Tag: electronic communications privacy act

A No-Brainer: Bad for Privacy and Liberty

CNET journalist Declan McCullagh has lit up the Internets today with his reporting on a revamped Senate online privacy bill that would give an alphabet soup of federal agencies unprecedented access to email and other online communications.

Leahy’s rewritten bill would allow more than 22 agencies – including the Securities and Exchange Commission and the Federal Communications Commission – to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.

This would be an astounding expansion of government authority to snoop. And it comes at a time when the public is getting wind through the Petraeus scandal of just how easy it already is to access our private communications.

Assuming McCullagh’s reading of the draft he obtained is remotely plausible, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) should reconsider his current course–if he wants to maintain the mantle of a privacy leader, at least.

The Washington, D.C., meta-story is almost as interesting. Who is where on the bill? And when? The ACLU’s Christopher Calabrese told McCullagh last night, “We believe a warrant is the appropriate standard for any contents.” FreedomWorks came out of the gate this morning with a petition asking for opposition to Senator Leahy’s revised bill.

The Center for Democracy did not have a comment when McCullagh asked, though spokesman Brock Meeks suggests via Twitter today that McCullagh didn’t try hard enough to reach him. The reason that’s important? CDT has a history of equivocation and compromise in the face of privacy-invasive legislation and policies. At this point, the group has said via Twitter that they “wouldn’t support the rewrite described in CNET.” That’s good news, and it’s consistent with people’s expectations for CDT both on the outside and within.

There will undoubtedly be more to this story. Emails should not only be statutorily protected, but Fourth Amendment protected, based on the framework for communications privacy I laid out for the Supreme Court in Cato’s Florida v. Jardines brief.

Accountability for ‘Exigent Letter’ Abuse At Last?

It is more than three years since the Office of the Inspector General first brought public attention to the FBI’s systematic misuse of the National Security Letter statutes to issue fictitious “exigent letters” and obtain telecommunications records without due process. Nobody at the Bureau has been fined, or even disciplined, for this systematic lawbreaking and the efforts to conceal it. But the bipartisan outrage expressed at a subcommittee hearing of the House Judiciary Committee this morning hints that Congress may be running out of patience—and looking for some highly-placed heads to roll. Just to refresh, Committee Chairman John Conyers summarized the main abuses in an opening statement:

The IG found that more than 700 times, such information was obtained about more than 2,000 phone numbers by so-called “exigent letters” from FBI personnel. In some cases, the IG concluded, FBI agents sent the letters even though they believed that factual information in the letters was false. For more than 3,500 phone numbers, the call information was extracted without even a letter, but instead by e‐mail, requests on a post‐it note, or “sneak peeks” of telephone company computer screens or other records…. In one case, the FBI actually obtained phone records of Washington Post and New York Times reporters and kept them in a database, leading to an IG conclusion of “serious abuse” of FBI authority and an FBI public apology.

It’s probably actually worse than that: Since these letters often requested a “community of interest” analysis for targeted numbers, the privacy of many people beyond the nominal targets may have been implicated—though it’s hard to be sure, since the IG report redacts almost all details about this CoI mapping.

And as Rep. Jerry Nadler pointed out, the IG report suggests a “clear pattern here of deliberate evasion,” rather than the innocent oversight the Bureau keeps pleading.  Both Nadler and the Republican ex-chair of the committee, Rep. James Sensenbrenner, expressed frustration at their sense that, when the FBI had failed to win legislative approval for all the powers on its wish list, it had simply ignored lawful process, seizing by fiat what Congress had refused to grant. Sensenbrenner, one of the authors of the Patriot Act, even declared that he felt “betrayed.” But we’ve heard similar rhetoric before. It was the following suggestion from Conyers (from my notes, but pretty near verbatim) that really raised an eyebrow:

There must be further investigation as to who and why and how somebody in the Federal Bureau of Investigation could invent a practice and have allowed it to have gone on for three consecutive years.  I propose and hope that this committee and its leadership will join me, because I think there may be grounds for removal of the general counsel of the FBI.

That would be Valerie Caproni, one of the hearing’s two witnesses, and an executive-level official whose dismissal would be the first hint of an administration response commensurate with the gravity of the violations that occurred. Caproni’s testimony, consistent with previous performances, was an awkward effort to simultaneously minimize the seriousness of FBI’s abuses—she is fond of saying “flawed” when le mot juste is “illegal”—and also to assure legislators that the Bureau was treating it with the utmost seriousness already. Sensenbrenner appeared unpersuaded, at one point barking in obvious irritation: “I don’t think you’re getting the message; will you get the message today?” The Republican also seemed to indirectly echo Conyers’ warning, declaring himself “not unsympathetic” to the incredulous chairman’s indictment of her office. Of course, the FBI has its own Office of Professional Responsibility which is supposed to be in charge of holding agents and officials accountable for malfeasance, but apparently the wheels there are still grinding along.

It’s also worth noting that Inspector General Glenn Fine, who also testified, specifically urged Congress to look into a secret memo issued in January by the Office of Legal Counsel, apparently deploying some novel legal theory to conclude that many of the call records obtained by the FBI were not covered by federal privacy statutes after all. This stood out just because my impression is that OIG usually limits itself to straight reporting and leaves it to Congress to judge what merits investigation, suggesting heightened concern about the potential scope of the ruling, despite FBI’s pledge not to avail itself of this novel legal logic without apprising its oversight committees. Alas, the details here are classified, but Caproni did at one point in her testimony conclude that “disclosure of approximately half of the records at issue was not forbidden by ECPA and/or was connected to a clear emergency situation.”  There were 4,400 improperly obtained “records at issue” in the FBI’s internal review, of which about 150 were ultimately retained on the grounds that they would have qualified for the emergency exception in the Electronic Communications Privacy Act.  Since that tally didn’t include qualifying records for which legitimate process had nevertheless been issued at some point, the number of “real” emergencies is probably slightly higher, but that still suggests that the “half” Caproni alludes to are mostly in the “disclosure…not forbidden by ECPA” category.  Since ECPA is fairly comprehensive when it comes to telecom subscriber records—or at least, so we all thought until recently—we have to assume she means that these are the types of records the OLC opinion has removed from FISA’s protection. If those inferences are correct, and the new OLC exception covers nearly half of the call detail records FBI obtains, that would not constitute a “loophole” in federal electronic privacy law so much as its evisceration.

Of course, it’s possible that the specific nature of the exception would allay civil libertarian fears. What’s really intolerable in a democratic society is that we don’t know. Operational facts about specific investigations, and even specific investigatory techniques, are rightly classified. But an interpretation of a public statute so significant as to potentially halve its apparent protections cannot be kept secret without making a farce of the rule of law.

School Webcams and Strange Gaps in Surveillance Law

Last week, I noted the strange story of a lawsuit filed by parents who allege that their son was spied on by school officials who used security software capable of remotely activating the webcams in laptops distributed to students. A bit more information on that case has since come out. The school district has issued a statement which doesn’t get into the details of the case, but avers that the remote camera capability has only ever been used in an effort to locate laptops believed to have been lost or stolen. (That apparently includes a temporary “loaner computer that, against regulations, might be taken off campus.”)  They do, however, acknowledge that they erred in failing to notify parents about this capability.  The lawyer for the student plaintiff is now telling reporters that school officials called his client in to the vice principal’s office when they mistook his Mike and Ike candies for illegal drugs.

Perhaps most intriguingly, a security blogger has done some probing into the technical capabilities of the surveillance software used by the school district. The blogger also rounds up comments from self-identified students of the high school, many of whom claim that they noticed the webcam light on their school-issued laptops flickering on and off—behavior they were told was a “glitch”—which may provide some reason to question the school’s assertion that this capability was only activated in a handful of cases to locate lost laptops. The FBI, meanwhile, has reportedly opened an investigation to see whether any federal wiretap laws may have been violated.

It’s this last item I want to call attention to. The complaint against the school district states a number of causes of action.  The most obvious one—which sounds to me like a slam dunk—is a Fourth Amendment claim. But there are also a handful of claims under federal wiretapping statutes, specifically the Electronic Communications Privacy Act and the Stored Communications Act. These are more dubious, and rest on the premise that the webcam image was an “electronic communication” that school officials “intercepted” (as those terms are used in the statute), or alternatively that the activation of the security software involved “unauthorized” access by the school to its own laptop. The trouble is that courts considering similar claims in the past have held that federal electronic surveillance law does not cover silent video surveillance—or rather, the criminal wiretap statutes don’t.

That leads to a strange asymmetry in a couple of different ways. First, intelligence surveillance covered by the Foreign Intelligence Surveillance Act does include silent video monitoring. Second, it seems to provide less protection for a type of monitoring that is arguably still more intrusive. If officials had turned on the laptop’s microphone, that would fall under ECPA’s prohibition on intercepts of “oral communications.” And if the student had been engaged in a video chat using software like Skype, that would clearly constitute an “electronic communication,” even if the audio were not intercepted. But at least in the cases I’m familiar with, the courts have declined to apply that label to surreptitiously recorded silent video—which one might think would be the most invasive of all, given that the target is completely unaware of being observed by anybody.

One final note: The coverage I’m seeing is talking about this as though it involves one school doing something highly unusual. It’s not remotely clear to me that this is the case. We know that at least one other school district employs similar monitoring software, and a growing number of districts are experimenting with issuing laptops to students. I’d like to see reporters start calling around and find out just how many schools are supplying kids with potential telescreens.

Sacrificing Liberties in the Name of Security

The new Justice Department Inspector General report finds that the FBI broke the law in seeking phone records.  Reports Jacob Sullum of Reason magazine:

In a report (PDF) issued today, Justice Department Inspector General Glenn Fine shows that the FBI routinely broke the law for several years by demanding telephone records through informal methods that were not authorized by statute. The abuses, which involved thousands of records, are especially striking because it is not very hard for the FBI to obtain this information legally. The Electronic Communications Privacy Act (ECPA) allows the bureau to demand records from phone companies through a “national security letter” (NSL) signed by the director or an official he designates. Under FBI policy, any special agent in charge can sign an NSL, which simply states that the records sought are “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.”

In 2003 FBI officials began dodging this minimal requirement by asking telecommunications carriers to supply records without the legally required NSL “due to exigent circumstances” and promising to provide an NSL after the fact. These so-called exigent letters, which were often used when no emergency actually existed, were an extralegal contrivance that violated ECPA, bureau policy, and guidelines issued by the attorney general. The retroactive NSLs promised by the exigent letters often failed to appear because there was no authorized investigation to which they could be linked. To fix that problem, FBI officials resorted to another illegal procedure, issuing “blanket” NSLs tied to no particular investigation.

Even these pseudolegalities look downright upright next to the FBI’s other informal methods of obtaining records, which included requests by email, phone, post-it note, and in-person oral communication as well as “sneak peeks,” which were about as legitimate as they sound. The failure to follow the established NSL process is legally significant because ECPA prohibits telecom companies from disclosing customer records to the government except in specified circumstances. One of them is not when an FBI agent shows up at your office and says, “Mind if I take a look at that?”

The targets of the FBI’s illegal record grabs are unknown, with one major exception. “Some of the most troubling improper requests for telephone records,” the inspector general’s report notes, “occurred in media leak cases, where the FBI sought and acquired reporters’ telephone toll billing records and calling activity information without following federal regulation or obtaining the required Attorney General approval.” In 2008 FBI Director Robert Mueller apologized for the bureau’s improper snooping on foreign correspondents for The New York Times and The Washington Post.

Obviously, federal agencies require investigative authority to combat terrorism and other crimes.  But those investigations need to be conducted in accordance with the law and Constitution.  We must never forget that it is a free society which we are defending.