Sharing is not caring: President Obama’s voluntary cybersecurity information sharing proposal will hurt privacy rights
Melika Nariman
July 2015
Master's thesis
Universiteit van Amsterdam
Instituut voor Informatierecht (IViR)
Master Informatierecht
Student number: 10220968
Supervisor: Prof. dr. N.A.N.M. van Eijk
Date: 31 July 2015
‘But if thought corrupts language, language can also corrupt thought.’
- George Orwell, Politics and the English Language
TABLE OF CONTENTS
Introduction
Chapter I: The Cybersecurity Legislative Proposal
1. Background
2. Text
3. Cybersecurity
Chapter II: Applying legislation
1. The Fourth Amendment
1.1 Metadata
1.2 Private entities
1.3 Third-party doctrine
1.3.1 Digital complications
1.3.2 Problems with the third-party doctrine
1.3.3 Recent case law implications
1.4 Conclusion
2. Other legislation
2.1 Privacy statutes
2.2 The Stored Communications Act of 1986
3. Protections For Civil Liberties Within The Proposal
Chapter III: Private actors
1. Private entities who voluntary share information
2. Compelled disclosure of information
3. Limitations to compelled information disclosure
3.1 Riley v. California
3.2 Klayman v. Obama
Conclusion
Recommendations
1. Mandatory information sharing framework
2. Amending the Proposal to address privacy concerns
3. An alternate approach
Bibliography
‘When Government and industry share information about cyber threats, we’ve got to do so in a way that safeguards your personal information. When people go online, we shouldn’t have to forfeit the basic privacy we’re entitled to as Americans.’1
INTRODUCTION
The information and communications infrastructure of the United States faces constant threat and has become a National Security issue2 and one of the most pressing issues of the Obama administration.3 President Obama has declared that the U.S. digital infrastructure - the networks and computers - will be treated as a strategic national asset. Protecting this infrastructure is considered to be a national security priority.4 President Obama once again highlighted the importance of a secure and protected cyberspace when he stated that ‘America’s economic prosperity in the 21st century will depend on cybersecurity.’5
A successful cyberattack on any form of infrastructure in the United States has the potential to do as much damage as, or more than, any conventional terrorist attack. Because of the current dependency on computer systems and technology, potential threats to or interference with vital systems are extremely dangerous and costly.
In one recent and highly publicized example, on November 24th 2014, Sony Pictures Entertainment suffered a widespread hack that rendered the film studio’s computers useless, in a twist right out of a cybersecurity thriller movie. The hack led to the leak of confidential information, such as unreleased films, employee salaries, and embarrassing e-mail exchanges between top executives. While the Sony hack dominated the news towards the end of 2014, three major cyberattacks against U.S. companies shook the corporate world earlier that year6. In January, Target announced that hackers had stolen personal information from an estimated 110 million accounts. In August, the networks of several banks, most prominently J.P. Morgan Chase, were infiltrated by a network of hackers who accessed large quantities of data, including checking and savings account information. And in September, Home Depot confirmed that they had been infiltrated by hackers, admitting that over 56 million customer accounts were put at risk. And while much focus has been on attacks on major corporations, like Target, J.P. Morgan, Home Depot and Sony, small businesses are far from immune. Cybercrime and cyber attacks on U.S. companies can lead to costs that can run up to as much as $100 billion each year.7
1 President Barack Obama, “Remarks by the President at the Cybersecurity and Consumer Protection Summit”, Stanford University, February 13 2015.
2 Obama, Barack “The National Security Strategy of the United States of America.” 27 May, 2010, http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf
3 The White House, Cyberspace Policy Review (2009), available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.
4 White House Office of the Press Secretary, “Remarks by the President on Securing our Nation’s Cyber Infrastructure,” press release, May 29, 2009, http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/.
In the wake of the Sony hacks, the White House unveiled a proposal for cybersecurity legislation that could shore up the nation’s cyber defenses and help prevent any more breaches. The Obama administration’s 2015 update to the Cybersecurity Legislation Proposal of 20118 aims to encourage the private sector to share cyber threat information with the Government. The President believes that it is important for the private sector and Government to work together to fight any more cyber threats: ‘Neither Government nor the private sector can defend the nation alone. It’s going to have to be a shared mission - Government and industry working hand in hand.’9 President Obama acknowledges that securing the nation’s digital infrastructure ‘is a national security priority and a national economic priority.’10
Computer and network security have become matters of major economic, social, and national security importance in the United States. Computer networks have joined other systems like defense, energy, health care and transportation that are critical to the functioning of the national economy. The Internet has established a critical infrastructure where everything is connected. Therefore, it is important for the administration to propose legislation to further protect the digital infrastructure.
6 Tobias, ‘2014: The Year in Cyberattacks’, Newsweek 31-12-2014 [online]
7 http://www.mcafee.com/nl/resources/reports/rp-economic-impact-cybercrime2.pdf
8 Obama Administration Cybersecurity Legislative Proposal (2015)
9 President Barack Obama, “Remarks by the President at the National Cybersecurity Communications Integration Center Consumer Protection Summit”, National Cybersecurity Communications Integration Center - Arlington, VA, January 13 2015.
However, is the administration’s Cybersecurity Legislative Proposal, in which the voluntary sharing of cyber information between private companies and the Government is enabled, the way to go?
The main purpose of this thesis is to describe how a framework for the voluntary sharing of cybersecurity information between private and Government entities, such as proposed in the administration’s Proposal, does not ensure essential safeguards to protect the privacy of American citizens and should therefore not be passed by Congress. The Proposal contains several sections that are problematic when it comes to privacy protection. Firstly, voluntarily shared information might hinder the Fourth Amendment from applying. Secondly, other privacy laws are not applicable when information is shared voluntarily. Thirdly, the Government is still able to compel the disclosure of information.
All in all, with the proposed legislation, the administration has found a way to circumvent privacy protection by creating a framework that is misleading. In the digital age, technology has advanced in such a way that it is possible to track and identify personal communication on a large scale. Digital communication technologies have become a part of everyday life for most Americans. In modern society, personal information is constantly being processed in an online environment. Personal information is being disclosed, verified, recorded and generated in order to participate in modern society. Therefore, there is a wealth of information available that has to be subject to privacy protection. It is necessary for a voluntary sharing of information framework to safeguard privacy protection, otherwise people’s privacy rights are at risk. Unfortunately, President Obama’s Proposal fails to do so.
The Proposal will function as a guide to discuss the privacy concerns the voluntary sharing of information sections cause. So, even though the Proposal contains other sections that are not directed towards the voluntary sharing of information, those sections are beyond the scope of this thesis. The scope of this thesis is defined by the voluntary sharing of information.
Furthermore, the descriptive method of research is used in determining the privacy concerns that voluntary sharing of information causes. Descriptive research is a type of research that is concerned with describing the degree of privacy concerns the Proposal causes. The sources that are used are articles that describe privacy in the digital age, and the complications that voluntary information sharing causes. Also, case law from the Supreme Court and lower courts will play a major part in providing arguments against the Proposal.
The outline of this thesis is somewhat complicated because of the complicated nature of analyzing the Proposal. Generally speaking, this thesis will consist of two parts: one part will describe the voluntary sharing of information aspect of the Proposal and the other part will analyze the receivers and contributors of such information.
In this thesis, I will discuss how a voluntary sharing of cyber threat information framework, such as proposed in the administration’s Proposal, causes serious concerns for the protection of digital privacy. Sharing cybersecurity information in such a manner is not only ineffective but it would also entail great privacy risks.
Chapter I will provide a brief background as to how the Proposal came to be, discuss the actual relevant texts of several sections, and briefly explore the concept of “cybersecurity”. This chapter is meant to provide a brief introduction to the subject of cybersecurity.
Chapter II reviews the voluntary sharing of information standard in the Proposal. A major red flag is that the relevant section includes the words “notwithstanding any other provision of law”. Any private entity that discloses information to the Government will be able to do so without violating privacy laws. To discuss how troubling this exclusion of protection might be, this chapter will address the laws that will be trumped by the Proposal. Firstly, the Fourth Amendment will be applied to the Proposal. The Government assumes that it is possible for them to rely on the third-party doctrine. This doctrine was developed a long time ago and holds that there are no Fourth Amendment protections for information voluntarily disclosed to third parties. While such a policy may have made sense at a time when the Internet did not exist, it makes little sense today. The digital age has made everything data. And nearly every bit of data is shared, voluntarily or involuntarily, with third parties. The disclosure of data is necessary to participate in modern society, and therefore it is not always voluntary. Further, the Government has stated that the relevant information will mostly consist of metadata. This argument is not valid, because technology has evolved to the extent that it is possible for metadata to reveal personal information. Furthermore, the Proposal proposes a framework in which only private entities are allowed to disclose information to the Government. This too is a manner in which circumvention of the Fourth Amendment is possible, because according to traditional Fourth Amendment theory it is only applicable to state action. However, case law suggests that this might not always be the case, since private actions are sometimes considered to be state actions. Secondly, this chapter will review the privacy protections Privacy Statutes might offer. Thirdly, the protections of the Stored Communications Act will be reviewed. And lastly, this chapter will finish with a review of the protection for Civil Liberties the Proposal offers.
Chapter III explores the actors that are encouraged to voluntarily share information. Because of the controversy surrounding Edward Snowden’s disclosures on the NSA’s prolonged data collection program, private companies are hesitant in disclosing information to the Government. Therefore, this chapter will also explore the manners in which the Government can compel the disclosure of information from private entities. However, there are limitations to this ability to legally compel information from private entities: recent case law shows that the court is reviewing the warrantless data collection searches by the Government.
The very last chapter will consist of a few recommendations that are a better fit to the purpose of the Proposal. A voluntary sharing of cyber threat indicators is not efficient in protecting either national security or the privacy of individuals. A better approach would be a mandatory framework.
CHAPTER I: THE CYBERSECURITY LEGISLATIVE PROPOSAL
1. BACKGROUND
The Obama administration has led several efforts to prepare the Government and economy for the growing amount of cyber threats the nation faces. Shortly after entering office, President Obama embarked on pursuing a new view on cybersecurity when he called for a complete review of Government cyber policies and practices. The administration published The Cyberspace Policy Review several months later.11 This was the first time the administration conducted a wide review of cybersecurity. The Review recognizes the importance of establishing leadership within the federal Government to improve cybersecurity issues, and describes cybersecurity as a global issue that also requires international cooperation.
A few years later, in 2011, the administration presented its Cybersecurity Legislative Proposal.12 The Cybersecurity Legislative Proposal is a set of non-binding regulations that was composed to improve the nation’s network and infrastructure. This proposal was intended to bring together the many cyber-related bills that were introduced in the Congress and aims to provide guidance to Congress on several key cybersecurity legislative issues.13 The focus of the proposal is on improving cybersecurity for Americans, the nation’s critical infrastructure, and the Federal Government’s own cybersecurity safety. The administration proposed the voluntary sharing of information with industry, states, and local Government. These entities can share information about cyber threats or incidents with the Department of Homeland Security (DHS). Any concern within these entities will be addressed by providing them with immunity when sharing cybersecurity information with the DHS. At the same time, the proposal mandates privacy oversight to ensure that the voluntarily shared information does not violate individual privacy and civil liberties.
Since 2011, the United States has faced an alarming growth in the number of cyber threats. Cyber threats have become a major threat to the security of the United States. The multitude of cyber threat events in 2014, including numerous breaches into major retailers, a widespread encryption vulnerability known as Heartbleed, and the recent destructive and coercive cyber attack against Sony Pictures Entertainment, has led the Obama administration to launch specific cybersecurity policy initiatives.
11 Ibid, at 3
12 FACT SHEET: Cybersecurity Legislative Proposal (2011). The White House, available at https://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
On January 13th 2015 the Obama administration presented three legislative proposals that aim to update the Cybersecurity Legislative Proposal of 2011. The proposals focus on the three remaining priorities that Congress has not yet enacted, or that the administration is unable to accomplish without statutory change. The three priorities of the administration’s 2015 proposals are: 1) enhancing cyber threat information sharing within the private sector and between the private sector and the Federal Government; 2) protecting individuals by requiring businesses to notify consumers if personal information is compromised; and 3) strengthening and clarifying law enforcement’s ability to investigate and prosecute cyber crimes.
The updated proposal promotes better cybersecurity information sharing between the private sector and Government, and it enhances collaboration and information sharing amongst the private sector. The difference from the 2011 version of the proposal lies in the fact that the recent update encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs), by providing targeted liability protection for companies that share information with these entities.14
2. TEXT
President Obama’s updated version of the Cybersecurity Legislative Proposal aims to enable cybersecurity information sharing. There are several terms that need to be addressed, since they fall under the scope of the subject of this thesis.
Firstly, for a clearer understanding of the Proposal, it is important to consider that the numbering of the Proposal’s sections starts at 101. Thus, the Proposal does not contain one hundred articles, but it starts at 101.
Section 101 describes the purpose of the proposal as an act ‘to codify mechanisms for enabling cybersecurity information sharing between private and Government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.’ The proposal serves as a legal act to provide for the sharing of certain cyber security intelligence and cyber threat information between the federal entities, as well as private entities. The fundamental goal of the proposal is to make it possible for private entities to share cybersecurity information with the Government.
The administration included definitions for several terms. Section 102 sets forth a list of definitions of relevant terms. Section 102(1) defines a “cyber threat” as ‘any action that may result in unauthorized access in order to damage or impair the integrity, confidentiality, or availability of an information system or unauthorized exfiltration, deletion, or manipulation of information that is stored on, processed by, or transiting an information system’.
Section 102(2) defines the term “cyber threat indicator”. The administration clarifies the term by listing six types of necessary information that indicate, describe or identify cyber threat indicators. One such type of information is “malicious reconnaissance”, which is described as ‘a method for probing or monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such a method is known or reasonably suspected of being associated with a known or suspected cyber threat.’
Section 103 is of great importance to the scope of this thesis, because it describes the “voluntary sharing of cyber threat indicators”. Section 103(a) describes the voluntary sharing of cyber threat indicators to private sharing and analysis organizations and the National Cybersecurity and Communications Integration Center. Section 103(b) describes the voluntary sharing of cyber threat indicators with law enforcement. Section 103(c) aims to provide some restrictions on the sharing of such information by asking private entities to take “reasonable efforts” to minimize personal information.
Chapter II will provide a further consideration of Section 103 and the voluntary sharing of cyber threat indicators.
And lastly, Section 106 provides for limitations of liability for disclosure of cyber threat indicators, by proposing that ‘no civil or criminal cause of action’ shall lie or be maintained in court against any entity that voluntarily discloses cyber threat indicators to the Government. But this limitation does not prevent the NCCIC or a private information sharing and analysis organization, pursuant to Section 104, from requiring an entity to disclose information.
Furthermore, Section 106(2) describes how a Federal entity cannot be prevented from using cyber threat indicators received independently through other lawful means, even if that same information is also received pursuant to this Act.
Chapter III will discuss Section 106 and the disclosure of cyber information to the Government.
3. CYBERSECURITY
Computer and network security (together “cybersecurity”) have become matters of major economic, social, and national security importance to modern society.15 Computer networks have joined other systems like defense, energy, transportation and health care that are critical to the functioning of the United States’ national economy.16 Computer networks are considered to be the “nervous system” that ties together and controls these other components of national infrastructure.17 This infrastructure, however, is increasingly subjected to sophisticated network attacks that constantly threaten the activities that rely on such infrastructure. Modern cyber attacks threaten to target infrastructure that is integral to the economy, national defense, and daily life.18 Society has benefited from innovative applications that connect people and devices via the Internet, but malicious parties have taken advantage of the Internet’s connectivity by exploiting technological and human vulnerabilities to perpetrate attacks for personal, financial and political gain.19 President Obama has announced that ‘our digital infrastructure - the networks and computers we depend on every day - will be treated as they should be: as a strategic national asset,’ to be protected as ‘a national security priority.’20
15 Burstein, Amending the ECPA to Enable a Culture of Cybersecurity Research, Harv. J.L. & Pub. Pol’y 2008/22, No. 1, p. 167.
16 Ibid.
17 Ibid.
18 Ibid.
The conceptualization of cybersecurity challenges policymakers and academics.21 The term “cybersecurity” is a concept that has become widely used by individuals with substantially varying definitions who all believe a common meaning exists in discourse.22 These varying definitions require different, sometimes conflicting skill sets and assume different goals. For example, consumer information data breaches are one of the best-known aspects of cybersecurity, but perhaps equally prevalent in the U.S. are the activities of foreign state-sponsored malicious actors. Conventional wisdom on cybersecurity issues identifies the problems as all-encompassing.23 Scholars, Government officials, and journalists sometimes tend to view cybersecurity as “the protection of all things Internet” - an approach that impedes practical progress by not setting priorities.
Cybersecurity is a complex topic: its regulation has been the subject of substantial policy and media attention over the past several years and involves a complex mixture of state and federal regulation.24
Since President Obama’s Cybersecurity Legislative Proposal plays an important part in this thesis, his opinion on what constitutes “cybersecurity” is particularly important. In his Cyberspace Policy Review, President Obama offers a representative definition of cybersecurity:
‘strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.’25
19 Ibid.
20 Gorman, Electricity Grid in U.S. Penetrated by Spies, WSJ 08-04-2009.
21 Bambauer, Conundrum, Minn. L. Rev. 2011/96, p. 584.
22 Thaw, Data Breach (Regulatory) Effects, U. of Pittsburgh Legal Studies Research Paper No. 2015-13.
23 Sommer & Brown, “Reducing Systemic Cybersecurity Risk”, Organisation for Economic Co-operation & Development, 9–14 (January 14th, 2011), available at: http://www.oecd.org/dataoecd/57/44/46889922.pdf (tracing the history of cyber-security threats and concerns).
For the scope of this thesis, it is not important to consider a specific definition of cybersecurity, because the focus will lie on the voluntary sharing of cybersecurity information. But for the sake of a clear scope, President Obama’s definition will be upheld in this thesis.
25 Cyberspace Policy Review: assuring a trusted and resilient information and communications infrastructure
(2010), The White House, available at:
CHAPTER II: APPLYING LEGISLATION
The word “privacy” does not appear in the Constitution of the United States. Samuel Warren and Louis Brandeis framed the modern constitutional and common law concepts of privacy in their groundbreaking Harvard Law Review article, The Right to Privacy.26 But despite missing the word “privacy”, the Constitution is the cornerstone of modern privacy laws. Cybersecurity information sharing between the Government and private entities, by definition, takes place in the online world. When the Proposal describes the voluntary sharing of cyber threat indicators between the Government and private entities, that information will be part of the online world. The section on the voluntary sharing of cyber threat indicators has implications for privacy protections. Privacy protection is a complicated subject on its own, let alone with the “cyber” component added to it.
This chapter will evaluate the Fourth Amendment in relation to the Proposal. The next chapter will evaluate other legislation.
As written, the administration’s proposal aims to ‘codify mechanisms for enabling cybersecurity information sharing between private and Government entities, as well as among private entities.’27 The proposal promotes better cybersecurity information sharing between the private sector and Government entities, and it enhances collaboration and information sharing amongst the private sector.28
Section 103 describes the main purpose of the proposal by mentioning the voluntary sharing of cyber threat information. More specifically, the proposal encourages the “voluntary sharing of cyber threat indicators” in Section 103(a). In this proposed section the administration clarifies the voluntary sharing of cybersecurity information as follows:
‘Notwithstanding any other provision of law, any private entity may disclose lawfully obtained cyber threat indicators to private information sharing and analysis organizations, and the National Cybersecurity and Communications Integration Center, consistent with this Act.’29
26 Warren & Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).
27 Cybersecurity Legislative Proposal (2015), Section 101.
28 The White House, Office of the Press Secretary. (2015). SECURING CYBERSPACE - President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts [Press release]. Retrieved from https://www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat
Section 103(b) encourages the voluntary sharing of cyber threat indicators with law enforcement, or a federal entity.
Section 103(c) safeguards the personal privacy of American citizens by requiring private entities to comply with certain privacy restrictions such as only allowing the retention of cyber threat indicators for the purpose of protecting an information system, requiring reasonable efforts to minimize information that can be used to reasonably identify a person that is unrelated to a cyber threat, and to comply with reasonable restrictions that another private entity places on further disclosure of a cyber threat indicator to a third party entity.
One of the most troubling provisions is Section 103(a). This section offers private entities an opportunity to share cyber threat information with private information sharing and analysis organizations and Government entities. Cyber threat information remains a vague and broad term and could therefore also indicate personal information. The proposal immunizes these actors from legal liability if the information is “legally obtained”. Furthermore, private entities are permitted to disclose information to the Government “notwithstanding any other provision of law”. These words are troubling, because they explicitly remove cyber threat information shared under the proposal from the coverage of any other laws aimed at protecting privacy. The proposal would therefore come to trump privacy laws. If the words “notwithstanding any other provision of law” were not included in the provision, what privacy laws would apply to the content covered by the proposal?
1. THE FOURTH AMENDMENT
During the 18th century, British officials in the American colonies conducted searches and seizures of people’s homes with little to no suspicion of wrongdoing pursuant to either a general warrant or a writ of assistance.30 These intrusive practices contributed to people’s fear of unrestrained Government power and led to the eventual passage of the Fourth Amendment. As a result, the primary constitutional limitation on the Government’s ability to collect personal information about individuals is the Fourth Amendment, which reflects the Framers’ hostility to “general searches” - searches not based on specific suspicion.31
29 Cybersecurity Legislative Proposal (2015), Section 103(a).
30 Clancy, The Role of Individualized Suspicion in Assessing the Reasonableness of Searches and Seizures,
The Fourth Amendment to the U.S. Constitution reads:
‘The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’32
The Fourth Amendment contains two important clauses, the first establishing the right to be secure in persons, houses, papers and effects against unreasonable searches and seizures, and the second stating the requirements for a valid warrant. The second clause focuses on protecting privacy against certain Government activities. Permissible exercises of Government power are controlled through the process of obtaining a warrant by probable cause. The relationship between the two clauses has been the subject of a long-running debate.33
In the United States, the Fourth Amendment applies to Government activity in both the civil and criminal contexts34, but it is limited to activities that constitute “searches” and “seizures”. When it applies, the Fourth Amendment protects people against unreasonable searches and seizures.35 Neither “search” nor “seizure” is defined in the Fourth Amendment or anywhere else in the Constitution. Determining whether something is a search or seizure is not simple.36 What an ordinary citizen considers a search or seizure may or may not actually constitute a search or seizure under Fourth Amendment jurisprudence.37 As a result, whether Government conduct constitutes a search or seizure has been the subject of much litigation and has resulted in some major Supreme Court cases that clarify both terms. Those cases will be discussed in this chapter.
31 Cate, Government Data Mining: The Need for a Legal Framework, Harv. C.R.-C.L. L. Rev. 2008/43.
32 U.S. CONST. amend. IV.
33 Wasserstrom, The Fourth Amendment’s Two Clauses, Am. Crim. L. Rev. 1989/26, p. 1389.
34 Olmstead v. United States, 277 U.S. 438, 479 (1928) (Brandeis, J., dissenting).
35 Terry v. Ohio, 392 U.S. 1, 9 (1968)
When it comes to Fourth Amendment application, the guiding principle is that searches and seizures must be reasonable. Unfortunately, the Fourth Amendment does not define “unreasonable”, and the Supreme Court’s Fourth Amendment search and seizure doctrine has therefore become complicated and, oftentimes, counter-intuitive.38 Generally, searches and seizures without a warrant are per se unreasonable.39 This is known as the “per se” warrant rule.40
The Government cannot conduct any type of search without consent, unless it has some degree of individualized suspicion that wrongdoing has occurred.41 The degree of individualized suspicion required increases as the suspect’s expectation of privacy rises.42 This means that, for example, a person having a loud conversation in the middle of a square has no real expectation of privacy. No degree of individualized suspicion is required if the Government decides to listen to this person’s public conversation. But if the person is at home, the person has a higher expectation of privacy. The Government, therefore, needs a higher individualized suspicion before it can listen in on a conversation inside the home. Basically, it all comes down to reasonableness.43
If the Government’s conduct does not constitute a “search” or “seizure” within the meaning of the Fourth Amendment, then the Fourth Amendment does not apply to the Government’s conduct, even if a reasonable American person would consider that conduct to be a search or seizure.44 Understanding both terms is therefore important in order to apply the Fourth Amendment.
37 Turner, When Big Data Meets Big Brother: Why Courts Should Apply United States v. Jones to Protect People’s Data, N.C. J.L. & Tech. 2015/16.
38 Ibid.
39 Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, S. Cal. L. Rev. 2002/75.
40 Colb, The Qualitative Dimension of Fourth Amendment “Reasonableness,”, Colum. L. Rev. 1998/98, p. 7.
41 Turner, supra note 31.
42 Kyllo v. United States, 533 U.S. 27, 31 (2001); Bailey v. United States, 133 S. Ct. 1031, 1037 (2013)
43 Turner, supra note 31.
The lineage of the search aspect of the Fourth Amendment can be traced back to the Supreme Court’s decision in Olmstead v. United States.45 The Supreme Court upheld the admissibility of wiretapped phone conversations that were obtained by federal law enforcement officers without a warrant. The Supreme Court concluded that, because the wiretapping involved no physical trespass onto the defendants’ property, there had been no Fourth Amendment violation.46
Forty years after Olmstead, the Supreme Court began to move away from the property-based trespass theory of the Fourth Amendment found in Olmstead, leading to its complete rejection in Katz v. United States.47 After the Katz case, the Supreme Court discarded “talismanic” locus-based protections and reframed constitutional privacy protections in terms of reasonable expectations.48
In Katz, the Supreme Court held that the Government’s recording of the Defendant’s conversation in a public phone booth constituted a search and seizure under the Fourth Amendment and required a warrant. The Court declared that the Fourth Amendment ‘protects people, not places’.49 Katz is taken to mark the start of the “reasonable expectation of privacy” test that governs the Fourth Amendment.50 Justice Harlan explained in his concurrence that the reasonable expectation of privacy test requires the satisfaction of two criteria: (1) a person ‘have exhibited an actual (subjective) expectation of privacy; and (2) that the expectation be one that society is prepared to recognize as “reasonable”’.51 Because people have a reasonable expectation that their conversation in a phone booth is private, their conversation cannot be wiretapped by law enforcement without first obtaining a search warrant.52 Today, the “reasonable expectation of privacy” test is used to determine whether a search meets the reasonableness requirement, and to define when law enforcement’s action is considered a “seizure” protected by the Fourth Amendment.53
45 277 U.S. 438 (1928).
46 Olmstead, 277 U.S. at 457 (“The insertions were made without trespass upon any property of the defendants”).
47 Katz v. United States, 389 U.S. 347, 361 (1967).
48 Heffernan, Fourth Amendment Privacy Interests, J. Crim. L. & Criminology 2001/92, p. 1.
49 Katz v. United States, 389 U.S. 347, 361 (1967).
50 Dennis, Mosaic Shield: Maynard, the Fourth Amendment, and Privacy Rights in the Digital Age, Cardozo L. Rev. 2012/33.
51 Katz v. United States, 389 U.S. 347, 361 (1967).
In this chapter the Fourth Amendment protections will be applied to the voluntary sharing of cyber threat information. Several components of the relevant sections in the Proposal will be discussed and applied to Fourth Amendment protection, starting with the type of data, private actors and the third-party doctrine. The paragraph will finish with a conclusion as to how the voluntary sharing of cyber threat indicators constitutes a violation of the Fourth Amendment.
1.1 Metadata
Voluntary sharing of information in the Cybersecurity Legislative Proposal applies to “cyber threat indicators”.54 A part of Section 102(a)(2)55 defines what qualifies as a cyber threat indicator and what the private sector and Government would ultimately be allowed to voluntarily share. In the administration’s Proposal, cyber threat indicators are defined as ‘information that is necessary to indicate, describe or identify’ cyber threat indicators. The same section then gives a list of indicators that can result in a cyber threat - “malicious reconnaissance” or a “technical vulnerability” are among a handful of other descriptions. According to a senior administration official, the indicators will primarily consist of non-content data, such as technical data, Internet Protocol (IP) addresses, date-time stamps and routing information.56 The Government official thus speaks of cyber threat indicators as being metadata. The Proposal itself does not make a distinction between content data and metadata. Therefore, the official’s remark is not based on the content of the Proposal but rather on an assumption. There are no legal grounds in the Proposal for the cyber threat indicators to consist only of technical information. But, because an official Government administrator assumes that the shared information is primarily going to consist of non-content data, this chapter is going to cover non-content data as well as content data. Before we can dive deeper into the application of the Fourth Amendment on the voluntary
53 Perry, U.S. v. Warshak: Will Fourth Amendment Protection Be Delivered to Your Inbox?, N.C. J.L. & Tech. 2011/12.
54 Cybersecurity Legislative Proposal (2015), Section 103(a).
55 Cybersecurity Legislative Proposal (2015), Section 102(a)(2).