The Washington Post

Government lawyers don’t understand the Internet. That’s a problem.

The law isn't keeping up with technology.

September 23, 2016 at 11:48 a.m. EDT

Last year, the FBI nearly destroyed the life of an innocent physicist. In May 2015, agents arrested Xi Xiaoxing, the chairman of Temple University’s physics department, and charged that he was sneaking Chinese scientists details about a piece of restricted research equipment known as a “pocket heater.” An illustrious career seemed suddenly to implode. A few months later, though, the Justice Department dropped all the charges and made an embarrassing admission: It hadn’t actually understood Xi’s work. After defense experts examined his supposed “leaks,” they pointed out that what he’d shared with Chinese colleagues wasn’t a restricted engineering design but in fact a schematic for an altogether different type of device. The case helped lead earlier this year to new Justice Department restrictions that took power away from prosecutors in the field and centralized certain investigations in Washington, where they could receive more oversight from a specially trained team of lawyers.

Whether it’s high-level physics research or the technology of our daily lives, the government’s lawyers are struggling to grasp the increasingly technical cases that come before them. Both federal prosecutors and the attorneys who represent executive agencies in court are bungling lawsuits across the country because they don’t understand what they’re talking about. Too few lawyers have the skill set or the specialized knowledge to make sense of code, networks and the people who use them, and too few law schools are telling them what they need to know. “It would be enormously helpful to have a deeper bench of lawyers with technical backgrounds,” says Susan Hennessey, a Brookings Institution fellow and former National Security Agency lawyer.

This situation is stymieing criminal investigations, upending innocents’ lives and making it harder to set legal boundaries around mass-surveillance programs. The result is that, when it comes to technology, justice is increasingly out of reach.

Just this week, a federal judge in Iowa threw out evidence collected by the FBI in a child porn investigation because the Justice Department’s search warrant misstated the technical details of where and how it hoped to gather the evidence. As the judge concluded, either the FBI or the prosecutors hadn’t understood exactly how their own “network investigative technique” worked, or they’d failed to explain it correctly in the courtroom. What’s more, the judge who issued the original warrant didn’t have the jurisdiction to do so, because the “network investigative technique,” a piece of FBI-designed malware that sniffed out people trading illegal files, collected evidence far beyond the bounds of the Virginia district where the warrant was authorized.

Today, cyber, data and privacy questions lie at the core of numerous corporate and government cases, and there aren’t anywhere near enough practicing lawyers who can adequately understand the complex issues involved, let alone who can sufficiently explain them in court or advise investigators on how to build a successful case. “This is a problem that pervades all of the national security apparatus,” says Alvaro Bedoya, who previously worked as the chief counsel to the Senate Judiciary Committee’s subcommittee on privacy, technology and the law, and now leads Georgetown Law’s Center on Privacy & Technology. “You don’t have a pipeline of lawyers right now who can read code.”

* * *

The fallout from Edward Snowden’s revelations exposed numerous instances in which agency lawyers miscommunicated to courts about what the government was doing. There are two possible explanations: Either they willfully exploited judges’ lack of technical knowledge, or the lawyers themselves couldn’t fathom the programs they were trying to explain. In a 2009 case that became public in 2013, NSA Director Keith Alexander admitted that none of the lawyers overseeing one surveillance program grasped what it was doing when it queried a particular agency database: “It appears there was never a complete understanding among the key personnel . . . regarding what each individual meant by the terminology used.” In a 2011 suit, Judge John Bates of the secret Foreign Intelligence Surveillance Court wrote an angry (and heavily redacted) 85-page decision saying he was “troubled” that the case marked “the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” And in yet another case, Solicitor General Donald B. Verrilli Jr. found in 2013 that he’d misled the Supreme Court about how the Justice Department was using evidence derived from warrantless surveillance programs targeting foreigners, an error that led to a months-long internal debate as Verrilli questioned the department’s interpretation of the law.

Such confusion is hardly confined to the NSA’s most technical work. On a more mundane basis, government attorneys frequently confuse content and metadata, even though the two types of information face very different legal standards. One possible reason: The Justice Department’s decade-old Electronic Surveillance Manual is incorrect about the basic mechanics of how email works, according to a forthcoming article in the Harvard Journal of Law & Technology. Such problems are becoming more pervasive as lawyers misapply law designed for telephone surveillance to cases focused on the Internet, says Susan Landau, a computer scientist at Worcester Polytechnic Institute and one of the article’s authors. They “don’t know the right questions to ask.” And it’s not just them: “A judge may not even know what’s wrong with the briefs. It’s an extremely serious problem,” she says.

Jurists have noticed how awkwardly analog-era laws govern modern digital life, and they’ve struggled over what to do with the disjunction, even at the Supreme Court. “It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” Justice Sonia Sotomayor wrote in a 2012 opinion. “. . . This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The Obama administration has made strides in incorporating technology into government, creating teams like the U.S. Digital Service that bring more of Silicon Valley to Washington. But the knowledge base of the government’s lawyers is still badly lacking, particularly when it comes to marrying legal and technological tools, says Paul Ohm, a Georgetown law professor who used to work in the Justice Department’s computer crime and intellectual property section. “Too much of [the focus] has been the import-export model — forgo your Silicon Valley salary for a couple years and help us be more savvy. And as awesome as that is, they’re not going to solve the problem,” Ohm says. The rotations through government are useful in the short term, but they don’t help the bulk of the permanent workforce better understand the new digital landscape. “I’ve seen far less internal education at the agencies,” Ohm says.

Some of today’s technical legal befuddlement stems from the fact that the field is so new. “No one who is practicing today had a cybersecurity class in law school,” explains Kristen Eichensehr, a UCLA law professor whose own cybersecurity course has doubled in the three years it’s been offered. “Everyone who has been in practice has had to learn this on the job.”

That problem won’t go away soon: Even though student demand for such classes is growing, only a handful of mostly elite law schools — like Harvard, Yale, Cornell, Stanford, New York University, Georgetown and UCLA, as well as Indiana University’s Maurer School of Law, which helped pioneer the field in the early 2000s — currently offer classes focused on cybersecurity. At Georgetown, Ohm is helping with what he thinks is the first law school class in the nation to teach students to code in the basic programming language Python. The course launched in January with spots for 20 students and a waitlist of more than 100. (For this school year, the class was expanded to 75 students but still had a long waitlist.) Among other projects, students learn to manipulate a 700-megabyte file of 200 years of Supreme Court opinions and code a search engine.

Yale, working with its first “cyber fellow,” Ido Kilovaty, is offering its first mixed cybersecurity course this year, bringing together 10 law students and 10 computer science students in an attempt to bridge the jargon chasm between specialists in each field. “People who are trying to come up with solutions in this area usually understand only one side — the law side or the technology side,” Kilovaty says. “We want them to talk the same language when the class is done.”

That’s proving particularly essential in government, where few of the 93 U.S. attorney’s offices around the nation have federal prosecutors who specialize in cyber-cases, even though cybercrime now touches every corner of the country. “Most lawyers are pretty deathly afraid of code. They don’t even have a working knowledge — what an algorithm is, what a DDOS attack does, how a botnet operates,” says Georgetown’s Bedoya.

Kilovaty adds that too often he sees prosecutors limited by the complexity of the crimes confronting them. In one recent prosecution of a security researcher accused of illegal hacking, an assistant U.S. attorney summarized the case to the court by saying, “He had to download the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don’t even understand.” The government ultimately lost the case.

It is falling to law schools to educate attorneys who are already on the job. Georgetown hosts an annual conference on cyber-law. Stanford’s Hoover Institution runs “cyber bootcamps” for congressional staffers who oversee the nation’s technical and intelligence infrastructure, as well as for the judges who set precedent for how law will develop online. “Most of what they’re getting is on-the-job learning. From a legal perspective, that’s really troubling,” says Amy Zegart, a Stanford intelligence expert who works on the cyber program.

Given the scope of the questions at hand — from digital eavesdropping to how the FBI should fight Russian ransomware attacks to how social-media sites can target user advertising and how Twitter should be blocking Islamic State recruitment online — the field will only grow more complicated and integral to daily life. “The number of people involved in cybersecurity [law] has to increase dramatically,” says Harriet Pearson, who helps lead Hogan Lovells’s cybersecurity and privacy practice, and who was IBM’s first chief privacy officer. “There’s going to need to be a huge amount of education.”

The good news, at least, is that as the government scrambles to boost its cyber-law knowledge, students coming out of classes like Ohm’s will have no shortage of job prospects.

A previous version of this story omitted a portion of a quote by Alvaro Bedoya. It has been updated.