Author's Note: Just as I was finishing this diary on what I believed formed the legal rationale used to justify the NSA metadata collection program, The Guardian published a leaked 2007 DoJ memo advocating for the expansion of surveillance powers. I decided to publish anyway. My analysis largely conforms with that in the memo, so I hope it adds to your understanding of the memo and why this rationale, as it is applied to the NSA, is so dangerous.The recent disclosure of NSA data mining programs collecting massive amounts of information on nearly all American citizens from the nation’s telephone and internet companies without a warrant shook many Americans’ conception of jurisprudence and our legal system. It exposed an immense gulf between what you and I consider private and what the courts and our government have determined is private.
Whenever this story fully plays itself out, what may be most surprising to the public isn’t the scale of the program itself, but rather that the warrantless collection of data for this program is considered legal in the first place. Members of Congress and the Administration repeatedly stress that these programs operate under court supervision. They claim the programs are legal because the collection of metadata does not require a warrant. Metadata, for the purposes of the Verizon court order, consists of call routing information like originating and terminating phone numbers, cell tour ID, calling card number, and duration of the call. Since they claim that the programs are not collecting the underlying content that creates the metadata (i.e. not recording the conversation), the government insists that a subpoena or FISA court order is sufficient.
This focus on business records by public officials suggests that the FBI and the NSA are relying upon a legal rationale known as the Third Party Records Doctrine to claim legitimacy for its mass collection of metadata without a warrant. The ABA Journal describes the doctrine thusly:
In essence, the doctrine holds that information lawfully held by many third parties is treated differently from information held by the suspect himself. It can be obtained by subpoenaing the third party, by securing the third party’s consent or by any other means of legal discovery; the suspect has no role in the matter, and no search warrant is required.The basis for the Third Party Records Doctrine can best be understood by examining three Supreme Court cases – Katz, Miller, and Smith – that help shape the modern legal conception of privacy in the United States. Each case deals with expectations of privacy and whether a warrant or a subpoena is sufficient to collect evidence. I briefly explain these cases on the other side of the fold and lay out why, because of modern technology, this legal rationale needs a radical change.
Katz v United States (1957) revolved around the question of Fourth Amendment protection against warrantless wiretapping of a public phone. In this case, the Supreme Court established a new test - a “reasonable expectation of privacy” – that effectively expanded Fourth Amendment protection beyond the previous standard of trespass. It held that, “Because the Fourth Amendment protects people rather than places, its reach cannot turn on the presence or absence of a physical intrusion into any given enclosure. The ‘trespass’ doctrine of Olmstead v. United States and Goldman v. United States is no longer controlling.” The Court recognized that even in a public setting there ought to be protected spheres of privacy.
However, in United States v Miller (1976), a case focused on whether a subpoena to a bank was sufficient for the government to obtain an individual’s bank records, the Court narrowed the potential scope of Katz by describing certain activity where no expectation of privacy can be presumed to exist. Miller established that documents such as checks, deposit slips, and bank account statements represent business records and contain information voluntarily shared in the course of business. They ruled that these were not an individual’s private papers, and therefore, not due Fourth Amendment protection. It held that, “The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” By sharing information with a third party in a business transaction, the Court claimed, individuals give up their reasonable expectation of privacy, and, along with it, their Fourth Amendment rights in those situations. A subpoena was deemed sufficient; no warrant was required to obtain business records. This is the basis on which the government claims metadata are business records for the purposes of the NSA programs.
Three years later, the Court would further restrict spheres of privacy. Smith v Maryland (1979), a case revolving around a subpoena to a phone company for a log of dialed phone numbers, added a second prong to the Katz test. The Court held that satisfying the Katz test of a individual’s reasonable expectation of privacy wasn’t enough to guarantee Fourth Amendment protection if society itself would not consider that expectation reasonable. “Even if petitioner did harbor some subjective expectation of privacy, this expectation was not one that society is prepared to recognize as ‘reasonable.’ When petitioner voluntarily conveyed numerical information to the phone company and ‘exposed’ that information to its equipment in the normal course of business, he assumed the risk that the company would reveal the information.” This second prong to the Katz test serves to further restrict Fourth Amendment protection by requiring society to confirm as reasonable your own expectation of privacy.
Where Katz initially expanded Fourth Amendment protections by requiring the government to obtain a warrant beyond its trespass onto private property and into a more public sphere, Miller and Smith limited much of that gain. They effectively lowered the burden on the government to obtain court approval to collect business records. Although court supervision occurs with both warrants and subpoenas, the level of judicial scrutiny applied to a warrant is much higher than that applied to a subpoena. Search warrants require probable cause, that sufficient information exists at the time of request for a warrant that would lead a prudent person to believe that evidence of a crime exists in the place to be searched. Subpoenas, on the other hand, primarily require the request to be relevant to an investigation and reasonable in scope.
Despite that lower burden, it appears the FISA court went out of its way to render meaningless the hurdles of being relevant and reasonable in granting approval to obtain metadata for the NSA programs. Relevance seems to be satisfied merely by the fact that some terrorist, somewhere out there, at some point in time, used a phone, an internet connection, or a bank. Reasonability seems to be satisfied by the fact that NSA’s computing power and data storage capabilities allow for a scope of billions of records daily and its communications infrastructure permits the timely transfer of those records.
How can the FISA court justify permitting the collection of data on over 95% of the population? The rationale for the Third Party Records Doctrine grew out of cases that targeted specific individuals for suspected crimes. It isn't clear at all to me that the FISA court's leap from targeting individuals to targeting an entire population is justified. In this highly digitized society which we live, the FISA court effectively removed any limit on the government’s ability to amass surveillance data on citizens. When Miller and Smith were being decided, the government was forced to prioritize its surveillance activities. Data collection methods were still quite laborious and placed a restraint on the government’s resources. But as more records became digitized and the cost of data storage and computing power fell, this constraint disappeared. Seemingly, the biggest restraint government faces today is imagination. We have fallen off the slipperiest of slopes.
Justice Sonia Sotomayor recognized this in her concurring opinion in United States v Jones (2012). While she concurred with the majority's opinion and the narrow rationale the majority chose to decide the case, she felt strongly enough about an encroaching surveillance state that she added:
[P]hysical intrusion is now unnecessary to many forms of surveillance. With increasing regularity, the Government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones. In cases of electronic or other novel modes of surveillance that do not depend upon a physical invasion on property, the majority opinion’s trespassory test may provide little guidance. But “[s]ituations involving merely the transmission of electronic signals without trespass would remain subject to Katz analysis.” As Justice Alito incisively observes, the same technological advances that have made possible nontrespassory surveillance techniques will also affect the Katz test by shaping the evolution of societal privacy expectations. Under that rubric, I agree with Justice Alito that, at the very least, “longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.”In light of the FISA court permitting such a broad data collection program, it is time to reset society’s expectation of privacy if we wish any privacy to remain. At a minimum, it is time to put Smith to the test. While the second prong of the Katz test added by Smith has, thus far, restricted Fourth Amendment protections over time, a dedicated campaign to increase society’s expectations of privacy would force the Supreme Court to use Smith to broaden Fourth Amendment protections again.
In cases involving even short-term monitoring, some unique attributes of GPS surveillance relevant to the Katz analysis will require particular attention. GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations. The Government can store such records and efficiently mine them for information years into the future. And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility.”
Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse. The net result is that GPS monitoring—by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track—may “alter the relationship between citizen and government in a way that is inimical to democratic society.”
I would take these attributes of GPS monitoring into account when considering the existence of a reasonable societal expectation of privacy in the sum of one’s public movements. I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on. I do not regard as dispositive the fact that the Government might obtain the fruits of GPS monitoring through lawful conventional surveillance techniques. I would also consider the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent “a too permeating police surveillance,”
More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the “tradeoff ” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.
The Supreme Court would have you believe privacy exists in a binary state, you either have it or you don’t. But our lives are not lived that way. We understand and practice privacy by degree every day. It is practiced by the young couple who shares with a few close friends that they are pregnant, but withholds that information from their own family until the risk of miscarriage subsides. It is practiced by the philanthropist donating a large sum to a charity, but asks the board to let her donation remain anonymous. It’s why we share lots of intimate information with a confidant and much less so with a gossip. Limiting the sphere of people with whom you share information is itself a form of privacy.
I'm not one given to hyperbole, but the application of the Third Party Records Doctrine to all business metadata without regard to suspicion destroys all concepts of privacy. Without privacy, does a presumption of innocence exist?
There is no way to opt out of our digitized society. And I dare say, if you attempt it, that will be considered suspicious activity and leave you open for further surveillance. As it stands today, privacy only exists in the never recorded thoughts in your head, an absolutely unreasonable standard indeed.