nationalsecuritylaw forthcoming/recent scholarship (privacy & surveillance)

Privacy and Surveillance

Section 702 and the Collection of International Telephone and Internet Content

Laura Donohue (Georgetown)

Harvard Journal of Law and Public Policy, Vol. 38, No. 1(2015)

Programs initiated just after 9/11 involving the interception of communications to and from the United States shifted to the 2007 Protect America Act and, subsequently, the 2008 FISA Amendments Act. It was not until 2013 that the public became fully aware that the NSA interprets its authority under FISA §702 to intercept international, and at times, wholly domestic, communications. This Article is the first to question whether the NSA’s interpretations are statutorily consistent and constitutionally sound.

The Article begins with a statutory analysis, considering targeting, post-targeting analysis, and the retention and dissemination of data. In the first category, targeting, the Article argues that the NSA has sidestepped legislative restrictions in three critical ways: by adopting procedures that allow analysts to acquire information to, from, or “about” targets; by creating an assumption of non-U.S. person status; and by failing to construct adequate procedures to ascertain whether the target is located within domestic bounds. These interpretations undermine Congress’s inclusion of §§703 and 704 and open the door to the collection of U.S. persons’ communications. In the second category, post-targeting analysis, the Article draws attention to the aim of the analysis, the failure of prior minimization procedures to account for multi-communication transactions, the use of U.S. person information to query data, and the impact of recombinant information on §702 collection. In the third category, the retention and dissemination of data, the Article notes that increasing public reliance on cryptography raises questions about the automatic retention of encrypted data, even as the breadth of “foreign intelligence” underscores the danger of looking to retention policies to delimit information retained. The use of the data obtained under §702 for criminal prosecution, while consistent with traditional FISA, fails to reflect the equivalent procedural protections at the collection stage. This discussion leads naturally to Fourth Amendment considerations.

As a constitutional matter, outside of narrowly circumscribed exceptions, a search in criminal law is presumptively unreasonable under the Fourth Amendment unless the government first obtains a warrant from a neutral, disinterested magistrate, based on a finding of probable cause of involvement in criminal activity. This applies to all searches within the United States. It does not apply to non-U.S. persons without a significant attachment to the country who are outside domestic bounds. Between these book-ends are numerous, slimmer volumes that take account of questions such as whether the search centers on intelligence gathering or criminal prosecution, whether the target is a U.S. person or a non-U.S. person, where the search takes place, and the extent to which U.S. persons’ privacy is implicated.

The Article briefly lays out this broader Fourth Amendment territory before turning to the government’s argument that §702 collection takes place subject to a foreign intelligence exception to the warrant requirement. In the nearly four decades that have elapsed since the Court raised the possibility of such an exception — and in relation to which Congress responded by enacting FISA — not a single case has found a domestic foreign intelligence exception. Pari passu, as a matter of the international intercept of U.S. persons’ communications, practice and precedent prior to the FAA turned on a foreign intelligence exception to the warrant requirement derived from the President’s foreign affairs powers. Through §§703 and 704, Congress has since introduced stronger safeguards for U.S. persons targeted for foreign intelligence purposes. By defaulting to §702, however, and “incidentally” collecting U.S. persons’ international communications, the NSA is bypassing Congressional requirements. Acknowledging that the President and Congress share foreign affairs powers, the persistent use of §702 in this manner may be regarded in Justice Jackson’s third category under Youngstown Sheet & Tube Co. v. Sawyer.

Even if one takes the position that the Warrant Clause is inapposite to collection of U.S. persons’ information under §702, the FAA and NSA practice must still comport with the reasonableness requirements of the Fourth Amendment. To the extent that the target is a non-U.S. person based outside of domestic bounds, and the communications are to or from the target, the programs appear to be consistent with the constitutional mandate. But to the extent that the NSA interprets the statute to include information about such targets, in the process collecting the communications of wholly domestic communications, as well as conversations between U.S. persons, the practice fails to meet the totality of the circumstances test articulated by the Court with regard to reasonableness.

Human rights Treaties and Foreign Surveillance: Privacy in the Digital Age

Marko Milanovic (University of Nottingham)

Harvard International Law Journal (Forthcoming)

The 2013 revelations by Edward Snowden of the scope and magnitude of electronic surveillance programs run by the US National Security Agency (NSA) and some of its partners, chief among them the UK Government Communications Headquarters (GCHQ), have provoked intense and ongoing public debate regarding the proper limits of such intelligence activities. Privacy activists decry such programs, especially those involving the mass collection of the data or communications of ordinary individuals across the globe, arguing that they create an inhibiting surveillance climate that diminishes basic freedoms, while government officials justify them as being necessary for the prevention of terrorism.

The purpose of this article, however, is not to assess the general propriety or usefulness of surveillance programs or their compliance with relevant domestic law. I do not want to argue that electronic surveillance programs, whether targeted or done on a mass scale, are per se illegal, ineffective or unjustifiable. Rather, what I want to look at is how the legality of such programs would be debated and assessed within the framework of international human rights law, and specifically under the major human rights treaties to which the ‘Five Eyes’ and other states with sophisticated technological capabilities are parties.

In the wake of the UN General Assembly’s 2013 resolution on the right to privacy in the digital age, it can be expected that electronic surveillance and related activities will remain on the agenda of UN bodies for years to come, especially since the political relevance of the topic shows no signs of abating. Similarly, cases challenging surveillance on human rights grounds are already pending before domestic and international courts. The discussion has just started, and it will continue at least partly in human rights terms, focusing on the rights and interests of the affected individuals, rather than solely on the interests and sovereignty of states.

The primary purpose of this article is to advance this conversation by looking at one specific, threshold issue: whether human rights treaties such as the ICCPR and the ECHR even apply to foreign surveillance. The article will show that while there is much uncertainty in how the existing case law on the jurisdictional threshold issues might apply to foreign surveillance, this uncertainty should not be overestimated – even if it can and is being exploited. The only truly coherent approach to the threshold question of applicability, I will argue, is that human rights treaties should apply to virtually all foreign surveillance activities. That the treaties apply to such activities, however, does not mean that they are necessarily unlawful. Rather, the lawfulness of a given foreign surveillance program is subject to a fact-specific examination on the merits of its compliance with the right to privacy, and in that, I submit, foreign surveillance activities are no different from purely domestic ones.

A Rule of Lenity for National Security Surveillance Law

Orin S. Kerr (George Washington University)
Virginia Law Review (Forthcoming)

This essay argues that Congress should adopt a rule of lenity for the interpretation of national security surveillance statutes. Under the rule of lenity, ambiguity in the powers granted to the Executive Branch in the sections of the United States Code on national security surveillance should be trigger a narrow judicial interpretation in favor of the individual and against the state. A rule of lenity would push Congress to be the primary decisionmaker to balance privacy and security when technology changes, limiting the rule-making power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.

Borrowing Balance, How to Keep the Special Needs Exception Truly Special: Why a Comprehensive Approach to Evidence Admissibility is needed in Response to the Expansion of Suspicionless Intrusions

Dru Brenner-Beck (Independent)

South Texas Law Review, Vol. 56, No. 1 (2014)

Recognizing the inevitable expansion of the government’s use of the Fourth Amendment’s special needs exception to support suspicionless searches in counter-terrorism operations, this article argues that adoption of an evidentiary rule based on Military Rule of Evidence 313 is the best method to enforce the proper balance between necessary national security and individual liberties. After an extensive normative analysis of the foundations of the Supreme Court’s special needs jurisprudence, which includes not only “special needs” cases, but also traffic checkpoint and administrative search cases, I examine post 9-11 cases in both the US and Britain under section 44 of its Anti-Terrorism Act. The three lines of cases that support searches in the absence of particularlzed suspicion, as well as the British experience with section 44 searches, show that a core concern is unbridled discretion of the government agents performing the search.

While subjective intent on the part of these agents is irrelevant when probable cause is required to justify a search, a key concern in the special needs, vehicle checkpoint, and administrative inspections cases is the concern that these searches, because of the very lack of any particularized suspicion, are particularly susceptible to misuse, subterfuge, or pretext by the government. This weakness potentially eviscerates the protections of the Fourth Amendment. Because of this, Courts should be particularly concerned at ferreting out instances or programs designed to achieve illegitimate ends or which involve means prohibited by the Constitution such as profiling based on race, ethnicity, or religion. Under the current ad hoc approach, identification of programmatic purpose at the appropriate level can prove as difficult as the evaluation of an individual police officer’s subjective intent. Both remain core judicial tasks under the Fourth Amendment’s special needs exception.

A federal rule akin to Military Rule of Evidence 313, which uses the mechanism of shifting presumptions that shift the burden of persuasion to the government to disprove subterfuge at a high evidentiary level — that of clear and convincing evidence — can prove a valuable tool in the evaluation of special needs searches. Even under the special needs exception in the US, unbridled discretion is constitutionally suspect. By restoring the principled cabining of police discretion by courts through use of objective evidentiary tests, the evils of unchecked police discretion can be curtailed. I argue that the creation of an analogue Federal Rule of Evidence would serve multiple purposes. First, it provides a means for defense counsel to attack suspected subterfuge searches, legitimizing the inquiry and providing a rule under which a motion to exclude can be made, and discovery sought. Secondly, its high evidentiary burden provides incentives to the police to ensure that “special needs” searches can be justified both at their inception, and in implementation when challenged in court. Enactment of a federal rule of evidence akin to Military Rule of Evidence 313, restricting police discretion, thus contributes to the achievement of a long-term constitutionally supportable balance between national security and liberty, and recognizes that the personal autonomy and liberty protected by the Fourth Amendment is both an individual and societal good.

Your Secret Stingray’s No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy

Stephanie K. Pell (Stanford), Christopher Soghoian (Yale)
Harvard Journal of Law and Technology (Forthcoming)

In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept calls due to a significant security vulnerability inherent in then widely used analog cellular phone networks: calls were not encrypted as they traveled over the air. In response to this problem, Congress, rather than exploring options for improving the security of cellular networks, merely outlawed the sale of new radio scanners capable of intercepting cellular signals, which did nothing to prevent the potential use of millions of existing interception-capable radio scanners. Now, nearly two decades after Congress passed legislation intended to protect analog phones from interception by radio scanners, we are rapidly approaching a future with a widespread interception threat to cellular communications very reminiscent of the one scanner posed in the 1990s, but with a much larger range of public and private actors with access to a much more powerful cellular interception technology that exploits security vulnerabilities in our digital cellular networks.

This Article illustrates how cellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology, as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion, even keeping its very name from public disclosure. This “source and method” argument, although questionable in its efficacy, is invoked to protect law enforcement agencies’ own use of this technology while allegedly preventing criminal suspects from learning how to evade surveillance.

This Article argues that current policy makers should not follow the worn path of attempting to outlaw technology while ignoring, and thus perpetuating, the significant vulnerabilities in cellular communications networks on which it depends. Moreover, lawmakers must resist the reflexive temptation to elevate the sustainability of a particular surveillance technology over the need to curtail the general threat that technology poses to the security of cellular networks. Instead, with regard to this destabilizing, unmediated technology and its increasing general availability at decreasing prices, Congress and appropriate regulators should address these network vulnerabilities directly and thoroughly as part of the larger cyber security policy debates and solutions now under consideration. This Article concludes by offering the beginnings of a way forward for legislators to address digital cellular network vulnerabilities with a new sense of urgency appropriate to the current communications security environment.

Law, Logarathims and Liberties: Legal Issues Arising from CSEC’s Metadata Program

Craig Forcese (University of Ottawa)

University of Ottawa Press (2014)

Two thousand and thirteen was the year of the spy. Edward Snowden – “leaker” or “whistleblower” depending on one’s perspective – ignited a mainstream (and social) media frenzy in mid-2013 by sharing details of classified US National Security Agency (NSA) surveillance programs with the U.K. Guardian and Washington Post newspapers. For related reasons, 2013 was also the year in which the expression “metadata” migrated from the lexicon of the technologically literate to the parlance of everyday commentary. The NSA revelations fuelled media, academic and other speculation about whether similar surveillance programs exist in Canada. That attention focused on Canada’s NSA equivalent (and close alliance partner), the Communications Security Establishment Canada (CSEC). CSEC does have a metadata collection program, prompting questions about its legal basis, and the extent to which CSEC is governed by robust accountability mechanisms.

This article focuses on a single aspect of this debate: By reason of technological change and capacity, have the state’s surveillance activities now escaped governance by law? A broad question with a number of facets, this article examines the specific sub-issue of metadata and its relationship with conventional rules on searches and seizures. The article concludes that the privacy standards that CSEC must meet in relation to metadata are much more robust than the government seems to have accepted to date.

Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era

Ira Rubenstein (NYU), Joris Van Hoboken (NYU)

66 Maine Law Review 488 (2014)

This Article considers the organizational and technical responses of cloud computing companies in response to the Snowden leaks, which revealed the extent of NSA surveillance of foreign citizens whose data was held by U.S. based cloud services. The industry has sought to restore trust in their services by stepping up their efforts to protect the privacy and confidentiality interests of their customers against what we call “transnational surveillance.” While the legal debate about the proper legal standards for such surveillance is ongoing, the article focuses on two broad classes of technical and organizational responses and their interaction with the law. First, leading cloud firms like Google and Microsoft have implemented long-established cryptographic protocols that secure both communications with their customers and information flows among their own company data centers. In particular, these solutions help ensure that access takes place only through the “front door” of a valid legal process involving the service providers. Second, the article explores the availability of more far-reaching security innovations based on Privacy Enhancing Technologies (PETs). These increasingly popular solutions would limit the ability of service providers to comply with government orders, notwithstanding the technical assistance provisions in existing domestic and foreign surveillance laws.

The solutions discussed raise a number of legal issues. For example, do investigative agencies have sufficient legal authority to seek court orders compelling U.S. firms to modify their services in order to facilitate surveillance? More broadly, do U.S. firms (other than telephone carriers subject to a 1994 law requiring them to design wiretap-ready equipment) have a free hand in modifying existing services, or designing new services, to make them more resistant to transnational surveillance? Or may the U.S. government rely on existing surveillance laws to oversee the design of cloud services to ensure that court-ordered access remains achievable when duly authorized by judges or magistrates?

In analyzing these issues, the article draws upon an earlier debate about encryption export controls in the 1990s (the so-called “crypto wars”). It concludes that new laws may be necessary for the U.S. government to maintain its current levels of access and that Congress may be reluctant to enact such laws in the current climate. More generally, it concludes that many of the technical and organizational measures under discussion are likely to fall short of providing the kind of absolute protection sought by certain cloud customers, especially those located abroad. At the same time, under the right conditions, these measures can help to lower some of the risks of transnational surveillance and work to restore the balance in favor of privacy, information security, and confidentiality interests in the context of cloud data

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: