home

Sen. Leahy's Denial of Support for Warrantless Email Searches


Yesterday, Declan McCullagh of CNET wrote an article stating that Sen. Patrick Leahy, bowing to pressure from conservatives and law enforcement groups, was revising his proposed bill amending the Electronic Communication Privacy Act (ECPA) to strengthen privacy rights and now going in the opposite direction. He posted a draft of a leaked copy of the amended bill (available here.) McCullagh wrote:

Patrick Leahy, the influential Democratic chairman of the Senate Judiciary Committee, has dramatically reshaped his legislation in response to law enforcement concerns, according to three individuals who have been negotiating with Leahy's staff over the changes. A vote on his bill, which now authorizes warrantless access to Americans' e-mail, is scheduled for next week.

Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant.

Hours later, Sen. Leahy denied drafting or supporting the circulated revision of his proposed bill. [More...]

The rumors about warrant exceptions being added to ECPA are incorrect. Many have come forward with ideas for discussion before markup resumes on my bill to strengthen privacy protections under ECPA. As normally happens in the legislative process, these ideas are being circulated for discussion. One of them, having to do with a warrant exception, is one that I have not supported and do not support.

The whole thrust of my bill is to remedy the erosion of the public’s privacy rights under the rapid advances of technology that we have seen since ECPA was first enacted thirty years ago. In particular, my proposal would require search warrants for government access to email stored by third-party service providers – something that of course was not contemplated three decades ago.

The full text of Leahy's bill, as introduced in September, is here.

McCullagh wrote an update to his article after Leahy's denial, characterizing Leahy's denial as a statement that Leahy no longer supports the amended version. McCullagh does not seem to buy Leahy's statement that the revision to his proposed bill was written by interested parties among whom the draft bills had circulated, rather than Leahy's staff. McCullagh continues to refer to the revised version of Leahy's bill as "Leahy's proposed changes."

Chris Calabrese, Legislative Counsel for the ACLU tells The Hill that he has seen the proposed changed version, but was not under the impression it was supported by Leahy. He said it could have been written by Rep. Charles Grassly:

Calabrese noted that the proposal cited by CNET is similar to amendments proposed by Sen. Chuck Grassley (R-Iowa), the Judiciary Committee's top Republican.

On Twitter, McCullagh stands by his reporting. He tweets:

Alternate explanation: Sen. Leahy responded to public criticism. Senate Judiciary aides were definitely not saying that yesterday.

And

My guess is that Sen. Leahy didn't like the criticism his legislation received once it was disclosed to the public.

Sen. Leahy explains what his bill would do here.

For those who would like a little background in terminology, this 2009 Justice Department manual may be helpful (but keep in mind its a guidebook for prosecutors):

The SCA is sometimes referred to as the Electronic Communications Privacy Act. The SCA was included as Title II of the Electronic Communications Privacy Act of 1986 (“ECPA”), but ECPA itself also included amendments to the Wiretap Act and created the Pen Register and Trap and Trace Devices statute addressed in Chapter 4. See Pub. L. No. 99-508, 100 Stat. 1848 (1986). Although 18 U.S.C. § 2701-2712 is referred to as the “Stored Communications Act” here and elsewhere, the phrase “Stored Communications Act” appears nowhere in the language of the statute.

So the ECPA has three parts:

  • the Wiretap Act, 18 U.S.C. S. 2510 et seq.,
  • the Pen Register and Trap and Trace Devices Act 18 U.S.C. S. 3121, et seq., and
  • the Stored Communications Act ("SCA"), 18 U.S.C. S. 2701 et seq.

The statutes provide different levels of protection for customer records and information. In theory, the greater the privacy right in the records and communications, the more stringent the requirements for government access.

Sprint explained the different requirements for each category in non-legalese in this May, 2012 letter to Congress:

(1) Basic subscriber information, which is strictly limited to six specific categories of information (name, address, local long distance records (or records of session times and duration), length/type of service, telephone /subscriber number and means and source of payment), is the only information that can be disclosed to law enforcement pursuant to an administrative, grand jury or trial subpoena. 18 U.S.C. S 2703©(2).

(2) All non-content records or other information pertaining to a subscriber (including basic subscriber information) can be disclosed to law enforcement pursuant to a court order based on "specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought, are relevant and material to an ongoing criminal
investigation." 18 U.S.C. S. 2703(d).

(3) The stored content of a customer's communications (e.g., text messages), can only be disclosed to law enforcement pursuant to a warrant or court order based on probable cause. 18 U.S.C. S. 2703(a) and (b).

(4) A wiretap can only be established pursuant to a court order based on probable cause. 18 U.S.C. S. 2702(b)(2) & 18 U.S.C. S. 2518(3).

The Justice Department's 2009 manual on searching and seizing computers and obtaining electronic evidence for use in criminal prosecutions (available here) has this chart of the different requirements for obtaining records and content. From Chapter 3 on the Stored Communications Act.

The SCA regulates how the government can obtain stored account information from network service providers such as ISPs. Whenever agents or prosecutors seek stored email, account records, or subscriber information from a network service provider, they must comply with the SCA.

....The Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”), sets forth a system of statutory privacy rights for customers and subscribers of computer network service providers. There are three main substantive components to this system, which serves to protect and regulate the privacy interests of network users with respect to government, network service providers, and the world at large. First, § 2703 creates a code of criminal procedure that federal and state law enforcement officers must follow to compel disclosure of stored communications from network service providers.

Second, § 2702 regulates voluntary disclosure by network service providers of customer communications and records, both to government and nongovernment entities.

Third, § 2701 prohibits unlawful access to certain stored communications; anyone who obtains, alters, or prevents authorized access to those communications is subject to criminal penalties.

Cloud computing has definitely posed problems for judges. From the 2010 hearing of the House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA Reform and the Revolution in Cloud Computing (statement of Michael Hintze, Associate General Counsel, Microsoft Corp.)

When law enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data stored on an individual’s personal or business hard drive.

Whether a Republican or Leahy drafted the circulated revision doesn't seem like the major point here. That's because Leahy's bill, even as introduced, addresses just a small part of the current problems involving law enforcement's excessive authority to intrude into our private communications and obtain our personal data and information. So many more reforms to existing law are necessary to bring it in line with basic due process principles. Here are just a few, from the Digital Due Process Center:

1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user’s private communications or documents stored online.

This principle applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet "cloud"-- private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks....

2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.

This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data....

3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.

In 2001, the law governing "pen registers and trap & trace devices" - technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone - was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit.

This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated.

4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.

This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.

Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation.

As to the ECPA specifically, the Digital Due Process Coalition lists these principles:

A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.

A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.

A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).

Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.

For more on the myriad of pending bills in Congress revising cybersecurity and electronic privacy laws, see this November, 2012 Congressional Research Service Report. (hat tip to Bmaz at Empty Wheel, who provides his thoughts on the Leahy/McCullagh news here.)

Whether McCullagh is right or Leahy is telling the truth is really of no more moment than the faux shock over the FBI's obtaining Gen. Daivd Petraus' emails. The real value of both is the potential they have to wake people up to the excessive and ever-increasing infringement of our privacy rights resulting from the power Congress has given law enforcement, and law enforcement's constant demand for more. This power needs to be recouped and reined in.

< Natalie Khawam: Here's Gloria | Hamas Steps Up Bombings, Truce Plans in Jeopardy >
  • The Online Magazine with Liberal coverage of crime-related political and injustice news

  • Contribute To TalkLeft


  • Display: Sort:
    In the 11 years since the attacks on 9/11, (5.00 / 1) (#1)
    by Anne on Wed Nov 21, 2012 at 09:25:17 AM EST
    there has been a steady and deliberate erosion of so many of our rights, in spite of and in the face of concerted, loud and vigorous protest; it seems to be one more example of those in power ignoring the wishes and will of the people, and I am not optimistic that the power taken by the Congress and the president will be ceded anytime soon.

    I find Leahy's comments to be troubling, the kind that get made only after someone in the media figures out what's going on and calls BS; would Leahy be saying anything if not for the article?  

    I seriously doubt it.

    I dunno about that (none / 0) (#3)
    by bmaz on Wed Nov 21, 2012 at 10:55:56 PM EST
    I saw McCullagh's report before the real furor on twitter and the net hit and contacted sources at Judiciary. They vehemently denied Leahy was ever going where McCullagh said he was. Later in the day, Leahy started tweeting and issuing the press release. For what it's worth, I am pretty sure I caught them before the flood and the answer was the same. That was pretty early in the day, but I wasn't able to write it until later because I was tied up some work.

    Parent
    Thanks for that extra bit of info; (none / 0) (#4)
    by Anne on Thu Nov 22, 2012 at 07:46:24 AM EST
    I guess what I'm wondering - and will probably never know - is whether Leahy would be pushing back or using the media himself to call out those responsible for the changes, or if this would have been one of those quiet, happens/gets-voted-on-without-anyone-paying-attention kind of things.

    What do you imagine McCullagh's end game wass if Leahy really isn't responsible for the changes, and doesn't support them?  Drawing out the person who is?

    Parent

    Not Sure (none / 0) (#5)
    by bmaz on Thu Nov 22, 2012 at 12:34:15 PM EST
    I don't know McCullagh's work that well. He has been around a bit and even works for CBS part of the time, so he is not a flake. There is no question but that the Administration and DOJ is pushing for the craven things that McCullagh described, nor that there are some senators willing to try to accomplish that.

    But Leahy is the gatekeeper on Judiciary, if he really doesn't want it, it will be tough. Maybe he has better sources than I do on Judiciary, but mine have always been pretty square on things like this. I do know this, Leahy was pretty proud of his original amendment when he promulgated it, I find it hard to believe he moved that far off it so fast. Who knows?

    Parent

    Comment with personal attack on McCullagh deleted (none / 0) (#2)
    by Jeralyn on Wed Nov 21, 2012 at 11:11:57 AM EST
    Name-calling and personal attacks are not allowed here.