21 October 2012

Lex Informatica

'The Internet at 20: Evolution of a Constitution for Cyberspace' by Henry Perritt Jr. in 20 William & Mary Bill of Rights Journal (2012) 1-69 comments that -
The Internet’s “constitution” is not expressed in a single document. Instead, it comprises the open architecture inherent in the Internet’s technological protocols together with a collection of government policies, legislative enactments, and judicial decisions that seek to protect the basic architectural philosophy, ensure space for entrepreneurial freedom, and guard against the abuse of economic or political power.
This Article looks back over the Internet’s first twenty years, highlighting the crucial legal decisions by the executive, legislative, and judicial branches that have led to the Internet’s success, and which now frame its constitution. I participated in many of these decisions and wrote more than a dozen law review articles and reports suggesting directions for public policy and law. This Article uses this foundation to consider the future, focusing on major legal controversies, the resolution of which will define the Internet’s third decade — either strengthening or undermining its constitution.
In discussing traffic analysis - a basis of recent Australian mandatory traffic data retention proposals - Perritt comments -
Transactional data about communications, not involving access to content, enjoy a less protected position than content in the combinations of legal controls adopted by Congress. Less protection for such data flows from the reasoning of the Smith case - that little expectation of privacy for such data exists because the data are disclosed to and used by third-party service providers. Even if that proposition is correct for dialed telephone numbers, it is not true for the inferences that may be drawn from large quantities of data about patterns of communication available from modern telecommunications networks. Traffic analysis of IP packets to and from a particular target can reveal a blueprint of the target’s human associations. It can reveal subject matter interests through analysis of web browsing. Analysis of geographic information from cell phone connections can detail target movements, minute by minute.
Advances in technology facilitate such traffic analysis because they facilitate acquisition of transactional data, as from IP packet headers, and they also facilitate machine analysis of patterns revealed by the acquired data. In many cases, traffic analysis may actually be more valuable to law enforcement and intelligence agencies than the content of a handful of messages. Traffic analysis may also be more revealing about the private conduct and thoughts of a target than content.
Suppose a criminal intelligence agency acquires information about every cell phone call made or received by a target for a period of six months. Through relatively inexpensive and widely available techniques, the agency can collect information on the date and time of every call made or received and the other telephone number to or from which a call is attempted or established. Call-duration data is also available. By analyzing the patterns of cell phone communication by the target, the monitoring agency could determine, for example, that the target communicates at least daily with a suspected drug dealer and, regularly, on a weekly basis, with another individual in the target’s hometown. From these data the agency could infer that the target is himself a drug dealer, or at least a drug user, and also could infer that the individual with whom the target communicates weekly is a good friend or, possibly, someone with whom the target has a romantic involvement.
A foreign intelligence agency might obtain data on a target, which could reveal that the target has regular communication with a particular telephone number in Iran and places many calls to different individuals in a geographic area with a substantial Muslim population. From these data the foreign intelligence agency might infer that the target is involved in raising money for an activity directed from Iran, or that the target is involved in organizing some form of collective activity related to Iran. At the very least, these inferences might constitute sufficient probable cause to allow the agency to obtain a judicial order for acquisition of the content of these communications.
The overall effect is analogous to physical surveillance of the target - following the target everywhere and identifying all the people with whom the target communicates face to face.
A newer form of traffic analysis is potentially even more useful and even more intrusive: monitoring a target’s web browsing. Information about every web address (URL) visited by a target is readily collectible by intercepting IP traffic to and from the target’s IP address under a Pen/Trap order, which does not require probable cause. Alternatively, and at far less cost, a criminal intelligence or a foreign intelligence agency can obtain much of the same kind of information by obtaining records maintained by search engines, such as Yahoo! and Google, which would reveal every web page a user/target searches for. Because most web browsing involves regular resort to search engines to find the URL for web pages of interest, data from search engines represent a substantial subset of web-browsing activity. Analysis of this type of traffic not only reveals other people with whom a target has communication, but is analogous to a type of physical surveillance - entirely impracticable to effectuate - which would have someone looking over the target’s shoulder as the target browses newspapers, magazines, or possible selections in a bookstore. It is thus closer to revealing the target’s interests and thoughts, even if the target never chooses to reveal these to anyone else.
Here lies the problem: the usefulness of the new kinds of traffic analysis that the technologies of surveillance and target communication make possible is enormous. It should not be difficult to convince legislators and judges that there is a compelling need to engage in these newly productive types of surveillance, especially when the surveillance can be justified as necessary for the “War on Terrorism.” But the risks to personal liberty, and to the personal autonomy that lies at the core of liberty, while unprecedented, are likely to be overlooked when framed within legal concepts developed under the impact of past technologies to distinguish areas in which people have a “reasonable expectation of privacy” from areas where they do not.
Furthermore, legislative and judicial decisions about striking the right balance between surveillance and privacy tend almost always to assume that the government will maintain the confidentiality of everything that it collects. In fact, experience shows that individual government officials and agents do not necessarily respect confidentiality obligations. The investigation of the Vice President’s office with respect to disclosing the identity of CIA agent Plame, FBI Director J. Edgar Hoover’s use of wiretap conversations to undermine the credibility of Martin Luther King, the role of FBI executive Mark Felt as Deep Throat in the Watergate controversy, FBI leaks about an individual suspected for a time of being the Atlanta Olympics bomber, and many other instances demonstrate that when even the most secretive government agencies have explosive information about individuals, the temptation to leak it is strong.
Consider further what would be in the information pool subject to possible leaks if widespread traffic analysis is performed, either monitoring e-mail communications and cell phone communications or monitoring web browsing. The pattern-matching tools are imprecise, and it is inevitable that someone engaging in perfectly innocuous activities would occasionally come under suspicion. Heightened suspicion means that more data would be collected and more attention paid to it. And minimization does not work very well in these new contexts. So communications and web browsing associated with suspect persons or subjects would be accompanied by data on other matters of a sensitive nature to the target, albeit unrelated to national security threats or to criminal activity, obviously including sexual relationships or interests that the target legitimately would not want exposed to others. The temptation to leak these kinds of traffic would be especially strong to a leaker who wants to injure the target, because the leaks would not jeopardize legitimate national security or criminal intelligence.