Given everything that's been going on with the stories of NSA surveillance lately, it's more clear than ever that our electronic privacy laws are broken. For many years, we've written about the drastic need for ECPA reform. ECPA is the Electronic Communications Privacy Act, which was passed in 1986. As you can imagine, it's exceptionally outdated and convoluted (such as claiming that any emails on a server for more than 180 days should be considered "abandoned" and available for law enforcement to read -- a concept that makes no sense in an era of hosted email with tremendous storage). ECPA is regularly abused by law enforcement agencies seeking information on Americans. This goes well beyond what the NSA is doing in many ways. There's been support in Congress in the past for ECPA reform, but it's never quite made it.
A large group of organizations and companies -- including us at Floor64/Techdirt, along with (among others) EFF, Center for Democracy and Technology, Free Press, Fight for the Future, Demand Progress, ACLU, Engine Advocacy, CCIA, American Library Association, reddit, DuckDuckGo and more -- have teamed up to create VanishingRights.com, to push for a much needed update to ECPA's outdated rules. Instead, we'd like to see a return to basic 4th Amendment ideas like requiring a warrant to search for info. Sounds crazy, I know, but we're in an age where we actually have to tell Congress that it's time to respect the Constitution, because they seem to forget about it all too often.
The latest proposal to support ECPA reform, called the Email Privacy Act, or HR 1852, was introduced by Rep. Kevin Yoder and has 137 co-sponsors -- so it has significant support in Congress. But it needs more support if it's actually going to pass in this do-nothing Congress that we have.
Please check out the site, where you can let your elected officials know that ECPA needs to be reformed, and that it should respect the basic tenets of the 4th Amendment. You can also read more about ECPA, why it's broken, and what it means for your privacy.
The ACLU has continued its campaign to explore whether or not the government gets a warrant before scouring your email. Last month, they discovered that the IRS doesn't believe in getting a warrant -- leading to the IRS promising to change that policy. Now they've received some documents from the FBI in response to a FOIA request that again suggest that, despite the ruling in US v. Warshak, in which the 6th Circuit said that a warrant is needed to compel an ISP to turn over emails, the FBI believes it can access emails older than 180 days without a warrant, under ECPA. As we've discussed at length, ECPA (the Electronic Communications Privacy Act) is a very outdated piece of legislation which considers emails on a server over 180 days to be "abandoned" because no one considered a cloud computing future.
What the ACLU found in these documents is that the FBI hasn't updated its Domestic Investigations and Operations Guide (DIOG) in response to the Warshak ruling, and it still suggests that agents can easily access such emails without a warrant. Instead, it says:
In enacting the ECPA, Congress concluded that customers may not retain a “reasonable expectation of privacy” in information sent to network providers. . . [I]f the contents of an unopened message are kept beyond six months or stored on behalf of the customer after the e-mail has been received or opened, it should be treated the same as a business record in the hands of a third party, such as an accountant or attorney. In that case, the government may subpoena the records from the third party without running afoul of either the Fourth or Fifth Amendment.
That's a... charitable interpretation of reality. That's what Congress felt back then, but based on a very different network setup. However, as the courts noted in Warshak, the 4th Amendment is still important and still rules.
The ACLU also asked different US Attorney's offices for their guidelines, and found that policies differed greatly based on location. Northern Illinois, for example, seemed to recognize the 4th Amendment. But others, including in Texas, still seem to think that no warrant is required. As the ACLU notes, this hodgepodge of rules and the fact that the FBI hasn't changed its guidelines in response to Warshak just highlights the need for comprehensive ECPA reform.
If nothing else, these records show that federal policy around access to the contents of our electronic communications is in a state of chaos. The FBI, the Executive Office for U.S. Attorneys, and DOJ Criminal Division should clarify whether they believe warrants are required across the board when accessing people’s email. It has been clear since 1877 that the government needs a warrant to read letters sent via postal mail. The government should formally amend its policies to require law enforcement agents to obtain warrants when seeking the contents of all emails too.
More importantly, Congress also needs to reform ECPA to make clear that a warrant is required for access to all electronic communications. Reform legislation is making its way through the Senate now, and the documents released by the U.S. Attorney in Illinois illustrate that the law can be fixed without harming law enforcement goals. If you agree that your email and other electronic communications should be private, you can urge Congress to take action here.
Well, that went more smoothly than expected. Today, in a markup for reform of the Electronic Communications Privacy Act in the Senate, the Senate Judiciary Committee very quickly (like 10 minutes after it started) approved an amendment offered by Senators Patrick Leahy and Mike Lee, which would amend the law to make it so that law enforcement needs to get a warrant if it's accessing your email. As we've discussed in the past, the ECPA today is completely outdated, and treats different emails differently -- but a key point is that emails over 180 days old don't require a warrant, just a subpoena, because the law mistakenly judges them to be abandoned. The Amendment was approved by a voice vote, meaning that there was pretty strong support for it. The Leahy-Lee plan is definitely a necessary step in protecting privacy of emails, and while Leahy especially has been pushing it for a while, seeing strong support in the Senate is a good sign for (hopefully) having it become law.
The ACLU filed a Freedom of Information Act (FOIA) request last year, asking for details about whether or not IRS investigators get warrants before reading people's private communications. After finally getting 247 pages of records (which don't fully answer the questions asked), the ACLU has noted that the documents suggest that the IRS likely read private emails regularly without obtaining a warrant. In their blog post, they note that in the US v. Warshak case, the 6th Circuit made it clear that the government must get a warrant to turn over emails, and it seems clear that the IRS had to change its policy because of that.
The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.
Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.
Of course, the IRS is not alone in this. That's the same way other government agencies have treated email thanks to the outdated nature of ECPA, the Electronic Communications Privacy Act, a law written nearly 30 years ago, which assumed that any content left on a server for over 180 days was "abandoned," because the idea of online messaging systems was foreign to folks in Congress at the time.
The bigger question, though, is whether or not the IRS paid attention to the ruling in Warshak and started getting warrants. As the ACLU notes, while not entirely clear, the answer is likely "no."
Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was not.
The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.
As the ACLU notes, the IRS owes the American public a clear explanation of its view on warrants... and it should put in place a clear warrant requirement before snooping through emails.
As we've covered over and over again, the US government has made it clear that it wants access to your data. With things like the FISA Amendments Act, ECPA and various other laws, law enforcement plays the FUD card repeatedly, insisting that it needs to be able to go in and see data to "protect" the public. There's very little basis to make this claim. And, worse, by decimating online privacy, the US government may actively be driving business outside of the US to foreign countries that have stricter privacy laws that actually protect data from government snooping.
Many foreign companies are converging toward a common argument for why they’re better than their American competitors. It’s not that the foreign-made technology is better, more resilient, or more ubiquitous, nor that the foreign companies are more innovative or better managed. They compare not their businessmen but their politicians. They argue simply that American laws undermine any American product — that these laws fail to protect privacy of personal or business information of all users. This argument works partly because consumers claim to “avoid doing business” with companies they don’t trust to protect their privacy.
Basically, because law enforcement believes it needs to build a much bigger haystack as it searches for needles, we're handing other countries a key selling point in setting up services to compete with US services: "you can't trust any service based in the US, because it's subject to government surveillance." That may be a bit of an exaggeration, but I know I've seen a number of companies lately who advertise the fact that they're not based in the US to suggest that they're more secure and can keep your data private. This is not the reputation the US needs or wants right now.
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling?
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected official's mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a PhD.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then grandstand on their own ignorance -- it's time to find better politicians. Quickly.
It's been quite a day in terms of news out of DC. We've been talking about copyright/first sale, cybersecurity bills, the CFAA... and now Senator Patrick Leahy, for what feels like the 2,394th time, has introduced a plan to reform ECPA. Like the CFAA, ECPA is an extremely troubling and outdated piece of legislation where Congress tried to deal with "those computer things" back in the 1980s in a manner that just doesn't make any sense today. Mainly it has opened up massive loopholes for the US government to access your data with little to no oversight (for example, the law considers messages on a server for over 180 days to be "abandoned" and thus fair game for law enforcement, as it never considered the idea of cloud storage). Senator Leahy would like to update the law to protect our privacy, such that law enforcement would actually be required to get a warrant.
If all of this sounds familiar, you wouldn't be wrong. We've been discussing it forever. Leahy keeps introducing bills and they never seem to turn into law. Law enforcement has been his main antagonist on this, though the DOJ (somewhat surprisingly) appeared to concede today that ECPA needs significant reform, even calling out the 180 day issue explicitly in testimony before the Judiciary Committee:
Many have noted—and we agree—that some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.
That said, the DOJ is likely to push back on significant parts of any ECPA reform effort, to make sure it still has the ability to trawl through as much data as possible. Much of the testimony seems to warn of a parade of horribles that could occur if (*gasp*!) it has to get warrants for everything.
We've been writing about ECPA reform for ages. In case you haven't been following this, ECPA is an incredibly outdated law concerning the privacy of electronic communications. As it stands now, thanks to some oddities in the law, the government can often access your online data with little oversight (among the many oddities in the bill, it considers emails on a server for more than 180 days "abandoned" and accessible by the government without a warrant). While many politicians in Congress claim that they're in favor of ECPA reform, little ever seems to happen with it. Late last year it had looked like a deal might have been worked out whereby Congress would approve strong ECPA reform that would respect the privacy of our data, in exchange for also reforming privacy laws concerning video rental data (basically a favor to Netflix and Facebook).
Law enforcement, as always, flipped out about the ECPA reform bit, and at the very, very end of Congress, the video rental reform stuff passed while ECPA reform was left on the cutting room floor.
This week, however, ECPA reform has been brought back once again, this time in the House, by Rep. Zoe Lofgren, along with Reps. Ted Poe and Suzan DelBene. The proposed bill is called The Online Communications and Geolocation Protection Act. It's a strong bill, meaning law enforcement folks are likely to flip out again. Among the reforms, it would set up a clear and consistent standard for requiring a warrant for government access to electronic communications. That is, it will get rid of the hodgepodge of ECPA rules that change based on how old the communications are, if they've been opened, if they're drafts, etc. Now, we just get one rule, across the board, and that rule is get a warrant. It also requires (with a few exceptions) that notice be given to the user/account holder, so that people actually know when the government goes looking through their data.
In an attempt to appease law enforcement, the bill leaves in many "exceptions," that will allow law enforcement to bypass these rules in certain cases. The bill would be stronger without these exceptions, but there's no way the bill passes without something like that in there.
As you may have realized from the name, the bill also has a section dealing with "geolocation" information. This is important because there are a bunch of ongoing fights concerning the privacy of your location data (obtained via mobile phones, GPS devices and such). As we've covered here repeatedly, the courts have been ruling every which way on the legality of law enforcement accessing this kind of data, and so the bill tries to clarify that, and puts in place prohibitions on the government intercepting location info without a warrant (with, of course, a few key exceptions -- including in an emergency, if the person gives consent or if the data is already public).
It's a good bill that deserves support. While it may not be perfect, it's a hell of a lot better than what we have now. This would be a huge step up in protecting our privacy from government intrusion, which means it's going to be an uphill battle against law enforcement interests to get it passed. That said, maybe this is finally the year when all those elected officials who claim ECPA reform is important get their act together and vote to approve real reform.
Google's latest transparency report, once again, highlights why we need ECPA reform in the US as soon as possible. ECPA -- the Electronic Communications Privacy Act -- is an outdated law that was supposed to be about protecting user privacy, but was written nearly three decades ago and now does exactly the opposite. Beyond being complex in ridiculous and unnecessary ways, things that were true decades ago are no longer the case. For example, the idea that emails left for 180 days on a server no longer need a warrant because under ECPA they are considered "abandoned." Whereas in the real world, where all email lives on servers for quite some time, that idea makes no sense.
Either way, the report makes clear that US government agencies are well aware that they can go trolling through Google to get information on people with little oversight. Requests -- especially requests that are purely a subpoena (with no judicial oversight) -- appear to continue to rise:
The largest part of that chart is the government subpoenas, meaning no judge had to look them over first:
68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don't involve judges.
Unfortunately, Congress had a chance to reform ECPA last year, and the Senate Judiciary Committee even approved it. But, right at the end of the year, Congress passed a separate bill that had been attached to ECPA reform by itself... and left ECPA reform to rot.
As we had hoped earlier this week, the Senate Judiciary Committee did, in fact, approve Senator Patrick Leahy's attempt at ECPA reform, which would require law enforcement to do something crazy like "get a warrant" before sifting through your email. The bill was approved despite law enforcement types freaking out that they might actually have to ask a court for permission. Senator Chuck Grassley, as expected, introduced an amendment that would have greatly weakened the warrant requirement for various federal agencies, but it was thankfully voted down.
Of course, at this point, the victory is largely symbolic, as it's happening in a lame-duck Congress. The bill still needs to pass the full Senate and have a comparable House version pass as well. In other words: nothing is happening until next year when this whole process may need to repeat. And given some of the quotes from Grassley and law enforcement, there will be yet another effort to strip some of these warrant requirements. Still, it's nice to see that there's at least some recognition in Congress that electronic privacy laws are woefully out of date, and leave private information, such as emails, way too open to law enforcement snooping.