Proposed amendments to ECPA would make Orwell squirm

George Orwell wrote his famous book about Big Brother in 1948. What would he think about the Electronic Communications Privacy Act? Changes to the act are being voted on this week in the U.S. Senate.

Having just completed a month-long study about the life and works of George Orwell, I'm trying hard not to be overly sensitive about "Big Brother." Then I come across "Reform to Require Warrant for Private Online Messages Up for Vote, but Down on Privacy," an Electronic Frontier Foundation (EFF) post by Mark M. Jaycox:

Under these changes, certain administrative agencies would be able to obtain emails without a search warrant, making compliance complex and burdensome for businesses.

The backpedal

From what I understand, the EFF is upset that the politicians involved in reforming the Electronic Communications Privacy Act (ECPA) are backpedaling. The language in the initial amendment they championed removed all controversy about whether digital messages older than 180 days could be acquired without a warrant:

Section 202 amends title 18, United States Code, section 2702 (ECPA) to prohibit an electronic communication or remote computing service provider from voluntarily disclosing the contents of its customer's email or other electronic communications to the Government.

The latest version of the amendment retracts the above language, and that is disconcerting to many privacy advocates. Not requiring a warrant for digital messages regardless of age is a problem for another branch of the federal government, according to EFF's Jaycox:

Courts increasingly agree that the Fourth Amendment requires a warrant before the government -- whether law enforcement or administrative agencies -- can access all of our digital communications.

Additional changes

Wanting to understand what else the proposed amendments intended to change, I waded through the verbose lawyer-speak, coming away knowing no more than when I started. So, I checked with my sources who do understand.

Declan McCullagh of CNET already posted his interpretation, "Senate bill rewrite lets feds read your e-mail without warrants." The following points are Declan's translation of the interesting bits:

  • Grants warrantless access to Americans' electronic correspondence to over 22 federal agencies. Only a subpoena is required, not a search warrant signed by a judge based on probable cause.
  • Permits state and local law enforcement warrantless access to Americans' correspondence stored on systems not offered "to the public," including university networks.
  • Authorizes any law enforcement agency to access accounts without a warrant -- or subsequent court review -- if they claim "emergency" situations exist.
  • Says providers "shall notify" law enforcement in advance of any plans to tell their customers that they've been the target of a warrant, order, or subpoena.
  • Delays notification of customers whose accounts have been accessed from 3 days to "10 business days." This notification can be postponed by up to 360 days.

Subpoena versus warrant

So, along with not clarifying the ECPA, politicians want to change from requiring warrants to requiring subpoenas. To fully understand what that meant, I did some checking. In no time at all, I accumulated a plethora of definitions -- all involving lawyer-speak. Sigh...

Fortunately, I know Peter D. Gifford. He's one of the lifeguards who protects me while I'm swimming laps at the local YMCA. I've been known to misjudge where the pool ends. Anyway, he's in law school, so I asked him.

Peter was happy to help, but only after I signed an ex-parte affidavit. That's my future attorney. Peter tackled warrants first:

In order for a court to issue a warrant, a court official (usually a judge) must determine if the requesting party has enough evidence to demonstrate probable cause that the suspect committed the crime.

Probable cause standards generally require more than circumstantial evidence in order for a Court to issue warrants -- therefore issued with more caution.

Next, Peter described why it was easier to obtain a subpoena:

Subpoenas, because they are often used to verify evidence, are issued at a far greater frequency. Judges do not need to issue them (usually just a lawyer or clerk representative of the court), and the standards for their issuance are easier to fulfill than the standards for a warrant.

From that, one might conclude the proposed changes would mean less privacy.

Have it wrong?

I was about to finish up, then all hell broke loose. It seems Declan's article raised quite a ruckus. It's not often the office of a U.S. Senator will issue a tweet saying a writer is wrong, and on the same day the article posted.

Senator Leahy's office also issued a press release that further clarified his position.

Up for vote

All this happened just before the Thanksgiving holiday. There is supposed to be a vote on the proposed changes the week starting November 25. So you still have time to ask questions or voice concerns.

Final thoughts

I better put this piece to bed; my editor will be wondering what's going on. In a sense, I'm wondering as well. My best guess: there were ideas floating around from all concerned parties while the legislators were in what they call "discussion before markup" mode. And, it was some of those ideas that caused the angst.

Finally, it will be interesting to see if Declan's article plays a role in how the ECPA is reformed.

Update (29 Nov 2012): I have been corresponding with Mr. Jaycox, and he asked me to clarify something. I felt it was best to let him explain:

If there's one thing to take away from the ECPA reform issue, it's that currently the government argues that it can access email older than 180 days without a warrant and only with a subpoena.

Despite Fourth Amendment arguments to the contrary, law enforcement has been successful in convincing the courts that users do not have a reasonable expectation of privacy in their email older than 180 days. Judges are slowly turning aside this argument. In 2010 in the Sixth Circuit's US v. Warshak, they ruled that ECPA's differentiation of 180 days was unconstitutional.

I wanted to clarify this because reading your article left me with the impression that right now the government needs a warrant to read my emails older than 180 days.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

57 comments
boxfiddler

a lot of our liberties are being whittled away. Good article Michael, and something I'll be watching now. Too many 'the's. ;)

Altotus

Yea everything look through all of everyone's and this means you business accounts money transfers etc as well. Privacy is not a word that means anything now. You gave it up without knowing in thinking you had some however the electorate is the stupidest organism on earth politicians use it so hard it is difficult to estimate what kind of crap it will swallow. Oh yea there are still people looking for Obama's birth certificate Wahahaha now that's stupid. Oh yea very difficult to estimate the ultimate limit of stupidity would you have believed anyone would swallow that crap? It is stupid and slow moving. You lost the oh what was that thing called, privacy huh? Where did it go are you sure you ever had one? Look under the desk it might have fallen off? Well there is an answer, a plan all you need to do is let your politician know (now be polite better than what I am giving you now I hope) what you think. Or I hope so anyway those politicians do want to be reelected whatever their stripe and now especially desperate to be with the tea party ready to tear the Republican party apart with sharp teeth oh so shiny bright with glib tongue. Well the keyboard is persuasive be polite and use your own power of gab to light the way with something better. It's better to lead than react. I think I am in the right place with the right people who are prepared to think and act with integrity. What is lost here may never be regained but in the hopes that a spark will be seen. Protect what is good do not seek small dark things what you gain is never worth what you will lose. Do not dishonor the integrity of American spirit by evil acts under color of law be free be fearless be an American that does mean something.

tdrane

.... that'd find out what the wife and I were discussing for dinner, or if we were going up to the local American Legion to get smashed again or take a liver-break. In other words, I'm no threat, I do not pose any risk, to anyone. I really do not believe that they will be 'reading' any messages from me, but scanning with that list of buzz words, or if a recipient just happens to be on some sort of watch-list. Now, if they post my info on 4chan or somewhere, that's a different issue..... Besides, if they wanted my info, they'd get it one way or another.

Dr_Zinj

Told them to vote against the bill if it still had the parts allowing warrantless searches. A subpoena does not protect your 4th amendment rights. Oh, and Slayer_, they don't want to enter your house. They want carte blanche access to everything you have on the cloud/stored or transmitted over the Internet. Regardless of whether you are a valid suspect or not. Which means every piece of confidential, personal, or business information would be in the hands of a whole lot of unknown, uncontrolled government types. We know the more people with access, the more likely one of them will misuse that information for their own gain, and your harm.

Deadly Ernest

use by law enforcement in putting together a case. For the purposes of reading the email the vast bulk of all US emails are already being examined by the NSA computer systems as the electronic communications interception system known as Echelon can lawfully collect and examine all communications that cross the USA borders, and that includes any that go via a satellite link as they're in International space being above the US boundary, and any that cross over into Canada or Mexico to use their pipes for delivery. The same applies to all Internet traffic too.

Slayer_

Also, what if the server is specifically hosted in a country that is hostile to the US?

Neon Samurai

That's really what they should be looking at. Why differentiate between email and post mail? If they need a warrant to invade my post office box then they need a warrant to invade my email accounts. But then, this is about enabling the bureaucracy not benefiting "The People".

Charles Bundy

they would have to come to me, as I am my own e-mail administrator. It would seem to me in that case I can deny them access based on this passage from the Fifth Amendment, to wit - "nor shall be compelled in any criminal case to be a witness against himself". Obviously they could issue a warrant and seize my server, but that would require following due process and showing that a criminal act may have been committed. Even then they can't compel me to divulge passwords or assist in retrieving my e-mail from said server. Perhaps we all need micro e-mail/cloud storage devices that are owned and controlled by the individual. Power to the people!

andrew232006

Fake News Alert: Police are now investigating tdrane as a prime suspect in the vandalism case where the American Legion was smashed up. The officer questioned stated "We only have one lead so far but we are determined to get to the bottom of this case." I don't trust the government to interpret my personal data fairly. There is a long list of falsely imprisoned people in their track record. I don't trust them to keep my personal data private. And once they have it, I don't trust them to only use it for law enforcement purposes instead of using it to manipulate public opinion and voting. Perhaps I should stop using Gmail as my email client. Is there a good free email service outside the US?

JCitizen

The past is the perfect example of this.

Slayer_

So that all communications are encrypted, then they can track you all they want, they will just get garbage.

Michael Kassner

I haven't heard anything more about the vote and when it is. Seems everyone is quiet about it. But, I'm not that well-versed on how scheduling of legislation works.

JCitizen

as even the crooks sniff all our packets if they become interested in the data source/destination. However - if a telephone line needs a warrant, so does a network cable in my opinion. Wireless non encrypted traffic - all bets are off, and I see no reason to limit anyone's surveillance of that traffic. My stand is that the government knew about 911, but botched getting it to the right reaction force. So they don't need no stinking network surveillance in the first place. They didn't have it before - they don't need it now.

Michael Kassner

Do you download email to your client or is it web-based email?

Deadly Ernest

warrants or the like. But it only applies to the official legal copy for the courts as they'd already have a copy via Echelon.

Michael Kassner

Here is what I found: "4. Can Postal Inspectors open mail if they feel it may contain something illegal? First-Class letters and parcels are protected against search and seizure under the Fourth Amendment to the Constitution, and, as such, cannot be opened without a search warrant. If there is probable cause to believe the contents of a First-Class letter or parcel violate federal law, Postal Inspectors can obtain a search warrant to open the mailpiece. Other classes of mail do not contain private correspondence, and therefore may be opened without a warrant." https://postalinspectors.uspis.gov/contactUs/faq.aspx

Michael Kassner

What about everyone else? They could read your emails at the party you sent them to. Or read the emails being sent to you. There is also a push to remove email from being a person's. If I understand correctly, email saved at an online account is fair game and the 5th does not apply.

Deadly Ernest

are required by federal law to get a warrant issued by a court to tap into communications systems WITHIN the US borders and that those laws do NOT apply at the point the communications system crosses the border. Also the laws ONLY affect the legality of the use of the information gathered when it goes to court. Thus the collection of information by an intelligence agency at the border does NOT require a warrant from a court, but its legality in a court case varies with circumstances a lot (based on past cases). As to 911 - there is a hell of a difference between having intercepted information and understanding what it means or where events in them are supposed to happen.

Slayer_

But more importantly, without a warrant, why do you even need to let them into your house?

Charles Bundy

that would require exponential effort as opposed to targeting the person of interest. If they are willing to expend that effort they would probably seize my server. wrt to the 5th that was my original point. If someone else controls my e-mail the fifth does not apply as there can be no self-incrimination by a third party. wrt e-mails being sent to me, that doesn't really matter unless the party is replying to something. Even then e-mail headers can be forged. To really make a case a prosecutor needs to nail down that the contents of what is being replied to originated from me. Hard to do w/o my server.

HAL 9000

Sorry but there is no fix for that ever. No matter what you try, each individual agency is on their own Empire Building trip trying to get as big as possible so that they are impossible to destroy as they are too valuable or have their funding cut. These same places will spend a Million $ to save a cent and boast about the savings that they have managed to achieve. However the big thing here is that by design these places were kept separate as the people involved in starting them never wanted any one group to get so big that it was indispensable. Hence the agency investigating Foreign items is unable to talk to Domestic Investigators and the Aircraft Monitoring Authority is prevented from speaking to anyone not directly involved in Air Travel. Some see it as stupid while others see it as a way to prevent any one agency getting so big that they control everything. The people who designed the system tried to prevent the latter and to that end have done a fairly good job of it. Col

JCitizen

There were people that had actionable intelligence, but were prohibited by inter agency rules in getting the information to another agency that could actually do something about it. This has been in the news ever since then. But chicken little always over reacts. There were agencies that knew suspicious individuals were taking pilot lessons whose origins and background were known - but they were prohibited in telling another agency in the chain of information. There were actually alarms in several areas, but no communication. If any one agency had all the data, the overall picture would have been obvious. Osama and company's activities were well known by the CIA and foreign intelligence, but no one in country was allowed to gather any of that data either. Each of them had a piece of the picture but couldn't put two and two together without the overall view.

HAL 9000

Having had the time to actually look at the E Mails in Question. This stuff is collected Electronically and then filtered by whatever system is being used by the Agency who is intercepting the Transfers. Even if it's Encrypted which does raise Red Flags to these Agencies and the Filtering Software that Encryption is broken generally by the Encryption Back Doors supplied by the Encryption Makers and supplied to the Authorities for instance the Software Package known as Microsoft Coffee which is not for general consumption. ;) What the events of 9-11 actually showed is that the data had been collected but not actually seen for another 3 or 4 months after it was transmitted well after the event it was supposed to prevent anyway. The Agency tasked with this Interception is completely swamped with the daily traffic it monitors and the way that the Government Under-Resourced it. So the end result is you will get away with what you are intending but a few months after the event if you have not already killed yourself you are going to get caught and you will serve the time for your crimes. Like all Law Enforcement it is playing Catchup and not actually preventing much at all. Col

Charles Bundy

for being out of context there, was thinking of magisterial warrants not federal.

Michael Kassner

They require a warrant for email that is under 180 days old. Over that, no warrant. They were going to change that. And then add the other points that Declan mentioned and I had as bullets.

Charles Bundy

And in the US warrants have to be specific with location and item to be taken. If they can't find the item at the premise specified it's time for a new warrant. If there are outbuildings which are not on the same parcel of land your house is on said warrant for the house would not cover the barn.

Deadly Ernest

with information sharing. Echelon is the result of one such agreement and the information collected is shared AFTER it gets to go through over a dozen electronic filters and a few human ones as over 99% of what they collect is garbage from the intelligence community's viewpoint. The final data that comes through the filters is shared with all the participating countries, how they use it is up to them. However, in many countries it can be used for starting intelligence investigations but can't be submitted as evidence in a court of law unless another copy is obtained in the normal process of legal investigation. Now for general data, extradition agreement relating to people, materials, and data do exist, but most are on a country to country or a UN Treaty agreement basis. That's how the FBI got that info from the NZ courts on Mega-upload which has now been declared by the NZ courts as unlawfully obtained and not admissible as court evidence.

Deadly Ernest

a nice big electricity surge to fry the drive will make them scream. Now, me, I'm the sort that'll have a drive set up to do that so when the cops walk in they see me frying a drive. They jump in, grab the drive, spend a fortune recovering the data, and find nothing. Cause I'd have set that up just to cost them money for causing me trouble.

JCitizen

to default to the privacy side of the argument, when possible. I'm actually no more comfortable with surveillance of non encrypted traffic over closed cable than I am tapping phone lines. I have unfortunately been used to the idea - If wifi is not encrypted though, all bets are off. The US public has been fighting for open clear communication over the air for years - especially in certain uses and frequencies. Wifi has been argued as a transparent medium - the usual attitude is okay with everyone hearing everyone else - such is in citizen's band. Public oversight is another reason, such as scanners and police monitors. There are always exceptions, of course.

Neon Samurai

We can assume the sender is aware of SSL or encrypted mail and thus do not expect non-SSL mail to be private. We can assume the sender is not aware of SSL or encrypted mail and thus does expect mail to be as private as they expect from physical deliveries. Since we can't really assume all senders are security experts or set up with fully encrypted mail and transport protocols, we have to accept the second option; that the user is not aware and has an expectation of privacy. The outcome is that sniffing that mail in transit exploits the ignorance of innocent civilians. It's a hostile act towards the person whose privacy is being invaded. Granted, this then leads into the discussion about why all non-encrypted protocols should be abolished in favor of their existing encrypted version or replacement. We use SSH instead of Telnet for obvious reasons. We should be using smtps without exception between mail servers, pop3s/imaps/smtps from server to client and encrypted email. The real problem is getting mail admins to block non-encrypted transports and mail encryption that requires minimum effort by the user.

Deadly Ernest

ways they can intercept it and read it, some legal some not. But once the email has reached you, to read it they have to get access to where you have it stored. If you're under investigation for something they may be able to get legal authority to access and read the mail. If the sender is under investigation, they may be able to get authority to access and read the mail. Now if they're investigating the sender and get a warrant to access mail you have, such court orders usually limit the access to ONLY the mails exchanged with the person they're investigating. And sometimes they limit them even further to only those on the subject they're investigating the person about. As a traveller within the USA it shouldn't be much of an issue one way or the other, unless you're a travelling bomb maker. As an international traveller, it's much the same, but the US already has existing laws allowing them to fully examine any electronic device crossing the international boundary and to check ALL the data on it. One reason why some companies now have a few VERY sanitised notebooks for use by staff travelling overseas, they have no data on them and what they need to take is on a DVD or external drive with only the data for the trip on it. This is to limit access to any other company data.

HAL 9000

Is considered as Media and has other protections to Normal People. After all it's in no one's best interests to attempt to get a warrant to Hit the Wall Street Journal as it's simply never going to be issued. ;) Col

emenau

So, if I would be in the USA and I receive mail from someone who is criminal then they need to be in my mailbox to see what the criminal wrote? And if any number of people (spammers) send mails to me with 'criminal content' then MY mail (the recipient) is under investigation? Then they invade my privacy and not that of the supposed criminal? Or am I seeing things wrong here? Then what can a traveller do to fight this? And if some site like Wikileaks publishes some secret mails then wikileaks is criminal and not the criminals who hide behind a political wall? Twisted....

JCitizen

that mail at rest is right back under full protection again. Especially if the server exists at the person/organization of interest. I don't know - since the transmission of non SSL communication is definitely public, they figure it has come outside the purview of privacy. I don't agree with that myself. If the government wants to sniff non-SSL communications? Knock themselves out - I could care less then.

Neon Samurai

As I understand, mail in transit is treated differently than mail at rest. Once your mail is received and stored (ie. at rest) it becomes more accessible or some such doesn't it? Either way, it's a heck of a good reason to put more effort into encrypted mail and personal storage if not personal smtp servers.

Michael Kassner

I am checking the ECPA to see if it makes that distinction.

Michael Kassner

Although, I am not sure that distinction has been made in the ECPA. I will try and find out.

Charles Bundy

Hence my first comment. Control your data store, and you have some options when law enforcement comes knocking. :) E.G. Keep a .40 near the server and aim for the platters...

Charles Bundy

Was over the top, don't ya think? I'm not saying we aren't being monitored, but I'll bet dollars to donuts it won't be in a national magazine article. Think air conditioned shipping containers scattered across the landscape at strategic points...

JCitizen

They can sniff non SSL packets all day if they want. As far as I'm concerned, second/third party servers, and the ISPs; should be given the same regard as a post office box. That is - if that is even sacrosanct, any more, under the new surveillance laws! It has already been proven we didn't need all this extra oversight even before 911 - they just had a legal over-burden on inter-governmental communication. That was the only choke point, and then again, as far as I'm concerned that opening of the intercommunication should have been limited too. How soon the people forget the abuses of the 60s and 70s during the war protest period. The government committed all kinds of abuse, and there was good reason to put these limits on them!

Michael Kassner

But, you will have to explain what is hyperbole. I know the definition, but am missing your point. Not unusual for me.

Charles Bundy

A) If Moore's law holds that sucker will be out of date around 2019. B) If data doesn't cross the border it can't be used in a court of law. C) Even with decryption powered by kryptonite and exabytes of nearline storage it is the human analytic part of the chain that makes this unfeasible. Unless of course we start watching each other for the state a la 1984. That change in our culture would be much more frightening than any technical facility.

Charles Bundy

you are stretching far afield with that one. :) When the singularity occurs our machine overlords will be able to read everything and who really cares about human intelligence agencies then?

Michael Kassner

That is the whole point of the article. I think Declan was worried reforming the ECPA was not getting enough public scrutiny.

Michael Kassner

Carnivore is alive and well. And if you know about their new data center out west, being at the crossroads of all the major pipes, it's a good assumption.

Charles Bundy

Just that there be due process and a paper trail I can follow to show who did what to me, when, where and why.

Charles Bundy

I don't use an ISP as anything other than a pipe. My e-mail is on a physical server under my direct control. ADDENDUM: Unless you mean monitoring? Again effort involved supersedes the authority outlined and they would probably just yank my physical server. (aka wiretapping)