relations (unless the judge finds that the certification was made in bad faith).25
From a FISA perspective, more important than any of the particular sections of the USA PATRIOT Act is the fact that the law encourages the sharing of information from law enforcement with intelligence agencies. The success of the September 11, 2001, attacks has been seen by many as a result of the distinction drawn between law enforcement and intelligence gathering; in this view if all of the relevant information held by both the law enforcement agencies (such as the FBI) and the intelligence community had been put together and seen correctly, the attacks could have been predicted and stopped. Not sharing such information was faulted as a reflection of the distinction between law enforcement and intelligence gathering for national security, a distinction that had historically been drawn in part to ensure the privacy of U.S. citizens.
It is in this context that the sharing with law enforcement officials of information derived from intelligence operations has proven controversial. Under the USA PATRIOT Act, FISA Court orders need no longer serve the primary purpose of gathering foreign intelligence information, but may now be authorized by the FISA Court under a less stringent standard of serving a “significant purpose” of obtaining such information. Generally, the concern about such sharing has been that the privacy (and other) protections embedded in the processes of domestic law enforcement may be circumvented or mooted by the use of intelligence processes that are less subject to such protections.
See Yeh and Doyle, “USA PATRIOT Improvement and Reauthorization Act of 2005,” 2006.
Michelle Maynard, “JetBlue Moves to Repair Its Image After Sharing Files,” New York Times, September 23, 2003, available at http://www.nytimes.com/2003/09/23/business/23AIR.html?ex=1379649600&en=1e13d100496b900d&ei=5007&partner=USERLAND.
sale of passenger information to third parties for marketing purposes.27 Another example is the recently revealed (late 2005) wiretaps of communications involving certain U.S. persons in pursuit of intelligence related to al-Qaeda without the approval of the FISA Court (Box 9.3). As of this writing, the program is still controversial amidst many calls for further investigation.
The quest for more and better technologies for analyzing information for national security purposes also raises privacy concerns. In particular, one common view of the failure to foresee and stop the events of September 11, 2001, is that the failure was not one of a lack of information, but rather a lack of putting together the information that was already available. In this view, better analysis tools are needed more than (or in addition to) the ability to gather more information.
One attempt at creating such tools taken by the DOD’s Defense Advanced Research Projects Agency (DARPA) was the Total (later Terrorist) Information Awareness (TIA) program (Box 9.4). The exact goals of this program are difficult to determine, as they shifted significantly over the time the program was active. However, the goals were always centered on developing and providing technology that would allow the detection and tracking of terrorist or suspected terrorist activities by aggregating data that are collected by both government and non-government agencies and then mining that data to find patterns of behavior that are highly correlated with future terrorist actions.
A full analysis of the privacy implications of the TIA program has appeared elsewhere and is not repeated here.28 The point that is important to make is that one of the legacies of the September 11 attacks is the willingness of the intelligence agencies charged with the national defense to gather information about U.S. persons in their attempt to track and find terrorists. In addition, the TIA program shows the willingness of these agencies to use or invent technologies that will help them in that undertaking, even when those technologies may be privacy invasive.
Sara Kehaulani Goo, “Confidential Passenger Data Used for Air Security Project,” Washington Post, January 17, 2004, available at http://www.washingtonpost.com/ac2/wp-dyn/A26037-2004Jan17.
Technology and Privacy Committee (TAPAC), Safeguarding Privacy in the Fight Against Terrorism, Department of Defense, Washington, D.C., March 1, 2004. This report (1) concluded that TIA was a flawed effort to achieve worthwhile ends; (2) argued that although data mining is a vital tool in the fight against terrorism, it could present significant privacy issues if used in connection with personal data concerning U.S. persons; (3) stressed the importance of government actions to protect privacy in developing and using data-mining tools; and (4) noted that existing legal requirements applicable to the government’s data-mining programs were numerous, disjointed, and often outdated, with the possible effect of compromising privacy protection, public confidence, and the nation’s ability to craft effective and lawful responses to terrorism.
National Security Agency Domestic Surveillance and Data Mining of Calling Records
In 2002, the president authorized the National Security Agency (NSA) to begin conducting surveillance of electronic communications in the United States without a court-approved warrant. Since the public became aware of this program late in 2005,1 many questions have been raised about both its legality and its constitutionality.
According to what has been revealed publicly in news reports, the classified NSA program has focused on intercepting, without a warrant, phone calls and e-mails of U.S. persons that are believed to be linked, directly or indirectly, to the al-Qaeda terrorist organization. It is further said to be limited to only domestic-to-international communication; warrants are obtained when both parties in the communication are within U.S. borders. Although official sources have not provided an authoritative description of the activities and scope of this program, the administration has defended it—and its ability to monitor possible terrorist group activity—as both legal and within the authority granted to the president under the Authorization for Use of Military Force (AUMF) against al-Qaeda,2 passed by Congress on September 14, 2001. The AUMF authorized the president to “use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored such organizations or persons, in order to prevent any future acts of international terrorism against the United States by such nations, organizations or persons.” Additionally, the administration contends that the president’s inherent constitutional authority as commander in chief authorizes the president to take whatever action is necessary to combat terrorism.3
Critics, however, debate the legality and constitutionality of the program that was authorized outside the Foreign Intelligence Surveillance Act (FISA) of 1978, which provides explicit legal guidance on how domestic surveillance can be conducted.4 Recently amended in 2001 by the USA PATRIOT Act, FISA was passed to balance the need for foreign intelligence surveillance for national security purposes with an individual’s constitutional rights. It established procedures for the oversight of domestic surveillance activities conducted by U.S. intelligence agencies, including the creation of the Foreign Intelligence Surveillance Act Court, an independent body designed to grant surveillance authority rather than its being determined by the intelligence agency itself. Additionally, the legislation addressed circumstances in which surveillance could be conducted without a warrant, including after a declaration of war for a period of 15 days and in times of emergency when warrants could be obtained ex post facto within 72 hours. Critics argue that changes to domestic surveillance procedures should be authorized by Congress and should take place through amendments to FISA. Furthermore, critics underscore that FISA legislation was drafted on the basis that the president’s constitutional power is “inherent” but should not be exclusive, and that Congress, rather than the executive branch, has the power to regulate the exercise of that authority.
A number of analysts have also raised a variety of concerns about the implications of this program and the legal basis used to authorize it. Among the concerns is the reliance on AUMF as a legal basis for electronic domestic surveillance activities, which could also be used to authorize warrantless physical search and seizures. Related questions have been raised in terms of the admissibility in a court of law of information obtained without a warrant.5 The inclusion in the program of phone and Internet traffic from U.S. telecommunications companies has also raised concerns that the scope of the program was not limited to domestic-to-international communication as initially described by the administration.6 Broader constitutional questions also have been raised by the authorization of this program that has taken place outside a system of checks and balances designed to protect individuals’ rights from possible abuses by government authorities.7
Similar concerns have arisen as the result of an NSA program to use the calling records of the customers of AT&T, Verizon, and BellSouth. Reported in USA Today on May 11, 2006,8 the program supposedly uses these data to analyze calling patterns in an effort to detect terrorist activity. Calling records do not involve the content of the calls themselves, but do include, at a minimum, the originating number, the called number, the duration of the call, and the time of day of the call. Such records are usually protected less stringently than the content of phone calls, but their disclosure to government authorities has historically entailed an explicit legal authorization, albeit with lower standards of cause, to produce such records. As in the case of content surveillance, controversy arises because the carriers in question may have provided the records without such authorization in hand.
The Total Information Awareness Program
The Total Information Awareness (TIA) program caused considerable worry among many Americans across the political spectrum, much of it provoked by bad public relations and the political concerns raised over those in charge of the program. Notably absent from the debate over the TIA program was any discussion of exactly what technology was being sought by the program, and whether or not the technology being sought was actually possible. This was in part due to a constant changing of the goals articulated for the program; it was hard to determine exactly what the technology being developed was supposed to do. But even the various alternatives that were proposed at different times were not examined in the light of their technological possibilities or the repercussions of that technology if it were possible. This is especially odd given that the agency sponsoring the TIA program, DARPA, is a research agency charged with just this kind of technical evaluation.
A number of the proposed components of the TIA program were never the focus of controversy; these had to do with automated translation aids and tools for standardizing the format of information being gathered by intelligence agencies. More controversial were the proposed tools that would allow discovery of patterns of activity. These tools would mine a consolidated database built from the information gathered by governmental and non-governmental entities, which would include data on commercial transactions. In one version of the TIA statement of goals, the analysis tools would scan this database for events or sets of events of interest (such as the purchase of one-way rental trucks coupled with the purchase of large amounts of fertilizer) and identify persons who had participated in such transactions, allowing those persons to come to the attention of the national security agencies. The result would be an automated mechanism for “connecting the dots.” Such a system would solve the problem of not seeing the patterns in the information that had been acquired, which some thought was the main failure that made the attacks of September 11, 2001, possible.
Such a system is not technically feasible, however. To aggregate the information from the various sources into a single database would require a solution to the problem of data integration (Section 3.9). Different databases store data in different forms, meaning that the information held in one database cannot be read or manipulated by programs that understand the second database. To allow a program to use both databases requires some form of data integration, which in turn requires converting one (or both) of the database formats into some common format that can be manipulated and understood by a single program. This problem has existed in industry for the past 40 years; all attempts to solve the problem even on a small scale have succeeded only for very simple aggregations and have proven to be exceptionally expensive. To hypothesize a single aggregation, whether virtual or physical, of all of the databases, both public and private, as is done in this version of the TIA program, is to hypothesize a general solution to the still-unsolved data integration problem.
Even if the data integration problem could be solved, the solution sought by the TIA program would require the ability to evaluate arbitrary sets of events in that database to find patterns. However, the set of possible events grows at a pace that makes the general evaluation of all of those sets computationally infeasible. The number of sets of events that can be formed from a group of individual events is equal to 2 to the power of the number of events; that is, for 20 different events the number of distinct sets of those events is 2^20, or more than 1,000,000 different sets of events. If we were to look at each commercial transaction in the United States as a separate event, the set of possible sets made up of those events is far larger than the number of atoms in the universe.
A second version of the TIA goal avoided this problem of computational complexity by stating that the tools would allow analysts to identify a person of interest, and then use the tools to track all of the activities of that person that were traced in all of the databases that had been aggregated. This approach eliminated the problem of the prior goal by concentrating on a particular subject or set of subjects and picking out the events associated with that subject. By starting with a subject of interest, the events in the database could be examined individually to see if they involved that individual, thus keeping the complexity of the search proportional to the size of the database (rather than growing exponentially with the size of the database). This goal still assumed that the aggregation of databases into a single search set would be possible, but even if only a small number of databases were aggregated, this goal could provide a more complete picture of an individual than could be found in any of the single databases.
The problem with this narrower goal is that, even if it can be achieved, it is unlikely that it will help disrupt terrorist attacks before they are carried out. The ability to find out more information about known persons does not help in the identification of potential terrorists with no previous records of such involvement or other reason to fall under suspicion—and there is no shortage of such individuals in the world.
While the USA PATRIOT Act, the warrantless National Security Agency surveillance of certain U.S. persons, and the Total Information Awareness program are perhaps the most obvious examples of changes in law and attitude on the balance between privacy and national security after the events of September 11, they are hardly the only examples. The establishment of “do not board” watch lists by the Department of Homeland Security, in which information from unknown sources can be used to place even U.S. citizens on lists that make it difficult or impossible to board commercial airline flights, has come to light because of recent cases of people being placed on such a list erroneously. One problem with such watch lists, as they now appear to be implemented, is that it is difficult to find out if a particular person has been placed on such a list and, if placed on the list, to find out the information that caused that placement. There is no formal mechanism for challenging either the placement on the list or the information that was used to make the determination. Even Edward Kennedy, senior senator from Massachusetts, has had problems getting his name off the watch list.29
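The complexity argument in Box 9.4 (searching all sets of events versus collecting one subject's events), as an added illustration that is not code from the report; the event database, subject names, event types and function names are constructed for the example:

```python
"""Added illustration of the complexity argument in Box 9.4; not code
from the report.  Goal 1 of TIA (find patterns among arbitrary *sets* of
events) must look at 2**n sets for n events; goal 2 (start from a
subject of interest and pull that subject's events) is one pass over
the database, i.e. linear in its size."""
from itertools import combinations

# Constructed sample database of (subject, event_type) records.  The two
# event types below form the pattern the report uses as its example.
EVENTS = [
    ("alice", "rents_one_way_truck"),
    ("bob", "buys_fertilizer_bulk"),
    ("carol", "buys_groceries"),
    ("alice", "buys_fertilizer_bulk"),
    ("dave", "rents_one_way_truck"),
    ("erin", "buys_groceries"),
]
PATTERN = frozenset({"rents_one_way_truck", "buys_fertilizer_bulk"})


def number_of_event_sets(n):
    """Distinct sets that can be formed from n events: 2**n (the report's
    figure for 20 events is 2**20 = 1,048,576)."""
    return 2 ** n


def pattern_search(events, pattern):
    """Goal 1: examine every set of events and report the subjects whose
    own events, taken together, cover the pattern.
    Returns (matching subjects, number of event sets examined)."""
    examined = 0
    matches = set()
    for size in range(len(events) + 1):
        for event_set in combinations(events, size):
            examined += 1                       # one set looked at
            subjects = {subject for subject, _ in event_set}
            if len(subjects) != 1:              # pattern concerns one actor
                continue
            if {etype for _, etype in event_set} >= pattern:
                matches |= subjects
    return matches, examined


def subject_profile(events, subject):
    """Goal 2: one pass over the database collecting everything recorded
    about a subject who is already of interest.
    Returns (that subject's event types, number of records examined)."""
    types = set()
    examined = 0
    for record_subject, etype in events:        # linear in len(events)
        examined += 1
        if record_subject == subject:
            types.add(etype)
    return types, examined


def subject_matches(events, subject, pattern):
    """Does the subject's profile cover the pattern?  Still one pass."""
    types, _ = subject_profile(events, subject)
    return types >= pattern


if __name__ == "__main__":
    found, sets_examined = pattern_search(EVENTS, PATTERN)
    print(f"goal 1: {sorted(found)} after examining {sets_examined} sets")
    types, records = subject_profile(EVENTS, "alice")
    print(f"goal 2: alice -> {sorted(types)} after {records} records")
    print(f"20 events -> {number_of_event_sets(20):,} possible sets")
```

With six records goal 1 already examines 64 sets while goal 2 examines 6 records; the gap is the exponential-versus-linear growth the box describes.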
Even if corrective mechanisms were in place, lists such as these suffer from a cluster of problems having to do with establishing the identity of those who are being compared to the list. If a list is kept in terms of names, its usefulness is limited by the fact that a single name can be shared by many different people. A combination of name and address may be better, but falls prey to the ease with which people move from place to place, and the time lag between such a move and the time at which all relevant records have been updated to reflect the new address. Indeed, such lists seem to presume, contrary to fact, that there is a way (or set of ways) to uniquely identify each person who might appear on such a list. There is no such mechanism available today, and establishing such a mechanism is far from simple.30
Tensions Between Privacy and National Security
In many ways, the tension between privacy and national security parallels the tension between privacy and law enforcement. Both law enforcement and national security require government to amass large amounts of information about people, including much information that the subject or target might want to keep private and information that will ultimately not prove useful for any mission-related function. Both law enforcement and national security require that that information be analyzed to try to infer even more about a person. Both are heavy users of technology, and both use technology to gather information, identify individuals, and analyze that information.
National security differs from law enforcement, however, in two significant ways. First, law enforcement authorities are usually (though not always) called in when a criminal act has been committed, and the criminal act itself serves to focus investigative resources—that is, they tend to be reactive. National security authorities are most interested in preventing hostile acts from taking place—they tend to be proactive. Second, most of the information gathered by law enforcement and used to prosecute a person for the violation of a law will eventually be made public, along with the mechanisms used to gather that information. Intelligence gathering for the purposes of national security, on the other hand, is an intrinsically non-public activity. The mechanisms used to gather information, along with the information itself, are not made public, even when the information is used in a way that has an impact on the life of the subject of that information.
This greater need for secrecy makes it unlikely that citizens will be able to discover if the agencies charged with national security are violating their privacy. The mechanisms for gathering information are often unknown, so those wishing to ensure privacy may not know the techniques against which they must guard. The information gathered must remain secret, and so there is no easy way to know what information is gathered, if that information is accurate, whether it might be subject to different interpretations, or how to correct the information if it is inaccurate or incomplete. The only thing known with certainty is that there is an entity that is capable of gathering information about foreign governments, and it is reasonable to presume that such an entity can easily gather information about private citizens in the United States.
Because of the secret nature of the information gathered by national security agencies, it can be difficult to establish a trust relationship if one does not already exist between the citizens about whom the information is gathered and the agencies doing the gathering. There are few in the United States who would worry about the gathering of information even within the borders of the United States and about U.S. citizens if they could be assured that such information was only being used for genuine national security purposes, and that any information that had been gathered about them was accurate and appropriately interpreted and treated. How to obtain that assurance is a public policy issue of the utmost importance. This is why oversight is so important, all the more so in times of crisis. Accountability need not mean indiscriminate transparency; rather, trusted agents such as members of Congress or special commissions should be entrusted with offering, and hopefully can be trusted to offer, needed assurances.
LAW ENFORCEMENT, NATIONAL SECURITY, AND INDIVIDUAL PRIVACY
Even before the formation of our nation, government was seen as posing the principal threats to individual privacy. Many of the grievances against the English crown that were detailed in the Declaration of Independence reflected an erosion of the right to be left alone, and many provisions of the Bill of Rights sought to codify limitations on government power which the framers saw as vital to the new nation. While the Constitution nowhere expressly recognizes a “right to privacy,” several provisions (especially, but not only, the Fourth Amendment) unmistakably limit the power of government to invade the lives of citizens.
When law enforcement and national security are concerned, the sources of concern about privacy rights are readily apparent. On the one hand, law enforcement must be able to gather information about individuals in order to identify and apprehend suspects and to enforce criminal law and regulatory standards. National security agencies gather and analyze information about individuals and organizations in order to protect and enhance national security. On the other hand, the very process of gathering and using such information may pose serious risks to individual privacy.
A somewhat similar set of tensions applies to data that have already been collected for some purpose other than law enforcement or national security. As noted in earlier chapters, a wide variety of personal information on individuals is collected for a wide variety of purposes by both government agencies (e.g., the Internal Revenue Service, the Census Bureau) and private sector organizations such as banks, schools, phone companies, and providers of medical care. In some instances (such as survey data collected by the Census Bureau), such information has been collected under a promise, legal or otherwise, that it would be used for a certain purpose and only for that purpose, and would otherwise be kept confidential.31 If and when external circumstances change (e.g., the nation comes under attack), some would argue strongly that it is criminal to refrain from using all resources available to the government to pursue its law enforcement and national security responsibilities. Others would argue just as strongly that the legal restrictions in effect at the time of data collection effectively render such data unavailable to the government, legally if not physically.
According to scholars William Seltzer and Margo Anderson,32 an example of such government use of privileged data occurred during World War II, when the Bureau of the Census assisted U.S. law enforcement authorities in carrying out the presidentially ordered internment of Japanese-Americans. In a meeting of the Census Advisory Committee held in January 1942, J.C. Capt, director of the census, was reported to say, “We’re by law required to keep confidential information by [sic] individuals. But in the end, [i]f the defense authorities found 200 Japs missing and they wanted the names of the Japs in that area, I would give them further means of checking individuals.”
It is not known if the Census Bureau actually provided information on individual Japanese-Americans, but Seltzer and Anderson cite documents indicating that the Census Bureau clearly did provide mesodata (i.e., census results tabulated for very small geographic units, some as small as a city block) that did facilitate the internment process. Indeed, on the Monday after the December 7 attack on Pearl Harbor (which occurred on a Sunday), the Census Bureau initiated the production of reports on the distribution of Japanese-Americans across the United States based on macrodata (data from the 1940 census aggregated in terms of large geographic units).
Seltzer and Anderson note also that the Census Bureau has recognized possible threats to privacy arising from certain kinds of mesodata, and in response has progressively introduced stricter disclosure standards. Indeed, the bureau has indicated that under the standards now in place the release of mesodata from the 1940 census on Japanese-Americans would have been severely restricted.
A number of points are worth noting about this example. First, whether or not the Census Bureau provided information on individuals, the use of census data violated the spirit of the confidentiality law in the sense that respondents provided information under promises of confidentiality33—information that was subsequently used against them. Second, Capt’s remarks suggest a willingness to exploit legal loopholes in order to cooperate with the internment order. Third, even if the actual wording of the confidentiality promise made a “fine print” provision for “other legally authorized uses,” it would still have left survey respondents with the impression that their responses were confidential.
Issues related to privacy in a law enforcement or national security context are hard for citizens to assess. Citizens are not told what information these agencies are capable of gathering or what they do gather, because making that knowledge public can limit the very information that the agencies will be able to gather. In addition, the stakes are higher because these agencies can use the information they gather to imprison citizens. Citizens are asked to trust that abuses are not occurring and to trust in the oversight mechanisms that often require one part of the government to ensure that another is not generally overstepping appropriate bounds.
Similarly, law enforcement and national security agencies are put into a difficult position regarding the gathering and analysis of information. If these agencies fail to gather enough information to accomplish their missions, they are faulted for not using the latest techniques and technologies. However, if these agencies are perceived as gathering too much information about ordinary citizens, they are faulted for invasion of privacy.
Unfortunately, it is often impossible to determine, before the fact, who is going to be a law breaker or terrorist in the future. There is no way for law enforcement and national security agencies to determine about whom they should gather information without requiring that these agencies also know the future. The conundrum is further accentuated by a declaratory national policy that emphasizes prevention of terrorist attacks rather than prosecution or retaliation after they occur. That is, law enforcement activities must take place—successfully—in the absence of the primary event that usually focuses such activities. With few definitively related clues to guide an investigation, a much more uniform spread of attention must be cast over those who might have some contact or connection, however tenuous, to a possible terrorist event in the future.
The best that can be expected is that these agencies put into place the appropriate safeguards, checks, and balances to minimize the possibility that they gather information in an inappropriate way about citizens. But the more such safeguards are in place, so the argument goes, the more likely it is that mistakes are made in the opposite direction, and that these agencies will miss some piece of information that is vital for the performance of their function.
Yet areas of overlap between privacy and law enforcement and national security also exist. For example, citizens who have faith in their government and who believe that it generally follows democratic rules (one reflection of which is respect for privacy) will be more likely to cooperate with law enforcement in providing information and other forms of support. In that sense, just as it is sometimes said that privacy is a good business practice, it might also be said that a law enforcement agency’s respect for a citizen’s privacy, rather than necessarily being in opposition to law enforcement goals, can be supportive of them.
An important influence on the process of balancing governmental and societal needs for safety and security and individual privacy is the fact that public safety is—almost by definition—a collective benefit, while government infringements of privacy in the name of public safety tend to affect individuals or relatively small or politically marginal groups of people, at least in the short term. Under such circumstances, it is easier for public safety officials to dismiss or minimize privacy concerns that their actions might raise. As an illustration of the sentiment, Harvard Law School Professor William Stuntz has asserted that “reasonable people can differ about the balance, but one could plausibly conclude that the efficiency gains from profiling outweigh the harm from the ethnic tax that post-September 11 policing is imposing on young men of Middle Eastern origin.”34
The flip side of this sentiment, of course, is that community involvement and good will may well be an essential element, perhaps the most important element, of a strategy that seeks to counter terrorists concealing themselves in the nation’s communities. That is, tips about unusual and suspicious behavior are most likely to emerge when the communities in which terrorists are embedded are allied with, or at least not suspicious of, law enforcement authorities—and singling out young men of Middle Eastern origin for special scrutiny is not an approach that will create a large amount of good will in the affected communities.
These tensions have been magnified since the terrorist attacks of September 11. There are many who feel that if the right information had been available, along with the right tools to analyze that information and the right governmental structures that would allow the sharing of the information between law enforcement and national security agencies, those attacks could have been avoided. Part of the reaction to those attacks was the passing of laws and the creation of policies that made it easier for agencies to collect and share information and the weakening of some traditional checks and balances in the hope of enhancing national security.
At the same time, there is worry that the increasingly sophisticated technology available for surveillance, data sharing and analysis, and data warehousing, when joined with the weakening of rules protecting individual information, will allow law enforcement and national security agencies a vastly expanded and largely unseen ability to monitor all citizens. The potential for abuse given such an ability is easy to imagine—for example, a law enforcement agency might be able to monitor the group gatherings of citizens objecting to a certain government policy, identifying who they meet with and perhaps what they talk about. Most citizens do not know what is technically possible, either now or in the near future. Because of this, there is often a tendency to believe that the technology is capable of far more than it can actually do, either currently or in the foreseeable future. The problem may not be in what these government agencies are capable of doing with technology, but rather with what the citizens believe those agencies can do.
These comments should not be taken to suggest that policy makers in government agencies are unaware of privacy interests. For example, under the E-Government Act of 2002, any federal agency contemplating a substantially revised or new information technology system is required to develop a privacy impact assessment (PIA; Box 9.5) for such a system before work on that system begins in earnest. In the case of the Department of Homeland Security (DHS), DHS officials indicate that findings of PIAs are, to some extent, folded into the requirements development process in an attempt to ensure that the program or system, when deployed, is at least sensitive to privacy considerations. (It should also be noted that DHS officials reject the paradigm that privacy trades off against security; they assert that the challenge is enhancing security while protecting privacy.) Nevertheless, the concern from the privacy advocates remains regarding the extent to which privacy considerations are taken into account, and the specific nature of the privacy-driven system or program adaptations.
Finally, the discussion in this chapter raises the question of what must be done when law enforcement authorities or intelligence agencies invade the privacy of Americans who are law-abiding or who pose no threat to national security. It is unrealistic to expect that the number of false positives (i.e., the number of people improperly implicated) can be reduced to zero, and thus public policy must necessarily anticipate that some such cases will arise. One option is to minimize the number of false positives, and in the event of a false positive, the person improperly implicated simply absorbs the cost and consequences of the false positive (e.g., loss of privacy and any consequential costs, such as personal embarrassment, financial loss, and so on) on behalf of the rest of society. But these costs and consequences can be dire indeed, and at least in principle our society has generally adopted the principle that individuals suffering the consequences of improper or mistaken government behavior are entitled to some kind of compensation. Providing recourse for citizens improperly treated by government authorities is generally thought to make government authorities more careful and more respectful of rights than they might otherwise be.
The Department of Homeland Security Privacy Impact Assessment
A privacy impact assessment (PIA) is an analysis of how personally identifiable information is collected, stored, protected, shared, and managed. “Personally identifiable information” is defined as information in a system or online collection that directly or indirectly identifies an individual whether the individual is a U.S. citizen, legal permanent resident, or a visitor to the United States.
The purpose of a PIA is to demonstrate that system owners and developers have consciously incorporated privacy protections throughout the entire life cycle of a system. This involves making certain that privacy protections are built into the system from the start, not after the fact when they can be far more costly or could affect the viability of the project.
Personally identifiable information is information in a system, online collection, or technology (1) that directly identifies an individual (e.g., name, date of birth, mailing address, telephone number, Social Security number, e-mail address, zip code, address, account numbers, certificate and license numbers, vehicle identifiers including license plates, uniform resource locators, Internet Protocol addresses, biometric identifiers, photographic facial images, or any other unique identifying number or characteristic), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements, that is, indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator, and any information that reasonably can be foreseen as being linked with other information to identify an individual.
In some cases the technology might only collect personal information for a moment. For example, a body-screening device might capture the full scan of an individual, and even if the information was not retained for later use, the initial scan might raise privacy concerns, and thus the development and deployment of the technology would require a PIA.
Questions asked by the PIA include the following:
Section 1.0 Information collected and maintained
1.1 What information is to be collected?
1.2 From whom is information collected?
1.3 Why is the information being collected?
1.4 What specific legal authorities, arrangements, or agreements define the collection of information?
1.5 Privacy Impact Analysis: Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated.
Section 2.0 Uses of the system and the information
2.1 Describe all the uses of information.
2.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (sometimes referred to as “data mining”)?
2.3 How will the information collected from individuals or derived from the system be checked for accuracy?
2.4 Privacy Impact Analysis: Given the amount and type of information collected, describe any types of controls that may be in place to ensure that information is used in accordance with the above described uses.
Section 3.0 Retention
3.1 What is the retention period for the data in the system?
3.2 Has the retention schedule been approved by the National Archives and Records Administration (NARA)?
3.3 Privacy Impact Analysis: Given the purpose of retaining the information, explain why the information is needed for the indicated period.
Section 4.0 Internal sharing and disclosure
4.1 With which internal organizations is the information shared?
4.2 For each organization, what information is shared and for what purpose?
4.3 How is the information transmitted or disclosed?
4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.
Section 5.0 External sharing and disclosure
5.1 With which external organizations is the information shared?
5.2 What information is shared and for what purpose?
5.3 How is the information transmitted or disclosed?
5.4 Is a memorandum of understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?
5.5 How is the shared information secured by the recipient?
5.6 What type of training is required for users from agencies outside DHS prior to receiving access to the information?
5.7 Privacy Impact Analysis: Given the external sharing, describe what privacy risks were identified and how they were mitigated.
Section 6.0 Notice
6.2 Do individuals have an opportunity and/or right to decline to provide information?
6.3 Do individuals have the right to consent to particular uses of the information, and if so, how does the individual exercise the right?
6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how they were mitigated.
Section 7.0 Individual access, redress and correction
7.1 What are the procedures that allow individuals to gain access to their own information?
7.2 What are the procedures for correcting erroneous information?
7.3 How are individuals notified of the procedures for correcting their information?
7.4 If no redress is provided, are alternatives available?
7.5 Privacy Impact Analysis: Given the access and other procedural rights provided for in the Privacy Act of 1974, explain the procedural rights that are provided and, if access, correction, and redress rights are not provided, explain why not.
Section 8.0 Technical access and security
8.1 Which user group(s) will have access to the system?
8.2 Will contractors to DHS have access to the system? If so, please submit to the Privacy Office with this PIA a copy of the contract describing their role.
8.3 Does the system use “roles” to assign privileges to users of the system?
8.4 What procedures are in place to determine which users may access the system, and are they documented?
8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?
8.6 What auditing measures and technical safeguards are in place to prevent misuse of data?
8.7 Describe what privacy training is provided to users either generally or that is specifically relevant to the functionality of the program or system.
8.8 Are the data secured in accordance with FISMA requirements? If yes, when were certification and accreditation last completed?
8.9 Privacy Impact Analysis: Given access and security controls, describe what privacy risks were identified and how they were mitigated.
Section 9.0 Technology
9.1 Was the system built from the ground up or purchased and installed?
9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
9.3 What design choices were made to enhance privacy?
SOURCE: Department of Homeland Security, Privacy Impact Assessments: Official Guidance, DHS Privacy Office, available at http://www.dhs.gov/interWeb/assetlibrary/privacy_pia_guidance_march_v5.pdf.