Government Promises to Protect Personal Data While Collecting and Using Americans’ Personal Data10/21/2024
Digital data, especially when parsed through the analytical lens of AI, can detail almost every element of our personal lives, from our relationships to our location histories, to data about our health, financial stability, religious practices, and political beliefs and activities.
A new blog post from the White House details a Request for Information (RFI) from OMB’s Office of Information and Regulatory Affairs (OIRA) seeking to get its arms around this practice. The RFI seeks public input on “Federal agency collection, processing, maintenance, use, sharing, dissemination, and disposition of commercially available information (CAI) containing personally identifiable information (PII).” In plain language, the government is seeking to understand how agencies – from the FBI to the IRS, the Department of Homeland Security, and the Pentagon – collect and use our personal information scraped from our apps and sold by data brokers to agencies. This request for public input follows last year’s Executive Order 14110, which represented that “the Federal Government will ensure that the collection, use, and retention of data is lawful, is secure, and mitigates privacy and confidentiality risks.” What to make of this? On the one hand, we commend the White House and intelligence agencies for being proactive for once on understanding the privacy risks of the mass purchase of Americans’ data. On the other hand, we can’t shake out of our heads Ronald Reagan’s joke about the most terrifying words in the English language: “I’m from the government and I’m here to help.” The blog, written by OIRA administrator Richard L. Revesz, points out that procuring “CAI containing PII from third parties, such as data brokers, for use with AI and for other purposes, raises privacy concerns stemming from a lack of transparency with respect to the collection and processing of high volumes of potentially sensitive information.” Revesz is correct that AI elevates the privacy risks of data purchases. The government might take “additional steps to apply the framework of privacy law and policy to mitigate the risks exacerbated by new technology.” Until we have clear rules that expressly lay out how CAI is acquired and managed within the executive branch, you’ll forgive us for withholding our applause. This year’s “Policy Framework for Commercially Available Information” released by Director of National Intelligence Avril Haines, ordered all 18 intelligence agencies to devise safeguards “tailored to the sensitivity of the information” and produce an annual report on how each agency uses such data. It is hard to say if Haines’ directive represents a new awareness of the Orwellian potential of these technologies, or if they are political theater to head off legislative efforts at reform. Earlier this year, the U.S. House of Representatives passed the Fourth Amendment Is Not For Sale Act, which would subject purchased data to the same standard as any other personal information – a probable cause warrant. The Senate should do the same. The government’s recognition of the sensitivity of CAI and accompanying PII is certainly a step in the right direction. It is also clear that intelligence agencies have every intention of continuing to utilize this information for their own purposes, despite lofty proclamations and vague policy goals about Americans’ privacy. To quote Ronald Reagan again, when it comes to the promises of the intel community, we should “trust but verify.” The recent approval of the House Intelligence Committee’s annual intelligence policy bill sets up a critical moment for the ongoing debate over surveillance powers, particularly the controversial FISA Section 702. While the bill does not include a provision to narrow the definition of "electronic communication service providers" (ECSP), this issue will soon come to a head in the House-Senate conference. Rep. Jim Himes (D-CT) signaled his acceptance of Senate Intelligence Chair Mark Warner’s "technical fix," which would narrow the scope of the ECSP definition. Himes said the change “would be totally fine with me,” and that “I always believed that the language was overbroad in the initial amendment…” This change would prevent ordinary businesses—like coffee shops or small offices—from being forced to assist in government surveillance. While Himes expressed he would be "totally fine" with Warner’s proposal, the issue has yet to be fully debated or incorporated into House legislation. We’ve seen efforts at reform falter before, and the final outcome will be determined behind closed doors in the House-Senate conference, where transparency is sorely lacking. As we’ve previously noted, broadening the ECSP definition without clear limitations would create a “Make Everyone a Spy” law, enlisting small businesses into the surveillance apparatus. Moreover, the administration’s reassurance that the law will only be applied to specific providers, based on a classified FISA court decision, is insufficient. History shows that such promises often erode over time, allowing the intelligence community to expand its surveillance reach through legal loopholes. John Wiegmann, the new top lawyer for the Office of the Director of National Intelligence, also supported Warner’s. But as with everything, we want to see the changes in writing in the bill. The closed-room conference between the House and Senate is where these decisions will play out, but the lack of public scrutiny makes it a fraught process. Given past betrayals on surveillance reform, we have ample reason for anxiety. Privacy advocates must remain vigilant and press for real reforms that ensure no further expansion of surveillance powers. The House and Senate need to guarantee that any changes made truly limit the scope of ECSPs and protect Americans from warrantless data collection. PPSA will be monitoring this situation closely as it unfolds. The Project for Privacy and Surveillance Accountability recently submitted a series of FOIA requests to law enforcement and intelligence agencies seeking critical information on how the agencies handle data obtained through the use of cell-site simulators, also known as Stingrays or Dirtboxes, which impersonate cell towers and collect sensitive data from wireless devices. Specifically, PPSA submitted requests to DOJ, CIA, DHS, NSA, and ODNI. These requests focus on what happens after the government collects this data. As PPSA’s requests state, PPSA “seeks information on how, once the agency obtains information or data from a cell-site simulator, the information obtained is used.” We are particularly interested in learning about the agencies’ policies for data retention, usage, and deletion, especially for data collected from individuals who are not the target of surveillance. PPSA has long been concerned with the invasive nature of these surveillance tools, which capture not only targeted individuals' data but also data from anyone nearby. As we previously stated in a 2021 FOIA request, “this technology gives the government the ability to conduct sweeping dragnets of metadata, location, and even text messages from anyone within a geofenced area.” These FOIA requests specifically demand transparency about what happens after the government collects such data. We seek records regarding policies on data retention, use, and destruction, particularly for information unrelated to surveillance targets. As our requests state, “PPSA wishes to know what policies govern such use and what policies, if any, are in place to protect the civil liberties and privacy of those whose data might happen to get swept up in a cell-site simulator’s data collection activities.” As we previously highlighted, Stingrays represent a significant intrusion into personal privacy, and we are committed to holding the government accountable for its use of such tools. By pursuing these requests, we aim to inform the public about the scope and potential risks of the agencies’ surveillance activities, and to push for greater safeguards over Americans’ private information. PPSA will continue to push towards transparency, and we will keep the public informed of our efforts. An important analysis from Real Clear Investigations probes the extent to which censorship abroad threatens the First Amendment here at home. Writer Ben Weingarten asks whether foreign demands that domestic media companies operating abroad comply with those nations’ often far more censorial legal requirements will lead in turn to more censorship here at home. The preponderance of the evidence suggests bad news for fans of the First Amendment. Weingarten points specifically to the European Union’s Digital Services Act, which imposes content moderation standards that far exceed what would be considered constitutional in the United States. For example, companies doing business in the EU must combat “illegal content online,” which includes the disfavored rhetoric like “illegal hate speech.” Writes Weingarten: “Platforms also must take ‘risk-based action,’ including undergoing independent audits to combat ‘disinformation or election manipulation’ – with the expectation those measures should be taken in consultation with ‘independent experts and civil society organisations.’ The Commission says these measures are aimed at mitigating ‘systemic issues such as … hoaxes and manipulation during pandemics, harms to vulnerable groups and other emerging societal harms’ driven by ‘harmful’ but not illegal content.” What’s more, investigations pursuant to the DSA can result in fines of up to 6% of annual global revenue, a potential outcome likely to give companies like X and Facebook pause when considering whether to comply with the invasive oversight of European bureaucrats and NGOs serving as arbiters of the appropriate. Then there’s the question of whether social media companies that agree to the EU’s demands are likely to run parallel services – for example, a DSA compliant version of X and another that is consistent with the requirements of the First Amendment. Elon Musk seemed willing to abandon Brazil after that country banned X for failing to de-platform the account of former president Jair Bolsonaro. (Though Musk’s company is now very much back in business there.) But the EU is a much bigger market with a lot more monetizable users. As Weingarten documents, the punishment of media companies abroad for speech that is well within the bounds of the First Amendment is a growing trend – not just in the EU but also in countries like the UK and Australia. And Weingarten reserves no small amount of criticism for the Biden Administration’s silence – and even capitulation – in the face of such foreign censorship. Bills like the No Censors on our Shores Act, which could “punish foreign individuals and entities that promote or engage in the censorship of American speech,” offer one potential solution to foreign censorship creep. So do articles like Weingarten’s, which provide a much-needed diagnosis of our speech-related ailings and failings. The Cato Institute is challenging the FBI and Department of Justice in court to demand transparency regarding the government’s warrantless surveillance practices under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The lawsuit, brought under the Freedom of Information Act (FOIA), seeks the release of records on how well the FBI is complying with restrictions placed on the use of this controversial program. Section 702 allows U.S. agencies to monitor communications between foreigners abroad, but it has also been used to capture the communications of Americans, leading to allegations of overreach and privacy violations. Despite bipartisan efforts in Congress to reform or even dismantle Section 702, the public has been kept in the dark about whether any meaningful changes have occurred. Cato has been stonewalled in its efforts to obtain information that could reveal the extent of this surveillance. As Cato Senior Fellow Patrick Eddington pointed out: “When the FBI stonewalls public records requests about a massive surveillance program that gobbles up billions of communications yearly — including yours and mine — it’s violating the law… A law its agents and managers are sworn to uphold.” This case is about more than just documents; it’s about shedding light on potential abuses of power and ensuring that the law protects ordinary citizens from unwarranted government surveillance. The lawsuit raises an essential question about the balance between national security and civil liberties. Without transparency, it's impossible to know whether surveillance programs are being misused or if they adequately protect Americans’ privacy. Cato’s case is a crucial step toward uncovering whether the FBI is following the legal limits placed on Section 702 or if it continues to overreach under the cover of secrecy. If successful, this case could force the government to reveal whether it is truly adhering to the law in its use of FISA's broad surveillance powers. At stake is the privacy of millions of Americans whose communications could be intercepted without their knowledge or consent. This case deserves attention from everyone who values privacy and accountability. PPSA is proud to support Cato’s efforts to push for a future where government overreach is kept in check and individual liberties are safeguarded. We look forward to further developments in this case. The intelligence agencies are, on paper, subject to congressional oversight. From the Senate’s Church Committee that revealed CIA misdeeds in the 1970s, to the current revelations of the House Judiciary Committee about domestic political surveillance by the federal government, the nation has benefited from the watchdog role of Congress.
But such moments are rare. Many congressional attempts to peer into the actual intelligence operations of federal agencies amount to howling in the wind. Often, the agencies don’t bother to even answer congressional queries with substantive responses, if they reply at all. This includes efforts to learn if the agencies are spying on those tasked with overseeing them. The arrogance of the agencies arises from the fact that Congress doesn’t know what it is overseeing. Often accused of fishing expeditions by the intelligence community, Congress is reduced to fishing for the lack of a diving mask to see clearly. When few congressional staff members are given the top secret/sensitive clearances, they cannot inform their bosses what is actually going on within the intelligence agencies. Historically, only a few staffers for a few select committees, such as the House and Senate intelligence committees, were given clearances. The actual Members of these committees, tasked with many other responsibilities, simply don’t have the time to go into a secure compartment to do a deep dive into the hundreds of pages of classified documents that reveal how federal agencies might be conducting warrantless surveillance on Americans. In 2021, Majority Leader Chuck Schumer changed that for the Senate. He took the bold step to improve oversight by the Senate by allowing top secret/sensitive clearance to be available for one personal aide per senator. The intelligence community and its champions on the Hill now resolutely oppose, behind the scenes of course, extending a similar rule to one personal aide for each House Member. Members should take this as the calculated insult that it is. Every aide granted clearance, like those in the Senate, would have to clear an FBI background check. The idea that a few hundred clearances cannot be extended to trusted advisors of House Members accountable to their constituents is laughable given that the federal government itself issues an estimated 1.3 million top-secret security clearances to people working in the intelligence community and consultants. Yet only a small number of staffers in the U.S. House of Representatives are allowed to review top secret information for their Members. The good news is that it doesn’t have to be this way. We don’t need a new law. All that is needed is for the next Republican or Democratic House majority to ensure that wider access to clearances is part of the House Rules package for the 119th Congress that begins in January. Even without enhanced Congressional oversight, what we have learned about federal government surveillance abuse has kept PPSA busy since we began five years ago. What we don’t know is undoubtedly more significant. House Members of all political leanings have a stake in extending Congressional oversight in a healthy way. What better way to kick off the next Congress? Sen. Mike Lee (R-UT) is advancing his new Saving Privacy Act to protect Americans’ personal financial information from warrantless snooping by federal agencies.“The current system erodes the privacy rights of citizens, while doing little to effectively catch true financial criminals,” Sen. Lee said. The bill’s co-sponsor, Sen. Rick Scott (R-FL), added: “Big government has no place in law-abiding Americans’ personal finances. It is a massive overreach of the government and a gross violation of their privacy.”
Are these two senators paranoid? Or are they reacting to genuine “massive overreach” from a government that already illicitly spies on Americans’ personal finances? Consider what PPSA has reported in the last three years:
“Traditionally, Americans’ financial holdings are kept between them and their broker, not them, their broker, and a massive government database,” state auditors and treasurers wrote in a recent letter to House Speaker Mike Johnson. “The only exception has been legal investigations with a warrant.”
TRAC sucks in wire transfers within the United States between American citizens, as well as with those sending or receiving money from abroad. Sen. Wyden told The Wall Street Journal that TRAC lets the government “serve itself an all-you-can-eat buffet of Americans’ personal financial data while bypassing the normal protections for Americans’ privacy.”
Could that actually happen? It did across the border, when the Canadian government used emergency powers to debank truckers engaged in a political protest. At home, the tracking of Americans’ spending is a Fourth Amendment violation that inevitably leads to the degradation of the First Amendment.
Sen. Lee’s bill counters this financial surveillance state by repealing many of the reporting requirements of the Bank Secrecy Act. It also repeals the Corporate Transparency Act (which forces small businesses to reveal their ownership), closes the SEC’s database on Americans’ trades, prohibits the creation of a Central Bank Digital Currency, and requires congressional approval before any agency can create a database that collects personally identifiable information of U.S. citizens. Finally, Sen. Lee’s Saving Privacy Act would institute punishments for federal employees who release Americans’ protected financial information, while establishing a private right of action for Americans and financial institutions harmed when their privacy is compromised by the government. The Saving Privacy Act is a landmark bill that deserves to become the basis of debate and action in the next Congress. A whitepaper from social media company Meta presents a startling new reality in bland language. It claims that magnetoencephalography (MEG) neural imaging technology “can be used to decipher, with millisecond precision, the rise of complex representations generated in the brain.”
In layman’s terms, AI can crunch a person’s brainwaves and apply an image generator to create an astonishingly accurate representation of what a person has seen. Paul Simon was right, these really are the days of miracles and wonders – and also of new threats to personal privacy. (If you want to see this science-fictional sounding technology in action, check out these images from science.org to see how close AI is to representing images extrapolated from brain waves.) Until now, even in a total surveillance state such as North Korea or China, netizens could have their faces, movements, emails, online searches and other external attributes recorded throughout the day. But at least they could take comfort that any unapproved thoughts about the Dear Leader and his regime were theirs and theirs alone. That is still true. But the robustness of this new technology indicates that the ability of brain data to fully read minds is not far off. Researchers in China in 2022 announced technology to measure a person’s loyalty to the Chinese Communist Party. A number of non-invasive brain-wave reading helmets are on the U.S. market for wellness, education, and entertainment. The Members of the California State Assembly and Senate were sufficiently alarmed by these developments to follow the example of Colorado and regulate this technology. This new law amends the California Consumer Privacy Act to include “neural data” under the protected category of “personal sensitive information.” On Saturday, Gov. Gavin Newsom signed that bill into law. Under this new law, California citizens can now request, delete, correct, and limit what neural data is being collected by big tech companies. We know what you’re thinking, would I be sufficiently concerned about my privacy that I would register with a state-mandated database to make changes to my privacy profile? Actually, that was just our best guess about what you’re thinking. But give it a few years. The Customs and Border Patrol (CBP) has little respect for the Fourth Amendment. From international airports to border stations, Americans returning from abroad often fall prey to the routine CBP practice of scanning their laptops, mobile phones, and other digital devices without a warrant.
As if that were not enough, CBP also scans people’s faith, violating their First Amendment rights as well. Consider the case of Hassan Shibly, a U.S. citizen and student at the University of Buffalo Law School. When he returned to the United States in 2010 with his wife, a lawful permanent resident, and their seven-month-old son, from a religious pilgrimage and family visit in the Middle East, Shibly was taken aside by CBP agents. A CBP officer asked him: “Do you visit any Islamist extremist websites?” And: “Are you part of any Islamic tribes?” And then the kicker: “How many gods or prophets do you believe in?” Other returning Muslim-Americans are interrogated about the mosques they attend, their religious beliefs, and their opinions about the U.S. invasion of Iraq and support for Israel. One New Jerseyan, Lawrence Ho, attended a conference in Canada and returned to the United States by car. He was asked: “When did you convert?” Ho does not know how the agent knew he had converted to Islam. A group of Muslim-Americans, fed up by this treatment, are now being represented by the American Civil Liberties Union in a suit before the Ninth Circuit Court of Appeals against CBP for civil rights violations. The plaintiffs are correct that subjecting Americans to deep questions about their faith – as a condition to reentry to their home – violates their First Amendment rights, as well as the Religious Freedom Restoration Act (RFRA). Ashley Gorski, senior staff attorney with ACLU’s National Security Project, said that “this religious questioning is demeaning, intrusive, and unconstitutional. We’re fighting for our clients’ rights to be treated equally and to practice their faith without undue government scrutiny.” To be fair, CBP has its work cut out for it when it comes to screening the border for potential terrorists. And we should not avert our eyes to the fact that there are sick and dangerous ideologies at work around the world. But we are also fairly confident that actual terrorists would not be stumped by the kind of naïve and unlawful interrogations CBP has imposed on these returning Americans. Heavy-handed questions about adherence to one of the great world religions doesn’t seem to be a useful security strategy or a demonstration that our government is familiar with its own Constitution. A Federal Trade Commission staff report released last week got huge play in the media. We were bombarded by stories about the FTC’s report that Meta, YouTube, and other major social media and video streaming companies are lax in controlling and protecting the data privacy of users, especially children and teens.
There is much in this report to consider, especially where children are concerned. But there was also a lot that was off-target and missing. The FTC’s report blithely recommended that social media and video streaming companies abandon their practice of tracking users’ data. This would be no small thing. Without the tracking that allows Facebook to know that you’re an aficionado of, say, old movie posters, you would not receive ads in your feed trying to sell you just that – old movie posters. Forbid the trade-off in which we give away a bit of our privacy for a free service, and overnight large social media companies would collapse. Countless small businesses would lose the ability to go toe-to-toe with big brands. Trillions of dollars in equity would evaporate, degrading the portfolio of retirees and putting millions of Americans out of work. In a crisply written concurring and dissenting statement, FTC Commissioner Andrew Ferguson notes that the FTC report “reveals this mass data collection has been very difficult to avoid. Many of these products are necessities of modern life. They are critical access points to markets, social engagement, and civil society.” Ferguson looks beyond what the advertising logarithms of Meta or Google do with our data. He looks to how our data is combined with information from a host of sources, including our location histories from our smartphones, to enable surveillance. It is this combination of data, increasingly woven by AI, that creates such comprehensive portraits of our activities, beliefs and interests. These digital dossiers can then be put up for sale by a third-party data broker to any willing buyer. Ferguson writes: “Sometimes this information remains internal to the company that collected it. But often, they share the information with affiliates or other third parties, including entities in foreign countries like China, over which the collecting company exercises no control. This information is often retained indefinitely, and American users generally have no legal right to demand that their personal information be deleted. Companies often aggregate and anonymize collected data, but the information can often be reassembled to identify the user with trivial effort. “This massive collection, repackaging, sharing, and retention of our private and intimate details puts Americans at great risk. Bad actors can buy or steal the data and use them to target Americans for all sorts of crimes and scams. Others, including foreign governments who routinely purchase Americans’ information, can use it to damage the reputations of Americans by releasing, or threatening to release, their most private details, like their browsing histories, sexual interests, private political views, and so forth.” We would add that the FBI, IRS, and a host of other federal law enforcement and intelligence agencies also purchase our “dossiers” and access them without warrants. As dangerous as China is, it cannot send a SWAT team to break down our doors at dawn. Only our government can do that. The FTC report ignores this concern, focusing on the commercial abuses of digital surveillance while ignoring its usefulness to an American surveillance state. It is no small irony that a federal government report on digital surveillance doesn’t concern itself with how that surveillance is routinely abused by government. This insight gives us all the more reason to urge the U.S. Senate to follow the example of the House and pass the Fourth Amendment Is Not For Sale Act. This legislation requires the FBI and other federal agencies to obtain a warrant before they can purchase Americans’ personal data, including internet records and location histories. It is also time for Congress to shine a bright light on data brokers to identify all the customers – commercial, foreign, and federal – who are watching our digital lives. This year, the coalition of surveillance reformers in Washington, D.C., mounted the most spirited, bipartisan campaign in legislative history.
The reform coalition fought to require warrants for FISA Section 702, which authorizes the government to surveil foreign threats on foreign soil but is often used to spy on Americans. The House also passed the Fourth Amendment Is Not For Sale Act, which would forbid the warrantless collection of Americans’ personal, digital information. How did we do? The Section 702 fix was lost to a single, tie-breaking vote in the House. The Fourth Amendment Is Not For Sale Act remains stuck behind last-minute business in the Senate. It is easy for surveillance reformers to feel like Sisyphus, rolling legislative stones up Capitol Hill only have them come tumbling back down. But national reformers should take heart from the example set by Utah, which proves that surveillance reform is popular and that reasonable compromises can be set into law. Start with geofence warrants, which use a reverse search technique to pluck the identities of criminal suspects out of pools of data extracted from a given area. The federal Fifth and Fourth Circuit Courts of Appeal have taken starkly opposite views over whether geofence warrants can be allowed. The Fifth Circuit finds them to be inherently unconstitutional. The Fourth Circuit finds them to raise no Fourth Amendment issues at all. Meanwhile, the intrusion of government snooping grows. Google reports that requests for geofence warrants grew by 9,000 in 2019 to 11,500 in 2020. That number is surely much higher today. When the U.S. Supreme Court inevitably wades into this issue to resolve the circuit split, the Justices would well to consider the example set by Utah. Last year, Utah passed HB57, which balances law enforcement’s protection of public safety with the privacy rights of Utahans in law enforcement’s use of geofencing. Leslie Corbly of the Libertas Institute in Utah reports that as a result of this new law, police must now submit requests for geofence data to a judge for a warrant application. This new law also mandates that warrant applications must “include a notification to judges regarding the nature of a geofence search by way of a map or written description showing the size of the virtual geofence.” Results from the search must be specified and reported to the court, including not just the identification of criminal perpetrators, but also people not involved in a crime. Armed with enough information to evaluate the merits of a warrant request, judges remain involved with geofence warrants throughout the process. Finally, state law enforcement agencies must report the number of geofence warrants requested, the number approved by a judge, the number of investigations that used information obtained through a geofence warrant, and the number of electronic devices used for this collection. Mike Maharrey of the Tenth Amendment Center reports that Utah has “chipped away at the surveillance state,” passing laws limiting surveillance of all kinds. These include:
Utah demonstrates to Congress and the Supreme Court that we can place limits on surveillance while accepting reasonable access to information agencies need to protect the public. Gary Herbert, a former governor of Utah who signed many of these measures into law, said “Utah is no longer a flyover state.” When it comes to surveillance reform, Utah is a state that should lead the nation. And Utah should be an inspiration to reformers in Congress to keep pushing those boulders all the way to the top of the Hill. Does Congress have oversight of the federal intelligence community, or do the spies and intelligence officials have oversight of Congress?
Under our Constitution, the answer should be obvious – the legislative branch oversees executive agencies. Besides, no American should want spies and intelligence officials looking over the shoulders of our elected representatives. That is why the founders established Congress in Article One of the Constitution. And yet, at times, it seems as if the intelligence community regards oversight of Congress as its legitimate business. We learned last year that Jason Foster, the former chief investigative counsel for Sen. Chuck Grassley – Ranking Member of the Senate Judiciary Committee – is among numerous staffers and Congressional lawyers, Democrats and Republicans, who had their personal phone and email records searched by the Department of Justice in 2017. Foster later founded Empower Oversight Whistleblowers & Research, which went to court to press for disclosure of the misuse of Justice’s subpoena power that risked identifying confidential whistleblowers who provided information to Congress about governmental misconduct. Now federal Judge James E. Boasberg has ordered the partial unsealing of a Non-Disclosure Order (NDO) application filed by the Department of Justice to prevent Google from notifying users like Foster that their phone records, email, and other communications were ransacked by the Justice Department. This is a significant victory for transparency. We eagerly await the results of the unsealed NDO for clues about the Justice Department’s intentions in spying on Congressional attorneys with oversight responsibility. In the meantime, PPSA continues to use every legal means to press a Freedom of Information Act request seeking documents on “unmasking” and other forms of surveillance of 48 current and former House and Senate Members on committees that oversee the intelligence agencies. We will alert you about any further revelations from the court. In the meantime, the Senate can do its part by following up on the unanimous passage of the Non-Disclosure Order Fairness Act by the House. This bill restricts the government’s currently unlimited ability to impose gag orders on telecom and digital companies. These gag orders keep these companies’ customers from learning that their sensitive, personal information has been surveilled by the government. As Congress learns about the degree to which its Members are being watched by the executive branch, the NDO Fairness Act should be more popular than ever. Are the Charges Against Telegram CEO Pavel Durov Meant to Lead the World to Outlaw Encryption?9/3/2024
For days after the arrest of Telegram CEO Pavel Durov by French authorities at Le Bourget Airport near Paris, the world civil liberties community held back.
The impulse to rush to the defense of a Russian dissident/entrepreneur was almost overwhelming. Durov had refined his skills with the creation of VK, a social media website that allowed dissidents, opposition politicians, and Ukrainian protesters to evade Vladimir Putin’s emerging surveillance state as late as 2014. After Durov fled Russia with his brother Nikolai, they created the encrypted messenger service Telegram, which allows users not only to communicate in secrecy, but to also set their messages to disappear. Across Asia, Africa, Latin America, and our own country, Telegram enables dissidents, journalists, and people in fear of cartels or abusive spouses to communicate without making themselves vulnerable. So civil libertarians were naturally poised to rush to Durov’s defense. But they didn’t. There was the matter of the 12 charges approved by a French judge this week, including “complicity” in crimes such as aiding in the distribution of international narcotics and child sex abuse material. The many devils in this case lurk in its many details, some of which are far from well understood. At this point, however, we can at least pose preliminary questions. Some answers must come from the French government. Some must come from every person who cares about privacy, including the almost 1 billion users of Telegram.
We can already highlight at least one aspect of this case that should concern civil libertarians and free speech advocates around the world. Thanks to an insightful analysis by Kevin Collier and Rob Wile in Slate, we know that two of the 12 charges involve a purported obligation of providers of cryptological services to require their users to register with their real identities. Another count declares it a crime to import such an encrypted service “without prior declaration.” Collier and Wile write that this latter provision, which at first sounds like a matter of bureaucratic form-filling, actually implies that “France sees the use of internationally based, unregulated ‘encryption’ service as a crime all its own.” If so, will France get away with criminalizing private encryption services? And if that happens, might this become EU policy? We are already seeing Europe employ illiberal interpretations of the recently enacted Digital Services Act. The EU’s top digital regulator, Thierry Breton, threatened X with legal action if it ran Elon Musk’s full interview with Donald Trump. While Breton’s threat was later disowned by his boss, EU President Ursula von der Leyen, it was still breathtaking to see in Europe today that a powerful regulator believes the European public would be well served by censoring the words of a major party nominee to lead the United States. It is not a stretch to imagine such people also wanting to stamp out private communications. Is France now using possibly legitimate charges about Telegram’s operation to undermine the very idea of encryption? Everyone who cares about privacy should watch how this case unfolds. After all, thanks to Telegram, we know that there are at least one billion of us. The U.S. Department of Justice is pioneering ever-more dismissive gestures in its quest to fob off lawful Freedom of Information Act (FOIA) requests seeking to shed light on government surveillance. One PPSA FOIA request, aimed at uncovering details about the DOJ's purchase of Americans’ commercially available data from third-party data brokers, sets a new record for unprofessionalism.
Until now, we had become used to the Catch-22 denials in which the government refuses to even conduct a search for responsive records with a Glomar response. This judge-made doctrine allows the withholding of requested information if it is deemed so sensitive that the government can neither confirm nor deny its existence. But when the government issues a Glomar response without first conducting a search, we can only ask: How could they know that if they haven’t even searched for the records? DOJ’s latest response that arrived this week, however, is a personal best. The DOJ’s response shows that it didn’t bother to even read our FOIA request. Our request sought records detailing the DOJ's acquisition of data on U.S. persons and businesses, including the amounts spent, the sources of the data, and the categories of information obtained. This request was clearly articulated and included a list of DOJ components likely to have the relevant records. Despite this clarity, DOJ responded by stating that the request did not sufficiently identify the records. DOJ's refusal to conduct a proper search appears to be based on a misinterpretation, either genuine or strategic, of our request. DOJ claimed an inability to identify the component responsible for handling a case based solely on the “name” of the case or organization. However, PPSA's request did not rely on any such identifiers. Instead, DOJ's response indicates that it may have resorted to a generic form letter to reject our request without actually reviewing its contents. Precedents like Miller v. Casey and Nation Magazine v. U.S. Customs Service establish that an agency must read requests “as drafted” and interpret them in a way that maximizes the likelihood of uncovering relevant documents. DOJ’s blanket dismissal is not just a bureaucratic oversight. It is an affront to the principles of openness and accountability that FOIA is designed to uphold. If the DOJ, the agency responsible for upholding the law, continues to disregard its legal obligations, it sets a dangerous precedent for all government agencies. The good news is that DOJ’s Office of Information Policy has now ordered staff to conduct a proper search in response to PPSA’s appeal, a directive that should have been unnecessary. It remains to be seen whether the DOJ will comply meaningfully or continue to obstruct … perhaps with another cookie-cutter Glomar response. How far might DOJ go to withhold basic information about its purchasing of Americans’ sensitive and personal information? In a Glomar response to one of our FOIA requests in 2023, DOJ came back with 40 redacted pages from a certain Mr. or Mrs. Blank. They gave us nothing but a sea of black on each page. The only unredacted line in the entire set of documents was: “Hope that’s helpful.” This latest response is just another sign that those on the other end of our FOIA requests are treating their responsibilities with flippancy. This is unfortunate because the American public deserves to know the extent to which our government is purchasing and warrantlessly accessing our most private information. Filing these requests and responding to non-responsive responses administratively and in court is laborious and at times frustrating work. But somebody has to do it – and PPSA will continue to hold the government accountable. The Texas Observer reports that the Texas Department of Public Safety (DPS) signed a 5-year, nearly $5.3 million contract for the Tangles surveillance tool, originally designed by former Israeli military officers to catch terrorists in the Middle East.
In its acquisition plan, DPS references the 2019 murder of 23 people at an El Paso Walmart, as well as shooting sprees in the Texas cities of Midland and Odessa. If Tangles surveillance stops the next mass shooter, that will be reason for all to celebrate. But Tangles can do much more than spot shooters on the verge of an attack (assuming it can actually do that). It uses artificial intelligence to scrape data from the open, deep, and dark web, combining a privacy-piercing profile of anyone it targets. Its WebLoc feature can track mobile devices – and therefore people – across a wide geofenced area. Unclear is how DPS will proceed now that the Fifth Circuit Court of Appeals in United States v. Jamarr Smith ruled that geofence warrants cannot be reconciled with the Fourth Amendment. If DPS does move forward, there will be nothing to keep the state’s warrantless access to personal data from migrating from searches for terrorists and mass shooters, to providing backdoor evidence in ordinary criminal cases, to buttressing cases with political, religious, and speech implications. As the great Texas writer Molly Ivins wrote: “Many a time freedom has been rolled back – and always for the same sorry reason: fear.” The Wall Street Journal editorial page beat us to the punch to be the first to call the Securities and Exchange Commission the “Surveillance and Exchange Commission.”
It is an apt description, increasingly not a stretch or even a bit of sarcasm. In April we reported that the SEC had taken it upon itself, authorized by no law and under no Congressional or judicial oversight, to create a huge database called the Consolidated Audit Trail. This database allows 3,000 government employees to track, in real time, the identities of tens of millions of Americans who buy and sell stocks and other securities. In June we reported on the protest of state auditors and treasurers in 23 states over this program, which allows government agents to conduct fishing expeditions with the data of millions of Americans who’ve done nothing wrong or suspicious. The state financial officers wrote: “Traditionally, Americans’ financial holdings are kept between them and their broker, not them, their broker, and a massive government database. The only exception has been legal investigations with a warrant.” Now it has come to light, thanks to The Journal, that the SEC fined 26 financial firms almost $400 million for failing to track the private communications of their employees on their personal phones. Most financial firms already enforce policies that prohibit their employees from using their personal devices and messaging apps like WhatsApp for business. But until now, it was not the business of an employer to force employees to hand over their personal phones for inspection. Under this mandate from the SEC, firms must search the personal phones of their employees for evidence of business-related communications. Unlike the Consolidated Audit Trail database, which is government operated, the SEC is outsourcing the task of monitoring of the communications of hundreds of thousands of Americans to their employers. This is a sneaky move. Making employers into the government’s spies obviates the pesky need to worry about niceties like the Fourth Amendment and probable cause warrants. Never mind that the SEC fails to report any crimes or rule-bending from all this surveillance. Readers will recall that a wave of protest prevented the reporting of all financial transactions to the government in excess of $600. But the broad movement to collect, record, and analyze the financial lives of all Americans is ongoing. And the Surveillance and Exchange Commission is its leader. The phrase “national security” harks back to the George Washington administration, but it wasn’t until the National Security Act of 1947 that the term was codified into law. This new law created the National Security Council, the Central Intelligence Agency, and much of the apparatus of what we today call the intelligence community. But the term itself – “national security” – was never defined.
What is national security? More importantly, what isn’t national security? Daniel Drezner, a Fletcher School of Law and Diplomacy professor, writes in Foreign Affairs that it was the Bush-era “war on terror” that put the expansion of the national security agenda into overdrive. Since then, he writes, the “national security bucket has grown into a trough.” The term has become a convenient catch-all for politicians to show elevated concern about the issues of the day. Drezner writes: “From climate change to ransomware to personal protective equipment to critical minerals to artificial intelligence, everything is national security now.” He adds to this list the Heritage Foundation’s Project 2025’s designation of big tech as a national security threat, and the 2020 National Security Strategy document, which says the same for “global food insecurity.” We would add to that the call by politicians in both parties to treat fentanyl as a matter of national security. While some of these issues are clearly relevant to national security, Drezner’s concern is the strategic fuzziness that comes about when everything is defined as a national security priority. He criticizes Washington’s tendency to “ratchet up” new issues like fentanyl distribution, without any old issues being removed to keep priorities few and urgent. For our part, PPSA has a related concern – the expansion of the national security agenda has a nasty side effect on Americans’ privacy. When a threat is identified as a matter of national security, it also becomes a justification for the warrantless surveillance of Americans. It is one thing for the intelligence community to use, for example, FISA Section 702 authority for the purpose for which Congress enacted it – the surveillance of foreign threats on foreign soil. For example, if fentanyl is a national security issue, then it is appropriate to surveil the Chinese labs that manufacture the drug and the Mexican cartels that smuggle it. But Section 702 can also be used to warrantlessly inspect the communications of Americans for a crime as a matter of national security. Evidence might also be warrantlessly extracted from the vast database of American communications, online searches, and location histories that federal agencies purchase from data brokers. So the surveillance state can now dig up evidence against Americans for prosecution in drug crimes, without these American defendants ever knowing how this evidence was developed – surely a fact relevant to their defense. As the concept of national security becomes fuzzier, so too do the boundaries of what “crimes” can be targeted by the government with warrantless surveillance. “Trafficking” in critical minerals? Climate change violations? Repeating alleged foreign “disinformation”? When Americans give intelligence and law enforcement agents a probable cause reason to investigate them, a warrant is appropriate. But the ever-expanding national security agenda presents a flexible pretext for the intelligence community to find ever more reason to set aside the Constitution and spy on Americans without a warrant. Drezner writes that “if everything is defined as national security, nothing is a national security priority.” True. And when everything is national security, everyone is subject to warrantless surveillance. Imagine this scenario: It’s early evening, and you and your special someone are on the couch preparing to binge-watch your favorite streaming show.
Ding-dong. You answer the door and, as you hoped, it is the dinner delivery person. He hands you your prepaid, pre-tipped meal and you start to shut the door when the delivery worker puts his foot down, blocking you. He snaps a picture over your shoulder and asks: “Why is the wall over your couch bare? It should have a picture of the Dear Leader. I now have no choice but to report you.” This fantastical scenario of a police state enlisting food delivery workers as auxiliary police is taking place, for real, in the People’s Republic of China, according to disturbing reports from Radio Free Asia. Beijing recently posted a directive: “We will hire a group of online delivery personnel with a strong sense of responsibility to serve as part-time social supervisors and encourage them to take part in grassroots governance through snapshots and snap reports …” Radio Free Asia reports that this program is being expanded in China’s annexed territory of Tibet, where food delivery workers are being recruited to perform “voluntary patrol and prevention work.” In addition, Chinese police are requiring Tibetans to revise their personal passwords on their social media accounts, link them to their personal cellphones and identity cards, and make it all accessible to the government. Police are also stopping Tibetans in Lhasa to check their cellphones for virtual private networks, or VPNs, that allow users to get around the “Great Firewall of China,” the government’s restrictive controls on the internet. We can shake our heads and laugh. But the fundamental principle of coopting private-sector industries for internal surveillance is one that is gaining purchase in our own country. The federal government isn’t so crude as to turn the Domino’s pizza delivery guy into a spy. But federal agencies can extract Americans’ personal data from FISA Section 702, even though this program was enacted by Congress not to spy on Americans, but to surveil foreign threats on foreign soil. Prosecutors in the United States can extract information about witnesses and criminal defendants from telecoms and service providers of emails, cloud computing, and online searches, then gag those same companies with a non-disclosure order, which keeps them from ever informing their customers they were surveilled. The good news is that more and more Members of Congress are awakening to the threat of a home-grown American surveillance state. The recent reauthorization of Section 702 sets up a debate over the reach of this program in early 2026. The House passed a measure called the NDO Fairness Act, which would limit non-disclosure orders, putting the onus on the Senate to follow suit. The field of surveillance is one area in which public-private partnerships can go very wrong. Unlike China, however, America is still a democracy with a Congress that can counter expansive government threats to our privacy. The U.S. Supreme Court will almost certainly take up and resolve two furthest – some would say extreme – rulings by the Fourth and Fifth Circuit Courts of Appeals on the Fourth Amendment implications of geofence searches.
The Fourth Circuit ruled that geofence warrants – which search the mobile devices of many people in designated areas – contain no Fourth Amendment implications. The Fifth Circuit ruled that geofence warrants are inherently unconstitutional. This is the Grand Canyon of circuit splits. At stake are not just geofence warrants, but conceivably almost every kind of automated digital search conducted by the government. At stake, too, is the very meaning and viability of the Fourth Amendment in the 21st century. We had previously reported on the gobsmacking ruling of the Fourth Circuit in July that held that a geofence warrant to identify a bank robber within a 17.5-acre area – including thousands of innocent people living in apartments, at a nursing home, eating in restaurants, and passing by – did not implicate the privacy rights of all who were searched. In United States v. Chatrie, the court held in a split opinion that this mass geofence warrant had no Fourth Amendment implications whatsoever. In doing so, the Fourth reversed a well-reasoned opinion by federal Judge Mary Hannah Lauck, who wrote that citizens are almost all unaware that Google logs their location 240 times a day. Judge Lauck wrote: “It is difficult to overstate the breadth of this warrant.” The same overbreadth can be seen, in a very different context, in the Fourth Circuit’s jettisoning of the Fourth Amendment in its reversal. Now the Fifth Circuit Court of Appeals has weighed in on a similar case, United States v. Jamarr Smith. The Fifth came to the opposite conclusion – that geofence warrants cannot be reconciled to the Fourth Amendment. Orin Kerr of the UC Berkeley School of Law argues that the Fifth’s ruling conflicts with Supreme Court precedent, including Carpenter v. United States, in which the Court held that the government needs a warrant to extract cellphone location data. Kerr also asserts that the lack of particularity in which a suspect’s identity is not known at the beginning of a search (indeed, that’s the reason for these kind of searches) is a well-established practice recognized by the Supreme Court. Jennifer Granick and Brett Max Kaufman of the American Civil Liberties Union push back at Kerr, finding the digital inspection of the data of large numbers of people to identify a needle-in-a-haystack suspect is, indeed, a “general warrant” forbidden by the Constitution. They write: “Considering the analog equivalents of this kind of dragnet helps explain why: For example, police might know that some bank customers store stolen jewelry in safe deposit boxes. If they have probable cause, police can get a warrant to look in a particular suspect’s box. But they cannot get a warrant to look in all the boxes – that would be a grossly overbroad search, implicating the privacy rights of many people as to whom there is no probable cause.” The implications of this circuit split are staggering. If the Fourth Circuit ruling prevails, it will be anything goes in digital search. If the Fifth Circuit’s ruling prevails, almost any kind of digital search will require a probable cause warrant that has the particularity the Constitution clearly requires. There will be no way for the U.S. Supreme Court to reconcile these opposite takes on digital warrants. It will be up for the Court to set a governing doctrine, one that examines at its root what constitutes a “search” in the context of 21st century digital technology. Let us hope that when it does so, the Supreme Court will lean toward privacy and the Fourth Amendment. Judges and District Attorneys Must Hide the Use of Stingrays, or Face the Wrath of the FBI8/20/2024
Cell-site simulators, often known by the trade name “stingrays,” are used by law enforcement to mimic cell towers, spoofing mobile devices into giving up their owners’ location and other personal data. Thousands of stingrays have been deployed around the country, fueled by federal grants to state and local police.
PPSA has long reported that the FBI severely restricts what local police and prosecutors can reveal about the use of stingrays in trials. Now we can report that these practices are continuing and interfere with prosecutors’ duty to participate in discovery and turn over potentially exculpatory evidence. The government’s response to a PPSA FOIA request reveals a standard non-disclosure agreement between the federal government and state and local police departments. This template includes a directive that the locals “shall not, in any civil or criminal proceeding, use or provide any information concerning the [redacted] wireless collection equipment/technology.” This includes any documents and “evidentiary results obtained through the use of the equipment.” The agreement also states that if the agency “learns that a District Attorney, prosecutor, or a court” is considering releasing such information, the customer agency must “immediately notify the FBI in order to allow sufficient time for the FBI to intervene …” Most likely the squeeze will come with a threat to end the provision of stingrays to the state or local police, but other forms of intimidation cannot be ruled out. Got that, judges and district attorneys? Any attempt to fully disclose how evidence was obtained, even if it would serve to clear a defendant, must be withheld from the public and defense attorneys or the FBI will want a word with you. “Quiet Skies” is a federal aviation security program that includes singling out flyers for close inspection by giving them an “SSSS” or “Secondary Security Screening Selection” designation on their boarding pass. In the case of Tulsi Gabbard, it is alleged she was also put on a “terror threat list” that requires that she receive intense surveillance as well.
You probably know Gabbard as an outspoken and iconoclastic former U.S. Representative from Hawaii who ran for president. During a slew of domestic flights after returning from a recent trip to Rome, Gabbard and husband Abraham Williams were allegedly designated as security threats requiring enhanced observation. A war veteran of Iraq who signed up after 9/11, Gabbard told Matt Taibbi of The Racket that she and her husband are getting third-degree inspections every time they go to the airport. Every inch of her clothes is squeezed. The lining of the roller board of her suitcase is patted down. Gabbard has to take out every personal electronic and turn on each one, including her military-issue phone and computer. This process can take up to 45 minutes. What may be happening in the air is far more worrisome. Sonya LaBosco, executive director of the advocacy group Air Marshals National Council, is the source that told Taibbi that Gabbard is on the TSA’s domestic terror watch list. Every time someone on that list travels, LaBosco said, that passenger gets assigned two Explosive Canine Teams, one Transportation Security Specialist in explosives, and one plainclothes TSA Supervisor. Such passengers are assigned three Federal Air Marshals to travel with them on every flight. LaBosco says that Gabbard’s recent three-flight tour would have required no fewer than nine Air Marshals to tail her and her husband. Taibbi writes that an Inspector General’s report in 2019 revealed one-half of the Air Marshal’s budget is wasted, and that much of $394 million in funds for air security are put to questionable use. In our personal experience, the “SSSS” designation can be randomly assigned. Judging from publicly available sources, that designation can also be algorithmically triggered by a host of activities deemed suspicious, such as flying out of Turkey, paying cash for plane tickets, and buying one-way tickets. (We can only imagine what would happen to the brave or foolhardy person who bought a one-way ticket out of Istanbul with cash.) To be fair, many complaints about the TSA that seem absurd have a basis in hard experience. That experience goes back to 1986, when an extra close inspection by El Al security officers of a pregnant Irish nurse flying to meet her boyfriend in Jordan revealed that he had betrayed her by secreting a bomb in her bag. TSA has to contend with the fact that anyone – a decorated war hero, a handicapped grandmother, a toddler – could be the unknowing carrier of a threat. But the treatment of Gabbard raises the unavoidable question if this outspoken political figure was put on the SSSS list out of political pique. Gabbard has certainly irritated a lot of powerful people and agencies. In Congress, she advocated for dropping charges against Edward Snowden. As vice chair of the Democratic National Committee in 2016, she publicly criticized the party’s reliance on superdelegates and endorsed Bernie Sanders over Hillary Clinton. She later left the Democratic Party and was recently on the list of Donald Trump’s possible vice-presidential candidates. She has been a consistent critic of “elites” who want “nation-building wars.” Gabbard found herself on the threat list just after she left Rome where she had called Vice President Kamala Harris “the new figurehead for the deep state.” You might find Gabbard insightful or a flittering gadfly, but no one should be targeted for surveillance for merely expressing controversial views. And if Gabbard did somehow inadvertently trigger a threat algorithm, one has to wonder if anyone is in charge with the ability to apply common sense – if, in fact, such vast resources are being deployed to follow her. If that is true, even the most benign explanation reveals a diversion of manpower (and dogpower) that could be used to deter real threats. A Congressional investigation – perhaps by the Weaponization of the Federal Government subcommittee – is warranted to discover if the facts reported by Taibbi are correct and, more importantly, if Gabbard has been targeted for enhanced surveillance and harassment for her speech. After all, crazier things have happened, like Matt Taibbi finding himself targeted with a rare home visit from the IRS on the same day the journalist testified before Congress about federal meddling in social media curation. Police have access to more than 71,000 surveillance cameras in New York City, and to more than 40,000 cameras in Los Angeles.
This technology is rapidly becoming ubiquitous from coast to coast. As it does, civil libertarians are shifting from outright opposition to public surveillance cameras – which increasingly seems futile – to advocating for policy guardrails that protect privacy. That American cities are going the way of London, where police cameras are on every street corner, is undeniable. The Harvard Crimson reports that Cambridge, Massachusetts, is one of the latest cities to debate whether to allow police to deploy a network of surveillance cameras. The Cambridge Police Department was on the verge of installing highly visible cameras that would surveil the city’s major parks and even Harvard Yard when the city council suspended a vote after hearing from a prominent civil rights attorney. Even then, Emiliano Falcon-Morano of the Technology for Liberty Program at the Massachusetts ACLU seemed to bow to the inevitability of cameras. He recommended that this technology not be installed until the “police department addresses several important questions and concerns to ensure that it is deployed in a manner that conforms with civil rights and civil liberties.” In Philadelphia Dana Bazelon, a former criminal defense attorney and frequent critic of police intrusions into privacy, is now advocating the expansion of surveillance cameras. As an advisor to the Philadelphia district attorney, Bazelon sees police cameras as the only way to stem gun violence. This turnabout prompted Reason’s J.D. Tuccille to accuse Bazelon of discarding “concerns about government abuses to endorse a wide-reaching surveillance state.” Tuccille notes how much easier surveillance cameras may make the job of policing. He archly quotes Charlton Heston’s character in Touch of Evil, “A policeman’s job is only easy in a police state.” The argument in favor of public surveillance cameras is that when we step into the public square, we can expect to lose a degree of privacy. After all, no law keeps an officer on patrol from glancing our way. What’s so bad about being seen by that same officer through a lens? The answer, simply, is that camera networks do more than see. They record and transform faces into data. That data, combined with facial recognition software, with cellsite simulators that record our movements by tracking our cellphone location histories, with social media posts that log our political views, religious beliefs, and personal lives, brings us to within spitting distance of a police state. It is out of this concern that the Electronic Frontier Foundation has helpfully provided Americans with the ability to see the surveillance mechanisms unfolding in their communities through its Street Level Surveillance website. Yet, whether we like it or not (and we don’t like it), ubiquitous camera surveillance by the police in almost every city is coming. It is coming because public surveillance is useful in solving so many crimes. As city leaders temporarily shelved the police surveillance proposal in Cambridge, a man in New York City was freed after serving 16 years in prison, exonerated by evidence from old surveillance footage. Arvel Marshall was railroaded in 2016 by a Brooklyn prosecutor who sat on the exonerating tape, which clearly showed someone else committing the murder for which Marshall was convicted. There is no denying that, when the images are clear, surveillance footage can provide irrefutable identification of a criminal (or not, as in Marshall’s case). But the flip side is that the same technology, once it becomes networked and seamlessly integrated by AI, will give the powerful the means to track Americans with little more than a snap of the fingers or a click of the mouse – not just criminals, but protestors, political groups, journalists, and candidates. As this new reality unfolds, questions emerge. How will police surveillance data be stored? How secure will it be from hackers? How long will it be kept? Will it be networked with other forms of tracking, such as our purchased digital data, and combined by AI into total personal surveillance? Will this data be used to follow not just potential terrorists but Americans with criminal records in a predictive effort at “precrime”? Should technology be deployed that anonymizes the faces of everyone on a tape, with deanonymization or unmasking only at the hands of an authorized person? Should a warrant be issued to watch a given crime or to unmask a face? The terms of this new debate are changing as technology evolves at fast forward. But it is not too early to ask these questions and debate new policies, city by city, as well as in Congress. U.S. intelligence agencies justify tens of thousands of warrantless backdoor searches of Americans’ communications by claiming an exception to the Fourth Amendment for “defensive” purposes.
In testimony to Congress, FBI Director Christopher Wray has said that such defensive searches are absolutely necessary to protect Americans in real time who may be potential victims of foreign intelligence agents or cyberattacks. On this basis, the FBI and other agencies every year conduct tens of thousands of warrantless “backdoor” searches of Americans’ communications with data extracted from programs authorized by FISA Section 702 – even though this program was enacted by Congress not to spy on Americans, but to authorize U.S. agencies to surveil foreign spies and terrorists located abroad. Noah Chauvin, Assistant Professor of Law at Widener University School of Law, in a 53-page paper neatly removes every leg of the government’s argument. He begins with the simple observation that there is no “defensive” exception in the Fourth Amendment. Indeed, an analogous claimed exception for “community caretaking” was rejected by the U.S. Supreme Court in the 2021 decision on Caniglia v. Strom, holding that the government could not enter a home without a warrant based on the simple, non-exigent claim that the police needed to check on the homeowner’s well-being. Whether for community caretaking or for surveillance, the “we are doing this for your own good” excuse does not override the Fourth Amendment. In surveillance, the lack of constitutional validity makes the government’s position “a political argument, not a legal one.” Chauvin adds: “It would be perverse to strip crime victims of the Fourth Amendment’s privacy protections – a person should not lose rights because they have been violated.” It is apparently on the basis of such a “defensive search,” for example, that the FBI violated the Fourth Amendment rights of Rep. Darin LaHood (R-Ill). In that case, the FBI was concerned that Rep. LaHood was being unknowingly targeted by a foreign power. If the FBI can secretly violate the rights of a prominent and respected Member of Congress, imagine how blithely it violates your rights. While making these sweeping claims of violating the Fourth Amendment to protect Americans, “the government has provided almost no public information about how these defensive backdoor searches work.” Chauvin adds: “The government has claimed it uses backdoor searches to identify victims of cyberattacks and foreign influence campaigns, but has not explained how it does so, saying only that backdoor searches have ‘contributed to’ or ‘played an important role in’ intelligence services.” Also unexplained is how the government identifies potential American victims, or why it searches for victims instead of potential perpetrators. Nor does it reveal its success rate at identifying potential victims and how that compares to traditional methods of investigation. Finally, Chauvin asks: “Would obtaining permission before querying a victim compromise the investigation?” It is a matter of settled law that any American can give informed consent to waive his or her Fourth Amendment rights. “It seems particularly likely,” Chauvin writes, “that would-be victims will grant the government permission to perform defensive backdoor searches.” One can easily imagine a long list of companies – from hospitals to cloud providers – that would grant such blanket permission. So why not just do that? Finally, Chauvin appeals to Congress not just to remedy this backdoor search loophole for Section 702. He proposes closing this loophole for Americans’ digital data that U.S. intelligence and law enforcement agencies purchase from third-party data brokers, as well as for Executive Order 12333, a non-statutory surveillance authority claimed by the executive branch. At the very least, Congress should demand answers to Chauvin’s questions about how defensive searches are used and how they work. He concludes, “the government’s policy preferences should never override Americans’ constitutional rights.” United States v. ChatrieWe reported on the bold opinion of federal district Judge Mary Hannah Lauck of Virginia who ruled in 2022 that the government erred by seeking a warrant for the location histories of every personal digital device within a 17.5-acre area around a bank that had been robbed in Richmond, Virginia, in 2019.
To identify the suspect, Nathaniel Chatrie, law enforcement officials obtained a geofence warrant from Google, requesting location data for all devices within that large area. Swept into this mass surveillance – reminiscent of the “general warrants” of the colonial era – were people in restaurants, in an apartment complex, and an elder care facility, as well as innumerable passersby. Judge Lauck wrote that these consumers were almost all unaware that Google logs their location 240 times a day. She wrote: “It is difficult to overstate the breadth of this warrant” and that every person in the vicinity has “effectively been tailed.” At times it almost seems that no good opinion goes upheld, at least where the Fourth Amendment is concerned. On July 9, the Fourth Circuit Court of Appeals reversed Judge Lauck’s decision in United States v. Chatrie. The court held that a geofence warrant covering a busy area around a bank robbery did not qualify as a Fourth Amendment search at all, a sweeping decision that has serious implications for privacy rights and law enforcement practices across the country. The two-judge majority on the Fourth Circuit Court of Appeals concluded that the geofence warrant did not, after all, constitute a Fourth Amendment search because the collection of location data from such a broad geographic area, even a busy one, did not infringe upon reasonable expectations of privacy. Got that? Judge J. Harvie Wilkinson III, writing for the majority, emphasized that the geofence warrant was a valuable tool for law enforcement in solving serious crimes. He wrote that the use of such warrants is necessary in an era where traditional investigative methods may be insufficient to address modern criminal activities. In a strongly worded dissent (beginning on p. 39), Judge James Andrew Wynn Jr. criticized the majority opinion, highlighting the potential dangers of allowing such broad warrants. Judge Wynn, with solid logic and command of the relevant precedents, demonstrated that the decision undermines the Fourth Amendment’s protections and opens the door for pervasive surveillance. Judge Wynn showed that the geofence warrant lacked the necessary particularity required by the Fourth Amendment. By allowing the collection of data from potentially thousands of innocent people, the warrant was not sufficiently targeted to the suspect. He emphasized that individuals have a reasonable expectation of privacy in their location data, even in public places. The widespread collection of such data without individualized suspicion poses significant privacy concerns. And Judge Wynn warned that the majority's decision sets a dangerous precedent, ignoring the implications of the U.S. Supreme Court’s 2018 Carpenter v. United States opinion in its landmark case on location data. So what, you might ask, is the harm of geofencing in this instance, which caught a suspect in a bank robbery? Answer: Enabling law enforcement to use geofence warrants in such a broad way will almost certainly lead to a variety of novel contexts, such as political protests, that could implicate Americans’ rights to free speech and freedom of assembly. Judge Wynn's dissent highlights the need for a careful balance between effective law enforcement and the preservation of civil liberties. While the majority’s decision underscores the perceived necessity of geofence warrants in modern investigations, Judge Wynn's dissent serves as a poignant reminder of the constitutional protections at stake. The Electronic Frontier Foundation reports that Chatrie’s lawyers are petitioning for an en banc hearing of the entire Fourth Circuit to review the case. PPSA supports that move and we hope that if it happens, there are judges who take the same broad view as Judge Lauck and Judge Wynn. Earlier this year, students in a high school art class were called to a meeting of administrators to defend the contents of their art portfolio.
This happened after Lawrence High School in Lawrence, Kansas, signed a $162,000 contract with Gaggle safety software to review all student messages and files for issues of concern. Gaggle had flagged the digital files of the students’ art portfolio for containing nudity. The students vehemently protested that there was no nudity at all in their work. But it was a hard case to make considering that the files had already been removed from the students accounts so the student artists themselves couldn’t refer to it. Max McCoy, a writer with the nonprofit news organization The Kansas Reflector, wrote that if you’re a Lawrence High student, “every homework assignment, email, photo, and chat on your school-supplied device is being monitored by artificial intelligence for indicators of drug and alcohol use, anti-social behavior, and suicidal inclinations.” The same is true of many American high schools from coast-to-coast. Gaggle claims to have saved an estimated 5,790 student lives from suicide between 2018 and 2023 by analyzing 28 billion student items and flagging 162 million for reviews. McCoy took a hard look this incredibly specific number of lives saved, finding it hard to validate. Simply put, Gaggle counts each incident of flagged material that meets all safety criteria as a saved life. Still, it is understandable that school administrators would want to use any tool they could to reduce the potential for student suicide (the second-leading cause of death among Americans 15-19), as well as reduce the threat of school violence that has plagued the American psyche for decades now. But is an artificial surveillance regime like Gaggle the way to do it? McCoy likens Gaggle to the science-fictional “precrime” technology in the Philip K. Dick novel and Stephen Spielberg movie Minority Report. But could Gaggle technology in its actual use be more like the utterly dysfunctional totalitarian regime depicted in the classic movie Brazil? McCoy reports that a cry for help from one student to a trusted teacher was intercepted and rerouted to an administrator with whom the student has no relationship. The editors of the Lawrence student paper, The Budget, are concerned about Gaggle’s intrusion into their newsgathering, notes, and other First Amendment-protected activities. McCoy quotes Rand researchers who recently wrote, “we found that AI based monitoring, far from being a solution to the persistent and growing problem of youth suicide, might well give rise to more problems than it seeks to solve.” It is one thing to keep tabs on student attitudes and behavior. Spyware technology over all student messages and content looks pointlessly excessive. Worse, it trains the next generation of Americans to be inured to a total surveillance state. |
Categories
All
|