Compliance without credit: the National Security Agency and the international right to privacy.
I. INTRODUCTION II. DESCRIPTIONS OF THE SECTION 215 AND SECTION 702 PROGRAMS A. Section 215. B. Section 702. III. THE RIGHT TO PRIVACY IN INTERNATIONAL LAW A. Universal Declaration of Human Rights (UDHR) B. International Covenant on Civil and Political Rights (ICCPR) C. United Nations Resolutions 1. General Assembly Resolution 68/167 D. United Nations Human Rights Committee Comments on the ICCPR's Right to Privacy E. United Nations Human Rights Council Special Rapporteur Report F. Case Law from European Courts 1. Weber and Saravia v. Germany. 2. Liberty and Others v. the United Kingdom 3. Digital Rights Ireland IV. APPLICATION OF RULES TO THE NS A PROGRAMS. A. Is the Information Collected Included in the Right to Privacy? B. Do the Programs Interfere with the Right to Privacy? C. Is the Interference Unlawful and Arbitrary? V. ANALYSIS OF PROPOSED REFORMS A. Presidential Policy Directive 28 (PPD-28) B. Moving Storage of Metadata from NSA to Private Companies C. Reducing the Amount of "Hops" Permitted After a Query D. Applying a Different Human Rights Framework VI. CONCLUSION
Recent disclosures regarding the National Security Agency's (NSA) intelligence operations have produced an intense backlash to what many characterize as gross overreaching by the United States. Previously, critics focused their ire domestically, arguing that the Section 215 (1) telephony metadata collection and the Section 702 (2) Prism programs violated U.S. law, such as the right to privacy under the Fourth Amendment to the U.S. Constitution. Now, however, critics from foreign governments and human rights groups have widened the aperture and charged the United States with violations of international law as well. (3) This new line of attack cites human rights in general, and the international right to privacy in particular. At first glance, it seems elementary that any NSA espionage program would violate any articulable right to privacy, but upon closer analysis, the programs not only comply with the right to privacy, they actually exceed the protections in many other countries (including those who have protested the loudest).
In March 2014 the Privacy and Civil Liberties Oversight Board (PCLOB) (4) invited comment regarding NSA surveillance compliance with international law and human rights instruments, the most predominant being the International Covenant on Civil and Political Rights (ICCPR). The debate instantly veered toward a well-worn topic of debate: the United States' policy decision not to apply the ICCPR extraterritorially. Most commentators characterize this debate as the defining and controlling contention. If the ICCPR applies extraterritorially, the United States has therefore violated human rights. (5) Conversely, others support the U.S. policy decision refusing extraterritorial application and therefore conclude the U.S. has violated no obligation whatsoever. (6)
This article argues that these discussions fail to address the deeper and more critical issues, and they ultimately evade evaluation of the Section 215 and Section 702 programs on their international legal merits. (7)
For purposes of a more thorough evaluation under international human rights law, this paper assumes that the ICCPR applies extraterritorially to the United States. It does not, however, necessarily follow that the United States has violated its human rights obligations. On the contrary, after critically evaluating the programs under the requirements of the international right to privacy, this paper argues that the Section 215 and Section 702 programs legally comply with the international right to privacy. The programs do raise legitimate privacy concerns, and some proposed changes would strengthen compliance, but, on the whole, the programs as constituted demonstrate a tolerable legal balance between privacy and national security.
This article begins by describing the Section 215 and Section 702 programs in light of recent NSA disclosures regarding the policies and procedures it must follow. Next, the evolution of the right to privacy is detailed, from the Universal Declaration of Human Rights, the ICCPR, United Nations Resolutions, Human Rights Council comments, and Special Rapporteur reports. This paper then reviews two cases from the European Court of Human Rights and one from the European Court of Justice offering examples of how some courts have applied international human rights principles to mass interception of communications and to the collection of bulk metadata. The final section evaluates recent proposed U.S. policy changes to determine if they would strengthen the United States' current compliance with the international human right to privacy. Here, this article argues that other human rights provisions may provide a superior framework for analyzing NSA's surveillance programs and their relationship to the right of privacy.
II. DESCRIPTIONS OF THE SECTION 215 AND SECTION 702 PROGRAMS
A. Section 215
"Section 215" as it is commonly called, is part of the Patriot Act (8) and codified at 50 U.S.C. [section][section] 1861-62. (9) Section 215 expanded the ability of the government to collect business records for the purpose of investigating known or suspected terrorist activity. It therefore differs from the majority of the Foreign Intelligence Surveillance Act (10) (FISA) provisions regulating foreign intelligence collection in general, where the goal is simply to gather foreign intelligence in all of its forms. The program is designed to determine whether "known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities in the United States." (11) Although the information can come from a variety of locations, Section 215 attempts to identify national security threats within the United States rather than throughout the globe.
Section 215 achieves this end by analyzing records of past telephone calls. 50 U.S.C. [section] 1861(a)(1) authorizes the Federal Bureau of Investigation (FBI) to apply to the Foreign Intelligence Surveillance Court (FISC) for an order to obtain "any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities...." (12)
The FISC will direct a business to produce bulk telephony metadata when "there are reasonable grounds to believe that the information sought is relevant to an authorized investigation of international terrorism." (13) Pursuant to this authority the FBI issues a subpoena to a telephone service provider in order to obtain the call records for its customers. (14) The information obtained is limited and only includes data about the call: the calls' origins, when the calls occurred, and the calls' durations. (15) This information, or metadata, does not include the contents of any telephone call.
Once received from a telephone company, the metadata rests in a database at NSA, and at this point no one has reviewed the information, and no one has analyzed anything. NSA technicians then query that database with an "identifier" to determine if the records respond to that identifier. (16) An identifier is information, such as the phone number of a suspected terrorist. The FISC-approved procedures require a "reasonable, articulable suspicion" that the identifier is associated with a foreign terrorist organization. (17) Operators cannot base their suspicion on freedom of expression activities protected by the F irst Amendment. (18) Only those records that respond to the query are subject to further analysis. (19) Metadata unresponsive to a query remains unseen due to technical controls in place at NSA. (20) The NSA then passes along responsive information to the relevant department or agency for action. For example, the FBI could use the information to initiate an investigation and to build a counter-terrorism case and to possibly petition the FISC for authorization to intercept the contents of communications to and from that number. (21) Thus, investigators must navigate two levels of judicial review prior to obtaining the contents of any communication via surveillance.
Under the FISC order, the NSA then takes those responsive records and expands to what they refer to as the next "hop." (22) A hop is simply the records associated with the first responsive results. For example if, by querying a terrorist phone number against the database, the phone number for "John Doe" appears, the NSA will then run another query to see with whom "John Doe" has communicated. Analyzing John Doe's number is the first hop. All of John Doe's responsive queries are then analyzed in the same manner. So, if John Doe communicated with Jane Doe and James Doe, both of their numbers will respond to the query using John Doe's phone number as an identifier. Jane Doe and James Doe are then the second hop. NSA will then query Jane Doe and James Doe, as the second hops, ultimately up to three hops. (23) What began with one response to a query (John Doe) can therefore expand exponentially to potentially thousands of people. This would still only amount to a miniscule fraction of the 3 billion phone calls made every day in the United States alone. (24)
Responses to queries only contain telephone metadata. (25) There is no content of the communication, so the NSA at this stage only knows that a terrorist overseas called a number in the United States on a certain date, at a certain time, and for a certain duration. (26) Granted, that is a significant amount of information, but the NSA does not know the subject or content of the communication. This is an important clarification. The NSA may be potentially tracking the calls someone makes, but it is not monitoring or listening into the call. This important distinction is often overlooked in discussions regarding the Section 215 metadata program. (27) It is important to keep the proper context. Section 215 is a monumental records review, not a tap on the phones of Americans. Just as importantly, Section 215 is not a dragnet on the communications of foreigners. Only identifiers that correspond to known or suspected terrorists are run against the database. Section 215 does not track or log the phone calls for all foreigners, and NSA analysts cannot simply input any phone number as an identifier. Section 215 obviously possesses the capability to chum through a tremendous amount of information, but the limitations of acceptable identifiers throttles attempts to expand its reach. For a sense of scope, less than 300 numbers were approved for bulk data retention queries in 2012. (28)
B. Section 702
Section 702 of the Foreign Intelligence Surveillance Act (29) (FISA), as amended, regulates collection for much broader categories of information. Section 702 targets internet communications rather than phone information. Instead of merely obtaining metadata, Section 702 permits the U.S. Government to obtain contents of entire communications, this time via "electronic communication service" providers located in the United States. (30) The statute establishes specific limitations, but they predominantly apply to U.S. citizens. Acquisitions cannot intentionally target "any person" known to be located in the United States, (31) so even a foreigner on U.S. soil cannot be targeted under this provision. Government operatives cannot circumvent this limitation by targeting an individual outside of the United States if the purpose of the acquisition is to target a "known person" in the United States. (32) The statute prohibits targeting a U.S. person outside of the United States (33) as well as any communication where the sender and the intended recipients are known to be located in the United States. (34) Finally, all acquisitions must be consistent with the Fourth Amendment to the U.S. Constitution. (35)
But even if the majority of limitations apply to U.S. citizens (or at least to U.S. borders), not all foreigners' emails are fair game. The NSA is only allowed to target someone outside of the United States in order to obtain "foreign intelligence information." (36) Foreign intelligence information is information needed to protect against "actual or potential attacks" from: foreigners, sabotage, international terrorism, or weapons of mass destruction proliferation by a foreigner, and clandestine intelligence activities by foreign powers. (37) Foreign intelligence also includes information relating to a foreign power that is necessary for the national defense and security of the United States or the conduct of foreign affairs of the United States. (38)
As with all foreign intelligence collection under FISA, Section 702 operations must obtain prior approval from the FISC. Instead of requiring the government to prove probable cause that an individual suspected target is a foreign power or an agent of a foreign power, the FISC reviews annual certifications from the Attorney General (AG) and the Director of National Intelligence (DNI) to ensure statutory compliance. (39) The FISC reviews the certification, and if it determines the certification is complete, the FISC "shall enter an order approving the certification and the use... of the procedures for the acquisition." (40) When the FISC determines that the certification does not meet the requirements, the NSA has a chance to correct any deficiency or it must stop collection already underway. (41)
The FISC has received a good deal of criticism for supposedly acting as a "rubber stamp" for NS A operators, (42) but upon closer analysis the claim is not warranted. The FISC actually rejects a greater percentage of FISA applications than Title III courts when presented with a surveillance warrant. (43) The FISC demands modifications to FISA applications as a matter of standard practice, and then approves the amended FISA submission. (44) This has produced the misconception that the FISC blindly approves 99% of FISA applications. (45) While this process may not yield the formal "rejection" craved by critics, it certainly demonstrates that the FISC actively scrutinizes government FISA application and does not merely "rubber stamp government operations.
Before any intelligence operation can begin, the FISC must approve targeting and minimization procedures under Section 702. (46) Review of the targeting procedures, rather than targets themselves, ensures that the operation does not intentionally capture U.S. persons or communications entirely within the United States. (47) Non-U.S. persons are only targeted if they possess, receive, or are likely to communicate foreign intelligence information relating to a topic that was certified by the AG and DNI as discussed above. (48) The NS A only obtains communications meeting statutory requirements; it cannot, for example, acquire every email from a given country.
When an NSA analyst identifies an individual meeting all of the FISC-approved Section 702 criteria, that person is considered a target. (49) The next step is to determine communications patterns of that target, until an analyst identifies a specific means of communication (phone, internet, etc.) preferred by that target. (50) This information in turn allows the NSA to obtain a unique identifier for the target, just as with the Section 215 query. (51) Under Section 702, an identifier can be a telephone number or email address. (52) The NSA calls this unique identifier a "selector." (53) Note that a selector is not a keyword; it is a specific phone number or email address. (54) Therefore, NSA analysts cannot probe the database with search terms such as "terrorism" or even "al Qaeda." The selector cannot be used to search political points of view or other areas of protected expression.
Each selector requires documentation that it meets the requirements under an authorized certification. (55) The documentation is verified by two "senior NSA analysts" who may request more information or clarification prior to approval. (56) The senior analysts' review undergoes further scrutiny by NSA's compliance division, as well as oversight from the Department of Justice (DOJ) and the DNI. (57) When that approval is obtained, the NSA uses the selector as the basis to compel a U.S. based communications service provider to forward communications associated with that selector. (58)
The NSA receives information under Section 702 via two methods. The government can supply Internet Service Providers (ISPs) with the selectors, and they then furnish the NSA with the communications to or from these selectors (this has been referred to as the PRISM program). (59) In the second method, the communication providers assist NSA in the lawful intercept of electronic communications "to, from, or about tasked selectors." (60) This is referred to as "upstream collection." (61) Unevaluated communications content and metadata obtained from service providers (i.e., the PRISM program) can be kept for up to five years. (62) Upstream collection of intercepted communications can only be kept for up to two years. (63) NSA implements an automated process to comply with these retention limits. (64)
Section 702 is subject to constant review processes to ensure its effectiveness. Every six months the AG and DNI must certify statutory compliance of Section 702 operations to the FISC, congressional intelligence committees, and the Judiciary Committees of both the Senate and the House of Representatives. (65) Each intelligence agency that acquires any information under Section 702 must also annually review whether or not foreign intelligence collection will still be obtained. The review must be provided to the FISC, the AG, the DNI, congressional intelligence committees, and the Judiciary committees from the House and Senate. (66)
The statute provides a remedy for those under Section 702 surveillance. If the government intends to use the results from a Section 702 surveillance in a criminal or administrative proceeding, the government must notify the subject of the surveillance of its intentions. (67) The subject then can challenge whether acquisition of the communication was lawfully executed. (68)
III. THE RIGHT TO PRIVACY IN INTERNATIONAL LAW
A. Universal Declaration of Human Rights (UDHR) (69)
As one of the foundational human rights documents, the UDHR ushered in the era of international human rights concepts following World War 11. (70) Adopted by the General Assembly on December 10, 1948, the UDHR established international acceptance of basic human rights tenets. (71) Included among these concepts was the right to privacy, which is stated as follows: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." (72)
As an aspirational and visionary document, the UDHR did not go into great detail regarding the components of this right. It neither articulates the right nor explains what actions constitute arbitrary interference. Still, it does introduce the notion that privacy as a right exists (in whatever form), and that any interference requires proper justification, not any government whim. It also provides that governments are required to protect the right in law. (73)
B. International Covenant on Civil and Political Rights (ICCPR) (74)
A watershed moment in human rights, the ICCPR was the first major international human rights treaty devoted to civil and political rights. The ICCPR cites UN member state obligations to "promote universal respect for, and observance of human rights." (75) The ICCPR aims to create conditions "whereby everyone may enjoy his civil and political rights, as well as his economic, social, and cultural rights." (76) One such right is the right to privacy. Article 17 of the ICCPR incorporates essentially the same definition of the right to privacy from the UDHR, which is: "1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks." (77)
Again, this is as far as it goes. Just as in the UDHR, the ICCPR does not define the right to privacy or expand upon what actions constitute "arbitrary interference with such a right. Notably, the ICCPR does not distinguish between citizens and non-citizens of a signatory, a crucial legal distinction under U.S. intelligence law. Article 2.1 requires all signatories "to respect and to ensure" the rights of the covenant irrespective of "national or social origin." (78)
C. United Nations Resolutions
1. General Assembly Resolution 68/167 (79)
The international backlash to the NS A programs has now been elevated to the United Nations with recent debates and resolutions criticizing U.S. intelligence activities and the NSA in particular. In December of 2013 the United Nations General Assembly entered the NS A surveillance fray by debating a resolution affirming the international right to privacy. The resulting resolution sponsored by Brazil and Germany entitled "the Right to Privacy in the Digital Age' noted that technical developments improving "surveillance, interception and data collection" may violate or abuse certain human rights, specifically the right to privacy as embodied in Article 12 of the UDHR and Article 17 the ICCPR. (80)
The Resolution affirmed the "human right to privacy" and imported the refrain that no one shall be subject to arbitrary or unlawful interference with his or her privacy. (81) Exercising this right allows individuals to then realize other rights, such as the rights to "freedom of expression" and to "hold opinions without interference." (82) While "concerns about public security" may permit some accumulation of "sensitive information," states must still comply with their human rights obligations. (83) The resolution expressed deep concerns, particularly about the collection of "personal data" on a mass scale, and affirmed that people have the same rights online that they do offline. (84)
In describing the right itself, Resolution 68/167 illustrates very little. It makes it clear that no one shall be subject to "arbitrary or unlawful" interference with his or her right to privacy, (85) but it does not define the right to privacy or present a conceptual framework defining the right. It only lets one know when the right to privacy has been violated: "unlawful or arbitrary surveillance and/or interception of communications" as well as the "highly intrusive acts" of unlawful and arbitrary collection of "personal data." (86) The resolution does not define "personal data" nor does it define "interference."
In the discussions of the draft resolution, Brazil (a co-sponsor along with Germany), stressed the importance of having a "timely and crucial debate on human rights violations" potentially arising out of "mass surveillance and the interception and collection of data." (87) North Korea supported the resolution as a means to force the United States to "rectify its human violations" resulting from its foreign intelligence activities. (88) Most countries that expressed support for the resolution did so on the basis that the resolution affirmed the application of the ICCPR to the digital age. (89)
D. United Nations Human Rights Committee Comments on the ICCPR's Right to Privacy
In its General Comment No. 16 regarding Article 17 of the 1CCPR, the UN Human Rights Committee (90) illustrated some of the principles behind the ICCPR's right to privacy. While still not actually defining the scope of the privacy right itself, the Committee did expound on the principles of the right. For instance, the Committee defined "unlawful" to mean "no interference can take place except in cases envisaged by the law." (91) Not any law, however, will justify interference. The law "must comply with the provisions, aims, and objectives of the Covenant." (92) The objectives of the ICCPR also apply to the determination of "arbitrary interference." (93) Arbitrariness affects any law justifying interference with the privacy right. (94) Even lawful interference with the right to privacy must be consistent with the aims and goals of the ICCPR, and such interference "should be, in any event, reasonable in the particular circumstances." (95) While providing some structure to the analysis, terms like "reasonable in the particular circumstances" are certainly subjective and will surely generate a wide range of reasonable conclusions.
Laws permitting interference with the right to privacy must specify "the precise circumstances in which such interferences may be permitted." (96) The accumulation of "personal information" (not defined) in databases requires legal regulation, and states must ensure that unauthorized persons do not obtain information of a person's "private life." (97) Such information must always be used in a manner consistent with the ICCPR. Individuals should have access to the identity of persons holding their information and the purposes behind the data retention. (98)
E. United Nations Human Rights Council Special Rapporteur Report
In 2013, the UN Human Rights Council (99) commissioned a report by Special Rapporteur Frank LaRue on the subject of "the promotion and protection of the right to freedom of opinion and expression." (100) The report analyzed state surveillance of communications and its implications on the rights to privacy and freedom of opinion. It also assessed the risks to human rights from the "new means and modalities of communications." (101) Recognizing that leaving the right to privacy undefined has caused problems in its application, Mr. LaRue defined the right of privacy as:
the presumption that individuals should have an area of autonomous development, interaction, and liberty, a "private sphere" with or without interaction with others, free from state intervention and from excessive unsolicited intervention by other uninvited individuals. The right to privacy is also the ability of individuals to determine who holds information about them and how that information is used. (102)
Mr. LaRue points out that Article 17, unlike other articles in the ICCPR, does not provide specific elements for limiting the right. (103) LaRue explicitly intertwines the right to privacy to the right to freedom of opinion and expression. The ICCPR's freedom from interference with correspondence produces a state responsibility to ensure that emails and other online communications are delivered to the intended recipient without "interference or inspection by the state." (104) He does not comment as to the state's role if these communications were criminal activity, such as terrorist plans, child pornography, or hate speech of the kind prohibited in many nations.
As noted in LaRue's report, one often-claimed justification for limiting a variety of rights has been national security, (105) and the United States is no exception. The danger, according to LaRue, is that such an "amorphous concept" will justify "invasive limitations on the enjoyment of human rights." (106) LaRue dismisses the necessity and benefits from national security efforts, only looking at such measures as ways for the state to manipulate the law and target vulnerable communities such as human rights groups, journalists, and activists. (107) LaRue gives precious little credit to the benefits of national security, namely the protection and safety of a nation's citizens.
LaRue offers the United States as Exhibit A for his concerns. In LaRue's opinion, the United States grants intelligence agencies "blanket exceptions" to the requirement of judicial authorization. (108) Specifically, he claims that FISA "empowers the National Security Agency to intercept communications without judicial authorization where one party to the communication is located outside the United States, and one participant is reasonably believed to be a member of a State-designated terrorist organization." (109) The accuracy of the last statement is subject to debate. As described above, Section 702 (110) achieves judicial approval on a programmatic level, where approval of targeting procedures themselves ensures that the intelligence target will fall within the statutory requirement of being "non-U.S. persons reasonably believed to be located outside the U.S." (111) The FISC may not approve each individual target, but that does not necessarily equate to an absence of judicial authorization.
If LaRue finds fault with no judicial authorization of interception, then it is strange to accuse the United States of such an infraction. Unlike other nations the United States devotes an entire specialized court to the issue of intelligence collection. Most other nations have no court involvement whatsoever in approving interceptions beforehand. (112) For example, the sponsors of UN Resolution 68/187, Germany and Brazil, each permit the interception of communications with no judicial oversight. (113)
F. Case Law from European Courts
Since the principles of Article 17 are rather vague, judicial interpretations can provide principles and guidelines to augment the ICCPR and its commentary. Although it applies the European Convention on Human Rights (114) rather than the ICCPR directly, the European Court of Human Rights (ECHR) (115) has applied international privacy principles to surveillance programs, and its decisions provide additional context to what the right of privacy looks like under international law. Another European Court with similar experience is the Court of Justice of the European Union. (116) Even though the United States is not bound by these decisions, they illustrate the application of international human rights principles to operations such as bulk data collection and communications interception. It is interesting to see how the NSA operations conform to them. The government programs that came before the European Courts met with varying degrees of success.
1. Weber and Saravia v. Germany (117)
In Weber v. Germany, the ECtHR reviewed a German "strategic monitoring" program that functioned by "intercepting telecommunications in order to identify and avert serious dangers threatening the Federal Republic of Germany, such as an armed attack on its territory, the commission of terrorist attacks, and certain serious offenses." (118) This bulk communications collection program permitted collection of data from throughout the world, not just in Germany. (119) The case was brought by German and Uruguayan citizens, claiming that their rights to privacy had been violated due to the potential of surveillance. (120)
Both the applicant and the government of Germany conceded that the monitoring of communications and the subsequent use of any information obtained interfered with secrecy of telecommunications envisioned in Article 8 of the ECHR, and the court made a point to emphasize that telephone conversations are included in the notions of "private life" and "correspondence." (121) The court then broadened the notion of interference to such a point that there need not be any actual interference at all. The applicants could not prove that the government surveillance interfered with their particular communications, but the "mere existence of legislation which allows for a system for the secret monitoring of communications entails a threat of surveillance...." (122) This "mere existence" of legislation authorizing collection posed a sufficient "threat" to communications that the court found an interference with the exercise of the right to privacy. (123)
Having established interference (without demanding proof of it), the court then turned to whether that interference was done "in accordance with the law," (124) as required by the ECHR. For purposes of the right to privacy, "in accordance with the law" requires three determinations. First, the surveillance measure should have "some basis in domestic law." (125) Second, the quality of the law demands that it be accessible to the person concerned, (126) and finally, the law's consequences must be foreseeable. (127)
Meeting the basis-in-law test was relatively straightforward since the surveillance at issue was executed pursuant to a parliamentary-approved law. The court then looked at public international law, and determined there was no sovereignty violation because Germany was intercepting communications signals from within its own borders (just like the NS A which gets Section 702 information from ISPs in the United States). (128) The accessibility of the law did not "raise any problems in this case" as the law was easily available and public. (129)
The foreseeability analysis was not so elementary. The court acknowledged operational necessities of intelligence programs when it said that foreseeability "cannot mean that an individual should be able to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct accordingly." (130) But the court then undermined this governmental privilege significantly by also requiring "clear, detailed rules on interception of telephone conversations," particularly as improved technology enables interception. (131) To make this balancing act even more difficult, the court concluded by demanding that the "domestic law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which ... public authorities are empowered to resort to" surveillance. (132) So, the government must tread a careful path of providing "clear, detailed rules" of a surveillance program without disclosing the amount of information that would permit the public from evading the surveillance altogether.
According to the court, Germany successfully walked this tightrope. The court found that Germany had met six minimum safeguards in its surveillance: (1) the nature of the offenses giving rise to surveillance were included in the statute; (2) the statute included a definition of people liable for surveillance; (3) there was a limit on the duration of the tapping; (4) procedures for examining, using, and storing data were articulated; (5) the statute required precautions when communicating data to other parties; and (6) the circumstances where recording will be erased were included. (133)
The court then evaluated the program's purpose and necessity. (134) Governments deserve a "wide margin of appreciation" in their efforts to achieve national security, but a surveillance system cannot be so encompassing as to threaten the democracy it purports to defend. (135) The court must therefore be satisfied that there are adequate safeguards against abuse. (136) Such adequacy is determined by circumstances such as the program's nature, scope, and duration, as well as remedies under the domestic law. Ultimately the court found the surveillance measures necessary to meet the German government's goals of national security and crime prevention. (137)
2. Liberty and Others v. the United Kingdom (138)
While the Weber court worked out well for the German surveillance program, the ECtHR did not treat a British surveillance system as kindly in Liberty and Others v. United Kingdom. The program at issue allowed the British Ministry of Defense to operate an Electronic Test Facility (ETF) "built to intercept 10,000 simultaneous telephone channels" between London and Dublin. (139) The applicants alleged that the ETF intercepted all forms of communication (telephone, email, and facsimile) between British telecom links carrying a good portion of Ireland's communication's traffic. (140) As the United Kingdom had enacted a public law the court found sufficient legal basis in the law. (141) But the law did not limit the type of external communications subject to interception, (142) a significant difference from the Section 702 program. At the time of issuing a warrant the Secretary of State had to "make such arrangements as he considered] necessary " to ensure material not covered by the certificate was not examined and that material requiring examination was only disclosed and reproduced to the extent necessary. (143) The problem with this structure was that the arrangements were not made public. (144) Even a separate approval from a Prime Minister-appointed Commissioner could not cure the defect of a lack of public availability. (145)
The court stressed some of the facts that made the Weber program legitimate that were absent from the U.K. program. (146) In Weber, the monitoring could only be executed with the help of search terms that related to the dangers they sought to stop, and those terms were listed in the monitoring order itself. (147) The German government had published detailed rules for destroying and storing data, and the authorities had to verify every six months that the data was still necessary (if no longer needed, the data was to be destroyed, with such destruction documented). (148) Finally, the German system provided some details regarding transmission, retention, and use of data. (149)
3. Digital Rights Ireland (150)
As helpful as those cases are in analyzing Section 702 collection they provide little help for Section 215 operations. Section 215 differs from the Weber and Liberty programs in many ways, but two stand out. First, and most importantly, there is no content of communications at issue. (151) Second, Section 215 does not involve any sort of intercept as telephony companies transfer phone records over to the NS A pursuant to a FISC order. (152) Section 215 does not permit the NSA to monitor phone calls or track calls; it simply runs analytics on business records (albeit, a tremendous amount of business records) and produces metadata.
The issue of metadata, and when its collection and review can run afoul of human rights law, was addressed by the Court of Justice of the European Union in Digital Rights Ireland. This case involved the review of Directive 2006/24/EC (153) of the European Parliament and of the Council, a directive that sought to harmonize data retention guidelines for member states for the prevention, investigation, detection and prosecution of criminal offenses. (154) Partly motivated by the terrorist attacks on the London underground, (155) the directive mandated public communications networks to retain six types of metadata: "data necessary to trace the identity and source of a communication;" "data necessary to identify the destination of a communication;" "data necessary to identify the date, time, and duration of a communication;" "data necessary to identify the type of a communication;" and "data necessary to identify users' communications equipment." (156) The metadata applied to both telephone calls (fixed line and mobile) and internet communications such as emails, internet access, and internet telephony. (157) The Directive, however, prohibited the retention of data that could reveal the "content of the communication." (158)
The court found (without a great deal of explanation) that the obligation to collect "data relating to a person's private life and to his communications" (i.e., metadata) interfered with the right to privacy. (159) Allowing authorities access to this information at a later date constituted a further interference with the right (here, the court cited Weber, although Weber dealt with the content of intercepted communications, not metadata). (160) Even though the metadata collection constituted a "serious interference" with privacy, the interference was not one to "adversely affect the essence" of privacy rights since the content of the communications was not collected. (161) Also, the court acknowledged the importance of National Security. (162) Retaining data to protect against serious crime, particularly organized crime and terrorism, was deemed "of the utmost importance," and the efficacy of efforts to combat these serious crimes may depend upon modern techniques. (163)
Despite these findings, the court still struck the Directive on the grounds that it was disproportional. (164) The Directive's treatment of everyone in the same generalized manner was the first problem. It applied to all people equally, and those who might never be prosecuted were grouped with those who might. (165) The court then took issue with the lack of objective criteria to determine limits of access and subsequent use. (166) "Above all," the court said, access was "not made dependent on a prior review carried out by a court or by an independent administrative body" that seeks to limit access and use to those things "strictly necessary for the purpose of attaining the objective pursued." (167) The "data retention period" proved to be the third problem, as it required the metadata to be retained between six and twenty-four months. (168) The court did not necessarily find that the period was too lengthy, but it required "objective criteria" to determine that duration of retention was limited to necessity. (169) The court then introduced the ubiquitous critique for all surveillance programs: the "risk of abuse," (170) but it did not identify specific risks associated with the program. The lack of sufficient safeguards to ensure protection of the data from unlawful access and use (171) also contributed to the directive's downfall. The final deficiency was that the Directive did not require data storage in the European Union. (172)
The proportionality analysis in Digital Rights Ireland demonstrates that not all courts grant the state the vast deference implied under Weber. Both Weber and Digital Rights Ireland dealt with national security, but the Digital Rights Ireland court did not find in security's favor despite the fact that the measures under review interfered with privacy much less than those under Weber.
The test presents some interesting implications for privacy law. A concept absent from U.S. privacy law, proportionality would theoretically provide the government with greater justifiability to promote national security over privacy interests in the event circumstances were dire enough. When the state's goal is national security, especially on an existential level, the resulting balancing of interests will tilt toward the state. This is supported by the deference that the Weber court says is due to governments for national security. Proportionality implies that we are willing to accept more intrusive measures if the goal of the surveillance is protection from security threats. When it comes to considerations such as protection from terrorists, few interests will trump, even those enshrined in human rights doctrine (assuming the threats are severe enough).
IV. APPLICATION OF RULES TO THE NS A PROGRAMS
A. Is the Information Collected Included in the Right to Privacy?
The first consideration regarding the application of the international right to privacy to Section 215 and Section 702 is whether or not their operations disturb protected information. With respect to Section 702, the intercepted communications most likely contain personal or private information. Since the communication itself is captured along with relevant metadata, more likely than not it is personal information. The Section 215 metadata is a bit different. That information is simply a list of previous phone calls, to whom they went, from whom they came, and how long they lasted. In U.S. courts, telephony metadata has been held by the third party doctrine to not be subject to a reasonable expectation of privacy, (173) so one could certainly argue that Section 215 data does not possess the requisite character to trigger application of the right to privacy. Human rights notions, however, do not incorporate an expectation-based approach, although they do evaluate reasonableness under the circumstances.
UN Resolution 68/167 uses the term "personal data" rather than "personal information," but again the UN fails to provide much context to the term's meaning. (174) "Data" is presumably broader than "information," and there is therefore a strong case to be made that the term includes telephony metadata. Such data does relate to an individual's phone calls, so it should be included in the term "personal data" even if it is not included in the term personal information. LaRue does not significantly differentiate between metadata and content and would protect the two equally. (175) Digital Rights Ireland, however, does make this distinction. (176) Still, it protects metadata without much discussion or reflection, although it did acknowledge that metadata compromises the essence of privacy less.
B. Do the Programs Interfere with the Right to Privacy?
If the programs do indeed deal with relevant privacy information, one next inquires as to whether or not there was any interference. A crucial consideration for any bulk collection or monitoring program is at what point does the inference actually take place? One can choose a variety of points in the bulk data continuum to choose for determining interference: enacting of legislation (as Weber does), (177) collection, query, or analysis.
Many would likely select the collection phase on bulk data, when emails or telephone records are collected in bulk. At this point, though, no person has seen the content or metadata of any communication. Moreover, given the volume of bulk data, odds are that no person will ever see a given communication. The longer the data is retained the greater probability that the data can be used now or in the future, but at this stage damage is more potential or abstract rather than concrete.
Upon the query, things become a little more interesting. Only the few responsive communications get pulled from the database and reviewed. The other billions simply get deleted without ever being reviewed or analyzed. While it certainly causes some discomfort knowing that for a significant amount of time one's communications are stored in a database out of one's control, if the communications do not respond to an indicator they will be deleted without ever being seen. It is not until the query, when the NSA runs the selector against the database that any single communication actually has the remotest possibility of being acknowledged by another human. It reasonably follows then, that any interference occurs only when the operator executes the query and the analytics produce a result, rather than at the time of collection. At the time of collection, privacy interference is potential rather than actual. Under this approach there is little if any interference with the right to privacy, especially from Section 215, due to the absence of collected content and the extreme unlikelihood that one's metadata will even be seen.
Under a Weber analysis, however, one does not have to even show actual interference. (178) Recall that the court decreed that a surveillance program must be enshrined in a law accessible to the public. (179) If public knowledge is required of a surveillance program, and if the knowledge of such programs is sufficient to establish interference, then the Weber court has essentially eliminated interference as a requirement of the violation of privacy. Under the Weber framework, the interference analysis is essentially moot in the presence of legislation such as Section 702 and Section 215. Every surveillance regime must be founded in law, and Weber argues that such a foundation equates to interference, even if no collection has in fact ever been done.
The Weber court admirably wrestled a novel and complicated issue, but the approach it takes is far from settled. As yet the decision has not attained the status of customary international law. It is certainly not binding on the United States, and other international courts are still free to decline following its conclusion. The great downside to Weber is that it cuts out one of the most contentious and fact-specific issues: when has interference actually occurred. With all due respect to the Weber court, the interference issue needs further discussion.
LaRue's approach similarly requires deeper analysis. When defining the scope of the privacy right, LaRue's conception is unreasonably broad in that he would grant a privacy interest in data in perpetuity. This reflects neither the virtual nor the physical world. When one sends a letter via the mail, the recipient has, generally speaking, lost control of the information in the letter. Absent a recognized legal duty otherwise, the recipient is free to copy the letter or to relay the contents to others. The recipient of an email likewise can print, forward, or copy the contents of any email that he or she receives without obtaining prior consent from either the email's originator or those who may have forwarded it. LaRue's approach to digital privacy essentially provides more protection than privacy in the real world.
If the right to privacy includes control over who holds one's information, then few nations comply with the right. All sorts of government organizations and bureaucracies, from revenue collection to census, maintain information of their citizens without any consent. Most people would probably delete their records from taxation or law enforcement agencies if given the opportunity, so implementing this component of LaRue's calculus would undermine even the most basic of governmental functions, not only national security.
C. Is the Interference Unlawful and Arbitrary?
Assuming for purpose of this discussion that the NSA's programs interfere with generally recognized privacy (or assuming that Weber controls and therefore interference is a given due to FISA), the analysis then turns to the issues of unlawfulness and arbitrariness. Here the U.S. programs comply fairly well.
Appling Weber and Liberty, Section 702 essentially meets all of the criteria. For the Section 702 collections, there is, as in Weber, a basis in the law, and it is accessible as FISA is publicly available. As the NS A PCLOB submission demonstrates, the NSA executed the surveillance based upon previously established and judicially approved criteria. (180) Section 702 clearly articulates what communications are susceptible to surveillance (those that would provide information needed to protect against "actual or potential attacks" from foreigners, sabotage, international terrorism, or weapons of mass destruction proliferation by a foreigner, and clandestine intelligence activities by foreign powers) (181) so the public knows what conduct triggers, in the European Court's words, "the conditions on which the public authorities were empowered," (182) The program undergoes regularly scheduled verification from the NSA, the AG, and the DNI. (183)
Section 702 also hits the six safeguards under Weber. The statute is clear what offenses justify the surveillance, and those liable for surveillance are readily identified (non-U.S. persons' communications relating to certain criminal activity made outside of the United States). (184) The duration is limited (two or five years, depending on how the information was obtained), (185) and the NSA's procedure for "examining, using, and storing data" are in place and blessed by the FISC prior to implementation. (186) Just as in Weber, Section 702 information can only be accessed once it responds to an identifier, and this use of identifiers provides operators with substantially less data than the Liberty program did. The identifiers also support a conclusion that Section 702 is proportional. Only data responding to identifiers is even seen, and the NSA cannot query terms designed to obtain information related to political viewpoints or freedom of expression. (187) The minimization procedures, as they apply to U.S. citizens at least, lay out precautions if the need for dissemination arises. Finally, the NSA PCFOB submissions make it clear that the data is automatically deleted after two or five years, so the final safeguard (inclusion of data erasure provisions) is covered. (188)
FISA also allows for a remedy for those who will potentially have their data used against them. If the Government intends to use the results of FISA surveillance, to include Section 702 surveillance, in a trial or other preceding against a person whose communications were collected, the Government must notify the person so that person can challenge whether the communications were acquired lawfully. (189) Putting all of that together, 702 would fare well in the Weber court.
Section 215 also comes out rather well when analyzed against the relevant judicial criteria. While the regulation at issue in Digital Rights Ireland was problematic, Section 215 would fare much better under the Digital Rights Ireland analysis. As helpful as the Digital Rights Ireland case is for illustration purposes, there are several distinguishing factors between the program covered there and Section 215. Directive 2006/24/EC was much more comprehensive than its American counterpart. Section 215 only collects phone records, (190) while the Ireland program collected a whole trove of metadata related to other forms of communication. (191) Section 215 therefore has even less effect on the "essence" of the right to privacy than Directive 2006/24/EC, but it still combats terrorism, one of the court's goals of "utmost importance." (192) This may produce a contrary proportionality determination from the European Court of Justice. Another significant difference is judicial review. Unlike Section 215, 2006/24/EC authorities had no independent judicial review in place prior to collection. The role of the FISC would meet the court's requirement for "prior review carried out by a court or by an independent administrative body (193) (thereby making sure there are sufficient access limitations and tailoring).
Section 215 hits most if not all of the court's criteria, (194) but it may contradict Digital Rights Ireland's requirement to avoid treating everyone in the same "generalised [sic] manner." (195) Any such treatment however occurs only in the collection phase. Using identifiers associated with known or suspected foreign terrorists segregates the vast majority of data from that which will be reviewed and analyzed. (196) There is also a bit of chicken and egg problem with any collection program. How is the government able to differentiate between suspicious communications and innocent ones? A government must be able to cull the suspicious from the general. It is only after the query that the government knows which communications to subject to further scrutiny. If, after that point, the government treated every communication the same, then that would raise significant legal concerns.
Whether the interference is arbitrary will mostly depend on the eye of the beholder. Any requirement for a law to be "reasonable under the circumstances" (197) will inevitably engender a wide array of legal conclusions. On one hand, one could reasonably argue that collecting information on people who have no relation to terrorism is not "reasonable under the circumstances." Even if the information is not traditionally tangible or physical the programs still collect information about potentially everyone with a communications device. That certainly makes the programs broad.
But that does not necessarily make them unreasonable. Interferences with privacy regularly take place on a macro level in order to thwart attacks. Airport searches, for example, occur in every airport against every person, in an effort to catch or discourage that one terrorist among the millions of harmless travelers. Ninety-nine percent of the people who pass through screening worldwide must do so even though they have absolutely no connection to a terrorist plot. (198) In that context, collecting old phone records and running them against an identifier in a signals intelligence (SIGINT) database looks somewhat minor. Again, no one will ever see the name or number of calls, unless those calls were to or from suspected terrorists. (199)
Reasonableness must be reviewed in the context of circumstances, and in the case of Section 215 and Section 702 the circumstances matter a great deal. The efforts are trying to halt future terrorist attacks or obtain crucial foreign intelligence. As terrorists increasingly rely upon cell phone technology and the internet for their communications, investigators must analyze such means of communications for relevant data. When one considers that future terrorists attacks may be prevented (domestically and internationally), then perhaps allowing personal information to sit in a database for two years where it in all likelihood will never be seen by any human being is a reasonable measure.
Certainly there will be those who will disagree with the author's perspective regarding when the right to privacy is triggered and whether or not storage of five-year-old phone records is cause for alarm. That is debate worth having, but in the place of reasoned debate we have over-reaction and premature legal conclusions. Sections 215 and 702 will never completely satisfy privacy advocates, but in reality what program would?
A detached and objective review of the NSA's policies reveals programs that are not shadowy Orwellian attempts to infiltrate the private sphere of the world's citizens. Rather, by and large the NS A has faced a difficult security and regulatory challenge with admirable compliance with the privacy requirements under international law. No government program, however, is perfect, and the Section 215 and Section 702 programs are now the subject of numerous recommendations intended to reform (or even to terminate) bulk data collection and retention.
V. ANALYSIS OF PROPOSED REFORMS
In the aftermath of the publicity maelstrom surrounding Section 215 and Section 702, there have been many suggestions regarding how to amend the programs to better ensure legal compliance. The recommendations predominantly address U.S. constitutional law, but several are applicable to the right to privacy under human rights law.
A. Presidential Policy Directive 28 (PPD-28) (200)
The most significant effort at reform of Section 215 and Section 702 comes from President Barack Obama. PPD-28 published general policy changes for an operational area traditionally classified and seldom discussed in public. While the President does not cite international human rights law as a motivation for the policy changes, some of the suggestions implicate the international right to privacy and improve upon the programs' compliance with international standards.
For example, the directive for the Assistant to the President and National Security Advisor and DNI to formally evaluate and review the programs on an annual basis (201) could have come straight out of Liberty v. the United Kingdom. As noted above, one of the fatal flaws with the U.K. program was the lack of review, where the program in Weber underwent a review every six months in order to validate its necessity. (202) Even though Section 702 already mandates a six-month review from the AG and the DNI, (203) the advantage to the review required by PPD-28 is that the results are reported directly to the President, so future political accountability is strengthened.
Section 4 of PPD-28, Safeguarding Personal Information Collected Through Signals Intelligence, answers international criticism regarding U.S. treatment of foreigners' information. (204) From now on, U.S. SIGINT programs will include "appropriate safeguards" for all personal information, "regardless of the nationality of the individual." (205) Procedures for minimization, dissemination, and retention will apply equally to American and non-Americans alike. (206) This directive certainly lacks specificity, especially in identifying safeguards and procedures, but the fact that foreigners' information is placed nearly on par with that of American citizens is significant. Now, the NSA will have to satisfy the FISC that all information, not just that of U.S. persons, is being protected.
This policy harmonizes the NSA bulk data programs with the ICCPR in that it lessens any incongruity with respect to "national origin." The ICCPR makes no distinction between the citizen of the collecting state and those from other states, so a state should complement the treatment of its citizens and foreigners as much as possible. (207)
B. Moving Storage of Metadata from NSA to Private Companies
President Obama established the President's Review Group on Intelligence and Communications Technologies in the aftermath of the Snowden disclosures. (208) The President tasked the Review Group to
assess whether, in light of advancements in communications technologies, the United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust. (209)
The President's Review Group provided numerous recommendations for improving bulk data collection, among them the suggestion to move data storage from the government (presumably the NSA) to private companies. (210) In this proposal, private companies would hold the data until the government needs to query the database. Some would breathe easier knowing that the government did not hold the information, but ultimately this just increases the number of people who have access to the data. There would also be an increased variance in the treatment of data, as each company would undoubtedly have its own distinct capacities, resources, and policies, and there would be some security lapses in violation of the Digital Rights Ireland's requirement to ensure data protection. (211)
In order to fulfill the requirements of minimal access and data security, there is one location that makes sense above all others: the NS A. A top-secret facility with restricted access, a mature oversight culture, and a history of keeping data shielded from unauthorized audiences, the NS A provides the most secure location with the smallest number of potential viewers. One might argue that the Snowden disclosures demonstrate a lack of reliable security at the NSA, but while the programs themselves have become more public, the contents of the databases have not. (212) It may seem counterintuitive, but if the goal is data security and limited access to information, it would be hard to find a more fitting location than the NSA. (213)
One thing that the NSA should do with respect to data retention, however, is to provide more justification for the duration of the retention. The data retention period, two or five years, (214) may not per se violate legal standards, but the NSA should explain how the amount of time it holds the data is consistent with Digital Rights Ireland court. They may present the rationale for their retention criteria to the FISC in private, but the government does need to provide some explanation for the length of data retention. Operational demands may prohibit public disclosure of the criteria, but, if so, NSA should at least let the public know this is the case. Data retention policies would seem relatively minor and operationally unthreatening, especially compared to some of the program information already released. (215)
C. Reducing the Amount of "Hops" Permitted After a Query
Of all of the recommendations, the most directly applicable to the international standards for the right to privacy would be the President's change in policy reducing the permissible number of hops from three to two. (216) The first hop, with those numbers directly in contact with someone communicating with a suspected terrorist, certainly justifies closer inspection. But the more hops that are permitted, the more attenuated the connection between the suspected terrorist identifier and an individual. The more hops one does, the less likely that those whose data one reviews are sufficiently connected to terrorism.
The more hops one allows, the less connected the operation becomes in relation to the suspect. Each additional hop increases the chances of accessing the data of those unconnected to the original identifier. By requiring additional review for additional hops, the process adds a layer of protection for those who do not fit the purpose of the Section 215 program. Operational efficacy, while compromised somewhat, is not completely undermined since investigators would have the opportunity to explore more hops by following established procedures to obtain additional authorization from the FISC. Former Director of NSA General Keith Alexander expressed the opinion that this would not unduly burden Section 215 operations. (217)
D. Applying a Different Human Rights Framework
From the original ICCPR text, to human rights reports, and ultimately even to human rights courts, one can charitably characterize articulation and application of the right to privacy as imprecise. When legal analysis turns on an undefined standard of arbitrary, the results can be, well, arbitrary. With a crucial judgment such as "arbitrary" left open to interpretation, there will always be inconsistent conclusions regarding any surveillance programs. Those who find the Section 215 and Section 702 programs unacceptable from a policy perspective will no doubt disagree that the programs largely comply with international law, but in all honesty, Article 17 of the ICCPR sets the legal bar relatively low.
This debate over Article 17 is especially frustrating in that there is really only one competing consideration at play in bulk surveillance programs: national security. The arbitrary argument is always manifested by a debate between privacy and national security. UN Resolutions even manifest this tension, as the Security Council itself under Chapter VII has called upon member states to "find ways of intensifying and accelerating the exchange of operational information, especially regarding actions or movements of terrorist persons or networks" and the "use of communications technologies by terrorist groups." (218) While not explicitly authorizing surveillance or bulk collection, the Security Council recognizes that terrorists are using new technology for their communications and that the prevention of future terrorist attacks depends upon states' knowledge of these communications networks. (219) These are precisely the goals of both Section 215 and Section 702.
As that is the case, this article recommends utilizing a human rights framework that reflects this dynamic. Such a framework can be found in Article 19 of the ICCPR, the right to freedom of expression. (220) The ICCPR permits restrictions to the right of expression, but only those that are "provided by law and are necessary" for the protection of "national security or of public order ... or of public health or morals." (221) This, in essence, is the fight over Section 215 and Section 702. (222) The advantage to this approach is that it distills the debate into its most crucial competing interests: privacy and national security. As a standard, "arbitrary merely restates the national security debate in other terms. Those who prioritize privacy over national security will inevitably find Section 215 and 702 "arbitrary," and vice-versa.
Recognizing the shortcomings in the current standard, Frank LaRue advocates for a new standard that requires surveillance measures to be "strictly and demonstrably necessary to achieve a legitimate aim." (223) Jordan Paust also looks to strengthen the right to privacy, but he looks to the European Convention on Human Rights (224) to craft a new protocol where surveillance programs must be "necessary in a democratic society in the interests of national security." (225) Both standards certainly clarify the privacy right, but one downside to these approaches (including this article's) is that they focus on the controversy of the moment to the exclusion of perhaps even greater threats to privacy rights.
Not every privacy threat comes from surveillance programs. Governments collect, store and disseminate medical information, (226) DNA, (227) and even their citizens' credit worthiness, (228) but these efforts have inspired nary a whisper from privacy advocates or the media. (229) Article 17 of the ICCPR does not only protect citizens from surveillance programs; all government action is covered. (230) If the legal standard is set too high, we risk outlawing beneficial programs that provide a great service to society. Financial and health databases certainly benefit society, but whether or not they are "strictly and demonstrably necessary" as required by Frank LaRue is debatable. (231) They also contribute nothing to national security. The programs, could, however, qualify under a "public order...[or] public health" (232) provision, adding more support for applying Article 19's formula to the right to privacy.
What then to make of traditional foreign intelligence? Amid the outcry over the tapped phones of politicians, foreign intelligence collection has become the bete noire of the human rights community. (233) This perspective completely misses the larger contributions of foreign intelligence operations, especially in the human rights arena. The intelligence community needs to support governments in their efforts to either thwart or prosecute human rights violations such as belligerent invasions in violation of international law (234) and human rights abuses. (235) Intelligence operations to fulfill these goals arguably fail the legal tests above, but they are crucial for the development of human rights and international law.
Perhaps the addition of one final clause is in order: at the end of Article 19 one can insert, "... or in other efforts protecting the rights enshrined in this convention." (236) This approach would echo the UN Human Rights Committee's requirement that interference of the right to privacy must "comply with the provisions, aims and objectives of the covenant." (237) Intelligence operations supporting the international human rights contained in the ICCPR would therefore be legal. The proportionality requirement from Digital Rights Ireland would also protect the right to privacy and keep it from being automatically subordinated to other rights from the ICCPR. It may not be fashionable to say so, but we must maintain a legal basis for international intelligence gathering, even if the best method for doing so is bulk data collection.
Despite the numerous claims of violating international law, when one looks closer at both of the Section 702 and Section 215 programs a different conclusion emerges. The technology may be daunting, and they may present the government with entirely new capabilities for monitoring its citizens, (238) but increased capability does not equate with violations of the law. (239) These programs narrowly tailor their targets, and any interference only truly occurs once information in a database responds to an identifier. Even applying the expansive view of privacy from the European Courts fails to change the outcome. While reasonable minds can conclude that the international right to privacy has been violated, an honest review of the issues acknowledges that significant credit is due the NSA and the FISC. Section 215 and Section 702 are not the blatant violations of rights that human rights groups and European governments have claimed, but compliance with human rights norms would be strengthened with the adoption of measures discussed above.
Simply because a program complies with the international right to privacy does not mean that discussions will end there. As currently articulated, the right to privacy is imprecise and easily malleable. Courts and commentators decry the potential for abuse in surveillance programs, but other government data programs pose similar threats to our privacy. When something is "subject to abuse," a government must establish oversight and institutions that will ensure that abuse is minimized and that operators who may be tempted to exceed legal limits are kept in check. That is precisely what has been done with the Section 215 and Section 702 programs. The programs can be improved, but the system in place deserves credit for largely complying with international human rights law despite an arguable lack of a legal or policy requirement to do so.
MAJOR PETER BEAUDETTE JR. *
* Major Peter Beaudette, Jr. is currently the Staff Judge Advocate for the Office of Military Cooperation-Kuwait, U.S. Embassy, Kuwait. He received a direct commission as an Air Force judge advocate in May 2004. Major Beaudette is admitted to practice law in California and the United States Court of Appeals for the Armed Forces. He received a B.A. in English from Rollins College, a Juris Doctor from the University of San Francisco, and a LL.M. from Columbia University in International Law.
(1) See discussion infra Part I. A.
(2) See discussion infra Part I.B.
(3) See Nick Hopkins & Ian Traynor, NSA And GCHQ Activities Appear Illegal, Says EU Parliamentary Inquiry, The Guardian, Jan. 9, 2014, http://www.theguardian.com/world/2014/ jan/09/nsa-gchq-illegal-european-parliamentary-inquiry; Amnesty Int'l USA & The Am. Civil Liberties Union, Privacy and Civil Liberties Oversight Board Public Hearing on Section 702 of the FISA Amendments Act March 19, 2014: Submission of Amnesty International USA and the American Civil Liberties Union 4-7 (Mar. 19, 2014), available at https://www.aclu.org/sites/ default/files/assets/aiusaaclusubmissiontopclob.pdf.
(4) The PCLOB's website describes its mission as "an independent, bipartisan agency within the executive branch ... vested with two fundamental authorities: (1) To review and analyze actions the executive branch takes to protect the Nation from terrorism, ensuring the need for such actions is balanced with the need to protect privacy and civil liberties and (2) To ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism." Privacy and Civil Liberties Oversight Board, http://www.pclob.gov/ (last visited July 16, 2014).
(5) See Laura Pitter, Human Rights Watch, Comments of Human Rights Watch: Privacy and Civil Liberties Oversight Board Hearing--March 19,2014, "The Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act," 1-9 (Mar. 19, 2014), available at http://www.hrw.org/sites/default/files/related_material/PCL0B%203-19-14%20 Hearing%20Submission_1.pdf (arguing that the current U.S. position denying extraterritorial application of the ICCPR is inconsistent with international practice and the meaning of the ICCPR).
(6) See John B. Bellinger III, Testimony of John B. Bellinger III: Privacy and Civil Liberties Oversight Board March 19, 2014 1-4 (Mar. 19, 2014), available at https://www.pclob.gov/ Library/20140319-Testimony-Bellinger.pdf (arguing that the ICCPR does not apply outside the United States or obligate the United States as a legal matter to respect privacy rights overseas).
(7) For an exception to this trend, see Peter Marguilles, The NSA in Global Perspective: Surveillance, Human Rights, and International Counterterrorism, 82 Fordham L. Rev. 2137 (2014). Unlike Marguilles, who finds that the NSA programs at issue comply with international law by applying the principle of complementarity, this article argues that the NSA programs meet the requirements of international human rights law more directly, and that therefore an application of the principle of complementarity is unnecessary.
(8) Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, Pub. L. No. 107-56, [section] 215, 115 Stat. 272, 287-88 (codified as amended in scattered sections of 8, 12, 15, 18, 20, 21, 31, 42, 49, and 50 U.S.C.).
(9) 50 U.S.C. [section][section] 1861-62 (2012).
(10) Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783 (codified as amended in scattered sections of 8, 18, and 50 U.S.C.).
(11) Administration White Paper, Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act, l(Aug. 9, 2013) available at http://big.assets.huffingtonpost.com/ Section215.pdf [hereinafter Section 215 White Paper].
(12) 50 U.S.C. [section] 1861(a)(1).
(13) Section 215 White Paper, supra note 11, at 1.
(14) While the precise amount of call data obtained remains unclear, some media outlets reports that the NSA obtains data on less than 20% of all telephone calls in the United States since the agency does not collect complete records on cellular calls. See Siobhan Gorman, NSA Collects 20% or Less of U.S. Call Data, Wall St. J, Feb. 7, 2014, http://online.wsj.com/news/articles/SB1000142405270 2304680904579368831632834004.
(15) Section 215 White Paper, supra note 11, at 1.
(16) Id. at 3.
(19) Id. at 4.
(20) Id. at 3.
(21) Id. at 4.
(22) Id at 3.
(23) Id. at 3-4.
(24) See Tim Cavanaugh, What Do They Know About You? An Interview with NSA Analyst William Binney, The Daily Caller, June 10, 2013, http://dailycaller.com/2013/06/10/what-do-they-knowabout-you-an-interview- with-nsa-analyst-william-binney/#ixzz37GXHZ6MJ
(25) Section 215 White Paper, supra note 11, at 2.
(27) See Editorial, This Week, Mass Surveillance Wins, N.Y. Times, Dec. 27, 2013, http://www. nytimes.com/2013/12/28/opinion/this-week-mass-surveillance-wins.html (referring to Section 215 as "mass surveillance"; Editorial, Bad Times for Big Brother, N.Y. Times, Dec. 21, 2013, http:// www.nytimes.com/2013/12/22/opinion/sunday/bad-times-for-big-brother.html?_r=0 (arguing that a free society must have security from "the fear that their conversations and activities are being watched, monitored, questioned, interrogated, or scrutinized").
(28) See Mattathias Schwartz, " We 're At Greater Risk": Q. & A. with General Keith Alexander, the New Yorker, May 15, 2014, http://www.newyorker.com/online/blogs/newsdesk/2014/05/were-atgreater-risk-q-a-with-general- keith-alexander.html?utm_source=www&utm_medium=tw&utm_campaign=20140515.
(29) Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, Pub. L. No. 110-261, 122 Stat. 2436 (codified in scattered sections of 8, 18, and 50 U.S.C.). Although the controversy is relatively new, the statute was passed in 2008 and was subject to much debate at the time. See Nat'l Sec. Agency, NSA Director of Civil Liberties and Privacy Office Report: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702 (Apr. 16, 2014), 2, available at http://www.dni.gov/files/documents/0421/702%20Unclassified%20Document.pdf [hereinafter NSA PCLOB Submission].
(30) 50 U.S.C. [section] 1881 a(h) (2012).
(31) Id. [section] 1881 a(b)(1).
(32) Id. [section] 1881 a(b)(2).
(33) Id. [section] 1881 a(b)(3).
(34) Id. [section] 1881a(b)(4).
(35) Id. [section] 1881a(b)(5).
(36) Id. [section] 1881a(a).
(37) Id. [section][section] 1801 (e)(1)(A)-(C).
(38) Id. [section][section] 1801 (e)(2)(A)-(B).
(39) See NSA PCLOB Submission, supra note 29, at 2.
(40) 50 U.S.C. [section] 1881 a(i)(3)(A).
(41) Id. [section][section] 1881 a(i)(3)(B)(i)-(ii)
(42) See Jameel Jaffer and Laura W. Murphy, Am. Civil Liberties Union, Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs, July 31, 2013 (testimony before the Senate Judiciary Committee) available at https://www.aclu.org/files/assets/ testimony.sjc_.073113.final_.pdf (arguing that "[structural features of the Foreign Intelligence Surveillance Court (FISC) have prevented the court from serving as an effective guardian of individual rights"); Eric Lichtblau, In Secret, Court Vastly Broadens Powers ofN.S.A., N.Y. Times, July 6, 2013, http://www.nytimes.com/2013/07/07/us/in-secret-court-vastly-broadens-powers- ofnsa.html?pagewanted=all&_r=0; Jennifer Granick & Christopher Sprigman, The Secret FISA Court Must Go, The Daily Beast, July 24, 2013, http://www.thedailybeast.com/articles/2013/07/24/ the-secret-fisa-court-must-go.html (asserting that "the FISC has denied not a single surveillance request in the past three years. By any measure, the court is simply a rubber stamp for the executive branch").
(43) Letter from the Honorable Reggie B. Walton, Presiding Judge for the Foreign Intelligence Surveillance Court, to the Honorable Patrick J. Leahy, Chairman, Comm, on the Judiciary, U.S. Senate, July 29, 2013, at n.6., available at http://www.fisc.uscourts.gov/sites/default/files/ Correspondence%20Leahy-1.pdf [hereinafter Leahy Letter],
(44) Id. at 2-4. See also Joel Brenner, The Data on FISA Warrants, Lawfare, Oct. 17, 2013, http:// www.lawfareblog.com/2013/10/the-data-on-fisa-warrants/
(45) See Brenner, supra note 44.
(46) NSA PCLOB Submission, supra note 29, at 3.
(47) Id. at 2.
(49) Id. at 4.
(55) Id. at 4-5.
(56) Id. at 5.
(62) Id. at 8.
(65) 50 U.S.C. [section] 1881a(l)(1).
(66) Id. [section] 1881a(l)(3)
(67) Id. [section] 1806(d).
(68) Id. [section] 1806(g). See also Ellen Nakashima, Terrorism Suspect Challenges Warrantless Surveillance, Wash. Post, Jan. 29, 2014, http://www.washingtonpost.com/world/national-security/terrorismsuspect-challenges- warrantless-surveillance/2014/01/29/fb9cc2ae-88f1-11e3-a5bd-844629433ba3_story.html
(69) Universal Declaration of Human Rights, G.A. Res. 217 (III) A, U.N. Doc. A/RES/217(111) (Dec. 10, 1948), available at http://www.un-documents.net/a3r217a.htm [hereinafter UDHR].
(70) The United Nations characterizes the UDHR as "a milestone document in the history of human rights ... as a common standard of achievements for all peoples and all nations. It sets out, for the first time, fundamental human rights to be universally protected." Office of the High Commissioner for Human Rights, Universal Delaration of Human Rights, http://www.ohchr.org/en/udhr/pages/ introduction.aspx (last visited August 4, 2015).
(72) UDHR, supra note 69, at art. 12.
(73) Id. at preamble.
(74) International Covenant on Civil and Political Rights, G.A. Res. 2000 (XXI), U.N. Doc. A/ RES/2000(XXI) (Dec. 16, 1966), available at http://www.un-documents.net/iccpr.htm [hereinafter ICCPR].
(75) Id. at preamble.
(77) Id. at art. 17.
(78) Id. at art. 2.1. Again, this assumes extraterritorial application of the ICCPR.
(79) G.A. Res. 68/167, U.N. Doc. A/RES/68/167 (Jan. 21, 2014), available at http://www.un.org/en/ ga/search/view_doc.asp?symbol=A/RES/68/167.
(80) Id. at 1.
(83) Id at 2.
(85) Id. at 1.
(86) Id. at 2.
(87) U.N. GAOR, 68th Sess, 51st mtg. at 6, U.N. Doc. A/C.3/68/SR.51 (Jan. 16, 2014), available at http://documents-dds-ny.un.Org/doc/UNDOC/GEN/N 13/582/57/pdf/N 1358257. pdf?OpenElement.
(88) Id. at 6-7.
(89) See id at 6 (where Germany stated that the ICCPR's articles 2 and 17 "formed a sound basis for the terms of the draft resolution"); id. at 7 (Canada asserted that states must ensure the rights to privacy and expression were "both respected online and offline"); id. (Australia supported the draft resolution in order to affirm that the ICCPR "remained applicable in the digital age").
(90) The United Nations High Commissioner for Human Rights describes the Human Rights Committee as "the body of independent experts that monitors implementation of the International Covenant on Civil and Political Rights by its State parties." Office of the High Commissioner for Human Rights, Human Rights Committee, http://www.ohchr.org/EN/HRBodies/CCPR/Pages/ CCPRIntro.aspx (last visited August 4, 2015).
(91) U.N. Human Rights Comm., Gen. Comment No. 16: Article 17 (Right to Privacy), 32nd Sess., Apr. 8, 1988, para. 3, U.N. Doc. HRI/GEN/l/Rev.9 (Vol. I), at 191 (2008), available at http:// documents-dds-ny.un.org/doc/UNDOC/GEN/G08/422/35/pdf/G0842235.pdf?OpenElement [hereinafter ICCPR Art. 17 General Comment].
(93) Id. at para. 4.
(96) Id. at para. 8.
(97) Id. at para. 10.
(99) The Human Rights Council "is an inter-governmental body within the United Nations system responsible for strengthening the promotion and protection of human rights around the globe and for addressing situations of human rights violations and make recommendations on them." Office of THE High Commissioner for Human Rights, Human Rights Council, http://www.ohchr.org/EN/ HRBodies/HRC/Pages/AboutCouncil.aspx (last visited August 4, 2015).
(100) U.N. Human Rights Council, Rep. of Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, U.N. Doc. A/HRC/23/40 (Apr. 17, 2013), available at http://documents-dds-ny.un.org/doc/UNDOC/GEN/G13/133/03/pdf/G 1313303. pdf?OpenElement [hereinafter Special Rapporteur Report],
(101) Id. at para. 5.
(102) Id. at para. 22.
(103) Id. at para. 28. LaRue references Article 19, freedom of expression. Para. 3 of Article 19 provides that restrictions of the rights must be provided by law and necessary: 1) for respect of the rights or reputations of others; and 2) for the protection of national security or of public order (order public), or of public health or morals. ICCPR, supra note 74, at art. 19.
(104) Special Rapporteur Report, supra note 100, at para. 24.
(105) Id. at para. 58.
(106) Id. at para. 60.
(108) Id. at para. 59.
(109) Id. (emphasis added).
(110) Section 215 is inapplicable to this accusation, as the program does not intercept communications.
(111) NSA PCLOB Submission, supra note 29, at 2.
(112) See infra Part II.F.
(113) See Christopher Wolf, "A Transnational Perspective on Section 702 of the Foreign Intelligence Surveillance Act (Mar. 19, 2014)" available at http://www.lawfareblog.com/wpcontent/uploads/2014/03/Christopher-Wolf.pdf (demonstrating the lack of judicial oversight in other nations' surveillance regimes). In Brazil, for example the Brazilian intelligence Agency ("ABIN") coordinated the intelligence operations of various government agencies, such as the central bank, the Federal Police, the Revenue Service, and numerous government ministries. Recent legislation has expanded the ABIN's ability to exchange information with other government departments and integrated its databases with that of the police. Id. at 9 (citing Bruno Magrani, Systemic Government Access to Private-Sector Data in Brazil, 4 Int'l Data Privacy L. 30,35 (2014)). German intelligence agencies are authorized to conduct "strategic surveillance" to investigate specific threats or to even "proactively gather relevant information about other countries that are important to the foreign and national security policy of Germany. Id. at 11-12 (citing Paul M. Schwartz, Systematic Government Access to Private Sector Data in Germany, 2 Int'l Data Privacy L. 289, 291 (2012)).
(114) Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, Nov. 4, 1950, available at http://www.echr.coe.int/Documents/Convention_ENG.pdf [hereinafter European Convention on Human Rights (ECHR)]. Article 8 of the convention, articulates the Right to Privacy in a slightly different way from the ICCPR. Section 1 states that "Everyone has the right to respect for his private and family life, his home and his correspondence." Id. at art. 8, [section] 1. Section 2 then provides guidance regarding what constitutes permissible interference with that right:
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Id. at art. 8, [section] 2.
(115) The European Court of Human Rights is an international court established in 1959 to rule on individual or State applications alleging violations of the civil and political rights set out in the European Convention on Human Rights. European Court of Human Rights, http://www.echr.coe. int/Documents/Court_in_brief_ENG.pdf (last visited August 4, 2015).
(116) The Court of Justice of the European Union has three roles: (1) it "reviews the legality of the acts of the institutions of the European Union;" (2) it "ensures that the Member States comply with obligations under the Treaties;" and (3) it "interprets European Union law at the request of the national courts and tribunals." By cooperating "with the courts and tribunals of the Member States, it ensures the uniform application and interpretation of European Union law." Court of Justice of the European Union, http://curia.europa.eu/jcms/jcms/Jo2_6999/ (last visited August 4, 2015).
(117) Weber and Saravia v. Germany, 2006-X1 Eur. Ct. H.R. 309.
(118) Id. at 315
(119) Id. at 315-16
(121) Id. at 331.
(122) Id. at 331-32.
(123) Id. at 332.
(124) Id. The European Convention requirement that the interference be done "in accordance with the law" is analogous to the ICCPR requirement that the interference not be "unlawful."
(125) Weber, 2006-X1 Eur. Ct. H.R. at 333.
(126) Id. at 333.
(128) Id. at 333-34.
(129) Id. at 335.
(133) Id. at 336-37.
(134) Id. at 337. Again, purpose and necessity are not required terms from the ICCPR but from the European Convention.
(135) Weber, 2006-XI Eur. Ct. H R. at 338.
(137) Id. at 346
(138) Liberty and Others v. the United Kingdom, no. 58243/00 (Eur. Ct. H.R. July 1, 2008), available at http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-87207.
(139) Id. at para. 5.
(141) Id. at para. 60.
(142) Id. at para. 64.
(143) Id. at para. 66.
(145) Id. at para. 67.
(146) Id. at para. 68.
(150) Case C-293/12, Digital Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources and Others, EU:C:2014:238 available at http://curia.europa.eu.
(151) See discussion supra Part I.A.
(152) See id.
(153) Council Directive 2006/24/EC, 2006 O.J. (L 105) 54, available at http://eur- lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32006L0024&qid=1432211757508&from=EN.
(154) Digital Rights Ireland, EU:C:2014:238 at para. 6.
(155) Id. at para. 14.
(156) Id. at para. 16 (citing Directive 2006/24/EC, supra note 153, at art. 5.1).
(157) Id. (citing Directive 2006/24/EC, supra note 153, at art. 5.1.(a)).
(158) Id. (citing Directive 2006/24/EC, supra note 153, at art. 5.2).
(159) Id. at para. 34.
(160) Id. at para. 35.
(161) Id. at para. 39.
(162) Id. at para. 41.
(163) Id. at para. 51.
(164) Id. at para. 56.
(165) Id. at para. 57.
(166) Id. at para. 60.
(167) Id. at para. 62.
(168) Id. at para. 63.
(169) Id. at para. 64.
(170) Id. at para. 66.
(172) Id. at para. 68.
(173) See Smith v. Maryland, 442 U.S. 735 (1979).
(174) G.A. Res. 68/167, supra note 79, at 1.
(175) See discussion supra Part II.E.
(176) See discussion supra Part II.F.3.
(177) See discussion supra Part II.F.1.
(178) See id.
(179) Weber and Saravia v. Germany, 2006-XI Eur. Ct. H.R. 309, 333.
(180) NSA PCLOB Submission, supra note 29, at 1-2.
(181) See 50 U.S.C. [section] 1881a(a) (referencing "foreign intelligence information," which is defined by 50 U.S.C. [section] 1801 (e)(1)(A)-(C)).
(182) Liberty and Others v. the United Kingdom, no. 58243/00 (Eur. Ct. H.R. July 1, 2008) at para 93.
(183) See NSA PCLOB Submission, supra note 29, at 2.
(184) See 50 U.S.C. [section] 1881a(a).
(185) NSA PCLOB Submission, supra note 29, at 8.
(186) See id. at 2.
(187) See 50 U.S.C. [section] 1881a(b)(5).
(188) NSA PCLOB Submission, supra note 29, at 8.
(189) 50 U.S.C. [section] 1806(d).
(190) 50 U.S.C. [section] 1861 (a)(1).
(191) Case C-293/12, Digital Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources and Others, EU:C:2014:238, at para. 16, available at http://curia.europa.eu. (citing Directive 2006/24/EC, supra note 153, at art. 5.1).
(192) Id. at para. 51.
(193) Id. at para. 62.
(194) But see Jaffer and Murphy, supra note 42, at 4-6 (arguing that the metadata collection as practiced is not authorized under Section 215, so such collection operations are not, in fact, authorized by law). This view therefore undermines the determination that Section 215 is executed lawfully, so it would violate ICCPR Art. 17.
(195) Digital Rights Ireland, EU:C:2014:238 at para. 57.
(196) The collection dynamic presents a different challenge under U.S. law than it does under European law. Under U.S. law, failure to treat everyone in the same generalized manner is often labeled "profiling."
(197) ICCPR Art. 17 General Comment, supra note 92, at para. 4.
(198) One could argue that airport searching is not interference since it is done with "consent." Such consent, however, is somewhat compelled by the lack of alternatives. If one does not consent, one does not travel by air. Also, what is a more significant infringement to privacy: a revealing image of your body, or phone records in a database that no person will ever see?
(199) See discussion supra Part I.A.
(200) Presidential Policy Directive 28, Signals Intelligence Activities, 2014 Daily Comp. Pres. Doc. 31 (Jan. 17, 2014), available at http://www.gpo.gov/fdsys/pkg/DCPD-201400031/pdf/DCPD201400031.pdf [hereinafter PPD-28].
(201) Id. at 3.
(202) See discussion supra Part II.F.1. and Part II.F.2.
(203) See, NS A PCLOB Submission, supra note 29, at 2.
(204) PPD-28, supra note 200, at 4.
(207) See discussion supra Part II.B. For a discussion regarding responsibilities to foreigners under surveillance operations, see Marko Milanovic, Foreign Surveillance and Human Rights, Part 1: Do Foreigners Deserve Privacy?,EJIL: Talk!, Nov. 25, 2013, http://www.ejiltalk.org/foreignsurveillance-and-human- rights-part-1-do-foreigners-deserve-privacy/.
(208) Memorandum on Reviewing Our Global Signals Intelligence Collection and Communications Technologies, 2013 Daily Comp. Pres. Doc. 567 (Aug. 12, 2013), at 1, available at http://www.gpo. gov/fdsys/pkg/DCPD-201300567/pdf/DCPD-201300567.pdf.
(210) President's Review Grp. on Intelligence and Commc'ns Techs., Liberty and Security in a Changing World: Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies, 25, (Dec. 12, 2013), available at http://www. whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf [hereinafter President's Review Group Report],
(211) Case C-293/12, Digital Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources and Others, EU:C:2014:238, at para. 6, available at http://curia.europa.eu.
(212) See Schwartz, supra note 28.
(213) The Review Group's later recommendation to terminate the use of "for profit" corporations to conduct personnel investigations is strange in the context of this suggestion. President's Review Group Report, supra note 210, at 238. Why would the private sector be trusted to hold, manage, analyze and protect intelligence data when they are apparently not trusted enough to run relatively simple background checks? Note that President Obama has made the same proposal. See, Statement on the National Security Agency's Section 215 Bulk Telephony Metadata Program, 2014 Daily Comp. Pres. Doc. 213 (Mar, 27, 2014), available at http://www.gpo.gov/fdsys/pkg/DCPD 201400213/pdf/DCPD-201400213.pdf.
(214) NSA PCLOB Submission, supra note 29, at 8.
(215) The Section 215 White Paper, supra note 11 and the NSA PCLOB Submission, supra note 29 reveal many more details about the metadata collection program.
(216) Press Release, The White House, Office of the Press Sec'y, FACT SHEET: The Administration's Proposal for Ending the Section 215 Bulk Telephony Metadata Program (Mar. 27, 2014), available at: http://www.whitehouse.gov/the-press-office/2014/03/27/fact-sheet-administration-s-proposal ending-section-215-bulk-telephony-m.
(217) See Schwartz, supra note 28.
(218) S.C. Res. 1373, para. 3.(a), U.N. Doc. S/RES/1373 (Sept. 28, 2001), available at http://www. un.org/en/ga/search/view_doc.asp?symbol=S/RES/1373(2001). Peter Marguilles astutely points out tensions between UN positions on the right to privacy and earlier Security Council Resolutions that stress the importance of anti-terrorism measures. See Marguilles, supra note 7, at 2154-55.
(219) One could argue that, according to the UN at least, undermining terrorist exploitation of the internet is even more important than internet privacy considerations as Security Council Resolutions acting under Article VII of the UN Charter are binding to member states (Article 25, UN Charter) and General Assembly Resolutions are not (Article 14, UN Charter).
(220) Under the ICCPR, the right to freedom expression "shall include the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, either orally, or in writing or in print, in the form of art, or through any other media of his choice," ICCPR, supra note 74, at art. 19.2.
(221) Id. at art. 19.3. Note that Article 19.3(a) includes a requirement "for the respect of the rights or reputations of others," but this requirement is not germane to the right to privacy. Id.
(222) Article 19 should not be imported in its entirety, as the protection of "morals" would certainly not be compelling enough for a state to justify bulk data collections.
(223) Special Rapporteur Report, supra note 100, at para. 83(b).
(224) See, European Convention on Human Rights, supra note 115.
(225) Jordan J. Paust, Can You Hear Me Now?: Private Communication. National Security, and the Human Rights Disconnect, 15 Chi. J. Int'l L. 612, 649 (2015).
(226) See Peter Roff, Big Brother: Ohamacare Looks to Collect Private Medical Info, U.S. News and World Report, July 28, 2011, http://www.usnews.com/opinion/blogs/peter-roff/2011/07/28/bigbrother-obamacare-looks-to- collect-private-medical-info.
(227) See Dominic Casciani, Q&A: The National DNA Database; BBC News, May 7, 2009, http:// news.bbc.co.uk/2/hi/uk_news/7532856.stm.
(228) See Richard Pollock, New Federal Database Will Track Americans' Credit Ratings, Other Financial Information, Wash. Examiner, May 30, 2014, http://washingtonexaminer.com/newfederal-database-will-track- americans-credit-ratings-other-financial-information/article/2549064.
(229) When considering the character of the information contained in such databases, it is difficult to justify the obsession with a database of old telephone records in one of the most secure facilities in the world. These other databases contain infinitely more sensitive information, but their operation and maintenance are not governed by anything remotely as strict as the FISC nor is the data stored in a facility as secure as NSA.
(230) ICCPR, supra note 74, at art. 17.
(231) Special Rapporteur Report, supra note 100, at para. 83(b).
(232) ICCPR, supra note 74, at art. 19.
(233) Some argue that pursuing foreign intelligence is Hot in and of itself a laudable end. See, Pitter, supra note 5, at 17 (arguing that the definition of "foreign intelligence" under FISA should be amended to disallow "collection of foreign intelligence information merely because it aids in the conduct of foreign affairs"). Such reasoning based on "international law" is odd as it completely disregards centuries of established state practice.
(234) See Adam Entous, Julian E. Barnes, & Siobhan Gorman, U.S. Scurries to Shore Up Spying on Russia, Wall St. J., Mar. 24, 2014, http://online.wsj.com/news/articles/SB10001424052702304026 304579453331966405354.
(235) See Joby Warrick, More Than 1,400 Killed in Syrian Chemical Weapons Attack, U.S. Says, Wash. Post, Aug. 30, 2013), http://www.washingtonpost.com/world/national-security/nearly 1500-killed-in-syrian-chemical-weapons-attack-us-says/2013/08/30/b2864662-1196-11e3-85b6d27422650fd5_story.html.
(236) Under this article's formula, restrictions to privacy would be allowed when, "required by law and are necessary for the protection of national security, public order, public health or in other efforts protecting the rights enshrined in this convention."
(237) See ICCPR Art. 17 General Comment, supra note 91, at para. 3.
(238) Some claim that such capabilities have produced a "golden age of surveillance." See, Alan Rusbridger, What Now for the Surveillance State!, The Guardian, Dec. 2, 2013, http://www. theguardian.com/world/2013/dec/02/alan-rusbridger-surveillance-state-spies-gchq-nsa.
(239) But see U.S. v. Jones, 132 S. Ct. 945 (2012), where the concurring opinions from Justices Sotomayor and Alito raised the possibility that technological change may alter the legal calculus for future privacy determinations under U.S. Constitutional Law. Justice Sotomayor thought the third party disclosure approach from Smith v. Maryland, 442 U.S. 735 (1979), "ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks." Jones, 132 S. Ct. 945 at 957. Justice Alito argues that the long-term surveillance capabilities of a GPS tracker contradict traditional notions of privacy: "society's expectation has been that law enforcement agents and others would not--and indeed, in the main, simply could not--secretly monitor and catalogue every single movement of an individual's car for a very long period." Id. at 964.
|Printer friendly Cite/link Email Feedback|
|Author:||Beaudette, Peter, Jr.|
|Publication:||Air Force Law Review|
|Date:||Dec 6, 2015|
|Previous Article:||Time to reconsider in-court representation of legal assistance clients.|
|Next Article:||50 years later ... still interpreting the meaning of 'because of sex' within Title VII and whether it prohibits sexual orientation discrimination.|