Crocker’s article is a defining summary of the legal problems associated with the U.S. Government’s attempts to use malware to conduct lawful surveillance of persons suspected of breaking the law. He explores how even after the law is shifted to authorize magistrates to issue warrants pertaining to persons outside of their jurisdictions, broader precedent concerning wiretaps may prevent the FBI or other actors from using currently-drafted warrants to deploy malware en masse. Specifically, the current framework adopted might violate basic constitutional guarantees that have been defined in caselaw over the past century, to the effect of rendering mass issuance of malware an unlawful means of surveillance.
In March, Brazilian police briefly jailed a Facebook exec after WhatsApp failed to comply with a surveillance order in a drug investigation. The same month, The New York Times revealed that WhatsApp had received a wiretap order from the US Justice Department. The company couldn’t have complied in either case, even if it wanted to. Marlinspike’s crypto is designed to scramble communications in such a way that no one but the people on either end of the conversation can decrypt them (see sidebar). “Moxie has brought us a world-class, state-of-the-art, end-to-end encryption system,” WhatsApp cofounder Brian Acton says. “I want to emphasize: world-class.”
For Marlinspike, a failed wiretap can mean a small victory. A few days after Snowden’s first leaks, Marlinspike posted an essay to his blog titled “We Should All Have Something to Hide,” emphasizing that privacy allows people to experiment with lawbreaking as a precursor for social progress. “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed,” he wrote. “How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?”
We live in a world where mass surveillance is a point of fact, not a fear linked with dystopic science fiction novels. Moxie’s work doesn’t blind the watchers but it has let massive portions of the world shield the content of their communications – if not the fact they are communicating in the first place – from third-parties seeking to access those communications. Now unauthorized parties such a government agencies are increasingly being forced to target specific devices, instead of the communications networks writ large, which may have the effects of shifting state surveillance from that which is mass to that which is targeted. Such a consequence would be a major victory for all persons, regardless of whether they live in a democratic state or not.
But government social media monitoring could very easily cross over into a legal gray area. Christopher Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, said the collection of personal data from online sources needs to be rigorously justified, and even when it is, the data needs to be handled and stored safely.
“The government can’t just collect information about Canadians—even from public sourced data repositories such as social media—just because it wants to,” said Parsons in an email to me. “There have to be terms set on the collection, handling, disclosure, and disposal of personal information that the government wants to gather. As a result, even when data is collected for legitimate reasons that doesn’t mean the data can then be used in any way that the government (subsequently) decides.”
Strict oversights into how the government gleans and uses this intelligence—even in the service of testing policy reactions, as Parsons thinks this service will likely do—is required.
According to Parsons, that comes in the form of internal “privacy impact assessments” related to the specific social media surveillance program.
“Government agencies are supposed to conduct such assessments before collecting Canadians’ personal information and explain the specifics of how and why they will collect Canadians’ personal data,” said Parsons.
In the medium term, it appears Canadians can count on more of their tweets to be sucked up into a government social media surveillance system—then potentially shared across government departments.
Parsons told me that the sharing of the personal data of Canadian, in general, is only becoming more pervasive across government agencies.
“There has been a marked increase in the sharing of personal data between and across different departments because information is initially being collected for vague or far-sweeping reasons. Were social media information collected for similarly vague reasons then the government could then try to expansively share collected information across government,” he said.
Toronto – The Canadian Civil Liberties Association (CCLA) has launched a constitutional challenge to parts of the federal privacy legislation that effectively permits private companies to engage in warrantless disclosure of personal information to government. The challenge is part of CCLA’s ongoing work in the areas of privacy, national security, and accountability in law enforcement, and comes in the wake of recent revelations that telecommunications service providers provide government agencies with customer information on a massive scale. CCLA’s General Counsel, Sukanya Pillay, described the court challenge as “a way to protect the privacy rights of Canadians and ensure accountability across the board.”
CCLA is challenging parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that allow private corporations to disclose their users’ personal information to a government institution (including law enforcement agencies) for a number of reasons including national security and the enforcement of any law of Canada, any province or a foreign jurisdiction. While law enforcement may have a need to access some personal information in a narrow set of circumstances, the current law is too broad and should be struck out. The consequences of government accessing and sharing personal information without an individual’s knowledge or consent, can be very serious and violate fundamental constitutional rights. The fact that information is being obtained from the private sector further complicates things. As CCLA’s General Counsel stated: “Non-state actors are playing an increasingly large role in providing law enforcement and government agencies with information they request. The current scheme is completely lacking in transparency and is inadequate in terms of accountability mechanisms.”
CCLA’s legal challenge asks that provisions of PIPEDA be struck as an unconstitutional violation of the right to life, liberty and security of the person and the right to be free from unreasonable search and seizure. CCLA brings this challenge to create the impetus for change necessary to effectively protect the privacy rights of individuals.
I’ve been busy parsing a nice hefty government document that documents a lot of federal agencies’ surveillance practices the past few days, and my post on “Accountability and Government Surveillance” is the result. It’s admittedly long but is fairly interesting. Go read!
When members of the intelligence community brief Congress on highly classified programs, they’re incentivized to do so in a way that provides the necessary amount of detail to satisfy legal and administrative requirements, and not a shred more. Since most members of the intelligence committees aren’t experts, an imbalance is built into the system. The briefers will use technical language, knowing that members often can’t share with their staffs enough information to develop follow-up questions. Members know this and tend to be the alert for weasel words or any hints or indications that there are depths to the particular program that might not be visible in a briefing. The less trust there is between institutions, the more games are played in the briefings. These games have become endemic, which for oversight is troubling. The less trust we have in government, the more likely it is for freelancers and hobbyists, people who traffic in classified information that is expressly often pulled from its context, to decide whether to publish secrets. Don’t blame this on the lone wolves. Blame it on the gatekeepers for failing to maintain credibility.
Government photograph databases form the basis of any police facial recognition system. They’re not very good today, but they’ll only get better. But the government no longer needs to collect photographs. Experiments demonstrate that the Facebook database of tagged photographs is surprisingly effective at identifying people. As more places follow Disney’s lead in fingerprinting people at its theme parks, the government will be able to use that to identify people as well.
In a few years, the whole notion of a government-issued ID will seem quaint. Among facial recognition, the unique signature from your smart phone, the RFID chips in your clothing and other items you own, and whatever new technologies that will broadcast your identity, no one will have to ask to see ID. When you walk into a store, they’ll already know who you are. When you interact with a policeman, she’ll already have your personal information displayed on her Internet-enabled glasses.
Soon, governments won’t have to bother collecting personal data. We’re willingly giving it to a vast network of for-profit data collectors, and they’re more than happy to pass it on to the government without our knowledge or consent.
- Bruce Schneider, “The Public/Private Surveillance Partnership”
It’s the ability for government to prospectively combine public and private data that makes American laws such as CISPA, which would permit the disclosure of private information to public bodies without absent warrant requirements, so significant. Privacy legislation serves as a necessary friction to delay, limit, and prevent governments from accessing citizens’ and resident aliens’ personal information unless such access is absolutely necessary: we need to strengthen such laws to preserve basic democratic freedoms, not weaken or erode them.