Pages

Sunday, September 22, 2013

The Third Amendment and Cybersecurity: Quirky But Mistaken

The latest version of the American University Law Review focuses on law and cybersecurity issues.  I have not read through the articles here, but there seem to be some interesting topics.

One of the articles in this issue that I ran across and read while doing one of my own projects is Alan Butler's, When Cyberweapons End Up on Private Networks: Third Amendment Implications for Cybersecurity Policy.  It is available on the American University Law Review website here and on SSRN here.  Here is the abstract:


National security experts have discussed the threat of cyberwarfare for more than twenty years, and there have been a number of high profile cyber attacks over that period. The recent escalation of cyberconflict became clear last year when the New York Times discovered that the United States and Israel had developed and used a worm, known as “Stuxnet,” to disrupt Iranian nuclear facilities. This shot across the bow, along with the recent creation of the U.S. Cybercommand, indicates that the United States has the capability to conduct sophisticated offensive and defensive cyberoperations. Scholars in international law, national security law, and privacy law are now attempting to define the legal rules and boundaries of cyberwarfare. The Obama Administration has also made clear that protecting privacy and civil liberties is a critical component of the U.S. cybersecurity plan. But so far it is unclear what protections will be included.
This article takes a novel approach to identifying necessary civil liberties protections by analyzing U.S. cyberoperations under the Third Amendment. Three types of cyberoperations implicate Third Amendment interests: malware designed to disrupt industrial control systems, cyberespionage tools, and active defense (or “hack-back”) systems. All of these may affect innocent civilian systems, and the Third Amendment prohibits military intrusion into civilian spaces absent consent or legal authorization by Congress.
Based on the principles of the Third Amendment, this article identifies three issues that must be addressed regarding cybersecurity policy: authority, cooperation, and transparency. It concludes that Congress must establish the framework for authorization of cyberoperations that could affect civilian networks; that the private sector has an interest in a public-private collaboration to establish security standards and processes; and that any comprehensive cybersecurity strategy must provide for a transparent, public accountability system to address civil liberties impacts. The Cybersecurity Executive Order is a step in the right direction, but Congress must still establish clear rules governing executive action in this area.
I am always up for some discussion or scholarship on the Third Amendment.  I mentioned a modern case (and alluded to Butler's article) in a previous post, and as I mention in this future (!) post, there are some valid reasons for law journals to publish Third Amendment scholarship (though these reasons should be weighed against the reasons not to publish).

I'm not the only one who was intrigued by Butler's article, with reactions and mentions in the blog/legal commentary world here and here.  The commentators seem to agree with Butler's arguments.  I don't necessarily blame them; the Third Amendment is so rarely mentioned or considered in constitutional law scholarship that any article about it seems delightfully quirky.

Unfortunately, behind the quirky facade of Butler's article there lies a flawed and ultimately unsuccessful argument.  I will dismantle it after the jump.




To begin, the text of the Third Amendment reads:


No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.

Butler wants to argue that military cybersecurity/cyberattack software that finds its way onto private computers can be restricted by the Third Amendment.  Looking to the text of the Amendment, I am struck by several hurdles that Butler needs to overcome: (1) "soldier" does not seem to apply to software, (2) "quartered" does not seem to apply to software, and (3) "house" does not seem to apply to computers.

The Soldier Problem

Butler defends his view that military cyberoperations constitute "soldiers" under the Third Amendment:

This view is consistent with both a broad reading of the anti-quartering right in English cases as well as the Second Circuit’s holding in Engblom.  There is English common law, for example, related to the quartering of horses in “actual service.”  The horses were merely an instrumentality of war used by the soldiers, but they were considered quartered at common law.  Similarly, in Engblom, the Second Circuit held that the National Guardsmen were considered “Soldiers” within the meaning of the Third Amendment because they were “state employees under the control of the Governor.”  The degree of military “control” was key in both cases.
Under this analysis, quartering of “Soldiers” in private computer systems occurs when military operators directly or indirectly employ files or software that accesses and places itself upon a private system. Typically, a C&C server will direct cyberoperations that another group is responsible for configuring.  In the case of an active defense system, a remote or local system could also control the operation.  Regardless, USCYBERCOM closely controls and manages any cyberoperation that the United States currently undertakes. (1233) [I excluded the footnotes]

Here's why this argument fails:

  • The English common law that Butler cites may seem relevant to "quartering," but it does not appear to mention that the horses were "soldiers," which is the point that Butler is arguing here.  The case Butler cites, in fact, refers to horses as "horses."
  • As far as Engbom is concerned on this point, Engblom involved humans, who I think would naturally qualify as "soldiers".  While under military control, I do not think that Engblom stands for the proposition that this control necessitates "soldier" status for all things.  People under military control?  Probably.  But programs?  Probably not.
Because equating military software with "soldiers" strains the definition of the term -- the Third Amendment does not seem to apply to this software.

The Quartered Problem

Butler argues that when military software is stored on computers, it is "quartered" under the Third Amendment.


[C]yberoperations may constitute quartering because they involve trespassing into and placing files on a private system.  The long history of quartering was focused primarily on the provision of lodging to members of the military.  The modern usage of the term “quarter,”—to “lodge, or dwell,”—generally matches the traditional definition of “quarter” at the time of the framing—“to lodge; to fix on a temporary dwelling.”  Furthermore, the modern definition of “to lodge”—“to provide temporary quarters for” or “to establish or settle in a place”—also tracks the traditional definition of “to lodge”—”[t]o place in a temporary habitation” or “[t]o afford place to.”  At a minimum, it is clear that the quartering concept encompasses “something less than a permanent occupation.”  It is unclear whether any mere trespass would suffice, or whether there must be some extended use of the private property to constitute quartering.
Given the definition and purpose of the quartering provision, it is likely that cyberoperations could constitute quartering to the extent that they involve intruding into and placing files on a private system. These files can cause damage and impose costs on the “Owners” similar to the “Soldier[s]” quartered in a traditional Third Amendment case.
Here's why this argument fails:
  • The term "quarter" and many of the terms used to define it ("lodge," "dwell," "habitation") all seem to require a human subject.  I would not say that I "lodge" my shirt in the closet, that I give "habitation" to my books on my shelf, or that my forks "dwell" in the drawer.  These terms all require at least a living subject.
  • Regarding the discussion under the "soldier" problem, if we assume that a citation to an English case equals the meaning of a word in a constitutional amendment (which I am not willing to do) we at most might be able to say that horses may be quartered under the Third Amendment.
  • Note that even if we ignore the requirement of a living subject, Butler attempts to move from the dictionary definitions of "quartered" to a historical definition -- describing intrusion, damages, and costs that quartered soldiers may cause and noting that military files can cause the same type of harm.  Intrusion, damages, and costs are nowhere to be found in Butler's definition of "quartered."
Because claiming that software can be "quartered" strains the definition of the term, the Third Amendment does not seem to cover military software.

The House Problem

Butler devotes most of his defensive argumentation to the issue of whether the Third Amendment's "in any house" language applies to computers.  To paraphrase:
  • The term in the amendment was meant to cover all areas in which an individual has a right to exclude.  This is supported by reading the amendment in the context of the Fourth Amendment and the British quartering acts to which the Third Amendment responded, which permitted the quartering of soldiers in public houses, uninhabited houses, barns, outhouses, and other buildings.
  • The broad property-based interpretation of "house" has been confirmed in the courts, notably in Engblom v. Carey, 677 F2d 957 (2d Cir. 1982) which said that the Third Amendment would apply to tenants as well as to owners.  Butler also cites Custer County Action Association v. Garvey, 256 F.3d 1024 (10th Cir. 2001) which rejected a Third Amendment argument pertaining to airspace above homes because homeowners did not have a right to exclude others from that airspace.
  • Concluding that "When framed as a right to exclude the military from private property, it is clear that computers, networks, and other systems fall within the scope of the Third Amendment."
There is a lot to go into here, but I will do my best to keep it orderly.  Regarding the first point on reading the Third Amendment in context:
  • If this accurately characterizes the legal landscape of the time, the "house" language of the Third Amendment reveals nothing more than sloppy drafting.  If the British Quartering Statutes went into the specificity of the buildings in which soldiers could be quartered, it would have made sense for the Third Amendment to be drafted in a manner that excluded soldiers from these particular buildings.  As the amendment is written, it only refers to houses -- a narrow subset of buildings in light of the quartering statutes.
  • Butler seems to attempt to preempt this point by noting that the drafters rejected an alternate, specific version of the Third Amendment that specified public houses, which indicates that the founders wanted a more general amendment.  This alternate version would have permitted lodging of soldiers in public houses, however, meaning that it was likely rejected not for its specificity, but for its explicit leniency.
  • And the Fourth Amendment provides context of just how specific amendments can be, specifying "persons, houses, papers, and effects," instead of just "house."  The Third Amendment's narrow wording contrasts with the Fourth Amendment's explicitly broader scope.
Regarding interpretations of "house" in the case law:
  • The situation in Engblom dealt with a situation where people were living in an area, making that area more like a house.  It is not clear whether the reasoning behind that holding would apply to any situation simply involving property -- Engblom seemed to have been primarily informed by privacy concerns, which are at their zenith in the home or its equivalent.
  • The Custer County Action Association is not helpful.  Surely the right to exclude is a necessary, but probably not sufficient, part of the "house" concept, meaning that if there is no right to exclude, there can therefore be no Third Amendment violation.  Unfortunately, Butler seems to take the case to stand for the proposition that the right to exclude is a sufficient part of the "house" definition, a proposition that goes far beyond the holding of the case.
And as far as property paradigms go:
  • It is much harder to sustain an analogy between digital and physical property.  If a soldier is quartered in your house, he or she will take up space and be noticeable.  Military cyberweapons that Butler discusses, however, such as Stuxnet, are only successful because they can pass from machine to machine without being noticed.  Any "intrusion" by these programs seems far less a violation of property rights because the intrusion is not noticed and has no discernable effect on civilian computers.
Because of all of this, it appears that "house" in the Third Amendment does not apply to computers.

Conclusion

I think that the Third Amendment is interesting and is a useful vehicle for surveying history and exploring the limits of the government's police power.  There are also some cases, albeit rare, when Third Amendment violations occur and should be addressed.  When it is discussed appropriately, it meets these purposes.  When it is used incorrectly, however, nothing gets done.

Butler's discussion of the Third Amendment, while raising interesting points about government policy and power, ultimately achieves nothing.  If there are stronger arguments to be made for Butler's interpretation of the amendment, they were not made in the article.  While the Third Amendment may be a useful analogy or point of context in discussions of government cyber power, the amendment is of very little practical significance.

No comments:

Post a Comment