Privacy-Related Law and Regulation: The State of the Law and Outstanding Issues
The law intended to guide intelligence operations is complex and has failed to keep up with the significant changes in terrorist threats, surveillance technologies, and the volume, variety, and accessibility of digital data about individuals. The absence of a coherent and up-to-date legal framework has contributed to undermining trust in intelligence activities. A brief description of that law along with an explanation of its inadequacies will help illustrate why.
THE FOURTH AMENDMENT
The government has very broad power to obtain personal information. Historically, the primary constitutional limit on that power is the Fourth Amendment, which reflects the Framers’ hostility to general searches. A general search is a search that is not based on specific evidence that allows the search to be targeted as to the location of the search or the type of evidence the government is seeking. The purpose of the Fourth Amendment was to forbid general searches by requiring that all searches and seizures must be reasonable and that all warrants must state with particularity the item to be seized and the place to be searched.
The Fourth Amendment requires that warrants be issued only “upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Federal law defines “probable cause” to mean “a belief that an individual is committing, has committed, or is about to commit a particular offense” and that the information sought is germane to that crime.1 The Supreme Court generally requires that the government provide the subject of a search with contemporaneous notice of the search.2
Collecting information from a person constitutes a search if it violates that individual’s reasonable expectation of privacy. The Supreme Court has held that a person has a reasonable expectation of privacy in their homes, sealed letters, and the contents of their telephone calls. On the other hand, the Court has determined, for example, that warrants are not required to search or seize items in the “plain view” of a law enforcement officer,3 for searches that are conducted incidental to valid arrests,4 or to obtain records held by a third party, even if those records are held under a promise of confidentiality.5 The Court has interpreted this last exception broadly to find that the Fourth Amendment is inapplicable to telecommunications “attributes” (e.g., the number dialed, the time the call was placed, the duration of the call, etc.), because that information is necessarily conveyed to, or observable by, third parties involved in connecting the call.6
Moreover, the Fourth Amendment poses no limits on how the government may use information, provided that it has been obtained legally, and some limits on the use of data obtained illegally. Consequently, personal data seized by the government in compliance with the Fourth Amendment may later be used in a context for which the data could not have been obtained lawfully. The rest of this section addresses two important examples of areas in which the evolution of technology and new circumstances suggest that current Fourth Amendment law and practice may be outdated or inadequate.
In some ways, machine-aided searching of enormous volumes of digital transaction records is analogous to a general search, especially if those records contain highly sensitive information. Much like a general search in colonial times was not based on specific evidence or limited to a particular person or place, a machine-aided search through digital databases can be very broad.
Existing Fourth Amendment law speaks to such searches only in limited contexts, however. The Fourth Amendment requires the government to obtain a search warrant when looking through a person’s hard drive or private e-mail, for example. It also requires that the warrant specify the type of evidence the government is seeking. It may also require a warrant or a subpoena to collect information that is inside a database. However, if the government collects data in compliance with the Fourth Amendment, and then it aggregates the data into a database, the process of searching through the database is not itself regulated by the Fourth Amendment. Even if the government violates the Fourth Amendment when collecting the data, the data may be stored, aggregated, and used for any purpose other than that for which the data were wrongfully accessed. So, for example, the Court has allowed records illegally seized by criminal investigators to be used by tax investigators on the basis that restricting the subsequent use would not deter the original unconstitutional conduct.7
Broad machine-aided searches and the government’s reuse of lawfully or unlawfully obtained data raise very important questions of public policy. What standards should govern access to or use of data that has already been collected? Should use of databases or specific analytical techniques such as data mining be regulated at all? If querying a database or running a data mining program on a database constitutes a search, when is such a search “reasonable”? Must the police have a specific individual in mind before searching a database for information on him or her? In the absence of clear standards or guidelines to govern their conduct or even to help them make reasonable judgments, the police cannot do their work. Moreover, what level of legal authorization should guide database queries? If a legal standard is used, is relevance the right standard? Or is something more like reasonable suspicion or probable cause the proper standard to use?
Searches and Surveillance for National Security and Intelligence Purposes That Involve U.S. Persons Connected to a Foreign Power or That Are Conducted Wholly Outside the United States
The Fourth Amendment applies to searches and surveillance conducted for domestic law enforcement purposes within the United States, and those conducted outside of the United States if they involve U.S. citizens (although not necessarily permanent resident aliens). In a 1972 case commonly referred to as the Keith decision, the Supreme Court held that the Fourth Amendment also applies to searches and surveillance conducted for national security and intelligence purposes within the United States if they involve U.S. persons who do not have a connection to a foreign power.8 The Court, however, recognized that “different policy and practical considerations” might apply in the national security context than in traditional law enforcement investigations, and specifically invited Congress “to consider protective standards for … [domestic security] which differ from those already prescribed for specified crimes in Title III.”9 The Court left open the question of whether the Fourth Amendment applies to searches and surveillance for national security and intelligence purposes that involve U.S. persons who are connected to a foreign power or are conducted wholly outside of the United States,10 and the Congress has not supplied any statutory language to fill the gap.
The Miller-Smith Exclusion of Third-Party Records
As noted in Chapter 1, some legal analysts believe that there is no better example of the impact of technological change on the law than the exemption from the Fourth Amendment created by the Supreme Court for records held by third parties. According to this perspective, such an exemption significantly reduces constitutional protections for personal privacy—not as the result of a conscious legal decision, but through the proliferation of digital technologies that make larger quantities of more detailed information available for inspection than ever before.
Other analysts suggest that as a general point, the protection of privacy is better founded as a matter of statute and regulation (that is, of policy choices) rather than as a matter of Constitutional right.11 In this view, legislatures have many advantages that enable the legislative privacy rules regulating new technologies to be more balanced, comprehensive, and effective than judicially created rules. These advantages include the ability to act more quickly in the face of technological change than courts are able to do and to appreciate existing technology and the impact of different legal rules. In addition, and specifically relevant to the third party exemption for the privacy of records held by third parties, some analysts argue that without some ability for law enforcement officials to obtain some transactional data without a warrant, criminals and terrorists operating in cyberspace would be largely able to prevent law enforcement from obtaining probable cause to obtain indictments or to investigate more deeply.
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
The Fourth Amendment is not the only restraint on the government’s power to collect and use information through surveillance. The Electronic Communications Privacy Act (ECPA) is a collection of three different statutes that also regulates government collection of evidence in the context of telecommunications networks. The Wiretap Act is amended in Title I of ECPA, and as amended deals with the interception of telephone and Internet communications in transmission.12 It applies to “wire communications,” although not to video unaccompanied by sound. To intercept communications in transit requires a “‘super’ search warrant,”13 unless an exception to the warrant requirement applies such as consent. A warrant can only be sought by designated federal officials and requires probable cause, details about the communication to be intercepted, minimization of any non-relevant communications inadvertently intercepted, and termination immediately upon completion. Information obtained in violation of these requirements can subject the responsible agent to minimum damages of $10,000 per violation and is subject to the exclusionary rule (except for e-mail) so that it cannot be used in a subsequent criminal prosecution.
Title II—the Stored Communications Act—which was adopted in 1986 deals with communications in electronic storage, such as e-mail and voice mail.14 It contains rules that govern compelled disclosure of information from service providers as well as when providers can disclose information voluntarily. Traditional warrants are required to obtain access to communications stored 180 days or less. To obtain material stored for more than 180 days, the government need only provide an administrative subpoena, a grand jury subpoena, a trial subpoena, or a court order, all of which are easier to obtain than a traditional warrant. Non-content information, such as information about a customer’s account maintained by a communications provider, can be obtained by the government either with a subpoena or by providing “specific and articulable facts showing that there are reasonable grounds to believe that … the records or other information sought are relevant and material to an ongoing criminal investigation.”15 Violations carry a minimum fine of $1,000; no exclusionary rule applies.
Title III—the Pen Register Act—which was also adopted in 1986, applies to “pen registers” (to record outgoing call information) and “trap and trace” devices (to record incoming call information).16 To obtain information akin to what is contained in a phone bill or revealed by “Caller ID,” e-mail header information (the “To,” “From,” “Re,” and “Date” lines in an e-mail), or the IP address of a site visited on the Web, the government need only obtain a court order. The court must provide the order—there is no room for judicial discretion—if the government certified that “the information likely to be obtained by such installation and use is relevant to an ongoing investigation.”17 The exclusionary rule does not apply to violations of the act.
THE FOREIGN INTELLIGENCE SURVEILLANCE ACT
While the ECPA regulates surveillance for law enforcement purposes, successive presidents insisted that it did not limit their power to engage in surveillance for national security purposes. In the aftermath of Watergate, the Senate created the Select Committee to Study Government Operations with Respect to Intelligence Activities, chaired by Senator Frank Church (D-Idaho). The Church Committee’s final report, published in 1976, cataloged a wide array of domestic intelligence surveillance abuses committed under the protection of the president’s national security authority.18 While some must have been plainly understood at the time by their perpetrators to have involved wrong-doing, such as spying on political opponents, many involved what today would be called “mission creep.”19
That report, the unresolved nature of the president’s power to conduct domestic surveillance, and the Supreme Court’s 1972 invitation to Congress in the Keith decision to “consider protective standards” in this area all coalesced in enactment of the Foreign Intelligence Surveillance Act (FISA) of 1978.20 The act creates a statutory regime governing the collection of “foreign intelligence” from a “foreign power” or “agent of a foreign power” within the borders of the United States.
The act created a special court—the Foreign Intelligence Surveillance Court—of seven (now eleven) federal district court judges. The court meets in secret and hears applications from the Department of Justice (DOJ) for ex parte orders authorizing surveillance or physical searches. All that the government must show is that there is “probable cause to believe that the target of the electronic surveillance is a foreign power or agent of a foreign power”21 and that gathering foreign intelligence is “the purpose” of the requested order.22 In 2001, the USA Patriot Act changed this standard to “a significant purpose.”23 This change and a decision from the three-judge FISA review court created by the statute to hear appeals brought by the government have resulted in making information obtained from FISA surveillance freely available in criminal prosecutions.24 In 2003, for the first time, the federal government sought more surveillance orders under FISA than under ECPA.25
As this report is being written (November 2007), changes to the FISA act are being contemplated by the U.S. Congress. The final disposition of these changes remains to be seen.
THE PRIVACY ACT
The Privacy Act of 1974 provides safeguards against an invasion of privacy through the misuse of records by federal agencies and establishes a broad regulatory framework for the federal government’s use of personal information.26 The Act requires federal agencies to store only relevant and necessary personal information and only for purposes required to be accomplished by statute or executive order; to collect information to the extent possible from the data subject; to maintain records that are accurate, complete, timely, and relevant; and to establish administrative, physical, and technical safeguards to protect the security of records.27 The Privacy Act also prohibits disclosure, even to other government agencies, of personally identifiable information in any record contained in a “system of records,” except pursuant to a written request by or with the written consent of the data subject, or pursuant to a specific exception.28 Agencies must log disclosures of records and, in some cases, inform the subjects of such disclosures when they occur. Under the Act, data subjects must be able to access and copy their records, each agency must establish a procedure for amendment of records, and refusals by agencies to amend their records are subject to judicial review. Agencies must publish a notice of the existence, character, and accessibility of their record systems.29 Finally, individuals may seek legal redress if an agency denies them access to their records.
The Privacy Act is far less protective of privacy than may first appear, because of numerous broad exceptions.30 Twelve of these are expressly provided for in the Act itself. For example, information contained in an agency’s records can be disclosed for “civil or criminal law enforcement activity if the activity is authorized by law.”31 An agency can disclose its records to officers and employees within the agency itself, the Census Bureau, the National Archives, Congress, the Comptroller General, and consumer reporting agencies.32 Information subject to disclosure under the Freedom of Information Act is exempted from the Privacy Act.33 And under the “routine use” exemption,34 federal agencies are permitted to disclose personal information so long as the nature and scope of the routine use was previously published in the Federal Register and the disclosure of data was “for a purpose which is compatible with the purpose for which it was collected.” According to the Office of Management and Budget, “compatibility” covers uses that are either (1) functionally equivalent or (2) necessary and proper.35
Moreover, the Privacy Act applies only to information maintained in a “system of records.”36 The Act defines “system of records” as a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”37 The U.S. Court of Appeals for the District of Columbia Circuit held that “retrieval capability is not sufficient to create a system of records…. ‘To be in a system of records, a record must … in practice [be] retrieved by an individual’s name or other personal identifier.’”38 This is unlikely to be the case with new antiterrorism databases, in which information may not be sufficiently structured to constitute a “system of records” in the meaning of the Privacy Act.
The Privacy Act has also been subject to judicial interpretations which have created new exceptions. For example, courts have found that the following entities do not constitute an “agency”: a federally chartered production credit association, an individual government employee,39 state and local government agencies,40 the White House Office and those components of the Executive Office of the President whose sole function is to advise and assist the President,41 grand juries,42 and national banks.43
As a result, the Privacy Act plays little role in providing guidance for government intelligence activities or limiting the government’s power to collect personal data from third parties. Moreover, the Privacy Act only applies to federal agencies—it does not generally regulate the collection of personal information by private-sector entities. In short, the Privacy Act provides limited protection when government-collected data are involved, and very little when private-sector data are involved.
EXECUTIVE ORDER 12333 (U.S. INTELLIGENCE ACTIVITIES)
Promulgated on December 4, 1981, Executive Order (EO) 12333 regulates the conduct of U.S. intelligence activities.44 Section 2.2 of EO 12333 sets forth “certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests.” Using a definition of United States person specified in Section 3.4(i) of this order (a United States person is “a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments”), Section 2.3 of EO 12333 establishes constraints on procedures for agencies within the intelligence community (IC) to collect, retain or disseminate information concerning United States persons.
Under EO 12333, only certain types of information may be collected, retained, or disseminated by IC agencies. These types of information include “information that is publicly available or collected with the consent of the person concerned; information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations; information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation; information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations; information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure; information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility; information arising out of a lawful personnel, physical or communications security investigation; information acquired by overhead reconnaissance not directed at specific United States persons; incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and information necessary for administrative purposes.”
The full text of EO 12333 can be found at http://www.tscm.com/EO12333.html.
Under Section 2.4 of EO 12333, IC agencies are required to use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. In addition, this section places certain limitations on various agencies. For example, the Central Intelligence Agency is forbidden to engage in electronic surveillance within the United States except for the purpose of training, testing, or conducting countermeasures to hostile electronic surveillance. In addition, no IC agency is allowed to conduct “physical surveillance of a United States person abroad to collect foreign intelligence, except to obtain significant information that cannot reasonably be acquired by other means.” (See the full text of the EO for additional restrictions.)
THE ADEQUACY OF TODAY’S ELECTRONIC SURVEILLANCE LAW
The law applicable to surveillance and intelligence gathering, and the attention paid to limitations in that law, suggest that it suffers from what Professor Daniel Solove has described as “profound complexity.”45 Professor Orin Kerr has written that “the law of electronic surveillance is famously complex, if not entirely impenetrable.”46 Courts agree with these assessments and have “described surveillance law as caught up in a ‘fog,’ ‘convoluted,’ ‘fraught with trip wires,’ and ‘confusing and uncertain.’”47
Why is today’s law regarding electronic surveillance complex? Some of the complexity is certainly due to the fact that the situations and circumstances in which electronic surveillance may be involved are highly varied, and policy makers have decided that different situations call for different regulations. That is, different treatment of electronic surveillance in different situations is a consequence of legislative and executive branch policy choices to treat these situations differently.
But it is another issue as to whether such differences, noted and established in one particular set of circumstances, can be effectively maintained over time. First, circumstances evolve. For example, today’s law includes major distinctions based on the location of the surveillance, the purposes for which the intercepted information is sought, and whether the target is a “U.S. person” or a “non-U.S. person.” Yet these distinctions are difficult to apply in a world of digital communications and networks that do not easily recognize national borders, terrorist threats of foreign origin that are planned or executed within the borders of the United States, and the growing integration of foreign intelligence, domestic intelligence, and law enforcement.
Another important distinction is the historical separation between criminal and national security investigations. Since September 11, 2001, some of the barriers separating criminal and national security investigations have been lowered (for example, the government is now freer to share information gathered by law enforcement in criminal investigations with national security authorities, and vice versa). However, the ECPA and the FISA are based on the existence of clear distinctions between criminal and national security investigations, as reflected in their disparate treatment of information that is collected and stored under each regime.
Second, evolving technologies also complicate the application of laws and precedents created in an earlier technological era, and at times existing law seems outpaced by technological change. In 2004, the Department of Defense Technology and Privacy Advisory Committee (TAPAC) wrote in its final report:
Laws regulating the collection and use of information about U.S. persons are often not merely disjointed, but outdated. Many date from the 1970s, and therefore fail to address extraordinary developments in digital technologies, including the Internet…. Dramatic advances in information technology, however, have greatly increased the government’s ability to access data from diverse sources, including commercial and transactional databases….
… Current laws are often inadequate to address the new and difficult challenges presented by dramatic developments in information technologies. And that inadequacy will only become more acute as the store of digital data and the ability to search it continue to expand dramatically in the future.48
As an example, the ECPA draws a sharp distinction regarding whether a message is “in transit” or “in storage.” When ECPA was adopted in 1986, users downloaded e-mail from their service provider onto their local computer. Messages therefore were not stored centrally after being read. Today, many e-mail systems are accessed through Web interfaces, so e-mail is by default stored on servers belonging to third parties. Thus, according to an analysis by the Center for Democracy and Technology, “As a result of ECPA’s complex rules, the same email message will be subject to many different rules during its life span. These complex rules likely do not match the expectations of email users.”49
The government exploits such distinctions. The Federal Bureau of Investigation’s Key Logger System, which records individuals’ keystrokes on their computers, was designed to collect data only when the users’ machines are not connected to the Internet. When a user logs on, the keystroke recording stops, so that the agency argues that the device is not capturing communications “in transit,” but merely “in storage,” and therefore is not required to comply with Title I of the ECPA.50
A second example is that when the statutory authorization was adopted for the National Security Agency (NSA) to carry out electronic surveillance outside of the United States, it was highly unusual for ordinary persons in the U.S. to make international phone calls, and e-mail did not yet exist.51 Today, the proliferation of information technology into the population at large means that many ordinary people in the U.S. make international phone calls and use e-mail, with the result that many more communications of ordinary people are potentially subject to NSA surveillance.52 To be sure, a variety of regulations exist to prevent just such occurrences from intruding on the privacy of ordinary Americans, but it is undeniable that more communications involving Americans will fall within the ambit of electronic surveillance directed outside U.S. borders as global communications increase.
Third, the law today embeds some significant inconsistencies. For example, the very high protection for communications under Title I of ECPA does not extend to video surveillance if sounds are not captured at the same time. Meanwhile, the much weaker protection of FISA does apply. “Foreign agents therefore receive protection against silent video surveillance whereas United States citizens do not.”53 Similarly, protection for stored communications hinges on whether the message has been stored for more than 180 days. Why? Telephone calls and e-mail receive significantly different protection from government surveillance without any apparent reason.
Fourth, key intelligence questions remain without clear answers. For example, do any of these laws apply to “data mining” or searches for keywords or relationships conducted by computer? Is it possible to show probable cause, under either the high standard of Title I of ECPA or the weaker standard of FISA, for searches that target a pattern of behavior rather than an identified person? How should opened e-mail and voice mail messages be treated? DOJ argues that they are merely remotely stored files and therefore do not fall within the protection of Title II of ECPA.54 Why aren’t they simply stored communications that are directly covered by Title II (the Stored Communications Act)?55
Finally, the slow pace at which law has evolved in the face of changing technologies may have done more to undermine than to enhance trust in information sharing. The Supreme Court initially refused to apply the Fourth Amendment to wiretapping at all,56 and it took the Court 39 years to reverse that decision.57 Conversely, in 1934 Congress prohibited wiretapping in any form and for any purpose.58 It took 34 years before Congress recognized the potential of electronic surveillance, properly regulated, to aid law enforcement,59 and another twelve before it statutorily authorized its use to advance national security.60 Congress also receives only limited information about surveillance conducted under ECPA and FISA, and even less about the Administration’s surveillance conducted outside of this statutory framework. There is no federal reporting requirement about electronic surveillance by states, which account for the majority of wiretaps, and only half of the states in fact report statistics about their wiretap orders.61
What does the analysis above imply for changing today’s law regarding electronic surveillance? There is broad agreement that today’s legal regime is not optimally aligned with the technological and circumstantial realities of the present. But there is profound disagreement both about whether the basic principles underlying today’s regime continue to be sound and about the directions in which changes to today’s regime ought to occur. Some analysts believe that privacy has suffered as the result of an increasing gap between technology/circumstances and the more slowly changing law, while others believe that technological change is upsetting the traditional balance away from the legitimate needs of law enforcement and national security.
FURTHER REFLECTIONS FROM THE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE REPORT
Many of the issues discussed above were also flagged in the report issued by the TAPAC, a bipartisan panel of independent legal experts and former government officials appointed by Secretary of Defense Donald Rumsfeld in the wake of the TIA [Total/Terrorist Information Awareness program; see Appendix J] debacle. For example, the report noted that the risks to informational privacy of government data mining efforts were exacerbated by disjointedness in the laws applicable to data mining. Thus, programs that appear to pose similar privacy risks are subject to a variety of often inconsistent legal requirements. Such inconsistencies, the report argued, reflected “the historical divide in the United States between laws applicable to law enforcement and those applicable to foreign intelligence and national security activities, as well as the different departments, contexts, and times in which those programs were developed.”
It also noted that depending on which department developed the tools, the use of data mining to protect the homeland was either required or prohibited and that today’s laws regulating the collection and use of information about U.S. persons were created in the 1970s, and thus do not take into account recent developments in digital technologies, including the Internet. Pointing out that “the ubiquity of information networks and digital data has created new opportunities for tracking terrorists and preventing attacks,” the report argued that “new technologies [also] allow the government to engage in data mining with a far greater volume and variety of data concerning U.S. persons, about whom the government has no suspicions, in the quest for information about potential terrorists or other criminals” and that then-current laws were “often inadequate to address the new and difficult challenges presented by dramatic developments in information technologies.”
The TAPAC report concludes that “[t]hese developments highlight the need for new regulatory boundaries to help protect civil liberties and national security, and to help empower those responsible for defending our nation to use advanced information technologies—including data mining appropriately and effectively. It is time to update the law to respond to new challenges.”62