Trust but Verify
The Importance of Oversight and Transparency in the Pursuit of Public Safety and National Security
Abstract and Keywords
Broad government access to personal data held by the private sector, meaning access not tied to any specific account or person, is not acceptable, and it cannot be made acceptable through oversight or governance mechanisms. In considering the merits of bulk collection programs, it helps to have an overarching framework to decompose such programs into their component parts: actors, objectives, actions, and impacts. Although law enforcement and intelligence investigations vary in their objectives and methods, and governance models need to be tailored appropriately, several important principles apply to both. First, there should be no broad or unfettered access. Second, the process for accessing data should include appropriate oversight. Third, there should be transparency. Finally, in a globally connected world, it is important to think about the international implications of surveillance programs.
We have been asked to address, in practical terms, the elements of an oversight or governance system that should be applied to any government program seeking broad access to personal data held by the private sector, and for industry to responsibly respond to such requests or demands. If by “broad access” we mean “access not tied to any specific account or person,” our view is that such access is not acceptable, and it cannot be made acceptable through oversight or governance mechanisms.
The issue of broad access received attention after the disclosures by Edward Snowden. News reports regarding US government surveillance practices highlighted several programs but, for the purpose of examining the issue of broad access, we will focus on the 215 Program. This bulk collection program, so named because it was authorized under Section 215 of the PATRIOT Act, involved a secret court order that required phone companies to provide metadata (time, duration, and phone numbers, as opposed to content) to the government.
Following the Snowden disclosures, it is clear that reasonable minds can differ on the propriety of broad access and the bulk collection of records. Although one can debate the merits of individual bulk collection programs, it helps to have an overarching framework to decompose such programs into their component parts and identify what, if anything, gives cause for concern. Such a framework decomposes a program into four elements: the actor, the objective, the action, and the impacts.
Before diving into the issue of broad access, it may be helpful to give an example of the framework in action, using a situation that is familiar to many: airport security. Over the past several years, there have been numerous attempts to improve the screening of passengers, particularly after law enforcement authorities interrupted assorted plots to blow up airplanes with liquid explosives or explosives hidden in shoes. In response to these events, a government actor (the US government), with the objective of protecting airplanes and their passengers, took the action of deploying backscatter X-ray scanners. The impact of this action included passenger exposure to radiation and graphic images of bodies. Notwithstanding government assertions that these machines were safe and appropriate, the public reaction suggested otherwise; that is, even if the right actor had the right objective, the actions taken produced unacceptable impacts. In response, the government moved to millimeter wave scanners (radio waves) and more opaque images. This change in action reduced the impacts of concern, and public opposition abated.
If we turn to the issue of broad access, the use of the framework highlights several concerns. The first element—the actor—is government. It is true that companies collect lots of data too, also raising privacy concerns.[1] This being true, it is fair to ask, “Are governments unique?” The answer is yes because (1) governments can compel the production of data, over the objections of the data holder and/or data subject; (2) governments can compel silence, by providing non-disclosure orders; and (3) methods of accountability differ. Although both governments and private parties can be castigated in the court of public opinion for their actions, private companies are accountable to government regulators and cannot avoid public scrutiny by saying their activities are “classified.” Indeed, but for the disclosure of classified information by Edward Snowden, there would have been no public discussion on the propriety of the government-run program. Thus, the concern is that the power of the state—and the secrecy rules the state can leverage—is problematic when collecting data on people who have committed no crime and engaged in no suspicious activity.
The second element relates to objective. Here the objective is to protect public safety and national security by combatting terrorism and, hopefully, preventing terrorist attacks. This is clearly a proper objective for governments. Some may be concerned that data collected for this purpose may be subject to secondary uses (i.e., used to achieve some other objective), with or even without appropriate authority. For that reason, there is prophylactic value in prohibiting collection in the first instance, as data never collected can neither be repurposed nor misused. But that does not change the fact that the objective of fighting terrorism remains valid.
The third and fourth elements—action and impacts—are closely related. As reflected in the example above on airport security, actors often have a range of options, and each of those options will have different impacts. In the scenario here, the “action” is the broad collection of data. The justification for such broad collection, according to the US government, is that “if you are looking for a needle, the haystack is relevant.”[2] The problem with this argument is that it knows no bounds. Governments have always sought relevant evidence, but relevancy, according to the dictionary, is defined as “connected with the matter at hand.”[3] Prior to these broad collection programs, law enforcement agents would identify with specificity the person being investigated and/or the particular crime under investigation. An example might be “John Smith is planning to rob a bank” or “an unknown person is planning to bomb a subway in City X on June 3rd.” In support of such an investigation, law enforcement agents would collect relevant evidence specific to that person or crime. But in an age where loosely affiliated individuals are constantly plotting unknown attacks, those responsible for protecting public safety decided it was appropriate to collect haystacks and search for needles.
One way to test this argument is to apply it in related contexts. For example, it has been written that a school shooter forecast his rampage three months before his attack.[4] One could argue that, to prevent the next school shooting, every diary in America should be collected, digitized, and stored so that this data store can be searched to prevent the next such attack. Of course, this is not possible: there are physical impracticalities (too many homes to search), as well as constitutional and legal prohibitions. But that misses the philosophical point. This is not just about the laws of physics and potential legal impediments; the deeper philosophical question is whether we should seize haystacks to create an ability to search for needles, knowing that most of that hay is lawful activity, engaged in by law-abiding citizens.
This is a particularly important question as new technologies and big data analytics change the way people can be profiled. As noted by the Supreme Court,
GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations. See, e.g., People v. Weaver, 12 N. Y. 3d 433, 441–442, 909 N. E. 2d 1195, 1199 (2009) (“Disclosed in [GPS] data … will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on”).[5]
As in the case with X-ray machines at airports, an action may reveal “too much” and make people uncomfortable. This is often referred to as “the creepiness factor.”
Our view that bulk collection is inappropriate is validated by recent congressional action: Congress concluded that government agents can be effective without collecting haystacks.[6] That said, there are times when governments should be able to access data and, in fact, do so in secret. Microsoft believes—and there is no doubt our customers believe too—that people should be safe, both online and in the physical world. We should not create safe havens for criminals, and information, simply because it is digitized, should not be off limits to those responsible for preventing, investigating, and prosecuting crime. Even for specific, tailored access, however, governance models are important.
In this regard, it is important to appreciate that different types of investigations are subject to different levels of oversight, as “one size does not fit all” when it comes to governance models. For example, when surveillance is conducted for criminal investigative purposes, there is judicial supervision, followed by notification to the target when the investigation is complete[7] and, sometimes, production of that evidence in public court proceedings. This individualized notice is supplemented by broader public reports concerning the use of wiretapping as an investigative tool, and those reports are made public.[8] This is not to suggest that “after-the-fact” oversight is a substitute for “before-the-fact” relevancy requirements, but rigorous oversight is one way to ensure that rules have in fact been followed and to build trust in governance processes.
By contrast, when surveillance is conducted for intelligence purposes (e.g., to monitor a foreign spy operating on US soil), the goal may not be the bringing of public charges in open court, and notice to an intercepted party might never be appropriate. As such, there is no required notice to the parties intercepted unless evidence collected pursuant to a Foreign Intelligence Surveillance Act order is being offered in court.[9] Additionally, the reporting requirements call for reporting to Congress (not the Administrative Office of US Courts), and the reports can be redacted to protect national security.[10]
Although these situations do vary and governance models need to be tailored appropriately, from the discussion above we can glean several important principles. First, there should be no broad or unfettered access; the requests should be specific. Second, the process for accessing data should include appropriate oversight, which means an appropriate segregation of duties (e.g., having courts approve legal requests for such access). Third, there should be transparency so that legislators and the public know the general scope of such surveillance activities. Indeed, a lawsuit filed by information technology companies led to just such transparency, as companies were granted the right to describe, in broad terms, the number of orders they receive, including those related to national security.[11]
Although there is no doubt that government access to data cannot always be completely transparent, having specific requests, oversight by an independent judiciary, and transparency to regulators and the public will permit governments to protect public safety and national security while deflating concerns that the government is acting in ways that may chill fundamental rights, including rights of freedom of association and freedom of expression. In sum, it will ensure that the right parties pursue the right objectives with the right actions and impacts.
Finally, in a globally connected world, it is important to think about the international implications of surveillance programs. The fact is, surveillance laws often differentiate between citizens and foreigners, as well as between domestic and international surveillance. These distinctions are premised on the fact that a government’s primary mission is to protect its own citizens’ public safety and national security. But the Snowden disclosures certainly made clear that spying on allies can create tensions in important relationships, as well as undermine trust in information technology.[12] Unaddressed concerns about the security of the supply chain and communications networks can reduce the benefits offered by global innovation and connectivity.
This is not to suggest governments abdicate their responsibility to protect national security. But as the recent German SPD Report on oversight and regulation of signals intelligence makes clear, there are no international standards on intelligence collection that permit even friendly states to have a common code of conduct.[13] To the extent that citizens of one country may be concerned about surveillance by governments other than their own, creating international standards, at least between like-minded countries, might increase trust in surveillance programs, especially if those standards included, as the SPD proposes, “a ban on the creation of an NSA-style data haystack.”[14]
(*) The author would like to thank John Frank for his contributions.
[1] Microsoft is at the forefront of these discussions. See http://www.microsoft.com/en-us/twc/privacy/default.aspx.
[2] See Ellen Nakashima & Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All’,” Washington Post (July 14, 2013), https://www.washingtonpost.com/world/national-security/for-nsa-chief-terrorist-threat-drives-passion-to-collect-it-all/2013/07/14/3d26ef80-ea49-11e2-a301-ea5a8116d211_story.html.
[3] Merriam-Webster, “Relevant” (retrieved 2012), http://www.merriam-webster.com/dictionary/relevant.
[4] Jordan Steffen, Zahira Torres & Jennifer Brown, “Report: Arapahoe High School Shooter Wrote in Diary of Coming Rampage,” Denver Post (April 26, 2016), http://www.denverpost.com/news/ci_26702161/final-details-arapahoe-high-school-shooting-be-revealed.
[5] United States v. Jones, 132 S. Ct. 945 (2012) (Sotomayor, J., concurring).
[6] See USA Freedom Act, Public Law No. 114-23 (eliminating bulk collection of US phone records), https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf.
[7] 18 U.S.C. § 2518(8)(d) (2012). There are exceptions to this rule.
[8] See 18 U.S.C. § 2519 (2012); http://www.uscourts.gov/statistics-reports/analysis-reports/wiretap-reports.
[9] 50 U.S.C. § 1806(c) (2012).
[10] 50 U.S.C. § 1871(d) (2012).
[12] See Simon Shuster, “German Mistrust of the U.S. Deepens amid Latest Spy Scandals,” Time (July 7, 2014), http://time.com/2963472/spy-scandals-damage-us-german-alliance/; Claire Cain Miller, “Revelations of N.S.A. Spying Cost U.S. Tech Companies,” New York Times (March 21, 2014), http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html?_r=0.
[13] SPD Report, p. 8.
[14] SPD Report, p. 3.