The push to reform ECPA -- the Electronic Communications Privacy Act -- have been going on basically as long as this site has been in existence (i.e. nearly 20 years). There are lots of problems with ECPA, but the big one that everyone points to is that it considers any communication that's on a server more than 180 days to be "abandoned" and accessible without a warrant. That perhaps made some amount of sense back in 1986 when the law was written, because everything was client-server and you downloaded your email off the server. But in an age of cloud computing and webmail it makes no sense at all. Still, the IRS and the SEC really, really liked the ability to use ECPA to snoop on people's emails.
In the past few years, Congress has kept supporting reform, but it always dies when some part of the administration complains and tries to block it. And yet, each time it enters Congress, it gets more and more sponsors. And, finally, the full House has voted to pass the Email Privacy Act. It was no surprise that it passed. The bill had an astounding 315 cosponsors. Seriously:
Still, it's impressive that the bill ended up passing unanimously, 419 votes to 0 (and 14 missing votes). On an issue like this, that's surprising. You figured there would be some Congressional rep from somewhere arguing that this would let terrorists and child predators off the hook or something.
The bill is certainly not perfect, and could be improved, but it's nice to see the House get the basics right. Now, we wait and see what happens in the Senate... Will the Senate ignore a unanimous House and let this bill just die, or will it finally do the right thing and protect email privacy?
Microsoft isn't the first company to sue the government over its gag orders. Google, Yahoo, Twitter, and a small ISP called Calyx Internet Access have all taken the government to court over its various demands for secrecy it ties to its National Security Letter requests.
But the more the merrier. Sooner or later, someone's going to have to side with the recipient. As Microsoft alleges in its announcement of the lawsuit, the secrecy problem is getting worse, instead of better -- despite the national discussion over domestic surveillance, expanded government power and the ongoing circumvention of due process.
It's not that Microsoft believes the government is never entitled to secrecy. It's that the demand for secrecy seems to be its default position.
To be clear, we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation. But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.
The government is demanding information from Microsoft while telling it to shut up nearly 150 times a month.
Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data.
Worse, in a majority of these cases, Microsoft has been ordered to maintain its silence indefinitely.
Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.
The lawsuit claims these gag orders violate multiple rights of multiple parties. Those whose data is being requested are having their Fourth Amendment rights violated by the undisclosed searches. Microsoft's First Amendment rights are being violated by the accompanying gag orders.
At the center of Microsoft's lawsuit is a terrible law: the ECPA.
Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (“ECPA”) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a “reason to believe” that disclosure might hinder an investigation. Nothing in the statute requires that the “reason to believe” be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place.
That antiquated law (passed decades before cloud computing existed) allows courts to impose prior restraints on speech about government conduct—the very core of expressive activity the First Amendment is intended to protect— even if other approaches could achieve the government’s objectives without burdening the right to speak freely. The statute sets no limits on the duration of secrecy orders, and it permits prior restraints any time a court has “reason to believe” adverse consequences would occur if the government were not allowed to operate in secret. Under the statute, the assessment of adverse consequences need not be based on the specific facts of the investigation, and the assessment is made only at the time the government applies for the secrecy order, with no obligation on the government to later justify continued restraints on speech even if circumstances change…
As the lawsuit points out, the outdated law isn't built to handle the reality of cloud computing. Unfortunately, law enforcement agencies like the FBI are perfectly willing to exploit the loopholes this mismatch provides. Rather than approach individuals under investigation and search their home or place of business (if that's where the communications are stored/originate) the government uses the ECPA to demand information from virtually unrelated parties like service providers, simply they provide cloud storage options.
The Fourth Amendment’s requirement that government engage only in “reasonable” searches necessarily includes a right for people to know when the government searches or seizes their property. See Wilson v. Arkansas, 514 U.S. 927, 934 (1995). For example, if the government comes into a person’s home to seize her letters from a desk drawer or computer hard drive, that person in almost all circumstances has the right to notice of the government’s intrusion. The same is true when the government executes a search of a business to seize emails from the business’s on-site server. But Section 2705(b) subjects Microsoft’s cloud customers to a different standard merely because of how they store their communications and data: the statute provides a mechanism for the government to search and seize customers’ private information without notice to the customer, based upon a constitutionally insufficient showing. In so doing, Section 2705(b) falls short of the intended reach of Fourth Amendment protections, which do not depend on the technological medium in which private “papers and effects” are stored.
It also points out how the government has used the law to treat physical searches and digital searches completely differently, thanks to the flaws in the legislation. While physical "sneak-and-peek" searches can be performed without notification of the target, the silence can only be maintained for 30-90 days. But if it goes after cloud backups, it can approach Microsoft and hit it with an indefinite demand for silence.
For these reasons, Microsoft asks the Court to declare that Section 2705(b) is unconstitutional on its face.
To sum up using all the metaphors, this swing for the fences could kill several birds with one stone if the court finds in favor of Microsoft: ECPA will be hobbled badly and will no longer be the go-to justification for government gag orders and, if the gag orders themselves survive, they'll likely be limited to something less than "indefinitely" and be held to a higher level of scrutiny when they're issued.
We've been talking about and asking for ECPA reform for many, many years, and it might finally be moving forward. ECPA is the Electronic Communications Privacy Act, which details how the government can get access to your electronic communications. The law was written in the early 1980s, and as you've probably noticed, we live in a very different world these days as it pertains to electronic communications. One key example: the law says that messages left on a server for more than 180 days are considered abandoned and can be searched without a warrant. That may have made some sense (though, not really) in a client-server era, where everyone downloaded their messages leading to them being deleted from a server, but it makes no sense at all in an era of cloud computing.
The main foes against updating ECPA have been government agencies that have investigatory powers, but not the ability to get a warrant -- mainly the SEC and the IRS, with the SEC being the real stumbling block. The SEC really liked the fact that it could snoop through emails without a warrant. So, even with massive support in Congress, ECPA reform never went anywhere.
So it was a bit surprising to folks this week to see Rep. Bob Goodlatte announce that the Judiciary Committee will now markup the ECPA reform bill, meaning that the bill is moving forward again. It's not entirely clear why it's happening now, but at the very least, it sounds like the SEC's constant protests may no longer be an obstacle. Hopefully it does move forward, and whatever results from the process leads to much stronger privacy protections on electronic communications, such as actually requiring a warrant, like the 4th Amendment says should happen.
from the updated-for-government-needs-and-wants dept
The SEC (Securities and Exchange Commission) has been fighting much-needed updates to the ECPA (Electronic Communications Privacy Act) for a few years now, claiming that treating old email like new email would somehow strip it of its power to investigate and punish wrongdoing. For no discernible reason, legislators decided to treat electronic mail like physical mail, designating unopened emails over six months old "abandoned" and accessible by almost anyone using nothing more than a subpoena.
Moving the law towards logic would insert a warrant requirement for old emails, bringing them under the same protection as emails less than 180 days old. But it's not just the SEC that's resistant to changing the law. It's also local law enforcement and the DOJ itself, both of which have greater powers than the SEC when it comes to accessing electronic communications.
The most recent hearing featured testimony from the SEC, DOJ and, for no discernible reason, the Tennessee Bureau of Investigation. The consensus is that the law should be updated, but not that part of it (SEC) and only if it makes it easier for law enforcement to obtain more stuff without warrants (DOJ, TBI).
The SEC's argument against the introduction of a warrant requirement is that it would prevent the agency from obtaining other user data from ISPs using only a subpoena, glossing over the fact that it likes having warrantless access to tons of email.
When we conduct an investigation, we generally will seek emails and other electronic communications from the key actors via an administrative subpoena – a statutorily authorized mechanism for gathering documents and other evidence in our investigations. In certain instances, the person whose emails are sought will respond to our request. But in other instances, the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct. In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.
It is at this point in an investigation that we may in some instances, when other mechanisms for obtaining the evidence are unlikely to be successful, need to seek information from the internet service provider (ISP). H.R. 699 would require government entities to procure a criminal warrant when they seek the content of emails and other electronic communications from ISPs. Because the SEC and other civil law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather evidence, including communications such as emails, directly from an ISP, regardless of the circumstances.
As is (sort of) admitted in the SEC's testimony, the current law provides more protection for physical documents than electronic ones. However, SEC Director Andrew Ceresney spins this as an argument against modifying the ECPA.
Some have asserted that providing civil law enforcement with an ability to obtain electronic communications from ISPs in limited circumstances would mean electronic documents enjoy less protection than paper documents. That is not accurate. Indeed, as currently drafted, H.R. 699 would create an unprecedented digital shelter – unavailable for paper materials – that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.
The DOJ and Tennessee Bureau of Investigation also express alarm at the proposed rollback of subpoena powers, but they use the kidnapping of children, rather than financial misconduct, as their starting points.
While the DOJ admits the 180-day cutoff period makes very little sense, it suggests no fixes along those lines. Instead, it suggests warrant exceptions for Pen Register statutes (information about communications) be aligned with those in the Wiretap Act (the communications themselves) so DOJ agencies can acquire the data along with the communications when operating a wiretap. It makes a certain amount of sense, but it's actually just the DOJ asking for the less-stringent set of exceptions (tied to the Wiretap Act, believe it or not) to be applied across the board.
It also asks for legislators to better define what can be accessed with certain orders to eliminate "inconsistency" in judge behavior.
The Fifth Circuit has interpreted this provision to require a court to issue a 2703(d) order when the government makes the “specific and articulable facts” showing specified by § 2703(d). See In re Application of the United States, 724 F.3d 600 (5th Cir. 2013). However, the Third Circuit has held that because the statute says that a § 2703(d) order “may” be issued if the government makes the necessary showing, judges may choose not to sign an application even if it provides the statutory showing. See In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). The Third Circuit’s approach makes the issuance of § 2703(d) orders unpredictable and potentially inconsistent; some judges may impose additional requirements, while others may not.
(Hey, judicial inconsistency isn't much fun for defendants, either.)
Once again, the DOJ is looking for a less-stringent standard to be applied, rather than truly looking to bring this law into the 21st century. Its plea for "technologically-neutral" handling of communications data is similarly focused on applying a lower standard to the acquisition of communications, no matter their source.
The Tennessee Bureau of Investigation, on the other hand, argues that an updated ECPA would put too much power in the hands of ISPs and other entities responsive to law enforcement warrants and subpoenas.
H.R. 699 goes far beyond the commonly stated goal of modernizing ECPA by requiring a search warrant for all stored content. In fact, it creates protections for a wider range of stored electronic evidence that could pose a greater hindrance to law enforcement than protections afforded evidence stored on a computer inside a house or office. Searches in response to ECPA process are performed by service providers, not by law enforcement officers, and H.R. 699 extends the notice provisions previously necessary only with lesser levels of process like subpoenas along with the probable cause standard. The end result is that law enforcement has to get a search warrant to access more evidence, and must bear the added burden of notice requirements that were previously limited to lesser process, without the benefit of controlling the execution of the warrant.
Apparently, any increase in difficulty -- no matter its relation to the Fourth Amendment -- is unacceptable.
Because H.R. 699 in its current form imposes burdens that will make our job harder without offering any relief in other areas, we urge the committee not to pass H.R. 699 without amending the bill to reflect greater sensitivity to the concerns of the state and local law enforcement community. When we have to get a warrant, it should mean something; right now, H.R. 699 turns the compulsory process of a search warrant into a subpoena with a higher proof requirement.
The Bureau's Richard Littlehale further lays out his argument for lowered requirements by claiming entities being served with legal paperwork have been less than helpful in the past.
In many instances, we are unable to utilize evidence that would be of enormous value in protecting the public because the technologies used to carry and store that information are not accessible to us, no matter what legal process we obtain. That may be because of technological problems, but just as frequently it is because of non-technical barriers to access. The companies that retain these records are often unable or unwilling to respond to law enforcement’s lawful demands in a timely manner, and there are few consequences for an incomplete or inaccurate response. The primary emergency disclosure provision in the section of ECPA that we use to obtain stored content is voluntary for the providers, not mandatory, and even where emergency access is granted to law enforcement, in some instances, there is insufficient service provider compliance staff to process legitimate emergency requests quickly.
Littlehale's argument appears to be a paraphrasing of Pat Paulsen's satirical campaign slogan: if we (law enforcement) have to up our standards, up theirs! He apparently feels ISPs, etc. don't face enough legal penalties for not immediately handing over everything law enforcement demands, whether they have the capability to do so or not. Littlehale wants warrant service under a modified ECPA to more closely resemble warrant service at a residence: where cops announce their presence after they've entered and destroyed everything they touch in search of evidence. He can't handle the fact that private entities maintain control of digital communications sought and that his agency (and others) must approach them (rather than drive up on their lawns and shoot grenades through their windows) with the proper paperwork and wait until responsive information is gathered and turned over.
Much like the DOJ and the SEC, Littlehale doesn't want an updated law. He wants a law rewritten to treat digital communications like physical communications, bringing the barrier to access and the expectation of privacy down to the lowest level possible. That's what is really being discussed here. Not a rewrite of an outdated law to reflect the reality of modern communications, but ways to make an already law enforcement-friendly law even friendlier.
For a long time now, we've been talking about the need for ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is a truly outdated piece of law that law enforcement regularly abuse to conduct warrantless searches on your digital information. There are a number of problems with it, but the most cited one is the fact that it considers emails to be "abandoned" if they've been on a server for 180 days, and thus no warrant is needed to read those emails. That may have made sense in the mid-1980s when the law passed and the few people who used email downloaded their emails from a server to a local disk, but it makes no sense at all in the cloud era. However, actually getting ECPA reform through Congress has proven difficult, in large part because some in law enforcement really like this ability to snoop on your emails.
Thankfully, here in California, Governor Jerry Brown has just signed a new bill, for CalECPA, which protects users' digital information here in California. Just like the federal ECPA should do, CalECPA requires a warrant for access to digital records, including emails and text messages -- and the same goes for geographical location information.
This is a big win for EFF and the ACLU, who have been pushing for this law to make it through the California Assembly and then have Governor Brown sign it. Now, if only we could do something similar at the federal level...
from the rewriting-history-multiple-times-per-hour dept
The word "historical" tends to conjure up images of musty buildings with plaques attached to them denoting the original construction and possibly who did what when, but several dozen years ago. While anything that happened just before right now could literally be termed "historical," most people tend to associate the word with things that happened well before the exact present.
Superior Court Judge Lucy N. Inman signed the order and Detective Mitchell submitted it to AT&T, the cellular phone service provider and holder of the account associated with the phone number. AT&T provided the records of the location of the cell phone tower “hits” or “pings” whenever a call was made to or from the cell phone. AT&T sent emails of the longitude and latitude coordinates of these historical cell tower “hits” to Detective Mitchell every fifteen minutes. Detective Mitchell testified an approximately five- to seven-minute delay occurred between the time the phone “pinged” a cell phone tower and the time AT&T received and calculated the location and sent the latitude and longitude coordinates to him.
This location info helped track the defendant to a motel and he was arrested shortly thereafter. The defendant sought to suppress the warrantless "search" of his cell phone and its location (obtained via a phone records production order that ran from a month before it was requested to two days after the request was granted [December 10, 2012]). The location data that traced the defendant back to the motel room was acquired (with a 5-7 minute delay) on December 11.
The defendant argued that the "real time" tracking of his location violated his Fourth and Fourteenth Amendment rights (as well as analogous parts of North Carolina's constitution). The court doesn't buy these arguments, citing the Stored Communications Act, which allows government entities to obtain certain third party records without a warrant. It says the difference between what's been considered unconstitutional by several courts -- obtaining real-time location information with a tracking device -- isn't what's happening here.
It argues that because the police didn't intercept these "records," everything is above-board, even if the sought "historical" data included two days of "records" that were created after the court order was approved.
Several courts have held the SCA permits a government entity to obtain cell tower site location information from a third-party service provider in situations where the cell tower site location information sought pre-dates the court order and where the cell tower site location information is collected after the date the court order issues. Although the former may technically be considered “historical” while the latter is “prospective” in relation to the date of the court order, both are considered “records” under the SCA. The government entity only receives this information after it has been collected and stored by the third-party service provider.
In plainer English, this means law enforcement entities can seek "historical" records from the "future," with the mitigating factor being that the records are collected by third parties first. A short delay of a few minutes is enough to call these records "historical" under this interpretation.
In a slightly-dissenting concurrence, Judge C.J. McGee diagrees with the court's definition of "historical" records (while finding the overall opinion valid because of the good faith exception).
Because most federal courts recognize that historical cell site information consists of information generated prior to the issuance date of a judicial order that allowed law enforcement to obtain such records for a given defendant, and because I believe allowing the majority’s characterization of the information provided by AT&T to law enforcement, based on the facts in this case, would effectively obliterate the distinction between “historical” and “real-time” cell site information, I must respectfully disagree with the majority’s characterization.
McGee points to a few details that make this "historical" location data far more analogous to real-time tracking: the fact that the court order allowed for the acquisition of cell site location records for two days past the point of issuance, that the police and AT&T remained in constant contact during the tracking of the suspect and the same short delay ("5-7 minutes") that the majority declared made the records "historical."
While the majority's interpretation dilutes the meaning of "historical" by including location data yet to be generated under its warrantless wing, it does point out to possible future problems with the use of Stingray devices. These have often been deployed with the same sort of court orders, but contain the ability to track individual phones in real time. Once more details on these deployments come to light, the courts will be forced to confront a plethora of Fourth Amendment violations -- at least if they're going to remain consistent with this interpretation of "historical."
A potentially big ruling came out of the courtroom of Judge Lucy Koh yesterday, in which she affirmed a magistrate judge's decision to tell the government to get a warrant if it wants to obtain historical location info about certain "target" mobile phones (officially known as "Cell Site Location Info" -- or CSLI). The government sought to use a provision of the Stored Communications Act (a part of ECPA, the Electronic Communications Privacy Act) to demand this info without a warrant -- using a much lower standard: "specific and articulable facts" rather than the all important "probable cause." Judge Koh says that's doesn't pass 4th Amendment muster, relying heavily on the important Supreme Court rulings in the Jones case, involving attaching a GPS device to a car, and the Riley case about searching mobile phones.
Based on the preceding U.S. Supreme Court cases, the following principles are manifest:
(1) an individual’s expectation of privacy is at its pinnacle when government surveillance intrudes
on the home; (2) long-term electronic surveillance by the government implicates an individual’s
expectation of privacy; and (3) location data generated by cell phones, which are ubiquitous in this
day and age, can reveal a wealth of private information about an individual. Applying those
principles to the information sought here by the government, the Court finds that individuals have
an expectation of privacy in the historical CSLI associated with their cell phones, and that such an
expectation is one that society is willing to recognize as reasonable.
This is big. Obviously, the government is likely to appeal, and so as a first pass, this might seem meaningless. We've still got an appeals court (and possibly a rehearing) and a Supreme Court to get to, but as a first ruling, it's a good one. Koh's analysis is pretty thorough. It notes the similarities to both the Jones and Riley cases:
Here, as in Jones, the government seeks permission to track the movement of
individuals—without a warrant—over an extended period of time and by electronic means. CSLI,
like GPS, can provide the government with a “comprehensive record of a person’s public
movements that reflects a wealth of detail about her familial, political, professional, religious, and
sexual associations.” Riley, 134 S. Ct. at 2490 (quoting Jones, 132 S. Ct. at 955 (Sotomayor, J.,
concurring)). With the proliferation of smaller and smaller base stations such as microcells,
picocells, and femtocells—which cover a very specific area, such as one floor of a building, the
waiting room of an office, or a single home, ...—the government is
able to use historical CSLI to track an individual’s past whereabouts with ever increasing
precision. See Riley, 134 S. Ct. at 2490 (explaining that a cell phone’s “[h]istoric location
information . . . can reconstruct someone’s specific movements down to the minute, not only
around town but also within a particular building”). At oral argument, the government agreed that
in some instances CSLI could locate an individual within her home, ... and did not dispute that CSLI will become more precise as the number of cell towers
continues to multiply.... This admission is of constitutional significance because rules
adopted under the Fourth Amendment “must take account of more sophisticated systems that are
already in use or in development.”...
In fact, the information the government seeks here is arguably more invasive of an
individual’s expectation of privacy than the GPS device attached to the defendant’s car in Jones.
This is so for two reasons. First, as the government conceded at the hearing, over the course of
sixty days an individual will invariably enter constitutionally protected areas, such as private
residences.... Tracking a person’s movements inside the home matters for
Fourth Amendment purposes because “private residences are places in which the individual
normally expects privacy free of governmental intrusion not authorized by a warrant, and that
expectation is plainly one that society is prepared to recognize as justifiable.” Karo, 468 U.S. at
714; see also Kyllo, 533 U.S. at 31 (“At the very core of the Fourth Amendment stands the right of
a man to retreat into his own home and there be free from unreasonable governmental intrusion.”
(internal quotation marks omitted)). As one court put it, “Because cellular telephone users tend to
keep their phone on their person or very close by, placing a particular cellular telephone within a
home is essentially the corollary of locating the user within the home.” ....
Second, the government conceded at oral argument that, compared to GPS tracking of a
car, the government will “get more information, more data points, on the cell phone” via historical
CSLI... (“But, yes, of course the person has the phone
more than they have their car, most people at least do, so it gives [the government] more data.”).
Cell phones generate far more location data because, unlike the vehicle in Jones, cell phones
typically accompany the user wherever she goes.... Indeed, according to a survey
cited by the U.S. Supreme Court in Riley, “nearly three-quarters of smart phone users report being
within five feet of their phones most of the time, with 12% admitting that they even use their
phones in the shower.”....
Judge Koh points to some survey data from Pew (sent in by EFF) noting that many, many people consider their location information to be "sensitive information" and, on top of that, the fact that CSLI is generated even if someone turns off the GPS or "location data" features on their phone -- meaning they can't even opt out of generating such information to try to keep it private.
More importantly, Judge Koh takes on the issue of the infamous third party doctrine and the awful Smith v. Maryland precedent, which says you have no expectation of privacy in data held by third parties. To date, the Supreme Court has punted on this issue in the Jones and Riley cases. However, Koh addresses the issue head on, and says the third party doctrine should not apply to phone location data like this. The key issue: in the Smith case, the "information" that was given to the third party was the phone number being dialed. This was information that the caller voluntarily conveyed to the phone company in order to make the call. Judge Koh points out that this information is quite different:
Cell phone users, by contrast, do not “voluntarily convey” their location to the cellular
service provider in the manner contemplated by Miller and Smith. This is especially true when
historical CSLI is generated just because the cell phone is on, such as when cell phone apps are
sending and receiving data in the background or when the cell phone is “pinging” a nearby cell
tower. As the government’s FBI special agent explained, “CSLI for a cellular telephone may still
be generated in the absence of user interaction with a cellular telephone.” .... “For
example,” the special agent continued, CSLI may be generated by “applications that continually
run in the background that send and receive data (e.g. email applications).” ... At oral argument,
the government confirmed that its § 2703(d) application authorizes the government to obtain
historical CSLI generated by such activities.
[....] In so doing, a cell phone
periodically identifies itself to the closest cell tower—not necessarily the closest cell tower
geographically, but the one with the strongest radio signal—as it moves through its network’s
coverage area.... This process, known as “registration” or “pinging,”
facilitates the making and receiving of calls, the sending and receiving of text messages, and the
sending and receiving of cell phone data.... Pinging nearby cell towers is automatic and
occurs whenever the phone is on, without the user’s input or control.... This
sort of pinging happens every seven to nine minutes....
In Miller and Smith, the individual knew with certainty the information that was being
conveyed and the third party to which the conveyance was made. Cell phone users, on the other
hand, enjoy far less certainty with respect to CSLI. CSLI, in contrast to deposit slips or digits on a
telephone, is neither tangible nor visible to a cell phone user. When the telephone user in Smith
received his monthly bill from the phone company, the numbers he dialed would appear.... The CSLI generated by a user’s cell phone makes no such appearance.... Rather, because CSLI is generated automatically whenever a cell tower detects radio
waves from a cell phone, a cell phone user typically does not know that her phone is
communicating with a cell tower, much less the specific cell tower with which her phone is
communicating.... It may be, as the government explained, that a cell phone
connects to “many towers” during the length of a call,... and the tower to which a cell
phone connects is not necessarily the closest one geographically.... Moreover, when
an app on the user’s phone is continually running in the background, ... she may
not be aware that the cell phone in her pocket is generating CSLI in the first place.
And thus, even with the third party doctrine, this information is quite different than that discussed in the Smith v. Maryland case, which involved phone numbers dialed:
In light of the foregoing, the Court concludes that historical CSLI generated via continuously operating apps or automatic pinging does not amount to a voluntary conveyance of
the user’s location twenty-four hours a day for sixty days. Such data, it is clear, may be generated
with far less intent, awareness, or affirmative conduct on the part of the user than what was at
issue in Miller and Smith. Unlike the depositor in Miller who affirmatively conveyed checks and
deposit slips to the bank, or the telephone user in Smith who affirmatively dialed the numbers
recorded by the pen register, a cell phone user may generate historical CSLI simply because her
phone is on and without committing any affirmative act or knowledge that CSLI is being
generated. Smith, for example, never contemplated the disclosure of information while the
landline telephone was not even in use.
This sort of passive generation of CSLI does not amount to a voluntary conveyance under
the third-party doctrine.
Judge Koh notes that this ruling isn't rejecting the ruling in Smith -- rightly noting that only the Supreme Court can determine that it's no longer good law -- but notes that the ruling there is different enough from this one that it does not apply. Ideally, the Supreme Court will get around to rejecting the ridiculous third party doctrine altogether, but if it must stand, a ruling like this is helpful in returning just a bit of 4th Amendment protected privacy to the American public.
from the SOMEONE-SHOULD-REALLY-FIX-THAT-SOMETIME dept
The Obama administration must be doing a little housecleaning in preparation for the 2016 winner. After months of highly-sporadic and belated responses to We The People petitions, it's answered two big ones (that have been sitting around forever) in a single day. It's also issued a handful of otherresponses to open petitions, some of which are little more than "we decline to respond," accompanied by a link to the site's Terms of Participation.
It took on two big petitions today. The first was a response to a request to pardon Snowden, which it denied under its "No Good Whistleblowing Goes Unpunished" policy. The second asked for a long-delayed rewrite of an outdated law.
The Electronic Communications Privacy Act has been in need of reform for years. If nothing else, the law's misleading name needs to be changed. One of the more notorious aspects of the law is that it gives email less privacy protection than snail mail, which is already an exceedingly low bar.
The administration agrees that reform of this law -- which treats email older than six months as "abandoned" and thus easily-accessible by law enforcement -- is needed. However, it does so both belatedly, vaguely and disingenuously.
It's obvious that many -- and arguably, most -- Americans today use email as one of their primary means of communication. Particularly in an era where we keep so much of our lives online, the content housed there deserves strong privacy protections -- which is at the core of what ECPA was designed to do. But over time, technology has evolved.
Which is why our policy teams agree with you: ECPA is outdated, and it should be reformed.
This is good news. Or it would be if there were any particular plan to get something done. While the response agrees that the outdated law's take on email privacy protection is pretty much terrible, the administration doesn't seem too willing to push for any specific reform effort.
We know there are still important details being worked out across government and in the halls of Congress. We aren't going to endorse a single ECPA-reform bill at this time. As any given bill goes through committee and makes its way to the House and Senate floors, the draft is negotiated and modified to address concerns and strengthen the bill.
In other words, we like the idea of reform so much we're going to do nothing about it. While efforts have been made over the past few years, they've been stalled/gutted to appease law enforcement and (yes, really) regulatory agencies' interests. Very little forward motion has been made and without something stronger than "we'll probably support whatever actually makes its way to the President's desk" propelling this reform, it could still be several more years before the already-outdated law is rewritten to properly address a communication method that originated nearly 45 years ago.
Finally, the response sends a mixed message about reform in the very last sentence.
That said, we're encouraged by the strong bipartisan support for updating this legislation in both chambers of Congress, and are looking forward to seeing this law address today's technological realities while preserving the interests we must protect.
This seems to indicate it will be more supportive of a bill that has the backing law enforcement and other government agencies. A warrant requirement for emails older than six months isn't that much of an imposition, but so far, it's been a tough idea to sell. This last sentence shows the administration finds the government's "interests" worth protection. The privacy interests of millions of Americans? Not so much.
For many years now, we've been writing about the need for ECPA reform. ECPA is the Electronic Communications Privacy Act, written in the mid-1980s, which has some frankly bizarre definitions and rules concerning the privacy of electronic information. There are a lot of weird ones but the one we talk about most is that ECPA defines electronic communications that have been on a server for 180 days or more as "abandoned," allowing them to be examined without a warrant and without probable cause as required under the 4th Amendment. That may have made sense in the 1980s when electronic communications tended to be downloaded to local machines (and deleted), but make little sense in an era of cloud computing when the majority of people store their email forever on servers. For the past few years, Congress has proposed reforming ECPA to require an actual warrant for such emails, and there's tremendous Congressional support for this.
And yet... it never seems to pass. The story that we keep hearing is that two government agencies in particular really like ECPA's outdated system: the IRS and the SEC. Since both only have administrative subpoena power, and not the ability to issue warrants like law enforcement, the lower standards of ECPA make it much easier for them to snoop through your emails without having to show probable cause. Last year, in a Congressional hearing, the SEC's boss, Mary Jo White, was questioned about this by Congressman Kevin Yoder, who has been leading the charge on ECPA reform. As we reported at the time, in the conversation, White clearly said that the SEC needed this ability or it would lose "critical" information in its investigations. You can see the conversation from 2014 below, where White (starting around 2:30) explains how vital this process is to the SEC:
Here's the key line:
"What concerns me, as the head of a... law enforcement agency, is that we not put out of reach of lawful process... what is often, sometimes the only, but critical evidence of a serious securities fraud.... And we use that authority quite judiciously, but it's extremely important to law enforcement."
What struck us as interesting last year was White admitting that the SEC appeared to regularly use this process, since she noted that it was "extremely important" and provided "critical evidence."
Fast forward to this week, and the same two players were involved in yet another Congressional hearing. You can
see that conversation here as well, with the critical point being made after about four and a half minutes, where White says some of the same stuff, about the privacy protections, and how even if the SEC used this process it still notifies the subscribers to give them a due process right to protest the subpoena... but also, oddly, seems to claim that the SEC never actually makes use of this process:
Here's the key line this time (the full response is a jumble of half sentences and unfinished thoughts, so it's a bit of a mess):
"While these discussions have been going on, to try to sufficiently balance the privacy and the law enforcement interests, we've not to date to my knowledge proceeded to subpoena the ISPs. But that, I think, is critical authority to be able to maintain -- done in the right way and with sufficient solicitousness and it's very important to the privacy interests which I do think can be balanced.
As I said, if you watch her entire response, it's a complete mess of half-finished thoughts, which seems rather typical of someone trying to sound like they're answering a question but not actually doing so. Later in the same answer, she insists that taking away this authority might take away an important tool.
So, we know that the SEC really wants to keep this tool. But last year it said it was "extremely important" and provided "critical evidence." This year, she's saying that the SEC isn't even using the tool. So, uh, which is it? Is this tool absolutely necessary for critical evidence, or is it not even being used by the SEC?
And, through all of this, the SEC still has not answered the most basic question: why can't it treat email the same way it has to treat paper documents under the 4th Amendment? That is, if it wants the document it can subpoena the end user for those documents. It does not get to route around the end user and subpoena a third party for those documents. So why can't it treat email in the same way?
from the the-last-time-we-reformed-our-privacy-laws... dept
For many, many years, we've been talking about the need for ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is an incredibly outdated piece of legislation from the 1980s that governs law enforcement's ability to access email and other electronic communications. This was the era before the internet was anywhere close to the mainstream (though it did exist). Among the various weird parts of the law, it says that any communication that is over 180 days old and still on a server is considered "abandoned" so that the government can access it without a warrant. Think about that in this era when you keep all your communications online. It was written when lawmakers thought people would "download" the messages off a server. That's just the most noteworthy problem -- there are all sorts of different definitions based on messages that have been opened or not opened and other oddities as well, almost none of which make sense.
Last year we noted that more than half of the House was co-sponsoring a bill put forth by Reps. Kevin Yoder and Jared Polis to reform ECPA in a big way. But even with so many supporting the law, it failed to move. A big hurdle? Both the IRS and SEC (note: not your standard law enforcement agencies) like the fact that they can use ECPA to snoop through electronic communications (without a warrant -- which those agencies can't get on their own anyway).
Yoder and Polis are back again with another attempt, and it's matched by a similar legislation in the Senate from Senators Patrick Leahy and Mike Lee. To get attention for the bill, Yoder, Polis and some other supporters took to Twitter in a bit of a meme fest, highlighting some historical facts to demonstrate just how long it's been since ECPA became law. It's worth scrolling through them all (though, there are a lot), because some are pretty funny:
At this point, it's a complete travesty that such a bill hasn't become law. People have explained the need for it for well over a decade, and more than half of Congress was signed on to co-sponsor it in the last Congressional term. Already this new bill has 228 additional co-sponsors in the House and another 6 co-sponsors in the Senate. The IRS and SEC's objections are simply ridiculous. Having more convenient access to someone's emails is no excuse for not better protecting the privacy of our online communications.
Of course, this isn't the only effort going on to protect privacy. Reps. Zoe Lofgren, Ted Poe and Suzan DelBene have also introduced a bill to update ECPA. It's pretty clear that Congress knows that the law needs to be updated, and it's time to get past whatever objections there are and actually start protecting our privacy.