Recent
revelations about widespread violations by the FBI in obtaining sensitive information about American citizens were sobering, if not terribly surprising. These violations are the natural and predictable outcome of the Patriot Act, which made it dramatically easier for the FBI to obtain sensitive personal information on Americans without judicial approval. Under the Patriot Act, the FBI can issue so-called National Security Letters in intelligence investigations to compel the disclosure of information held by banks, credit agencies, telephone companies and Internet service providers, and other entities without obtaining a warrant or any other sort of judicial approval. Before the Patriot Act, NSLs were limited -- only a few categories of records were subject to the letters -- and even then, those records could only be sought if they were believed to be those of spies or terrorists. Under Patriot anyone's records can be seized as long as an agent certifies that they are "relevant" to an intelligence investigation. Patriot also expanded the types of documents that can be obtained with NSLs, even as it lowered the standards for issuing them.
For those of us in the privacy community who follow these issues closely, there was little doubt that the weakening of standards for government access to records, coupled with eliminating judicial oversight was a recipe for widespread abuse. I'd be extremely surprised if last week's revelations are the last of their kind that we see. Our comments about NSL report are
here.
Even as the Inspector General was investigating rampant violations in the NSL process, the Department of Justice continued advocating for Congress to adopt potentially sweeping data retention laws to force ISPs and other online service providers to hold on to sensitive subscriber information for years at a time.
Since late in the last Congress, the Justice Department has been sending up trial balloons about the need for a "data retention" statute. While initially styled as a needed tool to track down child abusers, it is now clear that the Department wants to be able to access that data for a wide variety of law enforcement and intelligence purposes. The rationale goes like this: someday, in the context of an investigation, we may want to go back and look at the records of a person whom we only recently identified as relevant to an investigation. We can't do that because ISPs don't always hold on to the information. Therefore, ISPs should collect and store information about the online activities of everyone -- just in case.
As has been the case with many of the new or expanded powers the Justice Department has sought since 9/11, there has been little explanation and no evidence offered for why such a burdensome new requirement is needed. In the case of child pornographers, federal law enforcers already have "data preservation" authority under which they can demand that an ISP keep all of the records about a specific users or addressing block for use in later investigations. Using, and perhaps even strengthening that authority is far preferable to simply forcing ISPs to keep massive records about all of their customers movements. Even worse, it appears that Justice wants Congress to write a blank check on the issue. A senior Congressman, Rep. Lamar Smith (R-Texas) has introduced legislation that would require ISPs to retain unspecified information identifying their subscribers and their Internet Activity. Under that language, the Attorney General would have carte blanche to determine what information must be retained and for how long.
Such a provision would create massive databases of extremely sensitive information ripe for abuse at a time when Americans are justifiably concerned about privacy and security online. The right way to protect privacy is to minimize the amount of personal information that is stored online. Mandatory data retention would aggravate the risk of data breaches, unauthorized use and identity theft. And in the United States, where there is no general privacy law establishing rules for how companies collect and use personal data, and very low standards for governmental access; the thought of amassing large databases on the Internet activity of Americans is truly chilling. Rep. Smith defended his proposal, arguing that law abiding Americans have little to fear from the proposal and that full legal process will be provided when records are sought.
But that promise rings hollow, given this administration's increasingly cavalier attitude toward the privacy rights of Americans. Since 9-11, our government has treated the Fourth Amendment as an impediment to law enforcement and judicial involvement as a nuisance to be avoided. With the release of the IG report on FBI misuse and abuse of NSLs, a data retention mandate ought to be a nonstarter.