IRS, DHS, ATF and more: the latest surveillance news

Does the IRS get warrants when it searches through our emails? The ACLU wanted a simple answer to this simple question, and so filed a FOIA request to the agency to find out. My colleague Nate Wessler explains what they learned:

The documents the ACLU obtained make clear that, before Warshak [a Sixth Circuit decision ruling probable cause warrants are required for access to all emails], it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.

Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.

So has anything changed since the Warshak decision? Not really. Wessler explains:

The current version of the Internal Revenue Manual, available on the IRS website, continues to explain that no warrant is required for emails that are stored by an ISP for more than 180 days.

Also at the Free Future blog, the ACLU's Jay Stanley describes how a new drone surveillance product developed for the military enables automated analysis of impossibly large streams of video data. The eerily-named Persistics boasts the following capabilities:

“Seamless stitching" together of images from multiple cameras to create “a virtual large-format camera.”
Stabilizing video (“essential for accurate and high-resolution object identification and tracking”).
Eliminating parallax (the difference in how an object appears when viewed from slightly different angles).
Differentiating moving objects from the background.
The ability to automatically follow moving objects such as vehicles.
Creating a “heat map” representation of traffic density in order to “automatically discern if the traffic pattern changes.”
Comparing images taken at different times and automatically detecting any changes that have taken place.
Super-high “1,000-times” video compression.
The ability to provide all the locations a particular vehicle was spotted within a given time frame.
The ability to provide all the vehicles that were spotted at a particular location within a given time frame.

If history is any lesson, this kind of technology will quickly migrate from the foreign battlefield to our own cities and states. But this time we don't even have to wonder. G uess which domestic security agency is already interested?

In other surveillance news, Wired reports on a scheme by Alcohol, Tobacco and Firearms to create a data system that will enable federal agents to identify you based on bits and pieces of information. But not only that: it will also tell the feds who your friends are.

According to a recent solicitation from the Bureau of Alcohol, Tobacco, Firearms and Explosives, the bureau is looking to buy a “massive online data repository system” for its Office of Strategic Intelligence and Information (OSII). The system is intended to operate for at least five years, and be able to process automated searches of individuals, and “find connection points between two or more individuals” by linking together “structured and unstructured data.”

Primarily, the ATF states it wants the database to speed-up criminal investigations. Instead of requiring an analyst to manually search around for your personal information, the database should “obtain exact matches from partial source data searches” such as social security numbers (or even just a fragment of one), vehicle serial codes, age range, “phonetic name spelling,” or a general area where your address is located. Input that data, and out comes your identity, while the computer automatically establishes connections you have with others.

But who cares about all of this stuff? Why is ubiquitous surveillance a threat, and what is it a threat to? Neil Richards spells out "The Dangers of Surveillance" in a new paper for the Harvard Law Review. Here's his summary of those dangers and a proposal for what to do about them, within a legal framework:

At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance. First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.

And finally, some good news. In what's likely to be a blow to data broker firms that track consumer purchasing behaviors, the Massachusetts Supreme Court has ruled that zip codes are personally identifiable information and "determined that collecting such personal information is a violation of state privacy law for which the consumer can sue."