News, Developments, and Insights

Electronic Surveillance

Currently, there’s a debate raging about whether the phone companies violated the law when they supplied phone call records to the NSA. Orin Kerr opines:

The Stored Communications Act, 18 U.S.C. 2701-11, only regulates two kinds of providers: providers of electronic communication service and providers of remote computing service. Everyone agrees that the telephone companies are not acting as providers of remote computing service, so if they are liable they must be acting as providers of electronic communication service. . . .

A local telephone company is clearly a provider of electronic communication service: it literally provides users the ability to send or receive telephone calls. But is a company that only provides long distance service a provider of electronic communication service?

Maybe, but I’m not entirely sure. I don’t know much about how modern telephone networks work, but I am guessing that local carriers carry the first part of the call. In the case of a long-distance call, I assume that the long-distance carrier picks up the call at some point from the local carrier, and sends it to the local carrier at the receiving end of the call. If that’s right, I’m not entirely sure the long-distance carrier is a provider of electronic communications service.

I can see arguments on both sides. . . .

This debate gets to one of the major problems with electronic surveillance law. In my article, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I observed:

Electronic surveillance law has not kept pace with the staggering growth of technology. As discussed earlier, the law currently makes antiquated distinctions that often do not protect what is most important. Electronic surveillance law has lagged behind technological developments and has not been responsive to new surveillance technologies. . . .

Despite . . . dramatic changes since the passage of [The Electronic Communications Privacy Act (“ECPA”) which includes the Stored Communications Act under its umbrella] in 1986, Congress has failed to engage in a major revision of the law [except for some smaller changes here and there, the most notable of which was the USA-Patriot Act]. Under this state of affairs, law enforcement cleverly employs new technologies to try to avoid triggering ECPA. Often, these technologies are quite invasive, but the debate seems to turn on technicalities—whether the surveillance fits into ECPA’s framework. This invites a technological rat race, in which law enforcement uses new technologies designed to fit within ECPA’s less stringent provisions or to fall entirely outside of ECPA’s scope. . . .

Lost amid the labyrinthian task of applying ECPA’s complex provisions is the question of whether new technologies contravene the appropriate balance between effective law enforcement and privacy. . . .

Moreover, the FBI has been developing and using new surveillance technologies without discussing them publicly. As one FBI spokesperson said: “It’s completely inappropriate [to discuss new surveillance technologies]. Why would we? That would defeat the whole purpose of surveillance.” . . . . In a self-governing democracy, it is hard to justify the secret deployment and use of surveillance technology on United States citizens without affording adequate public discussion about the costs and benefits of these new technologies.

One of the major problems with current electronic surveillance law is that it was built tightly around technologies existing in the mid-1980s, rather than built more broadly and generally around basic principles for balancing privacy and the need for government surveillance. As a result, the application of the law to new technologies becomes very complex and uncertain. Kerr may be right that the law is up in the air with regard to whether the NSA phone record database contravenes the Stored Communications Act, but if he is right, then this is evidence of a much larger problem. Time and again, our electronic surveillance laws are failing to provide answers when it comes to questions of critical importance.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01