15 January 2008
Word is getting out about a new plan for large-scale tapping of the Internet. The New Yorker story says
"Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the autority to examine the content of any e-mail, file transfer or Web search," author Lawrence Wright pens.There are several interesting aspects here.
"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, 'We have a saying in this business: `Privacy and security are a zero-sum game.'
First, from a legal perspective there's a difference between the government looking at e-mail and looking at Google searches. The former is governed by the Stored Communications Act (I won't go into the legal technicalities; besides, some of these are still being litigated). Reading someone's e-mail is considered an invasion of privacy, and a suitable court order is required.
Google searches, though, are considered "third party information". Under the doctrine set forth in Smith v. Maryland, 442 U.S. 735 (1979), someone who voluntarily gives information to a third party no longer has a privacy interest in it. To use the Supreme Court's own analogy, it's clear that if a librarian or research associate had been engaged to answer a question, that person could be subpoenaed, and the real target of the investigation would have no recourse. Why should the legal principles be different because Google has chosen to automate? Congress could make such access easier or harder — in United States v. Miller 425 U.S. 435 (1976), the Supreme Court upheld the government's right of access to financial records — but there are no constitutional barriers. Indeed, some would hold that the only protection of Google searches right now is the contract between Google and its users, though arguably Google could be considered a remote computing service and hence restricted by law in what they can give the government without a court order.
The next question is how such a plan would be implemented. Using wiretaps is the hard way; if you aren't targeting a particular individual, you have to sift through an immense amount of information (and discard most of it), and you lack a lot of context. This was at the heart of many of the criticisms of Carnivore. Still, there is an existing legal framework. Wiretaps can be authorized under either existing criminal law wiretap procedures or the Foreign Intelligence Surveillance Act (FISA). There are also existing laws requiring predeployment of wiretap capability, e.g., CALEA.
On the other hand, a CALEA-like law for access to search engine data — that is, a prepositioned government path to the search data — carries its own set of risks. The risks are quite similar to those posed by CALEA: this is an intentional vulnerability which can be exploited by the wrong people. (That's what happeed to the Greek cellphone network.)
Regardless of how surveillance is done, we need to understand the oversight mechanism. A search warrant, after all, is fundamentally a barrier to unrestricted police powers. Even under FISA, a court will sometimes issue warrants. Regardless of whether it's true or not that "privacy and security are a zero-sum game", there needs to be some third party — probably a court — as a check or an oversight mechanism.
There then, three issues:
- What data is being sought, from whom? This determines the applicable legal and constitutional principles to apply.
- How will the data be collected?
- What is the oversight mechanism?
Update: the New Yorker article that had the original story is now online here. Also see this Washington Post story.