We’ve long chronicled the downward trajectory of EO 13526, President Barack Obama’s 2009 executive order that boldly sought to stem the tide of excessive government secrecy. President Obama imposed checks on the government by forbidding classification decisions that are made to prevent embarrassment to a person, organization, or agency, and by boosting the ability of the National Archives and Records Administration (NARA) to lead a declassification program.
“My administration is committed to operating with an unprecedented level of openness,” the president declared. At the time President Obama swept his pen over this order, there were 55 million classified documents. And how has that worked out? Today 75 million classified documents have piled up. Some of them date back to the Truman administration. A report released Tuesday by the National Coalition for History makes public the inside grips of NARA in trying to fulfill its mission. The report states that NARA’s flatlined budget leaves its National Declassification Center (NDC) short-staffed and unable to cope with thousands of pending Freedom of Information Act requests. We filed one such FOIA of our own asking a slew of federal agencies in effect if “they’ve done anything to comply with President Obama’s executive order?” Some FOIAs, the History Coalition reports, sit in 12-year queues. But the bigger problems for declassification involve perverse incentives. The History Coalition reports: “Even highly skilled and experienced NDC staffers lack the authority to reverse agency decisions that they disagree with, a dynamic that perpetuates the over-classification problem.” No one ever got fired for refusing to declassify something. No one should be surprised, then, that when you ask the agency that classified a document if it should remain classified, the answer will almost always be “yes.” Another revelation from the History Coalition’s report is that the NDC lacks a secure electronic transmittal system to send classified records for agency referrals. Instead, they are sent on digitized diskettes through regular U.S. mail. You would think that if a document is so sensitive it must remain secret that sending it back with a postage stamp would be a non-starter. That laxity, more than anything, is a sure sign that what is at work isn’t the protection of vital national secrets, but bureaucratic backside covering, the only perpetual motion machine known to physics. What can be done? A good place to start is the History Coalition’s reform proposal to vest the NDC “with the authority to declassify information subject to automatic declassification without having to refer the records back to the originating agency.” Sounds like a good idea to us. From your browsing history to your physical location, every aspect of your digital footprint can be tracked and used to build a comprehensive profile of your private life – including your political, religious, and family activities, as well as the most intimate details of your personal life. This information is invaluable not only to advertisers – which want to place ads in your social media feeds – but also to governments, which often have malevolent intentions.
Hostile governments might weaponize your personal digital trail for blackmail or embarrassment. Imagine a CEO or inventor being blackmailed into revealing trade secrets. Or, if you work in the military or in an agency for a contractor involved in national security, your personal data might be used to disrupt your life during the beginning of an international crisis. Imagine a CIA officer receiving what appears to be an urgent message of distress from her daughter or an Air Force officer being told in the voice of his commanding officer to not go to the base but to shelter in place. And then multiply that effect by the millions of Americans in the crosshairs of a cyberattack. Congress and the Biden Administration acted against these possibilities this spring by including in the Israel/Ukraine weapons appropriation measure a provision banning data brokers from exporting Americans' personal data to China, Russia, North Korea, and Iran. However, this ban had notable loopholes. Adversary countries could still purchase data indirectly through middlemen data brokers in third countries or establish front companies to circumvent the ban. To attempt to close these loopholes, Sens. Ron Wyden (D-OR) and Cynthia Lummis (R-WY) have offered an amendment to the National Defense Authorization Act to further tighten the law by restricting data exports to problematic countries identified by the Secretary of Commerce that lack robust privacy laws to protect Americans' data from being sold and exported to adversaries. This measure will help reduce the flow of Americans’ personal data through third-parties and middlemen ultimately to regimes that have nothing but the worst of intentions. PPSA applauds Sens. Wyden and Lummis for working to tighten the pipeline of Americans’ data flowing out into the world. Their proposal is a needed one and deserves the vocal support of every American who cares about privacy. As Congress debated Section 702 – the authority within the Foreign Intelligence Surveillance Act that allows U.S. intelligence agencies to surveil foreign threats located abroad – the FBI solemnly informed lawmakers that the use of Section 702 is essential to allowing the bureau to catch domestic terror plots. In fact, the FBI claimed Section 702 was used to derail a “potentially imminent terrorist attack” against critical U.S. infrastructure.
FBI Director Christopher Wray doubled down on this point in a speech on April 9, saying that “only by querying that U.S. person’s identifiers in our 702 collection did we find important intelligence on the seriousness and urgency of the threat.” FBI officials repeated that claim in an interview with Politico. These are apparent references to Brandon Clint Russell, a neo-Nazi founder of the self-styled “Atomwaffen Division” – charged with conspiring to attack electrical substations across Maryland. Yet, contrary to the agency’s repeated claims that their review of Section 702 data was essential to identifying him and the risk he posed, the FBI’s affidavit filed in the criminal case does not even mention Russell’s alleged communications with foreign targets of Section 702. And the absence of such information indicates that the FBI knew enough about him to seek a warrant without using its Section 702 database as a surveillance tool. “There they go again,” said Gene Schaerr, PPSA general counsel. “It is rank dishonesty to tell Congress one thing and the courts another.” Critics of Section 702 have long criticized the use of this authority as a way for the government to conduct “backdoor searches.” The FBI rejects that term but celebrates the use of Section 702 data to do precisely that, to use the global database as a predicate to develop domestic leads. These queries of Americans’ communications allow the government to develop investigative leads pulled out of global intercepts. It is a backdoor search because defendants often never learn about the origin of their case in court. In this case, however, there seemed to be abundant independent evidence to investigate Russell. “The filing suggests that even if the FBI performed a backdoor search, it was inconsequential,” Schaerr said. “The court filing indicates that the government had enough information to investigate – read the Wikipedia page of Brandon Russell – so why didn’t they just get a warrant as required by the Fourth Amendment?” And more important than the FBI’s failure to seek a warrant in this one case, this episode unfortunately illustrates the FBI’s willingness to lie to Congress – and by extension to the American people – to get the legislation they want. The FBI shouldn’t be surprised that no one in Congress takes their “sky is falling” cries seriously the next time around. PPSA's senior policy advisor, Bob Goodlatte, and general counsel, Gene Schaerr, explain in Just Security on why it’s imperative that intel agencies listen to bipartisan concerns re: surveillance reform. Surveillance abuses degrade and threaten the vital mission these agencies must carry out. Additionally, they explain how the intel agencies' alienation of Americans and congressional representatives is dangerous for both the Constitution and national security.
The Quick Unlocking of Would-Be Trump Assassin’s Phone Reveals Power of Commercial Surveillance7/18/2024
Since 2015, Apple’s refusal to grant the FBI a backdoor to its encrypted software on the iPhone has been a matter of heated debate. When William Barr was the U.S. Attorney General, he accused Apple of failing to provide “substantive assistance” in the aftermath of mass shootings by helping the FBI break into the criminals’ phones.
Then in a case in 2020, the FBI announced it had broken into an Apple phone in just such a case. Barr said: “Thanks to the great work of the FBI – and no thanks to Apple …” Clearly, the FBI had found a workaround, though it took the bureau months to achieve it. Gaby Del Valle in The Verge offers a gripping account of the back-and-forth between law enforcement and technologists resulting, she writes, in the widespread adoption of mobile device extraction tools that now allow police to easily break open mobile phones. It was known that this technology, often using Israeli-made Cellebrite software, was becoming ever-more prolific. Still, observers did a double-take when the FBI announced that its lab in Quantico, Virginia, was able to break into the phone of Thomas Matthew Crooks, who tried to assassinate former President Trump on Saturday, in just two days. More than 2,000 law enforcement agencies in every state had access to such mobile device extraction tools as of 2020. The most effective of these tools cost between $15,000 and $30,000. It is likely, as with cell-site simulators that can spoof cellphones into giving up their data, that these phone-breaking tools are purchased by state and local law enforcement with federal grants. We noticed recently that Tech Dirt reported that for $100,000 you could have purchased a cell-site simulator of your very own on eBay. The model was old, vintage 2004, and is not likely to work well against contemporary phones. No telling what one could buy in a more sophisticated market. The takeaway is that the free market created encryption and privacy for customer safety, privacy, and convenience. The ingenuity of technologists responding to market demand from government agencies is now being used to tear down consumer encryption, one of their greatest achievements. We recently asked why Republican House Intelligence Committee Members excluded a provision in the Intelligence Authorization Act that would narrow the scope of a new law that has become known as “Make Everyone a Spy.” Now a few senators are following up behind closed doors to further protect this law from any reform or changes. This provision became law in April as an amendment in the recent reauthorization of Section 702 of the Foreign Intelligence Surveillance Act. The language in this law defining a covered “electronic communications service provider” is shockingly broad, enlisting most every kind of business and “custodian” of equipment capable of storing and carrying data. This means that virtually any business with Wi-Fi or routers could be asked to turn over Americans’ communications to the government, followed by a lifetime gag order never to reveal it to customers. Sen. Ron Wyden, D-OR, as this measure was on the verge of passage in April, said on the Senate floor: “Now, if you have access to any communications, the government can force you to help it spy. That means anyone with access to a server, a wire, a cable box, a Wi-Fi router, a phone, or a computer. Think about the millions of Americans who work in buildings and offices in which communications are stored or pass through.” Realizing how outlandish this authority is, Sen. Mark Warner, Chairman of the Senate Intelligence Committee, at the time promised his colleagues that if they passed this measure, he would later refine its language to narrow the definition of an electronic communications service provider. Sen. Warner recently offered an amendment to narrow the scope of this law in the Intelligence Authorization Act. Although Warner’s amendment is classified, it is widely believed to limit this new form of warrantless surveillance to data centers. Now two unnamed senators are said to have nixed Sen. Warner’s promise behind closed doors. This would leave in place the most expansive version of the Make Everyone a Spy law.
We ask you to contact your Senators and tell them: Do not allow senators to renege on Sen. Mark Warner’s pledge to narrow the definition of a covered electronic communications service provider in the “Make Everyone a Spy” law. If the promised reform is not included, senators should hold up the Intelligence Authorization Act until it is put back in! We reported earlier this month that Los Angeles police are alarmed at the proliferation of wireless cameras installed in bushes that allow criminals to remotely surveil homes targeted for burglaries.
Now police in Braintree, Massachusetts, have arrested two men and a woman in connection to a series of burglaries enabled by these remote, wireless cameras. One of the suspects, a Colombian man wearing all black and a mask, was arrested and charged with resisting arrest and assault and battery on a police officer, after attempting to flee when he was allegedly caught retrieving a wireless camera in front of a home that had been burgled. The three people arrested are, according to Braintree police, connected to a group known as the South American Theft Group, which uses extensive surveillance, GPS tracking technology, and counter-surveillance measures to analyze the comings and goings of their victims. The commoditization of spyware and the popularization of sophisticated plans for surveillance is driving this revolution in neighborhood crime. What can we do? In addition to the customary precautions of installing locks and alarms, outdoor lights, and installing security cameras, you should avoid posting advance notice of family vacations. Criminals are watching your social media posts as well. PPSA Asks Supreme Court to Hear X Corp.’s Constitutional Case Against Surveillance Gag Orders7/10/2024
PPSA announced today the filing of an amicus brief asking the U.S. Supreme Court to take up a case in which X Corp., formerly Twitter, objects to surveillance and gag orders that violate the First Amendment and pose a threat to the Fourth and Sixth Amendments as well.
When many consumers think of their digital privacy, they think first of what’s on their computers and shared with others by text or email. But the complex, self-regulating network that is the internet is not so simple. Our online searches, texts, images, and emails – including sensitive, personal information about health, mental health, romances, and finances – are backed up on the “cloud,” including data centers like X Corp.’s that distribute storage and computing capacity. Therein lies the greatest vulnerability for government snooping. The growth of data centers is prolific, rising from 2,600 to 5,300 such centers in 2024. And with it, so have government demands for our data. When federal agencies – often without a warrant – seek to access Americans’ personal data, more often than not they go to the companies that store the data in places like these data centers. For years, this power involved large social media and telecom companies. The power of the government to extract data, already robust, increased exponentially with the reauthorization of FISA Section 702 in April, which included what many call the “Make Everyone a Spy Act.” This provision defines an electronic communication service provider as virtually any company that merely has access to equipment, like Wi-Fi and routers, that is used to transmit or store electronic communications. On top of that, the government then slaps the data center or service provider with a Non-Disclosure Order (NDO), a gag order that prevents the company from informing customers that their private information has been reviewed. One such company – X Corp. – has been pressing a constitutional challenge against this practice regarding a government demand for former President Trump’s account data. PPSA has joined in an amicus brief supporting X’s bid for certiorari, asking the Court to consider the constitutional objections to government conscription of companies that host consumers’ data as adjunct spies, while restraining their ability to speak out on this conscription. In the case of X, the government has seized the company’s records on customer communications and then slapped the company with an NDO to force it to shut up about it. The government claims this secrecy is needed to protect the investigation, even though the government itself has already publicized the details of its investigation. Whatever you think of Donald Trump, this is an Orwellian practice. PPSA’s amicus brief informed the Court that the gag order “makes a mockery of the First Amendment’s longstanding precedent governing prior restraints. And it will only become more frequent as third-party cloud storage becomes increasingly common for everything from business records to personal files to communications …” The brief informs the Court: “NDOs can be used to undermine other constitutionally protected rights” beyond the First Amendment. These rights include the short-circuiting of Fourth Amendment rights against warrantless searches and Sixth Amendment rights to a public trial in which a defendant can know the evidence against him. Partial solutions to these short-comings are winding their way through the legislative process. Sen. Mark Warner, Chairman of the Senate Intelligence Committee, introduced legislation to narrow the scope of businesses covered by the new, almost-universal dragooning of businesses large and small as government spies – though House Intelligence Chairman Mike Turner is opposing that reasonable provision. Last year, the House passed the NDO Fairness Act, which requires judicial review and limited disclosures for these restraints on speech and privacy. As partial solutions wend their way through Congress, this case presents a number of well-defined concerns best defined by the Supreme Court. PPSA today announced the filing of a lawsuit to compel the FBI to produce records about the possible use of FISA Section 702 authority – enacted by Congress to enable surveillance of foreign targets on foreign soil – for political surveillance of Americans at home.
Activists on the left and the right have long suspected the FBI uses surreptitious means to spy on lawful protests and speech. Those suspicions were confirmed when a FISA court decision released in 2022 revealed that government investigators had used Section 702 global database to surveil all 19,000 donors to a single Congressional campaign. Acting on this concern, PPSA submitted a FOIA request to the FBI in February seeking all records discussing the use of Section 702 or other FISA authorities to surveil, collect information related to, or otherwise investigate anyone who attended:
The FBI almost immediately responded to PPSA that our FOIA request “is not searchable” in the FBI’s “indices.” The response also informed us that the FBI “administratively closed” our request. The FBI did not dispute that PPSA’s FOIA request reasonably described the requested records. This should have, under the FOIA statute, triggered a search requirement, but the FBI ignored it. The self-serving excuse that limitations to the FBI’s Central Records System overlooks the plentiful databases and search methods at the fingertips of one of the world’s premier investigative organizations. After a fruitless appeal to the Department of Justice’s Office of Information Policy, exhausting any administrative remedy, PPSA is now suing in the U.S. District Court of the District of Columbia to compel the FBI to produce these documents. We’ll keep you informed of any major developments. PPSA has fired off a succession of Freedom of Information Act (FOIA) requests to leading federal law enforcement and intelligence agencies. These FOIAs seek critical details about the government’s purchasing of Americans’ most sensitive and personal data scraped from apps and sold by data brokers.
PPSA’s FOIA requests were sent to the Department of Justice and the FBI, the Department of Homeland Security, the CIA, the Defense Intelligence Agency, the National Security Agency, and the Office of the Director of National Intelligence, asking these agencies to reveal the broad outlines of how they collect highly private information of Americans. These digital traces purchased by the government reveal Americans’ familial, romantic, professional, religious, and political associations. This practice is often called the “data broker loophole” because it allows the government to bypass the usual judicial oversight and Fourth Amendment warrant requirement for obtaining personal information. “Every American should be deeply concerned about the extent to which U.S. law enforcement and intelligence agencies are collecting the details of Americans’ personal lives,” said Gene Schaerr, PPSA general counsel. “This collection happens without individuals’ knowledge, without probable cause, and without significant judicial oversight. The information collected is often detailed, extensive, and easily compiled, posing an immense threat to the personal privacy of every citizen.” To shed light on these practices, PPSA is requesting these agencies produce records concerning:
Shortly after the House passed the Fourth Amendment Is Not For Sale Act, which would require the government to obtain probable cause warrants before collecting Americans’ personal data, Avril Haines, Director of National Intelligence, ordered all 18 intelligence agencies to devise safeguards “tailored to the sensitivity of the information.” She also directed them to produce an annual report on how each agency uses such data. PPSA believes that revealing, in broad categories, the size, scope, sources, and types of data collected by agencies, would be a good first step in Director Haines’ effort to provide more transparency on data purchases. The recent passage of the Fourth Amendment Is Not For Sale Act by the House marks a bold and momentous step toward protecting Americans' privacy from unwarranted government intrusion. This legislation mandates that federal law enforcement and intelligence agencies, such as the FBI and CIA, must obtain a probable cause warrant before purchasing Americans’ personal data from brokers. This requirement closes a loophole that allows agencies to compromise the privacy of Americans and bypass constitutional safeguards.
While this act primarily targets law enforcement and intelligence agencies, it is crucial to extend these protections to all federal agencies. Non-law enforcement entities like the Treasury Department, IRS, and Department of Health and Human Services are equally involved in the purchase of Americans' personal data. The growing appetite among these agencies to track citizens' financial data, sensitive medical issues, and personal lives highlights the need for a comprehensive warrant requirement across the federal government. How strong is that appetite? The Financial Crimes Enforcement Network (FinCEN), operating under the Treasury Department, exemplifies the ambitious scope of federal surveillance. Through initiatives like the Corporate Transparency Act, FinCEN now requires small businesses to disclose information about their owners. This data collection is ostensibly for combating money laundering, though it seems unlikely that the cut-outs and money launderers for cocaine dealers and human traffickers will hesitate to lie on an official form. This data collection does pose significant privacy risks by giving multiple federal agencies warrantless access to a vast database of personal information of Americans who have done nothing wrong. The potential consequences of such data collection are severe. The National Small Business Association reports that the Corporate Transparency Act could criminalize small business owners for simple mistakes in reporting, with penalties including fines and up to two years in prison. This overreach underscores the broader issue of federal agencies wielding excessive surveillance powers without adequate checks and balances. Another alarming example is the dragnet financial surveillance revealed by the House Judiciary Committee and its Select Subcommittee on the Weaponization of the Federal Government. The FBI, in collaboration with major financial institutions, conducted sweeping investigations into individuals' financial transactions based on perceptions of their political leanings. This surveillance was conducted without probable cause or warrants, targeting ordinary Americans for exercising their constitutional rights. Without statutory guardrails, such surveillance could be picked up by non-law enforcement agencies like FinCEN, using purchased digital data. These examples demonstrate the appetite of all government agencies for our personal information. Allowing them to also buy our most sensitive and personal information from data brokers, which is happening now, is about an absolute violation of Americans’ privacy as one can imagine. Only listening devices in every home could be more intrusive. Such practices are reminiscent of general warrants of the colonial era, the very abuses the Fourth Amendment was designed to prevent. The indiscriminate collection and scrutiny of personal data without individualized suspicion erode the foundational principles of privacy and due process. The Fourth Amendment Is Not For Sale Act is a powerful and necessary step to end these abuses. Congress should also consider broadening the scope to ensure all federal agencies are held to the same standard. We often report on the disturbing growth of surveillance camera systems in the hands of government, whether it’s through expansion of networks at city intersections, or convincing citizens to hand over video from their Ring and other private camera systems. We’ve reported on police aiming a camera at a home to create a 24-hour stakeout over eight months.
Now a new threat is emerging – criminals are leveraging these same surveillance tools for stakeouts to determine the best time to clean out your house. For years, burglars have scouted out target homes by posing as salesmen or dressing up as repairmen or utility workers. But that required shoe leather and a certain degree of risk. A report by Nathan Solis of The Los Angeles Times uncovers a troubling trend in Southern California going nationwide – criminals are installing hidden cameras in residential yards. Burglars are planting hidden cameras wreathed in plastic leaves and inserted into bushes to stake out unsuspecting homeowners’ yards to monitor the comings and goings of family members in order to plan their crimes with precision. Wi-Fi jammers, illegal to possess but legal to sell, are also often used to disable home security systems when the break-in does occur. In the face of such a threat, what can we do? The Times offers proactive steps you can take to protect against surveillance-enabled burglars. First, if you spot such a device you should alert police immediately, so law enforcement can track the secret trackers. You should have an electrician hardwire your burglary alarm with cables that go direct into your router so it cannot be turned off. Put a padlock on your circuit-breaker to further protect against someone turning off the power to your alarm system. Have lights activated by motion detectors and harden your points of entry. The Times also reports that police recommend placing Apple Air Tags or some other tracker placed inside a few valuables to allow the police to track your items if they should be stolen. In any event, as with the deep infiltration of the phones of police and journalists by cartels with “zero-day” software, we should expect any new surveillance technology in the hands of the government and law enforcement will wind up in the hands of criminals as well. We’ve long recounted the bad news on law enforcement’s use of facial recognition software – how it misidentifies people and labels them as criminals, particularly people of color. But there is good news on this subject for once: the Detroit Police Department has reached a settlement with a man falsely arrested on the basis of a bad match from facial recognition technology (FRT) that includes what many civil libertarians are hailing as a new national standard for police.
The list of injustices from false positives from FRT has grown in recent years. We told the story of Randall Reid, a Black man in Georgia, arrested for the theft of luxury goods in Louisiana. Even though Reid had never been to Louisiana, he was held in jail for a week. We told the story of Porchia Woodruff, a Detroit woman eight months pregnant, who was arrested in her driveway while her children cried. Her purported crime was – get this – a recent carjacking. Woodruff had to be rushed to the hospital after suffering contractions in her holding cell. Detroit had a particularly bad run of such misuses of facial recognition in criminal investigations. One of them was the arrest of Robert Williams in 2020 for the 2018 theft of five watches from a boutique store in which the thief was caught on a surveillance camera. Williams spent 30 hours in jail. Backed by the American Civil Liberties Union, the ACLU of Michigan, and the University of Michigan Civil Rights Litigation Initiative, Williams sued the police for wrongful arrest. In an agreement blessed by a federal court in Michigan, Williams received a generous settlement from the Detroit police. What is most important about this settlement agreement are the new rules Detroit has embraced. From now on:
Another series of reforms impose discipline on the way in which lineups of suspects or their images unfold. When witnesses perform lineup identifications, they may not be told that FRT was used as an investigative lead. Witnesses must report how confident they are about any identification. Officers showing images to a witness must themselves not know who the real suspect is, so they don’t mislead the witness with subtle, non-verbal clues. And photos of suspects must be shown one at a time, instead of showing all the photos at once – potentially leading a witness to select the one image that merely has the closest resemblance to the suspect. Perhaps most importantly, Detroit police officers will be trained on the proper uses of facial recognition and eyewitness identification. “The pipeline of ‘get a picture, slap it in a lineup’ will end,” Phil Mayor, a lawyer for the ACLU of Michigan told The New York Times. “This settlement moves the Detroit Police Department from being the best-documented misuser of facial recognition technology into a national leader in having guardrails in its use.” PPSA applauds the Detroit Police Department and ACLU for crafting standards that deserve to be adopted by police departments across the United States. In 2024, champions of surveillance reform in the House passed the Fourth Amendment Is Not For Sale Act – which would force government agencies to obtain probable cause warrants before collecting Americans’ most sensitive and personal data scraped from apps and sold by data brokers. House passage of this measure creates powerful momentum for this major surveillance reform, in the next Congress if not in this one. Congress also imposed strong reporting and accountability measures on the FBI. The Bureau must now report the number of times it searches, or “queries,” the communications of Americans in FISA Section 702 databases. This reform amendment also allows the leaders of both Houses of Congress and the House and Senate Judiciary and Intelligence Committees to attend hearings of the secret FISA Court – something Jim Jordan, Chairman of the Judiciary Committee, (R-OH) and Ranking Member Jerry Nadler, (D-NY), are publicly planning to do. Congress did reauthorize Section 702, the foreign intelligence surveillance authority, without requiring warrants to examine queries of the communications of Americans caught up in this global data trawl. Even here, however, there were bright spots. The advocates of the intelligence community avoided a warrant requirement for surveillance of Americans by the narrowest margin – the breaking of a tie vote. And champions of reform succeeded in moving the next reauthorization of Section 702 from five years to two years. As a result of this close vote and narrow window, debate is already well underway on ways to improve Section 702. On the negative side, House Intelligence Committee leaders managed to insert into Section 702 reauthorization a measure we called “Make Everyone a Spy” – now law – that requires many businesses with internet-related communications equipment to allow warrantless inspection of customer data. At this writing, efforts are underway to narrow this provision. Champions of Reform Throughout this year, many Members stepped forward to take a strong, bold stance for surveillance reform. These include:
Other prominent and diligent House surveillance reformers include:
In the Senate:
A new online surveillance danger to human rights, free expression, and liberty is emerging in the online world. This particular threat is not coming from Moscow or Beijing, but inexplicably from America’s own trade representative, Katherine Tai.
Until now, the open architecture of the internet has made it difficult for illiberal governments, ranging from Uganda to Venezuela, to access what is posted and shared by dissidents, members of vulnerable minorities, and disgruntled citizens. Dictators have many surveillance workarounds at their disposal, including increasingly robust spyware spreading around the globe like wildfire. But at least the open architecture of the internet makes it difficult for dictators and persecutors to confidently track or trace every text, email, and online search within their borders. It is thus out of a commitment to democracy and human rights that U.S. administrations and trade representatives have long strived to defend U.S. tech companies from being required to turn over data to be stored on local servers, which would Balkanize the internet. The United States also rejected requests from regimes that would compel U.S. tech companies to turn over their proprietary source codes so foreign governments could access the algorithms of messaging apps and digital platforms, potentially giving hostile actors access to the guts of their operations. Late last year, Trade Representative Tai withdrew support for these longstanding U.S. digital trade principles before the World Trade Organization, a vastly underreported story with consequences that are just now beginning to sink in. This will subject leading U.S. tech companies to strict regulation in virtually every market in the world. That’s an odd position for America’s trade representative – who is usually expected to safeguard the competitiveness of American companies. The consequences for privacy and human rights promise to be catastrophic. The Center for Democracy & Technology penned a coalition letter in February that itemized these negative consequences of Tai’s about-face. People’s personal data, the letter states, “can reveal who they voted for, who they worship, and who they love.” Data localization would upend a globally interoperable internet, placing this personal data firmly within reach of governments, “creating unique risks for people’s privacy, free expression, access to information, and other fundamental freedoms.” Restrictions of cross-border flows of information will restrict the ability of people to access information from around the world. And the forced disclosure of products’ source code has the potential to undermine privacy and security here in the United States. Why is Tai doing this? Her actions appear to be the result of lobbying from Federal Trade Commission Chair Lina Khan and DOJ Antitrust Chief Jonathan Kanter, who are actively encouraging global antitrust actions against large U.S. tech companies. Even if you are critical of Google, Apple, Amazon, and Meta, inviting Myanmar and Uzbekistan to regulate U.S. industries is astonishing, to say the least. Clearly, this proposal wasn’t widely vetted. Nathaniel Fick, the State Department’s Ambassador for Cyberspace and Digital Policy, testified in a hearing late last year that he learned of this sea change in U.S. policy from press reports. There are signs that Tai’s surprise kicked off a fierce debate within the administration. To be fair, the internet is far from perfectly open as it is. Some countries like India already require a degree of data localization. The Biden Administration’s effort to protect Americans’ personal data from hostile “countries of concern” like Russia and China will be portrayed by some as a step toward Balkanization. But Tai’s policy reversal kicks this trend into overdrive. It will enable foreign governments to surveil democracy activists and dissidents around the world, while heightening threats to Americans at home. This is a monumental shift in American policy. It must be more widely discussed, debated, and investigated by journalists and Members of Congress. Last year, we reported on “mail covers” – the practice of the U.S. Postal Service producing for other government agencies images of the exterior portions of envelopes to track communications between Americans. Now an exclusive in The Washington Post puts some meat on those bones.
Since 2015, postal inspectors have approved over 60,000 requests from federal agents and police officers to monitor snail mail. The Post Office approves these surveillance requests, issued without a court order, 97 percent of the time. Most of the requests come from the FBI, the IRS, and the Department of Homeland Security. Things could be worse: at one time, the Church Committee investigations of the 1970s found that the CIA had photographed the exterior portions of 2 million letters, and opened hundreds of thousands of them. In the early days of the Republic, Thomas Jefferson had so little trust in the post office that he devised an encryption scheme, which was used to share early drafts of the Bill of Rights with James Madison. The government stoutly defends this program today as legal. An 1879 U.S. Supreme Court ruling held that a warrant is needed to open an envelope, leaving open the inference that what is written on the surface of an envelope itself is fair game. This ongoing practice underscores a critical gap in privacy protections, where even the exteriors of our letters and packages can reveal much about our personal lives. Eight senators wrote the inspector general of the postal service last year objecting to this practice. “While mail covers do not reveal the contents of correspondence, they can reveal deeply personal information about Americans’ political leanings, religious beliefs, or causes they support,” the senators wrote. Senators ranging from Ron Wyden (D-OR) to Rand Paul (R-KY) are pushing for judicial oversight for these operations, aligning mail surveillance with the safeguards already required for monitoring digital communications. PPSA will track and report on their progress. “Curtilage” is a legal word that means the enclosed area around a home in which the occupant has an expectation of privacy. Within the zone of curtilage, the Fourth Amendment implications usually force law enforcement officers to obtain a warrant before they can enter. Where curtilage begins and ends has long been a matter of fine, Jesuitic distinctions, hotly contested in courts across the country.
Sometimes the boundaries are obvious. In a landmark case, the U.S. Supreme Court in 2021 held in Lange v. California that a police officer who followed a driver into his garage entered his curtilage. The officer had no right to do so without a warrant. PPSA was pleased to see the Court adopt logic similar to our amicus brief in Lange. So much for garages. Now what about doorknobs? Terrell McNeal Jr. of Mankato, Minnesota, was arrested after police obtained a probable cause warrant to enter his apartment and found controlled substances, cash, and guns. The evidence behind the warrant was derived from his doorknob. A police officer had earlier obtained a code from the apartment’s landlord to enter the structure’s interior communal space. He had proceeded to swab the doorknob of McNeal’s front door. It tested positive for two controlled substances. That was the basis of the warrant. The doorknob was tainted, to be sure. But that left a nagging legal question: Was the search warrant itself tainted by a violation of McNeal’s curtilage? A district court did not think so. It bought the prosecution’s argument that the door handle and lock were outside of McNeal’s home. A county prosecutor made this point on appeal: “If the court looks at the door itself, it prevents people from looking into the home. That doesn’t make the outside of the door curtilage.” Actually, it does, ruled the Minnesota Court of Appeals. On June 10, the appellate court found that officers have “no implied license to remove material from the door handle and lock for laboratory testing.” The court did distinguish this case from one in which a search warrant was obtained after a drug-sniffing dog found the aromatic traces of narcotics in the air in front of an apartment. But the officers in the McNeil case, the court ruled, “went a step further and collected a sample from a door handle and lock that were physically attached to and indivisible from appellant’s home.” The Minnesota Court of Appeals made the correct decision, voiding the conviction. As for McNeal, the authorities kept him in prison since his arrest more than two years ago, until the appellate court ruled in his favor. But at least the court recognized that swabbing any part of a home without a warrant is a violation of the Fourth Amendment. The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency since 2007, is a watchdog tasked with ensuring that federal counterterrorism programs have adequate safeguards for privacy and civil liberties.
It was only a few years ago that PCLOB was criticized for appearing more like a lapdog than a watchdog. After taking six years to study Executive Order 12333, which authorizes limited forms of surveillance outside of any statutory authority, PCLOB produced a public paper in 2021 that read like a high school book report. But under Sharon Bradford Franklin, Chair since February 2022, PCLOB has been a source of active inquiry and pinpoint distinctions that inform and enrich public debate on government surveillance. “Chair Bradford Franklin’s service is marked by balance,” said Bob Goodlatte, former Chairman of the House Judiciary Committee and Senior Policy Advisor for PPSA. “She has been a strong advocate for transparency in intelligence operations while respecting the need to enable classified programs that protect our homeland.” It was under Bradford Franklin’s leadership that the PCLOB Board reviewed the government's implementation of Presidential Policy Directive No. 28 (PPD-28), providing critical insights into how the intelligence community collects foreign intelligence. Her reports have been used by agencies as active guides on how to be both effective and compliant with the law. With the expiration of Bradford Franklin’s term as Chair, both the civil liberties community and the intelligence community should want her to be re-nominated. Her absence could disrupt critical reviews and oversight functions important to the United States and our European allies, including the review of privacy and civil liberties safeguards under Executive Order 14086 and the EU-US Data Privacy Framework. Some of our colleagues warn that the European Commission particularly values PCLOB’s oversight, and the absence of a Chair could jeopardize trans-Atlantic data flows. This one’s a no-brainer: The re-nomination of Sharon Bradford Franklin would ensure that PCLOB remains an independent watchdog that strengthens both civil liberties and national security. State financial officials in 23 states have fired off a letter to House Speaker Mike Johnson expressing strong opposition to a new Security and Exchange Commission program that grants 3,000 government employees real-time access to every equity, option trade, and quote from every account of every broker by every investor.
“Traditionally, Americans’ financial holdings are kept between them and their broker, not them, their broker, and a massive government database,” the state auditors and treasurers wrote. “The only exception has been legal investigations with a warrant." The state financial officers contend that the SEC's move undermines the principles of federalism by imposing a one-size-fits-all solution without considering the unique regulatory environments of individual states. They asked Speaker Johnson to support a bill sponsored by Rep. Barry Loudermilk (R-GA), the Protecting Investors' Personally Identifiable Information Act. This proposed legislation would restrict the SEC's ability to collect and centralize such vast amounts of personal financial data. As is so common with recent efforts at financial surveillance, the SEC justifies this data collection to combat insider trading, market manipulation, and to identify suspicious activities. Similar excuses are offered for the new “beneficial ownership” requirement that is forcing millions of Americans who own small businesses to send the ownership details of their businesses to the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury. But such increased vigilance comes at the expense of the privacy of millions of Americans. The sheer volume of data accessible to government employees raises concerns about potential misuse and unauthorized access. “The Securities and Exchange Commission has been barreling forward with a new system – the Consolidated Audit Trail (CAT) – which tracks every trade an individual investor makes and links it to their identity through a centralized system,” Rep. Loudermilk said. “Not only is collecting all this information unnecessary, regulators already have similar systems that don’t easily match identities with transactions, but it also creates another security vulnerability and a target for hackers.” While the SEC assures lawmakers that strict safeguards are in place – given recent high-profile hacks and All the more reason for Speaker Johnson to give Rep. Loudermilk’s bill a big push on the House floor. “Why are House Intelligence Committee Republicans so happy to carry water for the Biden Administration?” This was a question put to us by an incredulous Republican politician. He added: “Why is it that Democrats in the Senate are doing a better job of protecting privacy from the administration and the intelligence community than House Republicans?”
Here is what he was getting at: in April, the House Permanent Select Committee on Intelligence slipped into the reauthorization of Section 702 a measure that would allow the government to potentially enlist almost every kind of business to warrantlessly spy on any American’s communications contained in any kind of electronic communications equipment. Now law, this measure could force ordinary businesses – from gyms to dentists’ offices, to commercial landlords with tenants that could include political campaigns or journalists – to turn over their customers’ communications that run on ordinary systems, such as WiFi. For obvious reasons, this came to be known as the new “Make Everyone a Spy” law. In April, when the Senate prepared to reauthorize FISA Section 702, which authorizes surveillance of foreign targets located abroad, Sen. Mark Warner (D-VA) won the votes of his colleagues by frankly admitting that the House language “could have been drafted better.” He promised that the Senate Intelligence Committee would fix it with a narrower definition of covered “electronic communications service providers.” “The idea that you draw it so broad, and then try to exclude things, well, you’re never going to be able to figure out all the possible exceptions,” Warner said in an interview. True to his word, Sen. Warner led his committee to include language in the Intelligence Authorization Act that narrows the definition of a covered electronic communications service provider. The actual language of the amendment, based on an opinion by the secret FISA Court, is classified. But the Warner fix is widely believed by the media to narrow this law to cover cloud computing centers, which did not exist when the governing law, the Electronic Communications Privacy Act, was enacted in 1986 and amended more than 15 years ago. (Under current law, communication companies, like Google and Verizon, are already required to cooperate with the government on data searches for foreign threats.) That fix, however, fails to impress Rep. Mike Turner (R-Ohio) and other leading Members of the House Intelligence Committee. They are avoiding Sen. Warner’s legislation and seem determined to perpetuate the expansive definition of “Make Everyone a Spy” in the House version of the Intelligence Authorization Act. House insiders tell us that it is now up to Speaker Johnson and reform-minded Republicans to ensure that the Warner fix is made in the House legislation. Absent that, civil liberties champions will have to cross our fingers and hope that the fix will be made in a House-Senate conference committee. The doxing of donors is a danger to our democracy.
When donors give to a controversial cause, they count on anonymity to protect them from public backlash. This is a principle enshrined in law since 1958, when the U.S. Supreme Court protected donors to the NAACP from forcible disclosure by the State of Alabama. Undeterred by this precedent, California tried to enforce a measure to capture the identities of donors and hold them in the office of that state’s attorney general, despite the fact that the California AG’s office has a history of leaks and data breaches. Surprisingly, the federal Ninth Circuit upheld that plan. The Project for Privacy and Surveillance Accountability filed a brief before the U.S. Supreme Court arguing that this policy is dangerous, not just to the robust practice of democracy, but to human lives. Citizens have lost their jobs, had their businesses threatened, and even been targeted for physical violence, all because they donated to a political or cultural cause. In 2021, the Supreme Court agreed with PPSA, reversing a Ninth Circuit opinion in Americans for Prosperity v. Bonta. Still, the drive to expose donors – whether progressives going after gun rights organizations or conservatives going after protest organizations – remains a hot-button issue in state politics across the country. Politicians and groups are eager to know: Is George Soros or the Koch Foundation or name-your-favorite-nemesis giving money to a cause you oppose? Thanks to the work of the People United For Privacy (PUFP) foundation, that push to expose is now stopped cold in 20 states. With help from PUFP, bipartisan coalitions in 20 states have adopted the Personal Privacy Protection Act (PPPA) to provide a shield for donor privacy by protecting their anonymity. This movement is spreading across the country, with Alabama, Colorado, and Nebraska having passed some version of this law just this year. “Every American has the right to support causes they believe in without fear of harassment or abuse of their personal information,” says Heather Lauer, who heads People United for Privacy. “The PPPA is a commonsense measure embraced by lawmakers in both parties across the ideological spectrum.” Supporters have ranged from state chapters of the ACLU, NAACP, and Planned Parenthood to pro-life groups, gun rights groups, and free market think tanks. Thanks to this campaign, 40 percent of states now protect donors. For the remaining 60 percent, the power of the internet can expose donors’ home addresses, places of work, family members, and other private information to harassers. The need to enact this law in the remaining 30 states is urgent. Still, securing donor protection in 20 states is a remarkable record given that People United for Privacy was only founded in 2018. We look forward to supporting their efforts and seeing more wins for privacy in the next few years. As the adoption of Automated License Plate Readers (ALPRs) creates ubiquitous surveillance of roads and highways, the uses and abuses of these systems – which capture and store license plate data – received fresh scrutiny by a Virginia court willing to question Supreme Court precedent.
In Norfolk, 172 such cameras were installed in 2023, generating data on just about every citizen’s movements available to Norfolk police and shared with law enforcement in neighboring jurisdictions. Enter Jayvon Antonio Bell, facing charges of robbery with a firearm. In addition to alleged incriminating statements, the key evidence against Bell includes photographs of his vehicle captured by Norfolk’s Flock ALPR system. Bell’s lawyers argued that the use of ALPR technology without a warrant violated Bell’s Fourth and Fourteenth Amendment rights, as well as several provisions of the Virginia Constitution. The Norfolk Circuit Court, in a landmark decision, granted Bell's motion to suppress the evidence obtained from the license plate reader. This ruling, rooted in constitutional protections, weighs in on the side of privacy in the national debate over data from roadway surveillance. The court was persuaded that constant surveillance and data retention by ALPRs creates, in the words of Bell’s defense attorneys, a “dragnet over the entire city.” This motion to dismiss evidence has the potential to reframe Fourth Amendment jurisprudence. The Norfolk court considered the implications of the Supreme Court opinion Katz v. United States (1967), which established that what a person knowingly exposes to the public is not protected by the Fourth Amendment. In its decision, the court boldly noted that technological advancements since Katz have expanded law enforcement's capabilities, making it necessary to re-evaluate consequences for Fourth Amendment protections. The court also referenced a Massachusetts case in which limited ALPR use was deemed not to violate the Fourth Amendment. The Norfolk Circuit Court’s approach was again pioneering. The court found that the extensive network of the 172 ALPR cameras in Norfolk, which far exceeded the limited surveillance in the Massachusetts case, posed unavoidable Fourth Amendment concerns. The Norfolk court also expressed concern about the lack of training requirements for officers accessing the system, and the ease with which neighboring jurisdictions could share data. Additionally, the court highlighted vulnerabilities in ALPR technology, citing research showing that these systems are susceptible to error and hacking. This is a bold decision by this state court, one that underscores the need for careful oversight and regulation of ALPR systems. As surveillance technology continues to evolve, this court’s decision to suppress evidence from a license plate reader is a sign that at least some judges are ready to draw a line around constitutional protections in the face of technological encroachment. Scholl and Bednarz v. Illinois State Police We recently reported on the proliferation of automated license plate readers (ALPRs) in Virginia. Now a lawsuit from two Cook County, Illinois, residents make a Fourth Amendment claim against the growing system of ALPRs. It directly sets out the dangers such systems pose to privacy and constitutional rights.
The suit by plaintiffs Stephanie Scholl and Frank Bednarz against the Illinois State Police highlights the proliferation of license plate readers to the point of near ubiquity – 300 ALPRs across every expressway in Cook County. Calling this “a system of dragnet surveillance,” the plaintiffs write that law enforcement is “tracking anyone who drives to work in Cook County – or to school, or a grocery store, or a doctor’s office, or a pharmacy, or a political rally, or a romantic encounter, or family gathering – every day, without any reason to suspect anyone of anything, and are holding onto those whereabouts just in case they decide in the future that some citizen might be an appropriate target of law enforcement.” As with so many surveillance systems, danger to privacy lies not just in the mere collection of data, but how long it is stored and when and how it is used. The plaintiffs write that when “law enforcement chooses to investigate a citizen’s past movements, the ALPRs feed databases creating a comprehensive map of their travels, recording every time they’ve driven past ISP’s cameras – and indeed every time they’ve driven past cameras in other jurisdictions using the same database.” The vendor for these devices, Vetted Security Solutions, which uses Motorola’s “Vigilant” system, feeds every detected license plate into Vigilant’s Law Enforcement Archival Reporting Network (LEARN) national database, which holds millions of license plate images that allow millions of Americans to be tracked. The good news is that the Illinois State Police only holds its license plate data for 90 days after it is collected. But this agency is not required by law or by Vigilant policy to do so. Every law enforcement customer is allowed to set their own retention limits – or none at all. The result is potentially years’ worth of data held by law enforcement agencies that track the movements of Americans around the country. Add to this all the data that our cars and GPS systems produce, in addition to all the commercial information that is purchased by federal and local agencies, and we begin to get a sense of the scale of warrantless surveillance of Americans. We should be grateful to Scholl and Bednarz for laying out in plain English the danger license plate readers can pose to Americans. This technology is one more tile being set into an enormous mosaic of capabilities, an emerging American panopticon. It is also one more reason to spark a national discussion on what data the government should collect, and the need for warrants to track Americans. Someone has to watch the watchers, and we can all do our part not to let the government gather such dangerous surveillance powers unnoticed and unchallenged. George Orwell wrote that in a time of deceit, telling the truth is a revolutionary act.
Revolutionary acts of truth-telling are becoming progressively more dangerous around the world. This is especially true as autocratic countries and weak democracies purchase AI software from China to weave together surveillance technology to comprehensively track individuals, following them as they meet acquaintances and share information. A piece by Abi Olvera posted by the Bulletin of Atomic Scientists describes this growing use of AI to surveil populations. Olvera reports that by 2019, 56 out of 176 countries were already using artificial intelligence to weave together surveillance data streams. These systems are increasingly being used to analyze the actions of crowds, track individuals across camera views, and pierce the use of masks or scramblers intended to disguise faces. The only impediment to effective use of this technology is the frequent Brazil-like incompetence of domestic intelligence agencies. Olvera writes: “Among other things, frail non-democratic governments can use AI-enabled monitoring to detect and track individuals and deter civil disobedience before it begins, thereby bolstering their authority. These systems offer cash-strapped autocracies and weak democracies the deterrent power of a police or military patrol without needing to pay for, or manage, a patrol force …” Olvera quotes AI surveillance expert Martin Beraja that AI can enable autocracies to “end up looking less violent because they have better technology for chilling unrest before it happens.” Olivia Solon of Bloomberg reports on the uses of biometric identifiers in Africa, which are regarded by the United Nations and World Bank as a quick and easy way to establish identities where licenses, passports, and other ID cards are hard to come by. But in Uganda, Solon reports, President Yoweri Museveni – in power for 40 years – is using this system to track his critics and political opponents of his rule. Used to catch criminals, biometrics is also being used to criminalize Ugandan dissidents and rival politicians for “misuse of social media” and sharing “malicious information.” The United States needs to lead by example. As our facial recognition and other systems grow in ubiquity, Congress and the states need to demonstrate our ability to impose limits on public surveillance, and legal guardrails for the uses of the sensitive information they generate. Every moral person agrees we must fight the sexual abuse of children online. But a renewed push by the Belgian Presidency within the European Union’s executive branch would force all consumers to accept software that would annihilate any semblance of communications privacy. This would be done with government technology that would break end-to-end encryption. (Hat tip to Joe Mullin of EFF.)
In the name of catching those who traffic in Child Sexual Abuse Materials (CSAM), the EU is poised to degrade the ability of anyone to privately communicate. Worse, it could enable illicit and dangerous surveillance by bad actors. The EU had previously proposed scanning the full content of encrypted messages. In what is being sold as a new approach, the executive branch is now offering a tweaked but still problematic approach called “upload moderation.” This proposal would mandate the scanning of hyperlinks and images within encrypted messages. In theory, consumers could refuse to consent to this snooping, but they would be blocked from sharing any further photos or videos. Such coerced consent is, of course, no consent at all. What is lost in this debate is that encryption is a major protector of personal security, human rights, and liberty. In an open letter to the EU, leading civil liberties organizations – including the Center for Democracy & Technology, Mozilla, and the Electronic Frontier Foundation – warn policymakers that such technology would be dangerous “bugs in our pockets.” Such “client-side scanning” pushes surveillance beyond what is shared on the cloud directly to the user’s device. Some trolls already threaten journalists by sending them unwanted CSAM. Dictatorships could use Europe’s system to send innocuous images to dissidents that contain the correct parameters to trigger a CSAM alarm – and then use the results of that alarm to locate that person. Cartels and other criminal gangs could use it to locate witnesses. Experts demonstrate that malevolent agents can manipulate the hash database of such a system to transform it into a risk for physically locating and surveilling individuals. Victims around the world could ironically include women and children hiding in safe houses from abusers and stalkers. CSAM users are despicable criminals who deserve to be ferreted out and punished. But creating a system that eradicates all privacy in electronic communications is not the solution. |
Categories
All
|