GOVERNMENT ACCESS TO ELECTRONIC COMMUNICATIONS – UPDATING THE RULES EDUCAUSE Live! June 9, 2010 James X. Dempsey Center for Democracy & Technology 1 The Origin of Privacy Rights as Against the Government: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Fourth Amendment (1791) 2 The Origin of Privacy Rights as Against the Government: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Fourth Amendment (1791) 3 Notwithstanding technology’s change, some things are pretty clear … Data, regardless of technology… in your home in your briefcase or wallet on your laptop on any device in your possession … is highly protected -- full 4th Amendment coverage, requiring a search warrant issued by a judge and notice at the time of the search. Also subject to 4th A exceptions: How far can “search incident to arrest” go in terms of hand-held device? 4 Telephone Telephone VoIP Router 3G Cable Modem Cell phone PDA Phone ((GSM or CDMA)) Phone Line Laptop Computer VoIP Gateway IP Phone DSL Modem … but what about data in this environment? ISP Gateway WiFi Access Point Phone Line PBX Gateway Cable Modem PSTN Computer iPBX (Gateway) Telephone Computer IP Phone 5 PBX Telephone The Courts, Congress and Technology Ex parte Jackson (1877) 6 The Courts, Congress and Technology Olmstead v. United States (1928) 7 The Courts, Congress and Technology “There is in essence no difference between the sealed letter and the private telephone message. … True, the one is visible, the other invisible; the one is tangible, the other intangible; … but these are distinctions without a difference.” Brandeis, J., dissenting. 8 Courts, Congress and Technology Communications Act of 1934, Section 605 – no person shall “intercept … and divulge or publish” 9 Courts, Congress and Technology “The Fourth Amendment protects people, not places.” Katz v. United States (1967). 10 Courts, Congress and Technology 1968 - Title III – the federal Wiretap Act – requires probable cause order for “interception” of “wire or oral” communications 1972 - U.S. v. U.S. District Ct – “Keith” case 1978 – Foreign Intelligence Surveillance Act 1979 - Smith v. Maryland – zero 4th A privacy interest in dialing information – no warrant needed 11 Technology Revolution of the 1970s – 80s 1969 - CompuServe founded 1977 - Commercial cell phone service introduced Wiretap Act of 1968 – “wire” or “oral” communications 12 ECPA Overview Enacted in 1986 as wide use of email, cell phones and large scale data-processing was just beginning Fills in gap where 4th Amendment protection thought uncertain The Stored Communications Act or “SCA,” 18 U.S.C. § 2701 – 2711, is the portion of ECPA that specifically governs stored communications and stored subscriber identifying data and transactional data Designed to protect the privacy of electronic records and communications stored with third parties 13 Other Parts of ECPA Amended definition of “wire communication” to make it clear it covered cellphone communications, thus requiring a warrant for interception Extended Wiretap Act to cover all “electronic communications,” thus requiring warrant for data intercepts Adopted rules for real-time access to dialed number information, using a pen register or trap and trace device, 18 USC 3121 et seq 14 SCA – Who is covered? Any “provider of electronic communication service to the public” (ECS) and any “provider of remote computing service to the public” (RCS) ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications” RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system” Must analyze by service offering - many entities offer both ECS and RCS – and some entities that offer one or the other also offer services that are neither – those services fall outside ECPA. 15 SCA – Who is covered? Flickr = RCS Expedia =? Gmail = ECS and RCS 16 SCA – What information is covered? “Contents” of communications, further divided into two categories: “in electronic storage” in an electronic communications system held or maintained by an RCS Records or other information pertaining to a subscriber or customer (not including the contents of communications), further divided into two categories: Subscriber identifying information –name, address, local and long distance telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment All other records – notably, email To and From, URLs 17 SCA – Disclosure rules Start with basic prohibition: except as otherwise permitted, providers of ECS and RCS to the public cannot disclose – contents to any person or entity; non-content to any governmental entity. Then a series of permitted or voluntary disclosures – of content – 2702(b)(1)-(8); of non-content – 2702(c)(1)-(6). Then a set of rules for compelled disclosures to the government – 2703. 18 SCA – Compelled disclosures Three basic instruments: Search warrant 2703(d) order – issued by a judge “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation” administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena. Much stored content is available without a warrant. 19 One Email - Six Standards 1. Draft email stored on desktop - full 4th A protection – not in ECPA. 2. Draft email stored on gMail – SCA – subpoena - 2703(b). 3. Content of email in transit - Katz - 4th Amendment – federal Wiretap Act - court order based on probable cause (with special protections). 4. Content of email in storage with service provider 180 days or less - ECPA - judicial warrant (w/o special protections) – 2703(a) 5. Content of opened email in storage with service provider 180 days or less – in dispute – DOJ says subpoena is enough – contra Theofel (9th Cir 2004). 6. Content of email in storage with service provider > 180 days SCA - subpoena – 2703(b). Contra, Warshak (6th Cir 2007, rev’d en banc). 20 Technology Revolution of the 21st Century - Storage 21 Technology Revolution of the 21st Century - Storage ECPA leaves most stored communications available with a mere subpoena – no court order required, no probable cause of criminal conduct 22 Technology Revolution of the 21st Century – Location 23 Technology Revolution of the 21st Century - Location “Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year,” Wired, December 1, 2009 24 Technology Revolution of the 21st Century - Location ECPA allows access to “records pertaining to a subscriber” without a judicial warrant, and without a finding of probable cause 25 Updating the Law 26 Digital Due Process Core Recommendations 1. Probable cause standard for all content 2. Probable cause standard for location tracking 3. True judicial review for pen/traps – realtime access to transactional data 4. Subpoenas must be particularized to subscriber or account; bulk disclosures subject to judicial review under 2703(d) 27 Digital Due Process Overarching Principles 1. Technology and platform neutrality 2. Assurance of law enforcement access 3. Equality between transit and storage 4. Consistency (e.g., content should be protected under the 4th A standard – regardless of how old it is or whether it has been “opened” or not) 5. Simplicity and clarity 6. Recognize existing exceptions – emergency, etc 28 More information Digital Due Process http://www.digitaldueprocess.org Center for Democracy & Technology http://www.cdt.org Jim Dempsey jdempsey@cdt.org 29