Digital technology requires stronger US surveillance laws says report

The government surveillance stories that have filled the headlines in recent months aren't isolated incidents, but rather reflect a widening gap between the technology that collects sensitive personal data and the laws designed to protect that data against government misuse, a new report finds. The National Security Agency's domestic spying program, the Justice Department's efforts to obtain millions of internet search records, the government's use of cell phones to track suspects and other developments highlight the law's failure to keep pace with technological advances, according to "Digital Search & Seizure: Updating Privacy Protections to Keep Pace with Technology," a report released on Feb. 21 by the Center for Democracy & Technology (CDT). The report suggests that technology is making government surveillance easier, not harder, and that stronger protections are needed if innocent US citizens are to retain their privacy rights. "The government complains that new technology makes its job more difficult, but the fact is that digital technology has vastly augmented the government's powers, even without legal changes like those in the PATRIOT Act. The capacity of internet technology to collect and store data increases every day, as does the volume of personal information we willingly surrender as we take advantage of new services. Meanwhile, the laws that are supposed to prevent the government from unfairly accessing personal information haven't changed in two decades," said CDT Policy Director Jim Dempsey, the principal author of the report. "The gap between law and technology is widening every day, and privacy is eroding. What makes this even more troubling is that most users of these new technologies don't realize they are putting their privacy in jeopardy," Dempsey added. The report details how two popular and increasingly ubiquitous technologies–web-based email and location awareness–inadvertently give the government unprecedented access to US citizens' personal data. Web-based email is a convenient, inexpensive way to stay in touch with friends and colleagues and to access one's mail, photos and documents from anywhere in the world. Several webmail services now offer their users gigabytes of storage, touting the fact that users never need delete anything. As "Digital Search and Seizure" illustrates, all of this information sits on the computers of service providers. The legal distinction between web-based and traditional email accounts is essentially meaningless for most internet users, but under the Electronic Communications Privacy Act–drafted in 1986, before webmail existed–messages and documents stored with webmail providers are entitled to weaker protections than those stored on users' computers. While the government needs a judicial warrant to search a person's computer, it may be able to access that person's webmail account with only a subpoena, issued without judicial review; without any specific suspicion of wrongdoing on the part of the user; and often without notice to the person whose data is being disclosed. "Digital Search and Seizure" also outlines how mobile phones serve as tracking beacons. "While a cell phone is turned on, whether or not it is making a call, it is regularly seeking out the nearest antenna and sending to it its identification numbers," the report points out. Unfortunately the legal standards regulating the government's ability to use that constant stream of new data haven't kept pace with the technological reality. Since no existing law lays out explicit standards for government location tracking, the government's use of location technology is governed by a patchwork of laws and court precedents, the report finds. Finally, the report discusses the emergence of "government spyware"" keystroke-logging technology that can record everything a subject does on his or her computer. Here too the technology has far outpaced the legal protections, giving the government a uniquely intrusive surveillance tool, with inadequate legal controls. The report concludes that in all these areas and others (such as RFID and search services), the laws must be updated to reflect the technological realities of a new century. The internet and communications industry, public interest organizations and the government need to enter into a dialogue aimed at ensuring that the fundamental right of privacy is protected in the face of technological change, the report urges.