Subject line surveillance (and the contents, too)
Why a bill passed in the infancy of email still governs your inbox 30 years later.
BY: NATALIE ESCOBAR AND JACOB MESCHKE
12:01 A.M., DAY 181 AFTER RECEIVING AN EMAIL FROM A FRIEND. For the past six months, the government would have needed a search warrant to read this email. One minute later, it’s free game for them to browse.

The Electronic Communications Privacy Act of 1986 allows the browsing. After 180 days of sitting in your cloud storage—far longer than any 1980s email user would have kept it because of storage limits—an email has significantly less privacy protection.

In passing the law 30 years ago, Congress was trying to keep up with rapid changes in communication. The legislation sought to protect the privacy rights of electronic data transmissions via computer, in the same way phone calls already were.

Some members of Congress want to catch the law up to today’s technology realities. Reps. Kevin Yoder, R-Kan., and Jared Polis, D-Colo., introduced the Email Privacy Act in January 2015, and it has 312 co-sponsors, with a nearly equal number of Democrats and Republicans. In its current form, the bill would eliminate the 180-day rule entirely, and make it so any law enforcement official would always need a warrant to see the contents of an email.

But it has yet to get past the House Judiciary Committee, making it the most supported bill in the House that has not yet gone to a floor vote, according to a press release from Polis. The committee’s chairman, Rep. Robert Goodlatte, R-Va., announced in February that his committee would hold a final review of the legislation. Goodlatte said in a press release on Feb. 3 that he looks forward to bringing the bill to a vote at an unknown point in the future.

A false start

The fact that ECPA has not changed over the past 30 years, however, is not for lack of trying. In 2013, Yoder introduced the Email Privacy Act in the 113th Congress, along with Rep. Tom Graves, R-Ga. It was assigned to the House Judiciary Committee, and Goodlatte said reforming ECPA would be one of the committee’s main policy priorities. By the end of the 113th Congress, the EPA had 272 cosponsors: 174 Republicans and 98 Democrats. But it did not come to a vote in the Judiciary Committee and died at the end of the 113th Congress in December 2014.

Goodlatte declined an interview for this story, but said in a statement that reforming ECPA has been a priority for him. “I have been working with members of Congress, advocacy groups, and law enforcement for years on many complicated nuances involved in updating this law,” he said in the statement.

Keeping pace

ECPA didn’t always seem outdated. When it was written in 1986, five years before the World Wide Web and 10 years before companies like Hotmail offered free email accounts, it seemed reasonable. Internet access and online storage services were expensive, so people would download emails to their computers and then delete the online version shortly after opening them. Fast forward 30 years, and Gmail users in 2016 can let thousands of unread emails live in their inboxes without paying a dime.

Because the law was created before the age of the iPhone, it’s also unclear what exactly ECPA encompasses, said Julian Sanchez, a senior fellow at the libertarian Cato Institute. The law protects “electronic communications,” which could include a broad category of data—photos texted to friends, Twitter direct messages or Facebook chats—apart from email. “I think it’s an easy move to say even if it’s an IM or something, [it’s] obviously really the same thing,” Sanchez said.

One court case, zero laws

One of the strangest parts in the Email Privacy Act’s story, legal scholars say, lies in the fact that the courts have already ruled warrant exceptions to be unconstitutional. In 2010, the 6th U.S. Circuit Court of Appeals ruled in United States v. Warshak that the government should always be obligated to get a search warrant to read emails. Because there is a “reasonable expectation of privacy” for the content of emails stored in servers, the court held, the Fourth Amendment unequivocally applies to them.

Since then, the decision has effectively become the law of the land; very few agencies actually use the 180-day loophole to their advantage. Following Warshak, the Department of Justice voluntarily adopted a policy requiring warrants to read emails, regardless of date sent.

Despite the precedent, Warshak is still worth writing into law, says Albert Gidari, the director of privacy at the Stanford Center for Internet and Society. “The point is that there is a statute on the books that was written at a time with technological assumptions that are no longer valid,” he said. “And that’s why Congress should clean up that law and eliminate any confusion about it.”

Very few people disagree that ECPA needs to move past the 1980s. Eighty-six percent of voters support changing ECPA when told about the law’s basics, according to a poll by a digital advocacy group. Without endorsing a particular bill, the White House said that ECPA is outdated and needs to be reformed in response to a related 2013 petition signed by over 100,000 people. A coalition that includes civil liberties groups, technology groups such as Apple and Google, and the U.S. Chamber of Commerce sent a letter to the House Judiciary Committee in support of the EPA in January 2015.

“Successful passage of ECPA reform sends a powerful message—Congress can act swiftly on crucial, widely supported, bipartisan legislation,” the letter said. “Failure to enact reform sends an equally powerful message—that privacy protections are lacking in law enforcement access to user information and that constitutional values are imperiled in a digital world.”

The two sides of the privacy coin

However, federal and state agencies have dug in their heels. They don’t necessarily object to eliminating the EPA’s 180-day rule, but the search warrant requirement would shut them out from access. Only criminal law enforcement—not civil—can request search warrants. Instead, civil law enforcement agencies like the Securities and Exchange Commission would have to subpoena individual customers, not Internet service providers like Google, to access emails.

Even though ECPA currently allows these agencies to subpoena ISPs, the SEC has not used that power in the wake of Warshak, Division of Enforcement Director Andrew Ceresney said at a House Judiciary Committee oversight hearing in December. Losing the ability to go through the company would “pose significant risks to the American public,” he said, because individuals are much less likely to cooperate with investigations than third parties.

“Unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct,” Ceresney said, according to the hearing transcript. A better ECPA reform bill would allow agencies to subpoena ISPs if the individual did not comply, he said in the hearing.

When reached for comment about specific cases in which not being able to subpoena email providers hurt investigations, the SEC said that it would defer to Ceresney’s testimony, in which he said that his agency can’t know how much the post-Warshak policy has hurt the SEC.

Civil rights groups and voices in the tech community have pushed hard in the opposite direction. Sanchez said ECPA’s current lack of a clear “electronic communications” definition may result in law enforcement applying the law unevenly.

“There are all sorts of services where you are storing data remotely, and the company has some type of access to it, or does something to it to provide you with some kind of additional or enhanced service,” he said. “There’s that whole range of different things they’re doing with the data that could give rise to a claim that you just don’t have the same kind of expectation of privacy.”

The Internet service providers themselves have a huge stake in this, since they want to ensure their users’ privacy is protected uniformly. The current confusing standards do not point toward a clear enforcement procedure, said Richard Salgado, Google’s director of law enforcement and information security, at the December hearing.

“By creating inconsistent privacy protection for users of cloud services and inefficient and confusing compliance hurdles for service providers, ECPA has created an unnecessary disincentive to move to a more efficient, more productive method of computing,” his prepared statement for the hearing said.

Gidari said that he understands that civil law enforcement agents have a difficult job; crimes are sophisticated, and emails can help prove intent of fraud. However, he rejected the idea that civil law enforcement agencies need to access messages to do their jobs, since it’s “not the only evidence of a crime.”

“You shouldn’t be willing to trade off the huge intrusion into people’s lives that may be even tangential to an investigation for the purpose of making it a little easier for them to do their job,” he said. “They’re not there to do the job easily. They’re there to do the job.”

If the SEC were able to enact the type of ECPA reform that Ceresney suggested in testimony, the power to bypass the warrant requirement would also transfer geographically, encompassing hundreds of federal agencies and thousands of state ones, Gidari said. “The New York Sanitation Department would have the power to subpoena your email,” he said.

Why now?

Despite past “stonewalling” of the Email Privacy Act, momentum seems to be building during this Congress, said Mark Jaycox. The champions in the House—Yoder, Polis and Graves—have done a good job pushing the bill, he said, but the conversations about encryption surrounding the Apple v. FBI case may have done even more to spur movement.

“I certainly think that when we’re talking about encryption, we’re also talking about the larger issue of security,” he said. “The growing awareness of security may have played a role in the cosponsors in [the EPA].”

While Goodlatte said his committee would act on the bill, the current session of Congress ends in December and the measure needs approval by both the House and Senate. If not, it’s back to the starting line for EPA in January.

“It’s all on Representative Goodlatte right now to hold a markup and to advance the bill,” Yoder said. “Because it’s six years too late on the issue already.”
The evolution of ECPA

OCTOBER 1986 Congress passed ECPA, which expanded and adjusted the Wiretap Act to protect electronic communications stored on computers and hard drives. The act regulated when these communications can be procured or read by outside groups, including the U.S. government.
FEBRUARY 2015 At this point, 308 out of 435 House representatives have cosponsored the bill.
Rep. Lee Zeldin, R-N.Y., was the 300th representative to cosponsor the bill. According to a press release on Rep. Yoder’s website, it continued to be the most-supported House bill in the 114th Congress that had not been passed.
MAY 2013 Rep. Kevin Yoder, R-Kan., and Rep. Tom Graves, R-Ga., introduced the legislation for the first time in the House.
MARCH 2016
OCTOBER 2015
DECEMBER 2015
FEBRUARY 2015 “It’s clear that the law needs to be modernized and updated to ensure it keeps pace with ever-changing technologies so that we protect Americans’ constitutional rights and provide law enforcement with the tools they need for criminal investigations in the digital age,” said Rep. Robert Goodlatte, R-Va., in a press release.
The latest iteration of the bill was introduced with, once again, both bicameral and bipartisan support. Rep. Kevin Yoder, R-Kan., and Rep. Jared Polis, D-Colo., introduced the House version, while Sen. Mike Lee, R-Utah, and Sen. Patrick Leahy, D-Vt., introduced the Senate version. At the time of introduction, the Senate bill had six additional cosponsors, while the House version had 228.
MAY 2013
Witnesses included Andrew Ceresney, director of the SEC’s enforcement division; Steven Cook, the president of the National Association of Assistant U.S. Attorneys; Richard Littlehale, assistant special agent at the Tennessee Bureau of Investigation; Chris Calabrese, policy vice president at the Center for Democracy and Technology; Richard Salgado, Google’s director of law enforcement and information security; and Paul Rosenzweig, cybersecurity consultant.
Choose Your Own Adventure Data Request

You are an agent of the . As a member of the cybercrimes division, it’s your job to track down any evidence from electronic sources to help catch the perpetrator of a crime.

You’ve just gotten a tip on a case gone cold. Two men, wanted for grand larceny and murder but never found, may have been communicating by email, and the tipster has given you a lead: a email address. The time stamps and IP addresses of these emails could be invaluable clues to the whereabouts of these men, and the contents could be all the evidence needed to convict. You need to get those emails. Here’s how you do it:

1. Has it been more than 180 days?
YES: Get Data!
NO
ECPA in its current form allows law enforcement to access any emails after 180 days. Eliminating the 180-day rule is the most widely agreed-upon priority amongst all parties.

2. Is it an emergency?
YES: Submit request to ISP before going to a court. Compliance by ISP is not compulsory.
ISPs do not currently have to comply with emergency requests, and the current reform bill has not changed that. Stronger compulsion for compliance is a top priority for law enforcement.

3. What do you need?
LIGHT METADATA: Issue subpoena. Reasonable grounds needed. Law enforcement is required to notify the subscriber, but not necessarily right away. The Securities and Exchange Commission would like to retain subpoena power, at risk in the new bill, in exchange for primary notification of subscribers.
DETAILED METADATA: Obtain court order from judge. Prove relevancy of information.
CONTENT: Obtain search warrant from a judge. Probable cause and specificity needed.
Get Data!

4. Does the ISP agree with your request?
YES: REQUEST ACCEPTED. Get Data!
NO: REQUEST DENIED. Refine, narrow or adjust search parameters.
ISPs sometimes reject requests, even signed by a judge, for procedural reasons, including improper method of submission, too small a window of time to comply, and failure to provide the correct details such as an officer’s badge number.