Whitney Wertheimer · Whitney Wertheimer Candidate for Bachelor of Arts, Policy Studies, Minor,...
Transcript of Whitney Wertheimer · Whitney Wertheimer Candidate for Bachelor of Arts, Policy Studies, Minor,...
Government Bulk Surveillance from 1978-2020: an Ongoing Violation of Citizens Rights
A Thesis Submitted in Partial Fulfillment of the Requirements of the Renée Crown University Honors Program at
Syracuse University
Whitney Wertheimer
Candidate for Bachelor of Arts, Policy Studies, Minor, Information Management and Technology
and Renée Crown University Honors Spring 2020
Honors Thesis in Information Management and Technology
Thesis Advisor: _______________________ Dr. Steve Sawyer
Thesis Reader: _______________________ Dr. Jennifer Stromer-Galley
Honors Director: _______________________ Dr. Danielle Smith, Director
ii
Abstract
By tracing landmark laws such as the Foreign Intelligence Surveillance Act and the USA Patriot Act through the 1970s to 2020, the public scrutiny of privacy policies looks like a bell curve: people started to slowly understand how much surveillance they were under through media reports, peaking at Edward Snowden’s whistleblowing in 2013, then when publicity died down, concerns fell back to the wayside as Congress and the courts continued to debate whether or not the programs the laws seemed to support were constitutional.
In reading John Cheney-Lippold’s We Are Data, the concept of jus algoritmi or algorithmic citizenship stands out. By definition, jus algoritmi is a type of formalized citizenship that is used by government organizations to determine who they can and cannot surveil. By looking into how the privacy and surveillance laws in place led to the whistleblowing of Edward Snowden in 2013, Cheney-Lippold developed his concept. Starting with the Foreign Intelligence Surveillance Act of 1978 and following the trails of court precedents, and major surveillance policies such as the USA PATRIOT Act of 2001, the reader can understand how data has been unconstitutionally accessed in the past. Following exposure of certain programs, it discusses Congressional steps that have been taken since the public became concerned about the relationship between the government and communication and internet companies. Using Cheney-Lippold’s book and news sources to follow the path surveillance laws have taken reveals that these programs are not completely a thing of the past and were still being debated up until March of 2020, despite lack of public concern once the timeline of Snowden’s whistleblowing ran its course. Conversations in Congress only recently took a pause due to COVID-19.
Surveillance has been and still could be taking place in some capacities, the major concern moving forward should be considering how users take ownership of their data and the way that the government can be more transparent. Laws recently up for debate have the power to shut down programs that collect bulk data completely, but also some also push back on private sector efforts, such as encryption, that could prevent users’ data from being as vulnerable as it has been in the past.
iii
Executive Summary
Citizenship status creates a relationship between the individual and their government. Presumably
with a passport or license, it is easy to determine who is a United States citizen and who is not. For
citizens, that relationship comes with rights guaranteed by the U.S Constitution and its Bill of Rights and
other Amendments. One of those rights protects against illegal searches and seizures of belongings and
personal effects. Yet, as information and communication technologies advance, they raise questions about
how to define search, which went to the Supreme Court in early cases such as Smith v. Maryland (1979),
a case that questioned whether or not the use of a device that records the numbers a phone dials is a
constitutional search. In Smith v. Maryland, two precendents were set. The first is that not all data are
given the same privacy – this case brings into question metadata, which is data about data. It determined
that since the only thing recorded was the number dialed, not actually content, it did not violate the Fourth
Amendment. The second precedent is what is now called third party doctrine. Third party doctrine
dictates that when an individual willingly works with a third party service, their data becomes part of that
company’s business practice and is no longer deserving of individual privacy. So in the case of Smith,
using a phone company to make the call forfeited his reasonable expectation to privacy over the number
he dialed.
Since the late 1970s, Congress has been addressing such questions regarding surveillance.
Prompted initially by concerns of government overstep in the wake of the Watergate scandal, the Foreign
Intelligence Surveillance Act of 1978 was passed to ensure that there was some oversight of surveillance
activities while still allowing them to have a level of secrecy so as to not impede whatever investigation
was going on (Lovells, 2008). This act created the Foreign Intelligence Surveillance Court (FISC) that
would continue to be a major player through debates on surveillance and data privacy.
Decades later, the tragedy of 9/11 again challenged the conceptualization of privacy. As a
response to the overwhelming concern of terrorism, Congress hastily passed the USA Patriot Act a month
after the attacks. This act gave the government broad surveillance powers in the name of national security,
three of which were given a countdown of five years, with the hope that five years later would enable
iv
more sound discussion of the implications. By the time the five year expiration date came up, news
outlets were beginning to report of surveillance programs that included the data of United States citizens,
collected without warrants through decisions from the secret FISC. Regardless, the expiration date was
extended. The Bush Administration passed the Amendments Act of 2008 which addressed some
concerns, but did not do much to change the collection that was going on.
In 2013, things began to change. Edward Snowden, in exile, began to reveal government
programs that were vast overreaches of their constitutional power, but had been enabled by provision in
the Patriot Act and secret decisions by the FISC. From this whistleblowing, John Cheney-Lippold
developed his concept of jus algoritmi, a sort of algorithmic citizenship that government agencies were
using to allow them to continue to surveil as many people as possible. This definition of citizenship
requires that users act ‘as if’ they are citizens by at least 51% in order to be provided the protections given
to citizens (Cheney-Lippold, 2017, 160). This is determined by many indicators and as data gets
aggregated it is always subject to change. It is by using this sort of definition that the government was
able to continue to cast such a broad net, aggregating more and more data to develop the algorithm and
being able to access the data of so many individuals. In 2015, the USA Freedom Act was passed, in an
attempt to address the many concerns raised following Snowden’s whistleblowing. The highlight of the
Freedom Act is that it involved a system that kept all data in the hands of major companies, only allowing
queries under court approval.
Using news sources leading up to 2020, the impact of these programs on terrorism detection and
prevention is miniscule, proving that the government overreach that took place is not necessary and
should be halted. The most recent renewal of the Patriot Act came in March 2020. With COVID-19
taking most of the attention of Congress, the bills that were brought to the floor did not get passed,
meaning the Patriot Act has sunset. Though they are done for now, they can easily be picked up right
where they left off once the pandemic settles down. Throughout the constant conversation going on in
Congress, the public’s concern with these breaches of privacy peak only when Snowden shook the world
with his revelations.
v
The conversation moving forward needs to engage citizens and empower them to consider the
privacy they expect from private corporations and the government on a regular basis – not just when they
are forced to reckon with it.
vi
Table of Contents
Abstract……………………………………….……………….………….. ii
Executive Summary………………………….……………….………….. iii
Acknowledgements …………..…………………………………………… vii
Section 1: Introduction ……………………………………………… 1
Section 2: Citizenship ……………………………………………… 1
Section 3: Early Privacy Debates ……………………………………….. 3
Section 4: Metadata ……………………………………………… 5
Section 5: 9/11 and Privacy ……………………………………………… 5
Section 6: Edward Snowden……………………………………………… 9
Section 7: Who are you online? ………………………………………….. 11
Section 8: Contemporary Implications …………………………………. 14
Section 9: Conclusion ….………………………………………………… 17
Works Cited.……………………………………………………………… 21
vii
Acknowledgements
In chronological order, I would like to acknowledge those who made this thesis possible
and supported me throughout the many iterations.
First, thank you to my parents. Along with my Syracuse University acceptance letter, I
received a piece of paper telling me I have been given a spot in the Renee Crown University
Honors Program. Though I pondered how I would be able to accept a spot at SU without
accepting a spot in Honors, I’m happy I was too embarrassed to ask that question and took my
spot in both.
Thank you to the Honors department faculty. All my advising appointments with Naomi
Shanguhyia helped me to graduate in three and a half years, while also helping me keep my
sanity when I was given the opportunity to delay the submission of this thesis. A thank you is
also due to Dr. Karen Hall due to her commitment to the honors thesis and emails reminding me
to maintain a timeline so I would not be swamped come April 2020. Additionally, the classes I
was given the opportunity to take as an honors student have shaped a piece of my learning and
will continue to have an impact on me as I enter the real world.
One of the HNR offerings led me to my thesis advisor, Dr. Steve Sawyer of the iSchool.
Though my thesis looks nothing like the plan we initially mapped out my sophomore year, it was
with your unwavering support that I was able to explore all my interests before settling on this
one. This thesis somehow went from pages of outlines on topics too broad, to the actual
document before you. Thank you for your help.
Finally, to Dr. Jennifer Stromer-Galley who joined my support team despite my broad
ideas, and helped me to tie them to down and run with a single idea. An idea that was based
heavily on the thought provoking conversations that took place in her IST 343: Data and Society
course. Thank you for taking the time to work with me.
I cannot thank everyone enough for helping me finish my last work as an undergraduate.
Enjoy!
1
Introduction
Citizenship as a legal status is an essential element of global nation-states. Citizenship has always
denoted who has and does not have access to certain rights. In the United States, those rights are
expressed within the Bill of Rights and following Amendments, and promised to its citizens by the 14th
amendment which was ratified in 1868. Proving citizenship traditionally can be simple through physical
documentation, such as a passport or license to show your residency. However, an increasing reliance on
digital technologies and heightened concern of terrorism in the post 9/11 United States has led to a new
definition of citizenship -- one that is much more abstract and dynamic in its structure. In his book We Are
Data, John Cheney-Lippold describes a concept referred to as Jus Algoritmi, a new way to define
citizenship based on online behaviors and patterns. This definition requires individuals to act ‘as if’ they
are citizens online, and by doing so they are protected from surveillance by government organizations. By
discussing past legal precedent, it becomes easier to see how this concept of online citizenship, explained
by Cheney-Lippold in his 2017 book, was formed and used, and begs the question – how does this
definition and similar concepts fit into contemporary United States surveillance?
By tracing landmark laws such as the Foreign Intelligence Surveillance Act and the USA Patriot
Act through the 1970s to 2020, the public scrutiny of privacy policies looks like a bell curve: people
started to slowly understand how much surveillance they were under through media reports, peaking at
Edward Snowden’s whistleblowing in 2013, when publicity died down, concerns fell back to the wayside
as Congress and the courts continued to debate whether or not the programs the laws seemed to support
were constitutional.
Citizenship
Historically, legal definitions of citizenship were limited to jus soli and jus sanguinis. Jus soli
means the right of the soil, or a type of citizenship that relies on an individual being a citizen based on
being born within that nation-state’s boundaries (Cheney-Lippold, 2017, 157). While this is recognized
2
by the United States government currently, it was not an easy means in the past when boundaries were
difficult to verify, etc. Leaving the best measure for citizenship to be jus sanguinis, which means the right
of the blood. Jus sanguinis makes you a citizen based on your parent’s nationality (Cheney-Lippold,
2017, 157). This way of tracking via genealogical lines helped to maintain citizenship in small nations.
Figure 1.
Name of Citizenship Type
Jus Soli Jus Sanguinis
Description Right of the soil, citizenship based on where you were born.
Right of the blood, citizenship based on your parents’
citizenship/nationality.
These traditional definitions were challenged by the United States’s emergence, and for two
major reasons. The first was that the new inhabitants came from Great Britain, meaning none of them
were guaranteed jus soli. The second had more to do with the structure of the budding country – the
federation of states challenges whether or not individuals became citizens of their states or their country
as a whole (Hyde, 2018). A definition of citizenship was officially codified in the passing of the 14th
Amendment in 1868.
Though the United States Constitution and related documents uses the word citizen eleven times,
it had no formal definition until the 14th amendment was written into law 80 years after the original
ratification of the Constitution (Hyde, 2018). Based on the foundation set by the Civil Rights Act of 1866,
the 14th Amendment established the specific framework of citizenship that is used today. Section one of
the amendment is quoted below:
All persons born or naturalized in the United States and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws. (U.S. Const. amend. XIV).
Breaking this down, even the first sentence has at least two functions. The first is the
establishment of a true definition of citizen, formalizing jus soli and a naturalization process. The second
3
is that a citizen is defined as a member of the United States first and as a member of their home state
second. The privileges and immunities clause outlines that all the rights expressed in the Constitution and
its Amendments, specifically the Bill of Rights, are guaranteed to United States citizens, and it is illegal
to deprive citizens of any of those expressed rights.
One of these guaranteed rights, and the one explored by Cheney-Lippold in We Are Data, is the
Fourth Amendment. The Fourth Amendment protects citizens unlawful searches and seizures. When this
was written, it guaranteed privacy from the government and establishes a warrant process to undertake a
search of one’s personal belongings and effects. With an official definition of citizenship, it became easier
to determine who was protected and who was not in questions of privacy. As personal effects became less
tanglible through development and increased use of new technologies for communication and storage of
information, the application of this right to privacy becomes more complex.
Early Privacy Debates
In the early 1970s, the post-Watergate United States had to revisit concepts of citizen’s privacy
rights, given the increased possibilities of surveillance. Part of the national response was the
establishment of the Foreign Intelligence Surveillance Court (FISC) via the original Foreign Intelligence
Surveillance Act (FISA) of 19781. In addition to the creation of the FISC, the FISA provides a framework
for obtaining permission to gather information via previously unregulated means, including pen registers,
trace, and trap devices used for telephone and email surveillance (Office for Civil Rights and Civil
Liberties, 2013). The function of the court was to establish oversight over government foreign
surveillance activities while maintaining sufficient secrecy to monitor potential national security threats.
The FISA itself was passed to set up boundaries for surveillance and prevent the abuses that had
come to light through events such as the Watergate Scandal (Lovells, 2008). The court exists to hear cases
ex parte, with just government representatives, to decide whether or not to provide a warrant based on the
articles of the FISA (Office for Civil Rights and Civil Liberties, 2013). As Congress was establishing a 1 See https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286
4
protocol for surveillance in the name of national security, the Supreme Court was setting precedent for
domestic surveillance.
In 1979, the Supreme Court heard the case of Smith v Maryland, pondering how the use of a pen
register, a device that records the numbers dialed, plays into the definition of a search under the fourth
amendment. A pen register was used to confirm that the suspect was making threatening phone calls to
the victim of a robbery. The police went through the suspect’s phone company to place a pen register to
monitor only the numbers he was dialing, not the content of the calls. This was enough to see that the
suspect, Michael Lee Smith, was calling the victim, Patricia McDonough, which helped them to secure a
warrant to search his home, take him into custody, and have McDonough identify him as the one she saw
committing the robbery (Oyez, n.d.). Smith argued that the pen register was used to get information
without a warrant, which violated his fourth amendment right against illegal searches and seizures.
The decision established two precedents that have plagued privacy doctrine in the following
years. The first is that not all data are created equal, and therefore do not deserve the same protection. In
this case, the data accessed was simply the phone number dialed, not the content of the call. More
prominent in this case is the discussion of what is to become known as third party doctrine: the idea that
any individual forfeits their reasonable expectation to privacy when they use a third party service (Oyez,
n.d.). Justice Blackmun wrote the majority opinion, saying when Smith used a phone company to
complete his call, he gave the dialing information to a third party, where it became a part of their regular
business conduct (Oyez, n.d.). Because of this, the number he dialed that was picked up by a pen register
is not protected under the fourth amendment, and Smith’s argument is invalid.
This contribution to the foundation of privacy policy might have seemed reasonable at the time,
but becomes more and more risky as technology develops and the utility of phones and other devices
drastically increases.
Metadata
5
Beyond the third party doctrine, the first question of what type of data deserve to be protected can
be more complex. The data described in the case is what is known as metadata, or data about data. In the
case of Smith v Maryland (1979), the number dialed is a piece of data about the call in question. While it
may seem that this type of descriptive data is less threatening to have collected, on the contrary, there are
many benefits to the collection of metadata that are enabled by past precedents such as Smith v Maryland.
For one, metadata is structured which leaves less guesswork for analytical agents. It fits into specific
categories which provides a certain context that you would not get from the content of an actual message.
Because of this, fewer resources are used to figure out meanings and it becomes easier to analyze
compared to the content of a message where ‘green’ could be a name or a color, as one example (Haynes,
2017, 199). Seeing as metadata can have more utility than anticipated, it’s easer to understand the
concerns brought on in the post 9/11 United States.
9/11 and Privacy
Following the terrorist attacks of September 11, 2001, President Bush was able to pass into law a
novel act in the name of national security. With only one senator voting again it, the Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
(USA PATRIOT Act) was passed and has been hotly debated since. The Patriot Act was an anti-terrorism
law that had many areas of focus, most noteably surveillance powers to, in theory, help curb future
attacks.
Senator Russ Feingold of Wisconsin was the only senator to vote against the USA Patriot Act in
2001. In his address to the Senate in October following the terrorist attacks, he explains his position and
concerns for the bill, pointing out the ways that government power was being drastically expanded.
Feingold recognizes that some of the new provisions are reasonable, such as the FBI’s use of warrants to
access voicemails and tap cellphones and the lengthening or elimination of statute of limitations for
terrorist crimes (Feingold, 2001). But the original bill led to concerns in either explicit or potential
government overreach – some of which were addressed prior to the vote, but other provisions remained in
6
place despite his speech. The original bill, Feingold explains, was drafted hastily in the month after the
9/11 attacks and came with pressure to pass it into law as quickly as possible. The broad power being
granted in the bill included some provisions that had been brought up by the FBI in the past that had
already been rejected by Congress, and represented huge contradictions to the Constitution. The original
bill had a provision that would allow for the use of evidence obtained illegally by U.S standards if it was
obtained by foreign law enforcement, as well as a provision that would allow for the freezing of a
suspect’s assets prior to conviction. To freeze their assets would impede the suspect’s ability to hire a
lawyer to defend them. It had also been brought to Congress before and was rejected, excluding occasions
when the suspect’s assets had been gained in an alleged criminal enterprise (Feingold, 2001).
Beyond the breaches of the Constitution, Senator Feingold expressed concern over the expansion
of the original FISA from 1978. The original FISA had lowered the threshold of cause in FBI
investigations of foreign intelligence activities, meaning they did not have to meet the same probable
cause standard that is required in criminal investigations. In the Patriot Act bill presented, the requirement
was changed one again. The bill proposed only requiring that the government shows that the intelligence
is a ‘significant purpose’ of the investigation, even if the investigation is a criminal investigation, not just
a foreign intelligence investigation (Feingold, 2001.
The provisions in the Patriot Act would limit the scope of Fourth Amendment protections and
allow for more and more investigations to go through the FISC because of that lower standard. While
Senator Feingold recognizes that there were changes from the original bill, he is still unsatisfied with
areas that he believes have the potential for abuse. One of these areas described seems to have become
part of the law, what has been known as Section 215 of the passed USA Patriot Act (Figure 2).
Figure 2.
Name Function
Section 206 Called the ‘roving wiretap’ provision, it allowed the government to tap all of an individual’s devices, such as their landline, cell phone, laptop, etc with only one
approval from the FISC (Lind, 2015).
Section 207 Called the ‘lone wolf’ provision, it allowed the government to surveil someone who might be engaging in international terrorism even if they’re not involved with
7
a known terrorist organization (Lind, 2015).
Section 215
This is the most hotly debated section up for constant renewal. It’s referred to as the ‘business records’ provision and had established the foundation for the bulk collection that has since raised concerns of government overstep. This provision
gives the government broad power to ask businesses for their records that relate to an individual who might be involved in terrorism (Lind, 2015).
National Security Letters
This was the most controversial, permanent program, that has only since been modified by the passage of new laws. With this program, the government is able to demand communication records from any telecommunications company without first getting approval from the FISC. This has been used extremely broadly in the past (Lind, 2015).
Feingold’s concern was that Section 215 gave the government power to access records of
virtually anyone by arguing they are seeking information on an individual with a connection to an
investigation on terrorism or espionage (Feingold, 2001). If an individual had been in contact with a
terrorism suspect, whether that means attending school with them, living in proximity to them, working
with them at any capacity, the government could compel a business to provide them with any records on
that individual. Seeing as the judicial oversight is ex parte, and done in secret, there is not enough
oversight to assure this provision would not be abused (Feingold, 2001). Senator Feingold’s concerns
caused little stir Congress, the edited bill being signed by President Bush the following day.
Through four of the Patriot Act’s major provisions, the government was empowered to access and
collect bulk data, with little public opposition until the whistleblowing of Edward Snowden in 2013.
Three of the four described provisions in the Act were so hotly debated that they were given a countdown
of five years, which has now been extended multiple times. Senator Ron Wyden stood firm on the
countdown, hoping that with distance from the trauma of 9/11 would come sounder and less rushed
discussion. In the end of debate in 2001, Sections 206, 207, and 215 were given the countdown, while the
National Security Letters program was not – only modified by laws passed later (Lind, 2015).
It was due to budding public concern in 2005 that some of the surveillance policies that had long
been in place started to be re-examined. The actions taken under the Patriot Act were highly secret until a
media report in 2005 began to reveal some of the bulk collection that was going on under the FISC. This
8
concern took the form of lawsuits being brought against telecommunications companies who had been
providing the government with customer information sans warrants. When the Patriot Act was nearing it
expiration date in 2006, Senator Feingold again tried to express his concern with a filibuster than led to
small tweaks in the concerning provisions (Lind, 2015). The public concern led to the FISA Amendments
Act, which would be passed by the Bush Administration in 2008 (Lovells, 2008).
Although the Bush Administration responded to growing distaste with justifications as to why the
monitoring program was legal, they announced in 2007 that the warrantless surveillance program would
be halted and all actions moving forward would be brought to the FISC. The act that followed in 2008
permitted the following three methods for electronic communication surveillance: under the order of the
FISC, when the attorney general authorizes that an emergency situation requires electronic surveillance to
gather information on foreign intelligence, and when the attorney general calls for the emergency use of a
pen register or trap and trace device to gather information on foreign intelligence (Lovells, 2008). In these
last two examples, the attorney general needs to get permission from the FISC within seven days of
calling for the emergency surveillance (Lovells, 2008). When the Amendments Act passed, it granted
immunity to companies who had participated in the government program, leading to the dismissal of over
forty lawsuits alleging participation in this warrantless surveillance program (Lovells, 2008) The
implications of this act are debatably worse than the original, changing the window for approval from
three days to seven, allowing approval for broad, year-long intercept orders from the FISC that target
groups and people, instead of the original law which required wiretap warrants for each individual target
(Lovells, 2008). Debates for the various iterations of the collection program always stressed the
importance of bulk collection because that’s the only way it can maintain any investigative legitimacy – if
it’s not aggregated there’s no way to see any sort of pattern of association overtime.
In addition to the Amendments Act of 2008, the most novel Patriot Act related legislation came
as a renewal in 2015 – the Uniting and Strengthening America by Fulfilling Rights and Ending
Eavesdropping, Dragnet-collection, and Online Monitoring Act (USA FREEDOM Act) (Lind, 2015). The
Freedom Act was passed in 2015 when the Patriot Act was up for renewal, and worked to greatly limit the
9
bulk collection program. Some of the major provisions included forcing the government to get FISC
permission prior to accessing any phone records and limiting collection to specific searches, no longer
allowing for such broad bulk collection of citizen’s data (Lind, 2015). The new system kept all of the
collected data in the hands of the phone companies, only allowing analysts to run queries with a judge’s
permission (Savage, 2020c). These queries would pull up the records of the suspect, as well as the records
for those the suspect contacted, still allowing for exponential data to be collected (Savage, 2020c). As a
strive towards improved transparency, one major provision requires that the FISC publish its major
decisions, which were previously kept secret (Lind, 2015). While the law was undergoing debate every
few years in Congress, another battle was taking place in the courts, over the precedent set in Smith v
Maryland and the bulk collection program that was coming to light.
Edward Snowden
It was through the whistleblowing of Edward Snowden in 2013 that U.S. citizens finally learned
how much of their data was being taken and used by the government, peaking their interest and concern
over their data. Snowden, a consultant from Booz Allen Hamilton working on government projects,
revealed that the National Security Administration (NSA) was operating under a ‘collect-it-all’ approach
when it came to surveillance – in essence gathering any and all data they could in order to run algorithms
and in theory, track down potential terrorists. Starting mid 2013 and going into the following year,
Snowden worked while in exile abroad to start to share the surveillance projects that had been going on,
including many that targeted United States citizens via their technology usage. This including one of the
first published articles from the Guardian that revealed that FISC sent a court order to telephone
companies, including Verizon, requiring that they give all information on all telephone calls to the NSA
(Greenwald, 2013). This was the first public outing of the plan to collect any and all data, regardless of if
the individuals were deemed suspect of anything.
The information from Verizon was exclusively metadata: who was calling and being called,
location data (nearest cell tower), call duration, for a three month period, from April 25th of 2013 until
10
mid-June (Greenwald, 2013). Despite not having context for the calls, having all this data on so many
individuals and customers of Verizon allows for the creation of massive webs of social connection,
showing associations regardless of call content.
Over the remainder of 2013, more secrets were published including the PRISM and Upstream
internet collection programs. The Prism program involved taking user information from internet
companies such as Google and Facebook, while the Upstream collection took data while in transit through
the United States (Gellman and Poitras, 2013; Hautala, 2018). The Prism program was enabled by the
2008 Amendment Act, due to its provision on immunity for private companies voluntarily working with
the US government to provide information (Gellman and Poitras, 2013). In the shadow of former Bush
Administration programs, this continuation of similar programs under the Obama Administration was
another example of how much the NSA has moved to bulk collection over individual suspicion,
continuing to vaguely claim that efforts are being taken to not target US citizens (Gellman and Poitras,
2013).
The public’s response to this whistleblowing has included many lawsuits, most notably Klayman
v Obama, filed in 2013. Klayman, a Verizon customer, filed against the administration for violating his
fourth amendment rights by collecting data via Verizon. The ruling tackled not only the court order, but
the precedent set in Smith v Maryland. The ruling recognizes that this program is likely a violation of
fourth amendment rights (Klayman v Obama, n.d.). It also calls out the precedent taken from Smith v
Maryland, and admits that it does not apply anymore. Smith v Maryland (1979) had two fundamental
differences that make the precedent borderline irrelevant to the modern conversation. For one, it was
about using a pen register on an individual who was already suspected of the crime committed, as
opposed to collecting everything on everyone. Additionally, the way we engage with and use technology
has surpassed that in question during Smith. The pen register picked up the number being dialed, which
was pretty much the only function of a telephone at the time. Now, our phones are not just phones –
they’re cameras, GPS, small computers capable of sending emails, searching the web, scrolling through
Facebook. To access metadata from our phones is no longer just tracking calls. Not only is the telephone
11
metadata program seen as broad and unconstitutional, but it is worth noting that many experts believe it
has not contributed to the prevention of any attacks therefore serves no government purpose at all
(Klayman v. Obama, n.d.).
In another successful lawsuit, the American Civil Liberties Union (ACLU) brought claims against
James Clapper, the Director of National Intelligence, over the same court order to Verizon. As a user of
Verizon’s businesses services, the ACLU also found their information to be compromised. They
successfully explained how having access to their metadata could be detrimental to their work, proving it
warrants more protection. By explaining that many of their work involves sensitive information and
requires confidentially to protect both their clients and the projects they work on, they showed the true
sensitivity of metadata. Many of their calls are to potential witnesses, confidential sources and business
associates (Brandeisky, 2015). This ruling also explained that the collection of bulk phone data on
Americans is not authorized under Section 215 of the Patriot Act, which has been the foundation of so
many of these and similar programs. Despite these two victories over phone data, in a second case
Klayman tried to target the PRISM internet program, however has been unsuccessful because it’s harder
to prove himself as a victim of this surveillance (Brandeisky, 2015).
Even as all these debates were ongoing, data was being collected and analyzed. From the
whistleblowing and new knowledge of these programs, John Cheney-Lippold developed the theory of a
new form of citizenship to the caliber of jus soli and jus sanguinis, jus algoritimi, an algorithmic
citizenship (Cheney-Lippold, 2017, 157).
Who are you online?
To understand the concept of jus algoritmi, it’s important to first understand how a user is viewed
online by a company such as Google. While surfing the web, you become ‘computationally calculated’,
run through processes and analyzed to become what Cheney-Lippold describes as ‘you’ online (Cheney-
12
Lippold, 2017, 10). With emphasis on the quotation marks, it is a representation of you, as told by your
online behavior compared with others who appear to be similar.
Algorithmic Identity
Formed by fitting into categories called measurable types, algorithmic identity is a way to
compare an individual to other users and help facilitate Google’s advertising schema (Cheney-Lippold,
2017, 19). By comparing individual behaviors to others’ aggregated over time, they can create an
algorithmic caricature of you. This image of ‘you’ can be used as a marketing tool for sites like Google
and their partners (Cheney-Lippold, 2017, 22). Online, ‘you’ could be a 54 year old male based on the
sites you visit, the terms you search, and the other users you engage with, despite the reality of legally
being a 27 year old female. These categories that label us online are dynamic and independent of the
reality of the user. They are relative to other users and exist on a spectrum, leaving little opportunity to
solidify the categories of a user – which results in changes for each person day to day. One day ‘you’
could be a middle aged male, then spend the afternoon reading up on women’s magazines and online
shopping at women’s outfitters, turning ‘you’ into a young woman.
As you create more data that gets aggregated, you continue to be defined according to Google’s
algorithms (Cheney-Lippold, 2017, 19). This process fundamentally sacrifices accuracy. Your measurable
types online come from the way your real time behaviors compare to those of the same type. What ‘men’
are doing online changes every time ‘men’ continue to aggregate data, meaning one night you could be
80% ‘man’ then wake up the next at 70% (Cheney-Lippold, 2017, 28). From understanding Google’s
creation of measurable types and the algorithmic identity for marketing interest, we can begin to
understand how the NSA turned this concept into a type of citizenship used to maintain their
Consitutional integrity while still being able to surveil as many people as possible (Cheney-Lippold,
2017, 153).
Jus Algoritmi
When navigating online, there is no way to prove you’re a citizen. The concepts of jus soli and
jus sanguinis, passports, and documentation of any kind cannot be associated with an online account no
13
matter how hard sites try to verify identities. These accounts are functionally disconnected from an
individual who possesses certain rights under the US Constitution. What does the United States
government mean when they vaguely reference protects to US citizens? How does the NSA maintain
legal integrity without truly limiting their abilities to collect mass data sets? They fabricate a new type of
citizenship that allows for the legal collection of this data: jus algoritmi – algorithmic citizenship.
By taking advantage of the original FISA, the Patriot Act, and the FISA Amendment Act, the
NSA was able to get authorization to surveil anyone “reasonably believed to be located outside the US,”
which led to the need to create such a definition (see figure 3) (Cheney-Lippold, 2017). Cheney-Lippold
describes jus algoritmi as a type of formal citizenship, but by definition it is dynamic and constantly
reevaluated, seeing as it’s based on the same process as Google’s algorithmic identity (Cheney-Lippold,
2017, 158). The algorithmic citizenship of each individual is on a spectrum for each user, giving them a
percentage of citizen versus foreigner, constantly changing based on many different indicators. Some
examples of these indicators include communication with anyone reasonably believed to be associated
with a foreign power or territory, being in the address book of someone reasonably believed to be
associated with a foreign power or territory, content in a language that isn’t English, even legally acquired
metadata records that reveal personal associations with foreigners (Cheney-Lippold, 2017, 160).
You must behave online ‘as if’ you’re a citizen in order to be treated as such – opposing the
typical ‘innocent until proven guilty’, you’re essentially a foreigner until you prove yourself as ‘citizen’
by at least 51% (Cheney-Lippold, 2017, 160). Cheney-Lippold goes on to explain that it has nothing to do
with producing good citizens or that type of maintenance – it is all about maintaining the ability to collect
bulk datasets while acting within the bounds of the Constitution.
Figure 3.
Name of Citizenship
Type Jus Soli Jus Sanguinis Jus Algoritmi
Description Right of the soil,
citizenship based on where you were born.
Right of the blood, citizenship based on your
parents’
Right of the algorithm, given the treatment of a citizen based on your behaviors
14
citizenship/nationality. online being analyzed at least 51% ‘citizen’.
Contemporary Implications
Cheney-Lippold published We Are Data in 2017. What has been revealed since then? While the
concept of jus algoritmi is hard to trace into 2020, there have been other timeline landmarks that have
come and gone, as recently as March 2020. Through newly declassified information, and legislative and
judicial action, there are some conclusions to be drawn about the status of the surveillance concepts
derived from Snowden and Cheney-Lippold.
New reports on declassified information have led to criticism of the iterations of these long
running surveillance programs. The telephone data collection program, modified by the USA Freedom
Act, was analyzing domestic calls as recently as Feburary of this year and was costing the government
$100 million (Savage, 2020c). As previously mentioned, despite claims from intelligence officials that
this program is important and serving a purpose, information collected only led to one significant
investigation and only twice produced information that the FBI didn’t already possess (Savage, 2020c;
Savage, 2019a). Not only does the database lack significant information, the NSA admitted in 2018 that
the program had displayed flaws. The database of call records that were linked to terrorism investigations
had records that were unrelated, had no intended use, and in some cases, were illegally collected (Savage,
2019a). Possibly contributing to the high cost of the ineffective system, it seemed to observers that the
court exercised almost no restraint in its approval process. In 2018, there were 1,833 targets identified and
brought to the court as probable foreign power affiliates, which included 232 Americans (Savage, 2019b).
The court is notorious for approving with ease, only fully denying one of the requests also in that year
(Savage, 2019b).
There has been pushback to these surveillance practices in two areas: the judiciary and the
legislature. Chronologically, the first was a 2011 case brought to the Second Circuit Court of Appeals in
late 2019. Agron Hasbajrami was arrested and plead guilty to a charge of attempting to provide material
15
support to a terrorist organization with evidence collected by means of surveillance. He was informed
after Snowden’s whistleblowing and after his conviction that the evidence used against him was collected
sans warrant (United States v Hasbajrami, 2019). Since he is a United States citizen, he challenged the
charges asking if the information used was collected legally. The decision describes a constitutional
element as well as an unconstitutional element. For one, they deem what they call ‘incidental collection’
as constitutional. This incidental collection describes inadvertently collecting information on citizens
while legally surveilling non-nationals abroad. This would mean that the data they had on Hasbajrami was
collected legally. However, the decision says that it is unconstitutional to query that information (Warrant
not always…, 2019).
The second battle has been raging in the legislature, where various renewal dates have come and
gone without much publicity. In January of 2018, Congress passed a renewal of the Prism and Upstream
collection programs that allow for the gathering of data from private companies such as Microsoft,
Google, and Facebook to name a few as well as the collection of data in transit through the United States
(Hautala, 2018). The Prism program has had an effect in the private sector, encouraging companies to
either show how they had pushed back against government reach or to heighten their privacy measures
moving forward. Yahoo was able to publish their appeals against the court order, which had failed
(Hautala, 2016). Additionally, there were calls for better encryption efforts which have had their ripples
throughout the private sector. This encryption has recently faced a legislative attack in the form of the
EARN IT Act (Marks & Riley, 2020). This act, which has been called dangerous and unconstitutional by
cybersecurity advocates, is an attempt to weaken encryption efforts. Despite typically being motivated by
anti-terrorist sentiment, this bill was proposed as a means of preventing child sex exploitation (Marks &
Riley, 2020). Senator Ron Wyden, who has always taken firm stances in these privacy debates including
proposing the first expiration date of the USA Patriot Act, has called this bill, which was proposed in
January of 2020, a trojan horse that would allow the Trump Administration to have access to every aspect
of Americans’ lives (Marks & Riley, 2020).
16
In most recent news, the major provisions of the Patriot and the Freedom Acts were set to expire
on March 15, 2020. There were two acts proposed as a response to this expiration, one of which was
proposed by Senator Ron Wyden. In January of 2020, the Safeguarding Americans’ Private Records Act
was introduced. It attempted to close loopholes that have allowed for surveillance to take place outside
the FISA process and prohibits the warrantless collection of metadata such as cell site location and GPS
information as well as the collection of browsing and internet search history (Coble, 2020). To continue to
strive for more oversight in the process of getting FISC permission, the bill proposes public reporting of
how many Americans’ have had their information collected, among other things (The Safeguarding
Americans’ Private Records Act, 2020). Another bill was proposed in February and actually passed in the
House a week prior to the March 15, 2020 deadline.
The USA Freedom Reauthorization Act also targets, in part, the surveillance that has been taking
place outside of the FISC. It is also inspired by one of the revelations from the FBI’s Russia Investigation
regarding the wiretap application for Carter Page, a Trump campaign advisor for foreign policy. It was
determined that the wiretap application was inaccurate, filled with cherry picked evidence presented to
the court (Savage, 2020b). As a remedy against the one sided arguments that the government is
empowered to bring to the FISC, this bill proposes an outsider be appointed to critique the governments
arguments when the request could affect political campaigns or religious organizations (Savage, 2020a).
In preparation for the March 15, 2020 expiration, this bill repeals the NSA’s authority that allowed for the
now dormant collection of phone call data. By outlawing it, it would become impossible for the Trump
Administration or a future executive body to re-instate it (Nakashima, 2020). Discussion of these two bills
have been essentially halted due to Congress’s attention being focused on the global pandemic of
COVID-19. When Senator McConnell realized that there wasn’t sufficient time to pass the USA Freedom
Reauthorization Act in the Senate, he proposed a bill that extended the expiring provisions for 77 more
days (Mckinney & Crocker, 2020). This was passed in the Senate but not the House, meaning the famous
provisions have officially sunset (Mckinney & Crocker, 2020). While this may seem like the final nails in
the coffin, there was a clause in the original act that says any information collected prior to expiration can
17
continue to be used by the intelligence community (Mckinney & Crocker, 2020). Additionally, the
conversation can be picked up at any time given that the bills are in circulation.
Conclusion
While the world has seemed to pause due to the global pandemic of COVID-19, these
conversations will pick up again in Congress soon. The question is, what direction will these
conversations take?
In a September 2019 interview, Snowden expressed to the Guardian his concerns for a future that
combines surveillance with developing technologies such as artificial intelligence (AI) and facial
recognition services (MacAskill, 2019). Seemingly in reference to the title of his recently published book,
Permanent Record, Snowden says he fears that governments (not just the United States) and internet
companies are working towards having permanent records of everyone on the planet, with unheard of
abilities to record and store every part of peoples’ daily lives (MacAskill, 2019). While Snowden shares
some of his ideas for reform, he points out that technology is moving at a rapid pace and the private and
public sectors do not always see eye to eye. One of his goals would be strong end-to-end encryption to
better protect emails, chats, and other online communication (MacAskill, 2019). This would fall on
privacy companies who run these communication interfaces. On the legislative end, acts like the EARN
IT Act proposed in early 2020 would go against this hope for encryption, arguing that it would impede the
ability to stop the child sexual exploitation that takes place online (Marks & Riley, 2020). In order to
maintain the push for better privacy policies, Snowden hopes to encourage a social protest movement to
fight against the privacy intrusions that will continue to be possible due to technology advancement
(MacAskill, 2019).
How would all of this change if there was more transparency? Almost as if taking Snowden’s
concern of a ‘permanent record’ and putting it to good use, Estonia has a program known as e-Estonia. E-
Estonia is a government effort that is turning the country into a digital society, linking all essential
services and cutting state spending on salaries and expenses while helping empower people to keep track
18
of their own data (Heller, 2017). Enabled by end to end encryption and links between servers, the data on
individuals lives locally, at their dentist, their high school, their bank, which reduces the risk of massive
breeches of centrally held data (Heller, 2017). Any time anyone glances at secure data online, it is
recorded, and looking at another’s data for no reason is a criminal offense. This ‘Little Brother’ society,
as a local called it, creates high thresholds of transparency and eliminated problems that also take place in
the United States, such as voter intimidation (Heller, 2017). Being able to vote with ease from the
computer could also help increase the number of voters in a given election. This is just one example of the
benefits for citizens with this digital society. This program is constantly expanding and could change the
way citizens’ engage with their own data, and empower them to think more about the privacy levels they
want to be in place.
While an infrastructure overhall would be much more difficult in the United States seeing as its a
much larger country with greater disparities in access to the resources necessary such as computers and
even internet services, emulating the level of transparency could help the United States retain its ability to
surveil ‘foreigners’ while protecting citizens to the best of their ability.
On theme of taking a social stand as encouraged by Snowden, this research brought up a lot of
congressional action that had previously gone on with little fanfare and attention. Laws with questionable
alignment to the Constituion being passed and after minimal debate seems to show a disconnect between
Congress and the people they are expected to represent. There is no accountability for representatives if
people are apathetic and not in touch with what is being debated in Congress. Although people lead busy
lives, its important to remain engaged in and remain up to date on national conversation where
Constitutional rights are coming under question. In a digital society such as the one being created by
Estonia, people are empowered to maintain and access their information; they see it all in one place and
know its being used only with their consent.
This brings into consideration, the power of the default as described in an opinion piece on
Bloomberg. The power of the default describes the reality that most people do not change the default
option they are given (Sunstein, 2017). While this default exists in many areas, in terms of user privacy
19
the best example is the default privacy settings on Facebook. When Facebook first began, the default
settings for its users was public, meaning anyone could see that posts made by a user. It was only in 2014
that new users were given the default of friends only, but this policy did not retroactively change the
setting for existing users, who would still need to go and manually make the change (Magid, 2014). This
power of the default is underestimated, yet has a profound effect on the way users engage with
technology. Prior to 2013, the default was bulk surveillance, whether or not it was upheld by the
Consitution. When a large event such as Snowden’s work with news sources to reveal government
secrets, shook an increasingly technology dependent community, the outrage was shortlived letting the
conversation fall mostly to Congress and private companies. The conversation over the default of
surveillance is ongoing and clashing, as private companies opt for encryption while Congress undermines
those efforts.
Despite program failures and public concerns, there will always be a need for surveillance and as
technology progresses its important to understand where data goes. From Snowden’s whistleblowing in
2013 and John Cheney-Lippold’s jus algoritmi, its clear that the trail a user makes online is not
inconsequential. As a user engages with websites, or other users, makes a call or sends a text linked to a
certain cell tower, algorithmic decisions are being made about that user that can determine whether or not
they are vulnerable to government surveillance. The default is still being debated. While the Patriot Act
has expired for now, conversations must continue about how individual data is being used. Even if it
seems like you have nothing to hide, you have a right to hide it.
20
21
References
Brandeisky, K. (2015, May 13). NSA Lawsuit Surveillance Tracker. ProPublica.
https://projects.propublica.org/graphics/surveillance-suits
Cheney-Lippold, J. (2016). Jus Algoritmi: how the National Security Agency remade citizenship.
International Journal of Communication. https://ijoc.org/index.php/ijoc/article/view/4480
Cheney-Lippold , J. (2017). We are Data: Algorithms and the making of our digital selves. New York
University Press.
Coble, S. (2020, January 27). US rolls out new bill to reform NSA surveillance. Infosecurity.
https://www.infosecurity-magazine.com/news/us-rolls-out-new-bill-to-reform/
Feingold, R. (2001, October 25). Statement Of U.S. Senator Russ Feingold On The Anti-Terrorism Bill
From The Senate Floor. Electronic Privacy Information Center.
https://epic.org/privacy/terrorism/usapatriot/feingold.html
Greenwald, G. (2013, June 6). NSA collecting phone records of millions of Verizon customers daily. The
Guardian. https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-
order
Gellman, B. and Poitras, L. (2013, June 7). U.S., British intelligence mining data from nine U.S internet
companies in broad secret program. Washington Post.
https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-
internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-
d970ccb04497_story.html
22
Hautala, L. (2018, January 19). NSA surveillance programs live on, in case you hadn’t noticed. Cnet.
https://www.cnet.com/news/nsa-surveillance-programs-prism-upstream-live-on-snowden/
Hautala, L. (2016, June 3). The Snowden effect: privacy is good for business. Cnet.
https://www.cnet.com/news/the-snowden-effect-privacy-is-good-for-business-nsa-data-collection/
Haynes, D. (2017). Metadata: the political dimension. Alexandria: the Journal of National and
International Library and Information Issues, Vol. 27(3), 198-206.
https://journals.sagepub.com/doi/10.1177/0955749018778984
Heller, N. (2017, December 11). Estonia, the digital republic. The New Yorker.
https://www.newyorker.com/magazine/2017/12/18/estonia-the-digital-republic
Hyde, C. (2018). Introduction citizenship before the fourteenth amendment. Civic longing: the speculative
origins of U.S citizenship. Harvard University Press. https://www.jstor.org/stable/j.ctvgd2nz.3
Klayman v. Obama (n.d.). Electronic Privacy Information Center.
https://epic.org/amicus/fisa/215/klayman/
Lind, D. (2015, June 2). Everyone’s heard of the Patriot Act. Here’s what it actually does. Vox.
https://www.vox.com/2015/6/2/8701499/patriot-act-explain
Lovells, H. (2008, August). Controversial FISA Amendments Act of 2008 signed into law. Lexology.
https://www.lexology.com/library/detail.aspx?g=b2bdf0cd-beb5-494e-bed1-81d6de156bb6
23
MacAskill, E. (2019, September 13). The man whose state surveillance revelations rocked the world
speaks exclusively to the Guardian about his new life and concerns for the future. The Guardian.
https://www.theguardian.com/us-news/ng-interactive/2019/sep/13/edward-snowden-interview-
whistleblowing-russia-ai-permanent-record
Magid, L. (2014, May 22). Facebook changes new user default privacy settings to friends only – adds
privacy checkup. Forbes. https://www.forbes.com/sites/larrymagid/2014/05/22/facebook-
changes-default-privacy-setting-for-new-users/#32106e7459ac
Marks, J. and Riley, T. (2020, March 6). The cybersecurity 202: Senate bill sparks open war over
encryption. Washington Post. https://www.washingtonpost.com/news/powerpost/paloma/the-
cybersecurity-202/2020/03/06/the-cybersecurity-202-senate-bill-sparks-open-war-over-
encryption/5e616cad88e0fa101a741cee/
Mckinney, I. and Crocker, A. (2020, April 16). Yes, Section 215 expired. Now what? Electric Frontier
Foundation. https://www.eff.org/deeplinks/2020/04/yes-section-215-expired-now-what
Nakashima, E. (2020, February 24). House panel to debate bill that would prevent NSA from reviving
dormant surveillance program. Washington Post. https://www.washingtonpost.com/national-
security/house-panel-to-debate-bill-that-would-prevent-nsa-from-reviving-dormant-surveillance-
program/2020/02/24/9c22cc1e-574a-11ea-9000-f3cffee23036_story.html
Office for Civil Rights and Civil Liberties. (2013, September 19). The Foreign Intelligence Surveillance
Act of 1978 (FISA). Justice Information Sharing.
https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286
24
Savage, C. (2020, February 24). Bill would require an anti-government critic in more surveillance cases.
New York Times. https://www.nytimes.com/2020/02/24/us/bill-surveillance-carter-page-fisa.html
Savage, C. (2020, January 15). FBI’s proposed fixes are inadequate expert tells surveillance court. New
York Times. https://www.nytimes.com/2020/01/15/us/politics/david-kris-fisa-
fbi.html?action=click&module=RelatedLinks&pgtype=Article
Savage, C. (2019, July 30). More NSA call data problems surface as law’s expiration approaches. New
York Times. https://www.nytimes.com/2019/07/30/us/politics/nsa-call-data-
program.html?action=click&module=RelatedLinks&pgtype=Article
Savage, C. (2020, February 25). NSA phone program cost $100 million but produces only two unique
leads. New York Times. https://www.nytimes.com/2020/02/25/us/politics/nsa-phone-
program.html
Savage, C. (2019, December 11). We just got a rare look at national security surveillance. It was ugly.
New York Times. https://www.nytimes.com/2019/12/11/us/politics/fisa-surveillance-
fbi.html?action=click&module=RelatedLinks&pgtype=Article
Smith v Maryland. (n.d.). Oyez. https://www.oyez.org/cases/1978/78-5374
Sunstein, C. (2017, December 28). Don’t underestimate the power of the default option. Bloomberg.
https://www.bloomberg.com/opinion/articles/2017-12-28/don-t-underrate-the-power-of-the-
default-option
The Safeguarding Americans’ Private Records Act. (2020). Ron Wyden: United States Senator for
25
Oregon.
https://www.wyden.senate.gov/imo/media/doc/The%20Safeguarding%20Americans%20Private
%20Records%20Act%20of%202020%20One%20Pager.pdf
Warrant not always needed for ‘inadvertent’ NSA surveillance of Americans: U.S court. (2019, December
19). Yerepouni Daily News. https://search-proquest-
com.libezproxy2.syr.edu/docview/2328304305?accountid=14214
United States v. Hasbajrami (2019) Electronic Frontier Foundation.
https://www.eff.org/cases/united-states-v-hasbajrami
U.S Const. amend. XIV https://www.law.cornell.edu/constitution/amendmentxiv