GOVERNMENT ACCESS TO ELECTRONIC COMMUNICATIONS – UPDATING THE RULES

EDUCAUSE Live!June 9, 2010

James X. DempseyCenter for Democracy & Technology

1

The Origin of Privacy Rights as Against the Government:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Fourth Amendment (1791)

2

The Origin of Privacy Rights as Against the Government:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Fourth Amendment (1791)

3

Notwithstanding technology’s change, some things are pretty clear …Data, regardless of technology…

in your home in your briefcase or wallet on your laptop on any device in your possession

… is highly protected -- full 4th Amendment coverage, requiring a search warrant issued by a judge and notice at the time of the search.

Also subject to 4th A exceptions: How far can “search incident to arrest” go in terms of hand-held device?

4

Computer

IP Phone

VoIPGateway

PBX Gateway

ISPGateway

Cable Modem

Cable Modem

VoIP Router

PhoneLine

PhoneLine

WiFi Access Point

PDA Phone((GSM or CDMA))

DSL Modem

Telephone

Computer

PBX

iPBX(Gateway)

IP Phone

Cellphone

3G

Telephone

Telephone

Telephone

PSTN

LaptopComputer

… but what about data in this environment?

5

The Courts, Congress and Technology

6

Ex parte Jackson (1877)

The Courts, Congress and Technology

7

Olmstead v. United States (1928)

The Courts, Congress and Technology

8

“There is in essence no difference between the sealed letter and the private telephone message. … True, the one is visible, the other invisible; the one is tangible, the other intangible; … but these are distinctions without a difference.” Brandeis, J., dissenting.

Courts, Congress and Technology

9

Communications Act of 1934, Section 605 – no person shall “intercept … and divulge or publish”

Courts, Congress and Technology

10

“The Fourth Amendment protects people, not places.” Katz v. United States (1967).

Courts, Congress and Technology

1968 - Title III – the federal Wiretap Act – requires probable cause order for “interception” of “wire or oral” communications

1972 - U.S. v. U.S. District Ct – “Keith” case

1978 – Foreign Intelligence Surveillance Act

1979 - Smith v. Maryland – zero 4th A privacy interest in dialing information – no warrant needed

11

Technology Revolution of the 1970s – 80s

12

Wiretap Act of 1968 – “wire” or “oral” communications

1969 - CompuServe founded

1977 - Commercial cell phone service introduced

ECPA Overview

Enacted in 1986 as wide use of email, cell phones and large scale data-processing was just beginning

Fills in gap where 4th Amendment protection thought uncertain

The Stored Communications Act or “SCA,” 18 U.S.C. § 2701 – 2711, is the portion of ECPA that specifically governs stored communications and stored subscriber identifying data and transactional data

Designed to protect the privacy of electronic records and communications stored with third parties

13

Other Parts of ECPA

Amended definition of “wire communication” to make it clear it covered cellphone communications, thus requiring a warrant for interception

Extended Wiretap Act to cover all “electronic communications,” thus requiring warrant for data intercepts

Adopted rules for real-time access to dialed number information, using a pen register or trap and trace device, 18 USC 3121 et seq

14

SCA – Who is covered?Any “provider of electronic communication service to

the public” (ECS) and any “provider of remote computing service to the public” (RCS)

ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”

RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”

Must analyze by service offering - many entities offer both ECS and RCS – and some entities that offer one or the other also offer services that are neither – those services fall outside ECPA.

15

SCA – Who is covered?

16

Flickr =RCS

Gmail = ECS and RCS

Expedia = ?

SCA – What information is covered? “Contents” of communications, further divided into two

categories: “in electronic storage” in an electronic

communications system held or maintained by an RCS

Records or other information pertaining to a subscriber or customer (not including the contents of communications), further divided into two categories:

Subscriber identifying information –name, address, local and long distance telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment

All other records – notably, email To and From, URLs

17

SCA – Disclosure rules

Start with basic prohibition: except as otherwise permitted, providers of ECS and RCS to the public cannot disclose –

contents to any person or entity;

non-content to any governmental entity.

Then a series of permitted or voluntary disclosures –

of content – 2702(b)(1)-(8);

of non-content – 2702(c)(1)-(6).

Then a set of rules for compelled disclosures to the government – 2703.

18

SCA – Compelled disclosures

Three basic instruments:

Search warrant

2703(d) order – issued by a judge “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”

administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.

Much stored content is available without a warrant.

19

One Email - Six Standards

1. Draft email stored on desktop - full 4th A protection – not in ECPA.

2. Draft email stored on gMail – SCA – subpoena - 2703(b).

3. Content of email in transit - Katz - 4th Amendment – federal Wiretap Act - court order based on probable cause (with special protections).

4. Content of email in storage with service provider 180 days or less - ECPA - judicial warrant (w/o special protections) – 2703(a)

5. Content of opened email in storage with service provider 180 days or less – in dispute – DOJ says subpoena is enough – contra Theofel (9th Cir 2004).

6. Content of email in storage with service provider > 180 days - SCA - subpoena – 2703(b). Contra, Warshak (6th Cir 2007, rev’d en banc).

20

Technology Revolution of the 21st Century - Storage

21

Technology Revolution of the 21st Century - Storage

22

ECPA leaves most stored communications available with a mere subpoena – no court order required, no probable cause of criminal conduct

Technology Revolution of the 21st Century – Location

23

Technology Revolution of the 21st Century - Location

24

“Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year,” Wired, December 1, 2009

Technology Revolution of the 21st Century - Location

25

ECPA allows access to “records pertaining to a subscriber” without a judicial warrant, and without a finding of probable cause

Updating the Law

26

Digital Due ProcessCore Recommendations

1. Probable cause standard for all content

2. Probable cause standard for location tracking

3. True judicial review for pen/traps – real-time access to transactional data

4. Subpoenas must be particularized to subscriber or account; bulk disclosures subject to judicial review under 2703(d)

27

Digital Due ProcessOverarching Principles

1. Technology and platform neutrality

2. Assurance of law enforcement access

3. Equality between transit and storage

4. Consistency (e.g., content should be protected under the 4th A standard – regardless of how old it is or whether it has been “opened” or not)

5. Simplicity and clarity

6. Recognize existing exceptions – emergency, etc

28

More information

29

Digital Due Process

http://www.digitaldueprocess.org

Center for Democracy & Technology

http://www.cdt.org

Jim Dempsey

jdempsey@cdt.org