Privacy Expert Hoofnagle Analyzes Implications of NSA Surveillance

Chris Hoofnagle
Chris Hoofnagle

By Andrew Cohen

The massive scale of domestic surveillance conducted by the National Security Administration (NSA) has stunned many Americans, but Berkeley Law’s Chris Hoofnagle saw it coming. Nearly a decade ago, the lecturer in residence warned of increasingly broad and unchecked monitoring.

In his 2004 article “Big Brother’s Little Helpers,” Hoofnagle, who directs information privacy programs at the law school’s Berkeley Center for Law & Technology, detailed an alarming rise in the outsourcing of government investigations to commercial data brokers. He argued that civil libertarians were too focused on government collection of information—while perilously ignoring similar activities by marketing companies.

“That cleared the way for private-sector organizations to create the very federal data center the Privacy Act of 1974 was intended to prevent,” Hoofnagle explained. Government entities sidestepped protections contained in the Privacy Act by allowing private companies to amass and customize troves of personal information for law enforcement and other government agencies. “It was information the government would ordinarily not be allowed to collect,” Hoofnagle said.

Since 2007, the NSA has operated its now infamous electronic surveillance program PRISM (Planning Tool for Resource Integration, Synchronization, and Management). Designed as a top-secret system that collects emails, documents, photos, and other material for government agents to review, PRISM’s existence was leaked last month by Edward Snowden. The leak occurred one day after it became known that Verizon provided the NSA with daily phone records of millions of U.S. customers.

Snowden worked for government contractor Booz Allen Hamilton, a technology consulting firm that assists the NSA and other federal agencies. Over the past decade, U.S. intelligence has relied increasingly on the technical expertise of such firms; about 70 percent of our national intelligence budget is reportedly spent on the private sector. Despite spending fewer than three months inside the NSA’s Hawaii office, Snowden claimed he had power to spy on virtually anyone in the country.

The American Civil Liberties Union (ACLU) sued the NSA in June, claiming that PRISM’s call-tracking program violates the constitutional rights of free speech, association, and privacy—and that it constitutes “dragnet” surveillance, which violates the First and Fourth Amendments. Hoofnagle, co-chair of the annual Privacy Law Scholars Conference and a frequent media analyst on privacy issues, thinks the ACLU faces an uphill climb.

“Those free speech and associational arguments are difficult to mount because of the Supreme Court’s 1972 holding in Laird v. Tatum concerning military surveillance of Americans,” he said. “Because the court ruled that the mere existence of a surveillance program did not create a recognizable First Amendment harm, the plaintiffs will have to show more than just a ‘subjective chill’ of free-speech interests.”

Although the Fourth Amendment requires law enforcement to show probable cause for domestic surveillance, intelligence-gathering is treated differently. The Supreme Court determined that such activities can be conducted with different, lower standards than required by the Fourth Amendment.

“In principle, I think that’s a reasonable view,” Hoofnagle said. “But the political process still must address several problems, including the risk of leaking intelligence data into the criminal process and the risk that intelligence data are used for competitive business purposes. Intelligence gathering must happen to keep the country safe, but we need to find legal and political structures to promote more accountability and trust in intelligence agencies.”

The NSA and its private partners contend that no privacy harm occurs in the mere collection of data, and that privacy implications only surface when such data is used. Hoofnagle calls that argument intuitively appealing, but says it “ignores the potential energy stored in massive databases. Collecting the data is expensive, and so institutions have incentives to find new uses and markets for it.”

Without practical oversight to prevent agencies from misusing these databases, Hoofnagle says the Privacy Act ought to apply to commercial data brokers. To his view, this would help offset the rise in surveillance outsourcing and collection of public records rich with personal information. With government regulators turning a blind eye to private-sector collection of personal information for marketing and other purposes, a growing number of companies have made large profits from selling it.

“Technology is a factor in the NSA controversy, but perhaps more important has been the political economy of regulating private data firms,” Hoofnagle said. “What’s happening now is the logical outcome of a leave-it-to-the-market public policy agenda, which left the private sector’s hands unbound to collect data for the government.”