Government Surveillance of Internet Activity

Peter Magic


"A state of war is not a blank check for the President when it comes to the rights of the nation's citizens."

- Sandra Day O'Connor in Hamdi v. Rumsfeld


I.               Electronic Surveillance by the Government


a.   What is the relevant law?


The Foreign Intelligence Surveillance Act ("FISA") (50 U.S.C. §§ 1801-1871) was enacted in 1978 to be "the exclusive means by which electronic surveillance of foreign intelligence communications may be conducted." 18 U.S.C. § 2511(2)(f). When a law enforcement agency seeks to perform such surveillance, FISA requires that the DOJ (on behalf of the law enforcement agency) get approval from a secret court (established by FISA) called the Foreign Intelligence Surveillance Court ("FISC"). However, FISA does permit law enforcement agencies to conduct surveillance without a court order for up to one year so long as the Attorney General certifies that there is no "substantial likelihood" that the communications under surveillance involve a U.S. person as one of the parties. Read sections 1801(a), (b), (f) and 1802 here. An overview of FISA is available at (only read the first section; stop at "Minimization Requirement")


Earlier this year three competing bills relating to electronic surveillance were introduced in the U.S. Senate. The Foreign Intelligence Surveillance Improvement and Enhancement Act of 2006 (S.3001 optional) would explicitly declare that foreign electronic surveillance is the exclusive province of FISA. On the opposite end of the spectrum is The National Security Surveillance Act of 2006 (S.2453 optional), which would amend FISA to allow the President to conduct warrantless surveillance. In between these two extremes is the Terrorist Surveillance Act of 2006 (S.2455 optional), which would give the president some additional statutory authority to conduct electronic surveillance of suspected terrorists within the United States. Do you think that there is a need to expand FISA?


The Communications Assistance for Law Enforcement Act ("CALEA") (47 U.S.C. §§ 1001-1021) was enacted in 1994 to help law enforcement conduct surveillance of digital phone networks by requiring that phone companies design their networks to include certain wiretap-friendly capabilities. Read sections 1001(2), (8), and 1002 of CALEA here.


In 2005, the FCC issued a Final Rule that the applicability of CALEA extends to all providers of broadband Internet access as well as VoIP phone service providers. The Electronic Frontier Foundation and others challenged the expansion of CALEA, but lost in the Court of Appeals for the D.C. Circuit in June of 2006.



b.   Recent Controversy: The NSA's Terrorist Surveillance Program ("TSP")


On December 16, 2005, the New York Times reported that in 2002, President Bush signed an executive order authorizing unwarranted wiretapping of phone and email communications of U.S. persons on U.S. soil so long as the communication was international (i.e. sent to or received from outside the U.S.). (The Times actually sat on the story for a year at the request of the government.) Get briefed on the issue here: EFF overview.


On December 22, 2005, the DOJ sent a memo (optional) to the Senate Select Committee on Intelligence justifying the NSA program. The DOJ relied primarily on the Authorization for the Use of Military Force ("AUMF" - enacted September 18, 2001), as interpreted in Hamdi v. Rumsfeld, 542 U.S. 507 (2004), for the proposition that the AUMF gives the President broad power to use "necessary and appropriate force" to deter terrorism. The DOJ contends that Congress implicitly overrode FISA with the AUMF to the extent that it permits warrantless wiretapping of U.S. persons within the U.S.


A group of prominent constitutional scholars and lawyers issued a response (optional) to the DOJ's memo. The response argues that the unwarranted wiretapping conflicts with the constitution and FISA in several ways. The authors explain that foreign intelligence wiretapping is exclusively governed by FISA, and that since the unauthorized wiretapping involves people within United States, the Fourth Amendment requires probable cause.


The recent Eastern District of Michigan decision in ACLU v. NSA (p.1-3, 25-43) gives a great overview of the important constitutional concerns raised by the TSP.


Professor Orin Kerr of George Washington Law School (currently a visiting professor at U of Chicago Law School), has written several articles about Fourth Amendment concerns and search and seizure in the digital world. He is also a frequent blogger at the Volokh Conspiracy website, and he recently posted his thoughts about the TSP. (Stop at the section titled "Article II") He opines that the TSP probably does not violate the Fourth Amendment. If this is true, then what is to stop Congress from modifying FISA to authorize the TSP?


There have also been several lawsuits filed against AT&T for its role in providing the government with information pursuant to NSA's program. Mark Klein, a former AT&T technician and key witness in these cases, revealed that AT&T allowed the government to install secret computer equipment at AT&T's internet backbones to monitor "every individual message on the Internet." (Read about AT&T's involvement here: USA Today). Some, but not all, of the lawsuits have been dismissed.



c.    Where is the law heading?


Broader Executive Authority

Senate bill 2453, "The National Security Surveillance Act of 2006," introduced by Senator Arlen Specter, would essentially modify FISA to legitimize the NSA's domestic spying program. See Wired's article about the bill. Recall that Orin Kerr opined that allowing such surveillance would not violate the Fourth Amendment.


Stored Communications

Remember Ashcroft v. ACLU, 542 U.S. 656 (2004), where the Supreme Court remanded the case (regarding the constitutionality of COPA) because it said the evidentiary record was so old - over six years old - that it did not reflect the realities of modern filtering software? Well, last year, for the stated purpose of showing the pervasiveness and elusiveness of porn websites, the government requested access to the search engine queries of several of the largest search engine providers, including AOL, MSN, Yahoo, and Google. Google was the only company to refuse to comply with the request, and won a "halfway" victory in court in March. The victory was "halfway" because the Court granted the government's request for a large sample (50,000) of URLs contained in a random sampling of Google search results, but denied the government's request for actual search queries entered by Google users.


Attorney General Alberto Gonzales has recently called for new legislation that would require ISPs to store their customers' electronic communications for at least two years so that law enforcement could access them, if necessary. Read about it here. Can you think of any reason why such legislation would violate the Constitution or other laws?




II.         Protecting the Content of Internet Communications


a.   Cryptography


If the government can legally monitor the email of people within the United States, does the Internet then become an attractive and reliable way to monitor for terrorist or other criminal activity? Maybe not, because the parties to any email communication can encrypt their messages.


Cryptography is the science of transforming (encrypting) plain text into cyphertext, which is an unintelligible mess of text that can only be decrypted back into plain text by someone who knows the key. The key is usually a number that that is fed into a mathematical formula that is used to encrypt the plain text. Modern cryptography permits Internet users to send encrypted messages that are practically impossible for the government to decipher. This is due to the fact that the key is usually a very large prime number, the deduction of which is beyond the capability of any modern computer. (Optional math-intensive explanation here.) Since the government will only have the encrypted message when it conducts surveillance of emails being sent through ISPs, it will not be able to figure out the key. Not surprisingly then, the government has argued that cryptography hinders its ability to conduct investigations into criminal matters and terrorism. The FBI has argued that CALEA requires ISPs to accommodate federal wiretaps and therefore, requires ISPs to maintain some kind of encryption key recovery or repository system.


Does the fact that the government can monitor our email traffic violate our Fourth Amendment right to a reasonable expectation of privacy? Professor Orin Kerr has written an article refuting the idea that encryption creates a reasonable expectation of privacy. Consequently, he argues, decryption by the government of Internet users' communications cannot violate the Fourth Amendment. However, would you consider this argument to be irrelevant, given that nearly all modern encryption is virtually impossible to decrypt if you don't know the key? Also, note that Kerr's analysis does not address whether the monitoring of unencrypted emails violates the privacy protections of the Fourth Amendment.


CALEA explicitly exempts telecommunications carriers from responsibility for "decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possess the information necessary to decrypt the communication." 47 USC § 1002(b)(3). In light of this CALEA provision, are concerns about the government's ability to monitor emails well-founded? Even it is accepted that CALEA applies to broadband internet service, does this provision render CALEA ineffective with respect to Internet communications? What if the ISP provided the email service (just as Verizon does, for example), and a user of the service encrypted their email?



III.    Further Questions


The Internet makes it easier for the government to gather and analyze large amounts of personal information. What constitutional issues are implicated by legislation requiring ISPs to store all communications for a certain period of time?


It's easy to argue that government surveillance chills free speech, but to what extent should that concern trump the Executive branch's power to conduct surveillance to prevent terrorism? Note that FISA states that "no United States person may be considered . . . an agent of a foreign power [and hence, subject to FISC-approved surveillance] solely upon the basis of activities protected by the First Amendment to the Constitution of the United States." 50 U.S.C. §1805(a)(3)(A).


Return to the syllabus