Saturday, January 29, 2011

Data retention push confirms DOJ hypocrisy

As I described in a lengthy blog post a couple days ago, the US law enforcement community is yet again pushing for mandatory data retention laws, which would require internet service providers to keep records detailing the IP addresses issued to their customers.

At the hearing last Tuesday, Jason Weinstein of the Department of Justice argued that the government needed this data to be able to effectively investigate serious crimes, such as terrorism and child exploitation.

In what truly is a bit of Orwellian doublespeak, Mr. Weinstein told the Congressional committee that retaining this data would actually protect privacy:
Unlike the Department of Justice – which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies – malicious cyber actors do not respect our laws or our privacy. The government has an obligation to prevent, disrupt, deter, and defeat such intrusions. The protection of privacy requires that we keep information from those who do not respect it — from criminals and others who would abuse that information and cause harm.

Investigating and stopping this type of criminal activity is a high priority for the Department, and investigations of this type require that law enforcement be able to utilize lawful process to obtain data about the activities of identity thieves and other online criminals. Privacy interests can be undercut when data is not retained for a reasonable period of time, thereby preventing law enforcement officers from obtaining the information they need to catch and prosecute those criminals. Short or non-existent data retention periods harm those efforts.
My absolute favorite bit of Mr. Weinstein's testimony is the first sentence above:
Unlike the Department of Justice – which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies
What I love is the fact that Mr. Weinstein was able to repeat this complete and total lie, under oath, without ever once cracking a sheepish smile or showing any sign of embarrassment.

From The Washington Post, January 19, 2010:
The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews... A Justice Department inspector general's report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed.... FBI general counsel Valerie Caproni said in an interview Monday that the FBI technically violated the Electronic Communications Privacy Act when agents invoked nonexistent emergencies to collect records.

The Washington Post, January 21, 2010:
FBI agents for years sought sensitive records from telephone companies through e-mails, sticky notes, sneak peeks and other "startling" methods that violated electronic privacy law and federal policy, according to a Justice Department inspector general report released Wednesday.

The study details how the FBI between 2002 and 2006 sent more than 700 demands for telephone toll information by citing often nonexistent emergencies and using sometimes misleading language. The practice of sending faulty "exigent" letters to three telecommunications providers became so commonplace that one FBI agent described it to investigators as "like having an ATM in your living room."

The New York Times, March 10, 2007:
Bipartisan outrage erupted on Friday on Capitol Hill as Robert S. Mueller III, the F.B.I. director, conceded that the bureau had improperly used the USA Patriot Act to obtain information about people and businesses...

The report found many instances when national security letters, which allow the bureau to obtain records from telephone companies, Internet service providers, banks, credit companies and other businesses without a judge’s approval, were improperly, and sometimes illegally, used.

Moreover, record keeping was so slipshod, the report found, that the actual number of national security letters exercised was often understated when the bureau reported on them to Congress, as required.

The Washington Post, October 24, 2005:
The FBI has conducted clandestine surveillance on some U.S. residents for as long as 18 months at a time without proper paperwork or oversight, according to previously classified documents to be released today.
These reports only detail violations of the law during the last few years. Such abuses are not a new phenomenon though - the Department of Justice has abused its powers to illegally spy on Americans as long as the agency has existed.

Furthermore, in spite of the numerous instances in which it was confirmed that FBI agents and DOJ officials violated the law and engaged in illegal surveillance, I can't think of a single instance where they (or the telecommunications carriers that collude in their crimes) have been arrested or prosecuted for doing so. Instead, they get a slap on the wrist, and then it is back to business as usual.

One rule for us, one rule for them

The push for data retention seems to be currently limited to IP address allocation records, but, if successful, it will almost certainly extend to non-content information associated with email, chat and instant messaging communications.

The hypocrisy of the government's push for such data retention is clear when compared to the extreme efforts that government agencies go to in order to shield their own communications, documents and other records from the American people.

Consider for a moment that this president, like Bush and Clinton before him, does not send any emails. The reason for this? Because such emails would have to be retained under the Presidential Records Act. Rather than let the American people later see a record of his official communications, he simply avoids email, and instead does everything by phone or in person.

Of course, in this day and age, most people do not have the luxury of going without email. Private citizens, corporations and government employees alike rely on email to go about their daily business. However, while the email accounts that consumers rely on increasingly keep their communications forever (due to essentially unlimited storage), companies and government agencies are increasingly embracing data deletion policies in order to limit the risk that their emails will later see the light of day, due to lawsuits or FOIA requests.

For example, starting in the spring of 2010, the Federal Trade Commission (where I worked until August of 2010) adopted a 90-day email deletion policy. Any email messages that employees did not specifically mark to be saved would be automatically deleted after 90 days. This policy creates a significant barrier for public interest groups wishing to learn about the activities of the agency.

At the FTC, all records about particular investigations are shielded from disclosure as long as the investigation is active. However, since most investigations take 6 months or more, by the time the investigation is eventually made public, many email messages will have already been deleted.

Quite simply, government email deletion policies are specifically designed to circumvent and neutralize open government laws, such as the Freedom of Information Act.

I am sure that the FTC is not the only government agency to embrace an aggressive data deletion policy, and at least right now, there is nothing that legally prohibits agencies from adopting such policies.

This would be a great issue for pro-transparency, pro-oversight House Republicans to tackle. Perhaps once the administration is forced to reveal its own official communications to the whole world, then maybe it'll be a bit more sympathetic to the efforts of privacy groups and corporations that wish to protect the privacy of regular users.

1 comment:

Anonymous said...

This has always been the biggest thing I can't stand online: all the companies thinking they have the right to spy on everything you do, and record and save it forever.

This I would bet even goes against our Constitution. The Post Office doesn't record every piece of mail we send, and save it. Other online companies should not have that right either.