Friday, April 19, 2013

April 19th in Boston

Today was an extraordinary day for American law. One terrorist was able to paralyze a million people in Boston when, exactly 238 years ago today, 4,000 British troops could not do the same in a much smaller city as the Revolution began. Today's implications for law and policy are profound:

Immigration- The Tsarnaev brothers were naturalized citizens who committed terrorist acts. How we decide who can stay here, and who gets to be an American, is a fuzzy issue. At the very least, the Natural Law language of "rights" for immigrants will, by changing political winds, be replaced by the notion that every sovereign country gets to set the process for naturalization.

5th Amendment- There is a Public Safety Exception to the Miranda Rule being invoked based on national security threats. On CNN, Jeffrey Toobin made the point that Miranda Rights are about verbal statements being used against the defendant in court.  Here, there may be so much evidence that law enforcement/intelligence may want to start interrogation right away.

4th Amendment/Privacy- From the commercial Closed Circuit TV footage to the use of infrared scanners on a police helicopter for the ultimate arrest, our norms of "privacy" are changing how law enforcement can operate.  Just yesterday, the House voted on a related bill, CISPA, about telecom companies sharing cybersecurity information with law enforcement.

Arms-  Why handguns and not bombs?  Who decides, and is that decision a democratic or judicial one?  These suspects had guns and bombs and what people should be allowed to have is another topic voted on in Congress this week.

Federation- From the variety of federal agents working with the state police, all the way down to various campus police officers, the coordination was truly remarkable. The outpouring of support I see in social media from across the political and cultural spectrum is amazing. This suggests a general sense of trust in government.

The arms and armor of law enforcement officers are much more menacing than a generation ago. As stated above, legal adjectives like "reasonable," "expected privacy," and local "control" will adjust.

Tuesday, April 9, 2013

Lawfulness with Big Data



Do these analytics fairly present relevant facts that trigger a legal rule or response?  From the lawyer at the bar in an evidentiary motion, to an in-house counsel in the C-Suite, that's the question in this age of incomprehensible volumes of information. 

In cases such as white collar fraud, or a mass conspiracy racket, data about relationships and patterns will be presented for admissibility to judges who may not have taken statistics in college.   Lawyers need to know if all available information was calculated, and if the numbers were presented fairly. Once deemed admissible, data analytics needs to be presented to a lay jury for persuasion. Data Analysis for lawyers will no doubt become a cottage industry.

General Privacy (in addition to Fourth Amendment matters) will become an even hotter topic as the vast resources of the government (and corporations) begin to gather a picture of each of us, in a fair light or not. As individuals we do not have the capacity to gather as much data, analyze it, or present it in a way to correct our reputations.

Lastly, the national security apparatus, including Congressional Committees and FISA courts, needs to take care not to allow parts of the government to overly monitor the daily lives of the people.  Undoubtedly, our frames of ethics and equity will shift with technical capability, but the law needs to be dynamic enough to only allow outcomes that society wants.

Saturday, March 16, 2013

The Law, the Military, and Big Data


America has a long history of separating military operations from civilian law enforcement and domestic governmental functions.[1] The information technology revolution has created new realities that will challenge this old order of things.  As knowledge grows, it will greatly improve decision making for the military, law enforcement, the domestic sector of the government, as well as the business community.  With these opportunities, come threats to privacy from the compilation of information, as well as the threat from malicious digitized information itself.[2]  This post focuses on the implications of the military holding all of this information.

Organizational silos have separated military, domestic intelligence, law enforcement, and other parts of the government from each other for over two centuries. The processing of online information and the need to protect our IT systems are slowly starting to merge across these parts of the government.[3]

Historically the military worked overseas.  The military's potential role in domestic cyber protection was discussed in a previous post on this blog, but this post concerns data collection.  Essentially, what do the American people want the military to know?  The Defense Department has vast resources of computing machines and highly educated personnel to collect all kinds of information.  International crime syndicates, money transfers, immigrant population flows, and of course cyber investigations are all subjects about which the military could collect domestic data in the conduct of its duties.

What other parts of the government and the business community do with that information from the military is yet another set of issues.  The military might have data sets about children's academic performance at on-base schools that the federal and local education authorities might like.  Many medical and scientific innovations come from the battlefield.  In addition, the research and data that the military, and all other parts of the government collect are invaluable to the business community.  These are policies that should be allowed, but then that raises the issue discussed below of whether the aggregation of too much information sets up a power imbalance between the government and citizenry.[4]

As the word privacy is not written in the constitution, it is usually associated with the First and Fourth Amendments.  The U.S. Supreme Court has stated that the military can collect information on civilian matters without a presumption of violating First Amendment rights such as the right to associate.[5]  The law needs to be modernized to control how the information is protected and with whom it is shared.

The other big issue is Fourth Amendment issues in law enforcement.  We want criminals arrested, and better yet, deterred from the start. The Posse Comitatus Act generally bans the military from civilian law enforcement.[6]  The normal judicial test is 1) military troops may not pervade law enforcement organizations, 2) the military cannot be used to catch criminals, and 3) civilians cannot be subject to the military's regulations.[7]  While there is no rule to exclude evidence from military investigators in federal civilian court,[8] three states ban it and it is a rare occurrence.[9] The exception is when military investigators discover fraud with defense contractors or espionage on a base, since there is a nexus between the military and the criminal code on those subject matters.

In the world of Big Data, the military might be able to amass volumes of domestic information legitimately and then hand over evidence of crimes with such regularity that civilian law enforcement becomes dependent on it. That is where the law comes in: to stop the temptation to use analyzed data, albeit for public good, when it violates the expected privacy of the American people.




[1] Laird v. Tatum 408 U.S. 1, 15 (1972)
[2] http://thehill.com/blogs/hillicon-valley/technology/280243-overnight-tech-hagel-stresses-importance-of-cybersecurity-ahead-of-confirmation-hearing
[3] http://www.nextgov.com/cybersecurity/2013/02/defense-positions-military-cyber-squad-dhs-turf/61057/
[4] http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886
[5] Laird v. Tatum 408 U.S. 1 (1972)
[6] 18 U.S.C. § 1385
[7] Congressional Research Service, The Posse Comitatus Act and Related Matters: The use of the Military to Execute Civilian law August 16, 2012 http://www.fas.org/sgp/crs/natsec/R42659.pdf

[8] U.S. v Walden 490 F 2d. 372, 376 (1974)
[9] http://www.fas.org/sgp/crs/natsec/R42659.pdf

Friday, March 15, 2013

Defining Inherently Governmental Functions in the Era of Big Data

The sheer amount of data and knowledge available today is beyond the ability to comprehend.  Individuals and organizations who are able to take data sets and infer patterns, predictions and conclusions will add much value to efficiency in commerce, prudence in collective action, and enriching our lives as individuals. The U.S. Government has long relied on contracted vendors to conduct studies and analysis to support its decision-making.  This article will focus on the government, and keeping control of its prerogatives as it inevitably outsources a lot of data analysis to vendors.

"Inherently governmental functions" is a term of art describing decisions and actions that must be done by sworn government workers. This is based in public law[1], the Federal Acquisition Regulations[2], and Executive Orders[3]. The government embeds contractor employees at its sites, as well as having them work offsite, to do a lot of its work. However, decisions like awarding contracts, pressing criminal charges, directing combat forces, voting on legislation, or investing the government's money cannot be outsourced while maintaining the integrity and credibility of the government.

The amount of data and statistics will add a great tool to give insights into public health, crime stoppage, education, and virtually any other governmental function imaginable.  However, Big Data will require a labor force of statisticians, analysts, and subject matter experts that the government does not readily have.  As the saying goes, "knowledge is power" and the government contractors working on data analytics will have their own power base given the tremendous knowledge they will gain.  A vendor that secures some long term contracts will gain expertise in analytics as well as the subject matter they were contracted to study.  This will increase the value of their business, the goal of every business.

This is where the law must come in. A tension can develop between a vendor seeking to gain as much knowledge as possible, and protecting the privacy of the American people. In a healthy, well functioning contract, a vendor is doing well financially by helping the government achieve its public mission. As vendors are motivated by sales, public officials are motivated to achieve their goals. As data analysis pervades more and more executive agencies, public officials will have to have legal rules to force them to rein in vendors, as well as their own employees, from collecting too much information. Simple rules can include requiring contractors to wipe all data from their computers' memory, as well as non-disclosure agreements for contractor employees.

Big Data worries are not just about substance, they are about process. Certain information is available through free online search engines. Even more is available through expensive databases. The government, supplemented by embedded private contractors, also has tremendous technical investigative tools and power of legal discovery to access data. Classic Fourth Amendment (Criminal Procedure) principles will inform how domestic government agencies collect, analyze and store data. Using data "in a manner which will conserve public interests as well as the interests and rights of individual citizens"[4] will continually be redefined as search and storage capacity grow geometrically. America requires a legal regime dynamic enough to keep up with the changing frames of “subjective expectations of privacy”[5] and the temptation for government and vendors to use this information for public goals.


[1] FAIR Act Public Law 105-270
[2] Federal Acquisition Regulations Section 7.500
[3] Publication of the Office of Federal Procurement Policy (OFPP) Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions
[4] Carroll v. U.S.  267 US 132, 149 (1925)
[5] Kyllo v U.S.  533 U.S. 27, 33 (2001)

Wednesday, February 20, 2013

Federalism Issues with Cyber Security



Incidents of American government IT networks being illegally accessed are increasing in sophistication and tempo.  These software intrusions come from foreign states, as well as foreign and domestic non-state actors.  They range from pranks to malicious efforts to shut down databases, software, hardware, and equipment.  This article is aimed at discussing some constitutional issues arising from a catastrophic incident against a state government that necessitates federal protection of their IT systems.

The main threat is from online worms that could steal data (e.g. a list of a police department's undercover officers), destroy data (e.g. the property tax transactions), or control infrastructure like the controls for an aqueduct. In the immediate aftermath of a big cyber event on a state government, it may seem intuitive to have the federal Department of Defense or Homeland Security put up a virtual firewall and set compliance procedures. But that would bring a whole host of questions about federal power and potentially civil-military relations.

In the fall of 2012, the state of South Carolina had a major hacking occurrence with over 3 million citizens having their (federal) Social Security Numbers stolen, as well as tax information for several businesses.[1]  It was the U.S. Secret Service that informed the state government of this.  It took the state government several days to secure its network and even more days to disclose this to the public.[2]  In this case, a private company was contracted to survey the damage and recommend remedial steps, but an attack from a foreign government on several states at once may require a federal government response.[3]

The courts have always maintained the federal government's plenary authority to coordinate defense of the country.  There are also constitutional designs articulated in cases such as New York v United States (1992)[4] and Printz v United States (1997)[5] that elucidate the notion that states are sovereign and must be allowed to function independently in a federal system.  That is a check against political tyranny by the federal government.[6] So how does cyberspace fit in?

"Traditional and non-traditional" government functions have been debated for centuries in determining where federal regulation reached its limits. While in 1985, the Supreme Court declared that "traditional and non-traditional" functions were impossible to delineate[7], the following decades of jurisprudence have narrowed the federal government's authority in general. The Internet, and its pervasiveness and mobility, has transformed our way of life, our economy, and thus, how we govern ourselves. We can pay for municipal parking tickets on our cell phone, take classes at a state university online, and we can have a federal court subpoena our documents stored in "the cloud."

New York v U.S. and Printz v U.S. stand for the notion that the federal government cannot mandate that the states follow a federal policy scheme, nor can the federal government commandeer state workers and resources to follow federal processes.  As more state government functions are processed through information technology, and more interaction between states and the public is virtual, a federal regulation of a state's IT systems would be a major constitutional quagmire.

According to cyber security experts, the weakest link in protecting IT systems from hackers is the human element.  Therefore federal regulations regarding how state workers answer email and plug in thumb drives into their home computers could take effect.  Regulations punishing a state worker for a security lapse could very well be required.  Who would administer that is very unclear.  Needless to say, any government functions blending federal and state networks like law enforcement, Medicaid, or public health administration could be impeded if a state did not secure its network.

Given its vast IT resources, the Department of Defense (DoD) is the lead agency protecting the federal government, as opposed to the Department of Homeland Security (DHS). This raises popular concerns about involving the military in the management of not only federal civilian agencies, but state and local agencies. The law is fairly clear, as argued in a U.S. Department of Justice memo[8], that there is no law against DoD civilians enforcing the law, or regulations. Laws such as the Posse Comitatus Act[9] prohibit members of the armed forces from law enforcement and regulating civilians, but not civil servants in the DoD.

During the midst of a massive, debilitating hacking, there could be no choice but for the president to find that state civil resources have been overwhelmed and invoke the Insurrection Act[10] to allow troops to take temporary control of state IT infrastructure.  This is not the notion of army troops on trucks with fixed bayonets driving down Main Street.  It is more likely a bunch of young soldiers in massive computer labs working with state officials to restore their databases, computer systems and websites.

Legal processes would be easiest if a state asked the federal government for help.  Issues of commandeering a state could be written into a contract.  The main problem concerns the protocol for identifying that a major incident is underway, and whether the president decides he or she must act in the national interest to protect state governments.  The incident in South Carolina for example took place with cumulative software intrusions over months[11].

There are a host of issues not analyzed in this article, including contract monitoring of state government vendors' cyber security, private companies controlling critical infrastructure, how states collect digitized data, and the criminal investigatory methods states use to deter and investigate hackers.

I hope to have provoked some ideas for the constitutional concerns that would come with the federal government protecting a state online.