Eugene Volokh is head of the technology practice at Steptoe & Johnson, a former general counsel of the National Security Agency, and co-author of a book titled The Limits of Trust: Cryptography, Governments, and Electronic Commerce , open. Eugene Volokh teaches constitutional law at UCLA School of Law and is the author of a textbook on the First Amendment and many law review articles on rights questions. This week they discuss specific security technologies that the U.S. government might adopt in the wake of recent terrorist attacks, and their effect on civil liberties.
Slate has asked Eugene Volokh and me for a dialogue on the civil liberties issues that arise from the events of last week. My heart's not in it.
Oh, I've got lots of views about these issues and plenty of experience arguing about them. In the early '90s, when I was the National Security Agency's general counsel, it was my job to argue for regulation of encryption, which can frustrate even sophisticated wiretaps (we lost), and my law practice includes a large component of wiretap, technology, and national security advice. It won't be hard to trot out my views.
And that's the problem. All the old arguments are fresh in my mouth. But playing them back in a different key feels somehow like forgetting, maybe even dishonoring, the dead. If, as all the reporters are saying, nothing will ever be the same again, the least we can do is not begin our dialogue with the same old questions.
Instead, I'd like to begin by asking why this topic is so important that Slate and the rest of the press insist on discussing it now. The answer, I suppose, is that Slate thinks that wars are bad for civil liberties and that we need to be reminded not to sacrifice our freedoms in the war against terrorism.
But frankly, I don't hear a lot of calls for sacrificing civil liberties today. Anyone who's dug this deep into Slate has probably already seen roughly 20 warnings about the risk to civil liberties for every proposal they've heard that would significantly restrict our freedoms - unless you think that curbside check-in is enshrined somewhere in the Magna Carta (a position the ACLU's probably briefing at this moment).
Then why does Slate insist on spending this week looking for an Authoritarian Bogeyman Under the Bed? Well, if you'd asked Queen Victoria about the threats her society faced, she'd probably have worried aloud about a breakdown in sexual and other morality. Ask a Hollywood producer the same question, and he'll cite the threat of sex-hating moralists. Every age seems to warn itself most sternly about the risks that are least likely to do it harm.
So too with us. Defending civil liberties is at the heart of the baby-boomer self-image, a self-image that's been packaged and sold to adolescents ever since. However powerful and rich and snobbish we ex-teen-agers become, we still see ourselves as rebels fighting a lonely battle against overweening authority. To make that myth work, we need an overweening authority to battle, preferably one that can't fight back.
Intelligence agencies are perfect for that role. In practically every newspaper story about those agencies, it is understood that the bad guys are the ones invoking national security to keep secrets and protect intelligence sources. The reporters who ferret out those secrets and put them on the front page are the good guys, preventing intelligence abuses like CIA assassinations or monitoring of security risks inside the United States. Now, of course, even those abuses don't look quite as bad as they used to. And the cost of preventing them by publishing the details of intelligence operations looks a lot higher.
When I was in government and I read some press story about the foreign adversaries we were spying on, I knew our enemies would read the same story. They would go back through their communications to find the message we had intercepted. They would add encryption to the channel or get rid of the compromised equipment or execute the spy that gave us our insights. Sooner or later, we'd pay a price - a price that would never be known by the cheerily iconoclastic reporters, so proud of wresting their story from the heart of overweening authority or the climbing officials who tossed them the intelligence to curry their favor. It gave me a helpless sinking in my stomach, the same one we all felt last Tuesday.
The risk that worries me isn't that our leaders will suddenly embrace authoritarianism. It's that they'll keep leaking, and the press will keep reporting, and the terrorists will keep getting smarter. That we'll go on treating the Defense Department and the intelligence agencies the way Chicago's Near North Side treats its cops - expecting absolute protection while offering a mix of Christmas tips and genial contempt.
So instead of spending the week looking for civil liberties threats in this crisis, I wish Slate and the rest of the press were reconsidering a quarter-century of press attacks on intelligence sources and methods.
Why isn't Slate running a dialogue on journalists whose Pulitzers should now be considered tainted because their stories may have compromised classified intelligence methods that we could have used against terrorists? Why not a dialogue on the need to create a code of ethics for national security reporters? The press gave Chelsea Clinton room to grow up normally by not running some stories. Now the right of a lot of other American kids to grow up with two parents, or at all, may depend on not running some national security stories.
Why aren't we debating when journalists should reveal the names of officials who compromise secret military plans? Sure, they'd be burning their sources. But in the light of recent events, what conceivable calculation makes protecting the Washington Post's sources more important than protecting the CIA's?
I don't think we need to change the classification laws or readjust the constitutional balance of the Pentagon Papers case. It's simpler and more difficult than that. We all need to feel that sinking feeling when we see stories based on intelligence leaks in the paper. The journalists who write them and the editors who edit them and the readers who read them should all wonder if the passing thrill is really worth the eventual cost.
And until journalists themselves begin that debate, I'm not sure they really mean it when they say that nothing will ever be the same again. I'm afraid that what they really mean is, "Nothing will ever be the same again. For you. For us, well, it's a hell of a story."
OK, Eugene. Tomorrow, maybe we can talk about Carnivore and roving wiretaps
and the latest Senate
bill allowing emergency intercepts. For now, it looks like you'll have to make
what you can of
this.
Dear Stewart,
I confess I also enter into this discussion with misgivings. I've long bristled when people have talked about civil liberty, which is to say freedom from government oppression, as if it were the most important thing in life. And, yes, it can seem that way when we are physically safe. But when our lives are in danger, we realize that we'd like to have both freedom from government oppression and freedom from oppression by others. Once we see that, it's pretty obvious that some trade-offs might be needed. And no one has a magic formula for how to make these trade-offs.
So not having any real answer to any really tough questions, let me just offer a few general thoughts:
In past wars, we could know when the war was over and peacetime rules could return. But say we kill Bin Laden; overthrow the Taliban, Saddam, and Qaddafi (just to pick some likely suspects); and blow up a bunch of terrorist training camps. Will this be the end of the war? Not by a long shot. There'll always be terrorists. There'll always be the risk of thousands of Americans being killed. We won't even know for sure when the risk has greatly diminished; we'd be fools to ever think it's been eliminated.
So the measures we adopt today constitutional rules, statutes, and perhaps even media ethics principles won't be temporary. They won't go away. This doesn't mean these measures are wrong; they may be good permanent measures to have. But let's not fool ourselves that we can have them just for a few months and then return to business as usual. This is going to be business as usual.
We all the time limit some freedoms in order to get some security and we have to. Consider the constitutionally recognized power of the police to search even your home, if they have probable cause and a warrant. Consider airport X-ray searches. Consider the government's ability to arrest and detain alleged dangerous criminals, if probable cause is present, even before they are tried and convicted. Should we allow still more searches? More detentions? More speech restrictions?
Fewer?These questions can't be answered in the abstract. There must be a specific proposal on the table. We need to know what we're being asked to give up and what we're supposed to get in exchange. We need to think about whether the proposal will in fact make us safer. It's not that we must be pragmatists rather than idealists, it's that in a world where no ideal is absolute (certainly not the Fourth Amendment, for instance, which only bars unreasonable searches and seizures), we can't avoid this kind of pragmatic, concrete thinking.
Here is where I get to tie in to your excellent opening message, Stewart, which is probably 90 percent correct or perhaps even 100 percent. I agree entirely that newspapers' right to publish something doesn't necessarily mean that they should publish it. (By the way, as to rights, let me stress that it's perfectly constitutional to punish government officials for leaking secret material, and that reporters have no categorical First Amendment right to conceal the leaks' source.) My one concern, though and it really is just a concern since I cannot claim to be an expert on the concrete facts (see above) about national security, the intelligence apparatus, and press reporting is that press silence about intelligence matters may sometimes actually backfire.
Intelligence agencies, vital as they are to our survival, are subject to all the flaws of human institutions. They may err; and it's hard for the public to decide whether they've erred enough to need substantial reform unless the public is told the underlying facts. (For instance, did the intelligence agencies fail in this very situation, and, if so, what should we do to prevent such failures in the future?)
Intelligence agencies may become trapped by bureaucratic ossification and internal conventional wisdom, conditions that are exacerbated when no one outside the agencies can provide an alternative perspective. And there's also the inevitable temptation in policy debates to say, for the best of reasons, "Look, I have access to all this secret information that proves I'm right, so you need to trust me", even if on close examination the secret information really wouldn't support the speaker's position. Voluntary, well-intentioned press silence about the actions of well-intentioned intelligence agencies may thus sometimes lead to worse intelligent-gathering capability rather than better.
I can't say this for certain; you spent years at the NSA and I didn't. I'm an expert on constitutional law, not on intelligence policy. I have no doubt that in many situations, perhaps most, press silence is the right answer. And perhaps, to anticipate one response, secrecy is so important to intelligence-gathering that the checks and balances must be provided solely by confidential congressional oversight committees, not by the press, the public, and the policy experts among the public. My goal here is just to raise a possible concern, not to resolve it.
So I hope that the press takes your advice very much to heart. Certainly they should think many times before publishing anything that might help terrorists. But at the same time, the question, "Who will guard the guardians?" (a question one might also ask about the press, but that I ask here about the intelligence community) remains. And we need to guard not just against "our leaders suddenly embracing authoritarianism," but against much more mundane failings as well, failings that unfortunately tend to thrive more in the absence of public scrutiny.
Eugene Volokh is head of the technology practice at Steptoe & Johnson, a former general counsel of the National Security Agency, and co-author of a book titled The Limits of Trust: Cryptography, Governments, and Electronic Commerce > open. > Eugene Volokh teaches constitutional law at UCLA School of Law and is the author of a textbook on the First Amendment and many law review articles on rights questions. This week they discuss specific security technologies that the U.S. government might adopt in the wake of recent terrorist attacks, and their effect on civil liberties.
Let's get down to specifics. Let's take a close look at the legal changes now under consideration and ask whether they pose any threat to civil liberties. As you say, we'd better like the laws we're passing. We'll be living with them a long time.
So far, only the Senate has actually passed anything, a package of anti-terrorism amendments that it tacked on to an appropriations bill last Thursday. It held no hearings and only a short debate. The amendments passed by voice vote, and the full bill was adopted 97-0.
Whenever I hear about a bill that passes like that, I think of the TV show
Yes, Minister, where
the bureaucrats met crises by dusting off an old agenda and serving it up to
their bosses with
the following unanswerable logic:
In fact, though, the Senate bill does little damage to civil liberties; the real question is whether it does much to address the threat.
There are three or four provisions that seem to worry civil libertarians. First, the bill would add terrorism to the list of crimes that justify a wiretap. Is that a good idea? As my daughter once would have said, "Well, duh!" The real question is why it wasn't added to the list long ago. The answer is that you can't be much of a terrorist without violating some other law that is already on the wiretap list. So this amendment falls under the heading of nice to have but no big deal.
Second, the bill authorizes the use of the FBI's disastrously named "Carnivore" device to conduct certain Internet wiretaps. (Actually, the bureau calls it the DCS-1000 these days, but no one can remember that which is probably the point of the new name.) Carnivore is controversial because it is a network "sniffer" that could be programmed by someone willing to risk a felony prosecution to scarf up all the communications on a network, not just those of suspected terrorists. But for all the bad publicity it's received, it is already legal and in common use. It only appears in the bill because the wiretap laws were written with telephones in mind, not networks.
In the telephone world, the police have a choice when they investigate a suspect. If they have a good basis for suspecting him, the courts will allow them to tap the suspect's phone and listen to all his calls. Alternatively, if they only have a suspicion that he might be relevant to their investigation, they can't listen to his calls, but they can record all the numbers he calls or that call him.
How can we apply this model to the Internet? It's easy to imagine what a full wiretap looks like in cyberspace. The police get to see everything the target does online every e-mail he writes or reads, every site he visits, every password he types. But suppose they can only meet the lower standard. What is the Internet equivalent of acquiring every phone number the target dials? The Justice Department thinks that's an easy question, it's the Internet address of the sites he visits, the "to" line on his e-mails. essentially the addressing and routing information for his network activities. The Senate amendments would specifically approve that interpretation.
I can understand why this might raise at least some privacy concerns. Law enforcement can get a remarkable amount of data about people, ?many of whom are not even suspects, just by saying that the information might be relevant to some investigation. They can get a list of every site I visited, how long I spent there, where I went next, who I e-mailed, and when they replied. That sure feels a lot more private than a list of the numbers called from my home phone.
The problem is that phone numbers don't have a perfect digital equivalent. That means that we have to choose between either reducing the government's investigative reach a lot or expanding it a little. After last week, that doesn't seem like a hard choice. If it were up to me, I'd add some safeguards to the bill. For example, we ought to let people especially people who aren't charged with anything, know when their records have been gathered in this way. And we should audit access to that data; anyone who pulls my records should be able to explain why, if not to me, then at least to his superiors.
On a different note, I'd also make sure that the ISPs and phone companies who are working overtime to respond to this crisis know that they won't be sued later for carrying out a national security wiretap and will get reimbursed for the costs of pulling masses of paperwork (the days of adding such costs to a monopoly rate base are pretty much gone). In short, I'd prefer a somewhat different bill. But try as I might, I can't say that the lack of those safeguards threatens freedom as we know it.
The same is true of the other wiretap provisions. The Senate would allow the FBI to get one wiretap order against a suspect, an order that could be used everywhere in the country. This just seems to recognize that the Internet and roving cell phones allow terrorists and other criminals to be active in many different jurisdictions at practically the same time.
Finally, the amendments expand the number of people who can authorize an emergency warrantless wiretap. God knows there are times when minutes are precious, and the tap needs to begin even before the judge can be pulled out of bed. Since warrantless taps must be confirmed by a court within 48 hours, it's hard to see much risk in them. As long as we know who is authorizing such taps, it will be easy to assign blame if abuses emerge.
Are you yawning yet? That may well be the right response. This is inside-baseball stuff at best. The Senate amendments wave the center fielder a few yards to the right. If this is the worst threat our liberties face, we're doing very well indeed.
Tacking back for just a moment to yesterday's exchange, you pointed out that there's a cost to asking that the press stop putting national security secrets on the front page. The cost is that we lose one of the possible checks on stupid bureaucratic behavior or worse. I agree.
I am deeply fond of the dedicated patriots I worked with in government, but even the best government bodies are prone to the failings of government bodies everywhere. One of those is "information management," something that remains a particular problem in agencies that heavily classify their activities. We need checks on such behavior. But when we're talking about secrets that could help us forestall terrorists, the price of using the press as a corrective is just too high.
I would rely instead on the internal dynamic of competing bureaucrats for a rough substitute. As I once said to an outsider skeptical of NSA's commitment to the law, "Why am I sure that the agency isn't breaking the law? Because there are five outside offices with authority to audit our conduct, and those agencies are headed by five ambitious people whose careers would be made if they could uncover violations of law at NSA." Maybe that's not perfect either, but it's better than exposing the agency's secrets to the public, and to Osama Bin Laden at the same time.
You raise, as usual, some excellent points. Before I respond, let me first briefly summarize what the Supreme Court has told us about the Fourth Amendment law and telephone surveillance:
Item 1 probably isn't that surprising. Though the probable-cause-plus-warrant requirement seriously burdens the police, we don't really want the police tapping our phones whenever they decide we might be up to no good (under their own definition of no good). And even if we trust the feds, the Fourth Amendment applies equally to federal, state, and local officials. Constitutional rules empowering the FBI also empower every local police department.
Item 2 might be more surprising: One might think that whom one is calling is pretty private, too, so the government should be able to get this information only if it has probable cause plus a warrant. But on the other hand, the government sometimes needs such surveillance to find the probable cause in the first place. Also, there's an analogy to the government's power to watch your house from outside: The police can note who is coming to talk to you but can't eavesdrop on your conversations unless they have cause and a warrant.
So that's the rule for phones; and I agree, Stewart, that it makes legal sense to apply it to Internet communications, too. Some people aren't wild about Item 2 for phones and don't want it extended to e-mail, but let's for now assume the current rule is sound. So I agree the government should be able to read my e-mail if it has probable cause plus a warrant, and should be able to track the "from" and "to" addresses even without cause or a warrant.
But what about the URLs of Web sites I visit, such as Slate or Ask Jeeves (Search engine queries often translate into URLs containing the search terms.) As you point out, the Justice Department's position is that they're allowed to get this information, too, by analogy to phone numbers. Not a great analogy, if you ask me. Seeing the full URL is more analogous to the government seeing the subject matter of a phone conversation, not just the parties' phone numbers. And, according to the Justice Department's theory, this could all be done with no Fourth Amendment constraint.
Moreover, once Carnivore is installed at an Internet service provider, an overzealous government agent could intercept not just the text of messages for which he has a warrant, but also the text of other messages. You're right that this is illegal, and the agent could be prosecuted for this (if anyone finds out); and I'm happy to hear your suggestion that superiors be able to audit this data (something that to my knowledge is not the case right now). But, sad to say, sometimes superiors are themselves flawed, even in the FBI, and certainly in some local police departments.
And unlike with phone company taps, Carnivore commands are run directly by government agents, without any participation by ISP employees, so there's no outsider keeping records and potentially blowing the whistle. The guardians are unguarded from the outside; and much as I hope that internal government check " ambitious people whose careers would be made if they could uncover violations of law at NSA" will do the job, sometimes (not always, but sometimes) uncovering a fellow government official's misconduct means the end of a career, not the making of one.
Now, I'm not a Fourth Amendment maximalist. I take seriously the notion that only "unreasonable searches and seizures" are unconstitutional. I often define "reasonable" quite broadly. And maybe you're right that "after last week," "expanding [the government's investigative reach] a little" isn't a big deal. But you're also right that we'll be living with this a long time: These powers will not just be used to fight the war on terrorism, but also the war on drugs, the war on pornography, the war on copyright infringement, and who knows what other wars.
Finally, let me return to something I earlier set aside: Is it good for the government to see the phone numbers I've dialed, with no warrant and no probable cause? Yes, the court upheld this 20 years ago, but was it correct? After all, we shouldn't be so precedent-bound that we extend bad ideas into new areas.
I don't know whether the court got this right. But I do know the court's decision has been defended as, well, just a small step. And now this extension from phone numbers to the more telltale URL is defended as, well, just a small step. And the next extension will also be defended as just a small step.
What's more, the logic of the government's argument, which is that there's "no reasonable expectation of privacy" in information (such as a dialed phone number) turned over to a third party (a phone company), can go many steps down: It can apply not just to URLs but also to e-mail text, since that's likewise being turned over to a third party (the Internet service provider). Courts that buy this logic may approve all these steps. And a bunch of small steps could add up to a large one.
Now, it's easy to mock such "slippery slope" arguments; I've mocked many in my day. But our legal system rests on precedent and analogy, as do many of our political and moral arguments witness your own post. So it makes sense to worry about where our small steps are leading.
This having been said, you're absolutely right: We can't demand protection from our police (local or federal) while denying them the tools they really need to provide this protection. And if seeing what Web pages and queries people are using or intercepting communications entirely through government agents, rather than through ISPs will help catch terrorists, maybe the sacrifice is worth it. I guess I'm just not sure the benefits are as great, or the costs are as slight, as some suggest.
Eugene
Eugene Volokh is head of the technology practice at Steptoe & Johnson, a former general counsel of the National Security Agency, and co-author of a book titled The Limits of Trust: Cryptography, Governments, and Electronic Commerce open. Eugene Volokh teaches constitutional law at UCLA School of Law and is the author of a textbook on the First Amendment and many law review articles on rights questions. This week they discuss specific security technologies that the U.S. government might adopt in the wake of recent terrorist attacks, and their effect on civil liberties.
We've been talking about civil liberties and about giving the police new wiretap powers to catch terrorists. In part, that's a question about how much privacy we can afford in this new world. But partly it's about how much we can trust the police. Today I'd like to talk about trust in two contexts.
This was your point, and a good one. In the old days of Ma Bell, the police got the intercept orders, but it was the phone company that actually did a lot of the work when the tap was implemented. Their billing department matched the name to the phone number. Their technicians figured out what line went with what number and often hooked up the tap. I'm sure that the phone company did this mainly to protect the network from inadvertent harm. But putting the phone company in the middle also had a kind of civil liberties value not so much by protecting privacy directly as by building trust in the system. A disinterested phone company technician wasn't likely to get caught up in a desire to capture crooks at any cost. If the police wanted to do more than the court order allowed, the phone company was likely to balk.
As you point out, that safeguard is missing with Carnivore, which is typically programmed by the police. The Internet service providers or ISPs whose networks are tapped have much less control of the tap than the old phone companies did. I agree with you that it would be better to have a third party in the middle, and I'm glad that some ISPs and portals insist on using their own wiretap solutions rather than taking Carnivore off the shelf. But we should also remember the limits of this third-party check. ISPs are often new, financially strapped startups offering retail service for a fixed fee. They aren't a regulated monopoly that can pass on wiretap costs to their customers. So the smaller companies are likely to adopt whatever wiretap solution looks quickest and cheapest. That's why I think we make a mistake in trying to bring back the old Ma Bell model for Internet wiretaps. We ought to focus on other ways to make sure we can "trust but verify" how the police carry out wiretaps.
Whatever the precise scope of the proposal, though, it's hard to see a problem from a privacy point of view. In fact, you could say that this is a pro-privacy approach. In the old days, the police tapped land-line phones in the suspect's house, which meant they listened to the suspect and his wife, and his teen-age daughter, and the housekeeper calling home, and the neighbor who dropped by and needed to check his messages by phone. By focusing the tap on the suspect, we may actually be able to protect those other people's privacy a little better.
As with Carnivore, the real issue is how much you are willing to trust the police. It's not possible to build a technology that will identify the target automatically when he moves from phone to phone. The success of roving wiretaps will depend a lot on the police's ability to identify which phones the suspect is using. Which means that the phone company will no longer be in the middle, using its billing records to help match the wiretap order to particular phones. Instead, the police will likely just tell the phone company to "Move the tap to 555-5692 now; that's where the suspect is calling from." The phone company can't be sure that's true. It has to trust the police.
In this area, too, my inclination is to give the police the authority to follow suspects as they move from phone to phone and then look for other ways to ensure that our trust is not abused. We can't be naive. Police are human. Sometimes they get carried away with their job, and sometimes they misuse their powers. We need to have checks and audits. But I don't think that we should assume, as too many civil libertarians do, that the police can never be trusted; nor should we insist on any single verification method. As technologies and industries change, so too should the methods we use to keep track of wiretaps. The automation of wiretaps can mean less need for third party intervention, but it also means that we can use the audit and logging functions of modern computers to know exactly which police officer did what at any time to the wiretap system and to hold them accountable. Properly used, that technology should provide a better check on police abuses than trying to hang on to the old "Ma Bell in the middle" solution every time we are reluctant just to trust the police.