ECURE 2004 Prenote Address

David Sobel Pre-Note Presentation

ECURE 2004

Arizona State University

Tempe, Arizona

March 1, 2004

Thank you Rob, and good evening to everybody. Thanks for coming. I hope this talk will be a good starting off point for your discussions over the next couple of days. It's actually nice to talk about technology sometimes, rather than use it. I spent the better part of today dealing with the new federal court system's electronic case filing system. Over the last couple of years the federal court system has moved away from paper-based filing to an Internet-based electronic filing system, which is fine if you're in your office and you have your Internet access, but when you find yourself traveling and need to file something in this system it can be a little bit difficult. And I spent the better part of the day trying to file a three meg exhibit over a twenty-eight eight dial up connection. So as I say, it's nice to just talk about technology a little bit because sometimes using it can be a little bit frustrating.

You see the title of my talk, I guess this is already violating one of Rob's rules because the PATRIOT Act is actually an acronym, and it's such a tortured acronym that I never remember what it is. I know that the PAT stands for "protecting against terrorism" and I can never remember what the rest of that is so, my apologies for that. Actually it's even a longer acronym, the full name is the USA Patriot Act and the USA is actually "uniting and strengthening America", etc, etc. So my apologies for that.

I spoke about the PATRIOT Act when I was last here a year and a half ago, and at that point the legislation was only about a year old. And I think there were certainly a lot of questions at that time as to how these new authorities and powers that were given to the government to access information were going to play out. I would have thought that a year and a half later I would have been able to give you some specific examples, but as you're going to see through this presentation we really don't know a lot more about the operation of the PATRIOT Act than we did back then. What is notable however is that although there is still a lack of public information on how the act is being used, the debate on the legislation is starting to be much more relevant because several of the more controversial provisions of the PATRIOT Act are set to sunset at the end of next year in December oh five and you might have heard in the President's State of the Union Address that he has already called for the renewal of those authorities that are set to sunset. So I think we're now coming into a period where there is going to be a renewed public debate on these issues. And unfortunately from my perspective we still are not really well-positioned to have a really good and informed public debate. So as I say that's going to be one of the themes that I'm going to address.

The starting point when we talk about these issues that are certainly in a lot of people's minds when we talk about government access to personal information, is thinking about the fourth amendment to the constitution. I think most people have the sense that the fourth amendment is pretty clear-cut and that it provides basic ground rules as to how the government needs to go about accessing personal information. Of course this is the text of the fourth amendment, and I don't think it's too much of a stretch to read this provision in the modern context, to extend to a lot of the kinds of electronic information that all of you deal with. I think the average citizen has a sense that when we're talking about these issues the fourth amendment is implicated and provides some protections. But that common understanding is actually wrong because going back to the seventies the Supreme Court in a series of cases dealing with the privacy of financial information that was held by banks found as the courts said that there is "no legitimate expectation of privacy", which is really the threshold issue in any fourth amendment analysis. There is no legitimate expectation of privacy in bank records. And you see this language with the court's rationale for that, and basically the court found that any information that an individual places in the custody of a third party doesn't implicate the fourth amendment when the government seeks access to that information from that third party. And this at least for the last almost thirty years has been the law and has really governed a lot of the issues that we're going to be talking about.

Now obviously over the last thirty years one of the things that we've seen is the technological revolution in information, where an increasing amount of information is in some way or another held by a third party. So much, so many of our transactions occur electronically and so much information is stored electronically that there are all kinds of entities today that really stand in the same place that a bank was standing back in the time that the Supreme Court decided the Miller case. So for that reason the fourth amendment is pretty much out of the analysis, and I think that has some very serious implications. Many of us who deal with these issues have really argued that at some point in the future there might be a need to basically bring a test case to the Supreme Court that would allow the court to revisit these issues in this new reality that I mentioned in terms of the technological decentralization of information. But that has not happened, I think there's some question as to how the court, particularly in the current context of the war on terrorism, would look at those issues if they did revisit it, but in any event I think it's important to keep this decision and this precedent in mind as we discuss these issues.

So as a result of the Supreme Court's analysis of the fourth amendment when it comes to information entrusted to third parties, the privacy protections that exist if any, in any particular type of information, are really left to Congress to legislate. And in reaction to the Miller decision Congress did create certain procedural protections for financial information when it enacted the Right to Financial Privacy Act in 1978. Although this was an example where Congress acted in, from my perspective, a positive way to protect privacy and to attempt to replace some of what the Supreme Court had taken away in the Miller case, it also means that the Congress is silent, or worse, the Congress creates some right of the government to access personal information without complying with the warrant requirement or the specificity requirements of the fourth amendment, then that's really the status quo. That if Congress doesn't provide specific protections they just don't exist.

So that really is the background that brings us to the PATRIOT Act. And the PATRIOT Act, as you probably know, is a massive piece of legislation. It runs through several hundred pages, covers a lot of ground, and frankly most of the provisions are not particularly controversial. They have to do with the things like devoting more resources to language translation capabilities within the law enforcement and intelligence agencies. Better information sharing and information processing within the government. But I'm really going to focus on the provisions that have been controversial, and for the most part I think this is a good overview of generally what the controversial provisions do.

First of all they expand the government's ability and authority to obtain a wide range of personal information. At the same time the PATRIOT Act really limits the role of the courts, in some cases in approving these government efforts to obtain information, and also limits the court's role in overseeing what the government is accessing and what it's doing with it and trying to provide some measure of accountability into the process of government data collection. And finally, and this is an issue that I have dealt with quite a bit, there is secrecy that comes with many of these powers that really limits the ability of the public to oversee and understand exactly how the government is using the powers, and also it limits the ability of both the public and the record keepers, who are the recipients of government requests. It limits the ability to actually challenge requests that might be perceived as overbroad.

So as I'm going to discuss, you typically in the course of a criminal investigation or anti-terror investigation think of a request being directed towards information about one specified person. You would normally think of a subpoena or a search warrant naming the person that the government has an interest in. But increasingly that's not the case. These requests under the PATRIOT Act have the ability to be more generic, so that for instance one of the big points of controversy has been the impact on libraries and bookstores. If the government has an interest in knowing generically who has looked at a particular book in a library, or who has accessed a particular type of information, without knowing the identity of the person that the government might be interested in, but really casting a much wider net and wanting to have a list of people. So because of the secrecy that surrounds this process, when that library or when that bookstore, or when whatever third party it is, is served with this request, their ability to challenge that request that they think is inappropriate, has been limited under the PATRIOT Act.

By the way I am going to reserve time at the end to take questions and get your comments, but as I'm going through this discussion if there's anything that you would like me to clarify, please feel free to do that.

I think probably the most controversial provision of the PATRIOT Act is Section 215, and this is the one that has raised questions in terms of its impact on libraries and bookstores. And I think the reason why that's been a focus of controversy is those are really unique types of third parties who possess personal information. Librarians and booksellers have always felt that they have some ethical obligation to their patrons and customers to preserve the confidentiality of what they're reading, so that's really what the lightning rod has been. But Section 215 doesn't obviously specify libraries or bookstores or any other type of entity. Rather it refers to the ability of the FBI to get an order that requires a recipient to produce any tangible things (including books, records, papers, documents) for an investigation to protect against international terrorism or clandestine intelligence activities. Now as I said, what's lacking here is any requirement that there be any specific reason to believe that the particular individual or a particular individual is the subject of this investigation. So you look at that language and you think about a situation for instance like the anthrax attacks a couple years ago. I don't think it's too far-fetched to assume, although we don't know, because of the gag order provision which I'll talk about in a minute, but I don't think it's too far-fetched to assume that the government in the context of that investigation, might have gone to the host of a particular website, or maybe even a site like Amazon.com, to gain information about people who might have looked for particular chemistry information, or any type of information that the investigators believed would have been of interest to the perpetrator of the anthrax attack. So I think with that very real situation in mind you can kind of understand the potential threat of an authority like this.

Now as you can see Section 215 of the PATRIOT Act also includes this gag order provision that prohibits the person who is served with the order from disclosing the fact that they've been served with the order. So this really creates a situation as I said where first of all it's very difficult for the recipient to challenge the order, certainly to challenge it in the court of public opinion. And it's also very difficult if not impossible for the public to have a real sense of how broadly this authority might be used.

Now, going back to what I said about the modern technological environment, obviously there's a very broad range of information out there in databases in the private sector that this authority could extend to. And these are just some examples that the Attorney General, in congressional testimony, identified, so you see that particularly, a couple are probably of particular interest to this group, educational records, library records, so the scope of this is very broad. And I think anyone who is in the business of collecting and maintaining records needs to be aware of the fact that when information is sitting on a server or sitting on a database it's very hard to predict whether or not at some point in the future, that information for reasons that obviously can't be foreseen, might become of interest in the context of some government investigation.

I should also mention because of the nature of the work that many of you do, that there's also a specific provision in the PATRIOT Act that deals with educational records.

And obviously I'm sure you're all familiar with FERPA and I believe FERPA is a topic that will be covered during the course of the conference, and most of you probably know more about FERPA than I do, but I'll just point out to you that one of the provisions, Section 507 of the PATRIOT Act, to some extent overrides the otherwise applicable privacy protections that are contained in FERPA. So I think particularly in the context of foreign students and their records that are held by universities, that these are also likely to be issues that are not going to go away anytime soon.

Now the government's defense of the authority granted under Section 215 usually includes the fact that the orders authorized under Section 215 do have to be approved by a court. Now it's not just any court, it's not an ordinary court, it's the secret and not very well known Foreign Intelligence Surveillance Court, which sits in Washington and which only hears requests from one party, which is the FBI, and issues these secret orders. So the government's defense of the PATRIOT Act Section 215 authority is usually, "Well it's not as if we're just unilaterally issuing these orders, we do have to get an order from the Foreign Intelligence Surveillance Court".

Well there's also an authority that has existed for a long time, and which is expanded under the PATRIOT Act, which is called a national security letter. And this is unilateral within the FBI and the Justice Department. This is basically an administrative subpoena that allows the FBI, again unilaterally, to request from businesses records involving a specified class of activity, which includes telephone and internet activity, financial data, again having some bearing on counter-intelligence or terrorism. Again like Section 215, the national security letters are secret and the recipients are prohibited from disclosing the fact that they have been received. And as I said at the outset they're entirely internal within the FBI with no judicial authorization or oversight.

As I said the PATRIOT Act expanded the already existing national security letter authority, by removing the requirement that had existed previously, that the FBI in order to issue one of these letters, had to possess specific facts that linked the subject of an investigation to a foreign power. In other words there basically had to be an allegation or some articulable reason to believe that this person was a foreign agent, that they were working on behalf of the Chinese government, or the way that foreign power has been defined it doesn't even have to be an organized government. Al Qaeda would qualify as a foreign power for this purpose, and that was prior to the amendment containing the PATRIOT Act. At least some limitation on the potential impact of a national security letter on the average person, on the average American, so that in that context these broader requests for information that didn't specify a particular person but identified a particular kind of activity. So in this context information about everyone who has called a particular phone number for instance, with no indication that everyone who would end up on that list might actually be a foreign agent. Since the PATRIOT Act in the recent 2004 Intelligence Authorization Act the definition of financial institution has been expanded to include insurance companies, pawn brokers, precious metal dealers, the Postal Service, casinos, travel agencies, etc. So I think the point to come away from this with is that what we're seeing is a trend of continuing to expand both the government's authority to seek information and also the categories of information that can be obtained.

As I said it's very difficult to have an informed public debate on these issues without knowing the facts, and I would really prefer to be in a position where I could show you some statistical information on how often these things have been used. How often Section 215 orders have been issued, how often national security letters have been issued? But the Justice Department has been very consistent since the passage of the PATRIOT Act, in resisting any public disclosure of even that kind of basic statistical information. My organization along with the ACLU submitted a Freedom of Information Act request a couple of years ago asking for that kind of basic statistical information. The government, as I said, declined to release it. We initiated litigation under the Freedom of Information Act, and we lost. This is basically what the court concluded and I think you can see from that language that the court was not happy about finding itself in a position where it was really legally constrained to rule in favor of the Justice Department. But the fact is that when the government classifies information courts really do have their hands tied and it's extremely difficult for a federal court to overrule a government determination that for reasons, as the government always tells the court, that the court can't really appreciate, this information cannot be made public. So in this case that refusal to disclose statistical information was upheld, and for that reason we don't have the kind of information that I'm talking about, that would provide us with some greater sense of how much of a problem this is or isn't.

This is just an illustration to give you a sense of what we did receive back from the Justice Department during the course of this Freedom of Information Act litigation. This is a listing of, as it says, transactional records national security letters since October 26, 2001, which is the day the PATRIOT Act was signed into law, and this is one of six pages. This was a six page list, and this was produced back in January of oh-three, so it was just about a year's worth of activity. So I think you can see certainly with respect to the national security letters that it's not a rare occurrence.

[inaudible audience question]

Well I think you can extrapolate. You can say that there's a six page list that you know has been blacked out and you can come up with a rough estimate of how many might be there. Now this is a, this is the list of Section 215 business order requests, which I'll explain in a minute because we have recently learned a little more about the way to interpret this document. But that's obviously a smaller number. Now you could take some comfort from that, except in reference to the national security letter list, because remember the business record orders under Section 215 of the PATRIOT Act do require judicial authorization by the Foreign Intelligence Surveillance Court, the national security letters are entirely unilateral, so you might be able to take something away from that, that maybe wouldn't make you feel that comfortable.

All right, so there obviously as I said has been a longstanding controversy over this issue and the Justice Department and the Attorney General finally got tired of being hammered with the claims that no one knows how often Section 215 has been used, so last fall the Attorney General sent this memorandum to Director Mueller, the head of the FBI, declassifying the classified number of how many times Section 215 has been used. And he concluded by saying the number of times Section 215 has been used to date is zero. So, going back to the document I showed you a minute ago, which obviously had something on there, apparently the answer to that discrepancy is that, that was a list of requests that field offices around the country had submitted to FBI headquarters asking the Bureau headquarters to go to the Foreign Intelligence Surveillance Court and obtain the orders. And apparently what this means is that headquarters said, "no, you haven't made the case" or "we don't want to go to the Foreign Intelligence Surveillance Court". But for whatever reason as of at least this past fall no Section 215 orders had been issued by the Foreign Intelligence Surveillance Court. So again you might say well that's reassuring and I guess a lot of these concerns have been hyperbolic and there's really nothing to worry about, but the little information that does appear on the public record would raise questions about that.

I don't know how many of you heard about this episode that occurred in Las Vegas at New Year's, but this is an excerpt from a news report in the local Las Vegas newspaper that reported that the FBI had obtained information on hotel visitors and airline passengers staying in or going into Las Vegas. The FBI confirmed it, they referred to it as a normal investigative procedure, and the story goes on to say that we're talking about approximately 300,000 visitors a day. So obviously this is a large amount of information that the FBI characterizes as a normal investigative procedure. So, again to an audience of people who maintain large amounts of personal information or deal with databases, I think something like this has to give you pause, and this also raises the question of well what was the authority? We've already been told that, well timing-wise maybe we don't know that this wasn't Section 215, because of course the Attorney General said the number was zero in I think it was September, and this just happened at the end of December. But probably national security letters is a better example or a better possibility, or the possibility of voluntary disclosure by these businesses. I think you can all foresee a possibility where the FBI comes to hotel operators and airlines and says, "You know we could issue a national security letter" or "We could go to the National Foreign Intelligence Surveillance Court but we'd really prefer just to do this in a voluntary way". But again these are the kinds of issues that I think are important for the public to be informed of and being able to engage in a public debate on these issues but at this point we are really left to little snippets of information like this and really just having to speculate as to what the basis for this really was. Whether there were legal procedures involved or whether it was just a voluntary disclosure. 
So that really is the state of play right now in terms of the public understanding of how these authorities are being used.

Now even more recently and again specifically in an academic context, there was this curious story that arose at Drake University in Iowa a few weeks ago, where the university was served with a subpoena for information about students who had been involved in an anti-war conference on campus. And the university objected and some accommodation was made. I actually think this situation is still unfolding, so I can't really tell you how this ultimately ended up being resolved. I believe even though the subpoena was withdrawn but this other order was issued, I believe there are pending legal proceedings to determine whether or not the university is in some form or another going to be compelled to disclose this information. This also goes back to the point that I made earlier about the PATRIOT Act provision Section 507, which loosens the protections of FERPA. I said when I talked about that, that that had obvious implications for foreign students, but I think an example like this shows that even US citizens on campuses who are engaged in activities that might be of interest to the government could also be involved in those types of issues that normally would have FERPA protection, but maybe in the current environment post-PATRIOT Act, wouldn't.

Now I want to focus on a particular area of government information acquisition that my organization has been involved in looking at quite a bit. And that has to do with the government's growing interest, obviously and understandably since September 11th, in aviation security issues and information about airline passengers. You might recall that last fall, I believe it was September, there was a very big controversy when it was disclosed that Jet Blue Airways had shared with a defense contractor information on several million of its passengers as part of a research project that the defense contractor was doing for the Pentagon. The specific nature of the research has never been particularly clear, but in any event that incident really created an uproar concerning the issue of the privacy of airline passenger information. My organization had through Freedom of Information Act requests that we had been doing for the last couple of years. We had seen some indications that the NASA Ames Research Center in California had been requesting from Northwest Airlines, passenger data for Ames to use in some type of passenger screening research. After the Jet Blue incident we followed up on that, made a specific request to the Ames Research Center, and in mid-January received documents back that confirmed that yes, not only had Ames requested the information from Northwest but that they had actually received it. And it was three months of passenger data involving upwards of ten million passengers. And you see, this is an excerpt from one of the email messages that Ames disclosed to us. This was an email message from the researcher at Ames who had actually received the passenger information, back to the person at Northwest who has provided it. 
And you see that he tells him that NASA's data mining for aviation security did not receive any oh-three funds, my interpretation is that NASA management decided that they did not want to continue working with passenger data in order to avoid creating the appearance that we are violating people's privacy. You may have heard about the problems that Jet Blue is now having after providing passenger data for a project similar to ours. And then he says I would like to return to you the PNR passenger name record CD's that you loaned us, where should I send them?

One of the interesting things about this is that NASA sat on this information for two years and it wasn't until two days after the Northwest story was in headlines all across the country that they decided they didn't need this data anymore, and they were ready to return what had been loaned to them. So this I think was another interesting example of an entity that was obviously in a position to collect and maintain a very large amount of personal information, voluntarily sharing it with the government. So here we're not even talking about the PATRIOT Act or national security letters. This is a situation where an entity decides to share information with the government.

You know, we can debate the appropriateness of that. In fact there is now a proceeding that has resulted from this incident at the Department of Transportation, and just on Friday Northwest submitted its legal argument to the Department of Transportation explaining why it should not be fined or otherwise penalized because of this incident, and Northwest said "Look we were just doing our duty, it was soon after September 11th, we are an industry that saw itself as being particularly vulnerable. The government came to us and said they wanted to help us work collaboratively on security issues so we shared it." Well maybe that's legitimate, but the problem with that was that Northwest had a privacy policy that ensured confidentiality of this information to its passengers. It didn't say we might share it with the government for security reasons. And in fact to really add insult to injury, after the Jet Blue disclosure in September it was Northwest's CEO who was quoted in a couple of newspaper articles as saying that "This is something Northwest would never do, we value and protect the privacy of our passengers."

So in any case I think this is a very interesting issue that could be debated both ways, but as I'll turn to now, this is not an issue that's going to go away anytime soon. As you might know the Transportation Security Administration for the last couple of years has been engaged in developing a system that's known as CAPPS II, I'll make sure I explain what the acronym is: that stands for Computer Assisted Passenger Pre-Screening System. And the two designates the fact that there is already a CAPPS I that is seen as being largely ineffective, so this is an enhanced version of that system that TSA has been developing in order to pre-screen passengers to assess any security risks that they might pose.

Now basically what CAPPS II will do is it will, before any passenger boards the plane, there will have been a background check conducted on that individual. And I won't go into a lot of detail unless you want to talk about it a little more in the discussion period. But first it will do some database checking to verify the identity of the person, then it will go to other sources of information that the government is not willing to describe or disclose, that would be used to assign a security risk score to each person. And depending on the outcome of this process each passenger as they get to the boarding gate would generate either a green light, which means OK, a yellow light, which means that they would be taken aside for additional security screenings, or a red light which means they're not going to get on the plane and they're going to be detained in some way.

Now one of the main sources of controversy with this has been that this is a classified system. TSA back in August published a Privacy Act notice, which is the general requirement that's placed on federal agencies to publicly explain the databases that they're creating that contain personal information. In that Privacy Act notice TSA designated this system as classified, and one of the results of that is that the sources of the data that are going to feed into this system are not going to be published. You know I think in the context of what we talked about before, when you see all of these potential sources of information that the government does have available to it, I think it's likely that those kinds of sources, whether it's Las Vegas hotel records or whatever else it is, information gleaned from national security letters, we really don't know. Again a large part of the problem here is just the lack of public information.

There are obvious due process and accuracy issues involved in a system where the affected passengers will not be told why it is that every time they go to the airport a yellow light goes off. Maybe there's inaccurate information that the government is looking at. But if the passenger isn't being told what the basis of the security score is, they're not going to be able to address the accuracy issue, and of course this is a basic fair information practice which is generally embodied in the Privacy Act. But one of the things that TSA did in its Privacy Act notice was to exempt itself from the access and correction provisions of the Privacy Act, so passengers won't have the ability to ensure accuracy. There are also obviously due process issues when the government is taking some action against somebody, designating them as for some reason suspicious, and not providing them with an opportunity to challenge that determination, or to even know what the basis of that determination is.

Now the General Accounting Office was directed by Congress in the Homeland Security Authorization Bill that passed last fall, to conduct a study of the CAPPS II program as a condition for any additional funding for the system to go forward. And I think it's fair to say that it was a fairly scathing critique of the CAPPS II system. GAO concluded that TSA to date, again nearly two years into the development of this system, has failed to address the privacy and what it referred to as "redress" issues, these are basically the accuracy and due process issues that I mentioned. And I think the real question that you have to ask if in fact this approach of conducting in effect secret background checks on people to determine who poses a security risk; if this goes forward in the aviation security arena I think there's a very interesting question in terms of how far it might be extended into other areas. Train travel, getting on the subway in cities like New York and Washington. I think you can come up with a lot of other scenarios where if the government has this capability in place and it's being used in airports, there's going to be a natural tendency in what we refer to as "mission creep", to expand to additional venues. So that's one very interesting and serious question that arises.

And then finally and this really ties into all of the issues surrounding the PATRIOT Act and national security letters and all of the information acquisition issues, where is the data going to come from that feeds a system like this? You might recall that Admiral Poindexter soon after September 11th went to the Pentagon and proposed a system there called "Total Information Awareness" which Congress has since killed because it was really so over the top. But basically that concept that Admiral Poindexter was pursuing was that if the government could just have access to a vast amount of information and then develop the technological capability to data mine it and analyze it, Poindexter's theory was that through this mass of data you would be able to find aberrational activity that would help the government locate people who were potential terrorists or otherwise provide security risks. So although the Total Information Awareness project in name has been terminated I think this is still a concept that is out there and I think the CAPPS II program is a somewhat less ambitious application of the same kind of approach. And as I said I think there remain real questions as to where this information to feed a system like this would come from.

So I'm going to stop at this point. I have probably, or at least hopefully raised some questions in your mind. So let me stop at this point and see if you have questions and/or comments.