This post has been contributed by Josh Ag, a software engineer in Silicon Valley who sincerely wishes he had donated more to the EFF and the ACLU the past few years. He can be reached at firstname.lastname@example.org.
After following the NSA leaks closely for the past few weeks, I've yet to see many specific plans for fixing the issue of the government's excessive data collection policies brought to light most recently by Edward Snowden, but also by Thomas Drake, William Binney, and J. Kirk Wiebe. In the interest of keeping this short, I do not provide any reasoning or explanation behind the proposed changes, but if there is enough interest I can write those up in a followup post. This is not meant to be an unchangable manifesto, but rather a starting point for a discussion of how practically protect individuals' privacy in the 21st century. First, we need to clarify and extend the 4th amendment to cover data and metadata, since it is clear that the 4th amendment as it is currently interpreted is not good enough. Specifically, we should: a) Extend the definition of data to include all forms of metadata as well as all forms of the data itself. b) Extend the definition of a person's papers and effects to include any data generated by, given to, stored by, or about the person or his/her possessions in any form, anywhere, at any time, and any physical device that stores the data regardless of how long the data is stored, how much data is stored, how it is stored, where it is stored, or who owns the physical devices storing the data. c) Extend the reasonable expectation of privacy to include any data that is encrypted by something stronger than rot-26 or password/phrase/code protected, regardless of who encrypted it, where it was encrypted, who is storing it, or when it was encrypted. Require that all second parties who store another person's data or data about them, regardless of how it was generated, who generated it, when it was generated, or how much of it there is, to securely store/encrypt all of this data, keep it private, and delete all of it when a person asks for it to be deleted. If a second-party wishes to share any of a person's data, then they must explicitly get permission before sharing it, must allow for the person to view all of this shared data at any time, and must tell (and get confirmation that deletion occurred) from the third party to delete any data regarding a person if a person tells the second party to delete data about them. This should not affect the government's ability to acquire unencrypted data without the help of a third party, or limit the ability of what the government can collect using a search warrant. d) Extend all 4th amendment protections to any and all data transiting through the US regardless of who owns the data, who is holding or transferring the data, who the data is being transferred to, how the data is being transferred, when the data is being transferred, or how the data is encrypted. e) Extend the definition of an unreasonable search to include any data collected from a warrant that searches for other data or for evidence of a different crime, for both the subject of the warrant and anyone else. f) Clarify that when someone is indicted for any crime, they have the right to know as part of their defense whether the government has collected any of their data or data about them, all of this data the government has collected, and why the government collected the data it did. g) If there is any overlap between the data collected as part of a different investigation/warrant and a crime for which a person has been indicted, then the default assumption is that each case/investigation/warrant interfered with the other and improperly tainted the evidence. If the government wishes to use any of the overlapping data or data gathered with or after any of overlapping data, then it must show beyond a reasonable doubt that no interference, even incidental or unintentional, occured, otherwise the data cannot be used. h) Since this could require the government to release information before it would otherwise do so as part of another case/trial, the government can request information remain sealed, however, the judge, entire jury, prosecution, and the accused's lawyers must be allowed to see any and all relevant data. If the government does not wish to let the accused's lawyers see the relevent evidence, then it must petition the court where the accused is being tried for another lawyer (mutually agreed upon by the accused, his lawyers, and the government) who will have full access to all relevant sealed information to become part of the accused's legal team for the entirity of the trial and any and all appeals. If the relevent evidence is unsealed during the course of any trial or appeal, the appointed lawyer must remain part of the accused's legal team just as if the information remained sealed until all trials and appeals ended. The costs associated with this extra attorney are to be paid for solely by the government, regardless of the outcome of any trials or appeals. Second, we need to make courts and investigations more transparent with regard to data collected by the government. Specifically, we should: a) Allow the subject of an investigation (regardless of citizenship or visa status) and any data collected as part of an investigation to remain sealed only until the investigation is closed. b) Allow the means of acquiring the data collected to remain sealed only until the investigation is closed. c) Require all warrants to be reviewed every 6 months by the court that granted the warrant for overly broad searching or collecting of data. d) Require all investigations that remain open after a warrant has expired to be reviewed every 6 months by the court which granted the warrant to determine whether the investigation should be closed. e) Require the investigating agency to notify anyone (regardless of citizenship or visa status) whose data is collected as part of an investigation what data about or belonging to them was collected, how it was collected, and why it was collected after the investigation is closed, but not release the person's data to anyone else without the person's explicit permission. f) Require all warrants to be publicly available and unsealed once an investigation closes or once the warrant expires.