2013-06-17

By Mark Rasch† and
Sophia Hannah‡

Last post, we wrote about the NSA’s secret program to obtain
and then analyze the telephone metadata relating to foreign
espionage and terrorism by obtaining the telephone metadata
relating to everyone. In this post, we will discuss a darker, but
somewhat less troubling program called PRISM. As described in the
public media and in leaked PowerPoint slides, PRISM and its progeny
are a program that permits the NSA, with the approval of the
super-secret Foreign Intelligence Surveillance Court (FISC), to
obtain “direct access” to the servers of internet companies (e.g.,
AOL, Google, Microsoft, Skype, and Dropbox) to search for
information related to foreign terrorism – or more accurately,
terrorism and espionage by “non US persons.”

Whether you believe that PRISM is a wonderful program narrowly
designed to protect Americans from terrorist attacks or a massive
government conspiracy to gather intimate information to thwart
Americans’ political views, or even a conspiracy to run a false-flag
operation to start a space war against alien invaders, what the
program actually is, and how it is regulated, depends on how the
program operates. When Sir Isaac Newton published his work Opticks in 1704, he
described how a PRISM could be used to – well, shed some light on
the nature of electromagnetic radiation. Whether you believe that
the Booz Allen leaker was a
hero, or whether you believe that he should be given the full
Theon
Greyjoy for treason, there is little doubt that he has sparked
a necessary conversation about the nature of privacy and data
mining. President Obama is right when he says that, to achieve the
proper balance we need to have a conversation. To have a
conversation, we have to have some knowledge of the programs we are
discussing.

Different Data

Unlike the telephony metadata, the PRISM programs involve a
different character of information, obtained in a potentially
different manner. As reported, the PRISM programs involve not only
metadata (header, source, location, destination, etc.) but also
content information (e-mails, chats, messages, stored files,
photographs, videos, audio recordings, and even interception of
voice and video Skype calls.)

Courts (including the FISA Court) treat content information
differently from “header” information. For example, when the
government investigated the ricin-laced letters sent
to President Obama and NYC Mayor Michael Bloomberg, they reportedly
used the U.S. Postal Service’s Mail Isolation Control and Tracking
(MICT) system, which photographs the outside of every letter or
parcel sent through the mails – metadata. When Congress passed the
Communications Assistance to Law Enforcement Act (CALEA),
which among other things established procedures for law enforcement
agencies to get access to both “traffic” (non-content) and content
information, the FBI took the position that it could, without a
wiretap order, engage in what it called “Post-cut-through dialed
digit extraction” -- that is, when you call your bank and it
prompts you to enter your bank account number and password, the FBI
wanted to “extract” that information (Office of Information
Retrieval)
as “traffic,” not “content.” So the lines between “content” and
“non-content” may be blurry. Moreover, with enough context, we can
infer content. As Justice Sotomayor observed in the
2012 GPS privacy case:

… it may be necessary to reconsider the premise that an
individual has no reasonable expectation of privacy in information
voluntarily disclosed to third parties. E.g., Smith, 442 U.S., at
742, 99 S.Ct. 2577; United States v. Miller, 425 U.S. 435, 443, 96
S.Ct. 1619, 48 L.Ed.2d 71 (1976). This approach is ill suited to
the digital age, in which people reveal a great deal of information
about themselves to third parties in the course of carrying out
mundane tasks. People disclose the phone numbers that they dial or
text to their cellular providers; the URLs that they visit and the
e-mail addresses with which they correspond to their Internet
service providers; and the books, groceries, and medications they
purchase to online retailers.

But the PRISM program is clearly designed to focus on content.
Thus, the part of the Supreme Court’s holding in Smith v. Maryland
that people have no expectation of privacy in the numbers they
call, etc., does not apply to PRISM-type information.
Right?

Again, not so fast.

Expecting Privacy

Simple question. Do you have a reasonable expectation of privacy
in the contents of your e-mail?

Short answer: Yes.

Longer answer: No.

Better answer: Vis-à-vis whom, and for what purposes? You see,
privacy is not black and white. It is multispectral – you know,
like light through a triangular piece of glass.

When the government was conducting a criminal investigation of
the manufacturer of Enzyte (smiling Bob and his gigantic – um –
putter), they subpoenaed his e-mails from, among others, Yahoo! The
key word here is subpoena – not search warrant. Now
that’s the thing about data and databases -- if information exists,
it can be subpoenaed. In fact, a
Florida man has now demanded production of cell location data
from – you guessed it – the NSA.

But content information is different from other information. And
cloud information is different. The telephone records are the
records of the phone company about how you used their service. The
contents of emails and documents stored in the cloud are
your records of which the provider has incidental custody.
It would be like the government subpoenaing your landlord for the
contents of your apartment (they could, of course subpoena
you for this, but then you would know), or subpoenaing the
U-stor-it for the contents of your storage locker (sparking a real
storage war). They could, with probable cause and a warrant, search
the locker (if you have a warrant, I guess you’re going to come
in), but a subpoena to a third party is dicey.

So the Enzyte guy had his records subpoenaed. This was done
pursuant to the Stored Communications Act, which permits it. The
government argued that they didn’t need a search warrant to read
Enzyte guy’s email, because – you guessed it – he had no
expectation of privacy in the contents of his mail. Hell, he stored
it unencrypted with a third party. Remember Smith v. Maryland? The
phone company case? You trust a third party with your records, you
risk exposure. Or as Senator Blutarsky (I. NH?) might opine, “you
()*^#)( up, you trusted us…” (actually
Otter said that, with apologies to Animal House fans.)

Besides, cloud provider contracts, and email and internet
provider privacy policies frequently limit privacy rights of users.
In the Enzyte case, the
government argued that terms of service that permitted scanning
of the contents of email for viruses or spam (or in the case of
Gmail or others, embedding context-based ads) meant that the user
of the email service “consented” to have his or her mail read, and
therefore had no privacy rights in the content. (“Yahoo! reserves
the right in their sole discretion to pre-screen, refuse, or move
any Content that is available via the Service.”) Terms of service
which provided that the ISP would respond to lawful subpoenas made
them a “joint custodian” of your email and other records (like your
roommate) who could consent to the production of your
communications or files. Those policies that your employer has that
say, “employees have no expectation of privacy in their emails or
files”? While you thought that meant that your boss (and the IT
guy) can read your emails, the FBI or NSA may take the position
that “no expectation of privacy” means exactly that.

Fortunately, most courts don’t go so far. In general, courts
have held that the contents of communications and information
stored privately online (not on publicly accessible Facebook or
Twitter feeds) are entitled to legal protection even if they are in
the hands of potentially untrustworthy third parties. But this is
by no means assured.

But clearly the data in the PRISM case is more sensitive and
entitled to a greater level of legal protection than that in the
telephony metadata case. That doesn’t mean that the government,
with a court order, can't search or obtain it. It means that
companies like Google and Facebook probably can't just “give it” to
the government. It’s not their data.

The PRISM Problem

So the NSA wants to have access to information in a massive
database. They may want to read the contents of an email, a file
stored on Dropbox, whatever. They may want to track a credit card
through the credit card clearing process, or a banking transaction
through the interbank funds transfer network. They may want to
track travel records – planes, trains or automobiles. All of this
information is contained in massive databases or storage facilities
held by third parties – usually commercial entities. Banks.
VISA/MasterCard. Airlines. Google.

The information can be tremendously useful. The NSA may have
lawful authority (a Court order) to obtain it. But there is a
practical problem. How does the NSA quickly and efficiently seek
and obtain this information from a variety of sources without
tipping those sources off about the individual searches it is
conducting – information which itself is classified? That appears
to be the problem attempted to be solved by PRISM programs.

In the telephony program, the NSA “solved” the problem by simply
taking custody of the database.

In PRISM, they apparently did not. And that is a good thing. The
databases remain the custody of those who created them.

Here’s where it gets dicey – factually.

The reports about PRISM indicate that the NSA had “direct
access” to the servers of all of these Internet companies. Reports
have been circulating that the NSA had similar “direct access” to
financial and credit card databases as well. The Internet companies
have all issued emphatic denials. So what gives?

Speculation time. First, the NSA and Internet companies could be
outright lying. David Drummond, Google’s Chief Legal Officer, ain't
going to jail for this. Second, they could be reinterpreting the
term “direct” access. When
General Alexander testified under oath that the NSA did not
“collect any type of data on millions of Americans,” he took the
term “collect” to mean “read” rather than “obtain.”

Most likely, however, is that the NSA PRISM program is a
protocol for the NSA, with FISC approval, to task the computers at
these Internet companies to perform a search. This tasking is most
likely indirect. How it works is, at this point, rank speculation.
What is likely is that an NSA analyst, say in Honolulu, wants to
get the communications (postings, YouTube videos, stored
communications, whatever) of Abu Nazir, a non-US person, which are
stored on a server in the U.S., or stored on a server in the Cloud
operated by a US company. The analyst gets “approval” for the
“search,” by which I mean that a flock of lawyers from the NSA, FBI
and DOJ descend (what is the plural of lawyers? [ a "plague"?
--spaf] ) and review the request to ensure that it asks for info
about a non US person, that it meets the other FISA requirements,
that there is minimization, etc. Then the request is transmitted to
the FISC for a warrant. Maybe. Or maybe the FISC has approved the
searches in bulk (raising the Writ of Assistance issue we described
in the previous post.) We don’t know. But assuming that the FISC
approves the “search,” the request has to be transmitted to, say,
Google, for their lawyers to review, and then the data transmitted
back to the NSA. To the analyst in Honolulu, it may look like
“direct access.” I type in a search, and voilà! Results show up on
the screen. It is this process that appears to be within the
purview of PRISM. It may be a protocol for effectuating
court-approved access to information in a database, not direct
access to the database.

Or maybe not. Maybe it is a direct pipe into the servers,
which the NSA can task, and from which the NSA can simply suck out
the entire database and perform their own data analytics. Doubtful,
but who knows? That’s the problem with rank speculation. Aliens,
anyone?

But we are basing this analysis on what we believe is reasonable to
assume.

So, is it legal? Situation murky. Ask again later.

If the FISC approves the search, with a warrant, within the
scope of the NSA’s authority, on a non-US person, with
minimization, then it is legal in the U.S., while probably
violating the hell out of most EU and other data privacy laws. But
that is the nature of the FISA law and the USA PATRIOT Act which
amended it. Like the PowerPoint slides said, most internet traffic
travels through the U.S., which means we have the ability (and
under USA PATRIOT, the authority) to search it.

While the PRISM programs are targeted at much more sensitive
content information, if conducted as described above, they actually
present fewer domestic legal issues than the telephony metadata
case. If they are a dragnet, or if the NSA is actually conducting
data mining on these databases to identify potential targets, then
there is a bigger issue.

The government has indicated that they may release an
unclassified version of at least one FISC opinion related to this
subject. That’s a good thing. Other redacted legal opinions should
also be released so we can have the debate President Obama has
called for. And let some light pass through this PRISM.

† Mark Rasch is the former head of the United States Department of
Justice Computer Crime Unit, where he helped develop the
department’s guidelines for computer crimes related to
investigations, forensics and evidence gathering. Mr. Rasch is
currently a principal with Rasch Technology and Cyberlaw and
specializes in computer security and privacy.

‡ Sophia Hannah has a BS degree in Physics with a minor
in Computer Science and has worked in scientific research,
information technology, and as a computer programmer. She currently
manages projects with Rasch Technology and Cyberlaw and researches
a variety of topics in cyberlaw.

Rasch Cyberlaw (301) 547-6925 www.raschcyber.com
