Over the last year, the FBI has had harsh words for Apple, accusing the tech giant of endangering human lives and aiding criminals by turning on encryption by default on the iPhone. When Google announced it would add the feature to Android, meaning that smartphone users would need to unlock their phones for police to be able to go through them, government officials and law enforcement representatives similarly freaked out.
But this move by tech giants to make government surveillance harder reflects public opinion. A significant number of Americans think the government is overreaching: in a recent Pew survey, 65% of respondents said they think the limits on government surveillance are inadequate. Tech companies usually stand accused of violating privacy thanks to business models dependent on amassing and mining data from their millions of users, but Apple and Google are not the only tech companies building features into their products to make it harder for government agencies to do the same.
Both Google and Yahoo have announced that they are working on end-to-end encryption in email. Facebook established its service on a Tor hidden services site, so that users can access the social network without being monitored by those with access to network traffic. Outside of product design, Twitter, Facebook and Microsoft have sent their formidable legal teams to court to block or narrow requests for user information. Update: This weekend, the New York Times reported that Apple could not hand over real-time text messages to the Justice Department, despite a court order in a case concerning "guns and drugs," because of its encryption.
Encryption tools have traditionally been unwieldy and difficult to use; massive companies turning their attention to better and simpler design, and use by default, could be a game changer. Privacy will no longer be accessible only to tech-savvy users, and it will mean that those who do use encryption will no longer stick out like sore thumbs, their rare use of hard-to-use tools making them a target.
There are other avenues protecting privacy as citizens of a constitutional democracy. But in a world where protecting the privacy of our communications, movements and activities is increasingly challenging, our data custodians designing against mass surveillance is the most promising development that we’ve seen.
Americans have ways to resist and reform surveillance on paper: We can vote for privacy-protective politicians. We can challenge surveillance practices in court when the government conducts unreasonable searches. We can adopt technology that hides our identity or scrambles our communications.
As I argue in a forthcoming essay in the University of Chicago Law Review, however, we face serious hurdles in seeking to resist and reform surveillance in practice:
Perhaps the most obvious way for Americans to resist and reform surveillance is at the ballot box. There are a few privacy-minded politicians out there. In the Senate, you think of Senators Ron Wyden (D-OR) and Rand Paul (≈ R-KY). In the House, there’s Representative Justin Amash, Chairman of the House Liberty Caucus and an outspoken advocate for surveillance reform. (And, disclosure, a former classmate of mine.) Given the ambivalence of many Americans about surveillance we might not expect a privacy movement. But perhaps we can move the needle by electing more Wydens and Pauls.
The problem with this approach, according to various law professors and political scientists, is that even officials who care about privacy are not in a position to conduct oversight. These officials often lack the access to provide a check on the enormous, quixotic intelligence community. As Representative Amash puts it:
You don't have any idea what kind of things are going on. So you have to start just spitting off random questions. Does the government have a moon base? Does the government have a talking bear? Does the government have a cyborg army?
(Answers: “no,” “no,” and “probably.”)
Even given access, officials do not necessarily have the expertise to challenge intelligence orthodoxy. Amy Zegart’s work is particularly instructive in this regard. “Expertise is critical,” writes Zegart, “and always in short supply.”
Meanwhile, effective oversight takes place behind the scenes. Compare an act of terrorism, which is always breaking news, and is likely to be used against the politician who reined in the surveillance powers. And just because a reformer is elected, doesn’t mean he or she will stay in office. Former Senator Russ Feingold (D-WI) opposed and helped limit the USA PATRIOT Act. Civil libertarians may applaud Feingold, but if they don’t live in his district, he could (and did) wind up out job.
In short, we can elect privacy-minded politicians, but how will we furnish them with the access, expertise, or incentives needed to pursue reform?
I said earlier that Americans have the ability to resist surveillance “on paper.” This includes a very old piece of paper called the Constitution. Even if citizens cannot collectively achieve political reform through the ballot box, they ought to be able to challenge surveillance practices individually in court.
Once again, the reality is different. The problem has to do with who can challenge surveillance. To challenge surveillance under the First Amendment as an infringement of free speech and assembly, you have to show that your speech has been “chilled.” This is a high bar—even the act of suing tends to suggest you’re not cowed.
To challenge surveillance under the Fourth Amendment, which protects us from unreasonable governmental searches and seizes, you have to be a criminal. I’m overstating a bit, but Fourth Amendment doctrine has limited who can challenge an unlawful search or seizure in court. If I’m keeping drugs at your house and the police enter without a warrant, prosecutors can still enter the drug evidence at my trial. Your remedy is to file a lawsuit and, if the violation was egregious, perhaps get some damages.
A lot of evidence is stored with “third parties” in the so-called cloud. In that case, depending on the jurisdiction, law enforcement may be able to get at the information without a warrant.
Some legal scholars—like Yale Law School’s Akhil Amar—have argued that criminals make bad surrogates for our Fourth Amendment rights. Meanwhile, all this assumes that you know about the surveillance in the first place. It turns out to be hard to show standing to challenge surveillance no one can know about.
Let’s say politics and law are getting you nowhere. There’s always technology. Technology is a big part of the problem—it makes collecting, processing, and storing information much cheaper. But it also affords the means by which to resist surveillance. Technology like Tor and Bitcoin can hide the identity of an individual surfing the Web or making purchases while encrypted email, texts and phone calls can scramble what a person says to make it very hard, maybe impossible, to monitor.
But much of this technology can be hard to use, and ill suited to the tasks users are trying to accomplish. Alma Whitten—who spent a decade working on privacy at Google—has written extensively on the poor usability of encryption. Her 1999 work Why Johnny Can’t Encrypt, with J.D. Tygar, is a classic in the field.
More recently, an interdisciplinary team out of the University of Washington and the Columbia Journalism School examined whether journalists possess the technical tools they need. Journalists are often cited as the very population that require information security to do their important work. And yet, the team found that available tools were not usable and even interfered with the journalistic mission.
Meanwhile, because so few people wind up adopting tools for hiding, their very use can make those people a target for government surveillance.
There are some bright spots. This year, facing both a sunset and a successful court challenge, Congress scaled back the NSA’s surveillance powers, taking away the organization’s ability to collect Americans’ phone call records en masse ETC. There have also been some positive developments in Fourth Amendment law at the Supreme Court—notably, the requirement (announced in Riley v. California) that police get a warrant before searching a smart phone incident to arrest and the decision (in City of Los Angeles v. Patel) to allow parties to challenge statutes themselves, rather than individual applications of those statutes. Russ Feingold is running for Senate again.
But practically speaking, the most promising changes may come from corporations responding to market forces. There seems to be no substitute for a motivated intermediary who can encode privacy with the force of politics and law as a backstop.
The strategy is not without pitfalls. As Jack Balkin, Jon Michaels, and others point out, corporations have historically been complicit in, even enabling of, mass surveillance. Some have argued that corporations make bad “avatars” or stand-ins for citizens in court. And if a company promises to fight for its users, who will enforce that promise if broken? Not the same government asking for the information in the first place.
So, as ever, the price of liberty is eternal vigilance. Keep on top of Apple, Google, Microsoft. Follow what they do and don’t let them let up. They may be our best chance out of this surveillance mess.
Ryan Calo is an assistant professor at the University of Washington School of Law and an affiliate scholar at the Stanford Law School Center for Internet and Society and Yale Law School Information Society Project. Follow him on Twitter @rcalo. This op-ed is adapted from a forthcoming essay in University of Chicago Law Review.
Ryan Calo is an assistant professor at the University of Washington School of Law and an affiliate scholar at the Stanford Law School Center for Internet and Society and Yale Law School Information Society Project. Follow him on Twitter @rcalo.