Nearly three years after former NSA contractor Edward Snowden first leaked details about massive domestic spying, his revelations have prompted a broader discourse, especially among legal scholars, over the potentially invasive nature of big data cybersurveillance tools.
Even as intelligence officials, the FBI and Congress worry about the rise of terrorists using encryption to communicate, legal experts are concerned that the enormous volume of data still being collected and stored by the National Security Agency and other intelligence agencies will pose legal concerns based on the Fourth Amendment of the U.S. Constitution. The Fourth Amendment prohibits unreasonable searches and seizures without a judge's warrant supported by probable cause.
Since Snowden's first leaks in June 2013, hundreds of formerly covert programs have been revealed, all of which have contributed to an enormous storage trove of data. At least one ongoing lawsuit seeks to delete much of that data. Recently, an appendix of Snowden's revelations from June 2013 to January 2015 was compiled by Margaret Hu, an assistant professor at Washington and Lee University School of Law, with assistance from her students.
Hu is also author of an academic article, Big Data Blacklisting, published last month, that describes a process of finding individuals "guilty until proven innocent" based on suspicious digital data and database screening results.
"This is absolutely a critical time to really examine these programs before they are normalized and integrated into the system of governance and the way we live our lives," Hu said last week in a Madison Vision Series lecture at James Madison University in Harrisonburg, Va. Madison is widely hailed as the father of the U.S. Constitution.
Decisions expected by the U.S. Supreme Court in the next two years could expand the rights protected under the Fourth Amendment, she said.
"The Supreme Court could say we're going to reach farther and read more protections in order to safeguard the Fourth Amendment. Or, the second choice is [for the Supreme Court] to say to government to make technology smaller," Hu said. "The democratic experiment will fail unless we find a way to make the Constitution bigger or technology smaller."
Hu has joined a growing number of legal scholars concerned with the rise of what they term the "National Surveillance State." In 2008, well before Snowden's revelations, Yale University law professor Jack Balkin outlined that concern in an academic paper, The Constitution in the National Surveillance State. Back in 2006, University of Texas law professor Sanford Levinson had joined Balkin to write, The Process of Constitutional Change: From Partisan Entrenchment to the National Surveillance State.
Hu titled her JMU lecture The Rise of the Cybersurveillance State. Using the term "cybersurveillance," she said, emphasizes the use of big data and its connections to the Internet and data mining in surveillance.
"Under this theory, nothing the government is doing is necessarily oppressive," Hu asserted. But she also described how U.S. passports embedded with RFID chips and driver's licenses with digital photos that can be recognizable in a police department database transform the way that government surveillance functions.
Essentially, she said, the government is now targeting suspicious data and not suspicious people. "As we create a more digital footprint, there's a way to look for the hologram of a person, but not the actual person," she said.
As an example, she said, in the vast majority of drone strikes, the attacks are not on individuals, but on the phones that are used — tracked by surveillance of the phone's metadata after multiple times of use.
A potential problem with a digital footprint can arise when a name appears on the increasingly expanding no-fly list, Hu said. "Many on the no-fly list have very limited due process and some are told they will never be able to be removed," she said. "Even if they might be allowed to fly, they won't be told the evidence that led to the nomination of being on there."
In her recent blacklisting article, Hu noted that before people are allowed to fly, work, drive or vote, they might be subjected to mass data collection and automated database screening by intelligence officials.
"Are we using more identity management to infer risk?" Hu asked the JMU audience. "Are we creating more pre-crime systems to keep us safe? Right now, when cases are litigated in court, those unable to exercise their rights are basically told they are collateral damage to keep us safe in this war on terror. What is the reliability of this and the efficacy of this? Going back to Snowden: Do these systems work and are they constitutional?"
Recent court actions involving cybersurveillance
Civil rights lawyers and legal experts are tracking at least two big court cases involving cybersurveillance.
The case of ACLU v. Clapper still continues before U.S. District Court Judge William Pauley after the American Civil Liberties Union first filed a lawsuit in June 2013 challenging, on First and Fourth Amendment grounds, the legality of the NSA's mass collection of Americans' phone records.
After an initial ruling by Pauley that ruled the NSA's phone record program was legal and threw out the ACLU's suit, the U.S. Court of Appeals for the Second Circuit overturned part of his ruling in May 2015, saying that the metadata collection program violated Section 215 of the Patriot Act. In June 2015, Congress passed the USA Freedom Act, which amended Section 215 to prohibit bulk collection of call records.
Since that time, the secretive Foreign Intelligence Surveillance Court has allowed the NSA to continue bulk collection during a 180-day transition period in the Freedom Act, and the ACLU has asked a judge to halt the continued collection. In addition, the ACLU has asked that billions of NSA call records collected going back to at least 2008 (and possibly back to 2001) be destroyed, but a decision hasn't been reached as Pauley awaits on declassification of a related ruling by the FISC regarding the NSA.
The Electronic Frontier Foundation also raised a concern recently that if bulk records are destroyed, it will erase the ability to bring two pending cases against the NSA over bulk collection of records.
In another case, the ACLU challenged the NSA's searches of international communications under the 2008 FISA Amendments, which a U.S. district court dismissed in October 2015. The challenge is now on appeal in the U.S. Fourth Circuit Court of Appeals, and attorneys are expected to file briefs later in February. FISA, the Foreign Intelligence Surveillance Act, was first created in 1978 to improve the ability of courts to oversee foreign intelligence surveillance activities and was amended in 2008.
The NSA claims that the FISA amendments allow "upstream" surveillance of virtually any international communications by Americans, including emails, Web content and even search inquiries. U.S. wireless carriers have cooperated in the surveillance with devices installed on the Internet backbone, according to the ACLU.
Hints about how the Supreme Court might act
Given the nature of some surveillance of communications metadata by the NSA without a court warrant, some civil rights lawyers believe there are fairly good chances the Supreme Court will push further to protect privacy rights.
These attorneys, who asked that they not be identified, said that metadata can be too invasive, even though the government defends the use of metadata as not prying into actual content in calls and messages. For example, knowledge of a phone's location — often considered metadata — on a repeated basis can give invasive clues about places a person has visited and his or her lifestlyle, potentially violating Fourth Amendment rights.
Supreme Court Chief Justice John Roberts may have tipped his hand, one legal expert said, in favor of civil liberties and protections of personal privacy under the Fourth Amendment in his comments in a landmark case, Riley v. California, decided unanimously in June 2014. The ruling held that police may not search digital information on a cell phone without a warrant, even if the phone was seized from an arrested person.
In that decision, Robert wrote: "The United States asserts that a search of all data stored on a cell phone is 'materially indistinguishable' from searches of these sorts of physical items… That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. A conclusion that inspecting the contents of an arrestee's pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but any extension of that reasoning to digital data has to rest on its own bottom."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.