OCR for page 150
Appendix F
Privacy-Related Law and Regulation: The State of the Law and Outstanding Issues
The law intended to guide intelligence operations is complex and has failed to keep up with the significant changes in terrorist threats, surveillance technologies, and the volume, variety, and accessibility of digital data about individuals. The absence of a coherent and up-to-date legal framework has contributed to undermining trust in intelligence activities. A brief description of that law along with an explanation of its inadequacies will help illustrate why.
F.1 THE FOURTH AMENDMENT
F.1.1 Basic Concepts
The government has very broad power to obtain personal information. Historically, the primary constitutional limit on that power is the Fourth Amendment, which reflects the Framers’ hostility to general searches. A general search is a search that is not based on specific evidence that allows the search to be targeted as to the location of the search or the type of evidence the government is seeking. The purpose of the Fourth Amendment was to forbid general searches by requiring that all searches and seizures must be reasonable and that all warrants must state with particularity the item to be seized and the place to be searched.
The Fourth Amendment requires that warrants be issued only “upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Federal law defines “probable cause” to mean “a belief that an individual is committing, has committed, or is about to commit a particular offense” and that the information sought is germane to that crime.[1] The Supreme Court generally requires that the government provide the subject of a search with contemporaneous notice of the search.[2]
Collecting information from a person constitutes a search if it violates that individual’s reasonable expectation of privacy. The Supreme Court has held that a person has a reasonable expectation of privacy in their homes, sealed letters, and the contents of their telephone calls. On the other hand, the Court has determined, for example, that warrants are not required to search or seize items in the “plain view” of a law enforcement officer,[3] for searches that are conducted incidental to valid arrests,[4] or to obtain records held by a third party, even if those records are held under a promise of confidentiality.[5] The Court has interpreted this last exception broadly to find that the Fourth Amendment is inapplicable to telecommunications “attributes” (e.g., the number dialed, the time the call was placed, the duration of the call, etc.), because that information is necessarily conveyed to, or observable by, third parties involved in connecting the call.[6]
Moreover, the Fourth Amendment poses no limits on how the government may use information, provided that it has been obtained legally, and some limits on the use of data obtained illegally. Consequently, personal data seized by the government in compliance with the Fourth Amendment may later be used in a context for which the data could not have been obtained lawfully. The rest of this section addresses two important examples of areas in which the evolution of technology and new circumstances suggest that current Fourth Amendment law and practice may be outdated or inadequate.
F.1.2 Machine-Aided Searches
In some ways, machine-aided searching of enormous volumes of digital transaction records is analogous to a general search, especially if those records contain highly sensitive information. Much like a general search in colonial times was not based on specific evidence or limited to a particular person or place, a machine-aided search through digital databases can be very broad.
[1] 18 U.S.C. § 2518(3)(a).
[2] Richards v. Wisconsin, 520 U.S. 385 (1997).
[3] Coolidge v. New Hampshire, 403 U.S. 443 (1971).
[4] United States v. Edwards, 415 U.S. 800 (1974).
[5] United States v. Miller, 425 U.S. 435 (1976).
[6] Smith v. Maryland, 442 U.S. 735 (1979).
PROTECTING INDIVIDUAL PRIVACY IN THE STRUGGLE AGAINST TERRORISTS
Existing Fourth Amendment law speaks to such searches only in limited contexts, however. The Fourth Amendment requires the government to obtain a search warrant when looking through a person’s hard drive or private e-mail, for example. It also requires that the warrant specify the type of evidence the government is seeking. It may also require a warrant or a subpoena to collect information that is inside a database. However, if the government collects data in compliance with the Fourth Amendment, and then it aggregates the data into a database, the process of searching through the database is not itself regulated by the Fourth Amendment. Even if the government violates the Fourth Amendment when collecting the data, the data may be stored, aggregated, and used for any purpose other than that for which the data were wrongfully accessed. So, for example, the Court has allowed records illegally seized by criminal investigators to be used by tax investigators on the basis that restricting the subsequent use would not deter the original unconstitutional conduct.[7]
Broad machine-aided searches and the government’s reuse of lawfully or unlawfully obtained data raise very important questions of public policy. What standards should govern access to or use of data that has already been collected? Should use of databases or specific analytical techniques such as data mining be regulated at all? If querying a database or running a data mining program on a database constitutes a search, when is such a search “reasonable”? Must the police have a specific individual in mind before searching a database for information on him or her? In the absence of clear standards or guidelines to govern their conduct or even to help them make reasonable judgments, the police cannot do their work. Moreover, what level of legal authorization should guide database queries? If a legal standard is used, is relevance the right standard? Or is something more like reasonable suspicion or probable cause the proper standard to use?
F.1.3 Searches and Surveillance for National Security and Intelligence Purposes That Involve U.S. Persons Connected to a Foreign Power or That Are Conducted Wholly Outside the United States
The Fourth Amendment applies to searches and surveillance conducted for domestic law enforcement purposes within the United States, and those conducted outside of the United States if they involve U.S. citizens (although not necessarily permanent resident aliens). In a 1972 case commonly referred to as the Keith decision, the Supreme Court held that the Fourth Amendment also applies to searches and surveillance conducted for national security and intelligence purposes within the United States if they involve U.S. persons who do not have a connection to a foreign power.[8] The Court, however, recognized that “different policy and practical considerations” might apply in the national security context than in traditional law enforcement investigations, and specifically invited Congress “to consider protective standards for . . . [domestic security] which differ from those already prescribed for specified crimes in Title III.”[9] The Court left open the question of whether the Fourth Amendment applies to searches and surveillance for national security and intelligence purposes that involve U.S. persons who are connected to a foreign power or are conducted wholly outside of the United States,[10] and the Congress has not supplied any statutory language to fill the gap.
[7] United States v. Janis, 428 U.S. 433, 455 (1975).
F.1.4 The Miller-Smith Exclusion of Third-Party Records
As noted in Chapter 1, some legal analysts believe that there is no better example of the impact of technological change on the law than the exemption from the Fourth Amendment created by the Supreme Court for records held by third parties. According to this perspective, such an exemption significantly reduces constitutional protections for personal privacy—not as the result of a conscious legal decision, but through the proliferation of digital technologies that make larger quantities of more detailed information available for inspection than ever before.
Other analysts suggest that as a general point, the protection of privacy is better founded as a matter of statute and regulation (that is, of policy choices) rather than as a matter of Constitutional right.[11] In this view, legislatures have many advantages that enable the legislative privacy rules regulating new technologies to be more balanced, comprehensive, and effective than judicially created rules. These advantages include the ability to act more quickly in the face of technological change than courts are able to do and to appreciate existing technology and the impact of different legal rules. In addition, and specifically relevant to the third party exemption for the privacy of records held by third parties, some analysts argue that without some ability for law enforcement officials to obtain some transactional data without a warrant, criminals and terrorists operating in cyberspace would be largely able to prevent law enforcement from obtaining probable cause to obtain indictments or to investigate more deeply.
[8] United States v. U.S. District Court for the Eastern District of Michigan, 407 U.S. 297 (1972).
[9] Id. at 322.
[10] J.H. Smith and E.L. Howe, “Federal legal constraints on electronic surveillance,” p. 133 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002. Lower courts have found, however, that there is an exception to the Fourth Amendment’s warrant requirement for searches conducted for intelligence purposes within the United States that involve only non-U.S. persons or agents of foreign powers. See United States v. Bin Laden, 126 F. Supp. 2d 264, 271-72 (S.D.N.Y. 2000).
[11] O.S. Kerr, “The Fourth Amendment and new technologies: Constitutional myths and the case for caution,” Michigan Law Review 102:801-888, 2004.
F.2 THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
The Fourth Amendment is not the only restraint on the government’s power to collect and use information through surveillance. The Electronic Communications Privacy Act (ECPA) is a collection of three different statutes that also regulates government collection of evidence in the context of telecommunications networks. The Wiretap Act is amended in Title I of ECPA, and as amended deals with the interception of telephone and Internet communications in transmission.[12] It applies to “wire communications,” although not to video unaccompanied by sound. To intercept communications in transit requires a “‘super’ search warrant,”[13] unless an exception to the warrant requirement applies such as consent. A warrant can only be sought by designated federal officials and requires probable cause, details about the communication to be intercepted, minimization of any non-relevant communications inadvertently intercepted, and termination immediately upon completion. Information obtained in violation of these requirements can subject the responsible agent to minimum damages of $10,000 per violation and is subject to the exclusionary rule (except for e-mail) so that it cannot be used in a subsequent criminal prosecution.
Title II—the Stored Communications Act—which was adopted in 1986, deals with communications in electronic storage, such as e-mail and voice mail.[14] It contains rules that govern compelled disclosure of information from service providers as well as when providers can disclose information voluntarily. Traditional warrants are required to obtain access to communications stored 180 days or less. To obtain material stored for more than 180 days, the government need only provide an administrative subpoena, a grand jury subpoena, a trial subpoena, or a court order, all of which are easier to obtain than a traditional warrant. Non-content information, such as information about a customer’s account maintained by a communications provider, can be obtained by the government either with a subpoena or by providing “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought are relevant and material to an ongoing criminal investigation.”[15] Violations carry a minimum fine of $1,000; no exclusionary rule applies.
[12] Wiretap Act, Public Law 90-351, 82 Stat. 197 (1968) (codified as amended at 18 U.S.C. §§ 2510-2522).
[13] O.S. Kerr, “Internet surveillance law after the USA Patriot Act: The big brother that isn’t,” Northwestern University Law Review 97(2):607-673, 2003.
[14] Stored Communications Act, Public Law 99-508, Title II, § 201, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. §§ 2701-2711).
Title III—the Pen Register Act—which was also adopted in 1986, applies to “pen registers” (to record outgoing call information) and “trap and trace” devices (to record incoming call information).[16] To obtain information akin to what is contained in a phone bill or revealed by “Caller ID,” e-mail header information (the “To,” “From,” “Re,” and “Date” lines in an e-mail), or the IP address of a site visited on the Web, the government need only obtain a court order. The court must provide the order—there is no room for judicial discretion—if the government certified that “the information likely to be obtained by such installation and use is relevant to an ongoing investigation.”[17] The exclusionary rule does not apply to violations of the act.
F.3 THE FOREIGN INTELLIGENCE SURVEILLANCE ACT
While the ECPA regulates surveillance for law enforcement purposes, successive presidents insisted that it did not limit their power to engage in surveillance for national security purposes. In the aftermath of Watergate, the Senate created the Select Committee to Study Government Operations with Respect to Intelligence Activities, chaired by Senator Frank Church (D-Idaho). The Church Committee’s final report, published in 1976, cataloged a wide array of domestic intelligence surveillance abuses committed under the protection of the president’s national security authority.[18] While some must have been plainly understood at the time by their perpetrators to have involved wrong-doing, such as spying on political opponents, many involved what today would be called “mission creep.”[19]
That report, the unresolved nature of the president’s power to conduct domestic surveillance, and the Supreme Court’s 1972 invitation to Congress in the Keith decision to “consider protective standards” in this area all coalesced in enactment of the Foreign Intelligence Surveillance Act (FISA) of 1978.[20] The act creates a statutory regime governing the collection of “foreign intelligence” from a “foreign power” or “agent of a foreign power” within the borders of the United States.
[15] 18 U.S.C. § 2703(d).
[16] Pen Register Act, Public Law 99-508, Title III, § 301(a), 100 Stat. 1868 (1986) (codified as amended at 18 U.S.C. §§ 3121-3127).
[17] 18 U.S.C. § 3123(a).
[18] Senate Select Committee to Study Government Operations with Respect to Intelligence Activities, 94th Congress, Final Report on Intelligence Activities and the Rights of Americans, Book II, April 26, 1976; see also M.H. Halperin, J.J. Berman, R.L. Borosage, and C.M. Marwick, The Lawless State: The Crimes of the U.S. Intelligence Agencies, Penguin Publishing Company Ltd., London, U.K., 1976.
[19] Senate Select Committee to Study Government Operations with Respect to Intelligence Activities, 94th Congress, Final Report on Intelligence Activities and the Rights of Americans, Book II, April 26, 1976.
The act created a special court—the Foreign Intelligence Surveillance Court—of seven (now eleven) federal district court judges. The court meets in secret and hears applications from the Department of Justice (DOJ) for ex parte orders authorizing surveillance or physical searches. All that the government must show is that there is “probable cause to believe that the target of the electronic surveillance is a foreign power or agent of a foreign power”[21] and that gathering foreign intelligence is “the purpose” of the requested order.[22] In 2001, the USA Patriot Act changed this standard to “a significant purpose.”[23] This change and a decision from the three-judge FISA review court created by the statute to hear appeals brought by the government have resulted in making information obtained from FISA surveillance freely available in criminal prosecutions.[24] In 2003, for the first time, the federal government sought more surveillance orders under FISA than under ECPA.[25]
As this report is being written (November 2007), changes to the FISA act are being contemplated by the U.S. Congress. The final disposition of these changes remains to be seen.
F.4 THE PRIVACY ACT
The Privacy Act of 1974 provides safeguards against an invasion of privacy through the misuse of records by federal agencies and establishes a broad regulatory framework for the federal government’s use of personal information.[26] The Act requires federal agencies to store only relevant and necessary personal information and only for purposes required to be accomplished by statute or executive order; to collect information to the extent possible from the data subject; to maintain records that are accurate, complete, timely, and relevant; and to establish administrative, physical, and technical safeguards to protect the security of records.[27] The Privacy Act also prohibits disclosure, even to other government agencies, of personally identifiable information in any record contained in a “system of records,” except pursuant to a written request by or with the written consent of the data subject, or pursuant to a specific exception.[28] Agencies must log disclosures of records and, in some cases, inform the subjects of such disclosures when they occur. Under the Act, data subjects must be able to access and copy their records, each agency must establish a procedure for amendment of records, and refusals by agencies to amend their records are subject to judicial review. Agencies must publish a notice of the existence, character, and accessibility of their record systems.[29] Finally, individuals may seek legal redress if an agency denies them access to their records.
[20] Public Law 95-511, 92 Stat. 1783 (1978) (codified at 50 U.S.C. § 1801-1811).
[21] 50 U.S.C. § 1805(a)(3)(A).
[22] Id. § 1804(7) (prior to being amended in 2001).
[23] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Public Law 107-56, § 204, 115 Stat. 272 (codified at 50 U.S.C. § 1804(a)(7)(B)).
[24] In re Sealed Case, 310 F.3d 717 (FISA Review Court 2002).
[25] P.P. Swire, “The system of foreign intelligence surveillance law,” George Washington Law Review 72(6):1306-1308, 2004. This article provides analysis of the history and details of FISA generally.
[26] 5 U.S.C. § 552a.
The Privacy Act is far less protective of privacy than may first appear, because of numerous broad exceptions.[30] Twelve of these are expressly provided for in the Act itself. For example, information contained in an agency’s records can be disclosed for “civil or criminal law enforcement activity if the activity is authorized by law.”[31] An agency can disclose its records to officers and employees within the agency itself, the Census Bureau, the National Archives, Congress, the Comptroller General, and consumer reporting agencies.[32] Information subject to disclosure under the Freedom of Information Act is exempted from the Privacy Act.[33] And under the “routine use” exemption,[34] federal agencies are permitted to disclose personal information so long as the nature and scope of the routine use was previously published in the Federal Register and the disclosure of data was “for a purpose which is compatible with the purpose for which it was collected.” According to the Office of Management and Budget, “compatibility” covers uses that are either (1) functionally equivalent or (2) necessary and proper.[35]
[27] Id.
[28] Id. § 552a(b).
[29] Id. § 552a(e)(4).
[30] S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002.
[31] 5 U.S.C. § 552a(b)(7).
[32] Id. § 552a(b).
[33] Id. § 552a(b)(2).
[34] Id. § 552a(b)(3).
Moreover, the Privacy Act applies only to information maintained in a “system of records.”[36] The Act defines “system of records” as a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”[37] The U.S. Court of Appeals for the District of Columbia Circuit held that “retrieval capability is not sufficient to create a system of records. . . . ‘To be in a system of records, a record must . . . in practice [be] retrieved by an individual’s name or other personal identifier.’”[38] This is unlikely to be the case with new antiterrorism databases, in which information may not be sufficiently structured to constitute a “system of records” in the meaning of the Privacy Act.
The Privacy Act has also been subject to judicial interpretations which have created new exceptions. For example, courts have found that the following entities do not constitute an “agency”: a federally chartered production credit association, an individual government employee,[39] state and local government agencies,[40] the White House Office and those components of the Executive Office of the President whose sole function is to advise and assist the President,[41] grand juries,[42] and national banks.[43]
As a result, the Privacy Act plays little role in providing guidance for government intelligence activities or limiting the government’s power to collect personal data from third parties. Moreover, the Privacy Act only applies to federal agencies—it does not generally regulate the collection of personal information by private-sector entities. In short, the Privacy Act provides limited protection when government-collected data are involved, and very little when private-sector data are involved.
[35] Privacy Act of 1974, 5 U.S.C. § 552a; “Guidance on the Privacy Act Implications of ‘Call Detail’ Programs to Manage Employees’ Use of the Government’s Telecommunications Systems,” 52 Fed. Reg. 12900, 12993 (1987) (OMB) (publication of guidance in final form); see generally S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002.
[36] 5 U.S.C. § 552a(b).
[37] Id. § 552a(a)(5).
[38] Henke v. United States Department of Commerce, 83 F.3d 1453, 1461 (D.C. Cir. 1996) (quoting Bartel v. FAA, 725 F.2d 1403, 1408 n.10 (D.C. Cir. 1984)).
[39] Petrus v. Bowen, 833 F.2d 581 (5th Cir. 1987).
[40] Perez-Santos v. Malave, 23 Fed. App. 11 (1st Cir. 2001); Ortez v. Washington County, 88 F.3d 804 (9th Cir. 1996).
[41] Flowers v. Executive Office of the President, 142 F. Supp. 2d 38 (D.D.C. 2001).
[42] Standley v. Department of Justice, 835 F.2d 216 (9th Cir. 1987).
[43] United States v. Miller, 643 F.2d 713 (10th Cir. 1981). See generally S. Fogarty and D.R. Ortiz, “Limitations upon interagency information sharing: The Privacy Act of 1974,” pp. 127-128 in Protecting America’s Freedom in the Information Age (Markle Foundation Task Force on National Security in the Information Age), Markle Foundation, New York, N.Y., 2002, supra at 128.
F.5 EXECUTIVE ORDER 12333 (U.S. INTELLIGENCE ACTIVITIES)
Promulgated on December 4, 1981, Executive Order (EO) 12333 regulates the conduct of U.S. intelligence activities.[44] Section 2.2 of EO 12333 sets forth “certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests.” Using a definition of United States person specified in Section 3.4(i) of this order (a United States person is “a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments”), Section 2.3 of EO 12333 establishes constraints on procedures for agencies within the intelligence community (IC) to collect, retain or disseminate information concerning United States persons.
Under EO 12333, only certain types of information may be collected, retained, or disseminated by IC agencies. These types of information include “information that is publicly available or collected with the consent of the person concerned; information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations; information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation; information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations; information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure; information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility; information arising out of a lawful personnel, physical or communications security investigation; information acquired by overhead reconnaissance not directed at specific United States persons; incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and information necessary for administrative purposes.”
[44] The full text of EO 12333 can be found at http://www.tscm.com/EO12333.html.
Under Section 2.4 of EO 12333, IC agencies are required to use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. In addition, this section places certain limitations on various agencies. For example, the Central Intelligence Agency is forbidden to engage in electronic surveillance within the United States except for the purpose of training, testing, or conducting countermeasures to hostile electronic surveillance. In addition, no IC agency is allowed to conduct “physical surveillance of a United States person abroad to collect foreign intelligence, except to obtain significant information that cannot reasonably be acquired by other means.” (See the full text of the EO for additional restrictions.)
F.6 THE ADEQUACY OF TODAY’S ELECTRONIC SURVEILLANCE LAW
The law applicable to surveillance and intelligence gathering and the attention to limitations in the law suggests that the law suffers from what Professor Daniel Solove has described as “profound complexity.”[45] Professor Orin Kerr has written that “the law of electronic surveillance is famously complex, if not entirely impenetrable.”[46] Courts agree with these assessments and have “described surveillance law as caught up in a ‘fog,’ ‘convoluted,’ ‘fraught with trip wires,’ and ‘confusing and uncertain.’”[47]
Why is today’s law regarding electronic surveillance complex? Some of the complexity is certainly due to the fact that the situations and circumstances in which electronic surveillance may be involved are highly varied, and policy makers have decided that different situations call for different regulations. That is, different treatment of electronic surveillance in different situations is a consequence of legislative and executive branch policy choices to treat these situations differently.
But it is another issue as to whether such differences, noted and established in one particular set of circumstances, can be effectively maintained over time. First, circumstances evolve. For example, today’s law includes major distinctions based on the location of the surveillance, the purposes for which the intercepted information is sought, and whether the target is a “U.S. person” or a “non-U.S. person.” Yet these distinctions are difficult to apply in a world of digital communications and networks that do not easily recognize national borders, terrorist threats of foreign origin that are planned or executed within the borders of the United States, and the growing integration of foreign intelligence, domestic intelligence, and law enforcement.
[45] D.J. Solove, “Reconstructing electronic surveillance law,” George Washington Law Review 72, 2004. The article provides a description and analysis of electronic surveillance law in the United States.
[46] O.S. Kerr, “Lifting the ‘fog’ of internet surveillance: How a suppression remedy would change computer crime law,” Hastings Law Journal 54:805-820, 2003.
[47] D.J. Solove, op. cit., p. 1293.
Another important distinction is the historical separation between criminal and national security investigations. Since September 11, 2001, some of the barriers separating criminal and national security investigations have been lowered (for example, the government is now freer to share information gathered by law enforcement in criminal investigations with national security authorities, and vice versa). However, the ECPA and the FISA are based on the existence of clear distinctions between criminal and national security investigations, as reflected in their disparate treatment of information that is collected and stored under each regime.
Second, evolving technologies also complicate the application of laws
and precedents created in an earlier technological era, and at times
existing law seems outpaced by technological change. In 2004, the Department
of Defense Technology and Privacy Advisory Committee (TAPAC) wrote
in its final report:
Laws regulating the collection and use of information about U.S. persons
are often not merely disjointed, but outdated. Many date from the 1970s,
and therefore fail to address extraordinary developments in digital
technologies, including the Internet. . . . Dramatic advances in information
technology, however, have greatly increased the government’s ability to
access data from diverse sources, including commercial and transactional
databases. . . .
. . . Current laws are often inadequate to address the new and difficult
challenges presented by dramatic developments in information technologies.
And that inadequacy will only become more acute as the store of
digital data and the ability to search it continue to expand dramatically
in the future.48
As an example, the ECPA draws a sharp distinction regarding
whether a message is “in transit” or “in storage.” When ECPA was
adopted in 1986, users downloaded e-mail from their service provider
onto their local computer. Messages therefore were not stored centrally
after being read. Today, many e-mail systems are accessed through Web
interfaces, so e-mail is by default stored on servers belonging to third
parties. Thus, according to an analysis by the Center for Democracy and
Technology, “As a result of ECPA’s complex rules, the same email message
will be subject to many different rules during its life span. These
complex rules likely do not match the expectations of email users.”49
48 U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding
Privacy in the Fight Against Terrorism, March 2004, p. 6.
The government exploits such distinctions. The Federal Bureau of
Investigation’s Key Logger System, which records individuals’ keystrokes
on their computers, was designed to collect data only when the users’
machines are not connected to the Internet. When a user logs on, the
keystroke recording stops, so the agency argues that the device is
not capturing communications “in transit,” but merely “in storage,” and
therefore is not required to comply with Title I of the ECPA.50
A second example is that when the statutory authorization was
adopted for the National Security Agency (NSA) to carry out electronic
surveillance outside of the United States, it was highly unusual for
ordinary persons in the U.S. to make international phone calls, and e-mail did
not yet exist.51 Today, the proliferation of information technology into the
population at large means that many ordinary people in the U.S. make
international phone calls and use e-mail, with the result that many more
communications of ordinary people are potentially subject to NSA
surveillance.52 To be sure, a variety of regulations exist to prevent just such
occurrences from intruding on the privacy of ordinary Americans, but it
is undeniable that more communications involving Americans will fall
within the ambit of electronic surveillance directed outside U.S. borders
as global communications increase.
Third, the law today embeds some significant inconsistencies. For
example, the very high protection for communications under Title I of
ECPA does not extend to video surveillance if sounds are not captured
at the same time. Meanwhile, the much weaker protection of FISA does
apply. “Foreign agents therefore receive protection against silent video
surveillance whereas United States citizens do not.”53 Similarly, protection
for stored communications hinges on whether the message has been
stored for more than 180 days. Why? Telephone calls and e-mail receive
significantly different protection from government surveillance without
any apparent reason.
Fourth, key intelligence questions remain without clear answers. For
example, do any of these laws apply to “data mining” or searches for
keywords or relationships conducted by computer? Is it possible to show
probable cause, under either the high standard of Title I of ECPA or the
weaker standard of FISA, for searches that target a pattern of behavior
rather than an identified person? How should opened e-mail and voice
mail messages be treated? DOJ argues that they are merely remotely
stored files and therefore do not fall within the protection of Title II of
ECPA.54 Why aren’t they simply stored communications that are directly
covered by Title II (the Stored Communications Act)?55
49 Center for Democracy and Technology (CDT), Digital Search & Seizure: Updating Privacy
Protections to Keep Pace with Technology, CDT, Washington, D.C., 2006, p. 11.
50 See United States v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001); see generally D.J. Solove,
op. cit., pp. 1281-1282.
51 Center for Democracy and Technology (CDT), Digital Search and Seizure: Updating Privacy
Protections to Keep Pace with Technology, CDT, Washington, D.C., 2006.
52 Ibid.
53 D.J. Solove, op. cit., p. 1293.
Finally, the slow pace at which law has evolved in the face of changing
technologies may have done more to undermine than to enhance
trust in information sharing. The Supreme Court initially refused to apply
the Fourth Amendment to wiretapping at all,56 and it took the Court 39
years to reverse that decision.57 Conversely, in 1934 Congress prohibited
wiretapping in any form and for any purpose.58 It took 34 years before
Congress recognized the potential of electronic surveillance, properly
regulated, to aid law enforcement,59 and another twelve before it
statutorily authorized its use to advance national security.60 Congress also
receives only limited information about surveillance conducted under
ECPA and FISA, and even less about the Administration’s surveillance
conducted outside of this statutory framework. There is no federal
reporting requirement about electronic surveillance by states, which account for
the majority of wiretaps, and only half of the states in fact report statistics
about their wiretap orders.61
54 Computer Crime and Intellectual Property Section, U.S. Department of Justice, Manual
on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
III.B, 2001.
55 For more detailed analyses of gaps and inconsistencies in statutory and Fourth Amendment
protections, see P.L. Bellia, “Surveillance law through cyberlaw’s lens,” George Washington
Law Review 72:1375, 2004; D.K. Mulligan, “Reasonable expectations in electronic
communications: A critical perspective on the Electronic Communications Privacy Act,”
George Washington Law Review 72:1557, 2004; D.J. Solove, “Reconstructing electronic surveillance
law,” George Washington Law Review 72:1264, 2004; P.P. Swire, “The system of foreign
intelligence surveillance law,” George Washington Law Review 72:1306, 2004; O.S. Kerr, “Internet
surveillance law after the USA Patriot Act: The big brother that isn’t,” Northwestern
University Law Review 97(2):607-673, 2003; O.S. Kerr, “Lifting the ‘fog’ of internet surveillance:
How a suppression remedy would change computer crime law,” Hastings Law Journal
54:805-820, 2003.
56 Olmstead v. United States, 277 U.S. 438 (1928).
57 United States v. Katz, 389 U.S. 347 (1967).
58 Communications Act of 1934, ch. 652, § 605, 48 Stat. 1064 (codified as amended at 47
U.S.C. § 605).
59 Omnibus Crime Control and Safe Streets Act of 1968, Public Law 90-351, § 802, 82 Stat.
212 (codified as amended at 18 U.S.C. § 2510-2520).
60 Foreign Intelligence Surveillance Act of 1978, Public Law 95-511, 92 Stat. 1783 (codified
at 50 U.S.C. § 1801-1811).
61 D.J. Solove, op. cit., p. 1296.
What does the analysis above imply for changing today’s law regarding
electronic surveillance? There is broad agreement that today’s legal
regime is not optimally aligned with the technological and circumstantial
realities of the present. But there is profound disagreement both about
whether the basic principles underlying today’s regime continue to be
sound and about the directions in which changes to today’s regime ought
to occur. Some analysts believe that privacy has suffered as the result
of an increasing gap between technology/circumstances and the more
slowly changing law, while others believe that technological change is
upsetting the traditional balance away from the legitimate needs of law
enforcement and national security.
F.7 FURTHER REFLECTIONS FROM THE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE REPORT
Many of the issues discussed above were also flagged in the report
issued by the TAPAC, a bipartisan panel of independent legal experts and
former government officials appointed by Secretary of Defense Donald
Rumsfeld in the wake of the TIA [Total/Terrorist Information Awareness
program; see Appendix J] debacle. For example, the report noted that the
risks to informational privacy of government data mining efforts were
exacerbated by disjointedness in the laws applicable to data mining. Thus,
programs that appear to pose similar privacy risks are subject to a variety
of often inconsistent legal requirements. Such inconsistencies, the report
argued, reflected “the historical divide in the United States between laws
applicable to law enforcement and those applicable to foreign intelligence
and national security activities, as well as the different departments,
contexts, and times in which those programs were developed.”
It also noted that depending on which department developed the
tools, the use of data mining to protect the homeland was either required
or prohibited and that today’s laws regulating the collection and use of
information about U.S. persons were created in the 1970s, and thus do not
take into account recent developments in digital technologies, including
the Internet. Pointing out that “the ubiquity of information networks and
digital data has created new opportunities for tracking terrorists and
preventing attacks,” the report argued that “new technologies [also] allow
the government to engage in data mining with a far greater volume and
variety of data concerning U.S. persons, about whom the government
has no suspicions, in the quest for information about potential terrorists
or other criminals” and that then-current laws were “often inadequate to
address the new and difficult challenges presented by dramatic
developments in information technologies.”
The TAPAC report concludes that “[t]hese developments highlight
the need for new regulatory boundaries to help protect civil liberties and
national security, and to help empower those responsible for defending
our nation to use advanced information technologies—including data
mining—appropriately and effectively. It is time to update the law to
respond to new challenges.”62
62 U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding
Privacy in the Fight Against Terrorism, March 2004, p. ix.