SwireBlog

Markle Foundation & Electronic Health Records

2006-04-16T11:38:00.000-05:00

For the past two years I have been working with the Markle Foundation's Connecting for Health project. In April, Connecting for Health issued a practical guide for next steps for creating electronic health records, consistent with privacy and security.

The full report is here. I was the lead drafter of the report on how to audit, to assure good privacy and security in the use of health records.

House Judiciary Testimony

2006-04-16T11:34:00.000-05:00

On April 4 I testified before the House Judiciary Committee in a hearing on “Personal Information Acquired by the Government From Information Resellers: Is There Need for Improvement”

My testimony is here. Coverage in the Washington Post is here.

Writing the Call for Action Against Phishing

2006-04-02T16:47:00.000-05:00

I was the “reporter” – chief author – for “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” The report drew on participation from consumers groups, leading tech companies, and other stakeholders. The report was released in March, with these principal recommendations:

1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.

Here is my column summarizing the report.

Here is the full report.

Security and Obscurity, for Open Source, Military, and More

2006-04-02T16:37:00.000-05:00

One of my principal research projects for the past several years has been to answer the question: “When does disclosure help, or hurt, security?” Open source experts say “there is no security through obscurity.” Military experts say “loose lips sink ships.” My research provides the first theoretical model for answering the question of when disclosure is likely to help security.

The Houston Law Review has recently published “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Systems.” It can be downloaded from the bottom of this page.

The new article adds to the first A Model for When Disclosure Helps Security: What is Different About Computer and Network Security, which was published as a chapter in a book on cybersecurity by Cambridge University Press and in a law review.

Another part of this research project has been about the proper level of disclosure in foreign intelligence surveillance law. Wiretaps should be secret, but what should the public know about wiretap law and practice?

Also, coming soon will be an article on “Privacy and Information Sharing in the War Against Terrorism.” A PowerPoint version is available here.

Legal FAQs on NSA Wiretaps

2006-03-21T14:56:00.000-05:00

In response to the controversy about NSA wiretaps, I drafted "Legal FAQs on NSA wiretaps." It was published on January 30, 2006 by the Center for American Progress, where I am a visiting Senior Fellow.

At this time I don't know if I will update the document. It gives a plain-language discussion, however, of the legal issues involved.

My work here is based on my scholarship on the history of foreign intelligence surveillance law, as well as my extensive work on surveillance law while in government from 1999 to early 2001.

Immutable Audit Logs -- Markle Foundation Paper

2006-03-21T14:50:00.000-05:00

Jeff Jonas and I were the primary drafters for "Creating a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Accountability, and Transparency."

This paper was released by the Markle Foundation Task Force on National Security in the Information Age.

The paper shows how "immutable audits," where even systems administrators cannot change the logs, can be useful for national security and other systems where there is a high need for public trust but where the details of the system are classified.

Op-ed about Cookies on Federal Web Sites

2006-03-21T14:39:00.000-05:00

This column ran in Federal Computer Week on January 23, 2006: "Making privacy a priority: Citizens should be able to browse federal sites without creating a permanent record."

I participated in the 1999 and 2000 policies to assure privacy on Federal websites. The new column explains why it is important for the government to continue to follow those standards. The column describes recent evidence of non-compliance in federal agencies.

Why the Hamdi Case Does Nothing to Make the NSA Wiretaps Legal

2005-12-22T23:00:00.000-05:00

The Bush Administration is trying to say that it was authorized by Congress to do the NSA wiretaps. It is relying on Justice O’Connor’s opinion in the Hamdi case to support its position. But that opinion does nothing of the sort.

A previous post explained why the NSA wiretaps are illegal. In summary, federal criminal law says that wiretaps by government officials are criminal, “except as authorized by statute.” Next, another part of the law says that Title III (for law enforcement) and FISA (for intelligence) shall be “the exclusive means” for wiretapping U.S. communications. In short, you need a statute, and there are only two statutes.

That is why the NSA wiretaps, without a court order, are illegal. It is simple. In the words of Bob Barr, formerly Republican chair of the House Judiciary subcommittee that oversees wiretap law: “This is just such an egregious violation of the electronic surveillance laws.”

In a letter reported in the media tonight (which is not yet online), the Justice Department argues, mistakenly, that there are actually three statutes. They rely on the Authorization for Use of Military Force (AUMF), passed in the days after the 9/11 attack, to claim that the NSA wiretaps are “authorized by statute.” In press accounts, they have said that Justice O’Connor’s opinion in the Hamdi case, joined by three other justices, is crucial support for that position.

This post explains why the Hamdi case offers no such support.

As Justice O’Connor writes: “The AUMF authorizes the President to use all necessary and appropriate force against nations, organizations, or persons associated with the September 11, 2001, terrorist attacks.” The question was whether Hamdi, a U.S. citizen, could be detained under the AUMF.

The facts are key. Hamdi, after all, was seized on the battlefield in Afghanistan by the Northern Alliance. The government alleged that Hamdi “affiliated with a Taliban military unit and received weapons training.” He was held as an enemy combatant. Quick quiz – do you think that the authorization of force allows such a capture?

Justice O’Connor emphasized that she was answering only “the narrow question before us: whether the detention of citizens falling within that definition is authorized.” The definition of who is covered by the Hamdi opinion: someone who is “part of or supporting forces hostile to the United States or coalition partners in Afghanistan and who engaged in an armed conflict against the United States there.” No mention of wiretaps carried out on U.S. citizens in the U.S.

O’Connor explains why detention of Hamdi fits into anyone’s view of the authorization of force:

“There can be no doubt that individuals who fought against the United States in Afghanistan as part of the Taliban, an organization known to have supported the al Qaeda terrorist network responsible for those attacks, are individuals Congress sought to target in passing the AUMF. We conclude that detention of individuals falling into the limited category we are considering, for the duration of the particular conflict in which they were captured, is so fundamental and accepted an incident to war as to be an exercise of the “necessary and appropriate force” Congress has authorized the President to use.”

OK, that’s O’Connor’s opinion in Hamdi. Does it support the idea that Congress intended the Authorization of Military Force to apply to wiretaps of U.S. citizens in the United States? No, for at least four reasons.

Congressional intent. It is clear that Congress intended persons captured on the battlefield to be detained.

History of authorizations of force. O’Connor says detaining combatants is “fundamental and accepted.”

Would Congress have agreed at the time? Of course Congress would have allowed detention of someone fighting in Afghanistan against the U.S.

Foreign battlefield. The discretion of the President is at its maximum overseas (long legal tradition symbolized by the Curtis-Wright case) and in the theater of war (President as Commander-in-Chief).

All four of these factors are entirely different for wiretaps of U.S. persons in the U.S.

Congressional intent. Members of Congress have been startled and skeptical, to say the least, at the idea that they authorized these wiretaps. They never dreamed they were doing so.

History of authorizations of force. Capturing prisoners on the battlefield is a fundamental and traditional part of Congress authorizing the use of force. Widespread wiretapping of your own citizens is not.

Would Congress have agreed at the time? No. The Administration has admitted they would not have gotten Congressional approval.

Foreign battlefield. In contrast to the foreign battlefield, the power of the President to do searches (wiretaps) of U.S. persons within the U.S. is constrained by the 4th Amendment and numerous laws. Where Congress has spoken clearly about “the exclusive means” of wiretapping, the President cannot overrule the law.

In sum, Justice O’Connor’s opinion in Hamdi says it is limited to detention of persons seized on the battlefield. It offers no support for the NSA wiretaps.

Why the NSA Wiretapping Is Illegal

2005-12-19T08:04:00.000-05:00

This post tries to lay out, in straightforward terms, the reason why the NSA surveillance program violates U.S. criminal law. (It is possible that classified details of the program would change the analysis, but I don’t see how.) The discussion here draws on my law review article “The System of Foreign Intelligence Surveillance Law,” www.ssrn.com/abstracts=586616, which provides the history of this area of law.

It takes two statutes to see the point.

The first statute is 50 U.S.C. Sec. 1809: “A person is guilty of an offense if he intentionally –

(1) engages in electronic surveillance under color of law except as authorized by statute; or

(2) discloses or uses information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized by statute.”

Two things to note here. “Under color of law” refers to government employees who are doing their job, such as NSA employees doing wiretaps under a Presidential order. Second, it is permitted to wiretap if and only if “authorized by statute.”

So what statutory authorization is there? Congress made clear back in 1978 that there are two, and only two, statutes that authorize wiretaps within the United States. One is “Title III,” which gives the rules for wiretaps for law enforcement. The other is the Foreign Intelligence Surveillance Act, which gives the rules for wiretaps for foreign intelligence purposes.

Since 1978, 18 U.S.C. Sec. 2511(2)(f) has said that Title III and FISA “shall be the exclusive means by which electronic surveillance ... and the interception of domestic wire and oral communications may be conducted.”

So that is why the NSA wiretaps appear illegal. Government officials can only wiretap “as authorized by statute” and the only statutes that count are Title III and FISA. The NSA wiretaps did not use the judicial procedures of either Title III or FISA.

What might be the defense in the legal memoranda by the Bush Justice Department? Hints in the press suggest two, both weak.

First, there is the suggestion that the authorization of force after 9/11 permitted the President to order domestic wiretaps. As a matter of reading statutes, this is a weak argument. On the one hand, we have a very specific statement by Congress in Sec. 2511(2)(f) that Title III and FISA are “the exclusive means.” On the other hand, the Administration seems to say that the general Congressional resolution amended that statute, without anyone realizing it. That approach is contrary to the usual reading of statutes, where there is no “repeal by implication” – you have to say you are repealing a specific statute for the repeal to be effective.

Second, the President seems to have invoked his general commander-in-chief power. In essence, the claim is that the President can repeal Sec. 2511(2)(f) simply by saying so in an Executive Order. That sort of claim of inherent presidential power was at the core of the debate about the so-called “torture memo.” Once the Congress and the press saw the memo, it was retracted and rewritten.

Draft Patriot Act compromise

2005-11-17T08:19:00.000-05:00

Initial reactions to the tentative deal on the Patriot Act have been predictably mixed. Orin Kerr, a former prosecutor and expert on electronic surveillance law, has called it a “win-win bill”, while correctly stating it is more a win for the Administration. http://volokh.com/posts/1132196140.shtm. The ACLU says: “Lawmakers have let the administration take us from bad to worse.”
http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=19407&c=206.

Not surprisingly, given my past views, I’m in between these two positions. But I’m closer to the ACLU at this point, especially if two changes don’t happen before the deal is final.

Change 1: Shorten the sunset from 7 years to 4 years. This should be a no-brainer. The Senate bill had a sunset of 4 years. The House bill, true, had a sunset of 10 years, but the House voted just last week overwhelmingly in favor of a 4 year sunset. Let democracy work for once – the two chambers both have voted for 4 years, and 4 years it should be.

This change is far more important than the three provisions that will technically sunset in 2012 under the proposed deal. We have seen this year that the process of having a sunset was the single most important element in Patriot Act reform. Without the sunset, the Department of Justice could have continued indefinitely to stonewall about its actions and refuse to make any changes to the law. With the sunset, we had over a dozen hearings this year on the Patriot Act that finally let us learn key facts about its operation. In addition, we have six or eight modest improvements in the law that otherwise simply would not have existed. The sunset remains the only cure for DOJ saying “the Patriot Act is perfect and change it only to give us expanded powers.”

Change 2: Use the Senate language that links searches to actual suspects. One of the biggest legal changes in the 2001 Patriot Act has turned out to be the application of secret searches to the records of people who are not even suspected of criminal or terrorist activity. Previously, the government had to show that the records sought were those of “an agent of a foreign power.”

Section 215 of the Patriot Act authorized a judge-approved order for any records if the database involved contained records that were “relevant to an ongoing investigation.” Section 909 of the Patriot expanded National Security Letters (issued by an FBI agent without any judicial role) under that same relevance standard. A recent report by the Washington Post has told us that this NSL authority has exploded in use, from a couple of hundred a year to 30,000 a year now. (NSLs apply essentially to phone, email, and financial records.)

The Senate bill made noticeable improvements in this law. At least for U.S. persons, it now requires a statement of facts showing reasonable grounds for the order, and not merely an assertion that the order is needed. Next, those facts would show the link to a suspect – either the suspected agent of a foreign power or “an individual in contact with, or known to, a suspected agent of a foreign power.”

I personally think the case is overwhelming that these secret search powers should only be for the suspects and persons linked to the suspects. I would apply the Senate’s requirements to Section 215 and to NSLs. There may still be time to do so.

The proposed bill has a few things to praise and numerous others to criticize. These two changes, though, have great support already from Members of Congress. They can and should be made before the deal becomes final.

testing

2005-08-15T19:07:00.000-05:00

testing

hello world

2005-08-02T23:54:00.000-05:00

hello world