Cybersecurity and Corporate Social Responsibility

My article Cybersecurity, Encryption, and Corporate Social Responsibility has been published in the current edition of the Georgetown Journal of International Affairs.  I argue in this paper that “[c]ompanies such as Apple should recognize that they have a social responsibility to work with governments on security issues, and such a corporate social responsibility norm should become part of international CSR principles.”

Fourth Circuit Revives Wikimedia NSA Case

Yesterday the Fourth Circuit reinstated a case brought by the Wikimedia Foundation concerning the National Security Agency’s bulk “Upstream” surveillance program.  Under the Upstream program, the NSA collects traffic on the U.S. Internet backbone.  The Government claims that this collection is targeted to specific queries relating to terror investigations and other intelligence matters.  As a result, the government claimed, it is unlikely that any communications involving Wikimedia were reviewed by the NSA as part of the Upstream program, and therefore Wikimedia lacks standing to assert its claims.  The district court, relying on Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), agreed and granted the government’s motion to dismiss on the pleadings.  The Fourth Circuit reversed.

Wikimedia alleged that, because of the way packets travel over the network, the NSA necessarily must collect substantially all the international text-based communications traveling over high-capacity cables, switches and routers in the U.S.  The Government argued that this was a speculative assertion that should not be taken at face value even at the pleading stage.  However, Wikimedia also alleged that, given the enormous number of Internet communications involving Wikimedia each year — a number Wikimedia put at over one trillion — it is nearly certain that the NSA has collected and reviewed communications involving Wikimedia even if the NSA’s data collection were limited to one trunk line.  As the Complaint put it, “even if one assumes a 0.00000001% chance . . . of the NSA copying and reviewing any particular communication, the odds of the government copying and reviewing at least one of the Plaintiffs’ communications in a given one-year period would be greater than 99.9999999999%.”  Complaint, 46-47.

The Government disputed these factual statistical assertions as well, but the Fourth Circuit found them plausible enough that the case should proceed.  The Fourth Circuit noted that “[w]e would never confuse the plausibility of this conclusion with that accorded to Newton’s laws of motion,” but noted that the standard is merely reasonable plausibility.  Opinion, at 26.  The Fourth Circuit did, however, uphold the dismissal of what it termed the “Dragnet” allegations because the Complaint did not contain specific enough factual assertions about the actual scope of the NSA’s surveillance activity.

The Fourth Circuit makes some interesting interpretive moves in this Opinion relating to how Clapper should apply in cases involving bulk surveillance claims and large Internet entities.  Wikimedia’s “statistical” argument seems dubious, and it seems that under the Fourth Circuit’s analysis any entity with a large Internet presence would have standing to challenge a surveillance program.  Perhaps that is a good policy result, but it does not seem consistent with Clapper.

The Fourth Circuit’s Opinion is below:

Wikimedia-ca4-20170523.pdf: https://drive.google.com/file/d/0BzS0leqU862xWm81WlFScWlDY3c/preview?usp=drivesdk

Cybersurveillance Developments

Over the past few months there has been a flurry of sometimes contradictory activity concerning the government’s ability to access electronic information in the course of a criminal investigation.  This article highlights three recent proposals that show how the broader policy debate is playing out at the level of specific legal rules.

Changes to the Federal Rules of Criminal Procedure Concerning Search Warrants

On April 28, 2016, the Supreme Court adopted changes to F. R. Crim. Pro. 41, adding a subsection (6), to authorize a magistrate judge in any district “where activities related to a crime may have occurred” to issue a warrant “to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district. . . .”  See Rule changes submitted by Justice John G. Roberts to Congress, April 28, 2016.  Under the amendment, such warrants can issue if “the district where the media or information is located has been concealed through technological means” or in cases involving investigations of hacking or malware transmission under the Computer Fraud and Abuse Act where the “media” are damaged computers in five or more districts.  Id., amended F. R. Crim. Pro. 41(6)(A), (B).

Previously, the general principle was that a warrant could only be issued to search and seize a person or property located outside the district “if the person or property is located within the district when the warrant is issued but might move or be moved outside the district before the warrant is executed.”  Fed. R. Crim. P. 41(b)(1)-(2).  This principle previously was expanded to include authority to issue a warrant for a person or property outside the district if the investigation involved domestic or international terrorism and to include warrants for installation of a tracking device to track the movement of a person inside or outside the district.  See Fed. R. Crim. P. 41(b)(1)-(4).  Finally, historically a warrant could be issued for property outside the district but within a U.S. territory, possession or commonwealth, on the premises of a U.S. diplomatic or consular mission in a foreign state, or in a residence leased by the U.S. and used by U.S. personnel assigned to a U.S. diplomatic or consular mission in a foreign state.  Fed. R. Crim. P. 41(5).

Critics of the recent addition of subsection (6), including some tech industry giants such as Google Inc., argued that it would permit “remote access” warrants for nationwide or even worldwide electronic surveillance.  See Google Public Policy Blog, “A Small Rule Change that Could Give the U.S. Government Sweeping New Warrant Power.”  Google’s comments in this regard were typical of tech industry concerns:

The proposed change does not define what a “remote search” is or under what circumstances and conditions a remote search can be undertaken; it merely assumes such searches, whatever they may be, are constitutional and otherwise legal.  It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.

Id.  Notwithstanding such objections, the Rule change was approved by the Supreme Court, and will become effective unless disavowed by Congress before December 1, 2016 under the Rules Enabling Act.  See 28 U.S.C. § 2074.

Burr-Feinstein Bill

On April 13, 2016, Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), Chair and Vice-Chair, respectively, of the Senate Intelligence Committee, released a draft Bill titled the “Compliance With Court Orders Act of 2016.”  See April 13, 2016 Press Release; Discussion Draft.  This Bill responds to the recent showdowns between Apple Inc. and the FBI concerning the ability to compel technology companies under the All Writs Act to assist with access to locked and encrypted devices such as iPhones.  See David W. Opderbeck, “The Apple iPhone Showdown:  What is at Stake,” New Jersey Law Journal, March 7, 2016.  The Bill would require any covered entities that receive court orders “for information or data” to provide the information or data “in an intelligible format” and to “provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.”  Discussion Draft, Sec. 3(a)(1).  The Bill states that a covered entity is only responsible for providing data in an intelligible format “if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”  Id., Sec. 3(a)(2).  The Bill further states that it would not authorize any government officer to require or prohibit “any specific design or operating system to be adopted.”  Id., Sec. 3(b).  However, the very next subsection of the Bill requires providers of “remote computing service” or “electronic communication service” to ensure that their products or services are capable of complying with the requirement to provide data in an intelligible format.  Id., Sec. 3(d), (e).  The terms “remote computing service” and “electronic communication services” are defined to have the meanings provided in the Electronic Communication Privacy Act (ECPA), 18 U.S.C. §§ 2510, 2711.

The draft Bill was immediately pilloried by technology industry and civil liberties advocates.  For example, Kevin Bankston, Director of the New America Foundation’s Open Technology Institute, called it “easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”  Andy Greenberg, “The Senate’s Draft Encryption Bill is Ludicrous, Dangerous, Technically Illiterate,” Wired Security, April 8, 2016.  Critics noted that the Bill’s performance standard necessarily would constrain design choices, that it would effectively outlaw user-directed end-to-end encryption, and that it would require a greater level of technological assistance than the government ever sought in the All Writs Act cases.  See “The Burr-Feinstein Proposal is Simply Anti-Security,” Electronic Frontier Foundation Deeplinks Blog, April 8, 2016.

Proposed Amendments to ECPA

The changes to F. R. Crim. P. 41 and the Burr-Feinstein Bill are pro-law-enforcement and anti-encryption.  Not all recent legislative proposals, however, fall on that side of the line.  On April 27, 2016, the “Email Privacy Act” passed the House of Representatives.  See H.R. 699, 114th Cong. 2d Sess. (2015-2016).  The Email Privacy Act would amend the ECPA to require the government to obtain a search warrant to access stored electronic communications.  

The law makes a distinction between electronic communications in transit and in storage.  For communications in transit, the Wiretap Act requires a showing of probable cause plus a showing that “normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous.”  18 U.S.C. § 2518(3).  Wiretap orders must expire after thirty days, although extensions are possible upon a showing of necessity.  Id. § 2518(5).  For communications in storage, presently, the ECPA distinguishes between contents stored by an “electronic communication service (ECS)” and a “remote computing service (RCS),” and as to an ECS, further distinguishes whether the communications have been in storage for 180 days or more.  See 18 U.S.C. § 2703.  Finally, the ECPA allows a judge in any district, not only the district where the information is stored, to issue the order.  Id. § 2703(d).

Under the ECPA, the government may obtain the contents of stored electronic communications (such as emails and voicemails) that have been in storage by an ECS for 180 days or less by obtaining a warrant.  18 U.S.C. § 2703(a).  However, the government may obtain the contents of information held by an RCS “solely for the purpose of providing storage or computer processing services,” or held in storage by an ECS for 180 days or more, through a court order based on “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(a)-(d).  In other words, the law currently recognizes a lower expectation of privacy (a) for the contents of communications held in storage by an RCS; and (b) for the contents of emails and other communications held in storage for more than 180 days by an ECS.  These distinctions date back to the early days of the Internet, when users were able to download and store only a small amount of data from email servers run by their service providers.  See H. Rept. 114-528 – 114th Congress (2015-2016) April 26, 2016, As Reported by the Judiciary Committee.

The Email Privacy Act would instead recognize the same expectation of privacy in all communications stored by third party providers by requiring a warrant on probable cause before the government could obtain the contents of such communications, regardless of how long they have been in storage, and regardless of whether the provider is classified as an RCS or ECS.  See Email Privacy Act, Sec. 3.  This would make the statute consistent with practice in the Sixth Circuit, which has held the distinctions under the present ECPA unconstitutional under the Fourth Amendment.  See United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).  The Bill would not affect the government’s ability to obtain non-content information, such as subscriber records, through an administrative subpoena, nor would it change the ability of the owner of a communication system, such as an employer-owned email system, to disclose stored information voluntarily.

Most recently, law enforcement groups sought amendments to the proposed Email Privacy Act, which has stalled the bill’s progress in the Senate.  It is unlikely that any further action will be taken before the Presidential election.

Conclusion

These three recent proposals get “into the weeds” of the larger national policy debate about encryption and Internet surveillance.  They demonstrate that the larger debate implicates a host of more granular authorities involving the scope and requirements of judicially approved process for the government to obtain electronic information and for technology companies to assist with such process.  The critics may be right to worry about the jurisdictional and technological breadth of the changes to the search warrant rule and in the Burr-Feinstein Bill.  However, even if these rules are not adopted and the pro-privacy changes of the Email Privacy Act are enacted into law, significant issues will remain concerning how law enforcement can execute its mission to provide security for everyone while respecting Constitutional privacy concerns in the Internet age.

Klayman v. Obama Preliminary Injunction of NSA Program

Judge Richard Leon in the District of Columbia federal court has again issued a preliminary injunction against the continuation of the NSA bulk telephony metadata collection program.  The bulk collection program is set to expire on November 29, 2015 under the USA FREEDOM Act, so the injunction in this case will not have long-term impact.  Judge Leon’s reasoning, however, could be important to the evaluation of future government data collection programs.  As Judge Leon stated in his November 9, 2015 Memorandum Opinion, this

will not . . . be the last chapter in the ongoing struggle to balance privacy rights and national security interests under our Constitution in an age of evolving technological wizardry.  Although this Court appreciates the zealousness with which the Government seeks to protect the citizens of our Nation, that same Government bears just as great a responsibility to protect the individual liberties of those very citizens.

Mem. Op. at 42.  The first portion of Judge Leon’s Opinion addresses the plaintiffs’ standing to challenge the NSA program.  I will address the standing issue in another post.

On the likelihood of success on the merits, Judge Leon found that the plaintiffs likely will be able to prove that the NSA bulk collection program violates the Fourth Amendment.  According to Judge Leon, plaintiffs “have a very significant expectation of privacy in an aggregated collection of their telephony metadata,” the government’s intrusion on that interest is very broad, and the government has not shown the program has successfully fulfilled the goal of protecting the nation from terrorism.  Mem. Op. at 28-37.  Judge Leon also found that the plaintiffs likely would suffer irreparable harm absent a preliminary injunction and that the public interest favors injunctive relief.  Id. at 37-42.

One notable aspect of Judge Leon’s Opinion is his discussion of expectations of privacy in relation to mobile technology.  He suggests that “Americans’ constant use of cellphones for increasingly diverse and private purposes illustrates the attitude with which people approach this technology as a whole” and that “a person’s expectation of privacy is not radically different when using his or her cellphone to make a call versus to check his or her bank account balance.”  Id. at 29.  Moreover, Judge Leon notes, mobile devices are a necessary part of modern life and therefore entail stronger expectations of privacy than high-security environments that most people enter only occasionally, such as airports.

Another notable aspect of the Opinion is Judge Leon’s often colorful descriptions of the NSA program and the government’s arguments in its favor.  Here is a sampling:  the bulk data collection program “is a sweeping, and truly astounding program that targets millions of Americans arbitrarily and indiscriminately” (Id. at 31); it is “absurd to suggest that the Constitution favors, or even tolerates, such extreme measures!” (Id. at 32 (exclamation point in original)); the government’s evidence in support of the program’s efficacy is “[n]ot exactly confidence inspiring!” (Id. at 35 (exclamation point in original)); “the Government . . . suggests that this Court should defer to [its] judgment . . . Please!” (exclamation point in original); “the Government incredibly argues that the [newly added] plaintiffs’ claim of irreparable harm is necessarily undercut by their more than two-year delay in joining this suit . . . . Come on!” (Id. at 38, n. 22 (exclamation point in original)); the government argues that the Court must “defer to Congress’ ‘determination’ that continuing the Program during the 180-day transition period is the best way to protect the public interest. . . . Not quite!” (Id. at 39 (exclamation point in original)); “Congress, of course, is not permitted to prioritize any policy goal over the Constitution . . . .  Nor am I!” (Id. at 40 (exclamation point in original)); “[t]his Court simply cannot, and will not, allow the Government to trump the Constitution merely because it suits the exigencies of the moment” (Id.).

Earlier today, Judge Leon denied the government’s emergency application for a stay of the preliminary injunction pending appeal, and the government filed an appeal with the D.C. Circuit.

klayman.pdf: https://drive.google.com/file/d/0BzS0leqU862xNm1BRDVyQ2VfTEk/preview?usp=drivesdk