04 July 2013

Mail Covers and Memory

The New York Times notes that the US Postal Service is "Logging All Mail for Law Enforcement" through the "Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States - about 160 billion pieces last year".

The Times notes that "it is not known how long the government saves the images" and that "postal mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail".
At the request of law enforcement officials, postal workers record information from the outside of letters and parcels before they are delivered. (Opening the mail would require a warrant.) The information is sent to the law enforcement agency that asked for it. Tens of thousands of pieces of mail each year undergo this scrutiny.
The Mail Isolation Control and Tracking program was created after the anthrax attacks in late 2001 that killed five people, including two postal workers. Highly secret, it seeped into public view last month when the F.B.I. cited it in its investigation of ricin-laced letters sent to President Obama and Mayor Michael R. Bloomberg. It enables the Postal Service to retrace the path of mail at the request of law enforcement. No one disputes that it is sweeping.
“In the past, mail covers were used when you had a reason to suspect someone of a crime,” said Mark D. Rasch, who started a computer crimes unit in the fraud section of the criminal division of the Justice Department and worked on several fraud cases using mail covers. “Now it seems to be, ‘Let’s record everyone’s mail so in the future we might go back and see who you were communicating with.’ Essentially you’ve added mail covers on millions of Americans.”
The Times notes Bruce Schneier's comment that the program is an invasion of privacy, irrespective of whether it involves a postal worker taking down information or a computer taking images.
“Basically they are doing the same thing as the other programs, collecting the information on the outside of your mail, the metadata, if you will, of names, addresses, return addresses and postmark locations, which gives the government a pretty good map of your contacts, even if they aren’t reading the contents,” he said.
... “It’s a treasure trove of information,” said James J. Wedick, a former F.B.I. agent who spent 34 years at the agency and who said he used mail covers in a number of investigations, including one that led to the prosecution of several elected officials in California on corruption charges. “Looking at just the outside of letters and other mail, I can see who you bank with, who you communicate with — all kinds of useful information that gives investigators leads that they can then follow up on with a subpoena.”
But, he said: “It can be easily abused because it’s so easy to use and you don’t have to go through a judge to get the information. You just fill out a form.”
For mail cover requests, law enforcement agencies submit a letter to the Postal Service, which can grant or deny a request without judicial review. Law enforcement officials say the Postal Service rarely denies a request. In other government surveillance programs, like wiretaps, a federal judge must sign off on the requests.
The mail cover surveillance requests are granted for about 30 days, and can be extended for up to 120 days. There are two kinds of mail covers: those related to criminal activity and those requested to protect national security. Criminal activity requests average 15,000 to 20,000 per year, said law enforcement officials, who spoke on the condition of anonymity because they are prohibited by law from discussing them. The number of requests for antiterrorism mail covers has not been made public.
Law enforcement officials need warrants to open the mail, although President George W. Bush asserted in a signing statement in 2007 that the federal government had the authority to open mail without warrants in emergencies or in foreign intelligence cases.
Court challenges to mail covers have generally failed because judges have ruled that there is no reasonable expectation of privacy for information contained on the outside of a letter. Officials in both the Bush and Obama administrations, in fact, have used the mail-cover court rulings to justify the N.S.A.’s surveillance programs, saying the electronic monitoring amounts to the same thing as a mail cover. Congress briefly conducted hearings on mail cover programs in 1976, but has not revisited the issue.
In a forthcoming article in Privacy Law Bulletin I discuss this month's formal Opinion by EU Advocate General Jääskinen regarding case C-131/12 in the European Union Court of Justice (ECJ), i.e. Google Spain and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González. The dispute concerns interpretation of the European Data Protection Directive 95/46/EC in relation to internet search engines, construed by some as enshrining a 'right to be forgotten'.

The Jääskinen Opinion - which is not binding on the ECJ - follows a preliminary ruling by the Audiencia Nacional (Spain's national high court) regarding proceedings involving Google Inc, Google Spain (its subsidiary), the Agencia Española de Protección de Datos (AEPD, Spain's national data protection agency) and Mario Costeja González.

González - the data subject - had experienced business difficulties and appeared in La Vanguardia (a leading newspaper) after the government took action to auction his property to cover social security debts. That coverage was factual. González sought to have the information removed from the online version of the newspaper. (Unsurprisingly there appears to have been no action to expunge the information in archived print copies or have the newspaper publish a 'supplementary' statement.)

González separately contacted Google Spain, with the expectation that search results would not display a link to La Vanguardia's coverage (and an abstract of that coverage) whenever someone searched his name. Unsatisfied, he lodged a formal complaint with the AEPD, which called on Google Spain and Google Inc. to 'forget' the information when presenting search results. Google appealed to the Audiencia Nacional, which referred several questions to the ECJ. Those questions relate to -
  • the territorial scope of and the applicable national law under the Data Protection Directive
  • whether search engine providers are data controllers
  • whether there is a right to be forgotten. 
In advising the ECJ, Jääskinen argued that access by people in Spain (and targeting of those consumers by Google Spain) did not trigger the application of Spanish data protection law, which under Article 4(1) of the Directive is meant to harmonise with law elsewhere in the EU. The relevant question was instead whether Google carried out data "processing in the context of the activities of an establishment of the controller" in Spain. Jääskinen argued that Google indeed was a "data controller" under the Act and Directive: it was irrelevant that Google Inc's servers (and the data processing) were located outside Spain, because Google Inc and its subsidiaries should be treated as a single group and because Google Spain acted as the 'bridge' to Spain's advertising market.

The Opinion discusses whether a search engine operator should be considered as a "controller" in relation to Article 2(d) of the Directive. Would the copying, caching, indexing and display of content from La Vanguardia and other sites (including personal data such as names, contact details, descriptions and images) constitute processing of personal data?

Jääskinen differentiated the search engine operator, merely supplying an automated 'information location tool' - search results from an 'index' that drew on but did not exercise control over third party sites that featured personal data - from those third party sites. The operator would accordingly have a protected status similar to that enjoyed by telecommunications providers, having no awareness of the personal data "in any other sense than as a statistical fact". The third party sites, such as a newspaper site, would instead be controllers under the Directive. Jääskinen argued that the "provision of an information tool does not imply any control over the content", consistent with the Article 29 Working Party Opinion 1/2008 that characterised "a search engine provider" as acting "purely as an intermediary" and indicating that "the principal controllers of personal data are the information providers".

Search engine operators would be controllers in relation to the cache if they chose not to comply with exclusion codes (robots.txt/do not follow tag) on a third party page or chose not to update a page in the cache despite a request received from the third party that originated the cached content. In those instances the operators would need to comply with all obligations imposed by the Directive on data controllers, including the Article 6 data quality principles.

Jääskinen considered that provision of internet search engine services meets the legitimate interests criteria outlined in Article 7 of the Directive, with the automated index reflecting notions of adequacy, relevancy, proportionality, accuracy and completeness.

Jääskinen accordingly considered that a national data protection agency such as the AEPD cannot require a search engine operator such as Google to expunge information from its search results, other than in instances where the operator has not complied with the exclusion codes or where a request emanating from the website regarding update of cache memory has not been complied with.

Is there a broad right to be forgotten? Jääskinen says no. The Opinion discusses the Directive's provision for erasure or blocking of data and the right to object, arguing that (in the absence of a new unequivocal right under the proposed Data Protection Regulation) there is no general right to be forgotten. González as a data subject has no right to require - on a subjective basis - a search engine operator to prevent indexation of information that has been legally published on third party sites.

Jääskinen considered the fundamental right to the protection of personal data under Article 8 of the EU Charter of Fundamental Rights, along with the corresponding provision in the European Convention for the Protection of Human Rights and Fundamental Freedoms. The Opinion argues that the right to protection of personal data and private life is not absolute. Protection must be balanced with other fundamental rights, in particular the freedom of expression, freedom of information and freedom to conduct business. A generalised right to be forgotten would sacrifice these rights, potentially resulting in censorship by private parties on a subjective basis.

The Opinion recommends that the Court decline to accept a "case-by-case" approach to the present case, as it would open up internet search providers to unmanageable numbers of requests.