Steps that need to be taken to rein in the NSA, et al.

  1. Remove the legal authority that allows bulk collection, excessive secrecy, and other abuses. The FREEDOM act and other pieces of legislation proposed so far are tentative, toe-in-the-water, first steps in this direction, nibbling around the edges of the problems. They need to go much further.
  2. Enact harsh, explicit penalties for noncompliance. These are serious issues with major implications domestically and internationally, including causing diplomatic difficulties and negatively impacting markets for American products, not to mention serious violations of privacy and liberty.
  3. Prosecute for past violations of existing laws, as well as for perjury before Congress. (And absolutely do NOT again grant retroactive immunity…) Systematically and repeatedly violating both the will of Congress and the limits imposed by the FISA Court cannot be allowed to pass leniently; nor can repeatedly lying under oath to Congress. Major criminal investigations need to be launched and the perpetrators brought to justice. A GREAT DEAL OF INFORMATION WILL BE BROUGHT TO LIGHT BY DISCOVERY IN THE PROCESS–AS IT SHOULD BE.
  4. Courts should stop deferring to the executive branch in matters of what needs to be kept secret. While they should carefully consider the Government’s arguments about the need for secrecy, I think they have, in general, been far too sympathetic to the Government’s point of view, to the detriment of the public’s right to know important information. In many cases the answer is simple: refuse to make the proceedings confidential, and give the government the choice: if you want to present your evidence, it must be in public. If you want to keep it private, you can’t introduce it as evidence to support your case. Done.
  5. Since bulk collection will no longer be allowed, and that constitutes much of the NSA’s activity, the NSA can no longer justify a large proportion of its budget. NSA’s budget must be cut by at least 50%. (I’d propose a 90% cutback, and lower, 15-25%, cutbacks for the FBI, CIA, DEA, TSA, military, and other agencies.) This would also remove the NSA’s financial ability to perpetrate abuses on such a large scale, forcing them to focus their activities appropriately. It would also punish financially both the agency and their contractors for their corruption and past (and current) abuses.
  6. Enact general privacy laws:
    1. The “third-party doctrine” must be completely eliminated. Virtually everything we do in modern life requires the use of a third party to accomplish. It is ridiculous to think that having handed our information to ONE party (who could be seen as “a member of the public”) amounts to handing that information to “every member of the public as a whole” (or to the government). There are restrictions in place on a few very specific areas of third-party data usage (physical mail, telephones, health care, client-attorney privilege, etc.), but to assume that the lack of such specific coverage for other types of communication or information storage implies they should provide no privacy at all is ridiculous. Even posting to a Facebook wall is not “public”, because many, if not most, people set their postings to be seen by “friends only”. Thus it is not true that even those Facebook postings are in any way “public” – let alone private messages sent to a particular user.
    2. It needs to be made illegal for companies to share anyone’s information with any other party except in specific circumstances:
      1. If the customer has given their express written consent. This consent should need to include a listing of all information fields that will potentially be shared (i.e., first name, last name, address, birthdate, social security number, online status, friends list, etc.) as well as the exact party or parties it will potentially be shared with (meaning, the actual company names). If new information fields are supposed to be shared with that service provider, each user must provide consent again before it can be shared, since they only consented to the previous list of fields to share. The same would be true if a new service provider would be used.
      2. If the company is legally compelled to by a court order specifying by name (or username) the customer in question and the information that is being sought. By law, the company may only provide the specified information (i.e., only the particular fields requested) and only provide information regarding the named customer.
      3. If the company suspects or has observed a crime, they can inform the authorities with only the information sufficient to allow the authorities to determine a crime may have been committed, and an associated username so that appropriate warrants may be generated targeting that user’s account in order to gain access to the further information, such as the actual evidence linked to that user or the user’s personally identifying information. Only if the authorities return with a valid court-ordered warrant may they gain access to the user’s account.
    3. Any company making use of a person’s data must be required to take all reasonable steps to safeguard that data, such as using encrypted communications and data storage and access controls both internally and between the company and the user. Standards similar to PCI should be required of ANY service handling customer information, even if non-financial.