Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.
The recent revelations that Verizon and most likely others shared the entire contents of their customer databases with the U.S. National Security Agency raise a question for retailers and payment processors. How much data should I share with the government, particularly when it has a subpoena, and how much effort should I expend fighting government demands for information?
Any time you create “big data,” you run the risk of big headaches. Remember, the government has something called “sovereign immunity,” meaning that, for the most part, it cannot be sued. That leaves the data collector, retailer or payment processor with the responsibilities. If a retailer provides information to a government agency – even in the face of a demand or subpoena – the retailer, and not the government, can face liability if it is later determined that the demand or subpoena was not “lawful.”
Here’s the problem. Most retailers have privacy policies that say they will turn over data (or even databases) in response to “lawful” government demands or requests. But if it turns out that the demand or request is overbroad, unreasonable, not supported by probable cause, done for an improper purpose, or simply that the government did not follow the proper procedure in obtaining the subpoena or warrant, or in otherwise requesting the information, the demand may not be lawful.
And voila! The retailer will have violated its own privacy policies. What’s worse, it will have opened itself up for liability not only to its customers, but also to the government that demanded the information in the first place. Finally, even statutes that appear to provide the entity with immunity for complying may not protect the chain.
The NSA “PRISM” program was actually only part of the NSA’s data-gathering efforts. PRISM was the NSA’s effort to collect “content” information over the Internet – that is, to read people’s e-mails, snoop on their Skype calls, capture video conferencing information, and read private SMS messages, tweets and Facebook postings. In addition, the NSA had a program, codenamed NUCLEON, to capture so-called “metadata” from the Internet: the header information from e-mails (whom customers are writing to, when they are writing, from where they are writing), which websites people are visiting and from where, and other theoretically “non-content” information. For telephone companies, the NSA has similar programs: codename MARINA for content information (listening in on phone calls) and codename MAINWAY for telephone metadata.
We know little about these programs except that they were theoretically approved by a super-secret court called the Foreign Intelligence Surveillance Court (FISC) and that they were targeting the communications of “non-U.S. persons.” Other revelations in the past about programs like ECHELON indicate that the U.S. government had an understanding with other friendly governments. Since we couldn’t spy on U.S. citizens in the U.S. (without a warrant), they would spy on our citizens for us, and we would spy on theirs for them. All perfectly legal. Well, not perfectly.