The U.S. House of Representatives today passed the NDO Fairness Act by voice vote. This legislation would restrain the government practice of using non-disclosure orders to block service providers from informing American consumers that their personal information held by third parties, often in the cloud, has been searched by the government.
“This was a strong stand by the House that Americans are concerned about privacy and will not grant the government carte blanche to riffle through our personal data in defiance of the Fourth Amendment to the Constitution,” said Bob Goodlatte, PPSA senior policy advisor and former Chairman of the House Judiciary Committee. “This measure earlier passed the Judiciary Committee by a unanimous, bipartisan voice vote – a good sign of how popular it is on both sides of the aisle. And kudos to Chairman Jerry Nadler and Ranking Member Jim Jordan for driving it to a successful floor vote.”
The Project for Privacy and Surveillance Accountability earlier joined with 11 other leading civil liberties organizations in sending a letter (see below) to every Member of the House urging passage.
“PPSA will now join with our civil liberties peer organizations to encourage passage of this legislation in the Senate,” Goodlatte said. “There is great support behind this bill by the American people, which should provide enough momentum to expeditiously propel this bill to final passage.”
This bill, H.R. 7072, passed by a unanimous, bipartisan voice vote in the House Judiciary Committee on April 6. Once enacted into law, this measure will rein in the widespread practice by the government in surveilling Americans’ email and internet records and then obtaining a non-disclosure order (NDO) to block service providers from notifying their customers that their personal information has been searched.
Under current practice, thousands of Americans – including many who are not even under investigation or suspected of any wrongdoing – will never know that records that could potentially reveal their health status, financial transactions, and personal relationships have been disclosed to the government. Recent media reports reveal that federal agencies have obtained non-disclosure orders when demanding the private data of Members of Congress, journalists at major news outlets, and law-abiding companies. If powerful individuals and institutions can be targeted in secret, just imagine how little power the average individual has in the face of such actions.
People who have been subject to surveillance should have a right to know that their personal information has been obtained by the government. Among other things, the secrecy imposed by a non-disclosure order has the effect of denying the person being investigated the ability to challenge such an order in court. In such cases, there may be no way to hold the government accountable for unlawful surveillance—a state of affairs that only increases the likelihood of improper conduct by the government.
The NDO Fairness Act is an important first step toward bringing balance to this system by amending 18 U.S.C. 2705 to require prosecutors to justify their non-disclosure orders in court and limit both initial orders and any extensions to a reasonable time period of 60 days. It would also require notice to customers 72 hours after these orders expire, including what information was disclosed.
This Act is not a comprehensive solution to the problem of notice. There are service providers who do not provide notice to their customers when the government obtains their data. In many of those cases, the targets of surveillance will continue to be unaware of the surveillance, as the government’s own legal obligations to notify the targets are far too weak. Nonetheless, the NDO Fairness Act makes a significant improvement to the status quo and could serve as a model for further efforts to contain secret government surveillance and data collection.
That is no doubt why the NDO Fairness Act enjoys wide, bipartisan support in the Judiciary Committee. It was introduced by Chairman Jerry Nadler and Rep. Scott Fitzgerald, and the committee markup session featured enthusiastic support from Ranking Member Jordan as well as other leading members of both parties.
The NDO Fairness Act is an important curb on governmental power that will help protect our rights without weakening the government’s ability to identify wrongdoers. We urge you to support the Act. And we stand ready to support and amplify your efforts.
Advocacy for Principled Action in Government
American Civil Liberties Union
Americans for Prosperity
Brennan Center for Justice at NYU School of Law
Free Press Action
Government Information Watch
Muslim Justice League
Project for Privacy and Surveillance Accountability
Restore The Fourth
Court Sets Sept. 15 for Oral Arguments in Appeal
Oral arguments in a federal lawsuit against six government agencies over their stonewalling about “unmasking” and surveillance of the 2016 presidential campaign and transition has been set for September 15.
The general counsel of the Project for Privacy and Surveillance Accountability had filed the appeal in January before the U.S. Court of Appeals for the D.C. Circuit. The lawsuit is challenging the refusal of the agencies to respond to its Freedom of Information Act (FOIA) requests seeking information on the surveillance of campaign and transition officials in the 2016 election.
The FOIA requests filed with the Department of Justice, the FBI, CIA, National Security Agency, Department of State and the Office of the Director of National Intelligence sought records regarding the unmasking and “upstreaming,” or the interception of internet communications, of people, including Members of Congress, who were affiliated with the Trump campaign and transition.
The agencies responded by issuing “Glomar” responses that refuse to confirm or deny the existence of such records.
Gene Schaerr, PPSA general counsel, who filed the appeal, said: “We ask the court to understand that judicial doctrine is being distorted into a cover-up of alarming misbehavior by the U.S. intelligence community. Americans deserve to know if our government has used its sweeping surveillance authority under the Foreign Intelligence Surveillance Act as a political weapon wielded against the campaign and presidential transition team of an opposing party.
“However you feel about the candidate in question, Donald Trump, what was done to him in 2016 can be done by an administration of either party in a future election,” Schaerr said.
When it comes to digital privacy, Americans feel like a well-dressed person caught in the rain without an umbrella. At first, you try to wait it out under an eave. Then you accept getting a little bit wet. Finally, when your clothes are thoroughly soaked, you just give up.
When it comes to digital privacy, Americans have long accepted we couldn’t get any wetter. The social media services and apps we use track and sell our location history, our contacts, our communications, our purchases and (most revealing) our web searches. These data points, like the dots in a pointillistic painting, create a portrait of users with great detail. These portraits are then sold by data brokers to government agencies and commercial entities.
A recent Apple commercial portrayed this process by putting a young woman’s virtual self on an auction block. In the ad, the heroine Ellie turns on Apple’s privacy devices, vaporizing her would-be auctioneers. But such controls on a smartphone only involve a small portion of the torrents of information that are collected about us and sold wholesale.
So just when many are ready to declare the death of privacy, a bicameral, bipartisan group of legislators have put forward a discussion draft of the American Data Privacy and Protection Act (ADPPA). In a House hearing on Tuesday morning, this bill drew robust discussion from civil rights groups, digital reformers, and industry-allied organizations. This legislation is the first attempt at a comprehensive, national approach to, in the words of House Energy and Commerce Committee Chairman, Rep. Frank Pallone put “consumers back in control of their data and protecting their privacy.”
Under ADPPA, companies would have to obtain consumers’ consent for them to collect, process or transfer sensitive personal information. Affirmative consent would be required before the data of children between ages 13 and 17 could be transferred. The Federal Trade Commission (FTC) would form a Young Privacy Marketing Division to police the use of children’s data.
Best of all, the shadowy world of data brokers would be exposed to sunlight, with a public online registry created by FTC and third-party audits of how these brokers share information with others.
ADPPA would preempt some state privacy laws, while granting an exemption for the Illinois Biometrics Information Privacy Act (recently used to extract a sweeping settlement in the privacy practices of facial recognition provider Clearview AI), and California’s Privacy Rights Act. Other states with recent privacy laws are preempted, which Govtech.com writes “reeks of backroom dealing.”
The current draft includes a limited private right of action, which would allow individuals to bring suits for privacy violations after giving industry four years to adjust. Federal Trade Commission enforcement would be strengthened, and state attorneys general would be empowered to act against data holders who violate ADPPA. Companies would be given a limited right to cure a problem, which would give them standing to seek injunctive relief.
The discussion that took place in the House Subcommittee on Consumer Protection and Commerce reveals serious legislation with major issues to resolve. Here are a few of them.
How far should preemption of state privacy laws go?
Colorado, Texas, Virginia, Utah, and Connecticut have passed their own privacy laws. Will they eventually be excluded from preemption along with those of California and Illinois? If they are, do we run the risk of balkanizing the internet?
“American consumers and businesses deserve the clarity and certainty of a single federal standard for privacy,” said Former FTC Commissioner Maureen Ohlhausen.
Can we protect personal data by degrees of sensitivity without degrading the ability of digital commerce to function?
One goal of the bill is to have data minimization, which tasks companies with using only data that is needed for a given transaction. But can a law define the limits of what is needed?
John Miller of the Information Technology Industry Council noted that one provision, “information identifying an individual’s online activities over time or across third party websites or online services” could create restrictions for routine browsing. Or, as Ohlhausen put it, the bill “creates uncertainty for routine operational uses of information that are necessary to serve customers and operate a business.”
How broad should the private right of action be for individuals?
“The current proposal inserts several procedural hurdles that will not reduce litigation costs but will block injured individuals from having their day in court,” said David Brody, managing attorney of the Digital Justice Initiative Lawyers’ Committee for Civil Rights Under Law. “The private right of action in the Act is weak and difficult to enforce.”
John Miller countered, “while it is true neither punitive nor statutory damages are permitted” under the bill’s private right of action, “the availability of attorney’s fees could encourage the filing of borderline meritorious cases by specialized attorneys charging exorbitant hourly rates.”
Should government purchases of Americans’ personal data be included in the bill?
One issue that was not addressed on Tuesday is the frequent sale of Americans’ personal data to the government, a problem addressed by the proposed Fourth Amendment Is Not For Sale Act. Any privacy solution should look beyond the private uses of data by businesses to those of law enforcement and intelligence agencies. After all, only the government can use your information to bang down your door at dawn and arrest you.
There were further debates about how the bill might impact the ability of companies to handle cybersecurity threats, and whether small businesses would get tagged with onerous provisions aimed at tech giants. The legislative process in the House and Senate will have to untangle these and many other knotty issues to make this law workable. Yet the hearing room echoed with statements of determination by leaders in both parties to make a national privacy law a reality.
In the early post-Cold War era, anti-Communist crusaders were often accused of being hysterical, seeing Communists under their beds. Now a report from Christopher Balding and Joe Wu, researchers at New Kite Data Labs, sees the Chinese Communist Party inside coffee makers in American homes. And they are not crazy.
This alarming report is a consequence of the Internet of Things (IoT), in which ordinary appliances are given smart applications to interact with each other, as well as to report on performance and consumer behavior. According to Balding, interviewed by The Washington Times, Chinese-made coffee makers gather and report information about customers’ names, their locations, usage patterns and other information. In hotels, a coffee maker could report to China types of payments and routing information.
Similar issues have been found with vacuum cleaners that respond to voice commands, baby monitors and video doorbells.
The Chinese government has famously built a “panopticon,” a ubiquitous surveillance network that seamlessly integrates facial recognition, social media activities, payments, and other data to potentially track every citizen of that country. IoT, by design but mostly by technological evolution, is rapidly scaling the capacity to bring universal surveillance into the homes of the world.
Done Either to Hide an Embarrassment or to Politicize Official Actions
A record produced by the Office of the Director of National Intelligence (ODNI) in response to a 2020 Freedom of Information Act (FOIA) request by PPSA indicates that the White House in 2018 had directed the ODNI to classify an action to prevent embarrassment or stop disclosure of something official that had been done for political purposes.
This is the tantalizing glimpse into one of two heavily redacted ODNI records produced by that agency in response to a FOIA request filed by PPSA seeking documents from a wide range of agencies that contain references to Executive Order 13526. That order, issued by President Obama, was meant to streamline government classification of documents.
The action at the heart of this memo is redacted. But the fact that ODNI disclosed this record in response to a FOIA request about challenges to classification decisions strongly suggests that the action did involve classification. Under EO 13526, officials are forbidden from classifying documents to prevent embarrassment or to hide an error. The redacted, partially declassified Top Secret document sent by an investigative analyst to the Assistant Inspector General for Investigations at ODNI confirms that a confidential complaint had centered around an act intended to “prevent embarrassment and for political purposes.”
The Inspector General of the Intelligence Community decided not to conduct its own investigation, purportedly because this matter fell outside of its purview to investigate “waste, fraud and abuse.” It did refer the complaint to two ODNI offices, the Office of Civil Liberties, Privacy, and Transparency, and the Office of Analytic Integrity and Standards Group.
Civil libertarians and journalists should dig into the remaining questions: Who in the White House issued this request? What was the act itself and what was the classification meant to hide? And finally, what was the ultimate disposition of this investigation?
PPSA will report any new revelations in our inquiry.
Opinion piece by PPSA Senior Policy Advisor, Bob Goodlatte, on The Hill.
The FBI searches through databases of foreign communications in a program that Congress created specifically to catch foreign terrorists and spies. But the FBI uses this same program to glean private information about American citizens and our communications. These so-called “U.S. person queries” are transforming one of the most powerful and invasive surveillance authorities — Section 702 of the Foreign Intelligence Surveillance Act — into a means for FBI agents to spy on Americans without a warrant, gutting the Fourth Amendment of the Constitution.
With the pandemic under control and the summer solstice two weeks away, millions of Americans are once again daring to travel to foreign destinations. Many might be concerned about world events intruding on the ability to travel. But few are ready for how intrusive government surveillance of our personal digital devices can be at the U.S. border.
This is a good time, then, to turn to the Electronic Frontier Foundation, and the primer written by Sophia Cope, Amul Kalia, Seth Schoen and Adam Schwartz on the legal, constitutional, and practical aspects of the government’s digital surveillance at the border. This paper, now a few years old, remains a thorough account of what happens at international airports, seaports and entry stations at U.S. land borders with Canada and Mexico.
On the practical side, EFF’s paper advises travelers on how to use encryption and cloud storage to prepare data for the U.S. border. It explains how Customs and Border Protection can worm past encryption and under some circumstances view your data on the cloud. It advises travelers on how to avoid behavior that attracts suspicion and how to calmly deal with requests for passwords into one’s devices.
The border is a privacy disaster because the sum of federal courts’ decisions leaves the Fourth Amendment at the border as more of an aspiration than a constitutional stricture on government behavior.
This hash of a doctrine arises out of the Supreme Court application of a “border search exception” to protect the integrity of the U.S. border. Courts parsed this doctrine to make distinctions between “routine” searches that do not require suspicion of a particular individual, and “highly intrusive” searches that impact the “dignity and privacy” of individuals (and yes, that’s exactly what it sounds like). The latter kind of search requires an “individualized suspicion.”
In a grey zone are searches of Americans’ and other travelers’ digital devices. PPSA has reported on the routine sweeping of Americans’ laptops, cellphones, tablets and other digital devices on returning to the United States from abroad. Electronic devices are searched at the border tens of thousands of times every year.
In denying police the ability to examine all the contents of a suspect’s cellphone without a warrant in Riley v. California (2014), the Supreme Court made an eloquent defense of digital technology as holding “the privacies of life.” Let us hope the courts take a closer look and find that this is just as true at the border.
In a 6-3 decision today, the U.S. Supreme Court granted U.S. Customs and Border Patrol agents who violate the Fourth Amendment and other provisions of the U.S. Constitution almost total immunity from lawsuits. This ruling shrinks the scope of Bivens v. Six Unknown Agents (1971), in which the Court held that a “violation of [the Fourth Amendment] by a federal agent acting under color of his authority gives rise to a cause of action for damages.”
In January, PPSA had filed an amicus brief on behalf of Robert Boule in his quest to obtain justice after being warrantlessly searched and manhandled by Border Patrol Agent Erik Egbert near the Canadian border.
PPSA had noted that since the Magna Carta, the right to sue the Crown for a violation of one’s rights has been a basic principle of English law. Shortly after the American Revolution, U.S. federal courts recognized a common-law right of individuals to sue government officials for damages to remedy violations of foundational law. As English jurist William Blackstone noted, it would be an “absurdity in any system of positive law, to define any possible wrong, without any possible redress.”
Similar logic appears in the sharp, though partial dissent of Justice Sonia Sotomayor, joined by Justices Stephen Breyer and Elena Kagan. She noted the extent to which Bivens has been narrowed. Justice Sotomayor wrote:
“Respondent Robert Boule alleges that petitioner Erik Egbert, a U.S. Customs and Border Patrol agent, violated the Fourth Amendment by entering Boule’s property without a warrant and assaulting him. Existing precedent permits Boule to seek compensation for his injuries in federal court …
“The Court goes to extraordinary lengths to avoid this result: It rewrites a legal standard it established just five years ago, stretches national-security concerns beyond recognition, and discerns an alternative remedial structure where none exists. The Court’s innovations, taken together, enable it to close the door to Boule’s claim and, presumably, to others that fall squarely within Bivens’ ambit.”
Justice Sotomayor was clear that she does not believe that today’s ruling overrules Bivens. But, she wrote, “it nevertheless contravenes precedent and will strip many more individuals who suffer injuries at the hands of other federal officers, and whose circumstances are materially indistinguishable from those in Bivens, of an important remedy.”
PPSA will remain alert to other efforts to curtail Americans’ ability to protect their rights by suing law enforcement officers when they violate the law.
A conversation between former House Judiciary Chairman Bob Goodlatte and Liza Goitein of the Brennan Center.