Government lawyers don't get the Internet

Last year the FBI nearly destroyed the life of an innocent physicist. In May 2015, agents arrested Xi Xiaoxing, chairman of Temple University's physics department, and charged that he was sneaking Chinese scientists details about a piece of restricted research equipment known as a pocket heater. An illustrious career seemed suddenly to implode.

A few months later, the Justice Department dropped all the charges and made an embarrassing admission: It hadn't understood Xi's work. After defense experts examined his supposed leaks, they pointed out that what he'd shared with Chinese colleagues wasn't a restricted engineering design but in fact a schematic for an altogether different type of device. The case helped lead earlier this year to new Justice Department restrictions that took power away from prosecutors in the field and centralized certain investigations in Washington, where they could receive more oversight from a specially trained team of lawyers.

Whether it's high-level physics research or the technology of our daily lives, the government's lawyers are struggling to grasp the increasingly technical cases that come before them. Both federal prosecutors and the attorneys who represent executive agencies in court are bungling lawsuits across the country because they don't understand what they're talking about. Too few lawyers have the skills or the specialized knowledge to make sense of code, networks, and the people who use them, and too few law schools are telling them what they need to know. "It would be enormously helpful to have a deeper bench of lawyers with technical backgrounds," says Susan Hennessey, a Brookings Institution fellow and former National Security Agency lawyer.

This situation is stymieing criminal investigations, upending innocents' lives and making it harder to set legal boundaries around mass-surveillance programs. The result is that, when it comes to technology, justice is increasingly out of reach.

Recently a federal judge in Iowa threw out evidence collected by the FBI in a child porn investigation because the Justice Department's search warrant misstated the technical details of where and how it hoped to gather the evidence. As the judge concluded, either the FBI or the prosecutors hadn't understood exactly how their own "network investigative technique" worked, or they'd failed to explain it correctly in the courtroom. What's more, the judge who issued the original warrant didn't have the jurisdiction to do so, because the network investigative technique, a piece of FBI-designed malware that sniffed out people trading illegal files, collected evidence far beyond the bounds of the Virginia district where the warrant was authorized.

Today, cyber, data and privacy questions lie at the core of numerous corporate and government cases, and there aren't anywhere near enough practicing lawyers who can adequately understand the complex issues involved, let alone who can sufficiently explain them in court or advise investigators on how to build a successful case.

"This is a problem that pervades all of the national security apparatus," says Alvaro Bedoya, who previously worked as the chief counsel to the Senate Judiciary Committee's subcommittee on privacy, technology and the law, and now leads Georgetown Law's Center on Privacy & Technology. "You don't have a pipeline of lawyers right now who can read code."

The fallout from Edward Snowden's revelations exposed numerous instances in which agency lawyers miscommunicated to courts about what the government was doing. There are two possible explanations: Either they willfully exploited judges' lack of technical knowledge, or the lawyers couldn't fathom the programs they were trying to explain. In a 2009 case that became public in 2013, NSA Director Keith Alexander admitted that none of the lawyers overseeing one surveillance program grasped what it was doing when it queried a particular agency database: "It appears there was never a complete understanding among the key personnel ... regarding what each individual meant by the terminology used." In a 2011 suit, Judge John Bates of the secret Foreign Intelligence Surveillance Court wrote an angry (and heavily redacted) 85-page decision saying he was troubled that the case marked "the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program." And in yet another case, Solicitor General Donald B. Verrilli Jr. found in 2013 that he'd misled the Supreme Court about how the Justice Department was using evidence derived from warrantless surveillance programs targeting foreigners, an error that led to a months-long internal debate as Verrilli questioned the department's interpretation of the law.

On a more mundane basis, government attorneys frequently confuse content and metadata, even though the two types of information face different legal standards. One possible reason: The Justice Department's decade-old Electronic Surveillance Manual is incorrect about the basic mechanics of how email works, according to a forthcoming article in the Harvard Journal of Law & Technology. Such problems are becoming more pervasive as lawyers misapply law designed for telephone surveillance to cases focused on the Internet, says Susan Landau, a computer scientist at Worcester Polytechnic Institute and one of the article's authors. They "don't know the right questions to ask." And it's not just them: "A judge may not even know what's wrong with the briefs. It's an extremely serious problem," she says.

Jurists have noticed how awkwardly analog-era laws govern modern digital life, and they've struggled over what to do with the disjunction, even at the Supreme Court. "It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties," Justice Sonia Sotomayor wrote in a 2012 opinion. "... This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

The Obama administration has made strides in incorporating technology into government, creating teams like the U.S. Digital Service that bring more of Silicon Valley to Washington. But the knowledge base of the government's lawyers is still badly lacking, particularly when it comes to marrying legal and technological tools, says Paul Ohm, a Georgetown law professor who used to work in the Justice Department's computer crime and intellectual property section. "Too much of [the focus] has been the import-export model--forgo your Silicon Valley salary for a couple years and help us be more savvy. And as awesome as that is, they're not going to solve the problem," Ohm says.

Some of today's technical legal befuddlement stems from the fact that the field is so new. "No one who is practicing today had a cybersecurity class in law school," explains Kristen Eichensehr, a UCLA law professor whose own cybersecurity course has doubled in the three years it's been offered. "Everyone who has been in practice has had to learn this on the job."

Even though student demand for such classes is growing, only a handful of mostly elite law schools--like Harvard, Yale, Cornell, Stanford, New York University, Georgetown and UCLA, as well as Indiana University's Maurer School of Law, which helped pioneer the field in the early 2000s--offer classes focused on cybersecurity. At Georgetown, Ohm is helping with what he thinks is the first law school class in the nation to teach students to code in the basic programming language Python. The course launched in January with spots for 20 students and a waitlist of more than 100.

Yale, working with its first "cyber fellow" Ido Kilovaty, is offering its first mixed cybersecurity course this year, bringing together 10 law students and 10 computer science students in an attempt to bridge the jargon chasm between specialists in each field. "People who are trying to come up with solutions in this area usually understand only one side--the law side or the technology side," Kilovaty says. "We want them to talk the same language when the class is done."

Editorial on 10/02/2016

Upcoming Events