Courts, Congress and Technology


GOVERNMENT ACCESS TO ELECTRONIC COMMUNICATIONS – UPDATING THE RULES
EDUCAUSE Live!
June 9, 2010
James X. Dempsey
Center for Democracy & Technology

The Origin of Privacy Rights as Against the Government:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Fourth Amendment (1791)

Notwithstanding technology’s change, some things are pretty clear …
Data, regardless of technology…
• in your home
• in your briefcase or wallet
• on your laptop
• on any device in your possession
… is highly protected -- full 4th Amendment coverage, requiring a search warrant issued by a judge and notice at the time of the search.
Also subject to 4th A exceptions: How far can “search incident to arrest” go in terms of hand-held device?

… but what about data in this environment?
[Figure: network diagram of telephones, cell phones, PDA phones (GSM or CDMA), IP phones, laptops and computers connected through DSL and cable modems, routers, 3G, WiFi access points, VoIP and PBX gateways, an ISP and the PSTN.]

The Courts, Congress and Technology
Ex parte Jackson (1877)

The Courts, Congress and Technology
Olmstead v. United States (1928)

The Courts, Congress and Technology
“There is in essence no difference between the sealed letter and the private telephone message. … True, the one is visible, the other invisible; the one is tangible, the other intangible; … but these are distinctions without a difference.”
Brandeis, J., dissenting.

Courts, Congress and Technology
Communications Act of 1934, Section 605 – no person shall “intercept … and divulge or publish”

Courts, Congress and Technology
“The Fourth Amendment protects people, not places.” Katz v. United States (1967).

Courts, Congress and Technology
• 1968 - Title III – the federal Wiretap Act – requires probable cause order for “interception” of “wire or oral” communications
• 1972 - U.S. v. U.S. District Ct – “Keith” case
• 1978 – Foreign Intelligence Surveillance Act
• 1979 - Smith v. Maryland – zero 4th A privacy interest in dialing information – no warrant needed

Technology Revolution of the 1970s – 80s
1969 - CompuServe founded
1977 - Commercial cell phone service introduced
Wiretap Act of 1968 – “wire” or “oral” communications

ECPA Overview
• Enacted in 1986 as wide use of email, cell phones and large scale data-processing was just beginning
• Fills in gap where 4th Amendment protection thought uncertain
• The Stored Communications Act or “SCA,” 18 U.S.C. § 2701 – 2711, is the portion of ECPA that specifically governs stored communications and stored subscriber identifying data and transactional data
• Designed to protect the privacy of electronic records and communications stored with third parties

Other Parts of ECPA
• Amended definition of “wire communication” to make it clear it covered cellphone communications, thus requiring a warrant for interception
• Extended Wiretap Act to cover all “electronic communications,” thus requiring warrant for data intercepts
• Adopted rules for real-time access to dialed number information, using a pen register or trap and trace device, 18 USC 3121 et seq

SCA – Who is covered?
Any “provider of electronic communication service to the public” (ECS) and any “provider of remote computing service to the public” (RCS)
• ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”
• RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”
• Must analyze by service offering - many entities offer both ECS and RCS – and some entities that offer one or the other also offer services that are neither – those services fall outside ECPA.

SCA – Who is covered?
Flickr = RCS
Expedia =?
Gmail = ECS and RCS

SCA – What information is covered?
• “Contents” of communications, further divided into two categories:
  - “in electronic storage” in an electronic communications system
  - held or maintained by an RCS
• Records or other information pertaining to a subscriber or customer (not including the contents of communications), further divided into two categories:
  - Subscriber identifying information – name, address, local and long distance telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment
  - All other records – notably, email To and From, URLs

SCA – Disclosure rules
• Start with basic prohibition: except as otherwise permitted, providers of ECS and RCS to the public cannot disclose –
  - contents to any person or entity;
  - non-content to any governmental entity.
• Then a series of permitted or voluntary disclosures –
  - of content – 2702(b)(1)-(8);
  - of non-content – 2702(c)(1)-(6).
• Then a set of rules for compelled disclosures to the government – 2703.

SCA – Compelled disclosures
• Three basic instruments:
  - Search warrant
  - 2703(d) order – issued by a judge “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”
  - administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.
• Much stored content is available without a warrant.

One Email - Six Standards
1. Draft email stored on desktop - full 4th A protection – not in ECPA.
2. Draft email stored on Gmail – SCA – subpoena - 2703(b).
3. Content of email in transit - Katz - 4th Amendment – federal Wiretap Act - court order based on probable cause (with special protections).
4. Content of email in storage with service provider 180 days or less - ECPA - judicial warrant (w/o special protections) – 2703(a)
5. Content of opened email in storage with service provider 180 days or less – in dispute – DOJ says subpoena is enough – contra Theofel (9th Cir 2004).
6. Content of email in storage with service provider > 180 days - SCA - subpoena – 2703(b). Contra, Warshak (6th Cir 2007, rev’d en banc).

Technology Revolution of the 21st Century - Storage

Technology Revolution of the 21st Century - Storage
ECPA leaves most stored communications available with a mere subpoena – no court order required, no probable cause of criminal conduct

Technology Revolution of the 21st Century – Location

Technology Revolution of the 21st Century - Location
“Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year,” Wired, December 1, 2009

Technology Revolution of the 21st Century - Location
ECPA allows access to “records pertaining to a subscriber” without a judicial warrant, and without a finding of probable cause

Updating the Law

Digital Due Process
Core Recommendations
1. Probable cause standard for all content
2. Probable cause standard for location tracking
3. True judicial review for pen/traps – real-time access to transactional data
4. Subpoenas must be particularized to subscriber or account; bulk disclosures subject to judicial review under 2703(d)

Digital Due Process
Overarching Principles
1. Technology and platform neutrality
2. Assurance of law enforcement access
3. Equality between transit and storage
4. Consistency (e.g., content should be protected under the 4th A standard – regardless of how old it is or whether it has been “opened” or not)
5. Simplicity and clarity
6. Recognize existing exceptions – emergency, etc

More information
Digital Due Process
http://www.digitaldueprocess.org
Center for Democracy & Technology
http://www.cdt.org
Jim Dempsey