Court hands at least temporary rebuke to NSA for domestic spying

nsa

NSA (Photo credit: shawnblog)

The New York Times has been highlighting the federal government defeat in the first lawsuit over NSA surveillance of U.S. telephone and internet activity outside the FISA court jurisdiction. The decision in Klayman v. Obama represents a strong rebuke to the NSA. Written in a tone of outrage, the district court decision emphasizes the profound differences that exist in the current NSA surveillance program from the historical precedents upon which the claim of constitutionality is based.

In Smith v. Maryland, 442 U.S. 745 (1979), the Supreme Court held that the use of a “pen register” was not a violation of the Fourth Amendment because the information sent to the telephone company was a business record provided without a reasonable expectation of privacy.[1] The pen register records only the numbers dialed on a telephone. Any expectation of privacy that could exist in the telephone numbers a person dialed was unreasonable.

From the diminutive pen register acorn, a mighty oak has grown to obliterate the sunlight that once shined light on government activities. That oak is the pervasive surveillance program:

[T]he almost–Orwellian technology that enables the Government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979. … The notion that the Government could collect similar data on hundreds of millions of people and retain that data for a five-year period, updating it with new data every day in perpetuity, was at best, in 1979, the stuff of science fiction. By comparison, the Government has at its disposal today the most advanced twenty-first century tools, allowing it to “store such records and efficiently mine them for information years into the future. … Records that once would have revealed a few scattered tiles of information about a person now reveal an entire vibrant and constantly updating picture of the person’s life.”

Critics of the district court opinion point to the precedent of Smith to suggest that the decision reflects an activist agenda, but proper case analysis requires a judge to look to the facts of a case rather than a simplistic summary of the rule. Factually, the public expects far more privacy in the metadata disclosed on their computers, phones, tablets, and mobile devices than the 1979 consumer expected from the telephone company.

In addition, as the court highlighted, the relationship between the telecommunications companies and the government could be viewed as making the telco’s agents of law enforcement. As agents of the police, the third party doctrine no longer applies.

More importantly, the scale of the surveillance and the mosaic of coverage creates a vastly different experience than that previously adjudicated in Smith or the other decision before the Supreme Court.

In United States v. Jones, 132 S. Ct. 945 (2012), the Supreme Court started to review the potential for wide-scale extensive surveillance. The majority decision demurred on the question, finding a search occurred using common law trespass analogies. But five justices opined that the mosaic of surveillance has a constitutional consequence that will need to be addressed.

Dan Solove has written on both the Klayman decision and the importance of privacy in metadata. His conclusion:

 Smith, and many other Fourth Amendment cases, need to be rethought in light of modern technology where surveillance can be so systematic and pervasive. There is a real difference between being able to engage in a small discrete amount of surveillance and having such broad and sweeping surveillance powers as the NSA is exercising. The challenge is where to draw the lines. This problem exists mainly because Smith still remains viable and must be dealt with. I think it’s time for Smith to be overturned, and so there wouldn’t be such line-drawing challenges.

The Katz approach to expectation of privacy may not be the most useful tool for assessing the scope of pervasive privacy. Despite the coverage of the NSA, I expect that few members of the public can truly comprehend the extent to which the movement of every communication, every Internet-connected device, all information on those devices, the tracking of other objects that are reported to central databases, and photographs and video taken by anyone can be integrated into a pervasive picture of movement. Is this science fiction? Or is it the goal of the NSA five-year strategic plan. Unless the courts or Congress begin to say no to a mosaic of unrelenting surveillance, this plan will be enacted soon. With taxpayer dollars. And without oversight.

The decision is being appealed.


[1] Smith explains the constitutional privacy framework: The Fourth Amendment guarantees “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” In determining whether a particular form of government-initiated electronic surveillance is a “search” within the meaning of the Fourth Amendment, our lodestar is Katz v. United States, 389 U.S. 347 (1967). In Katz, Government agents had intercepted the contents of a telephone conversation by attaching an electronic listening device to the outside of a public phone booth. The Court rejected the argument that a “search” can occur only when there has been a “physical intrusion” into a “constitutionally protected area,” noting that the Fourth Amendment “protects people, not places.” Because the Government’s monitoring of Katz’ conversation “violated the privacy upon which he justifiably relied while using the telephone booth,” the Court held that it “constituted a `search and seizure’ within the meaning of the Fourth Amendment.”

Advertisements

Wireless Taps lead those actually reported by US Courts

Public disclosures regarding the otherwise secret wiretaps under the Foreign Intelligence Surveillance Act have been the focus of news reports, criminal investigations, and international intrigue in recent weeks. But the Administrative Office of the US Courts annually report the other wiretaps ordered by the federal and state  judiciary.

According to the report, “in calendar year 2012, a total of 3,395 orders authorizing the interception of wire, oral, or electronic communications, or wiretaps, were approved by state and federal judges,” according to the report. Only three percent of the wiretaps involved wires.

For the 2012 reporting period, January 1, 2012 to December 31, 2012, 97 percent of all wiretaps were authorized for “portable devices,” a category that includes cellular telephones and digital pagers. In addition, 87 percent of all 2012 applications for intercepts cited illegal drugs as the most serious offense under investigation.  As of December 31, 2012, a total of 3,743 persons had been arrested and 455 persons had been convicted as a result of interceptions reported as terminated.

The Administrative Office of the Courts points out that it is not authorized – or permitted – to include FISA-approved wiretaps. Equally importantly, the report also reminds the public that non-content data does not need a warrant. Instead pen register data about the nature of the call and the connection to the call requires a much lower legal standard to collect the data. It merely needs to be relevant to the investigation.

A Pen Register records telephone numbers called from a particular phone. The Register also records the date, time, and length of calls. Note that this is information that is already gathered for billing purposes by a communications service provider.

A Trap and Trace Order records the telephone numbers of telephones that are used to place calls to a particular phone. (i.e. Makes a log of incoming phone numbers.) Note that information of this sort is not gathered in the ordinary course of business. – Berkman Center

There is no security reason that these orders are not surveyed. In addition, the report points out that no report from a court to the Administrative Office  is necessary if “an order is issued with the consent of one of the principal parties to the communication.”

The use of wiretaps and the proportion of wiretaps in drug investigations to the exclusion of most other crimes should also raise some provocative public policy questions. Regardless of whether the information  being collected should remain private, there is no question that the information about the process and scope of these investigations should be incorporated into public policy development.

Blame Congress’ Patriot Act not the NSA or FBI

Prism-1When self-proclaimed whistle blower, Edward Snowden disclosed a PowerPoint presentation allegedly detailing the Prism computer system[1] at the heart of foreign data collection program, he set off a firestorm of debate over the role of  clandestine electronic surveillance on individuals outside the United States and the U.S. residents who communicate with them.

In the week that has followed, some clarity has emerged. First, the Prism system is not a code name for a clandestine operation, but the name of the computer system used to collect and store the data. According to the Director of National Intelligence, that computer system operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

Section 702 provides that “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The reasonable belief focuses on the location of the target, not the threat posed by the target. Most of the other limitations emphasize that this should not be used if the purpose is to target someone inside the U.S.

Nowhere in Section 702 is there a requirement that the information is relevant to an investigation at some level – “specific articulable facts giving reason to believe,” or “reasonable suspicion.” Probable cause is likely not within the realm of possibility. The law allows and even encourages broad, general sweeping of data, which can then be analyzed for patterns and anomalies.

The Section 702 directives are the subject of quasi-judicial review. The FISA Court is comprised of 11 federal judges assigned this additional duty by the Chief Justice of the Supreme Court. This internally appointed judicial panel has operated since 1979. In that time, according to the Wall Street Journal, it has rejected 11 applications for various surveillance requests. During that time, the number of approved surveillance requests has been in excess of 33,900 or an approval rate of  99.97 percent. Without knowing anything more, it is inconceivable that any review process with over 99 percent approvals can constitute a meaningful review.

Harvard Law Professor and former U.S. District Judge Nancy Gertner highlighted the structural problem of the FISA Court.

It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national security. To suggest that there is meaningful review it seems to me is an illusion.

The problem, therefore, is not a secret or rogue NSA plot but instead a widely supported provision of the Patriot Act designed to be used precisely as the NSA has been doing. It has executive, legislative and judicial support. But because it is operated by a close-knit association, the separation of powers has proven irrelevant as a limitation on its operation.

Moreover, the Patriot Act has other sections equally potent at eavesdropping on private information. As summarized by the ACLU, FISA Section 215 “allows the FBI to order any person or entity to turn over ‘any tangible things,’ so long as the FBI ‘specif[ies]’ that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 (50 U.S.C. 1801 et seq.)

A secret NSA phone wiretapping order was also released last week highlighting the scope of metadata collection within the U.S. under Section 215.

This FISA Court Order targeting Verizon, required Verizon on an “ongoing, daily basis” to give the NSA information on all telephone metadata in its systems. Since the Section 702 orders deal with foreign data, this Section 215 court order excluded “telephony metadata for communications wholly originating and terminating in foreign countries.” The court order explains the scope of the request:

Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. [Sec.] 2510(8), or the name, address, or financial information of a subscriber or customer.

Essentially this means that all of us with Verizon phones can be tracked anywhere in the U.S., our interaction with any other parties triangulated, our First Amendment rights of Association violated, and our notion of privacy eliminated. Non-Verizon subscribers likely are subject to identical orders. There is no reason to doubt that these orders are not routinely issued to track all phone and cell phone movement data.

Mary DeRosa summarizes the changes to Section 215 which led to the Verizon court order.

Previously, FISA required the FBI to present the [FISA Court] “specific articulable facts giving reason to believe” that the subject of an investigation was a “foreign power or the agent of a foreign power.” After section 215, the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

Neither the NSA nor the FBI are doing anything other than that approved by Congress. Indeed, were these departments found not to be using the authority granted by Congress, there would be outrage on Capitol Hill. Instead it is the law that has vastly over-extended the government’s reach into the movements and activities of the public, both domestic and foreign.

Moreover, the sweep of the law is growing broader by the day as more and more devices and technologies use remote communications to share information. While it might require a warrant to track a vehicle, the Internet enabled Pandora music player, the self-adjusting oil change settings, and the many other connected technologies are not subject to that warrant requirement. The movement of such cars will be routinely swept into the FBI’s database as part of the Section 215 orders.

The FTC has initiated a review of the ever-growing “Internet of Things,” which is to mean the “growing connectivity of consumer devices, such as cars, appliances, and medical devices.” Combine the power of the FBI and NSA to order metadata and tracking information on all digital data with the interconnectivity of medical devices, RFID-tagged products, installed devices on vehicles, and smart phone apps, a digital map emerges. Like ants in an ant-farm, every person’s digital trail will be on display before the government. Increasingly sophisticated data analytics will eventually enable the path of each individual ant to be highlighted and sorted from among the swarm.

The growing connectivity that has extended the Patriot Act’s reach into more and more aspects of our daily lives require that we revise the laws to reign in the power of government and create a meaningful, statutory right of privacy. These revelations add attention to the problem and highlight the lack of transparency over this tracking. Congress is not shocked at these revelations because they voted to create the programs and have been repeatedly brief on their use. It is the people who have been left in the dark. Given the growth of the programs and the power of the technology they employ, it is time for a more thoughtful, balanced statutory approach.


[1] Reddit.com provided the link to the 2002 New York Times article first describing what is now the Prism computer system. See http://www.reddit.com/r/technology/comments/1g3zqz/the_roots_of_prism_a_new_york_times_article_from/.

Access to Free Academic Publications Growing through Slow Steps

On February 22, 2012 the Office of Science and Technology Policy (OSTP) announced the goal of making all publicly financed scientific publications freely available to the public one year following publication. The policy applies to federal agencies with more than $100 million in research and development expenditures.

As the OSTP announcement recognizes, “OSTP has been looking into this issue for some time,” meaning that this has been a significant issue for years. A congressional attempt to reverse this trend was dropped last year. In the Research Works Act (RWA or HR 3699), congress introduced legislation to reverse the National Institutes of Health policy that requires all research with NIH funding to be freely accessible within twelve months of publication. A useful explanation of the NIH policy is available here.

The new OSTP policy extends this policy of public dissemination to the next category of research, that which is funded by the larger federal agencies. As such, this will be a significant step forward.

In the OSTP statement, it highlighted that “[t]he Obama Administration is committed to the proposition that citizens deserve easy access to the results of scientific research their tax dollars have paid for.” The policy was also part of a We the People petition process. Dr. Holden, director of the OSTP is here:  https://petitions.whitehouse.gov/response/increasing-public-access-results-scientific-research.

The policy is not inherently calling for open access. The actual plan is more complex. It calls for a multitude of considerations to be incorporated by each agency:

To the extent feasible and consistent with law; agency mission; resource constraints; U.S. national, homeland, and economic security; and the objectives listed below, the results of unclassified research that are published in peer-reviewed publications directly arising from Federal funding should be stored for long-term preservation and publicly accessible to search, retrieve, and analyze in ways that maximize the impact and accountability of the Federal research investment.

In developing their public access plans, agencies shall seek to put in place policies that enhance innovation and competitiveness by maximizing the potential to create new business opportunities and are otherwise consistent with the principles articulated in section 1. [The Policy Principles.]

Agency plans must also describe, to the extent feasible, procedures the agency will take to help prevent the unauthorized mass redistribution of scholarly publications.

To see the new policy memorandum, please visit: http://www.whitehouse.gov/sites/default/files/microsites/ostp/ostp_public_access_memo_2013.pdf

This is another modest, but important step towards making publications funded with federal dollars subject to unfettered free access to the public. Giving the publishers a one-year exclusive window may make practical sense and encourage investment in peer review, but ultimately the federal funding – and university public funding – vastly outweighs that of private publishers. In the end, the public investment in this research should be matched with public access. The work of the OSTP regarding its new policy is a positive step in this direction.

State of the Cyber Union: Policy Directive + Executive Order = Expansive Regulatory Efforts

In President Obama’s 2013 State of the Union Address, the president included announcement of a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate reported first by The Washington Post which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.

At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is authorized to create a preliminary Cybersecurity Framework within 240 days. Compliance incentives will be developed to encourage voluntary compliance. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies up because of the risk of negligence and loss.

But the real action of the Executive Order is Section 10 which provides that each regulatory agency must report if the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.

The Executive Order  defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Office of Homeland Security and to the other federal agencies targeted with enforcing protections of critical infrastructure and regulatory compliance.

Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:

Additional roles and responsibilities for the Secretary of Homeland Security include:

  1. Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

  2. Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

  3. In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

  4. Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

  5. Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

  6. Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

  7. Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

  8. Report annually on the status of national critical infrastructure efforts as required by statute.

When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.

Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.

Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing the Lawfare blog from Brookings highlights the importance of the short-list: a subset of critical infrastructure organizations within the identified industry which make up the heart of each industry and will be singled out for heightened cybersecurity engagement.

Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This is a subset, of course, of the earlier broader definition.

Being an identified company may bring greater security obligations or improved resources or no change at all. Only time will tell. The impact will vary tremendously depending of the existing preparedness of each company.

The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.

 The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

–          The Washington Post

The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political topics, while others highlight corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Already behind firewalls, these tools install malignant code to glean passwords, open files and glean information which is sent back to the intruder. Some of these attacks are directly at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage to regional conflicts which do not involve U.S. participants.

Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.

Photo:

President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

Seal of the White House Office of Homeland Sec...

Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001,http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend from Chinese political computer hacking, there is a renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks targeted at firewalls, the campaign is not conducted through phishing – bogus links in innocuous emails that open the firewall to allow installation of “remote access tools” — or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

To meet this threat the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real.  The Washington Post has reported on an overseas attacks which target utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligation of companies in the 18 sectors which provide our critical infrastructure but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order which will highlight the obligation to respond to a notice of imminent threat or to update the capacity to respond to a cyber-attack by any organization within one of the sectors which receives a governmental notice.  A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.