Computers, Privacy & the Constitution

AasthaSailyFirstPaper 3 - 09 May 2024 - Main.AasthaSaily
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<

Colorability of the Government’s Access to Digital Personal Data
>
>

Colorability of the U.S. Government's Access to Digital Personal Data
 -- By AasthaSaily - 04 Mar 2024
Changed:
<
<
The regulatory and enforcement powers of governmental agencies and departments allow them to collect and store a lot of data about citizens as well as non-citizens. There are databases of tax records, legal records, licensing records, and records of government services received maintained by governments across the world. But the unwavering question about government surveillance is whether a government should be able to have access to the information that is not voluntarily disclosed by the people. By following the appropriate channels and for a particular reasonable investigation, definitely. But a government cannot have unbridled access to any or all our data, at all times and for all purposes. In the United States, this is purportedly guaranteed by the Fourth Amendment, which, put simply, protects people from “unreasonable” search and seizure by the government. Accordingly, the government is prohibited by law from asking for such information without probable cause and a judicial order. The contours of this prohibition were redefined in Carpenter, where the Supreme Court seemingly reaffirmed the privacy of American citizens in the digital age by clarifying that while the information disclosed voluntarily to others is not protected by the Fourth Amendment, the government needs a warrant to compel others to produce personal and sensitive data.
>
>
Governments love surveilling the people and they indeed do so, now unfettered. The traditional access route for data not voluntarily disclosed by the people is to compel disclosure of such data, either from the individual or the private sector. In the U.S., this compelled access is regulated by a handful of laws and mechanisms which, amongst other things, generally require an individualized, fact-based suspicion of wrongdoing. This is guarded by the Fourth Amendment, which, put simply, protects people from “unreasonable” search and seizure by the government. Accordingly, the government is prohibited by law from asking for such information without probable cause and a warrant. The contours of the Fourth Amendment protection were redefined in Carpenter v. United States, where SCOTUS seemingly reaffirmed the privacy of individuals in the digital age. But the decision was narrow, focusing primarily on cellphone tower location data, and the Court did not venture into other modes of data collection. This lack of legal instruction has contributed to the current status quo – another (arguably) legal access route for the government – commercial data purchases.
 
Changed:
<
<
Not really. In Carpenter the Court specifically doesn't do all that, by making some sort of strange rule about cellphone tower location data that it declines to apply to anything else.
>
>
Barring a few specific industries and types of institutions (such as the medical sector and financial institutions), voluntary disclosure of data by the private sector is not subject to legal restrictions. This has led to the explosion of a largely unregulated market of data brokers who buy, repackage and sell personal data, which is then referred to as “commercially available information” or CAI. Government agencies and departments are not blind to the availability of this information stream and have been capitalizing on it. Essentially, the governmental agencies do not request companies or data brokers for information under their search and seizure authority; rather, the government, like a customer, buys the data from them. In recent years, there have been unofficial reports and speculations that the various federal agencies and local police departments purchase data from a vast network of specialized data brokers to track the activities of individuals over time. For instance, a report suggested that federal agencies have been using commercial databases to obtain location data to detect undocumented immigrants and phone activities along the U.S.–Mexico border and combined with our surveillance tool, have used this information to track, arrest and even deport immigrants across the U.S. Last year, however, the government itself admitted to this practice in a declassified report published by the Office of the Director of National Intelligence. The report reveals that the government intelligence agencies acquire a significant amount of CAI for mission-related purposes, including in some cases social media data. Some of the government buyers include the Defense Intelligence Agency (contracting with LexisNexis); the FBI (contracting with a cybersecurity company for social media alerts); the Department of Homeland Security (using a clearinghouse to identify foreign researchers working in the U.S. who were tied to their home country’s militaries).
While technically, the blocks of information being sold are anonymized, it is understood that it is rather easy to deanonymize such data and link it to a particular individual.
 
Added:
>
>
Due to the “no-law” system adopted by the U.S. in respect of general data protection and privacy, the government is able to legally circumvent the Fourth Amendment and gain access to data, especially when obtaining such data would otherwise not withstand the “reasonable” standard. Since the parameters and particularities of the data obtained are not regulated, this practice (of data purchases) is not subject to the same judicial or other legislative oversight mechanisms to ensure that individuals’ civil rights and liberties are upheld. In addition, when the government buys data (as opposed to compelling disclosure), the typical democratic safeguards around retention, minimization requirements or standards, deletion and transparency are not applicable.
 
Changed:
<
<
But what if these others, like tech companies or cellphone companies are not compelled to share information, that is, the governmental agencies do not request them for information under their search and seizure authority, rather, the government, like a customer, buys the data from them or from data brokers – does this way around the law make it legal?
>
>
Without any constitutional safeguards and democratic accountability, this practice becomes troublesome and concerning since data aggregation allows for an almost unprecedented range of surveillance which needs to be restrained. The Fourth Amendment has struggled to keep pace with the novel privacy issues linked to the evolving surveillance technology and so it falls upon the U.S. Congress to restore the principles and true essence of the Fourth Amendment. As a first step, it is crucial to regulate the way data is queried by the government – indiscriminate and general transmission of data from the private sector to the government needs to be stopped. While some steps have been taken by lawmakers in this direction, at present these are far from being law. The most important is the “Fourth Amendment Is Not For Sale Act” (which has now passed in the House but still faces a lot of opposition), which would prohibit law enforcement and intelligence agencies from purchasing communications content, location data, and other highly sensitive data that would otherwise require a warrant. The bill would also limit the government’s ability to create workarounds in the future by establishing some mechanisms as the exclusive means by which the government may acquire information about the people in the U.S. However, it only focuses on data purchases, and does not, in this form, apply to other types of voluntary disclosures by data brokers or app developers – which might be an arrangement that brokers want in order to establish contact or rapport with the government.
 
Changed:
<
<
That's hardly self-evident framing. The constitutional principle is that rights against unreasonable search and seizure shall not be violated. How is it unreasonable behavior for government to buy what everyone else can also buy? Reasonable conduct is not "going around the law" against unreasonable conduct, surely?
>
>
Given the fast-paced nature of technology and data transactions, and given further the gestation period of legislation, it is imperative to bring in short-term as well as long-term measures. In the short term, Congress could affirm that voluntary disclosures of data sets by data brokers are subject to constitutional and statutory constraints and could impose some sanctions on enforcement actions taken on the basis of data not obtained by following constitutional safeguards. In the long term, in addition to FISA, the U.S. Congress should address privacy concerns by introducing a comprehensive data privacy and security framework applicable to all data collectors and processors. While inspiration should be taken from GDPR, it is also important to ensure that the protections which have turned out to be toothless (such as sharing data with the government “for lawful purposes”, sweeping powers of the government and the opt-out right / right to be forgotten) are carefully considered and bolstered in favor of the data subjects.
 
Deleted:
<
<
The government believes so. Government attorneys have argued that purchasing data is a valid way of bypassing the Constitution’s restrictions. The standard argument in favor of unfettered government purchases of private data is that such data is commercially available, and so anyone should be able to purchase it, including government officers. However, while government officials can generally purchase items available to the public without constitutional restriction, sensitive private data about cell phone users isn’t actually available to the public. In the absence of public availability, there’s nothing special about a commercial transaction that allows the government to strip otherwise protected data of its constitutional protections.

Just to understand what the government is buying and what is at stake, it is imperative to understand the regime around data collection, processing, disclosure, and transfer. At present, the United States lacks an effective and comprehensive data privacy law and imposes minimal restraints on collection of consumer data.

No. It has a well-designed and well functioning system of "no-law," that is, immunity—a form of government subsidy to desired industry. Describing the presence of policy as the absence of contrary policy is not analytically helpful.

As a result, while government agencies have to navigate an array of laws that often prevent them from tracking Americans without a court order or warrant, there are few legal restrictions on private companies (popularly called, data brokers) that buy, repackage and sell personal data, which is then referred as “commercially available information” or CAI. This has allowed an entire industry of data brokers to flourish by selling very specific information about people.

I don't see how we reach that conclusion. The industry is perfectly capable of existing where there is "data protection" law, the purpose of which actually is, as described, to protect data. The "privacy shield" disputes with Europe have never been about whether trans-Atlantic brokerage of opted-in Europeans' data could be brokered. The issue concerned only the US government's ability to access that data, which all European governments had granted to themselves, since none of their domestic GDPR implementation legislation put any controls on state-controlled spook/cop access to CAI. All just shams....

While technically, the blocks of information being sold are anonymized, it is understood that it is rather easy to deanonymize such data and link it to a particular individual. There is no argument that people ignorantly disclose a huge amount of their personal information on the internet. The biggest of all is our location, our movements and our streaming history which can be tracked by many platforms – the food ordering apps, cab services, travel booking sites, and of course cookies. In recent years, there have been unofficial reports and speculations that the various federal agencies and local police departments purchase data from a vast network of specialized data brokers to track the activities of individuals over time. Last year, however, the government itself admitted to this practice in a declassified report published by the Office of the Director of National Intelligence. The report reveals that the government intelligence agencies acquire a significant amount of CAI for mission-related purposes, including in some cases social media data. Some of the government buyers include the Defense Intelligence Agency; the FBI; the Department of Homeland Security.

Now, the main players seem to be the data providers (that is, data brokers and big tech) and the buyers (that is, the government). The data providers operate in a legal gray area and are not breaking any privacy rules as such since there aren’t any rules to break. The position of the government on the other hand, is the one which is argued. However, it is crucial to understand that even if legal, besides raising privacy red flags, this practice raises civil rights concerns. When government agencies don’t have to show a reasonable cause for a warrant, a probable indication of criminal activity or even provide any information at all to a judge — they’re much more likely to fall back on conscious or subconscious prejudices, targeting people of color and other marginalized communities.

This flourishing industry of trading of sensitive data, needs to be checked and nipped before the privacy and safety of individuals are further invaded and hampered. While some steps have been taken in this direction, at present these are toothless. For instance, in 2021, a bill titled “The Fourth Amendment Is Not For Sale Act” was introduced in the House of Representatives aiming to bar law enforcement and intelligence agencies from purchasing Americans’ geolocation data, the content of their communications or other sensitive information from any company that collects them — whether a cellphone company, an app developer or a data broker. While the bill seeks to address the problem and provide a solution, it only focuses on data purchases, and does not in this form apply to other type of disclosures by data brokers or app developers. And needless to say, it is quite far from being a law at the moment. Similarly, the Federal Trade Commission, earlier this year announced that Americans must be told and agree to their data being sold to “government contractors for national security purposes”. Again, how much tooth these FTC rulings have is yet to be seen.

I think the best route to improvement is more active engagement with other ways of thinking, so that the reader can understand more directly the strengths and weaknesses of your approach. I've tried above to suggest places where you could more directly meet objections.

 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Revision 3r3 - 09 May 2024 - 23:45:52 - AasthaSaily
Revision 2r2 - 25 Apr 2024 - 13:30:45 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.