06 May 2014

Surveillance Safeguards

'Modern Safeguards for Modern Surveillance: An Analysis of Innovations in Communications Surveillance Techniques' by Gus Hosein and Caroline Wilson Palow in (2013) 74(6) Ohio State Law Journal [PDF] comments that
 To understand communications surveillance law is to try to resolve the three-body problem of simultaneously comprehending law, policy, and technology while at least two of the three may be changing at any moment in time. This makes it one of the more exciting domains for scholars, analysts, and technologists, but it is also one of the most challenging. 
Communications surveillance is a rapidly shifting landscape from the perspectives of policy and technology. Governments across the world are deploying new techniques and technologies with alarming speed. We are achieving new levels of surveillance, quickly approaching what Justice Brandeis warned about when he said that “[s]ubtler and more far-reaching means of invading privacy have become available to the Government,” and that “[d]iscovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.” There is a rapidly growing market in communications surveillance technologies that can conduct surveillance in ways that just ten years ago were well beyond the limits of our technology and often our imaginations. 
With widespread innovations in policy and technology across the world, what is most surprising is how old-fashioned our legislation is, and in turn, our safeguards. Many communications surveillance laws were drafted in the 1980s and 1990s, with updates in the 1990s and early 2000s. Many countries across the world are still introducing laws on communications surveillance, but their models are quite old, often borrowing language from laws from the 1990s (in the case of U.S. and UK law) and international conventions such as the Council of Europe Cybercrime Convention of 2001. They all ban interception of communications content, grant exceptions to government agencies, permit access to information about the communications (so-called communications metadata), establish authorization and oversight regimes, and permit government to order communications service providers to provide capabilities for lawful intercept and/or access. But they are not keeping pace with the new forms of advanced surveillance techniques and policies being deployed. 
In this Article we will draw out the modern landscape of surveillance policy and technologies (Part I). The deployment of new techniques and technologies is being done without new legal frameworks, and as such, we must resort to relying on older frameworks that may be unable to understand these new techniques, or constitutional safeguards that have a long and troubled history with innovation (Part II). Using the example of the lack of legislative activity in the United States, we look at how lower courts are trying to resolve the Fourth Amendment concerns inherent in some of these techniques, and make suggestions regarding how we believe current law should be applied (Part III). We are in a moment of great uncertainty characterized by the absence of legislative activity implementing real safeguards, use of new communications surveillance capabilities often in secretive ways, and courts grappling to understand new technologies. Laws, technologies, and the courts have, until now, maintained a delicate balance on communications surveillance; when new technologies posed new threats, often the courts or the legislative bodies would respond. If one branch failed, another would usually pick up the gauntlet. After the U.S. Supreme Court decided that interception of communications did not qualify as a search under the Fourth Amendment in 1928, Congress responded in the 1930s with strict controls. In the 1960s the Supreme Court and Congress fed off one another to develop jurisprudence and legislation. 
Responding to abuses in the 1970s, Congress enacted new laws, and when the Supreme Court decided against protecting certain metadata, Congress responded with rules on “trap and trace” and “pen registers.”  Unfortunately, we are currently seeing a lack of interest in safeguards from Congress and other legislatures around the world, while technical capabilities are expanding. There is even speculation that the Foreign Intelligence Security Court is being activist in enabling surveillance. It is high time to reintroduce safeguards into the conversation, and to apply them against technologies that are increasingly used to conduct directed and mass surveillance of our sensitive information.
The authors conclude -
We are in need of a reconceptualization of modern surveillance powers. Inasmuch as we still consider “interception” as the tapping of a line outside of someone’s home, we still believe that surveillance is as targeted in design as it is in implementation. Neither is necessarily true anymore. Even the emphasis in the literature on the “third party doctrine” may require re-thinking, as it presumes that modern surveillance requires third party Internet companies and telephony providers. As we see with the technologies reviewed in this Article, the human is no longer necessarily the observer nor the identified target within modern surveillance. An individual may be placed under communications surveillance because of his or her location (e.g., near an IMSI catcher), virtual address (e.g., on the same stream of communications as someone else or using the same IP address or computer that is then attacked with a Trojan), or characteristics (e.g., same spoken language, similar topic of conversation). The surveillance may be authorized because of these characteristics, not because a known individual is using a particular communications medium. Such practices only increase the need for legal safeguards to protect our privacy. 
Technological change has long been compelling us to rethink the application of our constitutional values. In theory, Parliaments and Congresses could act to regulate these technologies, to place them under strict rules. They have, to date, failed to do so. Instead, we are seeing that the courts are exploring these questions around new communications surveillance techniques. Our analysis, based on Supreme Court decisions regarding the Fourth Amendment, recommends that the courts establish strong boundaries around these new investigative techniques.