by Mike Masnick
Thu, Apr 25th 2013 7:30am
by Mike Masnick
Thu, Apr 11th 2013 11:40am
from the time-for-an-audit-of-aclu-folks dept
The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.Of course, the IRS is not alone in this. That's the same way other government agencies have treated email thanks to the outdated nature of ECPA, the Electronic Communications Privacy Act, a law written nearly 30 years ago, which assumed that any content left on a server for over 180 days was "abandoned," because the idea of online messaging systems was foreign to folks in Congress at the time.
Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.
The bigger question, though, is whether or not the IRS paid attention to the ruling in Warshak and started getting warrants. As the ACLU notes, while not entirely clear, the answer is likely "no."
Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was notAs the ACLU notes, the IRS owes the American public a clear explanation of its view on warrants... and it should put in place a clear warrant requirement before snooping through emails.
The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.
by Mike Masnick
Mon, Apr 1st 2013 3:50am
from the all-for-what? dept
Many foreign companies are converging toward a common argument for why they’re better than their American competitors. It’s not that the foreign-made technology is better, more resilient, or more ubiquitous, nor that the foreign companies are more innovative or better managed. They compare not their businessmen but their politicians. They argue simply that American laws undermine any American product — that these laws fail to protect privacy of personal or business information of all users. This argument works partly because consumers claim to “avoid doing business” with companies they don’t trust to protect their privacy.Basically, because law enforcement believes it needs to build a much bigger haystack as it searches for needles, we're handing other countries a key selling point in setting up services to compete with US services: "you can't trust any service based in the US, because it's subject to government surveillance." That may be a bit of an exaggeration, but I know I've see a number of companies lately who advertise the fact that they're not based in the US to suggest that they're more secure and can keep your data private. This is not the reputation the US needs or wants right now.
by Mike Masnick
Wed, Mar 20th 2013 11:06am
from the having-quite-a-week dept
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Lawyer: We would not honor a request from the government for such a...No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
Lawyer: I don't think that describes what private advertisers...What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected officials' mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a Phd.
Gohmert: Well, you can still be a PHUL.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then granstand on their own ignorance -- it's time to find better politicians. Quickly.
by Mike Masnick
Tue, Mar 19th 2013 3:24pm
Patrick Leahy Introduces Legislation (Yet Again) To Require Government Warrants To Get Your Electronic Info
from the dc-just-keeps-doing-remakes dept
If all of this sounds familiar, you wouldn't be wrong. We've been discussing it forever. Leahy keeps introducing bills and they never seem to turn into law. Law enforcement has been his main antagonist on this, though the DOJ (somewhat surprisingly) appeared to concede today that ECPA needs significant reform, even calling out the 180 day issue explicitly in testimony before the Judiciary Committee:
Many have noted—and we agree—that some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.That said, the DOJ is likely to push back on significant parts of any ECPA reform effort, to make sure it still has the ability to trawl through as much data as possible. Much of the testimony seems to warn of a parade of horribles that could occur if (*gasp*!) it has to get warrants for everything.
by Mike Masnick
Fri, Mar 8th 2013 3:06pm
from the that-4th-amendment-thing dept
Law enforcement, as always, flipped out about the ECPA reform bit, and at the very, very end of Congress, the video rental reform stuff passed while ECPA reform was left on the cutting room floor.
This week, however, ECPA reform has been brought back once again, this time in the House, by Rep. Zoe Lofgren, along with Reps. Ted Poe and Suzan DelBene. The proposed bill, called The Online Communications and Geolocation Protection Act, is embedded below. It's a strong bill, meaning law enforcement folks are likely to flip out again. Among the reforms, it would set up a clear and consistent standard for requiring a warrant for government access to electronics communication. That is, it will get rid of the hodge podge of ECPA rules that change based on how old the communications are, if it's been opened, if it's a draft, etc. Now, we just get one rule, across the board, and that rule is get a warrant. It also requires (with a few exceptions) that notice be given to the user/account holder, so that people actually know when the government goes looking through their data.
In an attempt to appease law enforcement, the bill leaves in many "exceptions," that will allow law enforcement to bypass these rules in certain cases. The bill would be stronger without these exceptions, but there's no way the bill passes without something like that in there.
As you may have realized from the name, the bill also has a section dealing with "geolocation" information. This is important because there are a bunch of ongoing fights concerning the privacy of your location data (obtained via mobile phones, GPS devices and such). As we've covered here repeatedly, the courts have been ruling every which way on the legality of law enforcement accessing this kind of data, and so the bill tries to clarify that, and puts in place prohibitions on the government intercepting location info without a warrant (with, of course, a few key exceptions -- including in an emergency, if the person gives consent or if the data is already public).
It's a good bill that deserves support. While it may not be perfect, it's a hell of a lot better than what we have now. This would be a huge step up in protecting our privacy from government intrusion, which means it's going to be an uphill battle against law enforcement interests to get it passed. That said, maybe this is finally the year when all those elected officials who claim ECPA reform is important get their act together and vote to approve real reform.
by Mike Masnick
Wed, Jan 23rd 2013 8:01pm
from the ecpa-reform-now dept
Either way, the report makes clear that US government agencies are well aware that they can go trolling through Google to get information on people with little oversight. Requests -- especially requests that are purely a subpoena (with no judicial oversight) appear to continue to rise:
68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don't involve judges.Unfortunately, Congress had a chance to reform ECPA last year, and the Senate Judiciary Committee even approved it. But, right at the end of the year, Congress passed a separate bill that had been attached to ECPA reform by itself... and left ECPA reform to rot.
by Mike Masnick
Thu, Nov 29th 2012 8:05pm
from the doubtful dept
Of course, at this point, the victory is largely symbolic, as it's happening in a lameduck Congress. The bill still needs to pass the full Senate and have a comparable House version pass as well. In other words: nothing is happening until next year when this whole process may need to repeat. And given some of the quotes from Grassley and law enforcement, there will be yet another effort to strip some of these warrant requirements. Still, it's nice to see that there's at least some recognition in Congress that electronic privacy laws are woefully out of date, and leave private information, such as emails, way too open to law enforcement snooping.
by Mike Masnick
Mon, Nov 26th 2012 8:37am
from the about-time dept
Last week there was some buzz about a possible manager's amendment from Leahy that would open the door to various federal agencies being able to issue subpoenas without having to get warrants, but Leahy has since insisted that he will introduce no such amendment. Whether it was because of the outcry about it, or if it was never really intended, is a point of some debate. But, either way, the outcry did make some impact -- though not enough. There are still rumors of similar privacy destroying amendments from other Senators at the markup, which is slated for this upcoming Thursday.
In particular, it is expected that Senator Chuck Grassley is planning to sell out the 4th Amendment by offering an amendment even worse than the one discussed last week. It would take away the requirement for a warrant for many more federal agencies. Apparently, Senator Grassley thinks that the whole requirement of warrants based on probable cause before searches can take place is a recommendation, rather than the law of the land.
Given that, a bunch of groups and organizations have teamed up to set up VanishingRights.com, a site asking people to contact your Senator today, especially if they're on the Senate Judiciary Committee (list, with phone numbers, is on the website), to let them know that (a) you support ECPA reform that requires a warrant and (b) you oppose any amendment, such as Senator Grassley's that would take away that warrant requirement. The website has tools for emailing, but also phone numbers and a possible script for calling. If you can, I highly recommend that you call rather than email, as it has a much stronger impact.
If you believe that privacy matters, and that your electronic documents deserve the basic privacy that a warrant provides, rather than just letting law enforcement sniff through your emails freely, now is the time to speak up.
by Mike Masnick
Tue, Nov 20th 2012 9:41am
Patrick Leahy Ready To Cave To Law Enforcement: Has ECPA Reform Amendment To Include Loopholes For Warrantless Spying
from the lame dept
Back in September, we wrote about how Senator Patrick Leahy had introduced a really good bill for ECPA reform. ECPA (the Electronic Communications Privacy Act) is an incredibly outdated bill concerning (as it says) the privacy of electronic messages. It was written in a time (the mid-1980s) before everyone had email, let alone everyone used web-based, cloud-stored email. And thus, it has weird provisions, such as considering that messages stored on a server for more than 180 days are "abandonded" and thus subject to very little privacy protections. And that's just one of many, many problems with ECPA, which treats all kinds of messages differently.
Leahy's reform was pretty straightforward: it basically said that if the government wants to see your electronic info, it needs a warrant. This seems completely reasonable and something that probably should be considered the law already if the 4th Amendment were respected. Of course, almost immediately after he introduced his reform package, we noted that the law enforcement community had freaked out over the bill, saying that if law enforcement had to actually, you know, justify its activities to a judge, it might have "adverse impact" on investigations (you know, like reading the love letters of generals).
We noted that those concerns led Leahy to delay the markup on the bill. However, it had been widely reported that the bill was back on track for late next week. And... today comes the bombshell. According to Declan McCullagh, Leahy is planning a manager's amendment to the bill that will effectively give large parts of the federal government an exception to the warrant requirement and let them snoop on your email with just a subpoena (i.e., no judicial oversight).
Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.In other words, this went from being a much needed bill to a dangerous bill very quickly. That's extremely unfortunate. ECPA reform is needed, but not this kind of reform. From what we've heard, while there is this new manager's amendment, it is not certain that Leahy will introduce this version, and may still go with his old version (or a modified version that still requires warrants). It seems important to let folks in Congress know that this possible amendment, allowing warrantless spying, is not acceptable.
Update: There's some debate over how serious this proposal was. A new report claims that this amendment wasn't likely to be seriously considered, even though it does exist. Declan McCullagh is standing by his story, and saying that the claim that this amendment won't be seriously considered is in response to the public outcry about it.