As a federal prosecutor in the 1980s, I used to think nothing of scooping up the phone numbers that a suspect called. I viewed that surveillance as no big deal because the Supreme Court had ruled in Smith v. Maryland (1979) that we have no reasonable expectation of privacy in the phone numbers we dial, as opposed to the content of the calls. And in any event, I had limited time or practical ability to follow up on those numbers.
Today, by contrast, when I look at the government’s large-scale electronic surveillance of private communications, I see an urgent need to rethink the rationale—and legal limits—for such intrusion. The government now has the technology to collect, store, and analyze information about our communications cheaply and quickly. It can assemble a picture of everyone we call or email—essentially our entire personal and professional lives—with a few computer commands. In addition, given the pervasive presence of geo-locators on our smart phones, the government is able to electronically monitor and reconstruct virtually every place we visit—a capacity that will only increase with the growing practice of photographing our license plates and the rapid improvement of facial-recognition software in combination with proliferating video cameras.
The government claims this enhanced capacity to monitor our metadata has helped to foil terrorist plots. But officials have been hard-pressed to identify cases in which broad, unfocused electronic surveillance has made a decisive difference. Meanwhile, US law has not kept up with the dramatic new intrusions on our privacy made possible by current technology.
There has long been a two-tiered approach to electronic surveillance of American citizens and others lawfully on US soil. The contents of our communications, whether by phone or email, receive heightened legal protection. The government can generally monitor them only after showing a judge that there is probable cause to believe criminal activity is being discussed, and that alternative avenues of investigation are insufficient. However, our “metadata”—including the phone numbers and email addresses with which we communicate, the timing, frequency, and pattern of those communications, and the electronic signals about our locations emitted by our smart phones—are given little protection. The government can access this information with a simple declaration to a judge that it is relevant to a criminal investigation.
The rationale for the distinction between the contents of a communication and its participants originated in the view that we expect our phone conversations to be private but not the numbers we call, because we share those numbers with the phone company to direct our call. A similar logic distinguishes between the content and recipients of our emails.
(For foreigners outside the United States, the US government makes no such distinction: because US law benightedly protects the privacy rights of only US citizens and others lawfully in the United States, the government takes the position that even the content of phone calls and emails among most foreigners can be readily monitored. American Internet companies, which aspire to serve the world, must worry about the commercial consequences of that official disregard for others’ privacy as it becomes widely known.)
Back when I was a prosecutor, the human capacities of investigators meant that even upon accessing metadata, there was still considerable practical protection for privacy. It took little effort to obtain a judge’s order for a “pen register”—a device that recorded the numbers a suspect called—and even less to subpoena records of these numbers from a phone company. But analyzing that information was a time-consuming, manual affair. Similar practical limits governed physical surveillance. Because physical movement around town is public, the courts assumed there was no privacy interest in one’s whereabouts, so investigators were free to monitor a suspect’s movements without a court order. But clandestine monitoring was so costly—typically requiring teams of agents working long hours—that the government’s capacity to do much of it had practical limits.
Today, those limits have largely disappeared. The government still typically needs to make a more rigorous showing to a judge to target the contents of our conversations, but it can now obtain information on virtually every other aspect of our lives for the asking. The lack of a legally recognized privacy interest in our metadata lies behind the recently disclosed court order allowing the National Security Agency to vacuum up that data wholesale.
The government’s new and intrusive capacities should prompt a rethinking of the law. The rationale that we have no privacy interest in our metadata because we share it with phone or Internet companies to route our communications was always a fiction. After all, this routing information is in the same stream of electrical data that includes the contents of our communications. Both are shared with phone and Internet companies by necessity, but for a purpose: to enable our communications in the modern era, not to share them with anyone but their intended recipients. These companies should not be understood as random third parties to whom in choosing to expose our electronic activity we can be said to forego legitimate expectations of privacy. Instead, they should be viewed as custodians of today’s dominant forms of communication with a duty to protect their confidentiality. Only if the government has been able to demonstrate extraordinary circumstances—generally, by obtaining a targeted court order reflecting probable cause to believe that the communications in question contain evidence of criminal activity to which access is needed—should this confidentiality be broken.
Even our movement about town deserves some privacy protection, as a majority of the Supreme Court recognized last year in restricting the police’s ability to attach a GPS monitoring device to a vehicle. In that case, Justice Sonia Sotomayor questioned whether sharing metadata with communications companies should be understood anymore to suggest the lack of a reasonable expectation of privacy.
The law recognizes other forms of privileged communication; our conversations with lawyers and doctors, for example, are protected because we understand that our legal and medical systems cannot work unless communications shared within them retain presumptive confidentiality. We should reach the same conclusion about our phone and Internet systems. The enormous efficiencies of phone and Internet communication provide great benefits to society. We should not discourage their use with privacy protections that are so lax that they force users to effectively share large swaths of their lives with the government.
Limiting governmental access to our metadata would not mean that it was entirely private. Telephone and Internet companies still would have this information, and some even make a practice of profiting from it commercially. But given the range of such companies, we at least have some choice to do business with those that give greater respect to our privacy. However, governmental snooping on our metadata is done without our consent, and there seems to be no way to escape the government’s acquisition of our metadata short of abstaining from electronic communication altogether—hardly a practical alternative in the modern world.
Recognizing a privacy interest in our metadata would not undermine efforts to fight terrorism. In recent weeks, spokesmen for the NSA have claimed that the surveillance operations revealed by Edward Snowden have disrupted dozens of terrorist plots. Upon scrutiny, however, these plots appear in fact to have been uncovered not because of the mass collection of our metadata but through more traditional surveillance of particular phone numbers or email addresses—the kinds of targeted inquiries that easily would have justified a judicial order allowing review of records kept by communications companies or even monitoring the content of those communications.
Consider the NSA’s two most publicized cases, a plot to bomb the New York Stock Exchange and an effort to send money to the Somali Islamist group al-Shabaab. The NYSE case was said to have unraveled beginning with a foreign email captured from the monitoring of a foreign website; the al-Shabaab case was apparently discovered when someone in San Diego called a known terrorist number in East Africa. Neither seems to have depended on the mass vacuuming up of our metadata. In view of the weakness of these “best” cases, twenty-six senators have written to the National Intelligence Director asking him to “provide examples of [the NSA program’s] effectiveness in providing unique intelligence, if such examples exist.”
With the demonstrable advantages of mass surveillance so low, the law should recognize its costs and give meaning to our legitimate expectations of privacy in a wired world. It is time to treat this metadata no differently from the content of our communications.