Habeas Data_Privacy vs. The Rise of Surveillance Tech
Page 30
* * *
As the June 1, 2017, meeting was called to order, and no one in the audience wanted to speak, Hofer quipped, “We may see the second half of the Warriors tonight,” referring to the underway Game 1 of the NBA Finals.
On this particular night, the PAC first discussed a proposed city law: Non-Cooperation with Identity-Based Registry Ordinance/Internment Ordinance. The bill addressed the city’s efforts to not assist in “any government program that creates or compiles a List, Database, or Registry of individuals on the basis of religious affiliation, kinship, belief, or practice; national origin; or ethnicity.”
There was a brief exchange between the commissioners about what immigration information the OPD keeps.
Timothy Birch, the non-voting police liaison to the PAC (and himself a former police officer in nearby Daly City), reminded his colleagues that he had initially told them that the OPD does not retain any immigration data. However, seated at one end of the U-shaped table in a suit and tie, Birch was now revising his statement, to elaborate that it did retain that information, but only in situations where people were reporting incidents of human trafficking and may have U or T visas. (Those federal immigration visas are reserved for victims of certain crimes who are helpful to law enforcement or are testifying against human traffickers, respectively.) But, he assured the commissioners, the data was only accessible to around 12 OPD employees.
“This is one of those times when I’m actually glad that OPD doesn’t have the systems that people wish it had,” he said. “It is literally inaccessible outside of a computer that we have.”
Earlier that day, the OPD had published a new public policy on this exact topic.
“We are not the immigration police,” Birch tried to reassure the commissioners.
Birch’s city counterpart is Joe DeVries, a career city employee who began working as a city council legislative aide two decades earlier. DeVries, who was named as the city’s first chief privacy officer in late 2017, is the non-voting liaison for the city government.
After some back-and-forth, the commission moved on to a discussion of how certain OPD databases are shared with various outside agencies and how that impacts Oakland’s immigration stance. A printed packet circulated amongst the commissioners listed 20 such databases, ranging from LPR data to CRIMS and ARIES, a county-wide and regional criminal database, respectively.
The rest of the meeting revolved around Hofer’s proposal to terminate an agreement between Immigration and Customs Enforcement (ICE) and OPD in the name of promoting Oakland’s sanctuary city policy. As a committee, its recommendations must be formally adopted by the city council to take effect. Of course, the PAC can only influence what Oakland itself does. It has no control over the Alameda County Sheriff’s Office, the California Highway Patrol, the FBI, ICE, Drug Enforcement Administration (DEA), DHS, or any other federal agency. The meeting adjourned until the following month. Most often, the affected city agencies are notified by Birch or DeVries, and sometimes are invited to speak directly before the PAC.
As of late 2017, the PAC’s most comprehensive policy success has been its stingray policy. Since the passage of the California Electronic Communications Privacy Act (CalECPA), California law enforcement agencies must, in nearly all cases, obtain a warrant before using them. But the OPD must now go a few steps further: as of February 2017, stingrays can only be approved by the chief of police or the assistant chief of police. (In an emergency situation, a lieutenant or above must approve.) In either case, each use must be logged, with the name of the user, the reason, and results of each use. In addition, the OPD must provide an annual report that describes those uses, violations of policy (alleged or confirmed), and must describe the “effectiveness of the technology in assisting in investigations based on data collected.”
CHAPTER ELEVEN
Who Watches the Watchers?
Quis custodiet ipsos custodes?
—JUVENAL
From Katz v. United States to Riley v. California, each of these cases has a common theme: law enforcement’s actions would have been allowed if they had simply sought a warrant. Had FBI special agents tried to get a warrant to go after Charlie Katz in that Los Angeles phone booth in 1965, they probably would have gotten one. Decades later, had the Oregon National Guardsman worked with the federal prosecutor to seek a warrant, Danny Kyllo might—even now—be behind bars. It’s rare that law enforcement is turned down by a judge when they are able to present probable cause of a crime. This is, after all, one of the workaday functions of federal magistrate judges, and of local county judges. In each of those cases, warrants were not sought, and yet law enforcement used its authority to make novel legal interpretations, and employ new surreptitious technologies, be they hidden microphones or infrared cameras.
For now, Fourth Amendment legal analysis primarily turns on two crucial words in the actual text of the Bill of Rights: “searches” and “unreasonable.” For the last half century, there has been an entirely new understanding of what is and isn’t a search. If there is no search, then generally the action is presumed to be legal. Law enforcement can wantonly drive police cars and indiscriminately scan license plates, as it’s not considered a search. Same goes for allowing a “TiVo-in-the-sky” to capture days’ worth of human activity down below.
Without a legislative body or a judge to step in, it seems inevitable that these actions will continue to expand through pervasive monitoring, advanced facial recognition, DNA, biochemical analysis, constant location capture via autonomous vehicles, and more.
Today, so long as the search remains “reasonable” and doesn’t conflict with an “expectation” that “society is prepared to recognize as reasonable,” then law enforcement behavior is permitted. Or, to put it in e-mail spam terms, Fourth Amendment law is basically a blacklist: police actions are generally permitted unless they run into conditions that tell them to stop, such as conducting a physical search of “persons, houses, papers, and effects,” which requires a specific warrant.
From the writing of the Constitution up until the 1928 Olmstead decision, searches were largely limited to the physical property realm anyway. Then, by the time Katz came along, this nebulous notion of “privacy” began to be kicked around, which, according to Justice Antonin Scalia, added to the historic property analysis. But what if our understanding of the Fourth Amendment has been wrong for the last century? What if what the Fourth Amendment is really about isn’t property, or even privacy: perhaps it’s really about limiting the government’s power.
In 1972, just five years after the Katz decision, a 36-year-old Stanford Law professor named Anthony Amsterdam convinced the Supreme Court in Furman v. Georgia (5–4), to strike down death penalty laws nationwide, and impose a moratorium on the death penalty. Four years later, in Gregg v. Georgia, Amsterdam was back at the Supreme Court again, but he was unsuccessful. In Gregg, the court ruled 7–2 that the modifications made to various state death penalty laws were sufficient, paving the way for future executions.
However, in between the two Supreme Court cases, in 1974, Amsterdam, then at the height of his celebrity in the legal community, was invited to give the Oliver Wendell Holmes Lecture—a notable talk given every three years by a well-known scholar. Amsterdam, whose celebrity has been likened to the late-1990s and early-2000s star pitcher Pedro Martínez, gave his talk a fairly dry title: “Perspectives on the Fourth Amendment.”
At the time, violent crime in America was at one of its highest levels between 1960 and 2010. According to the FBI’s Uniform Crime Reports as prepared by the National Archive of Criminal Justice Data, in 1974, there were 20,710 murders and nonnegligent manslaughters around the country, the first time that statistic had ever topped 20,000. In Chicago alone, 970 people were killed that year, a tragic single-year record that stands to this day.
Amsterdam spoke in the waning days of the Nixon administration—he referred to the police as the New Centurions, the title of a 1972 film, and mocked the presid
ent’s predilection for referring to the police as “peace officers.” Over the course of a landmark three-day lecture, the professor went through a comprehensive perspective on the history of the Fourth Amendment, and its modern-day interpretation.
In 1965, the Los Angeles Police Department (LAPD) only had three helicopters. By 1974, the LAPD was up to 15 helicopters. (Today it has 19, the country’s largest such municipal unit.) But other than wiretaps and helicopters, police surveillance tactics hadn’t advanced much since 1965, when Charlie Katz was strolling down Sunset Boulevard. While the first personal computer, the Xerox Alto, debuted in 1973, it was still largely an obscure research and commercial project, hidden away from most Americans. Mainstream PCs, like the Commodore PET or the Apple II didn’t arrive until 1977. The standard kit for law enforcement in most cases didn’t go beyond a sidearm and radio.
“An actual, subjective expectation of privacy obviously has no place in a statement of what Katz held or in a theory of what the fourth amendment protects,” Amsterdam said. “It can neither add to, nor can its absence detract from, an individual’s claim to fourth amendment protection. If it could, the government could diminish each person’s subjective expectation of privacy merely by announcing half hourly on television that 1984 was being advanced by a decade and that we were all forthwith being placed under comprehensive electronic surveillance. I need hardly add that, for many of us, the announcement would be gratuitous.”
He concluded with a pithy quasi-slogan: “Fortunately, neither Katz nor the fourth amendment asks what we expect of government. They tell us what we should demand of government.”
By the end of his voluminous lecture, Amsterdam reached a clear answer: To stave off government overreach, rather than allow law enforcement to interpret the edges of the law on its own, its power should be exercised with an affirmative authorization to perform that function or use a particular technology. The legislature, or other executive rulemaking body, should outline specifically what is permitted. Any undefined action, such as an e-mail whitelist, would not be allowed by default.
“The fourth amendment is thought to tolerate that power only as the result of a fine balance between its recognized intrusion upon personal privacy and security and its justification by a specific police need,” Amsterdam concluded.
While Amsterdam has since gone on to New York University and has devoted his life to death penalty cases, the mantle of his theory has been taken up by various legal scholars including Paul Ohm (Georgetown Law), Raymond Shih Ray Ku (Case Western Reserve University), and Barry Friedman (New York University), among others.
“Right now, we kind of let the government buy the tech and engage in the search first and then we ask after if it violates [the] Fourth Amendment, as opposed to having accountability from the beginning” Shih told me.
He explained that traditional, conservative notions of law only allow the executive branch—be that a local police force or the FBI—to act when it has been given explicit authorization. However, in recent decades agencies have employed the Hayden-esque policy of playing to the edge rather than waiting for a deliberative, legislative body to grant authorization. In short, the problem isn’t just that courts are slow and behind the times—they always will be.
“Technology, honestly, has rapidly advanced so much that the courts are in a quandary,” former California Supreme Court justice Kathryn Werdegar told me.
As Friedman concluded in his 2017 book, Unwarranted, even small towns have regular, boring, stodgy democratic bodies that perform a variety of functions, including regulating liquor, historic properties, and library policy. There’s no reason why cities can’t and shouldn’t do the same thing.
“Rather than simply telling the police to go forth and enforce the law as they choose, it is essential that we partner with them in determining how,” he wrote.
At the federal level, with respect to digital privacy, Congress remains stuck in a sclerotic morass.
“Right now, I will tell you that the Congress does not really want to be asked hard questions about detentions and interrogations and surveillance,” Michael Hayden, the former NSA and CIA director, told me. “The Congress is built to diffuse responsibility. They aren’t in a position to have personal responsibility for these things. They get to complain when they’re too scared, and then they get to complain when they’re not scared again.”
With partisanship driving the day, and the country divided on a profound level (even before Donald Trump’s election to the presidency), a meaningful change to surveillance practices is unlikely anytime soon. After all, the House unanimously passed Electronic Communications Privacy Act reform in 2016 (an astonishing feat in its own right), only to see the Senate not move at all on the bill. For now, some states (notably, California) have stepped in, enhancing privacy protections. The Golden State, for example, under the California Electronic Communications Privacy Act, requires that law enforcement obtain a warrant to use a stingray, get location information, and access the content of e-mail, among other requirements. Since its passage, there has been no dramatic uptick in crime. The sky has not fallen.
While that particular law is broad, it does not adequately address what Amsterdam and his more contemporary disciples remain primarily concerned with: how to come up with policies and procedures that deal with the acquisition and use of surveillance technology in advance, and to have regular check-ups on whether they are being used properly. Numerous academic law articles have reached a similar conclusion—that the legislature, rather than the judiciary, is best suited to guide policy—and many judges (conservatives and liberals alike) have agreed with this answer.
At the federal level, the only body that is remotely close to Oakland’s Privacy Advisory Commission (PAC) (besides Congress) is the Privacy and Civil Liberties Oversight Board (PCLOB). Like the PAC, the PCLOB is designed to serve as a check on the government’s national security and surveillance policy. However, it has been fraught with problems. For starters, despite being created by statute in 2007, it was not fully staffed and operational until 2013. Since then, it has produced a handful of reports. Second, it is tasked only with conducting after-the-fact analysis, rather than creating policy ahead of time. Notably, in January 2014, a majority of PCLOB members went as far as to declare the NSA’s Section 215 metadata program (which was disbanded months later anyway) “illegal.” This conclusion came 13 years after Section 215 began.
Worse still, by the time Donald Trump was inaugurated, four of the five PCLOB members had either termed out or resigned, leaving the body without a quorum. One March 2017 article in McClatchy noted that the body “barely functions.” The White House seems wholly uninterested in reviving it. But the law is on the books for any administration—Republican or Democrat—to bring it back. After all, doing something is better than doing nothing.
Back in Oakland, Saied Karamooz articulated what many legislators should take to heart: “Do you think people have the time to protect their privacy? They don’t even know that they’ve been violated—doing nothing is admitting defeat.”
NOTES
The fantastic advances: Lopez v. United States, 373 U.S. 427 (1963).
I just hate Fourth: Justice Antonin Scalia, interview with Susan Swain, C-SPAN, June 19, 2009. Available at: https://www.documentcloud.org/documents/3984805-AScalia.html#document/p13/a373041.
Introduction
I believe in big data: Author’s interview with Paul Rosenzweig, May 25, 2017.
“At issue in this case”: Carpenter v. United States, 484 U.S. 19-1987 (2017). Available at: https://www.documentcloud.org/documents/4312483-16-402-d102.html.
“chalk dust on my cleats”: Michael Hayden, “CIA Director’s Address at Duquesne University Commencement” May 4, 2007. Available at: https://www.cia.gov/news-information/speeches-testimony/2007/cia-directors-address-at-duquesne-university-commencement.html.
“order of magnitude”: Cyrus Farivar, “Grand Theft Auto Meets Robocop,
” Wired, June 17, 20015. Available at: https://www.wired.com/2005/06/grand-theft-auto-meets-robocop/
Eventually, I found out that LPR: Ibid.
I learned that in the decades: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe (Strasbourg, January 28, 1981). Available at: https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37.
One of Germany’s most: Federal Data Protection Act, Bundesministerium der Justiz and für Verbraucherschutz (January 14, 2003, amended August 13, 2009). Available at: http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0013.
In the United States, no one: Catherine Bolsover, “German Foreign Minister Joins Criticism of Google’s Mapping Program,” Deutsche Welle, August 14, 2010. Available at: http://www.dw.com/en/german-foreign-minister-joins-criticism-of-googles-mapping-program/a-5910738.
In the end, Google came up: “Low Number of Objections: Germans Unfazed by Google Street View,” Der Spiegel International, October 21, 2010. Available at: http://www.spiegel.de/international/germany/low-number-of-objections-germans-unfazed-by-google-street-view-a-724369.html.
But Google gave up: Matt McGee, “Google has stopped Street View Photography in Germany,” Search Engine Land, April 10, 2011. Available at: https://searchengineland.com/google-has-stopped-street-view-photography-germany-72368
“Where someone goes can reveal”: Cyrus Farivar, “We Know Where You’ve Been: Ars Acquires 4.6M License Plate Scans from the Cops,” Ars Technica, March 24, 2015. Available at: https://arstechnica.com/tech-policy/2015/03/we-know-where-youve-been-ars-acquires-4-6m-license-plate-scans-from-the-cops/.