Tag Archives: nsa

Breaking: ACLU vs Clapper holds Bulk Surveillance Legal – Implications for India

On this blog, we had discussed earlier the oral arguments in ACLU v Clapper. Just now, the New York District Court has ruled bulk surveillance legal, going against the decision of the Columbia District Court in Klayman v Obama (if it wasn’t already, this makes it inevitable that eventually, the United States Supreme Court will be called upon to settle the conflicting lower court decisions).

As we had discussed earlier, ACLU v Clapper consisted of two claims: a statutory one, based on S 215 of the Patriot Act, which is of no concern to us, since no parallel legislation with a similar history exists in India. The second claim was a constitutional one, based on issues of free association and privacy, which is directly relevant to India.

On a quick reading of the judgment the following important points emerge:

– contrary to ACLU’s submissions, the Court held that the 1978 precedent of Smith vs Maryland applied, which had held that an individual had no privacy interest in information voluntarily turned over to third parties (telecommunications providers).  As we have discussed on this blog, the Indian courts have rejected Smith vs Maryland and its precursor, US vs Miller, in the 2004 judgment of Distt Collector vs Canara Bank. Holding that privacy is a right of persons, not places, the Supreme Court affirmed in Canara Bank that an individual has a privacy interest in personal financial documents held by a third party (the bank). [the New York court’s Smith analysis can be found in pages 39 – 43] The Court also holds that the Fourth Amendment lays down a standard of reasonableness, and does not require that the “least intrusive method” be used when carrying out a search within the terms of the Constitution. Again, arguably, the position is different in India. As we have seen, the compelling State interest test for privacy violations goes hand-in-hand with narrow tailoring, as is evident by the rules framed by the Court in PUCL vs UoIand those accepted as constitutional in State of Maharashtra vs Bharat Shantilal Shah, which categorically required the government to explore other, less intrusive methods of surveillance before carrying out interceptions, and also required it to intercept to the minimum extent possible to carry out its goals. 

– The Court also ruled that the argument that bulk collection would have a chilling effect on the freedom of association was not well-founded. To recap: ACLU had argued that the knowledge that is call records were being collected would lead to a “chilling effect” in that it would restrict the communication and association rights of hostile and unpopular (yet legal) groups, who would self-censor in an attempt to avoid governmental knowledge of their activities. The reasoning of the Court appears to be that what was taking place was only collection; actual querying of the metadata to reveal specific information could be undertaken only on specific grounds. Since the likelihood that ACLU’s data itself would be queried and reviewed rested upon an “attenuated chain of possibilities“, the chilling effect had not been proven. In this way, the Court implicitly distinguished prior cases like NAACP vs Alabala, where for instance, a group treated with hostility by the government had been required to reveal its membership lists. Whatever the merits of this argument, once again, the key point upon which it turns is that the NSA surveillance is restricted to metadata collection. Consequently, the logic does not apply to something like the CMS, which is all about intercepting bulk content. [see pages 45 – 46 for the First Amendment analysis]

An extraordinary statement at the end:

The effectiveness of bulk telephony metadata collection cannot seriously be disputed.” [p. 48]

However, as Klayman found, that is precisely what is under dispute. In the fifty-four instances cited by the government, it had failed to demonstrate that the outcome would have been materially different in anyone. (see here for an analysis). In other words, there is a familiar story here: in a national security case, a judge takes the executive’s words at face value, and accords an extremely high level of deference. The Indian courts have an ignominious history in this regard (Habeas Corpus), and it will be crucial how this particular claim is treated in the Indian courts.

The New York court ruling is certainly a blow for privacy rights. Like Klayman vs Obama, Indian privacy lawyers ought to study it carefully, not only because of what it holds, but because of what implicitly follows: if the holding of legality is founded upon legal arguments that have been considered and rejected by the Indian Supreme Court, and upon factual premises directly opposed to those prevailing in India, ACLU vs Clapper might – paradoxically – be more of an ally than an enemy in the fight against bulk surveillance.

 

1 Comment

Filed under Privacy, Surveillance

BREAKING: US Federal Court holds NSA Surveillance “Likely” Unconstitutional under Fourth Amendment

Just now, the US Federal Court has held that the NSA’s bulk metadata telephony surveillance is “likely unconstitutional” under the Fourth Amendment. “Likely” because this was a motion for a preliminary injunction, and the grounds for an injunction are based upon the plaintiff’s likelihood of success.

I haven’t had time to read the judgment in detail, but a quick skim-through reveals that under the two-step Fourth Amendment test, the Court found, first, that people have a reasonable expectation of privacy in  their telephone data, because of the sheer volume of personal information that is transacted via phone; and on an investigation of evidence, the Court found that the infringement was unreasonable, because there was no evidence to demonstrate that the compelling State interest – that of protecting national security – was actually being served effectively by said collection. On p. 64, the Court observes:

I cannot imagine a more indiscriminate and arbitrary invasion than this systematic and  high-tech collection and retention of personal data on virtually every single citizen for the purpose of querying and analyzing it without prior judicial approval. Surely such a program infringes on the degree of privacy that the Founders enshrined in the Fourth Amendment.

Indian privacy lawyers would do well to study this judgment closely. As we have argued before in this blog, the two-step Fourth Amendment test is materially similar to Article 21’s right-to-privacy/compelling State interest test. Of particular interest is the Court’s conclusion that:

(a) We do have a reasonable expectation of privacy in our telephone records

(b) The government cannot simply assert national security; the burden lies upon it to actually show that bulk surveillance is effectively serving this purpose – and that is, show through demonstrable evidence of terrorist attacks foiled or prevented.

(c) The absence of judicial approval for mass surveillance is constitutionally fatal.

All of these positions are extremely relevant for the constitutionality of the CMS. We shall see how this judgment progresses through the Courts.

Leave a comment

Filed under Privacy, Surveillance

Surveillance, privacy, association and the Constitution – I: Oral arguments in ACLU v Clapper

Earlier this year, ex-NSA contractor and whistleblower Edward Snowden revealed the industrial-level surveillance of private communications undertaken by the American government. One feature of the American surveillance program is what is known as “telephony metadata collection“.  Under this, all the details of phone conversations minus the actual content of the call – that is, the two numbers involved, the time and duration of the calls etc – are intercepted and stored in a vast database maintained by the National Security Agency. Later in the year, The Hindu revealed that the Indian government’s Central Monitoring System was doing something very similar (the technical details of how the two programs differ is not relevant at the moment, because CMS surveillance is at least as intrusive as NSA surveillance – and in actual fact, is more so). For details, refer to the CIS website here, and articles here and here.)

NSA surveillance was challenged on statutory and constitutional grounds by the American Civil Liberties Union, and the oral arguments took place today morning at the Southern District Court of New York. In what follows, I summarize today morning’s proceedings, because ACLU’s two core constitutional arguments – violations of the rights to privacy and free association – are fundamental constitutional rights in India as well (Article 21 and 19(1)(c)). Examining the constitutional debate in the United States, therefore, can help us understand precisely what is at stake – constitutionally – as far as the CMS goes.

(Caveat: I reconstruct the following from my hurriedly-taken courtroom notes. For a full account of ACLU’s written submissions, please refer to their website here).

As mentioned above, ACLU rested its claims on statutory and constitutional grounds. The statutory argument involved a detailed analysis of Section 215 of the Patriot Act, the likes of which do not exist (thankfully!) in India. The relevant statutory provisions in India are the S. 5 of the Telegraph Act, and S. 69 of the Information Technology Act (along with the 2009 Rules). So while ACLU’s statutory arguments are of limited relevance, it is important to underscore the following: S. 215 of the Patriot Act requires a relevance requirement before data can be collected. Similarly, the IT Act requires the government to be convinced that it is “necessary or expedient” in the interests of the security or integrity of the state etc. – a standard that permits at least a degree of judicial review. One of the arguments made by ACLU was, given that constitutional rights were implicated, the Patriot Act (and other associated legislation) should be construed a manner that preserved – and did not putatively violate – the rights of privacy and free association. That argument, of course, applies to India as well.

Another important takeaway from the statutory arguments was ACLU’s argument that a statutory authorization of individual, targeted surveillance operations did not amount to the massive dragnet operation that the NSA was carrying out. Both because of the sheer scope and because of its potentially limitless extension, mass telephony metadata surveillance could not simply be equated to an individual targeted operation, given that it raised a whole host of issues not ordinarily implicated in standard cases of surveillance. This is critically important, because the 2003 case of PUCL v. Union of India is taken to establish that S. 5, Telegraph Act permits surveillance in general. PUCL, however, did involve individual targeting, and therefore, ACLU’s arguments suggest the first important legal issue for us to consider: does the PUCL opinion legitimate CMS surveillance as well? If the answer is yes, then the potential consequences could be devastating – especially because, amongst the procedural safeguards mandated by the judges in that case, one is conspicuous by its absence: judicial authorization of surveillance. Even the United States, that has, over the past few months, come under sustained criticism for blatant privacy violations, has something called a FISA Court that is – admittedly, in ex parte proceedings – required to authorize surveillance before it can be carried out. The idea that government can carry out surveillance of citizens’ private data on a nationwide scale with a single-step legitimation process that involves no more than administrative review will have radical consequences for a number of important constitutional principles, not least the separation of powers.

However, as the ACLU’s constitutional arguments show, there is a strong case to be made out for the proposition that bulk surveillance does differ, not only in degree but in kind – from individual surveillance, and that therefore, PUCL does not hold the field. Let us therefore, now, turn to the Constitutional case.

ACLU’s first argument rested upon the Fourth Amendment to the American Constitution, that – inter alia – prohibits an unreasonable search. Two questions arise in an American fourth amendment enquiry:  first, has there been a search? And secondly, is the search reasonable? It is around the first question that the American Supreme Court has developed its privacy law jurisprudence. In Katz vs United States, it held that there exist “spheres of privacy” belonging to each individual, which government may not penetrate. What constitutes a protected sphere of privacy depends upon whether or not citizen have a reasonable expectation of privacy. So – as the US Supreme Court has held, for example, I do not have a reasonable expectation of privacy as I walk down a public road, but I do have a reasonable expectation of privacy within my own home. What constitutes “reasonable expectation” seems – largely – to be culturally determined.

Two questions arose with respect to the issue of “search” (i.e., scope of privacy). The first crucial point – that the judge made, and which the government argued – was that on one theory of privacy, the breach occurs not at the moment that the data is collected, but at the moment at which it is subsequently queried to reveal patterns of association. This would mean that the surveillance as such violates no privacy right. ACLU, on the other hand, argued that the very nature of the right to privacy was that it closed off certain spheres from governmental intrusion – and consequently, privacy was violated at the moment of penetration, independent of what was done with the data afterwards. The basic question, according to ACLU, was whether people had a reasonable expectation of privacy with respect to their phone records and the various associational inferences that could be drawn from them. The answer, it was argued, was an unequivocal yes, because of the very nature of metadata surveillance: sociologically – and this is a vitally important point –  it has been shown that a detailed enough metadata trawl can reveal as much information about someone as a straightforward content trawl. As ACLU’s lawyer argued, the government can know when you last called your doctor, your lawyer, your stock-broker, your pastor, your ex-girlfriend, and so on. Over time, a pattern of associational relations would build that would reveal huge amounts of information about your personal life – and surely that was a violation of a reasonable expectation of privacy.

The government also argued, by relying on precedent, that it had already been held by the Supreme Court that there was no reasonable expectation of privacy in phone records. ACLU distinguished the case by arguing that previously, the Court had only considered a specific, temporary targeting – whereas this was bulk targeting, and potentially limitless. This takes us back to our earlier point about the distinction between individual targeting and bulk targeting, which assumes specific importance in light of PUCL.

The second fourth Amendment question was whether, if there was a search (privacy intrusion), it was reasonable. The government argued that there was a compelling state interest at hand, that of counter-terrorism. Counter-terrorism was necessarily prospective in nature. It was designed to detect, disrupt and prevent future terrorist attacks. Consequently, what the intelligence agencies needed to detect was patterns over time and over different (phone) carriers. Such information or connections could not be known at the outset, which is why ACLU’s proposal – of only carrying out surveillance of individuals with known links to terrorist organizations – could not work (although many of these arguments were made in the statutory context, they are equally relevant for understanding the government’s definition of compelling interest). In responding to a question from the judge as to whether bulk surveillance was uniquely suited to achieve governmental objective, the government argued that no other mechanism was as timely or effective. Given all this, it was clear that by placing limits on what part of the data could be queried post-search, it was clearly a narrowly-tailored intrusion, and hence reasonable.

ACLU, on the other hand, argued that the government had produced no evidence to show that bulk surveillance was actually necessary to achieve the objectives of counter-terrorism. ACLU produced evidence to the effect that in most circumstances, a three-hop trail was enough. This is what a three-hop trail is: suppose you have a suspected terrorist, X. You place his phone under metadata surveillance. You then do the same with all the persons he contacts, then all the persons they contact, and then repeat the process once more (three steps). In any event, on the government’s own argument, the only occasions on which surveillance had actually led to a substantive outcome had been simple cases of one-hop.

Readers should now be in a position to recognize that our own fledgling privacy jurisprudence, evolved out of three cases, Kharak Singh v State of UPGobind v State of MP and R. Rajgopal v State of TN, and placed under the all-ecompassing rubric of Article 21, is utterly inadequate to deal with the complex issues raised by bulk metadata surveillance, or other forms of bulk surveillance. There are two questions of particular urgency: first, what is the philosophy of underlying our Article 21 right to privacy? If it’s something like the Katz standard, protecting zones or spheres of privacy from any intrusion, then the mere collection of records could constitute an infringement; pre-Katz law, on the other hand, which seemed to focus more on common law trespass, might not reach the same outcome. Gobind and Kharak Singh tell us nothing, being good, old-fashioned house-surveillance cases. In light of the sheer scope of CMS and government surveillance, this is a debate that must be had now. And secondly, once an infringement of privacy has been demonstrated, what burden of justification is placed upon the government? In today’s hearings, both sides seemed to argue upon a strict scrutiny standard: namely, that the government had to show a compelling state interest, as well  show that no less intrusive measure could serve that compelling state interest than the measure it had chosen (bulk surveillance). The question of whether or not strict scrutiny applies in India is a minefield that we cannot venture into now; but the basic question remains – given the amount of intrusion that the current surveillance system puts into place, what standard is government to be held to (I’m not here referring to the statutory burden under the IT Act, but the constitutional burden of justifying an infringement of privacy). Can the government simply claim deference from the Courts as long as it can demonstrate some reasonable relationship with its objectives of counter-terrorism, and others? Or must the government affirmatively demonstrate that bulk surveillance is the only way that it can achieve its objectives? In today’s district court, the US government spent great amounts of time and effort doing that. Let us see what the outcome is.

In the next post, we shall analyze the freedom of association claim made by ACLU, also litigated in today’s hearings.

3 Comments

Filed under Privacy, Surveillance