I. Online Surveillance of Non-Contents Information
A. Historical Background
B. Current Law and Current Practices
C. The Question of Institutional Choice
II. Comparative Institutional Analysis of Online Surveillance
A. Social Policy Goal
B. Interested Parties and Participation Benefits
C. Comparative Institutional Analysis and its Implications
1. The Market
2. The Congress
3. The Courts
4. The Executive Branch
III. Challenges to the Model
A. The Primacy of Social Policy Goals
B. Choosing Institutions
Rapid technological change has defined the Internet revolution. Just a decade ago, cell phones and e-mail were beginning to take hold, and the World Wide Web was in its infancy.1 As cutting-edge modes of communication have become commonplace, they have outgrown laws designed for more traditional methods. In this context, the comparative institutional inquiry naturally arises: which institution is best suited, or least poorly suited, to change the legal rules to fit the new communications technologies?
The rules regulating government surveillance of the Internet particularly warrant revision. The applicable statute, the Electronic Communications Privacy Act (“ECPA”) ,though designed to be comprehensive, predated the World Wide Web and relies on terms that do not comfortably expand to cover it. Though it has been revised a few times since its passage in 1986, the ECPA leaves many crucial questions unanswered. Meanwhile, the Supreme Court has not specified how the Fourth Amendment’s prohibition on unreasonable searches and seizures translates into the online realm, and lower courts have stretched precedents developed for traditional media beyond recognition.
It is of pressing importance that we update the surveillance laws to account for new communications technologies. Among other things, the limits we place on government surveillance in general are intended to uphold the constitutional separation of powers. Properly formulated, they retain sufficient judicial intervention and congressional oversight to permit executive branch agents to pursue their law enforcement duties zealously but not oppressively. Unfortunately, the current legal scheme has fallen so far behind emerging technologies that it facilitates a surveillance society in which the rights of speech, association, and even self-fulfillment are subject to the whims of an unchecked executive.2 In this essay, I focus on the provisions that regulate the interception by law enforcement agents of online information that is not the contents of electronic communications. These rules are the weakest and the most vague of the current framework. In Part I, I summarize the legal question. Part II conducts a comparative institutional analysis, drawing upon the participation-centered model championed by Professor Neil Komesar. It highlights what that analysis adds to the current thinking. Part III considers the challenges and limits of the comparative institutional method that the case study reveals.
I. Online Surveillance of Non-Contents Information
A. Historical Background
Rules that apply to government surveillance of the Internet are particularly problematic. The constitutional doctrine that underlies the relevant statute fails to account for new practices. Those practices, in turn, are constantly evolving and difficult to pin down, because the government endeavors to keep them secret. The statutory rules are complex, if not chaotic; few cases interpret them, and those that do tend to conflict, strain logic, or both.3
Constitutional doctrine shapes the legal landscape of surveillance law. In 1967, the Supreme Court brought wiretapping under Fourth Amendment regulation in Katz v.UnitedStates, when it announced that the “Fourth Amendment protects people, not places.”4 In Katz, the Court found telephone conversations to be protected from unreasonable search and seizure, even though the government could listen to them without committing a physical trespass.5
Congress responded to Katz by passing the Wiretap Act of 1968.6 The federal law that had previously prohibited wiretapping had been incomplete and under enforced.7 The Wiretap Act brought uniformity to the law and significant protection to the “contents” of communications, which it defined broadly.8 Both Congress and the Court viewed electronic surveillance as particularly intrusive and powerful. As a result, they made it much harder for government investigators to get wiretaps approved as compared to physical searches. For example, government investigators must demonstrate that traditional investigative methods are insufficient and that a wiretap is highly likely to disclose criminal conduct.9 They also have to minimize the interception of non-incriminating conversations.10 Under the Wiretap Act, courts maintain a significant oversight role before, during and after investigations.11 Further, those using or approving wiretaps have to provide detailed annual reports to Congress to insure the efficacy of investigations.12 Finally, targets of surveillance are given after-the-fact notice, and significant recourse for improper investigations, including civil damages and a statutory suppression remedy.13
In Smith v. Maryland, the Supreme Court considered whether the constitutional protection accorded to telephone conversations twelve years earlier extended to the numbers dialed on a telephone and obtained by an investigative device known as a “pen register.”14 The mechanical pen register at issue had limited functions. It used a pen to record on a paper tape the numbers dialed by the target’s phone. It did not indicate whether the caller succeeded in having a telephone conversation, or if so, how long that conversation lasted. Notwithstanding the limited information disclosed by a pen register, a strong dissent in Smith argued that the device revealed the target’s associations and activities and that such information should be constitutionally protected. A majority of the Supreme Court disagreed and found that the pen register investigation did not constitute a search under the Fourth Amendment.15 The Smith majority applied the reasonable expectation of privacy test from Justice Harlan’s concurrence in Katz. That test finds a constitutional search only when the target subjectively expected that the information disclosed was private, and only when society recognizes that expectation as reasonable. The Court in Smith found no reasonable expectation of privacy in telephone numbers, because the caller disclosed them to the telephone company, which could record them. The Court reasoned that one who knowingly discloses his telephone numbers to the telephone company cannot complain when the government learns of those numbers as well.16 There is no question that the Smith decision limited communications privacy. Besides that outcome, there is much to criticize about the Court’s reasoning in Smith. First, the Court viewed callers as assuming the risk that a government agent will intercept the numbers they dial. But callers should not be held to assume risks they had no choice but to accept. Because one cannot avoid disclosing telephone numbers to the telephone company, the element of voluntariness seems lacking. Secondly, if the Supreme Court in Katz had used the Smith approach, it would have found no constitutional protection for telephone conversations, because those were just as capable of interception by the telephone company. Finally, by focusing on the fact of interceptibility, the Smith court avoided the central normative question inherent in the reasonable expectation of privacy test: what should be private in our society? By deriving privacy rights from technological possibilities rather than limiting technology to protect privacy, the Smith Court got it precisely backwards. Moreover, the Court opened the door to further technological erosions of privacy.
Not surprisingly, government investigators walked right through the door Smith opened. The lack of constitutional protection for pen register targets contrasted sharply with the expansive rights granted to wiretapping targets. As a result, government litigators argued that they were free from either constitutional or Wiretap Act restrictions when they used increasingly sophisticated “pen registers” to reveal much more than mere telephone numbers.17 Courts have accepted as “pen registers” devices that recorded, not only the telephone numbers dialed, but whether the call went through, when it happened, how long it lasted, and who the parties to it were. These new “pen registers” could record electronically and transmit remotely, and they could be embodied in computer hardware and software.18 In short, courts have been expansive in their view of what counts as a pen register.
The stakes were raised high in this game when Congress passed the ECPA in 1986 and addressed “pen registers” by statute for the first time. The ECPA provided none of the protections in the Wiretap Act to targets of pen register investigations.19 There was no meaningful limit on investigations and accordingly no real judicial review. Agents seeking a pen register merely had to assert that the device would disclose information relevant to an investigation; judges were instructed to grant any application containing such an assertion. Targets were never notified, and if they somehow found out they had been investigated improperly, they were provided no remedy. Neither civil damages nor a suppression remedy were available.20 Reports to Congress provided little detail. In sum, courts interpreting the ECPA have viewed the pen register provisions as setting up an administrative scheme rather than ensuring any privacy rights to those subject to investigation.21 Language in the 1986 statute that tied pen registers to traditional telephones did not stop investigators from using “pen registers” on the Internet.22 But the concern arose that such practices could create liability and the suppression of evidence. Although some have argued that the absence of language referring to online pen register investigations means that such practices were entirely free from regulation,23 courts could instead have found them entirely prohibited.24 Or, courts might have treated online pen registers the same way that they had handled secret government monitoring by videotaping in the mid-eighties. Despite the Wiretap Act’s omission of any reference to video surveillance, seven circuit courts subjected the practice to four of the “core constitutional” protections of the Wiretap Act. The courts reasoned that such videotaping is as intrusive, powerful, indiscriminate, and hidden as wiretapping, and therefore it warrants the same strict limits.25 Congress gave a partial answer to the question of what limits applied to government use of pen registers on the Internet when it passed the USA Patriot Act (“Patriot Act”) in October 2001. Congress updated the pen register definition to make it applicable to electronic mail. Instead of referring to the numbers dialed, the amended statute permits pen registers to obtain “dialing, routing, addressing, and signaling” information.26 The new law also provides for additional reporting on the use of a filtering device known as “Carnivore,” which purports to be a computerized pen register placed by government agents on a service provider’s computer server.27 The new law thus brings those devices that gather dialing, routing, addressing, and signaling information under the minimal protections of the pen register provisions.
There is much that Congress did not do in the Patriot Act amendments. Importantly, it rejected an outrageous request by the Justice Department that pen registers be permitted to obtain contents.28 If granted, that request would have entirely eviscerated the Wiretap Act protections for electronic communications. That rejection, however, is one of the few privacy-protecting features of the Patriot Act. Though disappointing, that should not be surprising. Congress passed the law six weeks after the September 11 tragedy, under tremendous pressure from the executive branch, and in the midst of a terrifying anthrax attack that kept members of Congress out of their offices. Few in Congress had time to read the statute before adopting it, let alone the will to resist measures that promised to give law enforcement new tools, whether those tools were actually needed or sufficiently restricted. Congress failed to enact proposals to increase the limits on pen registers, such as by imposing a real probable cause requirement, ensuring meaningful judicial review, or providing notice and remedies to targets of unlawful investigations. Those proposals had made it into a bill approved by the House in 2000, and had even appeared in earlier versions of the Patriot Act.29 The final version, supported by the Justice Department, increased the scope of pen register investigations but not their regulation.
The pen register provisions, even as amended, leave much unclear. In the online context, the extent of both “contents” and “dialing, routing, addressing, and signaling” remain opaque, as does the crucial question of whether there is any information that those two categories exclude. I turn to those questions next.
B. The Regulation of Current Practices
The ECPA, as amended, permits law enforcement investigators to benefit from the extremely weak protections accorded in the pen register provisions when they acquire “dialing, routing, addressing, and signaling” (“dras”) information online, but not “contents.” To acquire the “contents” of an electronic communication, government investigators must satisfy the substantially more demanding requirements of the Wiretap Act. That is what we do know.
What we don’t know is what counts as dras, what counts as contents, and whether there is anything besides those two categories. Some hypotheticals may elaborate. Alice sends an e-mail to Bob. The e-mail looks something like this:
Subject: Our Date
When: Feb. 15, 2005
Attachment: Cute picture of us at dinner.
Body Text: I had a great time last night. You are my valentine.
In the above email: “I had a great time last night. You are my valentine” clearly constitutes the contents of the e-mail and should be unavailable to government investigators who acquire authorization only for a pen register. The To and From information is clearly dras. Information identifying the computer that sent the email and the computer that received it would also seem to be dras information. The government has specified in its manuals that the subject line: “Our Date” and the attached picture count as contents.30 However, the statute does not say that and no court has yet confirmed it. There are other facts or attributes about this email, such as how big it is, when it was sent, when it arrived, and whether it has attachments. The government contends that any non-contents information may be obtained as pen register data.31 However, neither the Wiretap Act nor the ECPA mentions these attributes explicitly.
According to the government, the law divides contents protected under the Wiretap Act from non-contents covered by the pen register provisions, and everything fits into one of those two categories.32 But much information seem to fit neither. In the above example, neither dras nor contents captures the information about size, duration, and attachments. In addition, detailed information about an online user’s travels through the Internet seems to fall somewhere in between contents and dras. The same applies to the URL’s of the web sites one visits, the search terms that one enters on web sites, and the URL’s that contain those revealing search terms. Log files retain just this sort of information and also indicate how long one spends at each site.33 Such web-traffic data seems well beyond dras information, but not quite the contents of a communication either.
Courts have not provided clear answers. One of the few cases that has addressed the issue demonstrates that secrecy will further impede clarity. In the Scarfo case, the government convinced the court that it could not release information about a key-stroke logger program it had used to obtain the defendant’s encryption password without unduly compromising national security. The defendant himself was provided only a brief summary of the technology. The court accepted the government’s claim that the device did not intercept communications, contents or otherwise, because it was turned off when the defendant’s modem was engaged. Without full disclosure of the mechanisms by which the government conducts its online monitoring, it is difficult to evaluate its claims.34 The Justice Department has maintained a shroud of secrecy around its practices. Among other issues, its resists disclosing the mechanisms behind Carnivore, the filtering software it considers to be a pen register.35 The Department has gone so far as to resist disclosing its current legal interpretations. Those prosecutors interested in learning more about the line between contents and non-contents information are instructed to call a 1-800 number.36 During consideration of the Patriot Act, Justice Department negotiators refused to clarify what “contents” meant in the online context, despite repeated requests from congressional staffers.37
C. The Question of Institutional Choice
It is hard to deny that the law regulating online surveillance bears amending. Even those who interpret the ECPA to give broad powers to the executive branch recognize that it must be updated.38 But who should update the law? Courts could fill in gaps in the law through statutory interpretation. They could clarify what counts as “dialing, routing, addressing, and signaling” and specify how to treat information excluded from both that category and “contents.” Alternatively, Congress could devise new rules to regulate current practices and even future ones. Other institutions bear consideration, including the market and the executive branch. These are the comparative institutional considerations that I turn to next.
II. Comparative Institutional Analysis of Online Surveillance
At a descriptive level, comparative institutional analysis separates questions of institutional choice from those pertaining to goals and other values. Particularly when proposing reforms, advocates often confuse arguments about what the goal should be with arguments about the appropriate way to achieve that goal. Careful distillation of the institutional part of the debate promotes more refined thinking.
But how well does comparative institutional analysis prescribe? It promises to yield insights into which institution, among all those available, is best situated to effect a particular legal change. In the seminal book, ImperfectAlternatives, Professor Komesar used comparative institutional analysis to select courts as the institution best situated to handle questions of tort reform.39 In a case study evaluating the liability of online intermediaries for third-party defamation, I used the method to choose courts as the preferred institution to set the legal standard.40 Comparative institutional analysis should be able to recommend an institution to update the internet surveillance laws.
The comparative institutional analyst identifies the relevant legal question, the social policy goal to be promoted by the answer, and the parties interested in both. Then the analyst assesses the participation of each interested party in the available institutions. Participation costs derive from the complexity of the question, the difficulty of achieving information about it, and the costs of organizing the members of each interested party. Those must be weighed against participation benefits, which comprise the stakes in the outcome.41 For example, if a particular legal change will dramatically reduce a party’s liability, then that party experiences large participation benefits from achieving such a change. Smaller reductions in liability mean smaller participation benefits. When participation benefits exceed participation costs for a particular group, that group can be expected to participate. Once participation forecasts are made for each party, the last step is to assess institutional participation in light of the social policy goal -- which participation patterns in which institution will best achieve the social policy goal?42 A. Social Policy Goal
Recall from Part I that the legal question is: what rules should govern government interception of non-contents information on the Internet? When Congress has considered similar questions in the past, it has purported to balance the government’s interest in law enforcement against the individual’s civil liberties in general, and right to privacy in particular. Courts have affirmed the need to balance these interests. Both institutions recognize a fundamental conflict between government agents’ desire to acquire the most information possible through surveillance and citizens’ desire to avoid surveillance so as to maintain privacy.43 The balancing metaphor, though pervasive, is problematic. It assumes that the more information government has, the better it will do its job and thereby sacrifices privacy to achieve law enforcement efficiency. Security experts question whether privacy deprivations necessarily increase security. In fact, many “safety” measures are pure “security theater”; they may make us feel better, but they do nothing to help law enforcement.44 Moreover, law enforcement does not need more information so much as it needs the time and intelligence to interpret what it already has.45 Having more non-incriminating information may make analysis more difficult. As the haystack of information grows, it gets harder to find the needle of useful data.46 At a deeper level, the balancing metaphor may not adequately invoke the good reasons to limit government surveillance. Perhaps when the Wiretap Act was passed, when many citizens strongly opposed government wiretapping, the balancing short-hand reminded them of the need to limit law enforcement’s access to communications. But modern citizens, fearful of another terrorist attack, may well view those who want protection from surveillance as either paranoid or having something to hide. The historic abuses by government, including the misuse of surveillance to silence criticism and harass opponents, may seem far removed.47 The traditional balance may thus invite an inappropriate privacy trade-off.
With that in mind, I view the social policy goal to be protecting the privacy of communications from unnecessary government monitoring. This formulation recognizes that government monitoring should be limited to that which is “necessary” and highlights the need to protect privacy. Granted, this social policy goal assumes the primacy of privacy, independent of constitutional doctrine, and begs the question of what monitoring is necessary. I will return to those issues shortly.
B. Interested Parties and Participation Benefits
The next question is: which parties are interested in updating the rules for government surveillance of non-contents information on the Internet, so as to protect privacy from unnecessary government monitoring? What are their participation benefits, or their stake in the outcome?