Law in the Internet Society

Tracing Data Privacy in U.S. Laws

-- By AndrewTaub - 06 Jan 2018

Introduction


This essay will examine how the topic of data privacy surfaces specifically in U.S. laws as well as how that legislation has evolved since the 1970s. The purpose is to trace how we got to where we are today and to assess the role of law in data privacy, alongside the two other forces of technology and politics. Over the years as regulation evolved, protecting data was never the sole and initial focus of U.S. laws; the focus was rather on creating ways for law enforcement to more easily access, collect, and analyze data to find criminal or terrorist actors and activity in the name of defending national security. For this reason, regulation regarding data privacy has never effectively developed in the U.S. in terms of controlling system providers and better serving and protecting end users. Mapping these laws reveals a continuous backward-looking process and can help to prepare for what new approach should be applied moving forward, and how.

Legislation in the 1970s


Driven by the illegal surveillance by Federal agencies during the Watergate scandal and the potential abuses presented by the U.S. Government’s increased use of computers to store data of citizens, Congress enacted the Privacy Act of 1974 which intends to protect an individual against unwarranted invasions of privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information.

With continued Senate Committee investigations in the mid-1970s into whether certain domestic intelligence activities were legal, the Foreign Intelligence Surveillance Act (FISA) was enacted in 1978. Through FISA, Congress wanted to establish judicial and congressional oversight of foreign intelligence surveillance activities and ensured secrecy when monitoring potential national security threats by establishing the Foreign Intelligence Surveillance Court (FISC), a special Federal court that holds nonpublic sessions to consider issuing search warrants.

The 1980s and 90s


Congress did not pass further legislation related to information privacy until 1986, when it enacted the Electronic Communications Privacy Act (ECPA). The Act was to “expand and revise Federal wiretapping and electronic eavesdropping provisions” and was meant to improve upon the “Wiretap Act,” which Congress enacted in 1968.[1] Its main purpose at the time was to improve and protect the capabilities of the U.S. Government to legally intercept communications.

In 1994, the Communications Assistance for Law Enforcement Act (CALEA) was enacted in response to concerns that the development in electronic communications was making authorized surveillance increasingly challenging for law enforcement agencies.[2] CALEA requires that telecommunications carriers and equipment manufacturers design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.

The 2000s


Following 9/11, Congress enacted The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) to provide and authorize law enforcement with new and improved tools to monitor, detect, and counter terrorist efforts. As examples, agents could use surveillance against an expanded set of terror crimes and obtain information on a greater range of terrorist-related crimes; target threats more precisely by tracking specific communication devices; and conduct investigations with greater flexibility by delayed notification to suspects.

By 2008, foreign intelligence targets outside of the U.S. were using communications services which were provided by U.S. ISPs. When FISA was enacted in 1978, the capabilities of electronic surveillance were based on technology of that time, so Congress amended FISA in 2008 and enacted Section 702 of FISA which “facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States.”[3] Under this method, investigators could exercise much broader discretion on the number of foreign persons they could acquire information about.

The Culminating Effect


The laws above have largely been driven by two main factors. The first is the development of technology. As new devices are invented, infrastructure created, or new services provided, the U.S. Government needed to revise and enact new laws to keep pace with these changes. The second is any significant event that might directly impact and necessitate a reevaluation of existing laws, whether it’s surveillance scandals (Nixon) or terrorist attacks (9/11). In these instances, the assessment has continuously been to increase and strengthen the U.S. Government’s capability to access more information more easily. The result of these two factors driving legislation has been a patchwork approach in which old or inadequate laws continue to be revised and amended.

While the government’s intent is to serve as a central authority, detect bad actors, and uphold justice, such laws inherently contend and knock against privacy over time. As Ann Bartow writes: “In many instances, privacy is threatened not by singular egregious acts, but by a slow series of relatively minor acts which gradually begin to add up.” Indeed, a central theme for why the U.S. needs to access information is the defense of its national security and capturing criminal behavior. But as a result of striving for greater safety, the government makes itself stronger and better at accessing private information at the expense of privacy and without concurrently seeking to equally strengthen data privacy and arm the individual with improved rights, especially when such Acts are not rolled back and the authority remains constant and certainly increases further. At the core of this is breeding fear that privacy is more of a means to conceal negative, harmful acts and behavior, rather than a fundamental right to protect.

What has developed over the years is a way for the U.S. Government to more broadly, and secretly, exercise its authority. This is harmful to data privacy when there is no mechanism of disclosure for how that data is being accessed and privacy being harmed. While not perfect, reforms should, for example, limit how surveillance searches are conducted and impose strict transparency measures. Indeed, Congress should consider deauthorizing old programs to break the practice of mending problematic, existing law and instead establish new legislation focused on strengthening the rights of data owners, rather than just the government’s.

I don't understand the effort yet. Data privacy laws, if we are talking about the subject of the course and your last essay, are not surveillance statutes describing government powers, but regulations affecting private parties. Those are not the subject of this draft. One could talk about the efforts of the 1970s (such as FERPA) and the non-regulatory vacuum of the present that corresponds to the presence of the GDPR in the EU. But that would not have anything to do with FISA or the PATRIOT Act. If the point was to shift to government listening, treating the statutes as standing on their own does not suffice either. The constitutional issues surely need some discussion. That's why, from my point of view, it's a different course.

For the purposes of improvement, I think the question is whether to change the packaging to suit the product, or the other way round. If you want to write an essay about surveillance, we can treat the history more as given, and come to the idea you want to propose about where to go from now. If you are writing about privacy and "data owners," on the other hand, a different legal background—such as the one I was suggesting in my comments on the first draft of the first essay—would be more helpful to discuss.



r2 - 01 Apr 2018 - 16:42:43 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.