[Infowarrior] - Schneier: It's Time to Drop the 'Expectation of Privacy' Test
Richard Forno
rforno at infowarrior.org
Tue Mar 31 12:54:48 UTC 2009
It's Time to Drop the 'Expectation of Privacy' Test
Commentary by Bruce Schneier, 03.26.09
http://www.wired.com/politics/security/commentary/securitymatters/2009/03/securitymatters_0326
In the United States, the concept of "expectation of privacy" matters
because it's the constitutional test, based on the Fourth Amendment,
that governs when and how the government can invade your privacy.
Based on the 1967 Katz v. United States Supreme Court decision, this
test actually has two parts. First, the government's action can't
contravene an individual's subjective expectation of privacy; and
second, that expectation of privacy must be one that society in
general recognizes as reasonable. That second part isn't based on
anything like polling data; it is more of a normative idea of what
level of privacy people should be allowed to expect, given the
competing importance of personal privacy on one hand and the
government's interest in public safety on the other.
The problem is, in today's information society, that definition test
will rapidly leave us with no privacy at all.
In Katz, the Court ruled that the police could not eavesdrop on a
phone call without a warrant: Katz expected his phone conversations to
be private and this expectation resulted from a reasonable balance
between personal privacy and societal security. Given NSA's
large-scale warrantless eavesdropping, and the previous administration's
continual insistence that it was necessary to keep America safe from
terrorism, is it still reasonable to expect that our phone
conversations are private?
Between the NSA's massive internet eavesdropping program and Gmail's
content-dependent advertising, does anyone actually expect their
e-mail to be private? Between calls for ISPs to retain user data and
companies serving content-dependent web ads, does anyone expect their
web browsing to be private? Between the various computer-infecting
malware, and world governments increasingly demanding to see laptop
data at borders, hard drives are barely private. I certainly don't
believe that my SMSes, any of my telephone data, or anything I say on
LiveJournal or Facebook -- regardless of the privacy settings -- is
private.
Aerial surveillance, data mining, automatic face recognition,
terahertz radar that can "see" through walls, wholesale surveillance,
brain scans, RFID, "life recorders" that save everything: Even if
society still has some small expectation of digital privacy, that will
change as these and other technologies become ubiquitous. In short,
the problem with a normative expectation of privacy is that it changes
with perceived threats, technology and large-scale abuses.
Clearly, something has to change if we are to be left with any privacy
at all. Three legal scholars have written law review articles that
wrestle with the problems of applying the Fourth Amendment to
cyberspace and to our computer-mediated world in general.
George Washington University's Daniel Solove, who blogs at Concurring
Opinions, has tried to capture the byzantine complexities of modern
privacy. He points out, for example, that the following privacy
violations -- all real -- are very different: A company markets a list
of 5 million elderly incontinent women; reporters deceitfully gain
entry to a person's home and secretly photograph and record the
person; the government uses a thermal sensor device to detect heat
patterns in a person's home; and a newspaper reports the name of a
rape victim. Going beyond simple definitions such as the divulging of
a secret, Solove has developed a taxonomy of privacy, and the harms
that result from their violation.
His 16 categories are: surveillance, interrogation, aggregation,
identification, insecurity, secondary use, exclusion, breach of
confidentiality, disclosure, exposure, increased accessibility,
blackmail, appropriation, distortion, intrusion and decisional
interference. Solove's goal is to provide a coherent and comprehensive
understanding of what is traditionally an elusive and hard-to-explain
concept: privacy violations. (This taxonomy is also discussed in
Solove's book, Understanding Privacy.)
Orin Kerr, also a law professor at George Washington University, and a
blogger at Volokh Conspiracy, has attempted to lay out general
principles for applying the Fourth Amendment to the internet. First,
he points out that the traditional inside/outside distinction -- the
police can watch you in a public place without a warrant, but not in
your home -- doesn't work very well with regard to cyberspace.
Instead, he proposes a distinction between content and non-content
information: the contents for example. The police should be required
to get a warrant for the former, but not for the latter. Second, he
proposes that search warrants should be written for particular
individuals and not for particular internet accounts.
Meanwhile, Jed Rubenfeld of Yale Law School has tried to reinterpret
the Fourth Amendment not in terms of privacy, but in terms of
security. Pointing out that the whole "expectations" test is circular
-- what the government does affects what the government can do -- he
redefines everything in terms of security: the security that our
private affairs are private.
This security is violated when, for example, the government makes
widespread use of informants, or engages in widespread eavesdropping
-- even if no one's privacy is actually violated. This neatly bypasses
the whole individual privacy versus societal security question -- a
balancing that the individual usually loses -- by framing both sides
in terms of personal security.
I have issues with all of these articles. Solove's taxonomy is
excellent, but the sense of outrage that accompanies a privacy
violation -- "How could they know/do/say that!?" -- is an important
part of the harm resulting from a privacy violation. The non-content
information that Kerr believes should be collectible without a warrant
can be very private and personal: URLs can be very personal, and it's
possible to figure out browsed content just from the size of encrypted
SSL traffic. Also, the ease with which the government can collect all
of it -- the calling and called party of every phone call in the
country -- makes the balance very different. I believe these need to
be protected with a warrant requirement. Rubenfeld's reframing is
interesting, but the devil is in the details. Reframing privacy in
terms of security still results in a balancing of competing rights.
I'd rather take the approach of stating the -- obvious to me --
individual and societal value of privacy, and giving privacy its
rightful place as a fundamental human right. (There's additional
commentary on Rubenfeld's thesis at ArsTechnica.)
The trick here is to realize that a normative definition of the
expectation of privacy doesn't need to depend on threats or
technology, but rather on what we -- as society -- decide it should
be. Sure, today's technology makes it easier than ever to violate
privacy. But it doesn't necessarily follow that we have to violate
privacy. Today's guns make it easier than ever to shoot virtually
anyone for any reason. That doesn't mean our laws have to change.
No one knows how this will shake out legally. These three articles are
from law professors; they're not judicial opinions. But clearly
something has to change, and ideas like these may someday form the
basis of new Supreme Court decisions that bring legal notions of
privacy into the 21st century.
---
Bruce Schneier is chief security technology officer of BT. His new
book is Schneier on Security.