North Dakota state representative Rick Becker had a good idea with his House Bill 1328, which would forbid the use of drones by law enforcement in the state without a warrant. A few other states have been looking at similar proposals, after there have been growing concerns about police using drones for surveillance activities. Virginia, for example, recently passed a law that requires a warrant for police drone use. So, good idea, Rep. Becker.
Except... in stepped Bruce Burkett, a lobbyist from the North Dakota Peace Officer's Association, who "was allowed by the state house committee to amend HB 1328" to now make it about legalizing weaponized drones for police. Yes, a "peace officer" representative just made it possible to weaponize drones. The trick? He amended the bill to make it only about "lethal weapons," which now opens the door to what police like to refer to as "less than lethal" weapons like "rubber bullets, pepper spray, tear gas, sound cannons, and Tasers" -- some of which have a history of leading to deaths, despite their "less than lethal" claims.
Even “less than lethal” weapons can kill though. At least 39 people have been killed by police Tasers in 2015 so far, according to The Guardian. Bean bags, rubber bullets, and flying tear gas canisters have also maimed, if not killed, in the U.S. and abroad.
Meanwhile, local police are still freaking out about the need to require a warrant. Check out this bit of police state nonsense:
Grand Forks County Sheriff Bob Rost said his department’s drones are only equipped with cameras and he doesn’t think he should need a warrant to go snooping.
“It was a bad bill to start with,” Rost told The Daily Beast. “We just thought the whole thing was ridiculous.”
Rost said he needs to use drones for surveillance in order to obtain a warrant in the first place.
Yes, we need to spy on your first, to then see if we should get a warrant to spy on you some more. That's not how this works.
And, now, while there will be warrant requirements for some uses -- though with broad exceptions including within 25 miles of the US/Canada border and for "exigent circumstances" -- the bill will (thanks to a lobbyist) allow the police to also experiment with weaponizing drones. If you thought the militarization of police wasn't screwed up enough, now you might need to worry about stun guns and rubber bullets hailing down from the sky...
The Peruvian President today adopted a legislative decree that will grant the police warrantless access to real time user location data on a 24/7 basis. But that's not the worst part of the decree: it compels telecom providers to retain, for one year, data on who communicates with whom, for how long, and from where. It also allows the authorities access to the data in real time and online after seven days of the delivery of the court order. Moreover, it compels telecom providers to continue to retain the data for 24 more months in electronic storage. Adding insult to injury, the decree expressly states that location data is excluded from the privacy of communication guaranteed by the Peruvian Constitution.
Of course, as the famous example of Malte Spitz showed in 2011, the stream of geolocation data from a mobile phone provides an incredibly detailed picture of where someone goes, and even what they are doing when cross-referenced with other personal digital information. It's pretty much equivalent to placing a tracking device on someone.
The EFF post goes on to point out that the move contradicts a variety of human rights obligations that Peru has undertaken to comply with. However, that is unlikely to move the Peruvian authorities much, just as it carries little weight with othercountries that have brought in data retention laws. Unfortunately, the underlying problem is deeper than bad laws like Peru's: it's that surveillance in general, and blanket data retention in particular, have become normalized around the world. Until that is addressed, it remains a constant battle to challenge the laws that reflect that approach.
We've talked a bit about the important security certificate effort being put together by EFF, Mozilla and others, called Let's Encrypt, which will offer free HTTPS security certificates, making it much easier to encrypt the web. They've been busy working on the project which is set to launch in a few months. But first... Let's Encrypt has released its first transparency report. Yes, that's right: before it's launched. As you might expect, there are a lot of zeros here:
This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there's even been a chance for the government to request information, Let's Encrypt is actually able to say "0." That may seem like a strange thing to say but, with other companies, the government has told them that they're not allowed to claim "0," but can only give ranges -- such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment.
Let's Encrypt is, smartly, getting this first report out there -- with all the zeroes -- before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.
The FBI has been really screaming its head off about the evils of encryption over the last year or so. Director James Comey keeps fearmongering about encryption, though when asked to give examples of cases where encryption had created problems, all of his "examples" turn up empty. Yet, the FBI keeps insisting that something needs to be done and, if not, there's a real risk of "going dark." One of Comey's top deputies has insisted that tech companies need to "prevent encryption above all else." And the fearmongering is working. Some politicians are already freaking out about this so-called "going dark" scenario.
In fact, next Wednesday, both the Senate Intelligence Commitee and the Senate Judiciary Committee are hosting "hearings" for Comey, about the issue of "going dark" due to encryption. The Intelligence Committee's is called "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy," while the Judiciary's is "Counterterrorism, Counterintelligence, and the Challenges of 'Going Dark.'"
So it's rather interesting that before all that, the US Courts had released their own data on all wiretaps from 2014, in which it appears that encryption was almost never an issue at all, and in the vast majority of cases when law enforcement encountered encryption, it was able to get around it. Oh, and the number of wiretaps where encryption was even encountered has been going down rather than up:
The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.
Obviously, if more communications are encrypted by default, it's true that the numbers here would likely rise. But the idea that there's some massive problem that requires destroying the safety of much of the internet, seems more than a bit far-fetched.
As computer security expert Matt Blaze noted in response to all of this, aren't there a lot of other tools out there that hide criminals from law enforcement as well? Why is there this moral panic about encryption?
In case you can't read that, it says:
I'll bet burglars wore gloves to avoid leaving fingerprint evidence a lot more than four times last year. Time for a war on gloves?
No government entity shall place, locate, or install an electronic device on the person or property of another, or obtain location information from such an electronic device, without a warrant issued by a judge based on probable cause and on a case-by-case basis.
As Watchdog.org points out, the spirit of the law is somewhat undermined by the letter of the law.
There are noteworthy exceptions, many of which appeared in previous iterations.
Tracking is permitted without a warrant with the informed consent of a device owner, unless the owner knowingly loaned it to a third party. You can track calls for 911 emergencies. A parent or legal guardian can provide informed consent to locate a missing child. The government can track its own property or employees in possession of that property. And alcohol ignition interlock control devices placed by court order would also be traceable without a warrant.
The other problem with the bill is a problem with all bills introduced by state legislators: it can't lock out federal intrusion, at least not in its present form. The bill states that it does not apply to "federal government agencies." So, if local law enforcement wants to engage in warrantless tracking of cellphones, all it has to do is partner up with a federal agency.
On top of that, there are the loopholes that have always been exploited. Stingray use -- one method of tracking location -- has routinely been hidden under more innocuous paperwork, like pen register orders. Obtaining cellphone records -- including location data -- is primarily done with subpoenas, considering most laws still treat these as third-party business records. While the law would force some of the latter requests to take the form of a search warrant, it doesn't make a clear distinction between real-time tracking and historical data.
What it does appear to outlaw is the warrantless, real-time tracking of GPS location, meaning tracking devices can only be deployed after obtaining a warrant. This is certainly a step forward, one perhaps partially prompted by the Supreme Court's US v. Jones decision. However, this would go against precedent in the First Circuit Court (which covers New Hampshire), which has found that warrantless GPS tracking devices may constitute a "search," but not to the extent that a lack of a warrant should automatically result in suppression of evidence. (Also somewhat aligned with the Supreme Court's reluctance to declare all GPS tracking worthy of a warrant.)
The court then held that it was reasonable for the agents to use the GPS device in Sparks’ case based upon reliance on clear precedent.
However, the court noted that they did not decide the issue of whether any exceptions to the warrant requirement exist for future installation use of the GPS device to monitor suspect’s movements. Therefore, future use of such GPS monitoring is governed under the United States v. Jones.
As such, the court of appeals affirmed the denial of the motion to suppress.
Although this case appeared before the judges after the Supreme Court's US v. Jones decision, the events of the case proceeded that finding. This may change rulings in the future, but for now, the First Circuit has not made it expressly clear that tracking devices require warrants.
As the proposed law pertains to physical tracking devices, it's much more closely aligned with the Supreme Court's decision. Left unclear is its application to Stingray devices and obtaining historical cell site location information from telcos -- both forms of "tracking" that don't involve attaching a monitoring device to a "person or property."
The state Senate on Wednesday approved a bill that would require law enforcement in California to obtain a search warrant or wiretap order before searching a person’s smartphone, laptop or other electronic device or accessing information stored on remote servers.
The bill, by Sen. Mark Leno (D-San Francisco), also would protect locational information stored on smartphones and other devices unless police officers show probable cause to a judge.
Good news for California residents, most of whom routinely abduct and abuse children -- at least according to those opposed to the legislation.
The bill is opposed by the California District Attorneys Assn., the California Police Chiefs Assn. and the California State Sheriffs Assn. as unnecessary and a burden to investigations.
By proposing new procedures, the bill “undermines critical efforts to stop child exploitation, mandates the destruction of evidence by law enforcement, and violates the California Constitution,” the prosecutors’ group said in a letter to lawmakers.
This "argument" has become so threadbare, it's hardly worth addressing. The addition of a warrant requirement doesn't make law enforcement efforts any less effective. All it does is require them to conform to the Fourth Amendment. The legislation -- like every other similar law -- contains exigent circumstances exceptions, so Amber Alerts, etc. will still allow officers to access data without warrants and still have a chance at saving All The Children™.
What's more depressing about the bill (other than the usual Appeal To Pedophilic Behavior fallacy) is the transparency language that's been stripped from it to appease law enforcement agencies, prosecutors and the state's governor.
There will be no forthcoming "transparency reports" from the state's DOJ detailing law enforcement demands for data and communications. The following stipulation has been removed from the bill:
The bill would also require a government entity that obtains electronic information pursuant to these provisions to make an annual report to the Attorney General, and would require the Department of Justice to annually publish a summary of the report on its Internet Web site. By requiring local law enforcement entities to make those annual reports, this bill would impose a state-mandated local program.
Another section routes around citizens whose data and communications are obtained by law enforcement, delaying notice from 72 hours to 90 days -- and only if the affected person happens to stumble across the presumably-heavily redacted report posted at the state DOJ website. (And then somehow manages to figure out that the posted info is about them despite all personal information being presumably withheld...)
If there is no identified target of a warrant, wiretap order, or emergency request or access at the time of its issuance, the government entity shall take reasonable steps to provide the notice, within three days of the execution of the warrant, wiretap order, or emergency request or access, to all individuals about whom information was disclosed or obtained. submit to the Department of Justice within 72 hours a report that states with reasonable specificity the nature of the government investigation under which the information was sought and includes a copy of the warrant, or order, or a written statement setting forth facts giving rise to the emergency. The Department of Justice shall publish each report received pursuant to this subdivision on its Internet Web site within 90 days of receiving the report.
Finally, the bill has also had a mandated annual report to the state's Attorney General removed from it, limiting reporting to only the periodic dispersal of information by the DOJ. So, it's basically no transparency and there's no hint that this new requirement will result in any additional oversight of questionable searches.
Given these removals, it must be sheer "principle" that compelled the Sheriffs' Association to make this statement:
The sheriffs' group added that “it conflates existing procedures for obtaining certain electronic information under state and federal law, contains burdensome and unnecessary reporting requirements, and will undermine investigations that are fully compliant with the 4th Amendment.”
These deletions may convince the governor to pass the bill, after rejecting last year's version in part for reporting requirements (mainly the notification of those affected by demands for content and data) that would supposedly "harm criminal investigations." What's good about the bill is that it extends Fourth Amendment protections to areas not normally considered covered by it, like cell site location info. Both the governor and law enforcement seem opposed to expansions of citizens' rights, so even in its stripped-down state, it may see another veto.
The U.S. Court of Appeals for the Second Circuit declined to adopt a rule that agents get a "two-minute presumption" on the reasonableness of wiretapping calls that are personal in nature.
The circuit did so while dismissing a civil suit brought against FBI agents by a woman who claimed her privacy was violated when agents taped intimate phone calls between herself and her husband during a criminal investigation.
The circuit said the woman, Arlene Villamia Drimal, will be allowed to file a new complaint against the agents.
Drimal is the wife of convicted insider trader Craig Drimal. She sued 16 FBI agents for conversations they overheard in 2007 and 2008 while executing a wiretap secured under Title III of the Omnibus Crime Control and Safe Streets Act of 1968, §§2510-2522.
This doesn't necessarily "put to death" the two-minute window on personal calls FBI agents grant themselves, contrary to Drimal's lawyer's claims. The ruling is very specifically narrowed to cover only the FBI agents' actions in this case. The 16 agents listed in Drimal's lawsuit moved for dismissal, citing qualified immunity and pointing to a previous decision which allowed the FBI approximately two minutes to ascertain a call's purpose and relevance.
They cited the Second Circuit case of United States v. Bynum, 485 F.2d 490 (2d Cir. 1973), where the court held a wiretap that monitored 2,058 in a large narcotics case did not violate Title III minimization requirement.
The Bynum court excluded calls under two minutes from its evaluation of the wiretap because "in a case of such wide-ranging criminal activity as this, it would be too brief a period for an eavesdropper even with experience to identify the caller and characterize the conversations as merely social or possibly tainted."
The FBI has an indeterminate amount of time to discern the intent and content of wiretapped calls, with an obligation to disconnect as soon as it's surmised the phone call has no investigatory relevance. This still remains in force, even with this rejection of its "two minute" argument. Without a doubt, this allowance has been abused to listen in on phone calls of a personal nature, but its intent is to minimize privacy violations while still allowing agents to collect evidence. What distinguishes this case from others is that the FBI agents were caught not "minimizing" wiretapped calls in violation of the court order authorizing the wiretap. This abusive behavior was called out by the presiding judge.
This case does not present the same circumstances as Bynum. Many of the violations here took place in the early stages of the wiretap when defendants were less familiar with the case and with Mrs. Drimal’s lack of involvement in it, but the agents should have realized reasonably early in the wiretap that these husband and wife conversations were not relevant to the investigation. As Judge Sullivan noted in Goffer, Mr. and Mrs. Drimal occasionally discussed “deeply personal and intimate” issues, 756 F. Supp. 2d at 594, and “in each of these calls it should have been apparent within seconds that the conversation was privileged and non‐pertinent,” id. at 595.
As a result, the reasoning from Bynum that it would be too difficult to minimize calls under two minutes is not applicable here where agents could determine in seconds that the calls between husband and wife were entirely personal in nature. The two‐minute presumption we applied in Bynum thus does not automatically shield defendants against the failures to minimize calls under two minutes that the putative amended complaint is likely to allege.
On one hand, the ruling undercuts the FBI's assumption that all calls under two minutes in length can be listened to in their entirety, no matter their relevance to ongoing investigations. On the other hand, the ruling cannot be applied broadly to other FBI wiretapping efforts. Civil suits brought over alleged privacy violations aren't going to be any easier to pursue as the "window" for FBI eavesdropping is still wide open, what with the Bynum ruling only applying to the specific facts of that case, rather than FBI wiretapping in general.
Drimal's case was aided by a couple of unlikely incidents, one of which was two agents' open admissions that they had listened to privileged phone calls. The other factor weighing into this decision was the very specific instructions the agents received, not only from the court issuing the wiretap order, but also from the US State's Attorney. Without these two elements, the FBI would likely have been found to be acting lawfully within the confines of its wiretap policies and applicable court orders.
Ever since the Canadian Supreme Court declared law enforcement needed a warrant or court order to obtain ISP subscriber data, Canadian cops have been complaining. What used to be an "informal" process that required "five minutes" of paperwork (and led to law enforcement requesting ISP user data every 27 seconds), now apparently takes up to "ten hours" and is apparently damn near impossible to complete.
As a result, law enforcement has been forced decided to drop cases in which it couldn't put together enough probable cause to secure a warrant or court order. For some reason, the affected agencies seem to feel this is indicative of a broken system, rather than the way it always should have been. If an officer doesn't have enough agency to justify a request for subscriber data, does he or she really have enough information to justify a continued investigation?
The Royal Canadian Mounted Police (RCMP) were the first to complain about the warrant requirement, circulating a memo late last year that declared the ruling was probably resulting in dropped cases -- although this claim also seemed to be short on supporting information.
"Evidence is limited at this early stage, but some cases have already been abandoned by the RCMP as a result of not having enough information to get a production order to obtain (basic subscriber information)," the memo says.
Apparently, this round of complaints didn't gain enough traction to motivate legislators to undercut the Supreme Court decision. So, law enforcement officials are trying again, but this time they're using one of the cheapest and most overused rhetorical ploys: child molesters/pornographers going unarrested.
An RCMP spokesman confirmed the court decision has hampered the ability of police to track down Internet child abusers.
The ruling "has added extra administrative steps to such investigations by requiring police to obtain production orders for basic subscriber information," said Sgt. Harold Pfleiderer.
"Now, investigations of online child exploitation usually take more time. In many cases, there is insufficient information for police to obtain a production order even with the jurisdictional request information."
When Pfleiderer says "administrative," he's actually referring to the minimal efforts officers must make to ensure the civil liberties of Canadian citizens aren't violated. To him, it's just extra paperwork. To the rest of the nation, it's nothing more than what they've generally expected from their service providers when dealing with data requests: that it won't be handed over without justification.
The RCMP want legislators to pave it an unimpeded path to subscriber data -- something the Court's decision noted was a remedy (of sorts) for law enforcement agencies who felt being asked to respect the rights of others was too much of a burden. And nothing prompts legislators to act quickly and inconsiderately like claiming an untold number of pedophiles are wandering the nation completely unarrested.
The Supreme Court ruling suggested the government could pass a "reasonable" law to allow police to obtain basic subscriber information from ISPs, but a spokesman for Public Safety Minister Steven Blaney indicated that is not yet in the works.
"Our government is currently reviewing the decision," said Jeremy Laurin.
Adding to the stupidity, a top online porn cop paraphrases Dirty Harry to suggest some citizens should have fewer rights than others, even while still in the mostly-speculative part of an investigation.
"It's creating a lag in our investigations," said Sgt. Maureen Bryden of the Ottawa police online porn unit. "It's taking more time for us to get to the serious investigations."
"Whose rights do you really think are more important?" she said, criticizing the Supreme Court ruling. "The victim child that's being sexually exploited? Or the offender?"
Oh, I'd say they're equally important. The same court decision that "protects" child molesters also protects the millions of Canadian citizens who've never committed a criminal act in their lives. But the police want suspects to have fewer rights, even if it means those who aren't suspects end up with fewer privacy protections.
Bryden cites a "lag" and other quotes say cases can't be prioritized effectively to allow the pursuit of sexual offenders. But looking at the actual numbers blows any claims about workloads or priorities right out of the water. In 2011, Canadian law enforcement filed nearly 1.2 million requests for subscriber data. The 2013 stats quoted in this article cite a 50% drop off in requests related to child exploitation cases from 2013's high of 1,038. Somewhere in between there -- if request numbers remained largely flat (rather than escalating) from year-to-year -- that's still nearly 1.2 million requests for data every year that have nothing to do with Canadian law enforcement's sudden foremost concern. I think there's plenty of room left for shifting man-hours towards preventing child exploitation -- even with the warrant requirement.
For about a year now, we've been following the Quartavious Davis en banc appeal case, in which Davis's lawyers were challenging the use of historical cell phone location data (not real time GPS info) that was collected without a warrant in order to convict him (technically, they used a 2703(d) order, which is a much lower standard than a warrant, which requires probable cause, rather than "specific and articulable facts that there are reasonable grounds" to believe that the info is "relevant and material to an ongoing criminal investigation"). Given the renewed interest of the Supreme Court (and other courts) in issues related to the 4th Amendment when it meets up with modern technology, this case got a lot of attention in the last few months. The 11th Circuit has now ruled and it isn't going to make 4th Amendment supporters happy. The court ruled that warrantless tracking of your mobile phone location is not an "illegal search" under the 4th Amendment... because of the old (and ridiculous) third party doctrine.
In case you've been living under a rock and not following such things, the third party doctrine basically says you have no expectation of privacy in data that third parties hold on you -- such as... phone records. This doctrine has a lot of problems (going all the way back to the Smith v. Maryland case that is generally cited in support of the doctrine). But, here, the court just runs with it. It spends a few pages restating the ruling in Smith v. Maryland, clearly agreeing with it, and then it drops the hammer:
For starters, like the bank customer in Miller and the phone customer in
Smith, Davis can assert neither ownership nor possession of the third-party’s
business records he sought to suppress. Instead, those cell tower records were
created by MetroPCS, stored on its own premises, and subject to its control. Cell
tower location records do not contain private communications of the subscriber.
This type of non-content evidence, lawfully created by a third-party telephone
company for legitimate business purposes, does not belong to Davis, even if it
concerns him. Like the security camera surveillance images introduced into
evidence at his trial, MetroPCS’s cell tower records were not Davis’s to withhold....
More importantly, like the bank customer in Miller and the phone customer
in Smith, Davis has no subjective or objective reasonable expectation of privacy in
MetroPCS’s business records showing the cell tower locations that wirelessly
connected his calls at or near the time of six of the seven robberies.
It dives in a bit deeper on the "expectation of privacy" question and says that no one should have any expectation of privacy in their cell location data, basically saying that you should know that you're giving up such info to a third party who can give it to law enforcement:
We find no reason to conclude that cell phone users lack facts about the
functions of cell towers or about telephone providers’ recording cell tower usage.
Thus, no "expectation" of privacy.
It also argues this is no different than the ruling in Smith v. Maryland, because, back then, just having the phone numbers (what that case was about) was the equivalent of also showing location, since in that pre-mobile phone era, a phone number also automatically revealed location since it was tied to an address. As for the public policy reasons why this result is pretty scary concerning the public's privacy, the court says, "Hey, take it up with Congress."
The court also distinguishes this case from the Supreme Court's ruling in US v. Jones from a few years ago, that said that attaching a GPS device to a car could violate the 4th Amendment due to it being a "trespass" (though on the side, some Justices raised concerns about the ongoing collection of location data). Basically the court here said it doesn't matter here, as there's no similar "trespass" situation with the MetroPCS data.
Two of the judges on the panel dissented, and pointed out just how crazy the third party doctrine is in this situation, and how it basically destroys the 4th Amendment:
We are asked to decide whether the government’s
actions violated Mr. Davis’s Fourth Amendment rights. The majority says our
analysis is dictated by the third-party doctrine, a rule the Supreme Court developed
almost forty years ago in the context of bank records and telephone numbers. But
such an expansive application of the third-party doctrine would allow the
government warrantless access not only to where we are at any given time, but also
to whom we send e-mails, our search-engine histories, our online dating and
shopping records, and by logical extension, our entire online personas.
In short, those two judges rightly recognize just how problematic the third party doctrine is. In an age where all our info goes to third parties, the 4th Amendment basically goes away. Later, that same dissent notes:
The majority’s blunt application of the third party
doctrine threatens to allow the government access to a staggering amount of
information that surely must be protected under the Fourth Amendment. Consider
the information that Google gets from users of its e-mail and online search
functions. According to its website, Google collects information about you
(name, e-mail address, telephone number, and credit card data); the things you do
online (what videos you watch, what websites you access, and how you view and
interact with advertisements); the devices you use (which particular phone or
computer you are searching on); and your actual location.... Like in Miller and Smith, Google even offers a legitimate business purpose for
such data storage and mining: “Our automated systems analyze your content
(including emails) to provide you personally relevant product features, such as
customized search results, tailored advertising, and spam and malware detection.”
Id. Under a plain reading of the majority’s rule, by allowing a third-party company
access to our e-mail accounts, the websites we visit, and our search-engine
history—all for legitimate business purposes—we give up any privacy interest in
And why stop there? Nearly every website collects information about what
we do when we visit. So now, under the majority’s rule, the Fourth Amendment
allows the government to know from YouTube.com what we watch, or
Facebook.com what we post or whom we “friend,” or Amazon.com what we buy,
or Wikipedia.com what we research, or Match.com whom we date—all without a
warrant. In fact, the government could ask “cloud”-based file-sharing services like
Dropbox or Apple’s iCloud for all the files we relinquish to their servers. I am
convinced that most internet users would be shocked by this. But as far as I can
tell, every argument the government makes in its brief regarding cell site location
data applies equally well to e-mail accounts, search-engine histories, shopping-site
purchases, cloud-storage files, and the like.
Either way, it's pretty clear this issue is heading to the Supreme Court sooner or later (even possibly with this very case). But, for today, this ruling is a pretty big hit against your privacy.
For many years now, we've been writing about the need for ECPA reform. ECPA is the Electronic Communications Privacy Act, written in the mid-1980s, which has some frankly bizarre definitions and rules concerning the privacy of electronic information. There are a lot of weird ones but the one we talk about most is that ECPA defines electronic communications that have been on a server for 180 days or more as "abandoned," allowing them to be examined without a warrant and without probable cause as required under the 4th Amendment. That may have made sense in the 1980s when electronic communications tended to be downloaded to local machines (and deleted), but make little sense in an era of cloud computing when the majority of people store their email forever on servers. For the past few years, Congress has proposed reforming ECPA to require an actual warrant for such emails, and there's tremendous Congressional support for this.
And yet... it never seems to pass. The story that we keep hearing is that two government agencies in particular really like ECPA's outdated system: the IRS and the SEC. Since both only have administrative subpoena power, and not the ability to issue warrants like law enforcement, the lower standards of ECPA make it much easier for them to snoop through your emails without having to show probable cause. Last year, in a Congressional hearing, the SEC's boss, Mary Jo White, was questioned about this by Congressman Kevin Yoder, who has been leading the charge on ECPA reform. As we reported at the time, in the conversation, White clearly said that the SEC needed this ability or it would lose "critical" information in its investigations. You can see the conversation from 2014 below, where White (starting around 2:30) explains how vital this process is to the SEC:
Here's the key line:
"What concerns me, as the head of a... law enforcement agency, is that we not put out of reach of lawful process... what is often, sometimes the only, but critical evidence of a serious securities fraud.... And we use that authority quite judiciously, but it's extremely important to law enforcement."
What struck us as interesting last year was White admitting that the SEC appeared to regularly use this process, since she noted that it was "extremely important" and provided "critical evidence."
Fast forward to this week, and the same two players were involved in yet another Congressional hearing. You can
see that conversation here as well, with the critical point being made after about four and a half minutes, where White says some of the same stuff, about the privacy protections, and how even if the SEC used this process it still notifies the subscribers to give them a due process right to protest the subpoena... but also, oddly, seems to claim that the SEC never actually makes use of this process:
Here's the key line this time (the full response is a jumble of half sentences and unfinished thoughts, so it's a bit of a mess):
"While these discussions have been going on, to try to sufficiently balance the privacy and the law enforcement interests, we've not to date to my knowledge proceeded to subpoena the ISPs. But that, I think, is critical authority to be able to maintain -- done in the right way and with sufficient solicitousness and it's very important to the privacy interests which I do think can be balanced.
As I said, if you watch her entire response, it's a complete mess of half-finished thoughts, which seems rather typical of someone trying to sound like they're answering a question but not actually doing so. Later in the same answer, she insists that taking away this authority might take away an important tool.
So, we know that the SEC really wants to keep this tool. But last year it said it was "extremely important" and provided "critical evidence." This year, she's saying that the SEC isn't even using the tool. So, uh, which is it? Is this tool absolutely necessary for critical evidence, or is it not even being used by the SEC?
And, through all of this, the SEC still has not answered the most basic question: why can't it treat email the same way it has to treat paper documents under the 4th Amendment? That is, if it wants the document it can subpoena the end user for those documents. It does not get to route around the end user and subpoena a third party for those documents. So why can't it treat email in the same way?