Rise of the US Surveillance State

KingGorilla wrote:

I am not seeing your basis for that Cheeze. I would love to see you explain it in greater detail, however.

Think of it this way: if the OCR technology at the Post Office can see through my envelope, does that mean envelopes that can't block the Post Office cameras are no better than postcards? Just because servers and programs are 'reading' my e-mail, why is that enough to categorize it as a digital postcard?

If I conveyed that impression, that was my mistake. What I was intending is that Google has programs to read and store all manner of your personal data and writings. Their treatment of that data, in truth much of online data, falls short of what many privacy advocates would seek. They are much too compliant with requests from private companies, individuals, and government entities in the absence of a court order, warrant, subpoena. That is simply due to a gap in the law, and a failing in their own ethics or a lack of online ethics in general.

These are the facts that the general public is largely ignorant to. The post office is utilizing narrowly defined and legally vetted screening technologies in the name of security-X-rays of packages, chemical tests of envelopes, etc. There are also clearly defined statutes and case histories governing the privacy of the mail system. UPS and Fed Ex are beholden to these as well.

What google and other web service providers, as well as ISPs and Cell Carriers are engaged in is to insulate themselves from liability for their disclosures through contractual means. Western Union engaged in similar actions with the telegraph. It took legislative and judicial action to get them in conformity with privacy laws for parcel and letter carriers.

The issue is not a decision that electronic communications are open or more open than letters. The issue is an absence of authority on the entire subject, and the carriers of that communication punting to avoid liability. They are not taking a stand. They are opening their doors and stating that it is our responsibility as users to take our own stand. The Supreme Court chose to not hear an appeal regarding AT&T's compliance with warrantless NSA wiretaps, so the issue is still very much in the air. And the issue still is in need of clear legislative guidance. The class in the AT&T suit had lousy counsel. But as it stands now all a web service provider can do is lose money and time standing up to requests, engaging the courts. And as they continue to be insulated from lawsuits and liability for complying even without orders or warrants, it falls to the citizens to take up the cause.

In a nutshell, Google and about all web service providers have said "We will not protect your privacy."

And as a tangent, this stretches to other areas as well. Web service providers have insulated themselves well from trademark and copyright issues through similar means. They will gladly host content, but will take no role in preserving your interests.

Figured this would be the appropriate place to share this:
Senate bill rewrite lets feds read your e-mail without warrants

Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

Not at all good. Is this his actual stance, or a negotiating position?

Turns out one of Leahy's aides is strongly denying the report.

Actually, that kind of scares me more, KG. So now we not only have criminal agencies that have full access to all those things, but civil ones too? Or am I reading that wrong?

Um, I think we want regulatory agencies to have access to this information pursuant to their hearings and investigations. I am not about to hamstring the SEC, FTC, NLRB, OSHA with previously unheard of higher scrutiny over their investigatory powers. And we certainly do not want those companies and people under investigation by the SEC to get prior notice as they build their case.

That bit is not about criminal, but civil investigations by regulatory agencies. The prospect of going another route and requiring grand juries and circuit judges would bog down their regulatory role. It is for this very reason these agencies also carry out their own quasi legal proceedings.

We are not talking about Criminal investigations by the FBI, CIA, NSA, ATF, and so forth.

Rallick wrote:

Actually, that kind of scares me more, KG. So now we not only have criminal agencies that have full access to all those things, but civil ones too? Or am I reading that wrong?

I would argue that it is a clarification of a power that they already have.

As an example, if the SEC suspects that Company X is cooking their books for a secondary stock option. IE the federally mandated disclosures made are not adding up. The SEC has investigatory powers allowing them to delve into a lot of information with a reasonable suspicion.

The same applies to insider trading, and such. If the SEC cannot probe into these, how do they do their job.

What we are talking about are activities undertaken in their regulatory capacity. So if the CEO of Company X should be making everything public, and carries on secret back room dealings; what can the SEC or FTC do?

These agencies are not probing into just anyone and everyone, they do need to justify the actions. But by necessity preliminary and early action needs to be kept under wraps. These agencies are limited in that they can only investigate those persons and agencies under their jurisdiction.

And again, we are talking about their powers in regulatory and civil capacities. Just a reminder, you have no right against self incrimination in American Civil law, not right to a jury, etc.

I am in no way saying we do not need reform to put a higher barrier up regarding criminal probes into private e-mails. But for these regulatory amendments we are talking about reiterating existing powers that these agencies already possess when it comes to ensuring compliance and fair behavior. The common citizen is not subject to SEC or FTC investigations. But they can get certain phone records, wire records, bank records on their own as it is.

Wouldn't you say the common citizen is subject to insider trading investigations, though? This can happen easily to employees of large corporations, for example, or people with relatives/friends/acquaintances with insider knowledge.

You need to be a 10% owner in a company to begin with to qualify as an insider. And while that could conceivably involve friends and family. That is the nature of most criminal conspiracies. If the SEC has cause to suspect Bill Ford Jr. of insider trading, then they can get a lot of information on him. If that investigation leads to seeing his e-mails and phone calls with family and friends; they are not guilty of insider trading because they are not equity owners of Ford.

If a friend or family member involves a private citizen in a conspiracy, be it insider trading, drugs, gun running, or check fraud, I am not sure if government surveillance is the problem. When a person becomes suspect a lot of their friends, family, colleagues will be monitored too just because the authorities are monitoring the suspect individual.

I mean what do you think a wire tap does? It even records a suspect's 2 AM call to Papa Johns, did the government invade the pizza delivery boy's privacy? And Wiretaps do require a warrant.

Insider trading is a good one, the SEC does a lot of those investigations on the year, and often 50+ prosecutions. And it bears reiterating, these are civil matters resulting in fines and injunctions. Civil court outside of regulatory agencies get much wider berths on information than criminal, and always have in the US. And for more examples. Federal courts do not recognize a doctor-patient privilege in civil courts.

We keep circling around this. American law does not really recognize a fundamental right to privacy, in the same way we recognize that fundamental right to life, to own property, to speech. I agree with our legal history that our 5th and 4th and 3rd amendments give strong evidence of one carved out in the constitution, but not as enumerated (our strongest constitutional rights). At common law there was not a right to privacy as such, it was not included in our constitution. The exceptions are certain privileges and confidences recognized at common law, not a general right to privacy.

Hmmm. I thought "insider" also included people with material knowledge of unannounced results, technology or the like, the release of which could affect the decisions of an average investor. Hence quiet periods before corporate results are announced, isolation of special development teams and the like. Is that incorrect?

Robear wrote:

The electronic surveillance of the Internet is well established in the US, and yet, is it properly regulated? Does the law sufficiently protect privacy rights, and what do recent investigations and prosecutions imply for the future?

Here's a summary of the privacy issues related to the Gen. David Petraeus investigation to kick things off.

I think Malor was right to question the very premise. You're starting from the position of "we all agree this is necessary, so we do have the required precautions" when many of us would question why we need to have a surveillance state in the first place.

I love Cornell's legal pages.

http://www.law.cornell.edu/wex/insid...

I think we are getting bogged down into a few too many what-if's.

CEO's of publicly traded companies are quasi public figures. They have a good degree of diminished privacy.

Regulatory agencies are narrowly construed agencies. Their powers to investigate, is limited to those companies and those people within those agencies. These agencies are also largely civil in that they do not impose prison terms, rather fines and injunctions.

By and large companies subject to these regulations and agencies are required to make public the very information that they seek to hide-adverse health findings for a new product to the FDA or USDA, emissions and waste output to the EPA, etc. You cannot assert an argument for breach of privacy when you are seeking to smother public information.

At present these regulatory agencies can with their own subpoena process get phone records, including duration, names, numbers and bank records including wire transfers with account numbers, country, names. There is no warrant required. But that process is narrowly tailored to information from the people under their regulatory bubble (not the country at large).

What we are talking about with extending those powers to pull phone records, to GPS, e-mail, text messages is to extend those existing investigatory powers to modern communications.

In a world of DUI Checkpoints and Random frisking of citizens, the investigatory powers of regulators is rather mild.

DSGamer wrote:
Robear wrote:

The electronic surveillance of the Internet is well established in the US, and yet, is it properly regulated? Does the law sufficiently protect privacy rights, and what do recent investigations and prosecutions imply for the future?

Here's a summary of the privacy issues related to the Gen. David Petraeus investigation to kick things off.

I think Malor was right to question the very premise. You're starting from the position of "we all agree this is necessary, so we do have the required precautions" when many of us would question why we need to have a surveillance state in the first place.

Giant assumption there.
Replace it with "exists" and you'd be accurate.

DSGamer wrote:
Robear wrote:

The electronic surveillance of the Internet is well established in the US, and yet, is it properly regulated? Does the law sufficiently protect privacy rights, and what do recent investigations and prosecutions imply for the future?

Here's a summary of the privacy issues related to the Gen. David Petraeus investigation to kick things off.

I think Malor was right to question the very premise. You're starting from the position of "we all agree this is necessary, so we do have the required precautions" when many of us would question why we need to have a surveillance state in the first place.

Well, considering how many threads we've had around here where people were not allowed to question the premise...

Thank you for that, DS, I appreciate your taking the second look.

Cheeze, please, feel free to question the premises - does the surveillance state exist? And is it poorly regulated? I didn't think many people would, but feel free.

If the premise here is that the surveillance state is a necessary evil or at least an acknowledged part of our lives that isnn't necessarily "bad" and that's what this thread is about,

Just to be clear, it's not even that. I don't view it as necessary or good, but I am interested in how we will let it change our society, our behaviors and our freedoms, and to me, part of that will fall out of how we regulate it. Politics today has a large part of the population believing that the national security state will make us safer, but that is often the same part of the population that believes in personal freedoms in the abstract. I'm curious as to whether that will create a backlash at things like the Patriot Act and the FISA laws. What will happen to public opinion as people begin to realize what is going on?

CheezePavilion wrote:
DSGamer wrote:
Robear wrote:

The electronic surveillance of the Internet is well established in the US, and yet, is it properly regulated? Does the law sufficiently protect privacy rights, and what do recent investigations and prosecutions imply for the future?

Here's a summary of the privacy issues related to the Gen. David Petraeus investigation to kick things off.

I think Malor was right to question the very premise. You're starting from the position of "we all agree this is necessary, so we do have the required precautions" when many of us would question why we need to have a surveillance state in the first place.

Well, considering how many threads we've had around here where people were not allowed to question the premise...

Actually you're correct. And I apologize to Robear and others. If the premise here is that the surveillance state is a necessary evil or at least an acknowledged part of our lives that isn't necessarily "bad" and that's what this thread is about, how to manage it then I would be a hypocrite to say the starting point for this thread should be shifted. I went back and reread what Robear actually wrote and I now see that I was wrong, as was Malor, IMO. Sorry about that.

EDIT: Fixed typo

Hmm, Robear, I'm not sure you are aware but over here we are a little further down the road on personal data protection laws. The OECD suggested seven principles of data protection and they were adopted by the European Council and resulted in the Data Protection Directive of '98 and '03 (Its even getting updated as week speak). Here is the wiki on it.

While the US didn't adopt the recommendations, the EU made it mandatory for companies storing EU citizens data to abide by the Directive. The result of this was the International Safe Harbor Privacy Principles which essentially are the same seven principles of the Data Directive.

The clear example of its use in relation to this discussion is the Passenger Name Records system setup between the US and the EU. Even though it has been agreed in principle since 2007, repeated failing on the US side to get up to scratch on the EU's regulations have stalled the system to this day. I'd be fairly confident in saying that I don't think the failings are anything to do with ability or competence either

On a more commercial level, you'll see evidence of its use in privacy audits of Facebook recently here in Dublin for the European market.

Not sure if all of that is entirely relevant but I'd thought I'd toss it out to give the discussion to give it some perspective.

Hmm, Robear, I'm not sure you are aware but over here we are a little further down the road on personal data protection laws. The OECD suggested seven principles of data protection and they were adopted by the European Council and resulted in the Data Protection Directive of '98 and '03 (Its even getting updated as week speak).

Yep. You're also further down the path of ubiquitous surveillance, and I think the two things are connected. I suspect as Americans become more aware, they will split into two groups - the "if you don't do anything wrong you've got nothing to fear" types, and the "it shouldn't be happening, but if it is, we need to tightly control it's use" types. We'll see who wins.

Yep, probably. I'd say if you asked the average European what their rights are regarding personal data and where do they come from they would struggle.

Just curious, why do you think we are further down the path of ubiquitous surveillance? If this is a derailment, park it, I'd understand. Edit: You could PM me a response if you want a back and forth without it derailing the thread?

Judging from my knowledge of public surveillance in the UK, that country at least has far more use of public surveillance than any areas in the US to date. Not only are cameras ubiquitous, but they are constantly monitored in high-crime areas. The UK also pioneered in the use of automated cameras for traffic law enforcement; that's still fairly new in the US.

That is true, but to balance that, the EU has *much* stronger laws governing the privacy of personal data than does the US as I understand it.

Not strong enough.

Robear wrote:

Judging from my knowledge of public surveillance in the UK, that country at least has far more use of public surveillance than any areas in the US to date. Not only are cameras ubiquitous, but they are constantly monitored in high-crime areas. The UK also pioneered in the use of automated cameras for traffic law enforcement; that's still fairly new in the US.

mudbunny wrote:

That is true, but to balance that, the EU has *much* stronger laws governing the privacy of personal data than does the US as I understand it.

The use of CCTV in the UK is fairly unique in Europe, as far as I'm aware. Not that it isn't used but in countries within Central and Western Europe it is generally met with resistance and suspicion. In some of these countries they have a cultural resistance to privacy infringement that you can certainly make a good stab at why. We in Ireland, in a similar way, still haven't shaken off our colonial past and overt security measures don't go down well. The point is the UK doesn't share the rest of Europe's history on a few key matters that tends to make you value your privacy.

That is not to say that there aren't surveillence policies in place. Take a look at the Data Retention Directive of a good example of that. Use of ID cards are also in standard use and often with legal force (Ireland and the UK are exceptions, interestingly) across the mainland.

1Dgaf wrote:

Not strong enough.

The major problem is the police and other authorities do not take the data protection laws seriously or at least haven't up to recently. They are strong enough if they are used. For example since '98, there as been several cases of employees of the Revenue Commissioners (our tax collectors) viewing and passing on personal data that they were not authorised to do. It is only in the last year that somebody was prosecuted criminally and not dealt with internally so the worm is turning.

Senate panel OKs bill that would strengthen e-mail and cloud privacy http://t.co/SknevH4L

This is interesting, but they could just enforce the laws and prosecute people for spying on US citizens, regardless of whether they were the President or a hacker.

Axon wrote:

While the US didn't adopt the recommendations, the EU made it mandatory for companies storing EU citizens data to abide by the Directive. The result of this was the International Safe Harbor Privacy Principles which essentially are the same seven principles of the Data Directive.

The US Department of Commerce handles US companies attempting to certify that they abide by the Safe Harbor Principles. In the past, this meant sending a check to them, filling out a form, and having a privacy policy available somewhere that states that you comply with the Principles. This year, they've grown a little more stringent as to what exactly needs to be in that policy. I've never had to deal with any complaints stating that my company doesn't actually follow them (which, we actually do) ... but at least for smaller companies its terribly easy to make the claim and to not follow them whatsoever.