December 11, 2013

Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo [tl;dr: if you’d rather skip the explanation and go right to the What Can You Do? section, click here].

The Center for Democracy & Technology, a policy think-tank based in Washington, D.C., has a concise and informative primer on the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting the ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information. But the Justice Department wanted different treatment for stored electronic communications. (Bear in mind that this was way before anyone was talking about “cloud” storage; indeed CDT notes that electronic storage of digital communications in 1986 was quite expensive, and it wasn’t unusual for email providers to delete messages that were more than a few months old).

CDT explains the bargain that was struck to accommodate the government’s concerns:

“Congress said that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with a subpoena, issued by a prosecutor or FBI agent without the approval of a judge,” CDT wrote. “At the same time, Congress concluded that, while the contents of communications must be highly protected in transit, the ‘transactional data’ associated with communications, such as dialing information showing what numbers you are calling, was less sensitive. ECPA allowed the government to use something less than a warrant to obtain this routing and signaling information.”

Fast-forward to almost 2014, and we find of course that most people store their entire digital lives “in the cloud.” This includes not only email, but calendar data, photos and other sensitive information. Big cloud providers like Google, Microsoft and Yahoo! have given users so much free storage space that hardly anyone has cause to delete their stuff anymore. Not only that, but pretty much everyone is carrying a mobile phone that can be used to track them and paint a fairly detailed account of their daily activities.

But here’s the thing that’s screwy about ECPA: If you’re the kind of person who stores all that information on your laptop, the government can’t get at it without a court-ordered warrant. Leave it in the hands of email, mobile and cloud data providers, however, and it’s relatively easy pickings for investigators.

“There has been an interpretation of the law from the government that says any document stored in the cloud can be accessed with a subpoena, regardless of how old it is,” said Mark Stanley, a communications strategist with CDT. “The government can access emails over 180 days old with just a subpoena. We also know that the [Justice Department] has interpreted the law to say that any emails that are opened — regardless of how old they are — can be accessed without a warrant.”

Just how easy is it to get an administrative subpoena? Mark Rasch, a Bethesda, Md. lawyer and former Justice Department prosecutor, said administrative subpoenas (which don’t need a sign-off from a judge and allow investigators to seek information without any external check) are extremely easy to get and to serve. The problem, he said, is that subpoenas place most of the burden on the recipient of the request.

“When you subpoena a third party, that third party has fundamentally no ability to challenge the request, because they don’t know if the request is relevant to the investigation or not,” Rasch said. “As a result, it’s in the submitter’s best interest to make the request as broad as possible in the hopes that it will turn up something that’s relevant to the investigation.”

Take the hypothetical case of a subpoena that directs a free Webmail provider to turn over all of the Web browsing and email records of a specific customer for an entire year. Is that provider willing or able to pass the costs of complying with that request on to the consumer? In the vast majority of cases, Rasch said, it doesn’t make economic sense for the provider to challenge these subpoenas, so they simply comply.

Updating ECPA would mean that before prosecutors or other lawyers can get this information, they would have to make an argument to a court about what information they’re seeking and how it’s relevant to an investigation, Rasch said.

“The idea is that before you can get an order to produce certain information, you’d have to do a little ‘mother, may I?’” Rasch said.

It’s not clear how many subpoenas are sent to email providers each year seeking customer records, but we recently got some sense of how frequently government investigators are asking for mobile device records. Senator Edward J. Markey (D-Mass.) asked this question of seven major wireless carriers, including AT&T, Verizon Wireless, Sprint and T-Mobile.

As The New York Times wrote on Dec. 9, the response from the carriers shows that last year they answered at least 1.1 million requests from law enforcement agencies seeking information on caller locations, text messages and other data for use in investigations. “Most of the requests were for information from a specific customer account,” The Times wrote. “But law enforcement agencies also received information from 9,000 so-called tower dumps, in which the agencies were granted access to data from all the phones that connected to a cell site during a specific period of time.”

Lawmakers in the House and Senate have introduced companion bills that would require law enforcement agencies to get a court-ordered probable-cause warrant to obtain email and other content stored in the cloud. The Senate Judiciary Committee has approved S. 607, a bill sponsored by the committee’s chairman, Sen. Patrick Leahy (D-Vt.), but the measure hasn’t yet progressed to the Senate floor for a vote.

In the House, H.R. 1852 has broad bipartisan support (110 Republicans and 47 Democratic co-sponsors at last count). Speaking on background, an aide to the House Judiciary Committee said the panel’s chairman, Rep. Bob Goodlatte (R-Va.), has been “aggressively meeting with stakeholders and several outside groups- including privacy advocates, industry and law enforcement — to identify ECPA reform priorities and geolocation privacy standards.” No word, however, on when the full committee might consider the House bill.

Interestingly, the effort to bring ECPA’s protections into the digital age even has the support of the Justice Department. Testifying at a hearing in the House in May 2013, U.S. Attorney General Eric Holder said the DOJ supports the “general notion of having a warrant to obtain the content of communications from a service provider.” As The Hill noted at the time, Holder’s comments reiterate the department’s stated position taken earlier in the year, which found there was “no principled basis” for the 180-day distinction, and that legislation to expand ECPA’s protections has “considerable merit.”

So why aren’t these changes the law of the land already, aside from the usual partisan gridlock? Unfortunately, said CDT’s Stanley, movement on ECPA reform is currently being blocked by a proposal from the U.S. Securities and Exchange Commission (SEC), which wants a special carve-out in the bill for regulatory agencies to get communications from online providers without a warrant.


So what can readers do about all this? For starters, sign a petition at the White House’s “We the People” site, asking the Obama administration to reform ECPA. The petition, which currently has more than 70,000 supporters but needs over 100,000 to force a response from the White House, calls on the administration to support ECPA reform and to “reject any special rules that would force online service providers to disclose our email without a warrant.”

Also, get educated about which companies stand up for your privacy, and don’t patronize companies that fail to do so. For starters, check out the Electronic Frontier Foundation (EFF) 2013 “Who Has Your Back” report, which tracks several ways in which communications companies can help protect user privacy. EFF rates providers with zero to five stars, granting stars for things like promising to notify users about government demands for data whenever the company is not legally prevented from doing so. “Notably, Verizon does not have such a notification policy and did not receive a star,” the EFF notes. “In fact, Verizon was the only company to receive zero stars.” [In fairness, Apple, AT&T and Yahoo! fared almost as poorly].

Finally, consider using an email client — instead of just Webmail — and encrypt your communications. has a great primer on how to do that, using Mozilla Thunderbird and PGP. Ars Technica recently published step-by-step instructions for encrypting email on a PC or Mac.

35 thoughts on “Help Bring Privacy Laws Into 21st Century”

  1. Alice

    Thank you. I just signed on to your site. You are doing a fabulous job of investigating and informing your readership about ‘big brother’ and all his games that take away our freedoms.

  2. JohnP


    Interpret the 4th Amendment of the US Constitution where “papers and effects” applies to electronic data storage AND transmission in just the same way.

    The 4th Amendment text is short: and easy to read.
    I’m still shocked that any judge would interpret this in any other manner. “Papers” are exactly the same as files on any computing device – EXACTLY.

    Warrants would be necessary and most people would NOT encrypt their data if the US government actually played by these rules. That is a win-win.

    1. andy

      Spend a few years working for the courts and you’ll see just how ridiculous some judges are.

    2. meh

      They’re making e-warrants now that can be filed/authorized automatically any time the cops/etc requests one… Megadeth had it right, the system has failed.

  3. dud

    Encrypting your e-mail is a good idea, however the recipient of your e-mail has to also be able to decrypt it and most people don’t bother or don’t want to learn. I guess it’s too much trouble.

  4. John

    By all means, we should raise the bar for government surveillance of our citizens. But, who really controls all this data, these personal communications? It’s not the government, it’s a very small number of giant telecommunications enterprises. What safeguards exist to prevent THEM from abusing the information we entrust to their servers? Facebook, Microsoft, Yahoo, to name a few players in this game, have “privacy policies” that are written in sand. They change them at will, and it is only when (and if) someone “discovers” a key provision that they’ve inserted or changed in their favor might (maybe) enough pressure occur to effect some kind of half hearted remedy (again written in sand). Shouldn’t privacy laws be enacted that manage private enterprise intrusions, as well as those of government?

  5. Charlie Griffith

    Excellent article, as usual from Krebs.

    It must be pointed out however, that those who gleefully publish pictures of their genitals via the Internet are crassly hypocritical in all of this breathless faux brouhaha over individual “privacy”.

    What is needed really is adult awareness that we as a Nation are indeed at killing war with trans-national Muslims who rely on the same Internet for their communications. These Muslims are very, very good at penetration and infiltration…via our Internet.

    The likes of the A.C.L. and C.A.I.R. whiners and shriekers should have 25/8 responsibility for Americans’ physical welfare. They’re simply not “wired” responsibly for the welfare of all of the rest of us.

    My emails, as this one, are available for review by the N.S.A or the C.I.A.

    1. Artemis Calderwaul, Jr.

      Ah, another patriot who has A), a favorite bogeyman (Muslims) who’s responsible for all our nation’s woes, and B) a second favorite bogeyman (the A.C.L., by which I assume he means the ACLU) who’s undermining The Nation’s Security by defending the Bill of Rights and the protections it gives the people, or is supposed to.

      I wonder: If it weren’t for the ACLU would people like Charlie even be able to exercise their First Amendment rights and write such venomous posts?

  6. TheOreganoRouter.onion

    Now here’s an article that I am very passionate about.

    I noticed that you mentioned third party but you didn’t relate it to the “third party doctrine” anywhere in the article. This would allow for business records to be turned over to law enforcement without a valid (no rubber stamping) search warrant under the +180 day rule. The key words are “business records” with relations to “third party”

    Every business record regardless if it’s phone, text, or email meta data or content should require a valid search warrant regardless of age if you are a United States citizen.

    I signed that Whitehouse petition, in my opinion every person in this United States who cares about the loss of their fourth amendment rights should

    Shut down the N.S.A. Dismantle it

    Send U.S. Attorney General Eric Holder , Lt. Gen. Keith Alexander, and Admiral James Clapper to the super-max federal prison in Colorado for constitutional crimes against the American people

    And as Charlton Heston once said in that famous movie “damn you , damn you all to hell”


  7. kay4security

    Amazingly, please note that the White House Petitions website is one of those that send you a password in a plain text email. They do suggest you change it in the email, but it’s not required.

  8. David

    Anyone know how to tell the petition site that their sign up routine doesn’t work correctly? If a person’s email address is from a domain that contains a dash character, they will be unable to sign any petitions (this is because the validation routine for creating an account never sends out the validation email, and so you cannot activate an account if one’s domain name contains a dash). I don’t know how many people in the US that this affects but it means that some percentage of the populace will not be able to participate in the petitions.

    1. andy

      Whitehouse petitions don’t mean anything. They’re a joke and not worth the wasted time. Show up at your Senator and Rep’s office – and take some like minded people with you.

      1. Me

        The petitions website isn’t a joke. Jokes are amusing. I think the proper descriptive term would be “waste of electrons.”

        You’re spot-on about showing up with a bunch of like-minded people to your senator/representative’s office though. It’s very easy to dismiss a bunch of words on some website. Protestors, not so much.

        1. SeymourB

          Often times they’re so bull-headed and in the pocket of corporations that showing up doesn’t do squat.

          Just look at that huge group of people who camped out in Rick Scott’s office while he desperately found every excuse and delay in the book to avoid coming back and meeting with them, only to come back, meet with them, and essentially claim the issue was resolved by actions undertaken months earlier… actions that were heavily disputed due to conflicts of interest by the individual participants.

      2. Frank

        I understand what you mean about petitions, but they aren’t a complete waste of time. They tell the WH “we see what you are doing”. That’s got to be better than saying nothing, especially when it’s so many people speaking up.

  9. Old Bull Lee

    Krebs I realize your intentions are good here, but signing those petitions is a waste of time.

    All these petitions get are placating speeches from Obama. This one will be about the need for reform and the need to balance privacy needs with protection from terrorism. No one in any branch of government will have their mind changed.

    If anything, signing these petitions serves to validate the cynical tactic and boost the PR illusion of them actually caring what we think. Not to mention harvesting email addresses.

  10. not me

    Nice read Brian, I just signed the petition, it’s well over 100,000,
    the record of my signature was scrolled off the page quickly.
    Lots of folks jumping in today.
    Nice that they give you a link to quickly share with your like minded friends. Keep up the good work in 2014!

    I’d send you a Christmas package but after all that nonsense with the Silk Road I could understand the worry about boxes in the mail.

  11. saucymugwump

    This is a convergence of many things.

    As Old Bull Lee wrote, those Obama petitions are a waste of time because he is a consummate politician only allowing them for political gain. Not that most other politicians are any better.

    As Charlie Griffith wrote, there are many Islamists at war with the non-Muslim world who use the Internet for jihad. The more privacy they have, the more people that will die. And we have a large number of Americans who would call for the heads of our leaders if another 9/11 were to occur, so the politicians allow all sorts of practices, privacy-based and otherwise, to continue in an attempt to prevent that.

    Quite a few Internet users desire privacy so they can continue their repulsive child porn activities and/or online thefts of banks and other businesses.

    Most Internet users, at least in the USA, willingly use Google and Facebook which have a business model predicated on using users’ personal data to make money, yet those same users hypocritically rail against the government for doing the same thing. These people would scream bloody murder if a government agent walked around in public wearing a device for collecting photos, video, and wireless data, yet they positively giggle at the prospect of geeksters walking around wearing Google Glass and the Google Maps Car driving around collecting photos, video, and wireless data.

    The Libertarian / Tea Party / hillbilly crowd sees personal data as Google and Facebook do, simply as a means of making money. The mantra of Jeff Bezos, Mark Zuckerberg, Eric Schmidt, and their ilk is survival of the fittest, social Darwinism, kill them all and let God sort them out, and I’m a success therefore I am a world-class genius in all matters.

    P.S. Read the below WSJ article — written by that uber-liberal, Dianne Feinstein — for a reasoned opinion on the value of NSA spying.

    The NSA’s Watchfulness Protects America

  12. meh

    Maybe I’m just too cynical but I don’t see this happening anytime soon… In a world where millions of us are strapped with hundreds of thousands of dollars in debt for school that cannot ever be discharged, where corporations are writing 90% of the laws in the last 20 years, where 8 out of 10 new jobs are at McDonalds or Walmart I just can’t see them doing much to strengthen the rights of the public. Money has corrupted almost every government and private agency out there and these days the FCC, FDA, etc work for the money not the people.

  13. John Q

    I have no problem with much of what has been leaked by the NSA. Surveillance on foreign diplomats at international summits? I’d be perturbed if the US were NOT doing so. Telephone metadata collection? The aggregation of it into a single database, accessed only under restricted conditions approved by a court, is novel and worthy of more careful deliberation, but it doesn’t scream “abuse of power” either.

    Unfortunately the sensationalism of the NSA leaks, the breathless reporting of them, has all but buried attention to more mundane but more serious issues like the archaism of the ECPA.

    Thanks for highlighting this issue. It would be nice if the President were to support the intelligence agencies while also pushing for reform on the ECPA. He could probably win the issue and score some progress on policy.

    1. JCitizen

      Somehow I figure that until you personally have become a target of government interest, you will never be able to identify why the developments since 911 are bad for personal liberty. I and many of my associates have been dead set against almost ALL the changes advocated since then. We didn’t need any of that, just some minor tweaking to allow cross departmental data sharing that is ALL.

      We don’t need no stinking NSA, we didn’t need no stinking Homeland Security Act, we DEFINITELY DON’T NEED NO STINKING PRISM or any of the other invasive electronic surveillance tactics used since then; it was obvious we knew about the Sept 11 attackers long before they did their dirty work, it was just that our left hand didn’t know what the right hand was doing.

      We have instituted something even worse than what China was doing to their population; that with the flick of a switch could put us into a draconian control position for any potential or real tyrant planning to subjugate this populace or even the entire world. After you take the tin foil hat off, you also realize that all this data gathering is almost impossible to filter without a huge inefficient and massive effort by the government snoopers to try and find out what is going on in everyone’s undershorts. It is absolutely ridiculous, I don’t care how much they think they are saving us from crazy idiots.

      Only now are big companies realizing it is hurting our business position in the world, just when we needed it the most; and no one can trust the US or any allies to respect their data security – and I am sure we will rue the day we allowed this to happen, but I’ve been screaming about it ever since HSA 2002 on other forums, and to my congressmen, to no avail. I think it is perhaps too late! >:(

  14. dotzero

    Starts singing… “bad code bad code, whatchya gonna do when they come for you bad code bad code!”

    Brian, you send people to sign a petition about privacy on a web page that doesn’t let them get to the site privacy policy (At least not in IE or FF) – I call EPIC FAIL!

    Towards the top of the page (above signin or register) there is a line “A account is required to sign Petitions. WHY” where “WHY” is a rollover with an apparent link to the privacy policy… nope, you can’t get to there from here.

    So try for a link at the bottom of the page (pretty standard, right?). Nope, one of those never ending pages that keeps on adding content as you scroll down.

    It is possible to get to the privacy policy with a little effort (go to other pages). So 103k people have signed the petition and I’m assuming many of them got there by way of your site yet I can’t find a single other comment about the elusive privacy policy.

    Good enough for government work I guess.

  15. CoolAC

    That EFF is a joke. AT&T and Comcast get a better rating than Verizon? haha I’d say that’s pretty misleading…

    Comcast is quick to give your name up, they have never fought for customers and have always spied on them and throttled bandwidth if they use torrents and sending cease and desist letters for many years, more than any other ISP. They are notorious for it. They are the worst service provider when it comes to privacy imo.

    AT&T? come on now, they were the first to have prism built in their office, them and Bell Atlantic were giving people’s names up in 2006 left and right, I don’t believe Verizon was at that time. In fact Verizon’s president was publicly criticizing them, especially Comcast most of all for doing so at the time. None of them have their webmail encrypted, but at least Verizon lets you know with a pop up when AT&T doesn’t even bother.

    And Google? Google gets the best rating for our privacy? The company that keeps more records on us than any in history? Supposedly fighting for our rights in court doesn’t mean they aren’t selling more data on us than the NSA looks at!

    That who has your back report is not worth anything imo…

    1. SeymourB

      Both AT&T and Verizon were the first major carriers to comply with the Bush administration’s illegal actions. While AT&T may have been first, Verizon was not far behind. By the time this all came to light they were both guilty as sin and desperate for Congress to pass a law that would prevent them from being sued out of existence by the customers they violated.

      What’s different is that Verizon still, to this day, refuses to defend its customers by even drafting a do-nothing policy that come to find out doesn’t require them to inform customers when they share data with the government. While AT&T & Comcast have taken that step, thanks to the wonderful PATRIOT act (a gift that just keeps on giving) they are often barred from informing their customers that the government has overreached their authority and is snooping on customers. In other instances the policy itself is pretty worthless, but the goose-stepping nogoodnicks with the requisite authority are often to blame for those lack of notifications.

      That’s not to say that Comcast and AT&T are wonderful and Verizon is horrible – Comcast and AT&T are horrible while Verizon is in a whole other class of horrible below them.

  16. C/od

    Crypto, decrypt and authentication is where the authentic action is. Break this and yo ho-ho may be a merry 2014. click “challenges”

    Peace on earth to men of good will and for men that have none, not so much peace!

    Best Regards and Merry Christmas

    1. JCitizen

      Interesting Vee – these have been top topics in discussions in IT security forums everywhere I’ve been. Many have touched on some of these subjects there.

  17. BGC

    Let’s see if I can lay something out without causing a complete s***storm!!

    As we debate the NSA and all matters private, we’re losing sight of one of the major players that want your data – internet advertising miscreants. And, yes, that means ALL players – Google, MS, FB, etc. But I also refer to the smaller players that sell targeted advertising – Conduit, Ask, etc. – and have to install trackers that report to them your internet activity.

    Today I see more computer hijacks than ever before. Why? Hackers want to hide their presence in your computer (rootkits aplenty make powerful botnets) but advertisers want you to think their tracker is something you installed as a browser extension or application (Wajam, Shop-Up, Tidy Network, Linkswift, Search Protect, Open It, DealPly, Browser Safeguard, etc) and so are bold enough to install in plain sight. This notion of safe search protection is such a joke – (“Let me have your search data and I’ll tell you if you might be connecting to a site serving malware. And if you’re not I’ll sell your search data to the ad companies”)

    In a Ted Talk, Mykko Hyponnen(sp) said “Google knows more about you than your mother.” And what it knows about you is EVERYTHING you search for or click on. That data drives the $50B internet advertising craze and the ad networks are doing everything they can to get their hands on it (AFAIK Google doesn’t sell its cache of search terms though it’ll charge you to advertise with them based on search terms).

    As hackers see their income jeopardized by botnet takedowns, they’re busy looking for other income streams. I suspect that they have learned that a couple affiliate relationships with ad networks can pay handsomely when they can couple the affiliate fees with their silent install tactics.

    As objectionable as it is to know that the NSA is siphoning our private data, the financial incentive is, hopefully, not a part of the NSA effort. But advertising has one goal – to make money with your private data. And while we’re all watching the NSA and complaining about Google, FB, etc., these cretins are busy sucking up our data for their private profit all the while protected by the Wall St. bubble that says you don’t have to admit you broke the laws if you write a big enough check.

    You watch, as this matter heats up and lawmakers begin trying to restrict the harvesting of our private data, the advertising industry will launch their brigades of lobbyists to thwart any effort to restrict their efforts to harvest data.

    Flame on, folks!!!!

    1. Vee

      Well put!

      I just had to scrub Wajam among other things off a PC for someone a few weeks ago. Yeah, there are things so much worse than the NSA, things that truly do care about everything you do online.

      One of the better things though about the NSA scare mongering is it at least gets some people a bit more conscious about what they do online. The same security to “keep the NSA out” can be the same stuff to keep all the other bad guys out too, such as HTTPS everywhere and OpenPGP. And maybe people will learn not to dump their lifestory on Facebook too.

    2. meh

      Compared to the credit bureaus they are mainly just an annoyance, the credit bureaus are rife with mistakes that cost millions of us a ton of money and there is very little you can do against their secret and often inaccurate database. I think the very idea of a massive, secret, unaudited treasure trove of data for sale to anybody with a few bucks but supposedly secure is a joke… It will never be even slightly secure until the person they are acquiring data about has the full access to update/delete/block access and that deprives them of the biggest reason they have it, to punish people and jack up rates through any way possible. If their database is accurate then millions would get lower rates, pay less. They have a financial conflict of interest in keeping it error-free.

      1. JCitizen

        We are not necessarily powerless yet, Consumer’s Union has a political consumer’s action group that is quickly rivaling the NRA in lobbying power; we helped put Richard Cordray into office as the Director of the Consumer Financial Protection Bureau.

        There is a new junk yard dog in town that could help consumers with problems like this, if they are willing to lodge complaints against financial organizations, and business groups who are taking us to the cleaners.

        I generally find any government interference to be distasteful but since the crash of 2007/8 it seems we need something besides our congressmen and weak and ineffective state, and tort law to be on our side.

  18. AlphaCentauri

    How is the NSA going to stop terrorists if it can’t even stop Rachel from Cardmember Services? All those telemarketers seem to be able to act with impunity by spoofing the caller ID data. It seems that their strategy will collect data on honest people and stupid crooks, but that professional terrorists should be able to operate under the radar easily. (Hell, for that matter, if they wanted to get a message through to a terrorist cell, they could have Rachel call everyone in the US with a robocall, but have the call to their own operative be the secret communication. The more hay the NSA collects, the harder it is to find the needle in the haystack.)

    1. JCitizen

      Now there is a thought! Hire the telemarketers to relay messages over the phone for terrorists! HA! Fortunately I don’t think they’d be smart enough to try that (yet).
