Electronic Privacy Communications Act Needs an Update

by Larry Magid
This article first appeared in the San Jose Mercury News

Like most people, I want government authorities to have the tools they need to protect our national security, and I certainly want law enforcement to keep our communities, including cyberspace, safe from criminals. But when it comes to using online data to investigate crime, it’s also important to protect privacy, ensure due process and assure that our government agencies operate in secret only to the extent that it’s necessary to do their jobs.

National Security Letters

Last week, I learned that the FBI can issue a so-called National Security Letter to force an Internet provider to disclose identifying information about a user or subscriber. These letters, which are supposed to be used only for national security investigations, can come with a gag order. Not only can the company receiving the letter be prohibited from talking about specific requests, they can also be banned from even disclosing how many such letters they got.

I learned about the letters through one of Google’s ongoing transparency reports and a Google blog post which disclosed that Google had received such letters, but was deliberately vague about how many, disclosing only that it was between 0 and 999 for each year from 2009 through 2012.

These letters aren’t used to demand user content such as email or searches, but they can require disclosure of “the name, address, length of service, and local and long distance toll billing records” of a subscriber to a wire or electronic communications service, according to the authorizing legislation.

But there are other ways that the government and law enforcement agencies can access actual user content for both national security and criminal investigations.

On Jan. 28, Google’s chief legal officer David Drummond blogged that Google on any given day receives dozens of letters, faxes and emails from government agencies and courts around the world, “requesting access to our users’ private account information.”

What information Google or any other provider must turn over to an investigator depends on the type of request. A subpoena is sufficient for metadata, such as the identity of a user. But for the actual content of messages — such as a copy of email or a YouTube video that’s been uploaded privately — Google requires a search warrant issued by a judge.

Reagan-era law needs an update

But it’s not always clear what type of authority is needed to disclose email. When it comes to access to electronic records for criminal cases, the rules of the road were set down in 1986 with the passage of the Electronic Communications Privacy Act (ECPA). When that law was passed, according to Electronic Frontier Foundation staff attorney Hanni Fakhoury, people typically downloaded all of their email to their personal computers and then deleted it from the server or let the online service automatically delete their mail from the server.

Your own personal computer, said Fakhoury, is protected by Fourth Amendment protections against unreasonable searches, so the law provided privacy protections to messages on servers, but only for the first 180 days. After that, said Fakhoury, messages on servers “would be considered abandoned,” and a search warrant wouldn’t be required.

The privacy act was written long before creation of “cloud computing” or Web-based email services like Gmail that are designed to store your messages on servers for a very long time. I have messages in my Gmail account going back to 2004, when I first started using the service. Because these messages are stored on Google’s servers and not my home PC, the law considers them “abandoned” and not subject to the same level of protection as PC files or recent email.

Ironically — and I’m sure this is an unintended consequence of the law — the unopened messages in your spam file enjoy greater privacy protection than messages you’ve opened or the ones you sent. Speaking on a panel at the State of the Net Conference in January, Kevin Bankston, senior counsel for the Center for Democracy & Technology, called the privacy act “a bit strange and rather outdated.”

The Digital Due Process coalition, which includes advocacy groups like the American Civil Liberties Union as well as companies including Google, Facebook, Hewlett-Packard and IBM, is leading the charge to reform the Electronic Communications Privacy Act. Acknowledging that it “was a forward-looking statute when enacted in 1986,” the group says it has become “a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies.” U.S. Sen. Patrick Leahy, D-VT, and other members of Congress are exploring legislation that would reform the act.

These reformers are right. The government needs to recognize that email is no longer some special type of computer data, but an essential way Americans communicate. To the extent practical, it should enjoy the same level of privacy protection as U.S. mail. Whether it’s stored on a PC or in the cloud, our messages are our property. And while there are cases when law enforcement should have a right to peek, they should only do so with the approval of a judge.