:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/57701549/shutterstock_465812408.1511301934.jpg)
So much of our lives today are conducted online that it’s essential that we know who has access to our information. And that’s especially true when it’s the government that’s doing the prying into our emails, texts, and Facebook updates.
A recent case, in which Facebook acted in the perhaps surprising role of advocate for the ordinary citizen — two cheers for Mark Zuckerberg — made clear just how hard the government is working to hide its investigation of citizens’ activities online.
Facebook, Verizon, and similar companies get tens of thousands of secret requests apiece from the government for information ostensibly needed to investigate crimes. But citizens and civil rights groups are left largely in the dark about these requests.
As we know all too well from history — consider the FBI’s surveillance of civil rights groups in the ’60s — investigative powers wielded in secret create openings for unconstitutional abuses.
In September, Facebook prevailed in a months-long effort to lift a government gag order covering three search warrants the company had received. The Department of Justice had sought, in early February, access to thousands of records associated with three Facebook users alleged to have helped organize the Inauguration Day protests in DC — in which protesters in black masks were arrested en masse after smashing windows and setting a limousine on fire.
The Superior Court of the District of Columbia approved the government’s request for the information, and issued a nondisclosure order barring Facebook from telling users that the government was looking at their data. After seven months of litigation challenging the non-disclosure provision, Facebook finally won an exceptional victory for transparency and governmental accountability in the DC Court of Appeals.
Facebook challenged the nondisclosure orders in this case because the investigation raised significant First Amendment concerns. The warrants required the company to disclose massive amounts of information concerning people who “liked” the page associated with the planned protests, as well as a host of other data closely linked to the exercise of expressive and associational freedoms: comments, photos, and messages containing information about political organizing and affiliations, for instance.
While Facebook could not challenge the constitutionality of the warrants itself, had the company not pushed back on the gag order, the targets would have been wholly unaware of the government’s demands — and unable to assert their own constitutional rights in response. Once notified of the requests, the targets retained the ACLU to represent them and succeeded in narrowing the government’s demands.
That small step towards transparency mainly reveals the scope of the problem
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/9730731/GettyImages_632226958.jpg)
Unfortunately, shining a light on this single case still leaves in obscurity the hundreds of thousands of similar orders that the government obtains each year. Issued by state and federal courts, the orders include both search warrants (which compel online service providers to disclose the content of emails, text messages, and Facebook status updates), as well as warrantless court orders (in which companies are told to produce metadata associated with such records, including dates, times, locations, and the names of the sender and recipient).
While search warrants require the government to show that it has “probable cause” that a crime has been committed, courts can order companies to produce customer metadata so long as it meets the very low bar of being “relevant” to an ongoing criminal investigation. Courts pretty much defer to law enforcement on what counts as relevant.
As with traditional search warrants, digital search orders are issued in secret proceedings to prevent tipping off suspects to the existence of an investigation. Of course, secrecy is always an element of criminal investigations; it would be nonsensical to alert criminal suspects in advance of searches.
But secrecy is particularly intense in the digital context. Indeed, the secrecy is so pervasive that it obscures the answers to important constitutional questions. When the police search your physical mail, the Fourth Amendment generally requires that they notify you afterward. By contrast, when they search your email they need not provide any notice to the user at all — only your email provider needs to be notified. This is the case even though digital data can be far more revelatory than physical mail, given that our apps collect, retain, and cross-reference information like location histories, the contents of emails, photographs, attachments, contact lists, and even dating preferences.
The gag orders on tech companies that receive government demands for user information — created by the “secrecy order” provision of the Stored Communications Act, enacted in 1986 — only aggravate the situation. Facebook is not alone in challenging gag orders: Microsoft has challenged the constitutionality of the government’s practice of seeking gag orders, saying it receives thousands annually.
In response to Microsoft’s lawsuit, the Department of Justice recently decreed that gag orders would not be issued in every case, and must have “an appropriate factual basis.” The new policy also advises that gags should last no longer than a year, barring exceptional circumstances. These rules are a step forward, but they don’t go far enough: they are only “guidance,” and only apply to federal prosecutors at the Department of Justice, not to the state and local police who also often seek digital data. More important, these improvements do not address the inexplicable distinction drawn between invasive electronic surveillance and its physical counterpart.
The best resource we have on surveillance: tech companies’ vague “transparency reports”
The very little information we have about these searches comes from the companies themselves. In the post-Snowden era, internet companies now issue “transparency reports” intended to convey some information about government demands for information and to burnish their bona fides as protectors of civil liberties. However limited, such reports still provide the most useful and granular information about electronic surveillance we have.
What they reveal is chilling. In 2016, Facebook received over 28,000 search warrants that affected nearly 45,000 users and accounts. Half of the demands Facebook received were accompanied by gag orders. During the first six months of 2017, AT&T and Verizon, the two largest cell phone providers in America, received over 70,000 warrantless court orders demanding sensitive information about consumers, including phone numbers dialed, calls received, and location history. Neither the federal government nor the states provide even the limited amount of information that AT&T and Verizon publish in their transparency reports.
While companies that act in their customers’ interests deserve praise, it’s obviously ludicrous to outsource the protection of American’s’ civil rights and liberties to these firms. But that’s the situation we’re in. Private companies are determining which tiny fraction of cases will garner public attention, and which will remain secret and go unnoticed. (What’s more, as mentioned, companies like Facebook are only in a position to challenge government secrecy; they can’t raise constitutional claims about the searches themselves.)
Though most of these electronic surveillance tools are used in ordinary criminal investigations, challenges to government secrecy are also taking place in the national security context: In the Ninth Circuit, Cloudflare, an internet security company, and Credo Mobile, a telephone service provider, are challenging the constitutionality of gag orders that accompany so-called “national security letters” — warrantless government demands for customer information issued by the FBI itself, without judicial oversight or involvement.
In the Northern District of California, Twitter is taking on government restrictions on how it’s allowed to publicly describe government demands for information under national security laws. Federal law allows companies to disclose how many national security letters, FISA warrants, and other national security demands they receive, but only in aggregate “bands” (a company might say it received between 0 and 249 national security demands in 2016). Twitter wants to be able to disclose the precise number of demands it receives each year.
In short, we lack the information to judge whether the government is snooping on people because of their political beliefs, national origins, or religious affiliations — which would be a flagrant violation of our Constitution. And even if we grant the need for much of this electronic surveillance, all this secrecy means we can’t judge its efficacy. The public should know, for example, if police in Philadelphia use electronic surveillance far more often than their counterparts in Phoenix.
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/8799681/GettyImages_118313163.jpg)
Secrecy also obscures legal reasoning: When the government argues in sealed filings that a new surveillance technology such as a StingRay — a device used by law enforcement to monitor communications of nearby cellphones — is not intrusive enough to require a search warrant, it can do so with the assurance that outsiders can’t scrutiny its reasoning. Secret law and secret technology create information asymmetries that make it almost impossible to hold the government accountable.
The Supreme Court prepares to step into the fray
This term, the Supreme Court will hear argument in U.S. v. Carpenter, perhaps the most significant Fourth Amendment case in a generation. While it won’t resolve all the issues I’ve touched on here, it will lay down a crucial marker in how courts treat electronic information. (Oral arguments are scheduled for Wednesday.)
In Carpenter, law enforcement officers obtained months of the defendant’s location history without a warrant: Police simply compelled Timothy Carpenter’s cell phone provider, MetroPCS, to provide his location history (by looking at which cell towers he was nearest). Prosecutors used the evidence, along with more conventional information, in their successful prosecution of Carpenter of six robberies. The Sixth Circuit concluded that this digital intrusion was, in fact, not a “search” under the Constitution at all. Because Carpenter’s location records were held by a third party, he had no “reasonable expectation of privacy.”
The United States is comparing the case to Smith vs. Maryland, in which, in 1979, the Supreme Court decreed that phone companies could turn over the numbers dialed from a given phone, without a warrant, because they were knowingly handed over to a third party (by the act of dialing).
The ACLU, which is helping to defend Carpenter, says a better analogy is United States v. Jones (2012), which held that attaching a GPS device to a suspect’s car requires a search warrant. The ACLU also argues that the third-party standard makes no sense in a world of iPhones. In short, should all of the deeply personal information we provide to fitness trackers, healthcare providers, insurance companies, and Tinder be made freely available to the government, just as phone numbers were in 1979?
We can hope that the court says “No.” In the meantime, relatively minor changes to local rules and practices would drastically improve the imbalance of information. Courts could adopt sunset provisions that would give secrecy an expiration date. Law enforcement agencies, and the courts, could agree to issue public annual reports concerning the use of electronic surveillance that could address a basic question: How many warrants or court orders for electronic data are sought each year?
Indeed, Congress and the Department of Justice already collect information on a variety of other surveillance tools — the intelligence community even discloses the number of people targeted for surveillance under the Foreign Intelligence Surveillance Act. The federal courts themselves already track information like the number of requests they receive to delay notice of searches. These key transparency tools could be easily applied in this new context.
Yes, we should be grateful that companies sometimes elect to protect their users’ interests — and we should demand that they do so more often. But for-profit companies should not, and cannot, serve as our main bulwark against civil-liberties violations. Until we force the government to make public the information necessary for democratic oversight, secrecy will remain the status quo. And secrecy almost always means the government can conceal abuses of its power.
Hannah Bloch-Wehba is a clinical lecturer in law, an associate research scholar, and a Stanton First Amendment Fellow at the Information Society Project at Yale Law School.
The Big Idea is Vox’s home for smart discussion of the most important issues and ideas in politics, science, and culture — typically by outside contributors. If you have an idea for a piece, pitch us at thebigidea@vox.com.
