Government Bulk Surveillance from 1978-2020: an Ongoing Violation of Citizens Rights

A Thesis Submitted in Partial Fulfillment of the Requirements of the Renée Crown University Honors Program at

Syracuse University

Whitney Wertheimer

Candidate for Bachelor of Arts, Policy Studies, Minor, Information Management and Technology

and Renée Crown University Honors Spring 2020

Honors Thesis in Information Management and Technology

Thesis Advisor: _______________________ Dr. Steve Sawyer

Thesis Reader: _______________________ Dr. Jennifer Stromer-Galley

Honors Director: _______________________ Dr. Danielle Smith, Director

ii

Abstract

By tracing landmark laws such as the Foreign Intelligence Surveillance Act and the USA Patriot Act through the 1970s to 2020, the public scrutiny of privacy policies looks like a bell curve: people started to slowly understand how much surveillance they were under through media reports, peaking at Edward Snowden’s whistleblowing in 2013, then when publicity died down, concerns fell back to the wayside as Congress and the courts continued to debate whether or not the programs the laws seemed to support were constitutional.

In reading John Cheney-Lippold’s We Are Data, the concept of jus algoritmi or algorithmic citizenship stands out. By definition, jus algoritmi is a type of formalized citizenship that is used by government organizations to determine who they can and cannot surveil. By looking into how the privacy and surveillance laws in place led to the whistleblowing of Edward Snowden in 2013, Cheney-Lippold developed his concept. Starting with the Foreign Intelligence Surveillance Act of 1978 and following the trails of court precedents, and major surveillance policies such as the USA PATRIOT Act of 2001, the reader can understand how data has been unconstitutionally accessed in the past. Following exposure of certain programs, it discusses Congressional steps that have been taken since the public became concerned about the relationship between the government and communication and internet companies. Using Cheney-Lippold’s book and news sources to follow the path surveillance laws have taken reveals that these programs are not completely a thing of the past and were still being debated up until March of 2020, despite lack of public concern once the timeline of Snowden’s whistleblowing ran its course. Conversations in Congress only recently took a pause due to COVID-19.

Surveillance has been and still could be taking place in some capacities, the major concern moving forward should be considering how users take ownership of their data and the way that the government can be more transparent. Laws recently up for debate have the power to shut down programs that collect bulk data completely, but also some also push back on private sector efforts, such as encryption, that could prevent users’ data from being as vulnerable as it has been in the past.

iii

Executive Summary

Citizenship status creates a relationship between the individual and their government. Presumably

with a passport or license, it is easy to determine who is a United States citizen and who is not. For

citizens, that relationship comes with rights guaranteed by the U.S Constitution and its Bill of Rights and

other Amendments. One of those rights protects against illegal searches and seizures of belongings and

personal effects. Yet, as information and communication technologies advance, they raise questions about

how to define search, which went to the Supreme Court in early cases such as Smith v. Maryland (1979),

a case that questioned whether or not the use of a device that records the numbers a phone dials is a

constitutional search. In Smith v. Maryland, two precendents were set. The first is that not all data are

given the same privacy – this case brings into question metadata, which is data about data. It determined

that since the only thing recorded was the number dialed, not actually content, it did not violate the Fourth

Amendment. The second precedent is what is now called third party doctrine. Third party doctrine

dictates that when an individual willingly works with a third party service, their data becomes part of that

company’s business practice and is no longer deserving of individual privacy. So in the case of Smith,

using a phone company to make the call forfeited his reasonable expectation to privacy over the number

he dialed.

Since the late 1970s, Congress has been addressing such questions regarding surveillance.

Prompted initially by concerns of government overstep in the wake of the Watergate scandal, the Foreign

Intelligence Surveillance Act of 1978 was passed to ensure that there was some oversight of surveillance

activities while still allowing them to have a level of secrecy so as to not impede whatever investigation

was going on (Lovells, 2008). This act created the Foreign Intelligence Surveillance Court (FISC) that

would continue to be a major player through debates on surveillance and data privacy.

Decades later, the tragedy of 9/11 again challenged the conceptualization of privacy. As a

response to the overwhelming concern of terrorism, Congress hastily passed the USA Patriot Act a month

after the attacks. This act gave the government broad surveillance powers in the name of national security,

three of which were given a countdown of five years, with the hope that five years later would enable

iv

more sound discussion of the implications. By the time the five year expiration date came up, news

outlets were beginning to report of surveillance programs that included the data of United States citizens,

collected without warrants through decisions from the secret FISC. Regardless, the expiration date was

extended. The Bush Administration passed the Amendments Act of 2008 which addressed some

concerns, but did not do much to change the collection that was going on.

In 2013, things began to change. Edward Snowden, in exile, began to reveal government

programs that were vast overreaches of their constitutional power, but had been enabled by provision in

the Patriot Act and secret decisions by the FISC. From this whistleblowing, John Cheney-Lippold

developed his concept of jus algoritmi, a sort of algorithmic citizenship that government agencies were

using to allow them to continue to surveil as many people as possible. This definition of citizenship

requires that users act ‘as if’ they are citizens by at least 51% in order to be provided the protections given

to citizens (Cheney-Lippold, 2017, 160). This is determined by many indicators and as data gets

aggregated it is always subject to change. It is by using this sort of definition that the government was

able to continue to cast such a broad net, aggregating more and more data to develop the algorithm and

being able to access the data of so many individuals. In 2015, the USA Freedom Act was passed, in an

attempt to address the many concerns raised following Snowden’s whistleblowing. The highlight of the

Freedom Act is that it involved a system that kept all data in the hands of major companies, only allowing

queries under court approval.

Using news sources leading up to 2020, the impact of these programs on terrorism detection and

prevention is miniscule, proving that the government overreach that took place is not necessary and

should be halted. The most recent renewal of the Patriot Act came in March 2020. With COVID-19

taking most of the attention of Congress, the bills that were brought to the floor did not get passed,

meaning the Patriot Act has sunset. Though they are done for now, they can easily be picked up right

where they left off once the pandemic settles down. Throughout the constant conversation going on in

Congress, the public’s concern with these breaches of privacy peak only when Snowden shook the world

with his revelations.

v

The conversation moving forward needs to engage citizens and empower them to consider the

privacy they expect from private corporations and the government on a regular basis – not just when they

are forced to reckon with it.

vi

Table of Contents

Abstract……………………………………….……………….………….. ii

Executive Summary………………………….……………….………….. iii

Acknowledgements …………..…………………………………………… vii

Section 1: Introduction ……………………………………………… 1

Section 2: Citizenship ……………………………………………… 1

Section 3: Early Privacy Debates ……………………………………….. 3

Section 4: Metadata ……………………………………………… 5

Section 5: 9/11 and Privacy ……………………………………………… 5

Section 6: Edward Snowden……………………………………………… 9

Section 7: Who are you online? ………………………………………….. 11

Section 8: Contemporary Implications …………………………………. 14

Section 9: Conclusion ….………………………………………………… 17

Works Cited.……………………………………………………………… 21

vii

Acknowledgements

In chronological order, I would like to acknowledge those who made this thesis possible

and supported me throughout the many iterations.

First, thank you to my parents. Along with my Syracuse University acceptance letter, I

received a piece of paper telling me I have been given a spot in the Renee Crown University

Honors Program. Though I pondered how I would be able to accept a spot at SU without

accepting a spot in Honors, I’m happy I was too embarrassed to ask that question and took my

spot in both.

Thank you to the Honors department faculty. All my advising appointments with Naomi

Shanguhyia helped me to graduate in three and a half years, while also helping me keep my

sanity when I was given the opportunity to delay the submission of this thesis. A thank you is

also due to Dr. Karen Hall due to her commitment to the honors thesis and emails reminding me

to maintain a timeline so I would not be swamped come April 2020. Additionally, the classes I

was given the opportunity to take as an honors student have shaped a piece of my learning and

will continue to have an impact on me as I enter the real world.

One of the HNR offerings led me to my thesis advisor, Dr. Steve Sawyer of the iSchool.

Though my thesis looks nothing like the plan we initially mapped out my sophomore year, it was

with your unwavering support that I was able to explore all my interests before settling on this

one. This thesis somehow went from pages of outlines on topics too broad, to the actual

document before you. Thank you for your help.

Finally, to Dr. Jennifer Stromer-Galley who joined my support team despite my broad

ideas, and helped me to tie them to down and run with a single idea. An idea that was based

heavily on the thought provoking conversations that took place in her IST 343: Data and Society

course. Thank you for taking the time to work with me.

I cannot thank everyone enough for helping me finish my last work as an undergraduate.

Enjoy!

1

Introduction

Citizenship as a legal status is an essential element of global nation-states. Citizenship has always

denoted who has and does not have access to certain rights. In the United States, those rights are

expressed within the Bill of Rights and following Amendments, and promised to its citizens by the 14th

amendment which was ratified in 1868. Proving citizenship traditionally can be simple through physical

documentation, such as a passport or license to show your residency. However, an increasing reliance on

digital technologies and heightened concern of terrorism in the post 9/11 United States has led to a new

definition of citizenship -- one that is much more abstract and dynamic in its structure. In his book We Are

Data, John Cheney-Lippold describes a concept referred to as Jus Algoritmi, a new way to define

citizenship based on online behaviors and patterns. This definition requires individuals to act ‘as if’ they

are citizens online, and by doing so they are protected from surveillance by government organizations. By

discussing past legal precedent, it becomes easier to see how this concept of online citizenship, explained

by Cheney-Lippold in his 2017 book, was formed and used, and begs the question – how does this

definition and similar concepts fit into contemporary United States surveillance?

By tracing landmark laws such as the Foreign Intelligence Surveillance Act and the USA Patriot

Act through the 1970s to 2020, the public scrutiny of privacy policies looks like a bell curve: people

started to slowly understand how much surveillance they were under through media reports, peaking at

Edward Snowden’s whistleblowing in 2013, when publicity died down, concerns fell back to the wayside

as Congress and the courts continued to debate whether or not the programs the laws seemed to support

were constitutional.

Citizenship

Historically, legal definitions of citizenship were limited to jus soli and jus sanguinis. Jus soli

means the right of the soil, or a type of citizenship that relies on an individual being a citizen based on

being born within that nation-state’s boundaries (Cheney-Lippold, 2017, 157). While this is recognized

2

by the United States government currently, it was not an easy means in the past when boundaries were

difficult to verify, etc. Leaving the best measure for citizenship to be jus sanguinis, which means the right

of the blood. Jus sanguinis makes you a citizen based on your parent’s nationality (Cheney-Lippold,

2017, 157). This way of tracking via genealogical lines helped to maintain citizenship in small nations.

Figure 1.

Name of Citizenship Type

Jus Soli Jus Sanguinis

Description Right of the soil, citizenship based on where you were born.

Right of the blood, citizenship based on your parents’

citizenship/nationality.

These traditional definitions were challenged by the United States’s emergence, and for two

major reasons. The first was that the new inhabitants came from Great Britain, meaning none of them

were guaranteed jus soli. The second had more to do with the structure of the budding country – the

federation of states challenges whether or not individuals became citizens of their states or their country

as a whole (Hyde, 2018). A definition of citizenship was officially codified in the passing of the 14th

Amendment in 1868.

Though the United States Constitution and related documents uses the word citizen eleven times,

it had no formal definition until the 14th amendment was written into law 80 years after the original

ratification of the Constitution (Hyde, 2018). Based on the foundation set by the Civil Rights Act of 1866,

the 14th Amendment established the specific framework of citizenship that is used today. Section one of

the amendment is quoted below:

All persons born or naturalized in the United States and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws. (U.S. Const. amend. XIV).

Breaking this down, even the first sentence has at least two functions. The first is the

establishment of a true definition of citizen, formalizing jus soli and a naturalization process. The second

3

is that a citizen is defined as a member of the United States first and as a member of their home state

second. The privileges and immunities clause outlines that all the rights expressed in the Constitution and

its Amendments, specifically the Bill of Rights, are guaranteed to United States citizens, and it is illegal

to deprive citizens of any of those expressed rights.

One of these guaranteed rights, and the one explored by Cheney-Lippold in We Are Data, is the

Fourth Amendment. The Fourth Amendment protects citizens unlawful searches and seizures. When this

was written, it guaranteed privacy from the government and establishes a warrant process to undertake a

search of one’s personal belongings and effects. With an official definition of citizenship, it became easier

to determine who was protected and who was not in questions of privacy. As personal effects became less

tanglible through development and increased use of new technologies for communication and storage of

information, the application of this right to privacy becomes more complex.

Early Privacy Debates

In the early 1970s, the post-Watergate United States had to revisit concepts of citizen’s privacy

rights, given the increased possibilities of surveillance. Part of the national response was the

establishment of the Foreign Intelligence Surveillance Court (FISC) via the original Foreign Intelligence

Surveillance Act (FISA) of 19781. In addition to the creation of the FISC, the FISA provides a framework

for obtaining permission to gather information via previously unregulated means, including pen registers,

trace, and trap devices used for telephone and email surveillance (Office for Civil Rights and Civil

Liberties, 2013). The function of the court was to establish oversight over government foreign

surveillance activities while maintaining sufficient secrecy to monitor potential national security threats.

The FISA itself was passed to set up boundaries for surveillance and prevent the abuses that had

come to light through events such as the Watergate Scandal (Lovells, 2008). The court exists to hear cases

ex parte, with just government representatives, to decide whether or not to provide a warrant based on the

articles of the FISA (Office for Civil Rights and Civil Liberties, 2013). As Congress was establishing a 1 See https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286

4

protocol for surveillance in the name of national security, the Supreme Court was setting precedent for

domestic surveillance.

In 1979, the Supreme Court heard the case of Smith v Maryland, pondering how the use of a pen

register, a device that records the numbers dialed, plays into the definition of a search under the fourth

amendment. A pen register was used to confirm that the suspect was making threatening phone calls to

the victim of a robbery. The police went through the suspect’s phone company to place a pen register to

monitor only the numbers he was dialing, not the content of the calls. This was enough to see that the

suspect, Michael Lee Smith, was calling the victim, Patricia McDonough, which helped them to secure a

warrant to search his home, take him into custody, and have McDonough identify him as the one she saw

committing the robbery (Oyez, n.d.). Smith argued that the pen register was used to get information

without a warrant, which violated his fourth amendment right against illegal searches and seizures.

The decision established two precedents that have plagued privacy doctrine in the following

years. The first is that not all data are created equal, and therefore do not deserve the same protection. In

this case, the data accessed was simply the phone number dialed, not the content of the call. More

prominent in this case is the discussion of what is to become known as third party doctrine: the idea that

any individual forfeits their reasonable expectation to privacy when they use a third party service (Oyez,

n.d.). Justice Blackmun wrote the majority opinion, saying when Smith used a phone company to

complete his call, he gave the dialing information to a third party, where it became a part of their regular

business conduct (Oyez, n.d.). Because of this, the number he dialed that was picked up by a pen register

is not protected under the fourth amendment, and Smith’s argument is invalid.

This contribution to the foundation of privacy policy might have seemed reasonable at the time,

but becomes more and more risky as technology develops and the utility of phones and other devices

drastically increases.

Metadata

5

Beyond the third party doctrine, the first question of what type of data deserve to be protected can

be more complex. The data described in the case is what is known as metadata, or data about data. In the

case of Smith v Maryland (1979), the number dialed is a piece of data about the call in question. While it

may seem that this type of descriptive data is less threatening to have collected, on the contrary, there are

many benefits to the collection of metadata that are enabled by past precedents such as Smith v Maryland.

For one, metadata is structured which leaves less guesswork for analytical agents. It fits into specific

categories which provides a certain context that you would not get from the content of an actual message.

Because of this, fewer resources are used to figure out meanings and it becomes easier to analyze

compared to the content of a message where ‘green’ could be a name or a color, as one example (Haynes,

2017, 199). Seeing as metadata can have more utility than anticipated, it’s easer to understand the

concerns brought on in the post 9/11 United States.

9/11 and Privacy

Following the terrorist attacks of September 11, 2001, President Bush was able to pass into law a

novel act in the name of national security. With only one senator voting again it, the Uniting and

Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act

(USA PATRIOT Act) was passed and has been hotly debated since. The Patriot Act was an anti-terrorism

law that had many areas of focus, most noteably surveillance powers to, in theory, help curb future

attacks.

Senator Russ Feingold of Wisconsin was the only senator to vote against the USA Patriot Act in

2001. In his address to the Senate in October following the terrorist attacks, he explains his position and

concerns for the bill, pointing out the ways that government power was being drastically expanded.

Feingold recognizes that some of the new provisions are reasonable, such as the FBI’s use of warrants to

access voicemails and tap cellphones and the lengthening or elimination of statute of limitations for

terrorist crimes (Feingold, 2001). But the original bill led to concerns in either explicit or potential

government overreach – some of which were addressed prior to the vote, but other provisions remained in

6

place despite his speech. The original bill, Feingold explains, was drafted hastily in the month after the

9/11 attacks and came with pressure to pass it into law as quickly as possible. The broad power being

granted in the bill included some provisions that had been brought up by the FBI in the past that had

already been rejected by Congress, and represented huge contradictions to the Constitution. The original

bill had a provision that would allow for the use of evidence obtained illegally by U.S standards if it was

obtained by foreign law enforcement, as well as a provision that would allow for the freezing of a

suspect’s assets prior to conviction. To freeze their assets would impede the suspect’s ability to hire a

lawyer to defend them. It had also been brought to Congress before and was rejected, excluding occasions

when the suspect’s assets had been gained in an alleged criminal enterprise (Feingold, 2001).

Beyond the breaches of the Constitution, Senator Feingold expressed concern over the expansion

of the original FISA from 1978. The original FISA had lowered the threshold of cause in FBI

investigations of foreign intelligence activities, meaning they did not have to meet the same probable

cause standard that is required in criminal investigations. In the Patriot Act bill presented, the requirement

was changed one again. The bill proposed only requiring that the government shows that the intelligence

is a ‘significant purpose’ of the investigation, even if the investigation is a criminal investigation, not just

a foreign intelligence investigation (Feingold, 2001.

The provisions in the Patriot Act would limit the scope of Fourth Amendment protections and

allow for more and more investigations to go through the FISC because of that lower standard. While

Senator Feingold recognizes that there were changes from the original bill, he is still unsatisfied with

areas that he believes have the potential for abuse. One of these areas described seems to have become

part of the law, what has been known as Section 215 of the passed USA Patriot Act (Figure 2).

Figure 2.

Name Function

Section 206 Called the ‘roving wiretap’ provision, it allowed the government to tap all of an individual’s devices, such as their landline, cell phone, laptop, etc with only one

approval from the FISC (Lind, 2015).

Section 207 Called the ‘lone wolf’ provision, it allowed the government to surveil someone who might be engaging in international terrorism even if they’re not involved with

7

a known terrorist organization (Lind, 2015).

Section 215

This is the most hotly debated section up for constant renewal. It’s referred to as the ‘business records’ provision and had established the foundation for the bulk collection that has since raised concerns of government overstep. This provision

gives the government broad power to ask businesses for their records that relate to an individual who might be involved in terrorism (Lind, 2015).

National Security Letters

This was the most controversial, permanent program, that has only since been modified by the passage of new laws. With this program, the government is able to demand communication records from any telecommunications company without first getting approval from the FISC. This has been used extremely broadly in the past (Lind, 2015).

Feingold’s concern was that Section 215 gave the government power to access records of

virtually anyone by arguing they are seeking information on an individual with a connection to an

investigation on terrorism or espionage (Feingold, 2001). If an individual had been in contact with a

terrorism suspect, whether that means attending school with them, living in proximity to them, working

with them at any capacity, the government could compel a business to provide them with any records on

that individual. Seeing as the judicial oversight is ex parte, and done in secret, there is not enough

oversight to assure this provision would not be abused (Feingold, 2001). Senator Feingold’s concerns

caused little stir Congress, the edited bill being signed by President Bush the following day.

Through four of the Patriot Act’s major provisions, the government was empowered to access and

collect bulk data, with little public opposition until the whistleblowing of Edward Snowden in 2013.

Three of the four described provisions in the Act were so hotly debated that they were given a countdown

of five years, which has now been extended multiple times. Senator Ron Wyden stood firm on the

countdown, hoping that with distance from the trauma of 9/11 would come sounder and less rushed

discussion. In the end of debate in 2001, Sections 206, 207, and 215 were given the countdown, while the

National Security Letters program was not – only modified by laws passed later (Lind, 2015).

It was due to budding public concern in 2005 that some of the surveillance policies that had long

been in place started to be re-examined. The actions taken under the Patriot Act were highly secret until a

media report in 2005 began to reveal some of the bulk collection that was going on under the FISC. This

8

concern took the form of lawsuits being brought against telecommunications companies who had been

providing the government with customer information sans warrants. When the Patriot Act was nearing it

expiration date in 2006, Senator Feingold again tried to express his concern with a filibuster than led to

small tweaks in the concerning provisions (Lind, 2015). The public concern led to the FISA Amendments

Act, which would be passed by the Bush Administration in 2008 (Lovells, 2008).

Although the Bush Administration responded to growing distaste with justifications as to why the

monitoring program was legal, they announced in 2007 that the warrantless surveillance program would

be halted and all actions moving forward would be brought to the FISC. The act that followed in 2008

permitted the following three methods for electronic communication surveillance: under the order of the

FISC, when the attorney general authorizes that an emergency situation requires electronic surveillance to

gather information on foreign intelligence, and when the attorney general calls for the emergency use of a

pen register or trap and trace device to gather information on foreign intelligence (Lovells, 2008). In these

last two examples, the attorney general needs to get permission from the FISC within seven days of

calling for the emergency surveillance (Lovells, 2008). When the Amendments Act passed, it granted

immunity to companies who had participated in the government program, leading to the dismissal of over

forty lawsuits alleging participation in this warrantless surveillance program (Lovells, 2008) The

implications of this act are debatably worse than the original, changing the window for approval from

three days to seven, allowing approval for broad, year-long intercept orders from the FISC that target

groups and people, instead of the original law which required wiretap warrants for each individual target

(Lovells, 2008). Debates for the various iterations of the collection program always stressed the

importance of bulk collection because that’s the only way it can maintain any investigative legitimacy – if

it’s not aggregated there’s no way to see any sort of pattern of association overtime.

In addition to the Amendments Act of 2008, the most novel Patriot Act related legislation came

as a renewal in 2015 – the Uniting and Strengthening America by Fulfilling Rights and Ending

Eavesdropping, Dragnet-collection, and Online Monitoring Act (USA FREEDOM Act) (Lind, 2015). The

Freedom Act was passed in 2015 when the Patriot Act was up for renewal, and worked to greatly limit the

9

bulk collection program. Some of the major provisions included forcing the government to get FISC

permission prior to accessing any phone records and limiting collection to specific searches, no longer

allowing for such broad bulk collection of citizen’s data (Lind, 2015). The new system kept all of the

collected data in the hands of the phone companies, only allowing analysts to run queries with a judge’s

permission (Savage, 2020c). These queries would pull up the records of the suspect, as well as the records

for those the suspect contacted, still allowing for exponential data to be collected (Savage, 2020c). As a

strive towards improved transparency, one major provision requires that the FISC publish its major

decisions, which were previously kept secret (Lind, 2015). While the law was undergoing debate every

few years in Congress, another battle was taking place in the courts, over the precedent set in Smith v

Maryland and the bulk collection program that was coming to light.

Edward Snowden

It was through the whistleblowing of Edward Snowden in 2013 that U.S. citizens finally learned

how much of their data was being taken and used by the government, peaking their interest and concern

over their data. Snowden, a consultant from Booz Allen Hamilton working on government projects,

revealed that the National Security Administration (NSA) was operating under a ‘collect-it-all’ approach

when it came to surveillance – in essence gathering any and all data they could in order to run algorithms

and in theory, track down potential terrorists. Starting mid 2013 and going into the following year,

Snowden worked while in exile abroad to start to share the surveillance projects that had been going on,

including many that targeted United States citizens via their technology usage. This including one of the

first published articles from the Guardian that revealed that FISC sent a court order to telephone

companies, including Verizon, requiring that they give all information on all telephone calls to the NSA

(Greenwald, 2013). This was the first public outing of the plan to collect any and all data, regardless of if

the individuals were deemed suspect of anything.

The information from Verizon was exclusively metadata: who was calling and being called,

location data (nearest cell tower), call duration, for a three month period, from April 25th of 2013 until

10

mid-June (Greenwald, 2013). Despite not having context for the calls, having all this data on so many

individuals and customers of Verizon allows for the creation of massive webs of social connection,

showing associations regardless of call content.

Over the remainder of 2013, more secrets were published including the PRISM and Upstream

internet collection programs. The Prism program involved taking user information from internet

companies such as Google and Facebook, while the Upstream collection took data while in transit through

the United States (Gellman and Poitras, 2013; Hautala, 2018). The Prism program was enabled by the

2008 Amendment Act, due to its provision on immunity for private companies voluntarily working with

the US government to provide information (Gellman and Poitras, 2013). In the shadow of former Bush

Administration programs, this continuation of similar programs under the Obama Administration was

another example of how much the NSA has moved to bulk collection over individual suspicion,

continuing to vaguely claim that efforts are being taken to not target US citizens (Gellman and Poitras,

2013).

The public’s response to this whistleblowing has included many lawsuits, most notably Klayman

v Obama, filed in 2013. Klayman, a Verizon customer, filed against the administration for violating his

fourth amendment rights by collecting data via Verizon. The ruling tackled not only the court order, but

the precedent set in Smith v Maryland. The ruling recognizes that this program is likely a violation of

fourth amendment rights (Klayman v Obama, n.d.). It also calls out the precedent taken from Smith v

Maryland, and admits that it does not apply anymore. Smith v Maryland (1979) had two fundamental

differences that make the precedent borderline irrelevant to the modern conversation. For one, it was

about using a pen register on an individual who was already suspected of the crime committed, as

opposed to collecting everything on everyone. Additionally, the way we engage with and use technology

has surpassed that in question during Smith. The pen register picked up the number being dialed, which

was pretty much the only function of a telephone at the time. Now, our phones are not just phones –

they’re cameras, GPS, small computers capable of sending emails, searching the web, scrolling through

Facebook. To access metadata from our phones is no longer just tracking calls. Not only is the telephone

11

metadata program seen as broad and unconstitutional, but it is worth noting that many experts believe it

has not contributed to the prevention of any attacks therefore serves no government purpose at all

(Klayman v. Obama, n.d.).

In another successful lawsuit, the American Civil Liberties Union (ACLU) brought claims against

James Clapper, the Director of National Intelligence, over the same court order to Verizon. As a user of

Verizon’s businesses services, the ACLU also found their information to be compromised. They

successfully explained how having access to their metadata could be detrimental to their work, proving it

warrants more protection. By explaining that many of their work involves sensitive information and

requires confidentially to protect both their clients and the projects they work on, they showed the true

sensitivity of metadata. Many of their calls are to potential witnesses, confidential sources and business

associates (Brandeisky, 2015). This ruling also explained that the collection of bulk phone data on

Americans is not authorized under Section 215 of the Patriot Act, which has been the foundation of so

many of these and similar programs. Despite these two victories over phone data, in a second case

Klayman tried to target the PRISM internet program, however has been unsuccessful because it’s harder

to prove himself as a victim of this surveillance (Brandeisky, 2015).

Even as all these debates were ongoing, data was being collected and analyzed. From the

whistleblowing and new knowledge of these programs, John Cheney-Lippold developed the theory of a

new form of citizenship to the caliber of jus soli and jus sanguinis, jus algoritimi, an algorithmic

citizenship (Cheney-Lippold, 2017, 157).

Who are you online?

To understand the concept of jus algoritmi, it’s important to first understand how a user is viewed

online by a company such as Google. While surfing the web, you become ‘computationally calculated’,

run through processes and analyzed to become what Cheney-Lippold describes as ‘you’ online (Cheney-

12

Lippold, 2017, 10). With emphasis on the quotation marks, it is a representation of you, as told by your

online behavior compared with others who appear to be similar.

Algorithmic Identity

Formed by fitting into categories called measurable types, algorithmic identity is a way to

compare an individual to other users and help facilitate Google’s advertising schema (Cheney-Lippold,

2017, 19). By comparing individual behaviors to others’ aggregated over time, they can create an

algorithmic caricature of you. This image of ‘you’ can be used as a marketing tool for sites like Google

and their partners (Cheney-Lippold, 2017, 22). Online, ‘you’ could be a 54 year old male based on the

sites you visit, the terms you search, and the other users you engage with, despite the reality of legally

being a 27 year old female. These categories that label us online are dynamic and independent of the

reality of the user. They are relative to other users and exist on a spectrum, leaving little opportunity to

solidify the categories of a user – which results in changes for each person day to day. One day ‘you’

could be a middle aged male, then spend the afternoon reading up on women’s magazines and online

shopping at women’s outfitters, turning ‘you’ into a young woman.

As you create more data that gets aggregated, you continue to be defined according to Google’s

algorithms (Cheney-Lippold, 2017, 19). This process fundamentally sacrifices accuracy. Your measurable

types online come from the way your real time behaviors compare to those of the same type. What ‘men’

are doing online changes every time ‘men’ continue to aggregate data, meaning one night you could be

80% ‘man’ then wake up the next at 70% (Cheney-Lippold, 2017, 28). From understanding Google’s

creation of measurable types and the algorithmic identity for marketing interest, we can begin to

understand how the NSA turned this concept into a type of citizenship used to maintain their

Consitutional integrity while still being able to surveil as many people as possible (Cheney-Lippold,

2017, 153).

Jus Algoritmi

When navigating online, there is no way to prove you’re a citizen. The concepts of jus soli and

jus sanguinis, passports, and documentation of any kind cannot be associated with an online account no

13

matter how hard sites try to verify identities. These accounts are functionally disconnected from an

individual who possesses certain rights under the US Constitution. What does the United States

government mean when they vaguely reference protects to US citizens? How does the NSA maintain

legal integrity without truly limiting their abilities to collect mass data sets? They fabricate a new type of

citizenship that allows for the legal collection of this data: jus algoritmi – algorithmic citizenship.

By taking advantage of the original FISA, the Patriot Act, and the FISA Amendment Act, the

NSA was able to get authorization to surveil anyone “reasonably believed to be located outside the US,”

which led to the need to create such a definition (see figure 3) (Cheney-Lippold, 2017). Cheney-Lippold

describes jus algoritmi as a type of formal citizenship, but by definition it is dynamic and constantly

reevaluated, seeing as it’s based on the same process as Google’s algorithmic identity (Cheney-Lippold,

2017, 158). The algorithmic citizenship of each individual is on a spectrum for each user, giving them a

percentage of citizen versus foreigner, constantly changing based on many different indicators. Some

examples of these indicators include communication with anyone reasonably believed to be associated

with a foreign power or territory, being in the address book of someone reasonably believed to be

associated with a foreign power or territory, content in a language that isn’t English, even legally acquired

metadata records that reveal personal associations with foreigners (Cheney-Lippold, 2017, 160).

You must behave online ‘as if’ you’re a citizen in order to be treated as such – opposing the

typical ‘innocent until proven guilty’, you’re essentially a foreigner until you prove yourself as ‘citizen’

by at least 51% (Cheney-Lippold, 2017, 160). Cheney-Lippold goes on to explain that it has nothing to do

with producing good citizens or that type of maintenance – it is all about maintaining the ability to collect

bulk datasets while acting within the bounds of the Constitution.

Figure 3.

Name of Citizenship

Type Jus Soli Jus Sanguinis Jus Algoritmi

Description Right of the soil,

citizenship based on where you were born.

Right of the blood, citizenship based on your

parents’

Right of the algorithm, given the treatment of a citizen based on your behaviors

14

citizenship/nationality. online being analyzed at least 51% ‘citizen’.

Contemporary Implications

Cheney-Lippold published We Are Data in 2017. What has been revealed since then? While the

concept of jus algoritmi is hard to trace into 2020, there have been other timeline landmarks that have

come and gone, as recently as March 2020. Through newly declassified information, and legislative and

judicial action, there are some conclusions to be drawn about the status of the surveillance concepts

derived from Snowden and Cheney-Lippold.

New reports on declassified information have led to criticism of the iterations of these long

running surveillance programs. The telephone data collection program, modified by the USA Freedom

Act, was analyzing domestic calls as recently as Feburary of this year and was costing the government

$100 million (Savage, 2020c). As previously mentioned, despite claims from intelligence officials that

this program is important and serving a purpose, information collected only led to one significant

investigation and only twice produced information that the FBI didn’t already possess (Savage, 2020c;

Savage, 2019a). Not only does the database lack significant information, the NSA admitted in 2018 that

the program had displayed flaws. The database of call records that were linked to terrorism investigations

had records that were unrelated, had no intended use, and in some cases, were illegally collected (Savage,

2019a). Possibly contributing to the high cost of the ineffective system, it seemed to observers that the

court exercised almost no restraint in its approval process. In 2018, there were 1,833 targets identified and

brought to the court as probable foreign power affiliates, which included 232 Americans (Savage, 2019b).

The court is notorious for approving with ease, only fully denying one of the requests also in that year

(Savage, 2019b).

There has been pushback to these surveillance practices in two areas: the judiciary and the

legislature. Chronologically, the first was a 2011 case brought to the Second Circuit Court of Appeals in

late 2019. Agron Hasbajrami was arrested and plead guilty to a charge of attempting to provide material

15

support to a terrorist organization with evidence collected by means of surveillance. He was informed

after Snowden’s whistleblowing and after his conviction that the evidence used against him was collected

sans warrant (United States v Hasbajrami, 2019). Since he is a United States citizen, he challenged the

charges asking if the information used was collected legally. The decision describes a constitutional

element as well as an unconstitutional element. For one, they deem what they call ‘incidental collection’

as constitutional. This incidental collection describes inadvertently collecting information on citizens

while legally surveilling non-nationals abroad. This would mean that the data they had on Hasbajrami was

collected legally. However, the decision says that it is unconstitutional to query that information (Warrant

not always…, 2019).

The second battle has been raging in the legislature, where various renewal dates have come and

gone without much publicity. In January of 2018, Congress passed a renewal of the Prism and Upstream

collection programs that allow for the gathering of data from private companies such as Microsoft,

Google, and Facebook to name a few as well as the collection of data in transit through the United States

(Hautala, 2018). The Prism program has had an effect in the private sector, encouraging companies to

either show how they had pushed back against government reach or to heighten their privacy measures

moving forward. Yahoo was able to publish their appeals against the court order, which had failed

(Hautala, 2016). Additionally, there were calls for better encryption efforts which have had their ripples

throughout the private sector. This encryption has recently faced a legislative attack in the form of the

EARN IT Act (Marks & Riley, 2020). This act, which has been called dangerous and unconstitutional by

cybersecurity advocates, is an attempt to weaken encryption efforts. Despite typically being motivated by

anti-terrorist sentiment, this bill was proposed as a means of preventing child sex exploitation (Marks &

Riley, 2020). Senator Ron Wyden, who has always taken firm stances in these privacy debates including

proposing the first expiration date of the USA Patriot Act, has called this bill, which was proposed in

January of 2020, a trojan horse that would allow the Trump Administration to have access to every aspect

of Americans’ lives (Marks & Riley, 2020).

16

In most recent news, the major provisions of the Patriot and the Freedom Acts were set to expire

on March 15, 2020. There were two acts proposed as a response to this expiration, one of which was

proposed by Senator Ron Wyden. In January of 2020, the Safeguarding Americans’ Private Records Act

was introduced. It attempted to close loopholes that have allowed for surveillance to take place outside

the FISA process and prohibits the warrantless collection of metadata such as cell site location and GPS

information as well as the collection of browsing and internet search history (Coble, 2020). To continue to

strive for more oversight in the process of getting FISC permission, the bill proposes public reporting of

how many Americans’ have had their information collected, among other things (The Safeguarding

Americans’ Private Records Act, 2020). Another bill was proposed in February and actually passed in the

House a week prior to the March 15, 2020 deadline.

The USA Freedom Reauthorization Act also targets, in part, the surveillance that has been taking

place outside of the FISC. It is also inspired by one of the revelations from the FBI’s Russia Investigation

regarding the wiretap application for Carter Page, a Trump campaign advisor for foreign policy. It was

determined that the wiretap application was inaccurate, filled with cherry picked evidence presented to

the court (Savage, 2020b). As a remedy against the one sided arguments that the government is

empowered to bring to the FISC, this bill proposes an outsider be appointed to critique the governments

arguments when the request could affect political campaigns or religious organizations (Savage, 2020a).

In preparation for the March 15, 2020 expiration, this bill repeals the NSA’s authority that allowed for the

now dormant collection of phone call data. By outlawing it, it would become impossible for the Trump

Administration or a future executive body to re-instate it (Nakashima, 2020). Discussion of these two bills

have been essentially halted due to Congress’s attention being focused on the global pandemic of

COVID-19. When Senator McConnell realized that there wasn’t sufficient time to pass the USA Freedom

Reauthorization Act in the Senate, he proposed a bill that extended the expiring provisions for 77 more

days (Mckinney & Crocker, 2020). This was passed in the Senate but not the House, meaning the famous

provisions have officially sunset (Mckinney & Crocker, 2020). While this may seem like the final nails in

the coffin, there was a clause in the original act that says any information collected prior to expiration can

17

continue to be used by the intelligence community (Mckinney & Crocker, 2020). Additionally, the

conversation can be picked up at any time given that the bills are in circulation.

Conclusion

While the world has seemed to pause due to the global pandemic of COVID-19, these

conversations will pick up again in Congress soon. The question is, what direction will these

conversations take?

In a September 2019 interview, Snowden expressed to the Guardian his concerns for a future that

combines surveillance with developing technologies such as artificial intelligence (AI) and facial

recognition services (MacAskill, 2019). Seemingly in reference to the title of his recently published book,

Permanent Record, Snowden says he fears that governments (not just the United States) and internet

companies are working towards having permanent records of everyone on the planet, with unheard of

abilities to record and store every part of peoples’ daily lives (MacAskill, 2019). While Snowden shares

some of his ideas for reform, he points out that technology is moving at a rapid pace and the private and

public sectors do not always see eye to eye. One of his goals would be strong end-to-end encryption to

better protect emails, chats, and other online communication (MacAskill, 2019). This would fall on

privacy companies who run these communication interfaces. On the legislative end, acts like the EARN

IT Act proposed in early 2020 would go against this hope for encryption, arguing that it would impede the

ability to stop the child sexual exploitation that takes place online (Marks & Riley, 2020). In order to

maintain the push for better privacy policies, Snowden hopes to encourage a social protest movement to

fight against the privacy intrusions that will continue to be possible due to technology advancement

(MacAskill, 2019).

How would all of this change if there was more transparency? Almost as if taking Snowden’s

concern of a ‘permanent record’ and putting it to good use, Estonia has a program known as e-Estonia. E-

Estonia is a government effort that is turning the country into a digital society, linking all essential

services and cutting state spending on salaries and expenses while helping empower people to keep track

18

of their own data (Heller, 2017). Enabled by end to end encryption and links between servers, the data on

individuals lives locally, at their dentist, their high school, their bank, which reduces the risk of massive

breeches of centrally held data (Heller, 2017). Any time anyone glances at secure data online, it is

recorded, and looking at another’s data for no reason is a criminal offense. This ‘Little Brother’ society,

as a local called it, creates high thresholds of transparency and eliminated problems that also take place in

the United States, such as voter intimidation (Heller, 2017). Being able to vote with ease from the

computer could also help increase the number of voters in a given election. This is just one example of the

benefits for citizens with this digital society. This program is constantly expanding and could change the

way citizens’ engage with their own data, and empower them to think more about the privacy levels they

want to be in place.

While an infrastructure overhall would be much more difficult in the United States seeing as its a

much larger country with greater disparities in access to the resources necessary such as computers and

even internet services, emulating the level of transparency could help the United States retain its ability to

surveil ‘foreigners’ while protecting citizens to the best of their ability.

On theme of taking a social stand as encouraged by Snowden, this research brought up a lot of

congressional action that had previously gone on with little fanfare and attention. Laws with questionable

alignment to the Constituion being passed and after minimal debate seems to show a disconnect between

Congress and the people they are expected to represent. There is no accountability for representatives if

people are apathetic and not in touch with what is being debated in Congress. Although people lead busy

lives, its important to remain engaged in and remain up to date on national conversation where

Constitutional rights are coming under question. In a digital society such as the one being created by

Estonia, people are empowered to maintain and access their information; they see it all in one place and

know its being used only with their consent.

This brings into consideration, the power of the default as described in an opinion piece on

Bloomberg. The power of the default describes the reality that most people do not change the default

option they are given (Sunstein, 2017). While this default exists in many areas, in terms of user privacy

19

the best example is the default privacy settings on Facebook. When Facebook first began, the default

settings for its users was public, meaning anyone could see that posts made by a user. It was only in 2014

that new users were given the default of friends only, but this policy did not retroactively change the

setting for existing users, who would still need to go and manually make the change (Magid, 2014). This

power of the default is underestimated, yet has a profound effect on the way users engage with

technology. Prior to 2013, the default was bulk surveillance, whether or not it was upheld by the

Consitution. When a large event such as Snowden’s work with news sources to reveal government

secrets, shook an increasingly technology dependent community, the outrage was shortlived letting the

conversation fall mostly to Congress and private companies. The conversation over the default of

surveillance is ongoing and clashing, as private companies opt for encryption while Congress undermines

those efforts.

Despite program failures and public concerns, there will always be a need for surveillance and as

technology progresses its important to understand where data goes. From Snowden’s whistleblowing in

2013 and John Cheney-Lippold’s jus algoritmi, its clear that the trail a user makes online is not

inconsequential. As a user engages with websites, or other users, makes a call or sends a text linked to a

certain cell tower, algorithmic decisions are being made about that user that can determine whether or not

they are vulnerable to government surveillance. The default is still being debated. While the Patriot Act

has expired for now, conversations must continue about how individual data is being used. Even if it

seems like you have nothing to hide, you have a right to hide it.

20

21

References

Brandeisky, K. (2015, May 13). NSA Lawsuit Surveillance Tracker. ProPublica.

https://projects.propublica.org/graphics/surveillance-suits

Cheney-Lippold, J. (2016). Jus Algoritmi: how the National Security Agency remade citizenship.

International Journal of Communication. https://ijoc.org/index.php/ijoc/article/view/4480

Cheney-Lippold , J. (2017). We are Data: Algorithms and the making of our digital selves. New York

University Press.

Coble, S. (2020, January 27). US rolls out new bill to reform NSA surveillance. Infosecurity.

https://www.infosecurity-magazine.com/news/us-rolls-out-new-bill-to-reform/

Feingold, R. (2001, October 25). Statement Of U.S. Senator Russ Feingold On The Anti-Terrorism Bill

From The Senate Floor. Electronic Privacy Information Center.

https://epic.org/privacy/terrorism/usapatriot/feingold.html

Greenwald, G. (2013, June 6). NSA collecting phone records of millions of Verizon customers daily. The

Guardian. https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-

order

Gellman, B. and Poitras, L. (2013, June 7). U.S., British intelligence mining data from nine U.S internet

companies in broad secret program. Washington Post.

https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-

internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-

d970ccb04497_story.html

22

Hautala, L. (2018, January 19). NSA surveillance programs live on, in case you hadn’t noticed. Cnet.

https://www.cnet.com/news/nsa-surveillance-programs-prism-upstream-live-on-snowden/

Hautala, L. (2016, June 3). The Snowden effect: privacy is good for business. Cnet.

https://www.cnet.com/news/the-snowden-effect-privacy-is-good-for-business-nsa-data-collection/

Haynes, D. (2017). Metadata: the political dimension. Alexandria: the Journal of National and

International Library and Information Issues, Vol. 27(3), 198-206.

https://journals.sagepub.com/doi/10.1177/0955749018778984

Heller, N. (2017, December 11). Estonia, the digital republic. The New Yorker.

https://www.newyorker.com/magazine/2017/12/18/estonia-the-digital-republic

Hyde, C. (2018). Introduction citizenship before the fourteenth amendment. Civic longing: the speculative

origins of U.S citizenship. Harvard University Press. https://www.jstor.org/stable/j.ctvgd2nz.3

Klayman v. Obama (n.d.). Electronic Privacy Information Center.

https://epic.org/amicus/fisa/215/klayman/

Lind, D. (2015, June 2). Everyone’s heard of the Patriot Act. Here’s what it actually does. Vox.

https://www.vox.com/2015/6/2/8701499/patriot-act-explain

Lovells, H. (2008, August). Controversial FISA Amendments Act of 2008 signed into law. Lexology.

https://www.lexology.com/library/detail.aspx?g=b2bdf0cd-beb5-494e-bed1-81d6de156bb6

23

MacAskill, E. (2019, September 13). The man whose state surveillance revelations rocked the world

speaks exclusively to the Guardian about his new life and concerns for the future. The Guardian.

https://www.theguardian.com/us-news/ng-interactive/2019/sep/13/edward-snowden-interview-

whistleblowing-russia-ai-permanent-record

Magid, L. (2014, May 22). Facebook changes new user default privacy settings to friends only – adds

privacy checkup. Forbes. https://www.forbes.com/sites/larrymagid/2014/05/22/facebook-

changes-default-privacy-setting-for-new-users/#32106e7459ac

Marks, J. and Riley, T. (2020, March 6). The cybersecurity 202: Senate bill sparks open war over

encryption. Washington Post. https://www.washingtonpost.com/news/powerpost/paloma/the-

cybersecurity-202/2020/03/06/the-cybersecurity-202-senate-bill-sparks-open-war-over-

encryption/5e616cad88e0fa101a741cee/

Mckinney, I. and Crocker, A. (2020, April 16). Yes, Section 215 expired. Now what? Electric Frontier

Foundation. https://www.eff.org/deeplinks/2020/04/yes-section-215-expired-now-what

Nakashima, E. (2020, February 24). House panel to debate bill that would prevent NSA from reviving

dormant surveillance program. Washington Post. https://www.washingtonpost.com/national-

security/house-panel-to-debate-bill-that-would-prevent-nsa-from-reviving-dormant-surveillance-

program/2020/02/24/9c22cc1e-574a-11ea-9000-f3cffee23036_story.html

Office for Civil Rights and Civil Liberties. (2013, September 19). The Foreign Intelligence Surveillance

Act of 1978 (FISA). Justice Information Sharing.

https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286

24

Savage, C. (2020, February 24). Bill would require an anti-government critic in more surveillance cases.

New York Times. https://www.nytimes.com/2020/02/24/us/bill-surveillance-carter-page-fisa.html

Savage, C. (2020, January 15). FBI’s proposed fixes are inadequate expert tells surveillance court. New

York Times. https://www.nytimes.com/2020/01/15/us/politics/david-kris-fisa-

fbi.html?action=click&module=RelatedLinks&pgtype=Article

Savage, C. (2019, July 30). More NSA call data problems surface as law’s expiration approaches. New

York Times. https://www.nytimes.com/2019/07/30/us/politics/nsa-call-data-

program.html?action=click&module=RelatedLinks&pgtype=Article

Savage, C. (2020, February 25). NSA phone program cost $100 million but produces only two unique

leads. New York Times. https://www.nytimes.com/2020/02/25/us/politics/nsa-phone-

program.html

Savage, C. (2019, December 11). We just got a rare look at national security surveillance. It was ugly.

New York Times. https://www.nytimes.com/2019/12/11/us/politics/fisa-surveillance-

fbi.html?action=click&module=RelatedLinks&pgtype=Article

Smith v Maryland. (n.d.). Oyez. https://www.oyez.org/cases/1978/78-5374

Sunstein, C. (2017, December 28). Don’t underestimate the power of the default option. Bloomberg.

https://www.bloomberg.com/opinion/articles/2017-12-28/don-t-underrate-the-power-of-the-

default-option

The Safeguarding Americans’ Private Records Act. (2020). Ron Wyden: United States Senator for

25

Oregon.

https://www.wyden.senate.gov/imo/media/doc/The%20Safeguarding%20Americans%20Private

%20Records%20Act%20of%202020%20One%20Pager.pdf

Warrant not always needed for ‘inadvertent’ NSA surveillance of Americans: U.S court. (2019, December

19). Yerepouni Daily News. https://search-proquest-

com.libezproxy2.syr.edu/docview/2328304305?accountid=14214

United States v. Hasbajrami (2019) Electronic Frontier Foundation.

https://www.eff.org/cases/united-states-v-hasbajrami

U.S Const. amend. XIV https://www.law.cornell.edu/constitution/amendmentxiv