I Always Feel Like, Somebodies Watching Me
Let’s talk about the current NSA surveilance brouhaha. Liberals, conservatives, AND Libertarians are all entirely up in arms about this subject; which for the reasons I’m about to discuss is patently silly.
First things first, I’m an information security consultant and architect, with extensive government, financial, medical, telecommunications, and military security experience. I do some of this stuff for a living. For those of you who are familair with federal contracting, I have several GSA contracts under my belt. In my daily professional life, I deal with the legal and technical issues surrounding this subject quite a lot. I have in fact conducted, and assisted in, trap and trace operations; as well as created solutions for trap and trace access.
Next, this IS NOT WIRETAPPING, nor in fact is it any kind of invasion of privacy (as legally established).
The data the NSA is collecting are called pen-trace records or pen-register records(technically its a “pen register trap and trace device record”, even thugh there is no such thing as a pen register anymore. I usually call it a pen-trace because it’s a more complete abbreviation, and because the operations are generally referred to as “trap and trace” oeprations. In most references it is more often referred to as a Pen Register). These are the records which indicate what calls were initiated from what number, to what number, when, for how long, how the call was routed, and what charge classes apply to each stage of call routing.
These records are legally semi-public information, not private. It is legal to collect these records without a warrant, so long as they are not used to SPECIFICALLY TARGET an individual without a warrant (there is a specific pen register warrant for that purpose), or used beyond basic identifying characteristics. Once a trace of interest is found, a warrant can then be applied for for further surveliance.
It has been legal for the government to do this since the very first telephone telecommunications laws in 1936, and it continues to be reaffirmed as such. The last law regulating this was passed last year, others that I know of in 2001, 1998, 1996, and 1994, ’88, and two HUGE ones in ’84 and ’86. The supreme court has repeatedly reaffirmed the legality and constitutionality of this, because of the third party exemption to private communications if for no other reason (and there have usually been other reasons).
Under the third party exemption, if a third party is allowed to setup or witness what is otherwise a private communication between two parties, the expectation of privacy of the existence of the communication is breached (if it existed at all which in many cases it does not), and the existence and external characteristics of that communication can then be compelled and used as evidence without a warrant.
This is settled legal doctrine, and has been for literally hundreds of years, back to english common law.
For further information, refer to Smith v. Maryland which is controlling in these situations, and which was decided under ’36 ’48 and ’78 statues. A pen register is not a search under these criteria.
There is additional controlling legislation, the electronic communications privacy act of 1984. This established certain privacy protections for electronic surveilance, as well as enforcing access to records and techncial means by the government at the providers cost (as a cost of doing business, any company defined as a pblic telecomunications utility must give the government access to tap and trace).
Under current law and precedent, so long as there is not an individual target, privacy provisions of ECPA ‘84 don’t apply; but the access provisions do. It’s a case of the government having its cake and eating it too.
Further, USAPA ‘01 (the patriot act) CLEARLY defines that global pen registers conducted through electronic means are NOT an unlawful search. Or rather it clearly correlates them to earlier definitions of pen registers which were also held not to be unlawful searches.
If there IS an individual target, then there is a low burden of proof threshold to obtain a pen register, to wit the capture of any information likely to be pertienent to a criminal investigation. Additionally, no warrant is necessary even for specific targeting, if one end of the conversation initiates or terminates outside of the country. Also there are certain standing exemptions (communications from anywhere within the country to certain known individuals or locations – official arms of the chinese government for example).
Also, it has been held that there is no warrant necessary for the disclosure of LUDs (local usage details) by telephone companies to investigative agencies; again because of the third party exemption.
Now there is an additional issue here, as to whether it is legal to capture glocal pen-trace data without a specific target, and then run traffic analysis on it which produces specific targets which were not present before the data collection…
Well so far the courts say yes; and have several times and at several levels; but I’m not sure this is technically correct.
Once the data is collected in a legitimate way, it is generally assumed that any analysis done is legitimate; even if the results of that analysis would be the same as those which would have required a warrant to produce without that analysis.
It may or may not be allowed as evidence depending on the judge, and the court; but the agency doing the analysis wouldn’t be under any sanction for doing so.
This is clearly a case of the law not being properly costructed to handle unforseen technological circumstances. The spirit of the laws (and there are more than just one, in fact more than a few) may be violated here; but in general it has been held that this IS legal.
All of these issues have additional implications in a national security context, and I’m not sure if there is a controlling decision or even controlling legislation; in part because some of the decisions that may be controlling are classified. Also some cases that may have produced controling decisions were instead vacated or dismissed by national security exemption.
Basically there are a lot of things that an NS or NCA initiated investigation can do that a criminal investigation can’t and still be legal; in some cases without the authorization of courts.
That is an executive powers question, and one that the courts have been EXTREMELY reluctant to enter into. The constitutional law (as opposed to a straight reading of the constitution – a distinction that I find distasteful but it is very real today) issues here are somewhat convoluted.
Given all this, it should be clear that in fact, telephone and electronic communications have far less LEGAL privacy protection than do face to face conversations. You may not LIKE it, it may feel creepy, but it is legal, and has been basicaly since the phone companies were first set up.
What the NSA is doing WITH this information is called traffic analysis, and it is legal, even on US. Citizens. Traffic analysis doesn’t tell you what is being said, but who is talking to who is a still a valuable source of intelligence.
More importantly, LEGALLY traffic analysis is not surveilance, it is the gathering of open intelligence; and thus does not require any specific justification or authorization.
Now as to whether it should be or not; that’s a much thornier subject. The fact is, we have allowed but the government, and business, to do this since the inception of communications technologies.
By law the telephone networks are only semi-private (as are the airways BTW). There is no dejure expectation of privacy as to the routing of your calls, because that information is both used by third parties for purposes directly related to the call itself (billing and QOS); and by third parties not realated to the call (marketers).
Just to illustrate one case, the phone companies use the info for marketing purposes, and sell it to others for marketing purposes.
People in high income zip codes will be identified, and marketers will look at their magazine and catalogue subscription info, which they either have already or purchased from some other companies. The comapanies then send those catalogues and subscription offers to the people that the high income folks called. That’s just one example.
The same thing happens with shoppers cards, credit cards, magazine subscriptions… hell some libraries sell your data, and all major bookstores (in fact all major retailers) do.
That data may or may not be personally identifiable, depending on exactly what business is selling it to what business.
Hell, the post office sells your magazine and catalogue subscription records to other magazine and catalogue publishers as well; so those publishers can send you more offers. Additionally the post office will use data on who sends you mail, and who you recieve mail from, to conduct investigations into mail fraud, terrorism, and transportation of contraband, obscenity, and child pronography through the mails, WITHOUT ANY WARRANT.
The post office is a semi-government agency, and for some reason no-one makes the connection between pen trace and this behavior; which is legally IDENTICAL; and which has been going on for decades.
So if a commercial entity can sell it to another commercial entity, can’t the government collect this data on its own?
Or should ALL of that be made illegal?
The fact is, people have a false expectation of privacy in far too many venues. The only real privacy lies in that behavior which is that which is conducted exclusively on your private property; or that which is conducted by ALL parties to a contract during which agreement is made by all parties to maintain all desired aspects as private (which lawfully guarantees your expectation of privacy. This at the core of privilige).
This isn’t a recent developement; it’s legally, and often socially been this way… well pretty much forever. You don’t have the legal expectation of privacy you FEEL you do. Perhaps you do have a moral expectation; but the law, morality, and basic rights unfortunately diverged a long time ago.
Again, I’m a Libertarian, these issues get kind of thorny with me. Do I WANT the government to do this? No I don’t; however we have constructed a government that CAN do this, both legally, and technically. I disagree with it, I’d like the laws changed; I’d even like to see a constitutional guarantee to certain privacy beyond that which I outline here; but it simply doesnt exist now (nor likely ever will).
As to a so called right to privacy; no there is no right to privacy if you mean that all others must repsect YOUR privacy and not use the means they have available to abrogate it. That so called right simply does not exist.
A right is something that can only be abrogated by force, or willful consent. Privacy of your telephone calling records need not be forced, nor does it need your consent to be abrogated; because it is already shared with a third party; the telephone company.
That said, we have the right to HIDE anything we want (presuming we control that thing legitimately), from whomever we want, for whatever reason, using whatever means we choose. It is others responsibiltiy to find it if they want to. This includes criminal evidence; and it includes lying to investigators and law enforcement (though not in court providing one swears the oath).
Additionally and related to that, we have the right to not be COMPELLED to share information we do not wish to share; assuming we hold that information alone, or in concert with other parties who also agree to keep that information private. However if there is a party to the information who does not agree, than if we continue to share information with that party, we no longer have any legitimate expectation of privacy.
Privacy is not an inherent right, it is a social construct. It is a useful, and important construct; but the only privacy we have an absolute right to is the privacy of private property; and whatever occurs entirely therein.
The problem is that peoples understanding and expection of privacy doesn’t keep pace with either their understanding and expectations of technology; or their general acceptance of technologies.
The only reason this is coming to light NOW (in the general sense – in the specific sense its so the press can use it against Bush), is because now the technical means exist for governments, and businesses, to collect and analyze this data on a global scale. That makes EVERYONE feel like they are being watched. People were fine with it when they could only track and analyze a few data streams at a time, but now they can track and analyze everyone, they feel naked, violated.
You may feel in your gut that your rights are being violated, but you never had this LEGAL right you feel you had in the first place. You had a de-facto illusion of privacy, simply because people weren’t able to do this yet.
Now they are, and your illusion of privacy no longer exists.
UPDATE: Some commenters questioned my accuracy on the law, so I included more detail. I also inserted clarification of my personal moral position on the issue. Oh and if you want privacy, here are Six-ish words: Encrypted IP Telephony, Pre-paid Mobile Phone.