Two District Courts see NSA very differently

On the last day of 2013, the federal district court for the Southern District of New York handed the Obama Administration a sweeping endorsement of the NSA’s bulk telephony metadata collection program. Unlike the decision in Klayman v. Obama, the district court in ACLU v. Clapper began with the terrorist attacks of 9/11 to frame the power of the government to defend national security.

The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is. While Americans depended on technology for the conveniences of modernity, al-Qaeda plotted in a seventh-century milieu to use that technology against us. It was a bold jujitsu. And it succeeded because conventional intelligence gathering could not detect diffuse filaments connecting al-Qaeda. …

The Government learned from its mistake and adapted to confront a new enemy: a terror network capable of orchestrating attacks across the world. It launched a number of counter-measures, including a bulk telephony metadata collection program—a wide net that could find and isolate gossamer contacts among suspected terrorists in an ocean of seemingly disconnected data.

This blunt tool only works because it collects everything. …

If reasonableness stands as the constitutional framework for First Amendment rights of association and Fourth Amendment rights to be free from governmental searches and seizures, then the reasonableness of the government’s response to terrorism can well be understood to depend on the magnitude of the threat. As the court highlighted, “[t]he natural tension between protecting the nation and preserving civil liberty is squarely presented by the Government’s bulk telephony metadata collection program.”

Unlike the Klayman decision, this opinion relies not upon the search and seizure doctrines of Smith v. Maryland, 442 U.S. 745 (1979), but upon the distinct powers of the government to conduct foreign and domestic security in United States v. U.S. Dist. Court for East. Dist. of Mich., 407 U.S. 297 (1972) (Keith).

The court quoted a recent decision interpreting Keith to provide for wide latitude in reviewing surveillance powers.

 Although the Keith opinion expressly disclaimed any ruling ‘on the scope of the President’s surveillance power with respect to the activities of foreign powers,’ it implicitly suggested that a special framework for foreign intelligence surveillance might be constitutionally permissible.

 Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143 (2013) (quoting Keith, 407 U.S. at 322–23) (internal citations omitted).

Klayman and Clapper diverge quickly because they begin at very different points. Klayman emphasized the importance of being the first court to provide a non-secret review of the bulk telephony program. Clapper, in contrast, offers great deference both to Congress and to the FISA judges who have reviewed the secret process. The court notes that “[f]ifteen different FISC judges have found the metadata collection program lawful a total of thirty-five times since May 2006.”

Clapper also cites evidence of success from the program:

The effectiveness of bulk telephony metadata collection cannot be seriously disputed. Offering examples is a dangerous stratagem for the Government because it discloses means and methods of intelligence gathering. Such disclosures can only educate America’s enemies. Nevertheless, the Government has acknowledged several successes in Congressional testimony and in declarations that are part of the record in this case. In this Court’s view, they offer ample justification:

  • In September 2009, NSA discovered that an al-Qaeda-associated terrorist in Pakistan was in contact with an unknown person in the United States about efforts to perfect a recipe for explosives. NSA immediately notified the FBI, which investigated and identified the al-Qaeda contact as Colorado-based Najibullah Zazi. The NSA and FBI worked together to identify other terrorist links. The FBI executed search warrants and found bomb-making components in backpacks. Zazi confessed to conspiring to bomb the New York subway system. Through a section 215 order, NSA was able to provide a previously unknown number of one of the co-conspirators—Adis Medunjanin.[1]
  • In January 2009, while monitoring an extremist in Yemen with ties to al-Qaeda, the NSA discovered a connection with Khalid Oazzani in Kansas City. NSA immediately notified the FBI, which discovered a nascent plot to attack the New York Stock Exchange. Using a section 215 order, NSA queried telephony metadata to identify potential connections. Three defendants were convicted of terrorism offenses.
  • In October 2009, while monitoring an al-Qaeda affiliated terrorist, the NSA discovered that David Headley was working on a plot to bomb a Danish newspaper office that had published cartoons depicting the Prophet Mohammed. He later confessed to personally conducting surveillance of the Danish newspaper office. He was also charged with supporting terrorism based on his involvement in the planning and reconnaissance for the 2008 hotel attack in Mumbai. Information obtained through section 215 orders was utilized in tandem with the FBI to establish Headley’s foreign ties and put them in context with U.S. based planning efforts.

These successes are helpful to begin to understand the program. They do not, however, provide context into the efforts of anti-terrorist activities or explain whether a more focused program would provide equal or greater protections without affecting millions of individuals who have a right to be free from data searching.

Or perhaps the Clapper court is correct that national security is different from criminal investigations and more needs to be done to codify the distinction articulated in Keith. The constitutional question remains what is reasonable under the circumstances. Neither decision has been able to answer that question because too much information and power is left to the discretion of the executive branch and secret proceedings.

Investigations need to be clandestine, but there is no reason that the nature of constitutional protections is not fully understood and debated.

I do not know if the geographic location of the court is relevant, but the shape and culture of lower Manhattan has been transformed by 9/11 in a manner that makes it part of its zeitgeist. Having by coincidence visited the site of the 9/11 memorial with my family the day the Clapper decision was handed down, I was overwhelmed by the thousands of visitors who spoke all languages and came from towns across the world to remember and reflect. The meaning of reasonable takes on different aspects in the shadow of such history. Whether it should do so must also be part of our national debate.

The tension between Klayman and Clapper should lead to a healthier understanding regarding terrorism and surveillance, but only if the two starting points of the two decisions can be understood and reconciled. Liberty is protection from oppression. Oppression can come from the government, its enemies, or the unchecked, mob-like will of the majority. Oppression cannot be stopped with more oppression, only with more liberty.

Klayman and Clapper cannot be reconciled, but the two decisions have the potential to help us find the right path. The lessons of each decision are best understood as part of a dialogue rather than discrete declarations. That dialogue has only begun.


[1] The court explains the Section 215 order as follows:

In 1998, Congress amended FISA to allow for orders directing common carriers, public accommodation facilities, storage facilities, and vehicle rental facilities to provide business records to the Government. See Intelligence Authorization Act for Fiscal Year 1999, Pub. L. 105-272, § 602, 112 Stat. 2396, 2410 (1998). These amendments required the Government to make a showing of “specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power.” §602.

After the September 11th attacks, Congress expanded the Government’s authority to obtain additional records. See USA PATRIOT Act of 2001, Pub. L. 107-56, § 215, 115 Stat. 272, 287 (2001) (codified as amended at 50 U.S.C. § 1861) (“section 215”). Section 215 allows the Government to obtain an order “requiring the production of any tangible things (including books, records, papers, documents, and other items),” eliminating the restrictions on the types of businesses that can be served with such orders and the requirement that the target be a foreign power or their agent. The Government invoked this authority to collect virtually all call detail records or “telephony metadata.” See infra, Part II. See generally David S. Kris, On the Bulk Collection of Tangible Things, 1 Lawfare Res. Pap. Ser. 4 (2013).

Court hands at least temporary rebuke to NSA for domestic spying

The New York Times has been highlighting the federal government defeat in the first lawsuit over NSA surveillance of U.S. telephone and internet activity outside the FISA court jurisdiction. The decision in Klayman v. Obama represents a strong rebuke to the NSA. Written in a tone of outrage, the district court decision emphasizes the profound differences that exist in the current NSA surveillance program from the historical precedents upon which the claim of constitutionality is based.

In Smith v. Maryland, 442 U.S. 745 (1979), the Supreme Court held that the use of a “pen register” was not a violation of the Fourth Amendment because the information sent to the telephone company was a business record provided without a reasonable expectation of privacy.[1] The pen register records only the numbers dialed on a telephone. Any expectation of privacy that could exist in the telephone numbers a person dialed was unreasonable.

From the diminutive pen register acorn, a mighty oak has grown to obliterate the sunlight that once shined light on government activities. That oak is the pervasive surveillance program:

[T]he almost–Orwellian technology that enables the Government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979. … The notion that the Government could collect similar data on hundreds of millions of people and retain that data for a five-year period, updating it with new data every day in perpetuity, was at best, in 1979, the stuff of science fiction. By comparison, the Government has at its disposal today the most advanced twenty-first century tools, allowing it to “store such records and efficiently mine them for information years into the future. … Records that once would have revealed a few scattered tiles of information about a person now reveal an entire vibrant and constantly updating picture of the person’s life.”

Critics of the district court opinion point to the precedent of Smith to suggest that the decision reflects an activist agenda, but proper case analysis requires a judge to look to the facts of a case rather than a simplistic summary of the rule. Factually, the public expects far more privacy in the metadata disclosed on their computers, phones, tablets, and mobile devices than the 1979 consumer expected from the telephone company.

In addition, as the court highlighted, the relationship between the telecommunications companies and the government could be viewed as making the telcos agents of law enforcement. As agents of the police, the third party doctrine no longer applies.

More importantly, the scale of the surveillance and the mosaic of coverage creates a vastly different experience than that previously adjudicated in Smith or the other decision before the Supreme Court.

In United States v. Jones, 132 S. Ct. 945 (2012), the Supreme Court started to review the potential for wide-scale extensive surveillance. The majority decision demurred on the question, finding a search occurred using common law trespass analogies. But five justices opined that the mosaic of surveillance has a constitutional consequence that will need to be addressed.

Dan Solove has written on both the Klayman decision and the importance of privacy in metadata. His conclusion:

 Smith, and many other Fourth Amendment cases, need to be rethought in light of modern technology where surveillance can be so systematic and pervasive. There is a real difference between being able to engage in a small discrete amount of surveillance and having such broad and sweeping surveillance powers as the NSA is exercising. The challenge is where to draw the lines. This problem exists mainly because Smith still remains viable and must be dealt with. I think it’s time for Smith to be overturned, and so there wouldn’t be such line-drawing challenges.

The Katz approach to expectation of privacy may not be the most useful tool for assessing the scope of pervasive privacy. Despite the coverage of the NSA, I expect that few members of the public can truly comprehend the extent to which the movement of every communication, every Internet-connected device, all information on those devices, the tracking of other objects that are reported to central databases, and photographs and video taken by anyone can be integrated into a pervasive picture of movement. Is this science fiction? Or is it the goal of the NSA five-year strategic plan? Unless the courts or Congress begin to say no to a mosaic of unrelenting surveillance, this plan will be enacted soon. With taxpayer dollars. And without oversight.

The decision is being appealed.


[1] Smith explains the constitutional privacy framework: The Fourth Amendment guarantees “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” In determining whether a particular form of government-initiated electronic surveillance is a “search” within the meaning of the Fourth Amendment, our lodestar is Katz v. United States, 389 U.S. 347 (1967). In Katz, Government agents had intercepted the contents of a telephone conversation by attaching an electronic listening device to the outside of a public phone booth. The Court rejected the argument that a “search” can occur only when there has been a “physical intrusion” into a “constitutionally protected area,” noting that the Fourth Amendment “protects people, not places.” Because the Government’s monitoring of Katz’ conversation “violated the privacy upon which he justifiably relied while using the telephone booth,” the Court held that it “constituted a ‘search and seizure’ within the meaning of the Fourth Amendment.”

Commission report warns U.S. is losing the spy race from lack of R&D, STEM-education

On Nov. 5, 2013, The National Commission for the Review of the Research and Development Programs of the United States Intelligence Community released an unclassified version of its assessment of U.S. research and development programs, finding that the U.S. is falling behind and highly uncoordinated. [The Report can be found here.]

The Commission making the review was originally constituted as the 9-11 Commission (properly, The National Commission on Terrorist Attacks Upon the United States). In 2010, the Commission was reauthorized to serve more broadly on Intelligence Community readiness.

The New York Times described the report as “blistering … charging that the intelligence world’s research-and-development efforts are disorganized and unfocused.”

The Commission said the lack of investment, coordination, infrastructure and foresight is putting the nation at risk.

U.S. technological superiority is diminishing in important areas, and our adversaries’ investments in [Science and Technology]—along with their theft of our intellectual property, made possible in part by insufficient cyber protection and policies—are giving them new, asymmetric advantages. The United States faces increasing risk from threats against which the IC could have severely limited warning, deterrence, or agility to develop effective countermeasures.

The report is not primarily an intelligence report. The Commission was not focused on the failures associated with the NSA’s massive – and in some cases unconstitutional – spying campaign. Nor was it tied to the Edward Snowden disclosures and the global embarrassment triggered by those disclosures.

Instead, the report identifies the need to treat intelligence as a global issue that needs broad reforms, such as STEM education and immigration/workforce reform. It identifies a wide range of concerns about the lack of investment in intelligence and the failure to be prepared.

The report calls for much greater data analytics, which will likely be the platform used by the NSA to justify its ongoing activities. Even a pro-intelligence report such as this, however, identifies the need for intelligent data analytics rather than the massive, undifferentiated and largely counter-productive methods currently highlighted by the NSA disclosures. Not surprisingly, the admonitions also demand better coordination, including “development of a new joint program plan between the Director of Science and Technology and the Deputy Director of National Intelligence for Intelligence Integration for Enhanced Integrated Intelligence, which it will use to track, prioritize, and coordinate Enhanced Integrated Intelligence R&D across the [intelligence community].”

“Exacerbating these challenges are U.S. policies that weaken the U.S. R&D talent base,” the report warned. “As scientific and technical knowledge and the resulting economic growth spread around the world, the competition for R&D talent is increasingly global.”

This is just one of many reports highlighting the continued disarray of the intelligence community, an infrastructure struggling to keep up with cyber-threats and embarrassing the U.S. with political follies.

The report opens with a powerful juxtaposition of quotes that should help guide future discussions:

Failure to properly appraise the extent of scientific developments in enemy countries may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—Task Force Report on National Security Organization (the Eberstadt Report) (1948)

Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—National Commission for the Review of the Research and Development Programs of the United States Intelligence Community (2013)

2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

  • John C. (Jack) Greiner, attorney, Graydon Head

  • Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

  • Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

  • Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

  • Jon M. Garon, NKU Chase College of Law

Data Security: Breach Notification Law Issues [pdf]

  • Jennifer Orr Mitchell, Dinsmore & Shohl LLP

Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South From the South: I-71/75 North … to I-275 West. Take first exit (Exit No. 2 – Mineola Pike). Left turn onto Mineola Pike crossing over I-275. Right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves East in Kentucky and go about 22 miles all the way past the Greater Cincinnati Airport until you get to Exit No. 2 – Mineola Pike. Right turn onto Mineola Pike. Then right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track: CincyIP and Frost Brown Todd.

Negligence might finally be actionable for breach of duty to protect customer data

Business relationships are often strained when a third party successfully breaches the data security of a target, creating profound negative consequences not only to the target but also to that company’s vendors, business associates, and customers. These damages are often costly but sometimes hard to identify or quantify.

In the majority of security breaches, the customers who have had their identity exposed have suffered no actual economic harm. The courts, therefore, are appropriately reluctant to give monetary damages to those injured customers and generally refuse to compensate for the time lost checking credit scores or otherwise dealing with the problems associated with the data breach.

The vendors and business associates, however, may incur substantially greater economic losses and more direct financial injury. Because this injury is exclusively economic loss, a question remains whether such loss is compensable under tort law or whether all remedies are limited entirely to contract claims.

In Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013), the Fifth Circuit reversed a dismissal of a tort claim based on the plaintiff bank’s assertion that it suffered financial harm when it had to replace consumers’ compromised credit cards and refund fraudulent charges as a result of the defendant’s negligence in securing against data breach. The case arose from a 2008 data breach of the defendant payment processor’s systems, exposing 130 million credit card numbers.

The Fifth Circuit focused on the law of New Jersey after establishing the jurisdictional basis for the claim. The court explained, “the economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies.” Economic losses are generally covered exclusively by contract remedies, unlike tort principles which “are better suited for resolving claims involving unanticipated physical injury, particularly those arising out of an accident.”

Contract may be better than tort, but such a limitation oversimplifies the scope of tort law. Tort injuries occur in inchoate interests such as defamation and assault. Not all tortious harms are physical.

The New Jersey Supreme Court had earlier held the tort remedy applied when a duty was breached. It explained that “a defendant owes a duty of care to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct. . . .” People Express Airlines, Inc. v. Consolidated Rail Corp., 495 A.2d 107 (N.J. 1985).

Based on this line of reasoning, the Fifth Circuit reinstated the claim. It acknowledged that New Jersey law generally did not permit the tort claim if there was a contract between the parties, since the terms of their express agreement should govern the allocation of risk. But third party beneficiary law often provides that parties not directly negotiating the agreement may still be affected by it, and so too might a group of readily identifiable tort victims who are not party to the contract but affected by the duties created.

Since the defendant, Heartland, “would not be exposed to ‘boundless liability,’ but rather to the reasonable amount of loss from a limited number of entities [then] even absent physical harm, Heartland may owe the Issuer Banks a duty of care and may be liable for their purely economic losses.” The decision merely allows the case to proceed, and a great many additional defenses will be addressed. Nonetheless, the decision is an important reminder on the creation of contracts and the scope of those contracts as they affect third parties contemplated but not direct parties to the agreements.

Upcoming CincyIP Program: Current Trends in Computer Security

CincyIP August Luncheon

“Current Trends in Computer Security”

The world has experienced quite a spectrum of computer security attacks in the last couple years and they have changed in interesting ways. While 99.9% of investigations deal with IP theft on some international basis, the issues very rarely make it to a courtroom. Understanding the technical approaches to rapid response, remediation and working with the business on damage assessments are key to helping clients deal with these issues since many of these incidents never see the inside of a courtroom.

A panel of experts, including Nick Hoffman, an incident responder at GE, Craig Hoffman, partner at Baker Hostetler, and Jon Garon, Director of NKU Chase Law + Informatics Institute, will discuss recent computer security attacks, how they have recently evolved, and how the immediate and long term responses to these attacks have developed to address the ever-changing threats. The panel will also address how attorneys can assist clients to prevent against an attack, and what to do when they are the victim of an attack.

When
Tuesday August 13, 2013 from 12:00 PM to 1:30 PM EDT

Where: McCormick & Schmick’s Private Dining Room

Blame Congress’ Patriot Act not the NSA or FBI

When self-proclaimed whistleblower Edward Snowden disclosed a PowerPoint presentation allegedly detailing the Prism computer system[1] at the heart of a foreign data collection program, he set off a firestorm of debate over the role of clandestine electronic surveillance on individuals outside the United States and the U.S. residents who communicate with them.

In the week that has followed, some clarity has emerged. First, the Prism system is not a code name for a clandestine operation, but the name of the computer system used to collect and store the data. According to the Director of National Intelligence, that computer system operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

Section 702 provides that “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The reasonable belief focuses on the location of the target, not the threat posed by the target. Most of the other limitations emphasize that this should not be used if the purpose is to target someone inside the U.S.

Nowhere in Section 702 is there a requirement that the information is relevant to an investigation at some level – “specific articulable facts giving reason to believe,” or “reasonable suspicion.” Probable cause is likely not within the realm of possibility. The law allows and even encourages broad, general sweeping of data, which can then be analyzed for patterns and anomalies.

The Section 702 directives are the subject of quasi-judicial review. The FISA Court is comprised of 11 federal judges assigned this additional duty by the Chief Justice of the Supreme Court. This internally appointed judicial panel has operated since 1979. In that time, according to the Wall Street Journal, it has rejected 11 applications for various surveillance requests. During that time, the number of approved surveillance requests has been in excess of 33,900 or an approval rate of 99.97 percent. Without knowing anything more, it is inconceivable that any review process with over 99 percent approvals can constitute a meaningful review.

Harvard Law Professor and former U.S. District Judge Nancy Gertner highlighted the structural problem of the FISA Court.

It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national security. To suggest that there is meaningful review it seems to me is an illusion.

The problem, therefore, is not a secret or rogue NSA plot but instead a widely supported provision of the Patriot Act designed to be used precisely as the NSA has been doing. It has executive, legislative and judicial support. But because it is operated by a close-knit association, the separation of powers has proven irrelevant as a limitation on its operation.

Moreover, the Patriot Act has other sections equally potent at eavesdropping on private information. As summarized by the ACLU, FISA Section 215 “allows the FBI to order any person or entity to turn over ‘any tangible things,’ so long as the FBI ‘specif[ies]’ that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 (50 U.S.C. 1801 et seq.)

A secret NSA phone wiretapping order was also released last week highlighting the scope of metadata collection within the U.S. under Section 215.

This FISA Court Order targeting Verizon required Verizon on an “ongoing, daily basis” to give the NSA information on all telephone metadata in its systems. Since the Section 702 orders deal with foreign data, this Section 215 court order excluded “telephony metadata for communications wholly originating and terminating in foreign countries.” The court order explains the scope of the request:

Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. [Sec.] 2510(8), or the name, address, or financial information of a subscriber or customer.

Essentially this means that all of us with Verizon phones can be tracked anywhere in the U.S., our interaction with any other parties triangulated, our First Amendment rights of association violated, and our notion of privacy eliminated. Non-Verizon subscribers likely are subject to identical orders. There is no reason to doubt that these orders are routinely issued to track all phone and cell phone movement data.

Mary DeRosa summarizes the changes to Section 215 which led to the Verizon court order.

Previously, FISA required the FBI to present the [FISA Court] “specific articulable facts giving reason to believe” that the subject of an investigation was a “foreign power or the agent of a foreign power.” After section 215, the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

Neither the NSA nor the FBI is doing anything other than that approved by Congress. Indeed, were these departments found not to be using the authority granted by Congress, there would be outrage on Capitol Hill. Instead, it is the law that has vastly over-extended the government’s reach into the movements and activities of the public, both domestic and foreign.

Moreover, the sweep of the law is growing broader by the day as more and more devices and technologies use remote communications to share information. While it might require a warrant to track a vehicle, the Internet-enabled Pandora music player, the self-adjusting oil change settings, and the many other connected technologies are not subject to that warrant requirement. The movement of such cars will be routinely swept into the FBI’s database as part of the Section 215 orders.

The FTC has initiated a review of the ever-growing “Internet of Things,” meaning the “growing connectivity of consumer devices, such as cars, appliances, and medical devices.” Combine the power of the FBI and NSA to order metadata and tracking information on all digital data with the interconnectivity of medical devices, RFID-tagged products, installed devices on vehicles, and smart phone apps, and a digital map emerges. Like ants in an ant-farm, every person’s digital trail will be on display before the government. Increasingly sophisticated data analytics will eventually enable the path of each individual ant to be highlighted and sorted from among the swarm.

The growing connectivity that has extended the Patriot Act’s reach into more and more aspects of our daily lives requires that we revise the laws to rein in the power of government and create a meaningful, statutory right of privacy. These revelations add attention to the problem and highlight the lack of transparency over this tracking. Congress is not shocked at these revelations because it voted to create the programs and has been repeatedly briefed on their use. It is the people who have been left in the dark. Given the growth of the programs and the power of the technology they employ, it is time for a more thoughtful, balanced statutory approach.


[1] Reddit.com provided the link to the 2002 New York Times article first describing what is now the Prism computer system. See http://www.reddit.com/r/technology/comments/1g3zqz/the_roots_of_prism_a_new_york_times_article_from/.

W. Bruce Lunsford contribution to create Academy for Law, Business + Technology

With apologies for posting a press release as a blog post, the news that W. Bruce Lunsford has pledged $1 million to Chase under the direction of the Law + Informatics Institute for the creation of the W. Bruce Lunsford Academy for Law, Business + Technology is exciting enough for us to share our news.

HIGHLAND HEIGHTS, Ky. (May 15, 2013) — The Northern Kentucky University Chase College of Law has received a $1 million gift from W. Bruce Lunsford to establish and support the W. Bruce Lunsford Academy for Law, Business + Technology.

Lunsford, a 1974 graduate of Chase College of Law, is chairman and CEO of Lunsford Capital, LLC, a private investment company headquartered in Louisville, Ky.

The W. Bruce Lunsford Academy for Law, Business + Technology will be an honors immersion program operated by the NKU Chase Law + Informatics Institute. The focus of the program will be to develop “renaissance lawyers” for the Information Age. The Lunsford Academy will provide students with the technological, financial and professional skill sets essential to the modern practice of law.  Through the program’s technology-driven, skills-based curriculum, students will acquire the fundamental skills that will make them more productive for their clients, more attractive to employers and better prepared to practice law upon graduation.

For those interested in learning more about the details of the program, the most comprehensive vision is provided in my forthcoming article from Connecticut Law Review. A working draft of the paper may be found here: Jon M. Garon, Legal Education in Disruption: The Headwinds and Tailwinds of Technology, (Conn. L. Rev. forthcoming) at SSRN: http://ssrn.com/abstract=2040560.

In addition to taking the program’s required and elective law and informatics courses, Chase students participating in the Lunsford Academy will have the opportunity to participate in technology-focused semester-in-practice placements and study abroad programs; they will also be able to seek joint degrees.

Chase College of Law partners with the NKU College of Informatics to offer a Juris Doctor/Master of Business Informatics and Juris Doctor/Master of Health Informatics and with the NKU Haile/US Bank College of Business to offer a Juris Doctor/Master of Business Administration.

Professor Jon Garon, director of the Law + Informatics Institute, said the development of the Lunsford Academy is the next step in the evolution of legal education. “In addition to a solid foundation in legal doctrine, theory and practice, law students need business education, information technology and intellectual property knowledge, and law practice management experience,” he said. “These skills will enable students to compete in today’s highly networked, efficient and global business community. The generous donation by Bruce Lunsford enables Chase to meet this challenge and redefine the scope of legal education.”

In recognition of Lunsford’s gift, the academy will be named the W. Bruce Lunsford Academy for Law, Business + Technology, upon approval by the NKU Board of Regents.

“We are extremely honored and pleased that Bruce has made this significant investment in our Law + Informatics Institute,” said Dennis R. Honabach, dean of the College of Law. “The Lunsford Academy will provide our law students with invaluable opportunities to become uniquely prepared for the modern practice of law.”

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013, which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Perhaps triggered by the New York Times coverage of Google Glass, the FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications for privacy, fair trade practice, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.  The devices can provide important benefits to consumers:  they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable, pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on its systems. Companies that do not understand how this engagement will occur, risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

The FTC’s call for submissions and workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that unlike the technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor quantity concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).