Published by The Lawfare Institute
in Cooperation With
The life of every person in an advanced industrialized country is a mosaic of digital information stored on public and private computer servers around the world. Most of the tiles of your own personal mosaic do not reside in your hands. They consist of the electronic fingerprints you leave with increasing frequency over the course of your day-to-day life on computers controlled by third parties: They are the web sites you visit, the toll-booths you pass through, the purchases you make online or with credit cards, the prescriptions you fill, the phone numbers you dial, the emails you send, the library books you take out, the specific pages you have read on your Kindle, the restaurants at which you eat, the photos you post on Facebook, and the photos that others post of you. One can learn more about the average person by taking a comprehensive look at his or her mosaic than by rifling through that person’s desk or underwear drawer. Yet our mosaics are composed largely of information that receive dramatically less protection in law and custom than do our homes, cars, and effects. And here’s the rub: Each individual’s mosaic—composed, as it is, of the transactions and data that make up his life—is itself only a single tile in the much larger mosaic that makes up modern society and its behavior. That larger meta-mosaic too is being stored, retained, and constantly processed by government, companies, and individuals. The use of the mosaic often works for the individual’s own protection—to keep terrorists off of airplanes and to keep credit cards safe from identity thieves—but it can also turn against the individual. The mosaics of non-terrorists keep them off airplanes and out of jobs, for example, and prevent them from getting credit or other benefits. As a society, we have yet to write coherent or sensible rules governing either a person’s own mosaic or the super-mosaic, which constitutes the richest portrait of the collective behavior of a culture ever assembled in the history of the world. In many respects, we have yet to develop even an intellectually compelling way of thinking about the individual and societal interests in amalgamations of non-sensitive trivia which cumulatively paint an intimate portrait. We tend to think about mosaic data in terms of privacy, but this vocabulary does not work well. Much of the material that makes up a person’s mosaic involves records of events that take place in public, not in private. Driving through a toll booth and shopping at a store, for example, are not exactly private acts. Only a small fraction of the information in any individual’s mosaic is plausibly protected by the Fourth Amendment. Much of it, by contrast, is not protected by any law at all. In this paper, we look at one corner of the problem of regulating the mosaic—the problem of access by government investigators to individuals’ personal data stored in the hands of third parties. Given the intellectual difficulty of the broad problem of mosaic data, it is perhaps no surprise that our laws in this area are an incoherent mess. The government’s authorities to collect the components of a person’s mosaic are multifaceted, bewilderingly complicated, and analytically inconsistent with one another. Government has a bizarre array of collection authorities that operate under wildly different standards for different types of data. If we are going as a society to develop intellectual and legal strategies for regulating personal data in a pervasively digital society, rationalizing the laws under which government investigators can gain access to individuals’ mosaics is a good place to start. Shortly before he became assistant attorney general in the Department of Justice’s National Security Division, David Kris—writing on the modernization of national security surveillance—posed the question of whether the government’s national security collection authorities could stand a radical simplification. While acknowledging that the amendments Congress passed to the Foreign Intelligence Surveillance Act (FISA) in 2008 were necessary, Kris worried that the accretion of changes to the FISA over the years had left it relentlessly complicated and thus difficult to apply. Because of its stubborn complexity, he worried, only a tiny coterie of intelligence and legal professionals fully grasp the revised law. Kris wondered whether its ever-increasing density would ultimately serve badly both the needs of government and the civil liberties of those on whom government sometimes wishes to spy. “FISA has always been an arcane and difficult law,” Kris wrote, “but [the new amendments’] intricacy risks confusing the government officials who must apply it, often under substantial time pressure. That can lead to errors of both major types: improperly acquiring communications in a fashion that undermines liberty and privacy and improperly refraining from acquiring communications in a fashion that undermines security.” Kris concluded by imagining in broad strokes what he termed “a simpler world in which national security investigations are governed by only two major collection statutes.” Kris’s observation about FISA actually applies more broadly and highlights a more general problem with the law under which government agencies collect information about individuals. The complexity of the many statutes making up that body of law guarantees a measure of confusion on the part of government, industry, civil liberties groups, and citizens as to the circumstances in which government investigators of various types can and cannot obtain information of various types about people of various types. This complexity in the broader system makes errors likely both in the sense of over-collection and in the sense of under-collection. More fundamentally, our approach to the shielding of information from government and the availability of information to government reflects no consistent set of policy or philosophical judgments. Considered as a whole, which they very seldom are, these laws reflect few analytically cognizable principles. They are, rather, a haphazard patchwork of authorities and restrictions pieced together over time with different concerns paramount at different times and with very little consideration of the interaction of disparate rules with one another. The degree of protection afforded any given class of information may or may not have anything to do with how sensitive that information is. In some instances, relatively sensitive data receives irrationally little protection; in other instances, relatively trivial data receives dramatically enhanced protection relative to data that might seem much more sensitive to a reasonable person. What’s more, the laws often allow the government to obtain the same materials under numerous duplicative authorities using completely different instruments. The standards under which officials may obtain information using these disparate instruments may be similar to one another or may vary a great deal, depending on the authority in question and the type of investigation. To illustrate this point, consider a scenario that seems as if it would present a simple case: Government investigators in a criminal investigation wish to gain access to records proving that a given investigative subject rented particular videos from a particular vendor. On its face, the law appears to make this pretty difficult. Under the Video Privacy Protection Act, an investigator may only demand production of that record from the video rental agency with a court order, and a court may not order a video business to disclose rental records, unless law enforcement first shows that there is probable cause to believe that the records are relevant to its investigation. No similar law protects library records, book purchases, or music purchases, all of which prosecutors can obtain merely by asking for them or, faced with an uncooperative vendor, by asserting their relevance to an investigation and giving the vendor a subpoena. Even before proceeding with such a request, the government must notify the affected video customer about its inquiry, even if the notification will prejudice the government’s case. Yet this remarkably high degree of protection turns out to be something of a mirage. The apparently stringent statute also allows the government to seek the same records with a mere grand jury subpoena under the dramatically lower standard of asserted relevance to a criminal investigation—just like those library records and book and music purchases. Video records thus receive irrationally high protection relative to other media unless a grand jury happens to be sitting. What’s more, a different procedure entirely applies to stored email communications. Consequently, if investigators merely sought, say, the receipt emailed to the consumer from Netflix, and it sought that receipt from the Internet Service Provider, rather than the rental company, it could circumvent the video privacy law altogether. If the government wants to force a telecommunications company to turn over a subscriber’s emails, including such a receipt, then the legal standard will vary depending on what kind of computer the email is stored on, who holds the information, whether the email has been accessed or not, and the email’s age. To summarize the matters as simply as possible, if the government wants to obtain the record from the video rental company, it needs to demonstrate probable cause to a judge (if a grand jury is not sitting) or merely assert the material's relevance (if one is sitting); if it wants to obtain the receipt from the ISP, it needs a search warrant if the email is recent and unopened or a mere subpoena if it is stored in the cloud and is either opened by the user or more than 180 days old. If none of this makes much intuitive sense, you’re not missing some secret unified field theory that binds it all together. It simply doesn’t make much sense. The law often suggests a degree of protection utterly disconnected from the protection it affords to comparable data and on which it cannot in practice deliver and therefore does not deliver. It thereby marries obscurity with inconsistency; the principles supposedly guiding this area conflict with one another, and we’re not following them anyway. The system’s incoherence is growing more acute as a result of developments wholly unrelated to the legal architecture of surveillance law. Constant technological changes are ensuring that vast new swathes of personal information come within the coverage of existing collection laws. In the years following FISA’s passage, for instance, telecommunications companies began to send more telephone signals through undersea cables, and to rely less on satellite transmissions. The shift meant a spike in FISA’s application, because the law regulates wire communications more consistently than it does radio communications. Other statutes’ regulatory burdens likewise have swelled, as a consequence of the last decade’s surge in electronic activity—email, e-commerce, and social networking, to name but a few obvious examples. As more and more personal data gets transmitted, stored, and received, the stakes grow ever higher for the dense and badly-thought-through set of legal rules that govern governmental access to material in the hands of third parties. This fact is compounded by the ever-increasing government collection effort. Since the September 11 attacks, the government’s efforts to collect and process large volumes of information have increased dramatically—and rightly so. There is no comprehensive, unclassified account of these efforts, of how much personal information on American nationals and permanent residents the government has obtained during the last nine years, or even of how much it obtains daily. There is very likely no classified account either. But both because of the increased volume of stored information and because of increased investigative energy, the government clearly now acquires more personal information, from more sources, than it ever has before. And the scope of those collection efforts will only grow further. This trajectory will require more reliance on our flawed matrix of collection authorities, and a heightened risk of the problems Kris identified: inappropriate collection and use of protected data and inappropriate failures to collect information essential to securing legitimate government interests. All of which raises the broad question which Kris posed narrowly about FISA: Is it possible to imagine a simpler world in which government collection authorities reflect a coherent, mutually consistent set of principles? Our purpose in this paper is both to describe the incoherence of the system that has developed over time and to sketch a strategy for its radical simplification. We focus here on only one corner of the problem: Data about, owned by, or controlled by individuals yet stored in the hands of third parties. We do not treat in any detail either real-time surveillance under any of various statutes or searches covered by the Fourth Amendment. We are concerned here, rather, with government access to the mosaic, not chiefly with real-time communications—that is, with government access not to transient conversation but to the permanent fingerprints of proliferating types that people leave throughout each and every day. Our goal is not to review existing collection laws exhaustively, much less to offer a detailed roadmap to comprehensive reform. It is, rather, to describe the modern system of government collection authorities as a system, to ask whether it makes sense—or, more precisely, to identify the specific areas where it does and the other areas where it does not. Such an understanding of the system as an organism, we believe, gives rise to policy options towards a simpler, more integrated and philosophically sensible collection regime, one that ensures public goods to the greatest extent possible while identifying precisely the privacy and civil liberties interests it means to protect and then rigorously protecting them. Specifically, we mean to argue that American collection should be reorganized to accomplish three objectives: First, to protect more rigorously data making up the personal communications and materials of individuals stored in the cloud; second, to stop pretending to rigorous yet ultimately fictitious protections of routine transactional data of various sorts and to reorganize such protection to at once encompass a broader array of data and to design a streamlined and uniform administrative subpoena apparatus to give investigators access to such data; and third, to designate certain discrete types of transactional data as especially sensitive and warranting heightened protection.