Congress Is Still in the Dark About the Extent of Electronic Snooping
Here’s the only marginally good news about Congressman Edward Markey’s bombshell revelations last week about government prying into personal cellphone use: the American public and the US Congress now have our very first inkling of the scope of cellphone surveillance requests by law enforcement to telecommunication providers—1.3 million requests for personal data in 2011, according to the telecoms.
The truly bad news, however, is that Congress still has no idea of the scope of law enforcement surveillance. Congress is the body designated to provide oversight of the ways that government peers into our most private affairs. Yet the information that the proactive Markey was able to extract from the telecom providers represents just a fraction of the possible surveillance requests made by law enforcement, a blurry and partial accounting of a field that remains sprawling, unmapped and without rigorous oversight.
The problem begins at the level of Markey’s own worthy but limited investigation. In his capacity as co-chair of the Congressional Bi-Partisan Privacy Caucus, the Massachusetts Democrat queried nine mobile wireless carriers about their policies and practices for sharing their customers’ mobile phone information with law enforcement agencies. Leaving aside the fact that T-Mobile, one of the largest telecom providers, refused to share its numbers with Markey, the deeper and more troubling problem is that the investigation did not take into account all the law enforcement agencies involved in the snooping business. The reason: surveillance orders from the National Security Agency, Central Intelligence Agency and the Defense Intelligence Agency are sealed, meaning that telecom providers could only share information on requests from federal, state and local police—or, more specifically, the police, FBI, Secret Service, US marshals, postal inspectors and US Immigration and Customs Enforcement. It is therefore literally impossible to say how many cellphone data requests would have been tallied if the investigation had included requests to telecom providers by the NSA, CIA and DIA.
No less disturbing, cellphone companies represent only a sliver of the vast landscape of agencies and entities that government routinely taps for personal information. Remember, our data are recorded and archived every time we swipe a card at a subway turnstile, hold up our E-Z Pass at a tollbooth, use our credit or debit cards, interact with any broadband provider, take out a library book, request a disc from Netflix or sign in to Foursquare. But no Congressional body has publicly queried the transportation authorities, the banks or the cable companies, and it was only this week that Senator Al Franken began questioning the FBI and Facebook about their use of facial recognition technologies.
Even the entities that are intended to supply Congress with regular data about surveillance are providing incomplete and sometimes misleading information.
Consider the official 2011 wiretap report delivered to Congress by the Administrative Office of the United States Courts (AO) days before the Markey findings were released. The AO claims that “Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications, known as wiretaps, dropped 14 percent in 2011, compared to the number reported in 2010.” This might be the case, but in failing to take other forms of surveillance into account, including requests to cellphone companies for personal data, the AO report tells a falsely optimistic version of the story.
A far less sanguine version is offered by the chart on the third page of AT&T’s May 29, 2012, response to Markey, which details the number and kinds of requests made by law enforcement agencies for information on customers’ cellphone use. These include everything from tracking a phone’s location to tracing calls and text messages to full-scale wiretapping. AT&T’s chart shows a rise in every kind of request from law enforcement (including the number of requests that the company refused to comply with) from 2007 through 2011. While all request categories rise during those years, subpoenas double from 63,100 to 131,400, as does the number of rejected requests, which shot from 425 in 2007 to 965 in 2011. These kinds of numbers are confirmed by Verizon Wireless’ response, which notes that the company received 260,000 requests for customer information from law enforcement in 2011—half in the form of subpoenas and the other half as warrants and orders. “Over the past five years, the number of requests has grown an average of about 15 percent each year,” the letter states (emphasis mine).
Chris Soghoian, a privacy advocate and a Fellow at the Open Society Foundations, lauds Markey for doing “more to shine a light on government surveillance than any member of Congress has up until now” and learning “more now than we’ve ever known.” But Soghoian was also quick to warn that we still have much to learn about the extent to which we are all under electronic surveillance, and that Congress can, and must, do much more to genuinely protect us.
Congress has a variety of laws at its disposal to help monitor and restrain government prying. These laws cover a broad range of areas in which Americans are meant to enjoy some degree of privacy, including communications (in the form, most prominently of the 1986 Electronic Communications Privacy Act, which regulates the use of surveillance in law enforcement), financial records (for example, the 1970 Fair Credit Reporting Act) and medical records (in the form of the Health Insurance Portability and Accountability Act). Thanks to the 1984 Cable Communications Policy Act, there are even prohibitions against cable operators using the cable system to collect “personally identifiable information” concerning any subscriber without prior consent.
These laws remain some of the most important bulwarks against spying and prying, yet many are now weak and outmoded. The 1986 Electronic Communications Privacy Act (ECPA), for instance, has little relevance in today’s communications landscape, which includes unforeseen GPS tracking capabilities (think Foursquare) and the widespread use of technology, including social media, to organize rallies, flash mobs and other forms of protest that may draw undue interest from local law officers. The ECPA as it was first written also failed to anticipate a time when the cost of data storage is so cheap that companies find it less expensive to keep our data indefinitely than to pay someone to delete it. Despite Congress’s having held several hearings looking to update the law to protect information stored in the cloud as well as location information, they have yet to take any kind of decisive action.
Such Congressional inertia is not uncommon. Our elected officials have been largely reluctant to exercise their power to restrain government snooping, especially when it comes to telecommunications and technology issues. Indeed, they have often done more harm than good. Their last major effort in this regard took place in July 2008, when they approved the largest expansion and revamping of federal surveillance law in three decades. The new provisions not only granted the government unprecedented snooping powers but awarded phone companies legal immunity for their role in the then-illegal NSA wiretapping program that then-President Bush had approved after 9/11.
There are signs that some members of Congress would like to see stronger laws, or at least stronger enforcement. Earlier this week a handful of Democrats, led by Markey and Henry Waxman (D-CA), requested a hearing based on the Markey findings. How far they’ll get in an election year and under the regime of the most secretive and surveillance-minded administration in history is questionable. Still, their effort is well worth applauding.
Republicans looking to sway their more libertarian constituents should also be joining the effort, because this is an issue that has appeal for people across the entire political spectrum. While most of us want law enforcement to have the right tools, we also want to make sure they’re using them in the right ways. When Congress is left in the dark regarding the full scale of surveillance activities, it cannot do its job, which includes protecting the American public’s privacy.