Contrary to substantial public belief, there is NO explicit guarantee of privacy in the U.S. Constitution. Nowhere is the word “privacy” even written in the Constitution. Consequently, the answer to this question is complicated and somewhat unclear:
The right to privacy was, however, inferred in the 1972 U.S. Supreme Court decision in Roe vs. Wade, where the Supremes inferred its existence under the Due Process clause of the Constitution’s Fourteenth Amendment, extending that right to a woman’s decision to have an abortion. In addition, there are many federal (see ECPA, HIPAA and SCA) and state laws (e.g. California SB1386 & AB1950, which govern protection of confidential information) which protect individual rights and data, including information generated and saved on computers, and some that isn’t. These separate and sometimes conflicting laws cover identity theft, unwanted communications, medical and law enforcement records and the like. Many of them are discussed throughout the LAWS section.
With respect to free speech, which can also be viewed as an invasion of a person’s privacy, it’s also important to realize that the privacy laws concern the relationship between the individual and the government, but not other institutions. As Judge Oliver Wendell Holmes wrote in the 1919 U.S. Supreme Court decision Schenck v. U.S., some free speech just isn’t protected, like “(falsely) shouting fire in a crowded theatre”. That’s why, even though there may not be any government law compelling them to do so, corporate entities like Facebook and Twitter can refuse to allow postings of things like revenge porn, hate e-mail and the like.
Although in the What?!?? category, the Elonis U.S. Supreme Court decision [No. 13-983] issued on June 1, 2015, leaves me scratching my head. Anthony Elonis was divorced from his wife Tara and immediately started causing trouble. He was fired from his job at an amusement park and responded with a Facebook post about being a nuclear bomb ready to explode. After a visit from an FBI agent, he responded with another post about a fantasy where he is slitting his estranged wife’s throat and turning her into a “ghost”. He said “There’s one way to love you but a thousand ways to kill you. And I’m not going to rest until your body is a mess, soaked in blood and dying from all the little cuts.” He also posted about killing federal law enforcement officials, even a kindergarten class. Not surprisingly, he was convicted and sent to prison, serving three years of a 44-month sentence before the Supreme Court decision. The court reversed the decision on the ground that the lower court’s instruction that the prosecution need prove only that a reasonable person would regard Elonis’s communications as threats was an error and that Elonis had to believe that the posts were actually a threat (he claimed that he was merely “rapping,” saying nothing that hadn’t been said before by others). What more would they have to show??? Nevertheless, that’s the law folks.
As with so much in the U.S., due to an absence of federal regulation, these laws evolve on an ad hoc basis on the state and even local level. A good example: On March 16, 2012 Rutgers University student Dharun Ravi was convicted by a Middlesex, N.J. jury on 15 charges of hate crimes (including bias intimidation, invasion of privacy, witness and evidence tampering and other offenses) stemming from a webcam video which he surreptitiously posted on the Internet of a gay encounter between his roommate (Tyler Clementi) and another man, as well as Ravi’s follow-up Twitter comments, which directly led to Clementi’s immediate suicide by jumping off the George Washington Bridge. The point is that this incident resulted in N.J.’s anti-bullying law, the strongest in the nation.
And you should know that there are no laws preventing your ISP, like Microsoft, Yahoo, Google and others, from looking at the collected and stored data in their own services, by whatever standards they alone deem appropriate. For examples, look HERE.
For more, see Cyberbullying, Tools of a Crime and other laws in the LAWS section of this site. See also OPINION for more discussion about the Fed spying on U.S. citizens, and FAQs for a discussion of state privacy laws respecting reading another’s (even a spouse’s) e-mails. Also see the discussion of President Obama’s proposed Consumer Privacy Bill of Rights in the Privacy section of this site.
Privacy from the Government and Corporations
So far as your privacy rights from Government snooping, that’s an entirely different matter. The above appears to conflict with the Obama administration’s backing of an FBI plan for a sweeping overhaul of surveillance laws, making it easier for the Government to wiretap people who communicate using the Internet. In order to “protect U.S. citizens from terrorists,” the FBI claims it is necessary to address and expand the search requirements created by the Internet age. Arguing that the proposals merely extend the searches already applicable to land-line phones under the Communications Assistance for Law Enforcement Act of 1994 to cover peer-to-peer and VoIP calls, they want to mandate that social networks like Facebook and Google build into their systems a capacity to comply with wiretap orders. (Under CICA, the telecoms had to place surveillance equipment in their own facilities and keep it usable as their technology changed.) They have, however, backed off from the requirements that the services provide the Government with encryption keys to decrypt encrypted communications. Fines would be imposed for non-compliance.
Also, the growing public and legislative outcry against the “harvesting” of non-public information by enterprises and the government is gaining momentum as other countries pass uniform privacy laws of their own. But this may all be smoke and mirrors. The cows may already be out of the barn: First, the disclosure of the NSA’s PRISM collection system, spying on all citizens who use nine of the largest ISPs in real time and continuously, as they text, photo, video and chat. [Interestingly, when the FBI proposed in 2010 the controversial legislation dubbed “Calea-2,” which would have required the ISPs to include mandatory wiretap access to their services, the industry strongly opposed it. Of course, leaks later revealed that Microsoft, Yahoo and probably others complied with literally thousands of NSA requests to provide (limited, not blanket) access to e-mail, web and Skype services due to “legal obligations” (meaning that the NSL orders forbade disclosure).] The FBI has even obtained the database of the anonymous Tor Tormail servers, so you can’t even rely on onion routers. See Tor for more about this. See e-mail for more about possibly secure e-mail servers.
In addition, in June, 2013, it was revealed in the New York Times that the Obama administration was secretly collecting records of Verizon calls, updated on a daily basis, under an order signed by Judge Roger Vinson of the Foreign Intelligence Surveillance Court (?? the what??). The phone records (which include “metadata,” times, dates, numbers and call durations, although allegedly not their actual content, which may or may not exist; disproven - they can tell all about the callers, their medical condition, financial and legal connections even whether they own a gun) were sought by the FBI through a Top Secret undisclosed order under a section of the Foreign Intelligence Surveillance Act (“FISA”), the 1978 law that regulates domestic surveillance for national security purposes, including “tangible things” like a business’s customer records. This provision was expanded by Section 215 of the Patriot Act which, some say, was created to bring legitimacy to the Bush administration’s illegal phone surveillance that took place without court orders. The NSA claims that the searches are legitimate, since they only peripherally involve Americans and therefore don’t violate the law because the main purpose of the surveillance is only for foreign information. The Supreme Court ruled in 1979 that metadata is not protected under the 4th Amendment because people have already revealed the existence of their calls to telephone companies and should therefore have no reasonable expectation of privacy. In a session of the House Judiciary Committee held on February 4, 2014, the author of the Patriot Act, Rep. James Sensenbrenner (R-WI) said that there are insufficient votes in Congress to re-authorize Section 215, which expires next June. (So it later got extended, of course. Patriot Act will never go away.) This is the same congressman who wrote in an amicus brief filed in ACLU v. Clapper that the vast majority of NSA collected records have no relationship to investigating terrorism at all.
On June 1, 2015, Section 215 of the Act expired, preventing the NSA’s bulk collection of metadata from U.S. citizens. On June 2, 2015, Congress passed the USA Freedom Act [HR 3361] by a 67-32 vote, the first legislative overhaul since the Snowden revelations about bulk data collection. Generally, it places some curbs on the collection, specifically by mandating a 6-month transition to a system in which call data would remain in private company hands but could be searched on a case-by-case basis under a court order. But not to worry: Congress immediately swung into action to dilute even that small control. And other NSA programs, lots of them, survive. The USAFA banning the NSA from scooping up phone data started on 11/30/15, but the metadata already collected can be kept and used by the NSA until 2/29/16. And the data will continue to be retained by the telcos. The NSA must now go to the FISA court for permission to gain access to those records. You know, those same guys that the Snowden documents showed secretly gave the NSA permission to collect U.S. citizens’ phone records in the first place. And, while the Act attempted to make the FISA rulings less secret, Congress has already introduced bills to extend the record retention for another 5 years and make permanent the provisions of the Patriot Act (the so-called “lone wolf” and “roving wiretap” provisions) that allow the NSA to get a wiretap warrant from the FISA without specifically naming the person to be tapped or even a showing that he or she is part of a terrorist group! Even worse, the NSA’s ability to harvest bulk communications from the Internet and social media under PRISM, which hacks into Microsoft, Google and Facebook to extract audio, video, photos, emails, documents and collection logs (according to the Washington Post), provides information to the NSA not only about the fact that a communication was sent, but also the contents of e-mails, chats and Skypes.
According to the Post, they can “literally watch you as you type”. How, you ask, does PRISM persist? PRISM is authorized under Sec. 702 of the FISA Amendments Act of 2008, which is not up for renewal until 2017. While it was originally restricted to communications to foreign individuals, it was expanded to include U.S. citizens when the NSA used its foreign offices to evade that restriction, according to the NY Times. According to Gizmodo, the NSA also leans on President Reagan’s Executive Order 12333, which is broadly worded to allow surveillance of any information “incidentally collected” during foreign surveillance. So, I guess your iCloud, DropBox and e-mail address book are fair game. The Electronic Frontier Foundation (see Associations) is concerned, for example, about the definition of “specific selection item” which describes (or limits) who or what the NSA is allowed to monitor. The broader definition could include physical addresses of e-mail providers, financial institutions or IP addresses of web hosting services, which was not in the original proposed definition which restricted collection to “a discrete term, such as a term specifically identifying a person, entity, account, address or device”. On the other side, Kentucky Senator Mitch McConnell opposed the bill because he felt that “this is the worst possible time to be tying our hands behind our backs” in the search for terrorism threats. While the Electronic Frontier Foundation, the ACLU and EPIC continue to fight for citizens’ privacy, Congress continues to chip away at every turn. Expect more of the same.
Although many aspects of the NSLs have been held unconstitutional and abusive, the NSLs still persist. In mid-2016, the Senate Intelligence Committee passed a bill that would expand the reach of NSLs, a provision to the 2017 Intelligence Authorization Act, that would allow the FBI to use NSLs to obtain “electronic communication transactional records” that presumably would include e-mails, subject lines and metadata, web browsing histories and the like. The House proposed a similar bill by unanimous vote. On the contrary side, both the House and Senate have proposed bills amending the ECPA, which was enacted before people used e-mail and cloud computing, to incorporate protections for citizens’ electronic communications.
In 2012, the Court also ruled that the police use of a GPS tracker attached to a suspect’s car violated his 4th Amendment rights because the police had to trespass on the suspect’s property to attach the device. In the decision, however, the justices did suggest that any long-term automated collection of a person’s public movements [such as the revealed NSA pilot program to do so in 2011] might still raise 4th Amendment issues. Same for data of U.S. citizens stored in cloud servers in other countries, as is often the case. The excuse that it’s only the metadata is kinda thin - A study recently published in Nature showed that just four data points about the location and time of a mobile call make it possible to identify the caller 95% of the time. And further examination showed that, even if it really was only metadata, that information can yield vast amounts of information, including both callers’ medical conditions, gun ownership, and financial and legal connections. Of course, if the call content is recorded (which I personally believe), that much more data could be extracted. But in August, 2013, the NSA admitted to searching the actual “contents” of the messages for telltale words and phrases. Besides, it doesn’t say that they won’t go back, with or without a warrant, for the phone call transcript itself, if they believe it’s necessary to fight terrorism.
Can you imagine, if people are outraged about Google and Facebook data collection, how irate they would be if they knew the Government was secretly collecting daily data about them, using secret orders issued by a secret court? [The Court is staffed by a rotating panel of judges selected by Chief Justice Roberts, without any review, and only the Government is heard when applying for an order, with no representation on behalf of the party against whom it is sought. Sure sounds unconstitutional, doesn’t it?] Besides, isn’t this stuff the kind of public pushback that shut down the Carnivore and Echelon projects in the 1970s and the Clipper chip in the 1980s? See also the Electronic Frontier Foundation’s page on “NSA Spying on Americans”. Of course, thanks to Whistle Blowers like Edward Snowden, everyone knows this stuff now.
Moreover, the NSA later admitted that it has also, secretly, circumvented or cracked much of the digital scrambling that protects global commerce, e-mails, phone calls, medical records and web searches (NY Times 9/6/13), including (with the UK’s GCHQ) hacking the fibre backbone for Google and Yahoo to collect data from hundreds of millions of accounts around the world. Even business and corporate accounts, purloining trade secrets and proprietary information that they thought might be useful later (courtesy of Snowden leaks in January, 2014). And it even disguised itself as Google to get away with its spying. Want to see how they do this? Click HERE for “How the NSA Does It”.
In June 2014, the Privacy and Civil Liberties Oversight Board, which Congress made an independent agency in 2007, concluded that, while it determined that the NSA’s collection of phone records of Americans was illegal, it fully supported so-called “702 collections,” referring to the section of FISA which allows warrantless wiretapping for foreign intelligence purposes. But it expressed concern about so-called “about” collections, those which enabled the NSA to tap into the internet “backbone” which carries both phone calls and e-mails, because they could snare the communications of Americans as well. About collections provide access to e-mail addresses and telephone numbers merely mentioned within the body of a communication, rather than in the address lines. The NSA claims that, because of “technological constraints,” it cannot completely separate the data. Civil liberties groups, of course, have protested.
Disclosures by Edward Snowden through the Guardian show that both the NSA and the UK’s GCHQ successfully decode key online security protocols through programs respectively named Bullrun and Muscular (U.S.A.) and Edgehill (U.K.). It appears that top ISPs were coerced to provide the agencies backdoor access to their security systems. The Fed determined that, as long as the big providers were going to collect data on U.S. citizens for advertising purposes, they could piggyback that data for criminal and national security purposes. In November, 2013 EPIC (see Associations) filed a petition with the Supreme Court, arguing that the Foreign Intelligence Surveillance Court has “exceeded its statutory jurisdiction when it ordered production of millions of domestic telephone records that cannot plausibly be relevant to an authorized investigation.” The Court gave no reason for denying the petition on November 18, 2013, but it is probably waiting for the issue to work its way through the lower courts rather than by direct petition. Shortly thereafter, in December, 2013, U.S. District Judge (for D.C.) Richard Leon ruled (Klayman v. Obama, 13-cv-881) that the NSA’s collection of domestic phone record metadata is unconstitutional and violates citizens’ privacy rights, setting up likely further challenges and appeals on the subject. But a couple of weeks later, on December 20, 2013, U.S. District (NY) Judge William Pauley ruled that the bulk collection is legal. These disparate rulings may set up Supreme Court review. Same for the disparity in rulings between the FISC Court, which in March, 2014 decreed that the retention of the bulk call data collected by the NSA under Section 215 of the Patriot Act could be deleted after five years, and a week later from the U.S. District Court for the Northern District of California which decided that they must still be retained. A few days later, the FISA amended its ruling to follow that of the California court.
Meanwhile, in the executive branch, the Privacy and Civil Liberties Oversight Board issued a report on January 23, 2014 concluding that Section 215 of the Patriot Act did not authorize the NSA phone surveillance and, moreover, that they could not identify even one instance where the surveillance made any concrete difference in counter terrorism. As usual, Congress doesn’t want to incur the ire of the NSA and, on 11/18/14, it again voted down any legislation which would restrict NSA data collection.
By the way, there is apparently no illegality to the Government’s collection of all charge card records from the major credit card companies, which has been going on for years. [My take: They’re also tracking the money so that the IRS can find tax evaders who clearly spend more than they say they make, and this has nothing to do with terrorism. For more about the programs that the NSA and FBI are using to spy on U.S. citizens and what they have to say about this, see my discussion (RANT) HERE.] This type of cybersurveillance by our government has been going on for years: See Whistle Blowers.
The next big frontier of public data collecting is already underway: The mass collection by the NSA of facial images, both independently (public and private cameras) and through social networking like Facebook, text messaging and e-mails. Snowden’s release of an internal NSA report (released by the N.Y. Times in June, 2014) shows that in 2010, facial recognition, in addition to “traditional communications,” is part of a “full-arsenal” approach to internet “clues” in order to “compile biographic and biometric information”. The report notes that the FBI, state and local police, the State Department and the Department of Homeland Security are increasingly turning to facial recognition programs for a variety of uses.
And none of this even begins to discuss the relationship between the members of the “Five Eyes” international network, of which the U.S. is a member, which uses the “Stoneghost” network for spying, probably on U.S. citizens.
The Numbers: The government’s use of warrantless searches and secret requests for information has exploded, and recent court actions in the digital age have expanded the reach of even legal searches, challenging the Fourth and Fifth amendments of the Constitution in ways the Founding Fathers could never have foreseen. A transparency report released from the Director of National Intelligence (“DNI,” the President’s appointee who manages the U.S. spy agencies) reveals that warrantless searches on Americans doubled between 2013 and 2015, from 2,100 to 4,672. Searches of Americans’ metadata (information about who is talking to who, vs. specific content searches) went from 9,500 to 23,800 during the same period. And these figures don’t even take into account the searches conducted by the FBI or CIA. That’s completely different, as FISA (above) has ruled that the FBI can conduct as many warrantless searches as it wants, because its database only “incidentally” collects such information (so-called “back door” searches) about American citizens, therefore it is exempt from releasing estimates, although they are believed to far exceed the CIA and NSA warrantless searches.
Comparative Laws of Other Countries
On the other hand, be glad that you’re still in the U.S., where the Internet is still largely unregulated: Other countries, such as China, tightly control access to and use of the Internet and prohibit any discussion of the Government’s policies. Even Vietnam retains a tight grip on Internet media. “Decree 72” not only specifies that social networking sites like Facebook and Twitter be used only “to provide and exchange personal information” but also convicts users for anti-state activity for online publication of material that “opposes” the Vietnamese government or “harms national security”. Control over the Internet is maintained because Vietnamese law requires foreign ISPs to maintain their local servers inside Vietnam (where they can be shut off). There have been several convictions of these anti-state violations. And on May 5, 2014, Russia passed a “bloggers” law requiring popular sites with more than 3,000 visitors daily to register with the government, no longer able to avail themselves of anonymity. That’s because President Vladimir Putin considers the Internet “a special C.I.A. project,” as he publicly declared in April. Another Russian internet law, effective August 1, 2014, gives his government the power to block websites. And, in June, 2014, Russia’s lower house of parliament passed a law requiring internet companies to store Russian citizens’ personal data inside the country, effectively making the internet a closed system in Russia. The law still has to be passed by the upper chamber and signed by President Putin before it becomes effective in September, 2016.
As discussed elsewhere in this site, Europe has no problem making rulings or passing laws about privacy that cover everyone, everywhere. On May 13, 2014, the Court of Justice of the European Union (“CJEU”) ruled that Google and other search engines can be ordered to delete links to outdated information about a person on the Internet. The way it works is that European citizens that want to be forgotten by search engines can file a request directly with the search engine operator to have out-of-date information about them deleted. The operator must determine if the information is still relevant and, if not, must remove the results. Seeing the handwriting on the wall, Google plans to release an on-line tool, both for Europe and other countries like the U.S., implementing a procedure for a “right to be forgotten” (rather “a right not to be found”), along with an authentication mechanism to prevent unauthorized takedown requests. This will be an expansion of the existing semi-automated Google tools for requesting removal of some personal information, such as signatures, bank account details and national identification numbers.
CURRENT AND FUTURE LAW
Unfortunately, because Congress is obviously not interested in addressing or protecting privacy (as said by Jonathan Stickland, Republican state representative in Texas), it is left to the states to act in a patchwork quilt of laws. In response to the reports of widespread NSA and other surveillance, over the past year, over two dozen laws have been passed in at least ten states (many of which are listed in this web page with an * to show the evolving nature of the topic). For example, Texas requires warrants for e-mail searches (in a bill sponsored by Rep. Stickland); Oklahoma enacted a law to protect the privacy of student data; states have passed laws to regulate who inherits digital data (e.g. Facebook passwords) when a user dies; eight states have passed laws limiting the use of civilian drones; Vermont has limited the use of data collected by license plate readers; Florida proposes a bill prohibiting schools from collecting certain biometric data about school lunches and school bus stops; California legalizes the right of children to erase social media posts, makes it a misdemeanor to publish identifiable nude pictures on line without permission and also requires companies to tell consumers whether they abide by “do not track” signals on web browsers (while the “right to know” part of the bill, which required Internet companies to share a copy of information as well as which third parties have received the information, was blocked by ISPs’ lobbyists); Montana’s law requires police to obtain a warrant to track a suspect’s location through cellphone records; close to a dozen states have passed laws restricting employers from demanding access to their employees’ social media accounts; nearly all states have “data breach notification” laws which require both public and private organizations to inform consumers if their personal data is breached or stolen, including their login name and password.
Absent federal government action, like the stalled update to the now 27-year-old ECPA or the proposed consumer privacy bill of rights urged by the White House, this free-for-all will continue, yielding inconsistent or nonexistent positions on many privacy issues. The position of the NSA and the White House is essentially unchanged: An “independent” report released on December 18, 2013 by the Review Group on Intelligence didn’t recommend any significant cutbacks to the NSA program, offering only minor judicial oversight and public transparency.