As we've covered over and over again, the US government has made it clear that it wants access to your data. With things like the FISA Amendments Act, ECPA and various other laws, law enforcement plays the FUD card repeatedly, insisting that it needs to be able to go in and see data to "protect" the public. There's very little basis to make this claim. And, worse, by decimating online privacy, the US government may actively be driving business outside of the US to foreign countries that have stricter privacy laws that actually protect data from government snooping.
Many foreign companies are converging toward a common argument for why they’re better than their American competitors. It’s not that the foreign-made technology is better, more resilient, or more ubiquitous, nor that the foreign companies are more innovative or better managed. They compare not their businessmen but their politicians. They argue simply that American laws undermine any American product — that these laws fail to protect privacy of personal or business information of all users. This argument works partly because consumers claim to “avoid doing business” with companies they don’t trust to protect their privacy.
Basically, because law enforcement believes it needs to build a much bigger haystack as it searches for needles, we're handing other countries a key selling point in setting up services to compete with US services: "you can't trust any service based in the US, because it's subject to government surveillance." That may be a bit of an exaggeration, but I know I've seen a number of companies lately who advertise the fact that they're not based in the US to suggest that they're more secure and can keep your data private. This is not the reputation the US needs or wants right now.
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling.
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected official's mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a Phd.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then grandstand on their own ignorance -- it's time to find better politicians. Quickly.
It's been quite a day in terms of news out of DC. We've been talking about copyright/first sale, cybersecurity bills, the CFAA... and now Senator Patrick Leahy, for what feels like the 2,394th time, has introduced a plan to reform ECPA. Like the CFAA, ECPA is an extremely troubling and outdated piece of legislation where Congress tried to deal with "those computer things" back in the 1980s in a manner that just doesn't make any sense today. Mainly it has opened up massive loopholes for the US government to access your data with little to no oversight (for example, the law considers messages on a server for over 180 days to be "abandoned" and thus fair game for law enforcement, as it never considered the idea of cloud storage). Senator Leahy would like to update the law to protect our privacy, such that law enforcement would actually be required to get a warrant.
If all of this sounds familiar, you wouldn't be wrong. We've been discussing it forever. Leahy keeps introducing bills and they never seem to turn into law. Law enforcement has been his main antagonist on this, though the DOJ (somewhat surprisingly) appeared to concede today that ECPA needs significant reform, even calling out the 180 day issue explicitly in testimony before the Judiciary Committee:
Many have noted—and we agree—that some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.
That said, the DOJ is likely to push back on significant parts of any ECPA reform effort, to make sure it still has the ability to trawl through as much data as possible. Much of the testimony seems to warn of a parade of horribles that could occur if (*gasp*!) it has to get warrants for everything.
We've been writing about ECPA reform for ages. In case you haven't been following this, ECPA is an incredibly outdated law concerning the privacy of electronic communications. As it stands now, thanks to some oddities in the law, the government can often access your online data with little oversight (among the many oddities in the bill, it considers emails on a server for more than 180 days "abandoned" and accessible by the government without a warrant). While many politicians in Congress claim that they're in favor of ECPA reform, little ever seems to happen with it. Late last year it had looked like a deal might have been worked out whereby Congress would approve strong ECPA reform that would respect the privacy of our data, in exchange for also reforming privacy laws concerning video rental data (basically a favor to Netflix and Facebook).
Law enforcement, as always, flipped out about the ECPA reform bit, and at the very, very end of Congress, the video rental reform stuff passed while ECPA reform was left on the cutting room floor.
This week, however, ECPA reform has been brought back once again, this time in the House, by Rep. Zoe Lofgren, along with Reps. Ted Poe and Suzan DelBene. The proposed bill, called The Online Communications and Geolocation Protection Act, is embedded below. It's a strong bill, meaning law enforcement folks are likely to flip out again. Among the reforms, it would set up a clear and consistent standard for requiring a warrant for government access to electronic communications. That is, it will get rid of the hodge podge of ECPA rules that change based on how old the communications are, if it's been opened, if it's a draft, etc. Now, we just get one rule, across the board, and that rule is get a warrant. It also requires (with a few exceptions) that notice be given to the user/account holder, so that people actually know when the government goes looking through their data.
In an attempt to appease law enforcement, the bill leaves in many "exceptions," that will allow law enforcement to bypass these rules in certain cases. The bill would be stronger without these exceptions, but there's no way the bill passes without something like that in there.
As you may have realized from the name, the bill also has a section dealing with "geolocation" information. This is important because there are a bunch of ongoing fights concerning the privacy of your location data (obtained via mobile phones, GPS devices and such). As we've covered here repeatedly, the courts have been ruling every which way on the legality of law enforcement accessing this kind of data, and so the bill tries to clarify that, and puts in place prohibitions on the government intercepting location info without a warrant (with, of course, a few key exceptions -- including in an emergency, if the person gives consent or if the data is already public).
It's a good bill that deserves support. While it may not be perfect, it's a hell of a lot better than what we have now. This would be a huge step up in protecting our privacy from government intrusion, which means it's going to be an uphill battle against law enforcement interests to get it passed. That said, maybe this is finally the year when all those elected officials who claim ECPA reform is important get their act together and vote to approve real reform.
Google's latest transparency report, once again, highlights why we need ECPA reform in the US as soon as possible. ECPA -- the Electronic Communications Privacy Act -- is an outdated law that was supposed to be about protecting user privacy, but was written nearly three decades ago and now does exactly the opposite. Beyond being complex in ridiculous and unnecessary ways, things that were true decades ago are no longer the case. For example, the idea that emails left for 180 days on a server no longer need a warrant because under ECPA they are considered "abandoned." Whereas in the real world, where all email lives on servers for quite some time, that idea makes no sense.
Either way, the report makes clear that US government agencies are well aware that they can go trolling through Google to get information on people with little oversight. Requests -- especially requests that are purely a subpoena (with no judicial oversight) -- appear to continue to rise:
The largest part of that chart is the government subpoenas, meaning no judge had to look them over first:
68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don't involve judges.
Unfortunately, Congress had a chance to reform ECPA last year, and the Senate Judiciary Committee even approved it. But, right at the end of the year, Congress passed a separate bill that had been attached to ECPA reform by itself... and left ECPA reform to rot.
As we had hoped earlier this week, the Senate Judiciary Committee did, in fact, approve Senator Patrick Leahy's attempt at ECPA reform, which would require law enforcement to do something crazy like "get a warrant" before sifting through your email. The bill was approved despite law enforcement types freaking out that they might actually have to ask a court for permission. Senator Chuck Grassley, as expected, introduced an amendment that would have greatly weakened the warrant requirement for various federal agencies, but it was thankfully voted down.
Of course, at this point, the victory is largely symbolic, as it's happening in a lameduck Congress. The bill still needs to pass the full Senate and have a comparable House version pass as well. In other words: nothing is happening until next year when this whole process may need to repeat. And given some of the quotes from Grassley and law enforcement, there will be yet another effort to strip some of these warrant requirements. Still, it's nice to see that there's at least some recognition in Congress that electronic privacy laws are woefully out of date, and leave private information, such as emails, way too open to law enforcement snooping.
We've written a few times about the urgent need to reform ECPA -- the Electronic Communications Privacy Act, which is woefully outdated, having passed in 1986. Of course, every time there's an attempt to reform it, it seems to fail, often because folks in law enforcement like the outdated law that lets them easily spy on others without a warrant. The latest attempt at ECPA reform is a mostly good proposal from Senator Leahy that (as expected) has law enforcement types livid. The crux of the reform is that law enforcement would need to get a warrant for most situations if they wanted to peer into your electronic lives. That seems entirely consistent with that quaint concept sometimes referred to as the Fourth Amendment.
Last week there was some buzz about a possible manager's amendment from Leahy that would open the door to various federal agencies being able to issue subpoenas without having to get warrants, but Leahy has since insisted that he will introduce no such amendment. Whether it was because of the outcry about it, or if it was never really intended, is a point of some debate. But, either way, the outcry did make some impact -- though not enough. There are still rumors of similar privacy destroying amendments from other Senators at the markup, which is slated for this upcoming Thursday.
In particular, it is expected that Senator Chuck Grassley is planning to sell out the 4th Amendment by offering an amendment even worse than the one discussed last week. It would take away the requirement for a warrant for many more federal agencies. Apparently, Senator Grassley thinks that the whole requirement of warrants based on probable cause before searches can take place is a recommendation, rather than the law of the land.
Given that, a bunch of groups and organizations have teamed up to set up VanishingRights.com, a site asking people to contact your Senator today, especially if they're on the Senate Judiciary Committee (list, with phone numbers, is on the website), to let them know that (a) you support ECPA reform that requires a warrant and (b) you oppose any amendment, such as Senator Grassley's that would take away that warrant requirement. The website has tools for emailing, but also phone numbers and a possible script for calling. If you can, I highly recommend that you call rather than email, as it has a much stronger impact.
If you believe that privacy matters, and that your electronic documents deserve the basic privacy that a warrant provides, rather than just letting law enforcement sniff through your emails freely, now is the time to speak up.
Back in September, we wrote about how Senator Patrick Leahy had introduced a really good bill for ECPA reform. ECPA (the Electronic Communications Privacy Act) is an incredibly outdated bill concerning (as it says) the privacy of electronic messages. It was written in a time (the mid-1980s) before everyone had email, let alone everyone used web-based, cloud-stored email. And thus, it has weird provisions, such as considering that messages stored on a server for more than 180 days are "abandoned" and thus subject to very little privacy protections. And that's just one of many, many problems with ECPA, which treats all kinds of messages differently.
Leahy's reform was pretty straightforward: it basically said that if the government wants to see your electronic info, it needs a warrant. This seems completely reasonable and something that probably should be considered the law already if the 4th Amendment were respected. Of course, almost immediately after he introduced his reform package, we noted that the law enforcement community had freaked out over the bill, saying that if law enforcement had to actually, you know, justify its activities to a judge, it might have "adverse impact" on investigations (you know, like reading the love letters of generals).
Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.
In other words, this went from being a much needed bill to a dangerous bill very quickly. That's extremely unfortunate. ECPA reform is needed, but not this kind of reform. From what we've heard, while there is this new manager's amendment, it is not certain that Leahy will introduce this version, and may still go with his old version (or a modified version that still requires warrants). It seems important to let folks in Congress know that this possible amendment, allowing warrantless spying, is not acceptable.
Update: There's some debate over how serious this proposal was. A new report claims that this amendment wasn't likely to be seriously considered, even though it does exist. Declan McCullagh is standing by his story, and saying that the claim that this amendment won't be seriously considered is in response to the public outcry about it.
Rep. Zoe Lofgren has recently announced two brand new, but important bills (pdf): there's HR 6529, which is an ECPA reform act and HR 6530, the Global Internet Freedom Act. The ECPA reform effort is one we've discussed a few times recently. It's much needed, but law enforcement officials are pushing back against it because it would require them to get warrants before spying on electronic communications -- which is something they don't want at all. Here's what the bill would do according to Lofgren's fact sheet:
The government should obtain a warrant before compelling a service provider to disclose an individual’s private online communications.
The government should obtain a warrant before it can track the location of an individual’s wireless communication device.
Before it can install a pen register or trap and trace device to capture real time transactional data about when and with whom an individual communicates using digital services (such as email or mobile phone calls), the government should demonstrate to a court that such data is relevant to a criminal investigation.
The government should not use an administrative subpoena to compel service providers to disclose transactional data about multiple unidentified users of digital services (such as a bulk request for the names and addresses of everyone that visited a particular website during a specified time frame). The government may compel this information through a warrant or court order, but subpoenas should specify the individuals about whom the government seeks
All of these seem perfectly reasonable -- but given how hard law enforcement has fought against earlier ECPA reforms, it seems unlikely it'll go anywhere.
The Free Internet effort is also important, obviously, if a bit more vague. Lofgren's summary:
The Global Free Internet Act would create a Task Force on the Global Internet that identifies, prioritizes, and develops a response to policies and practices of the U.S. government, foreign governments, or international bodies that deny fair market access to Internet-related goods and services, or that threaten the technical operation, security, and free flow of global Internet communications. Members of the Task Force include the heads of several executive branch agencies, four U.S. persons nominated by Congressional leadership, and four U.S. persons who are not government employees nominated by the Internet itself. The Task Force would hold public hearings, issue reports no less than annually, and coordinate the activity of the U.S. government to respond to threats to the Internet. When the next SOPA-like legislation, restrictive international trade agreement, or overbroad treaty from an international body becomes a threat, it is the job of this Task Force to sound the alarm and propose a course of action
This is basically something that the government probably should have done a while ago, if it truly believed in the importance of an open and free internet... which is exactly why it, too, seems unlikely. And, of course, bills introduced at this point are unlikely to go very far, seeing as Congress is out of session for election season, only to come back briefly for a lame duck session after the election. It would be great if these bills got some attention, but unfortunately they're unlikely to do much this time around. Hopefully Lofgren introduces similar bills next year too.
We recently noted that Senator Leahy had attached his mostly good ECPA (Electronic Communications Privacy Act) reform bill to another bill reforming the VPPA (Video Privacy Protection Act). The ECPA reform would update a decades-old law that law enforcement has interpreted to more or less mean they don't need a warrant to read your online email. Leahy's update would require a warrant. This is a good and important reform that should be supported. But, of course, law enforcement freaked out and it appears that Leahy has backed down, delaying hearings on the bill for now (funny how he really wanted to push through PIPA despite massive public protests, but a few law enforcement people get upset about respecting the 4th Amendment and things get delayed). From Declan McCullagh's coverage:
The delay comes two days after a phalanx of law enforcement organizations objected to the legislation, asking Leahy to "reconsider acting" on it "until a more comprehensive review of its impact on law enforcement investigations is conducted." The groups included the National District Attorneys' Association and the National Sheriffs' Association.
[....] A person participating in Capitol Hill meetings on this topic told CNET that Justice Department officials have been expressing their displeasure about requiring search warrants. The department is on record as opposing such a requirement: James Baker, the associate deputy attorney general, has publicly warned that requiring a warrant to obtain stored e-mail could have an "adverse impact" on criminal investigations.
Of course it would have "adverse impact" on criminal investigations. So do lots of things -- but those are the rules law enforcement plays by in a free society. It's not built to make law enforcement's life easy.
Either way, it appears that this bit of ECPA reform will get pushed off once again. Hopefully, when it comes back, it won't be watered down.
For what it's worth, both the EFF and the ACLU -- who strongly support ECPA reform similar to what Leahy has been proposing -- have also not been that happy with how Leahy introduced this bill, because they both oppose the changes to the VPPA, which they're afraid will weaken privacy for people. This is a (somewhat rare, but not unprecedented) situation where I disagree with both of those organizations. The VPPA was a specific and broad carve-out to deal with a single situation (bork bork bork). I think it's reasonable to update it to allow for things like letting people choose to let Netflix and social networks share info on what movies they've watched -- just like they can choose to show what music they listen to. I don't necessarily believe that it makes sense to link the VPPA to ECPA reform, but I don't think that passing the VPPA reform is so problematic that it should stop ECPA reform. Of course, if law enforcement has its way (and so far, that seems to be the case), ECPA reform might never happen. Is it really worth worrying about how you can choose to share your Netflix movies on Facebook while the Justice Department feels it can snoop broadly through your Gmail?