Stanford CIS

Surveillance Myth #1: I Have Nothing to Hide

By Jennifer Granick on

In the public debate over secret NSA spying, we keep hearing three refrains to justify, or at least accommodate people, to the U.S. government's surveillance practices. These are, "the spying is legal, so there's nothing improper", "mass surveillance is the price we have to pay for national security" and "I have nothing to hide so why should I worry?"

Over the next few weeks I'll write about why the first two ideas are myths.  Today I wanted share an excerpt from a paper I presented at this year's Privacy Law Scholar's Conference and which I submitted for publication to the Georgetown Journal of National Security Law & Policy to argue that everyone benefits from limited government access and use of personal information.  Under no circumstances, however, should you miss the excellent thoughts of Moxie Marlinspike, in his June 12th blog post "We Should All Have Something to Hide" and of James Duane in his video lecture Don't Talk to Police.

*********************

Sanguinity is misplaced in our current legal regime where so much seemingly innocent behavior arguably fits the definition of one or more crimes.

For example, the federal computer crime law, the Computer Fraud and Abuse Act (CFAA) is notoriously overbroad. My client, Bret McDanel, was an employee who had discovered a security flaw in the online messaging platform his former employer was selling to the general public.  The company failed to fix the flaw or notify its customers.  Eventually, Mr. McDanel left the company. A few months later, he emailed all of his former employer’s customers and informed them that the messaging service was susceptible to attack and that their confidential data could be revealed or stolen.  McDanel provided a link to a webpage he wrote explaining the flaw, and how the customers could protect themselves. The United States Attorney’s Office in the Central District of California prosecuted Mr. McDanel, accusing him of sending code (an email) that caused damage to the messaging platform by informing customers about the vulnerability, thereby interfering with the integrity of the system.  This was, to say the least, a novel and expansive interpretation of the CFAA.  Never before had sending an email been called a crime because some unknown third party might take the information relayed and misuse it.

To bolster its case that Mr. McDanel had criminal intent and did not mean well, the prosecutor elicited testimony from the arresting officer that at the time he was taken into custody, Mr. McDanel wearing a tee shirt from the Defcon hacker conference.  According to the prosecutor, this tee shirt illustrated that Mr. McDanel considered himself a hacker and therefore had the requisite malicious intent when communicating with customers about security flaws in the messaging product.   Following this court trial, the judge found Mr. McDanel guilty.

I successfully represented Mr. McDanel on appeal.  In fact, the government admitted that its prosecution was unfounded.  It was unfortunate for my client that he was wearing that shirt when he was arrested, as it gave the prosecution fodder for its baseless case – fodder a federal judge accepted.  But with surveillance cameras, database searches and facial recognition, the prosecution could have searched camera images from near McDanel’s home to learn what tee shirts he wore every day.  Surely one of them would corroborate the government’s tale of criminal intent.

McDanel’s experience is not singular.  In his book, Three Felonies a Day, Harvey Silverglate documents the ways in which federal criminal law has been used by overzealous or politically ambitious prosecutors to bring criminal charges against innocent people.  The book documents the counterintuitive conclusion that the more information prosecutors have about someone, the easier it is to make a case against them, even when they are innocent.

As just one example, the government began a comprehensive investigation of Frank Quattrone for investment capital mismanagement.  Ultimately, Quattrone was criminally charged.  But, the indictment did not allege that he had mismanaged funds or taken kickbacks.  Rather, the government alleged that Quattrone obstructed justice in his response to a single email from one of his bank’s lawyers reminding employees of the bank’s document retention policy.  Quattrone had replied to the lawyer’s email that he strongly advised them to follow the retention and destruction procedures.  Prosecutors used this single email to claim that Quattrone meant to cause his colleagues to destroy documents that were responsive to federal subpoenas.  The case was particularly flimsy because the evidence showed that the bank’s general counsel’s office had not notified Quattrone or other bankers that they were obligated to preserve documents until after Quattrone’s email was sent.  Obstruction of justice charges are pretty common when investigations fail to turn up evidence of the wrongdoing at issue.  The same kind of claims were pursued against President Bill Clinton for his deposition answers in the Paula Jones lawsuit, against Martha Stewart at the end of that unsuccessful effort to find insider trading and against Lewis “Scooter” Libby for his inconsistent statements about when he learned that Valerie Plame was a CIA agent.  Law enforcement access to hundreds or thousands or hundreds of thousands of emails, greatly increase the chances that agents can find some inconsistencies, or at least one message such as Quattrone’s on which to base a case.

*******************

Published in: Blog , Privacy