Secret Police

Can personal privacy survive the digital revolution?

Civil libertarians hoped that the Obama era would see a renewed commitment to privacy protections. But their dreams are being dashed. Congress seems likely to recess without adjusting aspects of the Patriot Act set to expire at the end of the year, which means that the existing law will be temporarily extended. Elements up for reconsideration include roving wiretaps in foreign intelligence investigations that are not targeted to a specific communication mode or person and “section 215” ability to seize business or other records in a presumptive terror investigation.

Different bills to reform these and other powers have come out of the Judiciary Committees of the House and Senate. The House version is slightly better in terms of demands it makes on law enforcement and intelligence agencies to have defensible reasons for their searches and seizures. But the controversial provisions will survive, even if slightly circumscribed.

So will other post-9/11 surveillance practices. Candidate Obama swore that under his reign, Americans would see “no more National Security Letters to spy on citizens who are not suspected of a crime.” But his administration has shown no desire to relieve itself of NSL powers. National Security Letters allow FBI agents to grab records and information about you from third parties without any judicial supervision. The recipients are legally prohibited from telling anyone other than their lawyers that they gave up the information.

The Patriot reauthorization debate unfolded as the telecommunications industry, already known for craven capitulation to the National Security Agency’s warrantless wiretapping program, was revealed by researcher Chris Soghoian to be continuing to cooperate with law enforcement against customers’ interests at a level that, in the words of a request from Yahoo! to keep its collaboration quiet, would “shock” customers and “shame” telcos.

Sprint Nextel, for example, provided the government with GPS locations of its subscribers via their cell-phone signals 8 million times between September 2008 and October 2009. As Soghoian writes, telecom and Internet providers “all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests. Their entire purpose is to facilitate the disclosure of their customers’ records to law enforcement and intelligence agencies.” Verizon, objecting to a FOIA request by Soghoian, expressed concern that subscribers might start bothering it to provide information dumps that the company only provides for cops. Verizon also worried that customers would ask whether their info was being coughed up to law enforcement. Of course, Verizon would not tell them.

These two stories—Patriot reauthorization and telco cooperation—frame the battlefield on which American privacy is being slaughtered. On one end is a government that wants to suck up as much information as it can with as little oversight as possible. On the other end are private companies—to which we entrust more and more information about what we are saying, writing, buying, and thinking—that in effect act as government information agencies.

So many alarming procedures and plans that impact Americans’ privacy—our ability to move through the world without giving up information to authorities, whether knowingly or unaware—are either in the works or already implemented that if you talk to 10 different privacy-rights advocates, you hear 10 different primary worries. A big one, the de facto national ID card created through the “Real ID” system—a set of federal demands on security and verification measures on state IDs—has been effectively killed by grassroots federalism: states just refused to go along, and the federal government had pretty much given up, despite the law having passed in 2005. But the Senate is now considering a revival of most of Real ID’s features through the PASS ID Act, which the ACLU’s Christopher Calabrese characterizes as “the government giving us a permission slip on whether you can engage in the right to travel, and potentially to work or vote or even own a gun.”

Republicans, both in Congress and in the grassroots, don’t seem particularly concerned with these issues. As Julian Sanchez, who studies privacy and technology issues for the Cato Institute, noted, “Thus far, the approved conservative position appears to have been that Barack Obama is some kind of ruthless Stalinist with a secret plan to turn the United States into a massive gulag—but under no circumstances should there be any additional checks on his administration’s domestic spying powers.”

Meanwhile the privacy-advocacy community often conflates privacy threats from government with those from marketers. The information-collection practices that alarm privacy mavens range from such seemingly innocuous practices as supermarket discount cards—which create permanent records of your buying habits—to things as creepy as tracing and saving Internet searches and webpage visits to generate ads computer-calculated to fit a data-derived image of “you.” But these schemes are ultimately dedicated to nothing more sinister than trying to sell you things.

Government, on the other hand, can do things to you, or deny you the right to do things, based on the information it captures. This might seem to create a clear-cut free-market line between when information-gathering is a public-policy issue and when it isn’t. But the situation is more complicated than that. Private information-gathering companies such as ChoicePoint make a lot of money selling their data to … the government. A 2006 GAO study found $30 million being spent by just four government agencies on services from private information brokers.

Assaults on our ability to keep facts about ourselves to ourselves come from both private and public directions, and in many cases it’s hard to distinguish. At the heart is what privacy researcher James Rule of UC Berkeley, author of Privacy in Peril, identifies as our tendency to embrace, or at least accept, any data-collection or surveillance system as long as we think it has utilitarian benefit.

The cell phone is emblematic of our modern approach to privacy. In the space of a decade, it has gone from expensive rarity to perceived necessity. It keeps us connected everywhere we go, which most now think of as a blessing (and even many who acknowledge it as a curse feel unable to escape). But a cell phone creates a record of exactly where you have been via the signals it pings back to cell towers, a record that is generally available to government investigators with ease, though lower courts have tried to establish standards for the circumstances and methods by which the government can get that data. Even turning your phone off won’t necessarily keep it from being a silent betrayer of your every step; you either need to take the battery out or—if this can be contemplated—leave it at home.

The cell phone is the most extreme example of the trail we create in pursuit of convenience. Such data-hungry sectors as credit and insurance also hoover up information about us, but the efficiencies they provide would be difficult for most of us to live without. The credit-information industry in particular creates an interesting irony: by gathering so much about our private financial behavior in a faraway database, making decisions based on it, and often trading that information to others, these companies allow access to credit with greater face-to-face privacy since, unlike a century ago, a merchant need know nothing about our probity, wealth, family, or job before extending credit, as long as MBNA vouches for us.

In the realm of business interactions—from cell phones to credit cards to our search-engine use—we see privacy crumbling beneath the weight of a conflicting need. The same dynamic drives government surveillance, though the need is not ours but the state’s. Even before the massive security apparatus erected after 9/11, government’s desire to punish Americans for the sale or possession of certain drugs was dramatically reducing historic protections. Among the privacy-damaging precedents we owe to the war on drugs are the “good faith” exception for illegally obtained evidence; warrantless searches of private, clearly posted land; warrantless monitoring of yards via low-flying helicopters; and searches via sniffing dog without probable cause.

Various other public-policy needs are pushing us in the direction of more government data collection, monitoring, and verification—the classic “your papers, please” measures that have long evoked tyranny. The desire to ensure illegal immigrants can’t work feeds the “E-Verify” data system, currently voluntary but possibly soon to be part of comprehensive immigration reform (and requiring a true national biometric ID card to achieve its goal). Border security has led to easily hackable RFID chips in our passports and warrantless searches of our computers. The desire for safety feeds such privacy-wrecking expedients as public closed-circuit TV (with local programs often funded by the federal Department of Homeland Security) and whole-body imaging scanners at airports (150 new ones being rolled out this year).

The government’s law-enforcement goals result in data collection even outside the politically controversial Patriot Act provisions. The FBI has its National Security Branch Analysis Center, which as a September 2009 Wired story reported, “maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the ‘Total Information Awareness’ system first dreamed up by the Pentagon in the days following the Sept. 11 attacks.” (The FBI also has its own telecom listening program, the Digital Collection Systems Network.) Then there’s FinCEN, which in the words of the privacy watchdog organization Privacilla, “handles more than 140 million computerized financial records compiled from 21,000 depository institutions and 200,000 nonbank financial institutions. Banks, casinos, brokerage firms and money transmitters all must file reports with FinCEN on cash transactions over $10,000. And FinCEN is the repository for ‘Suspicious Activity Reports’ which must be filed by financial institutions under the Bank Secrecy Act.” There are deadbeat-dad databases, criminal-record databases, and “secure flight” systems to check us at airports.

But the mother of all privacy violations in its potential scope is the NSA warrantless wiretapping program codified through the FISA Amendment Act of 2008. That project, as Kevin Bankston of the Electronic Frontier Foundation says, switched American surveillance from a model where investigators “picked a target and wiretapped that person” to “a wholesale model where we essentially wiretap everyone.” It’s the realization of the vision of your most paranoid friend, quite sure that every single phone call, e-mail, and website visited is marked, recorded, and examined by spooks.

That nightmare, Bankston says, “is not paranoia.” It is at the root of lawsuits against both the NSA and AT&T after a whistleblower revealed that the NSA really did have a secret room built into a major AT&T center in San Francisco to grab all its Internet traffic. While the extent of this brazen program shocked some, the principle has been built into American telecommunications law since 1994’s Communications Assistance for Law Enforcement Act, which required telecom companies to design their systems to allow government eavesdropping. And Fourth Amendment restrictions against searches and seizures don’t apply to information given freely to a third party, including any telecom system sending your messages along.

It’s hard to know how many people are harmed by such programs. In one ACLU suit against the practice, a District Court threw out the case since none of the plaintiffs could prove he had been specifically victimized—because the program is secret.

The legal and philosophical debates about privacy continue. What standards are appropriate for law-enforcement seizure of electronic communications? To what extent can we even claim property rights to information about us or by us once it’s in someone else’s hands? In a wired age of tiny and ubiquitous detection and recording devices, where all of our communications go over third-party systems, can any vestige of 20th-century notions of private life experiences truly survive?

All of these debates about principles and processes seem beside the point in the shadow of two huge structures under construction in Utah and Texas. As NSA historian James Bamford explained in the New York Review of Books in November, the Utah facility will be “a million square feet … one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined …[it will] house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital ‘pocket litter’… . the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.” Their data storage capacity will probably exceed that of every computer in the world; their legal and technical ability to snoop, data mine, and draw conclusions about all of us will be nearly unstoppable.

But the public doesn’t seem concerned enough about any of this to make a political fuss. When I asked the EFF’s Bankston if the change in administrations had made any positive impact on government policy toward privacy and surveillance, he answered quickly, “None.”  

Brian Doherty is a senior editor at Reason magazine and author of This is Burning Man, Radicals for Capitalism, and Gun Control on Trial.