Americans’ right to privacy is under unprecedented siege as a result of a perfect storm: a technological revolution; the government’s creation of a post-9/11 surveillance society in which the long-standing “wall” between surveillance for law enforcement purposes and for intelligence gathering has been dismantled; and the failure of U.S. laws, oversight mechanisms, and judicial doctrines to keep pace with these developments. As a result, the most sweeping and technologically advanced surveillance programs ever instituted in this country have operated not within the rule of law, subject to judicial review and political accountability, but outside of it, subject only to voluntary limitations and political expedience.
This article briefly describes how new technology that promises to deliver ease and connectivity also permits mass government surveillance and data mining. It then explores how a structural failure—of the nation’s system of checks and balances—has permitted the erosion of Americans’ privacy rights.
In the ordinary course of constitutional decision making, Congress enacts law, the executive implements it, and the judiciary reviews the actions of both. The power of each branch is constrained by the oversight of the others. In the national security surveillance area, however, that system of intertwined oversight has failed. The executive routinely acts outside of the law, as its own reports confirm; Congress fails to curb those violations and even ratifies them with ever-more-expansive authorizations and after-the-fact immunity; and the judiciary for the most part has refused to say what the law is, instead dismissing the most significant challenges to surveillance on procedural grounds.
Today, technological innovations have made it easier—and even necessary—for Americans to conduct their lives electronically. More and more Americans communicate, in their private and professional lives, through the Internet by e-mail, social-networking sites, messaging services, and the like. Banking, making doctors’ appointments, shopping, and even dating are all increasingly taking place online. Not only are Americans conducting their lives online, but they are also storing their communications and transactions there. This is in part because, in addition to providing services on which Americans depend, telecommunications providers and commercial enterprises have developed a new business model that relies on the collection and storage of vast amounts of information about their customers.
The most popular e-mail services allow users to store many gigabytes of information—the equivalent of hundreds of thousands of messages containing users’ most intimate conversations and thoughts—without cost on servers. Financial and medical information is also increasingly archived online for the convenience of users and administrators alike. These records can aggregate years of an individual’s sensitive financial statements and medical diagnoses. The result of this digitization of people’s personal and professional lives has been the migration of their papers and effects from the home and the workplace to third-party servers and hard drives. With the many benefits of technology come significant privacy risks. As discussed below, the digitization and storage of information by third parties has had enormous consequences for the privacy of this information.
These technological advances, combined with popular and governmental anxiety about terrorism and other transnational crime, have led to the rise of a massive and secret surveillance-industrial complex—part of what the Washington Post has called the “alternative geography of the United States.” This alternative geography encompasses what Professors Jack Balkin and Sandy Levinson term the “national surveillance state”: the proliferation of government technology and bureaucracies that are able to acquire vast and detailed amounts of digital information about individuals with minimal or no judicial supervision and often in complete secrecy. The U.S. government has the capability to single out any American and track his or her movements, purchases, reading habits, and sometimes even private conversations. And it is already using this power.
Through arrangements with telecommunications providers, for example, the government can determine an individual’s location based on cellular phone signals. In 2009, an employee of a major mobile communications company, Sprint, revealed that the company had received so many governmental requests for location information—reportedly more than 8 million times in a one-year period—that it eventually allowed the government direct access to its customers’ locations through a web-based interface, without informing customers.
Location data are sometimes sought under questionable circumstances that highlight the potential for abuse. For example, in 2008, the Federal Bureau of Investigation (FBI) sought and received (without a warrant) location-tracking information not just for a robbery suspect, but for 180 other innocent people in a dragnet scheme to see if they were involved in the crime. The result of the national surveillance state is the proliferation of overbroad watch lists, dragnet surveillance programs, and extensive data-mining schemes.
Outdated and Overly Permissive Laws
The erosion of Americans’ privacy rights under the national surveillance state has occurred in part because U.S. laws have not kept pace with technology. The main statutory protection for the privacy of communications, the Electronic Communications Privacy Act (ECPA), was written in 1986, before the advent of the Internet as it is known today, and there is a large gap between ECPA’s language and protections and today’s technology. E-mail exemplifies that gap. In 1986, e-mail was typically downloaded to a recipient’s computer upon receipt and immediately deleted from the e-mail provider’s storage. ECPA was written with this behavior in mind: It requires a search warrant to retrieve a message from an e-mail provider’s storage only if the message is less than 180 days old and provides for lower standards if the e-mail is left on the server for more than 180 days. Today, however, e-mail is often both stored on and accessed from remote servers belonging to the e-mail provider, and many people “archive” their e-mail on their provider’s server rather than deleting old messages. Basing legal protection on how long an e-mail has been stored, as ECPA does, is inconsistent with the way Americans use e-mail today.
Outdated digital privacy law is not only a threat to individual privacy, but it also fails to protect adequately against government abuse. For example, both the Fourth Amendment and a domestic wiretapping statute provide for an exclusionary remedy: If a law enforcement official obtains information in violation of a defendant’s constitutional privacy rights or the statute, that information usually cannot be used in court. The same rule, however, does not apply to electronic information obtained in violation of ECPA. Without an exclusionary rule, there is little deterrence against government overreaching.
Privacy rights also have been eroded because, in the wake of 9/11, Congress dismantled the “wall” between government surveillance for domestic law enforcement purposes and surveillance activities for foreign-intelligence gathering. Domestic law enforcement surveillance requires familiar constitutional standards to be met. Before the government can conduct surveillance, for example under ECPA, it has to show probable cause based on individualized suspicion and obtain a warrant from a court. Foreign-intelligence-gathering standards are more lax. Under the Foreign Intelligence Surveillance Act (FISA), the government need not show suspicion of wrongdoing, and it can conduct electronic and covert searches domestically if the target of these searches is “foreign-intelligence information” from a foreign power or an agent of a foreign power. Unlike under ECPA, FISA surveillance orders are obtained from a secret court, the Foreign Intelligence Surveillance Court (FISC), and need not ever be made public.
FISA was enacted in 1978, after two congressional investigations, the Church and Pike Committees, found that the executive branch had consistently abused its power and conducted domestic electronic surveillance unilaterally and against journalists, civil rights activists, and members of Congress (among others) in the name of national security. Mindful of these abuses, Congress originally strictly limited FISA’s scope so that it could only be used if “the primary purpose” of government surveillance of Americans was foreign-intelligence gathering. After 9/11, however, Congress passed the USA PATRIOT Act, which amended FISA and significantly weakened this limitation. Now the government needs only to show that “a significant purpose” of domestic surveillance is to gather foreign intelligence, dismantling the wall that has historically safeguarded Americans from the reduced constitutional protection applicable in foreign-intelligence investigations.
In 2008, Congress amended FISA again to create what is now the government’s most sweeping surveillance authority, the FISA Amendments Act. Enacted to replace the warrantless domestic wiretapping program that President George W. Bush put in place shortly after 9/11, the FISA Amendments Act expands the government’s authority to monitor Americans’ international communications. On its face, the act is concerned with surveillance targeted at non-U.S. persons overseas, but one effect of the statute is to allow the government to conduct programmatic or dragnet surveillance of Americans’ calls or e-mails as long as one end of the communication is outside the United States. Judicial oversight of the surveillance is minimal. The government must implement targeting and other procedures to reduce the likelihood that purely domestic communications will be swept up in the surveillance, but the government need not identify to any court the actual people to be surveilled or the facilities to be monitored.
Various provisions of the USA PATRIOT Act supplement the FISA Amendments Act’s putatively international authority with greater domestic spying power. Section 215 of the USA PATRIOT Act, for example, allows the government to seek an order from the FISC requiring any person in the United States to disclose to the government “any tangible thing” relevant to an investigation conducted against international terrorism or clandestine intelligence activities. Recipients of section 215 orders are generally prohibited from revealing the fact of government surveillance. Section 206 of the USA PATRIOT Act authorizes “roving wiretaps” of individuals in certain situations, allowing the government to spy on that individual without identifying to any court either the targeted individual or the communication devices to be tapped. Perhaps the most permissive of the government’s domestic national-security surveillance tools are national security letters (NSLs). NSLs are authorized by four separate statutes, each of which was expanded by section 505 of the USA PATRIOT Act. One of the statutes, 18 U.S.C. § 2709, requires wire or electronic communication service providers to hand over subscriber information, billing records, and “electronic communication transactional records” if the government certifies—without any judicial review—that the records are relevant to an investigation to protect against international terrorism or clandestine intelligence activities. The statute allows the government to impose a gag on the service providers to prevent the targeted subscribers from learning of the surveillance.
Government Violations of Law
The government has repeatedly violated even the most lenient restrictions imposed by Congress. News reports in 2009 revealed, for example, that the National Security Agency (NSA) had inadvertently misused the FISA Amendments Act to target groups of Americans and collect their purely domestic communications. That unofficial report has since been confirmed by official government disclosures. In November 2010, in response to a Freedom of Information Act (FOIA) request by the American Civil Liberties Union (ACLU), the government produced several semiannual reports on its compliance with the FISA Amendments Act. Every one of the reports states that “compliance incidents continue to occur.” The precise nature of the violations is redacted, but the declassified text suggests that the NSA has improperly targeted, retained, or disseminated the communications of Americans or U.S. residents.
Even more is now known about the government’s misuse of NSLs. A series of reports from the Department of Justice (DOJ) confirms the rapidly increasing reliance by the government on these tools and its disturbingly frequent violation of even the minimal limits imposed by them. In 2007, the DOJ’s inspector general released an audit covering the FBI’s use of NSLs from 2003 to 2005. The report is eye-opening. Between 2003 and 2005, the FBI severely under-reported its use of NSLs; agents repeatedly ignored or confused the requirements of the various NSL statutes; the FBI used NSLs to collect information about individuals two or three times removed from the actual subjects of FBI investigations; FBI supervisors issued hundreds of unlawful requests that relied on false claims of emergency; and, perhaps most alarmingly, 22 percent of the files audited by the inspector general contained unreported legal violations.
In 2008, the inspector general released another audit, documenting the use of NSLs in 2006. The report tells a similar story, identifying many of the same problems uncovered by the earlier reports and disclosing that, during the four-year period from 2003 to 2006, the FBI issued 192,499 NSL requests. The report also reveals that high-level FBI officials improperly issued eleven “blanket NSLs” seeking data on 3,860 telephone numbers.
A report on section 215 orders, released at the same time, describes a particularly disquieting use of NSLs. Unlike NSLs, section 215 applications are subject to judicial review by the FISC. In at least two instances in 2006, the FISC denied section 215 applications, finding that the facts were too “thin” and that the applications implicated First Amendment rights. In response, the FBI simply used NSLs to obtain the same information without judicial review. Astonishingly, the FBI’s general counsel did not review the underlying investigation in response to the FISC’s order. According to the DOJ inspector general, “[s]he said she disagreed with the court and nothing in the court’s ruling altered her belief that the investigation was appropriate.”
Despite these disclosures, there is disappointingly little appetite in Congress for increased oversight of domestic government surveillance, let alone the restoration of the safeguards that prohibit the government from collecting Americans’ communications, international or domestic, without probable cause and a warrant.
Lagging Judicial Doctrinal Development and Lack of Judicial Review and Transparency
Another key reason for the pervasiveness and invasiveness of national-security surveillance is a doctrinal one. Quite simply, constitutional law has not kept up with the times. For example, a familiar canon of Fourth Amendment jurisprudence holds that individuals possess no reasonable expectation of privacy in their “papers and effects” once transmitted to third parties. As described above, most telecommunications are now stored on third parties’ servers, and the government has relied on outdated precedent to argue that it need not acquire a warrant based upon probable cause to read the contents of an individual’s e-mails stored online because those e-mails are in the physical possession (i.e., on the servers) of the e-mail service provider. If ultimately upheld by the Supreme Court, this theory would expose virtually all online communication to interception without judicial oversight, transforming the promise of instantaneous communication and connectivity into an instrument of ubiquitous surveillance.
A second doctrinal problem arises from the deeply problematic intersection between secrecy and the doctrine of standing, which has effectively insulated most of the government’s surveillance activities from meaningful judicial review. For years, the government has advocated, and the courts have endorsed (save in one decision, now on appeal), a restrictive theory of standing in the surveillance context, requiring would-be challengers of government surveillance programs to demonstrate that the government has actually intercepted their communications. Unsurprisingly, the government has consistently refused to identify the subjects of its surveillance. It has maintained this secrecy in various ways: by invoking the state-secrets privilege, by imposing gags on recipients of NSLs and other requests, by prosecuting or threatening to prosecute whistleblowers, and by rebuffing FOIA requests for records describing even the policy-level generalities of surveillance programs, under both presidents Bush and Obama.
Recently, in fact, in response to one ACLU FOIA request, the government refused to release the names of the telecommunications companies participating—as required by statute—in surveillance under the FISA Amendments Act. The government provided an unexpectedly honest explanation for its refusal: If the public knew which companies participated in the surveillance, customers would sue the companies, and the companies would sue the government. The upshot of the intersection between secrecy and standing is that the most significant expansion of government surveillance in the nation’s history is occurring with little meaningful judicial oversight.
Erosion of Checks and Balances
President Bush’s warrantless wiretapping program, which operated in direct violation of FISA, provides a perfect example of how executive violation of law and excessive secrecy, congressional ratification, and judicial hesitance have effectively circumvented the institutional checks that normally curb executive overreaching. The warrantless wiretapping program was justified by approximately a dozen memos issued by the DOJ’s Office of Legal Counsel, which purported to supply the legal basis for the government’s warrantless wiretapping program. These memos remain secret (most information about the Obama administration’s interpretation of its authority under the FISA Amendments Act is similarly suppressed).
After revelation of the program in 2005, the ACLU filed suit on behalf of lawyers, journalists, and human rights activists who feared, on the basis of the nature of their work and communications, that their communications had been targeted by or swept up in the NSA’s warrantless wiretapping. The district court ruled for the plaintiffs, but the Sixth Circuit ultimately dismissed the suit for lack of standing, and the Supreme Court denied the plaintiffs’ petition for further review. Rather than put an end to such warrantless wiretapping after its revelation, Congress enacted the FISA Amendments Act, which, as described above, codified a warrantless wiretapping program even more expansive than the president’s. No one has been charged under the provisions of FISA that criminalize precisely the sort of wiretapping that the NSA engaged in, and the government continues today to suppress many of the key legal memoranda the Bush administration relied upon to justify its program. (The ACLU has, more recently, challenged the government’s expanded authorities under the FISA Amendments Act. A unanimous panel of the Second Circuit held that the plaintiffs in the suit have standing and may proceed to challenge the facial constitutionality of the statute. The government has petitioned for rehearing of the panel’s decision by the full Second Circuit.)
The Way Forward
The way forward is clear. For a system of checks and balances to function, meaningful transparency and accountability are necessary. Congress must reform and update the laws governing the government’s access to and surveillance of Americans’ electronic communications and transactions in order to ensure privacy rights are protected. It should restore statutory protections that prohibit the government from collecting Americans’ communications without probable cause and a warrant. And it must exercise meaningful oversight to ensure that the executive branch stays within the limits established by the Constitution and federal laws.
The executive branch in turn must prohibit the NSA from collecting the domestic and international communications of Americans without a warrant based upon probable cause, and it must limit and regulate all intelligence community activities to fully protect Americans’ privacy and civil liberties. It also must publicly disclose the broad contours of the authority it claims to intercept Americans’ communications in the national-security context and the legal rationale underlying that authority. If the United States is truly committed to a system of checks and balances, the public must know enough about the government’s sweeping intelligence authorities to evaluate their wisdom, effectiveness, and legality.
Finally, courts must assume a more direct role in overseeing government surveillance. They must not adopt theories of standing that effectively immunize surveillance from judicial review. The purpose of the standing doctrine has always been to ensure that courts adjudicate the right cases, not to prevent courts ever from adjudicating the lawfulness of executive action.
With these changes, it may be possible to subject executive surveillance to the structural restrictions so important to the U.S. system of checks and balances. Without them, the United States risks even more expansive surveillance powers, the continued contraction of Americans’ right to privacy, and the diminishment of the rights privacy protects: the ability to learn, create, speak, dissent, exchange ideas, and engage in political activity without the chilling fear of government oversight and intrusion.
Hina Shamsi is director of the American Civil Liberties Union’s National Security Project and Alex Abdo is a staff attorney with the National Security Project.
In writing this article, the authors benefitted greatly from the articles, legal briefs, and other writings of their colleagues in the ACLU’s Speech, Privacy, and Technology Project, National Security Project, and Washington Legislative Office.