Latest

Page 7

The Exclusionary Rule and Security

Earlier this month, the Supreme Court ruled that evidence gathered as a result of errors in a police database is admissible in court. Their narrow decision is wrong, and will only ensure that police databases remain error-filled in the future.

The specifics of the case are simple. A computer database said there was a felony arrest warrant pending for Bennie Herring when there actually wasn’t. When the police came to arrest him, they searched his home and found illegal drugs and a gun. The Supreme Court was asked to rule whether the police had the right to arrest him for possessing those items, even though there was no legal basis for the search and arrest in the first place.

What’s at issue here is the exclusionary rule, which basically says that unconstitutionally or illegally collected evidence is inadmissible in court. It might seem like a technicality, but excluding what is called “the fruit of the poisonous tree” is a security system designed to protect us all from police abuse.

We have a number of rules limiting what the police can do: rules governing arrest, search, interrogation, detention, prosecution, and so on. And one of the ways we ensure that the police follow these rules is by forbidding the police to receive any benefit from breaking them. In fact, we design the system so that the police actually harm their own interests by breaking them, because all evidence that stems from breaking the rules is inadmissible.

And that’s what the exclusionary rule does. If the police search your home without a warrant and find drugs, they can’t arrest you for possession. Since the police have better things to do than waste their time, they have an incentive to get a warrant.

The Herring case is more complicated, because the police thought they did have a warrant. The error was not a police error, but a database error. And, in fact, Judge Roberts wrote for the majority: “The exclusionary rule serves to deter deliberate, reckless, or grossly negligent conduct, or in some circumstances recurring or systemic negligence. The error in this case does not rise to that level.”

Unfortunately, Roberts is wrong. Government databases are filled with errors. People often can’t see data about themselves, and have no way to correct the errors if they do learn of any. And more and more databases are trying to exempt themselves from the Privacy Act of 1974, and specifically the provisions that require data accuracy. The legal argument for excluding this evidence was best made by an amicus curiae brief filed by the Electronic Privacy Information Center, but in short, the court should exclude the evidence because it’s the only way to ensure police database accuracy.

We are protected from becoming a police state by limits on police power and authority. This is not a trade-off we make lightly: we deliberately hamper law enforcement’s ability to do its job because we recognize that these limits make us safer. Without the exclusionary rule, your only remedy against an illegal search is to bring legal action against the police—and that can be very difficult. We, the people, would rather have you go free than motivate the police to ignore the rules that limit their power.

By not applying the exclusionary rule in the Herring case, the Supreme Court missed an important opportunity to motivate the police to purge errors from their databases. Constitutional lawyers have written many articles about this ruling, but the most interesting idea comes from George Washington University professor Daniel J. Solove, who proposes this compromise: “If a particular database has reasonable protections and deterrents against errors, then the Fourth Amendment exclusionary rule should not apply. If not, then the exclusionary rule should apply. Such a rule would create an incentive for law enforcement officials to maintain accurate databases, to avoid all errors, and would ensure that there would be a penalty or consequence for errors.”

Increasingly, we are being judged by the trail of data we leave behind us. Increasingly, data accuracy is vital to our personal safety and security. And if errors made by police databases aren’t held to the same legal standard as errors made by policemen, then more and more innocent Americans will find themselves the victims of incorrect data.

This essay originally appeared on the Wall Street Journal website.

EDITED TO ADD (2/1): More on the assault on the exclusionary rule.

EDITED TO ADD (2/9): Here’s another recent court case involving the exclusionary rule, and a thoughtful analysis by Orin Kerr.

Tags: , , , , , , , ,

Posted on January 28, 2009 at 7:12 AMView Comments

Daniel Solove on the New FISA Law

From his blog:

Future presidents can learn a lot from all this—do exactly what the Bush Administration did! If the law holds you back, don’t first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That’s the lesson. You spit in Congress’s face, and they’ll give you what you want.

The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security.

That’s the direction we’re heading in—more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability—with most of the oversight being very general, not particularly rigorous, and nearly always secret—and with the public being almost completely shut out of the process. But don’t worry, you shouldn’t get too upset about all this. You probably won’t know much about it. They’ll keep the dirty details from you, because what you don’t know can’t hurt you.

Tags: , , , ,

Posted on July 14, 2008 at 12:08 PMView Comments

New TSA ID Requirement

The TSA has a new photo ID requirement:

Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.

That’s right; people who refuse to show ID on principle will not be allowed to fly, but people who claim to have lost their ID will. I feel well-protected against terrorists who can’t lie.

I don’t think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control.

EDITED TO ADD (6/11): Daniel Solove comments.

Tags: , , , , , , ,

Posted on June 11, 2008 at 1:42 PMView Comments

Federal Judge Strikes Down National-Security-Letter Provision of Patriot Act

Article, ACLU press release, some legal commentary, and actual decision.

From the article:

The ACLU had challenged the law on behalf of an Internet service provider, complaining that the law allowed the FBI to demand records without the kind of court supervision required for other government searches. Under the law, investigators can issue so-called national security letters to entities like Internet service providers and phone companies and demand customers’ phone and Internet records.

In his ruling, Marrero said much more was at stake than questions about the national security letters.

He said Congress, in the original USA Patriot Act and less so in a 2005 revision, had essentially tried to legislate how the judiciary must review challenges to the law. If done to other bills, they ultimately could all “be styled to make the validation of the law foolproof.”

Noting that the courthouse where he resides is several blocks from the fallen World Trade Center, the judge said the Constitution was designed so that the dangers of any given moment could never justify discarding fundamental individual liberties.

He said when “the judiciary lowers its guard on the Constitution, it opens the door to far-reaching invasions of liberty.”

Regarding the national security letters, he said, Congress crossed its boundaries so dramatically that to let the law stand might turn an innocent legislative step into “the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values.”

He said the ruling does not mean the FBI must obtain the approval of a court prior to ordering records be turned over, but rather must justify to a court the need for secrecy if the orders will last longer than a reasonable and brief period of time.

Note that judge immediately stayed his decision, pending appeal.

EDITED TO ADD (9/9): More legal commentary.

Tags: , , , , , , , ,

Posted on September 7, 2007 at 10:05 AMView Comments

Terrorist Watch List: 20,000 False Alarms

Why does anyone think this makes security sense?

The Justice Department’s proposed budget for 2008 reveals for the first time how often names match against the database, reporting that there were 19,967 “positive matches” in 2006. The TSC had expected to match a far fewer number 14,780. The watch list matched people 5,396 and 15,730 times in 2004 and 2005 respectively.

The report defines a positive match as “one in which an encountered individual is positively matched with an identity in the Terrorist Screening Data Base, or TSDB.”

It’s not clear from the report whether those numbers include individuals whose names only coincidently match one of those on list, such as when Sen. Ted Kennedy was confused with a former IRA terrorist also named Kennedy.

The watch list has been hounded by these mismatches, which have included small children, former presidential candidates, and Americans with common names such as David Nelson.

How do I know they’re all false alarms? Because this administration makes a press splash with every arrest, no matter how scant the evidence is. Do you really think they would pass up a chance to tout how good the watch list is?

EDITED TO ADD (8/28): The Washington Post just got around to writing an article on the topic, and Dan Solove has some good commentary.

Tags: , , ,

Posted on July 23, 2007 at 1:39 PMView Comments

DHS Data Privacy and Integrity Advisory Committee's Report on REAL ID

The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has issued an excellent report on REAL ID:

The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.

It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, “mission creep”, and, perhaps most importantly, provisions for national security protections.

The Department of Homeland Security’s Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.

I’ve written about REAL ID here.

Tags: , , , , ,

Posted on June 6, 2007 at 2:55 PMView Comments

Teaching Computers How to Forget

I’ve written about the death of ephemeral conversation, the rise of wholesale surveillance, and the electronic audit trail that now follows us through life. Viktor Mayer-Schönberger, a professor in Harvard’s JFK School of Government, has noticed this too, and believes that computers need to forget.

Why would we want our machines to “forget”? Mayer-Schönberger suggests that we are creating a Benthamist panopticon by archiving so many bits of knowledge for so long. The accumulated weight of stored Google searches, thousands of family photographs, millions of books, credit bureau information, air travel reservations, massive government databases, archived e-mail, etc., can actually be a detriment to speech and action, he argues.

“If whatever we do can be held against us years later, if all our impulsive comments are preserved, they can easily be combined into a composite picture of ourselves,” he writes in the paper. “Afraid how our words and actions may be perceived years later and taken out of context, the lack of forgetting may prompt us to speak less freely and openly.”

In other words, it threatens to make us all politicians.

In contrast to omnibus data protection legislation, Mayer-Schönberger proposes a combination of law and software to ensure that most data is “forgotten” by default. A law would decree that “those who create software that collects and stores data build into their code not only the ability to forget with time, but make such forgetting the default.” Essentially, this means that all collected data is tagged with a new piece of metadata that defines when the information should expire.

In practice, this would mean that iTunes could only store buying data for a limited time, a time defined by law. Should customers explicitly want this time extended, that would be fine, but people must be given a choice. Even data created by users—digital pictures, for example—would be tagged by the cameras that create them to expire in a year or two; pictures that people want to keep could simply be given a date 10,000 years in the future.

Frank Pasquale also comments on the legal implications implicit in this issue. And Paul Ohm wrote a note titled “The Fourth Amendment Right to Delete”:

For years the police have entered homes and offices, hauled away filing cabinets full of records, and searched them back at the police station for evidence. In Fourth Amendment terms, these actions are entry, seizure, and search, respectively, and usually require the police to obtain a warrant. Modern-day police can avoid some of these messy steps with the help of technology: They have tools that duplicate stored records and collect evidence of behavior, all from a distance and without the need for physical entry. These tools generate huge amounts of data that may be searched immediately or stored indefinitely for later analysis. Meanwhile, it is unclear whether the Fourth Amendment’s restrictions apply to these technologies: Are the acts of duplication and collection themselves seizure? Before the data are analyzed, has a search occurred?

EDITED TO ADD (6/14): Interesting presentation earlier this year by Dr. Radia Perlman that represents some work toward this problem. And a counterpoint.

Tags: , , , ,

Posted on May 16, 2007 at 6:19 AMView Comments

FBI Issued Illegal National Security Letters Under USA PATRIOT Act

A new Justice Department report concludes that the FBI broke the law in its use of the Patriot Act to secretly obtain phone, business, and financial data about people in the U.S.

The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval.

The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do not require a judge’s prior approval, are properly issued and that it does not follow even some of the rules it does have.

From the Associated Press:

The FBI’s transgressions were spelled out in a damning 126-page audit by Justice Department Inspector General Glenn A. Fine. He found that agents sometimes demanded personal data on people without official authorization, and in other cases improperly obtained telephone records in non-emergency circumstances.

The audit also concluded that the FBI for three years underreported to Congress how often it used national security letters to ask businesses to turn over customer data. The letters are administrative subpoenas that do not require a judge’s approval.

[…]

Under the Patriot Act, the national security letters give the FBI authority to demand that telephone companies, Internet service providers, banks, credit bureaus and other businesses produce personal records about their customers or subscribers. About three-fourths of the letters issued between 2003 and 2005 involved counterterror cases, with the rest for espionage investigations, the audit reported.

Shoddy record-keeping and human error were to blame for the bulk of the problems, said Justice auditors, who were careful to note they found no indication of criminal misconduct.

Here’s the report (mirrored here), and here’s a BoingBoing post on the topic; also, this Wired article. And this by Daniel Solove.

Tags: , , , ,

Posted on March 12, 2007 at 3:55 PMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.