The time is long past for Section 215 to be meaningfully reformed to restore the civil liberties massively and unjustifiably compromised by the USA PATRIOT Act.
~~ALA President Courtney Young
Very nearly from the day the USA PATRIOT Act was signed into law in 2001, librarians raised concerns about the scope of surveillance authorized under the provisions of the USA PATRIOT Act. In particular, librarians protested the low or non-existent legal thresholds for obtaining Section 215 court orders and the lack of judicial review for secret subpoenas that provided federal agents with the authority to obtain records and information about individuals’ most sensitive First Amendment activities, seeing an enormous potential for abuse in such broad authority to peer into individuals’ lives. The 2013 revelation that the PATRIOT Act and similar laws were used to justify mass surveillance of innocent U.S. citizens’ digital communications confirmed librarians’ fears about the law.
As a result, the American Library Association continues to support legislation that amends or repeals those portions of the USA PATRIOT Act that pose a threat to library users’ civil liberties and right to privacy.
This week, May 4 – 8, 2015, the ALA Washington Office is calling on librarians, library trustees, library patrons, and library supporters to participate in Virtual Library Legislative Day by calling and/or emailing their elected officials on May 5, or any time during the week of May 4 – 8.
Currently, the ALA is urging passage of the USA FREEDOM Act of 2015, which bans the “bulk collection” of Americans’ personal communications records under the pen register statutes and National Security Letters; brings the “gag order” provisions of the USA PATRIOT Act into compliance with the First Amendment; and makes important “first step” reforms to privacy-hostile provisions, including Section 702, of the FISA Amendments Act.
ALA also urges passage of the Electronic Communications Privacy Act (ECPA) Amendments Act (S. 356) and Email Privacy Act (H.R. 699), which would bring about real reform to the ECPA (last revised in 1986, long before the internet and digital communications were a reality). The reforms would require government authorities to get a warrant to compel access to the emails, documents, photos, texts, and other files that comprise Americans’ “digital lives,” whether on the network or stored for an indefinite period of time. (H.R. 699 already has been cosponsored by a bipartisan super-majority of all Members of the House, as it was in the 113th Congress.) Full information can be found in the ALA Washington Office’s privacy and surveillance issue brief (.doc download); you can communicate with your Congressional representatives via this link.
ALA actively works with coalitions like Fight 215! and Digital Due Process to end mass suspicionless surveillance and oppose legislation that effectively creates new, or expands existing, government surveillance authorities.
Today more than ever, we appreciate that raw data has great financial value. The owners of websites, social media tools, and cell phone applications make billions of dollars annually on “targeted,” or “behavioral,” advertising. They attempt to assure us that although they collect, share, and use data about us in countless ways, our privacy is safe, because they only use “anonymous” aggregate data. But it turns out that it may not even be possible for aggregate data to be anonymous, no matter how hard one tries to make it so.
Underlying the belief that such privacy protection is possible is the assumption that if we “de-identify,” or “anonymize,” data, it is impossible to identify an individual person from that data. A set of data is “anonymized” when it is stripped of “personally identifiable/identifying information,” or “PII.” Obvious examples of PII include name, social security number, and driver’s license number. Although the concept of PII forms the basis for much privacy law and regulation, it turns out that determining which data are capable of identifying an individual, and thus constitute PII that should be subject to regulation, is not a simple task.
And that’s a pretty serious problem in a world in which leaving a trail of digital footprints has become as natural as exhaling a trail of carbon dioxide. In my book What You Need to Know About Privacy Law: A Guide for Librarians and Educators, I ask the question “When is ‘anonymous’ not really anonymous?” In the context of data collection, this is kind of a trick question, because the answer is a resounding “Always!”
IT specialists like Marshall Breeding and privacy advocates like Alison Macrina of the Library Freedom Project are urging libraries and vendors to encrypt their websites and online automation and discovery systems to better protect patron privacy. Encrypting websites and networked communications requires the installation of Transport Layer Security (TLS) / Secure Sockets Layer (SSL) identity certificates and then use of the HTTPS protocol by default.
Let’s Encrypt, a new initiative, will make enabling HTTPS on library websites much easier by providing server certificates and the software required to make websites secure at no charge. Let’s Encrypt is an initiative founded by Mozilla and the Electronic Frontier Foundation, and operated by the Internet Security Research Group (ISRG). It is sponsored by Mozilla, the Electronic Frontier Foundation, Akamai, Cisco, IdenTrust, and Automattic. Let’s Encrypt is scheduled to go live in the near future; full information about the initiative can be found on their website.
Another tool available to libraries whose websites and online catalogs already support HTTPS is HTTPS Everywhere, a browser extension developed by the Electronic Frontier Foundation that encrypts online communications with websites by making them default to secure HTTPS protocols. The HTTPS Everywhere site offers guidance on using the tool to enhance the privacy and security of web communications.