Digital age leaves privacy law behind
Outdated digital privacy regulations are increasingly allowing law enforcement agencies to use Internet companies and popular social networks to do their spying.
The Fourth Amendment protects against unreasonable search and seizure of private citizens and their “persons, houses, papers, and effects” — but obviously makes no mention of e-mail in a remote server. In 1986, Congress passed a law regulating how law enforcement can access information stored and communicated electronically. That was years before the Internet became a household term and before e-mail was commonplace.
The law, known as the Electronic Communications Privacy Act, updated the 1968 Federal Wiretap Act. Now, as the Senate considers amending the ECPA to make law enforcement more accountable to the courts, Internet providers and service companies find themselves as awkward middlemen between the government and Web users.
“Rather than ‘Big Brother,’ we have lots of ‘Little Brothers,’ ” said Christopher Calabrese, a privacy lawyer at the American Civil Liberties Union.
While Internet users may think of personal information and photos on services like Gmail, Drop-box, Facebook and Twitter as their own, that information resides within easily accessible computers. In addition, Internet service providers such as AT&T and Verizon hold reams of data pertaining to
customers’ IP addresses, Web histories, geo-locations and personal information.
Critics point out that because of the outdated language in the ECPA, personal information can be accessed with a subpoena from a prosecutor — not through a warrant, which requires the review and blessing of a judge.
The ACLU, the Electronic Frontier Foundation, law professors and judges, and the Digital Due Process organization — a group that spans more than 65 technology companies and political organizations from both sides of the aisle — all agree that the ECPA needs to be updated as soon as possible. Susan Freiwald, a professor of law at the University of San Francisco, points out that one of ECPA’s biggest failings is not providing legal recourse for citizens.
In cases of eavesdropping, such as a wiretap, the subject has a right to eventually know about the surveillance. However, if an investigation digs into a person’s e-mail and isn’t brought to trial, she says, the subject rarely finds out that his or her online activities were being monitored. When law enforcement has an unbridled ability to rifle through private correspondence, “then we’re a police state,” she says.
Sen. Patrick Leahy, D-Vt., has proposed an amendment to the ECPA and announced last week that the Senate Judiciary Committee would consider the changes Nov. 29. The crux of the amendment would require investigators to serve either a warrant to the service provider or a subpoena directly to the user when seeking personal digital information. The upcoming debate over reforming the ECPA has put some companies in uncomfortable positions in regard to when they want to respect online privacy and when they don’t. The Association of National Advertisers sent a letter to Microsoft CEO Steve Ballmer professing “profound disappointment” and “strong opposition” in response to the fact that the default setting for the upcoming version of Internet Explorer would be “do not track.” Tracking users on a Web browser makes targeted advertising for new products easier.
Signers of the letter included representatives of such publicly traded giants as IBM, AT&T, Adobe Systems and Intel. Yet all four of those companies are also members of the Digital Due Process organization pushing for ECPA reform. (Microsoft is a member too.)
Law enforcement groups express concerns about the Leahy measure. The FBI Agents Association and the National Law Enforcement Officers Association wrote separate letters arguing that it would add time and paperwork, and potentially alert the suspect of the investigation.
“When lives are on the line, when seconds count, law enforcement needs lawful access to electronic communications records without undue delay,” read a letter from an assortment of national and state-level law enforcement groups.
In the first half of 2012, Google says, governments worldwide made 20,938 requests for information on 34,614 users; the United States made 7,969 of those requests. With its search engine, e-mail client Gmail, office suite Docs and videosharing YouTube — to name just a handful of services — the company has a huge window into how people use the Web.
Microblogging social network Twitter had 948 government requests for information on its users in the first half of 2012 — more than the total requests in 2011. File-sharing service Dropbox and professional network LinkedIn report similar requests, though at smaller magnitudes.
Google, Twitter and others disclose statistics on government information requests voluntarily. Notably, the world’s largest social network, Facebook, says it has no plans to publish data on government requests for information on its users. More than 200 million American and Canadian residents use the social network.
“If the CIA had built Facebook, we’d all be terrified,” points out Wired senior writer Bob McMillan.
In some cases, companies push back on the government. Google did not comply with 10 percent of its information requests in the first half of this year. In September, Twitter asked a New York court to quash a subpoena for personal information on a protester in the Occupy movement.
These fights exist because the law is unclear, says Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation. “The easiest and most sensible way to address online privacy is to apply the Fourth Amendment as if it were your house (being searched),” he said.
But online boundaries are not quite as clear as someone’s home. Digital information is usually backed up across servers, or sliced up and distributed across many servers that can reside in different districts or even countries. Also, electronic data is typically intertwined with additional personal information about the subject and other users. Presenting the digital “boundaries” of an investigation would require careful, if not incredibly difficult, explanation — and a judge who understood the technical ramifications.
The Justice Department’s manual on seizing electronic devices and records says it can access e-mails that have been opened, those in the “sent” folder, and e-mails older than 180 days with just a subpoena — rather than a court-reviewed warrant. This leaves very few e-mails that need the approval of a judge to be accessed. Ironically, the only protected emails might be those filtered to the spam folder unopened.
But law enforcement requests aren’t confined to emails. They cover all forms of electronic communication, including a user’s location, transaction logs and all other “metadata” associated with an online communication.
The Justice Department’s reach is starting to be tested in courts. In the Ninth U.S. Circuit Court of Appeals in San Francisco, Theofel vs. Farey-Jones established that the government can’t touch any e-mails more recent than 180 days old without a warrant. In 2010, the Sixth Circuit said in United States vs. Warshak that the Fourth Amendment protects e-mails of any kind. So in these jurisdictions, investigators actually have to play by different rules than they do elsewhere.
Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, says that some service providers try to get around requests by claiming they are overseen by these two federal appeals courts. They have no interest in being in the middle of any sort of investigation, he points out, and compliance costs them money.
The Supreme Court has ruled that people have an “expectation of privacy” over the phone and in written letters, requiring a warrant. But the high court has not heard a case regarding the question of e-mail privacy. Dempsey believes the Justice Department doesn’t want to present a challenge to the high court for fear of losing.
“They’re worried about losing the whole shooting match,” he says. “They know they’re on thin ice. … I don’t think they have a long-term strategy.”