Systematic Government Access to Private-Sector Data in the United States I
Abstract and Keywords
After the September 11 attacks, law enforcement's mission expanded to include, at times even prioritize, the general “prevention, deterrence and disruption” of terrorist attacks, which presumed a new emphasis upon threat detection and identification by analyzing patterns in larger, less specific bodies of information. Indeed, the unprecedented level of “third-party” possession of information inevitably makes the private sector the most reliable and comprehensive source of information available to law enforcement and intelligence agencies alike. This chapter explores the potential applications of systematic government access to data held by third-party private-sector intermediaries that would not be considered public information sources but, rather, data generated based on the role these intermediaries play in facilitating economic and business transactions (including personal business, such as buying groceries or staying at a hotel on vacation).
After the September 11 (9/11) attacks, law enforcement’s mission expanded to include, at times even prioritize, the general “prevention, deterrence and disruption” of terrorist attacks, which presumed a new emphasis upon threat detection and identification by analyzing patterns in larger, less specific bodies of information.
Moreover, after 9/11, law enforcement was integrated into a much larger intelligence gathering operation directed at “connecting the dots” proactively, in order to avert the next terrorist attack. This new focus, spread across a broad range of federal and state agencies, has created a voracious appetite for information—data found most often in the possession of industry, given consumer use of new technologies to facilitate personal, social, business, and economic transactions.
Indeed, the unprecedented level of “third-party” possession of information inevitably makes the private sector the most reliable and comprehensive source of information available to law enforcement and intelligence agencies alike. Notwithstanding the impacts on business costs or innovation—whether for a criminal or intelligence terrorism matter or more traditional crimes where perpetrators leave electronic fingerprints with a host of third parties—there is an expectation by law enforcement, intelligence agencies, and even legislators that industry third parties will facilitate real-time government access to data when needed, and that these data will be in possession of the relevant private entities if and when a government agency realizes their potential investigative value.
This chapter will explore the potential applications of systematic government access to data held by third-party private-sector intermediaries that would not be considered public information sources but, rather, data generated based on the role these intermediaries play in facilitating economic and business transactions (including personal business, such as buying groceries or staying at a hotel on vacation).
II. Introduction and Overview
Following the September 11th attacks, the mission of police and prosecutors expanded dramatically. Before that date, most law enforcement resources were allocated for the post-facto investigation or prospective prevention of specific crimes (such as organized crime and drug trafficking investigations), with far fewer devoted to intelligence collection and threat detection to prevent an attack upon the homeland. After September 11th, however, law enforcement’s mission expanded to include, at times even prioritize, the general “prevention, deterrence and disruption” of terrorist attacks, which presumed a new emphasis upon threat detection and identification by analyzing patterns in larger, less specific bodies of information. Moreover, after 9/11, law enforcement was integrated into a much larger intelligence gathering operation directed at “connecting the dots” proactively, in order to avert the next terrorist attack.
This new focus, spread across a broad range of federal and state agencies, has created a voracious appetite for information—data found most often in the possession of industry, given consumer use of new technologies to facilitate personal, social, business, and economic transactions. Indeed, the unprecedented level of data in the possession of third parties inevitably makes the private sector the most reliable and comprehensive source of information available to law enforcement and intelligence agencies alike. Moreover, although many sources and forms of information are already available to law enforcement, the widespread adoption of Internet of Things (IoT) technology will generate additional forms of metadata, potentially revealing sensitive information that would have been difficult for the government to obtain in the past.
Notwithstanding the impacts on business costs, business reputation, or innovation—whether for a criminal or intelligence terrorism matter or more traditional crimes where perpetrators leave electronic fingerprints with a host of third parties—there is an expectation by law enforcement, intelligence agencies, and even legislators that industry third parties will facilitate real-time government access to data when needed, and that these data will be in possession of the relevant private entities if and when a government agency realizes their potential investigative value.
Perhaps the earliest, most visible post-September 11th expression of the government’s appetite for information came in the form of a data mining project led by the Defense Advanced Research Projects Agency (DARPA), originally named “Total Information Awareness” (TIA), but later, significantly, renamed “Terrorism Information Awareness.”1 The new name might have suggested a new and limiting precision in the scope of the project, but this change should not be read to signal any change, either in practice or in the program’s ultimate goal. In 2002, John Poindexter, retired admiral and director of DARPA’s Information Awareness Office, identified the “transaction space” as one of the “significant new data sources that need to be mined to discover and track terrorists.”2 This “transaction space” included data encompassing communications, financial, education, travel, medical, veterinary, country entry, place/event entry, transportation, housing, critical resources, and government records. As part of the TIA program, DARPA “Red Teams” would develop model attack scenarios and then determine the types of transactions that would be necessary to carry out such attacks in reality.3 These transactions could form patterns that would be discernable in databases to which the government would have lawful access. Having developed targetable patterns of attack precursor behavior, the government, it was proposed, could then search across databases to detect the presence of those patterns.
Although the funding for this kind of “total information awareness” program was ultimately terminated by Congress in 2003, following protests about the privacy impact of such an operation, the kind of threat forecasting through data mining represented by the TIA concept was an early indicator of the role powerful automated suspicion algorithms may increasingly play in law enforcement and intelligence operations. Moreover, the Snowden disclosures, beginning in the summer of 2013, revealed other kinds of collection programs aimed at facilitating certain kinds of comprehensive information awareness by the government, for specific purposes.4
This chapter will explore the potential applications of systematic US government access to data held by third-party private-sector intermediaries that would not be considered public information sources5 but, rather, data generated based on the role these intermediaries play in facilitating economic, business, and personal transactions. For the most part, US laws and regulations do not directly authorize ongoing, indiscriminate government access to data held by third-party intermediaries.6 For purposes of this chapter, the term systematic denotes one or more of the following practices, each of which permits the government to obtain information without any process or using processes to facilitate either ongoing and indiscriminate collection or discrete but significant over-collection of information by: (1) exploiting7 gaps in existing statutes regulating government access to certain types of data held by specifically enumerated types of third parties; (2) pushing, even breaking, the boundaries of statutory language to permit the bulk collection of data; (3) using presidential authorizations; (4) creating informal partnerships with private entities; or (5) exploiting the lack of constitutional or statutory impediments to government access to certain types of data held by specific third parties. The ways in which systematic government access may operate are rarely transparent, often presenting themselves only when a controversy surfaces in the press, as was the case of the Terrorist Surveillance Program, an NSA program discussed below involving the warrantless interception of phone conversations when at least one party was located in the United States, or, more recently, the NSA’s broad, indiscriminate collection and storage of US domestic telephone records, also discussed below.
This chapter examines the primary US constitutional and statutory authorities governing law enforcement and intelligence agency access to private-sector data. As these various authorities are discussed, relevant examples of systematic government access to private-sector data—whether by voluntary disclosure or compelled legal process—are raised and integrated into the analysis.8
The primary constitutional limit on the government’s ability to obtain private or personal information is the Fourth Amendment, which prohibits unreasonable searches and seizures. Supreme Court Fourth Amendment case law has prescribed certain tests to determine whether a search has occurred, which is the preliminary question to be answered before turning to whether any particular search is unreasonable. Justice Harlan’s famous concurrence in Katz v. United States,9 now commonly referred to as the Katz test, guides courts in determining what constitutes a search under the Fourth Amendment: courts must determine whether the government conduct in question violates a subjective expectation of privacy and an objectively reasonable expectation of privacy. More recently, in United States v. Jones,10 a case involving the government’s warrantless attachment and use of a GPS device to track the movements of Jones’s car for 28 days, Justice Scalia wrote a majority opinion articulating a property-based rationale for determining what constitutes a Fourth Amendment search. This trespass-based test is satisfied when: (1) a “trespass” occurs, (2) the trespass is to a target enumerated in the Fourth Amendment (“persons, houses, papers, or effects”), and (3) it occurs with the intent “to find something or to obtain information.”11 Of note, the application of this trespass, property-based rationale allowed the majority to avoid ruling in a way that would have had implications for other types of tracking technologies that solely employ the transmission of radio or other electronic signals not enabled by a direct physical trespass, such as tracking a target’s cell phone through compelled disclosure of location information possessed by a third party. Indeed, the law is still in flux with respect to whether the Fourth Amendment protects location information in the possession of a third-party carrier.
Generally speaking, the Fourth Amendment provides little to no protection for non-content information stored by third parties. Specifically, the infamous third-party doctrine, a long-standing constitutional principle, suggests, when taken in its strongest expression, that once data is disclosed to a third party, it no longer receives Fourth Amendment protection.12 The seminal cases establishing the third-party doctrine are United States v. Miller,13 a case concerning cancelled checks where the Supreme Court reasoned that the respondent “can assert neither ownership nor possession” in documents “voluntarily conveyed to banks and exposed to their employees in the ordinary course of business,”14 and Smith v. Maryland,15 where the Court held that the Fourth Amendment does not apply to transactional information associated with making phone calls (for example, time/date/length of call and numbers dialed) because that information is voluntarily conveyed to third parties to connect the call, and phone companies record the information for a variety of legitimate business purposes.
The privacy protections that do exist for third-party records are primarily found in statutes enacted by Congress specifically in response to Supreme Court opinions limiting Fourth Amendment protections. Additional privacy protections may be found in agency guidelines and privacy policies, some of which exist because Congress has mandated their creation by statute. Although it is beyond the scope of this chapter to conduct an analysis of the full scope of such policies (some of which may be classified) and their impact on the government’s systematic access to third-party records, policy that is managed by political leadership of an agency is always subject to change, for better or worse.
IV. Statutory Overview and Analysis
For purposes of exploring potential systematic government access to third-party private-sector data, it is often useful to think about statutory privacy protections in terms of (1) what kind of third-party private-sector entities they regulate, and (2) what type of information they regulate. Sometimes, a statute will regulate the disclosure of a specific type of information to the government, but only by a specific type of third party. Thus, the disclosure of the same type of information by a third party not covered by the statute could lawfully occur without any legal process. In the service of exploring the potential for systematic government access, this section will analyze the primary statutes regulating third-party disclosure of information to the government, the Electronic Communications Privacy Act (ECPA),16 the Foreign Intelligence Surveillance Act (FISA),17 the statutes authorizing National Security Letters (NSLs),18 and the Right to Financial Privacy Act (RFPA).19 These statutes, although certainly not the only authorities affecting government access to and retention of third-party private-sector data, provide the richest opportunity for discussion of systematic government access to these data. As these key statutes govern various aspects of government access to (1) electronic communications, (2) financial data, and (3) other records in the possession of third parties for both criminal and national security investigations, the discussion below will group these authorities as they relate to these three major categories of information.
A. Electronic Communications Data: ECPA, FISA, and NSLs
1. “Real-Time” Communications Content
The Wiretap Act (Title I of ECPA) governs law enforcement access to real-time wire, oral, and electronic communications in criminal investigations. To collect these communications, the government must establish, in a written application to a judge of competent jurisdiction, that there is probable cause to believe: (1) an individual is committing, has committed, or is about to commit a particular offense enumerated in the Wiretap Act; and (2) particular communications concerning that offense will be obtained through the requested interception.20 In addition to this probable cause showing, the government must also demonstrate that other normal investigative procedures have been tried and have failed, or reasonably appear unlikely to succeed if tried, or would be too dangerous to execute.21 The Wiretap Act also limits this intrusive surveillance tool to specific crimes listed in the statute. This list is extensive and includes a broad range of terrorism-related statutes.
In the case of terrorism national security investigations, however, the federal government’s ability to intercept real-time communications is not limited to authorities provided in the Wiretap Act. Such investigations—involving the collection of foreign intelligence about “foreign powers” or “agents of foreign powers” in addition to or even in the absence of pursuing activity that may violate criminal statutes—are often more readily and appropriately pursued under FISA authorities. Accordingly, FISA authorizes interception of real-time wire, oral, and electronic communications when, by written application to the FISA Court, the government demonstrates that there is probable cause to believe that (1) the target of the electronic surveillance is a foreign power or agent of a foreign power, and (2) each of the facilities or places at which electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power, which includes a so-called “lone wolf” (i.e., an unaffiliated foreign individual posing a threat).22
Warrants granted pursuant to the Wiretap Act are often called “super warrants” and considered by some to be the gold standard with respect to limiting unconstitutional and/or over-collection of communications content. The “high comfort” with the statute derives from several factors, including, but not limited to, the fact that the probable cause showing is predicated upon the discovery of evidence of a specific crime, that non-relevant communications must be minimized, and that all federal wiretap applications must go through a special review process at the DOJ in Washington, DC (Main Justice). Although a comprehensive comparison between the Wiretap Act and FISA is beyond the scope of this chapter, FISA also contains minimization and oversight provisions, including its own specialized review process at Main Justice and a certification by a high-level official that such information cannot be obtained by normal investigative techniques. FISA’s probable cause standard, however, is premised on the collection of foreign intelligence relating to foreign powers or agents of foreign powers rather than the collection of evidence of a crime, arguably permitting a broader, more flexible exercise of government surveillance powers.
Notwithstanding the lower threshold of FISA surveillance standards, in 2005 the New York Times reported that the Bush administration, via classified presidential authorizations, had granted the NSA authority for warrantless monitoring of international telephone calls and electronic communications (such as email), even when one party was a US person located on US soil.23 This so-called Terrorist Surveillance Program (TSP), which circumvented FISA, was evidently developed through a public-private partnership where NSA informally arranged with top telecommunications company officials to gain access to switches carrying America’s communications without warrants or court orders.24 After the TSP was exposed, industry members sought and received retroactive immunity for their participation, which had been at least partially contingent upon guarantees that they would not suffer adverse consequences stemming from their uncompelled informal cooperation.25 The TSP illustrates a problematic example of systematic access to private-sector data: the executive branch, through a classified presidential order, circumvented existing provisions of the FISA statute and bypassed congressional oversight by, among other things, enlisting the assistance of third-party telecommunications providers in its legally questionable operation.26
Ultimately, Congress brought the TSP under the umbrella of FISA and some degree of FISC oversight by enacting the Protect America Act of 2007 (PAA)27 and the FISA Amendments Act of 2008 (FAA).28 When compared with traditional FISA processes, however, the FAA, via Section 702,29 “impose[s] significantly fewer limits on the government when it targets foreigners located abroad, permitting greater flexibility and a dramatic increase in the number of people who can realistically be targeted.”30 Specifically, Section 702 authorizes the attorney general and the director of national intelligence jointly to authorize surveillance, and to compel third-party assistance for such surveillance, which targets people who are not US persons and who are reasonably believed to be outside the United States, so long as the surveillance is conducted to acquire foreign intelligence information. Notably, there is no requirement that the government make an individualized showing to the FISC that there is probable cause to believe a particular target is a foreign power or an agent of a foreign power. Instead, the attorney general and the director of national intelligence make annual certifications authorizing the targeting to acquire foreign intelligence information and develop targeting and minimization procedures that must meet certain criteria. The FISC reviews and approves the annual certifications and accompanying procedures, evaluating whether they satisfy the identified criteria.
When examining the government’s use of Section 702, the Privacy and Civil Liberties Oversight Board (PCLOB) found general government “compliance with the text of Section 702 [and that] the text of 702 provides the public with transparency into the legal framework for collection.”31 One significant public criticism of Section 702, however, concerns what some call “backdoor searches.”32 Although US persons cannot be targeted pursuant to Section 702 (with the understanding that some US person information will be collected incidentally), it appears that some US person identifiers have been used to query information collected under Section 702, and that Section 702 may not explicitly prohibit such searches.33 In response, lawmakers attempted to amend the Defense Appropriations Act of 2017 with a provision preventing the NSA from using funds for such queries.34 Section 702 is set to expire in 2017. When Congress considers the statute for reauthorization, the unresolved issue of whether and how to amend Section 702 in response to backdoor searches will likely arise once again.
2. Stored Communications Content
Title II of ECPA, the Stored Communications Act (SCA),35 governs law enforcement access to the content of communications when in the possession of a third party providing an “electronic communications service” (ECS)36 or a “remote computing service” (RCS)37 to the public. These definitions reflect the state of the Internet and corresponding Internet-based services that existed in 1986, the year the SCA was enacted by Congress. Although the definition of RCS certainly reflects Congress’s understanding that there could and would be third-party storage of content (“computer storage or processing services”), Congress could not have foreseen the extent to which various types of third-party storage used by consumers and businesses alike would become a booming business model due to an explosion in cloud-based services. Recall that in 1986, third-party storage was prohibitively expensive, causing most people and businesses using computers to store electronic content locally on a hard drive or floppy disk.
Consistent with Fourth Amendment doctrine, law enforcement must normally get a warrant in order to search and seize a laptop, desktop, or thumb drive. Congress extended the warrant protection via statute to communications content stored in an ECS (such as unopened email).38 Today, however, a large amount of data stored in the cloud (including opened emails) is arguably in RCS storage. In 1986, Congress did not extend full warrant protections to communications content in RCS storage.39 Rather, under the SCA, the government can compel third-party providers to disclose communications content in RCS storage with an 18 U.S.C. § 2703(d) Order (a court order under which the government must show, with “specific and articulable facts,” that there are reasonable grounds to believe that the information sought is “relevant and material” to an ongoing criminal investigation), or even with a subpoena.40 This disparity in the level of privacy protections given to information stored “in the cloud” versus content stored on a laptop, combined with the sheer amount of content now in third-party storage, has given the government much greater access to private-sector communications content. In response to this disparity, since 2010, Congress has held several hearings followed by the introduction of several bills that, among other things, would provide the same warrant protections to content stored in the cloud (or other forms of RCS storage). Although no legislation has passed as of April 2017, courts have begun to address this disparity.
Specifically, in the 2010 Warshak opinion, the Sixth Circuit held that “if government agents compel an ISP to surrender the contents of a subscriber’s emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.”41 Moreover, the Court held that “to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.”42 Although not a Supreme Court opinion or an amendment to ECPA, Warshak is a strong step toward the protection of content “in the cloud.”
3. Stored Non-content Communications Data
A strong potential for systematic government access to non-content communications data comes from gaps in existing statutes and government practices. The SCA governs law enforcement access to stored non-content communications data when it is in possession of a third party providing an ECS or RCS service to the public. The SCA, however, only regulates non-content data (for example, transactional or other records pertaining to subscriber and customer names, addresses, length and type of service, temporarily assigned network address, means and source of payment) with respect to entities providing ECS and RCS services. If this non-content data is in the possession of a third party that is not acting as a public ECS or RCS, then the SCA does not provide any level of protection for the data. Without any statutory protection, third parties can, if they choose, voluntarily disclose data without any process. For example, when security researchers discovered that Apple and Google phones were collecting and transmitting back to the companies information about a device’s nearby wi-fi access points and geolocation data,43 the transmission of the location data was arguably not a function of an ECS or RCS service and thus would not receive the SCA protections otherwise afforded to historical location data. The government could, therefore, compel the disclosure of that location data with a subpoena (when the SCA would otherwise require a court order) or it could be disclosed to the government voluntarily by a third-party entity, in the absence of any emergency and without any process.
Moreover, the SCA does not prohibit the entities that provide public ECS and RCS services from disclosing non-content data to other nongovernmental entities. Once in the possession of these fourth-party entities (such as data brokers), which are not providing public ECS and RCS services, the data can be sold or otherwise disclosed to the government without process. These fourth-party commercial data brokers collect information from a range of third parties (not just those regulated by the SCA) and can provide “one stop shopping” for law enforcement and intelligence agencies alike.44
The SCA also contains one of the five National Security Letter (NSL)45 authorities, a series of foreign intelligence statutory authorities, similar to subpoenas, allowing the government to compel certain types of non-content data principally from communications providers, financial institutions (defined very broadly), and credit agencies. The FBI and other designated intelligence agencies can issue NSLs without court authorization, much like subpoenas. Unlike subpoenas, however, NSLs need not even be reviewed by a prosecutor. The NSL authority found in the SCA permits the government to obtain subscriber or customer identifying records and, the government argues, other types of transactional records46 in the possession of ECS and RCS providers (for example, non-content data pertaining to telephone and email communications).
Three different DOJ Inspector General (IG) Reports released between 2007 and 2010 document a series of abuses concerning the FBI’s use of NSL authorities. Although these reports identify several types of abuses, two key problems are particularly relevant to the examination of when and how the government can get unmediated access to third-party data. First, the FBI, in violation of ECPA and various internal guidelines, used “exigent letters” (ad hoc instruments with implied legal authority where none existed) to acquire information from communication providers with the promise that actual process (NSLs or subpoenas) would follow.47 Going forward, this kind of subterfuge with promises that “process is on its way” should raise red flags for all public-private relationships. Second, from April 2003 through January 2008, employees of certain communications providers were located in the FBI’s Communications Assistance Unit (CAU), which included being provided with FBI email accounts and access to the CAU computer share drive.48 These on-site providers’ employees regularly attended CAU unit meetings and were treated by CAU personnel as “team members.” Although the IG recognized that the collegial relationship between the co-located personnel fostered a productive working relationship, the 2010 report also notes that the “proximity of the on-site providers’ employees to the CAU personnel, combined with the lack of guidance, supervision, and oversight of their interactions with FBI employees … contributed to some of the most serious abuses identified in this review.”49 Indeed, in this instance, there appeared to be a merger of the “public” and “private” roles.50
In 2014, the DOJ IG issued a fourth report reviewing the FBI’s use of NSLs. This report clarifies an issue the Washington Post had flagged four years earlier51 concerning the types of records the FBI could collect under ECPA’s NSL provision. Although the FBI has historically interpreted Section 2709 of ECPA as granting the authority to compel “electronic communication transactional records,”52 which have been defined in the media as “email metadata and header information, URL browsing data and more,”53 beginning in 2009, certain third-party companies refused to provide such records in response to NSLs on the grounds that NSLs do not, in fact, authorize the FBI to compel the production of these records.54 This dispute is premised on a discrepancy in the statute: although “electronic communication transactional records” appear in one part of the statute (18 U.S.C. § 2709(a)), they don’t appear in the part of the statute that specifically lists the kinds of records available to the FBI under ECPA’s NSL authority (18 U.S.C. § 2709(b)). The companies take the position that the list found in Section 2709(b) is exhaustive and, accordingly, the statute does not authorize the FBI to compel electronic communication transactional records.55 The FBI disagrees with this position but has adapted by using a different authority found in FISA—Section 215 of the PATRIOT Act—to compel the production of electronic communication transactional records.56 The FBI reported to the IG that the use of Section 215, which requires more internal review and approval by the FISA Court (FISC), has slowed down national security investigations.57 The IG has consequently recommended that DOJ continue to pursue legislative clarification, consistent with DOJ’s prior efforts to seek a legislative fix.58
Whether one agrees with the FBI’s interpretation of ECPA’s NSL authority or believes that electronic communication transactional records should be obtainable under NSL authority, this example illustrates that third-party companies play an important role in controlling systematic access to private-sector data. Specifically, in this case, third-party companies challenged the FBI’s interpretation of the NSL authority, and it appears that Congress will affirmatively have to determine whether the government should have access to these kinds of records under the NSL authority’s low relevance threshold.
Although Section 215 of the PATRIOT Act (Section 501 of FISA) has added greater oversight to government collection of electronic communication transactional records, the government has also used Section 215 to obtain systematic access to domestic telephone records. Section 215 permits the government to compel “tangible things” from third parties that are “relevant” to an “authorized investigation” in order: (1) “to obtain foreign intelligence information not concerning a United States person,” or (2) to “protect against international terrorism or clandestine intelligence activities.”59 The very first published story about the Snowden disclosures in June 2013 involved the government’s use of Section 215 to collect domestic call detail records and other domestic telephony metadata in bulk. Specifically, the FISC had issued questionable orders under Section 215, renewed approximately every 90 days, “authoriz[ing] the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifie[d] detailed rules for the use and retention of these records.”60 These records, stored in a centralized NSA database, included the date and time of a call, its duration, and the participating telephone numbers. The records did not, however, include the content of any telephone conversation. The program was “intended to enable the government to identify communications among known and unknown terrorism suspects, particularly those located inside the United States.”61 If the government identified a phone number associated with a terrorist, for example, it could run that seed number against all the domestic telephone numbers stored in the database to assist in determining whether a known terrorist had contact with anyone in the United States.
One major criticism of this domestic surveillance program is that the “common sense” reading of the statutory text of Section 215 does not, on its face, appear to permit collection on this scale. More specifically, critics argue, an entire massive database of records—in this case the records of nearly every domestic telephone call—cannot be deemed relevant in its totality simply because some of the records in that database are actually relevant to an investigation. Indeed, if everything is relevant, then nothing is relevant and the limiting concept of relevance itself, as found in the statute, is rendered irrelevant. However well intentioned this collection program may have been, it is a problematic example of government systematic access to private-sector data. Although the government can rarely disclose the specific details of classified collection programs, it is important for the public to be able to gain a general understanding of the terrain and scope of the legal authorities permitting government surveillance. When reviewing the Section 215 bulk collection program, the PCLOB concluded that “Section 215 does not provide an adequate legal basis to support the program.”62 Moreover, prior to the program’s disclosure in the summer of 2013, Senator Wyden warned his colleagues that “when the American people find out how their government has secretly interpreted the PATRIOT Act, they will be stunned and they will be angry.”63 With the passage of the USA FREEDOM Act in 2015,64 Congress ended the bulk collection of business records under Section 215.
4. “Real Time” Non-content Communications Data
Although the SCA regulates government access to stored non-content data in the possession of certain types of third-party providers, Title III of ECPA (commonly referred to as the pen register and trap and trace device statute or simply as “Pen/Trap”) governs law enforcement’s ability to acquire real-time transactional information about phone calls.65 While DOJ’s public manual on Searching and Seizing Computers does not give a detailed list of all of the specific types of transactional information that can be obtained with a Pen/Trap order, it notes that the statute’s “ ‘dialing, routing, addressing [and/or] signaling information’ encompasses almost all non-content information in a communication.”66 The Electronic Frontier Foundation (EFF) has interpreted the scope of DOJ’s potential collection ability to include: the numbers a phone calls and from which it receives incoming calls; the starting and ending time of each call; the duration of each call; whether each call was connected or went to voicemail; and (although a disputed, controversial use of the Pen/Trap authority) “post-cut-through dialed digits” (digits dialed after a call is connected, such as a banking PIN or a prescription refill number).67
Enacted seven years after Smith v. Maryland, the Pen/Trap statute was a congressional response to the Supreme Court’s holding that the Fourth Amendment does not apply to transactional information associated with making phone calls. The USA PATRIOT Act then expanded the government’s ability to use Pen/Traps to acquire real-time transactional information about email,68 which DOJ asserts, once again, could encompass almost all non-content information in a communication69 and EFF explains may include: addresses of sent and received email, the time each email is sent or received, the size of each email that is sent or received, and IP (Internet Protocol) addresses, including the IP addresses70 of other computers with which a target computer exchanges information, as well as the communications ports and protocols used (which, in turn, can be used to determine the types of communications sent and the types of applications used).71
Concerns about how the Pen/Trap statute might facilitate systematic government access to third-party data primarily derive from: (1) the statute’s low certification standard, (2) the scope and volume of information that can presumably be collected with a Pen/Trap order, and (3) documented use of the statute to authorize a method of collection that courts granting orders did not realize they were authorizing. To obtain a Pen/Trap order, the government must only certify to a court that the information likely to be obtained is “relevant to an ongoing criminal investigation.”72 Insofar as this certification does not require a court to evaluate any facts to determine if the information is likely to be relevant to an ongoing criminal investigation, there is no meaningful judicial oversight. Moreover, there is no limitation on the scope of information collected in a particular investigation, whether with single or multiple Pen/Trap orders. Although certain types of investigations require a broad collection of phone and email transactional information, if there is no meaningful judicial oversight regarding the scope of such collection, the potential for unmediated government access to third-party data looms large.
B. Financial Data: Right to Financial Privacy Act, NSLs
Just as the SCA and the Pen/Trap provisions of ECPA were a congressional response to the lack of Fourth Amendment protections afforded to electronic communications in the possession of third parties, Congress enacted the Right to Financial Privacy Act73 in 1978, two years after the Miller decision, where the Supreme Court held that there was no reasonable expectation of privacy in documents voluntarily conveyed to banks and exposed to their employees in the ordinary course of business. The statute provides that federal agencies may not access the financial records of a customer of a financial institution without that customer’s consent, a search warrant, an administrative subpoena, a judicial subpoena, or a “formal written request.”74 The statute is subject to a number of exceptions, including disclosures required under other federal statutes or rules. Moreover, the Act does not apply when the federal government obtains financial information from third parties that are not financial institutions, nor does it restrict disclosures to state or local governments or other private entities.75 The Act also contains one of the five NSL authorities,76 permitting the government to compel financial institution customer records in foreign intelligence investigations (for example, open and closed checking and savings accounts, transaction records from banks, private bankers, credit unions, thrift institutions, credit card companies, insurance companies, etc.).
After the September 11th attacks, it was reported that the government gained unprecedented access to the world’s banking databases through a relationship with the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a Belgium-based cooperative that serves as “the central nervous system of international banking.”77 At that time, SWIFT purportedly carried information for nearly 8,000 financial institutions, which conducted up to 12.7 million financial transactions a day.78 Although SWIFT executives insisted that their organization’s participation had not been voluntary but, rather, was in compliance with US government NSLs, SWIFT’s willing cooperation appeared to represent a major departure from typical practices.79 The SWIFT example illustrates how the government may use statutory authorities to acquire vast amounts of information—in this case purportedly with mere NSLs—such that the information collection might be characterized as systematic government access aided by the cooperation of a “friendly” third party (likely due to circumstances surrounding the September 11th attacks).
Additional mystery regarding government access to financial data surrounds a government practice referred to as “hotwatch” orders, “issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of [an] investigation immediately after the issuer records that transaction.”80 A DOJ presentation obtained through a Freedom of Information Act (FOIA) request suggests that law enforcement’s preferred way of obtaining a “hotwatch” order is to contact the credit card security department and provide that department with an administrative subpoena and a court order for “non-disclosure.”81 Although the scope of information obtained from “hotwatch” orders is unclear, it is important to note that the data are provided in “real time” and presumably will include information about the subject of the transaction (i.e., the type of purchase made or service conducted) that, in turn, can also reveal the location of the user at the time she made the transaction (in the case of a “brick and mortar” business or institution). Indeed, the DOJ presentation characterizes credit card “hotwatch” orders as “real time tracking.”82
C. Other Records in the Possession of Third Parties
As previously noted, data not protected by the Constitution or regulated by statute requiring a court order for its production can be compelled by the government with “low level” process (i.e., subpoena or NSL) or even provided voluntarily to the government without any legal process. Such lack of regulation can potentially facilitate the kind of reported public-private partnerships with Western Union, FedEx, and major airlines seen in the aftermath of the September 11th attacks. Shortly after the attacks, then CIA director George Tenet invited Western Union executives to his office to persuade them to “be patriots.”83 Some of the information provided by Western Union following the exchange may have been disclosed in response to subpoenas, whereas some may have been provided through “informal cooperation” rather than legal compulsion.84 Since September 11th, FedEx has also reportedly “placed its databases at the government’s disposal” and “demonstrated a willingness to open suspicious packages at the government’s informal request (i.e. without a warrant).”85 Major airlines were also reported to have turned over extensive amounts of passenger data to the government because “they thought they were obliged to do so.”86 Third-party desire and willingness to cooperate with the government post-September 11th in the fashion described is understandable and, moreover, legal. Indeed, government outreach to establish good working relationships with industry is often necessary and desirable. But if industry at large (such as supermarkets, hotels, travel agencies, etc.) routinely discloses information without minimal process, even when permitted under the law, then the government gets closer to achieving indiscriminate, systematic access to private-sector data.
DARPA’s TIA program foreshadowed the potential of how machine learning techniques, when trained on the right data sets, might assist in “predictive policing”87 and predictive intelligence efforts. Given this potential, the government’s desire and need for more private-sector data will only continue to increase. Notwithstanding efforts to expand, contract, or more specifically regulate government access to third-party data, the ongoing public debates in this area must be informed by sufficient information about the government’s interpretation and use of its criminal and foreign intelligence authorities, including government “informal” practices.
(*) The views expressed here are those of the author and do not represent the position of the United States Military Academy at West Point, the Army, or the United States government.
(1.) Fred H. Cate, “Government Data Mining: The Need for a Legal Framework,” 43 Harv. C.R.-C.L. L. Rev. 445, 449 (2008).
(2.) John Poindexter, Director, Info. Awareness Office, Overview of the Info. Awareness Office, Prepared Remarks for Delivery at DARPATech 2002 Conference (August 2, 2002), at 1, http://www.fas.org/irp/agency/dod/poindexter.html.
(3.) Info. Awareness Office, US Dep’t of Def., Report to Congress Regarding the Terrorism Information Awareness Program (2003) 15, https://epic.org/privacy/profiling/tia/may03_report.pdf.
(4.) Although numerous classified documents have been made public since the initial Snowden disclosures in summer of 2013, this chapter will only make reference to declassified or unclassified information pertaining to these disclosures. There may be additional examples relevant to this discussion that are in the public realm but, nevertheless, remain classified.
(5.) With government access to the full Twitter Firehose, a service that pushes public tweets to end users in near real time that match customers’ criteria, the government could collect voluminous and possibly indiscriminate amounts of information on an ongoing basis. Although such activity raises significant privacy concerns, this chapter focuses on data in the possession of third parties that is not otherwise in the public realm.
(6.) US law mandates some ongoing third-party disclosures of various types of information involving, for example, cargo and passengers coming into the United States from abroad or financial data that might assist the government in identifying money laundering or terrorist financing. These data are divulged to the government pursuant to various regulatory requirements.
(7.) The term “exploiting” as used in this paragraph is not meant to convey a sinister motive. Rather, if the government is not prohibited from collecting data by the Constitution or by statute, then it can lawfully collect that data consistent with internal agency guidelines and authorized investigative activities, with very limited, if any, barriers.
(8.) This chapter is written as an overview of the subject matter and is not meant to be a comprehensive treatment of systematic access to private-sector data in the United States. Of note, this chapter does not address the application of Executive Order (E.O.) 12333, issued by President Reagan in 1981 and modified several times since, which, among other things, regulates the collection of information about foreigners outside the United States for foreign intelligence purposes. E.O. 12333 governs activities that are “not covered by statute and do not [otherwise] require a court order.” Timothy Edgar, “Surveillance Reform: Privacy Board Turns to E.O. 12,333,” Lawfare (May 3, 2015), https://www.lawfareblog.com/surveillance-reform-privacy-board-turns-eo-12333. The Privacy and Civil Liberties Oversight Board (PCLOB), an independent, bipartisan executive branch agency authorized by Congress to ensure that “liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism” (42 U.S.C. § 2000(c)(2) (2012)), has held public hearings about E.O. 12333 and also plans to issue a public report.
(9.) Katz v. United States, 389 U.S. 347, 361 (1967).
(10.) 132 S. Ct. 945 (2012).
(11.) See Orin Kerr, “The New Doctrine of What Is a Fourth Amendment Search,” Volokh Conspiracy Blog (January 23, 2012), http://volokh.com/2012/01/23/the-new-doctrine-of-what-is-a-fourth-amendment-search/.
(12.) For a detailed discussion about the difficulty of applying the third-party doctrine in an IP-based communications environment, see Steven M. Bellovin, Matt Blaze, Susan Landau, and Stephanie K. Pell, “It’s Too Complicated: How the Internet Upends Katz, Smith, and Electronic Surveillance Law,” 30 Harvard Tech. L.J. 1 (2017).
(13.) 425 U.S. 435 (1976).
(14.) Ibid. at 442–43.
(15.) 442 U.S. 735 (1979).
(16.) 18 U.S.C. §§ 2511–2520 (2012); 18 U.S.C. §§ 2701–2712 (2012); 18 U.S.C. §§ 3121–3127 (2012).
(17.) 50 U.S.C. §§ 1801–1862 (2012 & Supp. 2014).
(18.) There are five provisions of law that authorize the FBI to issue five types of NSLs: 12 U.S.C. § 3414(a)(5)(A) (2012); 18 U.S.C. § 2709 (2012); 15 U.S.C. § 1681u (2012 & Supp. 2015); 15 U.S.C. § 1681v (2012 & Supp. 2015); 50 U.S.C. § 436, recodified as 50 U.S.C. § 3162 (Supp. 2014).
(19.) 12 U.S.C. §§ 3401–3422 (2012).
(20.) 18 U.S.C. §§ 2518(3)(a),(b) (2012).
(21.) 18 U.S.C. § 2518(c) (2012).
(22.) 50 U.S.C. § 1805 (2012 & 2014 Supp.).
(23.) James Risen and Eric Lichtblau, “Bush Lets U.S. Spy on Callers without Courts,” N.Y. Times (Dec. 16, 2005); see also Jon D. Michaels, “All the President’s Spies: Private-Public Intelligence Partnerships in the War on Terror,” 96 Cal. L. Rev. 901, 910 (2008).
(25.) On December 29, 2011, the Ninth Circuit, in Hepting v. AT&T Corp., 671 F.3d 881 (9th Cir. 2011) upheld the constitutionality of § 802 of the FAA of 2008, which gave telecom companies a path to retroactive immunity from charges of misconduct, including privacy violations, for cooperating with the Bush administration’s warrantless wiretapping efforts.
(26.) For further discussion of the TSP, how it violated FISA, and how it was brought under court supervision via the FAA, see Stephanie Cooper Blum, “What Really Is at Stake with the FISA Amendments Act of 2008 and Ideas for Future Surveillance Reform,” 18 Boston Univ. Public Interest L.J. 269 (2009).
(27.) Protect America Act of 2007, Pub. L. No. 110-55, 121 Stat. 552. The PAA was limited to six months, expiring in February 2008.
(28.) FISA Amendments Act of 2008, Pub. L. No. 110-261, § 403, 122 Stat. 2463, 2473 (2008).
(29.) The second story published about the Snowden disclosures in June 2013 involved Section 702 and the PRISM program. See PCLOB, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014) at 1–8.
(32.) See Ashley Nicole Baker, “Congress Must Shut the Backdoor on Section 702 Surveillance,” FreedomWorks, blog post (June 15, 2016).
(34.) See Amendment to H.R. 5293, offered by Rep. Thomas Massie of Kentucky.
(35.) 18 U.S.C. §§ 2701–2712 (2012).
(36.) An electronic communication service (ECS) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” Examples include telephone or email services. 18 U.S.C. § 2510(15) (2012).
(37.) A “remote computing service” (RCS) is a “provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2) (2012). Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a user. Examples include data stored “in the cloud,” such as online backup services.
(38.) See 18 U.S.C. § 2703(a) (2012).
(39.) See 18 U.S.C. § 2703(b) (2012).
(40.) 18 U.S.C. §§ 2703(b), (d) (2012).
(41.) United States v. Warshak, 631 F.3d 266, 286 (6th Cir. 2010).
(42.) Ibid. at 288.
(43.) See Julia Angwin and Jennifer Valentino-Devries, “Apple, Google Collect User Data,” Wall Street Journal (April 21, 2011), http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html.
(45.) 18 U.S.C. § 2709 (2012).
(46.) See 18 U.S.C. § 2709 (2012). The Washington Post reported that the government was seeking from Congress what it characterized as a “technical clarification” to § 2709 to facilitate the collection of transactional records. Others characterized the government’s request as an expansion of collection authority under § 2709. See Ellen Nakashima, “White House Proposal Would Ease FBI Access to Records of Internet Activity,” Washington Post (July 29, 2010), http://www.washingtonpost.com/wp-dyn/content/article/2010/07/28/AR2010072806141_pf.html.
(47.) See Oversight Review Division, Office of the Inspector General, A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records (Jan. 2010).
(50.) Another public-private interface involved Sprint Nextel developing a web interface to give law enforcement direct access to its subscribers’ location data in order to cope with the high volume of government demands the company was receiving for disclosure of these data. United States v. Pineda-Moreno, 617 F.3d 1120, 1126 (9th Cir. 2010) (Kozinski, J. dissenting from denial of rehearing en banc).
(52.) Office of the Inspector General, Oversight and Review Division, A Review of the Federal Bureau of Investigation’s Use of National Security Letters: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009 [hereinafter “2014 IG NSL Report”] (August 2014) at 70.
(53.) See Jenna McLaughlin, “Tech Companies Fight Back after Years of Being Deluged with Secret FBI Requests,” The Intercept: Unofficial Sources (June 21, 2016), https://theintercept.com/2016/06/21/tech-companies-fight-back-after-years-of-being-deluged-with-secret-fbi-requests/.
(59.) 50 U.S.C. § 1861(a)(1) (2012 & Supp. 2014).
(60.) Privacy and Civil Liberties Oversight Board (PCLOB), Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court (2014) at 8, http://www.pclob.gov/SiteAssets/Pages/default/PCLOB-Report-on-the-Telephone-Records-Programme.pdf.
(63.) Press Release, Senator Ron Wyden, In Speech, Wyden Says Official Interpretations of Patriot Act Must Be Made Public (May 26, 2011), http://wyden.senate.gov/newsroom/press/release/?id=34eddcdb-2541-42f5-8f1d-19234030d91e.
(64.) USA Freedom Act of 2015, Pub. L. No. 114-23, 129 Stat. 268.
(65.) See 18 U.S.C. §§ 3121–3126 (2012). In foreign intelligence investigations, the government may also use FISA Pen/Trap authorities. See 50 U.S.C. § 1842 (2012 & Supp. 2014).
(66.) US Dep’t of Justice, Computer Crime and Intellectual Prop. Section, Criminal Div., Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (3d ed., 2009) at 154 [hereinafter DOJ Manual].
(67.) See: https://ssd.eff.org/wire/govt/pen-registers. With respect to “post-cut-through dialed digits” or other communications content, the DOJ Manual, citing 18 U.S.C. § 3121(c), instructs that the “government must also use ‘technology reasonably available to it’ to avoid recording or decoding the contents of any wire or electronic communications …. Where there is no way to avoid the inadvertent collection of content through the use of reasonably available technology, DOJ policy requires that the government may not use any inadvertently collected content in its investigation.” See DOJ Manual, above note 66 at 155–56.
(68.) See Public Law 107-56, Sec. 216 (Oct. 26, 2001).
(70.) See In re Application of United States, 416 F. Supp. 2d 13, 18 (D.D.C. 2006) (approving Internet Pen/Trap order seeking specified non-content information, such as originating IP addresses).
(72.) 18 U.S.C. § 3122(b)(2) (2012).
(73.) 12 U.S.C. §§ 3401–3422 (2012).
(74.) 12 U.S.C. § 3402 (2012).
(75.) 12 U.S.C. §§ 3401(1)–(3) (2012).
(76.) 12 U.S.C. § 3414 (2012).
(77.) Josh Meyer and Greg Miller, “US Secretly Tracks Global Bank Data,” L.A. Times (June 23, 2006), at A1.
(80.) DOJ Memorandum to the Honorable James Orenstein, October 11, 2005 at 9, https://www.eff.org/document/government-reply-eff-brief.
(81.) See Christopher Soghoian, “DOJ’s ‘Hotwatch’ Real-Time Surveillance of Credit Card Transactions,” Slight Paranoia Blog (December 2, 2010), http://paranoia.dubfire.net/2010/12/dojs-hotwatch-real-time-surveillance-of.html.
(87.) See generally, Michael L. Rich, “Machine Learning, Automated Suspicion Algorithms, and the Fourth Amendment,” 164 U. Penn. L.R. 871 (2016).