National Security and Privacy: Recent Developments and Emerging Challenges

This year’s Spokes conference hosted a panel on national security and privacy, moderated by Charlie Savage, Washington Correspondent for The New York Times. Panelists included Travis LeBlanc, a Partner with Cooley and Privacy and Civil Liberties Oversight Board member; Glenn Gerstell, Senior Advisor for the Center for Strategic and International Studies and former General Counsel for the NSA; and Robert Litt, Of Counsel with Morrison & Foerster LLP, and former General Counsel for the ODNI.

Cyber Threats and Government Power

The conversation kicked off with a discussion of cyber security threats—those posed by nation states, as well as independent and rogue hackers—and the U.S. government’s response to these threats. Although it may seem as if the federal government is losing the cyber war, that’s far from the case, and we have plenty of options at our disposal, noted Glenn Gerstell—who also emphasized that that technology—or a lack of it—is not standing in the way of the problem, it’s a lack of political and social will to tackle it. Conversely, we do have options.

“What will make a big dent in the problem is getting information quickly about hacks and attacks currently underway, so that we can stop them in their tracks,” he said.” Right now … we cannot stop incursions. A sophisticated adversary is going to get in your computer somehow, but we can limit their effectiveness, we can stop it from spreading. One way … is to close the gap in our legal architecture, and our foreign adversaries are aware of this gap. We [don’t have] a government agency that has a general domestic cyber monitoring authority—I’m not suggesting that we should have one—but there is a gap there and our foreign adversaries take advantage of it.”

He went on to suggest that granting the FBI more authority and flexibility to pursue these cases might have some impact, and he believes that can be done while also protecting privacy and civil liberties.

Travis LeBlanc countered that he was reticent to put more power in the hands of federal agencies, and the real solution might involve more involvement from the private sector, rather than an over-reliance on a governmental response. “I will say that I am weary of providing the NSA, in particular, with such open access to US networks in the absence of judicial oversight,” he said. “I do tend to share a view that one of the limitations that the private sector has in responding to cyberattacks is the inability to use offensive tactics without beginning to run into legal impediments violating criminal law.”

LeBlanc sees a public/private partnership as a step in the right direction, citing a recent example in which Microsoft discovered a cyberattack and alerted the government. “About 85 percent of our own networks in the United States are owned or operated by the private sector,” LeBlanc continued, “Not the government.”

Gerstell agreed that much could yet be accomplished—including public/private partnerships—but he does believe that empowering federal agencies such as the FBI to do their jobs more effectively is undeniably an important piece of the cybersecurity puzzle. “It will make a big dent in criminal ransomware activity … and it will make a big dent in foreign intelligence operations as they sniff around our networks,” he said. “We need to throw everything we’ve got at it and one of the things that we need to fill is this gap in our legal architecture that predates the cyber world.”

The Fourth Amendment: A Possible Complication?

Robert Litt next addressed questions around the Fourth Amendment, which offers protection against unreasonable searches and seizures by the federal government. In particular, whether automated searching of data constitutes a violation of Fourth Amendment rights. “One of the [techniques the NSA uses involves] sitting on foreign networks and watching the communications that foreign actors are having and learning what their plan is, but the other is to be sitting on the U.S. network,” said Litt. “Sitting on networks all over the United States, looking at all the traffic in and out … does that violate the Fourth Amendment? The arguments aren’t settled.”

Litt notes that if the searches are automated, and no humans see it, then there’s no invasion of privacy that invokes the Fourth Amendment. However, he does acknowledge other arguments that state anytime the government scans the content of a communication, that constitutes a search.

LeBlanc also noted that artificial intelligence and emerging technology significantly change the rules of the game. “In a world when the vast majority of surveillance is done by machines, rather than humans, I think that presents fundamentally different threats to privacy and civil liberties,” he said, “and also raises fundamental questions on the collection side and not merely the querying side with respect to the use of artificial intelligence, for example, and when that would trigger the Fourth Amendment.”

“Given the volume of information that exists in the world, the intelligence community is going to need artificial intelligence and machine learning to do its job properly, whether that be the issue of classification or declassification, whether it be in the job of sifting through social media fields,” said Litt. “There’s no question that this is something the intelligence community is going to have to deal with. But you’re absolutely right that we need to be really thinking through the legal implications between using artificial intelligence to obtain information and using artificial intelligence to support actions.”

Data Sovereignty

The conversation then shifted to the question of data sovereignty, a belief among some nations that the country’s data (and that of its citizens) should be stored on servers inside their national borders. This, of course, has implications around democracy (some governments would elect to strictly control citizens’ information and access to it), security, and the availability of information on the Internet. “We’re seeing a shift from forces propelling globalization to favoring fragmentation,” said Gerstell. “Authoritarian governments insist on greater control and surveillance ability that ranges from national firewalls … to localized data control, insisting that data that relates to citizens in a particular country has to be maintained, analyzed, processed, and stored in that particular country.”

Gerstell went on to note that the tide seemed to be turning against the unfettered flow of information across borders. “We’re seeing a general push throughout the European Union on more aggressive regulation of social media and the digital world well beyond the GDPR, and how this will affect the worldwide Internet and global applications and large platforms is yet to be seen,” he said. “I think one of the defining issues for the next several years will be this balancing of globalization forces that look for efficiency and functionality and innovation and fewer restrictions on technology, versus national efforts to regulate for both benign and nefarious reasons.”

“A balkanized Internet is likely a bad Internet,” said LeBlanc. “It preserves authoritarian tendencies and decreases transparency, accountability, and freedom of expression, it breeds inequality and—from an economic and business perspective—it increases the burden of regulations and non-standard protocols.”

LeBlanc went on to state that localized data control, in particular, was a problem, as it puts U.S. companies at a disadvantage, making it difficult—if not impossible—to access information in countries that control their data more strictly. “Our data is free and available to everyone in the world to do whatever they would like to do with it, and there comes a point at which we have to [question this] as a matter of competition and as a matter of national security,” he said.

Privacy Protections for the Press

The moderator then pivoted to ask about privacy protections for reporters—specifically in cases in which data is obtained from companies such as Yahoo, Google, or Verizon to obtain information about reporters’ confidential sources in leak investigations.

“I start from the premise that there is a national security cost to allowing leaks … [however] this may be one of those areas where the benefits for a lot for law enforcement and national security do not stack up to the political consequences,” said Litt. “The fact of the matter is that there haven’t really been that many leak investigations that had been solved by getting data from or about the reporters.”

The Question of Purchasing Data

The panelists were asked about the notion of agencies such as the NSA purchasing metadata from companies abroad, and the legal implications of doing so.

“Senator Ron Wyden has introduced the Fourth Amendment is Not For Sale Act, and it would limit the ability of the intelligence community to make these sorts of commercial acquisitions of data,” said LeBlanc. “It’s been heralded by privacy advocates as a good path forward. It’s obvious that we are in a world now where there’s a lot of data on each of us that is available on the open market for anyone to purchase—and the question then becomes, does the Constitution or law limit the U.S. Government—and particularly the intelligence community here—from also purchasing and using that data in the absence of judicial oversight?”

The Ongoing Discussions with the European Commission

Finally, Robert Litt also briefly addressed the negotiations between the U.S. and the European Commission over data privacy and its potential effects on global commerce. “This this presents a huge conundrum for companies because violations of the European General Data Protection Regulation can carry fines of up to 4 percent of a company’s growth turnover worldwide,” he said. “You’re really taking a risk if you continue to use existing mechanisms that haven’t been approved by the European Court of Justice. On the other hand, globalization of data is really essential to commerce now. There just has to be some sort of solution … on a government-to-government level, not one that requires individual companies to resolve the question on their own.”