Wednesday, March 06, 2013

Secrecy and federal court dockets: On the nuts and bolts of authorizing government surveillance

The second panel at the Yale Law School's March 3 symposium on Location Tracking and Biometrics focused on the question of "Phones and Mobile Privacy: Government Requests to Carriers." (Go here to see the video; the second panel begins at the 3:03:40 mark.)

Kevin Bankston, an attorney at the Center for Democracy and Technology, opened by recounting his "best week" as a lawyer in December 2010, which included the 6th Circuit Court of Appeals decision in US v. Warshak related to whether there exists a "reasonable expectation of privacy" for emails stored by third parties in "the cloud." The 1986 Electronic Communications Privacy Act (ECPA), which allows the government to access emails more than 180 days old without a warrant if they're stored by a third party, was held unconstitutional by the appellate court (though regrettably its holding only applies in that circuit).

In that ruling, the 6th Circuit offered up this observation which to me sums up the basis for reconsidering electronic privacy, not just for stored email but on location tracking and many other fronts: “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish.” (I would have added that, if the courts can't or won't do it, legislative bodies must.)

The Obama Administration did not appeal the 6th Circuit ruling, in Bankston's opinion because they feared that the Supreme Court might extend the precedent nationwide. The government argued it didn't need a warrant based on cases from the 70s based on third party doctrine - US v Miller (bank records) and Smith v. Maryland (pen registers) - and if SCOTUS agreed with the Sixth court's ruling it could have profound implications beyond just stored email.

Even though the 6th Circuit ruling applies only in that jurisdiction, Bankston said the result has been that several tech companies have begun asking for warrants every time the government requests stored content. He thinks we're getting close to "a de facto rule of warrants for content" nationwide, even though SCOTUS hasn't taken up the question. (That sounded optimistic to me, but I hope he's right.)

That same week, the 3rd Circuit declined to hold an en banc hearing on a decision by a three-judge panel which allowed (but did not require) magistrate judges to insist upon full-blown probable cause warrants for location tracking data. By contrast to Warshak, the 3rd court's ruling was "cabined and conditional." It provided no "new juice" at the legislative level for restricting location tracking and neither the government nor the cell carriers changed their practices as a result. Moreover, unlike the 6th Circuit case on stored email, the government hasn't been afraid to appeal rulings on location tracking when they lose (as evidenced by a case pending on the topic in the 5th Circuit, whose jurisdiction includes Texas.)

For many years, said Bankston, such orders were issued in secret. It wasn't until 2005 when Stephen Smith, a federal magistrate judge in Houston who was also on the panel, first denied one of these applications that anyone outside the government knew this was going on. (For more background, see Bankston's 2007 article, "Only the DOJ Knows: The Secret Law of Electronic Surveillance.")

In the past, the Department of Justice has claimed location tracking of cell phones was too imprecise to invade privacy and require a warrant, said panelist and attorney Stephanie Pell of SKP Stragies, since triangulation methods only allowed them to pinpoint a target within 100-300 feet. But with the advent of smart phones, the number of cell towers has exploded to accommodate vast quantities of data, and the rise of Femtocells (discussed earlier in this Grits post) mean that today location tracking is much more accurate. Bankston chimed in to say DOJ seemed to be intentionally pretending the tech hasn't changed, often citing to ten-year old studies that fail to address recent advances in location tracking capability. Pell contended that companies should be required to implement "minimization policies" to "make sure innocent third party data doesn't remain in databases" any longer than necessary.

Before last year, I'd never heard of Houston-based Magistrate Judge Stephen Smith, but let me tell you: He's a true judicial hero for anyone concerned about electronic privacy in the 21st century. Not only was Smith the first judge to insist on a warrant for location tracking of cell phones - a position that to this day has left him an outlier among his peers - it's one of his rulings that's currently on appeal at the 5th Circuit. He also has produced a couple of excellent papers on the subject that are both thoughtful and well-written.

Though he declined (as he should) to discuss the case pending at the 5th Circuit, Judge Smith lamented that there's "not really a body of law" surrounding location tracking of cell phones and other electronic devices. A few magistrate and district judges have offered up opinions, he said, but with virtually no appellate guidance. So in practice, each magistrate judge essentially becomes "the law unto themselves." With only a couple of dozen published decisions on the topic nationwide, he said, there's "no way of knowing" what the law really is.

Because of the secrecy surrounding them and the paradoxical nature of who has standing to challenge them, ECPA orders are rarely if ever challenged except by DOJ, said Smith. "The only party that could appeal won't and only party that would appeal can't." Magistrate judges typically seal such orders, he said, for very good reasons, at least on a temporary basis. The problem, he said, is that in most instances they're sealed indefinitely, after which the magistrate judge never sees the case again.

Under the federal wiretap statute, where the law is much better developed, the target can learn about the wiretapping after 90 days if the government doesn't ask to extend the seal. On location orders, Judge Smith seals the orders for 180 days, allowing the government to request an extension if need be. When I asked him how often the government empirically needed such extensions, he said that very few if any required secrecy past the one-year mark, by which time usually investigations had been closed and arrests, if any, had been made.

Judge Smith expressed concern that, if and when Congress does address the issue, they'll do so based on excruciatingly little empirical data. "There's no tracking mechanism," he lamented. On the federal PACER database tracking court decisions just notes orders for location data as a “sealed event.” There's "no way to track it at all. Congress not require courts to report that information." (For more background, see his paper "Gagged, Sealed and Delivered: Reforming ECPA's Secret Docket.")

Smith declared, provocatively, that "Magistrate judges preside over largest secret docket in America." Though much attention as been paid in the media to secret FISA warrants issued under national security auspices, their numbers pale in comparison to secret orders issued daily by federal magistrate judges. In its entire history, the FISA court has issued around 28,000 secret orders, he said. Magistrate judges, by contrast, issue  some 30,000 secret surveillance orders annually, the overwhelming majority of which will remain sealed forever. Elsewhere (see footnote 83), Smith has written that despite magistrate judges issuing "thousands" of orders for location tracking annually, the feds prosecuted just 255 cases relying on that information over a seven year period, raising the question, what in heaven's name are they're using the information for the rest of the time?

From a structural  point of view, said the judge, "secrecy is biggest problem with the ECPA." Most applications in his opinion don't need to be sealed - at most just redacted (for example, to conceal the name of an informant who might be endangered). Sealing should be limited in time and scope and courts should keep better track of what they're doing. He suggested that criminal cases need the equivalent of a "civil  cover sheet," a one-page summary document that describes what case is about, who the parties are, and other basic information. Smith argued the courts should require the same thing on warrants, as well as replacing the “sealed event” designation with a designation that actually describes the nature  of the order.

It would be neglectful not to mention that Judge Smith's heroic interventions on behalf of personal privacy have resulted in a rash of  judge shopping by Assistant US Attorneys (AUSAs) in Texas' Southern District. There are five magistrate judges in Houston, he said, and their duties related to issuing warrants and related orders rotates every two weeks. With the schedule mapped out in advance, each AUSA knows when Judge Smith will be on duty and they've begun avoiding asking for orders on his watch. For example, if applications for pen registers were evenly split among magistrate judges, each of the five would receive roughly 20% of them. In practice, though, Judge Smith gets 8-10% of pen register applications. "Judge shopping is an issue," he said.

Next up was attorney Ed  McNicholas, who represents cell carriers and tech companies on these subjects. He said, "There's a real desire by telecoms to have clarity" on these topics. He also pointed out that there are many other corporate entiities that gather personal location data, flashing up on the screen a stunning infographic (for more detail, see here) showing the byzantine ways in which such information is gathered.

Moderator Barton Gellman pointed out that, for consumers facing this array of corporate interlopers into their personal data, there's "No way of shopping for privacy" because companies don't disclose their practices. McNicholas, replied that "Microsoft is trying to market its privacy," citing their “Don't get Scroogled” ad campaign. But it remains to be seen how much traction it gets. The question is, "Will consumers buy it?" McNicholas argued that all tech companies - not just telecoms - should be subject to the same rules.

Bankston interjected to say that companies could play an important role simply by reporting publicly their  own standards, which can "help establish a norm." Right now, he said, there's no clarity on exactly what records are being gathered and we "don't have barest facts about what is being stored about consumers." The "heat right now is on content," he said, but location data has not received nearly the same attention. McNicholas added that the problem is exacerbated because most "tech companies have products even most of their employees don't fully understand."

See prior Grits writeups from the conference:
Next up: Bypassing the telecoms: 'Stingrays' allow direct government surveillance.

No comments: