Electronic surveillance

Widespread electronic surveillance, whether conducted by the government, corporations, or individuals, has obvious consequences for individual privacy. Technological innovations have enabled the use of surveillance without the need for physical proximity to a subject. Since the presence and use of such technology are often difficult to detect, a subject under surveillance may find that conversations, emails, and activities that were assumed to be private communications or actions were in fact observed and tracked. Although such messages and acts may be protected by privacy rights, these traditionally have had to be balanced against an often-conflicting public interest, such as the need to obtain evidence of criminal wrongdoing or to strengthen national security.
The term “electronic surveillance” does not necessarily correspond to a legal definition. As a descriptive phrase, it is extremely broad; as reflected in the legislative framework, however, it is used generally to delineate the means and techniques of surveillance, rather than to characterize the information obtained thereby. This usage thus includes within its purview wiretapping, “bugging,” and the electronic interception of e-mail.
Wiretapping can be done either mechanically or, given modern telephony, digitally. The former involves placing a listening device on physical equipment such as a handset, and either connecting directly to the telephone line or mechanically switching the telephone signals. With the development of digital telephony, which is utilized by cable service companies, and Internet telephony, the difficulties and detection risks of physical or mechanical tapping can be minimized, as a remote computer can be used to perform the requisite signal switching easily and effectively. Wiretapping and bugging, whether mechanical or digital, are means by which the contents of a communication can be detected and recorded. Digital interceptions can, however, also record “logs,” such as a list indicating the number and duration of the calls made and received. Telephone service companies also routinely log non-content data for billing and other subscriber-related purposes. These records may be subject to disclosure in response to a subpoena or other court order.
The “traditional” means of electronic interception reflected a distinction between content and non-content communications, in that pen registers and trap-and-trace devices work differently than wiretaps. A pen register is an electronic device that records the numbers dialed from a telephone; a trap-and-trace device is similar except that it records the incoming dialed numbers to a telephone. As reliance on the use of computers and the Internet has grown, it has become possible to collect more and increasingly varied kinds of non-content data (often referred to as “transactional data” or “traffic data,” to distinguish such information from the actual contents of a communication). Transactional data include the date and time of a communication, its duration, and the kind of telephone dialing information collected by pen/trap devices. On the Internet, which transmits information in the form of digital bit streams and data “packets” that are automatically reassembled at the destination computer, transactional information also includes routing information and the identifying Internet Protocol (IP) “address” of the sending and receiving computer. In essence, devices that enable the monitoring and recording of transactional data are utilized to identify the source, destination, and other information regarding the transmission of a communication.
“Packet sniffer” software and “black box” devices that are attached to a computer network and that detect, filter, intercept, and record data passing across the network are readily and commercially available. Such technology, considered tools for network analysis, are useful for troubleshooting and technical maintenance; however, they also facilitate the monitoring of e-mails, Internet chat sessions, file-sharing activity, and other communications that pass through the network. The Carnivore software suite that was utilized by the U.S. Federal Bureau of Investigation (FBI) is an example of packet sniffer technology, relying on sophisticated filtering to isolate, intercept, and analyze data packets transmitted across an Internet service provider’s (ISP’s) network.
This category of surveillance includes keystroke-logging devices (which record every stroke of a computer user’s keyboard entries). Keystroke loggers can take the form of hardware devices or software; in the latter form, they can be installed by way of a “Trojan horse” or other software virus. The FBI has successfully utilized keystroke loggers to obtain encrypted computer passwords of suspects in criminal investigations.
Other forms of computer and online tracking technology include “cookies” and “web bugs” (also known as “web beacons” or “clear gifs”), used mainly by Internet marketers and advertisers. A cookie is a data file that is stored on the user’s computer and sends back information about that user’s online activity with regard to particular websites and web pages (such as when they were accessed and for how long). Cookies are useful for gathering information about users’ web browsing habits and preferences, and they can also store registration, online shopping, and other user data. A web bug is an invisible image embedded in a web page or an email that is is downloaded when the page or e-mail is opened by a computer user. Although similar to cookies in that they provide information about when a user visits a website, web bugs embedded in e-mails can generate wider privacy concerns, as they also provide information about the user’s computer (e.g., its IP address and web server).
The term “spyware” is used generally to refer to software that exists on a computer’s hard drive unbeknownst to the user and that surreptitiously monitors the user’s computer activity; it may also alter or activate certain computer functions at a third party’s behest (such functionality classifying it also as “malware,” or malicious software). A good deal of “adware,” or software that displays advertising to a user, is also commonly categorized as spyware because it is often installed without the user’s knowledge, though it may not amount to malware. Spyware, particularly adware, usually includes a monitoring function, which can vary from monitoring the user’s online browsing activity to redirecting the user to different websites (usually as part of an advertising network utilizing the spyware in question).
These devices are used to detect the presence and availability of wireless networks and activity within those networks. With the proliferation of wireless networks in homes, schools, offices, and elsewhere, there has been a corresponding increase in the establishment and availability of wireless access points (WAPs), including free WAPs offered by commercial establishments to their customers. This has facilitated the practice of “war driving,” where a laptop enabled with the right software can be used to detect a wireless computer network, to log on to it, and even to intercept data traveling across that network.
“Locational data,” similar to “transactional data” in that they do not generally relate to the contents of a communication, disclose the geographical location of a user or computer. Locational data can be obtained by utilizing the Global Positioning System (GPS) or devices that rely on triangulation between a wireless cellular telephone and cellular signal towers, as does the E-911 feature included in U.S, cellular phones, as mandated by the Federal Communications Commission.
Mobile or cellular telephones utilize a wireless network comprising various base stations linked to a traditional telephone network and communicating through electromagnetic radio waves. Although different providers may use different technological standards for communications, digital technology such as GSM (Global System for Mobile Communications) is used widely. In addition to speech, mobile telephones support other services, such as text messaging, Internet access, and the exchange of video and photo files. Tapping into a mobile telephone network allows the collection of transactional as well as locational data, since it is possible to identify the base station for the call in question. Content data can also be intercepted, and, as new technology (such as 3G, or third-generation, mobile telephone technology) enabling the transfer of more types of files gains ground, the kinds of content data that can be intercepted will also grow. These new technologies rely on the transmission of data stored on a mobile device (“tag”) equipped with a transponder that responds to radio frequency signals sent by a transceiver. Radio frequency identification (RFID) allows the transmission of locational and transactional information in the form of data stored on the tag; because the tag can be attached to any person or object, an RFID system enables mobile tracking.
Data mining is an analytical tool that uses statistical modeling, computational techniques, and search functionality to analyze, extract, compare, and link vast amounts of data within and across databases. Previously disparate or unconnected data can be compiled and analyzed, and patterns discerned.
A significant issue for privacy in relation to some of these new techniques is the possibility that they can be used in combination. For example, locational data can be combined with a user’s web browsing patterns (obtained by some other method), placed into a database, and analyzed using a variety of software and techniques, including data mining. This ability poses a challenge for the legal regulation of electronic surveillance, which traditionally has largely focused on, and applied differing standards based on, distinctions between content and non-content data, and between data being intercepted while in transmission and its interception thereafter (i.e., in electronic storage).
A few differences between the more traditional forms of electronic surveillance (such as wiretapping, bugging, and the use of pen registers and trap-and-trace devices) and methods involving the Internet should also be noted in this context. First, it is easy to make a distinction between the contents of a communication and the transactional data surrounding it, such as the telephone number dialed or the duration of the call. This distinction is less clearcut in the case of Internet communications. For example, the subject line of an e-mail communication can reveal much about the contents of the e-mail itself, and some pen/trap devices can capture dialing signals that are content-related (such as credit card numbers). Second, tracking a computer user across the Internet (such as by means of the websites visited) can disclose information that is not limited to facts regarding location and destination, but that is more personal in nature, such as the user’s online shopping behavior, interests, and habits. Third, the availability and adoption of data mining technology raises the possibility not only that databases containing personal or private information can be created, but also that vast amounts of information can be combed, compiled, linked, and profiled in a way not previously technologically feasible. The implications include the risk that existing laws will prove insufficiently flexible or technology-neutral to cope with the new technology (and its allowance for electronic surveillance on a scale and with an ease not previously possible) and that the broad potential capacity for greater electronic surveillance mandates a reexamination of the appropriate balance to be struck between privacy protection and the need to prevent legitimate government or corporate objectives from being impeded by overzealous regulation of new technology.
Electronic surveillance that does not capture the contents of a communication is dealt with by specific provisions and statutes. The Pen/Trap Statute prohibits the use of pen/trap devices except through a court order or under the Foreign Intelligence Surveillance Act of 1978 (FISA). The Stored Communications Act criminalizes unauthorized access to or alteration of wire or electronic communications in “electronic storage” by anyone other than the systems provider or the user who originated the communication or for whom the communication was intended, except under a warrant or court order. These legislative measures thus allow the U.S. government, upon a court’s authorization, to obtain transactional, traffic-related, and similar data through electronic surveillance, and to gain access to the contents of wire and electronic communications after their transmission.
The same technology that permits government surveillance can be used by private corporations and individuals to obtain information surreptitiously. One key difference between government (public-sector) surveillance and private-sector monitoring is the lack of Fourth Amendment protection for subjects of the latter. Although the provisions of the Wiretap Act prohibiting intentional interceptions of content-based transmissions apply to private-sector surveillance, its exceptions allow limited monitoring. For example, interception is permitted with the consent (express or implied) of at least one of the parties to the communication, or if the interception is “a necessary incident to the rendition of the service or to the protection of the rights or property of the provider of the service.” The consent exception has been invoked in some cases involving the use of cookies and similar technology by Internet advertisers to monitor the web browsing habits of computer users. Because Internet advertising relies on a network of individual websites to which the advertisers serve up their advertising, U.S. courts have held that the provisions of the Electronic Communication Privacy Act of 1986 (ECPA) regarding consent require only the consent of the individual “client” website, not of the individual users of each of those websites, and that consent pertains to the placing of the advertisements, not of the cookies carried by them to an individual user’s computer. For this reason, it has been problematic for individual users to rely on the ECPA to protect them against Internet marketers.
Electronic surveillance is generally viewed as an indispensable tool for criminal investigations and law enforcement. Both legislators and the courts have displayed some measure of nimbleness in enacting, amending, and interpreting the law to accommodate this need while remaining cognizant of the corresponding risk of loss of privacy. In the United States, the need to balance privacy concerns with the needs of law enforcement can be seen in the various procedural safeguards in the wiretap statutes and the courts’ role in interpreting the Constitution. Although recent legislation, such as the Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) and similar laws in other jurisdictions, seems to have tipped the balance in the direction of greater surveillance, this shift may be justified on the grounds of national security in the face of a growing threat of terrorism. The challenge will be to continue to maintain the appropriate balance, to the extent necessary and proportionate to the perceived public policy threat justifying a potential encroachment on privacy. In addition, any future amendments to electronic surveillance legislation should be mindful that new technology challenges the boundaries of legal distinctions between the interceptions of different kinds of data. These issues should remain uppermost in the minds of policymakers, particularly if greater surveillance powers continue to be granted by law, since at some point the pressing public policy need for such powers may well diminish or disappear altogether. Consequently, the difficulties inherent in attempting to craft a balance between individual privacy and increased surveillance must be confronted.