President Obama had a signature opportunity in his January speech to limit the damage Edward Snowden’s revelations about National Security Agency (NSA) surveillance had done to U.S. foreign relations. But global response has been rather cool.
Obama called for increased transparency and an institutional advocate for civil liberties before the secret court that oversees the NSA. He recognized that foreigners have an interest in the privacy of their communications. And he announced future restrictions on the use of acquired data as well as his hope to move data storage out of the NSA’s hands. Yet he made clear he did not intend to end bulk collection of data or give foreigners legal rights to defend their privacy against unwarranted U.S. spying.
A month later, European and Brazilian efforts to turn the screws on U.S. companies over data protection continue full steam, and foreign officials remain skeptical of U.S. intentions. Snowden received eight Nobel Prize nominations from around the world. On the domestic front, many also found Obama’s speech wanting (“It was a nothing burger” was legal scholar Jonathan Turley’s memorable take).
In a world where almost all aspects of daily social and economic life have migrated online, the right to privacy has gained in importance, and not just for the paranoid few. It is a necessity for human rights activists and ordinary citizens around the world to freely speak, think, and associate without restrictions imposed by those who might wish to silence or harm them. At the same time, corporations and governments have acquired frightening abilities to amass and search these endless digital records.
The United States, once at the forefront of promoting the right to privacy as essential to modern life, has lagged behind in legal protection even as its spying prowess has burgeoned. As a model, this is ominous, for other nations are working hard to emulate U.S. surveillance capability by bringing more and more data within their reach.
There will be no safe haven if privacy is seen as a strictly domestic issue, and legal doctrine stays stuck in pre-digital time. A strong global right to electronic privacy demands recognition, in U.S. law and internationally.
A Short History of Privacy
The United States early developed a private legal “right to be let alone.” Suits against unwanted intrusion or exploitation of private details were popular, but the press fought back and often won on free expression grounds. Europe’s law often put more emphasis on reputational rights.
World War II and the rise of modern surveillance states gave impetus to privacy as a defense against government abuse. The Third Reich mined census data to carry forward its genocidal policies. Many authoritarian states also deployed elaborate surveillance and data collection systems to cow their populations and suppress dissent — practices still used in places like China, Vietnam, Iran, and Ethiopia.
Privacy was invoked to limit the government’s power of search and seizure. Judicially authorized warrants became a common requirement in many legal systems, and the notion of privacy of “correspondence” broadened to include new technologies, such as telephones, with laws regulating wiretaps.
The Technological Challenge
Yet protections often lagged behind technological change. In the 1928 Olmstead case, the Supreme Court held that an unauthorized wiretap did not violate the constitutional right of the people “to be secure in their persons, houses, papers, and effects.” In 1967, the court reversed course, determining that a person has “reasonable expectation of privacy” when talking in a public phone booth. This bit of common sense developed into a doctrine for when to limit government power to conduct warrantless searches.
The doctrine, however, has not always produced decisions that reflect common sense or popular expectations. Courts tend to focus more on what they think is reasonable for public safety. You may not expect warrantless aerial surveillance of your backyard, but the Supreme Court thinks that’s fine, provided that what the camera sees can be observed by the naked eye. Similarly, courts have ruled that we have no expectation of privacy for information we share as business records — phone or credit card transactions, for example. Never mind that refusing to convey such information essentially bars us from engaging in many realms of modern life.
When the administration disavows indiscriminately reviewing your “private” information, it means it considers the “metadata” — the where-when-who-how long and even subject of your communications — to be “business records,” no matter how detailed a portrait this provides of your daily life.
U.S. law has grown to equate privacy of communications with secrecy, an approach “ill-suited to the digital age,” Justice Sonia Sotomayor said recently in a case that rejected police GPS monitoring of a vehicle for weeks on end without a warrant.
Louis Brandeis, who as a young lawyer practically invented U.S. privacy law, warned of the lag between technological leaps and doctrine. Dissenting in Olmstead, he wrote: “Ways may someday be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.” Maybe in 1928 this sounded futuristic, but post-Snowden it seems weirdly prescient. Wiretaps eventually required warrants, but electronic surveillance metastasized in the 21st century under a secret regime of indulgent, minimalist judicial supervision.
A Different Path
The law in Europe took a different path. In 1983, the German Constitutional Court annulled the national census law, announcing “informational self-determination” as a fundamental democratic right. Integral to the modern European approach has been the belief that individuals have a right to access and correct their data held by various institutions, and ultimately to determine its use and disposal.
This approach to informational self-determination has found some parallel in a different branch of privacy jurisprudence. Key decisions around the world striking down sodomy laws and other aspects of physical autonomy have also invoked privacy, not simply as a “right to be left alone” but as a right to establish one’s identity and chosen relations. This relational view of privacy is essential to protecting minorities, dissidents, and freethinkers from persecution, not to mention simply enabling the rest of us to work out who we are and what we think.
Another area where the United States led was connecting anonymity — the ultimate data protection — to freedom of speech. No doubt it helped that many of the nation’s founders published revolutionary manifestos under pseudonyms. In April, the UN special rapporteur on the promotion and protection of the right to freedom of opinion, Frank LaRue, decried the “chilling effect” that restrictions on anonymity have had on the free expression of information and ideas.
The value of anonymous speech has only become more apparent in the wake of the shift of many aspects of modern life online, and the breakthroughs in our ability to store, search, collate, and analyze data with minimal cost. Anonymity now seems a last defense for both privacy and the many rights to which digital privacy provides access — such as speech, association, belief, and health.
Closing the Loopholes
Snowden’s revelations of massive global surveillance inflamed an existing debate about what constitutes mass surveillance and whether it is ever justified. To understand how we got there, the loopholes knit into U.S. law are as critical to understand as the technological backdoors.
The first loophole is that the United States does not consider itself bound, when its actions pose harm abroad, to respect foreigners’ rights in the way the Constitution requires it to respect rights at home. Moreover, the United States tries to limit its obligations under international human rights law in the same way. Although the president may choose to selectively limit data collection for reasons of comity (calling rather than bugging Angela Merkel, for example), ordinary foreigners who pose no conceivable threat to U.S. interests can’t legally challenge U.S. dragnet surveillance of their communications. Of course, the data of many U.S. citizens gets swept up in the dragnet too.
Another big loophole is that the United States considers digital metadata to be only business records, subject to little protection. Under section 215 of the Patriot Act, these records can be collected if they are merely “relevant” to investigating terrorism, counterespionage, or foreign intelligence generally—and we already know the surveillance court thought virtually all U.S. call records fit that standard.
The administration has also staked a position that use, not acquisition, is the point where data privacy is at stake. But the legal view in Europe is different, and few take comfort in the notion of a foreign entity collecting their data without permission so long as no one has read it (yet). Several domestic lawsuits — including one to which Human Rights Watch is a party — are challenging this point.
Unfortunately, nothing President Obama said would really close these loopholes tightly. And nothing has yet begun to address the breach of trust caused by recent allegations that the United States systematically tried to weaken strong encryption standards, use back-door access to technology and cable flows, or in other ways subvert the very architecture of privacy on the Internet.
Stung by U.S. monitoring of their leaders, Germany and Brazil co-sponsored a successful UN General Assembly resolution that asked the UN human rights expert to report on the harm caused by mass surveillance to privacy.
These issues will soon come before the UN Human Rights Council, the General Assembly, the European Court of Human Rights, and the U.S. Supreme Court. It would be wise for the Obama administration to modify its positions before these considerations reach the point of condemnation.
The administration can do so by immediately ending its indiscriminate, bulk interception programs, giving foreigners the same protections as citizens against unjustified invasion of privacy, ending efforts to weaken privacy protections in both the technical and legal domain, and proposing laws to help these changes survive into the next administration.
And it might help if Obama found a way to enable the man who started the debate — Edward Snowden — to come home without fearing a lifetime in prison. After all, one day they may both be Nobel laureates.