Blame Congress’ Patriot Act not the NSA or FBI

When self-proclaimed whistleblower Edward Snowden disclosed a PowerPoint presentation allegedly detailing the Prism computer system[1] at the heart of a foreign data collection program, he set off a firestorm of debate over the role of clandestine electronic surveillance on individuals outside the United States and the U.S. residents who communicate with them.

In the week that has followed, some clarity has emerged. First, the Prism system is not a code name for a clandestine operation, but the name of the computer system used to collect and store the data. According to the Director of National Intelligence, that computer system operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

Section 702 provides that “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The reasonable belief focuses on the location of the target, not the threat posed by the target. Most of the other limitations emphasize that this should not be used if the purpose is to target someone inside the U.S.

Nowhere in Section 702 is there a requirement that the information is relevant to an investigation at some level – “specific articulable facts giving reason to believe,” or “reasonable suspicion.” Probable cause is likely not within the realm of possibility. The law allows and even encourages broad, general sweeping of data, which can then be analyzed for patterns and anomalies.

The Section 702 directives are the subject of quasi-judicial review. The FISA Court is comprised of 11 federal judges assigned this additional duty by the Chief Justice of the Supreme Court. This internally appointed judicial panel has operated since 1979. In that time, according to the Wall Street Journal, it has rejected 11 applications for various surveillance requests. During that time, the number of approved surveillance requests has been in excess of 33,900 or an approval rate of 99.97 percent. Without knowing anything more, it is inconceivable that any review process with over 99 percent approvals can constitute a meaningful review.

Harvard Law Professor and former U.S. District Judge Nancy Gertner highlighted the structural problem of the FISA Court.

It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national security. To suggest that there is meaningful review it seems to me is an illusion.

The problem, therefore, is not a secret or rogue NSA plot but instead a widely supported provision of the Patriot Act designed to be used precisely as the NSA has been doing. It has executive, legislative and judicial support. But because it is operated by a close-knit association, the separation of powers has proven irrelevant as a limitation on its operation.

Moreover, the Patriot Act has other sections equally potent at eavesdropping on private information. As summarized by the ACLU, FISA Section 215 “allows the FBI to order any person or entity to turn over ‘any tangible things,’ so long as the FBI ‘specif[ies]’ that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 (50 U.S.C. 1801 et seq.)

A secret NSA phone wiretapping order was also released last week highlighting the scope of metadata collection within the U.S. under Section 215.

This FISA Court order, targeting Verizon, required Verizon on an “ongoing, daily basis” to give the NSA information on all telephone metadata in its systems. Since the Section 702 orders deal with foreign data, this Section 215 court order excluded “telephony metadata for communications wholly originating and terminating in foreign countries.” The court order explains the scope of the request:

Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. [Sec.] 2510(8), or the name, address, or financial information of a subscriber or customer.

Essentially this means that all of us with Verizon phones can be tracked anywhere in the U.S., our interaction with any other parties triangulated, our First Amendment rights of Association violated, and our notion of privacy eliminated. Non-Verizon subscribers likely are subject to identical orders. There is no reason to doubt that these orders are routinely issued to track all phone and cell phone movement data.

Mary DeRosa summarizes the changes to Section 215 which led to the Verizon court order.

Previously, FISA required the FBI to present the [FISA Court] “specific articulable facts giving reason to believe” that the subject of an investigation was a “foreign power or the agent of a foreign power.” After section 215, the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

Neither the NSA nor the FBI is doing anything other than that approved by Congress. Indeed, were these departments found not to be using the authority granted by Congress, there would be outrage on Capitol Hill. Instead it is the law that has vastly over-extended the government’s reach into the movements and activities of the public, both domestic and foreign.

Moreover, the sweep of the law is growing broader by the day as more and more devices and technologies use remote communications to share information. While it might require a warrant to track a vehicle, the Internet-enabled Pandora music player, the self-adjusting oil change settings, and the many other connected technologies are not subject to that warrant requirement. The movement of such cars will be routinely swept into the FBI’s database as part of the Section 215 orders.

The FTC has initiated a review of the ever-growing “Internet of Things,” which refers to the “growing connectivity of consumer devices, such as cars, appliances, and medical devices.” Combine the power of the FBI and NSA to order metadata and tracking information on all digital data with the interconnectivity of medical devices, RFID-tagged products, installed devices on vehicles, and smart phone apps, and a digital map emerges. Like ants in an ant-farm, every person’s digital trail will be on display before the government. Increasingly sophisticated data analytics will eventually enable the path of each individual ant to be highlighted and sorted from among the swarm.

The growing connectivity that has extended the Patriot Act’s reach into more and more aspects of our daily lives requires that we revise the laws to rein in the power of government and create a meaningful, statutory right of privacy. These revelations add attention to the problem and highlight the lack of transparency over this tracking. Congress is not shocked at these revelations because they voted to create the programs and have been repeatedly briefed on their use. It is the people who have been left in the dark. Given the growth of the programs and the power of the technology they employ, it is time for a more thoughtful, balanced statutory approach.


[1] Reddit.com provided the link to the 2002 New York Times article first describing what is now the Prism computer system. See http://www.reddit.com/r/technology/comments/1g3zqz/the_roots_of_prism_a_new_york_times_article_from/.

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

 

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

 

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Two days until NKU Law Review Symposium on Law & Informatics

The Northern Kentucky Law Review will host the inaugural Law & Informatics Symposium on March 1-2, 2012, presented in association with the NKU Chase Law & Informatics. Offering cutting-edge presentations and 10.5 hours of CLE, the symposium is sure to provide an important addition to the growing understanding of the intersection between law and information systems around the globe.

Limited seating is still available. See https://supportnku.nku.edu/ChaseLII for details.

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.

General Pricing: $395  – Same Day Rush: $200

Alumni Pricing: $295   – Same Day Rush: $200

Academics & Students not affiliated with NKU: $50 – Same Day Rush: $10

So What is Law & Informatics and Why Study it in Law School?

On November 4th the NKU Chase Law & Informatics Institute held our opening reception at the beautiful, new LEED certified Griffin Hall, host to the NKU College of Informatics. Well over one hundred attorneys, business leaders, faculty and students attended, including representatives of NKU and many other Tri-State universities.

Among the presentations made by NKU President Dr. James Votruba and deans Dennis Honabach (Law) and Kevin Kirby (Informatics) was a short video directed by Informatics undergraduate student Kyle Breitenstein.

You can see the video here:

We are very grateful for the time and effort from everyone who worked on the event and attended the event.

As you watch the short video, I hope you find the answers to the questions of this post. Please let me know.

What is Law & Informatics? Visit YouTube to learn more: http://www.youtube.com/watch?v=Muk5n1aDX0k

Two great day-long informatics events – small business; open source

“Social, Mobile, Local – Technology Trends, Tools, and Strategies for Small Business Success”

Wednesday, Oct. 26 – 9:00 am-4:00 pm – Madison Event Center in Covington

The NKU Small Business Development Center and NKU Chase Law & Informatics Institute are co-sponsoring a technology conference for small businesses. The conference: Social, Mobile, Local – Technology Trends, Tools and Strategies for Small Business Success, is Wednesday, Oct. 26, from 9 a.m. to 4 p.m. at the Madison Event Center in Covington. If you own a small business or work with one as a service provider, you will find the program relevant and practical. Learn more at http://somolonky.eventbrite.com.

The day-long conference is designed to provide valuable information to small businesses and those who support entrepreneurship in three categories: (1) entities interested in using / maximizing the value of their social media efforts in marketing, relationship building, and sales generation; (2) businesses who want to learn more about the newer, low cost ‘cloud computing’ tools, software, and functional capabilities to improve and expand the efficiency and productivity of their internal processes; and (3) organizations who want to be better informed about the role of intellectual property protection as it relates to their products, services, marketing materials, and business practices.

CincyIP 3rd Annual Symposium, Open Source & Security Cubed:  Dispelling the Myths

Thursday, Oct. 27 – 7:45am-4:30pm – The METS Center, 3861 Olympic Blvd., Erlanger

Full information available online.

The program will feature topics on Open Source Compliance, 3D licensing strategy, supply chain issues, M & A topics, the intersection of IP and open source security and other topics.

The use of open source software continues to grow on a daily basis. Today, enterprise applications contain 40% to 70% open source code and this fact has legal, development, IT security, risk management and compliance organizations focusing their attention on its use, as never before. They increasingly understand that the open source content within an application must be detected. Once uncovered, decisions regarding compliance with intellectual property licensing obligations must be made and known security vulnerabilities must be remediated. It is no longer sufficient from a risk perspective to not address both open source issues.

I will be at both programs and hope to see you there.

Supreme Court to Visit Role of GPS Tracking for Warrantless Searches

In the upcoming Supreme Court docket, one of the most significant decisions will involve the role of judicial oversight in the use of GPS tracking devices. Specifically, in U.S. v. Jones, 131 S. Ct. 3064 (2011) the Court will decide “[w]hether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”

Defendant Antoine Jones was convicted of conspiracy to sell cocaine based, in part, on the use of a GPS tracking device placed on his car. The police then monitored Jones’ movements for a month. The D.C. Circuit reversed the conviction on the basis of the warrantless GPS tracking.

Jones argued the use of the GPS device violated his “reasonable expectation of privacy,” U.S. v. Katz, 389 U.S. 347, 360–61 (1967) (Harlan, J., concurring). The Katz test focuses on “whether the individual has an expectation of privacy that society is prepared to recognize as reasonable.” The judiciary provides a normative interpretation of society to determine how best to extend the obligation for warrants to situations that arise because of new technologies and new social circumstances.

Here, the Circuit Court was concerned about the 24/7 surveillance afforded to the police through the GPS tracking device. It found the constant surveillance to be different in type than the mere placing of a beeper used to follow a particular vehicle a single time, as was the case in U.S. v. Knotts, 460 U.S. 276 (1983).

Knotts is often quoted for the proposition that “[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.” Knotts, 460 U.S. at 281. But the DC Circuit rejected the analogy to tracking automobiles in public, instead choosing to analogize to the pervasiveness of an ongoing, permanent surveillance.

Other appellate courts had less concern about the GPS devices.

In U.S. v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010) the Ninth Circuit upheld the use of devices when used on seven different occasions. The case did not address the length of any particular tracking episode, but instead found that the undercarriage of a car was not an area with a protected zone of privacy and neither was the place where the device was affixed – in parking lots, streets, and the defendant’s driveway. The Eighth Circuit has suggested a similar outcome. U.S. v. Marquez, 605 F.3d 604 (8th Cir. 2010).

Similarly, in U.S. v. Garcia, 474 F.3d 994 (7th Cir. 2007), the court found the use of such devices unobjectionable. Judge Posner focused on the challenge of extending the law of Fourth Amendment Privacy by analogy:

If a listening device is attached to a person’s phone, or to the phone line outside the premises on which the phone is located, and phone conversations are recorded, there is a search (and it is irrelevant that there is a trespass in the first case but not the second), and a warrant is required. But if police follow a car around, or observe its route by means of cameras mounted on lampposts or of satellite imaging as in Google Earth, there is no search. Well, but the tracking in this case was by satellite. Instead of transmitting images, the satellite transmitted geophysical coordinates. The only difference is that in the imaging case nothing touches the vehicle, while in the case at hand the tracking device does. But it is a distinction without any practical difference.

U.S. v. Garcia, 474 F.3d at 997. Looking at the conduct rather than the technology, Judge Posner stated “[t]he substitute here is for an activity, namely following a car on a public street, that is unequivocally not a search within the meaning of the amendment.”

This analogy was rejected by the D.C. Circuit. There the opinion emphasized the practical limitations. “Continuous human surveillance for a week would require all the time and expense of several police officers, while comparable photographic surveillance would require a net of video cameras so dense and so widespread as to catch a person’s every movement, plus the manpower to piece the photographs together.” At the same time, however, the court recognized the disappearance of technological barriers to tracking, noting that “the marginal cost of an additional day — or week, or month — of GPS monitoring is effectively zero. Nor, apparently, is the fixed cost of installing a GPS device significant; the Los Angeles Police Department can now affix a GPS device to a passing car simply by launching a GPS-enabled dart.”

The opinions have all avoided the next question – whether similar tracking using satellites and public cameras to pervasively track a vehicle or a person in public constitutes a search.

In November, the oral arguments before the Supreme Court will provide an indication of the direction the Court is leaning. The Court did not grant certiorari for those cases upholding the searches as lawful, but that is not a particularly strong indicator. On the other hand, a decision that this particular technology requires a search warrant merely begs the question for RFID chip readers, tracking data in toll-paying devices, tracking data stored in cell phones, and tracing movement using facial recognition software on cameras installed in public places.

The ironic result of decisions invoking Katz is that the Court does not have the ability to learn what the public’s expectation of privacy is nearly as much as it has the power to inform the public what expectation of privacy it now should have.

Hopefully, the Court will move beyond the discussion of how the GPS device was attached to the car to focus on the question of pervasive tracking of citizens by the police. To analogize from the beeper in Knotts is unhelpful. Instead the Court should – and likely will – return to the first principles of Katz regarding the public’s reasonable expectation of privacy.

Undoubtedly technology will only make it easier to track individuals and record their behavior. The Court’s decision will set the agenda for discussion of privacy policy and inevitably shape the norms for our privacy expectations.

Upcoming Discussion of Disruptive Innovation

This week I will be presenting my newest paper, Mortgaging the Meme: Lessons for Financing Disruptive Innovation, which is available for free download from my SSRN page. (SSRN is the Social Science Research Network – a very useful database of scholarly articles from a number of disciplines.)

The presentation is being previewed at the University of Dayton Law School and presented at the International Business Law Conference in London. I thought I’d share my abstract and hope you take the time to review the paper. I look forward to any comments you might have.

Disruptive innovation can be described as the introduction of a new conceptual idea or meme into an existing system that causes the system to be fundamentally altered. Assembly lines, air conditioning, digital film, and personal computers represent such innovations, all of which led to fundamental paradigm shifts.

The convergence of globalization, a networked economy, and digital technologies has made disruptive innovation a threat in almost every industry. Changes to publishing, music, and television distribution – along with the rise of social media – highlight this transformation, but they are not alone; manufacturing, retail, payment systems, transportation and other industries are struggling with volatile upheaval caused by such change.

Disruptive innovation, however, follows predictable patterns. Investors can anticipate these shifts if their financial transactions are properly structured and effectively documented. The model requires a holistic intellectual property approach which looks beyond just patents. It must explicitly incorporate the underlying meme, and it must account for the inflection points in the transformation pattern. Utilizing this model, inventors, private equity investment structures and established firms can maximize value and promote innovation.

This article provides an overview of disruptive innovation from examples of the past decade, identifies the underlying patterns of change common to disruptive innovation, highlights strategies to mitigate disruption for existing industry, and addresses the intellectual property securitization aspects to structure effective deals for both the investors and innovators.

Get the article at http://ssrn.com/abstract=1929530.