In order to fully appreciate how the revelations of this past week will impact non-Americans based outside of the United States, a little background on the legal framework on how the U.S. foreign intelligence apparatus operates is helpful. The centerpiece of this framework is the Foreign Intelligence Surveillance Act (FISA), enacted in the late 70s. Historically, relying on a national security exception contained in the Wiretap Act, the United States government considered it had no obligation to obtain authorization from a court before intercepting communications for the purpose of national security. This changed in 1972, when the Supreme Court of the United States first held that the Fourth Amendment warrant requirement does apply to surveillance carried out in the name of national security – at least with respect to domestic threats:
Security surveillance is especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillance to oversee political dissent. We recognize, as we have before, the constitutional basis of the President’s domestic security role, but we think it must be exercised in a manner compatible with the Fourth Amendment. In this case we hold that this requires an appropriate prior warrant procedure.
These words of caution rang true when it was later revealed that the Government’s unauthorized intelligence-gathering activities had included extensive surveillance of journalists, anti-war protestors, dissident groups and even political opponents. The congressional hearings that followed, called the Church Committee, led to what was perhaps the first comprehensive public look at the activities of the National Security Agency–a clandestine intelligence entity that had been colloquially dubbed “No Such Agency” to reflect its unique ability to defy any attempt to document or oversee its activities. Against this backdrop, FISA was passed specifically for the purpose of limiting foreign intelligence activities from being directed at U.S. persons.
While FISA was always generous in the powers it granted U.S. government agencies with respect to the surveillance of foreign agents, a series of amendments beginning with the USA PATRIOT Act and culminating with the FISA Amendment Act, 2008, transformed FISA into the vehicle for mass surveillance it is today. Notably, these amendments, as the U.S. government ultimately interpreted them:
- (a) provided a broader set of powers under which various digital service providers were compelled to assist U.S. foreign intelligence agencies in their activities;
- (b) removed the need for intelligence agencies to direct their activities at ‘foreign powers’ or ‘agents of foreign powers’ by making any non-U.S. person the legitimate focus of surveillance; and
- (c) applied these extra-ordinary powers to a broader set of circumstances by removing the obligation to ensure ‘foreign intelligence’ is a primary objective for their use.
These amendments furnished the United States government with at least two powerful secret legal surveillance powers that have apparently been used by the NSA to conduct broad surveillance of both U.S. and non-U.S. persons:
- a business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861) under which the U.S. Government can compel production of ‘any tangible thing’ reasonably believed to be relevant to an authorized investigation conducted for the purpose of obtaining foreign intelligence. The government has now confirmed that it has secretly interpreted ‘any tangible thing’ to include ”all call detail records”, and its telephone metadata surveillance program is based on this power; and
- a new general acquisition and interception power (section 702 of FISA, codified as 50 USC §1881a) that allows U.S. government agencies to compel access –possibly in real-time – to information from a diverse range of communications and data processing services. This second power has played a central role in populating the PRISM program.
Lots of problems surround the breadth of these powers and the secretive manner by which they have been interpreted. Very few substantive limits are placed on these powers. To make matters worse, these powers are interpreted secretly and are highly and effectively insulated from any adversarial challenge. This permits the government to adopt the most favourable interpretations it can devise, as has been shown in other contexts. The secret and non-adversarial context in which these interpretations are occurring is particularly problematic given the challenges inherent in applying privacy protections to technologically advanced state surveillance techniques.
Of the few existing internal limits FISA places on its powers, most relate to the need to limit exposure of U.S. persons. The only substantive protections that do not relate to this objective include a loose obligation that the powers be employed for foreign intelligence purposes, compatibility with the Fourth Amendment and the fact that both powers are subject to some limited, but highly secretive Judicial and Congressional review. None of these safeguards is highly reassuring, particularly to non-U.S. persons.
Safeguards primarily designed to limit exposure of U.S. persons
To the extent there are limitations placed on these two FISA powers, they are primarily designed to limit the exposure of U.S. persons. The business records power, for example, cannot be directed at U.S. persons solely on the basis of activities protected by the First Amendment. The general acquisition power can only be directed at persons reasonably believed to be located outside the United States and reasonably believed to be non-U.S. persons. A recent leak, however, suggests that the United States Government has secretly interpreted this to require only 51% assurance of foreignness.
The general acquisition power is also subject to general minimization (§1801 (h)) and targeting (§1881a (i)(2)(B)) procedures, which must be approved by FISC. The sole objective of these requirements is to minimize the targeting, collection and retention of private information of U.S. persons. Of course, it remains secret how the specific techniques adopted seek to achieve this. The business records power also includes minimization procedures, but these only relate to minimizing the retention and dissemination of non-public information concerning U.S. persons, not, apparently, its collection (§1861 (g)(2)).
It has become clear over the past several days that the Government and FISC have secretly interpreted these various safeguards in a woefully inadequate manner that fails to achieve even the basic requirement of insulating U.S. persons from their reach. Non-U.S. persons, however, will probably be most concerned by the fact that nothing in FISA or elsewhere in U.S. law seems to effectively limit the extent to which their own online activities are being surveiled.
Next in our Spies Without Borders series, we will examine how the few protections FISA offers to individuals outside the United States provide little or no protection under US law.
A federal magistrate judge in New York recently ruled that cell phone location data deserves no protection under the Fourth Amendment and that accordingly, the government can engage in real-time location surveillance without a search warrant. In an opinion straight from the Twilight Zone, magistrate judge Gary Brown ruled two weeks ago that “cell phone users who fail to turn off their cell phones do not exhibit an expectation of privacy.”
The case in question involved a physician who the DEA believed had issued thousands of prescriptions for pain killers in exchange for cash. In March of this year, the DEA had obtained a warrant for his arrest, and, not knowing where he was, sought an order from magistrate judge Brown forcing the phone company to provide real-time data identifying the location of the physician’s phone.
Although the DEA agents requested a search warrant and the judge found that there was probable cause to believe that the cell phone location data would assist in the location and apprehension of an individual for whom there was already a valid arrest warrant, the judge later published a 30-page opinion further stating that he didn’t think the government needed to seek a search warrant in the first place.
Don’t Want the Government Tracking You? Turn Your Phone Off
In his puzzling opinion, the judge squarely criticizes people naive enough to expect privacy while also leaving their cell phones on when they’re not using them.
Given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective location of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off.
As to control by the user, all of the known tracking technologies may be defeated by merely turning off the phone. Indeed—excluding apathy or inattention—the only reason that users leave cell phones turned on is so that the device can be located to receive calls. Conversely, individuals who do not want to be disturbed by unwanted telephone calls at a particular time or place simply turn their phones off, knowing that they cannot be located.
The Catch-22 here is that the only people who the judge believes would have any reasonable expectation of privacy are those whose phones are turned off (and thus, not generating any location data that the government could access, even with a warrant). And it ignores the necessity of keeping your cell phone turned on for communicating with family or for work.
That consumers are dumb enough to willingly share their location using the “Girls Around Me” app (which the judge specifically calls out by name, although the wrong one), only further justifies covert, warrantless government surveillance:
Given the notoriety surrounding the disclosure of geolocation data to retailers purveying soap powder and blue jeans to mall shoppers, the police searching for David Pogue’s iPhone and, most alarmingly, the creators and users of the Girls Around You app, cell phone users cannot realistically entertain the notion that such information would (or should) be withheld from federal law enforcement agents searching for a fugitive.
This is, in a word, ridiculous. There is a big difference between location information you knowingly share with a select group of friends (or, in fact, the world) and information collected about you without your knowledge or consent. Someone might be happy to share their location with a few friends by “checking in” using Foursquare while at a music festival, but not want law enforcement to access that same information. And, they would still reasonably expect that their location a week later while at an Alcoholics Anonymous meeting or abortion clinic should remain private. Sharing location data isn’t and shouldn’t be all or nothing.
We are also baffled by the judge’s willingness to tie a reasonable expectation of privacy to the use of a cell phone power button. We’re not sure if the judge has watched the Onion’s spoof news video describing a fictional “Google Opt Out Village” for people who don’t want to be tracked by the advertising company, but the logic in his opinion is consistent with the absurdity of that spoof. If you don’t want Google to track you, stop using all modern technology and move to a remote village. If you don’t want the government to covertly track your phone, turn it off and leave it off. What could be simpler, right?
With tax day behind us, taxpayers may soon have something else to celebrate from the IRS. In testimony before the Senate Finance Committee today, IRS Acting Commissioner Steven Miller was questioned aggressively about documents released by the ACLU last week that indicate that the IRS does not think it needs a warrant to read all emails and other electronic communications during criminal investigations. Under pressure from senators, Miller agreed to update IRS policy documents within 30 days to state that a warrant is required for access to all emails, regardless of their age.
Two senators from opposite sides of the aisle, Senator Grassley (R-IA) and Senator Wyden (D-OR), pressed Miller about whether the IRS has sought or obtained emails without a warrant since a federal appeals court ruled in 2010 that a warrant is required for all emails. (You can watch the hearing here. Sen. Grassley’s questions start at 1:25:00 and Sen. Wyden’s questions start at 1:31:10.) They asked why the IRS seems to be ignoring that 2010 decision—United States v. Warshak—in most of the country, and advising its criminal investigative agents that emails stored on a server for more than 180 days can be obtained without a warrant. Surprisingly, Miller answered that the IRS follows Warshak across the country. That’s not what internal IRS documents and its public policy manual show, but if true it is welcome news. Importantly, Miller committed to clarify written IRS policy within 30 days to state that a warrant is always required.
Miller’s testimony leaves several important questions unanswered, however:
- Although Miller stated that the IRS Criminal Investigation unit obtains warrants for all emails, he did not discuss other forms of electronic communication such as text messages, instant messages, and direct messages on social media. Under the Fourth Amendment, a warrant should be required for those private communications as well.
- Miller stated that, to his knowledge, the IRS has not obtained electronic communications without a warrant in the past. But an internal IRS Chief Counsel Advice memorandum from 2011 reveals that, months after Warshak, IRS investigative agents requested emails from an internet service provider without a warrant at least once. The IRS should explain when it started following Warshak nationally, and whether it has sought or obtained emails without a warrant in the past.
We applaud Senators Grassley and Wyden for quickly taking up this important issue and getting an answer from the IRS, less than a week after the ACLU released the IRS documents. But while the IRS’s apparent change of policy is a step in the right direction, there is more for Congress to do. The current IRS policy manual relies on the outdated Electronic Communications Privacy Act (ECPA), which only requires a warrant for some emails and other electronic communications. In order to uniformly protect the privacy of Americans’ private communications, lawmakers must update ECPA to require a warrant for the contents of all electronic communications, regardless of age or other factors. Strong reform legislation has been introduced by a bipartisan group of sponsors, and is starting to make its way through the legislative process. Follow this link to urge Congress to modernize our electronic privacy law and close the loophole that’s letting the government access email and other electronic communications without a warrant.
- New Documents Suggest IRS Reads Emails Without a Warrant (alethonews.wordpress.com)
Everyone knows the IRS is our nation’s tax collector, but it is also a law enforcement organization tasked with investigating criminal violations of the tax laws. New documents released to the ACLU under the Freedom of Information Act reveal that the IRS Criminal Tax Division has long taken the position that the IRS can read your emails without a warrant—a practice that one appeals court has said violates the Fourth Amendment (and we think most Americans would agree).
Last year, the ACLU sent a FOIA request to the IRS seeking records regarding whether it gets a warrant before reading people’s email, text messages and other private electronic communications. The IRS has now responded by sending us 247 pages of records describing the policies and practices of its criminal investigative arm when seeking the contents of emails and other electronic communications.
So does the IRS always get a warrant? Unfortunately, while the documents we have obtained do not answer this question point blank, they suggest otherwise. This question is too important for the IRS not to be completely forthright with the American public. The IRS should tell the public whether it always gets a warrant to access email and other private communications in the course of criminal investigations. And if the agency does not get a warrant, it should change its policy to always require one.
The IRS and Email: Reading Between the Lines
The federal law that governs law enforcement access to emails, the Electronic Communications Privacy Act (ECPA), is hopelessly outdated. It draws a distinction between email that is stored on an email provider’s server for 180 days or less, and email that is older or has been opened. The former requires a warrant; the latter does not. Luckily, the Fourth Amendment still protects against unreasonable searches by the government. Accordingly, in 2010 the Sixth Circuit Court of Appeals decided in United States v. Warshak that the government must obtain a probable cause warrant before compelling email providers to turn over messages.
However, the IRS hasn’t told the public whether it is following Warshak everywhere in the country, or only within the Sixth Circuit.
The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.
Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.
Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was not.
The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.
The first indication that the IRS was considering the effect of Warshak came in an October 2011 IRS Chief Counsel Advice memorandum available on the IRS website but not provided in response to our FOIA request. An IRS employee sought guidance about whether it is proper to use an administrative summons, instead of a warrant, to obtain emails that are more than 180 days old. (The emails in question were located on an internet service provider’s (ISP) server somewhere in the territory covered by the Ninth Circuit Court of Appeals). The memo summarized the holding of Warshak and advised that “as a practical matter it would not be sensible” to seek older emails without a warrant. This is good advice, but the memo’s reasoning leaves much to be desired. The memo explained that Warshak applies only in the Sixth Circuit but that, because the ISP had informed the IRS that it did not intend to voluntarily comply with an administrative summons for emails, there was not “any reasonable possibility that the Service will be able to obtain the contents of this customer’s emails . . . without protracted litigation, if at all.” Any investigative leads contained in the emails would therefore be “stale” by the time the litigation could be concluded, making attempted warrantless access not worthwhile.
The memo misses another chance to declare that agents should obtain a warrant for emails because the Fourth Amendment requires it. Instead, the memo’s advice (which may not be used as precedent and is not binding in other IRS criminal investigations) is limited to situations in the Ninth Circuit where an ISP intends to challenge warrantless requests for emails. The IRS shouldn’t obey the Fourth Amendment only when it faces the inconvenience of protracted litigation; it should recognize that the Fourth Amendment requires warrants for the contents of emails at all times.
Finally, to the present: has the IRS’s position changed this tax season? Apparently not. The current version of the Internal Revenue Manual, available on the IRS website, continues to explain that no warrant is required for emails that are stored by an ISP for more than 180 days. Apparently the agency believes nothing of consequence has changed since ECPA was enacted in 1986, or the now-outdated Surveillance Handbook was published in 1994.
The IRS Owes the American Public an Explanation—and a Warrant Requirement
Let’s hope you never end up on the wrong end of an IRS criminal tax investigation. But if you do, you should be able to trust that the IRS will obey the Fourth Amendment when it seeks the contents of your private emails. Until now, that hasn’t been the case. The IRS should let the American public know whether it obtains warrants across the board when accessing people’s email. And even more important, the IRS should formally amend its policies to require its agents to obtain warrants when seeking the contents of emails, without regard to their age.
(We also sent FOIA requests to the FBI and other components of the Department of Justice—we will be receiving records from those offices in the coming weeks).
- Like rest of the feds, the IRS can get your e-mails with no problem (arstechnica.com)
- When a Secretive Stingray Cell Phone Tracking “Warrant” Isn’t a Warrant (alethonews.wordpress.com)
An Arizona federal court this afternoon will be the battleground over the government’s use of a “Stingray” surveillance device in a closely watched criminal case, United States v. Rigmaiden. And in an important development, new documents revealed after an ACLU of Northern California Freedom of Information Act (FOIA) request should leave the government with some explaining to do.
“Stingray” is the brand name of an International Mobile Subscriber Identity locator, or “IMSI catcher.” A Stingray acts as a fake cell-phone tower, small enough to fit in a van, allowing the government to route all network traffic to the fake tower. We’ve warned that Stingrays are dangerous because they have the capability to obtain the contents of electronic and wire communications while necessarily sucking down data on scores of innocent people along the way.
The Fourth Amendment requires searches be “reasonable,” generally meaning they must be accompanied by a warrant. To get a warrant, the government must show there is probable cause to believe the place they want to search will have evidence of a crime. And it means the judge must ensure the warrant is “particular,” or limited to only allow searches into areas where the evidence is most likely to be found. The only way a judge can make these tough decisions is with the government being forthright about what it’s doing.
But when it comes to Stingrays the government has been extremely secretive about its use, withholding documents in FOIA requests, failing to explain (or even understand) the technology to a Texas federal judge and in Rigmaiden, misleading the court about the fact it’s even using one at all.
Daniel David Rigmaiden is charged with a variety of tax and wire fraud crimes. Hoping to pinpoint Rigmaiden’s precise location within an apartment complex, federal agents applied for an order requesting the court to order Verizon to help the agents pinpoint the physical location of a wireless broadband access card and cell phone they believed Rigmaiden was using. The order is clearly directed towards Verizon:
The Court therefore ORDERS, pursuant to Federal Rule of Criminal Procedure 41(b); Title 18, United States Code, Sections 2703 and 3117; and Title 28, United States Code, Section 1651, that Verizon Wireless, within ten (10) days of the signing of this Order and for a period not to exceed 30 days, unless extended by the Court, shall provide to agents of the FBI data and information obtained from the monitoring of transmissions related to the location of the Target Broadband Access Card/Cellular Telephone…
Ultimately, it turns out the government did not just get Verizon to give it the data. It also used a Stingray device to find Rigmaiden, sucking up loads of other data from other electronic devices in the complex as well, which it deleted.
When Rigmaiden filed a motion to suppress the Stingray evidence as a warrantless search in violation of the Fourth Amendment, the government responded that this order was a search warrant that authorized the government to use the Stingray. Together with the ACLU of Northern California and the ACLU, we filed an amicus brief in support of Rigmaiden, noting that this “order” wasn’t a search warrant because it was directed towards Verizon, made no mention of an IMSI catcher or Stingray and didn’t authorize the government—rather than Verizon—to do anything. Plus to the extent it captured loads of information from other people not suspected of criminal activity it was a “general warrant,” the precise evil the Fourth Amendment was designed to prevent.
The FOIA documents bolster our argument that this isn’t a warrant. The documents are a series of internal emails from DOJ attorneys in the United States Attorney’s Office for the Northern District of California, the district where the order in Rigmaiden’s case was issued. The emails make clear that U.S. Attorneys in the Northern California were using Stingrays but not informing magistrates of what exactly they were doing. And once the judges got wind of what was actually going on, they were none too pleased:
As some of you may be aware, our office has been working closely with the magistrate judges in an effort to address their collective concerns regarding whether a pen register is sufficient to authorize the use of law enforcement’s WIT technology (a box that simulates a cell tower and can be placed inside a van to help pinpoint an individual’s location with some specificity) to locate an individual. It has recently come to my attention that many agents are still using WIT technology in the field although the pen register application does not make that explicit.
While we continue work on a long term fix for this problem, it is important that we are consistent and forthright in our pen register requests to the magistrates…
These emails, combined with the text of the disputed order itself, suggest agents obtained authorization to use a pen register without indicating they also planned to use a Stingray. Either at the time of the application or after the fact, the government attempted to transform that order into a warrant that authorized the use of a Stingray.
Judicial superivison of searches is most needed when the government uses new technologies to embark into new and unknown privacy intrusions. But when the government hides what it’s really doing, it removes this important check on government power. We hope the court sees its been duped, and makes clear to the government that honesty and a warrant are requirements to using a Stingray.
Yesterday the drone regulation bill in the Washington state legislature died, having failed to meet the cutoff date for moving to the House floor. Although our lobbyist there thought the bill would have passed both houses had the Democratic leadership allowed it to get there, they did not. Boeing lobbied against the bill, as did law enforcement.
One of the arguments presented by opponents, our Washington state lobbyist Shankar Narayan reports, was the claim that no regulations are needed for drones because we ought to let the courts work out the privacy issues surounding drones and deal with any abuses that arise. I have also heard spokespeople for the drone industry association, the AUVSI, making this argument lately. It seems to be emerging as a primary argument of drone-legislation opponents.
This is a weak argument. Let me briefly give five reasons why:
- There is no reason to wait for abuses to happen when they are easily foreseeable. When you put an enormously powerful surveillance technology in the hands of the police and do not place any restrictions on its use, it will be abused, sooner or later, in ways illegal (i.e. by bad apples) and legal (i.e. through officially approved policies that nonetheless violate our Constitution and/or values). Why wait, when we can prevent them before they take place and spare their victims the grief?
- The legal system has always been very slow to adapt to new technology. For example, it took the Supreme Court 40 years to apply the Fourth Amendment to telephone calls. At first the court found in a 1928 decision that because telephone surveillance did not require entering the home, the conversations that travel over telephone wires are not protected. It was not until 1967 that this literal-minded hairsplitting about “constitutionally protected areas” was overturned (with the court declaring that the Constitution “protects people, not places”). Today, technology is moving far faster than it did in the telephone era—but the gears of justice turn just as slowly as they ever have (and maybe slower).
- There are many uncertainties about how our Constitution will be applied by the courts to aerial surveillance. Just as the new technology of the telephone broke the Supreme Court’s older categories of understanding, so too will drones with all their new capabilities bring up new situations that will not fit neatly within existing jurisprudential categories of analysis. For example, how will the courts view the use of drones for routine location tracking? The Supreme Court started to grapple with such questions in its recent decision in the Jones GPS case, but it is far from clear what the ultimate resolution will be. The Supreme Court has ruled before that the Fourth Amendment provides no protection from aerial surveillance, even in one’s backyard surrounded by a high fence, and while the new factors that drones bring to the equation could shift that judgment, we cannot be certain. Legislators should not sit around waiting for cases to come before the courts; they should act to preserve our values now.
- Legislatures often set rules even when the Constitution would seem to cover something. To take just one example: after the Supreme Court issued that 1967 ruling that a warrant was needed to tap someone’s phone, Congress went on to enact detailed standards the government had to follow before it could do so. What it did not do was throw its hands up and say “the court has ruled, if there are any further abuses we can let the courts take care of them.”
- Our courts often defer to the judgments of elected bodies. While the courts’ role is to step in and protect fundamental rights when they are threatened by the majority, they normally show great deference toward the judgments of elected representatives of the people. And for good reason—we live in a democracy, and unless fundamental rights are at stake decisions should be made by our democratic representatives. A legislature acting to protect fundamental rights such as privacy does not threaten such rights, and there is no reason why elected representatives shouldn’t act to protect our fundamental values if they feel that the citizens in their districts want them to.
Let’s hope that state legislators in other states don’t fall for this line of argument.
The Supreme Court recently heard oral argument in Maryland v. King, a case considering the constitutionality of warrantless DNA collection from arrestees. We’ve long warned about the privacy problems with the rise of cheap, easy and fast blanket DNA collection, and filed an amicus brief with the Court urging it to hold the government can only obtain this sensitive genetic material with a search warrant. While it can be fruitless trying to read the tea leaves of oral argument, one specific idea — that technological advances making DNA analysis faster means warrantless collection may be OK — should leave you worried about the fate of privacy going forward in the digital age.
One of the main disagreements surrounding the issue of DNA collection is whether the state is collecting DNA from arrestees for immediate identification — to figure out if they’ve arrested the right person and learn who that person is for purposes of making a bail determination — or for past and future investigation — to solve cold cases and to store DNA for future searches. The state has long claimed they used DNA for both, while we’ve argued the government simply isn’t able to use DNA collection for immediate identification purposes since there’s currently a delay in analyzing DNA ranging from several days up to a few months. But with the rise of rapid DNA analyzers which can analyze DNA in 90 minutes, law enforcement is chomping at the bit to purchase and install these devices at police stations across the country. When the lawyer challenging the blanket DNA collection argued that law enforcement’s interest in using DNA for immediate identification was simply not possible because of the lengthy delays in DNA analysis, Chief Justice Roberts interrupted to note (PDF):
Now, your brief says, well, the only interest here is the law enforcement interest. And I found that persuasive because of the concern that it’s going to take months to get the DNA back anyway, so they are going to have to release him or not before they know it. But if we are in a position where it now takes 90 minutes or will soon take 90 minutes to get the information back, I think that’s entirely different…
Other members of the court echoed this idea, hinting that if DNA analysis was done faster, than there could be a legitimate identification — as opposed to investigative — need for the practice. And if that was the case, then DNA collection was no different than fingerprinting, and the police could swab and collect DNA without a search warrant. This would be a dangerous Fourth Amendment precedent.
The reasonableness of a search under the Fourth Amendment has always depended on whether the search is reasonably related in scope to the circumstances that justify the search in the first place. But that determination shouldn’t hinge on how long it takes to do the search, but rather what the search reveals. And with DNA searches, an enormous amount of sensitive information is being revealed to the government: a person’s entire genome. Ignoring the breadth of this intrusion by focusing on the ease of collection — implicitly believing the easier it is to intrude into a private place, the less protected it is — elevates form over substance to the detriment of the right of privacy enshrined in the Fourth Amendment.
This dangerous thinking extends beyond DNA collection. We’ve already warned about the problems with warrantless home video surveillance and stingrays, or fake cell phone towers which the government has been very secretive about. As technological advances like these allow the government to easily collect and catalog greater amounts of information, courts run the risk of allowing broader and more intrusive searches to pass Fourth Amendment scrutiny simply because of the possibility of exposure. Instead, courts should be focusing on the actual intrusion and people’s expectation that private information will not be exposed, regardless of how technological advances can make government access easier or faster.
The fact the government can do something now it couldn’t do before doesn’t make it constitutional. In fact, it should be the opposite. As it becomes easier for the government to seize and analyze, institutional checks — like a search warrant — on the government’s power is necessary to protect privacy before it becomes a casualty to technological advances.
Homeland Security Approves Seizure of Cell Phones and Laptops within 100 Miles of Border; Report Remains Secret
Americans have no Fourth Amendment rights against unreasonable searches and seizures if they happen to be within 100 miles of the border, according to the “Executive Summary” of a still-secret report by the Department of Homeland Security (DHS). As the ACLU-created map above shows, nearly 2/3 of Americans (197 million people)—including the entire populations of Florida, Maine, New Hampshire, Vermont, Massachusetts, Connecticut, Rhode Island, New Jersey, Delaware, Maryland, Washington, DC, and Michigan—live in this “Constitution free” zone, as do the residents of the nation’s five most populous cities: New York, Los Angeles, Chicago, Houston and Philadelphia.
The secret report is DHS’s response (two years late) to critics of its policy, in place since at least 2008, of allowing border control agents, without a warrant or even a suspicion of wrongdoing, to search any travelers’ electronic devices (laptops, cell phones, tablets, cameras, etc.) and seize data they find. According to a Freedom of Information Act request (FOIA) filed three years ago by the ACLU, DHS subjected more than 6,500 travelers—nearly half of them U.S. citizens—to searches under this policy between October 2008 and June 2010.
The Executive Summary of the secret report, which DHS is allowing the public to see, sets forth its conclusions without even summarizing the reasoning underlying them. Thus it asserts that “imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits,” but is silent on how DHS defines “civil rights/civil liberties benefits” or how it balances these against its institutional needs.
The ACLU, which has already filed an FOIA request demanding the full report, released a statement arguing that “allowing government agents to search through all of a traveler’s data without reasonable suspicion is completely incompatible with our fundamental rights: our Fourth Amendment right to privacy—and more specifically the right to be free from unreasonable searches—is implicated when the government can rummage through our computers and cell phones for no reason other than that we happen to have traveled abroad. Suspicionless searches also open the door to profiling based on perceived or actual race, ethnicity, or religion. And our First Amendment rights to free speech and free association are inhibited when agents at the border can target us for searches based on our exercise of those rights.”
To Learn More:
DHS Watchdog OKs ‘Suspicionless’ Seizure of Electronic Devices Along Border (by David Kravets, Wired)
Law Enforcement Should Not Gather Genetic Information Without a Warrant
San Francisco – The Electronic Frontier Foundation (EFF) urged the Supreme Court Friday to block DNA collection from everyone arrested for a crime, arguing that law enforcement must get a warrant before forcing people to give samples of their genetic material.
EFF’s amicus brief was filed Friday in Maryland v. King – a case challenging a law in the state of Maryland that requires DNA collection from all arrestees, whether they are ultimately convicted of a crime or not. Maryland officials claim that DNA is necessary for definitive identification, but they do not use the sample to “identify” the arrestee. Instead, they use the sample for other investigatory purposes – retaining and repeatedly accessing the wealth of personal information disclosed by an individual’s genetic material despite lacking individualized suspicion connecting the arrestee to another crime. This violates the Fourth Amendment.
“Your DNA is the roadmap to an extraordinary amount of private information about you and your family,” said EFF Staff Attorney Jennifer Lynch. “It contains data on your current health, your potential for disease, and your family background. For government access to personal information this sensitive, the Fourth Amendment requires a warrant.”
In addition to Maryland, 27 states and the federal government have laws that mandate DNA collection from anyone arrested, even if they are not yet convicted of a crime. EFF has filed amicus briefs in a number of cases challenging these unconstitutional laws. Meanwhile, the Supreme Court has shown increasing sensitivity to the power of sophisticated technology to undermine traditional privacy protections.
“Let’s say you were picked up by police at a political protest and arrested, but then released and never convicted of a crime. Under these laws, your genetic material is held in a law enforcement database, often indefinitely,” said EFF Senior Staff Attorney Lee Tien. “This is an unconstitutional search and seizure.”
The Supreme Court is set to hear arguments in Maryland v. King later this month.
For the full brief in Maryland v. King:
Electronic Frontier Foundation
Senior Staff Attorney
Electronic Frontier Foundation
Two Out of Every Three US Demands to Google Come Without A Warrant
This morning, Google released their semi-annual transparency report, and once again, it revealed a troubling trend: Internet surveillance around the world continues to rise, with the United States leading the way in demands for user data.
Google received over 21,000 requests for data on over 33,000 users in the last six months from governments around the world, a 70% increase since Google started releasing numbers in 2010. The United States accounted for almost 40% the total requests (8,438) and the number of users (14,791). The total numbers in the US for 2012 amounted to a 33% increase from 2011. And while Google only complied with two-thirds of the total requests globally, they complied with 88% of the requests in the United States.
Admirably, Google expanded their transparency report this time around, providing more detailed information about what kind of requests they get from the US government—specifically the type of requests they get under the main email privacy law in the US, the Electronic Communications Privacy Act (ECPA).
EFF has long criticized ECPA for not providing email with the same warrant protection as the Fourth Amendment gives to physical letters and phone calls. The Justice Department believes that it doesn’t need a warrant for emails over 180 days. Google’s lawyers, to their credit, have criticized the law as well, saying just this week, “our view is that [ECPA] is out of compliance with the Fourth Amendment because the government can call for the production of your data without a search warrant.”
Even on dry land, Americans should fear the stingray. Not the flat cartilaginous fishes related to sharks, but the secret government surveillance device that not only tracks suspected criminals but also intercepts the private information of law-abiding citizens who happen to be nearby. Now, because of a Freedom of Information Act (FOIA) request and lawsuit brought by the Electronic Privacy Information Center (EPIC) against the FBI, the government is slowly releasing thousands of relevant documents that are already raising alarms among privacy and civil liberties advocates.
The stingray came to public notice in 2011 when the FBI used a “cell-site simulator” to track down a suspect. This portable device, also called an “IMSI catcher” or a “stingray,” sends out a signal that fools nearby wireless phones into connecting with a fake network. It can then capture all sorts of personal data from all of those phones, including location data that can then be used to track a person’s movements in real time. A stingray can be handheld or mounted on a motor vehicle or an unmanned surveillance drone.
As the FBI has admitted to EPIC, because the stingray fools all nearby wireless phones into connecting with its bogus network and uploading private data to it, its use would constitute a “search and seizure” under the Fourth Amendment to the Constitution and thus require a warrant. However, because the FBI argues that wireless phone users have no reasonable expectation to privacy, the agency says it does not need a warrant. The Supreme Court has not yet ruled on the privacy of cell phone calls.
In addition to (probably) violating the constitution, the use of stingrays is also prohibited by federal law. Although heavily redacted, the files reluctantly released by the FBI reveal snippets of internal Justice Department discussions of how to justify use of the stingray as compliant with the provisions of the Communications Act that prohibit “interference” with communication signals like those of wireless phones.
These documents demonstrate, according to EPIC attorney Alan Butler, that “there are clearly concerns, even within the agency, that the use of Stingray technology might be inconsistent with current regulations. I don’t know how the DOJ justifies the use of Stingrays given the limitations of the Communications Act prohibition.”
Nor is it just the FBI. According to a recent report, local police are “quietly” using stingrays in Los Angeles, Miami, Fort Worth, and Gilbert, Arizona. And likely other places, as well.
In a potentially precedent-setting decision, the Ninth Circuit Court of Appeals ruled Monday that a Guild lawyer’s challenge to military spying on peace activists can proceed. The ruling marks the first time a court has affirmed people’s ability to sue the military for violating their First and Fourth Amendment rights.
“This has never been done before,” said NLG member attorney Larry Hildes, who is handling the case. “The U.S. government has spied on political dissidents throughout history and this particular plot lasted through two presidencies, but never before has a court said that we can challenge it the way we have.”
The ruling is the latest development in the lawsuit, Panagacos v. Towery, first brought by Hildes in 2009 on behalf of a group of Washington state antiwar activists who found themselves infiltrated by John Towery, an employee at a fusion center inside a local Army base. Fusion centers are multi-jurisdictional intelligence facilities which house federal and local law enforcement agencies alongside military units and private security companies. Their operations are largely secret and unregulated. There are currently 77 fusion centers in the United States.
The lawsuit names Towery as well as the Army, Navy, Air Force, FBI, CIA, Department of Homeland Security, and other law enforcement agencies. For at least two years, Towery posed as an activist with the antiwar group Port Militarization Resistance (PMR), a group that sought to oppose the wars in Iraq and Afghanistan through civil disobedience. The infiltration came to light when public records requests filed with the City of Olympia unearthed documents detailing an expansive surveillance operation. In addition to PMR, Towery targeted Students for a Democratic Society, the Olympia Movement for Justice and Peace, the Industrial Workers of the World, Iraq Veterans Against the War, an anarchist bookstore in Tacoma, and other activist groups.
The latest ruling denies the government’s appeal on the basis that the allegations of First and Fourth Amendment violations carried out by Towery are “plausible.” His lawyers have until December 31 to appeal the decision. If they do not appeal, the case will return to district court and the discovery phase will begin.
The National Lawyers Guild is the oldest and largest public interest/human rights bar organization in the United States. Its headquarters are in New York and it has members in every state.