White House Report Recommends Requiring Warrants for Email
In the wake of mass surveillance revelations sparked by Edward Snowden and others, back in January President Obama ordered his Council of Advisors on Science and Technology to conduct a 90-day review of policies surrounding so-called “big data” and privacy. The council has been looking into everything from marketing analytics (those ads that seem to psychically follow you around the Internet), national security, and biometrics (face and speech recognition) to encryption, data mining, health care, education, automated sensors, and the “Internet of things.”
The council issued its report last week, and privacy advocates have lauded one of the recommendations: reform of the 1986 Electronic Communications Privacy Act (ECPA) to “ensure the standard of protection for online, digital content is consistent with that afforded in the physical world.”
Why is that important? Among other things, ECPA enables law enforcement agencies to access email if it’s left unread or kept online for more than six months with just a subpoena, which needs nothing more than a signature by a government agent. Conversely, search warrants require probable cause and approval by a judge. Subpoenas are a lot easier to get than warrants.
Take a moment to consider email you may have online in Gmail, iCloud, Hotmail, Facebook, your ISP, or any number of other places that’s more than six months old. Now consider that in the last six months of 2013, Google says it received more than 7,700 warrantless requests for user data covering more than 13,500 accounts. Facebook says it got about 5,400 such requests in the same period. Both companies turned over data in the vast majority of the cases.
Clearly, law enforcement agencies are making use of their ability to subpoena email and other communications without a warrant.
How We Got Here — Nearly three decades ago, ECPA’s six-month window on accessing email without a warrant wasn’t entirely unreasonable. Ronald Reagan was president, there was no public Internet, and there were no ISPs. Heck, in 1986, my entire online storage on ARPANET (what would eventually become today’s Internet) was limited to a mere 512 KB (yes, kilobytes!), and I was way ahead of the curve. Considering email messages “abandoned” after 180 days was a generous definition at the time. After all, email was the province of big business and academia, and most users quickly deleted, downloaded, or (ack!) printed messages because they didn’t have space to store them.
When Congress enacted ECPA, lawmakers envisioned that if the government wanted old email they would almost certainly need a search warrant for specific locations or devices — in 1986, “devices” meant “computers.” Few could imagine everyday Internet users would routinely accumulate gigabytes’ and years’ worth of email online.
The technology industry has been urging ECPA reform for years — a recent example is Digital Due Process, a coalition supported by everybody from Twitter and Apple to Intel and AOL (which, ironically, may hold some of the oldest consumer email on the planet). The essential thrust of the argument is that users’ digital content — whether on their personal devices or stored on Internet-based services — should be subject to the same legal protections as a person’s property. That means the government would need a search warrant before it could require online data of any age.
Nonetheless, Congress has stalled ECPA reform for years. And, believe it or not, some are against reforming the statute. For instance, while criminal law enforcement agencies like the FBI might be able to obtain search warrants fairly easily, civil law enforcement agencies might have more trouble. The best example is the Securities and Exchange Commission (SEC) (which is primarily a law enforcement agency, in fact), but other examples could include the Federal Communications Commission (FCC) and even the Federal Aviation Administration (FAA). Reforming ECPA could hinder these agencies’ ability to go after wrongdoers.
What Happens Now? — The publication of the White House report on big data carries no legislative weight: it’s just a document, and Congress is under no obligation to act upon it or even read it. (There is some small irony that the presidential counsel who headed up the paper — John Podesta — co-authored ECPA back in the day.) However, by adding its voice to the chorus calling for ECPA reform, the White House is at a minimum making a populist move in favor of online privacy that consumers (and voters) can easily understand. As the ramifications of the NSA mass surveillance continue to unfold, that may be smart politics.
Unfortunately, the likelihood that Congress will enact ECPA reform in the near future is slim to none. The Senate and House are now deadlocked on party lines on most major issues, and Congress has just entered a holding pattern in anticipation of mid-term elections.
In theory, President Obama could issue an executive order mandating search warrants for disclosure of email and other electronic data. In some ways, it’s a safe bet: only two executive orders have ever been overturned in the history of the U.S. presidency. However, unlike laws, executive orders can be undone at any time by the president, and who knows how the next administration will feel about ECPA?
For now, email, text messages, and other communications older than six months can be requested from Internet companies by law enforcement agencies at any time — and that’s likely to remain the law of the land indefinitely.
Thanks for the reminder to go implement my standing policy from many, many years ago to delete all email more than 6 months old. Hope it is actually gone.
Whether mail is "truly gone" when deleted from an Internet service is kind of an open question. Many services distribute mail across many different systems, and they have backups and mirroring. So, deleting mail may remove the message from displaying in your account, but it doesn't necessarily mean the data isn't still accessible on the service's drives or servers somewhere. Joe Kissell discusses some of this in his "Take Control of your Online Privacy," but (long story short) there aren't many clean solutions to this dilemma.
I should note I self-host my own email.
"I should note I self-host my own email."
Which doesn't prevent any of the places where it hops along the way from storing it also...
That's absolutely true. But it does mean if anyone subpoenas my email provider, I'll know right away. :)
I also self host my email. Any public accounts (ISP, gmail) have their email harvested every 15 minutes. While that doesn't remove all the ghosts in the machine, it does reduce their number.
While I think our privacy is important and searching a person's stuff without proper protections is important to prevent abuse - it is really hard for me to get upset when I consider what is in my old email. Go ahead Big Brother, read to your heart's content, I've got nothing to hide. (he says while writing from a pseudonym)
Fair enough! Different people use email very differently. My own email is almost completely innocuous (although I'm sure some clients would prefer their business plans remained confidential). However, like other rich sources of metadata, I'm sure it can be assembled to compile a surprisingly detailed look at my life.
Other folks are different: I know people who use email so infrequently that they might only check it once every six months. But I know others who keep their professional and personal lives highly compartmentalized for valid reasons, and who are uncomfortable sending and receiving anything sensitive via email, let alone leaving it to sit around 180 days. Different strokes…
Most of my email is from TidBITS. So don't say anything you don't want the NSA to read.
Ooops, they already did! ;)
As a US citizen, this entire issue is surreal to me. Of course this aspect of the ECPA is unconstitutional. Why it was ever created is beyond comprehension. The Fourth Amendment to the Constitution addresses this situation directly, using unambiguous language. There is no wiggle room. Why do I end up posting the Fourth Amendment over and over and over as if people are illiterate and ignorant? Why was ECPA ever tolerated at all? It's incomprehensible.
Here I go posting the Fourth Amendment yet again. Maybe some rare person will read it and understand the unconstitutional, therefore treasonous, nature of ECPA:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Of course this applies to US citizen email.
How can I request from Gmail to know whether or not any of my email has ever been subpoenaed?
Does anyone know?
Google says they will notify you if it's appropriate and they're legally allowed to do so:
http://www.google.com/transparencyreport/userdatarequests/legalprocess/#what_does_google_do
http://www.google.com/transparencyreport/userdatarequests/legalprocess/#in_what_situations
I suspect that other mail hosts have similar policies, but it would have to be checked on a case-by-case basis.
I also ran across this post, which answers a lot of questions about how information can be gotten out of Google from the perspective of an investigator.
http://www.cyberinvestigationservices.com/subpoena-google-some-common-misconceptions/