Revolutions in technology are fundamentally altering how our institutions of national security, intelligence, and law enforcement must
conduct business. These practical
changes in turn shift our frames for interpreting America’s traditional
constitutional and legal constructs.
This post combines previous posts of mine and looks at how
Big Data, cyber threats, and what I will call “enhanced technology” are forcing
government officials and lawyers to figure out how to protect privacy,
federalism, oversight, and how to balance the public interest with for- profit
vendors critical to the government.
That last issue mentioned, the public interest and vendors,
was analyzed legally in an earlier post, and will concern us throughout this post. Defining what is an “inherently governmental
function” will change in important ways as the very role of government
changes. Suffice it to say, that the
pace of technological change will be much faster than the government is staffed
and organized to handle. Vendors will be
needed as a complement to the government to address the technical and
analytical needs that will rapidly appear.
BIG DATA
Big Data refers to the explosive growth in the capability to
keep records, monitor transactions and occurrences, and analyze the data to
help make decisions. Every aspect of
life is being digitized and put online.
Furthermore, the capacity to transmit and save data is growing by leaps
and bounds. For the individual, it seems
all major technology companies give away 5MG of cloud storage for free, and
thumb drives in electronic stores are getting cheaper and cheaper. For governments, whatever figure I cite will
quickly become obsolescent, most likely by an order of magnitude.
The implications of having access to such a large base of
information are immense. For example,
Las Vegas casinos are quickly acting to ban Google Glasses, because they know
that a card counting program would be developed in no time, and that could
devastate the city’s economy. By the
same token, when the differential in access to information favors an
institution (i.e., the government) over the individual, mistrust and concerns
over privacy are likely to grow.
Here are some law and policy implications of national
security, law enforcement, and intelligence institutions monitoring and storing
reams of information that until recently were unthinkable.
Military
History and legal tradition have separated the military and
civil spheres, particularly in the area of law enforcement. However, the imperatives of the information
age will blur some of these firewalls.
The Defense Department has vast resources of computing
machines and highly educated personnel to collect all kinds of
information. International crime syndicates, money transfers, immigrant
population flows, and of course cyber investigations are all subjects about
which the military could collect domestic data in the conduct of its duties.
What other parts of the government and the business
community might do with that information from the military presents yet another
set of issues. The military might have data sets about children's
academic performance at on-base schools that the federal and local education
authorities might like. Many medical and scientific innovations come from
the battlefield. In addition, the research and data that the military and
other parts of the government collect are invaluable to the business
community. These exchanges of information should be allowed, even
facilitated at times, but this can be difficult unless society resolves the
issue discussed below of whether the aggregation of too much information sets
up a power imbalance between the government and citizenry.[1]
As the word “privacy” is not written in the constitution, it is usually associated
with the First and Fourth Amendments. Concerning the former, the U.S.
Supreme Court has stated that the military can collect information on civilian
matters without a presumption of violating First Amendment rights such as the
right to associate.[2] The law needs to be modernized to
control how the information is protected and with whom it is shared.
Concerning the
latter, in the area of law enforcement, we want criminals arrested or, and
better yet, deterred from criminal activity. The Posse Comitatus Act generally
bans the military from civilian law enforcement.[3] The normal judicial test
is 1) military troops may not pervade law enforcement organizations, 2) the
military cannot be used to catch criminals, and 3) civilians cannot be subject
to the military's regulations.[4] While there is no rule to exclude
evidence from military investigators in federal civilian court,[5] three states ban it and it
is a rare occurrence.[6] The exception is when military investigators discover fraud with
defense contractors or espionage on a base, since there is a nexus between the
military and the criminal code on those subject matters.
In the world of
Big Data, the military might be able to amass volumes of domestic information
legitimately and the hand over evidence of crimes with such regularity that
civilian law enforcement becomes dependent on it. This would be an
untenable situation. However, I believe
that the law can be instrumental in limiting the temptation to use analyzed
data, albeit for public good, when such use violates the expected privacy of
the American people.
Local Police
In light of the
homegrown terrorism in Boston in April 2013, there will be a push across the
country to use information technology to conduct more types of investigations.
The challenge presented by Big Data to a local criminal justice system is the
vast disparity in resources across the roughly 20,000 police departments in
America. Different county courthouses
and prosecutorial offices will have different levels of ability to take in
statistical analysis and apply the law on a case-by-case basis. To the extent that the practice of law
involves applying legal adjectives like “due,” “probable,” “reasonable” etc. to
the facts of the case, the disparities in the ability to interpret the facts
will hurt the trust in our justice system.
My in-depth analysis of local police and counter terrorism is here.
Public
Interest/Vendors
As if the interplay among civil-military law and federalism
weren’t challenging enough, outsourcing these functions to private vendors adds
yet another layer of complexity.
"Inherently
governmental functions" is a term of art describing decisions and
actions that must be done by sworn government workers. This is based in
public law[7], the Federal Acquisition
Regulations[8],
and Executive Orders[9]. The government embeds
contractor employees working at its sites, as well as those working offsite, to
do much of its work. However decisions like awarding contracts, pressing
criminal charges, directing combat forces, voting on legislation, or investing
the government's money cannot be outsourced while maintaining the integrity and
credibility of the government.
As
argued above, the availability of data and statistics can generate insights
into public health, crime stoppage, education, and virtually any other
governmental function imaginable. However, Big Data will require a labor
force of statisticians, analysts, and subject matter experts that the
government does not readily have. As the saying goes, "knowledge is
power" and the government contractors working on data analytics will have
their own power base given the tremendous knowledge they will gain. A
vendor that secures some long-term contracts will gain expertise in analytics
as well as the subject matter they were contracted to study. This will
increase the value of their business, which, of course, is the goal of every
business.
With regards to collecting information and finding patterns
and correlations, there will be a major debate between operational security and
transparency. The government has an
interest in preventing drug dealers, Wall Street fraudsters, and terrorist
financiers from knowing its methods of detection. In the likely scenario of a for-profit
middleman, working as a governmental actor and using computers to do its work,
there would soon be a public outcry demanding to know what software algorithms
are being used or, at the very least, that these algorithms are reliable and
fair. To the degree that the algorithms
are viewed as unsophisticated or unfair, the citizenry would begin to regard
the government’s power as arbitrary, and the government’s contractors as
inimical to its interests. This, in
turn, would lead contractors to become less transparent as they become motivated
to protect their intellectual property, thereby adding yet another level of
complexity.
Ultimately, the public will want to know what the extent of
the government’s power is and what work is being done by contractors. If
contractors are using analytics and presenting their findings to investigators
and prosecutors with much less mathematical sophistication, then the citizenry
will want to know just what the extent of their government’s power is. The dichotomy would add a third leg in the
form of the private contractor’s interest in protecting its intellectual
property.
CYBER THREATS
Securing information has always been a basic principle of
war. Digitized information is different.
Digitized information can, in and of itself be a weapon. It can steal another’s information, spy on
another’s information, destroy another’s information, or effectively become a
kinetic weapon by controlling the hardware (e.g. a dam) of another.
Government’s efforts to minimize the threats, will have side
effects that impact on the law.
Military
The political issues surrounding the military are based on
two things. First, the uniformed military and the Department of Defense (DoD)
writ large have by far the best-organized and resourced cyber defenses. Secondly, there is a legal tradition of not
involving the military in domestic affairs.
Given its vast IT resources, the DoD is the lead agency
protecting the federal government, as opposed to the Department of Homeland
Security (DHS). This raises popular concerns about involving the military
in the management of not only federal civilian agencies, but also state and
local agencies. The law is fairly clear, as argued in a U.S. Department
of Justice memo[10],
that there is no law against DoD civilians enforcing the law, or
regulations. Laws such as the Posse Comitatus Act[11]
prohibit members of the armed forces, but not civil servants in the DoD, from
law enforcement and regulating civilians
During the midst of a massive, debilitating hacking, there might
be no choice but for the president to find that state civil resources have been
overwhelmed and invoke the Insurrection Act[12]
to allow troops to take temporary control of state IT infrastructure.
This is by no means meant to conjure up the image of army troops on trucks with
fixed bayonets driving down Main Street. It would more likely be a group
of young, tech-savvy soldiers in massive computer labs working with state
officials to restore their databases, computer systems and websites.
Federal
Law Enforcement and Homeland Security
Two major legal issues on the horizon are the interface between
the federal government and private telecommunications firms, as well as
federalism issues.
The first issue has plenty of media analysis at the time of this writing and is being hotly debated with
the House and Senate having competing bills related to the House’s Cyber
Intelligence Sharing and Protection Act (CISPA). The issues include searching our
communications and documents online, as well as examining the sanctity of the
contractual relationships that consumers have with telecom companies. If companies who fear they have been hacked
voluntarily provide the government information about their email accounts and
cloud storage access, then that is a privacy and property rights matter.
Furthermore, Corporate America has to deal with the issue of
companies secretly revealing to the government that they have been hacked. It is akin to revealing someone has been
diagnosed with a contagious disease. That hypothetical would be a medical privacy
issue, but one that public health authorities would want to know about. There
is an obvious public interest in stopping international and domestic hackers,
but there is an issue with
whether a publicly traded company should have to reveal this incident to its
shareholders, which could lower its corporate value. The government would want to know of every
attack, as would the rest of the business community looking for antidotes. Perhaps a solution lies in some type of
judicial hearing for each incident of cyber search, or revelation of a cyber
hack. Care could be taken to alert the
cyber security community of the latest type of viral worm.
The second issue that Federal Law Enforcement has to
deal with is federalism. Namely, the act of “protecting” states and localities
may actually lead to federal control over states and localities.
The main threat is from online worms that could steal
data (e.g. a list of a police department's undercover officers), destroy data
(e.g. the property tax transactions), or control infrastructure like the
controls for an aqueduct. In the immediate aftermath of a big cyber event
on a state government, it may seem intuitive to have the federal Department of
Defense or Homeland Security put up a virtual firewall and set compliance
procedures. But that would bring a whole host of questions about federal
power and potentially civil-military relations.
In the fall of 2012, the state of South Carolina had a
major hacking occurrence with over 3 million citizens having their (federal)
Social Security Numbers stolen, as well as tax information for several
businesses.[13] It was the U.S. Secret Service that
informed the state government of this. It took the state government
several days to secure its network and even more days to disclose this to the
public.[14] In this case, a private company
was contracted to survey the damage and recommend remedial steps, but an attack
from a foreign government on several states at once may require a federal
government response.[15]
The courts have always maintained the federal
government's plenary authority to coordinate defense of the country.
There are also constitutional designs articulated in cases such as New York v United States (1992)[16]
and Printz v United States (1997)[17]
that elucidate the notion that states are sovereign and must be allowed to
function independently in a federal system. That is a check against
political tyranny by the federal government.[18]
So how does cyberspace fit in?
"Traditional and non-traditional" government
functions have been debated for
centuries in determining where federal regulation reached its limits.
While in 1985, the Supreme Court declared that "traditional and
non-traditional" functions was impossible to delineate[19],
the following decades of jurisprudence have narrowed the federal government's
authority in general. The Internet, and its pervasiveness and mobility,
has transformed our way of life, our economy, and thus, how we govern
ourselves. We can pay for municipal parking tickets on our cell phone,
take classes at a state university online, and we can have a federal court
subpoena our documents stored in "the cloud."
New York
v U.S. and Printz v U.S. uphold
the notion that the federal government cannot mandate that the states must follow
a federal policy scheme, nor can the federal government commandeer state
workers and resources to follow federal processes. As more state
government functions are processed through information technology, and more
interaction between states and the public is virtual, federal regulation of a
state's IT systems would be a major constitutional quagmire.
According to cyber security experts, the weakest link in
protecting IT systems from hackers is the human element. Therefore
federal regulations regarding how state workers answer email and plug in thumb
drives into their home computers could soon take effect. Regulations
punishing a state worker for a security lapse could very well be
required. Who would administer that is not very clear. Needless to
say, any government functions blending federal and state networks like law
enforcement, Medicaid, or public health administration could be impeded if a
state did not secure its network.
ENHANCED
TECHNOLOGY
This is a catchall term for gadgets that enhance the senses
and abilities of people, people such as government agents, such as the Six
Million Dollar Man character. There are
many types of augmented reality, but for this discussion I will stick with
things like infrared cameras and Google Glasses.
Privacy
This word, unmentioned in the Constitution, is an idea that is
near and dear to us. Our interpretations of privacy are shifting, and the
application of the law must adjust continually. Computerized glasses and
Forward Looking Infrared (FLIR) enhanced our ability to perceive and understand
our immediate surroundings beyond what any statue or court ruling ever had in
mind. Facial recognition in a computerize
glass frame could allow someone to do web searches on random people on the
street. On college campuses, where there
are closed social network communities, this capability will present an even
more acute conundrum.
Giving government officers the capability to constantly do
searches on people suggests that we could be being searched whenever we are
within a cop’s line of sight.
Oversight
There is such a thing as too much government efficiency.
We all complain about government bureaucracies like the DMV. However,
there is sometimes a reason for process. It prevents mistakes, allows for
more transparency, and more say in the process. With technology,
government will be tempted to take shortcuts in things like interviewing
witnesses and seeing as many angles to a story as possible.
Seeing clues that are not really there is a potential hazard when
machines replace the human element. As a
bureaucracy, some may not see inefficiencies or corruptions when they hide in
plain sight. Oversight is crucial.
Government Power
More work needs to be undertaken when considering the notion of
just how much power should the government have. A FLIR device can peer
into our homes and see human activity. In exigent circumstances, chasing
a public danger on the run, I think there is more public support for this
extrasensory technology. But for mere patrol work, or data collection, the
citizenry is not ready yet for authorities having the ability to peer into our homes
and track our movements. This poll taken last
month after the Boston attacks shows strong support for civil liberties.
State and
Local power
How much power should state and local governments have? The
famous infrared photograph from the Boston investigation showing the suspect
hiding in a boat was taken by the Massachusetts State Police. With states
and localities having the power that comes with this technology, there will be
differences in how it is applied. If the differences become too great,
that leads to different levels of civil liberties across jurisdictions,
something contradictory to the 14th Amendment. Furthermore, FLIR
technology is commercially available. We have to have standards of what
corporate security, paparazzi, and others will do to fellow citizens and
businesses.
Public
Interest and Vendors
There are two issues here.
How the government outsources its functions using enhanced technology,
and secondly, how the government uses information that enhanced technology generated
from the private sectors without a contract.
As far as embedded contractors and outside vendors go, the
issues are again controlling their behavior, as well as the concern about one
company becoming too powerful with resources and institutional knowledge. As much as the government will want to grow
its own capacity to surveil and analyze data, it will need to use its personnel
to oversee private contractors.
The Boston FBI’s appeal to the public for cell phone footage
after the Marathon bombing is a wonderful example of private individuals and
companies helping the government. On the
other hand imagine the damage that can be done if a private security guard
without law enforcement education and training, like George Zimmerman is given
more technology. Now extrapolate that
scenario across a well-capitalized security firm, or more simply the security
department of a typical corporation.
Laws will have to be enacted and enforced in order to allow people to
keep private information and identity private.
Please comment.
[1] http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886
[2] Laird v.
Tatum 408 U.S. 1 (1972)
[3] 18 U.S.C. § 1385
[4] Congressional
Research Service, The Posse Comitatus Act and Related Matters: The use of the
Military to Execute Civilian law August 16, 2012 http://www.fas.org/sgp/crs/natsec/R42659.pdf
[5] U.S. v
Walden 490 F 2d. 372, 376 (1974)
[7] FAIR Act
Public Law 105-270
[8] Federal
Acquisition Regulations Section 7.500
[9] Publication
of the Office of Federal Procurement Policy (OFPP) Policy Letter 11-01,
Performance of Inherently Governmental and Critical Functions
[11] 18
U.S.C. § 1385 (1994)
[12] 10
U.S.C. § 331-335 (1994)
[13] http://www.nytimes.com/2012/11/21/us/more-details-of-south-carolina-hacking-episode.html?_r=0
[15]http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20-%20Department%20of%20Revenue%20-%2011%2020%202012.pdf
[16] New York
v. United States, 505 U.S. 144, (1992).
[17] Printz
v. United States, 521 U.S. 898, (1997).
[18] New York
v. United States, 505 U.S. 144, 181 (1992).
[19] Garcia
v. San Antonio Metropolitan Transit Authority, 469 U.S. 528, 547 (1985).
No comments:
Post a Comment