Thursday, 22 November 2012

Sen. Leahy's Denial of Support for Warrantless Email Searches ...

The rumors about warrant exceptions being added to ECPA are incorrect. Many have come forward with ideas for discussion before markup resumes on my bill to strengthen privacy protections under ECPA. As normally happens in the legislative process, these ideas are being circulated for discussion. One of them, having to do with a warrant exception, is one that I have not supported and do not support.

The whole thrust of my bill is to remedy the erosion of the public's privacy rights under the rapid advances of technology that we have seen since ECPA was first enacted thirty years ago. In particular, my proposal would require search warrants for government access to email stored by third-party service providers - something that of course was not contemplated three decades ago.

The full text of Leahy's bill, as introduced in September, is here.

McCullagh wrote an update to his article after Leahy's denial, characterizing Leahy's denial as a statement that Leahy no longer supports the amended version. McCullagh does not seem to buy Leahy's statement that the revision to his proposed bill was written by interested parties among whom the draft bills had circulated, rather than Leahy's staff. McCullagh continues to refer to the revised version of Leahy's bill as "Leahy's proposed changes."

Chris Calabrese, Legislative Counsel for the ACLU, tells The Hill that he has seen the proposed changed version, but was not under the impression it was supported by Leahy. He said it could have been written by Rep. Charles Grassley:

Calabrese noted that the proposal cited by CNET is similar to amendments proposed by Sen. Chuck Grassley (R-Iowa), the Judiciary Committee's top Republican.

On Twitter, McCullagh stands by his reporting. He tweets:

Alternate explanation: Sen. Leahy responded to public criticism. Senate Judiciary aides were definitely not saying that yesterday.

And

My guess is that Sen. Leahy didn't like the criticism his legislation received once it was disclosed to the public.

Sen. Leahy explains what his bill would do here.

For those who would like a little background in terminology, this 2009 Justice Department manual may be helpful (but keep in mind it's a guidebook for prosecutors):

The SCA is sometimes referred to as the Electronic Communications Privacy Act. The SCA was included as Title II of the Electronic Communications Privacy Act of 1986 ("ECPA"), but ECPA itself also included amendments to the Wiretap Act and created the Pen Register and Trap and Trace Devices statute addressed in Chapter 4. See Pub. L. No. 99-508, 100 Stat. 1848 (1986). Although 18 U.S.C. § 2701-2712 is referred to as the "Stored Communications Act" here and elsewhere, the phrase "Stored Communications Act" appears nowhere in the language of the statute.

So the ECPA has three parts:

  • the Wiretap Act, 18 U.S.C. S. 2510 et seq.,
  • the Pen Register and Trap and Trace Devices Act, 18 U.S.C. S. 3121, et seq., and
  • the Stored Communications Act ("SCA"), 18 U.S.C. S. 2701 et seq.

The statutes provide different levels of protection for customer records and information. In theory, the greater the privacy right in the records and communications, the more stringent the requirements for government access.

Sprint explained the different requirements for each category in non-legalese in this May, 2012 letter to Congress:

(1) Basic subscriber information, which is strictly limited to six specific categories of information (name, address, local long distance records (or records of session times and duration), length/type of service, telephone/subscriber number and means and source of payment), is the only information that can be disclosed to law enforcement pursuant to an administrative, grand jury or trial subpoena. 18 U.S.C. S. 2703(c)(2).

(2) All non-content records or other information pertaining to a subscriber (including basic subscriber information) can be disclosed to law enforcement pursuant to a court order based on "specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought, are relevant and material to an ongoing criminal investigation." 18 U.S.C. S. 2703(d).

(3) The stored content of a customer's communications (e.g., text messages), can only be disclosed to law enforcement pursuant to a warrant or court order based on probable cause. 18 U.S.C. S. 2703(a) and (b).

(4) A wiretap can only be established pursuant to a court order based on probable cause. 18 U.S.C. S. 2702(b)(2) & 18 U.S.C. S. 2518(3).

The Justice Department's 2009 manual on searching and seizing computers and obtaining electronic evidence for use in criminal prosecutions (available here) has this chart of the different requirements for obtaining records and content. From Chapter 3 on the Stored Communications Act.

The SCA regulates how the government can obtain stored account information from network service providers such as ISPs. Whenever agents or prosecutors seek stored email, account records, or subscriber information from a network service provider, they must comply with the SCA.

....The Stored Communications Act, 18 U.S.C. §§ 2701-2712 ("SCA"), sets forth a system of statutory privacy rights for customers and subscribers of computer network service providers. There are three main substantive components to this system, which serves to protect and regulate the privacy interests of network users with respect to government, network service providers, and the world at large. First, § 2703 creates a code of criminal procedure that federal and state law enforcement officers must follow to compel disclosure of stored communications from network service providers.

Second, § 2702 regulates voluntary disclosure by network service providers of customer communications and records, both to government and nongovernment entities.

Third, § 2701 prohibits unlawful access to certain stored communications; anyone who obtains, alters, or prevents authorized access to those communications is subject to criminal penalties.

Cloud computing has definitely posed problems for judges. From the 2010 hearing of the House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA Reform and the Revolution in Cloud Computing (statement of Michael Hintze, Associate General Counsel, Microsoft Corp.)

When law enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data stored on an individual's personal or business hard drive.

Whether a Republican or Leahy drafted the circulated revision doesn't seem like the major point here. That's because Leahy's bill, even as introduced, addresses just a small part of the current problems involving law enforcement's excessive authority to intrude into our private communications and obtain our personal data and information. So many more reforms to existing law are necessary to bring it in line with basic due process principles. Here are just a few, from the Digital Due Process Center:

1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online.

This principle applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet "cloud"-- private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks....

2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.

This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data....

3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.

In 2001, the law governing "pen registers and trap & trace devices" - technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone - was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit.

This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated.

4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.

This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.

Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation.

As to the ECPA specifically, the Digital Due Process Coalition lists these principles:

A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider's access to or use of the communications in its normal business operations.

A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.

A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).

Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.

For more on the myriad of pending bills in Congress revising cybersecurity and electronic privacy laws, see this November, 2012 Congressional Research Service Report. (hat tip to Bmaz at Empty Wheel, who provides his thoughts on the Leahy/McCullagh news here.)

Whether McCullagh is right or Leahy is telling the truth is really of no more moment than the faux shock over the FBI's obtaining Gen. David Petraeus' emails. The real value of both is the potential they have to wake people up to the excessive and ever-increasing infringement of our privacy rights resulting from the power Congress has given law enforcement, and law enforcement's constant demand for more. This power needs to be recouped and reined in.

Source: http://www.talkleft.com/story/2012/11/21/32143/604
