The line between monitoring consumer sentiment in general and tracking individual customers is unclear and ill-defined. Companies need to understand public perceptions about both different types of online tracking and different sorts of consumer concerns. Monitoring by schools appears to be even more complex. In an opinion piece in Education Week, Jules Polonetsky and I discuss the recent revelation that Pearson—the educational testing and publishing company—was monitoring social media for any discussion by students of a national standardized test it was charged with administering. // Read more on Education Week.
My synopsis of Laura Donohue’s The Cost of Counterterrorism: Power, Politics, and Liberty is now up on the JustSecurity blog. A couple of quick thoughts on the book:
First, it was impossible not to read in various Snowden revelations throughout the book. It read very much like a prelude to all of the different programs and oversight problems we have learned about over the past year, which suggests that Snowden’s leaks really just confirmed what security critics were already surmising. Further, considering the book was release right at the start of the smartphone explosion and the rise of “Big Data,” it’s fascinating to see how Professor Donohue talked about the capabilities of these technologies.
Second, my major criticism of the book is that it reads like a bunch of law review articles duct-taped together. This may speak volumes for how legal scholarship is produced, or how many non-fiction books are collections that build upon a certain idea or original essay. Regardless, it was impossible not to notice how jarring portions of the book were. Professor Donohue’s overall framework is to compare the national security regimes of the United States with the United Kingdom, and this leads to chapters that bounce from the Irish Troubles to American military policy in Iraq. The comparison doesn’t always hold, and it some spots feels unwarranted.
Yesterday evening, I found myself at the Mansion on O Street, whose eccentric interior filled with hidden doors, secret passages, and bizarrely themed rooms, seemed as good as any place to hold a privacy-related reception. The event marked the beta launch of my organization’s mobile location tracking opt-out. Mobile location tracking, which is being implemented across the country by major retailers, fast food companies, malls, and the odd airport, first came to the public’s attention last year when Nordstrom informed its customers that it was tracking their phones in order to learn more about their shopping habits.
Today, the Federal Trade Commission hosted a morning workshop to discuss the issue, featuring representatives from analytics companies, consumer education firms, and privacy advocates. The workshop presented some of the same predictable arguments about lack of consumer awareness and ever-present worries about stifling innovation, but I think a contemporaneous conversation I had with a friend better highlights some of the privacy challenges mobile analytics presents. Names removed to predict privacy, of course!
Big national security news yesterday: a federal court judge has ruled that the NSA’s Section 215 metadata collection program is an unconstitutional violation of the Fourth Amendment. TechDirt has a great wrap-up of Judge Leon’s opinion, but more than the excellent legal analysis on display, the case is one of the first big demonstrations of how the federal judiciary is being brought into the surveillance discussion post-Snowden. The secretive structure of FISA Court, and the difficulty – if impossibility – of getting those cases into the Supreme Court or out into the sunshine made it very easy for the the courts to avoid judging the constitutionality of broad government surveillance.
Just last year in Clapper v. Amnesty International, the Supreme Court was able to side-step today’s question by holding that a group of international lawyers and journalists had no standing to challenge the FISA Amendments Act of 2008 because they could prove no harm. The narrow majority deferred to the FISA Court’s ability to enforce the Fourth Amendment’s privacy guarantees, an assertion that has proven to be ridiculous. Snowden’s revelations have changed Clapper‘s standing equation, and this may force the Supreme Court’s hand.
After today, it appears all three branches of government may have a say in the future of the Fourth Amendment, and it seems likely they won’t be in agreement. Involving the Third Branch in an active dialog about surveillance is essential not only because it can clarify the scope of Fourth Amendment but also because it may be in a position to break a separation of powers stalemate between Congress and the President. In the end, the steady stream of lawsuits challenging the NSA’s activities may end up having a bigger legal impact than any congressional theatrics.
This morning, the European Commission released its report on the state of the US-EU Safe Harbor, a mechanism that provides for international data transfers, proposing a series of recommendations designed “to restore trust in data flows between the EU and the U.S.” Europeans have long been critical of the Safe Harbor — and America’s free-wheeling attitude toward privacy in general — but the Summer of Snowden provided a perfect pretext to “reconsider” the efficacy of the Safe Harbor.
America’s hodgepodge or “sectoral” approach to privacy has increasingly placed U.S. officials on the defensive, and there’s no question the Safe Harbor can be improved. However, conflating Safe Harbor reform with justified anger about expansive NSA snooping is counterproductive. First and foremost, while public and private data sharing is increasingly intermingled, government access to data is not the same as commercial data use. The Safe Harbor was explicitly designed to protect the commercial privacy interests of EU citizens.
It was not created to address national security issues, and the Safe Harbor specifically provides an exception from its requirements “to the extent necessary to meet national security, public interest, or law enforcement requirements.” As FTC Commissioner Julie Brill has noted, national security exceptions to legal regimes are not unusual. For example, the HIPAA Privacy Rule permits the disclosure of private health information in the interest of national security, and even the EU’s stringent Data Protection Directive includes an exception for state security or defense.
This is cross-post on the American Constitution Society’s blog.
After the events of the past few weeks, a discussion presented by the American Constitution Center on the search for privacy and security on the Internet posed many questions but few answers. In an article on The Daily Beast, Harvard Law Professor Lawrence Lessig has noted that the “Trust us’ does not compute,” but after a contentious, technical discussion of both the NSA’s PRISM program and the cellular metadata orders, a panel of privacy law scholars were forced to concede that “trust us” is today’s status quo when it comes to programmatic government surveillance.
It wasn’t supposed to be this way. When the Foreign Intelligence Surveillance Act was first passed in 1978, the law was designed to “put the rule of law back into things,” explained Professor Peter Swire, co-chair of the Tracking Protection Working Group at the W3C and the first Chief Counselor for Privacy at OMB. The emergence of the Internet, however, changed everything. Intelligence agencies were faced with a legal framework that could not account for situations where “games like World of Warcraft [could be] a global terrorist communication network,” he said.
But even as communications technology has been made to serve bad actors, it has also ushered in a Golden Age of surveillance. Modern technology today can easily determine an individual’s geolocation, learn about an individual’s closest associates, and connect it all together via vast databases. Within the federal government, without strong champions for civil liberties, the availability of these technologies encouraged government bureaucracy to take advantage of them to the full extent possible. Absent outside pressure from either the Congress or the public, “stasis sets in,” Swire said.
Yet while service providers collect vast amounts of data about individuals, a combination of business practicalities and Fair Information Practice Principles which stress retention limits and data minimization mean that businesses simply do not keep all of their data for very long. As a result, the government has used Section 215 of the PATRIOT Act to collect and store as much information as possible in the “digital equivalent of the warehouse at the end of Indiana Jones,” said Professor Nathan Sales, who largely defended the government’s efforts at intelligence gathering.
The difficulty is that these sorts of data collection projects present important Fourth Amendment considerations. In his passionate dissent in the recent Maryland DNA collection case, Justice Antonin Scalia joined three of his liberal colleagues to explain that the Fourth Amendment specifically protects against general searches and demands a particularity requirement. However, a general search is exactly what an order permitting the collection of anyone and everyone’s cellular metadata appears to be.
Professor Susan Freiwald pointed out that the plain language of Section 215 is incredibly broad. 50 U.S.C. Sec. 1861 permits surveillance wherever “reasonable grounds” exist that surveillance could be “relevant . . . to protect against international terrorism or clandestine intelligence activities” where any individual, American citizen or otherwise, is “in contact with, or known to, a suspected agent of a foreign power.” According to Freiwald, the plain language of the statute “doesn’t limit government investigations in any meaningful way.” What checks that exist are limited: Congress appears at best half-informed and the ISPs that are hauled before the Foreign Intelligence Surveillance Court (FISC) have been incentivized not to fight via the carrot of immunity and the stick of contempt sanctions.
“We’re waiting on the courts,” Freiwald said, suggesting that these programs “cannot survive review if the court does its job.”
Professor Sales countered that the FISC was already placing minimization requirements into the its orders, though he conceded he couldn’t know for sure if this was accurate.
Former U.S. District Judge Nancy Gertner interjected:
As a former Article III judge, I can tell you that your faith in the FISA Court is dramatically misplaced. . . . Fourth Amendment frameworks have been substantially diluted in the ordinary police case. One can only imagine what the dilution is in a national security setting.
What little we do know about the FISC suggests that it, too, is wary of the government’s behavior. In a letter to Sen. Ron Wyden (D-Ore.) last fall, the Director of National Intelligence conceded that on at least one occasion the FISC found that the government’s information collection was unreasonable under the Fourth Amendment, and moreover, that the government’s behavior had “sometimes circumvented the spirit of the law.”
Unfortunately, the FISC’s full legal opinion remains classified, and the Department of Justice continues to contest its release. This fact reveals the core challenge facing any sensible debate about the merits of government surveillance: our current understanding rests on incomplete information, from secret court decisions to the “least untruthful” testimony of government officials.
Louis Brandeis, who along with Samuel Warren “invented” the right to privacy in 1890, also wrote that “[s]unlight is said to be the best of disinfectants.” A discussion about the future of privacy online that forces our best privacy scholars to repeatedly profess their ignorance and rests on placing our trust in the government simply does not compute.