Over the past few weeks as the scope and nature of the government's surveillance activities have been revealed, citizens have been nothing less than outraged. Or have they? A recent Pew Research survey shows a majority of Americans find the NSA's surveillance of phone records to be acceptable, while a substantial minority go the other way. As Tim Cushing explains on TechDirt, a Rasmussen poll covering the same period showed that only 26% of Americans approved. Cushing notes that the differences may reflect the phrasing of questions in each poll, or potentially unawareness or ambivalence of the severity of what's been going on. A recent Gallup poll also supports the view that most of us have had enough.
As scholars and activists have reminded us for years, "if you have nothing to hide, you should have nothing to worry about" is just a slippery slope to a loss of fundamental freedoms and merely leaves us vulnerable. While reading a draft of the forthcoming article Reforming Surveillance Law: The Swiss Model, one statistic jumped out. Footnote 136 says that all Swiss cantons and 86.4% of eligible voters approved the constitutional amendment needed to enact a new statute covering law enforcement surveillance activities. The new Criminal Procedure Code (Code) derived from requirements set by the European Court of Human Rights for signatories' compliance with the European Convention on Human Rights and from the Swiss Constitution. (Though a member of the Council of Europe, Switzerland is not a member of the EU. Still, it is a signatory to the Convention and has been influenced by the Court. See Part I.A and I.B for details.)
While comparing voting records to research surveys in countries of much different size and history isn't exactly analogous, I'm left to wonder whether each country's attitudes are the cause or effect of the legal structures. Have Americans always just presumed that the Fourth Amendment is enough of a backstop in the US? Or simply not care anymore? Do people truly value security (rhetoric) more than liberty? Or is it just that the European model has always put the individual first and the laws continue to reflect that? Either way, as Freiwald and Métille's paper concludes, reforms of US law ought to look at the Swiss model for guidance.
Most important, the Swiss law takes a positive rights approach rather than the negative rights approach of the US legal patchwork. In other words, Swiss law enforcement may only undertake surveillance activities allowed by the statute whereas in the US, law enforcement activity is presumptively allowed unless barred (by case law, the Constitution, statute, agency policy, etc.). While a suppression remedy is available in the US for Fourth Amendment or Wiretap Act violations, it is notably absent from ECPA. Any violation of the Code triggers suppression. Further, although the Wiretap Act has a high procedural bar for law enforcement, it doesn't apply to stored communications which are covered by ECPA's lesser standards.
The treatment of non-content information in the Swiss law is also particularly notable in light of the PRISM program and Verizon's surrender of mountains of metadata about phone calls. Under the Code, non-content, aka "envelope" information like sender, recipient or IP address metadata, is given the same strong protections as email. The authors note that location data would receive those protections too. Compare that to varying approaches in the US (especially for location data) and the definitional and structural complexity of ECPA, which further places different standards on obtaining envelope information versus actual message contents. The article also digs into the lack of user notice in most situations in the US, inadequate or nonexistent Congressional reporting requirements and absence of subsidiarity (exhausting less intrusive methods first), proportionality and minimization requirements for most US laws, and compares available remedies under each nation's laws.
authors are certainly not the first to call the US framework (crumbling foundation?) inadequate and confusing. The comparison to the privacy-presumptive Swiss framework illustrates one way forward for the US. Bills have been proposed to at least require a warrant for all email information, and at least that would eliminate many of the current issues. A suppression remedy, required notice, enhanced transparency and reporting and other safeguards would be nice too. Maybe this will be the issue that actually gives meaning to the rhetoric of bipartisanship. With groups like Stopwatching.us already gaining significant support, let's hope that US support soon extends far beyond 86.4% as it should be.
Wednesday, June 12, 2013
Monday, June 3, 2013
Federal prosecutors in D.C. typically provide notice to a person after receiving court approval to track them with geolocation data. However, after obtaining a warrant to search journalist James Rosen's Gmail account in May 2010, the government argued it did not have any obligation to provide the same notice to the customer/subscriber when it comes to email and ultimately won. The difference comes down to the different provisions under ECPA and other procedural rules under which the government obtains warrants for the different types of information. Check out the ACLU's post for an overview, or this link for my summary of the arguments contained in the recently unsealed documents. Keep in mind that the issue here is the ECPA language applied to the government's disclosure obligations, not the service provider's, although the latter is often prohibited from giving the user notice.