You may think that your communications with other individuals over the Internet are protected from unreasonable use by US law enforcement without subpoena and due process. The truth is, judges have been loosening the interpretation of a 1986 wiretapping law, almost pretending that it applies to present circumstances. But perhaps the greatest problem with the current Electronic Communications Privacy Act (ECPA) lies with its definitions, which at one point appear to be applicable (after several stretches of logic) to the Internet…and then, upon further review, do not.
“‘Electronic communication’ means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,” paragraph 12 of section 2510 begins. Sounds fair enough, until you go on: “…but does not include (A) the radio portion of a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit; (B) any wire or oral communication…”
If you subscribe to the FCC’s emerging definition of the Internet, as a global device that consumes spectrum, then the exceptions listed here would appear to exclude your smartphone as a component of electronic communication. That exclusion could conceivably give a crafty law enforcement officer or prosecutor the means for issuing a subpoena for information from a wireless service provider, without just cause as determined by a judge.
“‘Subpoena’ is Latin for ‘no judge has ever approved this,’” said Electronic Frontier Foundation senior staff attorney Kevin Bankston, during a news conference yesterday. “To me, that’s the distinction here. Subpoenas are issued without any judicial review, and we really need that check-and-balance, that critical protection.”
The news conference was assembled by the Center for Democracy and Technology to announce the publication of a set of proposed (and revised) principles for members of Congress to consider. Congress will, perhaps this season, hold hearings (again) on the possible modernization of ECPA, to make it clear that the same protections that applied to wiretapped telephone communication apply to Internet conversations. CDT’s leaders have once again assembled a policy coalition (its last try at this was in 2008) to promote a set of four principles that it believes new law must follow.
This time around, however, the Digital Due Process group has enlisted the support of Microsoft and Google, two names that have figured prominently in the debate over Internet users’ rights. (Facebook also figures prominently in this debate by its conspicuous absence from this coalition.)
“All private communications content stored with a service provider should be protected just as if it were stored on a laptop, or printed out or stored in a file,” stated CDT Vice President for Public Policy Jim Dempsey yesterday, listing the first of the new group’s four proposed principles. “That is, it should be protected by the warrant standard issued by a judge, based upon a finding of probable cause to believe that a crime is being committed or has been committed, and that the information is relevant to that crime.
“Currently, some e-mail stored online is protected by the warrant and some isn’t,” Dempsey continued. “And the rules as to what is protected and what isn’t protected are pretty obscure and completely unknown to the average citizen. For example, there’s the ‘180-day rule,’ which says that after 180 days at the very longest, all of your stored e-mail loses the protection of the warrant and is available to the government, with a subpoena issued without a judge, and without a finding of probable cause. So we would say, one uniform rule across the board.”
The second principle would apply a copy of that uniform rule to GPS and location information retrieved from an individual’s smartphone or laptop. Third, a law enforcement body or government entity should be required to show just cause for requesting e-mail or information about the e-mail or other communication (e.g., the names of parties in the discussion). Fourth — and certainly not least importantly — the principles suggest new law should make clear that any subpoena issued under the existing Stored Communications Act should apply to an individual or an account belonging to an individual, and requests for information belonging to anything else (such as a company or group) must be approved by a judicial finding.
“Most laypeople don’t realize this, but a subpoena is issued by the prosecutor, and often prosecutors hand it off to the FBI agents to fill in,” explained Dempsey to a reporter who asked for a summary of how the law works today under the 1986 provisions. “They may be served in the name of a grand jury, or they may be administrative subpoenas, and a number of agencies have administrative subpoena authority. Those are issued at the discretion of an executive branch official with no judicial review. The Supreme Court has said that you can issue a subpoena…not because you believe the law is being violated, but merely to assure yourself that the law is not being violated. The standard is relevance to an ongoing investigation, and relevance is the lowest and broadest of the standards for compulsory access. It would be incumbent upon a service provider to challenge a subpoena when it’s issued; often the subpoenas are issued with a delayed notice provision, meaning that the true party of interest, the customer, is not told about the subpoena in time to object to it.
“So there really are no checks and balances there that are meaningful,” he continued. “A few service providers, in a few cases, have challenged subpoenas, or have pushed back. But that in and of itself is an expensive and unpredictable process.”
Google’s representative on the new coalition made a familiar case for Google: that the public’s expectations for privacy rights have evolved faster than legislators have been able to keep up.
“This coalition is [in favor of] a very important initiative to advance what the legal protections are that cover the data that people are uploading to online services, those provided by many of the coalition members,” said Google Senior Counsel Richard Salgado yesterday. “We’re seeing tremendous change in the volume of data that people are uploading to services, the sensitivity of that data, and how that data and those services play a role in the day-to-day lives of people. Very different than how things looked in 1986 when the Web…didn’t even exist…We’re so far from that now, that you can hardly recognize the world of 1986; and yet, we’ve got a statute that envisions that bygone era. What we want to do is adjust some of the legal thresholds in the statute in a way that would make them more consistent with what users expect as their privacy right over the data that they’ve provided to these companies, and that they should expect, and doing so with thresholds that are very familiar to judges, very familiar to prosecutors, and that won’t hinder the important work that government has to do.”
For his company’s part, Microsoft Associate General Counsel Mike Hintze yesterday pointed out that cloud technologies are preparing to rewrite the definitions yet again, and that any legal framework based squarely on 2010 could very soon look like 1986.
“ECPA…just hasn’t kept up with technological changes. It doesn’t reflect how people use online services and cloud services today. Therefore, a lot of the distinctions in the statute are illogical or unclear or inconsistent, which creates challenges in terms of compliance. It’s unclear what the standard is, it creates friction between companies and law enforcement, and it creates confusion for the customers.
“More importantly than that, though, is the fact that, as more and more people embrace the benefits of cloud computing — and Microsoft…has invested huge amounts in cloud technologies, and believe there are enormous benefits to the economy and to individual users…as that technological reality permeates our society, and people start moving documents from their file drawers and their individual computers into the cloud, we just don’t believe that the balance between privacy and law enforcement should be fundamentally turned on its head,” Hintze continued. “The US Constitution protects data in your home on your own PC at a very high standard; and as people take advantage of cloud services, we don’t believe that that traditional balance of privacy vis-à-vis the state, should be fundamentally altered.”
Would revised surveillance law protect all personal data?
Recently, content providers including Google and Microsoft have been racing to comply with dueling sets of governments’ provisions worldwide: one that mandates how long they must retain information about their customers, and another that mandates they must anonymize that data, or get rid of it, after a given period of time. But as university researchers including Harvard’s Christopher Soghoian demonstrated, anonymization with respect to single databases may be pointless, as engineers with only meager knowledge of how databases work could conceivably reconstruct personally identifiable data by linking records from multiple databases.
This gets into the larger question of aggregate data — information that’s discoverable through manipulation. The principles proposed by Digital Due Process yesterday appear, on the surface, to apply to law enforcement requests for specific records from specific databases applicable to specific investigations. But what happens when data those agencies may already have reveals something they didn’t know they needed to know, once it’s all pieced together?
We asked the CDT’s Jim Dempsey. “Our principle #4 addresses this issue: It says that when the government seeks aggregate data, it must get a court order; it cannot use a prosecutor’s subpoena,” he told Betanews. With regard to requests for personally-identifiable data (PID) versus non-PID — data that can be compiled to reveal PID — Dempsey said, “ECPA does not distinguish between personally identifiable and non-personally identifiable data. Even the current law covers data that is aggregate and supposedly not personally identifiable.”
But even as the principles are currently written, could new law based on those principles effectively omit aggregate data, creating a loophole? For instance, could a law enforcement agency thwart the new rules by mining data collected in the course of other, unrelated investigations; in so doing, determine new connections between elements of data; and then characterize the resulting evidence as “plain sight” discoveries?
“Nothing in current law or in our proposal limits the government’s use of data already collected,” responded CDT’s Dempsey. “If the government lawfully acquires data one day, it can use that data months or years later in another case. ECPA and the Fourth Amendment [of the US Constitution, pertaining to citizens’ protections against unreasonable searches and seizures] address forcing companies to disclose customer data; they do not address how long the government can keep the data.”
In a statement issued yesterday, Sen. Patrick Leahy (D – Vt.), who currently chairs the Judiciary Committee, promised to hold a new set of hearings to consider the new group’s proposals…some of which have been considered before, including in committees headed or steered by Leahy.
“I applaud the announcement today by Digital Due Process and the Center for Democracy & Technology that a coalition of privacy advocates, legal scholars, and major Internet and communication service providers have joined together to release a consensus set of proposals to modernize the Electronic Communications Privacy Act. I look forward to reviewing these ideas,” stated Sen. Leahy. “While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated. In the coming months, I plan to hold hearings on much-needed updates to the Electronic Communications Privacy Act.”