I've Been Mugged Blog

During a speech recently in San Francisco at the American Bar Association's annual conference, Federal Bureau of Investigation (FBI) Director James Comey suggested a national discussion about encryption versus safety. Comey said that during the past 10 months, the FBI was able to access only 650 of 5,000 electronic devices. And, the agency's inability to access devices will get worse as more people use encryption. So, United States citizens should discuss and decide what balance is desired between privacy and law enforcement's ability to access devices.

I agree. That is a valuable conversation that needs to happen. It should happen. So far, the discussion has been sporadic; promptly largely by disclosures in 2013 about a secret court order allowing NSA spy programs on U.S. citizens by former National Security Agency (NSA) contractor Edward Snowden. In June, the Electronic Frontier Foundation (EFF) concluded:

"The Snowden leaks caused a sea change in the policy landscape related to surveillance. EFF worked with dozens of coalition partners across the political spectrum to pass the USA Freedom Act, the first piece of legislation to rein in NSA spying in over thirty years—a bill that would have been unthinkable without the Snowden leaks. They also set the stage for a major showdown in Congress over Section 702 of the FISA Amendments Act, the controversial section of law set to expire in 2017 that the government claims authorizes much of the NSA’s Internet surveillance... Perhaps most importantly, the Snowden leaks published over the last three years have helped to realign a broken relationship between the intelligence community and the public. Whistleblowers often serve as a last-resort failsafe when there are no other methods of bringing accountability to secretive processes. The Snowden leaks have helped illuminate how the NSA was operating outside the law with near impunity, and this in turn drove an international conversation about the dangers of near-omniscient surveillance of our digital communications."

However, the situation is far from resolved. Many surveillance programs still operate.

Moreover, who will participate in the discussion -- lawyers or the general population? Director Comey's suggestion was to a room full of lawyers. Plenty of non-lawyers are interested in this discussion.

After the initial Snowden disclosures, a mentor reminded me: "you just can't run away from the Fourth Amendment." Persons and companies need to be able to protect their personal and intellectual property. So, an expectation of privacy is reasonable and necessary. There are plenty of benefits to privacy, so the erosion of these rights by surveillance programs is not a good thing.

You may be surprised to know that the encryption-versus-safety conversation has already begun. An essay in April in the Yale law Journal by Robert S. Litt, the General Counsel for the Office of the Director of National Intelligence, stated:

"First, I am not proposing a comprehensive theory of Fourth Amendment law. Rather, I want to offer some tentative observations that might be explored in shaping a productive response to the challenges that modern technology creates for existing legal doctrine. In particular, I would like to suggest that the concept of “reasonable expectation of privacy” as a kind of gatekeeper for Fourth Amendment analysis should be revisited.

Second, these thoughts are not informed by deep research into the intent of the Framers, or close analysis of case law or academic scholarship. Rather, they derive from almost forty years of experience in law enforcement and intelligence... I find it hard to understand the alchemy by which information that you choose to disclose to a third party develops an expectation of privacy because you have chosen to disclose a lot of that information. That seems counter-intuitive to say the least..."

"... I suggest that—at least in the context of government acquisition of digital data—we should think about eliminating the separate inquiry into whether there was a “reasonable expectation of privacy” as a gatekeeper for Fourth Amendment analysis. In an era in which huge amounts of data are flowing across the Internet; in which people expose previously unimagined quantities and kinds of information through social media; in which private companies monetize information derived from search requests and GPS location; and in which our cars, dishwashers, and even light bulbs are connected to the Internet, trying to parse out the information in which we do and do not have a reasonable expectation of privacy strikes me as a difficult and sterile task of line-drawing. Rather, we should simply accept that any acquisition of digital information by the Government implicates Fourth Amendment interests...."

"... I agree with those who criticize the broad proposition that any information that is disclosed to third parties is outside the protection of the Fourth Amendment. Courts can appropriately take into account whether information is content or non-content information, whether it is publicly disclosed through social media or is stored in the equivalent of the cloud, or whether its exposure is “voluntary” only in the most technical sense because of the demands of modern technology. But we should not be viewing this analysis of privacy interests as an on/off switch to determine whether or not the Fourth Amendment applies, as today’s third-party doctrine does, but as more of a rheostat to identify the degree of protection that would ensure that the collection and use of that data is reasonable. So the flip-side of my argument is that even where there is a substantial privacy interest in digital data, we should not default immediately to the rule that a warrant is required unless we can fit the collection of such data into one of the twentieth-century exceptions to the warrant requirement..."

I have attempted to highlight relevant sections, but you should read Litt's entire analysis. Cindy Cohn, the Executive Director of the EFF, wrote a rebuttal in July:

"... Mr. Litt makes two initial statements with which I agree. First, he notes that the “reasonable expectation of privacy” test currently employed in Fourth Amendment jurisprudence is a poor test for the digital age. Second, he states that the “third-party doctrine”—under which an individual who voluntarily provides information to a third party loses any reasonable expectation of privacy in that information—should not be an on-off switch for the Fourth Amendment... From there, however, our paths diverge quite sharply.

Mr. Litt argues that since the “reasonable expectation of privacy” formulation is not well suited to digital surveillance, it should simply be eliminated. This would leave a “reasonableness” balancing test to carry the entire weight of the Fourth Amendment’s protection against governmental intrusions. He says that a court in each case should balance the “actual harm” suffered by the individual affected by the surveillance with the governmental interests in conducting the surveillance. This argument throws the baby out with the bathwater. By abandoning the “reasonable expectation of privacy” standard without a suitable replacement, Mr. Litt also implicitly suggests abandoning the foundational constitutional protection against general warrants, as well as the rule that a warrantless search of someone with a reasonable expectation of privacy is per se unconstitutional unless an exception applies..."

"Under current doctrine, since Americans have a reasonable expectation of privacy in the content of their communications, full-content searching is per se unconstitutional unless an exception to the warrant requirement applies. None does. In order to prevail, therefore, the government must convince the Supreme Court to read a broad national security “special needs” exception into the Fourth Amendment authorizing mass, suspicionless seizure and full-content searches of millions of nonsuspect Americans’ most private international and domestic communications. That is a tall order... Such a large implied exception does not readily align with history: the Fourth Amendment contains no national security exception, even though it was adopted in the shadow of the Revolutionary War. Further, the Fourth Amendment was expressly intended to prevent general warrants. The FISA Court of Review—where the government alone presents its case and the arguments and decisions are kept secret—has recognized some form of a national security exception..."

"Moreover, Mr. Litt’s balancing test is unbalanced at its inception. According to his argument, courts can only evaluate the “actual harm” to a single person from mass surveillance because his reformulation retains the caselaw holding that Fourth Amendment rights are personal and cannot be asserted vicariously.20 Meanwhile, Mr. Litt’s formulation would allow the government to present its interest broadly without also showing “actual” increased safety of Americans as a result of the surveillance, much less the individual safety of the plaintiff."

"More importantly, Mr. Litt’s central claim is that there can be no actual harm when a person’s communications are seized by the government and searched, even with content searching, as long as computers but not humans conduct the search. He says that communications are “unseen and unknown” until they turn up in search results that are shown to a human... This argument—what I call the “human-eyes” theory of the Fourth Amendment—is where we most seriously disagree. Mr. Litt’s “human-eyes” theory would effectively authorize a surveillance state in which a person’s every action and interaction could be technologically monitored and algorithmically analyzed without violating the Fourth Amendment..."

Again, I have tried to highlight relevant section, but you should read all of Cohn's rebuttal and her summary. This is important stuff. People are thinking about how to modify the FOurth Amendment of the U.S. Constitution.

Both essays are a good start with the encryption-versus-safety discussion, but the discussion seems focused upon attorneys. Both essays appeared in a legal journal and Director Comey's speech was to a room full of attorneys. One should not have to be an attorney to understand things. Any legislation resulting from the discussions would affect all citizens. So, the discussion needs to be more inclusive. It needs to happen in a way that engages the broader population.

Major newspapers have a role in making this happen. Politicians have a responsibility, too. Senator Ron Wyden (Democrat- Oregon) has been one of too few lone voices warning citizens. More politicians need to step up their game, or get out of the way for ones willing to do so.

What are your opinions of the encryption versus safety discussion? Of the essays by Litt and Cohn?