The utopian Dream of Internet Freedom will never become a reality, but it doesn’t
have to be a dystopian cautionary tale either. Technology has thrown the balance
of power in surveillance out of alignment, and the law has either stagnated or
been weakened in the face of this challenge. Constitutional values are at stake.
The “reasonable expectation of privacy” protected by the Fourth Amendment
is in flux. It was always a fuzzy standard and inconsistently applied. But now,
there are serious questions about whether and how the doctrine will apply to the
technological realities of the modern world. The Supreme Court is years away
from answering fundamental questions about our government’s relationship with
its citizens through expanding technological usage. By building both technology
and regulatory law for privacy and security, we can ensure the values behind
constitutional freedoms without stripping intelligence and law enforcement of
tools to protect national security. To begin this process, we must broaden warrant
requirements to cover access to most electronic data, place limits on the FISA
Amendments Act of 2008 to ensure citizens’ data is not swept up in surveillance
of foreign targets, and let privacy and encryption technology continue to evolve
for use by average citizens.
In the first days of the Internet, many early adopters dreamed of the utopian possibilities for
the technology. The decentralized structure of the Internet was a design principle intended
to make the network more robust, but it had political implications as well. The “end-to-end”
structure meant people could more freely create and innovate without needing approval or
having to pay to reach an audience. The Internet would be a place where anyone could say
anything, and anyone who wanted to hear it would be empowered not only to listen but also
to respond—a global conversation would ensue, overcoming borders, class, and government
oppression. The Internet would treat censorship as damage, and route around it. It would
create a new, more honest, open, and creative society.
Today, this dream seems likely to remain a fantasy. There has been liberation, but today
the promise of the open Internet seems more remote. Just a few dominant global platforms
structure our online experiences, providing a focus point for governments around the world
to censor expression and spy on citizens—and make no mistake; surveillance is a free
speech issue.
In the course of providing the public with desirable products and services, global Internet
companies record our messages, friendships, web searches and more. If governments are
interested in knowing who we are talking to, what we are reading, or even what we think,
the data has been recorded by a few large companies. Police can access privately held
emails, text messages, web searches, credit card records, social networking posts – our lives
are documented for anyone willing to read. What is already a Golden Age for Surveillance
is about to go further. The Internet of Things, interconnected software-enabled devices like
cars, televisions, and even medical devices will make our activities and bodily functions
ever more tracked and collectable to companies and governments alike.
This information collection has impact for both intelligence investigations and for law
enforcement. Intelligence—gathering information for situational awareness and foreign
affairs—is supposed to be proactive and somewhat predictive. In service of this mission,
modern surveillance is both massive and indiscriminate. Where international spying was
once government versus government; today it is governments versus individuals around the
globe. Spying today means opportunistically collecting information on everyone, in trying
to identify threats both known and unknown, so intelligence analysts can use computers
to comb through the mass looking for patterns to turn trillions of pieces of “information”
into usable “intelligence.” This new intelligence paradigm has trickled down to transform
traditional law enforcement practices as well. For example, the Federal Bureau of Investigation (FBI) works with the National Security Agency (NSA) to construct and use
vast databases of information about foreigners and their American contacts to then search
for evidence of criminal activity. And, local police use automated license plate detectors and
cell site simulators to track citizens’ physical location.
Only secure technology, law, and the good will of government officers stands between
people and abusive surveillance or political censorship—and good will has never been
enough. American history is rife with stories of improper surveillance of political heroes and
harmless groups like Greenpeace, People for the Ethical Treatment of Animals, Dr. Martin
Luther King, Jr. and Muhammad Ali.
Privacy law is falling far short of protecting people from massive, abusive, and
suspicionless surveillance. Legal protections for our most private data are both uncertain
and inadequate. For example, the U.S. Department of Justice says that it can access
data that is accessible to service providers without a search warrant—according to our
government, your emails, buddy lists, back-ups, social network posts, and networked
medical data are not private.
This essay will discuss three Big Ideas that the new administration should urge Congress
to undertake in order to move toward greater privacy protections from unfounded
governmental intrusion in citizens’ personal lives.
I. Require Warrants to Access Most Electronic Data
A warrant requirement is important because it means that a judge polices data access, so the
government must show probable cause for snooping. It also means that the access has to
be targeted, specifically describing what and who are the subjects—no fishing expeditions.
The warrant requirement is a limitation on arbitrary police action and on mass surveillance.
Today, there is very little data collection for which the law mandates a warrant.
Advocates have long been trying to get Congress to reform the 1986 Electronic
Communications Privacy Act (ECPA) to make it clear that police officers cannot read your
email or track your physical location without a search warrant. Currently, ECPA does not
require law enforcement to obtain a warrant to access emails older than 180 days. ECPA is
also not entirely clear on when more recent emails are protected by a warrant requirement,
although most Internet platforms follow the Sixth Circuit’s opinion in United States v. Warshak which requires a warrant to access email content.
Several bills that would reform ECPA, including the Email Privacy Act (H.R. 699)5 and the ECPA Amendments Act of 2015 (S. 356, H.R. 283), essentially codify the warrant requirement in Warshak but have not been passed because surveillance proponents keep using the proposals as an opportunity
to weaken existing law, either by expanding government access to email for non-criminal
investigations or by reducing already weak legal protections for other categories of data like
web browsing history.
Even the “ECPA reform” on the table is not sufficient because much of the law enforcement
shenanigans over surveillance are based on ECPA’s confusing and outdated tiered treatment
of different categories of data. The law enshrines lesser privacy protections for metadata
collection than it does for the content of communications across the board. Metadata, a
fuzzy blanket term that can include information like email sender and recipient addresses,
dialed phone numbers, financial transactions, geolocation information, website addresses,
and more, is extremely revealing about people’s personal relationships, religious beliefs,
and political activities. The differential treatment of metadata and content no longer makes
any sense in a world of Big Data analytics. At the same time, statistical insights show that
metadata analysis is more misleading than enlightening when it comes to finding unknown
terrorists in a haystack of information, and that it is likely to always be so. The law should
be updated to protect personal and sensitive information more generally.
II. Limit the FISA Amendments Act of 2008
Section 702 of the FISA Amendments Act authorizes the government to broadly collect,
for any foreign intelligence purpose, telephone calls, emails, instant messages, and other
communications content where the target is reasonably believed to be a non-U.S. person
located outside the U.S.
In December 2017, the FISA Amendments Act and section 702 of that Act will sunset. Congress must decide whether to renew the law, reform it, or kill it. Section 702 is highly problematic both because of the information it allows intelligence agencies to collect without a warrant—including email—and because of the range of people who can be targeted. If section 702 dies, the NSA and the FBI will still be able to wiretap individually targeted foreigners and collect their communications from service providers. However, they will not be able to do so for any foreigner talking about any foreign intelligence matter. Nor will they be able to collect foreigners’ data from Internet companies without judicial supervision—albeit that of the top secret Foreign Intelligence Surveillance Court (FISC). Instead, if the intelligence agencies follow the law, analysts will have to provide probable cause that the foreigner is an agent of a foreign power and get a warrant
for the surveillance before capturing a target’s communications. Rolling back section 702 surveillance is important as it is used to target political activists
and to collect data about Americans.
A Washington Post study of PRISM data obtained by Edward Snowden revealed a surprising array of intimate personal information collected and retained by the NSA under 702 including photos of mothers kissing babies and personal medical records; information that is admittedly irrelevant to foreign intelligence. More than half of the 160,000 PRISM files analyzed by The Washington Post contained names, e-mail addresses, or other details that the NSA marked as belonging to U.S. citizens or residents, which demonstrates that collecting Americans’ international communications
is routine under section 702. Once collected, the FBI may search the trove of section 702
data for information about Americans and crime, essentially circumventing citizens’ Fourth
Amendment protections. Congress must end this “back door search” loophole if it is to
restore protection and balance between citizens and law enforcement. Short of ending section 702’s warrantless wiretapping, there is much that Congress could do to narrow its scope to legitimate national security topics. As it stands, Section 702 is incredibly broad, allowing surveillance of foreigners if a “significant purpose” of the collection is foreign intelligence, which can include topics like trade disputes and the price of oil.
III. Let Privacy Technology Evolve
Technology has taken privacy away, ushering in the Golden Age for Surveillance. It
has created new security risks: identity theft, phishing, impersonation, stalking, revenge
porn, and more. Many consumers willingly give up some privacy and security for easy
communications and other valuable online services. But it doesn’t have to be that way. It
only makes sense to allow people and the companies we contract with to secure our private
information. This means more—and more secure—encryption. Encryption helps human rights workers,
activists, journalists, financial institutions, innovative businesses, and governments protect
the confidentiality, integrity, and economic value of their activities. However, strong
encryption may mean that governments cannot make sense of data they would otherwise be
able to lawfully access in a criminal or intelligence investigation.
The encryption dispute has resurfaced despite the debates of the 1970s and 1990s,
which resolved tradeoffs between the U.S. government’s surveillance/law enforcement
missions (potentially thwarted by encryption) and its information assurance/crime prevention missions (furthered by encryption) in favor of allowing for the proliferation
of strong encryption. The FBI argues that it should be entitled to defeat encryption
during investigations despite technical experts’ warnings that the same encryption the
U.S. government can defeat will also be defeated by oppressive regimes and criminals.
Nevertheless, earlier this year, the FBI tried to force Apple to write a new phone operating
system that defeats handset security measures and allows agents to try brute force attacks on
encrypted data. Meanwhile, Senators have introduced a “discussion draft” of short-sighted
legislation that would punish companies for securing information about their users.10
More secure technology—including encryption—can help protect journalists, human
rights workers, and those individuals, as well as average citizens, who are at the forefront
of political and social evolution. Technology will never completely insulate people from
government scrutiny. There will always be informants, eye witnesses, evidence trails, and
police ingenuity. But today, the balance is too far on the side of crime and surveillance, and
not enough on the side of privacy and personal safety. U.S. law needs to make clear that
technical security measures—including encryption—are both legal and desirable.
IV. Conclusion
The utopian Dream of Internet Freedom will never become a reality, but it doesn’t have
to be a dystopian cautionary tale either. Technology has thrown the balance of power in
surveillance out of alignment, and the law has either stagnated or been weakened in the
face of this challenge. Constitutional values are at stake. The “reasonable expectation of
privacy” protected by the Fourth Amendment is in flux. It was always a fuzzy standard and
inconsistently applied. But now, there are serious questions about whether and how the
doctrine will apply to the technological realities of the modern world. The Supreme Court is
years away from answering fundamental questions about our government’s relationship with
its citizens: Is there a privacy interest in data held by third parties like Google and Facebook?
Can customs agents search all the data on personal electronic devices when crossing the
border? Is there a right to be free from ubiquitous geolocation tracking as we move about the
public streets? Are computerized queries of digital information Fourth Amendment searches,
or does the search only occur when a human views the data? By building both technology
and regulatory law for privacy and security, we can ensure the values behind constitutional
freedoms without stripping intelligence and law enforcement of tools to protect national
security.