Tag: probable cause

A Brief Civil Liberties Quiz

See if you can spot the civil-liberties victory:

  1. The Supreme Court says the government can put your DNA in a national database, even if you were wrongly arrested.
  2. The State of Mississippi imposes mandatory collection of the DNA of babies born to teenage moms, neither of which is suspected of a crime.
  3. The Department of Justice is tracking and threatening to prosecute reporters, for the crime of reporting.
  4. The National Security Agency is collecting everyone’s phone records, even if they suspect you of nothing.
  5. The U.S. Senate kills a bill that could lead to a registry of law-abiding gun owners.

Answer: #5. 

Those crazy senators are looking less crazy all the time. 

Phone Numbers, E-Mail Addresses, and Metaphor Wars

The law normally advances by small and cautious steps—by the gradual extension of established precedents and rules to novel problems and fact patterns. Little wonder, then, that tricky questions of law often amount to conflicts between competing metaphors. Is a hard drive like a closed briefcase whose contents are all fair game for police once the “container” is legitimately opened? Or is it more like a warehouse containing hundreds or thousands of individual closed containers? If the latter, what are the “containers”? Directories? Individual files?

A similar metaphor war figures in the FBI’s effort to expand its authority to acquire information from Internet Service Providers using National Security Letters, which are issued by agents without judicial oversight, and typically forbid providers from disclosing anything about the demand for records. The Bureau had long assumed that the NSL statutes gave them broad authority to get “electronic communications transaction records”—information about your online communications, though not the contents of the communications themselves—as long as they certified that those records would be “relevant” to a national security investigation, a far lower standard than the Fourth Amendment’s “probable cause.” But in a 2008 opinion, the Bush administration’s Office of Legal Counsel rejected this interpretation, finding that NSLs could only be used to obtain the particular types of records specified in the statute, including “toll billing records.” For Internet accounts, this meant the FBI could only get “information parallel to… toll billing records for ordinary telephone service.”

The obvious question is what, exactly, constitutes information “parallel to” a toll billing record in the online context. The FBI would prefer to resolve the ambiguity by simply amending the law to give them blanket authority to acquire transaction records. In particular, according to The Washington Post, government lawyers think they can obtain “the addresses to which an Internet user sends e-mail; the times and dates e-mail was sent and received; and possibly a user’s browser history.” On its face, this sounds like a reasonable reading. An important 1979 Supreme Court case, Smith v. Maryland, held that the information contained in telephone “toll billing records”—the itemized list of calls placed and received you’d find on a standard phone bill—didn’t enjoy Fourth Amendment protection, and so unlike the contents of phone conversations themselves, could be obtained by the government without a full probable cause warrant. Surely the obvious equivalent in the online context is the list of e-mail addresses in an Internet user’s inbox and outbox? At a second glance, though, there are some problems with that metaphor, of two central kinds.

First, there’s a problem with the formal analogy. The Court in Smith supported their finding of a diminished privacy interest in toll billing records on numerous grounds.  For one, the Court noted that because one’s itemized phone bill did contain these numbers, no reasonable person could be unaware that this information was “exposed” to employees of the phone company and retained as a matter of course among the company’s business records. Of course, it’s now increasingly common for phone companies to charge a flat rate rather than billing by individual calls, and so the legislative history of the NSL statutes makes clear that by “toll billing records” they mean information that could be used to assess a charge, even if a company happened not to charge that way.

The analogy gets pretty strained when we come to Internet services, though. At the time the laws in question here were written, ISPs almost universally charged people for the amount of time they were connected, not by the number of individual e-mails sent. Now it’s much more common to simply play a flat monthly fee for broadband connection, though you also sometimes see plans where there’s a charge by the megabyte above a certain threshold of bandwidth usage. Your ISP, of course has technical access to the list of e-mail addresses you’ve communicated with—just as they have the ability to access the e-mails themselves—but no major service, as far as I know, has ever actually kept this list as a separate billing record.

But maybe that’s not the right way to apply the metaphor. Maybe what’s important is whether those to/from e-mail records are substantively “parallel to” the kind of information you’d traditionally find in telephone toll billing records. As the Smith Court observed, a list of phone numbers was far less revealing and sensitive than the actual conversation—it revealed nothing of the “purport” of the communication itself, or even who was on the call. But as soon as we start to think more carefully about how we actually use e-mail in the real world, it becomes clear that the analogy is far from perfect.

One thing lots of people do with e-mail, after all, is participate in mailing lists and discussion groups.  Records of this sort, then, are likely to reveal the membership in potentially controversial social, political, or religious groups—and the Supreme Court has also found that such membership lists enjoy First Amendment protection as a component of freedom of association. But they’d also reveal much more than that. The closest telephone analogue to a mailing list discussion is probable a conference call.  An investigator who obtained toll billing records for such a call would, at most, have learned that a certain number of people called in for a certain amount of time; they’d learn nothing about who spoke in response to whom, or how much, and who remained silent.  Someone getting  e-mail transaction records would have a much more detailed picture of who was vocal and who was silent, the order and frequency with which participants spoke, and so on. And more generally, people in practice do not use e-mail like traditional letters: They tend to have exchanges in which each individual e-mail is more like a piece of the longer conversation.

There are also many common uses of e-mail that don’t really have close analogies in the telephonic context.  If I make a purchase from Amazon, win an Ebay auction,  make an OpenTable restaurant reservation, register for a conference at a local think tank, or place a Craigslist ad, that will typically generate an automatic confirmation e-mail from the site, and the e-mail address from which the site comes will often reveal something about the nature of the transaction. (My inbox has messages from auto-confirm, order-update, ship-confirm, and  store-news @amazon.com—inherently more revealing than the mere fact that I called some mail-order vendor.) It’s not a particularly big deal in those cases, but such e-mails could also reveal that I had opened or closed or modified an account at a particular politically, sexually, or religiously oriented Web site, or subscribed to a specific publication.

For an example of just how sensitive and revealing such task-specific e-mail addresses can be, consider Craigslist in particular. The site—which for those who haven’t used it is the vast online equivalent of the newspaper’s classified section—generates an individual anonymized e-mail addresses for each ad placed, so that users don’t have to expose their own contact information to the world. Yet while this provides anonymity against the general public, it also makes those mere e-mail addresses much more revealing to the government agent who obtains transaction records. That’s because each ad can be linked to a particular e-mail address, so if you’ve sent a message to pers-1234567-ABCD [at] craigslist [dot] com, the government may not know exactly who you’ve written, but they can determine why you’re writing: To respond to an ad offering a handgun for sale, say, or one soliciting a foot fetishist for a “casual encounter.”

The point is not just that investigators shouldn’t be able to get e-mail transaction records without a probable cause warrant—though I happen to think that would be a reasonable standard. It’s that metaphors can mislead us: We need to look past the easy equivalencies between new technologies and more traditional forms of communication, and drill down to see the full range of privacy interests implicated given the real-world practices of ordinary people who use those technologies.

Compare and Contrast

Fourth Amendment:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Supreme Court (Katz v. U.S.):

“[S]earches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment—subject only to a few specifically established and well delineated exceptions.”

Washington Post:

“The Obama administration is seeking to make it easier for the FBI to compel companies to turn over records of an individual’s Internet activity without a court order if agents deem the information relevant to a terrorism or intelligence investigation.”

Internet Privacy Law Needs an Upgrade

Imagine for a moment that all your computing devices had to run on code that had been written in 1986. Your smartphone is, alas, entirely out of luck, but your laptop or desktop computer might be able to get online using a dial-up modem. But you’d better be happy with a command-line interface to services like e-mail, Usenet, and Telnet, because the only “Web browsers” anyone’s heard of in 1986 are entomologists. Cloud computing? Location based services? Social networking? No can do, though you can still get into a raging debate about the relative merits of Macs and PCs.

When it comes to federal privacy law, alas, we are running on code written in 1986: The Elecronic Communications Privacy Act, a statute that’s not only ludicrously out of date, but so notoriously convoluted and unclear that even legal experts routinely lament the “mess” of electronic privacy law. Scholar Orin Kerr has called it “famously complex, if not entirely impenetrable.” Part of the problem, to be sure, lies with the courts.  It is scandalous that in 2010, we don’t even have a definitive ruling on whether or when the Fourth Amendment requires the government to get a search warrant to read e-mails stored on a server. But the ECPA statute, meant to fill the gap left by the courts, reads like the rules of James T. Kirk’s fictional card game Fizzbin.

Suppose the police want to read your e-mail. To come into your home and look through your computer, of course, they’d need a full Fourth Amendment search warrant based on probable cause. If they want to intercept the e-mail in transit, they have to go still further and meet the “super-warrant” standards of the Wiretap Act. Once it lands on your Internet Service Provider’s server, a regular search warrant is once again the standard—assuming your ISP is providing access “to the public.” If it’s a more closed network like your work account, your employer is permitted to voluntarily hand it over. But if you read the e-mail, or leave it on the server for more than 180 days, then suddenly your ISP has become a “remote computing service” provider rather than an “electronic communications service provider” vis a vis that e-mail. So instead of a probable cause warrant, police can get a 2703(d) order based on “specific and articulable facts” showing the information is “relevant and material” to an investigation—a much lower standard—provided they notify you. Except they can ask a judge to delay notification if they think that would impede the investigation. Oh, unless your ISP is in the Ninth Circuit, where opened e-mails still get the higher level of protection until they’ve “expired in the normal course,” whatever that means.

That’s for e-mail contents.  But maybe they don’t actually need to read your e-mail; maybe they just want some “metadata”—the equivalent of scanning the envelopes of physical letters—to see if your online activity is suspicious enough to warrant a closer look.  Well, then they can get what’s called a pen/trap order based on a mere certification to a judge of “relevance” to capture that information in realtime, but without having to provide any of those “specific and articulable facts.” Unless it’s information that would reveal your location—maybe because you’re e-mailing from your smartphone—in which case, well, the law doesn’t really say, but the Justice Department thinks a pen/trap order plus one of those 2703(d) orders will do, unless it’s really specific location information, at which point they get a warrant. If they want to get those records after the fact, it’s one of those 2703(d) orders—again, unless a non-public provider like your school or employer wants to volunteer them. Oh, unless it’s a counterterror investigation, and the FBI thinks your records might be “relevant” somehow, in which case they can get them with a National Security letter, without getting a judge involved at all.

Dizzy yet? Well, a movement launched today with the aim of dragging our electronic privacy law, kicking and screaming, into the 21st century: The Digital Due Process Coalition.  They’re pushing for a streamlined law that provides clear and consistent protection for sensitive information—the kind of common sense rules you’d have thought would already be in place.  If the government wants to read the contents of your letters, they should need a search warrant—regardless of the phase of the moon when an e-mail is acquired. If they want to track your location, they should need a warrant. And all that “metadata” can be pretty revealing in the digital age—maybe some stricter oversight is in order before they start vacuuming up all our IP logs.

Reforms like these are way overdue. You wouldn’t trust your most sensitive data to software code that hadn’t gone a few years without a security patch. Why would you trust it to legal code that hasn’t had a major patch in over two decades?