Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo [tl;dr: if you'd rather skip the explanation and go right to the What Can You Do? section, click here]
The Center for Democracy & Technology, a policy think-tank based in Washington, D.C., has a concise and informative primer on the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.
Online messaging was something of a novelty when lawmakers were crafting the ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information. But the Justice Department wanted different treatment for stored electronic communications. (Bear in mind that this was way before anyone was talking about “cloud” storage; indeed CDT notes that electronic storage of digital communications in 1986 was quite expensive, and it wasn’t unusual for email providers to delete messages that were more than a few months old).
CDT explains the bargain that was struck to accommodate the government’s concerns:
“Congress said that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with a subpoena, issued by a prosecutor or FBI agent without the approval of a judge,” CDT wrote. “At the same time, Congress concluded that, while the contents of communications must be highly protected in transit, the ‘transactional data’ associated with communications, such as dialing information showing what numbers you are calling, was less sensitive. ECPA allowed the government to use something less than a warrant to obtain this routing and signaling information.”
Fast-forward to almost 2014, and we find of course that most people store their entire digital lives “in the cloud.” This includes not only email, but calendar data, photos and other sensitive information. Big cloud providers like Google, Microsoft and Yahoo! have given users so much free storage space that hardly anyone has cause to delete their stuff anymore. Not only that, but pretty much everyone is carrying a mobile phone that can be used to track them and paint a fairly detailed account of their daily activities.
But here’s the thing that’s screwy about ECPA: If you’re the kind of person who stores all that information on your laptop, the government can’t get at it without a court-ordered warrant. Leave it in the hands of email, mobile and cloud data providers, however, and it’s relatively easy pickings for investigators.
“There has been an interpretation of the law from the government that says any document stored in the cloud can be accessed with a subpoena, regardless of how old it is,” said Mark Stanley, a communications strategist with CDT. “The government can access emails over 180 days old with just a subpoena. “We also know that the [Justice Department] has interpreted the law to say that any emails that are opened — regardless of how old they are — can be accessed without a warrant.”
Just how easy is it to get an administrative subpoena? Mark Rasch, a Bethesda, Md. lawyer and former Justice Department prosecutor, said administrative subpoenas (which don’t need a sign-off from a judge and allow investigators to seek information without any external check) are extremely easy to get and to serve. The problem, he said, is that subpoenas place most of the burden on the recipient of the request.
“When you subpoena a third party, that third party has fundamentally no ability to challenge the request, because they don’t know if the request is relevant to the investigation or not,” Rasch said. “As a result, it’s in the submitter’s best interest to make the request as broad as possible in the hopes that it will turn up something that’s relevant to the investigation.”
Take the hypothetical case of a subpoena that directs a free Webmail provider to turn over all of the Web browsing and email records of a specific customer for an entire year. Is that provider willing or able to pass the costs of complying with that request on to the consumer? In the vast majority of cases, Rasch said, it doesn’t make economic sense for the provider to challenge these subpoenas, so they simply comply.
Updating ECPA would mean that before prosecutors or other lawyers can get this information, they would have to make an argument to a court about what information they’re seeking and how it’s relevant to an investigation, Rasch said.
“The idea is that before you can get an order to produce certain information, you’d have to do a little ‘mother, may I?’ Rasch said.
It not clear how many subpoenas are sent to email providers each year seeking customer records, but we recently got some sense of how frequently government investigators are asking for mobile device records. Senator Edward J. Markey (D-Mass.) asked this question of seven major wireless carriers, including AT&T, Verizon Wireless, Sprint and T-Mobile.
As The New York Times wrote on Dec. 9, the response from the carriers shows that last year they answered at least 1.1 million requests from law enforcement agencies seeking information on caller locations, text messages and other data for use in investigations. “Most of the requests were for information from a specific customer account,” The Times wrote. “But law enforcement agencies also received information from 9,000 so-called tower dumps, in which the agencies were granted access to data from all the phones that connected to a cell site during a specific period of time.”
Lawmakers in the House and Senate have introduced companion bills that would require law enforcement agencies to get a court-ordered probable-cause warrant to obtain email and other content stored in the cloud. The Senate Judiciary Committee has approved S. 607, a bill sponsored by the committee’s chairman, Sen. Patrick Leahy (D-Vt.), but the measure hasn’t yet progressed to the Senate floor for a vote.
In the House, H.R. 1852 has broad bipartisan support (110 Republicans and 47 Democratic co-sponsors at last count). Speaking on background, an aide to the House Judiciary Committee said the panel’s chairman, Rep. Bob Goodlatte (R-Va.), has been “aggressively meeting with stakeholders and several outside groups- including privacy advocates, industry and law enforcement — to identify ECPA reform priorities and geolocation privacy standards.” No word, however, on when the full committee might consider the House bill.
Interestingly, the effort bring ECPA’s protections into the digital age even has the support of the Justice Department. Testifying at a hearing in the House in May 2013, U.S. Attorney General Eric Holder said the DOJ supports the “general notion of having a warrant to obtain the content of communications from a service provider.” As The Hill noted at the time, Holder’s comments reiterate the department’s stated position taken earlier in the year, which found there was “no principled basis” for the 180 day distinction, and that legislation to expand ECPA’s protections has “considerable merit.”
So why aren’t these changes the law of the land already, aside from the usual partisan gridlock? Unfortunately, said CDT’s Stanley, movement on ECPA reform is currently being blocked by a proposal from the U.S Securities and Exchange Commission (SEC), which wants a special carve-out in the bill for regulatory agencies to get communications from online providers without a warrant.
So what can readers do about all this? For starters, sign a petition at the White House’s “We the People” site, asking the Obama administration to reform ECPA. The petition, which currently has more than 70,000 supporters but needs over 100,000 to force a response from the White House, calls on the administration to support ECPA reform and to “reject any special rules that would force online service providers to disclose our email without a warrant.”
Also, get educated about which companies stand up for your privacy, and don’t patronize companies that fail to do so. For starters, check out the Electronic Frontier Foundation (EFF) 2013 “Who Has Your Back” report, which tracks several ways in which communications companies can help protect user privacy. EFF rates providers with zero to five stars, granting stars for things like promising to notify users about government demands for data whenever the company is not legally prevented from doing so. “Notably, Verizon does not have such a notification policy and did not receive a star,” the EFF notes. “In fact, Verizon was the only company to receive zero stars.” [In fairness, Apple, AT&T and Yahoo! fared almost as poorly].
Finally, consider using an email client — instead of just Webmail — and encrypt your communications. Wefightcensorship.org has a great primer on how to do that, using Mozilla Thunderbird and PGP. Ars Technica recently published step-by-step instructions for encrypting email on a PC or Mac.
- Zero-Day Fixes From Adobe, Microsoft
Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing addressing at least two dozen flaws in Windows and other software.
Tags: CDT, Center for Democracy & Technology & Technology, ECPA, eff, Electronic Communications Privacy Act, Electronic Frontier Foundation, mark rasch, Mark Stanley, Rep. Bob Goodlatte, Sen. Patrick Leahy, Senator Edward J. Markey