
Monday, Mar 15, 2010
FBI Subverted Law on Obtaining Phone Records, Post Reports
The Washington Post reported this morning that between 2002 and 2006 the FBI "illegally collected more than 2,000 telephone records ... by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews." The Post noted that a Justice Department inspector general report due this month is likely to conclude that the spy agency "frequently violated the law with its emergency requests, bureau officials confirmed." TalkLeft has a detailed account of the newspaper's reporting on the illegally obtained phone records here.
The newspaper continued, "Documents show that senior FBI managers up to the assistant director level approved the procedures for emergency requests of phone records and that headquarters officials often made the requests, which persisted for two years after bureau lawyers raised concerns and an FBI official began pressing for changes."
- Electronic privacy
- Executive power
- FBI
- Justice Department
- phone records
- Post-9/11 issues
- Technology and I.P.
- wiretapping
High Court to Review Text-Messaging Privacy Case
The Supreme Court added new cases to its docket this morning, including one involving the extent of privacy for employee text messages and another involving whether immigrants convicted of repeated drug possession charges can be deported.
In City of Ontario v. Quon, the justices will determine whether Ontario, Calif., officials violated the privacy rights of several police officers by reading scores of text messages they sent via pagers issued by the police department. A U.S. District Court ruled against the officers, but the U.S. Court of Appeals for the Ninth Circuit ruled that the city had violated the privacy rights of police officers. Lewis Maltby, president of the National Workrights Institute, told the Los Angeles Times that the case "came down at a moment when there was virtually no protection for employee privacy. If it stands, it would mean employees for the first time could communicate at work with privacy." City officials, however, argue that employees should expect no privacy when using equipment provided by the employer.
In Carachuri-Rosendo v. Holder, the justices will consider a ruling by the U.S. Court of Appeals for the Fifth Circuit that upheld deportation proceedings of a legal alien convicted of multiple, minor drug possession offenses. The Associated Press reported that while the Fifth Circuit upheld the deportation proceedings, other federal circuits have ruled in favor of immigrants.
The high court also denied, without comment, a case involving four former Guantanamo Bay detainees who say they were tortured and denied their religious liberty rights. For more discussion of today's Supreme Court action see analysis from SCOTUSblog's Lyle Denniston here.
Digital Privacy at Work
Does your employer have access to your personal e-mail accounts if they are accessed at work? The answer was once, almost uniformly, "yes."
The Wall Street Journal reports:
In past years, courts showed sympathy for corporations that monitored personal email accounts accessed over corporate computer networks. Generally, judges treated corporate computers, and anything on them, as company property.
Now, courts are increasingly taking into account whether employers have explicitly described how email is monitored to their employees.
Recent decisions cited by the Journal include cases in New Jersey and San Francisco resolved in favor of employees, who were determined to have a reasonable expectation of privacy. The San Francisco decision is being appealed to the Supreme Court.
- Digital Privacy
- Electronic privacy
- Equality and Liberty
- Other courts
- Privacy rights
- Technology and I.P.
- The Courts
FTC’s Olsen Addresses Privacy Concerns in Cyberspace
After providing a keynote address at a recent ACS event on privacy concerns in a digital age, Christopher N. Olsen, the assistant director in the Federal Trade Commission's Division of Privacy and Identity Protection, noted in an interview with ACSBlog that the agency plans several forums for hearing input on tackling online privacy concerns. Watch Olsen's interview below or download a podcast of it here.
- Christopher N. Olsen
- Electronic privacy
- Federal Trade Commission
- online privacy
- Privacy
- Technology and I.P.

Roots of The Right to Privacy
By Melvin I. Urofsky, Professor of History and Director of Doctoral Program in Public Policy & Administration. Professor Urofsky's work is being featured at an ACS panel discussion in Washington, D.C. on Tuesday, November 10, 2009.
Louis Brandeis is rightly seen as the father of the modern constitutional right to privacy, but it is a long road from his initial statement on this matter to his great dissent in Olmstead v. United States (1928) to the doctrine that emerged following Griswold v. Connecticut (1965).
In 1890, Brandeis's law partner, Samuel D. Warren, complained about the intrusions that the press had made into his private life. Warren, the scion of a prominent paper manufacturing family, and his wife Mabel, the daughter of the U.S. senator from Delaware, were among the leaders of Boston's fashionable younger set, and reporters were always trying to get details on the parties at their house. He prevailed on Brandeis to work with him on an article, and the result was "The Right to Privacy," published in the Harvard Law Review in 1890.
It would become one of the most cited law review articles in American legal history, but today's readers would wonder what the two men were talking about. At the time, there was no constitutional right to privacy, and even if one could discern such a right in the Fourth or Ninth Amendments, the Bill of Rights did not apply to the states. Rather, Brandeis and Warren had to work with an emerging tort law, especially the unauthorized use of a person's likeness, such as photos or line drawings in advertisements with the implication that the person used or endorsed the product, and expanded on it. In essence, they suggested a new tort - a civil wrong - that allowed people to recover damages for unwarranted intrusion into their private affairs.
Interestingly enough, and in a prescient sentence, they wrote "instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the predictions that ‘what is whispered in the closet shall be proclaimed from the house-tops.'" Years later, in his files for the Olmstead case, Mr. Justice Brandeis had a newspaper clipping about a new device called "television" and wanted to include a warning against it, but his clerk dissuaded him.
The Warren and Brandeis article, according to Dean Roscoe Pound, did "nothing less than add a chapter to our law." Within a few years it was being widely quoted not only in other academic pieces but by the courts as well, as plaintiffs seeking damages for invasion of privacy began to win their suits, with arguments based on the article's premises.
Although Brandeis did not actively pursue this idea, he never abandoned the notion that a right to privacy constituted one of society's most prized liberties. In Olmstead he modernized the ideas of the law review article, and garbed the "right to be left alone" in constitutional armor. It would take nearly four decades before the Court converted his dissent into law, but in that time the idea caught on and grew.
Olmstead arose when the government, without a warrant, wiretapped a bootlegging operation, and on the basis of that information secured convictions. Chief Justice Taft wrote a mechanical opinion in which he claimed that since there had been no actual physical invasion of the premises there had been no violation of the Fourth Amendment. The normally conservative Pierce Butler shredded Taft's logic, and Oliver Wendell Holmes, Jr., in his typical Brahmin manner, sniffed at what he called "a dirty business."
Brandeis took the Fourth Amendment and enlarged it, not just to mean the absence of unauthorized physical invasion, but also the intrusion into an area in which people had expectations of privacy. As a result, it did not matter whether the intrusion had been physical or not - the sanctity of that space had been violated. The right to be let alone, as he put it, constituted the right most prized by civilized people.
Eventually the Court would catch up, and in the 1960s and 1970s a series of cases gave constitutional foundation to that prized right. At the same time conservatives, such as Robert Bork, argued that there was no right to privacy because the word is not mentioned in the Constitution. It is an argument that neither the American people nor a majority of bench and bar share.
Interestingly, in recent years we can see how influential the Brandeis argument has remained. In a recent Supreme Court case of a few years back, police used a heat sensor to pick up signatures of excessive heat in a house, a sign that someone might be growing marijuana behind their garden walls. On that evidence they secured a warrant and arrested Danny Kyllo for growing the weed. He appealed, arguing that the police needed a warrant to use the heat sensor, since it technologically invaded his home. The Supreme Court agreed, and in a very Brandeisian opinion written by none other than Justice Antonin Scalia.
- ACS Book Talk
- Electronic privacy
- Equality and Liberty
- Fourth Amendment
- Griswold v. Connecticut
- Justice Louis Brandeis
- Kyllo v. US
- Melvin Urofsky
- Ninth Amendment
- Olmstead v. US
- Privacy rights
- Reproductive freedom
- Right to Privacy
- Supreme Court
- Technology and I.P.
- The Courts
- Women's rights

The Key to Health IT’s Success: A Comprehensive Privacy and Security Framework
By Sheel Pandya, Policy Counsel, Center for Democracy & Technology's Health Privacy Project
Health information technology ("health IT") has been widely recognized as an essential tool in achieving a number of health care reform goals, including improving health care quality, reducing costs, increasing efficiency, and boosting consumer participation in their own health care. But without strong privacy and security protections in place, the risk of electronic health data falling into the wrong hands and being used for inappropriate purposes is amplified.
Survey data shows that the public is cognizant of both the benefits and risks of health IT. A large majority of consumers would like electronic access to their health data (for themselves and their providers), but are still concerned about the privacy of their data. How can we allay consumer fears, while building trust in health IT? The short answer is we need a comprehensive privacy and security framework that sets clear parameters for access, use and disclosures of personal health data for all entities engaged in health IT. Such a framework will build consumer trust in health IT, and help us to fully realize its benefits.
Fortunately, the timing for such efforts could not be better given the "perfect storm" of developments in health care reform in general, and health IT in particular. Health care reform bills currently circulating in Congress underscore the importance of health IT in making health care reform a reality. And, with the passage of the American Recovery and Reinvestment Act of 2009 (ARRA) back in February, which committed billions to the expansion of health IT, doctors and hospitals are likely to adopt health IT (through financial incentives) at a faster pace over the next several years. ARRA also includes the most significant improvements in health privacy that we've seen in a decade, including substantive changes to the federal health Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA), which limits how "covered entities" (including health plans, health care providers, and health care clearinghouses) can use and disclose personal health data.
What ARRA does not articulate, however, is a clear, comprehensive framework that can guide policymakers, key regulatory agencies tasked with fleshing out the health privacy provisions in ARRA, and developers of health IT systems in establishing proper privacy and security protections for personal health data.
Luckily, a framework for health IT already exists in the form of the generally accepted "fair information practices" (FIPS) that have been used to shape policies governing use of personal data in a number of contexts, including the HIPAA Privacy Rule. While there is no single formulation of the FIPS, the Common Framework developed by the Markle Foundation's Connecting for Health initiative would implement core privacy principles, adopt trusted network design characteristics, and create oversight and accountability mechanisms.
One important element of the Markle framework allows for consumer engagement in health care through informed decision-making. But while consumers must be informed about uses and disclosures of their health data, and there are uses and disclosures that should require consumer authorization, consent alone cannot be a substitute for a comprehensive approach to privacy and security that protects consumers and builds trust. Relying solely on consent places an unfair burden on consumers, and often leads to "all-or-nothing" blanket consents that provide them with little meaningful ability to control how they want to share their personal health data, and with whom. An over-reliance on consent can also create a sense of immunity among those who keep personal health data and impede their motivation to develop strong privacy and security protections for this data. A comprehensive approach can avert some of these unintended consequences, and provide meaningful choice and protections for consumers.
Health IT adoption is already underway and will likely ramp up as more providers qualify for financial incentives under ARRA. As such, the time to establish effective privacy and security protections for personal health data is now. Trying to institute protections retroactively, and restoring public trust that has been significantly undermined is a lot harder than building it from the get-go. A comprehensive privacy and security framework can help facilitate this process for both traditional and non-traditional entities that keep personal health data.
- American Recovery and Reinvestment Act
- Center for Democracy & Technology
- Electronic privacy
- Equality and Liberty
- Fair Information Practices
- Guest Bloggers
- Health IT
- Patients' Rights
- Privacy
- Privacy rights
- Sheel Pandya
- Technology and I.P.

Senate Committee Misses Chance to Limit Patriot Act
By Greg Nojeim; Senior Counsel and Director, Project on Freedom, Security & Technology; the Center for Democracy & Technology
The Senate Judiciary Committee yesterday approved legislation to reauthorize the three expiring provisions of the USA PATRIOT Act and in the process rejected key amendments to restore civil liberties damaged when the Act was first adopted a few weeks after 9-11. The Obama Administration's opposition to civil liberties protections played an important role in this disappointing outcome.
The Committee failed to adopt any meaningful limits on National Security Letters (NSLs). Under the Patriot Act, FBI agents can use NSLs, without the approval of a judge, to obtain sensitive financial and communications records about anyone, even people suspected of no wrongdoing, solely on the claim of an FBI official that the information is "relevant" to an ongoing investigation. Earlier I wrote about an amendment that would have ensured that NSLs could be used to obtain sensitive personal information only if there was some reason to believe that the information pertained to a foreign terrorist or spy or somebody in contact with or known to such a person. That's not a very exacting requirement - and the amendment under consideration didn't even go so far as to require judicial approval - but still the Committee rejected it yesterday.
Instead, Senators opted for the more permissive "relevance" standard in current law. After a protracted debate, the Senators adopted a requirement that government agents write down specific facts showing that the information sought was relevant to an investigation. But that addition offers little protection, especially since intelligence investigations can be very broad and no one outside the FBI reviews the claim of relevance anyhow. The better way to focus intelligence resources would have been to ensure that the government was collecting information about potential bad actors and anyone tied to such people. Absent this minimal grounding, abuses and misuses of NSL authority identified by the DOJ's own Inspector General will persist.
Perhaps most surprising and troubling about the Judiciary Committee action was the role of the Obama Administration, which opposed civil liberties protections that were even weaker than the civil liberties protections Barack Obama favored as a Senator. As but one example, as Senator, Obama signed a letter calling for an amendment that would have said that the related authority in Section 215 of the Patriot Act to obtain a court order for any "tangible things" could have been issued only for records pertaining to a suspected spy or terrorist or someone tied to a suspected spy or terrorist. Senator Obama also co-sponsored a bill with an even stronger standard. Despite Senator Obama's history of favoring strong standards in the Patriot Act, President Obama's Administration persuaded Judiciary Committee members to reject even limited improvements.
This is not to say that the bill the Senate Judiciary Committee just approved (S. 1692) diminishes civil liberties protections in current law. In fact, it enhances those protections, albeit in small ways. It shortens from 30 to seven days the period during which the government can delay notice when it conducts a "sneak and peek" search to find evidence of crime. It imposes minimization requirements on NSLs to limit the dissemination to other agencies of personally identifiable but irrelevant information about Americans obtained with an NSL. It takes significant steps to bring the NSL gag provision in line with the First Amendment by providing for a more meaningful judicial review. It requires accountability measures that could uncover abuses, including Inspector General audits of the use of NSL and Section 215 authority, public reporting about the number of people subjected to FISA surveillance, and new sunsets that may prompt members of Congress to ask tough questions about use of Patriot Act powers when reauthorization is sought.
But, when it comes to the most important issue - requiring strong standards for access to records about Americans and appropriate judicial review when those records are sensitive - the Senate bill falls short. We can only hope that the House Judiciary Committee will do better.
- Center for Democracy & Technology
- Criminal Justice
- Electronic privacy
- Executive power
- Greg Nojeim
- Guest Bloggers
- National Security Letters
- NSA Wiretapping
- PATRIOT Act
- Post-9/11 issues
- President Obama
- Search and seizure/Fourth Amendment
- Separation of Powers and Federalism
- Technology and I.P.
An Unsettling Settlement?
Debate continues to rage over the proposed Google Books settlement. The subject, which was the topic of an ACS Issue Brief by Prof. James Grimmelmann and an ACSblog reply by David Balto, was taken up recently by Steve Pociask, president of the American Consumer Institute Center for Citizen Research.
The settlement would permit Google to give the public access to scores of "orphan works," or copyrighted material whose owners either are unknown or cannot be found.
Pociask takes issue with the settlement:
[T]he current book search settlement gives the most dominant online firm a significant competitive advantage over its rivals, delays entry by would-be rivals and hands Google favorable pricing over other Web-centric competitors. The results would likely lead to market power that could permanently lockout competitors, thereby posing anticompetitive risks to the public. Furthermore, this would be accomplished by a single judge's decision, instead of through legislative means or public discourse, or market forces.
When surfing the Internet, consumers find most of their information using search engines, and mostly using Google. Through Web site rankings and ad placement, Google already influences how we find Web content. Google also tracks and retains your Web site browsing history for the purpose of "behavioral advertising." Now, if this court settlement is approved, Google will know exactly what you are reading.
For the complete op-ed, click here.
- Copyright
- Corporate governance
- Economic, Workplace, and Environmental Regulation
- Electronic privacy
- Google Book Search Settlement
- Google Books
- Other courts
- Technology and I.P.
- The Courts

Enter Stage Right: The "Cyber Czar"
By Jennifer Granick, Civil Liberties Director, Electronic Frontier Foundation
National commitment to cybersecurity is welcome, but government control of the internet is not. This morning's White House-issued cybersecurity proposals seem to recognize this distinction and are therefore vastly preferable to the Rockefeller-Snowe Cybersecurity Act introduced into Congress last month.
Today, President Obama announced that he would create a White House-level position of "cyber czar" to coordinate and oversee federal efforts to improve network security and response to cyber attacks. At the same time, the White House released a cybersecurity report giving more specific proposals for how the federal government can improve the security of our national networks. Together, the proposals credit the importance of protecting both the network and civil liberties, though the devil will be in the details.
Neither government nor private sector computers are nearly secure enough. But whether a network is secure depends on multiple factors including the value of the information traveling over that system, the evolution of the state of the art in computer programming and the commitment and resources of an attacker. Thus, "cybersecurity" is an ongoing process of research, investment and risk-management, not an attainable final state of impenetrability.
The government must secure our critical infrastructure networks, and can play a leadership role for the private sector. Both goals require wonky management more than dramatic gestures. As security expert Bruce Schneier has pointed out, the causes of government cyber-insecurity are rather mundane.
GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.
The White House cyber czar, the President says, would set budget priorities, establish measurable security goals and coordinate responses to cyber attacks. Efforts like these that aim to ensure and incentivize better security hygiene across the board, while sharing information and metrics with private network operators, aren't glamorous, but are the kind of measures that improve network security. The report also states commitment to civil liberties, including by designating a privacy and civil liberties officer in the agency devoted to cybersecurity. If this commitment is real, today's White House proposal is a welcome place to start addressing the problem of cyber-insecurity.
Contrast this with the Rockefeller-Snowe bill introduced in April, which includes exaggerated proposals that do little to address the root causes of network vulnerabilities and much to undermine private rights and civil liberties. The bill purports to give the Commerce Department absolute, non-emergency access to "all relevant data" without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act or financial privacy regulations.
Another proposed provision of that bill would give the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds. This would create a major shift of power away from users and companies to the federal government, without any guidance on when or how the President could responsibly pull the kill switch on privately owned and operated networks.
Notably, the White House report specifically rejects the idea of government access to information regardless of existing law or the Constitution and talks about government leadership, but not government take-over of private networks. The Rockefeller-Snowe bill is an example of the kind of rhetoric that doesn't address the real problems of security and can actually make matters worse by weakening existing privacy safeguards. Our starting point for this discussion should be the White House proposal, which focuses on simpler, practical measures that could create real security by encouraging better computer hygiene for both public and private networks.
- Cyber Czar
- Electronic privacy
- Executive power
- Guest Bloggers
- Separation of Powers and Federalism
- Technology and I.P.

An Oath Forgotten
Bad Advice
Bush’s Lawyers in the War on Terror
By Harold H. Bruff, Charles Inglis Thomson Professor of Law, University of Colorado at Boulder
[Available Here]
President Bush received bad advice from his lawyers regarding some crucial decisions in the war on terror, including National Security Agency surveillance of American citizens, detention and trial by military commission of suspected terrorists, and authorization of harsh interrogation techniques - the torture question. In each of these contexts, the President's lawyers made broad and even unprecedented claims of unilateral executive power after a secret process of decision. Their advice exceeded the bounds of professional responsibility.
Legal advice to a President is always sympathetic to his policy goals. Advisers feel political and personal loyalty to the President who selected them. Competition for influence within the administration fosters telling a President what he wants to hear. Also, the culture of the Executive Branch ensures sympathy. Given these powerful incentives to support the President's policy agenda, what can and should constrain the lawyers? First, there is the obligation of the oath to defend the Constitution that they all take. The lawyers also have a second obligation in their professional responsibility to "exercise independent professional judgment and render candid advice." As Robert Jackson said, "the value of legal counsel is in the detachment of the advisor from the advised." We expect that distance from professionals of all kinds, our doctors for example.
To buttress the duty of independent judgment, executive advisers need to accept the principle of the Steel Seizure case that Congress can lay down the law, even in time of war. Support of a broad initiative power for the executive is fully consistent with this principle. Some of President Bush's lawyers followed a theory that the executive has broad unilateral power in the foreign realm that Congress may not control, except perhaps by withholding funds or impeachment. This risks a destabilizing pursuit of executive hegemony, one very erosive of the rule of law.
President Bush absorbed an extreme view of executive power espoused by Vice President Dick Cheney, who operated through his fierce aide, David Addington. He was also helped by John Yoo, second in command in the Office of Legal Counsel. In Yoo's earlier academic career, he had developed theories of nearly unconfined executive power that fit nicely with Cheney's. White House Counsel Alberto Gonzales, who lacked experience in government, was ready to defer to the more experienced lawyers around him. The events of 9/11 soon created a perfect storm in which inclinations toward executive dominance met opportunity in the form of the worst surprise assault on America since Pearl Harbor.
President Bush immediately decided to declare a war on terror rather than to use ordinary criminal processes. This would be, though, a new kind of war because the enemy wore no uniforms, acted clandestinely, and routinely attacked civilians. It was obvious to everyone that gathering intelligence about the identity and intentions of this new enemy was absolutely crucial to preventing future 9/11's. The focus on intelligence gathering shaped all terror policy.
The advice that was given to President Bush regarding terror issues reveals that somewhere a blurring of the line between analytic advice and unrestrained advocacy occurred. The administration's lawyers repeatedly followed a four-part strategy:
- Step One: set the analytic framework. The memos always emphasize the foreign and wartime context of the situation, to invoke broad precedents there. The memos downplay any domestic effects of proposed actions, to avoid more limiting precedents there.
- Step Two: interpret the President's constitutional powers very broadly, without identifying any limits to them, while interpreting possible constitutional restrictions very narrowly.
- Step Three: take the same approach with statutes, interpreting authorizations of executive action very broadly, and limitations very narrowly.
- Step Four: invoke the canon of construction that statutes should be read to avoid constitutional difficulties. If you have broadly interpreted the executive's constitutional powers, a broad shadow falls across the meaning of statutes. Combine these elements of strategy and you can, in the words of Alberto Gonzales, "push the envelope" of legal constraint.
This strategy first led to approval of the National Security Agency's "Terrorist Surveillance Program," notwithstanding the program's inconsistency with the Foreign Intelligence Surveillance Act (FISA). It then produced policies of detaining suspected terrorists without process and subjecting them to trial by military commission, which were twice struck down by the Supreme Court. And it led to an endorsement of extremely harsh interrogation techniques in the "torture memos." The advice concerning interrogation made its way to Abu Ghraib and contributed to the scandal there.
If the President's lawyers should have given more independent advice than they did, how can we have any assurance that they actually will do so? Self-interest, both personal and institutional, should have that effect. American history confirms that if the President's lawyers fulfill their professional obligation to provide independent judgments about the law within a framework of an approach that emphasizes the shared powers of the three branches, they will act in the best interests of their President, their nation and their own selves.
- Access to Justice
- ACS Book Talk
- Alberto Gonzales
- Criminal Justice
- David Addington
- Dick Cheney
- Electronic privacy
- Equality and Liberty
- Executive power
- Habeas corpus
- International human rights
- International Law and the Constitution
- John Yoo
- Post-9/11 issues
- Privacy rights
- Rights of detainees
- Search and seizure/Fourth Amendment
- Separation of Powers and Federalism
- Technology and I.P.
- Torture
- Treaties and conventions








