Congress and Supreme Court face tough tests on privacy and security
The line between security and privacy is difficult to draw. However, it must be drawn and regularly redrawn as circumstances and the world change. At the same time, overdrawing the line, or drawing it in a vacuum, can cause the delicate balance to tip in a way that undermines both privacy and security.
Congress and the Supreme Court face similar, momentous questions this fall, namely whether Americans, by speaking or even just carrying their phones, give up some measure of their personal privacy for the sake of common security. Concurrently, Europe is getting ready to implement a sweeping new data protection regulation, one that will impact the balance between privacy and security in the United States and may set up a conflict of laws that ensnares U.S. companies and authorities alike.
{mosads}Up first is Congress, who has the urgent task to reauthorize a key surveillance authority by the end of the year. Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the government to collect on foreigners abroad, but it inevitably sweeps up U.S. person data, including the content of calls. Once that data is collected, the FBI has been allowed to sift through that data using U.S. person identifiers like names or phone numbers. But Congress can change that.
Outlawing incidental collection outright would cripple the program. After all, people don’t talk to themselves on the phone, and the government can definitively know if both parties to the call are non-U.S. persons only by being even more privacy invasive and overly cautious. Also, simply proscribing the pinging of Section 702 data with U.S. person identifiers jeopardizes the ability to find out who may be victims of attacks. After all, schools, places of worship and corporations can all be U.S. persons.
But the choice is not binary. There are privacy enhancements that do not overly detract from legitimate security interests. Congress will just have to engage in careful, bipartisan negotiation to find them. The Senate Intelligence Committee, for example, has proffered a reauthorization proposal, while requiring only after the fact court permission for the use of any hits from U.S. person queries of Section 702 data.
The House Judiciary Committee has proposed its own reauthorization bill, which would require the FBI to obtain a warrant before reviewing any incidentally collected U.S. person data. Privacy advocates criticize the Senate’s proposal as being insufficient, while law enforcement criticizes warrants as overly restrictive. Nonetheless, just as with the contentious reauthorization of FISA Section 215, the “telephone metadata” program, effective compromise is attainable and must be the goal.
The Supreme Court is not waiting around for Congress to draw its line, and appears poised to draw its own line between privacy and security. In Carpenter v. United States, the FBI collected the defendant’s cell site location data without a warrant and used the data to ultimately convict the defendant. The legal question before the Court is whether the warrantless collection of this non-content information is permissible under the Fourth Amendment.
But the larger question is what is privacy in today’s digital age and if technology can be used to commit crimes, why can’t it be used to solve and prevent crimes? Traditionally, once you hand over private information to a third party, such as a wireless carrier in this case, it ceases to be private. But, is that a reasonable rule when so much of what we do, what we say, and where we go is done through our phones?
The court, by taking this case, has signaled a desire to answer these momentous questions, but it must be careful lest its decision in this case have wider, potentially unintended consequences. Since incidental collection can also be considered a form of third party collection, the court’s decision, if drawn too broadly, could bind the hands of Congress in the Section 702 context. Even if the court confines its ruling to non-content information, it could imperil the Section 215 metadata program, which directly relies on the third party doctrine.
The cautionary tale of potentially overdrawing lines and legislating in a vacuum, are playing out with the European Union’s General Data Protection Regulation, set to take effect next year. It will require specific, informed and unambiguous consent to the processing of a European subject’s personal data. While certainly a boon to privacy, what will happen when a European country asks the United States for support in tracking down a common adversary?
How can Europe send raw data to the United States to leverage its analytic capabilities without getting the specific consent of the potential bad actor? The same restriction may apply when the United States requests information on a potential European citizen who may be planning an attack in the United States. Additionally, for U.S. companies, responding to U.S. lawful requests for data could run afoul of the General Data Protection Regulation, with potentially steep penalties.
Ultimately, there is no privacy without security, and no security without privacy. It is about striking the right balance, which changes over time. And, it is about taking care not to overdraw lines, or operate in a vacuum. Today’s digital age is defined by complexity and interconnectivity, so the process of line-drawing, while essential, must never be overly simplified or isolated.
Michael Bahar is leader of the U.S. cybersecurity and privacy team at Eversheds Sutherland. He previously served as staff director and general counsel to the minority staff of the U.S. House of Representatives Permanent Select Committee on Intelligence and as deputy legal adviser to the National Security Council under President Obama.
Curtis Arnold Jr. is an associate at Eversheds Sutherland. He represents clients in commercial litigation involving privacy, cybersecurity, financial services, insurance, consumer finance and internal investigations.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.