Americans Need an IT Bill of Rights

Protecting our computers, cell phones and other technology against unlawful searches and seizures

President George W. Bush recently signed the new Foreign Intelligence Surveillance Act (FISA), bringing an end, at least for now, to a year-long dispute between Congress and the White House over their respective war powers.

Unfortunately, politics obscured important constitutional questions that the issue raised about search and seizure in today’s information age. In the end, aside from granting phone companies immunity when they comply with the FISA warrant, I’m not sure what changed. Some say new amendments strengthen judicial oversight, but there are enough loopholes in the definition of “oversight” that the executive branch can move forward with a surveillance order while delaying court authorization indefinitely. It’s questionable if there were any new civil liberties safeguards. Americans sure could use them though, especially as we become more reliant on information technology in our everyday lives.

In the FISA case, the federal government sought to intercept cell phone calls and examine the international calling records of Americans without a warrant. Elsewhere, the government has floated the idea of tracking Web search queries and compiling a database on individual online purchases. U.S. Customs and Border Protection agents already examine files on laptops at border entry points (see “Government Wants to Know What Is On Your Computer and Cell Phone,” March 5, 2008).

The FISA case really highlights two trends that threaten Americans’ civil liberties and should be of concern to all of us. The first is that the U.S. government, when it comes to IT-related matters, tends to deputize the industry into law enforcement. The second is that, since the 9/11 terrorist attacks, the government seems to be sending a message that when it comes to IT and telecommunications, a different set of citizen privacy and security rights apply.

The Fourth Amendment guarantees the right of Americans to be secure in “their papers and effects.” Today, many of those papers and effects are stored electronically, either on a home PC or an Internet server owned by a third party. The Fourth Amendment can only meaningfully safeguard Americans’ civil liberties in the IT age if the connection between today’s storage and networking technology and the country’s founding principles is sharpened. Here then, I propose an IT user’s Bill of Rights.

The right to be secure in one’s electronic documents, whether created and stored on a personal device, such as a PC, PDA, or phone, or on a third-party server or servers, shall not be violated. No warrants shall be issued, but upon probable cause, supported by legal due process, naming the subject of the search and describing the device to be searched and the documents to be seized.

This language comes directly from the Fourth Amendment. It aims to spell out that electronic documents are subject to the same constitutional safeguards as letters, journals, photos, and other material on paper.

All government agencies shall take necessary and proactive steps to protect any personal data it collects, stores, or copies from unauthorized access, loss, or theft.

In May 2006, the Veterans Administration lost 26 million Social Security numbers and tried to keep it secret. A House investigation that same year found that most government data breaches stem from the theft of laptops, drives, and disks, as well as unauthorized use of the information by employees. If, as a matter of course, the government must collect information on its citizens, there needs to be strong and specific policies in place that assure security and accountability for the protection of that personal data.

Individuals shall have an expectation of privacy for their electronic documents.

Courts allow surveillance photos and video taken in public places to be admitted as evidence because there is no expectation of privacy. A wily government attorney might argue that a computer or server is “public” because its files can be shared over the Internet. This provision establishes that when a user takes reasonable safeguards against unauthorized access to certain data, a zone of privacy exists around the material.

Third-party companies shall not be held legally liable for the destruction, deletion, or erasure of client documents and records if such erasures are a regular part of business operations.

There are already federal and state legislative moves afoot to set regulations on the retention of data by Internet service providers. Such rules stand to impose greater costs on businesses while providing opportunities for electronic “fishing expeditions” by law enforcement officials and private investigators. There are laws regarding the preservation of evidence when an investigation is underway. Absent that, if it’s the policy of an Internet service provider to dispose of client electronic records after a fixed number of days, weeks, or months, and it is consistent in applying that standard, it should be free of any legal liability when it does so.

A third-party company shall not provide any government agency with access to a customer’s electronic documents or records unless the agency has followed legal due process.

While the new FISA law protects telecommunications companies from lawsuits if they comply with a warrant, this provision calls on third-party companies to require law enforcement agencies to have obtained a warrant and to be in compliance with federal, state, and local laws before allowing them access to customer records or calls.

No user shall be held liable for following, in good faith, IT security policies of his or her employer regarding the confidentiality and protection of corporate information.

This protects employees when they follow corporate directives designed to prevent unauthorized access or copying, such as disabling flash drives, encrypting proprietary information, and deleting or offloading hard drive contents before traveling.

The pervasiveness of data networking means that we can’t help but lose some control over where our data goes in this day and age. Yet, the government seems to be more interested in exploiting these vulnerabilities than respecting the privacy of its citizens. Due process asserts that the government, to conduct a search, must show probable cause. Whether it’s the desktop drawer or the desktop computer, the same rule should apply: No warrant, no access.