Media and civil liberties organizations all had the same reaction to the Privacy and Civil Liberties Oversight Board’s (PCLOB) nearly six years-long, “deep dive” into the legal and policy implications of Executive Order 12333 and NSA’s XKEYSCORE program.
Some said that the public version of the report, released in the spring, reads like a Wikipedia article. Others called it a high-school book report. We suggested that next time PCLOB produce a graphic on “How a Bill Is Made.”
Now Travis LeBlanc, a Democrat appointed by President Trump to serve on PCLOB, is going public with his dissatisfaction with his colleagues on the PCLOB board. Central to these concerns is XKEYSCORE, an NSA search engine that lets our government extract a person’s social media activity, browsing history and emails, almost at a click, from global datasets.
First revealed by Edward Snowden in 2013, XKEYSCORE operates without any Congressional or judicial oversight. Sen. Richard Burr said on the Senate floor that EO 12333 gives the government the power to do whatever it wants, without oversight and “without guardrails.” At least one program in this category, XKEYSCORE, is exempt from oversight by the Foreign Intelligence Surveillance Court or any other body. Here are some choice quotes from LeBlanc’s 10-page memo, which refers to the board members who approved the report in December.
Le Blanc also referred to the longer classified report compiled by PCLOB.
LeBlanc took PCLOB to task for ignoring the most challenging questions in 21st century surveillance policy, including how to govern artificial intelligence and machine learning that guides autonomous collection of massive datasets. With the rise of artificial intelligence, more and more decisions about policy and privacy are being made by machines. Yet PCLOB had nothing to say about that, or about recent Supreme Court rulings on surveillance of geolocation and cellphone data.
He raised other issues avoided by PCLOB, such as the “extent to which a machine analysis of U.S. person information triggers Fourth Amendment scrutiny (as opposed to “human-eyes” review).”
Most concerning of all, Le Blanc – the only member of the five-member board to vote against approving the report – said the board majority “failed to adequately investigate or evaluate NSA’s collection activities.”
The fact remains that years after the Snowden revelations, what might be the world’s most robust surveillance system (at least outside of China) operates without judicial or Congressional oversight, with scant legal analysis.
Sen. Ron Wyden told The Washington Post: “I continue to be concerned that Americans still know far too little about the government’s surveillance activities under EO 12333 and how it threatens their privacy.”
SCOTUS Opinion on Warrantless Home Entry in Lange v. California Has Big Implications for Americans’ Digital Security
In February, PPSA reported that several Supreme Court Justices had, at oral argument in Lange v. California, expressed skepticism on the question of whether the Fourth Amendment always allows the police to enter the home of a fleeing misdemeanant, someone suspected of a minor crime less than a felony. We predicted that the Court would reverse a lower-court decision holding otherwise.
The facts here were straightforward. An officer followed Arthur Lange after noticing him playing loud music and honking his horn. Seconds after the officer turned on his lights, Lange pulled into his garage, failing to notice the police car behind him. As the garage door closed, the officer put his foot under the closing garage door sensor to force the door open again. Once inside, he conducted a sobriety test, which showed that Lange was intoxicated. Lange then moved to suppress the evidence of that test because it was obtained after the officer entered his garage without a warrant. He lost in both lower courts, and the California Court of Appeal held that such entries are always permissible under the Fourth Amendment.
In the recent Supreme Court opinion, PPSA’s prediction proved correct. The Court declined to hold that the police have a categorical right to enter the home of a fleeing misdemeanant without a warrant. Instead, citing well-established precedent, the Court held that “when the officer has time to get a warrant, he must do so – even though the misdemeanant fled.” In so holding, the Court recognized that some exigencies, such as the need to “prevent imminent harms of violence, destruction of evidence, or escape from the home,” might still justify a warrantless home entry. But because the lower court had applied a categorical rule – and therefore failed to address whether there were any exigencies here – the Supreme Court remanded the case for the lower court’s consideration under the proper standard.
The Court’s opinion cited many of the same common-law precedents that PPSA did in its amicus brief. But as our brief emphasized, this case is more important because of what it says about privacy in this digital age.
While the protections for electronic devices and communications remain under development, it is unlikely that courts would give such information sources more protection than the home. Accordingly, if the Court were to create a categorical misdemeanor exigency rule applicable to home entry, that rule would inexorably be extended to warrantless entry into electronic sources of information, posing an even more pernicious and extensive threat to privacy and its Fourth Amendment protections.
For example, today’s smartphones and other devices contain information detailing every aspect of a person’s life—messages to family, identifying documents, intimate pictures, personal journals, health information, financial data, and more are likely to be found on a device that the government has the technical ability to search remotely.
By making this decision, the Supreme Court not only refined the restrictions on entering garages. The Court also declined to create a new categorical rule that would always allow the police to enter a fleeing misdemeanant’s home. Because homes have always had more Fourth Amendment protections than any other space, such a precedent would have opened a door to warrantless digital snooping into our private lives. We are grateful the Court declined to create such a dangerous precedent.
SCOTUS to Consider Mechanism for Government Accountability After FBI Surveillance of Muslims
The U.S. Supreme Court has agreed to hear a privacy and religious liberty case brought by three California Muslim men, who claim that the FBI and federal government conducted illicit searches and unlawfully discriminated against them on the basis of religion. The government sought to shut down the case by claiming that such alleged behavior was subject to the “state secrets” doctrine, thus preventing any further inquiry into the government’s seeming misconduct.
In 2006, the FBI sent a confidential informant to infiltrate a mosque. The informant spent over a year collecting names, phone numbers, emails and other information, as well as planting listening devices. Lawyers for the three plaintiffs are challenging a domestic FBI surveillance program that, according to their own informant, targeted members of this community based on their dedication to their religion.
The FBI argued that it couldn’t defend itself against the religious claims of the lawsuit because to do so would involve sharing state secrets. So the FBI asked a lower federal court to dismiss the case. That judge agreed and went a step further, dismissing the religion claim and nearly every other claim as well. The Ninth Circuit Court of Appeals rejected the state secrets argument and ruled that the plaintiffs’ claims should be analyzed under procedures for viewing and protecting sensitive information set out in the Foreign Intelligence Surveillance Act (FISA).
Now the Supreme Court will examine the logic of this argument: Does Section 1806(f) of FISA displace the state secrets privilege? This would authorize a court to potentially consider the merits of a lawsuit that challenges the lawfulness of government surveillance by actually examining the previously privileged evidence, but in secret.
FISA outlines such discovery procedures in a variety of circumstances, though the parties vehemently disagree whether such circumstances include a civil rights lawsuit brought by the targets of surveillance. If the procedures do apply here, they would include inspections of materials in chambers by a judge with suitable clearance, who would then decide whether it is possible for plaintiffs with substantial claims to argue their case while protecting the secrecy of government information if there is indeed a legitimate security interest.
But would that be a win for civil liberties, or just a reshuffling of the government’s secrecy deck? There’s a need to protect government secrecy, but how do we ensure that the government isn’t covering up bad-faith actions of the executive branch by using “classification” of documents as a weapon of mass defense, hiding the facts of a case behind either the state secrets precedent or in the FISA court?
The government has a long and documented history of using secrecy to hide abuses dating as far back as 1953, in a Supreme Court case U.S. vs Reynolds, about an Air Force bomber crash that was later shown to be due to government negligence; in the infamous Pentagon Papers case, where the government sought to suppress publication of a questionably classified report that revealed the government’s concealment and deliberate deceptions surrounding the Vietnam War; and as recently as the 2020 fiasco of the FBI’s investigation of Trump campaign volunteer, Carter Page (which included one forged document and 17 serious errors of omission and commission).
Should we consider it an outrage if the FBI directed a confidential informant to plant bugs in a mosque, targeting Americans based on their religion? Yes, unless there is evidence in this case that explains the FBI’s actions. The point is, we have no way of knowing for sure as long as the FBI is never required to defend itself on the substance rather than cover the entire case with a blanket of secrecy.
The late Christopher Hitchens said that the essence of tyranny is not iron law; it is capricious law. But there are ways to defend against it.
Whether FISA as currently written allows a way around the state secrets doctrine is something the Supreme Court will have to decide. But if it doesn’t, there needs to be some other mechanism to hold government accountable for bad behavior even when the government acts under the banner of national security. PPSA supports strong reforms of FISA and other federal surveillance programs with recommendations that include more openness in the FISA court by publishing opinions and allowing outside, independent civil liberties experts as amici to advise on civil liberties.
Secret courts and secret programs should not be evaluated in secret by the same people who run them. Nor should we allow government institutions to hold our freedoms hostage behind an iron curtain of secrecy. Under the FBI’s claim of privilege and the district court’s ruling, we had slid further down that slippery slope.
Will we slide again, this time faster and further down? Or will the Supreme Court or Congress put on the brakes with a ruling in favor of FISA or with an amendment fixing the problem – and affirm our system of checks and balances? We’ll find out some time next year.
ProPublica’s report on the private tax information of the 25 richest Americans is undoubtedly based on the leaking of their returns by someone within the IRS, or someone who has access to IRS databases.
Is this a legitimate exercise of conscience by a whistleblower, or a dangerous violation of privacy by a government insider? PPSA comes down on the side of “dangerous violation.”
Much outrage has been generated by ProPublica’s report that in some years several of these high net-worth individuals avoided paying income taxes. A close reading shows that the wealthiest of the wealthy pay little in “income” taxes because they earn their money from capital gains, which are taxed differently.
Knowing what the wealthy pay – or don’t pay – is a legitimate topic of debate. Having anonymized information about their payments informs that debate. Telling us that Elon Musk – in a given year – paid no income taxes should concern every civil libertarian.
Charles C.W. Cooke neatly summarizes what is at stake:
“Oh, who cares?” you might ask. “The victims are billionaires!” And indeed, they are. But I care. For a start, they’re American citizens, and they’re entitled to the same rights — and protected by the same laws — as everyone else. Their privacy does not matter less than mine just because they’re richer than I am. Besides, even if one wants to be entirely amoral about it, one should consider that if their information can be spilled onto the Internet, anyone’s can. And, if you were in their shoes, you’d probably care a lot more than they do. A government that is this reckless or sinister with the information of men who are lawyered to the eyeballs is unlikely to worry too much about being reckless or sinister with your information.
The revelation of privacy lapses at the IRS comes at a time when the Supreme Court is considering whether the state of California can constitutionally demand disclosure of donor information listed on IRS Schedule B – despite the fact that California has handled that very information with grotesque security lapses. While California assures us that it now takes privacy more seriously, it has no protections comparable to IRS protections for tax information. And even those IRS protections were not enough to stop the most recent leak.
Lest we fall into the trap that government is benign, responsible, and not to be feared when in possession of highly sensitive private information, the latest revelation of a leaky IRS is a timely reminder that such trust is often unwarranted.
Following Revelations of DOJ Spying, PPSA Pledges to Share Any Response from NSA on Overdue FOIA Request Regarding Surveillance of Congress
Late Thursday, news broke that the Department of Justice (DOJ) under the prior Administration accessed metadata belonging to members of the House Intelligence Committee, their aides and family members, including a minor.
The New York Times, which broke this story, called DOJ’s move an “extraordinary step of subpoenaing communications metadata from Members of Congress – a nearly unheard-of move outside corruption investigations.”
But was it? Or is it the first glint from an iceberg’s tip?
In December, 2020, PPSA anticipated this issue by filing a Freedom of Information Act request seeking records from NSA and five other departments and agencies on the possible surveillance of 48 current and former Members of Congress, including House Intelligence Committee Chairman Adam Schiff and then-Sen. Kamala Harris.
After NSA rejected this FOIA request, PPSA appealed the agency’s decision. The agency reversed its position pledging to process the records request, though the agency is now past the statutory deadline to produce responsive records.
In May, PPSA filed another FOIA request asking DOJ to produce records on how the department might be modifying, implementing or replacing two key memos establishing safeguards against the political misuse of federal investigations. PPSA had previously asked the department to make permanent rules requiring heightened scrutiny when federal officials, candidates and staff are targeted for surveillance. Meanwhile, a PPSA lawsuit to compel agency responses remains pending.
“As soon as we get information from NSA regarding the potential surveillance of Members of Congress, we’ll report that,” said Gene Schaerr, general counsel of PPSA. “And we are doubling down on our call for DOJ to make permanent rules regarding the investigation of federal officials and candidates.
“The First Amendment implications of investigations of Members of Congress are obvious,” Schaerr said. “Intelligence agencies under both Republican and Democratic administrations have shown a capacity to play fast-and-loose with surveillance. It is time to clean that up.”
Don’t Try Exercising Your Right to Record the Police in Colorado, Kansas, New Mexico, Oklahoma, Wyoming or Utah
Do you have a right to use your smartphone to record police officers in the course of their public duties? Yes – in the jurisdictions of the First, Third, Fifth, Seventh, Ninth and Eleventh Circuit Courts of Appeal. But don’t try it in Colorado, Kansas, New Mexico, Oklahoma, Wyoming or Utah, where the Tenth Circuit Court protects police officers who knowingly violate a right upheld by their own department policy and training.
Since 1995, courts have increasingly upheld the rights of Americans to film police officers, as long as they are not interfering with the officers’ official duties. Many police officers were just fine with being recorded for now-cancelled television shows such as Cops or Live PD, but when a private citizen is the one behind the camera, some still take a different view. Had the courts not intervened, the extinguishing of George Floyd’s life would likely have never been judged a crime.
Enter the Tenth Circuit Court of Appeals in Denver, which shines a light on one of the greatest paradoxes in American jurisprudence – the self-negating logic in some federal courts. In 2014, Denver police knowingly prevented a man from recording an arrest before performing an illegal search of his electronic tablet. The word “knowingly” is used here because the City of Denver made sure its officers knew citizens had a right to record the public actions of police officers, and the officers involved in the illegal search had received such training the year before.
As recounted in grand detail by the Cato Institute’s Jay Schweikert, because no judge on the Tenth Circuit Court had made a specific ruling that knowingly violating a citizen’s First Amendment rights in this context is illegal, the court punted. In Frasier v. Evans, the Tenth believed it was left with no choice but to rule that that there was no “clearly established” right to record videos of police, and that the officers involved were entitled to qualified immunity that shields them from any further civil action. Similar logic led Florida’s Fourth District Court of Appeal in May to uphold the arrest of a mother recording her son’s arrest.
Thus, the Tenth Circuit follows the same logic that kept Yossarian flying in Joseph Heller’s Catch-22. The pretzel-twisted logic of the court assures that there can never be a successful challenge to the police because there has never been a successful challenge to the police. Got it?
Even the most established of rights mean little if a federal court refuses to take action against police officers who violate those rights with impunity. Left unchecked, the threat of illegal search and seizure could cause Americans in some parts of the country to think twice before pushing the record button. This is especially true where the only legal recourse one can hope for is a federal court ruling seven years later that the police were wrong – in violation of their own policy and training – but there’s nothing to be done about it.
It is time for the Supreme Court to establish that constitutional rights that exist in some parts of the country also exist in the others.
Ruling Demonstrates Need for Other Checks on Government Misconduct
Are the police breaking the law when, using their official credentials, they access a database for an illicit purpose? This week, in a 6-3 decision, the Supreme Court said no.
In 1986, in response to rising cybercrime, Congress passed the Computer Fraud and Abuse Act (CFAA) to impose criminal punishment on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”
Nathan Van Buren, while a Georgia police sergeant, ran afoul of the CFAA when he conducted a license-plate search on a law enforcement database in exchange for a bribe. Because his department’s policy authorized him to access the database only for law enforcement purposes, Van Buren was convicted for “exceed[ing his] authorized access” and sentenced to 18 months’ imprisonment.
Van Buren appealed to the Eleventh Circuit, arguing that CFAA only applies to those who obtain information to which their authorized access did not extend. The Eleventh Circuit disagreed, adopting a broader view of the statute under which someone exceeds authorized access when that person intentionally accesses information within the scope of one’s credentials, but for an inappropriate reason.
Justice Barrett, writing for the majority, rejected that broader view as contrary to the language of the statute. Interpreting the CFAA definition of “authorized access” as creating a simple “gates-up-or-down” inquiry, she concluded that the statutory language imposed criminal liability only when a person accessed a computer system—or areas within that system—beyond what their official credentials would allow. Because Van Buren’s license-plate search violated his departmental policy but was performed with valid credentials, he did not exceed his authorized access under the CFAA.
Justice Barret’s opinion warned that a broader reading of the CFAA could have the effect of “criminaliz[ing] every violation of a computer-use policy”—potentially subjecting “millions of otherwise law-abiding citizens” to criminal punishment for relatively harmless acts like sending personal emails or checking the news on a work computer.
Nevertheless, the Court’s ruling has the effect of immunizing bad-faith government actors who abuse their official computer- and database-access.
The Supreme Court’s decision highlights a critical need for other enforcement tools to check government misconduct.
While PPSA recognizes both the legal and policy reasons underlying the Court’s decision, Van Buren removes the threat of criminal prosecution as a deterrent to government computer-search abuses. If the CFAA’s broad criminal liability is too sweeping a tool to prevent the ever-present danger of government overreach, then clearly a more appropriate mechanism is needed. New legislation, perhaps targeted just to official government misconduct, could avoid overcriminalization while giving official-use policies some needed teeth.
Do Fourth Amendment rights against unreasonable searches and seizures apply at the border? Or is the border zone of airports and other ports of entry a kind of legal no-man’s land?
These questions arise from two growing trends at the border.
One is the announced rollout of facial recognition technology and other biometric surveillance by Customs and Border Patrol of every non-citizen who arrives at a U.S. airport – a practice the Transportation Security Administration is experimenting with for U.S. citizens. The other is the existing practice of accessing the contents of returning citizens’ cellphones, laptops and other electronic devices.
Your Passcode, Please
Regarding the latter trend, Americans are learning that our personal information is not protected by the Fourth Amendment at the border. In 2017, Sidd Bikkannavar, an employee of NASA’s Jet Propulsion Laboratory, was returning to George W. Bush Intercontinental Airport in Houston when he was detained by Customs and Border Patrol agents. He was told he could not leave until he gave CBP agents his access PIN to his phone.
Bikkannavar was deeply concerned because the phone in his possession belonged to NASA – a claim validated by a JPL barcode on the back. The device contained information that JPL was adamant not be copied or shared. CBP insists that it cannot compel someone to unlock their phone, but many like Bikkannavar report that the alternative is to live in the airport.
Such searches can be done with a surface examination of the contents – such as an eyeball scan of the files on a computer’s desktop screen. They can also be “forensic” examinations, in which a thumbdrive is plugged into device in order to perform a deep scan of its contents.
In an ACLU petition with the Electronic Frontier Foundation, now before the U.S. Supreme Court (Merchant v. Mayorkas), 11 U.S. citizens are suing over having their electronic devices examined at the border without a warrant or reasonable suspicion. Plaintiffs include a military veteran, journalists, an artist and a business owner, as well as Sidd Bikkannavar. Several of them are Muslims and people of color.
In an earlier version of this case, a federal district court had ruled that a reasonable suspicion was needed to manually or forensically examine a device. The U.S. Court of Appeals for the First Circuit overturned that ruling. But lower courts have held that forensic searches of electronic devices require reasonable suspicion of a crime.
Will the Supreme Court resolve these contradictions?
Your Face on File
CBP is also proposing to collect and store facial surveillance of non-citizens at every point of entry into the United States. TSA is conducting tests with volunteers for this technology at Washington’s Reagan National Airport, including U.S. citizens.
The stated intent is to shorten lines. Despite this technology’s convenience, however, facial recognition has the sinister aspect of subjecting people to continuing surveillance. Targets can be tracked by hidden security cameras or covertly operated cellphones without their knowledge, much less permission. ACLU writes: “Once government acquires a person’s faceprint, it creates a risk of a unique and unprecedented form of persistent surveillance, one that allows the government to identify and track people without their knowledge.”
Given the high false-positive rate of facial recognition technology for people of color – witness the ordeal of Robert Williams of Detroit, who was arrested after a false positive – and the fact that DHS plans to hold individual’s facial data for 75 years, it is easy see how this technology could lead to abuses. It is also easy to imagine how TSA’s experiment could lead to the use of this technology to surveil U.S. citizens and create a database of American faces.
All of these issues point to the need for clarity: Does the Fourth Amendment apply at the border or not? The U.S. Supreme Court has ruled that “the Fourth Amendment’s balance of reasonableness is qualitatively different at the international border than in the interior.”
But different how?
The arrival of powerful and intrusive technology should persuade the Supreme Court to at least consider where to draw the lines.
Lawsuit Concerns Secretive Powers of Executive Order 12333
The Project for Privacy and Surveillance Accountability filed suit today against the Privacy and Civil Liberties Oversight Board that will be a major test case of whether laws governing Freedom of Information Act requests must be obeyed. It also seeks to reveal the extent to which the Board has performed – or not performed – its watchdog role over non-statutory surveillance authorities conducted in secret.
“PCLOB is tasked with oversight of U.S. intelligence agencies, to protect against the possibility of abuse of civil liberties,” said Gene Schaerr, PPSA general counsel. “It is supposed to be our watchdog against such encroachments. The need for this lawsuit demonstrates, in fact, that PCLOB is more like a lazy pooch sleeping at the feet of its masters.
“We will demonstrate to the court that the Board is ignoring the law,” he said.
PPSA’s filing builds on a FOIA request from Patrick Eddington of the CATO Institute asking for records in April, 2019, from the Board concerning reports, and correspondence with agencies, about Executive Order 12333.
Sen. Richard Burr, former chair of the Senate Select Committee on Intelligence, alarmed civil libertarians everywhere when he took to the Senate floor to declare that under 12333 authority, the executive branch can do whatever it wants, without “guardrails” or statutory authority for mass surveillance.
The Board confirmed to Eddington that it completed at least one “deep dive report” under Executive Order 12333 concerning at least one federal agency, but withheld that report. It refused to release any records regarding agency refusals to provide information requested by the Board. In a follow on letter to the Board, PPSA concluded: “It appears from these responses that the Board has censored itself at the direction of the very agency subject to its oversight.”
PPSA filed its own FOIA request on Sept. 16, 2020, asking PCLOB to produce records mentioning the Eddington request or any denial or other responses to it. PPSA also doubled down on requests for information about 12333.
“We gave the Board far more than the maximum thirty business days from our FOIA request,” Schaerr said. “It is time to turn to the courts to determine if the laws governing FOIA requests must be respected by PCLOB, or if the law can be effectively ignored.”
“The needless secrecy surrounding the surveillance court is bad for the court, the intelligence agencies and the public – and it is also unconstitutional,” write three seasoned civil liberties experts in today’s New York Times.
The op-ed, signed by David Cole, legal director of the American Civil Liberties Union, Jameel Jaffer, executive director of the Knight First Amendment Institute at Columbia University, and former Solicitor General Theodore Olson, supports an ACLU petition to the U.S. Supreme Court to consider the Foreign Intelligence Surveillance Court’s secret opinions.
They recount some useful history. That court authorized the government to collect records on most phone calls made or received in the United States, detailing who called whom, when, and for how long – all without any suspicion of illegal activity.
In another opinion, the court upheld the government’s practice of scanning Americans’ emails for intelligence purposes as those communications enter and leave the country.
More recently, it permitted the FBI to fish for information about Americans in huge databases of international emails, online messages and web chats obtained without probable cause.
Four days ago, PPSA filed an amicus brief in support of the ACLU petition. PPSA asked the Court to consider the following question:
“How can the American people learn of, debate, and cast informed votes relating to what the Executive Branch—or, for that matter FISC [the ‘secret surveillance court’] —is doing in their names if the government refuses to disclose that information?”
In today’s op-ed, the authors note that the “surveillance court’s suggestion that it is not subject to the usual constraints of the First Amendment – and, indeed, that it lacks authority even to consider the First Amendment question – has only engendered suspicion of the court, and of the surveillance the court approves.”
For all these reasons, PPSA will continue to vigorously support ACLU’s petition.