PRISM

All posts tagged PRISM

This week the foundation that runs Wikipedia filed a lawsuit against the National Security Agency (“NSA”), arguing that the “upstream” internet surveillance conducted by the NSA violates the agency’s statutory authority, as well as the First and Fourth Amendments to the Constitution.  This is only the latest in a series of legal actions against the NSA in the wake of the revelations about its surveillance by Edward Snowden.  The organization Pro Publica has complied this helpful list which describes thirty-eight different lawsuits that have been filed since 2006 against the NSA, other branches of the Obama administration, or private companies who were complying with NSA orders.  Most of these lawsuits can be roughly divided into four different categories:

(1) The first wave of cases, from 2006 to 2008, which alleged that the government surveillance programs violated the First and Fourth Amendment.  These cases were all effectively disposed of by the 2008 Supreme Court decision of Clapper v. Amnesty International, in which the Supreme Court held that the plaintiffs lacked standing because they could not prove that they themselves had been surveilled by the government.

(2) Lawsuits which seek to release information–either forcing the NSA to reveal more information about its surveillance program, or permitting private companies to reveal the fact that they have provided information to the NSA.  For the most part, these lawsuits have been successful, although many are still pending.

(3) Criminal defendants who are challenging the use of covert NSA surveillance evidence in their case.  Many of these cases are still pending, but so far none have been successful.

(4) A second wave of cases, post-Clapper v. Amnesty International, in which various organizations claim that the NSA surveillance programs violate its statutory authority and the Constitution.  The new case filed by Wikimedia falls under this category.

There are three separate NSA programs that are being challenged by this second wave of lawsuits.  The first is the “bulk metadata collection” program, in which the NSA collects massive amounts of non-content data from private companies, such as telephone numbers, email addresses, and other “address” information.  Because the NSA was collecting this information pursuant to Section 215 of the USA Patriot Act, this surveillance is sometimes referred to as “Section 215 collection.”  The second program is codenamed “PRISM,” and it involves the NSA collecting information that is stored by private companies (Microsoft, Facebook, Google, Apple, etc.).  PRISM data included content information, but (allegedly) the surveillance would only take place if the NSA agent has a “reasonable belief” (defined as at least 51% assurance) that the specified target is a foreign national who is overseas at the time of the data collection.  Because this program is allegedly authorized by Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), it is sometimes referred to as “Section 702 surveillance.”  The third program is codenamed “UPSTREAM,” and it involves realtime interception of data and communication flowing across the fiber cables and other infrastructure of the internet (sometimes called the “backbone” of the internet).  The UPSTREAM program collects large amounts of data as it is transmitted, but then uses software filters to filter out purely domestic transmissions and then further filters the data to look for specific target words that would make the message of particular interest to the NSA.

upstream-slide    prism-slide-2

With the new Wikipedia lawsuit, there are now five lawsuits pending in federal court which challenge these programs:

Jewell v. NSA (filed in 2008) — This case was filed in the Northern District of California by the Electronic Frontier Foundation, an advocacy group for digital privacy, on behalf of Carolyn Jewel and other AT&T customers.  The plaintiffs were seeking an injunction against the NSA’s bulk collection of telephone metadata and against the NSA’s UPSTREAM  surveillance program.  The case was originally dismissed in 2010 for lack of standing, but was re-instated by the Ninth Circuit in 2011.  Most recently, the plaintiffs suffered a setback in February of 2015 when the district judge granted the government’s motion for summary judgment on the issue of UPSTREAM surveillance, holding that the publicly available information was not sufficient to support the plaintiff’s standing in the case, or to adjudicate the substantive Fourth Amendment issues:

Notwithstanding the unauthorized public disclosures made in the recent past and the Government’s subsequent releases of previously classified information about certain NSA intelligence gathering activities since 2013, the Court notes that substantial details about the challenged program remain classified. The question of whether Plaintiffs have standing and the substantive issue of whether there are Fourth Amendment violations cannot be litigated without impinging on that heightened security classification. Because a fair and full adjudication of the Government Defendants’ defenses would require harmful disclosures of national security information that is protected by the state secrets privilege, the Court must exclude such evidence from the case.

The trial court noted that this was a “frustrating” ruling:

The Court is frustrated by the prospect of deciding the current motions without full public disclosure of the Court’s analysis and reasoning. However, it is a necessary by-product of the types of concerns raised by this case. Although partially not accessible to the Plaintiffs or the public, the record contains the full materials reviewed by the Court. The Court is persuaded that its decision is correct both legally and factually and furthermore is required by the interests of national security.

Notwithstanding this recent ruling, the Jewell case is still pending, since the court only granted summary judgment on the UPSTREAM surveillance question, not on the bulk collection of telephone metadata.
Klayman v. Obama (filed in 2013) — This case was filed in the District of Columbia District Court by customers of Verizon Wireless, and it challenges the NSA’s bulk metadata collection program.  In December of 2013, District Court Judge Leon ruled in favor of the plaintiffs and granted an injunction that would bar the NSA from continuing the surveillance.  The judge then stayed the injunction pending appeal.  The most controversial aspect of Judge Leon’s opinion was his rejection of the Supreme Court case Smith v. Maryland, which held that the Fourth Amendment does not protect telephone numbers that an individual dials, both because of the third party doctrine and because the telephone numbers are merely “address” information as opposed to “content” information.  The government understandably relied heavily on Smith in its argument that the surveillance program did not violate the Fourth Amendment, but Judge Leon essentially held that Smith‘s reasoning–and therefore, presumably, its holding–was hopelessly outdated:

The Government, in its understandable zeal to protect our homeland, has crafted a counterterrorism program with respect to telephone metadata that strikes the balance based in large part on a thirty-four year old Supreme Court precedent, the relevance of which has been eclipsed by technological advances and a cell phone-centric lifestyle heretofore inconceivable. 

The case is now on appeal to the D.C. Circuit, and oral argument took place in November of 2014.

 

ACLU v. Clapper (filed in 2013) — This case was filed in the Southern District of New York by the ACLU as Verizon subscribers, challenging the NSA’s bulk metadata collection program.  In December of 2013, just a few days after Judge Leon ruled against the government in Klayman, Judge William Pauley ruled in favor of the government in this case.   Judge Pauley cited Smith v. Maryland as binding Supreme Court precedent, and also noted the necessity of this kind of surveillance in the modern world:

No doubt, the bulk telephony metadata collection program vacuums up information about virtually every telephone call to, from, or within the United States. That is by design, as it allows the NSA to detect relationships so attenuated and ephemeral they would otherwise escape notice. As the September 11th attacks demonstrate, the cost of missing such a thread can be horrific, Technology allowed al-Qaeda to operate decentralized and plot international terrorist attacks remotely. The bulk telephony metadata collection program represents the Government’s counter-punch: connecting fragmented and fleeting communications to re-construct and eliminate al-Qaeda’s terror network.

The case is now on appeal to the Second Circuit, and oral argument took place in September of 2014.

 

Paul v. Obama (filed in 2014) — This is a lawsuit filed in the District of Columbia District Court  by Senator Rand Paul and FreedomWorks, challenging the warrantless collection of cell phone records and metadata by the NSA.  it is currently pending in the D.C. District Court.  Although this lawsuit has more political overtones than the others, since the lead plaintiff is likely to be a contender for the Republican nomination in the 2016 Presidential Contest, the plaintiffs claim it is different from the others because it has been filed as a class action on behalf of “all Americans.”

 

Wikimedia vs. NSA (filed in 2015) — This lawsuit was filed just this week in the District of Maryland.  Like the Jewel case, Wikimedia’s case challenges the NSA’s UPSTREAM surveillance program.  And like the Jewel case, this case could be dismissed in whole or in part because national security secrecy makes the plaintiffs unable to establish a cause of action.  However, if the case is able to go forward, the case will likely turn on when (if ever) the NSA is held to have “searched” and “seized” the data in the UPSTREAM program.  The following graphic (which comes from the Electronic Frontier Foundation’s website) explains the case from Wikimedia’s point of view, arguing that the internet traffic is “seized” when it is copied as it flows along the internet backbone, and then “searched” when the NSA’s computer software sifts through it to identify messages and data that include the suspicious words or terms.

backbone-3c-color

One question that a court will eventually have to decide is whether this information is actually ever being “seized.”  A seizure occurs when the government exercises “some meaningful interference” with an individual’s possessory interest in the property.  But merely copying data as it flows through the fiber-optic cables is not really a seizure–it does not interfere at all with the individual’s possessory interest.  Under current Supreme Court doctrine, merely making a copy of information does not constitute a “seizure”–although this doctrine has been criticized by some commentators, it is hard to see how any other rule would be consistent with existing law.

The real question is: when is the information “searched?”  If the government has copies of all of the data flowing across the internet, it does not help the government at all (nor does it meaningfully infringe on our privacy rights) unless the government actually looks at the data–and once the government looks, it has committed a search.

But what exactly constitutes “looking” at the data?  When a computer program sifts through the data looking for specific key words, can we classify that as a “search,” even if no human being ever sees the data?  In a 2005 article, I wrote that using software in this way could be a valuable new tool for police–increasing the efficiency of law enforcement with very little intrusion into our privacy.

As technology gets more sophisticated, software will be better able to focus on illegal behavior and thus narrow the scope of the surveillance—perhaps even to the point where the surveillance only alerts a human law enforcement agent when there is a near certainty of illicit conduct.  At that point, only the mindless computers  will “know” the private information about what we are writing, and they will quickly and unconsciously examine and discard any private innocent information they discover.  In the meantime, the human law enforcement agents will leave us alone. 

The NSA collection methods are coming close to reaching this point, but we are not there yet.  Unfortunately, the NSA filters still allow a large amount of innocent data to come through–and as soon as the NSA officers look at innocent information, they are conducting a “search.”  It may be a very efficient search, with a very high probability of leading to illegal activity, but it is still a search.  Perhaps the filters are refined enough such that there is probable cause to believe that any data that survives the filter is evidence of a crime.   Perhaps the filters are effective in removing all purely domestic communications, and so can all be justified under a FISA warrant.  But until we get a full, public review of the program, we will be unable to answer these questions.