A couple of weekends ago I attended Western State University Law Review’s National Security Symposium, featuring keynote speaker, Dean Erwin Chemerinsky. The dean’s speech focused on the Supreme Court’s “failure” to uphold the Constitution and served as an introduction to the afternoon panel on the constitutionality of the National Security Agency’s (NSA) surveillance programs. The latter panel featured Attorney Todd Gallinger, Professor John Radsan, Professor Ryan Williams, and this blog’s administrator, Professor William C. Snyder.
In his presentation, Dean Chemerinsky asserted that the “reasonable expectation of privacy” test—established by Katz v. United States (389 U.S. 247 (1967)) to determine the applicability of the Fourth Amendment and, if applicability is determined, the reasonableness of warrantless searches and seizures under the Fourth Amendment—“doesn’t work” to protect against the threats of the twenty-first century. I live tweeted during Dean Chemerinsky’s speech (@Tara_Pistorese, #WSULRSymp2014), but was intrigued by the Fourth Amendment assertions by the dean and thought it prudent to devote a blog post to this topic.
To begin, here is the language of the Fourth Amendment for your reference:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
As contributors to this blog and cyber scholars across the nation have argued, “the Supreme Court has repeatedly and consistently held that production of records about you in the hands of third parties[,]” such as metadata housed by your phone company, “does not implicate your constitutional rights. You have no 4th Amendment protections regarding those records, [unless you meet the Katz test.]” This argument finds additional support in Supreme Court cases such as Smith v. Maryland (44 U.S. 735 (1979)) and United States v. Miller (425 U.S. 435 (1976)), where the Court held that no reasonable expectation of privacy exists over phone company or bank records. In other words, searches of such records do not meet the Katz test for implicating the Constitution at all.
Dean Chemerinsky’s argument, however, was more concerned with what he considers to be an outdated test that must be amended than with the constitutionality of searches that have thus far been conducted under the standard as presently articulated. Specifically, the dean said, “What the Supreme Court needs to do, but has not yet done, is develop a theory of informational privacy.”
In Katz, which eventually established the “reasonable expectation of privacy” standard, the majority discussed the Fourth Amendment and the proper scope of its protections as follows:
[T]he Fourth Amendment cannot be translated into a general constitutional ‘right to privacy.’ The Amendment protects individual privacy against certain kinds of government intrusion, but its protections go further, and often have nothing to do with privacy at all. Other provisions of the Constitution protect personal privacy from other forms of governmental invasion. But the protection of a person’s general right to privacy—his right to be let alone by other people—is like the protection of his property and of his very life, left largely to the law of the individual states. . . .
[T]he Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected (citations omitted).
Later, Justice Harlan’s concurring opinion explicated the words of the majority by saying (again, internal citations have been omitted):
I join the opinion of the Court, which I read to hold only (a) that an enclosed telephone booth is an area where, like a home, a person has a constitutionally protected reasonable expectation of privacy; (b) that electronic as well as physical intrusion into a place that is in this sense private may constitute a violation of the Fourth Amendment; and (c) that the invasion of a constitutionally protected area by federal authorities is, as the Court has long held, presumptively unreasonable in the absence of a search warrant. . . .
The critical fact in this case is that ‘(o)ne who occupies [a telephone booth,] shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume’ that his conversation is not being intercepted. The point is not that the booth is ‘accessible to the public’ at other times, but that it is a temporarily private place whose momentary occupants’ expectations of freedom from intrusion are recognized as reasonable (emphasis added).
Using Katz as a foundation, in my mind, Dean Chemerinsky’s proposal to change the standard upon which we consider searches and seizures with a technological component would require either: (1) broadening the current standard, or (2) employing a separate standard only for instances concerning “informational privacy.” In either case, my question, generally, is: are we prepared to sacrifice elements of security in the name of this expanded right to privacy?
During the NSA panel at the same Western State University Symposium two weekends ago, Professor Ryan Williams discussed this trade-off between privacy and security and the implications of sacrificing one over the other. Interestingly, Professor Williams posited that the word “sacrifice” itself implies an element of “knowledge”—in other words, you cannot sacrifice that which you do not know you are surrendering. Think about this in the context of the NSA metadata collection program. According to Professor Williams, it cannot be considered a “sacrifice” to permit the government to collect metadata from our phone calls in the name of increased security if we are not made aware that the government is doing so.
I cannot say I entirely agree with Professor Williams on this point, for I think there may be instances where sacrifice could be simply the willingness not to know. (My mind goes to the families of servicemen and women who are on classified assignment. Would anyone argue that a mother or father’s willingness not to know the specifics of their son or daughter’s mission is not a sacrifice?) Could it not be just as compellingly asserted that, if I choose security over privacy, I am making a sacrifice by accepting that there are actions the government may take in the name of security of which I choose not to know? To me, the willingness not to know of certain government programs is just as much a sacrifice as an explicit authorization of those activities.
However, even accepting that “knowledge” is somehow inherent in the concept of sacrifice, I would argue that the “reasonable expectation of privacy” test, against which Dean Chemerinsky advocates, at least contemplates “knowledge” by identifying instances where I am not entitled to it.
In other words, by identifying that there are circumstances under which our expectation of privacy would be “unreasonable,” the Court has effectively determined that we are not entitled to knowledge of government intrusion in those cases. Thus, the Supreme Court has apparently drawn a line between security and privacy for us.
For example, when the NSA collects metadata from my phone calls, I am still sacrificing some of my privacy in the name of increased security even if I do not have true knowledge that it is occurring. This is because, under the Katz standard, any expectation of privacy I have over that data would be unreasonable. Am I entitled to “knowledge” if I don’t have a reasonable expectation to privacy? When we think about it in this context, perhaps the Katz standard can be effectively applied in the technological or cyber realm.
Covering our previous posts on cyber proliferation and export controls (Wassenaar Agreement, Hacking Team, Exploit Sales, i.a.), this research paper provides a comprehensive political and technological analysis of current regimes in place in the United States, Great Britain, and Germany that relate to the export of surveillance technology. The report was published in March as a joint research project of the New America Foundation, the Open Technology Institute, Privacy International, and Digitale Gesellschaft.
The authors conducted their research guided by the insight that government regulation may have negative impacts on technological innovation and trade, pointing out concerns and ensuring “targeted and careful policy analysis to avoid negative consequences.” As a key finding, the authors conclude that
existing export control regulations have become out-dated and have not kept up with new technology.
Today, Richard P. Quinn, National Security Special Agent in Charge for the FBI’s Philadelphia Field Office, gave a statement before the House Homeland Security Committee, Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies. In the statement, Quinn outlined the FBI’s role in cybersecurity. Here are the takeaways:
- The Cyber Threat and the FBI Response. Recognizing the broad range of entities that present a cyber threat–state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists–the FBI is: (1) “prioritizing high-level intrusions”; (2) working in cooperation with federal, state, and local Cyber Task Forces and through the National Cyber Investigative Joint Task Force (NCIJTF); (3) partnering with the private sector; and, (4) coordinating overseas cyber investigations and supporting key partners, such as The Hague.
- Recent Successes. To name a few:
- By “targeting infrastructure [the FBI] believe[s] has been used in distributed denial of service (DDoS) attacks[,]” the FBI has enabled “foreign partners to take action” and reduced the “effectiveness of the botnets and the DDoS attacks”;
- Operation Clean Slate–an FBI Cyber Division initiative to disrupt and dismantle botnets threatening US security–“to date . . . has resulted in several successes[,]” including the disruption of Citadel Botnet and ZeroAccess Botnet;
- Aleksandr Andreevich Panin pled guilty in January of this year to conspiracy to commit wire and bank fraud, charges arising from his role in developing SpyEye, which is “malicious software” that “infected more than 1.4 million computers.”
- Next Generation Cyber Initiative. Briefly, “[t]he FBI’s Next Generation Cyber Initiative, which [it] launched in 2012, entails a wide range of measures, including focusing the Cyber Division on intrusions into computers and networks–as opposed to crimes committed with a computer as a modality; establishing Cyber Task Forces in each of [the FBI's] 56 field offices to conduct cyber intrusion investigations and respond to significant cyber incidents; hiring additional computer scientists to assist with technical investigations in the field; and expanding partnerships and collaboration at the NCIJTF.”
- Private Sector Outreach. “The FBI’s newly established Key Partnership Engagement Unit (KPEU) manages a targeted outreach program focused on building relationships with senior executives of key private sector corporations. Through utilizing a tiered approach, the FBI is able to prioritize our efforts to better correlate potential national security threat levels with specific critical infrastructure sectors.”
Cyber Round Up: SCOTUS Denies Klayman’s Request; China Concerned About Growing Number of Cyber Warriors; Vanity Fair Exclusive with Snowden
- Presiding Foreign Intelligence Surveillance Court Judge Reggie Walton was misled by Department of Justice officials resulting in an erroneous ruling on March 7 that the government should not be permitted to store phone records longer than five years, U.S. News reports. Specifically, DOJ officials failed to inform the Court of preservation of evidence orders issued against the NSA. Without this information, Judge Walton deemed the government’s fear of penalties for deleting older records “far-fetched.” Judge Walton has ordered an apology and explanation from the DOJ, the article further explains.
- According to the New York Times, in an attempt to relieve some of China’s concerns over the U.S.’s intent to triple the number of cyberwarriors it employs by 2016, the Obama Administration has “quietly held an extraordinary briefing for the Chinese military leadership on . . . the Pentagon’s emerging doctrine for defending against cyberattacks against the United States—and for using its cyber technology against adversaries, including the Chinese.” The Times further reports that Defense Secretary Chuck Hagel is concerned about “the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China.”
- Jamshid Muhtorov, a Colorado resident charged with providing material support to a terrorist organization, has become the first defendant to challenge the constitutionality of the law authorizing foreign intelligence surveillance without a warrant, the Los Angeles Times reports. Although Mr. Muhtorov’s defense team has thus far not been allowed to see classified evidence in the case, the team believes Mr. Muhtorov’s phones were secretly tapped and emails read pursuant to this law.
- Klayman’s unconventional request that the Supreme Court expeditiously rule on the constitutionality of the NSA surveillance programs has been denied, Reuters reports.
- Here’s a link to Vanity Fair’s exclusive interview with Edward Snowden.
- The U.S. Army Military Academy at West Point has established a cyber warfare research institute and plans to build “a cyber brain trust unprecedented within the service academies,” according to USA Today. Through these programs, elite cybertroops will be trained, with seventy-five positions available to scholars of technology, psychology, history and the law, and other relevant areas of expertise over the next three years.
- According to Ars Technica and an FCC filing, in-flight WiFi provider GoGo has voluntarily exceeded the information sharing requirements imposed by the government, a choice that has been criticized by the ACLU. GoGo claims its decision was born out of a desire to thwart spammers and protect against other network vulnerabilities.
- A new report authored by an independent group led by former Attorney General Richard Thornburgh indicates that “lax security at NASA centers has compromised the agency’s sensitive technology network,” reports Asbury Park Press. Here’s a link to Mr. Thornburgh’s written statement before the House Committee on Appropriations on April 8.
As promised, here is a mini round up detailing the public’s response, generally, to President Obama’s NSA reform proposal:
- The Hill reports that Obama’s proposal is “sure to come under fire as it heads to Congress.” The report notes several possible reasons. Here are a few:
(1) Although lawmakers have generally expressed support for the idea of ending collection and storage of metadata, there is disagreement over the proper manner in which government agents should be permitted to search for records.
(2) Some have expressed concern over the proposal’s failure to address other “symptom[s] of the NSA’s overreach.” As Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute reportedly put it, “Any proposal to address the problem of bulk data is fatally incomplete if it doesn’t prohibit bulk collection of any kind of record under any of the NSA’s different legal authorities.”
(3) “A big factor affecting the outcome of the president’s proposal is who gets authority.” This is because, as the article explains, the Judiciary Committee would traditionally have jurisdiction over matters concerning foreign intelligence. But, the House Intelligence Committee “was given primary authority over its leaders’ bill[.]”
This last point brings me to the next article I want to highlight.
- Politico reports that Bob Goodlatte (R-Va), House Judiciary Committee Chairman, declared his intent to “fight any effort to move [NSA] surveillance reform legislation to the House floor without going through his panel.” Goodlatte further indicated that, although input from the House Intelligence Committee is welcomed, the Judiciary Committee should be the central venue in charge.
- In a separate article, Politico identifies an additional hurdle—“no major force pushing for the changes.” As the report explains, the NSA’s Section 215 authority is set to expire in June of next year; however, “rank-and-file lawmakers . . . caution that there’s no serious pressure coming from home to support the kinds of changes Obama wants.”
- Alex Jones’ Info Wars has also come out and criticized private companies for failing to take a more active approach in order to force legislation on this issue. Trevor Timm of the London Guardian stated, Facebook and others are “holding fire” when it comes to pushing reform on the hill. But, “[t]he keepers of the everyday [I]nternet seem to care more about PR than helping their users. The truth is, if the major tech companies really wanted to force meaningful surveillance reform, they could do so tomorrow.”
- The Brennan Center’s Elizabeth Goitein has also identified what some believe is a hole in the President’s proposal, MSNBC reports. “The problem is there are no meaningful limits on what [the government] can do with [the] data, the only limits are on what they have to do to get the data,” Goitein reportedly said.
On March 20, 2014, the German Bundestag, the country’s federal parliament, formed a parliamentary investigative commission to probe the surveillance activities of the 5-eyes states, in particular of the National Security Agency (NSA) and the British Government Communication Headquarters (GCHQ), that targeted and involved Germany. The inquiry panel has taken up work, as the German Attorney General has filed charges neither against the NSA, nor against the German government. In February, the Chaos Computer Club and the International Federation for Human Rights filed a criminal complaint against the German government (we blogged about that matter 8 weeks ago).
Germany’s international news outlet Deutsche Welle (DW) covers the investigation in English. As the commission has not yet been able to agree on what role Edward Snowden should play in the process, DW reported two days ago about the resignation of its chairman Clemens Binninger. “A parliamentary inquiry’s first order of business should not be to serve party-political profiling,” Binninger said according to DW, referring to the unresolved question of whether Snowden should be heard as a witness or not. The oppositional Green and Left Party representatives are pressing to summon Snowden as a crucial witness. In contrast, the representatives of the ruling Christian and Social Democrat party factions delayed the decision and will, according to DW, not take it until after Chancellor Merkel’s visit to the United States in 3 weeks.
It is worth following the happenings on the inquiry panel, as, to me, they reflect the dilemma of German politics to resolve the contradicting interests of a flawless examination of the 5-eyes’ invasive intelligence collection and keeping the diplomatic relationship with the United States in good terms.
Today, the Canadian Broadcasting Corporation (CBC) recounted the happenings around the Heartbleed Bug, a pervasively occurring vulnerability of the widespread OpenSSL cryptographic software that was revealed by Google and a Finnish security firm on Monday. Along with the public notification, the information website heartbleed.com was established, explaining that “[t]he Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software[,]” allowing attackers to eavesdrop on communications and steal sensitive data among others. On his security blog, cryptography guru Bruce Schneier mentioned 500K sites to be vulnerable, classifying the level of how catastrophic the event is on a scale from 1 to 10 as 11.
I found that the coverage of the incident gained another momentum just a few hours ago, when Bloomberg reported that the National Security Agency (NSA) had exploited the vulnerability for “at least two years [...] and regularly used it to gather critical intelligence,” according to “two people familiar with the matter.” USA Today cited an official statement of the NSA denying knowledge of the Heartbleed Bug.
Reviewing the news of this week, two major implications in terms of cyber security policy seem to be represented by the Heartbleed Bug:
- As CBC mentioned: “Disclosing a web problem also means alerting hackers.” The more widespread the vulnerability, the less co-ordinated the patch. This can lead to differing times of exposure to the alerted hackers. On the one hand, the many users of the vulnerable systems (e.g. different banks, or the website of the Canadian Revenue Agency, which has been compromised) patch the vulnerability at different times. On the other hand, user notification about potential compromises happens at varying paces. As a result of the Heartbleed disclosure, according to CBC, “there has been confusion among consumers about what they should be doing, including whether they should be altering their passwords.” For more on the issue of breach notification on Crossroads, follow this link.
- Regardless of whether the NSA knew about Heartbleed and exploited it or not, intelligence collection does use exploits to accomplish its mission (see also our coverage of exploits in cyber security). The dilemma is obvious to me: national security interests confront those of millions of users who rely on a system which is known to be insecure to those who are tasked to guard them.
Symposium Tomorrow: “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program”
Western State University’s Law Review is hosting a symposium tomorrow entitled, “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program.” Dean at University of California–Irvine School of Law, Erwin Chemerinsky, will be the keynote speaker. The symposium, moderated in part by Professor Ryan T. Williams, will also feature two distinguished panels. The first panel is on the lethal use and legality of unmanned aerial vehicles and, later, there will be a panel on the NSA surveillance programs.
The latter panel, on which this blog’s administrator, Professor William C. Snyder, will sit as a contributor, will analyze the current NSA surveillance programs through the lens of constitutional law, the proper scope of the public’s knowledge on NSA and other government surveillance programs, and the hot and ever-controversial issue of whether Edward Snowden is a patriot or a villain.
The symposium tomorrow, April 12, will run from approximately 8:30am until 5pm at Western State University College of Law.
I just wanted to make available to you the following statement, which was released jointly by Attorney General Eric Holder and Director of National Intelligence James Clapper on March 28.
Joint Statement by Attorney General Eric Holder and Director of National Intelligence
Cyber Round Up: DOJ Pushes for Increased Hacking Abilities; Google Appeals Turkish YouTube Blackout; Microsoft Ends “Snooping” Practices
- The DOJ is advocating for less stringent standards to obtain warrants to hack the computers of criminal suspects, the Wall Street Journal Blog reports. “The Justice Department effort is raising questions among some technology advocates, who say the government should focus on fixing the holes in computer software that allow such hacking rather than exploiting them.” DOJ investigators, however, say increased flexibility is necessary in this regard “especially when multiple computers are involved or the government doesn’t know where the suspect’s computer is physically located[,]” according to WSJ.
- Shortly after the Turkish government blocked citizen access to Twitter, officials made a similar play against YouTube, according to AP reports. (Here’s the link to the “Cyber Round Up” on the initial social media block). Again, these actions came just days before crucial local elections were held, the results of which have still not been released. (Although, as the WSJ reports, “[O]ne thing is clear: the secularist opposition suffered a walloping by Prime Minister Recep Tayyip Erdogan, failing to capitalize on corruption allegations, bans on social media and ongoing dissent.”) WSJ also reports that Google, Inc. has appealed the YouTube blackout in the Turkish courts.
- A perspective piece by columnist Hiawatha Bray published in the Boston Globe argues that, although we may seem doomed to become a “surveillance state,” “by combining anonymizing technology with tougher legal limits on access to location data, each of us might be able to preserve a cocoon of location privacy.” As an interesting side note, this piece reveals the results of location data research that shows, “if you track someone’s cellphone-usage patterns over a three-month period, you could probably predict where this person will be with an accuracy of 93 percent.”
- Wired reports that the cyber attack on Target, Neiman Marcus, and others just months ago has resulted in a class action lawsuit that calls into question whether third-party companies responsible for certifying the security of credit card-accepting entities, like Target, should be held liable in the event of a breach.
- A New York Times blog reports that Microsoft recently announced an end to its policy permitting “snooping” on private customer communications during the course of an investigation into stolen property. Here’s the announcement by Microsoft general counsel, Brad Smith.
- According to K&L Gates’ “European Regulatory Watch,” the outcome of a current debate over whether to overhaul the privacy protection framework in place in the EU “could shape the future of the digital economy, particularly with privacy and cyber sovereignty becoming key talking points in transatlantic diplomacy since the Snowden/NSA case.”
is completing her Juris Doctor and Masters of Public Administration degrees at the Maxwell School of Citizenship and Public Affairs and the College of Law of Syracuse University. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.