Wikimedia, ACLU, "The Nation" & others sue the NSA

The lead-name plaintiff is Wikimedia. Editorial by Wikimedia’s Jimmy Wales & Lila Tretikov: “Stop Spying on Wikipedia Users.”

From the ACLU website:

The Nation magazine joins in the suit.

Issues for debate:

  1. The wisdom, fairness, justice, etc., of the NSA’s practices here. How much of a surveillance state do we actually need?

  2. The actual harm threatened. What is the NSA doing with this information, anyway? Perhaps nothing? Perhaps something scary?

  3. The constitutionality and legality. Wikimedia alleges the practice a) violates the 4th Amendment and b) exceeds the authority granted under the Foreign Intelligence Surveillance Act.

  4. The likely outcome of the lawsuit.

You can read the complaint in pdf here.

The rise of mass surveillance challenges our antiquated notions and legal customs related to privacy, and so it is unclear how courts will rework Fourth Amendment doctrines to meet contemporary problems of government invasions of privacy.

There are a lot of complicated legal issues in this case, but one of the biggest is the so-called “pen register” exception in Smith v. Maryland. Basically, since the 1970s, a Fourth Amendment doctrine developed in which information is not considered private if it is accessible by other private parties without much control over precisely which private parties might see it. For example, the government can just open up your trash bags and search through them, even though you might well expect that the only people who might see in them is the trash guy. The government can see who you call on the phone, because AT&T gets to see it too. The government can take photos of every piece of mail sent in the US, since anyone else can see the outside of those envelopes while they are in transit. The list goes on and on.

That idea of third parties eroding privacy as to government intrusion was always a bit dodgy in my book. But it has become downright unsupportable in the age of huge amounts of personal data being exchanged with private third parties, and with governments carefully aggregating all of this data. Sure, a garbage man might see my trash and the postal worker might see my envelope and the lady at AT&T might see who I text, but they aren’t compiling all of that information into a single database–and never before was I also sending out all kinds of personal info publicly on Facebook, Twitter, etc., alongside the data that most people consider private, making the private data easier to interpet. The whole of such information is far more than the sum of its parts.

I don’t know how the Supreme Court will ultimately modify this rule about third party access, but I do expect it will be modified. There are two basic ways for it to go. One is to assess the full “mosaic” of data collected by the government when assessing the Fourth Amendment and the other is to narrow the “pen register” doctrine. I hope we do the latter, since I think it was a bad doctrine to begin with and because I think the mosaic theory is pretty unworkable.

Could you explain this “mosaic theory” more fully?

Much more complete analysis here.

But the short version, from Prof. Kerr, is that “instead of asking if a particular act is a search, the mosaic theory asks whether a series of acts that are not searches in isolation amount to a search when considered as a group. The mosaic theory is therefore premised on aggregation: it considers whether a set of nonsearches aggregated together amount to a search because their collection and subsequent analysis creates a revealing mosaic.”

This addresses one issue, which is that the government is now connecting lots of disparate data points to form much more intrusive profiles of individuals. It does not address the other issue, which is that each individual “search” is still not a Fourth Amendment search if the information was available to third parties–which to me is the more (or at least equally) pernicious problem.

Wait - Wikipedia says that it’s editors should have an expectation of privacy when they contribute to a public website even if they are non-US persons (who don’t enjoy the same constitutional protections US persona do) because they would rather remain anonymous?

There are other issues raised in the lawsuit, sure, but that is rediculous on its face.

Which part is ridiculous, that non-US persons want the same Fourth Amendment protections from U.S. government searches that occur on US soil, or that they claim privacy in their anonymous public interactions with a non-government entity? Or both?

I don’t see why either is ridiculous. Could you say a little more?

More recent jurisprudence (e.g. United States v. Jones) gives some hopeful signs in that direction (particularly since the only disagreement in this case was that the majority and concurring opinions differ in their reasoning of exactly why the police action (planting a GPS on a car) constituted an unconstitutional search.

Do you claim the ability to look at a Wikipedia page and identify contributors who use a Wikipedia-specific pseudonym rather than the names by which they are known elsewhere?

If so, I’m sure we would all be interested in seeing a demonstration of this talent. If not, on what possible grounds do you find the expectation of privacy to be “rediculous”?

Has any court ever found that non-US persons overseas have privacy protections from the US government?

You’re confused about the relevant conceptual boundaries. The issue isn’t the citizenship status or even the current location of the person, but the location of the putative search. The very first line of this complaint reads: “This lawsuit challenges the suspicionless seizure and searching of internet traffic by the National Security Agency (“NSA”) on U.S. soil.”

Lot of cases have found that non-citizens have privacy when they are in the US. I don’t know if the particular issue of search of non-citizen messages in the US has been adjudicated (I imagine it has), but the upshot of your view would be that if a UK citizen buys a home in Montana, the FBI can search it any time he leaves the country. It would make no sense.

I would add, on reviewing the complaint, it isn’t clear to me that they are asserting the rights of any non-U.S. citizens or non-U.S.-based organizations. So even if there is controversy over the application of the Fourth Amendment to “Upstream” collection that occurs in U.S. soil, I’m not sure it matters.

Which is why FISA requires a warrant from FISC to collect on US soil. But to use an analogy, let’s say a foreign citizen sends a shortwave message to another foreign citizen. An antenna in the United States intercepts the transmission. Do the communicants have an expectation to Fourth Amendment protections because the collection occurred in US territory? I don’t.

Note also tht I said nothing about US citizens. I said US persons, which includes citizens, residents, and people in the US unless a court says they are agents of a foreign power.

Back to my question: have courts said that non-US persons overseas have Fourth Amendment protections?

We may be reading different things. I was referring to the first few paragraphs of the NYT op-Ed. I’m not sure to what extent that argument is reflected in the complaint you read.

But they didn’t get a warrant for upstream collection. That’s the point. It is suspicion-less.

You may be right that foreign senders don’t have any Fourth Amendment protection while their message is in the U.S. (though I wonder if having a US recipient changes that calculation). But the lawsuit is only asserting the rights of its named plaintiffs, isn’t it?

Is it your view that the Fourth Amendment does not apply to the contents of a letter mailed to me from London, seized at my local post office?

Can anyone tell me, in plain legalese (or even English) what the legal basis for the suit is for? Is it just some vague “violation of privacy” claim? I skimmed the case but it seems more built on platitudes and political gesturing than law.

In addition, the case Riley v. California provides evidence that the may court rule against the government’s surveillance programs. Writing for a unanimous court, Chief Justice Roberts delivered the particularly quotable line “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon”, hinting that the justices may rule that the collection of a single record from a criminal is materially different than the collection of a plethora of records from every American.

They allege that the NSA’s upstream collection practices violate the Fourth Amendment’s prohibition on unreasonable searches and seizures, chill the First Amendment right to association and speech, and contravene the statutory authority provided to the NSA under FISA and its amendments.

Happy to give more detail about the basis for each claim, though that’s exactly what the complaint does.


I think these need some discussion. Ever since 9/11 we’ve grown more and more accepting of an intrusive national-security state with very little pushback. Perhaps we should turn the question around: How much privacy do we really need? How much 4th-Amendment protection do we really need? Are we ready to just give up?

“You have zero privacy anyway. Get over it.”

– Scott McNealy

OTOH – what’s the point of all this that NSA is doing? Leaving constitutional questions and privacy questions aside, this is an awful lot of work and must be costing an awful lot of money. How many terror plots have they thwarted this way? How many non-terrorist crimes have they uncovered?

Should the US be required to show probable cause before intercepting that shortwave signal between two non-Americans? In my opinion, no. They have no right to privacy under the Constitution. Similarly, if an electronic transmission between two non US persons transistor the US, I don’t believe those people gain Fourth Amendment protections because the signal was carried on fiber rather than radio waves.

I also don’t agree that the specific activity of a non US person creates constitutional protections. If someone works for a foreign NGO fighting genocide, that’s fantastic and I support them, but my like of their cause doesn’t give them more rights than the Russian general who goes online to do something to help repress Ukranians. If someone is a Wikipeida contributor, that’s great, but they don’t have any special claims to constitutional protections because they collaborate on a US website on their free time.

My quick read is that the lawsuit claims a broad assertion of rights for people who don’t seem to be US persons, but I may be wrong.

If I mail you a letter from overseas, I think that letter may be incidentally intercepted legally (“We are looking for a terrorist letter sent from London to another terrorist in (your town here), put them all in Box #1”) but as soon as it is believed that either you or I am a US person, the letter cannot be read without a warrant. If it is read, any collection of the contents (like a copy of the text) would have to be destroyed because there is no legal authority to retain that letter. At least, that’s how I understand it. And I think that’s pretty reasonable.

That’s cute. I bet the East Germans feel dumb for never sueing the Stasi.

Knowledge is power.

It’s a good question, and I tend toward your answer. But I don’t think it’s relevant here.

I think you’re not addressing the real argument there. If, for example, a potential client living in Brazil emails me asking for representation, that’s a constitutionally-protected email (in more ways than one), and must be treated differently for surveillance purposes from my buddy in Brazil emailing me stock tips (and note that one of the plaintiffs is a criminal defense organization). The First Amendment also recognizes core and non-core speech, with the Supreme Court having greater concern with avoiding the chilling of, say, political dissent than of commercial advertising.

The sensitivity and nature of the speech is also important to showing the chilling and showing that the speech is likely to be captured by FISA intercepts.

I don’t think so. It’s easy to get that impression from the editorial, but the actual complaint names all US-based plaintiffs and defines the communications that it believes were unlawfully intercepted as those originating or terminating in the US–not just passing through.

That’s not what the complaint alleges is happening.

They say the NSA takes a copy of “substantially all” text-based international data. Then they filter out some, but not all, purely domestic-to-domestic communication that should not be subject to FISA authority at all. Then they examine the content, not based on targeted individuals as contemplated in the original FISA and in your hypothetical, but based on keywords and generic identifiers (like IP addresses used by hundreds of people). They can then read and data-mine what they keep without limitation. Notably, communication that is about a target, but neither sent from or to that target, is still kept.

What you identify is a long-standing FISA loophole in which a foreign target’s communications with a US resident might be captured. This complaint is less about that and more about the post-2007 amendments to FISA and the capturing and reviewing of substantially all upstream data.